Gitea: Difference between revisions
From charlesreid1
| Line 111: | Line 111: | ||
Here's how I organized and arranged my gitea installation: | Here's how I organized and arranged my gitea installation: | ||
* set the git user as the user gitea runs as in the gitea config file | |||
* the git user was running the gitea binary | * the git user was running the gitea binary | ||
* the git user was part of the ssl-certs group, which could read both public and private SSL keys | * the git user was part of the ssl-certs group, which could read both public and private SSL keys | ||
| Line 117: | Line 118: | ||
Here's what that requires: | Here's what that requires: | ||
Change the <code>RUN_USER</code> variable in the gitea config file, in <code>custom/conf/app.ini</code>: | |||
<pre> | |||
RUN_USER = git | |||
</pre> | |||
And then some commands to do user stuff and prepare to run the web server as git user: | |||
<pre> | <pre> | ||
Revision as of 16:46, 21 March 2017
What is it?
Gitea is a self-hosted github-like web service, written in Go.
(insert screenshot here)
Main link: https://try.gitea.io/
Github project: https://github.com/go-gitea/gitea
Installing
To install it, you can use the binary.
I kept the gitea directory organized by putting the binary in its own folder, then separating out the certificates (for https/ssl), data (gitea's sqlite database), repositories (data for git repositories), and log (logging for gitea).
/path/to/www/gitea/ +--------- bin/ +--------- certs/ +--------- data/ +--------- repositories/ +--------- log/
To install it, you just navigate to the binary and run
$ ./gitea web
This runs a setup page on port 3000. Alternatively, you can use the admin command line interface to set things up securely, without exposing the (sensitive) setup page to anyone.
That's about it.
Gitea with HTTPS
You can run gitea over HTTPS. The gitea binary can generate self-signed certificates, or you can use an existing HTTPS certificate.
Using existing HTTPS certificate
I needed to have gitea over HTTPS using an existing certificate. I already had an HTTPS certificate, in the form of a private .key and a public .cert, but it was set up to be restricted to root only, and nginx and Apache are perfectly okay running as www-data and not being able to read the private key file (which is only readable by root). We're fine there.
But when I pointed to these files with soft links,
$ ln -fs /sslkeys/key.pem /www/gitea/cert/key.pem $ ln -fs /sslkeys/cert.pem /www/gitea/cert/key.pem
I was having some problems getting gitea to run. Gitea was raising a permissions error:
$ ./gitea web 2017/03/21 15:21:12 [T] Custom path: /www/gitea/bin/custom 2017/03/21 15:21:12 [T] Log path: /www/gitea/log 2017/03/21 15:21:12 [I] Gitea v1.0.1 2017/03/21 15:21:12 [I] Log Mode: File(Info) 2017/03/21 15:21:12 [I] Cache Service Enabled 2017/03/21 15:21:12 [I] Session Service Enabled 2017/03/21 15:21:12 [I] Git Version: 2.5.0 2017/03/21 15:21:12 [I] SQLite3 Supported 2017/03/21 15:21:12 [I] Run Mode: Production 2017/03/21 15:21:12 [I] Listen: https://0.0.0.0:3000 2017/03/21 15:21:12 [....io/gitea/cmd/web.go:632 runWeb()] [E] Fail to start server: open /www/gitea/certs/key.pem: permission denied
The solution was, the user that runs the Gitea web command also has to be able to read the private key file. Can just make the /sslkeys folder and contents group-readable to a new group ssl-group, and add any users that need access to the keys. Then add a git or gitea user, and run everything as the git user.
Add SSL group:
groupadd ssl-certs
Make a git user to run gitea:
useradd git
Add git user to ssl-certs group:
usermod -G ssl-certs git
Change permissions of SSL certs to be group-readable:
chgrp ssl-certs /sslcerts/{cert,key}.pem
chmod g+r /sslcerts/{cert,key}.pem
Now the keys are group-readable, and git is added to the group who can read SSL keys.
One more hurdle: we have to run gitea as the git user we just created. But we'll cover that below.
Using Self-Signed Cert
Using a self-signed HTTPS certificate is basically the equivalent to saying "Trust me!" at the end of every sentence. Any decent web browser raising an annoying warning or not loading the page at all. To use gitea to do it:
$ ./gitea cert --host mysite.com
This will create a key and certificate in the same directory, with pretty loose permissions.
Users and Permissions
Here's how I organized and arranged my gitea installation:
- set the git user as the user gitea runs as in the gitea config file
- the git user was running the gitea binary
- the git user was part of the ssl-certs group, which could read both public and private SSL keys
- the public and private keys were made group-readable and owned by the ssl-certs group
- to run gitea, I start up Screen and run the command
sudo su gitto get a shell as the user git. I then start up the gitea binary.
Here's what that requires:
Change the RUN_USER variable in the gitea config file, in custom/conf/app.ini:
RUN_USER = git
And then some commands to do user stuff and prepare to run the web server as git user:
# add group
groupadd ssl-certs
# add user
useradd git
# make user home directory for git user
mkdir /home/git
# add user to group
usermod -G ssl-certs git
# make ssl certs ownable
chgrp ssl-certs /sslkeys/{cert,key}.pem
chmod g+r /sslkeys/{cert,key}.pem
Now open up a screen and in the screen execute these commands:
# get a shell as user git sudo su git # run the gitea binary cd /www/gitea/bin ./gitea web
Then detach the screen and voila.
References
Main site: https://github.com/go-gitea/gitea
Config cheat sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
Binary installation: https://docs.gitea.io/en-us/install-from-binary/
Can use Docker