Minimal git Infrastructure: Difference between revisions
No edit summary |
|||
(4 intermediate revisions by the same user not shown) | |||
Line 66: | Line 66: | ||
=== Create local repos and set the git server as origin === | === Create local repos and set the git server as origin === | ||
On your machine and | On your machine and '''after the repos on the git server was created''': | ||
mkdir name-of-the-repos | mkdir name-of-the-repos | ||
cd name-of-the-repos | cd name-of-the-repos | ||
Line 76: | Line 76: | ||
=== Clone existing repos to contribute === | === Clone existing repos to contribute === | ||
git clone server-name:/var/www/git.lurk.org/repos/name-of-the-repos.git | git clone server-name:/var/www/git.lurk.org/repos/name-of-the-repos.git | ||
== PRO TIPS == | |||
=== Post-receive Hook Goodness === | |||
Say that one of your repos is a static website, and that you would like to have this very website updated live as you push to your repos and served on your server from <code>/var/www/www.lurk.org</code>. You can tweak the default stagit related post-receive git hook to do all this. | |||
'''SKIPPED:''' From this point we assume that you have configured your HTTP server to serve www.lurk.org from <code>/var/www/www.lurk.org</code> and that of course this path exits. | |||
* As root: | |||
setfacl -Rm g:gitusers:rwX /var/www/www.lurk.org/ | |||
setfacl -d -Rm g:gitusers:rwX /var/www/www.lurk.org/ | |||
As any user from the <code>gitusers</code> you can do the following: | |||
* Clone the repos | |||
cd /var/www/www.lurk.org/ | |||
git clone /var/www/git.lurk.org/repos/www.lurk.org.git . | |||
* Go to your repos' hook folder | |||
cd /var/www/git.lurk.org/repos/www.lurk.org.git/hooks | |||
* Delete the current post-receive hook (currently a ''symlink'' to <code>update_single.sh</code>) | |||
rm post-receive | |||
* Copy the same script again | |||
cp ../../../update_single.sh post-receive | |||
* Edit <code>post-receive</code> and append the following: | |||
<pre> | |||
# HERE IS THE EXTRA BIT! | |||
unset GIT_DIR | |||
git -C /var/www/www.lurk.org pull | |||
printf "done updating website\n" | |||
</pre> | |||
=== Allowing a Limited User to Push to the Repos === | |||
The both great and crappy thing about this setup is that it makes use of the OS level for user management, so if you want to add another committer, you need to give them a shell access to your server. Obviously you're better off with something like gitea if you intend to allow many users to join and contribute to your awesome software, as it will be a PITA to <code>adduser</code> new people all the time. | |||
However, if it's something exceptional and it's convenient to give someone read-write access to your repos without a full shell access you can do it like this: | |||
adduser somebody | |||
chsh -s /usr/bin/git-shell somebody | |||
'''Note:''' don't consider this as a fail-proof security thing, if you don't trust the user, maybe you should not give them a shell in the first place. | |||
[[Category:git]] |
Latest revision as of 21:59, 1 August 2019
Goal: To run your own minimal git infrastructure exclusively for your shell users (sorry no guest, no wiki, no issue tracker, and send patches via email plz or GTFO), making use of ancient ACL magic, and providing a web interface with stagit
for public repos browsing and anonymous read-only clone/pull. In this example we use LURK's domain name and server setup as an example.
Prerequisites
Installs
- Install
libgit2
headers and ACL tools, on Debian:
apt install libgit2-dev acl
- Compile and install
stagit
, a staticgit
page generator:
cd /usr/src git clone git://git.codemadness.org/stagit cd stagit # Optional: edit stagit-index.c to customize some settings like the site header, etc. make && make install
configs
We need two directories, one for serving the public static files, and one for keeping the bare git
repositories.
