Written with assistance from ChatGPT.

Checkout my instance: <https://gitea.9th.fun/>

1. Setting Up the VM

I started with GCP’s Free Tier e2-micro VM:

• 1 non-preemptible e2-micro VM in a US region

• 30 GB persistent disk

• 1 GB outbound data transfer

Firewall setup:

• Allowed HTTP (80) and HTTPS (443) traffic

• SSH left open for private access

Static IP:

• Reserved a static IP for consistent domain mapping

2. Preparing the VM

Before connecting to the VM, generate a SSH key pair for secure authentication.

2.1: Generate an SSH key pair

On Windows (PowerShell or Git Bash):

# Create a folder for keys
mkdir C:\Users\<YOUR_USER>\Keys\gitea

# Generate an ed25519 SSH key pair
ssh-keygen -t ed25519 -C "USERNAME@gitea-vm" -f C:\Users\<YOUR_USER>\Keys\gitea\id_ed25519

• Optional: Enter a passphrase for extra security.

• This generates:

C:\Users\<YOUR_USER>\Keys\gitea\id_ed25519       # Private key (keep secure!)
C:\Users\<YOUR_USER>\Keys\gitea\id_ed25519.pub   # Public key (upload to VM)

2.2: Add the public key to the VM

• During VM creation, paste the public key in the SSH keys section of the GCP Console.

• Alternatively, after VM creation:

# On VM, create SSH directory for the user
mkdir -p ~/.ssh
echo "<paste-your-public-key-here>" >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Files involved:

• ~/.ssh/authorized_keys → Stores the public keys allowed to connect

• ~/.ssh/ → SSH directory

2.3: Test SSH connection

On Windows:

ssh -i C:\Users\<YOUR_USER>\Keys\gitea\id_ed25519 USERNAME@<VM_IP>

2.4: Update SSH config for convenience

Edit C:\Users\<YOUR_USER>\.ssh\config:

Host gitea.example.com
  HostName <VM_IP>
  User USERNAME
  IdentityFile C:\Users\<YOUR_USER>\Keys\gitea\id_ed25519
  Port 22

3. Installing Gitea

3.1: Create necessary directories

sudo mkdir -p /var/lib/gitea/{custom,data,log}
sudo chown -R git:git /var/lib/gitea

Directories involved:

• /var/lib/gitea/custom/ → Custom configs/templates

• /var/lib/gitea/data/ → App data, database

• /var/lib/gitea/log/ → Logs

3.2: Download Gitea binary

wget -O /usr/local/bin/gitea https://dl.gitea.io/gitea/1.21.0/gitea-1.21.0-linux-amd64
sudo chmod +x /usr/local/bin/gitea

File involved:

• /usr/local/bin/gitea → Main Gitea executable

3.3: Create a systemd service at /etc/systemd/system/gitea.service

[Unit]
Description=Gitea (Git with a cup of tea)
After=network.target

[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea
Environment=USER=git HOME=/var/lib/gitea GITEA_WORK_DIR=/var/lib/gitea
ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini

[Install]
WantedBy=multi-user.target

4. Nginx Reverse Proxy Setup

4.1: Create a file /etc/nginx/sites-available/gitea

server {
    listen 80;
    server_name gitea.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 90;
    }
}

4.2: Enable the site and reload Nginx

sudo ln -s /etc/nginx/sites-available/gitea /etc/nginx/sites-enabled/gitea
sudo nginx -t
sudo systemctl reload nginx

Files involved:

• /etc/nginx/sites-available/gitea → Nginx config for Gitea

• /etc/nginx/sites-enabled/gitea → Symlink to enable site

5. Initial Gitea Setup

• Visit http://gitea.example.com to complete the installation.

• Use SQLite for simplicity.

• Create an admin user.

Files involved:

• /etc/gitea/app.ini → Main Gitea configuration

• /var/lib/gitea/data/gitea.db → SQLite database

6. Enabling SSH for Gitea

Update /etc/gitea/app.ini:

[server]
DISABLE_SSH = false
SSH_PORT = 2222
SSH_DOMAIN = gitea.example.com
START_SSH_SERVER = true

Problem faced:

• Ports <1024 require root; Gitea runs as non-root.

• Service failed with: Failed to start SSH server: listen tcp :22: bind: permission denied.

Solution:

• Use a non-privileged SSH port (e.g., 2222).

