Simple git server on OpenBSD

September 11, 2021

Nowadays, solutions like Github or Gitlab are popular for hosting git repositories online. I find these tools rather bloated with features that I will likely never need for my small projects, so I decided to set up a simple self-hosted git server on OpenBSD. Here is how I configured it.

Creating the repository

Of course, you first need to install git. I personally chose to install the package:

# pkg_add git

Next, add a git user; developers will push code to the repositories through this account:

# adduser
Enter username []:        git
Enter full name []: git
Enter shell csh git-shell ksh nologin sh [ksh]: 
Uid [1001]: 
Login group git [git]: 
Invite git into other groups: guest no [no]: 
Login class authpf bgpd daemon default pbuild staff unbound xenodm [default]: 
Enter password []: xxx
Enter password again []: xxx

Now import the developers' public keys by adding them to the file /home/git/.ssh/authorized_keys (one key per line). On Linux clients the ssh-copy-id command can do this for you, but it runs a shell command on the server, so it only works while the git account still has a normal login shell; once the account is locked down below, copy keys by hand.

Initialise a bare repository in the folder /var/www/git-repos. Create the directory as root and hand it to the git user, then run git init as the git user (the $ prompt) so that the repository files belong to that account:

# mkdir -p /var/www/git-repos/pelican-minimal.git
# chown -R git:www /var/www/git-repos
$ cd /var/www/git-repos/pelican-minimal.git/
$ git init --bare

The folder choice can seem strange, but it will allow us to easily publish the repository through a website a bit later. If you want developers to be able to push code with a URL like git@git.vdouillet.fr:/git/pelican-minimal, a symbolic link does the job (git resolves the missing .git suffix itself when it opens the repository):

# ln -s /var/www/git-repos /git

The repository is ready, developers can push code like so:

$ git remote add origin git@git.vdouillet.fr:/git/pelican-minimal
$ git push origin master

Security is not optimal though: anyone holding one of those keys can open a shell on the server as the git account. To prevent this, change the login shell of the git account to git-shell. This shell refuses interactive logins and only runs the git server-side commands (git-upload-pack, git-receive-pack and git-upload-archive):

# chpass -s git-shell git

It's better, but key holders can still request port forwarding, agent forwarding or a pseudo-terminal. Disable these by prefixing each key in the authorized_keys file you edited earlier with the following options (the options are comma-separated, and a single space separates them from the key type):

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

On a recent OpenSSH, the single option restrict switches on all of these restrictions at once (plus no-user-rc) and is harder to get wrong.
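As an added example (not code from the original post), here is a small POSIX shell script that applies that options prefix to every key line of an authorized_keys file and counts the key lines that still lack a pty restriction, so you can check the file before and after editing it. The RESTRICT_OPTS string is the one from the post; the script name, the file paths in the usage comment and the sample keys used to try it out are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article: harden the git user's
# authorized_keys so that key holders get git-shell and nothing else.
# Assumes OpenSSH authorized_keys syntax: "[options] keytype base64 [comment]".

RESTRICT_OPTS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# restrict_keys: read authorized_keys lines on stdin and write hardened lines
# on stdout.  A line that begins with a key type gets the options prefix;
# blank lines, comments and lines that already carry an options field are
# passed through untouched, so running the function twice changes nothing.
restrict_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)
                printf '%s\n' "$line" ;;
            'ssh-ed25519 '*|'ssh-rsa '*|'ssh-dss '*|'ecdsa-sha2-'*|'sk-'*)
                printf '%s %s\n' "$RESTRICT_OPTS" "$line" ;;
            *)
                # Existing options field (e.g. command="..." or restrict):
                # leave it alone and review it by hand.
                printf '%s\n' "$line" ;;
        esac
    done
}

# count_unrestricted FILE: print how many key lines in FILE carry neither
# the no-pty option nor the all-in-one restrict option.  Zero means every
# key is confined; anything else means a key holder can still get a pty.
count_unrestricted() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | grep -Evc '(^|,)(no-pty|restrict)(,|[[:space:]])' || true
}

# Usage (hypothetical paths):
#   sh harden_keys.sh /home/git/.ssh/authorized_keys > authorized_keys.new
if [ "$#" -eq 1 ]; then
    restrict_keys < "$1"
fi
```

Note that a line which already has an options field, such as one starting with command="...", is deliberately left alone: it may be confined on purpose in a different way, and count_unrestricted will still report it if no-pty is missing, so that you look at it yourself rather than having the script guess.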

Public access

To make the repository publicly available, I've chosen to use cgit. It's a CGI program that provides a web interface and also lets clients clone the repository over HTTP (read-only; pushes still go through SSH). Let's first install cgit:

# pkg_add cgit

As noted by the README after installation, you need to create a configuration file /var/www/conf/cgitrc for cgit. See cgitrc(5) for the complete list of parameters. httpd and the CGI run chrooted in /var/www, so repo.path is given relative to that directory, and it must name the pelican-minimal.git directory created earlier (cgit does not add the .git suffix the way git over SSH does). Here is a basic file that exposes only one repository:

repo.url=pelican-minimal
repo.path=/git-repos/pelican-minimal.git
repo.clone-url=http://git.vdouillet.fr/pelican-minimal
repo.desc=minimal pelican theme

The httpd web server still needs to be configured. The sample configuration from cgit's README works just fine, so I copied it into /etc/httpd.conf:

server "git.vdouillet.fr" {
    listen on egress port 80

    # don't serve static files from cgit CGI: cgit.css and cgit.png
    location "/cgit.*" {
        root "/cgit"
        no fastcgi
    }
    root "/cgi-bin/cgit.cgi"
    fastcgi socket "/run/slowcgi.sock"
}

Finally, enable and start the two required daemons, slowcgi and httpd:

# rcctl enable slowcgi
# rcctl start slowcgi
# rcctl enable httpd
# rcctl start httpd

The repository can now be browsed at http://git.vdouillet.fr/ and cloned over HTTP from the clone-url configured above.

Constructive feedback is welcome on Twitter.
