Setup self hosted git repository with Gitea

Gitea Overview

Gitea is a self-hosted Git service. It provides lightweight code hosting solution written in Go and published under the MIT license. The tool is a community managed fork of Gogs.

Git itself is a distributed version-control system for tracking changes in in files. The tool was originally invented by Linus Torvalds in 2005 to manage the development of the Linux kernel among other developers contributing to its code-base.

Unlike many other client-server systems, every Git directory on every computer contains the full repository with a complete history and version tracking, making it independent of network access or a central server.

Git was developed initially for software development, but it can be used to track changes in any kind of files.

Requirements

Installing Gitea

1 . Log into your server via SSH.

2 . Update the APT sources, upgrade the already installed software and install Git:

apt update && apt upgrade -y && apt install git -y

Download the Gitea Binary and make it executable :

wget -O gitea https://dl.gitea.io/gitea/1.8.1/gitea-1.8.1-linux-amd64
chmod +x gitea

3 . Add the user that will run the Gitea application:

adduser --system --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git

4 . Create the folder structure that is used by Gitea to store data:

mkdir -p /var/lib/gitea/custom
mkdir -p /var/lib/gitea/data
mkdir -p /var/lib/gitea/log
chown -R git:git /var/lib/gitea/
chmod -R 750 /var/lib/gitea/
mkdir /etc/gitea
chown root:git /etc/gitea
chmod 770 /etc/gitea

5 . Set the working directory of Gitea:

export GITEA_WORK_DIR=/var/lib/gitea/

6 . Copy the Gitea binary file to /usr/local/bin to make it available system-wide:

cp gitea /usr/local/bin/gitea

Running Gitea

1 . Create a Systemd service for Gitea by opening the file /etc/systemd/system/gitea.service in a texteditor like nano.

2 . Copy the following content into the service file:

[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
#Requires=mysql.service
#Requires=mariadb.service
#Requires=postgresql.service
#Requires=memcached.service
#Requires=redis.service

[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
# If you want to bind Gitea to a port below 1024 uncomment
# the two values below
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

3 . Enable the service and start Gitea at system boot:

systemctl enable gitea
systemctl start gitea

4 . Start Gitea for the first time from the command-line:

GITEA_WORK_DIR=/var/lib/gitea/ /usr/local/bin/gitea web -c /etc/gitea/app.ini

5 . In a web browser go to http://<your_instance_ip>:3000/ to access the Gitea application:

Gitea Application

6 . Click on Register to start the database initialization. Gitea supports SQLite which makes the application very lightweight and ideal for a self-hosted development Environment. If you require more performance, it is also possible to use MySQL/MariaDB or PostGreSQL.

7 . Choose SQLite as database type. Leave the other pre-filled settings as they are, they are already set to the required values and confirm the form.

8 . The installation is ready now and it is time to create the first user. Open http://<your_instance_ip>:3000/user/sign_up in a web browser and fill in the required parameters.

Important: The first user becomes automatically Admin of the Gitea instance.

9 . Once the form has been submitted, you are logged into your Gitea account:

Gitea Dashboard

You can now configure your profile and begin to host code on your instance.

Setting up a Nginx SSL/TLS reverse proxy

For increased security it is possible to recommended to configure NGINX reverse proxy](https://www.scaleway.com/en/docs/how-to-configure-nginx-reverse-proxy/) with TSL/SSL in front of the Gitea instance, it handles all requests sent from a client to the web interface and adds a layer of increased security and performance.

1 . Install Nginx:

apt install nginx

2 . Disable the default virtual host which has been configured during the installation of Nginx via the apt packet manager:

unlink /etc/nginx/sites-enabled/default

3 . Enter the directory /etc/nginx/sites-available and create a reverse proxy configuration file:

cd /etc/nginx/sites-available
nano reverse-proxy.conf

4 . Paste the following Nginx configuration block in the text editor. The proxy server redirects all incoming connections to the web server listening on port 80, to the local Gitea application, listening on port 3000.

server {
        listen 80;
        listen [::]:80;
        server_name gitea.example.com;

        access_log /var/log/nginx/reverse-access.log;
        error_log /var/log/nginx/reverse-error.log;

        location / {
                    proxy_pass http://127.0.0.1:3000;
  }
}

5 . Create a symbolic link from /etc/nginx/sites-available/reverse-proxy.conf to /etc/nginx/sites-enabled/reverse-proxy.conf to activate the new configuration:

ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

6 . Restart Ngnix:

service nginx restart

7 . Certbot is a tool that is able to obtain and renew Let’s Encrypt apt repository and install the Certbot application

apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt update && apt install python-certbot-nginx -y

8 . Certbot is able to configure the Nginx automatically. Run the application and specify the flag --nginx to configure the web server:

certbot --nginx

9 . When asked to do so, enter your email address and press Enter.

10 . Confirm the Terms of Service of Let’s Encrypt by pressing on A to agree.

11 . Certbot asks you if you want to share your email address with the Electronic Frontier Foundation (EFF). Confirm it by pressing Y or refuse it by pressing N.

12 . A list of domain names configured on the server is displayed. Press Enter to confirm:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: gitea.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

13 . Certbot requests the certificate for the domain name indicated in the previous step. Decide wether you want to force HTTPS on all connections by pressing 1 or not, by pressing 2, followed by Enter:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

14 . You can access Gitea via the Nginx Proxy now using an encrypted connection, by opening https://gitea.example.com in your web browser.

Disabling Port 3000 in the Firewall

1 . For increased security it is possible to block the access to port 3000 from the exterior to avoid direct connections to the Gitea application without passing through Nginx. Start by installing UFW as firewall on the instance:

apt install ufw

2 . Block all traffic by default:

ufw default deny

3 . Then allow outgoing connections:

ufw default allow outgoing

4 . Enable connections on the ports 21 (SSH), 80 (HTTP), 443 (HTTPS) via TCP and 53 (DNS) via TCP and UDP as both are required for DNS:

ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 53

5 . Activate the new firewall configuration:

ufw enable

6 . Connections to all other ports than the ones mentioned above are blocked now. The access to the Gitea Application is only possible by passing through the Nginx proxy.

Discover a New Cloud Experience

Deploy SSD Cloud Servers in seconds.