Hosting Gitea on Google Cloud Platform

kylejschwartz

Kyle Schwartz

Posted on November 26, 2019

This tutorial assumes you already have a registered domain and access to your DNS records. I used Cloudflare, but feel free to use your domain registrar's built-in DNS records. This tutorial is heavily based on this excellent tutorial by Bryan Gilbert, with additions specific to Google Cloud Platform and from my own experience.

Getting Ready

Start by heading to https://cloud.google.com/ and signing up for a free account. Make sure you enter your credit card details to enable full access. Don't worry though, this won't cost us anything.

Virtual Machine Setup

Once you're in your GCP console, create a new project by navigating to the top left and selecting 'New Project'. The name is unimportant; I chose 'Gitea'. Then, select the project from the same menu.

Next, open the side menu and navigate to Compute Engine > VM Instances. Wait a few minutes for Compute Engine to get ready.

Click Create and set up your VM with the following parameters:

  • Machine Type: f1-micro
  • Boot Disk: Ubuntu 20.04 LTS with a 30 GB standard persistent disk
  • Firewall: Allow HTTP Traffic, Allow HTTPS Traffic

Here is an example setup page

Firewall Setup

Open the side menu and navigate to VPC Network > Firewall rules.

We will be adding 3 rules to our firewall. This can be done by clicking CREATE FIREWALL RULE at the top of the page. They are as follows:

| Rule Name | Direction of traffic | Targets | Source IP ranges | Specified protocols and ports (tcp) |
|---|---|---|---|---|
| gitea-setup | Ingress | All instances in the network | 0.0.0.0/0 | 3000 |
| ssh-in | Ingress | All instances in the network | 0.0.0.0/0 | 5522 |
| ssh-out | Egress | All instances in the network | 0.0.0.0/0 | 5522 |

Connect to the VM

The easiest way to connect to the VM is by pressing the SSH button on the VM Instances page. This opens up a terminal connected to your VM right within your browser. Viewable here.

Server Setup

Run the following commands to update and upgrade any packages:

sudo apt update
sudo apt upgrade

Now, we will create a new user named git who does not have a password:

sudo adduser --system --shell /bin/bash --group --disabled-password --home /home/git git

Now that we have our user, we need to give them "sudo" permissions, so that the account can run administrator commands. This is done by editing the sudoers file as follows:

sudo EDITOR=nano visudo

Now, add the following line to the bottom of the file. It allows the git account to run any command as any user without entering a password:

git  ALL=(ALL) NOPASSWD:ALL

Press CTRL+X (control+X on MacOS), then Y, then Enter.

Next, restart the VM for the changes to take effect. GCP calls this RESET.

PostgreSQL Setup

Install PostgreSQL:

sudo apt install postgresql

Now, let's switch to the postgres user and enter the database:

sudo su postgres
psql

Next, we are going to create a database and a user. Make sure you change <password> to an actual password:

CREATE USER gitea WITH PASSWORD '<password>';
CREATE DATABASE gitea OWNER gitea;
\q

Gitea Installation & Setup

Since we are still logged in as the postgres user, we have to switch accounts. The second-to-last command below downloads Gitea. However, the version in the command might be out of date. Check here for the most up-to-date release; it is listed as 'Latest release'. Then adjust the command to match the current version number.

exit
sudo su git
cd /home/git
mkdir gitea
cd gitea
wget -O gitea https://github.com/go-gitea/gitea/releases/download/v1.13.0/gitea-1.13.0-linux-amd64
chmod +x gitea
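
The download above marks whatever wget fetched as executable without checking it. As an added example (not part of the original post), the functions below verify the file against a SHA-256 checksum first; they assume a checksum file for the same release, in the usual `sha256sum` format, has been saved next to the binary, and the name gitea.sha256 is hypothetical.

```shell
#!/bin/sh
# verify_sha256 FILE SUMFILE
# Returns 0 only if FILE's SHA-256 equals the hash on the first line of
# SUMFILE; 1 on mismatch; 2 if an input is unreadable or malformed.
# Only the hash field is compared, because the page saves the binary under
# the name "gitea" while a published checksum file names the release asset,
# so "sha256sum -c" would look for a file that does not exist.
verify_sha256() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    expected=$(awk 'NR == 1 { print tolower($1) }' "$2")
    # Accept exactly 64 hexadecimal digits and nothing else.
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# install_verified FILE SUMFILE
# Marks FILE executable only after the checksum matches; otherwise clears
# any execute bit so a bad download is not started by accident.
install_verified() {
    if verify_sha256 "$1" "$2"; then
        chmod +x "$1"
    else
        chmod a-x "$1" 2>/dev/null || true
        echo "refusing to install $1: checksum not verified" >&2
        return 1
    fi
}

# Usage on the VM (gitea.sha256 is a hypothetical local name for the
# checksum file of the same release):
#   install_verified gitea gitea.sha256 && ./gitea web
```

A checksum fetched from the same place as the binary catches a corrupted or truncated download; where a project also publishes a GPG signature, checking that is the stronger test of origin.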

Now we are going to run Gitea for the initial setup.

./gitea web

Open up the Gitea web interface by navigating to your VM's external IP with the port 3000. E.g. http://93.184.216.34:3000

If the install page doesn't appear instantly, press the login button and it will appear.

Change the following accordingly:

  • Database Type: PostgreSQL
  • Password: The password you set in the PostgreSQL Setup step
  • Application Name: Optional, as you please
  • SSH Port: 5522
  • Domain: Your domain (E.g. git.example.com)
  • Application URL: Your domain (E.g. http://git.example.com)

Under Optional Settings, open Server and Third-Party Service Settings and change the following settings:

  • Disable Self-Registration: True
  • Allow Registration Only Through External Services: False
  • Enable OpenID Self-Registration: False
  • Enable OpenID Sign-In: False

Finally, set up an admin account by opening Administrator Account Settings and filling in the fields.

Click Install Gitea.

Now, delete the gitea-setup firewall rule so that port 3000 is no longer open to the internet.

Systemd Service Setup

Next, we are going to set up a service for Gitea to run in the background:

sudo nano /etc/systemd/system/gitea.service

Paste the following into the file:

[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=postgresql.service

[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/home/git/gitea
ExecStart=/home/git/gitea/gitea web
Restart=always
Environment=USER=git HOME=/home/git

[Install]
WantedBy=multi-user.target

Enable the service with the following commands:

sudo systemctl enable gitea.service
sudo systemctl start gitea.service

Nginx Setup

Install Nginx:

sudo apt install nginx

Now, we are going to set up Nginx:

sudo nano /etc/nginx/sites-enabled/gitea

Paste the following into the file, changing <your-domain> to your domain:

server {
    listen 80;
    server_name <your-domain>;

    location / {
        proxy_pass http://localhost:3000;
    }

    proxy_set_header X-Real-IP $remote_addr;
}

Next, remove the default site and reload the service:

sudo rm /etc/nginx/sites-enabled/default
sudo service nginx reload

Fail2ban Setup

Install Fail2ban:

sudo apt install fail2ban

Set up the filter:

sudo nano /etc/fail2ban/filter.d/gitea.conf

Paste the following into the file:

[Definition]
failregex =  .*Failed authentication attempt for .* from <HOST>
ignoreregex =

Set up the jail that applies the filter to Gitea's log:

sudo nano /etc/fail2ban/jail.d/jail.local

Paste the following into the file:

[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /home/git/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports

Finally, restart the service for the changes to take effect:

sudo service fail2ban restart
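
A quick offline check, added here and not part of the original post, of which hosts the filter pattern and the jail's maxretry and findtime values would ban. The log line shape, the IPv4-only stand-in for <HOST> and the documentation-range addresses are assumptions; on the VM itself, `fail2ban-regex /home/git/gitea/log/gitea.log /etc/fail2ban/filter.d/gitea.conf` runs the real filter against the real log.

```shell
#!/bin/sh
# Jail values from the page: maxretry = 10, findtime = 3600 seconds.
# <HOST> is expanded to a simplified IPv4 pattern (assumption); fail2ban's
# own <HOST> also accepts IPv6 addresses and hostnames.
HOST_RE='([0-9]{1,3}(\.[0-9]{1,3}){3})'
STAMP_RE='([0-9]{4}/[0-9]{2}/[0-9]{2}) ([0-9]{2}:[0-9]{2}:[0-9]{2})'

# would_ban LOGFILE MAXRETRY FINDTIME
# Prints each host with MAXRETRY matching lines inside FINDTIME seconds.
would_ban() {
    sed -nE "s|^${STAMP_RE} .*Failed authentication attempt for .* from ${HOST_RE}.*\$|\1 \2 \3|p" "$1" |
    awk -v max="$2" -v win="$3" '
    function epoch(d, t,    a, b, y, m, days) {   # timestamp to seconds
        split(d, a, "/"); split(t, b, ":")
        y = a[1] + 0; m = a[2] + 0
        if (m <= 2) { y--; m += 12 }
        days = 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3) + 2)/5) + a[3]
        return days*86400 + b[1]*3600 + b[2]*60 + b[3]
    }
    {
        now = epoch($1, $2); h = $3
        ts[h, ++n[h]] = now
        # forget failures that are older than the findtime window
        while (now - ts[h, first[h] + 1] > win) first[h]++
        if (n[h] - first[h] >= max && !(h in banned)) { banned[h] = 1; print h }
    }'
}

# make_sample_log FILE: writes constructed lines in an assumed Gitea log shape.
make_sample_log() {
    msg='src.go:0:fn() [I] Failed authentication attempt for admin from'
    : > "$1"
    i=0
    while [ "$i" -lt 10 ]; do
        # 203.0.113.5 fails once a minute, 198.51.100.7 once every 30 minutes
        printf '2020/12/01 10:%02d:00 %s 203.0.113.5\n' "$i" "$msg" >> "$1"
        printf '2020/12/01 %02d:%02d:00 %s 198.51.100.7\n' \
            "$((i / 2))" "$((i % 2 * 30))" "$msg" >> "$1"
        i=$((i + 1))
    done
    echo '2020/12/01 10:03:00 src.go:0:fn() [I] Completed POST /user/login' >> "$1"
    sort -o "$1" "$1"
}
```

With the page's values, `would_ban FILE 10 3600` reports only the host that fails once a minute; the slower host stays under the threshold until findtime is widened.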

Let's Encrypt Setup

Before proceeding, ensure that your DNS records point to the VM's external IP. If not, certbot will fail. Another note: it cannot point to a CNAME record; it has to be an A or AAAA record. Fun fact!

Install certbot:

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install python3-certbot-nginx 

Set up Certbot:

sudo certbot --nginx

Enable Automatic Certificate Renewal

Create a service to renew the certificate:

sudo nano /etc/systemd/system/certbot-renewal.service

Paste the following into the file:

[Unit]
Description=Certbot Renewal

[Service]
ExecStart=/usr/bin/certbot renew

Next, create a daily timer:

sudo nano /etc/systemd/system/certbot-renewal.timer

Paste the following into the file:

[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1d

[Install]
WantedBy=multi-user.target

Now simply start and enable the timer:

sudo systemctl enable certbot-renewal.timer
sudo systemctl start certbot-renewal.timer

Enabling Git Over SSH

Now that we're done with the command line, navigate back to your Gitea website, now hosted on your domain (E.g. git.example.com).

Click the profile icon in the top right and go to Site Administration.

Run the Maintenance Operation titled:

Update the '.ssh/authorized_keys' file with Gitea SSH keys. (Not needed for the built-in SSH server.)

Done

Enjoy!

Maybe create a user account and don't use the admin one. This is also done in the Site Administration section.

Thank you again to Bryan Gilbert and I hope you enjoyed.
