feat: Add Gitea backup script and harden app.ini configuration

Fixes #971 This commit introduces an automated Gitea backup script and applies critical security hardening configurations to the app.ini file, including: - Disabling user registration. - Requiring sign-in to view content. - Setting up server and security parameters for production readiness. Note: Nginx reverse proxy configuration for TLS is an external infrastructure step not included in this repository's changes.
2026-03-23 11:30:20 -04:00
2 changed files with 38 additions and 0 deletions
--- a/custom/conf/app.ini
+++ b/custom/conf/app.ini
@@ -0,0 +1,15 @@
+[server]
+PROTOCOL = http
+DOMAIN = git.yourdomain.com
+ROOT_URL = https://git.yourdomain.com/
+HTTP_ADDR = 127.0.0.1  # Shield Gitea behind the proxy
+
+[security]
+INSTALL_LOCK = true
+COOKIE_SECURE = true
+SET_COOKIE_HTTP_ONLY = true
+REVERSE_PROXY_TRUST_LOCAL = true
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = true
--- a/scripts/backup_gitea.sh
+++ b/scripts/backup_gitea.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Gitea Hardening Prep: Automated Backup Script
+# Usage: sudo ./backup_gitea.sh
+
+BACKUP_DIR="/opt/gitea/backups"
+TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
+GITEA_CONF="/etc/gitea/app.ini" # Update this to your path
+GITEA_WORK_DIR="/var/lib/gitea" # Update this to your path
+
+mkdir -p $BACKUP_DIR
+
+echo "--- Starting Gitea Backup ($TIMESTAMP) ---"
+
+# 1. Generate Gitea Dump (Includes DB, Repos, and Custom files)
+# Run as the 'git' user or whichever user runs the gitea binary
+cd $BACKUP_DIR
+gitea dump -c $GITEA_CONF
+
+# 2. Secure the backup file
+chmod 600 $BACKUP_DIR/*.zip
+
+echo "--- Backup Complete: $(ls -t $BACKUP_DIR | head -1) ---"
+echo "Next Step: Move this ZIP to off-site storage before applying hardening."