| author | Vincent Douillet <vincent@vdouillet.fr> | 2021-10-11 23:03:07 +0200 | 
|---|---|---|
| committer | Vincent Douillet <vincent@vdouillet.fr> | 2021-10-11 23:03:07 +0200 | 
| commit | 6ee862efd612832e88b154105afe4715fd1cc78b (patch) | |
| tree | f3e4d2be1615d9e37a9a120b18bee6aa3bbadf6a /20210911-openbsd-simple-git-server.md | |
first commit
Diffstat (limited to '20210911-openbsd-simple-git-server.md')
| -rw-r--r-- | 20210911-openbsd-simple-git-server.md | 94 | 
1 files changed, 94 insertions, 0 deletions
diff --git a/20210911-openbsd-simple-git-server.md b/20210911-openbsd-simple-git-server.md new file mode 100644 index 0000000..d27fdb6 --- /dev/null +++ b/20210911-openbsd-simple-git-server.md 
@@ -0,0 +1,94 @@ +# Simple git server on OpenBSD + +September 11, 2021 + +Nowadays solutions like Github or Gitlab are popular to host online git repositories. I think that these tools can be quite bloated with features that I likely won't need for my small projects. So I decided to setup a self-hosted simple git server on OpenBSD. Here is how I configured it. + +## Creating the repository + +Of course, you first need to install git. I personally chose to install the package: + +	# pkg_add git + +Next you need to add a git user, which will be used to push code to the repositories: + +	# adduser +	Enter username []:        git +	Enter full name []:	git +	Enter shell csh git-shell ksh nologin sh [ksh]:  +	Uid [1001]:  +	Login group git [git]:  +	Invite git into other groups: guest no [no]:  +	Login class authpf bgpd daemon default pbuild staff unbound xenodm [default]:  +	Enter password []: xxx +	Enter password again []: xxx + +Now you can import the public keys of the developers, by adding them to the file `/home/git/.ssh/authorized_keys` (one key per line). This process can be simplified with the command `ssh-copy-id` that is available on Linux systems. + +Initialise a repository, in folder `/var/www/git-repos`: + +	# mkdir -p /var/www/git-repos/pelican-minimal.git +	# chown -R git:www /var/www/git-repos +	$ cd /var/www/git-repos/pelican-minimal.git/ +	$ git init --bare + +The folder choice can seem strange but it will allow us to easily publish the repository through a website a bit later. If you want developers to be able to push code with a URL like `git@git.vdouillet.fr/git/pelican-minimal`, a link does the job: + +	# ln -s /var/www/git-repos /git + +The repository is ready, developers can push code like so: + +	$ git remote add origin git@git.vdouillet.fr:/git/pelican-minimal +	$ git push origin master + +Though security is not optimal: developers can open a shell on the server with the git account by using their SSH key. 
To prevent this, we are going to change the shell of the git account to the `git-shell`. This shell refuses interactive connections: + +	# chpass -s git-shell git + +It’s better, but developers can still use port forwarding. This can be disabled by prefixing each key in the `authorized_keys` file you edited earlier with the following text: + +	no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty + +## Public access + +To make the repository publicly available, I’ve chosen to use [cgit](https://git.zx2c4.com/cgit/). It’s a CGI script for a web interface that also allows to clone the repository through HTTP. Let’s first install cgit: + +	# pkg_add cgit + +As noted by the README after installation, you need to create a configuration file `/var/www/conf/cgitrc` for cgit. See cgitrc(5) for the complete list of parameters, here is a basic file that exposes only one repository: + +	repo.url=pelican-minimal +	repo.path=/git-repos/pelican-minimal +	repo.clone-url=http://git.vdouillet.fr/pelican-minimal +	repo.desc=minimal pelican theme + +The httpd web server still needs to be configured, the sample configuration from cgit’s README works just fine, so I copied it into `/etc/httpd.conf`: + +	server "git.vdouillet.fr" { +		listen on egress port 80 +	 +		# don't serve static files from cgit CGI: cgit.css and cgit.png +		location "/cgit.*" { +			root "/cgit" +			no fastcgi +		} +		root "/cgi-bin/cgit.cgi" +		fastcgi socket "/run/slowcgi.sock" +	} + +Finally, launch the two required daemons httpd and slowcgi: + +	# rcctl enable slowcgi +	# rcctl start slowcgi +	# rcctl enable httpd +	# rcctl start httpd + +The repository is now available via [git.vdouillet.fr](//git.vdouillet.fr). + +Constructive feedback is welcome on [Twitter](https://twitter.com/vdouillet12/status/1443303913017516037?s=20). + +## Sources + +* [Git online book](https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server) +* cgitrc(5) +* OpenBSD cgit package README  | 
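Review bot: In the `authorized_keys` hardening step at the end of "Creating the repository", the prefix `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` lists restrictions one at a time, so options that are not listed (for example `no-user-rc`) stay unset; OpenSSH's `restrict` key option applies all of them at once, including any added in later releases, and would be the safer prefix to document. In the same section the `adduser` transcript sets a password (`xxx`) for the git account although access is meant to go through SSH keys, so the post should state whether password login stays enabled for that account. Two consistency points: the repository directory is created as `pelican-minimal.git` while `repo.path=/git-repos/pelican-minimal` in the cgitrc omits the suffix, and the prose URL `git@git.vdouillet.fr/git/pelican-minimal` lacks the colon used in the `git remote add` line. In "Public access", httpd listens on port 80 only and `repo.clone-url` is `http://`, so public clones have no transport integrity; a sentence on adding TLS would help readers who copy the configuration.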
