Gitolite
-------------------------------------------------------------------------------
Follow the instructions at https://gitolite.com/gitolite/fool_proof_setup.html
TL;DR:
su - git
git clone https://github.com/sitaramc/gitolite
gitolite/install -to $HOME/bin
$HOME/bin/gitolite setup -pk <admin_key>.pub
Gitolite does not do authentication; it only does authorization. The name of the
logged-in user is provided to it as an environment variable. In order to allow
anonymous HTTP clones, i.e. to allow "git clone https://..." without any
authentication, the web app automatically sets a generic username of "anonymous".
We need to tell Gitolite what the unauthenticated user is called so that it can
check authorization for it. To do this, add the following to ~/.gitolite.rc in the
section marked "rc variables used by various features". This is explained at
https://gitolite.com/gitolite/http.html#allowing-unauthenticated-access
HTTP_ANON_USER => 'anonymous',
Enable some non-core commands that are useful to us. This is also done by editing ~/.gitolite.rc:
'ENABLE' => [
... existing commands
# Allow changing a repository's HEAD reference (its default branch) like this:
# ssh git@host symbolic-ref <repo> HEAD refs/heads/<name>
'symbolic-ref',
]
Web UI
-------------------------------------------------------------------------------
The CLIF repository is assumed to have been cloned into /home/git/clif.
1. There are a couple of settings at the top of web.py. Change them to match your host.
2. Install the Python dependencies:
cd /home/git/clif
python3 -m venv venv
venv/bin/pip install -r requirements.txt
3. Install a systemd service for controlling the UI:
cp web.service /etc/systemd/system/clif-web.service
systemctl daemon-reload
systemctl enable clif-web
systemctl start clif-web
Mailing Lists
-------------------------------------------------------------------------------
1. There are a couple of settings at the top of emails.py. Change them to match your host.
2. Add the following to /etc/postfix/main.cf. This will forward all incoming emails to
the system user "git":
luser_relay = git
local_recipient_maps =
3. Create the file /home/git/.forward with the content:
|/home/git/clif/emails.py
This is a sendmail-style file, also honoured by Postfix, that decides how incoming
messages are delivered to the system user. For our purposes, we instruct Postfix
to pipe all the emails for user "git" to our script. Make sure the script is
executable.
Let's Encrypt certificate
-------------------------------------------------------------------------------
apt-get install certbot
certbot certonly --webroot -w /var/www/html -d your-domain.tld
The cert is created in /etc/letsencrypt/live/<your-domain.tld>/
Lighttpd requires the certificate and private key to be in a single file, so run
the following inside that directory:
cat privkey.pem cert.pem > privkey+cert.pem
Configure lighttpd reverse proxy:
vim /etc/lighttpd/lighttpd.conf
server.modules += (
"mod_fastcgi",
"mod_proxy",
)
$HTTP["scheme"] == "http" {
url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
url.redirect-code = 308
}
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/<your-domain.tld>/privkey+cert.pem"
ssl.ca-file = "/etc/letsencrypt/live/<your-domain.tld>/chain.pem"
$HTTP["host"] == "<your-domain.tld>" {
proxy.server = (
"" => (
( "host" => "127.0.0.1", "port" => 5000 )
)
)
# server.document-root = "/var/www/html" # Document Root
# server.errorlog = "/"
# accesslog.filename = "/"
}
}
Let's Encrypt certificates expire every 90 days, so we need to set up a cron job
that will renew them, generate a new privkey+cert.pem file and reload lighttpd.
vim /etc/cron.weekly/clif-letsencrypt
chmod +x /etc/cron.weekly/clif-letsencrypt
The script needs a shebang line and the executable bit so that cron's run-parts
can execute it:
#!/bin/sh
certbot renew
cd /etc/letsencrypt/live/<your-domain.tld>
cat privkey.pem cert.pem > privkey+cert.pem
service lighttpd restart
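The weekly script above rebuilds privkey+cert.pem with whatever umask cron happens to run under and restarts lighttpd whether or not anything was renewed. As an added example (not part of the original page or the CLIF project), the same job written as a certbot deploy hook: it is only invoked when a certificate was actually renewed, writes the combined file owner-only, and replaces it atomically. It assumes certbot's RENEWED_LINEAGE hook variable, that lighttpd is managed by systemd, and the hypothetical install path /etc/letsencrypt/renewal-hooks/deploy/clif-lighttpd.

```shell
#!/bin/sh
# Added example, not the page's own cron script: certbot deploy hook that builds
# lighttpd's combined privkey+cert.pem from a Let's Encrypt live directory.
# Assumptions: certbot exports RENEWED_LINEAGE to deploy hooks (it does for
# `certbot renew`), lighttpd runs under systemd, and this file lives at the
# hypothetical path /etc/letsencrypt/renewal-hooks/deploy/clif-lighttpd.
set -eu

# assemble_pemfile LIVE_DIR OUT_FILE
# Concatenate privkey.pem and cert.pem from LIVE_DIR into OUT_FILE with mode 0600.
# The result is written to a temp file first, so lighttpd never sees a
# half-written pemfile if the job is interrupted.
assemble_pemfile() {
    live_dir=$1
    out=$2
    # Refuse to run with missing inputs instead of producing a pemfile that
    # lighttpd would fail to load on its next restart.
    [ -s "$live_dir/privkey.pem" ] || { echo "missing $live_dir/privkey.pem" >&2; return 1; }
    [ -s "$live_dir/cert.pem" ]    || { echo "missing $live_dir/cert.pem" >&2; return 1; }
    tmp="$out.tmp.$$"
    (
        umask 077   # the combined file contains the private key: owner-only access
        cat "$live_dir/privkey.pem" "$live_dir/cert.pem" > "$tmp"
    )
    mv -f "$tmp" "$out"   # rename is atomic: readers get the old or the new file
}

# pemfile_mode FILE
# Prints "ok" when FILE has exactly mode 0600, "bad" otherwise (POSIX find -perm).
pemfile_mode() {
    if [ -n "$(find "$1" -perm 600 2>/dev/null)" ]; then echo ok; else echo bad; fi
}

# Entry point used by certbot: RENEWED_LINEAGE is the live directory that was
# just renewed, e.g. /etc/letsencrypt/live/<your-domain.tld>. Nothing runs when
# the script is sourced or executed outside of certbot.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    assemble_pemfile "$RENEWED_LINEAGE" "$RENEWED_LINEAGE/privkey+cert.pem"
    # graceful reload picks up the new pemfile without dropping connections;
    # fall back to a restart on units that do not support reload
    systemctl reload lighttpd || systemctl restart lighttpd
fi
```

With the hook in place the cron job shrinks to a plain `certbot renew`, and the ssl.pemfile path in lighttpd.conf stays as shown above.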