=============
code.libre.is
=============

This is documentation for the system administrators of ``_

The code server is a git server running Forgejo.

Status
======

Under development.

Issues
======

Issues are tracked with Forgejo: ``_

Links
=====

``_

``_

``_

Operating System
================

Install Debian stable, bookworm at present.

Install dependencies:

.. code-block:: sh

   sudo apt install python3-certbot-apache git git-lfs gpg mariadb-server \
     rsyslog
   sudo apt clean

Open up firewalls as needed.

Apache
======

Set up Apache and get other dependencies, a la:

.. code-block:: sh

   sudo su -
   echo "code.libre.is" > /var/www/html/index.html
   certbot -d code.libre.is

Firewall
========

Briefly, something like this. Note: change the admin SSH port in the rules
(9999 below) to the real port configured in /etc/ssh/sshd_config on the
server. This runs two SSH servers: one for server admin, one for Forgejo
connections. Inbound port 22 is redirected in the nat table to port 2222,
where Forgejo's own SSH server listens. The OUTPUT redirect also sends SSH
connections made from the server itself to port 22 on any host to the local
Forgejo SSH server, so keep that in mind if the server needs to ssh out on
port 22.

File: /etc/iptables.test.rules

.. code-block:: text

   # iptables.test.rules
   *filter

   # Allows all loopback (lo) traffic
   -A INPUT -i lo -j ACCEPT

   # Accepts all established inbound connections
   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

   # Allows all outbound traffic
   # You could modify this to only allow certain traffic
   -A OUTPUT -j ACCEPT

   # SSH access port for server admin (change 9999 to the real sshd port)
   -A INPUT -p tcp --dport 9999 -j ACCEPT

   # Forgejo ssh (22 is redirected to 2222 in the nat table below)
   -A INPUT -p tcp --dport 22 -j ACCEPT
   -A INPUT -p tcp --dport 2222 -j ACCEPT

   # web
   -A INPUT -p tcp --dport 80 -j ACCEPT
   -A INPUT -p tcp --dport 443 -j ACCEPT

   # Allow ping
   #-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

   # log iptables denied calls (access via 'dmesg' command)
   -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

   # Reject all other inbound - default deny unless explicitly allowed policy:
   -A INPUT -j DROP
   -A FORWARD -j DROP

   COMMIT

   # Redirect inbound port 22 to Forgejo's SSH server on port 2222
   *nat
   :PREROUTING ACCEPT [0:0]
   :INPUT ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   :POSTROUTING ACCEPT [0:0]
   -A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
   -A OUTPUT -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
   COMMIT

MariaDB
=======

It is best to use Forgejo with a database for 10+ users. MariaDB is like
MySQL, but a better fork. For now, the database will be hosted on the same
server as the Forgejo server. If it gets bigger, it can be moved to a
dedicated machine. If it gets even bigger than that, it can be clustered with
Galera.

Set up MariaDB thusly:

.. code-block:: sh

   sudo mariadb-admin password
   mariadb -uroot -p

In the database run (replace 'mypassword' with a strong password; the '%'
host part lets the forgejo user connect from any host, and while the database
stays on the same machine 'localhost' is the tighter choice):

.. code-block:: sql

   SET old_passwords=0;
   -- 'mypassword' is a placeholder: use the real database password
   CREATE USER 'forgejo'@'%' IDENTIFIED BY 'mypassword';
   CREATE DATABASE forgejodb CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_bin';
   GRANT ALL PRIVILEGES ON forgejodb.* TO 'forgejo';
   FLUSH PRIVILEGES;
   EXIT

Test the new database setup thusly:

.. code-block:: sh

   mariadb -u forgejo -p forgejodb

Forgejo
=======

Forgejo main site: ``_

Forgejo release information: ``_

For this server we'll be using the Long Term Support (LTS) releases,
currently starting with the major version "7".

Download information: ``_

Latest releases can be found here: ``_

Binary install docs here: ``_

Get the Forgejo GPG key:

.. code-block:: sh

   gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710

Install Forgejo thusly:

.. code-block:: sh

   # Download the binary, its checksum and its detached signature
   wget https://codeberg.org/forgejo/forgejo/releases/download/v7.0.8/forgejo-7.0.8-linux-amd64
   wget https://codeberg.org/forgejo/forgejo/releases/download/v7.0.8/forgejo-7.0.8-linux-amd64.sha256
   wget https://codeberg.org/forgejo/forgejo/releases/download/v7.0.8/forgejo-7.0.8-linux-amd64.asc
   # The two hashes printed must be identical
   cat forgejo-7.0.8-linux-amd64.sha256 ; sha256sum forgejo-7.0.8-linux-amd64
   # Must report a good signature from the key fetched above
   gpg --verify forgejo-7.0.8-linux-amd64.asc forgejo-7.0.8-linux-amd64

   # Install the binary and create the git user and directories
   sudo cp forgejo-7.0.8-linux-amd64 /usr/local/bin/forgejo
   sudo chmod 755 /usr/local/bin/forgejo
   sudo adduser --system --shell /bin/bash --gecos 'Git Version Control' \
     --group --disabled-password --home /home/git git
   sudo mkdir /var/lib/forgejo
   sudo chown git:git /var/lib/forgejo
   sudo chmod 750 /var/lib/forgejo
   sudo mkdir /etc/forgejo
   sudo chown root:git /etc/forgejo
   sudo chmod 770 /etc/forgejo

   # Install the systemd unit and make it start after MariaDB
   sudo wget -O /etc/systemd/system/forgejo.service \
     https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service
   sudo sed -i -e 's/#Wants=mariadb.service/Wants=mariadb.service/g' \
     /etc/systemd/system/forgejo.service
   sudo sed -i -e 's/#After=mariadb.service/After=mariadb.service/g' \
     /etc/systemd/system/forgejo.service
   sudo systemctl daemon-reload
   sudo systemctl enable forgejo.service
   sudo systemctl start forgejo.service

Reverse Proxy
=============

Set up Apache to be a reverse proxy for Forgejo.

.. code-block:: sh

   sudo a2enmod proxy proxy_http
   sudo vim /etc/apache2/sites-available/code-libre-is.conf

The file has two virtual hosts: one on port 80 that redirects everything to
HTTPS, and one on port 443 that terminates TLS and proxies to Forgejo on
localhost port 3000.

File: /etc/apache2/sites-available/code-libre-is.conf

.. code-block:: apache

   <VirtualHost *:80>
       ServerName code.libre.is
       ServerAdmin webmaster@localhost
       DocumentRoot /var/www/html

       ErrorLog ${APACHE_LOG_DIR}/error-code-libre-is.log
       CustomLog ${APACHE_LOG_DIR}/access-code-libre-is.log combined

       # Redirect plain HTTP to HTTPS
       RewriteEngine on
       RewriteCond %{SERVER_NAME} =code.libre.is
       RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
   </VirtualHost>

   <VirtualHost *:443>
       ServerName code.libre.is
       ServerAdmin webmaster@localhost
       DocumentRoot /var/www/html

       ErrorLog ${APACHE_LOG_DIR}/error-code-libre-is.log
       CustomLog ${APACHE_LOG_DIR}/access-code-libre-is.log combined

       RewriteEngine on

       # Proxy to Forgejo, which listens only on localhost:3000
       ProxyPreserveHost On
       ProxyRequests off
       AllowEncodedSlashes NoDecode
       ProxyPass / http://127.0.0.1:3000/ nocanon

       Include /etc/letsencrypt/options-ssl-apache.conf
       SSLCertificateFile /etc/letsencrypt/live/code.libre.is/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/code.libre.is/privkey.pem
   </VirtualHost>

   # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Remove the old Apache configs, and put the new one in place.

.. code-block:: sh

   sudo rm /etc/apache2/sites-enabled/000-default.conf
   sudo rm /etc/apache2/sites-enabled/000-default-le-ssl.conf
   sudo ln -s /etc/apache2/sites-available/code-libre-is.conf \
     /etc/apache2/sites-enabled/
   sudo systemctl daemon-reload
   sudo systemctl restart apache2

Admin Setup
===========

Now connect to the newly created site and configure: ``_

Most of the defaults are OK. Set:

* Database type: MySQL
* Host: 127.0.0.1:3306
* Username: forgejo
* Password: set to the database password
* Database name: forgejodb (note "db" at the end, as above)
* Instance title: Libre Code
* SSH server port: 22

The rest should be OK by default. The main SSH should be on an alternative
port. Email settings will be set up at another point.

Uncheck:

* Enable OpenID sign-in

Set up:

* Administrator account settings
* Administrator username: codeadmin

Configure Forgejo
=================

Configuration cheat sheet: ``_

Configure Forgejo thusly:

.. code-block:: sh

   sudo vim /etc/forgejo/app.ini

In the very top section, add:

.. code-block:: ini

   APP_NAME = Libre Code
   APP_SLOGAN = Code free or die
   APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}

Add to the [server] section, so port 3000 only listens on localhost. Also set
Forgejo's built-in SSH server to a different port than the main OpenSSH
server, so admin and Forgejo keys/ports/etc. are separate. This relies on the
firewall redirecting inbound port 22 to port 2222.

.. code-block:: ini

   HTTP_ADDR = 127.0.0.1
   SSH_PORT = 22
   START_SSH_SERVER = true
   SSH_LISTEN_PORT = 2222

Under [service] change this to true:

.. code-block:: ini

   DISABLE_REGISTRATION = true

Add sections:

.. code-block:: ini

   [ui]
   SHOW_USER_EMAIL = false

   [ui.meta]
   AUTHOR = Libre Developers
   DESCRIPTION = Free Software

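
A check for the rules file from the Firewall section above, added here as an example that is not part of the code.libre.is docs: it reads an iptables-restore file with grep and awk and reports the TCP ports the INPUT chain accepts, whether INPUT ends in a DROP, whether the nat redirect from port 22 to Forgejo's port 2222 is present, and whether the 9999 admin-port placeholder is still in place. The sample rules are a constructed copy of the page's file (comments dropped) written to a temp file; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-restore rules file such as
# /etc/iptables.test.rules before loading it. Function names and the sample
# file are this example's own, not from the code.libre.is docs.

# Print the TCP ports accepted on the INPUT chain, space separated, ascending.
accepted_input_ports() {
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT' "$1" \
        | sed -E 's/.*--dport ([0-9]+).*/\1/' | sort -n | xargs
}

# Succeed only if the last INPUT rule in the filter table is a DROP
# (default deny: anything not explicitly accepted above it is dropped).
input_default_drop() {
    awk '/^\*/ { table = $1 }
         table == "*filter" && /^-A INPUT / { last = $0 }
         END { if (last ~ /-j DROP$/) exit 0; exit 1 }' "$1"
}

# Succeed only if the nat table redirects inbound tcp/22 to 2222, which is
# where Forgejo's built-in SSH server listens (SSH_LISTEN_PORT in app.ini).
redirect_22_to_2222() {
    awk '/^\*/ { table = $1 }
         table == "*nat" && /^-A PREROUTING / && /--dport 22 / && /-j REDIRECT --to-ports 2222$/ { found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Fail while the admin SSH rule still carries the docs' 9999 placeholder.
admin_port_customised() {
    ! grep -qE '^-A INPUT -p tcp --dport 9999 -j ACCEPT' "$1"
}

# Run all checks, print findings, return 1 if any check fails.
audit_rules() {
    rc=0
    echo "accepted INPUT tcp ports: $(accepted_input_ports "$1")"
    input_default_drop "$1"    || { echo "FAIL: INPUT chain does not end in DROP"; rc=1; }
    redirect_22_to_2222 "$1"   || { echo "FAIL: no nat redirect of tcp/22 to 2222"; rc=1; }
    admin_port_customised "$1" || { echo "FAIL: admin SSH port is still the 9999 placeholder"; rc=1; }
    return $rc
}

# Constructed sample: the rules from the Firewall section, comments dropped,
# written to a temp file so nothing touches the live firewall. Prints the path.
sample_rules_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 9999 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
-A OUTPUT -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
COMMIT
EOF
    echo "$f"
}

# The sample still has the 9999 placeholder, so the audit reports one failure.
f=$(sample_rules_file)
if audit_rules "$f"; then
    echo "rules look consistent with the docs"
else
    echo "fix the rules file before loading it with iptables-restore"
fi
rm -f "$f"
```

Run it against the real /etc/iptables.test.rules by calling audit_rules with that path; the accepted-port list is the thing to compare against what the server is meant to expose.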
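
The checksum step in the Forgejo section above compares the published hash with the sha256sum output by eye. This added example, not from the Forgejo project or the code.libre.is docs, does the same comparison with sha256sum -c so that a mismatch fails the step, and shows the failure on a tampered copy. The release name forgejo-X.Y.Z-linux-amd64 is a placeholder, and the sample file and its checksum file are constructed; the GPG signature check from the docs is a separate step and is not repeated here.

```shell
#!/bin/sh
# Added example: verify a downloaded release against its .sha256 file with
# sha256sum -c instead of comparing hashes by eye. Names are placeholders.

# Return 0 only if every file listed in the checksum file $1 hashes as listed.
# The checksum file names the binary without a path, so the check runs from
# the directory that holds both (as after the docs' wget commands).
verify_checksum() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1")" )
}

# Decide whether a release may be installed: fail closed on any problem,
# including a missing checksum file or a missing binary.
install_allowed() {
    if verify_checksum "$1" >/dev/null 2>&1; then
        echo "checksum OK: $(basename "$1" .sha256) may be installed"
        return 0
    fi
    echo "checksum FAILED or missing: do not install $(basename "$1" .sha256)" >&2
    return 1
}

# Constructed sample: a fake release plus a checksum file in the same
# "<hash>  <filename>" format that sha256sum writes and reads. Prints the dir.
make_sample() {
    d=$(mktemp -d)
    printf 'not really a forgejo binary\n' > "$d/forgejo-X.Y.Z-linux-amd64"
    ( cd "$d" && sha256sum forgejo-X.Y.Z-linux-amd64 > forgejo-X.Y.Z-linux-amd64.sha256 )
    echo "$d"
}

d=$(make_sample)
install_allowed "$d/forgejo-X.Y.Z-linux-amd64.sha256"             # intact copy passes
# Tamper with the download: a single extra byte must make the check fail.
printf 'x' >> "$d/forgejo-X.Y.Z-linux-amd64"
install_allowed "$d/forgejo-X.Y.Z-linux-amd64.sha256" || true     # tampered copy is refused
rm -rf "$d"
```

With the real download, cd into the directory holding the binary and its .sha256 file and call install_allowed on the .sha256 path; only continue to the cp into /usr/local/bin when it returns 0 and gpg --verify also reports a good signature.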
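
A post-edit check for the settings in the Configure Forgejo section, added as an example that is not part of the code.libre.is docs or of Forgejo: a small awk-based ini reader plus the list of values the section asks for, run against a constructed app.ini in which HTTP_ADDR was deliberately left at Forgejo's default of 0.0.0.0 so the check has something to report. The function names are this example's own.

```shell
#!/bin/sh
# Added example: confirm that /etc/forgejo/app.ini carries the settings from
# the Configure Forgejo section before restarting the service. Function names
# and the sample file are this example's own.

# Print the value of KEY ($3) in SECTION ($2) of the ini file $1. Keys above
# the first [section] header belong to the unnamed top section, selected
# with an empty section name. Prints nothing if the key is absent.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }            # comments and blank lines
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        {
            split($0, kv, "=")
            key = kv[1]; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (sec == want_sec && key == want_key) {
                val = substr($0, index($0, "=") + 1)   # keep "=" inside the value
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# Compare KEY in SECTION with EXPECTED; report and return 1 on mismatch.
expect_setting() {
    got=$(ini_get "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "ok   [$2] $3 = $got"
    else
        echo "FAIL [$2] $3 = '${got:-<unset>}' (want '$4')"
        return 1
    fi
}

# Every value the docs set; return 1 if any is missing or different.
check_app_ini() {
    rc=0
    expect_setting "$1" server  HTTP_ADDR            127.0.0.1 || rc=1
    expect_setting "$1" server  START_SSH_SERVER     true      || rc=1
    expect_setting "$1" server  SSH_LISTEN_PORT      2222      || rc=1
    expect_setting "$1" server  SSH_PORT             22        || rc=1
    expect_setting "$1" service DISABLE_REGISTRATION true      || rc=1
    expect_setting "$1" ui      SHOW_USER_EMAIL      false     || rc=1
    return $rc
}

# Constructed sample app.ini: the docs' values, except that HTTP_ADDR is
# still Forgejo's default of 0.0.0.0 (all interfaces). Prints the path.
sample_app_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
APP_NAME = Libre Code
APP_SLOGAN = Code free or die
APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}

[server]
; HTTP_ADDR deliberately left at the default for this sample
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
SSH_PORT = 22
START_SSH_SERVER = true
SSH_LISTEN_PORT = 2222

[service]
DISABLE_REGISTRATION = true

[ui]
SHOW_USER_EMAIL = false

[ui.meta]
AUTHOR = Libre Developers
DESCRIPTION = Free Software
EOF
    echo "$f"
}

f=$(sample_app_ini)
if check_app_ini "$f"; then
    echo "app.ini matches the docs"
else
    echo "fix app.ini before restarting forgejo"    # HTTP_ADDR is reported here
fi
rm -f "$f"
```

On the server, call check_app_ini /etc/forgejo/app.ini after editing; the HTTP_ADDR line is the one that matters most, since with the default value Forgejo's port 3000 would be reachable from outside rather than only through the Apache proxy.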