firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity
Files
5638d50f7c299fc5861e2fcde295e040ae47dd5f
firefrost-operations-manual/docs/gitea-deployment.md

383 lines
12 KiB
Markdown
Raw Blame History

# FIREFROST GAMING: Gitea Deployment Documentation
**Project:** Frostwall Protocol - Phase 0.5 Management Layer
**Service:** Gitea (Version Control System)
**Deployment Date:** February 8, 2026
**Lead Engineer:** Michael
**Status:** ✅ OPERATIONAL
**Document Version:** 1.0
---
## 1. Service Profile
### 1.1 Network Configuration
| Parameter | Value |
|-----------|-------|
| **Service Name** | Gitea |
| **Purpose** | Git Version Control & Repository Management |
| **Dedicated IP** | 74.63.218.202 |
| **Subnet** | 74.63.218.200/29 (Command Center /29 Block) |
| **Subdomain** | git.firefrostgaming.com |
| **Internal Port** | 3000 (localhost only) |
| **External Ports** | 80 (HTTP → HTTPS redirect), 443 (HTTPS) |
| **SSH Port** | 2222 (Git SSH access) |
### 1.2 Application Paths
| Component | Path |
|-----------|------|
| **Binary** | /usr/local/bin/gitea |
| **Home Directory** | /var/lib/gitea |
| **Data Directory** | /var/lib/gitea/data |
| **Repository Root** | /var/lib/gitea/repositories |
| **Git LFS Root** | /var/lib/gitea/lfs |
| **Log Directory** | /var/lib/gitea/log |
| **Configuration** | /etc/gitea/app.ini |
| **Systemd Service** | /etc/systemd/system/gitea.service |
### 1.3 Database
| Parameter | Value |
|-----------|-------|
| **Type** | SQLite3 |
| **Path** | /var/lib/gitea/data/gitea.db |
| **Rationale** | Lightweight, embedded, zero-maintenance for single-server deployment |
### 1.4 SSL/TLS Configuration
| Parameter | Value |
|-----------|-------|
| **Certificate Provider** | Let's Encrypt |
| **Certificate Path** | /etc/letsencrypt/live/git.firefrostgaming.com/fullchain.pem |
| **Private Key Path** | /etc/letsencrypt/live/git.firefrostgaming.com/privkey.pem |
| **Expiration** | May 9, 2026 |
| **Auto-Renewal** | Enabled (Certbot systemd timer) |
### 1.5 Reverse Proxy
| Parameter | Value |
|-----------|-------|
| **Proxy Software** | Nginx 1.24.0 |
| **Configuration File** | /etc/nginx/sites-available/git.firefrostgaming.com |
| **Enabled Symlink** | /etc/nginx/sites-enabled/git.firefrostgaming.com |
| **Proxy Target** | http://127.0.0.1:3000 |
| **Max Upload Size** | 512M |
---
## 2. Changelog v1.0 - Initial Deployment
### 2.1 System Preparation
- **Updated system packages:** `apt update && apt upgrade`
- **Installed dependencies:** git, curl, wget, gnupg2
- **Created system user:** `gitea` (system user, disabled password, home: /var/lib/gitea)
- **Created directory structure:** /var/lib/gitea/{custom,data,log}
- **Set ownership:** gitea:gitea on all application directories
- **Set permissions:** 750 on /var/lib/gitea
### 2.2 Gitea Installation
- **Downloaded Gitea binary:** v1.21.5 (linux-amd64) to /usr/local/bin/gitea
- **Set executable permissions:** 755 on binary
- **Initialized SQLite database:** /var/lib/gitea/data/gitea.db
- **Created configuration file:** /etc/gitea/app.ini with base settings
### 2.3 Systemd Service Configuration
- **Created service file:** /etc/systemd/system/gitea.service
- **Service type:** Simple
- **Run as:** gitea user/group
- **Working directory:** /var/lib/gitea
- **ExecStart:** /usr/local/bin/gitea web -c /etc/gitea/app.ini
- **Auto-restart:** Enabled
- **Boot enabled:** systemctl enable gitea
### 2.4 Nginx Reverse Proxy Setup
- **Installed Nginx:** v1.24.0 (Ubuntu)
- **Disabled default site:** Removed /etc/nginx/sites-enabled/default to prevent 0.0.0.0:80 binding conflict
- **Created Gitea site config:** /etc/nginx/sites-available/git.firefrostgaming.com
- **IP binding:** Nginx listens ONLY on 74.63.218.202:80 and :443
- **HTTP redirect:** Port 80 → 301 redirect to HTTPS
- **HTTPS proxy:** Port 443 → proxy_pass to localhost:3000
- **Generated temporary self-signed certificate:** For initial testing
