FreeBSD jails have their own subnet through a bridge (br0).
Using PF it's possible to expose a jail's network on the public interface (em0), for example port 443.
As Gitea on FreeBSD runs as an rc service, a new 'gitea' jail will be created, serving HTTP on port 3000 inside the jail.
To redirect the Gitea port to HTTPS, an nginx jail will be used.
|em0 - public ip
+---+----------------------------------------------+
| |PF FIREWALL HOST |
| | |
| | |
| |br0 - 172.16.0.0/0 |
| +------------+--------------+ |
| | |:80 | |
| |:3306 |:443 | :3000 |
| +-+--------+ +-+----------+ +-+------------+ |
| |DB_JAIL | |NGINX_JAIL | |GITEA_JAIL | |
| | | | | | | |
| |172.16.0.1| |172.16.0.2 | |172.16.0.3 | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| +----------+ +------------+ +--------------+ |
| |
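+--------------------------------------------------+
-- Run on the MySQL/MariaDB server in DB_JAIL (172.16.0.1).
-- The host part of a MySQL account ('user'@'host') is the address the
-- *client* connects from, not the server's own address. Gitea runs in
-- GITEA_JAIL (172.16.0.3 in the diagram), so the account must be bound to
-- that source IP; 'gitea'@'172.16.0.1' would only match connections
-- originating from the DB jail itself and Gitea's logins would be denied.
CREATE USER 'gitea'@'172.16.0.3' IDENTIFIED BY 'YourPassword';
ALTER USER 'gitea'@'172.16.0.3' IDENTIFIED BY 'YourPassword';
CREATE DATABASE gitea CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_unicode_ci';
-- Privileges are scoped to the gitea schema only; no global grants.
GRANT ALL ON gitea.* TO 'gitea'@'172.16.0.3';
FLUSH PRIVILEGES;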
How to create a jail environment will not be covered here, but if you want to know more, I use this Jails NullFS method.
Once the jail is created and started, the Gitea-related packages will be installed:
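# Run from the host: 'pkg -j gitea' installs into the jail named gitea.
# 'gitea' itself is added here because it provides the 'gitea' rc service
# that is enabled and started later; the original list omitted it.
# bash: Gitea's default hook SCRIPT_TYPE; ca_root_nss: trusted CA bundle;
# git and openssl: runtime dependencies.
pkg -j gitea install gitea bash ca_root_nss git openssl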
You can check this example configuration of /usr/local/etc/gitea/conf/app.ini:
# Example /usr/local/etc/gitea/conf/app.ini for a Gitea instance running
# inside a jail, with the database in DB_JAIL and nginx terminating TLS.
APP_NAME = git name
RUN_USER = git
RUN_MODE = prod
[database]
DB_TYPE = mysql
# DB_JAIL address from the diagram; the connection stays on the jail bridge (br0).
HOST = 172.16.0.1:3306
NAME = gitea
# Placeholder: use the password given to CREATE USER on the DB jail.
# NOTE(review): confirm whether the surrounding quotes are stripped by the
# config parser or sent to MySQL as part of the password.
PASSWD = 'YourPassword'
# Used by the sqlite3 backend; presumably ignored for DB_TYPE = mysql.
PATH = /var/db/gitea/gitea.db
# Cleartext to the DB jail; acceptable only because the bridge never leaves the host.
SSL_MODE = disable
USER = gitea
[indexer]
ISSUE_INDEXER_PATH = /var/db/gitea/indexers/issues.bleve
[log]
ROOT_PATH = /var/log/gitea
MODE = file
LEVEL = Info
[mailer]
ENABLED = false
[oauth2]
# Placeholder: replace with a random value before the first start.
JWT_SECRET = RandomAlphaNumericCode
[picture]
AVATAR_UPLOAD_PATH = /var/db/gitea/data/avatars
DISABLE_GRAVATAR = false
ENABLE_FEDERATED_AVATAR = false
[repository]
ROOT = /var/db/gitea/gitea-repositories
# Gitea's default is 'bash', so if you have bash installed, you can comment
# this out.
SCRIPT_TYPE = sh
ENABLE_PUSH_CREATE_USER = true
DEFAULT_PUSH_CREATE_PRIVATE = false
[repository.upload]
TEMP_PATH = /var/db/gitea/data/tmp/uploads
[security]
# INSTALL_LOCK = true skips the web installer, so nothing will replace the
# placeholder secrets below for you: set INTERNAL_TOKEN and SECRET_KEY to
# random values before the first start (anyone holding them can forge
# sessions and internal API calls) and keep this file readable only by RUN_USER.
INSTALL_LOCK = true
INTERNAL_TOKEN = AnotherRandomAlphaNumericCode==
SECRET_KEY = ChangeMeBeforeRunning
[session]
PROVIDER = file
PROVIDER_CONFIG = /var/db/gitea/data/sessions
[server]
DOMAIN = git.yourdomain.com
# Listens on every address of the jail (only 172.16.0.3 here). Port 3000 is
# meant to be reached by the nginx jail over br0, not redirected from em0.
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
# Public URL is the TLS endpoint served by the nginx jail.
ROOT_URL = https://%(DOMAIN)s/
# NOTE(review): with SSH enabled, clone URLs point at DOMAIN:22; reaching the
# jail on that port needs its own PF rule, separate from the 443 redirect.
DISABLE_SSH = false
SSH_DOMAIN = %(DOMAIN)s
SSH_PORT = 22
OFFLINE_MODE = false
APP_DATA_PATH = /var/db/gitea/data
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
# Closed instance: accounts are created by an administrator, not by self-registration.
DISABLE_REGISTRATION = true
ENABLE_CAPTCHA = true
REQUIRE_SIGNIN_VIEW = false
# Plain-HTTP listener: serves nothing, only redirects to TLS.
# $server_name (rather than the client-supplied $host) keeps the redirect
# target pinned to this vhost.
server {
listen 80;
server_name git.yourdomain.com;
return 301 https://$server_name:443$request_uri;
}
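# TLS vhost in NGINX_JAIL, reverse-proxying to Gitea in GITEA_JAIL.
server {
    listen 443 ssl http2;
    server_name git.yourdomain.com;
    location / {
        # Host and port must be contiguous; "172.16.0.3 :3000" is a
        # configuration syntax error, not a valid upstream.
        proxy_pass http://172.16.0.3:3000;
        # Pass the original client address and scheme through so Gitea's
        # logs and generated links see the client and https, not the proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    error_log /var/log/git.error.log;
    access_log /var/log/git.access.log;
    ## SSL settings
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/fullchain.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); the cipher list below only
    # contains TLS 1.2 suites anyway. Add TLSv1.3 here if the installed
    # nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ecdh_curve secp384r1;
    add_header Strict-Transport-Security max-age=31536000;
}
Finally, enable and start gitea service inside the jail.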
# Run inside the gitea jail. Persists gitea_enable in rc.conf so the
# service also comes up on later jail restarts.
sysrc gitea_enable=yes
# 'onestart' starts the service regardless of the rc.conf flag; since the
# flag was just set above, a plain 'service gitea start' would also work.
service gitea onestart
To check that the service is working:
[root@gitea /]# service gitea status
gitea is running as pid 25587.