Below are some of the configurations of Gitea that are useful for security hardening:
Config Reference: https://docs.gitea.io/en-us/config-cheat-sheet/
The more features we disable, the less attack surfaces we will face when using Gitea.
version: "3"
networks:
gitea:
external: false
volumes:
gitea-data:
driver: local
gitea-config:
driver: local
services:
server:
image: gitea/gitea@sha256:ef6279e13e223d956bc417f299a3530795afcf79f3af429a5c893262c550a648
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
- GITEA__repository__DISABLE_DOWNLOAD_SOURCE_ARCHIVES=true
- GITEA__repository__DISABLE_HTTP_GIT=true
- GITEA__repository__repository.upload__ENABLED=false
- GITEA__server__DISABLE_SSH=true
- GITEA__security__DISABLE_GIT_HOOKS=true
- GITEA__security__DISABLE_WEBHOOKS=true
- GITEA__security__PASSWORD_COMPLEXITY=on
- GITEA__security__MIN_PASSWORD_LENGTH=10
- GITEA__attachment__ENABLED=false
- GITEA__api__ENABLE_SWAGGER=false
- GITEA__packages__ENABLED=false
- GITEA__migrations__ALLOWED_DOMAINS=github.com,*.github.com
- GITEA__repository__MAX_CREATION_LIMIT=0
- GITEA__security__PASSWORD_HASH_ALGO=argon2
- GITEA__mirror__DISABLE_NEW_PUSH=true
- GITEA__service__DISABLE_REGISTRATION=true
- GITEA__repository__DISABLED_REPO_UNITS=repo.issues, repo.ext_issues, repo.pulls, repo.wiki, repo.ext_wiki, repo.projects
- GITEA__service__DEFAULT_ALLOW_CREATE_ORGANIZATION=false
- GITEA__service__DEFAULT_USER_IS_RESTRICTED=true
- GITEA__repository__DISABLE_MIGRATIONS=true # Set as false when there is new mirror
- GITEA__mirror__DISABLE_NEW_PULL=true # Set as false when there is new mirror
restart: always
networks:
- gitea
volumes:
- gitea-data:/var/lib/gitea
- gitea-config:/etc/gitea
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "222:22"