summaryrefslogtreecommitdiff
path: root/20210911-openbsd-simple-git-server.md
diff options
context:
space:
mode:
authorVincent Douillet <vincent@vdouillet.fr>2021-10-11 23:03:07 +0200
committerVincent Douillet <vincent@vdouillet.fr>2021-10-11 23:03:07 +0200
commit6ee862efd612832e88b154105afe4715fd1cc78b (patch)
treef3e4d2be1615d9e37a9a120b18bee6aa3bbadf6a /20210911-openbsd-simple-git-server.md
first commit
Diffstat (limited to '20210911-openbsd-simple-git-server.md')
-rw-r--r--20210911-openbsd-simple-git-server.md94
1 files changed, 94 insertions, 0 deletions
diff --git a/20210911-openbsd-simple-git-server.md b/20210911-openbsd-simple-git-server.md
new file mode 100644
index 0000000..d27fdb6
--- /dev/null
+++ b/20210911-openbsd-simple-git-server.md
@@ -0,0 +1,94 @@
+# Simple git server on OpenBSD
+
+September 11, 2021
+
+Nowadays solutions like Github or Gitlab are popular to host online git repositories. I think that these tools can be quite bloated with features that I likely won't need for my small projects. So I decided to setup a self-hosted simple git server on OpenBSD. Here is how I configured it.
+
+## Creating the repository
+
+Of course, you first need to install git. I personally chose to install the package:
+
+ # pkg_add git
+
+Next you need to add a git user, which will be used to push code to the repositories:
+
+ # adduser
+ Enter username []: git
+ Enter full name []: git
+ Enter shell csh git-shell ksh nologin sh [ksh]:
+ Uid [1001]:
+ Login group git [git]:
+ Invite git into other groups: guest no [no]:
+ Login class authpf bgpd daemon default pbuild staff unbound xenodm [default]:
+ Enter password []: xxx
+ Enter password again []: xxx
+
+Now you can import the public keys of the developers, by adding them to the file `/home/git/.ssh/authorized_keys` (one key per line). This process can be simplified with the command `ssh-copy-id` that is available on Linux systems.
+
+Initialise a repository, in folder `/var/www/git-repos`:
+
+ # mkdir -p /var/www/git-repos/pelican-minimal.git
+ # chown -R git:www /var/www/git-repos
+ $ cd /var/www/git-repos/pelican-minimal.git/
+ $ git init --bare
+
+The folder choice can seem strange but it will allow us to easily publish the repository through a website a bit later. If you want developers to be able to push code with a URL like `git@git.vdouillet.fr/git/pelican-minimal`, a link does the job:
+
+ # ln -s /var/www/git-repos /git
+
+The repository is ready, developers can push code like so:
+
+ $ git remote add origin git@git.vdouillet.fr:/git/pelican-minimal
+ $ git push origin master
+
+Though security is not optimal: developers can open a shell on the server with the git account by using their SSH key. To prevent this, we are going to change the shell of the git account to the `git-shell`. This shell refuses interactive connections:
+
+ # chpass -s git-shell git
+
+It’s better, but developers can still use port forwarding. This can be disabled by prefixing each key in the `authorized_keys` file you edited earlier with the following text:
+
+ no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+
+## Public access
+
+To make the repository publicly available, I’ve chosen to use [cgit](https://git.zx2c4.com/cgit/). It’s a CGI script for a web interface that also allows to clone the repository through HTTP. Let’s first install cgit:
+
+ # pkg_add cgit
+
+As noted by the README after installation, you need to create a configuration file `/var/www/conf/cgitrc` for cgit. See cgitrc(5) for the complete list of parameters, here is a basic file that exposes only one repository:
+
+ repo.url=pelican-minimal
+ repo.path=/git-repos/pelican-minimal
+ repo.clone-url=http://git.vdouillet.fr/pelican-minimal
+ repo.desc=minimal pelican theme
+
+The httpd web server still needs to be configured, the sample configuration from cgit’s README works just fine, so I copied it into `/etc/httpd.conf`:
+
+ server "git.vdouillet.fr" {
+ listen on egress port 80
+
+ # don't serve static files from cgit CGI: cgit.css and cgit.png
+ location "/cgit.*" {
+ root "/cgit"
+ no fastcgi
+ }
+ root "/cgi-bin/cgit.cgi"
+ fastcgi socket "/run/slowcgi.sock"
+ }
+
+Finally, launch the two required daemons httpd and slowcgi:
+
+ # rcctl enable slowcgi
+ # rcctl start slowcgi
+ # rcctl enable httpd
+ # rcctl start httpd
+
+The repository is now available via [git.vdouillet.fr](//git.vdouillet.fr).
+
+Constructive feedback is welcome on [Twitter](https://twitter.com/vdouillet12/status/1443303913017516037?s=20).
+
+## Sources
+
+* [Git online book](https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server)
+* cgitrc(5)
+* OpenBSD cgit package README