Difference between revisions of "Gitolite"

From ArchWiki
(ssh access: simplified and extended the instructions now that the installation instructions create equivalent environments)
(update Pkg/AUR templates (https://github.com/lahwaacz/wiki-scripts/blob/master/update-package-templates.py))
Line 3: Line 3:
  
 
== Installation ==
 
== Installation ==
{{AUR|gitolite}} is available in the [[Arch User Repository]], but installation is easier when done manually via the [https://github.com/sitaramc/gitolite/ Git repository] on GitHub.
+
{{Pkg|gitolite}} is available in the [[Arch User Repository]], but installation is easier when done manually via the [https://github.com/sitaramc/gitolite/ Git repository] on GitHub.
  
 
== Configuration ==
 
== Configuration ==
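Review bot: the + line in the Installation section switches the template to {{Pkg|gitolite}}, but the rest of the sentence still says the package "is available in the [[Arch User Repository]]". The Pkg template is for packages in the official repositories, so the link text should be changed in the same edit (or the AUR template kept) so that the template and the sentence agree.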
Line 114: Line 114:
  
 
== Gitosis-like ssh usernames ==
 
== Gitosis-like ssh usernames ==
If you want to distinguish users with the same login (like username@server1, username@server2) you may want to do the following (for {{AUR|gitolite}}-3.04-1):
+
If you want to distinguish users with the same login (like username@server1, username@server2) you may want to do the following (for {{Pkg|gitolite}}-3.04-1):
  
 
* edit {{ic|/usr/lib/gitolite/triggers/post-compile/ssh-authkeys}} and replace
 
* edit {{ic|/usr/lib/gitolite/triggers/post-compile/ssh-authkeys}} and replace
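Review bot: on the + line of the Gitosis-like section the suffix "-3.04-1" is left attached directly to the new {{Pkg|gitolite}} template, so a package link is rendered with a hand-typed version string glued to it. Suggest stating the tested version in words after the template, and, since the step that follows edits a packaged file under /usr/lib/gitolite, adding a note that a package upgrade replaces that file and the edit has to be reapplied.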

Revision as of 19:29, 29 March 2015

Gitolite allows you to host Git repositories easily and securely.

Installation

gitolite is available in the Arch User Repository, but installation is easier when done manually via the Git repository on GitHub.

Configuration

  • Installing Git from pacman automatically adds a "git" user to the system, but the home directory needs to be set manually:
# install -o git -g git -m 700 -d /srv/git
# usermod -d /srv/git git
  • If installing manually from the Git repository create a new user named "git":
# useradd -r -U -b /srv -m -k /dev/null -c "git daemon user" -s /bin/bash git

ssh access

  1. Copy *your* SSH public key to /srv/git/<your_username>.pub
$ sudo install -o git -g git ~/.ssh/id_rsa.pub /srv/git/<your_username>.pub
  2. Run the Gitolite setup script as git. Substitute *your* username below:
# su - git
$ gitolite setup -pk <your_username>.pub

This puts your public key into the gitolite-admin keydir and gives your username RW+ access to the gitolite-admin repository.

You can now remove the SSH public key you copied and exit the git user shell:

$ rm <your_username>.pub
$ exit

Now, as your own user, you can check that everything went correctly:

$ ssh git@<your_server> info
hello <your_username>, this is git@<your_server> running gitolite3 v3.6.2 on git 2.3.3

 R W    gitolite-admin
 R W    testing

Do NOT add repositories or users directly as git on the server! You MUST manage the server by cloning the special gitolite-admin repository:

$ git clone git@<your_server>:gitolite-admin

For reference see Gitolite

Adding http(s) access via Apache (with basic authentication)

  • We need to create an suEXEC wrapper script. To satisfy suEXEC's security requirements, the script and the directory containing it must be owned by git:git and below /srv/http in the directory hierarchy. For this example, we create the directory as /srv/http/git/cgi-bin.
# sudo install -o git -g git -d /srv/http/git/cgi-bin
  • Create an suEXEC wrapper for the gitolite shell with the contents below. For this example, we create it as /srv/http/git/cgi-bin/gitolite-suexec-wrapper.
#!/usr/bin/bash
#
# suEXEC wrapper for gitolite-shell
#

export GIT_PROJECT_ROOT=/srv/git/repositories
export GITOLITE_HTTP_HOME=/srv/git

exec /usr/lib/gitolite/gitolite-shell
  • Make the wrapper executable and owned by git:git.
# sudo chown git:git /srv/http/git/cgi-bin/gitolite-suexec-wrapper
# sudo chmod 0755 /srv/http/git/cgi-bin/gitolite-suexec-wrapper
  • Create an empty password database file, owned by git:http
# sudo install -o git -g http -m 0640 /dev/null /srv/http/git/htpasswd
  • Apache's basic authentication mechanism is separate from ssh, and therefore requires a separate set of credentials. Create your web users using htpasswd.
# sudo htpasswd /srv/http/git/htpasswd <your_username>
  • Add the following to your Apache vhost configuration:
SuexecUserGroup git git
ScriptAlias /git/ /srv/http/git/cgi-bin/gitolite-suexec-wrapper/

<Directory /srv/http/git/cgi-bin>
    Require all granted
</Directory>

<Location /git>
    AuthType Basic
    AuthName "Git Access"
    AuthBasicProvider file
    AuthUserFile /srv/http/git/htpasswd
    Require valid-user
</Location>
  • Reload Apache.
# sudo systemctl reload httpd
  • Finally, in the gitolite-admin repository you cloned in the previous section, edit conf/gitolite.conf, add an R = daemon access rule to all repositories you want to make available via http, and push the changes.

Add users

ssh users

Ask each user who will get access to send you a public key. Each user generates an SSH key pair on their own workstation:

$ ssh-keygen

Rename each public key according to the user's name, with a .pub extension, like sitaram.pub or john-smith.pub. You can also use periods and underscores. Have the users send you the keys.

Copy all these *.pub files to keydir in your gitolite-admin repo clone. You can also organise them into various subdirectories of keydir if you wish, since the entire tree is searched.

Edit the config file (conf/gitolite.conf in your admin repo clone). See the gitolite.conf documentation (http://sitaramc.github.com/gitolite/admin.html#conf) for details on what goes in that file, syntax, etc. Just add new repos as needed, and add new users and give them permissions as required. The user names should be exactly the same as their key file names, but without the .pub extension.

$ nano conf/gitolite.conf

Commit and push the changes:

$ git commit -a
$ git push

http(s) users

User management for http(s) is more suitable for single-user setups. To add a new user or to change an existing user's password:

# sudo htpasswd /srv/http/git/htpasswd <username>

Gitosis-like ssh usernames

If you want to distinguish users with the same login (like username@server1, username@server2) you may want to do the following (for gitolite-3.04-1):

  • edit /usr/lib/gitolite/triggers/post-compile/ssh-authkeys and replace
$user =~ s/(\@[^.]+)?\.pub$//;    # baz.pub, baz@home.pub -> baz

with

$user =~ s/\.pub$//;              # baz@home.pub -> baz@home
  • update authorized_keys file (for example, by pushing into the gitolite-admin repository)
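
Before making this change, it helps to see which existing key files end up with a different user name, because access rules in conf/gitolite.conf are written against those names. The following is an added example, not part of the original page or of gitolite: it reproduces the two substitutions above as Python regexes and runs them over a constructed keydir listing. It assumes that only the base name of each key file is used to derive the user name.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# The two substitutions quoted above, written as Python regexes.
STOCK = re.compile(r"(@[^.]+)?\.pub$")   # baz.pub, baz@home.pub -> baz
GITOSIS = re.compile(r"\.pub$")          # baz@home.pub -> baz@home

def user_for(keyfile, rule):
    """User name derived from a key file path (assumption: only the base name counts)."""
    return rule.sub("", PurePosixPath(keyfile).name)

def audit(keyfiles):
    """Compare both rules over a keydir listing.

    Returns (renamed, split):
      renamed: key file -> (old user, new user) where the name changes
      split:   old user -> sorted new users, where one user becomes several
    """
    renamed, groups = {}, defaultdict(set)
    for path in keyfiles:
        old, new = user_for(path, STOCK), user_for(path, GITOSIS)
        groups[old].add(new)
        if old != new:
            renamed[path] = (old, new)
    split = {u: sorted(n) for u, n in groups.items() if len(n) > 1}
    return renamed, split

# Constructed sample listing, not taken from a real server.
SAMPLE_KEYDIR = [
    "keydir/alice.pub",
    "keydir/baz@home.pub",
    "keydir/baz@work.pub",
    "keydir/laptops/carol@x1.pub",
    "keydir/sitaram@laptop.example.pub",  # dot after '@': the stock rule keeps the suffix
]

if __name__ == "__main__":
    renamed, split = audit(SAMPLE_KEYDIR)
    for path, (old, new) in sorted(renamed.items()):
        print(f"{path}: {old} -> {new}")
    for old, new in sorted(split.items()):
        print(f"{old} splits into {', '.join(new)}")
```

Every user listed as renamed needs its rules in conf/gitolite.conf updated to the new name in the same push, otherwise rules written for the old name no longer apply to those keys.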

See also

http://sitaramc.github.com/gitolite/index.html