Based on Dvard's answer below, here is roughly what I did to get this to work. Users should replace mydomain.com with their domain (or subdomain):
I tried using gitea's built-in https service, but that didn't work. I think this is because DigitalOcean only lets some privileged services connect to the 443 address, but I'm not sure.
I tried fucking around with DigitalOcean's firewall, but that didn't work.
I tried following Dvard's answer below, but that didn't work because his formatting was fucked up, so I had to spend some time reconstructing it (instead of italics, there should be slashes). In case DigitalOcean messes my formatting as well, I've saved these instructions to a Github gist here: https://gist.github.com/NunoSempere/b96d495194f4461e98555d23d38881fc
As far as I understand, the thing that we're doing is having nginx intercept requests to port 443 (https), and sending them to port 3000. Then, we are intercepting requests to port 80 (http), and giving a reply that the resource has moved (to the https url).
sudo apt install nginx
sudo systemctl enable nginx ## start nginx at boot; "enable" is a systemctl action, service(8) does not know it
sudo service nginx start
sudo service nginx status
sudo apt install python3-certbot-nginx
sudo certbot certonly --standalone -d mydomain.com ## then enter my email, and say no to EFF spam. Note: --standalone binds port 80 itself, so nginx must not be listening there yet (the plugin installed above, "sudo certbot --nginx -d mydomain.com", works with nginx running)
sudo service nginx restart
sudo rm /etc/nginx/sites-enabled/default
sudo vim /etc/nginx/sites-available/root
Then paste:
server {
    listen 443 ssl;
    server_name mydomain.com;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location / {
        # Hand the request to gitea on the loopback interface, and pass the
        # original host, client address and scheme so gitea sees the real request.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:3000;
    }
}
server {
    listen 80;
    server_name mydomain.com;
    # Permanent redirect to https, keeping the requested path and query string
    # (a bare "https://mydomain.com" would send every client to the site root).
    return 301 https://mydomain.com$request_uri;
}
Then
sudo ln -s /etc/nginx/sites-available/root /etc/nginx/sites-enabled
sudo nginx -t ## Check for errors in config file (root is needed to read the private key under /etc/letsencrypt)
sudo service nginx restart ## nginx is already running from above, so a plain start would not load the new site
Dvard creates a new user named git, but I thought this was not needed because the droplet runs as root (?).
vim /var/snap/gitea/common/conf/app.ini
the part after [server] should look something like:
PROTOCOL = http
; nginx terminates TLS; gitea itself only speaks plain http behind it
DOMAIN = mydomain.com
; CHANGE DOMAIN TO YOUR ACTUAL DOMAIN
ROOT_URL = https://mydomain.com/
; public URL gitea puts into links and clone URLs; without it gitea defaults to http://mydomain.com:3000/
HTTP_ADDR = 127.0.0.1
; bind to loopback only, so port 3000 cannot be reached from the internet and bypass nginx (the default is 0.0.0.0)
HTTP_PORT = 3000
; Not 80!!
LFS_JWT_SECRET = some-secret
; placeholder: keep the random value gitea generated, do not paste this one
START_SSH_SERVER = true
SSH_PORT = 22022
Note that instead of mydomain.com, I used git.mydomain.com, because I'm hosting gitea in a subdomain. But this shouldn't matter.
There may be some small mistakes above. In that case, some useful diagnostic commands are:
sudo service nginx status
sudo nginx -t
sudo reboot ## reboot the droplet
sudo snap restart gitea ## easier way to restart gitea
License for the above in case gitea wants to incorporate this into their docs: Public domain, or equivalent.
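Added example, not part of the answer above and not Gitea's or nginx's own tooling: a small post-deploy check for the two things the setup is supposed to guarantee, that plain http is redirected to https without losing the requested path, and that gitea's port 3000 is only reachable on the loopback interface rather than directly from the internet. It assumes DOMAIN is the name used in server_name (default mydomain.com), that gitea listens on GITEA_PORT (default 3000), and that curl and ss (from iproute2) are installed for the live run; the headers and listener tables embedded below are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# check_gitea_proxy.sh: post-deploy checks for the nginx -> gitea setup described
# in the answer above. Added example, not part of the original answer or of
# gitea/nginx. Assumptions: DOMAIN is the nginx server_name (default mydomain.com),
# gitea listens on GITEA_PORT (default 3000), curl and ss exist for live mode.
#   offline self-check:   sh check_gitea_proxy.sh
#   against the droplet:  RUN_LIVE=1 DOMAIN=git.mydomain.com sh check_gitea_proxy.sh
DOMAIN="${DOMAIN:-mydomain.com}"
GITEA_PORT="${GITEA_PORT:-3000}"

# redirect_ok HEADERS PATH
# Succeeds when the raw response headers in $1 are a 301 whose Location is the
# https URL for the same PATH, i.e. the redirect keeps $request_uri instead of
# sending every client to the site root.
redirect_ok() {
    printf '%s\n' "$1" | grep -qi '^HTTP/[0-9.]* 301' || return 1
    printf '%s\n' "$1" | grep -qi "^Location: https://$DOMAIN$2[[:space:]]*$" || return 1
}

# listeners_private SS_OUTPUT PORT
# Succeeds when every TCP listener on PORT in the output of `ss -ltn` is bound to
# a loopback address. gitea's default HTTP_ADDR is 0.0.0.0, which leaves plain
# http://mydomain.com:3000 reachable and bypasses the TLS front end.
# Returns 2 when nothing listens on PORT at all.
listeners_private() {
    locals=$(printf '%s\n' "$1" | awk -v p=":$2" \
        '$1 == "LISTEN" && index($4, p) == length($4) - length(p) + 1 { print $4 }')
    [ -n "$locals" ] || return 2
    # any local address other than 127.0.0.1 or [::1] is a public listener
    if printf '%s\n' "$locals" | grep -qvE '^(127\.0\.0\.1|\[::1\]):'; then
        return 1
    fi
    return 0
}

# Constructed sample data for the offline self-check (not captured from a real host).
SAMPLE_PATH="/user/repo.git/info/refs?service=git-upload-pack"
SAMPLE_REDIRECT_GOOD="HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://$DOMAIN$SAMPLE_PATH"
# what a bare "return 301 https://$DOMAIN;" produces: the path is lost
SAMPLE_REDIRECT_ROOT_ONLY="HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://$DOMAIN"
SAMPLE_SS_PRIVATE="State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:3000    0.0.0.0:*
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
LISTEN 0      128    [::1]:3000        [::]:*"
SAMPLE_SS_PUBLIC="State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   *:3000            *:*
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*"

# self_check: runs both checks against the constructed samples; 0 means all pass.
self_check() {
    redirect_ok "$SAMPLE_REDIRECT_GOOD" "$SAMPLE_PATH" || return 1
    redirect_ok "$SAMPLE_REDIRECT_ROOT_ONLY" "$SAMPLE_PATH" && return 1
    listeners_private "$SAMPLE_SS_PRIVATE" 3000 || return 1
    listeners_private "$SAMPLE_SS_PUBLIC" 3000 && return 1
    return 0
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    probe=/user/repo.git/info/refs
    if redirect_ok "$(curl -sI "http://$DOMAIN$probe")" "$probe"; then
        echo "ok: http://$DOMAIN$probe redirects to https and keeps the path"
    else
        echo "FAIL: http redirect missing, not a 301, or drops the path"
    fi
    listeners_private "$(ss -ltn)" "$GITEA_PORT" && rc=0 || rc=$?
    case $rc in
        0) echo "ok: port $GITEA_PORT is bound to loopback only" ;;
        2) echo "FAIL: nothing listens on port $GITEA_PORT (is gitea running?)" ;;
        *) echo "FAIL: port $GITEA_PORT is reachable on a non-loopback address; set HTTP_ADDR = 127.0.0.1 in app.ini" ;;
    esac
else
    self_check && echo "self-check passed" || echo "self-check FAILED"
fi
```

Run it once with RUN_LIVE=1 after the nginx restart and the gitea restart; a FAIL on the listener check means the TLS redirect can be sidestepped by simply appending :3000 to the hostname, which is the case the HTTP_ADDR setting in app.ini is there to close.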