Git server

Step by Step Guide on Setting Up git Server describes setting up an unsecured server on Arch.

By default, the git user is expired ("Your account has expired; please contact your system administrator"). Use chage to remove the expiration condition, e.g. as follows:

chage -E -1 git

You only need to set up an SSH server.

You are able to secure the SSH user account even more allowing only push and pull commands on this user account. This is done by replacing the default login shell by git-shell. Described in Setting Up the Server.

When securing the git server created using the instructions in #General with the instructions of this clause (#SSH), the following additional steps are needed on Arch:

1. Change the home directory: In order for ssh to be able to read /srv/git/.ssh/authorized_keys, the home directory for git in /etc/passwd needs to be changed from / to /srv/git.
2. Change the base path when home directory is corrected: In order for git to serve the repositories, the --base-path in git-daemon\@.service need to be changed to /srv/git if the repositories are served from git's home directory.

"Dumb" in this context means that only WebDAV is involved in pulls and pushes.

Follow the basic WebDAV instructions for nginx. Pushing via WebDAV also requires Locking. Here is an example location block:

/etc/nginx/nginx.conf

location /repos/ {
        auth_basic "Authorized Personnel Only!";
        auth_basic_user_file /etc/nginx/htpasswd;
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_ext_methods PROPFIND OPTIONS LOCK UNLOCK;
        dav_access user:rw group:rw all:r;
        dav_ext_lock zone=general;
        create_full_put_path on;
        client_body_temp_path /tmp;
    }

Note the dav_ext_lock zone. Add the specified locking zone to the http section of your config:

/etc/nginx/nginx.conf

dav_ext_lock_zone zone=general:10m;

Now do the ususal steps when preparing a git repo for the server:

• copy the bare repo to the server
• run in the bare repo
• chown the repo to be owned by http:http

You might have noticed that I added HTTP Basic Authentication to have at lease some means of access control. Everyone who has an password entry in the htaccess file can push.

Now you can clone as usual:

$ git clone https://www.example.com/repos/myrepo.git
Cloning into 'qtcv'...
$

Make some changes, add, commit, and push:

$ git push origin main
error: Cannot access URL https://www.example.com/repos/myrepo.git/, return code 22
fatal: git-http-push failed
error: failed to push some refs to 'https://www.example.com/repos/myrepo.git'

Oh noes! For some reason PROPFIND reports 401 Unauthorized and that's all. Nothing in the nginx error logs. Appearently the git client has a problem passing the username and password for all subsequent requests. Running a git credential cache does not help. The only solution that works so far is editing the ~/.netrc (obviously git uses curl for http):

$  > git push origin main
Fetching remote heads...
 refs/
 refs/heads/
 refs/tags/
updating 'refs/heads/main'
 from 03f8860418facfbecedd5e0a81b480131b31bcba
 to   ec5536091e31ebf172a34c6d1ebddfc36e3bd3a6
   sending 3 objects
   done
Updating remote server info
To https://www.example.com/repos/myrepo.git
  0318860..ec55560  main -> main

You might want to specify the clone URL as https://username:password@www.example.com/repos/myrepo.git. This works for the initial clone but for a subsequent push you get an error message in your error log stating that the destination URL is handled by a different repository.

The is a CGI program, allowing efficient cloning, pulling and pushing over HTTP(S).

The setup for this is rather simple as all you need to have installed is the Apache HTTP Server, with mod_cgi, , and enabled) and of course, .

Once you have your basic setup running, add the following to your Apache configuration file, which is usually located at:

This assumes your Git repositories are located at /srv/git and that you want to access them via something like: .

For more detailed documentation, visit the following links:

• https://git-scm.com/book/en/v2/Git-on-the-Server-Smart-HTTP
• https://git-scm.com/docs/git-http-backend

The Git protocol is not encrypted or authenticated, and only allows read access.

The Git daemon () can be started with .

The service uses the and --base-path parameters to serve all repositories placed in /srv/git/.

• Gitweb — the default web interface that comes with Git