# Gitea Git Service Role

Self-contained Gitea Git service for rick-infra, following the established architectural patterns.

## Features

- ✅ **Self-contained**: Manages its own database and configuration
- ✅ **Native Arch installation**: Uses pacman packages
- ✅ **PostgreSQL integration**: Uses the shared PostgreSQL infrastructure
- ✅ **Caddy integration**: Deploys reverse proxy configuration
- ✅ **Security hardened**: systemd restrictions and secure defaults
- ✅ **Firewall management**: Automatically configures nftables for SSH access
- ✅ **fail2ban protection**: Brute-force protection for SSH authentication
- ✅ **Production ready**: HTTPS, SSH access, LFS support

## Architecture

- **Dependencies**: PostgreSQL infrastructure role
- **Database**: Self-managed `gitea` database and user
- **Network**: HTTP on :3000 (localhost only), SSH on :2222 (public)
- **Web access**: https://git.domain.com (via Caddy reverse proxy)
- **SSH access**: ssh://git@git.domain.com:2222
- **Firewall**: Port 2222 automatically opened via nftables
- **Security**: fail2ban monitors and blocks SSH brute-force attempts

## Configuration

Key variables (defaults in `defaults/main.yml`):

```yaml
# Service
gitea_service_enabled: true
gitea_http_port: 3000
gitea_ssh_port: 2222

# Domain
gitea_subdomain: "git"
gitea_domain: "{{ caddy_domain }}"

# Database (self-managed)
gitea_db_name: "gitea"
gitea_db_user: "gitea"
gitea_db_password: "{{ vault_gitea_db_password }}"

# Application
gitea_app_name: "Gitea: Git with a cup of tea"
gitea_disable_registration: false
gitea_enable_lfs: true

# Firewall and Security
gitea_manage_firewall: true  # Automatically manage nftables rules
```

## Usage

1. **Add vault password**: Set `vault_gitea_db_password` in the host_vars vault
2. **Deploy**: `ansible-playbook site.yml --tags gitea`
3. **Access**: Visit https://git.yourdomain.com to set up the admin account

## Dependencies

- PostgreSQL infrastructure role (auto-included)
- Caddy web server (for HTTPS access)
- Vault password: `vault_gitea_db_password`

## SSH Access

Gitea provides Git repository access via SSH on port 2222:

```bash
# Clone a repository
git clone ssh://git@git.jnss.me:2222/username/repository.git

# Or add as remote
git remote add origin ssh://git@git.jnss.me:2222/username/repository.git
```

### SSH Key Setup

1. **Generate SSH key** (if you don't have one):

   ```bash
   ssh-keygen -t ed25519 -C "your_email@example.com"
   ```

2. **Copy your public key**:

   ```bash
   cat ~/.ssh/id_ed25519.pub
   ```

3. **Add to Gitea**:
   - Log into the Gitea web interface
   - Go to Settings → SSH/GPG Keys
   - Click "Add Key"
   - Paste your public key

4. **Test SSH connection**:

   ```bash
   ssh -T -p 2222 git@git.jnss.me
   ```

## Firewall and Security

### Automatic Firewall Management

The Gitea role automatically manages firewall rules via nftables:

- **Port 2222** is opened automatically when Gitea is deployed
- Firewall rules are stored in `/etc/nftables.d/gitea.nft`
- Rules are integrated with the main security playbook configuration
- To disable automatic firewall management, set `gitea_manage_firewall: false`

### fail2ban Protection

SSH brute-force protection is configured automatically:

- **Jail**: `gitea-ssh` monitors Gitea SSH authentication attempts
- **Max retries**: 5 failed attempts
- **Find time**: 10 minutes (600 seconds)
- **Ban time**: 1 hour (3600 seconds)
- **Action**: IP banned via nftables

Check fail2ban status:

```bash
# Check Gitea SSH jail status
fail2ban-client status gitea-ssh

# View banned IPs
fail2ban-client get gitea-ssh banned

# Unban an IP if needed
fail2ban-client set gitea-ssh unbanip 203.0.113.100
```

### Firewall Verification

```bash
# List active nftables rules
nft list ruleset

# Check if the Gitea SSH port is open
nft list ruleset | grep 2222

# Verify from an external machine
nc -zv git.jnss.me 2222
```

## Self-Contained Design

This role follows rick-infra's self-contained service pattern:

- Creates its own database and user via the PostgreSQL infrastructure
- Manages its own configuration and data
- Deploys its own Caddy reverse proxy config
- Manages its own firewall rules and security (nftables, fail2ban)
- Independent lifecycle from other services

---

**Rick-Infra Gitea Service**

Git repository management with integrated CI/CD capabilities.
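The fail2ban parameters listed under "fail2ban Protection" (5 retries within a 600-second find time, 3600-second ban) are easy to misjudge: a slow attacker spacing attempts more than `findtime / maxretry` apart never trips the jail. The following Python script is an added illustration of that sliding-window logic, not part of this role or of fail2ban itself. It replays constructed log lines through a simplified model of the jail and reports which source addresses would be banned and for how long. The log line shape and the "Failed authentication attempt ... from <ip>" wording are assumptions chosen to resemble Gitea's own authentication warnings; check the real filter in the role's fail2ban configuration before relying on the regex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters as documented for the gitea-ssh jail.
MAX_RETRY = 5
FIND_TIME_S = 600
BAN_TIME_S = 3600

# Assumed log shape (constructed for this example): Gitea-style timestamp,
# then a warning containing "Failed authentication attempt ... from <ip>".
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*"
    r"Failed authentication attempt .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: 203.0.113.100 hammers the SSH port (five failures in
# ~90 s), 198.51.100.7 spaces its failures four minutes apart, and one line is
# an unrelated informational message that the filter must ignore.
SAMPLE_LOG = [
    "2025/01/15 10:00:00 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for bob from 198.51.100.7",
    "2025/01/15 10:00:05 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for alice from 203.0.113.100",
    "2025/01/15 10:00:20 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for alice from 203.0.113.100",
    "2025/01/15 10:00:41 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for root from 203.0.113.100",
    "2025/01/15 10:01:03 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for admin from 203.0.113.100",
    "2025/01/15 10:01:10 ...ssh.go:140:sessionHandler() [I] SSH: Session opened for user carol",
    "2025/01/15 10:01:30 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for git from 203.0.113.100",
    "2025/01/15 10:02:00 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for alice from 203.0.113.100",
    "2025/01/15 10:04:00 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for bob from 198.51.100.7",
    "2025/01/15 10:08:00 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for bob from 198.51.100.7",
    "2025/01/15 10:12:00 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for bob from 198.51.100.7",
    "2025/01/15 10:16:00 ...ssh.go:120:publicKeyHandler() [W] Failed authentication attempt for bob from 198.51.100.7",
]


def parse_failure(line):
    """Return (timestamp, ip) for a matching failure line, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("ip")


def evaluate(lines, max_retry=MAX_RETRY, find_time_s=FIND_TIME_S, ban_time_s=BAN_TIME_S):
    """Replay log lines through a simplified fail2ban model.

    Returns a list of (ip, ban_start, ban_end) tuples in the order bans fire.
    Failures from an address that is currently banned are ignored, since the
    nftables action would have dropped those packets before Gitea saw them.
    """
    find_time = timedelta(seconds=find_time_s)
    ban_time = timedelta(seconds=ban_time_s)
    attempts = defaultdict(deque)   # ip -> timestamps inside the find window
    banned_until = {}               # ip -> datetime the ban expires
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = attempts[ip]
        window.append(ts)
        # Drop attempts older than findtime; only recent failures count.
        while window and ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in evaluate(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the documented settings only 203.0.113.100 is banned (at 10:01:30, for one hour); 198.51.100.7 never has five failures inside any 600-second window. Rerunning `evaluate(SAMPLE_LOG, find_time_s=1200)` bans both addresses, which shows that widening `findtime` is the knob that catches low-and-slow guessing, at the cost of more false positives from legitimate users with stale keys.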