Wednesday, September 4, 2019

Just a Nothing Special Gitea with SSH CLI Install

Starting from my default Debian build, I want a local Gitea machine to act as a centralized git repository with a graphical UI available through a web browser, and I want it to at least look like I care about security.

The link to the description of my default install:
Debian Buster Ultra Basic Install

Okay, first things first.

Anything shown in orange in the original post (placeholder values such as DOMAIN.COM, db-root-password, root-user and the certificate filenames) is likely something special and unique to your install, so change those values where necessary.

Prerequisites.

We'll need a few things.

$ sudo apt install -y curl default-jre git golang-go mariadb-client mariadb-server ufw

$ sudo ufw allow dns

$ sudo ufw allow OpenSSH

$ sudo ufw allow 443/tcp


$ sudo systemctl enable ufw

$ sudo systemctl restart ufw


$ sudo systemctl enable mariadb.service

$ sudo systemctl restart mariadb.service

For SSL we need the certificate and private key files. You'll see them again when we write the app.ini file. Adjust the filenames as needed; the names themselves don't matter, they just need to match what is in the app.ini file.

$ sudo cp wildcard-domain.com.* /etc/ssl/certs/

$ sudo chmod 440 /etc/ssl/certs/wildcard-domain.com.*

Bear with me, we are going to imitate the database modifications that mysql_secure_installation would make.

$ mysql -uroot -p -e "DROP DATABASE IF EXISTS test;"

$ mysql -uroot -p -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'db-root-password' WITH GRANT OPTION;"

$ mysql -uroot -pdb-root-password -e "FLUSH PRIVILEGES;"

The commands further down connect as root-user over the local socket, which MariaDB matches against the host 'localhost', so that host needs the grant as well as 127.0.0.1 and ::1.

$ mysql -uroot -pdb-root-password -e "GRANT ALL PRIVILEGES ON *.* TO 'root-user'@'localhost' IDENTIFIED BY 'db-root-password' WITH GRANT OPTION;"
$ mysql -uroot -pdb-root-password -e "GRANT ALL PRIVILEGES ON *.* TO 'root-user'@'127.0.0.1' IDENTIFIED BY 'db-root-password' WITH GRANT OPTION;"
$ mysql -uroot -pdb-root-password -e "GRANT ALL PRIVILEGES ON *.* TO 'root-user'@'::1' IDENTIFIED BY 'db-root-password' WITH GRANT OPTION;"

$ mysql -uroot -pdb-root-password -e "DELETE FROM mysql.user WHERE User='';"
$ mysql -uroot -pdb-root-password -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"

$ mysql -uroot -pdb-root-password -e "FLUSH PRIVILEGES;"

$ mysql -uroot-user -pdb-root-password -e "DELETE FROM mysql.user WHERE User='root';"

$ mysql -uroot-user -pdb-root-password -e "CREATE USER 'backup-user'@'localhost' IDENTIFIED BY 'db-backup-user-password';"
$ mysql -uroot-user -pdb-root-password -e "GRANT SELECT, SHOW VIEW, RELOAD, REPLICATION CLIENT, EVENT, TRIGGER ON *.* TO 'backup-user'@'localhost';"

$ mysql -uroot-user -pdb-root-password -e "FLUSH PRIVILEGES;"

$ sudo systemctl restart mariadb.service

Now for the Gitea specific database work we need to complete.

$ mysql -uroot-user -pdb-root-password -e "CREATE DATABASE IF NOT EXISTS gitea CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;"

$ mysql -uroot-user -pdb-root-password -e "GRANT ALL ON gitea.* TO 'gitea-user'@'localhost' IDENTIFIED BY 'gitea-db-password';"


$ mysql -uroot-user -pdb-root-password -e "FLUSH PRIVILEGES;"

Nothing in this install creates a git user, and both app.ini (RUN_USER) and the service unit below run Gitea as root, so the directories are owned by root.

$ sudo mkdir -p /var/lib/gitea/{custom,data,indexers,log,public}
$ sudo chown -R root:root /var/lib/gitea
$ sudo chmod 750 /var/lib/gitea

$ sudo mkdir /etc/gitea
$ sudo chown root:root /etc/gitea

$ sudo chmod 770 /etc/gitea

$ sudo mkdir /root/gitea

$ cd /tmp

$ sudo curl -o gitea https://dl.gitea.io/gitea/1.9.1/gitea-1.9.1-linux-amd64

$ sudo chmod 550 gitea

$ sudo mv gitea /usr/local/bin/gitea
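As an added example that is not part of the original post: before moving the binary into place, check the download against the .sha256 checksum file Gitea publishes next to each release binary. The checksum URL below is assumed to follow the same layout as the curl command above. Because the post saves the binary under the plain name gitea rather than its release name, "sha256sum -c" would reject the filename, so the hash field is compared directly.

```sh
#!/bin/sh
# Added example (not from the original post): verify the downloaded Gitea
# binary against the .sha256 file published next to it, then install it.
# Assumes curl and sha256sum (coreutils) are available; the checksum URL
# follows the same layout as the binary URL used in the post.

# verify_sha256 <file> <checksum-file>
# Compares the SHA-256 of <file> with the hash field on the first line of
# <checksum-file>. The post saves the binary as "gitea" instead of its release
# name, so "sha256sum -c" would reject the filename; the hash is compared
# directly instead. Returns 0 on a match, 1 otherwise.
verify_sha256() {
    file="$1"
    sumfile="$2"
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    # A checksum file must hold exactly 64 hex characters in its first field.
    case "$expected" in
        *[!0-9a-f]*|"") echo "bad checksum file: $sumfile" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad checksum file: $sumfile" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print tolower($1) }')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# fetch_and_install <version>
# Downloads the release binary and its checksum file into the current
# directory, verifies them, and only then installs the binary. On a mismatch
# the download is deleted so it cannot be installed by accident.
fetch_and_install() {
    version="$1"
    base="https://dl.gitea.io/gitea/${version}"
    name="gitea-${version}-linux-amd64"
    curl -fsSL -o gitea "${base}/${name}" || return 1
    curl -fsSL -o gitea.sha256 "${base}/${name}.sha256" || return 1
    if ! verify_sha256 gitea gitea.sha256; then
        rm -f gitea gitea.sha256
        return 1
    fi
    sudo chmod 550 gitea
    sudo mv gitea /usr/local/bin/gitea
}

# Usage, in place of the curl/chmod/mv lines above:
#   cd /tmp && fetch_and_install 1.9.1
```

A checksum fetched from the same server as the binary catches a truncated or corrupted download, not a substituted one; Gitea also publishes a detached .asc signature next to each binary, which gpg --verify can check against the Gitea release key for that stronger guarantee.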

If we want to avoid the web-based installer creating the app.ini file, we need to provide one ourselves. Gitea looks for it in the custom directory next to its binary, so use your favorite editor (nano, vi, emacs...) to put the following configuration into /usr/local/bin/custom/conf/app.ini (create the custom/conf directories first).

APP_NAME = PROJECT_NAME
RUN_USER = root
RUN_MODE = prod

[ui]
DEFAULT_THEME = arc-green

[database]
DB_TYPE  = mysql
HOST     = 127.0.0.1:3306
NAME     = gitea
USER     = GITEA_DB_USER
PASSWD   = GITEA_DB_PASSWORD
SSL_MODE = disable
CHARSET  = utf8mb4
PATH     = /usr/local/bin/data/gitea.db

[repository]
ROOT = /root/gitea-repositories

[server]
SSH_DOMAIN       = DOMAIN.COM
DOMAIN           = DOMAIN.COM
HTTP_PORT        = 3000
ROOT_URL         = https://DOMAIN.COM:3000/
DISABLE_SSH      = false
SSH_PORT         = 22
LFS_START_SERVER = false
LFS_CONTENT_PATH = /usr/local/bin/data/lfs
LFS_JWT_SECRET   = GITEA_JWT_SECRET
OFFLINE_MODE     = false
PROTOCOL         = https
CERT_FILE        = /etc/ssl/certs/DOMAIN.COM.crt
KEY_FILE         = /etc/ssl/certs/DOMAIN.COM.key

[mailer]
ENABLED        = true
HOST           = MAILGUN_SMTP_HOST:465
FROM           = GITEA_SYSTEM_EMAIL
USER           = MAILGUN_SMTP_USER
PASSWD         = MAILGUN_SMTP_PASSWORD
IS_TLS_ENABLED = true

[service]
ACTIVE_CODE_LIVE_MINUTES          = 1440
RESET_PASSWD_CODE_LIVE_MINUTES    = 1440
REGISTER_EMAIL_CONFIRM            = true
ENABLE_NOTIFY_MAIL                = true
DISABLE_REGISTRATION              = false
ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
ENABLE_CAPTCHA                    = true
REQUIRE_SIGNIN_VIEW               = true
DEFAULT_KEEP_EMAIL_PRIVATE        = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING       = true
NO_REPLY_ADDRESS                  = noreply

[security]
INTERNAL_TOKEN        = GITEA_INTERNAL_TOKEN
INSTALL_LOCK          = true
SECRET_KEY            = GITEA_SECRET_KEY
LOGIN_REMEMBER_DAYS   = 7
COOKIE_USERNAME       = gitea_awesome
COOKIE_REMEMBER_NAME  = gitea_incredible
MIN_PASSWORD_LENGTH   = 8
IMPORT_LOCAL_PATHS    = false
DISABLE_GIT_HOOKS     = false
PASSWORD_HASH_ALGO    = pbkdf2
CSRF_COOKIE_HTTP_ONLY = true

[picture]
DISABLE_GRAVATAR        = false
ENABLE_FEDERATED_AVATAR = true

[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true

[oauth2]
JWT_SECRET = GITEA_JWT_SECRET

[session]
PROVIDER = file

[log]
MODE      = file
LEVEL     = info
ROOT_PATH = /usr/local/bin/log
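The app.ini above still holds literal placeholders for every secret, and with INSTALL_LOCK set nothing will regenerate them: if you forget one, Gitea runs with the string GITEA_SECRET_KEY as its cookie signing key. As an added example that is not from the post, the script below generates the secrets, substitutes them into the file, and fails if any placeholder survives. The placeholder names are the ones used above; the two JWT secrets, which share one placeholder above, are given different values.

```sh
#!/bin/sh
# Added example (not from the original post): replace the secret placeholders
# in app.ini with random values and refuse to continue while any placeholder
# is left. Assumes the placeholder names used in the post's app.ini and GNU
# sed (for -i); secrets come from the kernel CSPRNG via /dev/urandom.

# random_secret <length>: alphanumeric string of <length> characters.
# LC_ALL=C makes tr treat /dev/urandom as raw bytes regardless of locale.
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# set_value <file> <KEY> <value>: rewrite the "KEY = ..." line in place.
# "|" is the sed delimiter; the alphanumeric secrets never contain it.
set_value() {
    sed -i "s|^\([[:space:]]*$2[[:space:]]*=\).*|\1 $3|" "$1"
}

# fill_secrets <file>: one fresh value per secret. SECRET_KEY and
# INTERNAL_TOKEN are free-form strings. LFS_JWT_SECRET and JWT_SECRET are
# read by Gitea as base64url and are expected to decode to 32 bytes, which
# 43 base64url characters do (assumption based on how Gitea handles these
# two keys; it regenerates a value it cannot decode).
fill_secrets() {
    f="$1"
    set_value "$f" SECRET_KEY     "$(random_secret 64)"
    set_value "$f" INTERNAL_TOKEN "$(random_secret 64)"
    set_value "$f" LFS_JWT_SECRET "$(random_secret 43)"
    set_value "$f" JWT_SECRET     "$(random_secret 43)"
}

# check_placeholders <file>: list every line that still carries one of the
# post's placeholder tokens (secrets, database and mail credentials, domain,
# app name) and return 1; return 0 when the file is clean.
check_placeholders() {
    if grep -nE 'GITEA_[A-Z_]+|MAILGUN_[A-Z_]+|DOMAIN\.COM|PROJECT_NAME' "$1"; then
        echo "unfilled placeholders remain in $1; fill them before running gitea migrate" >&2
        return 1
    fi
    return 0
}

# Usage (as root, against the app.ini you just wrote):
#   fill_secrets /path/to/app.ini
#   check_placeholders /path/to/app.ini   # lists the values still to fill by hand
```

The database user, mail credentials and domain are deliberately left to be filled by hand; check_placeholders exists so that a forgotten one stops you before gitea migrate rather than after the first login.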

We are ready to mimic the last of the install steps the GUI installer would kick off. The benevolent Gitea developers have blessed us with a subcommand we can run from the command line to create the database schema. Bless you Gitea devs!

$ sudo gitea migrate

Now to create a service to manage Gitea and start it at boot.

$ sudo touch /etc/systemd/system/gitea.service

Use your favorite editor (nano, vi, emacs...) to put the following configuration into /etc/systemd/system/gitea.service .

[Unit]

Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
#Requires=mysql.service
Requires=mariadb.service
#Requires=postgresql.service
#Requires=memcached.service
#Requires=redis.service

[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=root
Group=root
ExecStart=/usr/local/bin/gitea web
Restart=always
Environment=USER=root HOME=/root/gitea
# If you want to bind Gitea to a port below 1024 uncomment
# the two values below
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Lastly, we tell systemd to pick up the new unit file, then enable and start the service with the following commands.

$ sudo systemctl daemon-reload
$ sudo systemctl enable gitea
$ sudo systemctl start gitea

That should more or less do it. Navigate to https://domain.com:3000/ to see your handiwork...

(I left my installation listening on port 3000 because I usually have a network-wide reverse proxy that uses the SNI hostname on port 443 to direct the proper web traffic to each host.)
