Gitea on GCP (git.daw.club)

Self-hosted Gitea instance for daw.club project management, running on a GCE e2-small VM behind a global HTTPS load balancer.

Architecture

                   ┌──────────────┐
  git.daw.club ──► │  Cloudflare  │  DNS (A record → LB IP)
                   └──────┬───────┘

                   ┌──────▼───────┐
                   │  GCP Global  │  Static IP: 34.117.234.171
                   │  HTTPS LB    │  Managed SSL cert (auto-renew)
                   │  + HTTP→HTTPS│  HTTP 301 redirect
                   └──────┬───────┘

                   ┌──────▼───────┐
                   │  GCE e2-small│  us-central1-a
                   │  Debian 12   │  30GB pd-ssd
                   │  Gitea 1.22.6│  Port 3000
                   │  SQLite + LFS│  /var/lib/gitea/data
                   └──────────────┘

GCP Resources

| Resource | Name | Details |
|---|---|---|
| Project | gen-lang-client-0380481603 | |
| VM | gitea-server | e2-small, us-central1-a, Debian 12 |
| Static IP | gitea-lb-ip | 34.117.234.171 (global) |
| Instance Group | gitea-ig | Unmanaged, us-central1-a |
| Health Check | gitea-health-check | HTTP :3000/, 30s interval |
| Backend Service | gitea-gce-backend | Global, EXTERNAL_MANAGED |
| URL Map | gitea-url-map | Default → gitea-gce-backend |
| URL Map (redirect) | gitea-http-redirect | HTTP 301 → HTTPS |
| SSL Cert | gitea-cert | Managed, git.daw.club |
| HTTPS Proxy | gitea-https-proxy | → gitea-url-map |
| HTTP Proxy | gitea-http-proxy | → gitea-http-redirect |
| Forwarding Rule | gitea-https-rule | :443 → gitea-https-proxy |
| Forwarding Rule | gitea-http-rule | :80 → gitea-http-proxy |
| Firewall | allow-health-check | tcp:3000 from GCP health check ranges |
| Service Account | gitea-cloudrun@... | storage.objectAdmin on GCS buckets |
| GCS Buckets | songbird-gitea-data, songbird-gitea-lfs | songbird-gitea-lfs mounted via gcsfuse for LFS object storage |

VM Details

  • OS: Debian 12
  • Gitea: v1.22.6 (binary install at /usr/local/bin/gitea)
  • Config: /etc/gitea/app.ini
  • Data: /var/lib/gitea/data/ (SQLite DB, repos)
  • LFS storage: GCS bucket songbird-gitea-lfs (via gcsfuse mount at /mnt/gcslfs)
  • Service: systemd unit gitea.service
  • User: git (system user)

Common Operations

# SSH into the VM
gcloud compute ssh gitea-server --zone=us-central1-a --project=gen-lang-client-0380481603

# Check Gitea status
sudo systemctl status gitea

# View Gitea logs
sudo journalctl -u gitea -f

# Restart Gitea
sudo systemctl restart gitea

# Edit config (requires root)
sudo vim /etc/gitea/app.ini
sudo systemctl restart gitea

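# Create admin user (replace <password>; keep the quotes so the shell does not parse < and > as redirection)
sudo -u git /usr/local/bin/gitea admin user create \
  --config /etc/gitea/app.ini \
  --username admin \
  --password '<password>' \
  --email admin@daw.club \
  --admin

# Backup (writes gitea-dump-<timestamp>.zip to the current directory, which must be writable by the git user)
sudo -u git /usr/local/bin/gitea dump --config /etc/gitea/app.ini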

Cost

  • GCE e2-small: ~$15/month (0.5 vCPU, 2GB RAM)
  • 30GB pd-ssd: ~$5/month
  • Static IP: Free (while attached to a running VM)
  • Load balancer: ~$18/month (forwarding rules + backend)
  • SSL cert: Free (Google-managed)
  • GCS LFS storage: ~$0.02/GB/month (Standard class)
  • Total: ~$38/month (VM + disk + LB + GCS)

DNS

Managed via Cloudflare:
  • git.daw.club → A record → 34.117.234.171 (GCP LB static IP)
  • Cloudflare proxy disabled (DNS only) — GCP LB handles SSL

LFS on GCS

Git LFS objects are stored in the songbird-gitea-lfs GCS bucket via gcsfuse, which mounts the bucket as a local filesystem at /mnt/gcslfs. Gitea uses its standard PATH-based LFS storage pointing to the mount, so no HMAC keys or S3 credentials are needed — the VM’s attached service account (gitea-cloudrun@...) provides authentication automatically. The mount is managed by a systemd mount unit (mnt-gcslfs.mount) that starts before Gitea.

# Check mount status
sudo systemctl status mnt-gcslfs.mount

# View mounted files
ls /mnt/gcslfs/

# Remount if needed
sudo systemctl restart mnt-gcslfs.mount
sudo systemctl restart gitea

# View gcsfuse logs
sudo journalctl -u mnt-gcslfs.mount -f

Future: Cloud Run for Headless DAW

The GCS bucket songbird-gitea-data and Artifact Registry (us-central1/songbird) are already provisioned for future Cloud Run deployments of the headless DAW instances. The load balancer can be extended with additional URL map rules to route DAW traffic.