- kochwas service gets Traefik v2 labels matching the project's conventions:
  websecure entrypoint, cloudflareResolver, Host(`kochwas.siegeln.net`).
- Service port 3000 exposed to Traefik only; the external port binding is gone.
- Dual network: external 'proxy' (for Traefik ingress) and internal 'internal'
  (for kochwas ↔ searxng). traefik.docker.network hint is set.
- SearXNG has no Traefik labels — intentionally only reachable from kochwas.

Note: the 'proxy' network name must match the existing external Traefik network
(change via 'name:' field if your homelab uses a different one like 'traefik').

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

On push to main (or version tag), the workflow logs into the Gitea container
registry, builds a multi-tag image (sha-<short>, branch name, 'latest' on main,
version on tag) and pushes to gitea.siegeln.net/<owner>/<repo>.

docker-compose.prod.yml now pulls from the registry by default, with
KOCHWAS_TAG env var to pin a specific build.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
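
A compose layout matching what the two commit messages above describe, added here as an example and not the repository's own docker-compose.prod.yml. The router/service name `kochwas`, the SearXNG image, the `latest` fallback for KOCHWAS_TAG and the plain-bridge `internal` network are assumptions; `<owner>/<repo>` is the placeholder the commit message itself uses.

```yaml
# Added illustration of the described layout; not the project's actual file.
services:
  kochwas:
    # Registry path as written in the commit message; fill in <owner>/<repo>.
    # Falling back to "latest" when KOCHWAS_TAG is unset is an assumption.
    image: "gitea.siegeln.net/<owner>/<repo>:${KOCHWAS_TAG:-latest}"
    restart: unless-stopped
    # No "ports:" mapping: nothing is published on the host, so the only
    # path to port 3000 is through Traefik on the shared 'proxy' network.
    expose:
      - "3000"
    networks:
      - proxy
      - internal
    labels:
      - "traefik.enable=true"
      # Attached to two networks, so tell Traefik which one to route over.
      - "traefik.docker.network=proxy"
      # Router and service name "kochwas" is an assumed name.
      - "traefik.http.routers.kochwas.rule=Host(`kochwas.siegeln.net`)"
      - "traefik.http.routers.kochwas.entrypoints=websecure"
      - "traefik.http.routers.kochwas.tls.certresolver=cloudflareResolver"
      - "traefik.http.services.kochwas.loadbalancer.server.port=3000"

  searxng:
    image: searxng/searxng:latest   # assumed image reference
    restart: unless-stopped
    # No labels and no ports, and not attached to 'proxy': Traefik cannot
    # see this container, so it is reachable only from kochwas.
    networks:
      - internal

networks:
  proxy:
    external: true
    name: proxy        # must match the existing Traefik network, e.g. 'traefik'
  internal:
    # Plain bridge (assumption). Not 'internal: true', which would also cut
    # SearXNG's outbound access to the upstream search engines it queries.
    driver: bridge
```

Running `docker compose -f docker-compose.prod.yml config` renders the file with KOCHWAS_TAG substituted, which is a quick way to confirm that no service carries a `ports:` entry and that only kochwas is attached to the proxy network.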