authorDmitry Ilvokhin <d@ilvokhin.com>2025-07-26 20:03:08 +0100
committerDmitry Ilvokhin <d@ilvokhin.com>2025-07-26 20:32:40 +0100
commit1152d4b300cd5ff03c5642fce71bda53b5baaa6d (patch)
treee6449147596e02f2f0d1480297e03256a9b2bda7 /roles/gitserver/files
parent21b3c4ee59935aaa6bc23a50492af4ec3e37771c (diff)
Make smart http git protocol work without authentication
Ask for authentication only when pushing to a repository. All other operations no longer require authentication. The HTTP protocol is still not fully usable, because git (git) and fcgiwrap (http) run under different users. `GIT_HTTP_EXPORT_ALL` was removed to forbid export of private repositories via the HTTP protocol.
Diffstat (limited to 'roles/gitserver/files')
-rw-r--r--roles/gitserver/files/git.conf11
-rw-r--r--roles/gitserver/files/gitconfig2
2 files changed, 11 insertions, 2 deletions
diff --git a/roles/gitserver/files/git.conf b/roles/gitserver/files/git.conf
index 3d6d6a3..f4e880d 100644
--- a/roles/gitserver/files/git.conf
+++ b/roles/gitserver/files/git.conf
@@ -1,7 +1,15 @@
# Source: https://gist.github.com/kierdwyn/3745400e6a184f621b92
location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) {
- auth_basic "Restricted";
+ # Disable authentication by default.
+ set $auth off;
+
+ # Require authentication for push.
+ if ($request ~ git-receive-pack) {
+ set $auth "Restricted";
+ }
+
+ auth_basic $auth;
auth_basic_user_file /etc/nginx/auth/git/.htpasswd;
# Set chunks to unlimited, as the body's can be huge.
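Review bot: The push gate `if ($request ~ git-receive-pack)` tests the raw, un-normalized request line, while the enclosing location regex and `PATH_INFO $uri` work on the normalized URI, so the two can disagree about whether a request is a push, and `auth_basic` then stays `off`. Deciding on the normalized path and the parsed argument is tighter: `if ($uri ~ "/git-receive-pack$") { set $auth "Restricted"; }` plus `if ($arg_service = "git-receive-pack") { set $auth "Restricted"; }`. `$arg_service` is still not decoded by nginx, so the real backstop is git-http-backend's default of refusing receive-pack when REMOTE_USER is empty; `http.receivepack` should therefore stay unset on these repositories. The location block continues past the end of this hunk, so the rest of the fastcgi setup is not reviewed here.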
@@ -9,7 +17,6 @@ location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
- fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /srv/git;
fastcgi_param PATH_INFO $uri;
# Forward REMOTE_USER as we want to know when we are authenticated.
diff --git a/roles/gitserver/files/gitconfig b/roles/gitserver/files/gitconfig
new file mode 100644
index 0000000..3209b9f
--- /dev/null
+++ b/roles/gitserver/files/gitconfig
@@ -0,0 +1,2 @@
+[safe]
+ directory = /srv/git/*
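Review bot: `directory = /srv/git/*` under `[safe]` switches off git's repository-ownership check for every path below /srv/git, and the new file has no comment saying why or for which account it is meant. The commit message suggests the reason is that fcgiwrap (http) reads repositories owned by git; if so, say it in the file, e.g. `# fcgiwrap runs as http but repositories are owned by git; trust only the project root.` Where the file gets installed is not visible in this diff; placing it in the http user's global config rather than the system-wide one would keep the exemption from applying to other accounts on the host.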