Migrate to new domain for gitea operations. #192

Closed
opened 2026-04-05 19:14:45 +00:00 by Rockachopa · 3 comments
Owner

forge.alexanderwhitestone.com

Also someone fix this so it's secure.

Owner

Done. Completed by Timmy (session 2026-04-05).

What was changed

DNS

  • A record created in DigitalOcean: forge.alexanderwhitestone.com → 143.198.27.163
  • Nameservers migrated from GoDaddy (ns31/32.domaincontrol.com) to DigitalOcean (ns1/2/3.digitalocean.com)

HTTPS

  • Let's Encrypt certificate obtained via DNS-01 challenge (certbot-dns-digitalocean)
  • Cert expires 2026-07-04, auto-renewal configured
  • Certbot venv installed at /opt/certbot-dns-venv/

nginx

  • New site: /etc/nginx/sites-available/forge — reverse proxy to Gitea on :3000
  • Port 80 → 301 redirect to HTTPS
  • Port 443 SSL with forge.alexanderwhitestone.com cert
  • WebSocket upgrade support for Gitea real-time
  • Fixed SSL SNI conflict: added server_name to certbot-managed block in the-matrix config (was the default catch-all stealing forge's cert)

Gitea

  • app.ini updated: ROOT_URL = https://forge.alexanderwhitestone.com/
  • DOMAIN and SSH_DOMAIN updated from bare IP to domain
  • Gitea restarted and verified healthy

Verification

  • https://forge.alexanderwhitestone.com/ — 200 OK, valid cert
  • https://forge.alexanderwhitestone.com/api/v1/ — API working
  • https://forge.alexanderwhitestone.com/Timmy_Foundation/wolf — repo accessible
  • git clone/push over HTTPS confirmed working

Remaining cleanup

  • Old IP-based URLs in clone remotes should be updated: git remote set-url origin https://forge.alexanderwhitestone.com/...
  • Timmy Tower config /etc/nginx/sites-enabled/timmy-tower still binds directly to IP — works fine but consider migrating to domain-based config when updating those services
Timmy closed this issue 2026-04-05 19:15:32 +00:00
Author
Owner
  1. See my screenshot. I'm getting a warning in my browser saying it's not secure
  2. I want this to be the only way to get to gitea. I don't want the raw ip to serve it up anymore.
Owner

Security fix applied.

What changed:

  1. Gitea now binds to 127.0.0.1 only (was 0.0.0.0) — not directly accessible from the network
  2. Port 3000 removed from ufw firewall — external connections to port 3000 are refused
  3. Only way to reach Gitea is now: https://forge.alexanderwhitestone.com/
  4. Valid Let's Encrypt cert, HTTPS enforced, port 80 → 301 redirect

The "not secure" warning

If you were browsing to http://143.198.27.163:3000 or https://143.198.27.163:3000 — that's now intentionally blocked. Port 3000 is no longer accessible from outside. You need to use https://forge.alexanderwhitestone.com/ with a proper cert.

Bare IP on port 443

https://143.198.27.163:443 serves the Nexus/Matrix site (this is intentional — the-matrix and other services use the same VPS). Only forge.alexanderwhitestone.com routes to Gitea via SNI.

To access Gitea: https://forge.alexanderwhitestone.com/ (this is the ONLY entry point now)

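A post-migration audit script for the two changes above (comment 1's domain-based app.ini and comment 2's loopback-only binding plus the ufw rule removal), added here as an example and not part of the timmy-config repo. Each check takes command output as text so it runs offline against the constructed samples; the app.ini path `/etc/gitea/app.ini` used by `--live` is an assumption, since the issue does not name it.

```shell
#!/bin/sh
# Post-migration audit for the hardening described in this issue. Added
# example, not part of timmy-config. Checks take command output as text so
# they run offline against the constructed samples below; --live audits the VPS.
# Assumed path: /etc/gitea/app.ini (the issue does not name the app.ini path).

FORGE_HOST="forge.alexanderwhitestone.com"
HOST_RE="$(printf '%s' "$FORGE_HOST" | sed 's/\./\\./g')"

# 0 if every :3000 listener in `ss -ltn` output is on loopback (comment 2's
# fix: 127.0.0.1 instead of 0.0.0.0); 1 if exposed or not listening at all.
gitea_loopback_only() {
  printf '%s\n' "$1" | awk '
    $4 ~ /:3000$/ { found = 1
      if ($4 != "127.0.0.1:3000" && $4 != "[::1]:3000") bad = 1 }
    END { if (found && !bad) exit 0; exit 1 }'
}

# 0 if `ufw status` output still carries an ALLOW rule for port 3000.
ufw_allows_3000() {
  printf '%s\n' "$1" | grep -Eq '^3000(/tcp)?( \(v6\))?[[:space:]]+ALLOW'
}

# 0 if app.ini's [server] section binds loopback and uses the domain-based
# ROOT_URL / DOMAIN / SSH_DOMAIN from comment 1.
appini_hardened() {
  srv="$(printf '%s\n' "$1" | awk '/^\[server\]/ {f=1; next} /^\[/ {f=0} f')"
  for re in "HTTP_ADDR *= *127\.0\.0\.1 *\$" "ROOT_URL *= *https://$HOST_RE/" \
            "DOMAIN *= *$HOST_RE *\$" "SSH_DOMAIN *= *$HOST_RE *\$"; do
    printf '%s\n' "$srv" | grep -Eq "^ *$re" || return 1
  done
  return 0
}

# Constructed samples: the exposed "before" state and the hardened "after".
SS_BEFORE="State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:3000       0.0.0.0:*"
SS_AFTER="State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:3000     0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*"
UFW_BEFORE="3000/tcp                   ALLOW       Anywhere"
INI_AFTER="[server]
HTTP_ADDR = 127.0.0.1
ROOT_URL = https://$FORGE_HOST/
DOMAIN = $FORGE_HOST
SSH_DOMAIN = $FORGE_HOST"

if [ "${1:-}" = "--live" ]; then
  rc=0
  gitea_loopback_only "$(ss -ltn)" || { echo "FAIL: :3000 not loopback-only"; rc=1; }
  ufw_allows_3000 "$(ufw status)" && { echo "FAIL: ufw still allows 3000"; rc=1; }
  appini_hardened "$(cat /etc/gitea/app.ini)" || { echo "FAIL: app.ini not hardened"; rc=1; }
  exit "$rc"
fi
```

Run `sh audit.sh --live` as root on the VPS; a non-zero exit means one of the three conditions from the comments above no longer holds.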

Reference: Timmy_Foundation/timmy-config#192