rick-infra/roles/gitea/README.md
Joakim 2fe194ba82 Implement modular nftables architecture and Gitea SSH firewall management
- Restructure security playbook with modular nftables loader
- Base rules loaded first, service rules second, drop rule last
- Add Gitea self-contained firewall management (port 2222)
- Add fail2ban protection for Gitea SSH brute force attacks
- Update documentation with new firewall architecture
- Create comprehensive Gitea deployment and testing guide

This enables self-contained service roles to manage their own firewall
rules without modifying the central security playbook. Each service
deploys rules to /etc/nftables.d/ which are loaded before the final
drop rule, maintaining the defense-in-depth security model.
2025-12-16 21:45:22 +01:00


Gitea Git Service Role

Self-contained Gitea Git service for rick-infra following the established architectural patterns.

Features

  • Self-contained: Manages its own database and configuration
  • Native Arch installation: Uses pacman packages
  • PostgreSQL integration: Uses shared PostgreSQL infrastructure
  • Caddy integration: Deploys reverse proxy configuration
  • Security hardened: systemd sandboxing directives and secure defaults
  • Firewall management: Automatically configures nftables for SSH access
  • fail2ban protection: Brute force protection for SSH authentication
  • Production ready: HTTPS, SSH access, LFS support

Architecture

  • Dependencies: PostgreSQL infrastructure role
  • Database: Self-managed gitea database and user
  • Network: HTTP on :3000 (localhost), SSH on :2222 (public)
  • Web access: https://git.domain.com (via Caddy reverse proxy)
  • SSH access: ssh://git@git.domain.com:2222
  • Firewall: Port 2222 automatically opened via nftables
  • Security: fail2ban monitors and blocks SSH brute force attempts

Configuration

Key variables (defaults in defaults/main.yml):

# Service
gitea_service_enabled: true
gitea_http_port: 3000
gitea_ssh_port: 2222

# Domain 
gitea_subdomain: "git"
gitea_domain: "{{ caddy_domain }}"

# Database (self-managed)
gitea_db_name: "gitea"
gitea_db_user: "gitea" 
gitea_db_password: "{{ vault_gitea_db_password }}"

# Application
gitea_app_name: "Gitea: Git with a cup of tea"
gitea_disable_registration: false
gitea_enable_lfs: true

# Firewall and Security
gitea_manage_firewall: true  # Automatically manage nftables rules

Usage

  1. Add vault password: Set vault_gitea_db_password in the host_vars vault
  2. Deploy: ansible-playbook site.yml --tags gitea
  3. Access: Visit https://git.yourdomain.com and create the admin account. Unless the instance is meant to accept public sign-ups, set gitea_disable_registration: true afterwards and redeploy, since the default leaves registration open on a publicly reachable host.

Dependencies

  • PostgreSQL infrastructure role (auto-included)
  • Caddy web server (for HTTPS access)
  • Vault password: vault_gitea_db_password

SSH Access

Gitea provides Git repository access via SSH on port 2222:

# Clone a repository
git clone ssh://git@git.jnss.me:2222/username/repository.git

# Or add as remote
git remote add origin ssh://git@git.jnss.me:2222/username/repository.git

SSH Key Setup

  1. Generate SSH key (if you don't have one):

    ssh-keygen -t ed25519 -C "your_email@example.com"
    
  2. Copy your public key:

    cat ~/.ssh/id_ed25519.pub
    
  3. Add to Gitea:

    • Log into Gitea web interface
    • Go to Settings → SSH/GPG Keys
    • Click "Add Key"
    • Paste your public key
  4. Test SSH connection:

    ssh -T -p 2222 git@git.jnss.me
    

Firewall and Security

Automatic Firewall Management

The Gitea role automatically manages firewall rules via nftables:

  • Port 2222 is opened automatically when Gitea is deployed
  • Firewall rules are stored in /etc/nftables.d/gitea.nft
  • Rules are loaded by the security playbook's nftables configuration after the base rules and before its final drop rule
  • To disable automatic firewall management, set gitea_manage_firewall: false
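The layout that makes this work, as an added illustration rather than the playbook's actual files: the central configuration creates the table and chains, includes every service file from /etc/nftables.d/, and only then appends the drop rule. The table and chain names (inet filter, input), the baseline rules and the host sshd port are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Illustrative /etc/nftables.conf (not rick-infra's actual file).
# Everything below runs as one atomic transaction: a syntax error in any
# included service file aborts the whole load and the previous ruleset stays.
flush ruleset

# 1. Base rules. The chain policy is accept on purpose: the last explicit
#    rule appended at step 3, not the policy, decides unmatched packets.
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 accept comment "host sshd (assumed port)"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# 2. Service rules. Each role's file appends to the input chain; files are
#    processed in alphabetical order, so no service file may contain a drop.
include "/etc/nftables.d/*.nft"

# 3. Final drop rule, appended after every service rule.
add rule inet filter input counter drop comment "default deny"

# ---- /etc/nftables.d/gitea.nft (what a service file looks like) ----------
# add rule inet filter input tcp dport 2222 ct state new accept comment "gitea ssh"
```

Before reloading, `nft -c -f /etc/nftables.conf` parses the whole tree including the service files without applying it; after reloading, `nft list chain inet filter input` should show the port 2222 rule above the final drop, which `grep 2222` alone does not confirm.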

fail2ban Protection

SSH brute force protection is automatically configured:

  • Jail: gitea-ssh monitors Gitea SSH authentication attempts
  • Max retries: 5 failed attempts
  • Find time: 10 minutes (600 seconds)
  • Ban time: 1 hour (3600 seconds)
  • Action: IP banned via nftables

Check fail2ban status:

# Check Gitea SSH jail status
fail2ban-client status gitea-ssh

# View banned IPs
fail2ban-client get gitea-ssh banned

# Unban an IP if needed
fail2ban-client set gitea-ssh unbanip 203.0.113.100
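To see what the maxretry/findtime/bantime values listed above actually do, the following added Python script (not part of the role) replays constructed Gitea log lines through fail2ban's counting model. The failregex is an assumption modelled on the "Failed authentication attempt from <addr>" warning of Gitea's built-in SSH server and on Gitea's default YYYY/MM/DD HH:MM:SS log prefix; compare it with the filter the role actually deploys. The log lines are constructed for the example.

```python
"""Dry run of the gitea-ssh jail thresholds against constructed log lines.

Added example, not code from rick-infra or fail2ban. It mirrors how fail2ban
counts matches: a host is banned once `maxretry` matches fall inside the
trailing `findtime` window, and stays banned for `bantime`.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters from the README (jail.d: maxretry / findtime / bantime).
MAXRETRY = 5
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=3600)

# Assumed filter: Gitea's SSH server logs "Failed authentication attempt from
# <ip>:<port>". fail2ban's <HOST> token is expanded here to an IPv4 pattern;
# the real token also matches IPv6 addresses and hostnames.
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*Failed authentication attempt from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample of /var/log/gitea/gitea.log (path and lines are made up).
LOG_LINES = [
    "2025/12/16 21:40:01 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 203.0.113.10:51822",
    "2025/12/16 21:40:05 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 203.0.113.10:51830",
    "2025/12/16 21:40:09 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 203.0.113.10:51842",
    "2025/12/16 21:40:12 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 192.0.2.44:40002",
    "2025/12/16 21:40:13 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 203.0.113.10:51850",
    "2025/12/16 21:40:20 modules/ssh/ssh.go:140:publicKeyHandler() [I] Authenticated user 'dev' from 192.0.2.44:40002",
    "2025/12/16 21:40:25 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 203.0.113.10:51861",
    # Slow attacker: one failure every six minutes never reaches 5 within 600 s.
    "2025/12/16 21:50:00 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 198.51.100.7:33000",
    "2025/12/16 21:56:00 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 198.51.100.7:33001",
    "2025/12/16 22:02:00 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 198.51.100.7:33002",
    "2025/12/16 22:08:00 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 198.51.100.7:33003",
    "2025/12/16 22:14:00 modules/ssh/ssh.go:120:publicKeyHandler() [W] Failed authentication attempt from 198.51.100.7:33004",
]


def parse_failure(line):
    """Return (timestamp, ip) for a matching failure line, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("host")


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay lines in order and return {ip: ban_expiry} for hosts that got banned."""
    recent = defaultdict(deque)  # ip -> timestamps of matches inside the window
    bans = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in bans and ts < bans[ip]:
            continue  # already banned; the firewall drops these packets anyway
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # matches older than findtime no longer count
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, until in simulate_jail(LOG_LINES).items():
        print(f"{ip} banned until {until:%Y/%m/%d %H:%M:%S}")
```

Only 203.0.113.10 is banned (five failures in 24 seconds); 198.51.100.7 evades the jail because its failures are six minutes apart, which is why findtime deserves the same attention as maxretry. On a real host the equivalent check is `fail2ban-regex <gitea log path> /etc/fail2ban/filter.d/gitea-ssh.conf`, with the log and filter paths taken from the deployed role.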

Firewall Verification

# List active nftables rules
nft list ruleset

# Check if Gitea SSH port is open
nft list ruleset | grep 2222

# Verify from external machine
nc -zv git.jnss.me 2222

Self-Contained Design

This role follows rick-infra's self-contained service pattern:

  • Creates its own database and user via PostgreSQL infrastructure
  • Manages its own configuration and data
  • Deploys its own Caddy reverse proxy config
  • Manages its own firewall rules and security (nftables, fail2ban)
  • Independent lifecycle from other services
