47 lines
1.4 KiB
Markdown
47 lines
1.4 KiB
Markdown
# Production deployment
|
|
|
|
Run the Compose stack behind an HTTPS reverse proxy. Keep the Gitea HTTP port
|
|
and Hop control-plane port bound to loopback; only publish Gitea's SSH port if
|
|
the deployment has a DNS-only hostname that can reach it without an HTTP
|
|
proxy.
|
|
|
|
Start from `.env.example`, replace every secret, and set at least:
|
|
|
|
```dotenv
|
|
GITEA_DOMAIN=git.example.com
|
|
GITEA_ROOT_URL=https://git.example.com/
|
|
GITEA_HTTP_BIND=127.0.0.1
|
|
HOP_HTTP_BIND=127.0.0.1
|
|
GITEA_SSH_BIND=127.0.0.1
|
|
GITEA_DISABLE_SSH=true
|
|
GITEA_DISABLE_REGISTRATION=true
|
|
GITEA_ACTIONS_ENABLED=false
|
|
```
|
|
|
|
Start the services and install the Hop-native Gitea assets:
|
|
|
|
```sh
|
|
docker compose --env-file .env up --build -d
|
|
./deploy/gitea/install-hop-native.sh
|
|
```
|
|
|
|
The reverse proxy should forward the public hostname to the configured
|
|
`GITEA_HTTP_BIND:GITEA_HTTP_PORT`, preserve the `Host` header, and set
|
|
`X-Forwarded-Proto` to `https`. It must also proxy `/hop/` to the Hop control
|
|
plane, preserving the browser's Gitea session cookie. This lets the Prompts
|
|
view check the viewer's repository access before returning potentially
|
|
sensitive prompt text.
|
|
|
|
For nginx, the control-plane location should precede the Gitea catch-all:
|
|
|
|
```nginx
|
|
location /hop/ {
|
|
proxy_pass http://127.0.0.1:8080/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Cookie $http_cookie;
|
|
}
|
|
```
|
|
|
|
Persistent repository and database data live in the named Compose volumes.
|