firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity
Files
fe88ec1b4dba0d653da2a3f2c6fade7767d6569f
firefrost-operations-manual/docs/reference/technical-readme.md

7.2 KiB
Raw Blame History

FIREFROST GAMING: Gitea Technical Dossier

Project: Frostwall Protocol - Phase 0.5 Management Layer
Service: Gitea (Version Control System)
Deployment Date: February 8, 2026
Lead Engineer: Michael
Status: OPERATIONAL
Document Version: 1.0

1. Service Specifications

1.1 Network Configuration

Parameter Value
Service Name Gitea
Purpose Git Version Control & Repository Management
Dedicated IP 74.63.218.202
Subnet 74.63.218.200/29 (Command Center /29 Block)
Subdomain git.firefrostgaming.com
Internal Port 3000 (localhost only)
External Ports 80 (HTTP → HTTPS redirect), 443 (HTTPS)
SSH Port 2222 (Git SSH access)

1.2 Application Paths

Component Path
Binary /usr/local/bin/gitea
Home Directory /var/lib/gitea
Data Directory /var/lib/gitea/data
Repository Root /var/lib/gitea/repositories
Git LFS Root /var/lib/gitea/lfs
Log Directory /var/lib/gitea/log
Configuration /etc/gitea/app.ini
Systemd Service /etc/systemd/system/gitea.service
Database /var/lib/gitea/data/gitea.db (SQLite3)

1.3 Reverse Proxy & SSL

Parameter Value
Proxy Software Nginx 1.24.0
Configuration /etc/nginx/sites-available/git.firefrostgaming.com
SSL Provider Let's Encrypt
Certificate Path /etc/letsencrypt/live/git.firefrostgaming.com/
Expiration May 9, 2026 (Auto-renewal enabled)

2. Deployment Changelog v1.0

2.1 System Preparation

  • Created system user gitea with home directory /var/lib/gitea
  • Created directory structure: /var/lib/gitea/{custom,data,log}
  • Set ownership: gitea:gitea on all application directories
  • Set permissions: 750 on application directories

2.2 Gitea Installation

  • Downloaded Gitea binary v1.21.5 to /usr/local/bin/gitea
  • Initialized SQLite database at /var/lib/gitea/data/gitea.db
  • Created base configuration at /etc/gitea/app.ini

2.3 Systemd Service

  • Created service file: /etc/systemd/system/gitea.service
  • Configured to run as gitea user
  • Enabled auto-start on boot

2.4 Nginx Reverse Proxy

  • Installed Nginx 1.24.0
  • Removed default site to prevent 0.0.0.0:80 binding conflict
  • Created site config: /etc/nginx/sites-available/git.firefrostgaming.com
  • Configured IP-specific binding: 74.63.218.202:80 and :443
  • HTTP→HTTPS redirect enabled
  • Proxy pass to localhost:3000

2.5 DNS Configuration

  • Added Cloudflare A record: git.firefrostgaming.com → 74.63.218.202
  • Proxy status: DNS only (gray cloud)
  • Propagation verified via nslookup

2.6 Frostwall (UFW) Configuration

  • Installed UFW v0.36.2-6
  • Added SSH protection rule (port 22)
  • Protected primary gateway IP (63.143.34.217)
  • Opened HTTP (80) on 74.63.218.202
  • Opened HTTPS (443) on 74.63.218.202
  • Enabled firewall

2.7 SSL Certificate

  • Installed Certbot with Nginx plugin
  • Obtained Let's Encrypt certificate for git.firefrostgaming.com
  • Auto-renewal configured via systemd timer

2.8 Gitea Web Installation

  • Configured via web installer at https://git.firefrostgaming.com
  • Database: SQLite3
  • Security: Disabled public registration, require sign-in to view
  • Created administrator account: mkrause612
  • Locked configuration permissions post-install

2.9 Master Archive Creation

  • Initialized local Git repository: /root/firefrost-master-configs
  • Created folder structure: management/, nodes/, security/, web/, docs/
  • Copied configuration files to repository
  • Created .gitignore to protect sensitive files (app.ini)
  • Created sanitized template: app.ini.template
  • Committed and pushed to Gitea repository

