Git
For 5 years I have been running a private Git instance, specifically Gitea, and this year I migrated to Forgejo instead. I kept it private for two reasons. First, although I planned to use it, I never got around to it, mostly because if everything broke down I would lose it all. Second, I was concerned about my ability to expose services publicly in a safe enough manner. In recent years I have gone through several iterations of security measures for all my services and made sure that things actually work, and even if it is far from perfect, I am now sufficiently confident that my backups and security are of adequate quality for version-controlled storage.
To install Git as a service I would of course use Ansible, but sadly I set up this service before I started writing roles for my services, and while creating it I was not sure how to structure it, so I have left it as is for now and will finalize it in the future.
The steps to install are rather straightforward when done manually: download the Forgejo binary, add it to /usr/local/bin and run it. Visit the web UI and follow the instructions. Register the first user, which will become the administrator. Besides this you can modify the app.ini that was created (usually in /etc/forgejo) to your liking. However, while this works, there are several additional steps to secure it down further.
First is to add some sort of intrusion detection. This is done easily with fail2ban, for which Forgejo has already prepared a profile. Adjust it to your liking, but I had to modify the filter as it did not detect all attempts. Enable the jail and it should make it harder for people to brute force your instance. Optionally you could enable the built-in SSH server to reduce the attack surface to a single account that accepts only SSH keys. In addition, enabling 2FA makes it extremely hard for someone to break into your Git account even if they have your password. This can easily be done within the Forgejo web UI.
To avoid having Forgejo handle HTTPS certificates, a reverse proxy can be set up. That way you can secure it down further with a smaller attack surface. Just remember to enable WebSocket support and set REVERSE_PROXY_TRUSTED_PROXIES in app.ini, so that Forgejo attributes requests to the real client address rather than to the proxy; otherwise fail2ban will ban your proxy and lock out all users.
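To show why the trusted-proxy setting and the fail2ban jail interact, here is a small added model (not Forgejo's code and not the author's configuration): it imitates, in simplified form, how a reverse-proxied Forgejo attributes a failed login to an address and how a fail2ban filter then counts failures per host. The log line format, the fail2ban regex, the header-walking rule, the jail threshold and all addresses are assumptions constructed for the example.

```python
"""Model of why REVERSE_PROXY_TRUSTED_PROXIES matters for the fail2ban jail.

Added example, not Forgejo's own code. The log format, the X-Forwarded-For
walking rule and the sample addresses are assumptions made for this model.
"""
import ipaddress
import re
from collections import Counter

# fail2ban-style regex over the modelled log line; the named group 'host'
# plays the role of fail2ban's <HOST> tag.
FAILREGEX = re.compile(
    r"Failed authentication attempt for (?P<user>\S+) from (?P<host>\S+)"
)


def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address a request is attributed to (simplified model).

    X-Forwarded-For is only consulted when the TCP peer is inside one of the
    trusted proxy networks. The header is walked from the right, trusted hops
    are skipped, and the first untrusted address is taken as the client. If
    the peer is not trusted the header is ignored entirely, because any
    client could have forged it.
    """
    networks = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in networks)

    if not trusted(remote_addr) or not x_forwarded_for:
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        if not trusted(hop):
            return hop
    return remote_addr  # every listed hop was a trusted proxy


def failed_login_line(user, remote_addr, x_forwarded_for, trusted_proxies):
    """Produce the (modelled) log line written for a wrong password."""
    src = effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return f"Failed authentication attempt for {user} from {src}"


def count_failures(log_lines):
    """Count failures per source host, as the fail2ban filter would."""
    hits = Counter()
    for line in log_lines:
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def banned_hosts(log_lines, maxretry=5):
    """Hosts the jail would ban once they reach maxretry failures."""
    return sorted(h for h, n in count_failures(log_lines).items() if n >= maxretry)


def simulate(trusted_proxies, attempts=6):
    """Constructed scenario: one client hammers 'admin' through a proxy on
    localhost, and a second user mistypes their password once."""
    proxy = "127.0.0.1"
    guesser = "203.0.113.7"  # documentation range, constructed for the example
    lines = [failed_login_line("admin", proxy, guesser, trusted_proxies)
             for _ in range(attempts)]
    lines.append(failed_login_line("alice", proxy, "198.51.100.4", trusted_proxies))
    return banned_hosts(lines)


if __name__ == "__main__":
    print("no trusted proxies  ->", simulate([]))                 # bans the proxy
    print("trusted 127.0.0.0/8 ->", simulate(["127.0.0.0/8"]))   # bans the guesser
```

With an empty trusted list every log line names 127.0.0.1, so the jail bans the proxy and with it every user behind it; once the loopback range is trusted the repeated failures are attributed to the remote address and only that host is banned.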
Then set up mail so you can get notified whenever something happens. I use SMTPS, but there are many other ways to do it, for example with ProtonMail. If you want to open up the instance for registration, then this is a must in order to reduce spam.
Finally you are ready to migrate from any instance you like. I myself migrated from GitHub, but I exist on other instances too. I used my small migration script, which automatically moves over all repositories with all their related data such as topics, wiki, issues, releases, visibility, etc.
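The author's migration script is not on the page, so the following is an added example of my own that does the same job through the Forgejo migrate API. It assumes the Gitea/Forgejo endpoint POST /api/v1/repos/migrate and the GitHub endpoint GET /user/repos with the field names as I know them (verify against your instance's Swagger page); the instance URL, owner name and the two tokens are placeholders read from environment variables.

```python
"""Move every GitHub repository visible to a token into Forgejo.

Added example, not the author's script. Assumes the Forgejo migrate API
(POST /api/v1/repos/migrate) and GitHub's GET /user/repos; FORGEJO_URL,
FORGEJO_OWNER, FORGEJO_TOKEN and GITHUB_TOKEN are placeholder settings.
"""
import json
import os
import urllib.request

GITHUB_API = "https://api.github.com"
FORGEJO_URL = os.environ.get("FORGEJO_URL", "https://git.example.invalid")
FORGEJO_OWNER = os.environ.get("FORGEJO_OWNER", "<forgejo username>")
FORGEJO_TOKEN = os.environ.get("FORGEJO_TOKEN", "<forgejo token>")
GITHUB_TOKEN = os.environ.get("GITHUB_TOKEN", "<github token>")


def migrate_payload(repo, owner, github_token):
    """Map one GitHub /user/repos entry to a Forgejo migrate request body.

    service="github" selects Forgejo's GitHub importer, which fetches the
    wiki, issues, labels, milestones, pull requests, releases and topics
    itself; visibility is carried over from the GitHub 'private' flag.
    """
    return {
        "clone_addr": repo["clone_url"],
        "auth_token": github_token,   # lets the importer read private repos
        "service": "github",
        "repo_owner": owner,
        "repo_name": repo["name"],
        "description": repo.get("description") or "",
        "private": bool(repo.get("private")),
        "mirror": False,              # one-off copy, not a pull mirror
        "wiki": bool(repo.get("has_wiki")),
        "issues": True,
        "labels": True,
        "milestones": True,
        "pull_requests": True,
        "releases": True,
    }


def github_repos(token):
    """Yield every repository visible to the token, following pagination."""
    page = 1
    while True:
        req = urllib.request.Request(
            f"{GITHUB_API}/user/repos?per_page=100&page={page}",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return
        yield from batch
        page += 1


def migrate_repo(payload):
    """POST one migration request to Forgejo; returns the created repo JSON."""
    req = urllib.request.Request(
        f"{FORGEJO_URL}/api/v1/repos/migrate",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"token {FORGEJO_TOKEN}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for repo in github_repos(GITHUB_TOKEN):
        body = migrate_payload(repo, FORGEJO_OWNER, GITHUB_TOKEN)
        created = migrate_repo(body)
        print("migrated", repo["full_name"], "->", created["full_name"])
```

The GitHub token is sent to Forgejo inside the payload so the importer can read private repositories; use a fine-grained token scoped to repository read access and revoke it when the migration is done.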
The next step is to finalize the Ansible role and set up a runner for CI.