Files
GitHop/docs/production-deployment.md
T
cyph3rasi 96cd6823b2 Recognize authenticated Gitea browser sessions without weakening per-user prompt isolation
Hop-State: A_06FNB6HTKZAXH2SX1G8AB0R
Hop-Proposal: R_06FNB6HA40Y1E1T39G6YJHG
Hop-Task: T_06FNB5TE4DHAVABVH82WBN8
Hop-Attempt: AT_06FNB5TE4FW7MD6KTFYP3EG
2026-07-12 02:13:18 -07:00

1.7 KiB

Production deployment

Run the Compose stack behind an HTTPS reverse proxy. Keep the Gitea HTTP port and Hop control-plane port bound to loopback; only publish Gitea's SSH port if the deployment has a DNS-only hostname that can reach it without an HTTP proxy.

Start from .env.example, replace every secret, and set at least:

GITEA_DOMAIN=git.example.com
GITEA_ROOT_URL=https://git.example.com/
GITEA_HTTP_BIND=127.0.0.1
HOP_HTTP_BIND=127.0.0.1
GITEA_SSH_BIND=127.0.0.1
GITEA_DISABLE_SSH=true
GITEA_DISABLE_REGISTRATION=true
GITEA_ACTIONS_ENABLED=false

Start the services and install the Hop-native Gitea assets:

docker compose --env-file .env up --build -d
./deploy/gitea/install-hop-native.sh

The reverse proxy should forward the public hostname to the configured GITEA_HTTP_BIND:GITEA_HTTP_PORT, preserve the Host header, and set X-Forwarded-Proto to https. It must also proxy /hop/ to the Hop control plane, preserving the browser's Gitea session cookie. This lets the Prompts view check the viewer's repository access before returning potentially sensitive prompt text.

The control plane verifies the browser session through Gitea's protected web settings route, then uses GITEA_API_TOKEN to resolve the server-rendered login to Gitea's immutable user ID. Gitea's /api/v1/user endpoint is token-only and must not be used to validate browser sessions.

For nginx, the control-plane location should precede the Gitea catch-all:

location /hop/ {
    proxy_pass http://127.0.0.1:8080/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Cookie $http_cookie;
}

Persistent repository and database data live in the named Compose volumes.