firefrost-operations-manual/docs/deployment/gitea.md

FIREFROST GAMING: Gitea Deployment Documentation

Project: Frostwall Protocol - Phase 0.5 Management Layer
Service: Gitea (Version Control System)
Deployment Date: February 8, 2026
Lead Engineer: Michael
Status: ✅ OPERATIONAL
Document Version: 1.0

---

1. Service Profile

1.1 Network Configuration

Parameter	Value
Service Name	Gitea
Purpose	Git Version Control & Repository Management
Dedicated IP	74.63.218.202
Subnet	74.63.218.200/29 (Command Center /29 Block)
Subdomain	git.firefrostgaming.com
Internal Port	3000 (localhost only)
External Ports	80 (HTTP → HTTPS redirect), 443 (HTTPS)
SSH Port	2222 (Git SSH access)

1.2 Application Paths

Component	Path
Binary	/usr/local/bin/gitea
Home Directory	/var/lib/gitea
Data Directory	/var/lib/gitea/data
Repository Root	/var/lib/gitea/repositories
Git LFS Root	/var/lib/gitea/lfs
Log Directory	/var/lib/gitea/log
Configuration	/etc/gitea/app.ini
Systemd Service	/etc/systemd/system/gitea.service

1.3 Database

Parameter	Value
Type	SQLite3
Path	/var/lib/gitea/data/gitea.db
Rationale	Lightweight, embedded, zero-maintenance for single-server deployment

1.4 SSL/TLS Configuration

Parameter	Value
Certificate Provider	Let's Encrypt
Certificate Path	/etc/letsencrypt/live/git.firefrostgaming.com/fullchain.pem
Private Key Path	/etc/letsencrypt/live/git.firefrostgaming.com/privkey.pem
Expiration	May 9, 2026
Auto-Renewal	Enabled (Certbot systemd timer)

1.5 Reverse Proxy

Parameter	Value
Proxy Software	Nginx 1.24.0
Configuration File	/etc/nginx/sites-available/git.firefrostgaming.com
Enabled Symlink	/etc/nginx/sites-enabled/git.firefrostgaming.com
Proxy Target	http://127.0.0.1:3000
Max Upload Size	512M

---

2. Changelog v1.0 - Initial Deployment

2.1 System Preparation

• Updated system packages: apt update && apt upgrade
• Installed dependencies: git, curl, wget, gnupg2
• Created system user: gitea (system user, disabled password, home: /var/lib/gitea)
• Created directory structure: /var/lib/gitea/{custom,data,log}
• Set ownership: gitea:gitea on all application directories
• Set permissions: 750 on /var/lib/gitea

2.2 Gitea Installation

• Downloaded Gitea binary: v1.21.5 (linux-amd64) to /usr/local/bin/gitea
• Set executable permissions: 755 on binary
• Initialized SQLite database: /var/lib/gitea/data/gitea.db
• Created configuration file: /etc/gitea/app.ini with base settings

2.3 Systemd Service Configuration

• Created service file: /etc/systemd/system/gitea.service
• Service type: Simple
• Run as: gitea user/group
• Working directory: /var/lib/gitea
• ExecStart: /usr/local/bin/gitea web -c /etc/gitea/app.ini
• Auto-restart: Enabled
• Boot enabled: systemctl enable gitea

2.4 Nginx Reverse Proxy Setup

• Installed Nginx: v1.24.0 (Ubuntu)
• Disabled default site: Removed /etc/nginx/sites-enabled/default to prevent 0.0.0.0:80 binding conflict
• Created Gitea site config: /etc/nginx/sites-available/git.firefrostgaming.com
• IP binding: Nginx listens ONLY on 74.63.218.202:80 and :443
• HTTP redirect: Port 80 → 301 redirect to HTTPS
• HTTPS proxy: Port 443 → proxy_pass to localhost:3000
• Generated temporary self-signed certificate: For initial testing
• Enabled site: Symlinked to /etc/nginx/sites-enabled/
• Restarted Nginx: Full restart to clear inherited socket bindings

