v1.25.4-1

50-gitea-container.conf

@@ -0,0 +1,6 @@
+Match User git
+    AuthorizedKeysCommand /usr/libexec/gitea-keys %u %t %k
+    AuthorizedKeysCommandUser root
+    PasswordAuthentication no
+    GSSAPIAuthentication no
+    AuthenticationMethods publickey

50-gitea-service.conf

@@ -0,0 +1,6 @@
+Match User git
+    AuthorizedKeysCommand /usr/libexec/gitea keys -c /etc/gitea/app.ini -e git -u %u -t %t -k %k
+    AuthorizedKeysCommandUser git
+    PasswordAuthentication no
+    GSSAPIAuthentication no
+    AuthenticationMethods publickey

app.ini

@@ -0,0 +1,460 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; General Settings
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; App name that shows in every page title
+APP_NAME = Gitea: Git with a cup of tea
+;;
+;; The user Gitea runs as
+RUN_USER = git
+;;
+;; Application run mode: "dev" or "prod"
+RUN_MODE = prod
+;;
+;; The working directory
+WORK_PATH = /var/lib/gitea
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[server]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Protocol: "http", "https", "http+unix", "fcgi" or "fcgi+unix"
+PROTOCOL = http
+;;
+;; Domain name for the server
+DOMAIN = localhost
+;;
+;; Public URL used in links, set this to your real URL when using a reverse proxy
+ROOT_URL = http://localhost:3000/
+;;
+;; Local (DMZ) URL for Gitea workers (such as SSH update)
+;;LOCAL_ROOT_URL = https://gitea.example.com
+;;
+;; Default path for App data
+;APP_DATA_PATH = data
+;;
+;; Listen address
+;HTTP_ADDR = 0.0.0.0
+;;
+;; Listen port
+HTTP_PORT = 3000
+;;
+;; Disable SSH feature
+;DISABLE_SSH = false
+;;
+;; Whether to use the builtin SSH server or not
+START_SSH_SERVER = false
+;;
+;; Username for the builtin SSH server (defaults to RUN_USER)
+;BUILTIN_SSH_SERVER_USER = git
+;;
+;; SSH domain name to be exposed in clone URL
+;SSH_DOMAIN = localhost
+;;
+;; SSH port displayed in clone URLs
+SSH_PORT = 22
+;;
+;; The port the builtin SSH server should listen on (defaults to SSH_PORT)
+;SSH_LISTEN_PORT =
+;;
+;; Do not manage authorized_keys (using AuthorizedKeysCommand instead)
+SSH_CREATE_AUTHORIZED_KEYS_FILE = false
+;;
+;; Show SSH clone URL to anonymous visitors
+SSH_EXPOSE_ANONYMOUS = false
+;;
+;; Landing page: "home", "explore", "organizations", "login"
+;LANDING_PAGE = home
+;;
+;; Enable gzip compression
+;ENABLE_GZIP = false
+;;
+;; Enable git-lfs support
+LFS_START_SERVER = true
+;;
+;; LFS authentication secret
+;LFS_JWT_SECRET =
+;;
+;; Offline mode (disable CDN)
+;OFFLINE_MODE = true
+;;
+;; Static resource cache time
+;STATIC_CACHE_TIME = 6h
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[database]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Database type: "mysql", "postgres", "mssql" or "sqlite3"
+DB_TYPE = postgres
+;;
+;; Database host (can use socket e.g. /var/run/postgresql/)
+HOST = 127.0.0.1:5432
+;;
+;; Database name
+NAME = gitea
+;;
+;; Database user
+USER = gitea
+;;
+;; Database password (use backticks for special chars: PASSWD = `pass`)
+PASSWD = gitea
+;;
+;; For PostgreSQL: "disable", "require", or "verify-full"
+;SSL_MODE = disable
+;;
+;; Schema for PostgreSQL
+;SCHEMA =
+;;
+;; Database path (for sqlite3 only)
+;PATH =
+;;
+;; Show SQL in logs
+;LOG_SQL = false
+;;
+;; Max idle database connections
+;MAX_IDLE_CONNS = 2
+;;
+;; Max open database connections (0 = unlimited)
+;MAX_OPEN_CONNS = 0
+;;
+;; Connection max lifetime
+;CONN_MAX_LIFETIME = 3s
+;;
+;; Auto run database migrations
+;AUTO_MIGRATION = true
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[security]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Disable the installer after first setup
+;INSTALL_LOCK = false
+;;
+;; Global secret key (VERY IMPORTANT - do not lose!)
+;SECRET_KEY =
+;; Or use a file:
+;SECRET_KEY_URI = file:/etc/gitea/secret_key
+;;
+;; Internal communication token
+;INTERNAL_TOKEN =
+;; Or use a file:
+;INTERNAL_TOKEN_URI = file:/etc/gitea/internal_token
+;;
+;; Minimum password length
+;MIN_PASSWORD_LENGTH = 8
+;;
+;; Password complexity: "lower,upper,digit,spec" or "off"
+;PASSWORD_COMPLEXITY = off
+;;
+;; Password hash algorithm: "argon2", "pbkdf2", "scrypt" or "bcrypt"
+;PASSWORD_HASH_ALGO = pbkdf2
+;;
+;; Disable custom git hooks (security: allows arbitrary code execution)
+;DISABLE_GIT_HOOKS = true
+;;
