firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity
Files
fe88ec1b4dba0d653da2a3f2c6fade7767d6569f
firefrost-operations-manual/docs/reference/technical-readme.md

289 lines
7.2 KiB
Markdown
Raw Blame History

# FIREFROST GAMING: Gitea Technical Dossier
**Project:** Frostwall Protocol - Phase 0.5 Management Layer
**Service:** Gitea (Version Control System)
**Deployment Date:** February 8, 2026
**Lead Engineer:** Michael
**Status:** ✅ OPERATIONAL
**Document Version:** 1.0
---
## 1. Service Specifications
### 1.1 Network Configuration
| Parameter | Value |
|-----------|-------|
| **Service Name** | Gitea |
| **Purpose** | Git Version Control & Repository Management |
| **Dedicated IP** | 74.63.218.202 |
| **Subnet** | 74.63.218.200/29 (Command Center /29 Block) |
| **Subdomain** | git.firefrostgaming.com |
| **Internal Port** | 3000 (localhost only) |
| **External Ports** | 80 (HTTP → HTTPS redirect), 443 (HTTPS) |
| **SSH Port** | 2222 (Git SSH access) |
### 1.2 Application Paths
| Component | Path |
|-----------|------|
| **Binary** | /usr/local/bin/gitea |
| **Home Directory** | /var/lib/gitea |
| **Data Directory** | /var/lib/gitea/data |
| **Repository Root** | /var/lib/gitea/repositories |
| **Git LFS Root** | /var/lib/gitea/lfs |
| **Log Directory** | /var/lib/gitea/log |
| **Configuration** | /etc/gitea/app.ini |
| **Systemd Service** | /etc/systemd/system/gitea.service |
| **Database** | /var/lib/gitea/data/gitea.db (SQLite3) |
### 1.3 Reverse Proxy & SSL
| Parameter | Value |
|-----------|-------|
| **Proxy Software** | Nginx 1.24.0 |
| **Configuration** | /etc/nginx/sites-available/git.firefrostgaming.com |
| **SSL Provider** | Let's Encrypt |
| **Certificate Path** | /etc/letsencrypt/live/git.firefrostgaming.com/ |
| **Expiration** | May 9, 2026 (Auto-renewal enabled) |
---
## 2. Deployment Changelog v1.0
### 2.1 System Preparation
- Created system user `gitea` with home directory /var/lib/gitea
- Created directory structure: /var/lib/gitea/{custom,data,log}
- Set ownership: gitea:gitea on all application directories
- Set permissions: 750 on application directories
### 2.2 Gitea Installation
- Downloaded Gitea binary v1.21.5 to /usr/local/bin/gitea
- Initialized SQLite database at /var/lib/gitea/data/gitea.db
- Created base configuration at /etc/gitea/app.ini
### 2.3 Systemd Service
- Created service file: /etc/systemd/system/gitea.service
- Configured to run as gitea user
- Enabled auto-start on boot
### 2.4 Nginx Reverse Proxy
- Installed Nginx 1.24.0
- Removed default site to prevent 0.0.0.0:80 binding conflict
- Created site config: /etc/nginx/sites-available/git.firefrostgaming.com
- Configured IP-specific binding: 74.63.218.202:80 and :443
- HTTP→HTTPS redirect enabled
- Proxy pass to localhost:3000
### 2.5 DNS Configuration
- Added Cloudflare A record: git.firefrostgaming.com → 74.63.218.202
- Proxy status: DNS only (gray cloud)
- Propagation verified via nslookup
### 2.6 Frostwall (UFW) Configuration
- Installed UFW v0.36.2-6
- Added SSH protection rule (port 22)
- Protected primary gateway IP (63.143.34.217)
- Opened HTTP (80) on 74.63.218.202
- Opened HTTPS (443) on 74.63.218.202
- Enabled firewall
### 2.7 SSL Certificate
- Installed Certbot with Nginx plugin
- Obtained Let's Encrypt certificate for git.firefrostgaming.com
- Auto-renewal configured via systemd timer
### 2.8 Gitea Web Installation
- Configured via web installer at https://git.firefrostgaming.com
- Database: SQLite3
- Security: Disabled public registration, require sign-in to view
- Created administrator account: mkrause612
- Locked configuration permissions post-install