- **Enabled site:** Symlinked to /etc/nginx/sites-enabled/
- **Restarted Nginx:** Full restart to clear inherited socket bindings
### 2.5 DNS Configuration
- **Provider:** Cloudflare
- **Record added:** git.firefrostgaming.com A 74.63.218.202
- **Proxy status:** DNS only (gray cloud) - required for Let's Encrypt validation
- **TTL:** Auto
- **Propagation verified:** nslookup confirmed 74.63.218.202 resolution
### 2.6 Frostwall (UFW) Configuration
- **Installed UFW:** v0.36.2-6
- **Removed packages:** iptables-persistent, netfilter-persistent (conflicting)
- **Added SSH rule:** Port 22 allowed (prevent lockout)
- **Added primary gateway rule:** Full access to 63.143.34.217 on ens3
- **Added Gitea HTTP rule:** Port 80 on 74.63.218.202 via ens3
- **Added Gitea HTTPS rule:** Port 443 on 74.63.218.202 via ens3
- **Enabled firewall:** ufw --force enable
### 2.7 SSL Certificate Deployment
- **Installed Certbot:** certbot + python3-certbot-nginx
- **Obtained Let's Encrypt certificate:** For git.firefrostgaming.com
- **Email registered:** mkrause612@gmail.com (renewal notifications)
- **Certificate deployed:** Certbot automatically updated Nginx config
- **Auto-renewal configured:** Certbot systemd timer active
### 2.8 Gitea Web Installation
- **Accessed installer:** https://git.firefrostgaming.com
- **Fixed permissions temporarily:** chown gitea:gitea /etc/gitea and app.ini for web installer write access
- **Configured via web UI:**
- Database: SQLite3 at /var/lib/gitea/data/gitea.db
- Site title: Firefrost Gaming - Git Repository
- Server domain: git.firefrostgaming.com
- SSH port: 2222
- Base URL: https://git.firefrostgaming.com/
- Server settings: Enable Local Mode, Disable Gravatar, Disable Self-Registration, Require Sign-In to View Pages
- Administrator account: mkrause612 created
- **Locked down permissions post-install:**
- chmod 750 /etc/gitea
- chmod 640 /etc/gitea/app.ini
- **Restarted Gitea service:** Applied final configuration
### 2.9 Verification & Testing
- **HTTPS access verified:** curl -I returned HTTP/2 200
- **SSL certificate verified:** openssl s_client confirmed CN=git.firefrostgaming.com
- **Port bindings verified:** ss -tlnp confirmed Nginx on 74.63.218.202:80 and :443
- **Created test repository:** firefrost-phase0-configs (private)
- **Repository accessibility confirmed:** HTTPS clone URL working
---
## 3. Security Posture
### 3.1 Application Security
- **User registration:** Disabled (admin-only account creation)
- **Public browsing:** Disabled (requires sign-in to view)
- **Gravatar:** Disabled (no external avatar service calls)
- **Local mode:** Enabled (all assets served locally, no CDN)
- **Password hashing:** pbkdf2 algorithm
- **Hidden email domain:** noreply.git.firefrostgaming.com
### 3.2 Network Security
- **Internal service binding:** Gitea bound to 127.0.0.1:3000 only (not externally accessible)
- **Reverse proxy isolation:** All external access via Nginx on dedicated IP
- **IP-specific firewall rules:** UFW rules target 74.63.218.202 only
- **Primary gateway protection:** 63.143.34.217 unchanged, zero new services
### 3.3 File Permissions
- **Configuration directory:** /etc/gitea (750, root:gitea)
- **Configuration file:** /etc/gitea/app.ini (640, gitea:gitea)
- **Application directories:** /var/lib/gitea/* (750, gitea:gitea)
- **Binary:** /usr/local/bin/gitea (755, root:root)
---
## 4. Frostwall (UFW) Rules Summary
### 4.1 Active Rules for 74.63.218.202
```bash
# HTTP (Port 80) - Let's Encrypt validation & HTTPS redirect
ufw allow in on ens3 to 74.63.218.202 port 80 proto tcp
# HTTPS (Port 443) - Gitea web interface
ufw allow in on ens3 to 74.63.218.202 port 443 proto tcp
```
### 4.2 Complete Firewall Status
```
Status: active
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
63.143.34.217 on ens3 ALLOW IN Anywhere
74.63.218.202 80/tcp on ens3 ALLOW IN Anywhere
74.63.218.202 443/tcp on ens3 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
