Gitea docker-compose config with Traefik and PostgreSQL
This is the Gitea production use config I currently recommend for small-to-medium companies. It uses PostgreSQL as a backend and Traefik as a reverse proxy.
See Simple Traefik Docker-Compose Setup With Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 Challenges for more information on the Traefik setup I use.
First, run the initialization script to create the necessary directories with the correct permissions and select a random PostgreSQL password.
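```sh
#!/bin/sh
# gitea initialize script
# Generate a random 30-character PostgreSQL password and store it in .env
echo "POSTGRES_PASSWORD=$(pwgen 30 1)" > .env
# Create the data and config directories, owned by the UID/GID set in the compose file
mkdir -p gitea_data gitea_config
chown -R 1000:1000 gitea_data gitea_config
# Validate the compose file and print the resolved configuration
docker-compose config
```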
Note that there are a few things different from the official Gitea Docker installation guide:
- We use a random PostgreSQL password instead of `gitea`. See this post on why this is extremely important.
- We don't use a dedicated network, as `docker-compose` will create a separate network anyway.
- We don't use SSH because we just don't care about it. HTTPS-based git works more than well enough in 2024.
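A preflight check for the `.env` file that the initialization script writes, added here as an example and not part of the original post. It catches an empty password (which is what the script writes when `pwgen` is not installed), the default `gitea` password, and a file mode that lets other local users read the credential. The function names and the 20-character minimum are assumptions of this example.

```sh
#!/bin/sh
# Added example: preflight check for the .env file written by the init script.
# MIN_LEN and the function names are assumptions of this example.
MIN_LEN=20

# Print the value of POSTGRES_PASSWORD from an env file (last assignment wins).
env_password() {
    sed -n 's/^POSTGRES_PASSWORD=//p' "$1" | tail -n 1
}

# Return 0 if the env file passes every check, 1 otherwise (reasons on stderr).
check_env_file() {
    envfile=$1
    rc=0
    if [ ! -f "$envfile" ]; then
        echo "FAIL: $envfile not found, run the initialization script first" >&2
        return 1
    fi
    pw=$(env_password "$envfile")
    if [ -z "$pw" ]; then
        # Happens when pwgen is not installed: the substitution expands to nothing.
        echo "FAIL: POSTGRES_PASSWORD is missing or empty" >&2
        rc=1
    elif [ "$pw" = "gitea" ]; then
        echo "FAIL: POSTGRES_PASSWORD is the default 'gitea'" >&2
        rc=1
    elif [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "FAIL: POSTGRES_PASSWORD is shorter than $MIN_LEN characters" >&2
        rc=1
    fi
    # The file holds the database credential: flag group- or world-readable modes.
    # A file created by shell redirection gets the umask default, often 0644.
    if [ -n "$(find "$envfile" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL: $envfile is readable by group or others, run: chmod 600 $envfile" >&2
        rc=1
    fi
    return "$rc"
}
```

Source the file and call `check_env_file .env` before the first start of the stack.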
```yaml
services:
  postgres:
    image: postgres:14
    restart: unless-stopped
    environment:
      - POSTGRES_USER=gitea
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_DB=gitea
    volumes:
      - ./postgres_data:/var/lib/postgresql/data
  gitea:
    image: gitea/gitea:latest-rootless
    container_name: gitea
    depends_on:
      - postgres
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=postgres:5432
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD=${POSTGRES_PASSWORD}
    restart: unless-stopped
    volumes:
      - ./gitea_data:/var/lib/gitea
      - ./gitea_config:/etc/gitea
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.rule=Host(`gitea.mydomain.com`)"
      - "traefik.http.routers.gitea.entrypoints=websecure"
      - "traefik.http.routers.gitea.tls.certresolver=cloudflare"
      - "traefik.http.routers.gitea.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.gitea.tls.domains[0].sans=*.mydomain.com"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
```
Now you can create a systemd service to start the Gitea service automatically. For details, see our post on docker-compose systemd services.
```sh
curl -fsSL https://techoverflow.net/scripts/create-docker-compose-service.sh | sudo bash /dev/stdin
```
How to get started
Now configure Gitea by opening your domain in your browser. The `schema` field needs to be left empty.