First off gitea will try to validate the SSL certificate we are using for postfix, but this is a self signed cert, and not valid for “localhost” so we need to patch the config file to not validate this certificate.
sudo sed -i.bak '/mailer/a\
SKIP_VERIFY = true' /etc/gitea/app.ini
Then we need to make gitea a service that will start when we start the server.
cat << EOF | sudo tee -a /etc/systemd/system/gitea.service > /dev/null
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=mysqld.service
#After=postgresql.service
#After=memcached.service
#After=redis.service
[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/var/lib/gitea GITEA_WORK_DIR=/var/lib/gitea
# If you want to bind Gitea to a port below 1024 uncomment
# the two values below
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable gitea
sudo systemctl start gitea
And finally we are using fail2ban to block IP addresses that are making too many failed logins over SSH from being able to brut force passwords, but now we have set up a server that allows logins over HTTPS, so we should block those too.
cat << EOF | sudo tee -a /etc/fail2ban/filter.d/gitea.conf > /dev/null
# gitea.conf
[Definition]
failregex = .*Failed authentication attempt for .* from
ignoreregex =
EOF
cat << EOF | sudo tee -a /etc/fail2ban/jail.d/jail.local > /dev/null
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /var/lib/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports
EOF
sudo service fail2ban restart
We should now have a working git server. If you set up an Admin user when configuring gitea in the previous steps then we are set. If not you should register a user now, as the first registered user will become admin. The only remaining step before our server is ready is to automate the renewal of our SSL certificate.
sudo crontab -e
This will create an empty crontab for root, and open it in the default editor. As an invalid crontab will stop cron from working properly this command will validate what you save before installing it to cron. You will need to add a line like the below to the end of the file and save it.
21 05 * * * /usr/bin/certbot renew --manual-auth-hook /root/certbot/auth.sh --manual-cleanup-hook /root/certbot/clean.sh --renew-hook /root/certbot/renew.sh --manual-public-ip-logging-ok --quiet
This will need to be on a single line without the quotes, and will run the certbot command at 05:21 every day, which will check the expiry of your certificate, and renew it and restart apache if it is about to expire. Feel free to change the time it runs, Lets Encrypt won’t want everyone trying to get certificates at the same time.
Once that is done your Git Server is ready to use.