Alpine 安装 Nginx + Mariadb + Gitea。
更换为国内源。
# Point apk at the USTC mirror instead of the default CDN, then refresh the
# index. apk keeps verifying package signatures locally, so a mirror swap is
# an availability decision, not a trust decision.
sed -i -e 's|dl-cdn.alpinelinux.org|mirrors.ustc.edu.cn|g' /etc/apk/repositories
apk update
安装 sshd。(可选)
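# Optional: install sshd and enable it at boot.
apk add openssh
# Same tool the rest of this guide uses (on OpenRC `service` is an alias for
# `rc-service`); spelled consistently so the steps read the same way.
# Before exposing it, review /etc/ssh/sshd_config (PermitRootLogin,
# PasswordAuthentication) — the package defaults are not necessarily the
# policy you want on an internet-facing host.
rc-service sshd start
# Add to the default runlevel so it comes back after a reboot.
rc-update add sshd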
安装 Gitea
# Everything this guide needs: Gitea itself, MariaDB server + client, nginx as
# the TLS-terminating reverse proxy, and openssl for the DH parameters later.
apk add \
  gitea \
  mariadb \
  mariadb-client \
  nginx \
  openssl
配置 Mariadb
# First-time initialisation of the MariaDB data directory, then start the server.
rc-service mariadb setup
rc-service mariadb start
# Interactive hardening prompts: set the root password, drop the anonymous
# accounts and test database a fresh install ships with, disallow remote root.
mysql_secure_installation
创建 Gitea 数据库
# Open a root SQL shell. Giving --password no value makes the client prompt
# for it, so the secret never sits on the command line where `ps` can see it.
mysql --user=root --password
将下面 SQL 中的 username 和 password 替换为自己的值。
-- Dedicated account for Gitea, restricted to connections from the local host
-- ('localhost'), which matches the unix-socket HOST used in app.ini below.
CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
-- utf8mb4 so 4-byte characters (emoji in issues, commit messages) round-trip.
CREATE DATABASE IF NOT EXISTS gitea CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
-- Scoped to gitea.* only (not *.*) and without WITH GRANT OPTION.
GRANT ALL PRIVILEGES ON gitea.* TO 'username'@'localhost';
FLUSH PRIVILEGES;
EXIT
配置 Gitea (可选)
也可以先不设置,到安装页面再填。
编辑 /etc/gitea/app.ini,按自己的数据库配置添加下面的字段。
[server]
...
# SSH_DOMAIN, DOMAIN and ROOT_URL should all name the same host. Here
# SSH_DOMAIN says example.com while DOMAIN/ROOT_URL say xample.com —
# presumably a typo; fix before use or clone URLs will point at the wrong host.
SSH_DOMAIN = example.com
DOMAIN = xample.com
# Gitea serves plain HTTP on 8080; nginx (below) terminates TLS on 443 and
# proxies to it, so ROOT_URL is the public https URL, not :8080.
HTTP_PORT = 8080
ROOT_URL = https://xample.com/
# SSH_PORT = 22 presumably refers to the system sshd installed earlier rather
# than Gitea's built-in SSH server — confirm against the Gitea docs.
DISABLE_SSH = false
SSH_PORT = 22
OFFLINE_MODE = true
[database]
# Leftover sqlite3 settings, kept commented for reference.
# DB_TYPE = sqlite3
# PATH = /var/lib/gitea/db/gitea.db
# SSL_MODE = disable
DB_TYPE = mysql
# Connects over the local unix socket: no TCP listener is needed, and
# SSL_MODE = disable is acceptable because the traffic never leaves the host.
HOST = /var/run/mysqld/mysqld.sock
NAME = gitea
# Must match the CREATE USER / GRANT statements above. The password is stored
# in clear text here, so this file must not be readable by other users.
USER = username
PASSWD = password
SCHEMA =
SSL_MODE = disable
CHARSET = utf8mb4
# PATH is the sqlite3 database file (see the commented block above) and is
# presumably ignored with DB_TYPE = mysql — harmless, but confirm.
PATH = /var/lib/gitea/data/gitea.db
LOG_SQL = false
[log]
ROOT_PATH = /var/log/gitea
MODE = file
LEVEL = Info
# Empty mode list for the router logger — looks intended to silence
# per-request router logging; verify against the Gitea logging docs.
logger.router.MODE = ,
[service]
# No self-service sign-up; accounts are created by an administrator.
DISABLE_REGISTRATION = true
[time]
DEFAULT_UI_LOCATION = Asia/Shanghai
配置 nginx
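# Diffie-Hellman parameters for the DHE-RSA suites enabled in ssl.conf below.
# -dsaparam is far faster than generating a safe prime, but the resulting
# "DSA-style" parameters are only safe when a fresh DH key is used for every
# handshake (current OpenSSL/nginx do this); do not reuse the file elsewhere.
openssl dhparam -dsaparam -out /etc/ssl/private/dsa4096.pem 4096
mkdir -p /etc/nginx/snippets/ssl
# Every heredoc below uses a quoted delimiter ('EOF') so the file contents are
# written literally: nginx variables need no backslash escaping, and the
# backticks in the TIP line are no longer a command substitution. With the
# unquoted form the shell re-ran `openssl dhparam` while writing this file and
# replaced the command text with its (empty) stdout.
cat > /etc/nginx/snippets/ssl/dhparam.conf <<'EOF'
# Path of the file with Diffie-Hellman parameters for EDH ciphers.
# TIP: Generate with: `openssl dhparam -dsaparam -out /etc/ssl/private/dsa4096.pem 4096`
ssl_dhparam /etc/ssl/private/dsa4096.pem;
ssl_ecdh_curve secp521r1:secp384r1;
EOF
# Note: only P-521/P-384 are offered above; X25519 and P-256, which most
# clients send first, are excluded, so TLS 1.3 handshakes may need an extra
# round trip to settle on P-384. Functional, but confirm it is intended.
# ssl_stapling_verify needs the issuer chain trusted (ssl_trusted_certificate),
# which this guide does not set — check the nginx error log for stapling
# warnings after starting.
cat > /etc/nginx/snippets/ssl/ocsp.conf <<'EOF'
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
EOF
# TLS 1.2 suites are limited to (EC)DHE key exchange so every session has
# forward secrecy. The plain RSA-key-exchange suite AES256-GCM-SHA384 from the
# original list is dropped: with it, a leaked private key would decrypt
# recorded traffic. TLS 1.3 suites are not governed by ssl_ciphers.
cat > /etc/nginx/snippets/ssl/ssl.conf <<'EOF'
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
EOF
cat > /etc/nginx/snippets/ssl_params.conf <<'EOF'
include snippets/ssl/ssl.conf;
include snippets/ssl/dhparam.conf;
include snippets/ssl/ocsp.conf;
EOF
# Request-body limits sized for git pushes over HTTPS.
cat > /etc/nginx/snippets/client_params.conf <<'EOF'
client_max_body_size 512M;
client_body_timeout 300s;
client_body_buffer_size 512k;
EOF
# HSTS for one year; "always" also sets it on error responses. It is only
# included from the https server block (below). Browsers cache it for the
# full max-age, so enable it once the TLS setup is known to work.
cat > /etc/nginx/snippets/hsts.conf <<'EOF'
add_header Strict-Transport-Security "max-age=31536000" always;
EOF
mkdir -p /etc/nginx/snippets/proxy/map
# Defines $connection_upgrade, used by header.conf for WebSocket upgrades.
# "map" is only valid at http{} level, so this file has to be included from
# there (e.g. from a file under http.d/), never from inside server{}.
cat > /etc/nginx/snippets/proxy/map/connection_upgrade.conf <<'EOF'
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
EOF
cat > /etc/nginx/snippets/proxy/buffer.conf <<'EOF'
proxy_buffer_size 64k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
EOF
# X-Real-IP / X-Forwarded-* are set by this proxy; Gitea should only trust
# them when they arrive from this host (its reverse-proxy trust setting),
# otherwise a direct request to :8080 could spoof the client address.
# The inline comments in the generated file are part of its content and are
# kept as written.
cat > /etc/nginx/snippets/proxy/header.conf <<'EOF'
proxy_redirect off; #重写代理服务器响应中的Location和Refresh重定向字段
proxy_ssl_server_name on; #传递主机名给代理服务器
proxy_set_header Host $host; #设置请求头Host字段主机名
proxy_set_header X-Real-IP $remote_addr; #设置请求头X-Real-IP字段客户端真实ip
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #设置请求头X-Forwarded-For字段客户端真实ip+转发ip
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme; #设置请求头X-Forwarded-Proto转发协议(https)
proxy_set_header Upgrade $http_upgrade; #设置请求头Upgrade和Connection用于http协议升级websocket
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1; #代理请求http协议版本1.1
EOF
# Long read/send timeouts so large clones and pushes are not cut off.
cat > /etc/nginx/snippets/proxy/timeout.conf <<'EOF'
proxy_connect_timeout 75s; #nginx 跟后端服务器连接超时时间(代理连接超时)
proxy_send_timeout 600s; #连接成功后,后端服务器响应时间(代理接收超时)
proxy_read_timeout 600s; #请求的超时时间
EOF
cat > /etc/nginx/snippets/proxy_params.conf <<'EOF'
include snippets/proxy/header.conf;
include snippets/proxy/buffer.conf;
include snippets/proxy/timeout.conf;
EOF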
准备好 SSL 证书,假设证书存放目录是 /etc/ssl/example.com 。
# Certificate snippet for the https server block. fullchain.pem must hold the
# leaf plus intermediates. nginx reads privkey.pem as root at startup, so the
# key file can (and should) stay root-only.
printf '%s\n' \
  'ssl_certificate /etc/ssl/example.com/fullchain.pem;' \
  'ssl_certificate_key /etc/ssl/example.com/privkey.pem;' \
  > /etc/nginx/snippets/example.com_cert.conf
新建 Gitea 的 Nginx 配置。
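# Gitea vhost. Alpine's nginx.conf pulls /etc/nginx/http.d/*.conf into http{},
# so the include on the first line lands at http level, which is where "map"
# is valid. Nothing else in this guide includes that map file, yet header.conf
# references $connection_upgrade, so without it `nginx -t` reports an unknown
# variable.
# The port-80 server redirects with its own server_name, not the
# client-supplied Host header ($host) the original rewrite used, so a forged
# Host cannot turn the redirect into an open redirect; $request_uri carries
# the path and query string. "return 301" also avoids the regex rewrite.
# Quoted 'EOF': contents are written literally, no escaping needed.
cat > /etc/nginx/http.d/example.com.conf <<'EOF'
include snippets/proxy/map/connection_upgrade.conf;
server {
listen 80;
server_name example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com;
include snippets/example.com_cert.conf;
include snippets/ssl_params.conf;
include snippets/hsts.conf;
include snippets/client_params.conf;
location / {
proxy_pass http://localhost:8080;
include snippets/proxy_params.conf;
}
}
EOF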
启动服务并添加自启服务。
# Start the two daemons not yet running (MariaDB was started in the setup
# step), then enable all three in the default runlevel so they come up on boot.
rc-service gitea start
rc-service nginx start
for svc in nginx mariadb gitea; do
  rc-update add "$svc"
done