6b0e4de464
- docker-compose-gitea.yml.tpl: Gitea + SQLite container - app.ini.tpl: Gitea config (INSTALL_LOCK, Actions enabled, no registration) - docker-compose-runner.yml.tpl: act_runner Docker container (Linux) - runner-config.yaml.tpl: act_runner config (capacity=1, timeout=3h) - com.gitea.runner.plist.tpl: macOS launchd service for native runner - nginx-gitea.conf.tpl: Nginx reverse proxy with SSL/WebSocket support - workflows/security-scan.yml.tpl: Semgrep + Trivy + Gitleaks workflow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
69 lines
2.2 KiB
Smarty
69 lines
2.2 KiB
Smarty
# Nginx reverse proxy for Gitea — rendered from nginx-gitea.conf.tpl
|
|
# SSL_ENABLED is set by the deployment script, not .env
|
|
|
|
# HTTP server — always present
|
|
server {
|
|
listen 80;
|
|
server_name ${GITEA_DOMAIN};
|
|
|
|
# ACME challenge for Let's Encrypt (used when SSL_MODE=letsencrypt)
|
|
location /.well-known/acme-challenge/ {
|
|
root /var/www/html;
|
|
}
|
|
|
|
# When SSL is enabled, redirect all other HTTP traffic to HTTPS
|
|
# When SSL is not yet enabled, proxy directly to Gitea
|
|
location / {
|
|
# SSL_REDIRECT_BLOCK_START
|
|
# This block is replaced by the deployment script:
|
|
# - Before SSL: proxy_pass to Gitea
|
|
# - After SSL: return 301 https://$host$request_uri;
|
|
proxy_pass http://${UNRAID_IP}:${UNRAID_GITEA_PORT};
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
# SSL_REDIRECT_BLOCK_END
|
|
}
|
|
}
|
|
|
|
# HTTPS server — only present when SSL_ENABLED=true
|
|
# SSL_HTTPS_BLOCK_START
|
|
server {
|
|
listen 443 ssl;
|
|
server_name ${GITEA_DOMAIN};
|
|
|
|
# SSL certificate paths depend on SSL_MODE:
|
|
# letsencrypt: /etc/letsencrypt/live/${GITEA_DOMAIN}/
|
|
# existing: ${SSL_CERT_PATH} and ${SSL_KEY_PATH}
|
|
ssl_certificate ${SSL_CERT_FULLPATH};
|
|
ssl_certificate_key ${SSL_KEY_FULLPATH};
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
|
|
# Allow large git pushes and LFS uploads
|
|
client_max_body_size 512m;
|
|
|
|
location / {
|
|
proxy_pass http://${UNRAID_IP}:${UNRAID_GITEA_PORT};
|
|
|
|
# Standard proxy headers
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
|
|
# WebSocket support (needed for Gitea live features)
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_buffering off;
|
|
proxy_read_timeout 3600s;
|
|
proxy_send_timeout 3600s;
|
|
}
|
|
}
|
|
# SSL_HTTPS_BLOCK_END
|