+;; Reverse proxy auth headers (for SSO setups)
+;REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
+;REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
+;REVERSE_PROXY_LIMIT = 1
+;REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[oauth2]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable OAuth2 provider
+;ENABLED = true
+;;
+;; JWT signing algorithm: HS256, RS256, ES256, EdDSA, etc.
+;JWT_SIGNING_ALGORITHM = RS256
+;;
+;; OAuth2 JWT secret (for HS256/HS384/HS512)
+;JWT_SECRET =
+;;
+;; OAuth2 access token lifetime (seconds)
+;ACCESS_TOKEN_EXPIRATION_TIME = 3600
+;;
+;; OAuth2 refresh token lifetime (hours)
+;REFRESH_TOKEN_EXPIRATION_TIME = 730
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[service]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Require email confirmation for new registrations
+;REGISTER_EMAIL_CONFIRM = false
+;;
+;; Disable self-registration (admin creates accounts only)
+DISABLE_REGISTRATION = true
+;;
+;; Require sign-in to view anything
+;; Set to "expensive" to block anonymous crawlers from code pages
+;REQUIRE_SIGNIN_VIEW = false
+;;
+;; Enable mail notifications
+;ENABLE_NOTIFY_MAIL = false
+;;
+;; Enable basic auth with password (disable to force OAuth2/tokens only)
+;ENABLE_BASIC_AUTHENTICATION = true
+;;
+;; Allow registration only using third-party services
+;ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+;;
+;; Enable captcha validation for registration
+;ENABLE_CAPTCHA = false
+;;
+;; Enable heatmap on users profiles
+;ENABLE_USER_HEATMAP = true
+;;
+;; Default value for KeepEmailPrivate
+;DEFAULT_KEEP_EMAIL_PRIVATE = false
+;;
+;; Default value for AllowCreateOrganization
+;DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+;;
+;; Default value for EnableTimetracking
+;DEFAULT_ENABLE_TIMETRACKING = true
+;;
+;; Default visibility for new organizations: "public", "limited", "private"
+;DEFAULT_ORG_VISIBILITY = public
+;;
+;; No-reply mail address
+;NO_REPLY_ADDRESS = noreply.localhost
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[log]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Log root path
+ROOT_PATH = log
+;;
+;; Log mode: "console", "file" or "conn" (comma-separated for multiple)
+MODE = console
+;;
+;; Log level: "Trace", "Debug", "Info", "Warn", "Error", "None"
+LEVEL = Info
+;;
+;; Enable SSH request logging
+;ENABLE_SSH_LOG = false
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[mailer]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable mail sending
+ENABLED = false
+;;
+;; Mail protocol: "smtp", "smtps", "smtp+starttls", "smtp+unix", "sendmail", "dummy"
+;PROTOCOL = smtp
+;;
+;; SMTP server address (hostname only, without port)
+;SMTP_ADDR = localhost
+;;
+;; SMTP server port (25, 465, 587)
+;SMTP_PORT = 25
+;;
+;; Mail from address
+;FROM = gitea@localhost
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[cache]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Cache adapter: "memory", "redis", "redis-cluster", "twoqueue", "memcache"
+;ADAPTER = memory
+;;
+;; Cache interval (seconds), for memory cache only
+;INTERVAL = 60
+;;
+;; Cache connection string (for redis/memcache)
+;HOST =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[session]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Session provider: "memory", "file", "redis", "redis-cluster", "db", "mysql", "couchbase", "memcache", "postgres"
+PROVIDER = file
+;;
+;; Provider config (file path for "file", connection string for redis/db)
+;PROVIDER_CONFIG = data/sessions
+;;
+;; Session cookie name
+;COOKIE_NAME = i_like_gitea
+;;
+;; Session GC interval (seconds)
+;GC_INTERVAL_TIME = 86400
+;;
+;; Session life time (seconds)
+;SESSION_LIFE_TIME = 86400
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[picture]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Path for uploaded avatars
+;AVATAR_UPLOAD_PATH = data/avatars
+;;
+;; Path for repository avatars
+;REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
+;;
+;; Gravatar source: gravatar, libravatar or a custom URL
+;GRAVATAR_SOURCE = gravatar
+;;
+;; Disable Gravatar/Libravatar
+;DISABLE_GRAVATAR = true
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[attachment]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable attachments
+;ENABLED = true
+;;
+;; Path for attachments
+;PATH = data/attachments
