final gitea configuration without SSL

hammerhead/app/gitea/deploy/gitea.hcl

@@ -12,16 +12,22 @@ job "gitea" {
 
     network {
       mode = "bridge"
-      port "http" { 
+      port "ssh" { 
-        static = 3000
+        static = 22 
-        to = 3000 
       }
-      port "ssh" { to = 22 }
+      # port "http" { 
+      #   static = 3000
+      #   to = 3000 
+      # }
     }
 
     service {
       name = "gitea-frontend"
-      port = "http"
+      port = "3000"
+
+      connect {
+        sidecar_service {}
+      }
 
       # check {
       #   name     = "alive"
@@ -44,7 +50,7 @@ job "gitea" {
     }
 
     service {
-      name = "gitea-db"
+      name = "gitea-postgres-connector"
 
       connect {
         sidecar_service {
@@ -65,11 +71,7 @@ job "gitea" {
       driver = "docker"
 
       config {
-        # Exposes the http & ssh ports from the container to the host.
+        ports = ["ssh"]
-        # Lame because anyone can access gitea bypassing nginx from :3000
-        # Necessary because without further mesh-net config, 
-        # nginx can't access the container's port.
-        ports = ["http", "ssh"]
         image = "gitea/gitea:1.14.2"
 
         volumes = [

hammerhead/app/nginx/config/gitea.tpl

@@ -1,17 +1,27 @@
-upstream gitea-backend {
+upstream gitea-frontend {
-{{ range service "gitea-frontend" }}
+  server 127.0.0.1:3000;
-  server {{ .Address }}:{{ .Port }};
-{{ else }}
-  server 127.0.0.1:65535; # force a 502
-{{ end }}
 }
 
 server {
-   listen 80;
+  listen 80;
-   listen [::]:80;
+  listen [::]:80;
-   server_name gitea.hammerhead.luxeylab.net;
+  server_name gitea.hammerhead.luxeylab.net;
 
-   location / {
+
-      proxy_pass http://gitea-backend;
+  # Forward information from nginx to the upstream
-   }
+  # add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
+  add_header X-Frame-Options              SAMEORIGIN;
+  add_header X-Content-Type-Options       nosniff;
+  add_header X-XSS-Protection             "1; mode=block";
+  location / {
+    # Forward information from nginx to the upstream
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Forwarded-Host    $http_host;
+    proxy_set_header    X-Forwarded-Port    $server_port;
+
+    proxy_pass http://gitea-frontend;
+  }
 }

hammerhead/app/nginx/deploy/nginx.hcl

@@ -5,6 +5,7 @@ job "nginx" {
     count = 1
 
     network {
+      mode = "bridge"
       port "http" {
         static = 80
       }
@@ -24,6 +25,24 @@ job "nginx" {
       port = "http"
     }
 
+    service {
+      name = "nginx-gitea-frontend-connector"
+
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              # Required
+              destination_name = "gitea-frontend"
+              local_bind_port = "3000"
+              # Optional
+              local_bind_address = "127.0.0.1"
+            }
+          }
+        }
+      }
+    }
+
     task "nginx" {
       driver = "docker"
 
@@ -36,12 +55,12 @@ job "nginx" {
         ]
       }
 
-      template {
+      # template {
-        data = file("../config/dummy-http-server.tpl")
+      #   data = file("../config/dummy-http-server.tpl")
-        destination   = "local/dummy-http-server.conf"
+      #   destination   = "local/dummy-http-server.conf"
-        change_mode   = "signal"
+      #   change_mode   = "signal"
-        change_signal = "SIGHUP"
+      #   change_signal = "SIGHUP"
-      }
+      # }
 
       template {
         data = file("../config/gitea.tpl")