# Simple git server on OpenBSD

September 11, 2021

Nowadays solutions like GitHub or GitLab are popular to host online git repositories. I think that these tools can be quite bloated with features that I likely won't need for my small projects. So I decided to set up a simple self-hosted git server on OpenBSD. Here is how I configured it.

## Creating the repository

Of course, you first need to install git. I personally chose to install the package:

```
# pkg_add git
```

Next you need to add a git user, which will be used to push code to the repositories:

```
# adduser
Enter username []: git
Enter full name []: git
Enter shell csh git-shell ksh nologin sh [ksh]:
Uid [1001]:
Login group git [git]:
Invite git into other groups: guest no
[no]:
Login class authpf bgpd daemon default pbuild staff unbound xenodm
[default]:
Enter password []: xxx
Enter password again []: xxx
```

Now you can import the public keys of the developers by adding them to the file `/home/git/.ssh/authorized_keys` (one key per line). This process can be simplified with the command `ssh-copy-id` that is available on Linux systems.

Initialise a repository in the folder `/var/www/git-repos`:

```
# mkdir -p /var/www/git-repos/pelican-minimal.git
# chown -R git:www /var/www/git-repos
$ cd /var/www/git-repos/pelican-minimal.git/
$ git init --bare
```

The folder choice can seem strange, but it will allow us to easily publish the repository through a website a bit later. If you want developers to be able to push code with a URL like `git@git.vdouillet.fr:/git/pelican-minimal`, a link does the job:

```
# ln -s /var/www/git-repos /git
```

The repository is ready, and developers can push code like so:

```
$ git remote add origin git@git.vdouillet.fr:/git/pelican-minimal
$ git push origin master
```

Security is not optimal, though: developers can open a shell on the server with the git account by using their SSH key. To prevent this, we are going to change the shell of the git account to the `git-shell`.
This shell refuses interactive connections:

```
# chpass -s git-shell git
```

It’s better, but developers can still use port forwarding. This can be disabled by prefixing each key in the `authorized_keys` file you edited earlier with the following text:

```
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
```

## Public access

To make the repository publicly available, I’ve chosen to use [cgit](https://git.zx2c4.com/cgit/). It’s a CGI script that provides a web interface and also allows cloning the repository through HTTP. Let’s first install cgit:

```
# pkg_add cgit
```

As noted by the README after installation, you need to create a configuration file `/var/www/conf/cgitrc` for cgit. See cgitrc(5) for the complete list of parameters. Here is a basic file that exposes only one repository:

```
repo.url=pelican-minimal
repo.path=/git-repos/pelican-minimal
repo.clone-url=http://git.vdouillet.fr/pelican-minimal
repo.desc=minimal pelican theme
```

The httpd web server still needs to be configured. The sample configuration from cgit’s README works just fine, so I copied it into `/etc/httpd.conf`:

```
server "git.vdouillet.fr" {
	listen on egress port 80

	# don't serve static files from cgit CGI: cgit.css and cgit.png
	location "/cgit.*" {
		root "/cgit"
		no fastcgi
	}

	root "/cgi-bin/cgit.cgi"
	fastcgi socket "/run/slowcgi.sock"
}
```

Finally, launch the two required daemons, httpd and slowcgi:

```
# rcctl enable slowcgi
# rcctl start slowcgi
# rcctl enable httpd
# rcctl start httpd
```

The repository is now available via [git.vdouillet.fr](//git.vdouillet.fr).

Constructive feedback is welcome on [Twitter](https://twitter.com/vdouillet12/status/1443303913017516037?s=20).

## Sources

* [Git online book](https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server)
* cgitrc(5)
* OpenBSD cgit package README
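
The `authorized_keys` restrictions described in the repository section are easy to forget when a new developer key is added, so they are worth checking mechanically. The script below is an added example, not part of the original post: the function names and the sample keys are constructed for illustration, and it reads the key file on standard input.

```shell
#!/bin/sh
# Added example (not from the article): list keys lacking the restrictions.
# "restrict" (OpenSSH 7.2+) implies all four; later re-enabling options
# such as "pty" or "port-forwarding" are not tracked here.
REQUIRED="no-port-forwarding no-x11-forwarding no-agent-forwarding no-pty"
# Print the lower-cased option field of one line (empty if it has none).
key_options() {
    # Drop quoted values (command="...") so their spaces don't end the field.
    stripped=$(printf '%s\n' "$1" | tr '\t' ' ' | sed -e 's/"[^"]*"//g' -e 's/^ *//')
    first=${stripped%% *}
    case $first in
        ssh-*|ecdsa-*|sk-*) ;;
        *) printf '%s\n' "$first" | tr 'A-Z' 'a-z' ;;
    esac
}

# Read authorized_keys on stdin; report weak keys, return 1 if any found.
audit_authorized_keys() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
        case $trimmed in ''|'#'*) continue ;; esac
        opts=",$(key_options "$line"),"
        case $opts in *,restrict,*) continue ;; esac
        missing=
        for opt in $REQUIRED; do
            case $opts in *,"$opt",*) ;; *) missing="$missing $opt" ;; esac
        done
        if [ -n "$missing" ]; then
            echo "line $n: missing$missing"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample input; the key material is a placeholder.
sample_keys() {
    cat <<'EOF'
# developers
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER1 alice
ssh-ed25519 AAAAPLACEHOLDER2 bob
no-pty,command="echo no port" ssh-rsa AAAAPLACEHOLDER3 carol
restrict ssh-ed25519 AAAAPLACEHOLDER4 dave
EOF
}

if [ -n "${1:-}" ]; then audit_authorized_keys < "$1"; fi
```

Run it as root with the key file as argument, for example `sh audit.sh /home/git/.ssh/authorized_keys`; a non-zero exit status means at least one key still allows forwarding or a pty.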