feat: add configuration templates

- docker-compose-gitea.yml.tpl: Gitea + SQLite container - app.ini.tpl: Gitea config (INSTALL_LOCK, Actions enabled, no registration) - docker-compose-runner.yml.tpl: act_runner Docker container (Linux) - runner-config.yaml.tpl: act_runner config (capacity=1, timeout=3h) - com.gitea.runner.plist.tpl: macOS launchd service for native runner - nginx-gitea.conf.tpl: Nginx reverse proxy with SSL/WebSocket support - workflows/security-scan.yml.tpl: Semgrep + Trivy + Gitleaks workflow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 15:03:54 -06:00
parent f32e200c64
commit 6b0e4de464
7 changed files with 250 additions and 0 deletions
--- a/templates/nginx-gitea.conf.tpl
+++ b/templates/nginx-gitea.conf.tpl
@@ -0,0 +1,68 @@
+# Nginx reverse proxy for Gitea — rendered from nginx-gitea.conf.tpl
+# SSL_ENABLED is set by the deployment script, not .env
+
+# HTTP server — always present
+server {
+    listen 80;
+    server_name ${GITEA_DOMAIN};
+
+    # ACME challenge for Let's Encrypt (used when SSL_MODE=letsencrypt)
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    # When SSL is enabled, redirect all other HTTP traffic to HTTPS
+    # When SSL is not yet enabled, proxy directly to Gitea
+    location / {
+        # SSL_REDIRECT_BLOCK_START
+        # This block is replaced by the deployment script:
+        # - Before SSL: proxy_pass to Gitea
+        # - After SSL: return 301 https://$host$request_uri;
+        proxy_pass http://${UNRAID_IP}:${UNRAID_GITEA_PORT};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        # SSL_REDIRECT_BLOCK_END
+    }
+}
+
+# HTTPS server — only present when SSL_ENABLED=true
+# SSL_HTTPS_BLOCK_START
+server {
+    listen 443 ssl;
+    server_name ${GITEA_DOMAIN};
+
+    # SSL certificate paths depend on SSL_MODE:
+    # letsencrypt: /etc/letsencrypt/live/${GITEA_DOMAIN}/
+    # existing: ${SSL_CERT_PATH} and ${SSL_KEY_PATH}
+    ssl_certificate     ${SSL_CERT_FULLPATH};
+    ssl_certificate_key ${SSL_KEY_FULLPATH};
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Allow large git pushes and LFS uploads
+    client_max_body_size 512m;
+
+    location / {
+        proxy_pass http://${UNRAID_IP}:${UNRAID_GITEA_PORT};
+
+        # Standard proxy headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+
+        # WebSocket support (needed for Gitea live features)
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_buffering off;
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+    }
+}
+# SSL_HTTPS_BLOCK_END