- create these directories for your repos and for
stagit
:
mkdir -p /var/www/git.lurk.org/repos
- Get a style
cp /usr/src/stagit/style.css /var/www/git.lurk.org # Optional: further stylify style.css
- Get a logo
wget https://things.bleu255.com/runyourown/images/d/d5/Runyourown.png -O /var/www/git.lurk.org/logo.png
- Copy the following handy shell scripts and put them in
/var/www/git.lurk.org/
:new_repos.sh
: https://git.bleu255.com/stagit/file/scripts/new_repos.sh.htmlreset_all.sh
: https://git.bleu255.com/stagit/file/scripts/reset_all.sh.htmlupdate_all.sh
: https://git.bleu255.com/stagit/file/scripts/update_all.sh.htmlupdate_single.sh
: https://git.bleu255.com/stagit/file/scripts/update_single.sh.html
- dont' forget to
chmod +x
them :) - Edit
new_repos.sh
,update_all.sh
, andupdate_single.sh
to update hardcoded paths and others! - Create a group for the users who will be allowed to create and contribute to any of the hosted repos:
addgroup gitusers
- Give this group the permissions to modify each others files in the git folders:
setfacl -Rm g:gitusers:rwX /var/www/git.lurk.org/ setfacl -d -Rm g:gitusers:rwX /var/www/git.lurk.org/
- Add the local users who should have access to full read-write access to the
gitusers
group:
adduser alice gitusers adduser bob gitusers # etc...
- Create a new nginx site config for the static website in
/etc/nginx/sites-enabled/sites-available/git.lurk.org
:
server { listen 443; server_name git.lurk.org; root /var/www/git.lurk.org/; autoindex on; access_log /var/log/nginx/git.lurk.org-access.log; error_log /var/log/nginx/git.lurk.org-error.log; }
- Enable it and reload nginx:
ln -s /etc/nginx/sites-available/git.lurk.org /etc/nginx/sites-enabled/ service nginx reload
DONE! Now you should make some repos :)
Usage
Create a new repos on the git server
This can be done by any user in the group gitusers
, no need to be root:
cd /var/www/git.lurk.org ./new_repos.sh name-of-the-repos "oneline about the repos"
Create local repos and set the git server as origin
On your machine and after the repos on the git server was created:
mkdir name-of-the-repos cd name-of-the-repos git init # now add and git commit some files git remote add origin server-name:/var/www/git.lurk.org/repos/name-of-the-repos.git git push --set-upstream origin master
Clone existing repos to contribute
git clone server-name:/var/www/git.lurk.org/repos/name-of-the-repos.git
PRO TIPS
Post-receive Hook Goodness
Say that one of your repos is a static website, and that you would like to have this very website updated live as you push to your repos and served on your server from /var/www/www.lurk.org
. You can tweak the default stagit related post-receive git hook to do all this.
SKIPPED: From this point we assume that you have configured your HTTP server to serve www.lurk.org from /var/www/www.lurk.org
and that of course this path exits.
- As root:
setfacl -Rm g:gitusers:rwX /var/www/www.lurk.org/ setfacl -d -Rm g:gitusers:rwX /var/www/www.lurk.org/
As any user from the gitusers
you can do the following:
- Clone the repos
cd /var/www/www.lurk.org/ git clone /var/www/git.lurk.org/repos/www.lurk.org.git .
- Go to your repos' hook folder
cd /var/www/git.lurk.org/repos/www.lurk.org.git/hooks
- Delete the current post-receive hook (currently a symlink to
update_single.sh
)
rm post-receive
- Copy the same script again
cp ../../../update_single.sh post-receive
- Edit
post-receive
and append the following:
# HERE IS THE EXTRA BIT! unset GIT_DIR git -C /var/www/www.lurk.org pull printf "done updating website\n"
Allowing a Limited User to Push to the Repos
The both great and crappy thing about this setup is that it makes use of the OS level for user management, so if you want to add another committer, you need to give them a shell access to your server. Obviously you're better off with something like gitea if you intend to allow many users to join and contribute to your awesome software, as it will be a PITA to adduser
new people all the time.
However, if it's something exceptional and it's convenient to give someone read-write access to your repos without a full shell access you can do it like this:
adduser somebody chsh -s /usr/bin/git-shell somebody
Note: don't consider this as a fail-proof security thing, if you don't trust the user, maybe you should not give them a shell in the first place.