[URGENT] Deploy reverse proxy with TLS for Gitea (Nginx + Let's Encrypt) #989

Closed
opened 2026-03-22 19:12:49 +00:00 by perplexity · 2 comments
Collaborator

Parent

  • #971 — Urgent: falsework and security and gitea database robustness

Objective

Stop running Gitea on plain HTTP over a raw IP. Point a domain, wrap in TLS.

Scope

  1. Point a domain (e.g., git.alexanderwhitestone.com) to 143.198.27.163
  2. Install Nginx as reverse proxy
  3. Install certbot + Let's Encrypt for TLS
  4. Configure Nginx per the template in #971 issue body
  5. Update app.ini:
    • DOMAIN = git.alexanderwhitestone.com
    • ROOT_URL = https://git.alexanderwhitestone.com/
    • HTTP_ADDR = 127.0.0.1 (only listen to proxy)
  6. Force HTTPS redirect
  7. Add HSTS header

Acceptance Criteria

  • https://git.alexanderwhitestone.com loads Gitea with valid TLS
  • http:// redirects to https://
  • Direct IP:3000 access is blocked or redirected
  • HSTS header present in response

Note

Requires DNS access. @rockachopa needs to point the domain.

claude was assigned by Rockachopa 2026-03-22 21:44:38 +00:00
Owner

Can I just have someone do all this in DigitalOcean for me? Or at the very least stage the changes so I can approve them.

Owner

PR #998 created with staged deploy configs for review.

What's in the PR:

  • deploy/nginx-gitea.conf — Nginx reverse proxy config (HTTPS, HSTS, WebSocket, large push support)
  • deploy/setup-gitea-tls.sh — One-command deploy script (installs Nginx + Certbot, gets cert, patches app.ini, blocks port 3000)
  • deploy/gitea-app-ini.patch — Full hardening reference from #971 audit

To deploy after merging:

  1. Point DNS: git.alexanderwhitestone.com A record → 143.198.27.163
  2. SSH into the server and run: sudo bash deploy/setup-gitea-tls.sh git.alexanderwhitestone.com

The script has a --dry-run flag to preview what it will do before making changes.

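For reviewers who want to see what the staged files would have to do before approving: the script below is an added example written for this thread, not the project's `deploy/setup-gitea-tls.sh` or `deploy/nginx-gitea.conf` (neither is shown on this page). It covers the scope items of the issue: an Nginx vhost that redirects port 80 to HTTPS, terminates TLS, sends HSTS and proxies to Gitea on loopback (WebSocket headers and a large `client_max_body_size` for big pushes); an idempotent, section-aware `app.ini` edit for `DOMAIN`, `ROOT_URL` and `HTTP_ADDR`; and checks for the four acceptance criteria. It assumes certbot's default `/etc/letsencrypt/live/<domain>/` paths, Gitea listening on `127.0.0.1:3000`, and the function names are mine. The `app.ini` it edits at the bottom is a constructed sample, not the server's file.

```shell
#!/usr/bin/env bash
# Added example, not the project's deploy/setup-gitea-tls.sh: the three pieces
# such a script needs (Nginx vhost, idempotent app.ini edit, acceptance checks).
# Assumptions: certbot's default /etc/letsencrypt/live/<domain>/ paths, Gitea on
# 127.0.0.1:3000, and the function names, which are mine.
set -eu

# Print an Nginx vhost: port 80 only redirects, port 443 terminates TLS, sends
# HSTS and proxies to Gitea on loopback (Upgrade/Connection for WebSockets,
# client_max_body_size for large pushes). Quoted heredoc keeps $host literal.
render_nginx_conf() {
  sed "s|__DOMAIN__|$1|g" <<'EOF'
server {
    listen 80;
    server_name __DOMAIN__;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name __DOMAIN__;

    ssl_certificate     /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS belongs on the HTTPS vhost only, never on the port-80 redirect.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    client_max_body_size 512M;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
EOF
}

# Set KEY = VALUE under [SECTION] in an ini file, idempotently: replace the key
# if the section already has it (dropping duplicates), else append it to that
# section, creating the section if absent. Same-named keys in other sections
# are left alone, which a plain sed over the whole file would not guarantee.
ini_set() {
  local file="$1" tmp
  tmp="$(mktemp)"
  awk -v s="$2" -v k="$3" -v v="$4" '
    function flush()   { while (blanks > 0) { print ""; blanks-- } }
    function pending() { if (in_sec && !done) { print k " = " v; done = 1 } }
    /^[ \t]*\[/ { pending(); flush(); in_sec = ($0 == ("[" s "]")); if (in_sec) seen = 1 }
    in_sec && /^[ \t]*$/ { blanks++; next }
    in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") { flush(); if (!done) { print k " = " v; done = 1 }; next }
    { flush(); print }
    END { pending(); flush(); if (!seen) { print ""; print "[" s "]"; print k " = " v } }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# The app.ini changes from the issue: public HTTPS origin for generated links,
# and bind to loopback so only the proxy can reach port 3000.
patch_app_ini() {
  ini_set "$1" server DOMAIN "$2"
  ini_set "$1" server ROOT_URL "https://$2/"
  ini_set "$1" server HTTP_ADDR 127.0.0.1
}

# Acceptance checks on raw response headers as printed by `curl -sI`.
check_redirect() {   # $1 headers, $2 domain: http:// must 301/308 to https://
  printf '%s\n' "$1" | grep -qiE '^HTTP/[0-9.]+ 30[18]' &&
  printf '%s\n' "$1" | grep -qiE "^Location: https://$2/"
}
check_hsts() {       # $1 headers: HSTS with a non-zero max-age must be present
  printf '%s\n' "$1" | grep -qiE '^Strict-Transport-Security: *max-age=[1-9][0-9]*'
}

# Run the checks against a deployed host (needs network; not called below).
verify_live() {      # $1 domain, $2 public IP
  check_redirect "$(curl -sI "http://$1/")" "$1" || { echo "FAIL: no HTTPS redirect"; return 1; }
  check_hsts "$(curl -sI "https://$1/")"        || { echo "FAIL: no HSTS header"; return 1; }
  if curl -s -m 5 -o /dev/null "http://$2:3000/"; then echo "FAIL: port 3000 reachable"; return 1; fi
  echo "OK: $1"
}

# Offline demo on a constructed app.ini (not a real server file).
demo="$(mktemp)"
printf '%s\n' '[server]' 'HTTP_ADDR = 0.0.0.0' 'ROOT_URL = http://143.198.27.163:3000/' '' \
              '[database]' 'DB_TYPE = sqlite3' > "$demo"
patch_app_ini "$demo" git.example.com
cat "$demo"
rm -f "$demo"
```

Roll-out order matters: the 443 block will not load until the certificate exists, so obtain it first (`certbot --nginx -d <domain>` once the A record resolves), then enable the vhost, then restart Gitea after the `app.ini` change so `ROOT_URL` matches the new origin (clone URLs, webhooks and OAuth callbacks are generated from it). Only add the HSTS header once HTTPS is verified working, because a one-year `max-age` pins browsers to HTTPS for that host. Binding `HTTP_ADDR` to `127.0.0.1` is what actually closes direct `IP:3000` access; a firewall rule on port 3000 is defense in depth on top of it. `verify_live <domain> <ip>` exercises the four acceptance criteria against the deployed host.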

Reference: Rockachopa/Timmy-time-dashboard#989