# Note

We use
```
https://codeberg.org/forgejo-aneksajo/forgejo-aneksajo
```
instead of the vanilla Forgejo. The reason is that our data-hungry research disciplines need git-annex ( https://git-annex.branchable.com/ ). forgejo-aneksajo is always a bit behind the main project. However, they want to become part of vanilla Forgejo. I hope they will be able to do that. This would be nice for us because then we would not need to compile the source code ourselves. :-)

# Firewall

```
ufw allow 80
ufw allow 443
ufw allow 11080
ufw allow 22
ufw enable
```

# Package installation

```
add-apt-repository ppa:git-core/ppa
apt update
apt upgrade
apt -y install mc net-tools nginx micro mariadb-server mariadb-client git git-lfs make curl lynx git-annex
```

# SSH Port

We need to change the SSH port because Forgejo needs the port for git.

```
micro /etc/ssh/sshd_config
```
Replace
```
#Port 22
```
with
```
Port 11080
```
Restart the service
```
systemctl restart sshd
```

# Maria DB

```
systemctl enable mariadb
mysql_secure_installation
```

* Switch to unix_socket authentication [Y/n] Y
* Change the root password? [Y/n] n
* Remove anonymous users? [Y/n] Y
* Disallow root login remotely? [Y/n] Y
* Remove test database and access to it? [Y/n] Y
* Reload privilege tables now? [Y/n] Y

```
mysql
```
Under mysql:
```
SET old_passwords=0;
CREATE USER 'forgejo'@'%' IDENTIFIED BY '[REDACTED]';
CREATE DATABASE forgejodb CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_bin';
GRANT ALL PRIVILEGES ON forgejodb.* TO 'forgejo';
FLUSH PRIVILEGES;
exit
```

# Install go lang >= 1.23

Add the Go compiler path to the .bashrc
```
echo "export PATH=\$PATH:/usr/local/go/bin" >> /root/.bashrc
export PATH=$PATH:/usr/local/go/bin
```

```
cd /root
wget https://go.dev/dl/go1.23.5.linux-amd64.tar.gz
rm -rf /usr/local/go
tar -C /usr/local -xzf go1.23.5.linux-amd64.tar.gz
```

# Install nodejs 22

```
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
export NVM_DIR="$HOME/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm
[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion" # This loads nvm bash_completion
nvm install 22
```

## Some checks

```
node -v # Should print "v22.13.0"
nvm current # Should print "v22.13.0"
npm -v # Should print "10.9.2"
```

# Install forgejo-aneksajo (v9.0.3-git-annex0 on the 16.01.2025)

Prepare the user
```
sudo adduser --system --shell /bin/bash --gecos 'Git Version Control' \
  --group --disabled-password --home /home/git git
```

Make the necessary directories
```
mkdir /var/lib/forgejo
chown git:git /var/lib/forgejo
chmod 750 /var/lib/forgejo
mkdir -p /var/lib/forgejo/custom/public/assets
chown -R git:git /var/lib/forgejo/custom
chmod -R 750 /var/lib/forgejo/custom
mkdir /etc/forgejo
chown root:git /etc/forgejo
chmod 770 /etc/forgejo
```

Place the systemd unit file forgejo.service at
```
/etc/systemd/system/forgejo.service
```

Compile the software
```
cd /root
# Fetch the forgejo-aneksajo sources
git clone https://codeberg.org/forgejo-aneksajo/forgejo-aneksajo.git
cd forgejo-aneksajo
TAGS="bindata timetzdata" make build
cp gitea /usr/local/bin/forgejo
chmod 755 /usr/local/bin/forgejo
# Allow the binary to bind to ports below 1024 without running as root
setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/forgejo
```

```
systemctl enable forgejo.service
systemctl start forgejo.service
```
Check
```
systemctl status forgejo.service
```

# SSL Certificate

I placed the SSL certificates into /etc/nginx (ca.pem: certificate bundle, key.pem: private key)
```
cd /etc/nginx
chmod 0400 key.pem
chmod 0444 ca.pem
```

# nginx

```
cd /etc/nginx
mv nginx.conf nginx.conf_old
wget -O/etc/nginx/nginx.conf https://git.neuro.uni-bremen.de/git_rot/forgejo_installation_process/raw/branch/main/etc/nginx/nginx.conf
```
Test if everything is okay:
```
nginx -t
systemctl stop nginx
systemctl start nginx
systemctl enable nginx
systemctl status nginx
```

# Configure forgejo

```
chmod 777 /etc/forgejo
touch /etc/forgejo/app.ini
chmod 777 /etc/forgejo/app.ini
systemctl enable forgejo.service
systemctl start forgejo.service
```
Check the status of forgejo
```
systemctl status forgejo.service
```

Go to https://git.neuro.uni-bremen.de

Working on the forgejo config:
```
systemctl stop forgejo.service
chmod 755 /etc/forgejo
chmod 644 /etc/forgejo/app.ini
```

```
mkdir -p /var/lib/forgejo/uploads
chmod -R 0777 /var/lib/forgejo/uploads
```

```
systemctl stop forgejo.service
```

## app.ini changes (Round 1):

For reference, use /etc/forgejo/app.ini from this repo, but with ALLOW_ONLY_EXTERNAL_REGISTRATION = false and the secrets from your installation.

```
systemctl restart forgejo.service
systemctl status forgejo.service
```

Log in and create the admin user.

Now we go to https://git.neuro.uni-bremen.de/admin/auths

Create a new authentication source.

For the moment I am using the itexchange.neuro.uni-bremen.de/sso. Will be changed.

* Type: OAuth2
* Name: UniBremenSSO
* OAuth2-Provider: OpenID Connect
* Client-ID: git
* Client-Secret: [REDACTED]
* OpenID-Connect-Auto-Discovery-URL: https://itexchange.neuro.uni-bremen.de/sso/realms/master/.well-known/openid-configuration

## app.ini changes (Round 2):

```
[service]
[...]
ALLOW_ONLY_EXTERNAL_REGISTRATION = true
```

```
mkdir -p /var/lib/forgejo/custom/public/assets/img
```
Put the logos into /var/lib/forgejo/custom/public/assets/img

```
mkdir -p /var/lib/forgejo/custom/templates/user/auth
chmod -R 777 /var/lib/forgejo/custom
```
Put the custom template files into /var/lib/forgejo/custom/templates/

```
systemctl stop forgejo.service
systemctl start forgejo.service
systemctl status forgejo.service
```
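
The steps above leave `/var/lib/forgejo/uploads` and `/var/lib/forgejo/custom` world-writable and `/etc/forgejo/app.ini` readable by every local user. As an added example (not part of the original guide or of Forgejo), this script lists such entries under the paths used here; the function names and the optional root-prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: permission audit for the paths this guide creates.
# Function names and the optional root prefix are illustrative, not part of Forgejo.

# List files and directories under the given roots that any local user can write to.
world_writable() (
    for root in "$@"; do
        [ -e "$root" ] || continue
        find "$root" -xdev \( -type f -o -type d \) -perm -0002 -print
    done | sort
)

# List the given files that exist and are readable by any local user.
world_readable() (
    for f in "$@"; do
        [ -f "$f" ] || continue
        find "$f" -prune -perm -0004 -print
    done
)

# Audit one installation. $1 is an optional prefix so the check can run
# against a copy or a test tree; empty means the live system.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_forgejo() (
    p=${1:-}
    ww=$(world_writable "$p/etc/forgejo" "$p/var/lib/forgejo")
    # app.ini holds the database password and Forgejo's secrets;
    # key.pem is the TLS private key.
    wr=$(world_readable "$p/etc/forgejo/app.ini" "$p/etc/nginx/key.pem")
    rc=0
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        rc=1
    fi
    if [ -n "$wr" ]; then
        printf 'secret readable by all users:\n%s\n' "$wr"
        rc=1
    fi
    exit "$rc"
)

audit_forgejo "${1:-}" || echo "Tighten the entries listed above (chmod o-w / chmod o-r)."
```

Run it as root after the last restart. Entries it lists can usually be narrowed to the `git` user and group, since that is the account the service runs under in this guide.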