Vincent/Obsidian-Vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63233425d3086209c9056dbf9ed05f89ed9e56cc
Obsidian-Vault/Personal/Areas/Servers/TrueNAS/Docker Gitea with Traefik.md
Vincent Verbruggen fd37421245 Init
2025-10-25 20:11:21 +02:00

10 KiB
Raw Blame History

Docker Gitea with Traefik Setup

Overview

Complete setup for self-hosted Gitea with Traefik reverse proxy for secure external access on TrueNAS Scale.

Stack:

  • Gitea (Git server)
  • Traefik (Reverse proxy with automatic SSL)
  • Docker Compose

Prerequisites

  1. Domain name (or subdomain) pointed to your public IP

    • Example: git.yourdomain.com
    • Can use free services like DuckDNS, Cloudflare, etc.

  2. Port forwarding on your router

    • Port 80 (HTTP) → TrueNAS IP
    • Port 443 (HTTPS) → TrueNAS IP

  3. SSH access to TrueNAS Scale

Step 1: Create Datasets

SSH into TrueNAS and create storage locations:

# Create main directory for docker compose projects
cd /mnt/[your-pool-name]
mkdir -p docker/gitea
mkdir -p docker/traefik

# Create data directories
mkdir -p docker/gitea/data
mkdir -p docker/traefik/letsencrypt

Or create via TrueNAS web UI:

  • Storage → Create Dataset → docker
  • Then create subdirectories via SSH or UI

Step 2: Traefik Configuration

Create Traefik Config Directory

cd /mnt/[your-pool-name]/docker/traefik

Create traefik.yml

api:
  dashboard: true
  insecure: false

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: traefik_proxy

certificatesResolvers:
  letsencrypt:
    acme:
      email: your-email@example.com
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web

Create docker-compose.yml for Traefik

version: '3.8'

networks:
  traefik_proxy:
    name: traefik_proxy
    driver: bridge

services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      - TZ=America/New_York  # Adjust to your timezone
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro
      - ./letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      # Dashboard
      - "traefik.http.routers.traefik.rule=Host(`traefik.yourdomain.com`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      # Basic auth for dashboard (optional but recommended)
      # Generate password: echo $(htpasswd -nb admin yourpassword) | sed -e s/\\$/\\$\\$/g
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$xyz$$abc123"  # Replace with your hash

Start Traefik

cd /mnt/[your-pool-name]/docker/traefik
docker compose up -d

Step 3: Gitea with Traefik Integration

Create docker-compose.yml for Gitea

cd /mnt/[your-pool-name]/docker/gitea

Create docker-compose.yml:

version: '3.8'

networks:
  traefik_proxy:
    external: true
  gitea_internal:
    driver: bridge

services:
  gitea:
    image: gitea/gitea:latest
    container_name: gitea
    restart: unless-stopped
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__database__DB_TYPE=sqlite3
      - GITEA__server__DOMAIN=git.yourdomain.com
      - GITEA__server__SSH_DOMAIN=git.yourdomain.com
      - GITEA__server__ROOT_URL=https://git.yourdomain.com
      - GITEA__server__SSH_PORT=2222
      - GITEA__server__SSH_LISTEN_PORT=22
    networks:
      - traefik_proxy
      - gitea_internal
    volumes:
      - ./data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "2222:22"  # SSH for git operations
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      # HTTP/HTTPS
      - "traefik.http.routers.gitea.rule=Host(`git.yourdomain.com`)"
      - "traefik.http.routers.gitea.entrypoints=websecure"
      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"

Start Gitea

docker compose up -d

Step 4: Router Configuration

Port Forwarding Rules

On your router, forward these ports to your TrueNAS IP:

External Port Internal Port Protocol Service
80 80 TCP HTTP (Traefik)
443 443 TCP HTTPS (Traefik)
2222 2222 TCP SSH (Git operations)

Step 5: DNS Configuration

Point your domain/subdomain to your public IP:

Option A: Cloudflare (Recommended)

  1. Add A record: git.yourdomain.com → Your public IP
  2. Optional: Enable Cloudflare proxy (orange cloud)
    • Pros: DDoS protection, caching
    • Cons: Need to configure Traefik for Cloudflare SSL

Option B: DuckDNS (Free Dynamic DNS)

  1. Create account at duckdns.org
  2. Create subdomain: yourname.duckdns.org
  3. Set up auto-update script on TrueNAS for dynamic IP

Option C: Your Domain Registrar

  1. Add A record: git → Your public IP
  2. Wait for DNS propagation (up to 24 hours)

Step 6: Initial Gitea Setup

  1. Navigate to https://git.yourdomain.com
  2. Complete first-time setup wizard:
    • Database: SQLite (default is fine for personal use)
    • SSH Server Domain: git.yourdomain.com
    • SSH Port: 2222
    • Base URL: https://git.yourdomain.com
    • Disable registration (personal use only)
    • Create admin account

Step 7: Configure Git Client

SSH Config

Add to ~/.ssh/config:

Host git.yourdomain.com
    HostName git.yourdomain.com
    Port 2222
    User git
    IdentityFile ~/.ssh/id_ed25519  # Or your SSH key

Add SSH Key to Gitea

  1. Generate SSH key (if needed):

    ssh-keygen -t ed25519 -C "your-email@example.com"

  2. Copy public key:

    cat ~/.ssh/id_ed25519.pub

  3. In Gitea: Settings → SSH/GPG Keys → Add Key

Test SSH Connection

ssh -T git@git.yourdomain.com

Expected output:

Hi there, username! You've successfully authenticated...

