Gitea supports automatically signing commits it generates (such as when merging pull requests, or editing files through the web editor). Sadly there is no documentation on how to actually configure this, besides vague references that it is left up to the server administrator to achieve.

Secure key management is a topic fraught with complexity and trade off decisions, and the Gitea development team holds a (sensible) position that it is preferable to give no advice than it is to give bad advice.

A position that I, as an internet rando, am absolutely not bound by, so here's what I did!

Edit 2024-08-19: these exact steps also work for Forejo! Just use /var/lib/forgejo instead of /var/lib/gitea for all instructions below

Open Source is a Gift. But a gift that comes with strings attached is a shitty one.

The PiBox is a small personal server powered by a Raspberry Pi CM4. It comes in a nice enclosure which has a fan, an LCD screen, and has two bays for SATA SSDs. KubeSail, the company behind it, offers backup storage and proxy traffic as a service. They also support a bunch of templates for easily self hosting apps like Jellyfin or NextCloud.

But, since I'm already very comfortable with NixOS and deploy a bunch of custom workloads with it, I wanted to try using it instead of the OS that ships with the PiBox.

Here's how I went about it, and how you can too!

Suppose we have control of our own domain and a set of services we want to share with (only) our friends and family. Here's how we can make them accessible over both Tailscale or when connected to the same physical network while using the exact same domain in each case.

A year ago I found myself with some free time around the holidays which was the perfect opportunity for tinkering with Nix and cargo. What started out as a weekend learning project shaped up so nicely that I decided to share it with the world, and here we are a year later.