+;;
+;; Max attachment size (MB)
+;MAX_SIZE = 256
+;;
+;; Max number of attachments per upload
+;MAX_FILES = 10
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[indexer]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Issue indexer type: "bleve", "db", "elasticsearch", "meilisearch"
+;ISSUE_INDEXER_TYPE = bleve
+;;
+;; Code indexer enabled
+;REPO_INDEXER_ENABLED = false
+;;
+;; Code indexer type: "bleve", "elasticsearch"
+;REPO_INDEXER_TYPE = bleve
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[repository]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Root path for storing repositories
+ROOT = data/git/repositories
+;;
+;; Default branch name for new repos
+;DEFAULT_BRANCH = main
+;;
+;; Default private when creating a new repository
+;DEFAULT_PRIVATE = last
+;;
+;; Max creation limit per user (-1 = unlimited)
+;MAX_CREATION_LIMIT = -1
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[repository.local]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Local repository copy path for temporary operations
+;LOCAL_COPY_PATH = tmp/local-repo
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[repository.upload]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Temp path for uploads
+;TEMP_PATH = data/tmp/uploads
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[repository.pull-request]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Default merge style: "merge", "rebase", "rebase-merge", "squash", "fast-forward-only"
+;DEFAULT_MERGE_STYLE = merge
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[repository.signing]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Default trust model: "collaborator", "committer", "collaboratorcommitter"
+;DEFAULT_TRUST_MODEL = committer
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[lfs]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; LFS storage path
+PATH = data/git/lfs
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[webhook]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Allowed hosts for webhooks (CIDR list, empty = allow all)
+;ALLOWED_HOST_LIST = external
+;;
+;; Queue length
+;QUEUE_LENGTH = 1000
+;;
+;; Deliver timeout (seconds)
+;DELIVER_TIMEOUT = 5
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[api]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable Swagger UI
+;ENABLE_SWAGGER = true
+;;
+;; Max items per page in API responses
+;MAX_RESPONSE_ITEMS = 50
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[openid]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable OpenID sign-in
+ENABLE_OPENID_SIGNIN = false
+;;
+;; Enable OpenID sign-up
+ENABLE_OPENID_SIGNUP = false
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[actions]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable Gitea Actions (CI/CD)
+;ENABLED = true
+;;
+;; Default platform for action plugins: "github" for https://github.com, "self" for current Gitea instance
+DEFAULT_ACTIONS_URL = github
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[packages]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable package registry
+;ENABLED = true
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[mirror]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable repository mirroring
+;ENABLED = true
+;;
+;; Minimum mirror interval (e.g. "1h", "10m")
+;MIN_INTERVAL = 10m
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[metrics]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable Prometheus metrics endpoint (/metrics)
+;ENABLED = false
+;;
+;; Require token for metrics endpoint
+;TOKEN =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[cron]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable cron tasks
+;ENABLED = true
+;;
+;; Run cron tasks at start
+;RUN_AT_START = false
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[cron.update_checker]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable update checker
+;ENABLED = false
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+[git]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; The HOME directory for Git, contains .gitconfig and possible .gnupg directories
+;HOME_PATH = home
+;;
+;; Max lines in diff view
+;MAX_GIT_DIFF_LINES = 1000
+;;
+;; Max files in diff view
+;MAX_GIT_DIFF_FILES = 100
+;;
+;; Default commits range size
+;COMMITS_RANGE_SIZE = 50

