Self-hosting with Gitea

Vultr Gitea instance with PostgreSQL

The following is example configuration for a low-cost Vultr instance that can easily run Gitea with PostgreSQL used for data storage.

Cloud Compute
intel Regular Performance
Chicago United States
Debian 11 x64
25 GB SSD for $5/month with 1 vCPU, 1 GB Memory, 1 TB Bandwidth
Disable Auto Backups
Enable IPv6

Referral link
Non-referral link: Cloud Compute

Initial setups

Create a new non-root user
- adduser <new-user>
- usermod -aG sudo <new-user>
- exit
Initial updates
1. sudo apt update
2. sudo apt upgrade if needed (wasn't required)
3. sudo apt autoremove to remove ~310 MB of packages
Install required packages
1. sudo apt install postgresql (version 13)
2. sudo apt install git (version 2.30.2)
3. sudo systemctl start postgresql
4. sudo systemctl enable postgresql
5. sudo systemctl status postgresql

PostgreSQL Setup

sudo vim /etc/postgresql/13/main/postgresql.conf
- Under Connections and Authentication, update password_encryption from md5 to scram-sha-256 and uncomment.
sudo vim /etc/postgresql/13/main/pg_hba.conf
- Update all md5 instances to scram-sha-256.
sudo service postgresql restart (restart service / reload config)
sudo -i -u postgres
psql
CREATE ROLE gitea WITH LOGIN PASSWORD 'TODO-SET-PASSWORD';
- Alter it: ALTER ROLE gitea WITH PASSWORD 'TODO-SET-NEW-PASSWORD';
CREATE DATABASE giteadb WITH OWNER gitea TEMPLATE template0 ENCODING UTF8 LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8';
quit (psql)
exit (postgres user)
sudo vim /etc/postgresql/13/main/pg_hba.conf
- Add a new line with local giteadb gitea scram-sha-256 for local access.
sudo service postgresql restart
psql -U gitea -d giteadb to verify access.

Install Gitea (1.16.8 at the time of writing)

uname -mrs to confirm amd64.
Get link from https://dl.gitea.io/gitea/
- https://dl.gitea.io/gitea/1.16.8/gitea-1.16.8-linux-amd64
wget -O gitea https://dl.gitea.io/gitea/1.16.8/gitea-1.16.8-linux-amd64
chmod +x gitea
sudo mv gitea /usr/local/bin/gitea
sudo adduser --system --shell /bin/bash --gecos 'Git Version Control' --group --disabled-password --home /home/git git
Setup directory structure:
- sudo mkdir -p /var/lib/gitea/{custom,data,log}
- sudo chown -R git:git /var/lib/gitea/
- sudo chmod -R 750 /var/lib/gitea/
- sudo mkdir /etc/gitea
- sudo chown root:git /etc/gitea
- sudo chmod 770 /etc/gitea
sudo wget https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/systemd/gitea.service -P /etc/systemd/system/
sudo nano /etc/systemd/system/gitea.service
- Uncomment Wants=postgresql.service and After=postgresql.service lines.
sudo systemctl daemon-reload
sudo systemctl enable --now gitea
sudo systemctl status gitea
sudo ufw allow 3000/tcp

Configure Gitea

http://:3000
Select PostgreSQL as Database Type
Set Password.
Change Database Name to giteadb
Update Gitea Base URL to http://:3000/
Create a new administrator account.
Once setup, logout and log back in with new account.
sudo vim /etc/gitea/app.ini if you want to update after the fact.

Lockdown Gitea

This locks down Gitea so that only signed in users can access the site, and registration isn't available.

sudo vim /etc/gitea/app.ini
[service]
- DISABLE_REGISTRATION = true
- REQUIRE_SIGNIN_VIEW = true
sudo service gitea restart
sudo chmod 750 /etc/gitea
sudo chmod 640 /etc/gitea/app.ini

Nginx

Setup a new (sub)domain to point to the server.
Should be able to access http://:3000.
sudo apt install nginx
sudo ufw allow 'Nginx HTTP'
sudo ufw status
systemctl status nginx
sudo nano /etc/nginx/nginx.conf

server {
    listen 80;
    server_name git.example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

sudo nginx -t to verify configuration changes
sudo systemctl restart nginx
Custom domain, port 80, should now work.