3. Frostwall (UFW) Rules

3.1 Commands Used

# Install UFW
apt install -y ufw

# Prevent SSH lockout
ufw allow 22/tcp

# Protect primary gateway
ufw allow in on ens3 to 63.143.34.217

# Open Gitea HTTP (Let's Encrypt validation & redirect)
ufw allow in on ens3 to 74.63.218.202 port 80 proto tcp

# Open Gitea HTTPS (Web interface)
ufw allow in on ens3 to 74.63.218.202 port 443 proto tcp

# Enable firewall
ufw --force enable

3.2 Active Rules

Status: active

To                              Action      From
--                              ------      ----
22/tcp                          ALLOW IN    Anywhere
63.143.34.217 on ens3           ALLOW IN    Anywhere
74.63.218.202 80/tcp on ens3    ALLOW IN    Anywhere
74.63.218.202 443/tcp on ens3   ALLOW IN    Anywhere
22/tcp (v6)                     ALLOW IN    Anywhere (v6)

4. Service Management Commands

4.1 Gitea Service

# Start Gitea
systemctl start gitea

# Stop Gitea
systemctl stop gitea

# Restart Gitea
systemctl restart gitea

# Check status
systemctl status gitea

# View logs
journalctl -u gitea -f

4.2 Nginx

# Test configuration
nginx -t

# Reload configuration
systemctl reload nginx

# Restart Nginx
systemctl restart nginx

4.3 SSL Certificate

# Test renewal
certbot renew --dry-run

# Force renewal
certbot renew --force-renewal

# Check certificate status
certbot certificates

# Check auto-renewal timer
systemctl status certbot.timer

5. Security Configuration

5.1 Application Security

  • User registration: Disabled (admin-only)
  • Public browsing: Disabled (requires sign-in)
  • Gravatar: Disabled (privacy)
  • Local mode: Enabled (no external CDN)
  • Password hashing: pbkdf2

5.2 File Permissions

  • Configuration directory: /etc/gitea (750, root:gitea)
  • Configuration file: /etc/gitea/app.ini (640, gitea:gitea)
  • Application directories: /var/lib/gitea/* (750, gitea:gitea)

5.3 Network Security

  • Internal binding: 127.0.0.1:3000 only
  • External access: Via Nginx reverse proxy only
  • Dedicated IP: 74.63.218.202 (isolated from primary gateway)

6. Backup Procedures

6.1 Configuration Backup

# Backup Gitea config
cp /etc/gitea/app.ini /root/backups/gitea-app.ini.$(date +%Y%m%d)

# Backup Nginx config
cp /etc/nginx/sites-available/git.firefrostgaming.com \
   /root/backups/nginx-gitea.$(date +%Y%m%d)

6.2 Repository Backup

# Backup all repositories
tar -czf /root/backups/gitea-repos-$(date +%Y%m%d).tar.gz \
  /var/lib/gitea/repositories

# Backup database
cp /var/lib/gitea/data/gitea.db \
   /root/backups/gitea.db.$(date +%Y%m%d)

7. Troubleshooting

7.1 Service Not Accessible

Check Gitea service:

systemctl status gitea

Check Nginx binding:

ss -tlnp | grep 74.63.218.202

Check firewall:

ufw status | grep 74.63.218.202

Check DNS:

nslookup git.firefrostgaming.com

7.2 502 Bad Gateway

  • Cause: Gitea service not running
  • Fix: systemctl start gitea

7.3 Permission Denied Errors

  • Cause: Incorrect file ownership
  • Fix: chown -R gitea:gitea /var/lib/gitea

8. Revision History

Version Date Author Changes
1.0 2026-02-08 Michael Initial deployment. Gitea 1.21.5 installed on 74.63.218.202 with Nginx reverse proxy, Let's Encrypt SSL, UFW firewall, and Master Archive repository created.

END OF TECHNICAL DOSSIER

Reference in New Issue View Git Blame Copy Permalink