gitea-container-database.conf

@@ -0,0 +1,3 @@
+[Unit]
+After=gitea-db.service
+Wants=gitea-db.service

gitea-database.conf

@@ -0,0 +1,12 @@
+[Unit]
+###
+# Don't forget to add the database service dependencies
+###
+#Wants=postgresql.service
+#After=postgresql.service
+#
+#Wants=memcached.service
+#After=memcached.service
+#
+#Wants=redis.service
+#After=redis.service

gitea-db-credentials.conf

@@ -0,0 +1,4 @@
+[Container]
+Environment=POSTGRES_USER=gitea
+Environment=POSTGRES_PASSWORD=gitea
+Environment=POSTGRES_DB=gitea

gitea-db-pod.conf

@@ -0,0 +1,2 @@
+[Container]
+Pod=gitea.pod

gitea-db-publish.conf

@@ -0,0 +1,2 @@
+[Container]
+PublishPort=127.0.0.1:5432:5432

gitea-db.container

@@ -0,0 +1,21 @@
+[Unit]
+Description=Gitea PostgreSQL Database
+
+[Container]
+Image=docker.io/library/postgres:18.1-trixie
+ContainerName=gitea-db
+User=1000:1000
+Volume=/var/lib/gitea/postgresql:/var/lib/postgresql:z
+Exec=postgres -c shared_buffers=256MB -c min_wal_size=80MB
+HealthCmd=pg_isready -U gitea
+HealthInterval=30s
+HealthTimeout=10s
+HealthRetries=5
+HealthStartPeriod=1m
+HealthOnFailure=kill
+LogDriver=journald
+
+[Service]
+Restart=always
+RestartSec=5
+TimeoutStartSec=900

gitea-keys

@@ -0,0 +1,5 @@
+#!/bin/sh
+output=$(/usr/bin/gitea keys -c /etc/gitea/app.ini -e git -u "$1" -t "$2" -k "$3")
+rc=$?
+printf '%s\n' "$output" | sed 's|/usr/local/bin/gitea|/usr/bin/gitea|g'
+exit "$rc"

gitea-pod-enable.conf

@@ -0,0 +1,2 @@
+[Install]
+WantedBy=multi-user.target

gitea-shim

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec sudo /usr/bin/podman exec -i gitea /app/gitea/gitea "$@"

