author | Vincent Douillet <vincent@vdouillet.fr> | 2021-10-11 23:03:07 +0200 |
---|---|---|
committer | Vincent Douillet <vincent@vdouillet.fr> | 2021-10-11 23:03:07 +0200 |
commit | 6ee862efd612832e88b154105afe4715fd1cc78b (patch) | |
tree | f3e4d2be1615d9e37a9a120b18bee6aa3bbadf6a /20210911-openbsd-simple-git-server.md |
first commit
Diffstat (limited to '20210911-openbsd-simple-git-server.md')
-rw-r--r-- | 20210911-openbsd-simple-git-server.md | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/20210911-openbsd-simple-git-server.md b/20210911-openbsd-simple-git-server.md new file mode 100644 index 0000000..d27fdb6 --- /dev/null +++ b/20210911-openbsd-simple-git-server.md 
@@ -0,0 +1,94 @@ +# Simple git server on OpenBSD + +September 11, 2021 + +Nowadays solutions like Github or Gitlab are popular to host online git repositories. I think that these tools can be quite bloated with features that I likely won't need for my small projects. So I decided to setup a self-hosted simple git server on OpenBSD. Here is how I configured it. + +## Creating the repository + +Of course, you first need to install git. I personally chose to install the package: + + # pkg_add git + +Next you need to add a git user, which will be used to push code to the repositories: + + # adduser + Enter username []: git + Enter full name []: git + Enter shell csh git-shell ksh nologin sh [ksh]: + Uid [1001]: + Login group git [git]: + Invite git into other groups: guest no [no]: + Login class authpf bgpd daemon default pbuild staff unbound xenodm [default]: + Enter password []: xxx + Enter password again []: xxx + +Now you can import the public keys of the developers, by adding them to the file `/home/git/.ssh/authorized_keys` (one key per line). This process can be simplified with the command `ssh-copy-id` that is available on Linux systems. + +Initialise a repository, in folder `/var/www/git-repos`: + + # mkdir -p /var/www/git-repos/pelican-minimal.git + # chown -R git:www /var/www/git-repos + $ cd /var/www/git-repos/pelican-minimal.git/ + $ git init --bare + +The folder choice can seem strange but it will allow us to easily publish the repository through a website a bit later. If you want developers to be able to push code with a URL like `git@git.vdouillet.fr/git/pelican-minimal`, a link does the job: + + # ln -s /var/www/git-repos /git + +The repository is ready, developers can push code like so: + + $ git remote add origin git@git.vdouillet.fr:/git/pelican-minimal + $ git push origin master + +Though security is not optimal: developers can open a shell on the server with the git account by using their SSH key. 
To prevent this, we are going to change the shell of the git account to the `git-shell`. This shell refuses interactive connections: + + # chpass -s git-shell git + +It’s better, but developers can still use port forwarding. This can be disabled by prefixing each key in the `authorized_keys` file you edited earlier with the following text: + + no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty + +## Public access + +To make the repository publicly available, I’ve chosen to use [cgit](https://git.zx2c4.com/cgit/). It’s a CGI script for a web interface that also allows to clone the repository through HTTP. Let’s first install cgit: + + # pkg_add cgit + +As noted by the README after installation, you need to create a configuration file `/var/www/conf/cgitrc` for cgit. See cgitrc(5) for the complete list of parameters, here is a basic file that exposes only one repository: + + repo.url=pelican-minimal + repo.path=/git-repos/pelican-minimal + repo.clone-url=http://git.vdouillet.fr/pelican-minimal + repo.desc=minimal pelican theme + +The httpd web server still needs to be configured, the sample configuration from cgit’s README works just fine, so I copied it into `/etc/httpd.conf`: + + server "git.vdouillet.fr" { + listen on egress port 80 + + # don't serve static files from cgit CGI: cgit.css and cgit.png + location "/cgit.*" { + root "/cgit" + no fastcgi + } + root "/cgi-bin/cgit.cgi" + fastcgi socket "/run/slowcgi.sock" + } + +Finally, launch the two required daemons httpd and slowcgi: + + # rcctl enable slowcgi + # rcctl start slowcgi + # rcctl enable httpd + # rcctl start httpd + +The repository is now available via [git.vdouillet.fr](//git.vdouillet.fr). + +Constructive feedback is welcome on [Twitter](https://twitter.com/vdouillet12/status/1443303913017516037?s=20). + +## Sources + +* [Git online book](https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server) +* cgitrc(5) +* OpenBSD cgit package README |
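Review bot: In the paragraph after `chpass -s git-shell git`, the lockdown covers key logins only. The `adduser` transcript sets a password for `git`, and `authorized_keys` options do not apply to password authentication, so the article should say to disable password logins for that account or leave it without a usable password. For the key prefix, the single `restrict` option (OpenSSH 7.2 and later) can replace `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` and also picks up any restrictions added in later releases. Two consistency points: the prose URL `git@git.vdouillet.fr/git/pelican-minimal` is missing the `:` that the `git remote add` line has, and the repository is created as `pelican-minimal.git` while the remote and `repo.path=/git-repos/pelican-minimal` drop the `.git` suffix.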