This project explains how to run locally (or using docker) a gitea instance like how to create a selfsigned CA certificate exposing the server using HTTPS with minimal effort ;-)
- Download the binary (see doc)
wget -O gitea https://dl.gitea.com/gitea/1.22.2/gitea-1.21.2-darwin-10.12-arm64
chmod +x giteaor install it using homebrew tool: brew install gitea
Next, verify that the binary is working: gitea -h
When this is done, you will have to create a config app.ini file with the following content:
mkdir -p custom/conf
cat <<EOF > custom/conf/app.ini
[security]
INSTALL_LOCK = true
[database]
DB_TYPE = sqlite3
SSL_MODE = disable
PATH = ./data/gitea.db
LOG_SQL = false
[server]
PROTOCOL = http
HTTP_PORT = 3333
EOF- Launch the gitea server
export GITEA_WORK_DIR=$HOME/code/gitea/my-gitea
export GITEA_CUSTOM=$GITEA_WORK_DIR/custom
gitea web- Create an admin user
export GITEA_WORK_DIR=$HOME/code/gitea/my-gitea
export GITEA_CUSTOM=$GITEA_WORK_DIR/custom
gitea admin user create --admin --username gitea_admin --password gitea_admin --email "[email protected]" --must-change-password=false
gitea admin user change-password --username gitea_admin --password gitea_admin- Next, you can customize the
custom/conf/app.inifile to by example configure the TLS section
[server]
PROTOCOL = https
CERT_FILE = ../pki/gitea/cert.pem
KEY_FILE = ../pki/gitea/key.pemNOTE: Don't forget top restart the server
Generate first a new selfsigned CA certificate and create the secret within gitea namespace
gitea cert --host gitea.localtest.me --ca
mv cert.pem gitea-localtest-me.pem
mv key.pem gitea-localtest-me.key
kubectl -n gitea create secret tls gitea-tls --cert=gitea-localtest-me.pem --key=gitea-localtest-me.keyImportant: Don't forget to set this env variable before to start backstage
export NODE_EXTRA_CA_CERTS=$HOME/code/gitea/my-gitea/pki/gitea/gitea-localtest-me.pem Generate the helm values and deploy the helm chart
cat <<EOF > helm-values.yml
redis-cluster:
enabled: false
postgresql:
enabled: false
postgresql-ha:
enabled: false
persistence:
enabled: false
gitea:
admin:
username: "gitea_admin"
password: "gitea_admin"
email: "[email protected]"
config:
database:
DB_TYPE: sqlite3
session:
PROVIDER: memory
cache:
ADAPTER: memory
queue:
TYPE: level
service:
ssh:
type: NodePort
nodePort: 32222
externalTrafficPolicy: Local
ingress:
enabled: true
className: nginx
hosts:
- host: gitea.localtest.me
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-tls
hosts:
- gitea.localtest.me
EOF
helm install gitea gitea-charts/gitea -n gitea --create-namespace -f helm-values.ymlTo remove it
helm uninstall gitea -n gitea- Create a docker compose file as documented here
cat << EOF > docker-compose.yml
version: "3"
networks:
gitea:
external: false
services:
server:
image: gitea/gitea:latest
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
restart: always
networks:
- gitea
volumes:
- ./gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3333:3000"
- "222:22"
EOFand launch the container
docker-compose down; docker-compose up -d; docker-compose logs -fSee: curl-gitea.md
This section describes different approaches to generate a selfsigned certificate for the localhost including also a CA (not trusted) certificate to be used by the gitea server.
To add the certificate generated to your keychain tool, execute by example on macOS the following command:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <CERTIFICATE_FILE>
NOTE: You can also use certbot if you would like to generate a certificate for a domain name (e.g. gitea.example.com, etc.).
IMPORTANT: If you plan to run gitea on kubernetes/openshift, then we recommend to use the cert-manager tool to generate a certificate for your domain name. See this project: https://github.com/snowdrop/pki?tab=readme-ov-file#create-a-pkcs12-using-cert-manager
To generate a certificate which is also its own CA & key
mkdir -p pki/gitea; cd pki/gitea
gitea cert --host localhost -ca- Generate a private key and CA certificate:
mkdir openssl; cd openssl
openssl req -x509 -nodes -new -sha512 \
-days 365 \
-newkey rsa:4096 \
-keyout ca.key \
-out ca.crt \
-subj "/C=BE/CN=Snowdrop-CA"-
Check the certificate file
openssl x509 -text -noout -in ca.crt -
Generate a x509 v3 extension file:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF- Generate a private key and certificate sign request (CSR) for localhost
openssl req -new -nodes -newkey rsa:4096 \
-keyout localhost.key \
-out localhost.csr \
-subj "/C=BE/L=Silenrieux/O=Snowdrop/CN=localhost"- Generate a certificate signed using the CA cert using the CSR:
openssl x509 -req -sha512 -days 365 \
-extfile v3.ext \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-in localhost.csr \
-out localhost.crthttps://github.com/FiloSottile/mkcert
mkcert localhost
ls -la
total 16
drwxr-xr-x@ 4 cmoullia staff 128 Jan 3 17:16 .
drwxr-xr-x@ 6 cmoullia staff 192 Jan 3 17:16 ..
-rw-------@ 1 cmoullia staff 1704 Jan 3 17:16 localhost-key.pem
-rw-r--r--@ 1 cmoullia staff 1517 Jan 3 17:16 localhost.pem
openssl s_server -accept 8443 -key localhost-key.pem -cert localhost.pem -wwwbrew install minica
minica -domains localhost -ip-addresses 127.0.0.1 -ca-cert ca.crt -ca-key ca.key
openssl x509 -noout -text -in ca.crt
openssl x509 -noout -text -in localhost/cert.pem