gitea-sudoers

@@ -0,0 +1 @@
+git ALL=(root) NOPASSWD: /usr/bin/podman exec -i gitea /app/gitea/gitea *

gitea.container

@@ -0,0 +1,27 @@
+[Unit]
+Description=Gitea - Git with a cup of tea
+
+[Container]
+Image=docker.io/gitea/gitea:1.25.4-rootless
+ContainerName=gitea
+Pod=gitea.pod
+Volume=/var/lib/gitea:/var/lib/gitea:z
+Volume=/etc/gitea:/etc/gitea:z
+Volume=/etc/localtime:/etc/localtime:ro
+Environment=USER=git
+Environment=USER_UID=1000
+Environment=USER_GID=1000
+Environment=HOME=/var/lib/gitea/git
+Notify=healthy
+HealthCmd=curl --fail --silent --output /dev/null http://localhost:3000/api/healthz
+HealthInterval=30s
+HealthTimeout=10s
+HealthRetries=5
+HealthStartPeriod=120s
+HealthOnFailure=kill
+LogDriver=journald
+
+[Service]
+Restart=always
+RestartSec=5
+TimeoutStartSec=900

gitea.pod

@@ -0,0 +1,5 @@
+[Pod]
+PodName=gitea-pod
+PublishPort=1240:3000
+UIDMap=0:0:124 124:1000:1 125:125:875 1000:124:1 1001:1001:64536
+GIDMap=0:0:124 124:1000:1 125:125:875 1000:124:1 1001:1001:64536

gitea.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Gitea - Git with a cup of tea
+After=network.target
+
+[Service]
+Type=notify
+User=git
+Group=git
+WorkingDirectory=/var/lib/gitea
+Environment=GITEA_WORK_DIR=/var/lib/gitea
+Environment=HOME=/var/lib/gitea/git
+ExecStart=/usr/libexec/gitea web --config /etc/gitea/app.ini
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target