Step 8: Usage Examples

Clone Repository

# HTTPS
git clone https://git.yourdomain.com/username/repo.git

# SSH (recommended)
git clone git@git.yourdomain.com:username/repo.git

Push Existing Repository

cd /path/to/your/repo
git remote add origin git@git.yourdomain.com:username/repo.git
git push -u origin main

Backup Strategy

Manual Backup

# Stop Gitea
cd /mnt/[your-pool-name]/docker/gitea
docker compose down

# Backup data directory
tar -czf gitea-backup-$(date +%Y%m%d).tar.gz data/

# Restart Gitea
docker compose up -d

Automated Backup (Gitea Built-in)

Create cron job on TrueNAS:

# Add to crontab (System Settings → Advanced → Cron Jobs in TrueNAS UI)
0 2 * * * docker exec gitea gitea dump -c /data/gitea/conf/app.ini -f /data/gitea-backup-$(date +\%Y\%m\%d).zip

TrueNAS Snapshots

  • Enable periodic snapshots for docker/gitea dataset
  • Retention: Daily for 7 days, weekly for 4 weeks
  • Optional: Replicate to another location

Maintenance

Update Containers

# Traefik
cd /mnt/[your-pool-name]/docker/traefik
docker compose pull
docker compose up -d

# Gitea
cd /mnt/[your-pool-name]/docker/gitea
docker compose pull
docker compose up -d

View Logs

# Traefik
docker logs traefik -f

# Gitea
docker logs gitea -f

Restart Services

# Restart Gitea
docker restart gitea

# Restart Traefik
docker restart traefik

Security Hardening

1. Disable Gitea Registration

In Gitea settings or app.ini:

[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true  # Optional: require login to view

2. Fail2Ban (Optional)

Protect against brute force attacks:

# Install fail2ban on TrueNAS
# Configure jail for Gitea SSH attempts

3. Firewall Rules

On TrueNAS, restrict access if needed:

# Only allow specific IPs (example)
iptables -A INPUT -p tcp --dport 2222 -s YOUR_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j DROP

4. Regular Updates

  • Update Docker images monthly
  • Monitor Gitea security advisories
  • Keep TrueNAS Scale updated

Troubleshooting

SSL Certificate Not Generated

Check Traefik logs:

docker logs traefik | grep -i error

Common issues:

  • Port 80/443 not properly forwarded
  • DNS not pointing to your IP
  • Email in traefik.yml incorrect
  • Firewall blocking ports

Can't Access Externally

  1. Verify port forwarding on router
  2. Check public IP: curl ifconfig.me
  3. Test DNS: nslookup git.yourdomain.com
  4. Check Traefik dashboard for routes

SSH Clone Not Working

  1. Verify port 2222 is forwarded
  2. Test: nc -zv git.yourdomain.com 2222
  3. Check SSH key is added in Gitea
  4. Verify SSH config (~/.ssh/config)

Gitea Container Won't Start

# Check logs
docker logs gitea

# Common issues:
# - Port conflicts (3000 or 2222 in use)
# - Permission issues on data directory
# - Network conflicts

Resource Usage

Expected usage on your i7-1065G7 with 16GB RAM:

  • Traefik: ~30-50 MB RAM, minimal CPU
  • Gitea: ~100-150 MB RAM, <5% CPU (idle)
  • Total: ~150-200 MB RAM combined

Plenty of headroom for other services!

Next Steps

  • Decide on domain name (purchase or use DuckDNS)
  • Create datasets on TrueNAS
  • Set up Traefik with docker-compose
  • Configure DNS records
  • Set up router port forwarding
  • Deploy Gitea container
  • Complete Gitea initial setup
  • Configure SSH keys
  • Test external access
  • Set up automated backups
  • Migrate repositories from GitHub

Additional Services to Consider

Once Traefik is set up, you can easily add more services:

  • Uptime Kuma - Monitoring dashboard
  • Vaultwarden - Self-hosted Bitwarden
  • Nextcloud - File sync and sharing
  • Portainer - Docker management UI
  • Homer/Heimdall - Homepage dashboard

All use the same Traefik setup for automatic SSL!

Reference in New Issue View Git Blame Copy Permalink