This repository has been archived on 2026-03-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Timmy-time-dashboard/deploy/gitea-app-ini.patch
Alexander Whitestone e831176dec feat: add Nginx + Let's Encrypt deploy config for Gitea TLS
Stage reverse proxy configuration and automated deploy script
for securing the Gitea instance with TLS. Includes:

- Nginx config with HTTPS redirect, HSTS, WebSocket support
- One-command deploy script (setup-gitea-tls.sh) that installs
  Nginx + Certbot, obtains cert, patches app.ini, blocks port 3000
- app.ini hardening reference from security audit (#971)

Requires DNS A record for git.alexanderwhitestone.com -> 143.198.27.163
before running the deploy script on the server.

Fixes #989

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-22 18:39:11 -04:00


# ── Gitea app.ini Hardening Patch ────────────────────────────────────────────
#
# Apply these changes to /etc/gitea/app.ini (or custom/conf/app.ini)
# AFTER running setup-gitea-tls.sh, or apply manually.
#
# The deploy script handles DOMAIN, ROOT_URL, HTTP_ADDR, and COOKIE_SECURE
# automatically. This file documents the FULL recommended hardening config
# from the security audit (#971).
#
# ── Instructions ────────────────────────────────────────────────────────────
#
# 1. Back up your current app.ini:
#    cp /etc/gitea/app.ini /etc/gitea/app.ini.bak
#
# 2. Apply each section below by editing app.ini.
#
# 3. Restart Gitea:
#    systemctl restart gitea
#    # or: docker restart gitea
#
# ── [server] section ───────────────────────────────────────────────────────
#
# These are set automatically by setup-gitea-tls.sh:
#
# DOMAIN = git.alexanderwhitestone.com
# HTTP_ADDR = 127.0.0.1
# HTTP_PORT = 3000
# PROTOCOL = http
# ROOT_URL = https://git.alexanderwhitestone.com/
#
# Additionally recommended:
#
# ENABLE_PPROF = false
# OFFLINE_MODE = true
#
# ── [security] section ─────────────────────────────────────────────────────
#
# INSTALL_LOCK = true
# SECRET_KEY = <generate with: gitea generate secret SECRET_KEY>
# REVERSE_PROXY_TRUST_LOCAL = true
# COOKIE_SECURE = true (set by deploy script)
# SET_COOKIE_HTTP_ONLY = true
#
# ── [service] section ──────────────────────────────────────────────────────
#
# DISABLE_REGISTRATION = true
# ALLOW_ONLY_EXTERNAL_REGISTRATION = false
# SHOW_REGISTRATION_BUTTON = false
# ENABLE_REVERSE_PROXY_AUTHENTICATION = false
# REQUIRE_SIGNIN_VIEW = true
#
# ── [repository] section ───────────────────────────────────────────────────
#
# FORCE_PRIVATE = true
# DEFAULT_PRIVATE = private
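Since the reference above is applied by hand, a post-deploy check that the edited app.ini really carries the hardened values is the step a practitioner would add. The script below is an added example, not part of this repository or the deploy script: it parses app.ini by section and reports any key (a subset of those listed above) whose value differs from the recommended one. The function names `get_ini_value`, `audit_app_ini` and `write_sample_ini` are assumptions, and the sample app.ini it writes is constructed; it assumes POSIX sh with awk.

```shell
# Added example (not repository code): audit app.ini against a subset of the hardening values above.
# get_ini_value FILE SECTION KEY -> prints the trimmed value, nothing if absent
get_ini_value() {
    awk -v sec="$2" -v key="$3" -F= '
        /^[ \t]*[;#]/ { next }                              # comment line
        /^[ \t]*\[/ { s = $0; gsub(/[][ \t]/, "", s); next } # [section] header
        s == sec && NF >= 2 { k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=/, "", v)  # keep "=" inside values
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }
    ' "$1"
}
# audit_app_ini FILE -> one line per mismatch; returns the number of mismatches
audit_app_ini() {
    failures=0
    while read -r section key expected; do
        actual=$(get_ini_value "$1" "$section" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH [$section] $key: want '$expected', got '${actual:-<unset>}'"
            failures=$((failures + 1))
        fi
    done <<EOF
server HTTP_ADDR 127.0.0.1
server PROTOCOL http
server ENABLE_PPROF false
security INSTALL_LOCK true
service DISABLE_REGISTRATION true
service REQUIRE_SIGNIN_VIEW true
repository FORCE_PRIVATE true
EOF
    return $failures
}
# write_sample_ini FILE hardened|weak -> constructed sample app.ini for a dry run
write_sample_ini() {
    if [ "$2" = hardened ]; then addr=127.0.0.1; reg=true; else addr=0.0.0.0; reg=false; fi
    cat >"$1" <<EOF
; constructed sample, not a real deployment
[server]
HTTP_ADDR = $addr
PROTOCOL = http
ENABLE_PPROF = false
[security]
INSTALL_LOCK = true
[service]
DISABLE_REGISTRATION = $reg
REQUIRE_SIGNIN_VIEW = true
[repository]
FORCE_PRIVATE = true
EOF
}
```

On a real host, run `audit_app_ini /etc/gitea/app.ini` after step 3; a non-zero exit means at least one recommended value is missing or still at its default.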