```
### 4.3 Port Allocation
| Port | Protocol | Purpose | Scope |
|------|----------|---------|-------|
| 22 | TCP | SSH Management | Global (inherited) |
| 80 | TCP | HTTP (redirect) | 74.63.218.202 only |
| 443 | TCP | HTTPS (Gitea web) | 74.63.218.202 only |
| 2222 | TCP | Git SSH (future) | Not yet exposed via firewall |
| 3000 | TCP | Gitea internal | localhost only (not firewalled) |
---
## 5. Operational Notes
### 5.1 Service Management
**Start Gitea:**
```bash
systemctl start gitea
```
**Stop Gitea:**
```bash
systemctl stop gitea
```
**Restart Gitea:**
```bash
systemctl restart gitea
```
**Check status:**
```bash
systemctl status gitea
```
**View logs:**
```bash
journalctl -u gitea -f
```
### 5.2 Nginx Management
**Test configuration:**
```bash
nginx -t
```
**Reload configuration:**
```bash
systemctl reload nginx
```
**Restart Nginx:**
```bash
systemctl restart nginx
```
### 5.3 SSL Certificate Renewal
**Manual renewal (testing):**
```bash
certbot renew --dry-run
```
**Force renewal:**
```bash
certbot renew --force-renewal
```
**Auto-renewal status:**
```bash
systemctl status certbot.timer
```
### 5.4 Configuration Backup
**Backup configuration:**
```bash
cp /etc/gitea/app.ini /etc/gitea/app.ini.backup.$(date +%Y%m%d)
```
**Backup repositories:**
```bash
tar -czf /root/gitea-repos-backup-$(date +%Y%m%d).tar.gz /var/lib/gitea/repositories
```
---
## 6. Troubleshooting
### 6.1 Common Issues
**Issue:** Gitea not accessible via HTTPS
- **Check Nginx binding:** `ss -tlnp | grep 74.63.218.202`
- **Check Gitea service:** `systemctl status gitea`
- **Check firewall:** `ufw status | grep 74.63.218.202`
- **Check DNS:** `nslookup git.firefrostgaming.com`
**Issue:** 502 Bad Gateway
- **Cause:** Gitea service not running
- **Fix:** `systemctl start gitea`
**Issue:** Permission denied errors
- **Cause:** Incorrect file ownership or permissions
- **Fix:** `chown -R gitea:gitea /var/lib/gitea`
**Issue:** SSL certificate expired
- **Check expiration:** `certbot certificates`
- **Renew manually:** `certbot renew`
### 6.2 Port Binding Conflicts
**Check what's using a port:**
```bash
ss -tlnp | grep :PORT_NUMBER
```
**Check Nginx configuration:**
```bash
nginx -T | grep listen
```
---
## 7. Phase 0.5 Integration
### 7.1 Management Layer Position
**Gitea Role:** Source of truth for all Firefrost Gaming infrastructure configurations, scripts, and documentation.
**Integration Points:**
- **Uptime Kuma (Planned):** Will monitor Gitea health endpoint
- **BookStack (Planned):** Will reference Gitea repos in documentation
- **Netdata (Planned):** Will track Gitea resource usage
- **Vaultwarden (Planned):** Will store Gitea admin credentials
### 7.2 Repository Structure (Recommended)
```
firefrost-phase0-configs/
├── docs/
│ ├── phase0-technical-changelog.md
│ ├── phase0-addendum-service-audit.md
│ └── gitea-deployment.md (this document)
├── configs/
│ ├── nginx/
│ │ └── git.firefrostgaming.com.conf
│ ├── systemd/
│ │ └── gitea.service
│ └── gitea/
│ └── app.ini.template
└── scripts/
├── backup-gitea.sh
└── restore-gitea.sh
```
---
## 8. Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| **1.0** | 2026-02-08 | Michael | Initial deployment. Gitea 1.21.5 installed on 74.63.218.202 with Nginx reverse proxy, Let's Encrypt SSL, and UFW firewall. First repository created. |
---
## 9. Related Documentation
- `FIREFROST_GAMING__Phase_0_Technical_Change_Log.md` - Vanilla Reset baseline
- `FIREFROST_GAMING__Phase_0_Addendum.md` - Service reallocation audit
- `Firefrost_Vanilla_Manifest.md` v1.3 - Infrastructure inventory
- Phase 0.5 Master Plan - Management layer architecture
---
**END OF DOCUMENT**
**Document Generated:** 2026-02-08 01:15 CST
**Service Status:** ✅ OPERATIONAL
**Next Service:** Uptime Kuma (74.63.218.203) - status.firefrostgaming.com
**Phase 0.5 Progress:** 1/5 Services Deployed (20%)
Reference in New Issue View Git Blame Copy Permalink