At first I started with Gitea on my Synology NAS (check this tool for installing it on Synology). It is supposed to be a replacement for Gogs. I like Gogs; it is also lightweight and good enough for a solo developer or freelancer. Gitea is a fork of Gogs with many improvements. I started to feel I needed something bigger that outscales a Git service running on a NAS.
So I took my Linode VPS and started to prepare everything necessary for running Gitea. It is not very difficult and I prefer this solution over Docker containers for some reasons.
Gitea Features I like
- graphs
- integrated code editor
- both git and web hooks
- 2FA for better security
- SQLite support
Gitea on Debian 10 Buster step by step
So how to install Gitea on your Debian Linux? Follow these steps.
At first, run updates as usual:
sudo apt-get update
If you don’t already have Git, install it and then check its version:
sudo apt-get install git
git --version
Create git user account:
sudo adduser --system --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
If you would like to store the Gitea database in MySQL/MariaDB, install it using sudo apt-get install mariadb-server and configure it with the mysql_secure_installation command. Then log in as root and create a gitea database and a user with all privileges on it.
For simplicity I use SQLite instead of MySQL as it is enough for me and my one co-worker.
Now Gitea itself. Check its latest version number on GitHub. Download it to your Debian server. Just replace VERSION with the number in the following commands:
wget https://github.com/go-gitea/gitea/releases/download/vVERSION/gitea-VERSION-linux-amd64
Set it as executable and move it to its destination folder:
chmod +x gitea-VERSION-linux-amd64
sudo mv gitea-VERSION-linux-amd64 /usr/local/bin/gitea
Double check that everything went OK. Run the gitea --version command. You should see the installed Gitea version.
Now set the Gitea service up:
sudo mkdir -p /etc/gitea /var/lib/gitea/{custom,data,indexers,public,log}
sudo chown git:git /var/lib/gitea/{data,indexers,log}
sudo chmod 750 /var/lib/gitea/{data,indexers,log}
sudo chown root:git /etc/gitea
sudo chmod 770 /etc/gitea
Create service configuration file:
sudo nano /etc/systemd/system/gitea.service
Its content:
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=mysql.service
[Service]
LimitMEMLOCK=infinity
LimitNOFILE=65535
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
[Install]
WantedBy=multi-user.target
Reload systemd and this new service. Check Gitea status:
sudo systemctl daemon-reload
sudo systemctl enable --now gitea
systemctl status gitea
Gitea is now listening on your IP on port 3000. I prefer using a proxy to be able to access it using a domain name. I use Virtualmin, which means adding a new website, going to Server Configuration options and Edit Proxy Website. Then set it up as in the screenshot below.
Gitea GUI installer
The server part is done. Now continue using your browser pointing to https://IP:3000 or using the domain name. The Gitea installer will appear.
Set the database connection details for MySQL or just select SQLite as I did. Don’t forget to disable the user self-registration option. Create your username for Gitea, upload your SSH key and you are done. Almost.
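The setup above leaves /etc/gitea at mode 770 so that the installer can write app.ini; Gitea's installation guide recommends tightening it to 750, and app.ini to 640, once the installer has finished. The check below is an added example, not part of the original post; the function names and the temporary directory standing in for /etc/gitea are assumptions.

```python
import os
import stat
import tempfile

# Most permissive modes expected after the web installer has finished
# (targets taken from Gitea's installation guide, not from this post).
MAX_MODES = {"dir": 0o750, "app.ini": 0o640}


def audit_config(conf_dir):
    """Return a list of findings for a Gitea configuration directory."""
    findings = []
    targets = [("dir", conf_dir), ("app.ini", os.path.join(conf_dir, "app.ini"))]
    for label, path in targets:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        # Any permission bit that is set but not allowed by the target mode.
        extra = mode & ~MAX_MODES[label]
        if extra:
            findings.append(
                f"{path}: mode {mode:03o} has extra bits {extra:03o}, "
                f"expected at most {MAX_MODES[label]:03o}"
            )
    return findings


def demo():
    """Audit a constructed directory before and after tightening it."""
    with tempfile.TemporaryDirectory() as conf_dir:
        ini = os.path.join(conf_dir, "app.ini")
        open(ini, "w").close()
        # State right after the installer ran: group-writable directory,
        # configuration file (database password, secrets) world-readable.
        os.chmod(conf_dir, 0o770)
        os.chmod(ini, 0o664)
        before = audit_config(conf_dir)
        # Equivalent of: chmod 750 /etc/gitea; chmod 640 /etc/gitea/app.ini
        os.chmod(conf_dir, 0o750)
        os.chmod(ini, 0o640)
        after = audit_config(conf_dir)
    return before, after


if __name__ == "__main__":
    print(*audit_config("/etc/gitea"), sep="\n")
```
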
How to secure Gitea with Fail2ban
Fail2ban is a server tool which automatically bans users or bots having a defined number of bad login attempts to your services. I use it together with Virtualmin and think it is a good idea to use it together with Gitea to improve its security with one more step besides the 2FA.
First, check your Fail2Ban status using systemctl status fail2ban. If it is not running, configure or install it using sudo apt-get install fail2ban.
Create another config file:
sudo nano /etc/fail2ban/filter.d/gitea.conf
Provide the content for this file:
# gitea.conf
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
You now have the basic filter for Fail2ban. Next, create a jail:
sudo nano /etc/fail2ban/jail.d/gitea.conf
Provide this content:
[gitea]
enabled = true
filter = gitea
logpath = /var/lib/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports
Feel free to edit your maxretry, findtime and bantime values. This example from the Gitea docs means that after 10 failed login attempts during one hour (3600 seconds) the user will be blocked for 900 seconds. You can also use values like 1d for one day.
Restart Fail2ban using systemctl restart fail2ban and check that everything is OK: systemctl status fail2ban.
Just a note: when a Fail2ban ban kicks in, it locks you out of the whole server for that interval, because the iptables-allports action blocks your address on every port. Don’t forget this when testing whether everything works as expected.
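To see what the filter and jail above will do before relying on them, the following added example (not part of the original post or of Fail2ban) applies the same failregex, maxretry and findtime to log lines. The log lines are constructed, and the IPv4-only pattern substituted for <HOST> is a simplification of what Fail2ban expands it to.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex copied from the filter above; <HOST> is replaced with a simple
# IPv4 pattern (assumption: Fail2ban's own expansion is broader).
FAILREGEX = (r".*(Failed authentication attempt|invalid credentials|"
             r"Attempted access of unknown user).* from <HOST>")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))
MAXRETRY, FINDTIME = 10, 3600  # values from the jail above


def parse(line):
    """Return (timestamp, host) for a line the filter matches, else None."""
    match = PATTERN.search(line)
    if not match:
        return None
    stamp = datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")
    return stamp, match.group("host")


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts that reach maxretry matching lines within findtime seconds."""
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    banned = []
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        stamp, host = hit
        window = recent[host]
        window.append(stamp)
        while (stamp - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def sample_log():
    """Constructed log lines using documentation-range addresses."""
    msg = "[I] Failed authentication attempt for"
    # Ten failures within ten minutes from one address.
    lines = [f"2024/01/01 10:{i:02d}:00 {msg} admin from 192.0.2.10" for i in range(10)]
    # Ten failures one hour apart: never ten inside a single findtime window.
    lines += [f"2024/01/01 {10 + i:02d}:30:00 {msg} bob from 198.51.100.7" for i in range(10)]
    lines.append("2024/01/01 10:05:00 [I] Successful login for alice from 203.0.113.5")
    return lines
```

On the server itself, fail2ban-regex /var/lib/gitea/log/gitea.log /etc/fail2ban/filter.d/gitea.conf runs the real filter against the real log. If Gitea sits behind a proxy as described earlier, confirm that the logged address is the client's and not the proxy's, otherwise the ban lands on the proxy.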
Thanks for the inspiration to Josphat Mutai and his article Install Gitea Git service on Debian 10 (Buster).