• Restart Gitea to activate SSH:

sudo systemctl restart gitea

7. Configuring Windows SSH

Update C:\Users\<YOUR_USER>\.ssh\config:

Host gitea.example.com
  User git
  IdentityFile C:\Users\<YOUR_USER>\Keys\gitea\id_ed25519
  Port 2222

Test connection:

ssh -v git@gitea.example.com

8. Firewall & Networking

• Open TCP port 2222 in GCP firewall rules.

• Cloudflare only proxies HTTP/HTTPS → cannot proxy SSH.

• Use VM public IP for SSH pushes.

Example Git remote:

git remote set-url gitea ssh://git@gitea.example.com:2222/USERNAME/<repo_name>.git
git push -u gitea master

9. Final Notes

• Private Gitea: Only admin can create accounts (DISABLE_REGISTRATION = true).

• HTTP/HTTPS: Served via Nginx, optionally protected by Cloudflare.

• SSH for Git: Non-privileged port (2222), keys registered in Gitea.

• File paths modified/created:

✅ Outcome: Fully functional private Gitea instance on GCP:

• Web UI via https://gitea.example.com

• Git push/pull via SSH on port 2222

• Admin-only registration

• Secure key-based authentication

Install JDK (Preferably OpenJDK)

To get started, install OpenJDK. For example, download version 23.0.2 from the official site:

wget https://download.java.net/java/GA/jdk23.0.2/6da2a6609d6e406f85c491fcb119101b/7/GPL/openjdk-23.0.2_linux-x64_bin.tar.gz
tar -xvf openjdk-23.0.2_linux-x64_bin.tar.gz

Add JDK to PATH

To ensure your system recognizes the JDK, set up the JAVA_HOME environment variable and update your PATH.

For Bash, add the following lines to ~/.bashrc:

export JAVA_HOME=/path/to/your/jdk-23.0.2
export PATH=$JAVA_HOME/bin:$PATH

For Fish, update your ~/.config/fish/config.fish:

set -x JAVA_HOME /path/to/your/jdk-23.0.2
set -U fish_user_paths /path/to/your/jdk-23.0.2/bin $fish_user_paths

Install Clojure

To install Clojure, run the following commands:

curl -L -O https://github.com/clojure/brew-install/releases/latest/download/linux-install.sh
chmod +x linux-install.sh
sudo ./linux-install.sh

For more details, visit the official guide.

Install clojure-mode for Emacs

To enable Clojure support in Emacs, install clojure-mode:

M-x package-install [RET] clojure-mode [RET]

For more information, check the clojure-mode repository.

Install clojure-lsp

clojure-lsp provides language server support for Clojure. Install it using:

curl -s https://raw.githubusercontent.com/clojure-lsp/clojure-lsp/master/install | sudo bash

More details are available on the clojure-lsp installation page.

Configure clojure-lsp for Emacs

Using eglot:

If you prefer eglot, configure it as follows:

;; clojure-lsp configuration
(use-package eglot
  :ensure t
  :hook ((clojure-mode . eglot-ensure)
         (clojurec-mode . eglot-ensure)
         (clojurescript-mode . eglot-ensure))
  :config
  (setenv "PATH" (concat "/usr/local/bin" path-separator (getenv "PATH")))
  (add-to-list 'eglot-server-programs '(clojure-mode . ("clojure-lsp")))
  (add-to-list 'eglot-server-programs '(clojurec-mode . ("clojure-lsp")))
  (add-to-list 'eglot-server-programs '(clojurescript-mode . ("clojure-lsp")))
  (add-to-list 'eglot-server-programs '(clojurex-mode . ("clojure-lsp"))))

Using lsp-mode:

If you use lsp-mode, add the following configuration:

(use-package lsp-mode
  :ensure t
  :hook ((clojure-mode . lsp)
         (clojurec-mode . lsp)
         (clojurescript-mode . lsp))
  :config
  ;; add paths to your local installation of project mgmt tools, like lein
  (setenv "PATH" (concat
                   "/usr/local/bin" path-separator
                   (getenv "PATH")))
  (dolist (m '(clojure-mode
               clojurec-mode
               clojurescript-mode
               clojurex-mode))
     (add-to-list 'lsp-language-id-configuration `(,m . "clojure")))
  (setq lsp-clojure-server-command '("/path/to/clojure-lsp"))) ;; Optional: In case `clojure-lsp` is not in your $PATH

For further details, check the clojure-lsp Emacs client guide.

