From 8984b8989993b3b3835b0a5366b48db6c0d9a44d Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin
Date: Sun, 27 Jul 2025 11:36:28 +0100
Subject: Remove support for git push via HTTP

It was not working properly anyway, because of the permissions problem, but intoroduced unnecessary complexity in configuration files. All others (non-write) git operation should continue to work via HTTP.
---
 roles/gitserver/files/git.conf | 13 -------------
 roles/gitserver/files/htpasswd | 7 -------
 roles/gitserver/tasks/main.yml | 25 -------------------------
 3 files changed, 45 deletions(-)
 delete mode 100644 roles/gitserver/files/htpasswd
(limited to 'roles/gitserver')
diff --git a/roles/gitserver/files/git.conf b/roles/gitserver/files/git.conf
index f4e880d..575d977 100644
--- a/roles/gitserver/files/git.conf
+++ b/roles/gitserver/files/git.conf
@@ -1,17 +1,6 @@
 # Source: https://gist.github.com/kierdwyn/3745400e6a184f621b92
 location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) {
- # Disable authentication by default.
- set $auth off;
-
- # Require authentication for push.
- if ($request ~ git-receive-pack) {
- set $auth "Restricted";
- }
-
- auth_basic $auth;
- auth_basic_user_file /etc/nginx/auth/git/.htpasswd;
-
 # Set chunks to unlimited, as the body's can be huge.
 client_max_body_size 0;
@@ -19,8 +8,6 @@ location ~ /.+/(info/refs|git-upload-pack|git-receive-pack) {
 fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
 fastcgi_param GIT_PROJECT_ROOT /srv/git;
 fastcgi_param PATH_INFO $uri;
- # Forward REMOTE_USER as we want to know when we are authenticated.
- fastcgi_param REMOTE_USER $remote_user;
 fastcgi_pass unix:/run/fcgiwrap.sock;
 }
diff --git a/roles/gitserver/files/htpasswd b/roles/gitserver/files/htpasswd
deleted file mode 100644
index 1402a2f..0000000
--- a/roles/gitserver/files/htpasswd
+++ /dev/null
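Review bot: The `location` regex kept as context in the first git.conf hunk still matches `git-receive-pack`, so push requests keep reaching git-http-backend, now with no `auth_basic` in front of them. Whether they are refused then rests on git-http-backend's default of disabling receive-pack when no REMOTE_USER is passed, and on no repository under /srv/git setting `http.receivepack` to true, which this diff does not show. Narrowing the match to `location ~ /.+/(info/refs|git-upload-pack) {`, or answering the receive-pack path with a 403, would state the read-only intent in nginx itself instead of leaving it to backend configuration. The location block runs on between the two hunks, outside the visible lines.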
@@ -1,7 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-61343632623939306230623762623761363339376231646232313165353432643830383064663066
-6163383831306632333339653130323764393166333464380a613264613935633336643734376161
-37643564663361646564376437663431343937663937656233323164393837626163386430643063
-6234633164303239310a663961373664666465353234373261633662653864633830336132316139
-33616333643963353630623866613765363131656137653561393733633361303138383662626364
-3930656564303830646333306666643262383263313939373266
diff --git a/roles/gitserver/tasks/main.yml b/roles/gitserver/tasks/main.yml
index 9ec412f..cdb7765 100644
--- a/roles/gitserver/tasks/main.yml
+++ b/roles/gitserver/tasks/main.yml
@@ -88,29 +88,6 @@
 state: started
 daemon_reload: true
-- name: Setup auth directory for git
- ansible.builtin.file:
- path: /etc/nginx/auth/git
- state: directory
- owner: root
- group: root
- mode: u+rw,g+r,o+r
-
-# Alternative approach is to use community.general.htpasswd module to manage
-# .htpasswd file. Unfortunetly, there are couple of drawbacks:
-# * Target systems should have passlib Python library installed.
-# * Passwords might leak in the Ansible debug output, or even non-debug
-# without no_log.
-# Seems like managing good old file is more convenient at the moment.
-
-- name: Copy git .htpasswd file to manage HTTP passwords
- ansible.builtin.copy:
- src: files/htpasswd
- dest: /etc/nginx/auth/git/.htpasswd
- owner: root
- group: root
- mode: u+rw,g+rw,o+r
-
 - name: Copy git.conf to handle git HTTP requests
 ansible.builtin.copy:
 src: files/git.conf
@@ -149,5 +126,3 @@
 owner: git
 group: git
 mode: u+rwx,g-rwx,o-rwx
-
-# TODO: figure out proper permissions to fix HTTP protocol push.
-- 
cgit v1.2.3-70-g09d2
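Review bot: Dropping the two auth tasks in the first main.yml hunk stops managing /etc/nginx/auth/git but does not remove it, so hosts provisioned by an earlier run keep the `.htpasswd` file that was deployed with `o+r`. Those password hashes stay readable to local users even though nothing references the file any more. A short cleanup task in place of the removed ones would bring existing hosts in line with fresh installs; it can be deleted again once every host has converged. The task list continues before and after the hunk, outside the visible lines.

```yaml
# … unchanged: preceding task ending in daemon_reload: true …
- name: Remove git HTTP auth files left by earlier runs
  ansible.builtin.file:
    path: /etc/nginx/auth/git
    state: absent
# … unchanged: "Copy git.conf to handle git HTTP requests" task …
```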