The website for craig.stewart.zone https://craig.stewart.zone/
<!DOCTYPE html>
<html lang="en">
<head>
<link href="/styles/default.css" rel="stylesheet" type="text/css" />
<title>
Finalising Everything
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>
<div id="wrapper">
<div id="header">
<h1>
Finalising Everything
</h1>
</div>
<div id="layout">
<div id="navigation">
<p class="link">
<a href="/index.html">
Home
</a>
</p>
<p class="link">
<a href="/about.html">
About Me
</a>
</p>
<p class="link">
<a href="/contact.html">
Contact Me
</a>
</p>
<!--<p class="link">
<a href="/cv.html">
My CV
</a>
</p>-->
<p class="link">
<a href="/guides/">
Guides
</a>
</p>
<p class="link">
<a href="https://www.craig-james-stewart.co.uk/blog/">
My Blog
</a>
</p>
</div>
<div id="content">
<p>First off, Gitea will try to validate the SSL certificate we are using for Postfix, but this is a self-signed cert that is not valid for "localhost", so we need to patch the config file so that Gitea does not validate this certificate.</p>
<pre>sudo sed -i.bak '/mailer/a\
SKIP_VERIFY = true' /etc/gitea/app.ini</pre>
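<p>The sed command above appends the new line after every line that contains the word "mailer", not only after the <code>[mailer]</code> section header, and it adds another copy each time it is run. Since <code>SKIP_VERIFY</code> switches off certificate checking for the SMTP connection, it is worth confirming that the key ends up only in the <code>[mailer]</code> section and only once. The Python below is an added example, not part of this guide or of Gitea: <code>sed_style_append</code> reproduces the sed behaviour on a constructed app.ini excerpt, and <code>set_ini_key</code> is an alternative patch that is scoped to one section and idempotent. The sample file contents and the function names are assumptions made for the example.</p>

```python
import re

# Constructed app.ini excerpt (not a real Gitea config): the word "mailer"
# appears both as the section header and inside a comment in another section.
SAMPLE_APP_INI = """\
[mailer]
ENABLED = true
HOST = localhost:465
FROM = gitea@example.invalid

[service]
; note: the mailer must be enabled for REGISTER_EMAIL_CONFIRM to work
REGISTER_EMAIL_CONFIRM = true
"""


def sed_style_append(ini_text, match="mailer", new_line="SKIP_VERIFY = true"):
    """Mimic `sed '/mailer/a\\ SKIP_VERIFY = true'`: append after EVERY matching line."""
    out = []
    for line in ini_text.splitlines():
        out.append(line)
        if match in line:          # sed's /mailer/ is a substring match on any line
            out.append(new_line)
    return "\n".join(out) + "\n"


def set_ini_key(ini_text, section="mailer", key="SKIP_VERIFY", value="true"):
    """Set key under [section] only; update it in place if it is already there."""
    lines = ini_text.splitlines()
    header_re = re.compile(r"^\s*\[([^\]]+)\]\s*$")
    key_re = re.compile(rf"^\s*{re.escape(key)}\s*=", re.IGNORECASE)
    current = None       # section we are currently inside
    header_idx = None    # index of the target section's header line
    for i, line in enumerate(lines):
        m = header_re.match(line)
        if m:
            current = m.group(1).strip()
            if current == section:
                header_idx = i
            continue
        if current == section and key_re.match(line):
            lines[i] = f"{key} = {value}"   # already present: rewrite, do not duplicate
            return "\n".join(lines) + "\n"
    if header_idx is None:
        raise ValueError(f"no [{section}] section found")
    lines.insert(header_idx + 1, f"{key} = {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("--- sed-style result ---")
    print(sed_style_append(SAMPLE_APP_INI))
    print("--- section-scoped result ---")
    print(set_ini_key(SAMPLE_APP_INI))
```

<p>On the sample input the sed-style patch produces two <code>SKIP_VERIFY</code> lines, one of them under <code>[service]</code> where Gitea does not expect it, while <code>set_ini_key</code> produces exactly one, directly under <code>[mailer]</code>, and running it a second time changes nothing. The same scoping applies to any other key you add with a blanket sed append.</p>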
<p>Then we need to make gitea a service that will start when we start the server.</p>
<pre>cat << EOF | sudo tee -a /etc/systemd/system/gitea.service > /dev/null
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=mysqld.service
#After=postgresql.service
#After=memcached.service
#After=redis.service
[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/var/lib/gitea GITEA_WORK_DIR=/var/lib/gitea
# If you want to bind Gitea to a port below 1024 uncomment
# the two values below
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable gitea
sudo systemctl start gitea</pre>
<p>And finally, we are using fail2ban to block IP addresses that make too many failed logins over SSH, so that they cannot brute-force passwords. Now that we have set up a server that allows logins over HTTPS, we should block those too.</p>
<pre>cat << EOF | sudo tee -a /etc/fail2ban/filter.d/gitea.conf > /dev/null
# gitea.conf
[Definition]
failregex = .*Failed authentication attempt for .* from <HOST>
ignoreregex =
EOF
cat << EOF | sudo tee -a /etc/fail2ban/jail.d/jail.local > /dev/null
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = /var/lib/gitea/log/gitea.log
maxretry = 10
findtime = 3600
bantime = 900
action = iptables-allports
EOF
sudo service fail2ban restart</pre>
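<p>Before relying on a new jail it is worth checking that the failregex actually matches Gitea's log lines and that the <code>maxretry</code>/<code>findtime</code> pair produces the bans you expect. The Python below is an added example and is not part of this guide or of fail2ban: it expands the page's failregex into a Python pattern, runs it over a constructed sample of Gitea log lines, and applies the jail's sliding-window rule (at least <code>maxretry</code> matches within <code>findtime</code> seconds) per host. The <code>HOST_RE</code> stand-in for fail2ban's <code>&lt;HOST&gt;</code> tag, the sample log lines and the 203.0.113.0/24 addresses are assumptions made for the example.</p>

```python
import re
from collections import deque
from datetime import datetime

# Filter and jail values as written in the page's gitea.conf / jail.local.
FAILREGEX = r".*Failed authentication attempt for .* from <HOST>"
MAXRETRY = 10
FINDTIME = 3600  # seconds

# Assumption: a simplified stand-in for fail2ban's own <HOST> expansion. It
# matches an IPv4 address or hostname and stops at the ":port" suffix that
# Gitea appends to the remote address; real fail2ban also handles IPv6.
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# Constructed sample log in Gitea's "YYYY/MM/DD HH:MM:SS [level] ..." shape:
# 11 failures for alice from 203.0.113.7 spread over 20 minutes, three
# failures for bob from 203.0.113.9, and one unrelated request line.
SAMPLE_LOG = sorted(
    [f"2024/03/01 10:{m:02d}:00 [I] Failed authentication attempt for alice from 203.0.113.7:{40000 + m}"
     for m in range(0, 22, 2)]
    + [
        "2024/03/01 10:05:00 [I] Failed authentication attempt for bob from 203.0.113.9:41000",
        "2024/03/01 10:30:00 [I] Failed authentication attempt for bob from 203.0.113.9:41001",
        "2024/03/01 10:31:00 [I] Completed GET /user/login 200 OK in 3.2ms",
        "2024/03/01 10:32:00 [I] [5f1c2e3d] Failed authentication attempt for bob from 203.0.113.9:41002",
    ]
)


def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failed_attempts(lines, pattern=None):
    """Yield (timestamp, host) for every log line the failregex matches."""
    pattern = pattern or compile_failregex()
    for line in lines:
        m = pattern.search(line)
        if m:
            # The first 19 characters of a Gitea log line are the timestamp.
            yield datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S"), m.group("host")


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least `maxretry` failures inside some `findtime`-second window."""
    recent = {}          # host -> deque of timestamps still inside the window
    banned = set()
    for ts, host in sorted(failed_attempts(lines)):
        window = recent.setdefault(host, deque())
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()     # drop failures older than findtime
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for ts, host in failed_attempts(SAMPLE_LOG):
        print(ts, host)
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

<p>With the page's values only 203.0.113.7 is banned; lowering <code>maxretry</code> to 3 also catches 203.0.113.9, and shrinking <code>findtime</code> to 60 seconds catches nobody, because no host fails three times within one minute in the sample. On the server itself, <code>fail2ban-regex /var/lib/gitea/log/gitea.log /etc/fail2ban/filter.d/gitea.conf</code> runs the real filter over the real log and reports how many lines matched, which is the check to run before trusting the jail.</p>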
<p>We should now have a working git server. If you set up an Admin user when configuring Gitea in the previous steps then we are set. If not, you should register a user now, as the first registered user will become admin. The only remaining step before our server is ready is to automate the renewal of our SSL certificate.</p>
<pre>sudo crontab -e</pre>
<p>This will create an empty crontab for root and open it in the default editor. As an invalid crontab will stop cron from working properly, this command will validate what you save before installing it to cron. You will need to add a line like the one below to the end of the file and save it.</p>
<p>"21 05 * * * /usr/bin/certbot renew --manual-auth-hook /root/certbot/auth.sh --manual-cleanup-hook /root/certbot/clean.sh --renew-hook /root/certbot/renew.sh --manual-public-ip-logging-ok --quiet"</p>
<p>This will need to be on a single line without the quotes, and will run the certbot command at 05:21 every day, which will check the expiry of your certificate, and renew it and restart Apache if it is about to expire. Feel free to change the time it runs; Let's Encrypt won't want everyone trying to get certificates at the same time.</p>
<p>Once that is done your Git Server is ready to use.</p>
<p style="text-align:center;"><a href="/guides/building-a-git-repo/installgitea.html" title="Installing Gitea">Installing Gitea</a>|<a href="/guides/building-a-git-repo/" title="Building A git Repository Server">Main Page</a>|<a href="/guides/building-a-git-repo/other-considerations.html" title="Other Considerations">Other Considerations</a></p>
</div>
</div>
</div>
</body>
</html>