---
name: gitea-bootstrap
description: >
  Bootstrap a sovereign Git service on Node B using Gitea (Docker or native),
  with two-phase plan/apply, backups, verification, and rollback.
  Creates an admin user, configures SSH/HTTP, and outputs an audit report.
  Triggers: 'install gitea', 'bootstrap gitea', 'self-host git', 'node b git',
  'gitea plan', 'gitea rollback'.
version: 1.0.0
---

# Gitea Bootstrap

Tier 2 (Infrastructure Sovereignty): build **Node B** as your self-hosted Git authority.

This skill supports two deployment modes:
- **Docker** (recommended for fastest repeatability)
- **Native** (system package + systemd)

It is **plan/apply** gated with DRY_RUN and a confirmation phrase.

## Quick Start

```bash
cd ~/.claude/skills/gitea-bootstrap

# Choose mode
export MODE="docker"               # docker | native
export NODE_NAME="node-b"

# Network
export HTTP_PORT=3000
export SSH_PORT=2222               # external SSH for git (docker mode)
export DOMAIN="git.example.com"    # optional; for reverse proxy

# Storage
export DATA_DIR="$HOME/gitea"
export BACKUP_DIR="outputs/backups"

# Admin bootstrap (you'll be prompted to set password securely)
export ADMIN_USER="sovereign"
export ADMIN_EMAIL="sovereign@vaultmesh.org"

# Safety
export DRY_RUN=1
export REQUIRE_CONFIRM=1
export CONFIRM_PHRASE="I UNDERSTAND THIS WILL INSTALL AND CONFIGURE GITEA"

./scripts/00_preflight.sh
./scripts/10_plan.sh

export DRY_RUN=0
./scripts/11_apply.sh

./scripts/90_verify.sh
./scripts/99_report.sh
```

## Inputs

| Parameter | Required | Default | Description |
|---|---:|---|---|
| MODE | Yes | docker | docker or native |
| NODE_NAME | No | node-b | Identifier for reporting |
| HTTP_PORT | No | 3000 | Gitea web port |
| SSH_PORT | No | 2222 | SSH port for git (docker mode) |
| DOMAIN | No | (empty) | Hostname if using reverse proxy |
| DATA_DIR | No | ~/gitea | Data directory (repos, config, db) |
| ADMIN_USER | Yes | (none) | Initial admin username |
| ADMIN_EMAIL | Yes | (none) | Initial admin email |
| DRY_RUN | No | 1 | Apply refuses unless DRY_RUN=0 |
| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
| CONFIRM_PHRASE | No | I UNDERSTAND THIS WILL INSTALL AND CONFIGURE GITEA | Safety phrase |

## Outputs

- `outputs/compose.yml` (docker mode)
- `outputs/gitea_app.ini` (rendered config template)
- `outputs/status_matrix.json`
- `outputs/audit_report.md`
- Backups under `outputs/backups/`

## Safety Guarantees

1. Default **DRY_RUN=1**
2. Confirmation phrase required
3. Backups of generated configs + service definitions
4. Rollback scripts for docker and native modes

## EU Compliance

| Aspect | Value |
|---|---|
| Data Residency | EU (Ireland - Dublin) |
| Jurisdiction | Irish Law |
| Git Data | Stored on Node B only |
| Backups | Local outputs + optional offsite via backup-sovereign |

## References

- [Gitea Hardening Notes](references/gitea_hardening_notes.md)
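
The DRY_RUN and confirmation-phrase gate listed under Safety Guarantees can be written as a single fail-closed check, shown here as an added example that is not the skill's own `11_apply.sh`. The function name `gate_apply` and the return codes 10/11/12 are hypothetical; the variable names and defaults are the ones from the Inputs table.

```shell
# Added example: fail-closed plan/apply gate (hypothetical helper, not from the skill).
# Usage: gate_apply [typed_phrase]
# Returns 0 only when an apply may proceed; otherwise prints the reason to stderr.
gate_apply() {
  local typed="${1-}"
  # Unset or empty values fall back to the safe defaults from the Inputs table.
  local dry_run="${DRY_RUN:-1}"
  local require="${REQUIRE_CONFIRM:-1}"
  local phrase="${CONFIRM_PHRASE:-I UNDERSTAND THIS WILL INSTALL AND CONFIGURE GITEA}"

  # Only the literal string 0 leaves dry-run mode, so values such as
  # "false", "no" or "00" are treated as dry-run rather than as consent.
  if [ "$dry_run" != "0" ]; then
    echo "refuse: DRY_RUN=$dry_run (set DRY_RUN=0 to apply)" >&2
    return 10
  fi

  # Likewise, only the literal string 0 disables the confirmation phrase.
  if [ "$require" != "0" ]; then
    if [ -z "$typed" ]; then
      if [ -t 0 ]; then
        # Interactive session: ask the operator to type the phrase.
        printf 'Type the confirmation phrase: ' >&2
        IFS= read -r typed || typed=""
      else
        # Piped or CI input: never treat arbitrary stdin as consent.
        echo "refuse: confirmation required but stdin is not a terminal" >&2
        return 11
      fi
    fi
    # Exact, case-sensitive match on the whole phrase.
    if [ "$typed" != "$phrase" ]; then
      echo "refuse: confirmation phrase mismatch" >&2
      return 12
    fi
  fi
  return 0
}
```

An apply script would call `gate_apply || exit $?` before making any change, so every path that is not an explicit `DRY_RUN=0` plus a matching phrase stops before Gitea is touched.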