allow binding gitea to privileged port, gated behind environment variable

Signed-off-by: Clint Armstrong <[email protected]>

Author: clinta

Dockerfile

@@ -34,7 +34,8 @@ RUN apk --no-cache add \
     s6 \
     sqlite \
     su-exec \
-    tzdata
+    tzdata \
+    libcap
 
 RUN addgroup \
     -S -g 1000 \

docker/etc/s6/gitea/setup

@@ -44,3 +44,4 @@ if ! [[ $(ls -ld /data/gitea | awk '{print $3}') = ${USER} ]]; then chown -R ${U
 if ! [[ $(ls -ld /app/gitea  | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /app/gitea;  fi
 if ! [[ $(ls -ld /data/git   | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /data/git;   fi
 chmod 0755 /data/gitea /app/gitea /data/git
+if [[ "${ALLOW_PRIVILEGED_PORT}" = 1 ]]; then setcap 'cap_net_bind_service=+ep' /app/gitea/gitea; fi

docs/content/doc/installation/with-docker.en-us.md

@@ -259,6 +259,7 @@ You can configure some of Gitea's settings via environment variables:
 * `REQUIRE_SIGNIN_VIEW`: **false**: Enable this to force users to log in to view any page.
 * `USER_UID`: **1000**: The UID (Unix user ID) of the user that runs Gitea within the container. Match this to the UID of the owner of the `/data` volume if using host volumes (this is not necessary with named volumes).
 * `USER_GID`: **1000**: The GID (Unix group ID) of the user that runs Gitea within the container. Match this to the GID of the owner of the `/data` volume if using host volumes (this is not necessary with named volumes).
+* `ALLOW_PRIVILEGED_PORT`: **0**: Set to 1 to allow the gitea service to run on a port < 1024.
 
 # Customization