Setup self hosted git repository with Gitea

Reviewed on 10 May 2021
Published on 28 May 2019
  • compute
  • server
  • development
  • gitea
  • git
  • versionning

Gitea - Overview

Gitea is a self-hosted Git service. It provides a lightweight code hosting solution written in Go and published under the MIT license. The tool is a community-managed fork of Gogs.

Git itself is a distributed version-control system for tracking changes in files. The tool was originally invented by Linus Torvalds in 2005 to manage the development of the Linux kernel among other developers contributing to its code base.

Unlike many other client-server systems, every Git directory on every computer contains the full repository with a complete history and version tracking, making it independent of network access or a central server.

Git was developed initially for software development, but it can be used to track changes in any kind of files.


Installing Gitea

  1. Log into your server via SSH.

  2. Update the APT sources, upgrade the already installed software and install Git:

    apt update && apt upgrade -y && apt install git -y
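  3. Download the Gitea binary and make it executable. Replace <gitea_binary_url> with the download URL of the Gitea release for your architecture:

    wget -O gitea <gitea_binary_url>
    chmod +x gitea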
  4. Add the user that will run the Gitea application:

    adduser --system --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
  5. Create the folder structure that is used by Gitea to store data:

    mkdir -p /var/lib/gitea/custom
    mkdir -p /var/lib/gitea/data
    mkdir -p /var/lib/gitea/log
    chown -R git:git /var/lib/gitea/
    chmod -R 750 /var/lib/gitea/
    mkdir /etc/gitea
    chown root:git /etc/gitea
    chmod 770 /etc/gitea
  6. Set the working directory of Gitea:

    export GITEA_WORK_DIR=/var/lib/gitea/
  7. Copy the Gitea binary file to /usr/local/bin to make it available system-wide:

    cp gitea /usr/local/bin/gitea

Running Gitea

  1. Create a systemd service for Gitea by opening the file /etc/systemd/system/gitea.service in a text editor like nano.

  2. Copy the following content into the service file:

    [Unit]
    Description=Gitea (Git with a cup of tea)

    [Service]
    # Modify these two values and uncomment them if you have
    # repos with lots of files and get an HTTP error 500 because
    # of that
    ###
    #LimitMEMLOCK=infinity
    #LimitNOFILE=65535
    RestartSec=2s
    Type=simple
    User=git
    Group=git
    WorkingDirectory=/var/lib/gitea/
    ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
    Restart=always
    Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
    # If you want to bind Gitea to a port below 1024 uncomment
    # the two values below
    ###
    #CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    #AmbientCapabilities=CAP_NET_BIND_SERVICE

    # Required so that "systemctl enable gitea" can start the service at boot
    [Install]
    WantedBy=multi-user.target
  3. Enable the service and start Gitea at system boot:

    systemctl enable gitea
    systemctl start gitea
  4. Start Gitea for the first time from the command-line:

    GITEA_WORK_DIR=/var/lib/gitea/ /usr/local/bin/gitea web -c /etc/gitea/app.ini
  5. In a web browser go to http://<your_instance_ip>:3000/ to access the Gitea application:

  6. Click Register to start the database initialization. Gitea supports SQLite, which makes the application very lightweight and ideal for a self-hosted development environment. If you require more performance, it is also possible to use MySQL/MariaDB or PostgreSQL.

  7. Choose SQLite as database type. Leave the other pre-filled settings as they are, since they are already set to the required values, and confirm the form.

  8. The installation is ready now and it is time to create the first user. Open http://<your_instance_ip>:3000/user/sign_up in a web browser and fill in the required parameters.


    The first user automatically becomes the admin of the Gitea instance.

  9. Once the form has been submitted, you are logged into your Gitea account:

You can now configure your profile and begin to host code on your instance.

Setting up a Nginx SSL/TLS reverse proxy

For increased security, it is possible to configure an Nginx reverse proxy with TLS/SSL in front of the Gitea instance. It handles all requests sent from a client to the web interface and adds a layer of increased security and performance.

  1. Install Nginx:

    apt install nginx
  2. Disable the default virtual host which was configured during the installation of Nginx via the apt package manager:

    unlink /etc/nginx/sites-enabled/default
  3. Enter the directory /etc/nginx/sites-available and create a reverse proxy configuration file:

    cd /etc/nginx/sites-available
    nano reverse-proxy.conf
  4. Paste the following Nginx configuration block in the text editor. The proxy server forwards all incoming connections on port 80 to the local Gitea application listening on port 3000. Replace <your_domain_name> with the domain name of your instance:

    server {
        listen 80;
        listen [::]:80;
        server_name <your_domain_name>;

        access_log /var/log/nginx/reverse-access.log;
        error_log /var/log/nginx/reverse-error.log;

        location / {
            proxy_pass http://localhost:3000;
        }
    }
  5. Create a symbolic link from /etc/nginx/sites-available/reverse-proxy.conf to /etc/nginx/sites-enabled/reverse-proxy.conf to activate the new configuration:

    ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
  6. Restart Nginx:

    service nginx restart
  7. Certbot is a tool that is able to obtain and renew Let’s Encrypt TLS certificates. Add it to the apt repository and install the Certbot application:

    apt install software-properties-common
    add-apt-repository ppa:certbot/certbot
    apt update && apt install python-certbot-nginx -y
  8. Certbot is able to configure Nginx automatically. Run the application and specify the flag --nginx to configure the web server:

    certbot --nginx
  9. When asked to do so, enter your email address and press Enter.

  10. Confirm the Terms of Service of Let’s Encrypt by pressing on A to agree.

  11. Certbot asks you if you want to share your email address with the Electronic Frontier Foundation (EFF). Confirm it by pressing Y or refuse it by pressing N.

  12. A list of domain names configured on the server is displayed. Press Enter to confirm:

    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1:
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):
  13. Certbot requests the certificate for the domain name indicated in the previous step. Decide whether you want to force HTTPS on all connections by pressing 1 or not, by pressing 2, followed by Enter:

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
  14. You can now access Gitea through the Nginx proxy over an encrypted connection by opening your domain name via HTTPS in your web browser.

Disabling Port 3000 in the Firewall

  1. For increased security, you can block access to port 3000 from outside the instance to prevent direct connections to the Gitea application that bypass Nginx. Start by installing UFW as firewall on the instance:

    apt install ufw
  2. Block all traffic by default:

    ufw default deny
  3. Then allow outgoing connections:

    ufw default allow outgoing
  4. Enable connections on the ports 22 (SSH), 80 (HTTP), 443 (HTTPS) via TCP and 53 (DNS) via TCP and UDP as both are required for DNS:

    ufw allow 22/tcp
    ufw allow 80/tcp
    ufw allow 443/tcp
    ufw allow 53
  5. Activate the new firewall configuration:

    ufw enable
  6. Connections to all other ports than the ones mentioned above are blocked now. The access to the Gitea Application is only possible by passing through the Nginx proxy.
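
To check the result of the firewall steps above, the following added example (not part of the original tutorial) audits `ss -Hltn` and `ufw status` output for a Gitea listener bound beyond loopback and for ALLOW rules outside the ports opened in this tutorial. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that Gitea's port is only reachable through Nginx.

# Print local sockets listening on port $1 that are NOT bound to loopback.
# Reads `ss -Hltn` output on stdin.
non_loopback_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")    # the port is the text after the last ":"
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (part[n] == port && addr !~ /^(127\.|\[::1\]$)/) print $4
        }'
}

# Print ALLOW rules whose target is not one of the ports opened in this tutorial.
# Reads `ufw status` output on stdin; IPv4/IPv6 duplicates are reported once.
unexpected_ufw_rules() {
    awk '
        BEGIN { n = split("22/tcp 80/tcp 443/tcp 53", p, " ")
                for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        / ALLOW / && !($1 in ok) && !seen[$1]++ { print $1 }'
}

# Constructed sample input (not captured from a real server).
SAMPLE_SS='LISTEN 0 4096   0.0.0.0:22     0.0.0.0:*
LISTEN 0 4096         *:3000         *:*
LISTEN 0 511    0.0.0.0:443    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:3000   0.0.0.0:*'

SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
53                         ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere
3000/tcp (v6)              ALLOW       Anywhere (v6)'

echo "Gitea listeners bound beyond loopback:"
printf '%s\n' "$SAMPLE_SS" | non_loopback_listeners 3000
echo "Firewall rules outside the tutorial's allow-list:"
printf '%s\n' "$SAMPLE_UFW" | unexpected_ufw_rules
# On the server: ss -Hltn | non_loopback_listeners 3000
#                ufw status | unexpected_ufw_rules
```

A non-empty result from the first function means the firewall is the only barrier between the network and Gitea's own port; binding Gitea to 127.0.0.1 through HTTP_ADDR in the [server] section of app.ini empties it. Any output from the second function is a rule to review against the list in step 4.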