How to Deploy Containerised Gitea Source Repository with PostgreSQL

Gitea is an open-source, self-hosted Git platform. It’s a painless, all-in-one software development service with a simple user interface, allowing you to manage repositories within your own servers easily. As such, it’s perfect for smaller teams and individual developers. 

Navigating new platforms is always challenge, even with an easy-to-use one like Gitea. But fret not! We prepared this short blog detailing how to deploy Gitea source repository with PostgreSQL database using podman and podman pod. All you have to is follow the steps below. 

How to Create a Custom SSL Certificate for Git Server 

• Create a directory on the git server 

mkdir /root/git_certs 

• Create a private key with which to sign the certificate signing request (CSR). The private key must be UNENCRYPTED. If you already have a private key for this server, skip this step 

openssl genrsa -out /root/git_cert/git_cert_key.pem 4096 

• Create the openssl.cnf configuration file for the CSR and include the following content. Skip this step if the file already exists: 

[ req ] 
req_extensions = v3_req 
distinguished_name = req_distinguished_name 
x509_extensions = usr_cert 
prompt = no 

[ req_distinguished_name ] 
C = AU 
ST = Victoria 
L = North Sydney 
O = Organisation 
OU = IT Department 
CN = aap02.example.net
 
[ v3_req ] 
basicConstraints = CA:FALSE 
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment 
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection 
subjectAltName = @alt_names 

[ usr_cert ] 
basicConstraints=CA:FALSE 
nsCertType = client, server, email 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment 
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection 
nsComment = "OpenSSL Generated Certificate" 
subjectKeyIdentifier=hash 
authorityKeyIdentifier=keyid,issuer 

[ alt_names ] 
DNS.1 = aap02.example.net 
DNS.2 = git-repo.example.net 

• Generate CSR using the following command: 

openssl req -new \ 
-key /root/git_cert/git_cert_key.pem \ 
-config /root/git_cert/openssl.cnf \ 
-out /root/git_cert/git_cert_csr.pem 

• Send the CSR to generate the certificate. Make sure to request the bundle or RootCA to create a bundle. This will be used later during the configuration of Gitea 

How to Deploy Gitea Source Repository 

• Install podman and podman-plugins on the server 

dnf install podman podman-plugins -y 

• Create two podman volumes: postgresdb and gitea. The first volume will be used to store postgreSQL database files, the other one will be used to store permanently gitea data and repositories 

podman volume create postgresdb 
podman volume create gitea 

• Create a new pod. This pod exposes ports 3000/tcp and 222/tcp 

podman pod create --name gitea-pod -p 3000:3000 -p 222:22 

• Create a postgreSQL container. Remember to change the username and password to something more elaborate 

podman create --rm -dt --name postgres --pod gitea-pod \ 
-v postgresdb:/var/lib/postgresql/data \ 
-e POSTGRES_USER=gitea \ 
-e POSTGRES_PASSWORD=gitea \ 
-e POSTGRES_DB=gitea postgres:14 

• Create a Gitea container. Make sure to specify your postgreSQL username and password 

podman create -dt --rm --name gitea --pod gitea-pod \ 
-v gitea:/data \ 
-v /etc/localtime:/etc/localtime:ro \ 
-e USER_UID=1000 -e USER_GID=1000 \ 
-e GITEA__database__DB_TYPE=postgres \ 
-e GITEA__database__HOST=postgres:5432 \ 
-e GITEA__database__NAME=gitea \ 
-e GITEA__database__USER=gitea \ 
-e GITEA__database__PASSWD=gitea gitea/gitea 

• Create systemd service accounts. I found that in some instances, the systemd units do not work if they are generated fully automatically, so I create them manually one by one 

cd /etc/systemd/system/ 
podman generate systemd gitea --files --new > gitea-container.service 
podman generate systemd postgres --files --new > postgres-container.service 
podman generate systemd --files --new gitea-pod > gitea-pod.service 

• Reload the systemd unit files 

systemd daemon-reload 

• Enable the gitea-pod service 

systemd enable –-now gitea-pod.service 

• Restart the Service 

systemd restart gitea-pod.service 

• Navigate to http://host_name:3000. If the page loads, the initial configuration has been done. Stop service 

systemd stop gitea-pod.service 

• On the host, navigate to /var/lib/containers/storage/volumes/gitea/_data/gitea/conf 
• Edit app.ini configuration file to read: 

[server] 
APP_DATA_PATH = /data/gitea 
DOMAIN = aap02 
SSH_DOMAIN = aap02 
PROTOCOL = https 
HTTP_PORT = 3000 
ROOT_URL = https://aap02.example.net:3000/ 
CERT_FILE = cert.pem 
KEY_FILE  = key.pem 

• Copy cert.pem and key.pem to /var/lib/containers/storage/volumes/gitea/_data/gitea, ensuring that user:group are set the same as for other directories in this location (that would be gitea USER_ID GROUP_ID, used to create a container). Ensure that the cert.pem is a bundle with the server’s certificate listed as the first one 
• Start the containers 
• Navigate to the repository using https://server_name. Make sure to open 3000/tcp on the firewalld if used 
• Create Admin account 
• Enable DISABLE_REGISTRATION = true in app.ini and restart the pod 

And there you have it! We hope this guide made deploying Gitea source repositories a stress-free process for you. Check out Insentra Insights for more helpful tips, tricks and strategies to further elevate your modern workplace.  

If you’d like assistance or guidance on how you can improve your tech stack, contact us today to start a conversation.