# Simple git server on OpenBSD
September 11, 2021
Nowadays, solutions like GitHub or GitLab are popular for hosting git repositories online. I think that these tools can be quite bloated with features that I likely won't need for my small projects. So I decided to set up a simple self-hosted git server on OpenBSD. Here is how I configured it.
## Creating the repository
Of course, you first need to install git. I personally chose to install the package:
```
# pkg_add git
```
Next you need to add a git user, which will be used to push code to the repositories:
```
# adduser
Enter username []: git
Enter full name []: git
Enter shell csh git-shell ksh nologin sh [ksh]:
Uid [1001]:
Login group git [git]:
Invite git into other groups: guest no [no]:
Login class authpf bgpd daemon default pbuild staff unbound xenodm [default]:
Enter password []: xxx
Enter password again []: xxx
```
Now you can import the public keys of the developers, by adding them to the file `/home/git/.ssh/authorized_keys` (one key per line). This process can be simplified with the command `ssh-copy-id` that is available on Linux systems.
Initialise a repository in the folder `/var/www/git-repos`:
```
# mkdir -p /var/www/git-repos/pelican-minimal.git
# chown -R git:www /var/www/git-repos
$ cd /var/www/git-repos/pelican-minimal.git/
$ git init --bare
```
The folder choice can seem strange, but it will allow us to easily publish the repository through a website a bit later. If you want developers to be able to push code with a URL like `git@git.vdouillet.fr:/git/pelican-minimal`, a symbolic link does the job:
```
# ln -s /var/www/git-repos /git
```
The repository is ready; developers can push code like so:
```
$ git remote add origin git@git.vdouillet.fr:/git/pelican-minimal
$ git push origin master
```
Security is not optimal, though: with their SSH key, developers can open a shell on the server as the git account. To prevent this, we are going to change the shell of the git account to `git-shell`, which refuses interactive connections:
```
# chpass -s git-shell git
```
It’s better, but developers can still use port forwarding. This can be disabled by prefixing each key in the `authorized_keys` file you edited earlier with the following text (separated from the key by a space):
```
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
```
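One way to check that every key in `/home/git/.ssh/authorized_keys` really carries these restrictions, as an added example that is not part of the original post: the function name `audit_authorized_keys` and the sample keys are made up for illustration. It goes slightly beyond the text by also accepting OpenSSH's `restrict` option and by applying options left to right as sshd does.

```shell
#!/bin/sh
# Added example: report keys in an authorized_keys file (or stdin) that still
# permit port/X11/agent forwarding or a PTY. Exit status is 1 if any are found.
audit_authorized_keys() {
    awk '
    BEGIN { n = split("port-forwarding x11-forwarding agent-forwarding pty", name, " ") }
    # sshd applies options left to right, so a later "pty" undoes "restrict".
    function apply(opt,   j) {
        opt = tolower(opt)                      # option keywords are case-insensitive
        if (opt == "restrict") { for (j = 1; j <= n; j++) off[name[j]] = 1 }
        else if (opt ~ /^no-/ && (substr(opt, 4) in off)) off[substr(opt, 4)] = 1
        else if (opt in off) off[opt] = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    {
        for (j = 1; j <= n; j++) off[name[j]] = 0
        sub(/^[ \t]+/, "")
        if ($1 !~ /^(ssh-|ecdsa-|sk-)/) {       # line starts with an options field
            tok = ""; inq = 0
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\"" && substr($0, i - 1, 1) != "\\") inq = !inq
                if (!inq && (c == "," || c == " " || c == "\t")) {
                    apply(tok); tok = ""
                    if (c != ",") break         # an unquoted blank ends the options
                } else tok = tok c
            }
        }
        missing = ""
        for (j = 1; j <= n; j++) if (!off[name[j]]) missing = missing " no-" name[j]
        if (missing != "") { print NR ":" missing; bad = 1 }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input; the key material is a placeholder, not a real key.
sample_keys() {
cat <<'EOF'
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAplaceholder1 alice@example
ssh-ed25519 AAAAplaceholder2 bob@example
restrict,pty ssh-ed25519 AAAAplaceholder3 carol@example
command="echo a,no-pty b",no-port-forwarding ssh-rsa AAAAplaceholder4 dave@example
EOF
}
sample_keys | audit_authorized_keys || echo "the keys listed above are not fully restricted"
```

On the server it would be run as `audit_authorized_keys /home/git/.ssh/authorized_keys`; each output line gives the line number of a key followed by the restrictions it lacks.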
## Public access
To make the repository publicly available, I’ve chosen to use [cgit](https://git.zx2c4.com/cgit/). It’s a CGI script that provides a web interface and also allows cloning the repository over HTTP. Let’s first install cgit:
```
# pkg_add cgit
```
As noted by the README after installation, you need to create a configuration file `/var/www/conf/cgitrc` for cgit. See cgitrc(5) for the complete list of parameters. Here is a basic file that exposes only one repository:
```
repo.url=pelican-minimal
repo.path=/git-repos/pelican-minimal
repo.clone-url=http://git.vdouillet.fr/pelican-minimal
repo.desc=minimal pelican theme
```
The httpd web server still needs to be configured. The sample configuration from cgit’s README works just fine, so I copied it into `/etc/httpd.conf`:
```
server "git.vdouillet.fr" {
    listen on egress port 80
    # don't serve static files from cgit CGI: cgit.css and cgit.png
    location "/cgit.*" {
        root "/cgit"
        no fastcgi
    }
    root "/cgi-bin/cgit.cgi"
    fastcgi socket "/run/slowcgi.sock"
}
```
Finally, launch the two required daemons, httpd and slowcgi:
```
# rcctl enable slowcgi
# rcctl start slowcgi
# rcctl enable httpd
# rcctl start httpd
```
The repository is now available via [git.vdouillet.fr](//git.vdouillet.fr).
Constructive feedback is welcome on [Twitter](https://twitter.com/vdouillet12/status/1443303913017516037?s=20).
## Sources
* [Git online book](https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server)
* cgitrc(5)
* OpenBSD cgit package README