I recently found myself in a situation where I needed to write up a document intended to be updated once or twice per year and otherwise kept printed out as a hard copy in a safe location. The only requirement I have is that I want to be able to write in Markdown (I write a lot of Markdown and find it to be minimal enough fuss that I can focus on getting content on to a page) and be able to render to something that can easily be printed out (like PDF!).

Although there are resources online on doing this, I had to read through and cobble together information from various places, so hopefully this ends up being a nicer quick start for someone else!

Gitea supports automatically signing commits it generates (such as when merging pull requests, or editing files through the web editor). Sadly there is no documentation on how to actually configure this, besides vague references that it is left up to the server administrator to achieve.

Secure key management is a topic fraught with complexity and trade off decisions, and the Gitea development team holds a (sensible) position that it is preferable to give no advice than it is to give bad advice.

A position that I, as an internet rando, am absolutely not bound by, so here's what I did!

Edit 2024-08-19: these exact steps also work for Forgejo! Just use /var/lib/forgejo instead of /var/lib/gitea for all instructions below

Open Source is a Gift. But a gift that comes with strings attached is a shitty one.

The PiBox is a small personal server powered by a Raspberry Pi CM4. It comes in a nice enclosure which has a fan, an LCD screen, and has two bays for SATA SSDs. KubeSail, the company behind it, offers backup storage and proxy traffic as a service. They also support a bunch of templates for easily self hosting apps like Jellyfin or NextCloud.

But, since I'm already very comfortable with NixOS and deploy a bunch of custom workloads with it, I wanted to try using it instead of the OS that ships with the PiBox.

Here's how I went about it, and how you can too!

Suppose we have control of our own domain and a set of services we want to share with (only) our friends and family. Here's how we can make them accessible over both Tailscale or when connected to the same physical network while using the exact same domain in each case.