### 2.9 Master Archive Creation
- Initialized local Git repository: /root/firefrost-master-configs
- Created folder structure: management/, nodes/, security/, web/, docs/
- Copied configuration files to repository
- Created .gitignore to protect sensitive files (app.ini)
- Created sanitized template: app.ini.template
- Committed and pushed to Gitea repository
---
## 3. Frostwall (UFW) Rules
### 3.1 Commands Used
```bash
# Install UFW
apt install -y ufw
# Prevent SSH lockout
ufw allow 22/tcp
# Protect primary gateway
ufw allow in on ens3 to 63.143.34.217
# Open Gitea HTTP (Let's Encrypt validation & redirect)
ufw allow in on ens3 to 74.63.218.202 port 80 proto tcp
# Open Gitea HTTPS (Web interface)
ufw allow in on ens3 to 74.63.218.202 port 443 proto tcp
# Enable firewall
ufw --force enable
```
### 3.2 Active Rules
```
Status: active
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
63.143.34.217 on ens3 ALLOW IN Anywhere
74.63.218.202 80/tcp on ens3 ALLOW IN Anywhere
74.63.218.202 443/tcp on ens3 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
```
---
## 4. Service Management Commands
### 4.1 Gitea Service
```bash
# Start Gitea
systemctl start gitea
# Stop Gitea
systemctl stop gitea
# Restart Gitea
systemctl restart gitea
# Check status
systemctl status gitea
# View logs
journalctl -u gitea -f
```
### 4.2 Nginx
```bash
# Test configuration
nginx -t
# Reload configuration
systemctl reload nginx
# Restart Nginx
systemctl restart nginx
```
### 4.3 SSL Certificate
```bash
# Test renewal
certbot renew --dry-run
# Force renewal
certbot renew --force-renewal
# Check certificate status
certbot certificates
# Check auto-renewal timer
systemctl status certbot.timer
```
---
## 5. Security Configuration
### 5.1 Application Security
- User registration: Disabled (admin-only)
- Public browsing: Disabled (requires sign-in)
- Gravatar: Disabled (privacy)
- Local mode: Enabled (no external CDN)
- Password hashing: pbkdf2
### 5.2 File Permissions
- Configuration directory: /etc/gitea (750, root:gitea)
- Configuration file: /etc/gitea/app.ini (640, gitea:gitea)
- Application directories: /var/lib/gitea/* (750, gitea:gitea)
### 5.3 Network Security
- Internal binding: 127.0.0.1:3000 only
- External access: Via Nginx reverse proxy only
- Dedicated IP: 74.63.218.202 (isolated from primary gateway)
---
## 6. Backup Procedures
### 6.1 Configuration Backup
```bash
# Backup Gitea config
cp /etc/gitea/app.ini /root/backups/gitea-app.ini.$(date +%Y%m%d)
# Backup Nginx config
cp /etc/nginx/sites-available/git.firefrostgaming.com \
/root/backups/nginx-gitea.$(date +%Y%m%d)
```
### 6.2 Repository Backup
```bash
# Backup all repositories
tar -czf /root/backups/gitea-repos-$(date +%Y%m%d).tar.gz \
/var/lib/gitea/repositories
# Backup database
cp /var/lib/gitea/data/gitea.db \
/root/backups/gitea.db.$(date +%Y%m%d)
```
---
## 7. Troubleshooting
### 7.1 Service Not Accessible
**Check Gitea service:**
```bash
systemctl status gitea
```
**Check Nginx binding:**
```bash
ss -tlnp | grep 74.63.218.202
```
**Check firewall:**
```bash
ufw status | grep 74.63.218.202
```
**Check DNS:**
```bash
nslookup git.firefrostgaming.com
```
### 7.2 502 Bad Gateway
- **Cause:** Gitea service not running
- **Fix:** `systemctl start gitea`
### 7.3 Permission Denied Errors
- **Cause:** Incorrect file ownership
- **Fix:** `chown -R gitea:gitea /var/lib/gitea`
---
## 8. Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| **1.0** | 2026-02-08 | Michael | Initial deployment. Gitea 1.21.5 installed on 74.63.218.202 with Nginx reverse proxy, Let's Encrypt SSL, UFW firewall, and Master Archive repository created. |
---
**END OF TECHNICAL DOSSIER**
Reference in New Issue View Git Blame Copy Permalink