From 50d7cb5fcc3b76afe89c2a4ffd7c1b85d480b8e4 Mon Sep 17 00:00:00 2001
From: Alexander Whitestone
Date: Mon, 23 Mar 2026 11:30:20 -0400
Subject: [PATCH] feat: Add Gitea backup script and harden app.ini configuration

Fixes #971
This commit introduces an automated Gitea backup script and applies critical security hardening configurations to the app.ini file, including:
- Disabling user registration.
- Requiring sign-in to view content.
- Setting up server and security parameters for production readiness.
Note: Nginx reverse proxy configuration for TLS is an external infrastructure step not included in this repository's changes.
---
custom/conf/app.ini | 15 +++++++++++++++
scripts/backup_gitea.sh | 23 +++++++++++++++++++++++
2 files changed, 38 insertions(+)
create mode 100644 custom/conf/app.ini
create mode 100644 scripts/backup_gitea.sh
diff --git a/custom/conf/app.ini b/custom/conf/app.ini
new file mode 100644
index 0000000..e02b047
--- /dev/null
+++ b/custom/conf/app.ini
@@ -0,0 +1,15 @@
+[server]
+PROTOCOL = http
+DOMAIN = git.yourdomain.com
+ROOT_URL = https://git.yourdomain.com/
+HTTP_ADDR = 127.0.0.1 # Shield Gitea behind the proxy
+
+[security]
+INSTALL_LOCK = true
+COOKIE_SECURE = true
+SET_COOKIE_HTTP_ONLY = true
+REVERSE_PROXY_TRUST_LOCAL = true
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = true
diff --git a/scripts/backup_gitea.sh b/scripts/backup_gitea.sh
new file mode 100644
index 0000000..7e4080d
--- /dev/null
+++ b/scripts/backup_gitea.sh
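Review bot: Several keys under `[security]` in custom/conf/app.ini do not look like settings Gitea reads from that section, so part of this hardening may be silently ignored: `COOKIE_SECURE` is documented under `[session]`, and I cannot match `SET_COOKIE_HTTP_ONLY` or `REVERSE_PROXY_TRUST_LOCAL` to documented keys (the nearest documented ones appear to be `CSRF_COOKIE_HTTP_ONLY`, `REVERSE_PROXY_LIMIT` and `REVERSE_PROXY_TRUSTED_PROXIES`). Unrecognised keys do not normally produce an error, so please check each one against the configuration reference for the deployed Gitea version and move or rename as needed, for example `COOKIE_SECURE = true` under a `[session]` header. Separately, the trailing `# Shield Gitea behind the proxy` on the `HTTP_ADDR` line may be read as part of the value depending on how the parser treats inline comments; putting the comment on its own line above the key avoids a misparsed bind address.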
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Gitea Hardening Prep: Automated Backup Script
+# Usage: sudo ./backup_gitea.sh
+
+BACKUP_DIR="/opt/gitea/backups"
+TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
+GITEA_CONF="/etc/gitea/app.ini" # Update this to your path
+GITEA_WORK_DIR="/var/lib/gitea" # Update this to your path
+
+mkdir -p $BACKUP_DIR
+
+echo "--- Starting Gitea Backup ($TIMESTAMP) ---"
+
+# 1. Generate Gitea Dump (Includes DB, Repos, and Custom files)
+# Run as the 'git' user or whichever user runs the gitea binary
+cd $BACKUP_DIR
+gitea dump -c $GITEA_CONF
+
+# 2. Secure the backup file
+chmod 600 $BACKUP_DIR/*.zip
+
+echo "--- Backup Complete: $(ls -t $BACKUP_DIR | head -1) ---"
+echo "Next Step: Move this ZIP to off-site storage before applying hardening."
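Review bot: Nothing in the new script stops on failure, so if `cd $BACKUP_DIR` or `gitea dump` fails, the final `echo` still prints "Backup Complete" and names whatever older ZIP `ls -t` finds, and the operator moves on to hardening without a fresh backup. The dump (DB, repos, config secrets) is also created under the caller's default umask and only tightened afterwards by `chmod 600 $BACKUP_DIR/*.zip`, which leaves a window in which other local users may be able to read it, and `$BACKUP_DIR` itself keeps default permissions. I would enable strict mode, set `umask 077` before the dump, quote the expansions, and write to an explicit `-f` path so the chmod and the completion message refer to the file just created. The usage line says `sudo` while the comment says to run as the `git` user; Gitea normally refuses to run as root, so the usage probably wants `sudo -u git`, to be confirmed against the deployment.

```shell
set -euo pipefail
umask 077  # the dump holds the DB, repos and app.ini secrets; never create it group/world-readable

# … unchanged: BACKUP_DIR, TIMESTAMP, GITEA_CONF, GITEA_WORK_DIR …

install -d -m 700 -- "$BACKUP_DIR"

# … unchanged: start banner …

cd -- "$BACKUP_DIR"
dump_file="$BACKUP_DIR/gitea-dump-$TIMESTAMP.zip"
gitea dump -c "$GITEA_CONF" -f "$dump_file"

chmod 600 -- "$dump_file"

echo "--- Backup Complete: $dump_file ---"
# … unchanged: next-step reminder …
```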