Certbot / SSL

sudo apt install certbot python3-certbot-nginx
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
sudo ufw status
sudo certbot --nginx -d git.ebacher-skemp.com (or whatever custom domain was setup)
sudo systemctl status certbot.timer (verify Certbot will run again automatically)
sudo certbot renew --dry-run (fake a cert renewal to make sure it picks it up)
https:// should work for Gitea access, and http should redirect
sudo nano /etc/gitea/app.ini
- Update server > ROOT_URL
- Also needed to add a repository > DEFAULT_BRANCH = main
sudo service gitea restart
sudo ufw delete allow 3000/tcp (no longer allow external access via 3000)

Other Customizations

In my.vultr.com, add the following tags to the server instance (so I know core functionality):
- gitea
- postgresql
- nginx
- certbot
sudo apt install htop (prettier top)
sudo vim /etc/gitea/app.ini
- repository > ENABLE_PUSH_CREATE_USER = true
- repository > ENABLE_PUSH_CREATE_ORG = true
- repository > DEFAULT_REPO_UNITS = repo.code,repo.issues,repo.pulls (updated 11/2024)
  - Default is currently repo.code,repo.releases,repo.issues,repo.pulls,repo.wiki,repo.projects,repo.packages,repo.actions (1.22.3)
- cron.repo_health_check > TIMEOUT = 90s
- service > REQUIRE_SIGNIN_VIEW = false (updated 4/2023)
- server > SSH_DOMAIN = git.domain.com (updated 8/2023)
  - DOMAIN is fine as localhost since ROOT_URL is set.
- server > LANDING_PAGE = explore (updated 12/2023)
sudo nano /etc/nginx/nginx.conf
- Add client_max_body_size 100M; to gitea server section (to allow for larger files)
- sudo nginx -t
- sudo systemctl restart nginx
sudo nano /var/lib/gitea/custom/robots.txt
- Configure as you'd like.
- See https://docs.gitea.com/next/administration/search-engines-indexation#block-search-engines-indexation-using-robotstxt for some options.

Blocking bots

Optionally add the following within the first nginx.conf server block:

if ($http_user_agent ~* "SemrushBot|Semrush|facebookexternalhit|Amazonbot|Bytespider|meta-externalagent|ChatpGPT|CCBot|GPTBot|Applebot") {
	return 403;
}

Regular backups

On the server:

sudo systemctl stop gitea
sudo su - git
gitea dump -c /etc/gitea/app.ini -w /var/lib/gitea -t /tmp
ls -l --block-size=M
rm <old-backup-file>
# Grant everyone read access to the backup file.
chmod a=r <backup-file>
exit
sudo systemctl restart gitea

On your local machine:

# Copy the file locally.
scp <user>@<remote_ip>:/home/git/<backup-file> d:\

SMTP setup with Fastmail

sudo vim /etc/gitea/app.ini
Update [mailer] per the below.
sudo systemctl restart gitea
Send a test email from Gitea's /admin/config.

[mailer]
ENABLED        = true
FROM           = [email protected]
SMTP_ADDR      = smtp.fastmail.com
SMTP_PORT      = 465
USER           = `[email protected]`
PASSWD         = `password`

USER must be your primary Fastmail email. PASSWD is an application password. FROM can be your primary or an alias email.

Enable code search

sudo vim /etc/gitea/app.ini
Add [indexer] per the below.
sudo systemctl restart gitea
After some time, run sudo du -sh /var/lib/gitea/indexers to check index size.
- sudo ls -lhR /var/lib/gitea/indexers/repos.bleve will list file sizes and dates.

[indexer]
REPO_INDEXER_ENABLED = true
REPO_INDEXER_PATH = indexers/repos.bleve
MAX_FILE_SIZE = 1048576
REPO_INDEXER_INCLUDE = **.bat,**.cfm,**.cs,**.gd,**.go,**.htm,**.html,**.js,**.json,**.linq,**.md,**.ps1,**.ts,**.tsx,**.txt,**.xml,**go.mod
REPO_INDEXER_EXCLUDE =

Useful commands

# View Gitea disk usage.
sudo du -sh /var/lib/gitea
# Show by child directory size.
sudo du -h /var/lib/gitea --max-depth=1
# Show largest directories first.
sudo du -h /var/lib/gitea --max-depth=1 | sort -hr
# Sort by directory name.
sudo du -h /var/lib/gitea --max-depth=1 | sort -k2
# Largest directories.
sudo du --separate-dirs -h /var/lib/gitea | sort -hr | head
sudo du --separate-dirs -h /var/lib/gitea | sort -hr | head -n 2

Git Commands by James Skemp