ID: cb4bfb2e367bd6310e4271d6dbd25e9de5882764


# Installation

1. Install Gitolite

Follow instructions at https://gitolite.com/gitolite/fool_proof_setup.html
When Gitolite is installed, clone the gitolite-admin repository and add this to
conf/gitolite.conf:

    repo CREATOR/..*
        C   =   @all
        RW+ =   CREATOR
        R   =   @all

The rule above allows any registered user (@all) to create a repository. CREATOR
is a gitolite keyword and is replaced with the name of the user who created the repo.
To create a new repository, just use "git clone git@domain:username/reponame".
Since the regexp CREATOR/..* replaces CREATOR with the user name, the logged-in
user is allowed to create new repositories *only* under their own username.

Adding a new user is as simple as adding their public key as gitolite-admin/keydir/<username>.pub.

Gitolite does not do authentication, only authorization. The name of the
logged-in user is provided to it as an environment variable. In order to allow anonymous
HTTP clones, i.e. "git clone https://..." without any authentication,
the web app automatically sets a generic username value of "anonymous". We need
to let Gitolite know what the unauthenticated user is going to be called so that
it can check authorization for it. To do this, just add the following to ~/.gitolite.rc
in the section marked "rc variables used by various features". This is explained
at https://gitolite.com/gitolite/http.html#allowing-unauthenticated-access

    HTTP_ANON_USER => 'anonymous',

Enable some non-core commands that are useful to us. This is done by editing ~/.gitolite.rc:

    'ENABLE' => [
        ... existing commands
        
        # Allow to change HEAD reference (default branch) like this:
        # ssh git@host symbolic-ref <repo> HEAD refs/heads/<name>
        'symbolic-ref',
    ]


2. Emails

Start by downloading the clif repository:

    git clone <clif-url> /home/git

Change the settings inside the emails.py file.

Add the following to /etc/postfix/main.cf. This will forward all emails for
unknown local recipients to the system user "git":

    luser_relay = git
    local_recipient_maps =

Then add the following to /home/git/.forward. ".forward" is a sendmail file, also
used by postfix, that decides how to deliver messages to the system user.
For our purposes, we instruct postfix to pipe all the emails for user "git" to our
script:

    |/home/git/clif/emails.py

Make sure the script is executable:

    chmod +x /home/git/clif/emails.py
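As an added illustration (not clif's own emails.py), this is the shape of a script that postfix runs for each message through that .forward line: the raw message arrives on stdin, the envelope recipient in the ORIGINAL_RECIPIENT environment variable that postfix local(8) exports to piped commands, and the script's exit status (sysexits.h values) tells postfix whether the mail was delivered, should be retried, or bounced. The repository naming rule, the size limit and the sample message are constructed assumptions.

```python
#!/usr/bin/env python3
import os
import re
import sys
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# sysexits.h values that postfix local(8) honours for a piped command:
# 0 = delivered, 69 = bounce as undeliverable, 75 = temporary failure, retry.
EX_OK, EX_UNAVAILABLE, EX_TEMPFAIL = 0, 69, 75
MAX_BYTES = 1024 * 1024                                   # assumed 1 MiB cap
REPO_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")  # assumed naming rule

# Constructed sample message, in the form postfix pipes it to stdin.
SAMPLE = (b"From: Alice <alice@example.org>\n"
          b"To: myrepo@domain.tld\n"
          b"Subject: [PATCH] fix typo\n"
          b"Content-Type: text/plain; charset=utf-8\n"
          b"\n"
          b"Fixes a typo in README.\n")

def handle_message(raw: bytes, recipient: str):
    """Validate one piped message; returns (exit status, details dict)."""
    if len(raw) > MAX_BYTES:
        return EX_UNAVAILABLE, {"error": "message too large"}
    # The envelope recipient comes from postfix, not from the message body, so
    # it is the routing key we trust. It is still remote-controlled text, so
    # restrict it before it can name a repository (or a path) on disk.
    repo = recipient.split("@", 1)[0]
    if not REPO_RE.fullmatch(repo):
        return EX_UNAVAILABLE, {"error": "bad recipient"}
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # From: is whatever the sender typed: keep it for display, never for authz.
    _, sender = parseaddr(msg.get("From", ""))
    if not sender:
        return EX_UNAVAILABLE, {"error": "missing From:"}
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return EX_OK, {"repo": repo, "sender": sender,
                   "subject": str(msg.get("Subject", "")), "text": text}

if __name__ == "__main__":
    status, details = handle_message(sys.stdin.buffer.read(),
                                     os.environ.get("ORIGINAL_RECIPIENT", ""))
    if status != EX_OK:
        print(details["error"], file=sys.stderr)   # lands in the mail log
    sys.exit(status)
```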

3. Web UI

Start by downloading the clif repository:

    git clone <clif-url> /home/git

Install the requirements:

    cd /home/git/clif
    python3 -m venv venv
    source venv/bin/activate
    pip install -r requirements.txt

Change the settings inside the web.py file.

Install a systemd service:

    cp web.service /etc/systemd/system/clif-web.service
    systemctl daemon-reload
    systemctl enable clif-web
    systemctl start clif-web

4. TLS certificate

Now we create a new TLS certificate for supporting HTTPS connections:

    apt-get install certbot
    certbot certonly --webroot -w /var/www/html -d domain.tld

The cert is created in /etc/letsencrypt/live/<domain.tld>/

Lighttpd requires the certificate and private key to be in a single file:

    cat privkey.pem cert.pem > privkey+cert.pem

Configure lighttpd reverse proxy:

    vim /etc/lighttpd/lighttpd.conf
    
    server.modules += (
        "mod_fastcgi",
        "mod_proxy",
    )
    
    $HTTP["scheme"] == "http" {
        url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
        url.redirect-code = 308
    }

    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/<domain.tld>/privkey+cert.pem"
        ssl.ca-file = "/etc/letsencrypt/live/<domain.tld>/chain.pem"

        $HTTP["host"] == "<domain.tld>" {
            proxy.server = (
                "" => (
                    ( "host" => "127.0.0.1", "port" => 5000 )
                )
            )
            # server.document-root = "/var/www/html" # Document Root
            # server.errorlog = "/"
            # accesslog.filename = "/"
        }
    }

Let's Encrypt certificates expire every 90 days, so we need to set up a cron job
that will generate a new privkey+cert.pem file and restart lighttpd too.

    vim /etc/cron.weekly/clif-letsencrypt
    chmod +x /etc/cron.weekly/clif-letsencrypt

    #!/bin/sh
    # run-parts executes this file directly, so it needs the shebang above;
    # set -e stops the script before it restarts lighttpd if any step fails.
    set -e
    certbot renew
    cd /etc/letsencrypt/live/<domain.tld>
    cat privkey.pem cert.pem > privkey+cert.pem
    service lighttpd restart

# Development

    gunicorn --reload --bind localhost:5000 web:application