================================================================================
RBIO-Mesh-Kit: Self-Hosting on Gitea
================================================================================
Version: 1.0
Target: Gitea on Raspberry Pi 5 or any Linux server
Author: RBIO Project

This guide explains why and how to host the RBIO-Mesh-Kit on your own Gitea
instance. Self-hosting ensures that your operational code never touches
third-party servers, eliminating a critical surveillance vector.

--------------------------------------------------------------------------------
TABLE OF CONTENTS
--------------------------------------------------------------------------------
1. Why Self-Host?
2. Installing Gitea on Raspberry Pi 5
3. Initial Gitea Configuration
4. Creating the RBIO Repository
5. Uploading the RBIO-Mesh-Kit
6. Cloning on Phones (via Termux)
7. Managing Updates
8. Backup Strategy
9. Security Hardening
10. Troubleshooting

--------------------------------------------------------------------------------
1. WHY SELF-HOST?
--------------------------------------------------------------------------------
Platforms like GitHub and GitLab track:
- Your IP address on every push and pull.
- Repository access patterns.
- Commit timestamps and metadata.

For a privacy tool like RBIO, hosting your code on a platform that logs
everything defeats the purpose. Self-hosting Gitea means:
- Zero external tracking.
- Full control over access logs.
- Ability to run entirely offline (LAN only).
- No risk of takedown or censorship.

--------------------------------------------------------------------------------
2. INSTALLING GITEA ON RASPBERRY PI 5
--------------------------------------------------------------------------------
Gitea is a lightweight, self-hosted Git service written in Go. It runs
comfortably on a Raspberry Pi 5 alongside the RBIO Docker stack.

STEP 1: Install Prerequisites
1. SSH into your Pi.
2. Install Git:
   sudo apt install git -y

STEP 2: Create a Git User
1. Create a dedicated user for Gitea:
   sudo adduser --system --group --disabled-password --shell /bin/bash git

STEP 3: Download Gitea
1. Determine your Pi's architecture (ARM64):
   uname -m
   (Should output: aarch64 or armv7l. The ARM64 binary in the next step
   only runs when the output is aarch64.)

2. Download the latest Gitea binary for ARM64:
   sudo wget -O /usr/local/bin/gitea https://dl.gitea.io/gitea/1.22.0/gitea-1.22.0-linux-arm64
   (Check https://dl.gitea.io/gitea/ for the latest version)

3. Make it executable:
   sudo chmod +x /usr/local/bin/gitea
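
Added example (not part of the RBIO kit): STEP 3 installs whatever wget received, so a truncated download or an error page saved under the binary's name would end up in /usr/local/bin. The sketch below installs only on a SHA-256 match; the helper name, the example paths and the availability of a .sha256 file beside the binary in the download directory are assumptions.

```shell
#!/bin/sh
# Added example: install a downloaded binary only if its SHA-256 matches.
# install_verified is a hypothetical helper, not a Gitea or RBIO tool.

# install_verified BINARY SUMFILE DEST
#   BINARY   downloaded file, e.g. /tmp/gitea-1.22.0-linux-arm64
#   SUMFILE  checksum file whose first field is the expected hex digest
#   DEST     install path, e.g. /usr/local/bin/gitea
# Returns 0 on install, 1 on mismatch, 2 on unusable input.
install_verified() {
    bin=$1; sumfile=$2; dest=$3
    [ -s "$bin" ] && [ -s "$sumfile" ] || { echo "missing or empty input" >&2; return 2; }

    want=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    # An HTML error page saved as the checksum file must not pass as a digest.
    case $want in
        *[!0-9a-f]*) echo "checksum file holds no hex digest" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "digest is not 64 hex characters" >&2; return 2; }

    got=$(sha256sum "$bin" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "MISMATCH: expected $want, got $got" >&2
        return 1
    fi
    install -m 0755 "$bin" "$dest"
}

# Constructed demo: a stand-in "binary" and its checksum in a temp directory.
tmp=$(mktemp -d)
printf 'stand-in binary\n' > "$tmp/gitea"
( cd "$tmp" && sha256sum gitea > gitea.sha256 )
install_verified "$tmp/gitea" "$tmp/gitea.sha256" "$tmp/installed" && echo "installed"
```

A checksum fetched from the same server catches corruption and truncation; it does not help if the server itself serves a modified binary.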

STEP 4: Create Directory Structure
1. Create required directories:
   sudo mkdir -p /var/lib/gitea/{custom,data,log}
   sudo chown -R git:git /var/lib/gitea
   sudo chmod -R 750 /var/lib/gitea

2. Create config directory:
   sudo mkdir /etc/gitea
   sudo chown git:git /etc/gitea
   sudo chmod 770 /etc/gitea

STEP 5: Create a Systemd Service
1. Create the service file:
   sudo nano /etc/systemd/system/gitea.service

2. Paste the following content:

[Unit]
Description=Gitea (Git with a cup of tea)
After=network.target

[Service]
User=git
Group=git
WorkingDirectory=/var/lib/gitea
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini
Restart=always
RestartSec=3
Environment=USER=git HOME=/var/lib/gitea/data GITEA_WORK_DIR=/var/lib/gitea

[Install]
WantedBy=multi-user.target

3. Save and exit (Ctrl+X, then Y, then Enter).

4. Enable and start Gitea:
   sudo systemctl enable gitea
   sudo systemctl start gitea

5. Check status:
   sudo systemctl status gitea
   (Should show "active (running)")

STEP 6: Initial Web Configuration
1. Open a browser on your computer and go to:
   http://192.168.1.50:3000
   (Replace with your Pi's IP)

2. Configure the following:
   - Database Type: SQLite3
   - Domain: 192.168.1.50 (your Pi's IP)
   - SSH Port: 22
   - HTTP Port: 3000
   - Gitea Base URL: http://192.168.1.50:3000

3. Create an admin account:
   - Username: (choose one)
   - Password: (choose a strong one)
   - Email: (optional, can be fake)

4. Click "Install Gitea".

5. Log in with your new admin account.

--------------------------------------------------------------------------------
3. INITIAL GITEA CONFIGURATION
--------------------------------------------------------------------------------
STEP 1: Disable Public Registration
1. Log in as admin.
2. Go to: Site Administration > Configuration > General.
3. Uncheck "Enable OpenID Sign-In" and check "Disable Self-Registration".
4. This prevents strangers from creating accounts on your server.

STEP 2: Restrict Visibility
1. Go to: Site Administration > Configuration.
2. Set "Default Visibility" to "Private".
3. This ensures new repos are private by default.

STEP 3: (Optional) Disable Gravatar
1. Go to: Site Administration > Configuration.
2. Disable Gravatar to prevent external image requests.
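
Added example, not part of the RBIO kit: the Section 3 choices end up as keys in /etc/gitea/app.ini, and reading them back from the file confirms what the server will enforce after a restart or upgrade. The key names are those of Gitea's configuration reference; their mapping to the options above, the helper names and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Gitea app.ini for the settings chosen in Section 3.

# ini_get FILE SECTION KEY -> prints the lower-cased value, empty if unset.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[;#]/ { next }                               # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }  # section header
        cur == sec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = tolower(v)
        }
        END { print val }' "$1"
}

# audit_app_ini FILE -> prints one line per finding, returns the number found.
# Unset keys are reported too: the audit does not model Gitea's defaults.
audit_app_ini() {
    n=0
    while read -r sec key want; do
        have=$(ini_get "$1" "$sec" "$key")
        [ "$have" = "$want" ] && continue
        echo "WEAK [$sec] $key = ${have:-<unset>} (want $want)"
        n=$((n + 1))
    done <<'EOF'
service DISABLE_REGISTRATION true
openid ENABLE_OPENID_SIGNIN false
repository DEFAULT_PRIVATE private
picture DISABLE_GRAVATAR true
EOF
    return "$n"
}

# Constructed sample: registration still open, Gravatar key commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[service]
DISABLE_REGISTRATION = false
[openid]
ENABLE_OPENID_SIGNIN = false
[repository]
DEFAULT_PRIVATE = private
[picture]
; DISABLE_GRAVATAR = true
EOF
audit_app_ini "$sample" || echo "$? setting(s) to fix"
```

On the Pi, point it at /etc/gitea/app.ini as a user that can read the file.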

--------------------------------------------------------------------------------
4. CREATING THE RBIO REPOSITORY
--------------------------------------------------------------------------------
1. Log in to Gitea.
2. Click the "+" icon (New Repository).
3. Fill in:
   - Owner: Your admin username
   - Name: rbio-mesh-kit
   - Visibility: Private
   - Initialize: Check "Initialize Repository"
   - .gitignore: None
   - License: GNU General Public License v3.0
4. Click "Create Repository".

--------------------------------------------------------------------------------
5. UPLOADING THE RBIO-MESH-KIT
--------------------------------------------------------------------------------
You have two options:

OPTION A: Upload via Web Interface
1. Open the rbio-mesh-kit repository.
2. Click "Upload Files".
3. Drag and drop the entire contents of the ZIP file.
4. Commit with message: "Initial RBIO Mesh Kit upload".

OPTION B: Upload via Git CLI (Recommended)
1. On your Pi, navigate to the extracted ZIP:
   cd ~/rbio-mesh

2. Initialize a Git repository:
   git init

3. Add all files:
   git add .

4. Commit:
   git commit -m "Initial RBIO Mesh Kit upload"

5. Add the Gitea remote:
   git remote add origin http://192.168.1.50:3000/YOUR-USERNAME/rbio-mesh-kit.git
   (Replace YOUR-USERNAME and IP address)

6. Push:
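   git push -u origin master
   (Enter your Gitea credentials when prompted. If you checked "Initialize
   Repository" in Section 4, the remote already holds a commit that your
   local history does not, so this push is rejected or lands on a separate
   branch.)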

7. Verify by refreshing the Gitea web interface. You should see all files.

--------------------------------------------------------------------------------
6. CLONING ON PHONES (VIA TERMUX)
--------------------------------------------------------------------------------
Once Gitea is running, you can clone the repo directly to your phones.

1. Open Termux on the phone.
2. Install Git:
   pkg install git

3. Clone the repository:
   git clone http://192.168.1.50:3000/YOUR-USERNAME/rbio-mesh-kit.git
   (Replace with your Pi's IP and username)

4. Navigate to the phone scripts:
   cd rbio-mesh-kit/phones/graphene
   (Or phones/eos for /e/OS devices)

5. Proceed with the bootstrap script as described in phone-setup-guide.txt.

NOTE: If your Gitea instance is LAN-only (no internet), this works perfectly
as long as the phone is on the same Wi-Fi network.

--------------------------------------------------------------------------------
7. MANAGING UPDATES
--------------------------------------------------------------------------------
When you modify the RBIO code or configuration:

1. Make your changes on the Pi or phone.
2. Commit and push:
   git add .
   git commit -m "Updated thresholds for field op"
   git push origin master

3. On other devices, pull the updates:
   git pull origin master

This creates a full audit trail of changes, which is valuable for
operational security reviews.

--------------------------------------------------------------------------------
8. BACKUP STRATEGY
--------------------------------------------------------------------------------
Your Gitea data lives in /var/lib/gitea. Back it up regularly.

1. Create a backup script:
   sudo nano /home/pi/gitea-backup.sh

2. Paste:
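   #!/bin/bash
   # Archive Gitea data and config while the service is stopped.
   umask 077   # the archive contains app.ini secrets and the account database
   BACKUP_DIR="/home/pi/gitea-backups"
   mkdir -p "$BACKUP_DIR"
   sudo systemctl stop gitea
   sudo tar -czf "$BACKUP_DIR/gitea-backup-$(date +%Y%m%d).tar.gz" /var/lib/gitea /etc/gitea
   sudo systemctl start gitea
   echo "Backup complete: $(date)"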

3. Make executable:
   sudo chmod +x /home/pi/gitea-backup.sh

4. Schedule daily backups (optional):
   sudo crontab -e
   Add: 0 3 * * * /home/pi/gitea-backup.sh
   (Runs at 3 AM daily)

5. Copy backups to an encrypted USB drive periodically.

--------------------------------------------------------------------------------
9. SECURITY HARDENING
--------------------------------------------------------------------------------
STEP 1: Firewall Rules
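1. Allow Gitea from the LAN, then block it for everyone else:
   sudo ufw allow from 192.168.1.0/24 to any port 3000
   sudo ufw deny 3000
   (ufw uses the first rule that matches, so the LAN rule must be added
   before the deny. A bare "deny 3000" on its own also blocks LAN clients.)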

2. Only allow SSH from LAN:
   sudo ufw allow from 192.168.1.0/24 to any port 22

STEP 2: Fail2Ban (Optional)
1. Install Fail2Ban:
   sudo apt install fail2ban -y

2. Create a Gitea filter:
   sudo nano /etc/fail2ban/filter.d/gitea.conf
   Paste:
   [Definition]
   failregex = .*Failed authentication attempt for .* from <HOST>
   ignoreregex =

3. Create a jail:
   sudo nano /etc/fail2ban/jail.d/gitea.conf
   Paste:
   [gitea]
   enabled = true
   filter = gitea
   logpath = /var/lib/gitea/log/gitea.log
   maxretry = 5
   bantime = 3600

4. Restart Fail2Ban:
   sudo systemctl restart fail2ban
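
Added example, not part of the RBIO kit: a dry run of the filter and jail above against sample log lines, showing which hosts reach maxretry and which lines the failregex never counts. The log lines are constructed, and the example assumes Gitea is writing its log to the logpath set in the jail.

```shell
#!/bin/sh
# Added example: dry run of the gitea filter and jail thresholds from STEP 2.
MAXRETRY=5   # same value as maxretry in the jail above

# would_ban LOGFILE -> prints "HOST COUNT" for every host at or over MAXRETRY.
# The sed pattern is the page's failregex with <HOST> replaced by an IPv4 group.
# Unlike fail2ban, this counts the whole file and ignores the findtime window.
would_ban() {
    sed -nE 's/.*Failed authentication attempt for .* from ([0-9]{1,3}(\.[0-9]{1,3}){3}).*/\1/p' "$1" |
        sort | uniq -c |
        awk -v max="$MAXRETRY" '$1 >= max { print $2, $1 }'
}

# Constructed log lines (not captured from a real server). The last line has a
# different message shape, so the failregex does not count it.
log=$(mktemp)
cat > "$log" <<'EOF'
2024/05/01 03:10:01 [I] Failed authentication attempt for admin from 192.168.1.77
2024/05/01 03:10:03 [I] Failed authentication attempt for admin from 192.168.1.77
2024/05/01 03:10:05 [I] Failed authentication attempt for root from 192.168.1.77
2024/05/01 03:10:07 [I] Failed authentication attempt for git from 192.168.1.77
2024/05/01 03:10:09 [I] Failed authentication attempt for admin from 192.168.1.77
2024/05/01 03:11:00 [I] Failed authentication attempt for pi from 192.168.1.23
2024/05/01 03:11:05 [I] Failed authentication attempt for pi from 192.168.1.23
2024/05/01 03:12:00 [E] invalid credentials from 192.168.1.77
EOF
would_ban "$log"
```

On the Pi itself, fail2ban-regex /var/lib/gitea/log/gitea.log /etc/fail2ban/filter.d/gitea.conf runs the installed filter against the real log. Compare the wording of failed logins in your own log with the failregex before relying on the jail.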

STEP 3: SSH Keys (Recommended)
1. Generate an SSH key on your computer:
   ssh-keygen -t ed25519

2. Copy the public key to Gitea:
   - In Gitea, go to Settings > SSH / GPG Keys.
   - Add your public key.

3. Clone via SSH instead of HTTP:
   git clone git@192.168.1.50:YOUR-USERNAME/rbio-mesh-kit.git

This eliminates password prompts and keeps your Gitea password off the
unencrypted HTTP connection.

--------------------------------------------------------------------------------
10. TROUBLESHOOTING
--------------------------------------------------------------------------------
Problem: Gitea web interface won't load.
Solution: Check if the service is running:
  sudo systemctl status gitea
If not running: sudo systemctl start gitea
Check logs: sudo journalctl -u gitea

Problem: "Connection refused" when cloning.
Solution: Ensure port 3000 is accessible on the Pi.
Test: curl http://192.168.1.50:3000
If it fails, check Gitea's app.ini for the HTTP_PORT setting.

Problem: Git push fails with "authentication required".
Solution: Use your Gitea username and password, or set up SSH keys.

Problem: Phone can't reach Gitea.
Solution: Ensure the phone is on the same Wi-Fi network.
Ping the Pi: ping 192.168.1.50
If ping fails, check Wi-Fi and firewall rules.

Problem: Gitea is slow on the Pi.
Solution: Gitea runs fine on Pi 5 but can slow down with large repos.
Keep your RBIO repo small (scripts and configs only, no binaries).
If needed, move Gitea to a separate server.

================================================================================
END OF SELF-HOSTING GITEA GUIDE
================================================================================