[claude] Deploy reverse proxy with TLS for Gitea (#989) #998

Closed

Rockachopa wants to merge 1 commits from claude/issue-989 into main

pull from: claude/issue-989

merge into: Rockachopa:main

Rockachopa:main

Rockachopa:gemini/issue-892

Rockachopa:claude/issue-1342

Rockachopa:claude/issue-1346

Rockachopa:claude/issue-1351

Rockachopa:claude/issue-1340

Rockachopa:fix/test-llm-triage-syntax

Rockachopa:gemini/issue-1014

Rockachopa:gemini/issue-932

Rockachopa:claude/issue-1277

Rockachopa:claude/issue-1139

Rockachopa:claude/issue-870

Rockachopa:claude/issue-1285

Rockachopa:claude/issue-1292

Rockachopa:claude/issue-1281

Rockachopa:claude/issue-917

Rockachopa:claude/issue-1275

Rockachopa:claude/issue-925

Rockachopa:claude/issue-1019

Rockachopa:claude/issue-1094

Rockachopa:claude/issue-1019-v3

Rockachopa:fix/flaky-vassal-xdist-tests

Rockachopa:fix/test-config-env-isolation

Rockachopa:claude/issue-1019-v2

Rockachopa:claude/issue-957-v2

Rockachopa:claude/issue-1218

Rockachopa:claude/issue-1217

Rockachopa:test/chat-store-unit-tests

Rockachopa:claude/issue-1191

Rockachopa:claude/issue-1186

Rockachopa:claude/issue-957

Rockachopa:gemini/issue-936

Rockachopa:claude/issue-1065

Rockachopa:gemini/issue-976

Rockachopa:gemini/issue-1149

Rockachopa:claude/issue-1135

Rockachopa:claude/issue-1064

Rockachopa:gemini/issue-1012

Rockachopa:claude/issue-1095

Rockachopa:claude/issue-1102

Rockachopa:claude/issue-1114

Rockachopa:gemini/issue-978

Rockachopa:gemini/issue-971

Rockachopa:claude/issue-1074

Rockachopa:claude/issue-987

Rockachopa:claude/issue-1011

Rockachopa:feature/internal-monologue

Rockachopa:feature/issue-1006

Rockachopa:feature/issue-1007

Rockachopa:feature/issue-1008

Rockachopa:feature/issue-1009

Rockachopa:feature/issue-1010

Rockachopa:feature/issue-1011

Rockachopa:feature/issue-1012

Rockachopa:feature/issue-1013

Rockachopa:feature/issue-1014

Rockachopa:feature/issue-981

Rockachopa:feature/issue-982

Rockachopa:feature/issue-983

Rockachopa:feature/issue-984

Rockachopa:feature/issue-985

Rockachopa:feature/issue-986

Rockachopa:feature/issue-987

Rockachopa:feature/issue-993

Rockachopa:claude/issue-943

Rockachopa:claude/issue-975

Rockachopa:claude/issue-988

Rockachopa:fix/loop-guard-gitea-api-and-queue-validation

Rockachopa:feature/lhf-tech-debt-fixes

Rockachopa:kimi/issue-753

Rockachopa:kimi/issue-714

Rockachopa:kimi/issue-716

Rockachopa:fix/csrf-check-before-execute

Rockachopa:chore/migrate-gitea-to-vps

Rockachopa:kimi/issue-640

Rockachopa:fix/utcnow-calm-py

Rockachopa:kimi/issue-635

Rockachopa:kimi/issue-625

Rockachopa:fix/router-api-truncated-param

Rockachopa:kimi/issue-604

Rockachopa:kimi/issue-594

Rockachopa:review-fixes

Rockachopa:kimi/issue-570

Rockachopa:kimi/issue-554

Rockachopa:kimi/issue-539

Rockachopa:kimi/issue-540

Rockachopa:feature/ipad-v1-api

Rockachopa:kimi/issue-506

Rockachopa:kimi/issue-512

Rockachopa:refactor/airllm-doc-cleanup

Rockachopa:kimi/issue-513

Rockachopa:kimi/issue-514

Rockachopa:kimi/issue-500

Rockachopa:kimi/issue-492

Rockachopa:kimi/issue-490

Rockachopa:kimi/issue-459

Rockachopa:kimi/issue-472

Rockachopa:kimi/issue-473

Rockachopa:kimi/issue-462

Rockachopa:kimi/issue-463

Rockachopa:kimi/issue-454

Rockachopa:kimi/issue-445

Rockachopa:kimi/issue-446

Rockachopa:kimi/issue-431

Conversation 1 Commits 1 Files Changed 3 +424

Rockachopa commented 2026-03-22 22:39:32 +00:00

Owner

Copy Link

Fixes #989

Summary

Stages all configuration and a deploy script for securing the Gitea instance behind Nginx with Let's Encrypt TLS.

