You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Mageas 73d3374e40
Update: It is not necessary to open ports on an external network
2 weeks ago
.env Update: Add mailer for gmail 1 month ago
README.org Add: security with fail2ban 1 month ago
docker-compose.yml Update: It is not necessary to open ports on an external network 2 weeks ago
nginx.conf Initial commit 2 months ago

README.org

Gitea

Nginx Setup

Certginx is used for simplicity.

Copy nginx.conf to ./nginx/conf.d/subdomain.domain.com.conf in the Certginx directory.

Then follow the steps here.

Docker Setup

Informations

User Username
Host gitea
Docker git

Key & Token

Generate new secrets/tokens.

sed -i -e 's/gitea_secret_key/'"$(docker run -it --rm gitea/gitea:1 gitea generate secret SECRET_KEY)"'/g' docker-compose.yml
sed -i -e 's/gitea_internal_token/'"$(docker run -it --rm gitea/gitea:1 gitea generate secret INTERNAL_TOKEN)"'/g' docker-compose.yml

SSH Container Passthrough

Generate the SSH key pars.

sudo -u gitea ssh-keygen -t rsa -b 4096 -C "Gitea Host Key"

Configure the SSH folder.

sudo -u gitea cat /home/gitea/.ssh/id_rsa.pub | sudo -u gitea tee -a /home/gitea/.ssh/authorized_keys
sudo chmod 600 /home/gitea/.ssh/authorized_keys

Script for SSH passthrough

cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
sudo chmod +x /usr/local/bin/gitea

Docker Backup

Dump

docker exec -u git -it -w /tmp $(docker ps -qf 'name=^gitea$') bash -c '/usr/local/bin/gitea dump -c /data/gitea/conf/app.ini'

Share

Create the shared directory.

mkdir /home/gitea-shared

Add the shared group.

addgroup gitea-shared

Update the permissions of the shared directory for the group.

chown :gitea-shared /home/gitea-shared

Add the users to the shared group (Duplicate this for the other user).

usermod -aG gitea-shared gitea

Update the permissions of the shared directory

chmod 1770 /home/gitea-shared

Sharing the Dump

Update the permission of the file

chown :gitea-shared /path/to/your/dumps.zip

Move the file to your shared directory

cp /home/gitea/gitea/dumps/* /home/gitea-shared

Script

Automation for the Dumping, encrypt the dumped file with gpg, then move the encrypted file to the shared directory.

#!/bin/bash
GPG_EMAILS=(
    "example1@mail.net"
    "example2@mail.net"
)

DUMPS_DIR="/home/gitea/gitea/dumps"
SHARE_DIR="/home/gitea-shared"
BACKUP_DURATION_IN_DAYS=28

find ${SHARE_DIR} -type f -mtime +${BACKUP_DURATION_IN_DAYS} -delete

echo "[$(date '+%Y-%m-%d %H:%M')] Dumping Gitea.."
docker exec -u git -it -w /tmp $(docker ps -qf 'name=^gitea$') bash -c '/usr/local/bin/gitea dump -c /data/gitea/conf/app.ini' &>/dev/null || exit 1

for file in "${DUMPS_DIR}"/*; do
    file="${file##*/}"
    for email in "${GPG_EMAILS[@]}"; do
        echo "[$(date '+%Y-%m-%d %H:%M')] Encrypting '${file}' for ${email}"
        gpg -r ${email} -o "${SHARE_DIR}/${email}:${file}.gpg" -e "${DUMPS_DIR}/${file}" || exit 1
        chown :gitea-shared "${SHARE_DIR}/${email}:${file}.gpg" || exit 1
    done
    rm -r "${DUMPS_DIR}/${file}" || exit 1
done
echo "[$(date '+%Y-%m-%d %H:%M')] Backup completed"

Security (fail2ban)

Add /etc/fail2ban/jail.local:

[gitea]
enabled = true
port = 80,443
filter = gitea
action = iptables-allports[chain="FORWARD"]
logpath = /var/lib/docker/volumes/gitea_gitea/_data/gitea/log/gitea.log
maxretry = 6
bantime = 30m
findtime = 10m

Create /etc/fail2ban/filter.d/gitea.local:

[INCLUDES]
before = common.conf

[Definition]
failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =