Gitea

What to do?

I want to collect notes in a more organised way. Or at all, really. Otherwise things disappear. I’ve heard good things about Obsidian so thought I’d give it a try. But I’d like to have backups of my notes and have the option to collect notes on multiple devices such that they’d automatically be synched.

Obsidian has encrypted synch support, but only if you pay. Not that it’s a lot ($4/month), but that also requires setting up payments, which involves giving out personal data and that I don’t like.

So I had a look at alternative approaches. Turns out that Obsidian is just a collection of markdown files. And what’s really good for managing changes in a collection of text files? Git. That makes things nice and simple - a basic cron job that calls git commit + push would suffice, or maybe something more advanced that does it on save. Either way, it’s just a wrapper round git.
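As an added example (not part of the original post), the cron wrapper described above could look like the script below. The function name sync_vault, the lock directory, the paths in the cron comment and the remote name origin are assumptions; it does not pull, so a second device still needs a fetch and rebase step before it can push.

```shell
#!/bin/sh
# Added example: commit and push a notes vault, suitable for cron.
# sync_vault, the lock path and the remote name "origin" are assumptions.

# sync_vault DIR
# Returns 0 if a new commit was made and pushed, 1 if nothing changed,
# 2 on error (not a repo, another run in progress, commit or push failed).
sync_vault() {
    vault=$1
    [ -d "$vault/.git" ] || { echo "not a git repo: $vault" >&2; return 2; }

    # mkdir is atomic, so the directory works as a lock against overlapping
    # cron runs. A run that is killed leaves it behind; remove it by hand.
    lock="$vault/.git/sync.lock"
    mkdir "$lock" 2>/dev/null || { echo "sync already running" >&2; return 2; }

    rc=1
    git -C "$vault" add -A || rc=2
    # Commit only when the index differs from HEAD, so idle runs add no history.
    if [ "$rc" -ne 2 ] && ! git -C "$vault" diff --cached --quiet; then
        msg="vault sync $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        if git -C "$vault" commit -q -m "$msg"; then rc=0; else rc=2; fi
    fi
    # Push on every run so a commit whose push failed earlier is retried.
    if [ "$rc" -ne 2 ] && git -C "$vault" rev-parse -q --verify HEAD >/dev/null; then
        git -C "$vault" push -q origin HEAD || rc=2
    fi

    rmdir "$lock"
    return "$rc"
}

# Run from cron with the vault path as the only argument, for example
# (constructed paths):
#   */10 * * * * /home/me/bin/sync-vault.sh /home/me/notes
if [ "$#" -gt 0 ]; then
    sync_vault "$1"
fi
```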

But then we’re back to protecting data. The default for git is just to use github. Thing is, it’s Microsoft, and call me biased, but I remember the 90s and don’t trust them. Especially not with my private notes. Initially I thought about doing some kind of encryption on commit etc., but that loses the magic of git, as it’s just random binaries flying around, rather than changesets. At that point I might as well use S3 or something.

That’s when I realised that I’m overcomplicating things (hehe). This is git. Git is simple (sort of), or at least not a massive bloated monstrosity like most things today. So I could just host it myself. This is something I’ve wanted to do for a while now - it’s unlikely for github to just up and disappear, but it’s not unheard of for them to delete repos for arbitrary reasons. Best to have more options.

Basic self hosted git

Having decided on this approach, it was time to learn something new. It turns out that hosting a git repo is basically:

  • make the repo
  • add the ssh keys you want to .ssh/authorized_keys
  • point your remote at that folder

You want this to be done by a dedicated user for security reasons, but otherwise it’s trivial. So:

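# Dedicated account that owns the repositories
sudo adduser git
# Only needed if sshd_config restricts logins with AllowGroups ssh
sudo usermod -aG ssh git

# Login shell, so the following commands run in git's home directory
sudo su - git
mkdir -p ~/.ssh
chmod 700 ~/.ssh

vim ~/.ssh/authorized_keys # add your ssh public key
chmod 600 ~/.ssh/authorized_keys

git init --bare <repo name>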

That’s it. Nice and easy. This works. But it requires manually creating the repo and adding ssh keys. A lot of work, I know… Still - that has to be done by logging into the server and running a bunch of commands, but I don’t always have easy access to my raspberry pi. Sometimes I need to fire up my VPN to access it. That’s a whole extra step!

Gitea

So I decided to make things harder and add a GUI for managing repos. The first thing I found that seemed halfway decent was Gitea. This is basically a github clone for self hosting. Works though! At least for now?

Installation

Setting it up went quite smoothly. First install the binary:

wget -O gitea https://dl.gitea.com/gitea/1.23.8/gitea-1.23.8-linux-arm-6
chmod +x gitea
sudo mv gitea /usr/local/bin/

Create its data folders:

sudo mkdir -p /var/lib/gitea/{custom,data,log}
sudo chown -R git:git /var/lib/gitea/
sudo chmod -R 750 /var/lib/gitea/

And config:

sudo mkdir /etc/gitea
sudo chmod 770 /etc/gitea
sudo touch /etc/gitea/app.ini
sudo chown -R root:git /etc/gitea

Initial Setup

By default Gitea runs on port 3000, but I already have something there. Changing the port is just a matter of adding the following to the config file (/etc/gitea/app.ini):

[server]
HTTP_PORT = 3001

Running as a service

I want this to always run. Since I have Systemd set up, might as well make it into a service. So the following goes into /etc/systemd/system/gitea.service

[Unit]
Description=Gitea
After=network.target

[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea

[Install]
WantedBy=multi-user.target

Then run the following to start it up:

sudo systemctl daemon-reload
sudo systemctl enable --now gitea

Gitea should now be available at http://localhost:3001

GUI Setup

If you then go to the website, you can set up Gitea. This is mainly pointing to where it should store repos, what domain to use - that kind of thing.

Users

By default anyone can create a new user - this I wanted to disable, so I added the following to /etc/gitea/app.ini:

[service]
DISABLE_REGISTRATION=true

After restarting it (sudo systemctl restart gitea) there is now no option to create a user, only to log in. Which is what I wanted, but now I don’t have any way to log in. Luckily there’s a CLI option to do that:

sudo -u git /usr/local/bin/gitea --config /etc/gitea/app.ini admin user create \
  --username <your username> \
  --password <your password> \
  --email <your email address> \
  --must-change-password=false \
  --admin=true

And now I have a user with which I can log in!
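Gitea only reads DISABLE_REGISTRATION from the [service] section, so a line pasted under another section changes nothing. The check below is an added example, not part of the original post or of Gitea; ini_get and audit_app_ini are assumed helper names, and the HTTP_ADDR check goes one step beyond what the post configures.

```shell
#!/bin/sh
# Added example: section-aware check of Gitea's app.ini.
# ini_get and audit_app_ini are assumed helper names, not Gitea commands.

# ini_get FILE SECTION KEY: print KEY's value only if it sits under [SECTION].
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                    # section header
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (sec == want && k == key) val = v    # keep the last one seen
        }
        END { if (val != "") print val }
    ' "$1"
}

# audit_app_ini FILE: print one finding per line, return 1 if there are any.
audit_app_ini() {
    findings=0
    case "$(ini_get "$1" service DISABLE_REGISTRATION | tr 'A-Z' 'a-z')" in
        true|1|yes|on) ;;
        *) echo "DISABLE_REGISTRATION is not enabled under [service]"; findings=1 ;;
    esac
    # Beyond the page: with nginx in front, Gitea only needs the loopback
    # address; without HTTP_ADDR it listens on every interface.
    case "$(ini_get "$1" server HTTP_ADDR)" in
        127.0.0.1|localhost|::1) ;;
        *) echo "HTTP_ADDR under [server] is not a loopback address"; findings=1 ;;
    esac
    return "$findings"
}

# Constructed sample: the key was appended under [server], where Gitea does
# not look for it, so both checks report a finding.
sample=$(mktemp)
printf '%s\n' '[server]' 'HTTP_PORT = 3001' 'DISABLE_REGISTRATION=true' > "$sample"
audit_app_ini "$sample" || true
rm -f "$sample"
```

On the server it would be run as audit_app_ini /etc/gitea/app.ini by a user who can read that file.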

Config Nginx

My domain is handled by Nginx with subservers defined. I’d like to access gitea via https://ahiru.pl/git, so this will require redirecting stuff. Luckily this is trivial with Nginx - adding the following to the server definition in /etc/nginx/sites-enabled/ahiru.pl is enough:

        # Trailing slash on both sides: /git/foo is proxied as /foo, and /gitfoo no longer matches
        location /git/ {
                proxy_pass http://127.0.0.1:3001/;
        }

Then restart nginx (sudo systemctl restart nginx) and voilà!

Mirroring

Gitea can apparently be set up to mirror existing repos. I tried it out with some Github repos that I have, and it copies the code over, but I’m not sure how well it syncs issues, PRs etc. Not that it’s much of a problem, of course…

Git problems

Most of this went smoothly. The main problem I had was trying to connect via git. I created an empty repo in Gitea, made an empty repo locally, added the remote with git remote add origin git@ahiru.pl:user/test.git (where user is the Gitea user you created), made an initial commit and pushed. And got hit with:

fatal: 'user/test.git' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights

Lovely. This is where I had to break out the old -vvv option. First thing that was strange was that I was getting "no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1". This happens when an old version of sshd is used. But logging in to my Pi didn’t raise that error?

Turns out I’m stupid and forgot that ssh ahiru.pl is not the same as ssh pi, as the former goes through the router. Which also has sshd set up. With a publicly available port? Thought I disabled that? Either way, git should be going to the Pi, not the router. A simple port redirect fixed that.

That part allowed me to get to the Pi. But it was still complaining that it can’t log in via key - it always wanted my password. This also turned out to be a stupid mistake. Looking in /etc/ssh/sshd_config I have AllowGroups ssh. So only users in the ssh group can ssh in. This was fixed by sudo usermod -aG ssh git and now git push works!
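The AllowGroups check that caused this can be tested before the first push. The script below is an added example, not part of the original post; allowed_groups and sshd_admits are assumed helper names, and it reads only the global part of a single sshd_config file.

```shell
#!/bin/sh
# Added example: would sshd's AllowGroups admit this account?
# allowed_groups and sshd_admits are assumed helper names. Only the global
# part of one file is read: Include files, Match blocks and negated (!)
# patterns are not evaluated.

# allowed_groups CONFIG: print each AllowGroups pattern, one per line.
# Keywords are case-insensitive and repeated AllowGroups lines add up.
allowed_groups() {
    awk 'tolower($1) == "match"       { exit }
         tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# sshd_admits CONFIG GROUP...: return 0 if one of the groups matches, or if
# there is no AllowGroups line at all; return 1 otherwise.
# The body is a subshell so that set -f does not leak into the caller.
sshd_admits() (
    config=$1; shift
    set -f                               # keep * in patterns from globbing
    patterns=$(allowed_groups "$config")
    [ -n "$patterns" ] || exit 0         # no AllowGroups: nothing to fail
    for pat in $patterns; do
        for grp in "$@"; do
            # $pat is unquoted so * and ? act as wildcards, as sshd treats them
            case $grp in $pat) exit 0 ;; esac
        done
    done
    exit 1
)

# On the server: sshd_admits /etc/ssh/sshd_config $(id -Gn git)
if [ "$#" -ge 2 ]; then
    if sshd_admits "$@"; then echo "admitted"; else echo "rejected by AllowGroups"; fi
fi
```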