From 1152d4b300cd5ff03c5642fce71bda53b5baaa6d Mon Sep 17 00:00:00 2001 From: Dmitry Ilvokhin Date: Sat, 26 Jul 2025 20:03:08 +0100 Subject: Make smart http git protocol work without authentication Ask to authenticate only when trying to push to repository. All other operations do not require authentication anymore. Http protocol is still not fully usable, because of the git (git) and fcgiwrap (http) are running under different user. `GIT_HTTP_EXPORT_ALL` was removed to forbid export of private repositories via http protocol. --- roles/gitserver/files/git.conf | 11 +++++++++-- roles/gitserver/files/gitconfig | 2 ++ roles/gitserver/tasks/main.yml | 8 ++++++++ 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 roles/gitserver/files/gitconfig (limited to 'roles/gitserver') diff --git a/roles/gitserver/files/git.conf b/roles/gitserver/files/git.conf index 3d6d6a3..f4e880d 100644 --- a/roles/gitserver/files/git.conf +++ b/roles/gitserver/files/git.conf @@ -1,7 +1,15 @@ # Source: https://gist.github.com/kierdwyn/3745400e6a184f621b92 location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) { - auth_basic "Restricted"; + # Disable authentication by default. + set $auth off; + + # Require authentication for push. + if ($request ~ git-receive-pack) { + set $auth "Restricted"; + } + + auth_basic $auth; auth_basic_user_file /etc/nginx/auth/git/.htpasswd; # Set chunks to unlimited, as the body's can be huge. @@ -9,7 +17,6 @@ location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) { include fastcgi_params; fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; - fastcgi_param GIT_HTTP_EXPORT_ALL ""; fastcgi_param GIT_PROJECT_ROOT /srv/git; fastcgi_param PATH_INFO $uri; # Forward REMOTE_USER as we want to know when we are authenticated. diff --git a/roles/gitserver/files/gitconfig b/roles/gitserver/files/gitconfig new file mode 100644 index 0000000..3209b9f --- /dev/null +++ b/roles/gitserver/files/gitconfig 
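Review bot: The `if ($request ~ git-receive-pack)` test is an unanchored, case-sensitive substring match against the whole request line, and nothing in the hunk records why that scope is intended, so a later reader may narrow it to `$uri` and silently drop the push ref-discovery request from the authenticated set. I would add above the `if`: `# Match the whole request line so both the discovery GET (info/refs?service=git-receive-pack) and the POST to /git-receive-pack require credentials.` It is worth stating next to it that, if I recall git-http-backend's defaults correctly, receive-pack is also refused when REMOTE_USER is empty unless http.receivepack is enabled, so the REMOTE_USER forwarded further down is the second line of defence rather than this regex alone. The location block continues past the hunk.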
@@ -0,0 +1,2 @@ +[safe] + directory = /srv/git/* diff --git a/roles/gitserver/tasks/main.yml b/roles/gitserver/tasks/main.yml index c007c6e..9ec412f 100644 --- a/roles/gitserver/tasks/main.yml +++ b/roles/gitserver/tasks/main.yml @@ -65,6 +65,14 @@ group: git mode: u+rwx,g+r,o+r +- name: Configure git system-wide + ansible.builtin.copy: + src: files/gitconfig + dest: /etc/gitconfig + owner: git + group: git + mode: u+rwx,g+r,o+r + - name: Configure git-daemon systemd service ansible.builtin.copy: src: files/git-daemon.service -- cgit v1.2.3-70-g09d2
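Review bot: `directory = /srv/git/*` relies on the trailing `/*` form of safe.directory, which as far as I recall only exists in git 2.46 and later; on an older git the value is compared literally, matches nothing, and the fcgiwrap user still hits the ownership refusal the entry is meant to lift. Since nothing in the diff pins a git version, I would either record the requirement in the file, `# Trailing /* needs git >= 2.46; older versions need one entry per repository.`, or have the role assert the version before copying it. Listing repositories explicitly is also the narrower grant, since the glob trusts every directory under /srv/git regardless of its owner.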
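Review bot: `/etc/gitconfig` is a system-wide file read by every account that runs git, including root, yet the new task makes it owned by `git:git` with `u+rwx`; that lets the unprivileged git service account rewrite configuration honoured by other accounts, and the execute bit has no purpose on a config file. I would change the three lines to `owner: root`, `group: root`, `mode: '0644'`, quoted so YAML does not parse the mode as a number. The preceding task in the context uses the same owner and mode, presumably because that file (outside the hunk) is git-owned by design, so the change need not be propagated there. The task list this hunk sits in starts and ends outside the hunk.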