2.5 DNS Configuration

• Provider: Cloudflare
• Record added: git.firefrostgaming.com A 74.63.218.202
• Proxy status: DNS only (gray cloud) - required for Let's Encrypt validation
• TTL: Auto
• Propagation verified: nslookup confirmed 74.63.218.202 resolution

2.6 Frostwall (UFW) Configuration

• Installed UFW: v0.36.2-6
• Removed packages: iptables-persistent, netfilter-persistent (conflicting)
• Added SSH rule: Port 22 allowed (prevent lockout)
• Added primary gateway rule: Full access to 63.143.34.217 on ens3
• Added Gitea HTTP rule: Port 80 on 74.63.218.202 via ens3
• Added Gitea HTTPS rule: Port 443 on 74.63.218.202 via ens3
• Enabled firewall: ufw --force enable

2.7 SSL Certificate Deployment

• Installed Certbot: certbot + python3-certbot-nginx
• Obtained Let's Encrypt certificate: For git.firefrostgaming.com
• Email registered: mkrause612@gmail.com (renewal notifications)
• Certificate deployed: Certbot automatically updated Nginx config
• Auto-renewal configured: Certbot systemd timer active

2.8 Gitea Web Installation

• Accessed installer: https://git.firefrostgaming.com
• Fixed permissions temporarily: chown gitea:gitea /etc/gitea and app.ini for web installer write access
• Configured via web UI:
  • Database: SQLite3 at /var/lib/gitea/data/gitea.db
  • Site title: Firefrost Gaming - Git Repository
  • Server domain: git.firefrostgaming.com
  • SSH port: 2222
  • Base URL: https://git.firefrostgaming.com/
  • Server settings: Enable Local Mode, Disable Gravatar, Disable Self-Registration, Require Sign-In to View Pages
  • Administrator account: mkrause612 created
• Locked down permissions post-install:
  • chmod 750 /etc/gitea
  • chmod 640 /etc/gitea/app.ini
• Restarted Gitea service: Applied final configuration

2.9 Verification & Testing

• HTTPS access verified: curl -I returned HTTP/2 200
• SSL certificate verified: openssl s_client confirmed CN=git.firefrostgaming.com
• Port bindings verified: ss -tlnp confirmed Nginx on 74.63.218.202:80 and :443
• Created test repository: firefrost-phase0-configs (private)
• Repository accessibility confirmed: HTTPS clone URL working

---

3. Security Posture

3.1 Application Security

• User registration: Disabled (admin-only account creation)
• Public browsing: Disabled (requires sign-in to view)
• Gravatar: Disabled (no external avatar service calls)
• Local mode: Enabled (all assets served locally, no CDN)
• Password hashing: pbkdf2 algorithm
• Hidden email domain: noreply.git.firefrostgaming.com

3.2 Network Security

• Internal service binding: Gitea bound to 127.0.0.1:3000 only (not externally accessible)
• Reverse proxy isolation: All external access via Nginx on dedicated IP
• IP-specific firewall rules: UFW rules target 74.63.218.202 only
• Primary gateway protection: 63.143.34.217 unchanged, zero new services

3.3 File Permissions

• Configuration directory: /etc/gitea (750, root:gitea)
• Configuration file: /etc/gitea/app.ini (640, gitea:gitea)
• Application directories: /var/lib/gitea/* (750, gitea:gitea)
• Binary: /usr/local/bin/gitea (755, root:root)

---

4. Frostwall (UFW) Rules Summary

4.1 Active Rules for 74.63.218.202

# HTTP (Port 80) - Let's Encrypt validation & HTTPS redirect
ufw allow in on ens3 to 74.63.218.202 port 80 proto tcp

# HTTPS (Port 443) - Gitea web interface
ufw allow in on ens3 to 74.63.218.202 port 443 proto tcp

4.2 Complete Firewall Status

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
63.143.34.217 on ens3      ALLOW IN    Anywhere
74.63.218.202 80/tcp on ens3 ALLOW IN    Anywhere
74.63.218.202 443/tcp on ens3 ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