Dependencies

1. Alpine Linux ISO

2. QEMU

Getting Started

1. Create a Virtual Disk

To enable persistent storage, create a virtual hard disk:

qemu-img create -f qcow2 alpine-persistent.qcow2 10G

2. Run QEMU with ISO and Virtual Disk

Boot Alpine Linux with the installation ISO and attach the virtual disk:

qemu-system-x86_64 \
  -m 1024 \
  -smp 2 \
  -boot d \
  -cdrom alpine-standard-3.21.2-x86_64.iso \
  -drive file=alpine-persistent.qcow2,format=qcow2 \
  -net nic -net user,hostfwd=tcp::2222-:22 \
  -display gtk

3. Install Alpine Linux

1. Login with the default credentials i.e. (root,<no_passwd>).

2. Start the setup script via setup-alpine.

3. When prompted to select a disk, choose sda (the attached virtual disk).

4. Follow the setup instructions and confirm writing changes to disk.

5. Once installation is complete, reboot the system.

4. Enable SSH (Optional)

SSH allows remote access to your VM from the host machine. Start the ssh service and enable for future connections.

rc-service sshd start
rc-update add sshd

You can now connect via SSH using:

ssh -p 2222 root@localhost

5. Boot Installed Alpine Linux

After installation, run QEMU without the ISO:

qemu-system-x86_64 \
  -m 1024 \
  -smp 2 \
  -drive file=alpine-persistent.qcow2,format=qcow2 \
  -net nic -net user,hostfwd=tcp::2222-:22 \
  -display gtk

Now, your Alpine Linux VM is fully set up with persistent storage and SSH access.

Install OpenSSL 3.x or Later

Nginx 1.26.2 comes bundled with OpenSSL 1.1.1f by default, which lacks QUIC support. Nginx’s QUIC support begins with OpenSSL 3.0. Download and extract OpenSSL 3.0.8, then proceed to build and install it.

wget https://www.openssl.org/source/openssl-3.0.8.tar.gz
tar -xzf openssl-3.0.8.tar.gz
cd openssl-3.0.8
./config
make
sudo make install
cd ..

Build Nginx 1.26.x with OpenSSL 3.x

After downloading the Nginx source code, extract the contents and prepare for configuration.

wget http://nginx.org/download/nginx-1.26.2.tar.gz
tar -xzf nginx-1.26.2.tar.gz
cd nginx-1.26.2

Rebuild Nginx using OpenSSL 3.x by specifying the appropriate configuration flags.

./configure \
    --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --with-http_ssl_module --with-http_v2_module \
    --with-http_v3_module --with-openssl=../openssl-3.0.8
make
sudo make install

Verify the Nginx build configuration with nginx -V.

nginx version: nginx/1.26.2
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
built with OpenSSL 3.0.8 7 Feb 2023
TLS SNI support enabled
configure arguments: \
    --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --with-http_ssl_module --with-http_v2_module \
    --with-http_v3_module --with-openssl=../openssl-3.0.8

Edit nginx configuration

Modify the Nginx configuration file to enable HTTP/3 and set up the server’s SSL certificates. The configuration file is located at /etc/nginx/nginx.conf.

• Adjust the server block to listen on port 443 for both QUIC and SSL connections.

• Specify the root directory and set up file paths for serving content, enabling auto-indexing.

• Add the HTTP/3 Alt-Svc header to enable QUIC connections.

events {
    worker_connections  1024;
}

http {
    server {
        listen 443 quic reuseport;
        listen 443 ssl;

        ssl_certificate       <ADD_YOUR_CRT>;
        ssl_certificate_key   <ADD_YOUR_KEY>;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

        root                  <ADD_YOUR_ROOT>;
        index index.html index.htm;

        location / {
                root          <ADD_YOUR_ROOT>;
                autoindex on;
                try_files $uri $uri/ =404;
        }

        add_header alt-svc 'h3=":443"; ma=86400';
    }
}

Save the changes, test the configuration, and start Nginx.

nginx -t
sudo systemctl start nginx

Verify HTTP/3 and QUIC functionality using Wireshark to capture and analyze network traffic, ensuring that the connection traces indicate QUIC support.

The IPs are masked for obvious reasons. But we can see traces of QUIC connection, which means http3 is working.