690420:2332 Refactor QNAP service

2026-04-20 23:32:30 +07:00
parent 2e89761b0f
commit e2753e4eac
13 changed files with 1569 additions and 13 deletions
@@ -1,5 +1,5 @@
-# File: /share/np-dms/git/docker-compose.yml
-# DMS Container v1.8.6 — Application: git, Service: gitea
+# File: /share/np-dms/gitea/docker-compose.yml
+# DMS Container v1.8.6 — Application name: lcbp3-git, Service: gitea

 x-restart: &restart_policy
  restart: unless-stopped
@@ -21,8 +21,17 @@ networks:
 services:
  gitea:
    <<: [*restart_policy, *default_logging]
-    image: gitea/gitea:latest-rootless
+    image: gitea/gitea:1.26.0-rootless
    container_name: gitea
+    # M4: container hardening (Gitea rootless runs as 'git' user)
+    # user: '1000:1000'
+    # tmpfs:
+    #   - /tmp:rw,noexec,nosuid,size=256m
+    #   - /var/run/gitea:rw,size=128m
+    # security_opt:
+    #   - no-new-privileges:true
+    # cap_drop:
+    #   - ALL
    deploy:
      resources:
        limits:
@@ -31,10 +40,8 @@ services:
        reservations:
          cpus: '0.25'
          memory: 512M
-    security_opt:
-      - no-new-privileges:true
    env_file:
-      - .env
+      - /share/np-dms/gitea/.env
    environment:
      # ---- File ownership in QNAP ----
      USER_UID: '1000'
@@ -78,13 +85,13 @@ services:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
-      - '3003:3000' # HTTP (ไปหลัง NPM)
-      - '2222:22' # SSH สำหรับ git clone/push
+      - '3003:3000' # HTTP (to NPM)
+      - '2222:22' # SSH for git clone/push
    networks:
      - lcbp3
      - giteanet
    healthcheck:
-      test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:3000/api/healthz']
+      test: ['CMD', 'curl', '-f', 'http://localhost:3000/api/healthz']
      interval: 30s
      timeout: 10s
      retries: 3