gitea.spec

@@ -0,0 +1,215 @@
+Name:           gitea
+Version:        1.25.4
+Release:        1%{?dist}
+Summary:        Gitea - Git with a cup of tea
+License:        MIT
+Group:          System Environment/Base
+URL:            https://gitea.com
+
+Source0:        https://dl.gitea.com/gitea/%{version}/gitea-%{version}-linux-amd64
+Source1:        https://dl.gitea.com/gitea/%{version}/gitea-%{version}-linux-arm64
+Source10:       gitea.service
+Source11:       gitea.sysusers
+Source12:       gitea.tmpfiles
+Source13:       app.ini
+Source14:       50-gitea-service.conf
+Source15:       50-gitea-container.conf
+Source16:       gitea.container
+Source17:       gitea-keys
+Source18:       gitea-shim
+Source19:       gitea-database.conf
+Source20:       gitea.pod
+Source21:       gitea-db.container
+Source22:       gitea-pod-enable.conf
+Source23:       gitea-container-database.conf
+Source24:       gitea-db-pod.conf
+Source25:       gitea-db-publish.conf
+Source26:       gitea-sudoers
+Source27:       gitea-db-credentials.conf
+
+ExclusiveArch:  x86_64 aarch64
+
+BuildRequires:  systemd-rpm-macros
+
+%description
+Gitea is a painless self-hosted all-in-one software development service.
+It includes Git hosting, code review, team collaboration, package registry
+and CI/CD.
+
+%package service
+Summary:        Gitea systemd service (native binary)
+Requires:       %{name} = %{version}-%{release}
+Requires:       git
+Conflicts:      %{name}-container
+%{?systemd_requires}
+
+%description service
+Runs Gitea as a native binary under systemd. Includes the gitea binary,
+systemd unit, and SSH passthrough configuration.
+
+%package container
+Summary:        Gitea container (Podman quadlet)
+Requires:       %{name} = %{version}-%{release}
+Requires:       podman
+Requires:       containers-common
+Conflicts:      %{name}-service
+
+%description container
+Runs Gitea as a Podman container via quadlet. Includes the container
+definition, SSH passthrough shim, and sshd configuration.
+
+%package postgresql
+Summary:        PostgreSQL database support for Gitea
+Requires:       podman
+Requires:       containers-common
+Requires:       %{name} = %{version}-%{release}
+
+%description postgresql
+Provides PostgreSQL database integration for Gitea. When used with
+gitea-service, adds a systemd dependency on postgresql.service. When used
+with gitea-container, ships a PostgreSQL container (gitea-db) in the pod.
+
+%install
+%{__rm} -rf %{buildroot}
+
+# Binary (for -service subpackage) → libexec
+install -d -m 755 %{buildroot}%{_libexecdir}
+%ifarch x86_64
+install -m 755 %{SOURCE0} %{buildroot}%{_libexecdir}/gitea
+%endif
+
+%ifarch aarch64
+install -m 755 %{SOURCE1} %{buildroot}%{_libexecdir}/gitea
+%endif
+
+# Shim (for -container subpackage)
+install -d -m 755 %{buildroot}%{_libexecdir}
+install -m 755 %{SOURCE18} %{buildroot}%{_libexecdir}/gitea-container
+
+# Base: sysusers, tmpfiles, config
+install -p -D -m 644 %{SOURCE11} %{buildroot}%{_sysusersdir}/gitea.conf
+install -p -D -m 644 %{SOURCE12} %{buildroot}%{_tmpfilesdir}/gitea.conf
+
+install -d -m 770 %{buildroot}%{_sysconfdir}/gitea
+install -m 640 %{SOURCE13} %{buildroot}%{_sysconfdir}/gitea/app.ini
+
+# Base: data dirs
+install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea
+install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/custom
+install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/data
+install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/data/git
+install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/data/git/repositories
+install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/data/git/lfs
+install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/log
+
+# Service subpackage
+install -p -D -m 644 %{SOURCE10} %{buildroot}%{_unitdir}/gitea.service
+install -p -D -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-gitea.conf
+install -p -D -m 644 %{SOURCE25} %{buildroot}%{_datadir}/containers/systemd/gitea-db.container.d/publish.conf
+
+# Container subpackage
+install -p -D -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-gitea.conf
+install -p -D -m 644 %{SOURCE16} %{buildroot}%{_datadir}/containers/systemd/gitea.container
