added git server info

2026-04-22 14:59:04 -05:00
parent 2f0a95674c
commit 060219d161
4 changed files with 704 additions and 6248 deletions
--- a/zet.home.arpa/git-server/GITEA.SERVICE
+++ b/zet.home.arpa/git-server/GITEA.SERVICE
@@ -0,0 +1,115 @@
+# Gitea Service Unit File
+
+Systemd service configuration for Gitea git server.
+
+```ini
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea
+ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+
+# Hardening
+PrivateTmp=true
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
+```
+
+**Location**: `/etc/systemd/system/gitea.service`
+
+**File Format**: Systemd unit file (INI-style)
+
+## Key Configuration Parameters
+
+### [Unit] Section
+- **Description**: Gitea (Git with a cup of tea)
+- **After**: Service starts after network is available
+
+### [Service] Section
+
+#### Execution
+- **Type**: simple (traditional foreground process)
+- **User**: git (unprivileged system user)
+- **Group**: git (service group)
+- **WorkingDirectory**: /var/lib/gitea (Gitea data directory)
+- **ExecStart**: Command to start Gitea with config file
+
+#### Restart Policy
+- **Restart**: always (auto-restart on exit)
+- **RestartSec**: 2s (wait 2 seconds before restarting)
+
+#### Environment
+- **USER**: git
+- **HOME**: /home/git
+- **GITEA_WORK_DIR**: /var/lib/gitea
+
+#### Security Hardening
+- **PrivateTmp**: true
+  - Isolates /tmp and /var/tmp for the process
+  - Prevents temp file leaks between processes
+  
+- **NoNewPrivileges**: true
+  - Prevents capability escalation
+  - Drops all capabilities except those explicitly granted
+
+### [Install] Section
+- **WantedBy**: multi-user.target
+  - Service is wanted by the multi-user runlevel
+  - Enables auto-start on boot when enabled
+
+## Service Management Commands
+
+### Status and Control
+```bash
+sudo systemctl status gitea              # Check current status
+sudo systemctl start gitea               # Start the service
+sudo systemctl stop gitea                # Stop the service
+sudo systemctl restart gitea             # Restart the service
+sudo systemctl enable gitea              # Enable auto-start on boot
+sudo systemctl disable gitea             # Disable auto-start on boot
+```
+
+### Monitoring
+```bash
+journalctl -u gitea -n 50 --no-pager    # Last 50 log lines
+journalctl -u gitea -f                   # Follow live logs
+journalctl -u gitea --since "2 hours ago" # Logs from last 2 hours
+```
+
+### Reload Systemd
+If you edit the unit file:
+```bash
+sudo systemctl daemon-reload
+sudo systemctl restart gitea
+```
+
+## Lifecycle
+
+1. **Systemd Start**: Systemd reads the unit file
+2. **Environment Setup**: Sets USER=git, HOME=/home/git, GITEA_WORK_DIR
+3. **Process Isolation**: Activates PrivateTmp and security restrictions
+4. **Gitea Launch**: Executes `/usr/local/bin/gitea web --config /etc/gitea/app.ini`
+5. **Crash Handling**: If process exits, waits 2 seconds and restarts automatically
+
+## Notes
+
+- Service runs in foreground (Type=simple) rather than daemon mode
+- Output goes to systemd journal (viewable via `journalctl`)
+- Working directory is `/var/lib/gitea` where Gitea stores data
+- Restart policy ensures automatic recovery from crashes
+- Security hardening prevents privilege escalation and temp file exposure
+
+---
+
+**Last Updated**: 2026-04-22  
+**Source**: `/etc/systemd/system/gitea.service` on zet.home.arpa