diff --git a/docs/gitea-deployment.md b/docs/gitea-deployment.md deleted file mode 100644 index c728a7a..0000000 --- a/docs/gitea-deployment.md +++ /dev/null 
@@ -1,382 +0,0 @@ -# FIREFROST GAMING: Gitea Deployment Documentation - -**Project:** Frostwall Protocol - Phase 0.5 Management Layer -**Service:** Gitea (Version Control System) -**Deployment Date:** February 8, 2026 -**Lead Engineer:** Michael -**Status:** ✅ OPERATIONAL -**Document Version:** 1.0 - ---- - -## 1. Service Profile - -### 1.1 Network Configuration - -| Parameter | Value | -|-----------|-------| -| **Service Name** | Gitea | -| **Purpose** | Git Version Control & Repository Management | -| **Dedicated IP** | 74.63.218.202 | -| **Subnet** | 74.63.218.200/29 (Command Center /29 Block) | -| **Subdomain** | git.firefrostgaming.com | -| **Internal Port** | 3000 (localhost only) | -| **External Ports** | 80 (HTTP → HTTPS redirect), 443 (HTTPS) | -| **SSH Port** | 2222 (Git SSH access) | - -### 1.2 Application Paths - -| Component | Path | -|-----------|------| -| **Binary** | /usr/local/bin/gitea | -| **Home Directory** | /var/lib/gitea | -| **Data Directory** | /var/lib/gitea/data | -| **Repository Root** | /var/lib/gitea/repositories | -| **Git LFS Root** | /var/lib/gitea/lfs | -| **Log Directory** | /var/lib/gitea/log | -| **Configuration** | /etc/gitea/app.ini | -| **Systemd Service** | /etc/systemd/system/gitea.service | - -### 1.3 Database - -| Parameter | Value | -|-----------|-------| -| **Type** | SQLite3 | -| **Path** | /var/lib/gitea/data/gitea.db | -| **Rationale** | Lightweight, embedded, zero-maintenance for single-server deployment | - -### 1.4 SSL/TLS Configuration - -| Parameter | Value | -|-----------|-------| -| **Certificate Provider** | Let's Encrypt | -| **Certificate Path** | /etc/letsencrypt/live/git.firefrostgaming.com/fullchain.pem | -| **Private Key Path** | /etc/letsencrypt/live/git.firefrostgaming.com/privkey.pem | -| **Expiration** | May 9, 2026 | -| **Auto-Renewal** | Enabled (Certbot systemd timer) | - -### 1.5 Reverse Proxy - -| Parameter | Value | -|-----------|-------| -| **Proxy Software** | Nginx 1.24.0 | -| 
**Configuration File** | /etc/nginx/sites-available/git.firefrostgaming.com | -| **Enabled Symlink** | /etc/nginx/sites-enabled/git.firefrostgaming.com | -| **Proxy Target** | http://127.0.0.1:3000 | -| **Max Upload Size** | 512M | - ---- - -## 2. Changelog v1.0 - Initial Deployment - -### 2.1 System Preparation -- **Updated system packages:** `apt update && apt upgrade` -- **Installed dependencies:** git, curl, wget, gnupg2 -- **Created system user:** `gitea` (system user, disabled password, home: /var/lib/gitea) -- **Created directory structure:** /var/lib/gitea/{custom,data,log} -- **Set ownership:** gitea:gitea on all application directories -- **Set permissions:** 750 on /var/lib/gitea - -### 2.2 Gitea Installation -- **Downloaded Gitea binary:** v1.21.5 (linux-amd64) to /usr/local/bin/gitea -- **Set executable permissions:** 755 on binary -- **Initialized SQLite database:** /var/lib/gitea/data/gitea.db -- **Created configuration file:** /etc/gitea/app.ini with base settings - -### 2.3 Systemd Service Configuration -- **Created service file:** /etc/systemd/system/gitea.service -- **Service type:** Simple -- **Run as:** gitea user/group -- **Working directory:** /var/lib/gitea -- **ExecStart:** /usr/local/bin/gitea web -c /etc/gitea/app.ini -- **Auto-restart:** Enabled -- **Boot enabled:** systemctl enable gitea - -### 2.4 Nginx Reverse Proxy Setup -- **Installed Nginx:** v1.24.0 (Ubuntu) -- **Disabled default site:** Removed /etc/nginx/sites-enabled/default to prevent 0.0.0.0:80 binding conflict -- **Created Gitea site config:** /etc/nginx/sites-available/git.firefrostgaming.com -- **IP binding:** Nginx listens ONLY on 74.63.218.202:80 and :443 -- **HTTP redirect:** Port 80 → 301 redirect to HTTPS -- **HTTPS proxy:** Port 443 → proxy_pass to localhost:3000 -- **Generated temporary self-signed certificate:** For initial testing -- **Enabled site:** Symlinked to /etc/nginx/sites-enabled/ -- **Restarted Nginx:** Full restart to clear inherited socket bindings - 
-### 2.5 DNS Configuration -- **Provider:** Cloudflare -- **Record added:** git.firefrostgaming.com A 74.63.218.202 -- **Proxy status:** DNS only (gray cloud) - required for Let's Encrypt validation -- **TTL:** Auto -- **Propagation verified:** nslookup confirmed 74.63.218.202 resolution - -### 2.6 Frostwall (UFW) Configuration -- **Installed UFW:** v0.36.2-6 -- **Removed packages:** iptables-persistent, netfilter-persistent (conflicting) -- **Added SSH rule:** Port 22 allowed (prevent lockout) -- **Added primary gateway rule:** Full access to 63.143.34.217 on ens3 -- **Added Gitea HTTP rule:** Port 80 on 74.63.218.202 via ens3 -- **Added Gitea HTTPS rule:** Port 443 on 74.63.218.202 via ens3 -- **Enabled firewall:** ufw --force enable - -### 2.7 SSL Certificate Deployment -- **Installed Certbot:** certbot + python3-certbot-nginx -- **Obtained Let's Encrypt certificate:** For git.firefrostgaming.com -- **Email registered:** mkrause612@gmail.com (renewal notifications) -- **Certificate deployed:** Certbot automatically updated Nginx config -- **Auto-renewal configured:** Certbot systemd timer active - -### 2.8 Gitea Web Installation -- **Accessed installer:** https://git.firefrostgaming.com -- **Fixed permissions temporarily:** chown gitea:gitea /etc/gitea and app.ini for web installer write access -- **Configured via web UI:** - - Database: SQLite3 at /var/lib/gitea/data/gitea.db - - Site title: Firefrost Gaming - Git Repository - - Server domain: git.firefrostgaming.com - - SSH port: 2222 - - Base URL: https://git.firefrostgaming.com/ - - Server settings: Enable Local Mode, Disable Gravatar, Disable Self-Registration, Require Sign-In to View Pages - - Administrator account: mkrause612 created -- **Locked down permissions post-install:** - - chmod 750 /etc/gitea - - chmod 640 /etc/gitea/app.ini -- **Restarted Gitea service:** Applied final configuration - -### 2.9 Verification & Testing -- **HTTPS access verified:** curl -I returned HTTP/2 200 -- **SSL certificate 
verified:** openssl s_client confirmed CN=git.firefrostgaming.com -- **Port bindings verified:** ss -tlnp confirmed Nginx on 74.63.218.202:80 and :443 -- **Created test repository:** firefrost-phase0-configs (private) -- **Repository accessibility confirmed:** HTTPS clone URL working - ---- - -## 3. Security Posture - -### 3.1 Application Security -- **User registration:** Disabled (admin-only account creation) -- **Public browsing:** Disabled (requires sign-in to view) -- **Gravatar:** Disabled (no external avatar service calls) -- **Local mode:** Enabled (all assets served locally, no CDN) -- **Password hashing:** pbkdf2 algorithm -- **Hidden email domain:** noreply.git.firefrostgaming.com - -### 3.2 Network Security -- **Internal service binding:** Gitea bound to 127.0.0.1:3000 only (not externally accessible) -- **Reverse proxy isolation:** All external access via Nginx on dedicated IP -- **IP-specific firewall rules:** UFW rules target 74.63.218.202 only -- **Primary gateway protection:** 63.143.34.217 unchanged, zero new services - -### 3.3 File Permissions -- **Configuration directory:** /etc/gitea (750, root:gitea) -- **Configuration file:** /etc/gitea/app.ini (640, gitea:gitea) -- **Application directories:** /var/lib/gitea/* (750, gitea:gitea) -- **Binary:** /usr/local/bin/gitea (755, root:root) - ---- - -## 4. 
Frostwall (UFW) Rules Summary - -### 4.1 Active Rules for 74.63.218.202 -```bash -# HTTP (Port 80) - Let's Encrypt validation & HTTPS redirect -ufw allow in on ens3 to 74.63.218.202 port 80 proto tcp - -# HTTPS (Port 443) - Gitea web interface -ufw allow in on ens3 to 74.63.218.202 port 443 proto tcp -``` - -### 4.2 Complete Firewall Status -``` -Status: active - -To Action From --- ------ ---- -22/tcp ALLOW IN Anywhere -63.143.34.217 on ens3 ALLOW IN Anywhere -74.63.218.202 80/tcp on ens3 ALLOW IN Anywhere -74.63.218.202 443/tcp on ens3 ALLOW IN Anywhere -22/tcp (v6) ALLOW IN Anywhere (v6) -``` - -### 4.3 Port Allocation - -| Port | Protocol | Purpose | Scope | -|------|----------|---------|-------| -| 22 | TCP | SSH Management | Global (inherited) | -| 80 | TCP | HTTP (redirect) | 74.63.218.202 only | -| 443 | TCP | HTTPS (Gitea web) | 74.63.218.202 only | -| 2222 | TCP | Git SSH (future) | Not yet exposed via firewall | -| 3000 | TCP | Gitea internal | localhost only (not firewalled) | - ---- - -## 5. 
Operational Notes - -### 5.1 Service Management - -**Start Gitea:** -```bash -systemctl start gitea -``` - -**Stop Gitea:** -```bash -systemctl stop gitea -``` - -**Restart Gitea:** -```bash -systemctl restart gitea -``` - -**Check status:** -```bash -systemctl status gitea -``` - -**View logs:** -```bash -journalctl -u gitea -f -``` - -### 5.2 Nginx Management - -**Test configuration:** -```bash -nginx -t -``` - -**Reload configuration:** -```bash -systemctl reload nginx -``` - -**Restart Nginx:** -```bash -systemctl restart nginx -``` - -### 5.3 SSL Certificate Renewal - -**Manual renewal (testing):** -```bash -certbot renew --dry-run -``` - -**Force renewal:** -```bash -certbot renew --force-renewal -``` - -**Auto-renewal status:** -```bash -systemctl status certbot.timer -``` - -### 5.4 Configuration Backup - -**Backup configuration:** -```bash -cp /etc/gitea/app.ini /etc/gitea/app.ini.backup.$(date +%Y%m%d) -``` - -**Backup repositories:** -```bash -tar -czf /root/gitea-repos-backup-$(date +%Y%m%d).tar.gz /var/lib/gitea/repositories -``` - ---- - -## 6. Troubleshooting - -### 6.1 Common Issues - -**Issue:** Gitea not accessible via HTTPS -- **Check Nginx binding:** `ss -tlnp | grep 74.63.218.202` -- **Check Gitea service:** `systemctl status gitea` -- **Check firewall:** `ufw status | grep 74.63.218.202` -- **Check DNS:** `nslookup git.firefrostgaming.com` - -**Issue:** 502 Bad Gateway -- **Cause:** Gitea service not running -- **Fix:** `systemctl start gitea` - -**Issue:** Permission denied errors -- **Cause:** Incorrect file ownership or permissions -- **Fix:** `chown -R gitea:gitea /var/lib/gitea` - -**Issue:** SSL certificate expired -- **Check expiration:** `certbot certificates` -- **Renew manually:** `certbot renew` - -### 6.2 Port Binding Conflicts - -**Check what's using a port:** -```bash -ss -tlnp | grep :PORT_NUMBER -``` - -**Check Nginx configuration:** -```bash -nginx -T | grep listen -``` - ---- - -## 7. 
Phase 0.5 Integration - -### 7.1 Management Layer Position - -**Gitea Role:** Source of truth for all Firefrost Gaming infrastructure configurations, scripts, and documentation. - -**Integration Points:** -- **Uptime Kuma (Planned):** Will monitor Gitea health endpoint -- **BookStack (Planned):** Will reference Gitea repos in documentation -- **Netdata (Planned):** Will track Gitea resource usage -- **Vaultwarden (Planned):** Will store Gitea admin credentials - -### 7.2 Repository Structure (Recommended) -``` -firefrost-phase0-configs/ -├── docs/ -│ ├── phase0-technical-changelog.md -│ ├── phase0-addendum-service-audit.md -│ └── gitea-deployment.md (this document) -├── configs/ -│ ├── nginx/ -│ │ └── git.firefrostgaming.com.conf -│ ├── systemd/ -│ │ └── gitea.service -│ └── gitea/ -│ └── app.ini.template -└── scripts/ - ├── backup-gitea.sh - └── restore-gitea.sh -``` - ---- - -## 8. Revision History - -| Version | Date | Author | Changes | -|---------|------|--------|---------| -| **1.0** | 2026-02-08 | Michael | Initial deployment. Gitea 1.21.5 installed on 74.63.218.202 with Nginx reverse proxy, Let's Encrypt SSL, and UFW firewall. First repository created. | - ---- - -## 9. Related Documentation - -- `FIREFROST_GAMING__Phase_0_Technical_Change_Log.md` - Vanilla Reset baseline -- `FIREFROST_GAMING__Phase_0_Addendum.md` - Service reallocation audit -- `Firefrost_Vanilla_Manifest.md` v1.3 - Infrastructure inventory -- Phase 0.5 Master Plan - Management layer architecture - ---- - -**END OF DOCUMENT** - -**Document Generated:** 2026-02-08 01:15 CST -**Service Status:** ✅ OPERATIONAL -**Next Service:** Uptime Kuma (74.63.218.203) - status.firefrostgaming.com -**Phase 0.5 Progress:** 1/5 Services Deployed (20%)
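Review bot: This hunk deletes the whole file with no replacement in the diff, so the operational details it carried (the UFW rules scoped to 74.63.218.202, the post-install `chmod 750 /etc/gitea` / `chmod 640 /etc/gitea/app.ini` lockdown, and the note that port 2222 is not yet exposed via the firewall) disappear from the tree with nothing pointing at where they now live; either add a short pointer to the new location or keep a stub so the next engineer can find the firewall and permission baseline. Note also that the removed text contains a personal e-mail address, public IPs and the administrator account name; removing the file from the working tree does not remove those from repository history, so if the deletion is intended to scrub them, that needs a separate history rewrite rather than this commit.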