+install -p -D -m 644 %{SOURCE20} %{buildroot}%{_datadir}/containers/systemd/gitea.pod
+install -p -D -m 644 %{SOURCE22} %{buildroot}%{_sysconfdir}/containers/systemd/gitea.pod.d/enable.conf
+install -p -D -m 755 %{SOURCE17} %{buildroot}%{_libexecdir}/gitea-keys
+install -p -D -m 644 %{SOURCE24} %{buildroot}%{_datadir}/containers/systemd/gitea-db.container.d/pod.conf
+install -p -D -m 440 %{SOURCE26} %{buildroot}%{_sysconfdir}/sudoers.d/gitea
+
+# PostgreSQL subpackage
+install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/postgresql
+install -p -D -m 644 %{SOURCE19} %{buildroot}%{_sysconfdir}/containers/systemd/gitea.service.d/database.conf
+install -p -D -m 644 %{SOURCE21} %{buildroot}%{_datadir}/containers/systemd/gitea-db.container
+install -p -D -m 644 %{SOURCE23} %{buildroot}%{_datadir}/containers/systemd/gitea.container.d/database.conf
+install -p -D -m 644 %{SOURCE27} %{buildroot}%{_sysconfdir}/containers/systemd/gitea-db.container.d/credentials.conf
+
+%pre
+%sysusers_create_compat %{SOURCE11}
+
+%post service
+%systemd_post gitea.service
+
+%posttrans service
+ln -sf %{_libexecdir}/gitea %{_bindir}/gitea
+
+%preun service
+%systemd_preun gitea.service
+
+%postun service
+%systemd_postun gitea.service
+if [ $1 -eq 0 ]; then
+    rm -f %{_bindir}/gitea
+fi
+
+%post container
+%systemd_post gitea.service
+
+%posttrans container
+ln -sf %{_libexecdir}/gitea-container %{_bindir}/gitea
+
+%preun container
+%systemd_preun gitea.service
+if [ $1 -eq 0 ]; then
+    rm -f %{_bindir}/gitea
+fi
+
+%postun container
+%systemd_postun gitea.service
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-,root,root,-)
+%{_sysusersdir}/gitea.conf
+%{_tmpfilesdir}/gitea.conf
+
+%dir %attr(0770,root,git) %{_sysconfdir}/gitea
+%config(noreplace) %attr(0640,root,git) %{_sysconfdir}/gitea/app.ini
+
+%dir %attr(0750,git,git) %{_sharedstatedir}/gitea
+%dir %attr(0750,git,git) %{_sharedstatedir}/gitea/custom
+%dir %attr(0750,git,git) %{_sharedstatedir}/gitea/data
+%dir %attr(0750,git,git) %{_sharedstatedir}/gitea/data/git
+%dir %attr(0750,git,git) %{_sharedstatedir}/gitea/data/git/repositories
+%dir %attr(0750,git,git) %{_sharedstatedir}/gitea/data/git/lfs
+%dir %attr(0750,git,git) %{_sharedstatedir}/gitea/log
+
+%files service
+%defattr(-,root,root,-)
+%{_libexecdir}/gitea
+%ghost %{_bindir}/gitea
+%attr(0644,root,root) %{_unitdir}/gitea.service
+%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-gitea.conf
+%{_datadir}/containers/systemd/gitea-db.container.d/publish.conf
+
+%files container
+%defattr(-,root,root,-)
+%attr(0755,root,root) %{_libexecdir}/gitea-container
+%ghost %{_bindir}/gitea
+%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-gitea.conf
+%{_datadir}/containers/systemd/gitea.container
+%{_datadir}/containers/systemd/gitea.pod
+%dir %{_sysconfdir}/containers/systemd/gitea.pod.d
+%config(noreplace) %{_sysconfdir}/containers/systemd/gitea.pod.d/enable.conf
+%attr(0755,root,root) %{_libexecdir}/gitea-keys
+%dir %{_datadir}/containers/systemd/gitea-db.container.d
+%{_datadir}/containers/systemd/gitea-db.container.d/pod.conf
+%attr(0440,root,root) %{_sysconfdir}/sudoers.d/gitea
+
+%files postgresql
+%defattr(-,root,root,-)
+%dir %attr(0750,git,git) %{_sharedstatedir}/gitea/postgresql
+# For -service: systemd drop-in adding postgresql.service dependency
+%dir %{_sysconfdir}/containers/systemd/gitea.service.d
+%config(noreplace) %{_sysconfdir}/containers/systemd/gitea.service.d/database.conf
+# For -container: gitea-db container + drop-in wiring it to gitea
+%{_datadir}/containers/systemd/gitea-db.container
+%dir %{_datadir}/containers/systemd/gitea.container.d
+%config(noreplace) %{_datadir}/containers/systemd/gitea.container.d/database.conf
+%dir %{_sysconfdir}/containers/systemd/gitea-db.container.d
+%config(noreplace) %{_sysconfdir}/containers/systemd/gitea-db.container.d/credentials.conf
+
+%changelog
+* Wed Mar 18 2026 Zoran Pericic <zpericic@netst.org> - 1.25.4-1
+- Initial package with service, container and postgresql subpackages

gitea.sysusers

@@ -0,0 +1,2 @@
+g git 124
+u git 124:124 "Git Version Control" /var/lib/gitea /bin/bash

gitea.tmpfiles

@@ -0,0 +1 @@
+d /run/gitea 0755 git git -