# Installation

## 1. Install Gitolite

Follow the instructions at https://gitolite.com/gitolite/fool_proof_setup.html

When Gitolite is installed, clone the gitolite-admin repository and add this to conf/gitolite.conf:

```
repo CREATOR/..*
    C   = @all
    RW+ = CREATOR
    R   = @all
```

The rule above allows any registered user (@all) to create a repository. CREATOR is a gitolite keyword that is replaced with the name of the user who created the repo. To create a new repository, just use "git clone git@domain:username/reponame". Since the regexp CREATOR/..* replaces CREATOR with the user name, the logged-in user is allowed to create new repositories *only* under their own username.

Adding new users is as simple as adding their public key to gitolite-admin/keydir/.pub

Gitolite does not do authentication, it only does authorization. The name of the logged-in user is provided to it as an environment variable.

In order to allow anonymous HTTP clones, i.e. to allow "git clone https://..." without any authentication, the web app automatically sets a generic username value of "anonymous". We need to let Gitolite know what the unauthenticated user is going to be called so that it can check authorization. To do this, just add the following to ~/.gitolite.rc in the section marked "rc variables used by various features". This is explained at https://gitolite.com/gitolite/http.html#allowing-unauthenticated-access

```
HTTP_ANON_USER => 'anonymous',
```

Enable some non-core commands that are useful to us. This is done by editing ~/.gitolite.rc:

```
'ENABLE' => [
    ... existing commands
    # Allow changing the HEAD reference (default branch) like this:
    # ssh git@host symbolic-ref HEAD refs/heads/
    'symbolic-ref',
]
```

## 2. Emails

Start by downloading the clif repository:

```
git clone /home/git
```

Change the settings inside the emails.py file.

Add the following to /etc/postfix/main.cf. This will forward all emails to the system user "git":

```
luser_relay = git
local_recipient_maps =
```

Then add the following to /home/git/.forward.
".forward" is a sendmail file, also used by postfix, used for deciding how to deliver the message the the system user. For our purposes, we instruct postfix to pipe all the emails for user "git" to our script: |/home/git/clif/emails.py make sure the script is executable: chmod +x /home/git/clif/emails.py 3. Web UI Start by downloading the clif repository: git clone /home/git Install the requirements: cd /home/git/clif python3 -m venv venv source venv/bin/activate pip install -r requirements.txt Change the settings inside the web.py file. Install a SystemD service: cp web.service /etc/systemd/system/clif-web.service systemctl daemon-reload systemctl enable clif-web systemctl start clif-web 4. TLS certificate Now we create a new TLS certificate for supporting HTTPS connections: apt-get install certbot certbot certonly --webroot -w /var/www/html -d domain.tld The cert is created in /etc/letsencrypt/live// Lighttpd requires the certificate and private key to be in a single file: cat privkey.pem cert.pem > privkey+cert.pem Configure lighttpd reverse proxy: vim /etc/lighttpd/lighttpd.conf server.modules += ( "mod_fastcgi", "mod_proxy", ) $HTTP["scheme"] == "http" { url.redirect = ("" => "https://${url.authority}${url.path}${qsa}") url.redirect-code = 308 } $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/letsencrypt/live//privkey+cert.pem" ssl.ca-file = "/etc/letsencrypt/live//chain.pem" $HTTP["host"] == "" { proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 5000 ) ) ) # server.document-root = "/var/www/html" # Document Root # server.errorlog = "/" # accesslog.filename = "/" } } Let's Encrypt certificates expire every 90 days, so we need to setup a cron job that will generate a new privkey+cert.pem file, and reload lighttpd too. 
```
vim /etc/cron.weekly/clif-letsencrypt
chmod +x /etc/cron.weekly/clif-letsencrypt
```

```sh
#!/bin/sh
# Stop on the first error so a failed cd cannot write the bundle elsewhere.
set -e
certbot renew
cd /etc/letsencrypt/live/
cat privkey.pem cert.pem > privkey+cert.pem
service lighttpd restart
```

# Development

```
gunicorn --reload --bind localhost:5000 web:application
```
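The pipe delivery configured in step 2 (the `.forward` line) hands every message addressed to the "git" user to the script on standard input as raw bytes, and anyone who can send mail to that address controls those bytes. The following is an added example, not the project's own emails.py, showing how such a script can parse that input defensively: it caps the message size, parses the headers and text body with the standard library, collapses folded header whitespace, and maps failures to the sysexits codes postfix understands. The names `parse_piped_message`, `MAX_MESSAGE_BYTES` and the sample message are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example: a defensive handler for mail piped in by postfix via ~/.forward.

Not the project's emails.py. Everything arriving on stdin comes from whoever
sent mail to git@domain, so it is untrusted input: cap its size, parse it with
the stdlib email package, and never pass it to a shell. Names are assumptions.
"""
import sys
from email import policy
from email.parser import BytesParser

# Upper bound on what we are willing to parse; anything larger is rejected.
MAX_MESSAGE_BYTES = 1_000_000

# Sysexits codes understood by postfix's local delivery agent:
# 0 = delivered, 67 = permanent failure (bounce), 75 = temporary failure (retry).
EX_OK, EX_NOUSER, EX_TEMPFAIL = 0, 67, 75


def parse_piped_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message as delivered by the ".forward" pipe.

    Returns a plain dict with the fields a hook like emails.py would act on.
    Raises ValueError on oversized or structurally defective input.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValueError(f"message too large: {len(raw)} bytes")
    # policy.default yields an EmailMessage with RFC 2047 header decoding.
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.defects:
        # Defects are structural problems the parser tolerated; refuse them.
        names = [d.__class__.__name__ for d in msg.defects]
        raise ValueError(f"malformed message: {names}")

    # get_body() returns the text/plain part; HTML-only mail and attachments are ignored.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    def clean(name: str) -> str:
        # Collapse folded whitespace so a crafted header cannot carry newlines further.
        return " ".join(str(msg.get(name, "")).split())

    return {
        "from": clean("From"),
        "to": clean("To"),
        "subject": clean("Subject"),
        "message_id": clean("Message-ID"),
        "body": body.strip(),
    }


def main() -> int:
    """Entry point for the pipe: read stdin, parse, map errors to sysexits codes."""
    raw = sys.stdin.buffer.read()
    try:
        record = parse_piped_message(raw)
    except ValueError as exc:
        # Reject permanently so postfix bounces instead of retrying forever.
        print(f"rejected: {exc}", file=sys.stderr)
        return EX_NOUSER
    # A real hook would act on the record here (store it, notify, etc.).
    print(f"accepted message {record['message_id']} from {record['from']}")
    return EX_OK


# Constructed sample message, shaped like what postfix pipes in, for offline use.
SAMPLE_MESSAGE = (
    b"From: Alice Example <alice@example.org>\r\n"
    b"To: git@example.org\r\n"
    b"Subject: =?utf-8?q?Patch_for_repo?=\r\n"
    b"Message-ID: <constructed-0001@example.org>\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Please pull from alice/reponame.\r\n"
)

if __name__ == "__main__":
    sys.exit(main())
```

To try it without postfix, feed the script a message on stdin (`./handler.py < message.eml`) and check the exit status; 0 means accepted, 67 means the message was rejected.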
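The combined `privkey+cert.pem` that step 4 builds with `cat`, and that the weekly cron job rebuilds, places the private key next to the certificate, so a practitioner will want to confirm after each renewal that the file has the order lighttpd expects and is not readable by other users. The following is an added example, not part of clif, certbot or lighttpd, that performs that check: it splits the file into PEM blocks, verifies there is exactly one private key followed by at least one certificate, and inspects the file mode. `check_combined_pem`, `pem_labels` and the constructed placeholder PEM blocks are assumptions made for this example.

```python
"""Added example: sanity-check a lighttpd-style privkey+cert.pem bundle.

Not part of clif, certbot or lighttpd; function names are assumptions. It reads
the PEM blocks in file order and the file mode, and reports what a renewal
script can get wrong: wrong block order, missing key, or world-readable key.
"""
import os
import re
import stat
import tempfile

# One PEM block: a BEGIN line, a body, and the END line with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text: str) -> list:
    """Return the BEGIN labels of every well-formed PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_combined_pem(path: str) -> list:
    """Return the problems found in the bundle; an empty list means it looks fine.

    Checks: exactly one private key, it is the first block, at least one
    certificate follows it, and the file is not readable by group or others.
    """
    problems = []
    with open(path, "r", encoding="ascii") as fh:
        labels = pem_labels(fh.read())

    keys = [i for i, lab in enumerate(labels) if lab in PRIVATE_KEY_LABELS]
    certs = [i for i, lab in enumerate(labels) if lab == "CERTIFICATE"]

    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif keys[0] != 0:
        problems.append("private key must be the first block (cat privkey.pem cert.pem)")
    if not certs:
        problems.append("no CERTIFICATE block found")
    elif keys and certs[0] < keys[0]:
        problems.append("certificate appears before the private key")

    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:04o} is readable by group/others")
    return problems


# Constructed placeholder PEM blocks (not real key material) for an offline demo.
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIplaceholder\n-----END PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIplaceholder\n-----END CERTIFICATE-----\n"


def write_bundle(content: str, mode: int) -> str:
    """Write a bundle to a temporary file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


def demo() -> dict:
    """Check one correct bundle and two broken ones; returns the problems per case."""
    cases = {
        "good": write_bundle(FAKE_KEY + FAKE_CERT, 0o600),
        "wrong_order": write_bundle(FAKE_CERT + FAKE_KEY, 0o600),
        "world_readable": write_bundle(FAKE_KEY + FAKE_CERT, 0o644),
    }
    results = {}
    for name, path in cases.items():
        results[name] = check_combined_pem(path)
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Against a real deployment, call `check_combined_pem("/etc/letsencrypt/live/<domain>/privkey+cert.pem")` from the renewal cron job and abort the lighttpd restart if it returns anything.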