author | Dmitry Ilvokhin <d@ilvokhin.com> | 2025-07-26 20:03:08 +0100 |
---|---|---|
committer | Dmitry Ilvokhin <d@ilvokhin.com> | 2025-07-26 20:32:40 +0100 |
commit | 1152d4b300cd5ff03c5642fce71bda53b5baaa6d (patch) | |
tree | e6449147596e02f2f0d1480297e03256a9b2bda7 /roles/gitserver | |
parent | 21b3c4ee59935aaa6bc23a50492af4ec3e37771c (diff) | |
Make smart http git protocol work without authentication
Ask to authenticate only when trying to push to repository. All other
operations do not require authentication anymore. Http protocol is still
not fully usable, because git (git) and fcgiwrap (http) are
running under different users.
`GIT_HTTP_EXPORT_ALL` was removed to forbid export of private
repositories via http protocol.
Diffstat (limited to 'roles/gitserver')
-rw-r--r-- | roles/gitserver/files/git.conf | 11 | ||||
-rw-r--r-- | roles/gitserver/files/gitconfig | 2 | ||||
-rw-r--r-- | roles/gitserver/tasks/main.yml | 8 |
3 files changed, 19 insertions, 2 deletions
diff --git a/roles/gitserver/files/git.conf b/roles/gitserver/files/git.conf index 3d6d6a3..f4e880d 100644 --- a/roles/gitserver/files/git.conf +++ b/roles/gitserver/files/git.conf @@ -1,7 +1,15 @@ # Source: https://gist.github.com/kierdwyn/3745400e6a184f621b92 location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) { - auth_basic "Restricted"; + # Disable authentication by default. + set $auth off; + + # Require authentication for push. + if ($request ~ git-receive-pack) { + set $auth "Restricted"; + } + + auth_basic $auth; auth_basic_user_file /etc/nginx/auth/git/.htpasswd; # Set chunks to unlimited, as the body's can be huge. @@ -9,7 +17,6 @@ location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) { include fastcgi_params; fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; - fastcgi_param GIT_HTTP_EXPORT_ALL ""; fastcgi_param GIT_PROJECT_ROOT /srv/git; fastcgi_param PATH_INFO $uri; # Forward REMOTE_USER as we want to know when we are authenticated. diff --git a/roles/gitserver/files/gitconfig b/roles/gitserver/files/gitconfig new file mode 100644 index 0000000..3209b9f --- /dev/null +++ b/roles/gitserver/files/gitconfig @@ -0,0 +1,2 @@ +[safe] + directory = /srv/git/* diff --git a/roles/gitserver/tasks/main.yml b/roles/gitserver/tasks/main.yml index c007c6e..9ec412f 100644 --- a/roles/gitserver/tasks/main.yml +++ b/roles/gitserver/tasks/main.yml @@ -65,6 +65,14 @@ group: git mode: u+rwx,g+r,o+r +- name: Configure git system-wide + ansible.builtin.copy: + src: files/gitconfig + dest: /etc/gitconfig + owner: git + group: git + mode: u+rwx,g+r,o+r + - name: Configure git-daemon systemd service ansible.builtin.copy: src: files/git-daemon.service |
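Review bot: In the first hunk of roles/gitserver/files/git.conf, `if ($request ~ git-receive-pack)` decides on the raw request line, while the location regex and `fastcgi_param PATH_INFO $uri` work on the normalized URI, so the authentication decision and the path handed to git-http-backend can disagree whenever the raw and normalized forms of a request differ. Suggest testing the normalized values instead, `$uri` for the push endpoint and `$arg_service` for the `info/refs` discovery request, with the pattern anchored to the final path component. A comment would also help here noting that git-http-backend only enables receive-pack by default when REMOTE_USER is set, since that is the backstop if this check ever misses.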
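Review bot: In the second hunk of roles/gitserver/files/git.conf, removing `fastcgi_param GIT_HTTP_EXPORT_ALL "";` while reads are now unauthenticated makes the `git-daemon-export-ok` marker file in each repository the only thing that decides whether it is readable over HTTP, and nothing in the config says so. Suggest a comment next to `fastcgi_param GIT_PROJECT_ROOT /srv/git;` stating that only repositories carrying `git-daemon-export-ok` are served, so that a later edit does not re-add the variable and expose private repositories.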
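Review bot: In the new roles/gitserver/files/gitconfig, `directory = /srv/git/*` is installed as system-wide configuration, so the repository ownership check is switched off under /srv/git for every account on the host, not only for the fcgiwrap user that the commit message names as the reason. Suggest scoping it to that one user's own git configuration, or aligning repository ownership so the exception is not needed. Also worth documenting in the role: the trailing `/*` form is only understood by recent git releases, and older ones accept an exact path or a bare `*`, so the setting may silently have no effect depending on the packaged git version.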
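Review bot: In the roles/gitserver/tasks/main.yml hunk, the new task installs `/etc/gitconfig` with `owner: git` and `mode: u+rwx,g+r,o+r`, which lets the git service account rewrite configuration that every user on the host reads, root included, and marks a plain config file as executable. Suggest `owner: root`, `group: root` and an absolute `mode: "0644"`. The symbolic `+` form only adds bits, so it would not remove looser permissions if the file already exists.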