Gitolite
-------------------------------------------------------------------------------

Follow the instructions at https://gitolite.com/gitolite/fool_proof_setup.html

TL;DR:

    su - git
    git clone https://github.com/sitaramc/gitolite
    gitolite/install -to $HOME/bin
    $HOME/bin/gitolite setup -pk .pub

Gitolite does not do authentication, it only does authorization. The name of
the logged-in user is provided to it as an environment variable.

In order to allow anonymous HTTP clones, i.e. to allow "git clone https://..."
without any authentication, the web app automatically sets a generic username
value of "anonymous". We need to let Gitolite know what the unauthenticated
user is going to be called so that it can check authorization for that name.
To do this, add the following to ~/.gitolite.rc in the section marked
"rc variables used by various features". This is explained at
https://gitolite.com/gitolite/http.html#allowing-unauthenticated-access

    HTTP_ANON_USER => 'anonymous',

Enable some non-core commands that are useful to us. This is done by editing
~/.gitolite.rc:

    'ENABLE' => [
        ... existing commands

        # Allow changing the HEAD reference (default branch) like this:
        # ssh git@host symbolic-ref HEAD refs/heads/
        'symbolic-ref',
    ]

Web UI
-------------------------------------------------------------------------------

The CLIF repository is assumed to have been cloned into /home/git/clif.

1. There are a couple of settings at the top of web.py. Change them.

2. Install the Python dependencies:

       cd /home/git/clif
       python3 -m venv venv
       venv/bin/pip install -r requirements.txt

3. Install a systemd service for controlling the UI:

       cp web.service /etc/systemd/system/clif-web.service
       systemctl daemon-reload
       systemctl enable clif-web
       systemctl start clif-web

Mailing Lists
-------------------------------------------------------------------------------

1. There are a couple of settings at the top of emails.py. Change them.

2. Add the following to /etc/postfix/main.cf. This will forward all emails
   for unknown local recipients to the system user "git":

       luser_relay = git
       local_recipient_maps =

3. Create the file /home/git/.forward with the content:

       |/home/git/clif/emails.py

   This is a sendmail file, also honoured by postfix, for deciding how
   incoming messages are delivered to the system user. For our purposes, we
   instruct postfix to pipe all the emails for user "git" to our script. Make
   sure the script is executable.

Let's Encrypt certificate
-------------------------------------------------------------------------------

    apt-get install certbot
    certbot certonly --webroot -w /var/www/html -d your-domain.tld

The cert is created in /etc/letsencrypt/live//

Lighttpd requires the certificate and private key to be in a single file:

    cat privkey.pem cert.pem > privkey+cert.pem

Configure the lighttpd reverse proxy:

    vim /etc/lighttpd/lighttpd.conf

    server.modules += (
        "mod_fastcgi",
        "mod_proxy",
    )

    $HTTP["scheme"] == "http" {
        url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
        url.redirect-code = 308
    }

    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live//privkey+cert.pem"
        ssl.ca-file = "/etc/letsencrypt/live//chain.pem"

        $HTTP["host"] == "" {
            proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => 5000 ) ) )
            # server.document-root = "/var/www/html" # Document Root
            # server.errorlog = "/"
            # accesslog.filename = "/"
        }
    }

Let's Encrypt certificates expire every 90 days, so we need to set up a cron
job that renews the certificate, generates a new privkey+cert.pem file, and
reloads lighttpd too.

    vim /etc/cron.weekly/clif-letsencrypt
    chmod +x /etc/cron.weekly/clif-letsencrypt

Content of the script (the shebang line is needed so run-parts can execute it):

    #!/bin/sh
    certbot renew
    cd /etc/letsencrypt/live/
    cat privkey.pem cert.pem > privkey+cert.pem
    service lighttpd restart
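The .forward pipe in the Mailing Lists section hands every message for user "git" to a script running with that user's privileges, so the script is parsing untrusted input from the whole internet. The following is an added example of the input-validation front end such a script needs; it is not the project's emails.py. It assumes a list address format of <list>@LIST_DOMAIN (the domain is a placeholder), derives the list name only from addresses that pass a strict pattern (the name later becomes a file-system path component), bounds the message size, and maps failures to the sysexits codes postfix understands for pipe delivery.

```python
#!/usr/bin/env python3
# Added example: validation front end for a mailing-list delivery script fed
# by the postfix ~/.forward pipe. Not the project's emails.py; LIST_DOMAIN and
# the list-name rule are assumptions made for this example.
import email
import email.policy
import re
import sys
from typing import Optional

LIST_DOMAIN = "lists.example.test"   # assumed placeholder, not from the page
# The list name later becomes a directory or file name, so allow only a plain
# lower-case token: no dots, slashes, underscores, or leading dashes.
LIST_NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")
MAX_MESSAGE_BYTES = 1_000_000        # bound memory: stdin is untrusted

EX_NOUSER = 67     # sysexits.h: postfix bounces the message
EX_TEMPFAIL = 75   # sysexits.h: postfix keeps it queued and retries later

# Constructed sample message for stand-alone runs and tests.
SAMPLE_MESSAGE = (
    b"From: Alice <alice@example.test>\r\n"
    b"To: Dev List <dev-list@lists.example.test>\r\n"
    b"Subject: Hello\r\n"
    b"\r\n"
    b"body\r\n"
)


class RejectMessage(Exception):
    """The message must not be delivered to any list (postfix bounces it)."""


def list_name_from_address(addr_spec: str) -> Optional[str]:
    """Return the list name if addr_spec is <list>@LIST_DOMAIN, else None."""
    local, sep, domain = addr_spec.rpartition("@")
    if not sep or domain.lower() != LIST_DOMAIN:
        return None
    name = local.lower()
    return name if LIST_NAME_RE.fullmatch(name) else None


def parse_delivery(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and decide which list it belongs to.

    Returns {"list", "sender", "subject"} or raises RejectMessage. Every
    header is attacker-controlled; nothing here is used as a path or a
    command unless it passed list_name_from_address().
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        raise RejectMessage("message too large")
    msg = email.message_from_bytes(raw, policy=email.policy.default)

    candidates = []
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        candidates.extend(a.addr_spec for a in header.addresses)
    names = [n for n in map(list_name_from_address, candidates) if n]
    if not names:
        raise RejectMessage("no valid list address among recipients")

    senders = msg["From"].addresses if msg["From"] else ()
    if not senders:
        raise RejectMessage("missing From header")

    return {
        "list": names[0],
        "sender": senders[0].addr_spec,
        "subject": str(msg["Subject"] or "").strip(),
    }


def main() -> int:
    # Read one byte past the limit so the size check can fire.
    raw = sys.stdin.buffer.read(MAX_MESSAGE_BYTES + 1)
    try:
        info = parse_delivery(raw)
    except RejectMessage as exc:
        print(f"rejected: {exc}", file=sys.stderr)
        return EX_NOUSER
    except Exception as exc:  # parser crash or bug: retry later, never lose mail
        print(f"temporary failure: {exc}", file=sys.stderr)
        return EX_TEMPFAIL
    # A real script would archive and redistribute here; this one only reports.
    print(f"deliver to list {info['list']} from {info['sender']}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit codes matter: returning 0 for a message you dropped tells postfix it was delivered, while an uncaught exception makes Python exit 1, which postfix treats as a permanent failure and bounces; 75 is the only code that keeps the message queued for a retry.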
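The weekly cron job above restarts lighttpd unconditionally after rewriting privkey+cert.pem, so a failed or partial renewal (empty key file, blocks in the wrong order, a key that no longer matches the certificate) is only discovered when the site stops serving TLS. This added example, which is not part of the project, is a stdlib-only check a practitioner can run from that cron script before the restart: it verifies the combined file contains exactly one private key and at least one certificate, then loads it the way lighttpd's OpenSSL does, which fails if the key and certificate do not match. The file path and the run-from-cron usage are assumptions.

```python
#!/usr/bin/env python3
# Added example: sanity-check a combined privkey+cert.pem before handing it to
# lighttpd. Not part of the project; the path below is a placeholder.
import re
import ssl
import sys
from typing import List, Tuple

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """Labels of the PEM blocks in the order they appear in the file."""
    return [m.group(1) for m in PEM_BLOCK_RE.finditer(text)]


def check_pemfile(path: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a lighttpd ssl.pemfile candidate."""
    try:
        with open(path, encoding="ascii") as fh:
            text = fh.read()
    except (OSError, UnicodeDecodeError) as exc:
        return False, f"cannot read {path}: {exc}"

    labels = pem_labels(text)
    keys = [label for label in labels if label in PRIVATE_KEY_LABELS]
    certs = [label for label in labels if label == "CERTIFICATE"]
    if len(keys) != 1:
        return False, f"expected exactly one private key block, found {len(keys)}"
    if not certs:
        return False, "no CERTIFICATE block found"

    # Load the file as a server would: OpenSSL raises if the private key does
    # not belong to the first certificate, or if any block is corrupt.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, f"OpenSSL rejected the file: {exc}"
    return True, f"ok: 1 private key, {len(certs)} certificate(s)"


if __name__ == "__main__":
    # Assumed invocation from the cron script: run the check and only restart
    # lighttpd when it exits 0.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/live/PLACEHOLDER/privkey+cert.pem"
    ok, reason = check_pemfile(target)
    print(reason)
    sys.exit(0 if ok else 1)
```

In the cron script this slots in between the cat and the restart, e.g. `python3 check_pemfile.py privkey+cert.pem && service lighttpd restart`, so a bad renewal leaves the previously working certificate in place and surfaces as a cron error mail instead of an outage.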