Installing gitea behind your local SSH server
This guide showcases my experience with installing gitea with Docker Compose, using the host's sshd for Git over SSH.
Step 1: The traefik service
If you use rootful podman, make sure that the container has access to a few DNS servers (that is what the "dns" entry below is for; configure it for your DNS provider). If you use podman, map the corresponding podman socket into the container instead of "/var/run/docker.sock". Otherwise you should not need to change the config.

```yaml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    command:
      - --providers.docker=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.letsencrypt.acme.email=<your-email>
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - letsencrypt:/letsencrypt
      # Mounting the Docker socket lets Traefik discover containers by their labels.
      - /var/run/docker.sock:/var/run/docker.sock:rw
    networks:
      - traefik-net
      - proxy
    dns:
      - 1.1.1.1
```
Step 2: The gitea service
Create the script "/usr/local/bin/gitea-ssh.sh" on the host with the following content:

```sh
#!/bin/sh
# Forward the SSH session into the gitea container as the git user, passing the
# original SSH command through so Gitea can dispatch it.
exec /usr/bin/docker exec -e SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" --user git -i gitea /usr/local/bin/gitea "$@"
```

Alternatively, you can change the "GITEA__server__SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE" option to include the docker command directly. If you use rootful podman, you also have to add the -c parameter with the value that specifies the connection.
As you can see, the command runs as the git user.
It is necessary to set "USER_UID" and "USER_GID" to the UID and GID of your local git user/group. That is because the "authorized_keys" file is mapped into a directory outside of the container and is used by the host sshd for external ssh connections.
In theory you could use another user for ssh, but I don't know how that would
translate into another gitea config. For the ssh config you would simply replace
the user in the snippet below.
Add the following config snippet to your sshd config. It can be in a separate file or at the end of your "sshd_config" file.

```
Match User git
    AllowTcpForwarding no
    PermitTTY yes
    X11Forwarding no
    PasswordAuthentication no
    AuthorizedKeysFile /srv/gitea/git/.ssh/authorized_keys
```
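As an added check that is not part of the original guide, this POSIX sh script audits the "authorized_keys" file Gitea writes for the host sshd: every key must be forced through the gitea-ssh.sh shim, because a key entry without a forced command would give its owner an ordinary login as the git user. The sample file is constructed for the demo; the shim path and config path follow the setup above.

```sh
#!/bin/sh
# Added example, not from the original guide: audit the authorized_keys file
# that Gitea maintains for the host sshd. Every key line must carry a forced
# command pointing at the gitea-ssh.sh shim; a key without one would log in
# as a normal shell for the git user.

# Constructed sample file: two entries as Gitea writes them with the template
# from the guide, plus one stray key that someone appended by hand.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# gitea public key
command="/usr/local/bin/gitea-ssh.sh --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne alice
command="/usr/local/bin/gitea-ssh.sh --config=/data/gitea/conf/app.ini serv key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo bob
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyThree stray-key
EOF

# count_unforced_keys FILE SHIM
# Prints the number of key lines in FILE that are not forced through SHIM and
# lists each offending line on stderr. Blank lines and comments are skipped.
count_unforced_keys() {
    file=$1
    shim=$2
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;                                  # blank line or comment
            "command=\"$shim "*) ;;                      # forced through the shim
            *) echo "UNFORCED: $line" >&2; bad=$((bad + 1)) ;;
        esac
    done < "$file"
    echo "$bad"
}

# Run the audit against the constructed sample with the shim path from the guide.
n=$(count_unforced_keys "$SAMPLE" /usr/local/bin/gitea-ssh.sh)
echo "keys not forced through the shim: $n"
```

Run it against "/srv/gitea/git/.ssh/authorized_keys" on the host; any line reported as UNFORCED is a key that bypasses Gitea's access control.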
For the database you can use any database inside the docker compose file; you just have to specify the options "host", "name", "user" and "type".
To change the domain, set the "DOMAIN" variable used below; it appears in the "gitea.rule" label and in the "GITEA__server__DOMAIN", "GITEA__server__ROOT_URL" and "GITEA__server__SSH_DOMAIN" options.

```yaml
  # Add under "services:" next to traefik.
  gitea:
    image: gitea/gitea:1.22
    container_name: gitea
    restart: unless-stopped
    environment:
      # Must match the UID/GID of the host's git user, see above.
      USER_UID: 999
      USER_GID: 989
      GITEA__server__DOMAIN: gitea.${DOMAIN}
      GITEA__server__ROOT_URL: https://gitea.${DOMAIN}/
      GITEA__server__PROTOCOL: http
      GITEA__server__SSH_AUTHORIZED_KEYS_FILE: /git/.ssh/authorized_keys
      GITEA__server__SSH_DOMAIN: gitea.${DOMAIN}
      GITEA__server__SSH_LISTEN_PORT: 2223
      GITEA__server__SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE: /usr/local/bin/gitea-ssh.sh --config={{.CustomConf}} serv key-{{.Key.ID}}
      GITEA__server__START_SSH_SERVER: "false"
      GITEA__security__INSTALL_LOCK: "true"
      GITEA__database__DB_TYPE: postgres
      GITEA__database__HOST: db:5432
      GITEA__database__NAME: gitea
      GITEA__database__USER: gitea
      GITEA__database__PASSWD: NOPE
    volumes:
      - gitea-data:/data
      # The host sshd reads this authorized_keys file, see the Match block above.
      - /srv/gitea/git/.ssh:/data/git/.ssh
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.rule=Host(`gitea.${DOMAIN}`)"
      - "traefik.http.routers.gitea.entrypoints=websecure"
      - "traefik.http.routers.gitea.tls=true"
      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
    networks:
      - proxy
    depends_on:
      - db
```
Step 3: Include a postgres database.
Simply add this service with the corresponding password (the same value as "GITEA__database__PASSWD").

```yaml
  # Add under "services:" as well.
  db:
    image: docker.io/library/postgres:14
    restart: always
    environment:
      - POSTGRES_USER=gitea
      - POSTGRES_DB=gitea
      - POSTGRES_PASSWORD=NOPE
    volumes:
      - ./postgres:/var/lib/postgresql/data
    networks:
      - proxy

# Top-level definitions for the named volumes and networks the services refer to.
volumes:
  letsencrypt:
  gitea-data:

networks:
  proxy:
  traefik-net:
```