Support reverse proxy deployment and general container improvements

5 files changed, 43 insertions, 11 deletions

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ceb2b98
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+CLAUDE.md
diff --git a/Caddyfile b/Caddyfile
index 125cf2b..ad6f1ca 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,4 +1,10 @@
-{$SITE_ADDRESS:localhost}
+{
+	servers {
+		trusted_proxies static private_ranges
+	}
+}
+
+{$SITE_ADDRESS::80}
 
 @assets path /cgit.css /cgit.js /cgit.png /favicon.ico /robots.txt
 handle @assets {
@@ -7,8 +13,7 @@ handle @assets {
 }
 
 reverse_proxy unix//var/run/fgciwrap.sock {
-  transport fastcgi {
-    env SCRIPT_FILENAME /usr/share/webapps/cgit/cgit.cgi
-  }
+	transport fastcgi {
+		env SCRIPT_FILENAME /usr/share/webapps/cgit/cgit.cgi
+	}
 }
-
diff --git a/Dockerfile b/Dockerfile
index 8a17307..c62cb30 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,9 @@
-FROM alpine
+FROM alpine:3.21
 WORKDIR /root
 COPY Caddyfile .
 COPY supervisord.conf .
 COPY entrypoint.sh .
 COPY cgitrc.template /etc/
-RUN apk add --no-cache cgit git caddy fcgiwrap supervisor py3-markdown py3-pygments envsubst; \
-    envsubst < /etc/cgitrc.template > /etc/cgitrc
+RUN apk add --no-cache cgit git caddy fcgiwrap supervisor py3-markdown py3-pygments envsubst
 CMD ["supervisord", "-c", "supervisord.conf"]
 ENTRYPOINT ["./entrypoint.sh"]
diff --git a/README.md b/README.md
index 8ca3065..b666b8c 100644
--- a/README.md
+++ b/README.md
@@ -4,8 +4,13 @@
 
 ### Docker compose
 
-Bind mount your git repos to `/repos` and a data folder to `/root/.local/share/caddy`.
-The only environment variable is `SITE_ADDRESS`. If unset then localhost will be used (which you can't really use since the certs are inside the container).
+Bind mount your git repos to `/repos`.
+
+The `SITE_ADDRESS` environment variable is passed directly to Caddy as the site address. If unset, defaults to `:80` (plain HTTP, no TLS).
+
+### Standalone (Caddy handles TLS)
+
+Mount a data folder to `/root/.local/share/caddy` to persist certificates.
 
     services:
       cgit:
@@ -17,4 +22,22 @@ The only environment variable is `SITE_ADDRESS`. If unset then localhost will be
           - ~/repos:/repos
           - ./data:/root/.local/share/caddy
         environment:
-          SITE_ADDRESS: git.soltermann.xyz
+          SITE_ADDRESS: git.example.com
+
+### Behind a reverse proxy
+
+Leave `SITE_ADDRESS` unset (defaults to `:80`). Bind the port to localhost only and let the external proxy handle TLS.
+
+    services:
+      cgit:
+        build: ./cgit
+        ports:
+          - "127.0.0.1:8080:80"
+        volumes:
+          - ~/repos:/repos
+
+Then in your external Caddyfile:
+
+    git.example.com {
+        reverse_proxy localhost:8080
+    }
diff --git a/supervisord.conf b/supervisord.conf
index 953aa5e..fb52d5e 100644
--- a/supervisord.conf
+++ b/supervisord.conf
@@ -7,8 +7,12 @@ user=root
 command=caddy run --config /root/Caddyfile
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 
 [program:git_frontend]
 command=fcgiwrap -s unix:/var/run/fgciwrap.sock
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0