“Gitea is an open-source forge software package for hosting software development version control using Git as well as other collaborative features like bug tracking, wikis and code review. - Wikipedia”

goals:

  • install and setup gitea
  • nginx reverse proxy
  • privacy tweaks
  • optimize server for static content
  • handle updates
  • setup fail2ban

install requirements

## install required software
> apt install gnupg git postgresql nginx fail2ban

configure postgresql

## edit /etc/postgresql/11/main/postgresql.conf (the setting only takes effect after the postgresql restart further below; a role password created before that restart is stored with the algorithm that was active at the time)
password_encryption = scram-sha-256

## change to user postgres to create db and user (replace the placeholder 'passwd' with a strong, unique password; the same value is entered later in the web installer)
> su postgres
> psql
postgres='#': CREATE ROLE gitea LOGIN ENCRYPTED PASSWORD 'passwd';
postgres='#': CREATE DATABASE gitea;
postgres='#': GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
postgres='#': exit;

## enable & start postgres service
> systemctl enable postgresql \
  && systemctl restart postgresql

create git user

## add git user 
> adduser --system --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git

you can change the username, but the default ssh clone address then looks like git@example.com (the user part is this username)

setup folder and permissions

## setup dirs owner and permissions
> mkdir -p /var/lib/gitea/{custom,data,log} \
  && chown -R git:git /var/lib/gitea/ \
  && chmod -R 750 /var/lib/gitea/

> mkdir /etc/gitea \
  && chown root:git /etc/gitea \
  && chmod 770 /etc/gitea

download and verify bin

## download binary and signature file (gitea-master-* is the unversioned build of the master branch)
> wget https://dl.gitea.io/gitea/master/gitea-master-linux-amd64 \
  && wget https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.asc

## verify signature (continue with the next step only if gpg reports a good signature and the key fingerprint matches the one fetched here)
> gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2 \
  && gpg --verify gitea-master-linux-amd64.asc gitea-master-linux-amd64	

## move binary to /usr/local/bin/gitea
> mv gitea-master-linux-amd64 /usr/local/bin/gitea

## set binary executable
> chmod +x /usr/local/bin/gitea

Note: after the web installation has finished, tighten the permissions on /etc/gitea/app.ini as described below; the group-writable mode set above is only needed while the installer writes app.ini

setup workdir

## setup variables (this only affects the current shell; the service unit below sets GITEA_WORK_DIR itself via Environment=)
> export GITEA_WORK_DIR=/var/lib/gitea/

edit /etc/systemd/system/gitea.service

[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
Requires=postgresql.service

[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
RuntimeDirectory=gitea
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea

[Install]
WantedBy=multi-user.target
## reload systemd
> systemctl daemon-reload

## enable & start gitea service
> systemctl enable gitea \
  && systemctl restart gitea

webinterface <host>:3000 (plain http, directly on gitea; this port stays reachable next to the nginx proxy configured below unless you bind gitea to localhost or filter the port)

create certificates

## generate self signed certificates
> openssl req -x509 -nodes -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=XX" -newkey rsa:4096 -keyout /etc/ssl/nginx.key -out /etc/ssl/nginx.crt -days 365

edit /etc/nginx/sites-available/default

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl;

        server_name gitea;
        ssl_certificate /etc/ssl/nginx.crt;
        ssl_certificate_key /etc/ssl/nginx.key;

        location / {
            proxy_pass http://localhost:3000;
        }
}
## enable & start nginx service
> systemctl enable nginx \
  && systemctl restart nginx

for now gitea is available under https://<host> (and, because the server block above also listens on port 80 without a redirect, still over plain http://<host>)

Setup Gitea over Webinterface:

  • Choose PostgreSQL
  • Setup DB Password
  • Create Administrator

after the installation has completed successfully, correct the app.ini permissions

set correct permissions on /etc/gitea/app.ini

## restrict /etc/gitea permissions after the installation has completed
> chmod 750 /etc/gitea
> chown root:git /etc/gitea/app.ini
> chmod 640 /etc/gitea/app.ini

optional tweaks in /etc/gitea/app.ini

## dark theme default
[ui]
DEFAULT_THEME = arc-green

## disable self-registration
[service]
DISABLE_REGISTRATION = true

## must login to see anything for private use
[service]
REQUIRE_SIGNIN_VIEW = true

## hide mail addresses
[service]
DEFAULT_KEEP_EMAIL_PRIVATE = true

## offline mode, no external resources
[server]
OFFLINE_MODE = true

## private repository checkbox enabled by default (did not work in my test)
[repository]
DEFAULT_PRIVATE = true

## change hash algorithm to argon2
[security]
PASSWORD_HASH_ALGO = argon2

## hide footer details
[other]
SHOW_FOOTER_BRANDING           = false
SHOW_FOOTER_VERSION            = false
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false

if you want to optimize nginx for gitea, try the following
see: “Using Nginx as a reverse proxy and serve static resources directly” - building these static files pulls in about 300 dependencies, so it should be done on another machine and only the resulting public folder copied to the server

## required software
> apt install npm nodejs make git

## change dir and clone the gitea source
> cd /var/www \
	&& git clone https://github.com/go-gitea/gitea.git \
	&& cd gitea

## build gitea static content
> make frontend 

## remove everything except the public folder (run inside /var/www/gitea, see the cd above)
find . -maxdepth 1 ! -name "public" ! -name . -exec rm -r {} \;

## configure /etc/nginx/sites-available/default
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl;

        server_name gitea;
        ssl_certificate /etc/ssl/nginx.crt;
        ssl_certificate_key /etc/ssl/nginx.key;

        location /_/static {
        alias /var/www/gitea/public;
        }
        location / {
            proxy_pass http://localhost:3000;
        }
}

finally, an update follows the same steps as the install

## stop systemd service
> systemctl stop gitea.service

## download binary and signature file (gitea-master-* is the unversioned build of the master branch)
> wget https://dl.gitea.io/gitea/master/gitea-master-linux-amd64 \
  && wget https://dl.gitea.io/gitea/master/gitea-master-linux-amd64.asc

## verify signature (continue with the next step only if gpg reports a good signature and the key fingerprint matches the one fetched here)
> gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2 \
  && gpg --verify gitea-master-linux-amd64.asc gitea-master-linux-amd64	

## move binary to /usr/local/bin/gitea
> mv gitea-master-linux-amd64 /usr/local/bin/gitea

## set binary executable
> chmod +x /usr/local/bin/gitea

## start systemd service
> systemctl start gitea.service

for fail2ban edit /etc/fail2ban/filter.d/gitea.conf

# gitea.conf
[Definition]
failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =

edit /etc/fail2ban/jail.d/gitea.conf

[gitea]
enabled = true
filter = gitea
logpath = /var/lib/gitea/log/gitea.log
maxretry = 3
findtime = 3600
bantime = 900
action = iptables-allports

and setup log in /etc/gitea/app.ini

[log]
MODE                 = file
LEVEL                = warn
ROOT_PATH            = /var/lib/gitea/log

add proxy_set_header X-Real-IP $remote_addr; in nginx.conf and restart both services; without this header gitea logs the proxy's own address instead of the client's, so the fail2ban filter above would not see the real source host