4.3 Port Allocation

Port	Protocol	Purpose	Scope
22	TCP	SSH Management	Global (inherited)
80	TCP	HTTP (redirect)	74.63.218.202 only
443	TCP	HTTPS (Gitea web)	74.63.218.202 only
2222	TCP	Git SSH (future)	Not yet exposed via firewall
3000	TCP	Gitea internal	localhost only (not firewalled)

---

5. Operational Notes

5.1 Service Management

Start Gitea:

systemctl start gitea

Stop Gitea:

systemctl stop gitea

Restart Gitea:

systemctl restart gitea

Check status:

systemctl status gitea

View logs:

journalctl -u gitea -f

5.2 Nginx Management

Test configuration:

nginx -t

Reload configuration:

systemctl reload nginx

Restart Nginx:

systemctl restart nginx

5.3 SSL Certificate Renewal

Manual renewal (testing):

certbot renew --dry-run

Force renewal:

certbot renew --force-renewal

Auto-renewal status:

systemctl status certbot.timer

5.4 Configuration Backup

Backup configuration:

cp /etc/gitea/app.ini /etc/gitea/app.ini.backup.$(date +%Y%m%d)

Backup repositories:

tar -czf /root/gitea-repos-backup-$(date +%Y%m%d).tar.gz /var/lib/gitea/repositories

---

6. Troubleshooting

6.1 Common Issues

Issue: Gitea not accessible via HTTPS

• Check Nginx binding: ss -tlnp | grep 74.63.218.202
• Check Gitea service: systemctl status gitea
• Check firewall: ufw status | grep 74.63.218.202
• Check DNS: nslookup git.firefrostgaming.com

Issue: 502 Bad Gateway

• Cause: Gitea service not running
• Fix: systemctl start gitea

Issue: Permission denied errors

• Cause: Incorrect file ownership or permissions
• Fix: chown -R gitea:gitea /var/lib/gitea

Issue: SSL certificate expired

• Check expiration: certbot certificates
• Renew manually: certbot renew

6.2 Port Binding Conflicts

Check what's using a port:

ss -tlnp | grep :PORT_NUMBER

Check Nginx configuration:

nginx -T | grep listen

---

7. Phase 0.5 Integration

7.1 Management Layer Position

Gitea Role: Source of truth for all Firefrost Gaming infrastructure configurations, scripts, and documentation.

Integration Points:

• Uptime Kuma (Planned): Will monitor Gitea health endpoint
• BookStack (Planned): Will reference Gitea repos in documentation
• Netdata (Planned): Will track Gitea resource usage
• Vaultwarden (Planned): Will store Gitea admin credentials

7.2 Repository Structure (Recommended)

firefrost-phase0-configs/
├── docs/
│   ├── phase0-technical-changelog.md
│   ├── phase0-addendum-service-audit.md
│   └── gitea-deployment.md (this document)
├── configs/
│   ├── nginx/
│   │   └── git.firefrostgaming.com.conf
│   ├── systemd/
│   │   └── gitea.service
│   └── gitea/
│       └── app.ini.template
└── scripts/
    ├── backup-gitea.sh
    └── restore-gitea.sh

---

8. Revision History

Version	Date	Author	Changes
1.0	2026-02-08	Michael	Initial deployment. Gitea 1.21.5 installed on 74.63.218.202 with Nginx reverse proxy, Let's Encrypt SSL, and UFW firewall. First repository created.

---

9. Related Documentation

• FIREFROST_GAMING__Phase_0_Technical_Change_Log.md - Vanilla Reset baseline
• FIREFROST_GAMING__Phase_0_Addendum.md - Service reallocation audit
• Firefrost_Vanilla_Manifest.md v1.3 - Infrastructure inventory
• Phase 0.5 Master Plan - Management layer architecture

---

END OF DOCUMENT

Document Generated: 2026-02-08 01:15 CST
Service Status: ✅ OPERATIONAL
Next Service: Uptime Kuma (74.63.218.203) - status.firefrostgaming.com
Phase 0.5 Progress: 1/5 Services Deployed (20%)