# Gitea Hardening Notes

## Minimum Hardening
- Put Gitea behind reverse proxy (nginx/Traefik) with TLS
- Disable public registration if not needed
- Enforce 2FA for admin/org owners
- Restrict SSH to known networks or require VPN/tunnel
- Back up the data dir regularly (repos + config + sqlite/db)

## Backups
If using sqlite, backing up `/data/gitea/gitea.db` plus repos is enough.
For Postgres/MySQL, dump database + repos.

## Next Skills
- container-registry (self-hosted with signatures)
- dns-sovereign (PowerDNS + Cloudflare hybrid)