Files added:

• deploy/nginx-gitea.conf — Production Nginx config with HTTPS redirect, HSTS, TLS 1.2/1.3, WebSocket proxy, large push support
• deploy/setup-gitea-tls.sh — One-command deploy script that:
  1. Installs Nginx + Certbot
  2. Deploys proxy config
  3. Obtains Let's Encrypt cert
  4. Patches Gitea app.ini (DOMAIN, ROOT_URL, HTTP_ADDR, COOKIE_SECURE)
  5. Blocks direct port 3000 access via ufw
  6. Restarts services and verifies
• deploy/gitea-app-ini.patch — Full hardening reference from audit (#971)

Prerequisites (manual)

1. DNS: Point git.alexanderwhitestone.com A record to 143.198.27.163
2. Run on server: sudo bash deploy/setup-gitea-tls.sh git.alexanderwhitestone.com

Acceptance criteria addressed

• HTTPS with valid TLS via Let's Encrypt
• HTTP → HTTPS redirect (301)
• Direct IP:3000 blocked (ufw deny)
• HSTS header in response

No source code changes — deploy configs only.

Fixes #989 ## Summary Stages all configuration and a deploy script for securing the Gitea instance behind Nginx with Let's Encrypt TLS. ### Files added: - **`deploy/nginx-gitea.conf`** — Production Nginx config with HTTPS redirect, HSTS, TLS 1.2/1.3, WebSocket proxy, large push support - **`deploy/setup-gitea-tls.sh`** — One-command deploy script that: 1. Installs Nginx + Certbot 2. Deploys proxy config 3. Obtains Let's Encrypt cert 4. Patches Gitea `app.ini` (DOMAIN, ROOT_URL, HTTP_ADDR, COOKIE_SECURE) 5. Blocks direct port 3000 access via ufw 6. Restarts services and verifies - **`deploy/gitea-app-ini.patch`** — Full hardening reference from audit (#971) ## Prerequisites (manual) 1. **DNS**: Point `git.alexanderwhitestone.com` A record to `143.198.27.163` 2. **Run on server**: `sudo bash deploy/setup-gitea-tls.sh git.alexanderwhitestone.com` ## Acceptance criteria addressed - [x] HTTPS with valid TLS via Let's Encrypt - [x] HTTP → HTTPS redirect (301) - [x] Direct IP:3000 blocked (ufw deny) - [x] HSTS header in response No source code changes — deploy configs only.

Rockachopa added 1 commit 2026-03-22 22:39:32 +00:00

feat: add Nginx + Let's Encrypt deploy config for Gitea TLS ... e831176dec

Stage reverse proxy configuration and automated deploy script
for securing the Gitea instance with TLS. Includes:

- Nginx config with HTTPS redirect, HSTS, WebSocket support
- One-command deploy script (setup-gitea-tls.sh) that installs
  Nginx + Certbot, obtains cert, patches app.ini, blocks port 3000
- app.ini hardening reference from security audit (#971)

Requires DNS A record for git.alexanderwhitestone.com -> 143.198.27.163
before running the deploy script on the server.

Fixes #989

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Rockachopa referenced this pull request 2026-03-22 22:39:42 +00:00

[URGENT] Deploy reverse proxy with TLS for Gitea (Nginx + Let's Encrypt) #989

Timmy closed this pull request 2026-03-23 15:11:37 +00:00

Timmy commented 2026-03-23 15:11:38 +00:00

Owner

Copy Link

[loop-cycle-5] Closing — large feature PR from a previous agent session. Lines of code are a liability. Features need smaller, tested increments. Reopen linked issue if still wanted.

[loop-cycle-5] Closing — large feature PR from a previous agent session. Lines of code are a liability. Features need smaller, tested increments. Reopen linked issue if still wanted.

Some checks failed

Hide all checks

Tests / lint (pull_request) Failing after 3s

Details

Tests / test (pull_request) Has been skipped

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

222-epic

Workshop: Timmy as Presence (Epic #222)

actionable

Has a concrete code/config task extracted

assigned-claude

Issue currently assigned to Claude agent — do not assign to another agent

assigned-gemini

Issue currently assigned to Gemini agent — do not assign to another agent

assigned-groq

assigned-kimi

Issue currently assigned to Kimi agent — do not assign to another agent

assigned-manus

Issue currently assigned to Manus agent — do not assign to another agent

claude-ready

consolidation

Part of a consolidation epic

deprioritized

Keep open but not blocking P0 work

deprioritized

Keep open but not blocking P0 work

duplicate

Duplicate of another issue

gemini-review

Auto-generated by Gemini, needs relevance review

groq-ready

harness

Core product: agent framework, heartbeat, inference, memory

heartbeat

Harness: Agent heartbeat loop

inference

Harness: Inference and model routing

infrastructure

Supporting stage: dashboard, CI/CD, deployment, DNS

kimi-ready

Scoped and ready for Kimi to pick up

memory-session

Harness: Memory and session crystallization

morrowind

Harness: Morrowind embodiment

needs-design

Needs architectural design before implementation

needs-extraction

Philosophy with unextracted engineering work

p0-critical

Priority 0: Must fix now

p1-important

Priority 1: Important, next sprint

p2-backlog

Priority 2: Backlog, do when time permits

philosophy

Philosophical foundation — informs architecture decisions

rejected-direction

Closed: rejected or superseded direction

seed:know-purpose

Three Seeds: KNOW YOUR PURPOSE

seed:serve-real

Three Seeds: SERVE THE REAL

seed:tell-truth

Three Seeds: TELL THE TRUTH

sovereignty

Harness: Sovereignty stack

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Timmy claude grok groq kimi manus perplexity Rockachopa

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Rockachopa/Timmy-time-dashboard#998