This Howto explains how to set up a Linux server that runs SSH, WireGuard VPN, Forgejo (a fork of Gitea, a web-based git forge, kinda like self-hosted GitHub) behind a local nginx reverse proxy, and a minimal DNS server so we can have an internal domain for pretty URLs. It also shows how to set up a minimal MTA/mail forwarder so the server can send mails, an iptables + SSHGuard-based firewall, automated backups and some basic self-monitoring. As a bonus there’s a short section that outlines how to set up OpenProject in this environment.
To follow this Howto you’ll need (very) basic Linux command-line knowledge, i.e. you should be
able to navigate the file system in a terminal, use SSH and edit text files with a terminal-based
text editor (like nano, joe or vim, whatever you prefer).
This Howto assumes that you’re using Ubuntu Server 22.04, but it should be the same for other
(systemd-using) Debian-based Linux distributions, and reasonably similar when using other distributions.
You’ll also need full root privileges on the system.
Hopefully this Howto is also useful if you only want to do some of these things (maybe set up a public Forgejo instance, or just a WireGuard server without Forgejo on it).
UPDATE: There was a bug in the backup and monitoring scripts (shouldn’t have used bash_function | tee foolog.txt), so I updated them accordingly.
UPDATE 2: Added something about configuring [git] HOME_PATH in Forgejo’s app.ini, which works around a Forgejo bug that prevents blobless clones.
UPDATE 3: Some small changes, and added a section about denying Git users SSH access unless they’re coming through the WireGuard VPN.
UPDATE 4: Replaced suggestions for using Hetzner or Vultr with warnings about them.