Certginx is used for simplicity.
Copy nginx.conf to ./nginx/conf.d/subdomain.domain.com.conf in the Certginx directory.
Then follow the steps here.
| Where | Username |
|---|---|
| Host | gitea |
| Docker | git |

The host-side user is `gitea`; inside the container Gitea runs as `git`. The commands below therefore use `sudo -u gitea` on the host and `docker exec -u git` in the container.
Generate new secrets/tokens and substitute them for the placeholders in docker-compose.yml. The usual `-it` is dropped on purpose: nothing here is interactive, and a pseudo-terminal (`-t`) ends the captured output with a carriage return that would be written into the file along with the secret.

```sh
sed -i -e 's/gitea_secret_key/'"$(docker run --rm gitea/gitea:1 gitea generate secret SECRET_KEY)"'/g' docker-compose.yml
sed -i -e 's/gitea_internal_token/'"$(docker run --rm gitea/gitea:1 gitea generate secret INTERNAL_TOKEN)"'/g' docker-compose.yml
```

Afterwards check that neither placeholder is still present in the file. docker-compose.yml now contains live secrets and should be readable only by the user who deploys it.
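As an added example (not part of the page), the same substitution written as a checked shell function: it rejects a value that is empty or carries a stray carriage return, replaces the placeholder literally instead of through sed's regex and delimiter rules, and verifies that no placeholder is left behind. It assumes the placeholder names gitea_secret_key and gitea_internal_token used on this page.

```shell
#!/bin/sh
# Added example, not from the page: substitute generated secrets into
# docker-compose.yml without inline sed. Assumes the placeholders
# gitea_secret_key / gitea_internal_token appear verbatim in the file.

# A value is acceptable only if it is non-empty and made of the characters
# `gitea generate secret` emits (alphanumerics, plus . _ - for the JWT-style
# INTERNAL_TOKEN). A trailing carriage return, which `docker run -t` leaves
# on captured output, fails this check instead of landing in the file.
valid_secret() {
  case $1 in
    "") return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# set_secret FILE PLACEHOLDER VALUE
# Literal replacement via awk (sed would interpret / & and \ inside the
# value); the file is rewritten atomically.
set_secret() {
  file=$1 ph=$2 val=$3
  valid_secret "$val" || { echo "set_secret: refusing malformed value for $ph" >&2; return 1; }
  case $val in *"$ph"*) echo "set_secret: value contains the placeholder" >&2; return 1 ;; esac
  PH="$ph" VAL="$val" awk '
    { while ((i = index($0, ENVIRON["PH"])) > 0)
        $0 = substr($0, 1, i - 1) ENVIRON["VAL"] substr($0, i + length(ENVIRON["PH"]))
      print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Succeeds only if neither placeholder survived, so a skipped substitution
# cannot silently ship a compose file with a well-known "secret".
no_placeholders_left() {
  ! grep -qE 'gitea_secret_key|gitea_internal_token' "$1"
}

# Usage (no -t: nothing is interactive and a pty would add \r to the output):
# set_secret docker-compose.yml gitea_secret_key \
#   "$(docker run --rm gitea/gitea:1 gitea generate secret SECRET_KEY)"
# set_secret docker-compose.yml gitea_internal_token \
#   "$(docker run --rm gitea/gitea:1 gitea generate secret INTERNAL_TOKEN)"
# no_placeholders_left docker-compose.yml || { echo "placeholders left" >&2; exit 1; }
```

The value check is the part that matters in practice: a `\r` from `docker run -t` or an empty string from a failed `docker run` would otherwise be written into the compose file without any error.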
Generate the SSH key pair for the host `gitea` user. It is used only for the loopback hop into the container.

```sh
sudo -u gitea ssh-keygen -t rsa -b 4096 -C "Gitea Host Key"
```

Authorize that key for the same user and lock the file down.

```sh
sudo -u gitea cat /home/gitea/.ssh/id_rsa.pub | sudo -u gitea tee -a /home/gitea/.ssh/authorized_keys
sudo chmod 600 /home/gitea/.ssh/authorized_keys
```
Script for SSH passthrough. Gitea writes forced-command entries (`command="/usr/local/bin/gitea ... serv key-N"`) into authorized_keys; on the host that path is this shim, which re-runs the same command inside the container by connecting to its `git` user on the loopback address, port 2222, with the client's original git command preserved in SSH_ORIGINAL_COMMAND.

```sh
cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
sudo chmod +x /usr/local/bin/gitea
```

`StrictHostKeyChecking=no` is tolerable only because the hop never leaves 127.0.0.1; do not reuse this shim against a remote address. Gitea's documented passthrough setup also requires the container's `git` user to run with the host `gitea` user's UID/GID (USER_UID/USER_GID in docker-compose.yml) and the host's /home/gitea/.ssh to be mounted as /data/git/.ssh in the container, so that both sides see the same authorized_keys.
Dump Gitea by hand (`-it` is fine interactively). The archive is written to /tmp inside the container.

```sh
docker exec -u git -it -w /tmp $(docker ps -qf 'name=^gitea$') bash -c '/usr/local/bin/gitea dump -c /data/gitea/conf/app.ini'
```
Create the shared directory.

```sh
mkdir /home/gitea-shared
```

Add the shared group.

```sh
addgroup gitea-shared
```

Give the group ownership of the shared directory.

```sh
chown :gitea-shared /home/gitea-shared
```

Add the users to the shared group (repeat for the other user that fetches the backups).

```sh
usermod -aG gitea-shared gitea
```

Set the directory mode: owner and group get full access, everyone else none, and the sticky bit (the leading 1) means members can delete only the files they created themselves.

```sh
chmod 1770 /home/gitea-shared
```

Give the group ownership of the dump file.

```sh
chown :gitea-shared /path/to/your/dumps.zip
```

Copy the file into the shared directory.

```sh
cp /home/gitea/gitea/dumps/* /home/gitea-shared
```
Automation for the dump: dump Gitea, encrypt the dumped file with gpg for each recipient, then move the encrypted files to the shared directory. Run it as the `gitea` user from cron; only the encrypted copies leave the dump directory.

```bash
#!/bin/bash
# Dump Gitea, encrypt each dump for every recipient with gpg, and leave only
# the encrypted copies in the shared directory. Written to run from cron.
set -euo pipefail

GPG_EMAILS=(
"[email protected]"
"[email protected]"
)
# Where the dumps appear on the host; assumes the container's /tmp (the dump
# command's working directory) is bind-mounted here.
DUMPS_DIR="/home/gitea/gitea/dumps"
SHARE_DIR="/home/gitea-shared"

log() { echo "[$(date '+%Y-%m-%d %H:%M')] $*"; }

mkdir -p "${DUMPS_DIR}"
log "Dumping Gitea.."
# No -it: cron provides no TTY and 'docker exec -t' would abort with
# "the input device is not a TTY".
docker exec -u git -w /tmp "$(docker ps -qf 'name=^gitea$')" \
    bash -c '/usr/local/bin/gitea dump -c /data/gitea/conf/app.ini' &>/dev/null

shopt -s nullglob   # an empty DUMPS_DIR yields no iterations, not the literal pattern
for path in "${DUMPS_DIR}"/*; do
    file="${path##*/}"
    for email in "${GPG_EMAILS[@]}"; do
        log "Encrypting '${file}' for ${email}"
        # --batch: never prompt; --trust-model always: accept recipient keys that
        # are imported but not signed (verify their fingerprints once, by hand)
        gpg --batch --yes --trust-model always -r "${email}" \
            -o "${SHARE_DIR}/${email}_${file}.gpg" -e "${path}"
        chown :gitea-shared "${SHARE_DIR}/${email}_${file}.gpg"
    done
    rm -f "${path}"   # the plaintext dump must not outlive its encrypted copies
done
rm -r "${DUMPS_DIR}"
log "Backup completed"
```
Add /etc/fail2ban/jail.local:

```ini
[gitea]
enabled = true
port = 80,443
filter = gitea
action = iptables-allports[chain="FORWARD"]
logpath = /var/lib/docker/volumes/gitea_gitea/_data/gitea/log/gitea.log
maxretry = 6
bantime = 30m
findtime = 10m
```

The action targets the FORWARD chain because traffic to the container is forwarded rather than delivered locally, so the default INPUT-chain actions never see it (iptables-allports bans every port, whatever `port` says). Docker re-inserts its own FORWARD rules ahead of anything added later, so `chain="DOCKER-USER"`, the chain Docker reserves for user rules, is the more robust choice. Two things to verify before enabling the jail: Gitea must actually write that log file (the path above is the gitea_gitea named volume; adjust it to your volume or bind mount), and, because requests arrive through the Certginx proxy, the address in the log must be the client's and not the proxy's, otherwise the jail bans your own reverse proxy.

Create /etc/fail2ban/filter.d/gitea.local:

```ini
[INCLUDES]
before = common.conf

[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
```

Test the filter against the real log with `fail2ban-regex <logpath> /etc/fail2ban/filter.d/gitea.local` before relying on it.
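As an added example (not part of the page, and not Gitea's or fail2ban's code), a small shell emulation of the filter over constructed log lines. It assumes Gitea's `YYYY/MM/DD hh:mm:ss ... [E] Failed authentication attempt for <user> from <ip>:<port>` layout and uses a bare IPv4 pattern as a stand-in for fail2ban's `<HOST>`. It shows which hosts reach maxretry and flags private addresses among them, the symptom of a proxy that does not pass the client IP.

```shell
#!/bin/sh
# Added example (not part of the page): run the gitea fail2ban filter over
# constructed log lines to see which hosts it would count and spot a common
# misconfiguration. The lines imitate Gitea's error log layout and are not
# real captures; fail2ban-regex does this properly against a real log.

# failregex from filter.d/gitea.local, with fail2ban's <HOST> replaced by a
# bare IPv4 pattern (assumption: the real <HOST> also matches IPv6 and names).
IP='([0-9]{1,3}\.){3}[0-9]{1,3}'
FAILREGEX="(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from $IP"
MAXRETRY=6   # as in jail.local; findtime is ignored in this emulation

write_sample_log() {   # write_sample_log FILE  (constructed data)
  : > "$1"
  i=0
  while [ "$i" -lt 6 ]; do
    echo "2024/01/10 10:00:0$i routers/web/auth/auth.go:184:SignInPost() [E] Failed authentication attempt for admin from 203.0.113.5:51234" >> "$1"
    # What the log looks like when nginx does not forward the client address
    echo "2024/01/10 10:01:0$i routers/web/auth/auth.go:184:SignInPost() [E] Failed authentication attempt for root from 172.18.0.2:40000" >> "$1"
    i=$((i + 1))
  done
  echo "2024/01/10 10:02:00 ...:SignInPost() [E] Attempted access of unknown user bob from 198.51.100.7:3000" >> "$1"
  echo "2024/01/10 10:02:01 ... [E] invalid credentials from 198.51.100.7:3001" >> "$1"
  echo "2024/01/10 10:02:02 ... [I] Started GET /user/login for 203.0.113.9:5000" >> "$1"   # must not match
}

# Host extracted from every matching line, one per line.
gitea_failures() {
  grep -E "$FAILREGEX" "$1" | sed -E "s/.* from ($IP).*/\1/"
}

# Hosts the jail would ban once they reach MAXRETRY matches.
gitea_ban_candidates() {
  gitea_failures "$1" | sort | uniq -c | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

# Private or loopback addresses among the candidates: Gitea is logging the
# proxy's address, so fix X-Real-IP / Gitea's reverse proxy settings before
# the jail bans the proxy instead of the attacker.
proxy_addresses() {
  grep -E '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)' || true
}

log=$(mktemp)
write_sample_log "$log"
echo "would ban:"; gitea_ban_candidates "$log"
echo "of which private (proxy misconfiguration?):"; gitea_ban_candidates "$log" | proxy_addresses
rm -f "$log"
```

On the sample data 203.0.113.5 and 172.18.0.2 both reach six failures, and the second one is a Docker bridge address: a real deployment that produces it would be banning its own nginx container.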