
Gitea - Hardened Self-Hosted Git Service

By Lynxroute

Gitea 1.26.2 - CIS Level 1 hardened Git service on Ubuntu 24.04 LTS with SBOM and CIS Report

What is Gitea

Gitea is a lightweight, open-source self-hosted Git service written in Go. It provides a complete platform for source code: repository hosting, pull requests, issues, wikis, releases, packages, and built-in CI/CD via Gitea Actions. Gitea works with the standard git CLI and any Git GUI client - your developers keep the same workflow while every repository, issue, and pipeline run lives entirely on your own infrastructure. Compared to running a heavier Git platform, Gitea has a small footprint (single binary plus PostgreSQL), starts in seconds, and scales from a single team to thousands of users on modest VM sizes.

Why self-host Gitea

Self-hosting puts every commit, code review, and pipeline secret under your own control - no per-seat SaaS fees, no third-party visibility into your source. Ideal for teams with data residency requirements, organisations operating under regulated frameworks (HIPAA, GDPR, ISO 27001), defence and government work, and MSPs that need to keep customer code inside their own tenant.

What this VM image adds

Security hardening:

  • Unique admin password generated per instance - admin account created at first boot with a per-VM password, password change required on first web login
  • Four internal secrets generated per instance - SECRET_KEY, INTERNAL_TOKEN, LFS_JWT_SECRET, OAUTH2_JWT_SECRET regenerated at first boot, never the same on two deployments
  • PostgreSQL 16 listening on localhost only - 127.0.0.1:5432, per-instance database password, no external exposure
  • Nginx reverse proxy with TLS - HTTP to HTTPS redirect, hardened cipher suite, security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
  • Gitea runs as non-root - dedicated git system user, systemd UMask=0027, ProtectSystem=full, ProtectKernelTunables, NoNewPrivileges
  • Built-in Git SSH server on port 2222 - separated from the system SSH on port 22, hardened key-only authentication
  • CVE scan - every image is scanned for vulnerabilities with Trivy before release
  • UFW firewall - only ports 22 (system SSH), 80, 443, and 2222 (git SSH) open
  • fail2ban - SSH brute-force protection
  • AppArmor - mandatory access control
  • Certbot pre-installed - one command issues a Let's Encrypt certificate after you point a domain at the VM

OS hardening (CIS Level 1):

  • CIS Level 1 hardened - CIS Ubuntu 24.04 LTS Level 1 Benchmark via ansible-lockdown
  • auditd - system call auditing for critical paths
  • SSH hardening - PasswordAuthentication disabled, key-only access
  • Kernel hardening - SYN cookies, ASLR, rp_filter, TCP BBR
  • /tmp as tmpfs - nosuid, nodev, noexec
  • Azure IMDS endpoints - egress rules pre-configured (169.254.169.254, 168.63.129.16)

Compliance artifacts (inside the VM):

  • SBOM - CycloneDX 1.6 at /etc/lynxroute/sbom.json
  • CIS Conformance Report - OpenSCAP HTML at /etc/lynxroute/cis-report.html
  • Tailored CIS profile - /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md
  • Server credentials file - /root/gitea-credentials.txt with public IP, web UI URL, the per-instance admin password, and the per-instance PostgreSQL password

Quick Start

  1. Deploy VM from Azure Marketplace (Standard_D2s_v3 or larger recommended)
  2. Open NSG: TCP 80 and 443 from your client networks, TCP 2222 from networks that need git over SSH, TCP 22 from your management IPs only
  3. SSH: ssh -i key.pem <username>@<PUBLIC_IP> (username set during VM creation, default: azureuser)
  4. Read connection details: sudo cat /root/gitea-credentials.txt - contains web UI URL, admin password, and the PostgreSQL password
  5. Open https://<PUBLIC_IP> in your browser, accept the self-signed certificate, log in as admin, and set a new password when prompted
  6. Issue a public TLS certificate (recommended before sharing with users): sudo certbot --nginx -d your.domain.com

The image ships with a self-signed certificate so the web UI works on first boot - replace it with a CA-signed certificate before exposing the server to end users.
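Once the Quick Start above is done, the sensible next step is to confirm that the hardening claims in the lists above actually hold on the running VM rather than taking the listing's word for them. The script below is an added example written for this page; it is not part of the Lynxroute image or the Gitea project. Each `check_*` function takes the text output of one system command (`ss`, `systemctl show`, `sshd -T`, `ufw status`, `findmnt`, `stat`) as an argument, so the checks can be exercised offline against the constructed sample strings embedded in the script; `run_live_checks` feeds them real output when run as root on the VM. The expected values (localhost-only PostgreSQL on 5432, the listed systemd directives, key-only SSH, ports 22/80/443/2222, `nosuid,nodev,noexec` on /tmp, root-only credentials file) are taken from the listing; the unit name `gitea` is an assumption.

```shell
#!/bin/sh
# Added example (not part of the Lynxroute image or Gitea): post-deploy posture
# checks for the hardening claims in the listing. Every check_* function takes
# command output as text; the SAMPLE_* strings below are constructed, not
# captured from a real deployment. Assumes the systemd unit is named "gitea".

# PostgreSQL may listen on 127.0.0.1:5432 (or [::1]:5432) only.
# $1: output of `ss -Hltn` (one listening socket per line, local address in column 4)
check_pg_localhost_only() {
  printf '%s\n' "$1" | awk '
    $4 ~ /:5432$/ && $4 != "127.0.0.1:5432" && $4 != "[::1]:5432" { found = 1 }
    END { exit (found ? 1 : 0) }'
}

# The Gitea unit must keep the listed sandboxing directives.
# $1: output of `systemctl show gitea -p NoNewPrivileges -p ProtectSystem -p ProtectKernelTunables -p UMask`
check_gitea_unit() {
  for want in NoNewPrivileges=yes ProtectSystem=full ProtectKernelTunables=yes UMask=0027; do
    printf '%s\n' "$1" | grep -qx "$want" || return 1
  done
}

# System SSH on port 22 must refuse password logins.
# $1: output of `sshd -T` (effective configuration, lowercase keywords)
check_sshd_no_password() {
  printf '%s\n' "$1" | grep -qx 'passwordauthentication no'
}

# UFW must allow only 22, 80, 443 and 2222; any other ALLOW rule fails the check.
# $1: output of `ufw status`
check_ufw_ports() {
  printf '%s\n' "$1" | awk '
    /ALLOW/ {
      split($1, p, "/")
      if (p[1] != "22" && p[1] != "80" && p[1] != "443" && p[1] != "2222") bad = 1
    }
    END { exit (bad ? 1 : 0) }'
}

# /tmp must carry nosuid, nodev and noexec.
# $1: output of `findmnt -no OPTIONS /tmp` (comma-separated mount options)
check_tmp_options() {
  for opt in nosuid nodev noexec; do
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$opt" || return 1
  done
}

# The credentials file must be owned by root and unreadable by anyone else.
# $1: output of `stat -c '%U %a' /root/gitea-credentials.txt`
check_credentials_perms() {
  [ "$1" = "root 600" ] || [ "$1" = "root 400" ]
}

# Prints PASS/FAIL per check and returns 1 if any check failed. Run as root on the VM.
POSTURE_RC=0
report() {
  if "$@"; then echo "PASS $1"; else echo "FAIL $1"; POSTURE_RC=1; fi
}
run_live_checks() {
  POSTURE_RC=0
  report check_pg_localhost_only "$(ss -Hltn)"
  report check_gitea_unit "$(systemctl show gitea -p NoNewPrivileges -p ProtectSystem -p ProtectKernelTunables -p UMask)"
  report check_sshd_no_password "$(sshd -T 2>/dev/null)"
  report check_ufw_ports "$(ufw status)"
  report check_tmp_options "$(findmnt -no OPTIONS /tmp)"
  report check_credentials_perms "$(stat -c '%U %a' /root/gitea-credentials.txt)"
  return $POSTURE_RC
}

# Constructed samples mirroring what the commands print on a conforming and a drifted VM.
SAMPLE_SS_OK='LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
SAMPLE_SS_BAD='LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*'
SAMPLE_UNIT_OK='NoNewPrivileges=yes
ProtectSystem=full
ProtectKernelTunables=yes
UMask=0027'
SAMPLE_UNIT_BAD='NoNewPrivileges=no
ProtectSystem=full
ProtectKernelTunables=yes
UMask=0022'
SAMPLE_UFW_OK='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'
SAMPLE_UFW_BAD='Status: active

To                         Action      From
5432/tcp                   ALLOW       Anywhere'

# Live run only when explicitly requested, so the file can be sourced for offline testing.
if [ "${GITEA_POSTURE_LIVE:-0}" = 1 ]; then
  run_live_checks
fi
```

Run it on the VM with `sudo GITEA_POSTURE_LIVE=1 sh gitea-posture.sh`; a FAIL line for `check_ufw_ports` or `check_pg_localhost_only` after someone "temporarily" opened a port is exactly the drift this kind of check exists to catch, and the same script can be dropped into a cron job or a CI step that SSHes in over port 22.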