Posted On 27.02.2026

ConfDroid Puppet Modules – Gitea


ConfDroid Gitea Module – Self-Hosted Git Made Easy with Puppet

We’re continuing the ConfDroid Puppet modules series with another practical piece of the puzzle! Following the solid foundations from confdroid_puppet and the reliable database layer in confdroid_postgresql, we now move to the version control layer.

Today we’re excited to spotlight confdroid_gitea — a clean, secure Puppet module that deploys and manages a standalone Gitea instance: the lightweight, self-hosted Git service loved by teams who want GitHub-like features without the cloud dependency.

Whether you’re running internal code reviews, hosting private repositories for CI/CD pipelines, or simply need a fast local Git server, this module gets Gitea up and running quickly, consistently, and securely on Rocky Linux 9 (and compatible DNF-based systems) with Puppet 8.

What is confdroid_gitea?

In essence, it’s your all-in-one Puppet class for installing and operating a production-grade standalone Gitea server using official binary releases — no RPM packaging required. The module handles binary download and installation, user and directory setup, configuration generation, systemd service management, firewall rules, SELinux contexts, and integration points for PostgreSQL and Prometheus.

It follows the same composable, layered ConfDroid philosophy: infrastructure → platform → application services. Once this module is applied, your Gitea instance is ready to host repositories, serve the web UI on port 3000, expose metrics, and connect securely to a PostgreSQL backend.

Key Features

Core Components (always included)

  • Downloads and installs the official Gitea binary (version-controlled via parameter) to /usr/local/bin/gitea
  • Creates a dedicated system user (gitea) and home directory structure (/var/lib/gitea for repos, attachments, logs)
  • Manages the main configuration file (/etc/gitea/app.ini) via templating — fully overridable through parameters and Hiera (if used)
  • Full systemd service lifecycle: creation, enablement, start/stop/restart
  • Firewall rule to open the web port (default 3000/tcp) (requires puppetlabs-firewall)
  • SELinux context enforcement on all relevant paths (works in enforcing mode)
  • Built-in Prometheus metrics endpoint (/metrics) for easy monitoring integration

Database Backend Options

  • SQLite — default, perfect for testing or very small setups
  • PostgreSQL — strongly recommended for production; integrates seamlessly with confdroid_postgresql

Important Note: Standalone Servers Only.

Like the PostgreSQL module, confdroid_gitea is designed strictly for standalone instances. It does not support clustering, high availability, load balancing across multiple nodes, or any distributed Git setups. For HA environments, pair it with an external reverse proxy, load balancer, and shared storage/replication solution.

How to Use It

See the deployment instructions at https://sourcecode.confdroid.com/confdroid/confdroid_gitea#deployment.

When using PostgreSQL as the database backend, the database must first be set up on the database server as a prerequisite, e.g. using confdroid_postgresql.

Gitea will automatically pick up the database connection details from parameters (DB host, name, user, password) passed via Hiera (if used) or ENC.

Security hardening is automatic:

  • Strict file ownership (gitea:gitea)
  • Correct SELinux types (httpd_sys_content_t, httpd_config_t, etc.)
  • Firewall restricted to the Gitea port only

For HTTPS, use an external reverse proxy (e.g., HAProxy or Nginx); the module does not handle TLS termination itself. I use HAProxy myself via confdroid_haproxy, soon to be published here, which automatically handles TLS via Let's Encrypt for all backends.
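TLS termination, the metrics endpoint and the PostgreSQL connection all end up as settings in /etc/gitea/app.ini, so the rendered file can be checked after a Puppet run. The following is an added example, not code from confdroid_gitea: it audits three of Gitea's own app.ini settings, and the sample file, hostnames and finding codes are constructed assumptions that do not represent the module's template output.

```python
import configparser

# Constructed sample for illustration; not the module's real template output.
SAMPLE_APP_INI = """\
RUN_USER = gitea
[server]
PROTOCOL  = http
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
ROOT_URL  = https://git.example.internal/
[database]
DB_TYPE  = postgres
HOST     = db01.example.internal:5432
PASSWD   = constructed-placeholder
SSL_MODE = disable
[metrics]
ENABLED = true
TOKEN   =
"""

LOCAL_DB = ("127.0.0.1", "localhost", "[::1]", "/")  # "/" prefix = unix socket


def audit_app_ini(text):
    """Return (code, advice) findings for a Gitea app.ini passed as text."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    # app.ini can carry keys before the first section; park them in one.
    cfg.read_string("[_global]\n" + text)

    def get(section, key, default=""):
        return cfg.get(section, key, fallback=default).strip()

    findings = []
    # Remote PostgreSQL without TLS: credentials and data cross the network in clear.
    remote = not get("database", "HOST", "127.0.0.1:5432").startswith(LOCAL_DB)
    if (get("database", "DB_TYPE") == "postgres" and remote
            and get("database", "SSL_MODE", "disable") == "disable"):
        findings.append(("DB_NO_TLS", "set SSL_MODE to require or verify-full"))
    # /metrics shares the web port; with no TOKEN any client reaching it can scrape.
    if get("metrics", "ENABLED", "false").lower() == "true" and not get("metrics", "TOKEN"):
        findings.append(("METRICS_NO_TOKEN", "set [metrics] TOKEN"))
    # TLS ends at the proxy, yet the plain-HTTP backend listens on every interface.
    if (get("server", "ROOT_URL").startswith("https://")
            and get("server", "PROTOCOL", "http") == "http"
            and get("server", "HTTP_ADDR", "0.0.0.0") in ("0.0.0.0", "::", "")):
        findings.append(("BACKEND_HTTP_ALL_IFACES",
                         "limit 3000/tcp to the proxy or bind HTTP_ADDR narrowly"))
    return findings
```

Run it against the contents of /etc/gitea/app.ini on the managed node; an empty list means none of the three conditions matched.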

Why Choose confdroid_gitea?

You get a battle-tested, idempotent Gitea deployment that aligns perfectly with the rest of the ConfDroid stack. No manual binary downloads, no fighting permissions, no forgetting firewall rules — everything is version-controlled, repeatable, and secure by default.

It’s especially powerful when combined with:

  • confdroid_postgresql for reliable, performant storage
  • confdroid_prometheus for scraping Gitea metrics
  • External proxy modules for domain-based access and SSL

What’s Coming Next

We’re actively expanding the ConfDroid ecosystem. Future enhancements for this module may include:

  • More granular app.ini section overrides
  • Deeper integration with upcoming monitoring and backup modules

All additions will remain optional and toggleable to keep the module lean.

Ready to Get Started?

Check out the source:

DeepWiki documentation: https://deepwiki.com/grizzlycoda/puppet_collection/4.5-confdroid_gitea

Repository: https://sourcecode.confdroid.com/confdroid/confdroid_gitea

Add it to your Puppetfile, declare the class, run Puppet — and enjoy your own self-hosted Git service in minutes. Questions, feature requests, or production war stories? Drop them in the ConfDroid feedback portal. We love hearing how the collection is being used in the real world. Let’s keep building reliable, automated infrastructure — one module at a time! 🚀 What service would you like to see automated next? Let us know below.



Author Profile

12ww1160, DevOps engineer & architect
