From ArchWiki
Jump to: navigation, search

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Missing PostgreSQL, Apache proxy example, etc. (Discuss in Talk:Gitea#)

Gitea is a community managed fork of Gogs, lightweight code hosting solution written in Go and published under the MIT license.


Install the giteaAUR or gitea-gitAUR package.

Gitea requires the use of a database backend, the following are supported:


Note: If you want Gitea to listen on all interfaces, set HTTP_ADDR = in /var/lib/gitea/custom/conf/app.ini.

Start/enable gitea.service, the webinterface should listen on http://localhost:3000.

When running Gitea for the first time it should redirect to http://localhost:3000/install.


Note: gitea-gitAUR already provides a basic configuration file of /var/lib/gitea/custom/conf/app.ini on first install.

The user configuration file should be located at /etc/gitea/app.ini. Do not edit the main configuration file (/var/lib/gitea/conf/app.ini), since this file is included in the binary and will be overwritten on each update. Instead copy (if not exists) /var/lib/gitea/conf/app.ini to /etc/gitea/app.ini.

Gitea application and repository data will be saved into /var/lib/gitea, however it is possible to set custom locations in /etc/gitea/app.ini.

Gitea relies on bash for operations like cloning in ssh; bash should therefore be the shell of the user running gitea.


Note: MySQL socket support can be enabled by using /var/run/mysqld/mysqld.sock as the listen address.

The following is an example of setting up MariaDB:

$ mysql -u root -p
mysql> CREATE DATABASE `gitea` DEFAULT CHARACTER SET `utf8mb4` COLLATE `utf8mb4_general_ci`;
mysql> CREATE USER `gitea`@'localhost' IDENTIFIED BY 'password';
mysql> GRANT ALL PRIVILEGES ON `gitea`.* TO `gitea`@`localhost`;
mysql> \q

Try connecting to the new database with the new user:

$ mysql -u gitea -p -D gitea

Configure MariaDB on first run or by updating app.ini:

DB_TYPE  = mysql
HOST     = ; or /var/run/mysqld/mysqld.sock
NAME     = gitea
USER     = gitea
PASSWD   = password

Enable SSH Support

Warning: If you do all configuration via SSH do not close the session before you tested that everything is working, else you may lock yourself out.
  • Make sure SSH has been properly configured.
  • Create the gitea group and user with /home/gitea as home directory:
# groupadd --system gitea
# useradd --system -c 'Gitea' -g gitea -m -d /home/gitea -s /bin/bash gitea
  • Set correct permissions:
# chown -R gitea:gitea /var/log/gitea
# chown -R gitea:gitea /var/lib/gitea
  • Update app.ini to the running SSH configuration:
; Disable SSH feature when not available
; Domain name to be exposed in clone URL
; Port number to be exposed in clone URL
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
SSH_ROOT_PATH = /home/gitea/.ssh
  • Update the SSH configuration with AuthorizedKeysFile .ssh/authorized_keys and AllowUsers gitea, e.g.:
Port 22
AuthorizedKeysFile .ssh/authorized_keys
UseDNS no
PermitUserEnvironment yes
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers archie gitea
PubkeyAuthentication yes
PrintMotd no
Subsystem sftp /usr/lib/ssh/sftp-server
  • Set correct SSH permissions
  • Restart gitea.service and sshd.service
  • Generate a SSH key pair on the client (if non exists)
  • Copy the contents of the (newly) generated ~/.ssh/ to Add Key on the Your Settings, SSH Keys on the Gitea webinterface.

You should now be able to use SSH-authentication to manage the repositories, without entering an username/password.

Disable HTTP protocol

By default, the ability to interact with repositories by HTTP protocol is enabled. You may want to disable HTTP-support if using SSH, by setting DISABLE_HTTP_GIT to true.

Advanced Configuration

See the Gogs FAQ's for more configuration examples.

Configure nginx as reverse proxy

Tip: Let’s Encrypt is a free, automated, and open certificate authority. A plugin is available to request valid SSL certificates straight from the command line and automatic configuration.

An example of using nginx as reverse proxy including OpenSSL:

# redirect to ssl
server {
  listen 80;
  listen [::]:80;
  server_name git.domain.tld;
  return 301 https://$server_name$request_uri;

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name git.domain.tld;
  client_max_body_size 50M;
  ssl_certificate ssl/cert.crt;
  ssl_certificate_key ssl/cert.key;
  location / {
    proxy_pass http://localhost:3000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

Update the server section of app.ini:

PROTOCOL               = http
DOMAIN                 = git.domain.tld
ROOT_URL               = https://git.domain.tld/
HTTP_ADDR              =
HTTP_PORT              = 3000
Note: You don't need to activate any SSL certificate options in app.ini.

Finally update the cookie section - set COOKIE_SECURE to true.

See also