Add Gitea entrypoint to generate app.ini from template on startup

Since app.ini is gitignored, the container needs to create it at runtime. The entrypoint copies the template on first start, then Gitea's env var overrides handle secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Gitignore gitea app.ini and remove INTERNAL_TOKEN from template
2026-04-07 14:40:38 +01:00 · 2026-04-07 14:37:30 +01:00
5 changed files with 13 additions and 99 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@ backend/token/
 .env

 gitea/data/*
+gitea/config/app.ini

 # Gitea runner
 gitea-runner/.runner
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -152,6 +152,7 @@ services:
    gitea:
        image: docker.gitea.com/gitea:1.25.4-rootless
        container_name: "${GITEA_HOST}"
+        entrypoint: ["/usr/bin/dumb-init", "--", "/etc/gitea/entrypoint.sh"]
        networks:
            - app-network
        environment:
@@ -169,6 +170,7 @@ services:
        volumes:
            - ./gitea/data:/var/lib/gitea
            - ./gitea/config:/etc/gitea
+            - ./gitea/entrypoint.sh:/etc/gitea/entrypoint.sh:ro
            - /etc/timezone:/etc/timezone:ro
            - /etc/localtime:/etc/localtime:ro
        ports:
--- a/gitea/config/app.ini
+++ b/gitea/config/app.ini
@@ -1,98 +0,0 @@
-APP_NAME = Gitea: Git with a cup of tea
-RUN_USER = git
-RUN_MODE = prod
-WORK_PATH = /var/lib/gitea
-
-[repository]
-ROOT = /var/lib/gitea/git/repositories
-
-[repository.local]
-LOCAL_COPY_PATH = /tmp/gitea/local-repo
-
-[repository.upload]
-TEMP_PATH = /tmp/gitea/uploads
-
-[server]
-APP_DATA_PATH = /var/lib/gitea
-SSH_DOMAIN = adam-french.co.uk
-HTTP_PORT = 3000
-ROOT_URL = https://adam-french.co.uk/gitea/
-DISABLE_SSH = false
-; In rootless gitea container only internal ssh server is supported
-START_SSH_SERVER = true
-SSH_PORT = 2222
-SSH_LISTEN_PORT = 2222
-BUILTIN_SSH_SERVER_USER = git
-LFS_START_SERVER = true
-DOMAIN = stppi.local
-LFS_JWT_SECRET =
-OFFLINE_MODE = true
-
-[database]
-PATH = /var/lib/gitea/data/gitea.db
-DB_TYPE = postgres
-HOST = db
-NAME = gitea
-USER = postgres
-PASSWD =
-SCHEMA = 
-SSL_MODE = disable
-LOG_SQL = false
-
-[session]
-PROVIDER_CONFIG = /var/lib/gitea/data/sessions
-PROVIDER = file
-
-[picture]
-AVATAR_UPLOAD_PATH = /var/lib/gitea/data/avatars
-REPOSITORY_AVATAR_UPLOAD_PATH = /var/lib/gitea/data/repo-avatars
-
-[attachment]
-PATH = /var/lib/gitea/data/attachments
-
-[log]
-ROOT_PATH = /var/lib/gitea/data/log
-MODE = console
-LEVEL = info
-
-[security]
-INSTALL_LOCK = true
-SECRET_KEY = 
-REVERSE_PROXY_LIMIT = 1
-REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN =
-PASSWORD_HASH_ALGO = pbkdf2
-
-[service]
-DISABLE_REGISTRATION = true
-REQUIRE_SIGNIN_VIEW = false
-REGISTER_EMAIL_CONFIRM = false
-ENABLE_NOTIFY_MAIL = false
-ALLOW_ONLY_EXTERNAL_REGISTRATION = false
-ENABLE_CAPTCHA = false
-DEFAULT_KEEP_EMAIL_PRIVATE = false
-DEFAULT_ALLOW_CREATE_ORGANIZATION = true
-DEFAULT_ENABLE_TIMETRACKING = true
-NO_REPLY_ADDRESS = noreply.localhost
-
-[lfs]
-PATH = /var/lib/gitea/git/lfs
-
-[mailer]
-ENABLED = false
-
-[openid]
-ENABLE_OPENID_SIGNIN = true
-ENABLE_OPENID_SIGNUP = true
-
-[cron.update_checker]
-ENABLED = false
-
-[repository.pull-request]
-DEFAULT_MERGE_STYLE = merge
-
-[repository.signing]
-DEFAULT_TRUST_MODEL = committer
-
-[oauth2]
-JWT_SECRET =
--- a/gitea/config/app.ini.template
+++ b/gitea/config/app.ini.template
@@ -60,7 +60,6 @@ INSTALL_LOCK = true
 SECRET_KEY = 
 REVERSE_PROXY_LIMIT = 1
 REVERSE_PROXY_TRUSTED_PROXIES = *
-INTERNAL_TOKEN =
 PASSWORD_HASH_ALGO = pbkdf2

 [service]
--- a/gitea/entrypoint.sh
+++ b/gitea/entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+# Generate app.ini from template if it doesn't already exist
+if [ ! -f /etc/gitea/app.ini ]; then
+    cp /etc/gitea/app.ini.template /etc/gitea/app.ini
+    echo "Generated app.ini from template"
+fi
+
+exec /usr/local/bin/docker-entrypoint.sh "$@"