Hosting Gitea on Google Cloud Platform

Kyle Schwartz
Nov 26, 2019

This tutorial assumes you already have a registered domain and access to your DNS records. I used Cloudflare, but feel free to use your domain registrar’s built-in DNS records. This tutorial is heavily based on this excellent tutorial by Bryan Gilbert, with additions specific to Google Cloud Platform and from my own experience.

Getting Ready

Start by heading to https://cloud.google.com/ and signing up for a free account. Make sure you enter your credit card details to enable full access. Don’t worry though, this won’t cost us anything.

Virtual Machine Setup

Once you’re in your GCP console, create a new project by navigating to the top left and selecting ‘New Project’. The name is unimportant; I chose ‘Gitea’. Then, select the project from the same menu.

Next, open the side menu and navigate to Compute Engine > VM Instances. Wait a few minutes for Compute Engine to get ready.

Click Create and set up your VM with the following parameters:

  • Machine Type: f1-micro
  • Boot Disk: Ubuntu 16.04 LTS with a 30 GB standard persistent disk
  • Firewall: Allow HTTP Traffic, Allow HTTPS Traffic

Here is an example setup page

Firewall Setup

Open the side menu and navigate to VPC Network > Firewall rules.

We will be adding 3 rules to our firewall. This can be done by clicking CREATE FIREWALL RULE at the top of the page. They are as follows:

Connect to the VM

The easiest way to connect to the VM is by pressing the SSH button on the VM Instances page. This opens up a terminal connected to your VM right within your browser. Viewable here.

Server Setup

Run the following commands to update and upgrade any packages:

sudo apt update 
sudo apt upgrade

Now, we will create a new user named git who does not have a password:

sudo adduser --system --shell /bin/bash --group --disabled-password --home /home/git git

Now that we have our user, we need to give them “sudo” permissions, so that the account can run administrator commands. This is done by editing the sudoers file as follows:

sudo EDITOR=nano visudo

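Now, add the following line to the bottom of the file. It lets the git account, which is also the account Gitea will run as, run any command as root without a password: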

git ALL=(ALL) NOPASSWD:ALL

Press Ctrl+X (control+x on MacOS), then Y, then Enter.

Next, restart the VM for the changes to take effect. GCP calls this RESET.

PostgreSQL Setup

Install PostgreSQL:

sudo apt install postgresql

Now, let’s switch to the postgres user and enter the database:

sudo su postgres
psql

Next, we are going to create a database and a user. Make sure you change <password> to an actual password:

CREATE USER gitea WITH PASSWORD '<password>'; 
CREATE DATABASE gitea OWNER gitea;
\q

Gitea Installation & Setup

Since we are still logged into the postgres user, we have to switch accounts. For the second-last command, we download Gitea. However, the version downloaded might be out of date. Check here for the most up to date release. The version should be listed as ‘Latest release’. Then, adjust the command to match the current version number.

exit 
sudo su git
cd /home/git
mkdir gitea
cd gitea
wget -O gitea https://dl.gitea.io/gitea/1.9.5/gitea-1.9.5-linux-amd64
chmod +x gitea

Now we are going to run Gitea for the initial setup.

./gitea web

Open up the Gitea web interface by navigating to your VM’s external IP with the port 3000. E.g. http://93.184.216.34:3000

If the install page doesn’t appear instantly, press the login button and it will appear.

Change the following accordingly:

  • Database Type: PostgreSQL
  • Password: The password you set in the PostgreSQL Setup step
  • Application Name: Optional, as you please
  • SSH Port: 5522
  • Domain: Your domain (E.g. git.example.com)
  • Application URL: Your domain (E.g. http://git.example.com)

Under Optional Settings, open Server and Third-Party Service Settings and change the following settings:

  • Disable Self-Registration: True
  • Allow Registration Only Through External Services: False
  • Enable OpenID Self-Registration: False
  • Enable OpenID Sign-In: False

Finally, set up an admin account by opening Administrator Account Settings and filling in the fields.

Click Install Gitea

Now, delete the gitea firewall rule for security.

Systemd Service Setup

Next, we are going to set up a service for Gitea to run in the background:

sudo nano /etc/systemd/system/gitea.service

Paste the following into the file:

[Unit] 
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=postgresql.service
[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/home/git/gitea
ExecStart=/home/git/gitea/gitea web
Restart=always
Environment=USER=git HOME=/home/git
[Install]
WantedBy=multi-user.target

Enable the service with the following commands:

sudo systemctl enable gitea.service 
sudo systemctl start gitea.service

Nginx Setup

Install Nginx:

sudo apt install nginx

Now, we are going to set up Nginx:

sudo nano /etc/nginx/sites-enabled/gitea

Paste the following into the file, changing <your-domain> to your domain:

server {
    listen 80;
    server_name <your-domain>;
    location / {
        proxy_pass http://localhost:3000;
    }
    proxy_set_header X-Real-IP $remote_addr;
}

Next, remove the default site and reload the service:

sudo rm /etc/nginx/sites-enabled/default 
sudo service nginx reload

Fail2ban Setup

Install Fail2ban:

sudo apt install fail2ban

Set up the filter:

sudo nano /etc/fail2ban/filter.d/gitea.conf

Paste the following into the file:

[Definition]
failregex = .*Failed authentication attempt for .* from <HOST>
ignoreregex =

Set up the jail that connects the ban to Gitea:

sudo nano /etc/fail2ban/jail.d/jail.local

Paste the following into the file:

[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /home/git/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports

Finally, restart the service for the changes to take effect:

sudo service fail2ban restart
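
To see what the jail above will and will not catch, the following added example (not part of the original tutorial) replays its maxretry/findtime logic over a constructed log. The function names sample_log and would_ban are hypothetical, the log lines are made up, and the awk pattern is a stand-in for the failregex that takes <HOST> to be the address at the end of the line.

```shell
#!/bin/sh
# Added example: replay the [gitea] jail (maxretry within findtime) over a log.

# Constructed sample log: three sources with different failure patterns.
sample_log() {
  {
    i=0
    while [ "$i" -lt 10 ]; do
      # 10 failures inside 10 minutes
      printf '2019/11/26 10:%02d:00 [I] Failed authentication attempt for admin from 203.0.113.7\n' "$i"
      # 10 failures, but only one per hour
      printf '2019/11/26 %02d:30:00 [I] Failed authentication attempt for root from 192.0.2.5\n' "$((i + 10))"
      i=$((i + 1))
    done
    printf '2019/11/26 10:05:00 [I] Failed authentication attempt for kyle from 198.51.100.9\n'
    printf '2019/11/26 10:06:00 [I] Started GET /user/login for 198.51.100.9\n'
  } | sort   # timestamps sort lexically, so this yields chronological order
}

# usage: would_ban [maxretry] [findtime] < logfile ; prints each host that would be banned
would_ban() {
  awk -v maxretry="${1:-10}" -v findtime="${2:-3600}" '
    # "YYYY/MM/DD" "HH:MM:SS" -> seconds since 1970-01-01 (portable, no gawk mktime)
    function epoch(d, t,    a, b, y, m, days) {
      split(d, a, "/"); split(t, b, ":"); y = a[1] + 0; m = a[2] + 0
      if (m <= 2) { y--; m += 12 }
      days = 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3) + 2)/5) + a[3] - 719469
      return days*86400 + b[1]*3600 + b[2]*60 + b[3]
    }
    # Stand-in for the failregex: same message text, <HOST> taken as the trailing address.
    /Failed authentication attempt for .* from [0-9a-fA-F:.]+$/ {
      host = $NF; now = epoch($1, $2)
      seen[host, ++n[host]] = now
      # slide the window: forget failures that are findtime seconds old or older
      while (first[host] + 1 < n[host] && now - seen[host, first[host] + 1] >= findtime)
        first[host]++
      if (n[host] - first[host] >= maxretry && !banned[host]++) print host
    }'
}

sample_log | would_ban   # page values (maxretry = 10, findtime = 3600): prints 203.0.113.7
```

Only the burst from 203.0.113.7 reaches ten failures inside one hour; the source that tries once per hour never trips the jail with these values. On the server itself, sudo fail2ban-regex /home/git/gitea/log/gitea.log /etc/fail2ban/filter.d/gitea.conf checks the real filter against the real log.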

Let’s Encrypt Setup

Before proceeding, ensure that your DNS records point to the VM’s external IP. If not, certbot will fail. Another note: it cannot point to a CNAME record; it has to be an A or AAAA record. Fun fact!

Install certbot:

sudo apt install software-properties-common 
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install python-certbot-nginx

Set up certbot:

sudo certbot --nginx

Enable Automatic Certificate Renewal

Create a service to renew the certificate:

sudo nano /etc/systemd/system/certbot-renewal.service

Paste the following into the file:

[Unit]
Description=Certbot Renewal
[Service]
ExecStart=/usr/bin/certbot renew

Next, create a daily timer:

sudo nano /etc/systemd/system/certbot-renewal.timer

Paste the following into the file:

[Unit]
Description=Timer for Certbot Renewal
[Timer]
OnBootSec=300
OnUnitActiveSec=1d
[Install]
WantedBy=multi-user.target

Now simply start and enable the timer:

sudo systemctl enable certbot-renewal.timer 
sudo systemctl start certbot-renewal.timer

Enabling Git Over SSH

Now that we’re done with the command line, navigate back to your Gitea website, now hosted on your domain (E.g. git.example.com).

Click the profile icon in the top right and go to Site Administration.

Run the Maintenance Operation titled:

Update the '.ssh/authorized_keys' file with Gitea SSH keys. (Not needed for the built-in SSH server.)

Done

Enjoy!

Maybe create a user account and don’t use the admin one. This is also done in the Site Administration section.

Thank you again to Bryan Gilbert and I hope you enjoyed.

Originally published at https://dev.to on November 26, 2019.
