Git (gitolite + git-http-backend + gitweb) configuration

By default repos are be readable by gitweb and the web server ('gitweb' and
'www-data' are both in the 'gitolite' group).  Private repo owners will have
'chmod -R og-rwx' manually.

To automatically add new repos to gitweb's 'project.list' file, make it
readable to the special 'gitweb' user.

See /usr/share/doc/gitolite3/README.txt.gz for details.

1 files changed, 78 insertions, 0 deletions

diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
new file mode 100644
index 0000000..9510620
--- /dev/null
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -0,0 +1,78 @@
+server {
+    listen      80;
+    listen [::]:80;
+
+    server_name  git.fripost.org;
+
+    access_log /var/log/nginx/git.access.log;
+    error_log  /var/log/nginx/git.error.log info;
+
+    # Bypass the CGI to return static files stored on disk. Try first repo with
+    # a trailing '.git', then without.
+    location ~* "^/((?U)[^/]+)(?:\.git)?/objects/([0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" {
+        root /var/lib/gitolite/repositories;
+        try_files /$1.git/objects/$2 /$1/objects/$2 =404;
+    }
+
+    # Disallow push over HTTP(S)
+    location ~* ^/[^/]+/git-receive-pack$ {
+        return 403;
+    }
+
+    location ~* ^/[^/]+/(:?HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$ {
+        fastcgi_param PATH_INFO $uri;
+        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+        fastcgi_param GIT_HTTP_EXPORT_ALL 1;
+        fastcgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
+        include fastcgi/params;
+        fastcgi_pass unix:/var/run/fcgiwrap.socket;
+        gzip off;
+    }
+
+    # Redirect to gitweb otherwise
+    location ~ ^/([^/]+/?)?$ {
+        return 302 $scheme://gitweb.fripost.org/$1;
+    }
+}
+
+
+server {
+    listen      443;
+    listen [::]:443;
+
+    server_name  git.fripost.org;
+
+    include ssl/config;
+    ssl_certificate     /etc/nginx/ssl/git.fripost.org.pem;
+    ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
+
+    access_log /var/log/nginx/git.access.log;
+    error_log  /var/log/nginx/git.error.log info;
+
+    # Bypass the CGI to return static files stored on disk. Try first repo with
+    # a trailing '.git', then without.
+    location ~* "^/((?U)[^/]+)(?:\.git)?/objects/([0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" {
+        root /var/lib/gitolite/repositories;
+        try_files /$1.git/objects/$2 /$1/objects/$2 =404;
+    }
+
+    # Disallow push over HTTP(S)
+    location ~* ^/[^/]+/git-receive-pack$ {
+        return 403;
+    }
+
+    location ~* ^/[^/]+/(:?HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$ {
+        fastcgi_param PATH_INFO $uri;
+        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+        fastcgi_param GIT_HTTP_EXPORT_ALL 1;
+        fastcgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
+        include fastcgi/params;
+        fastcgi_pass unix:/var/run/fcgiwrap.socket;
+        gzip off;
+    }
+
+    # Redirect to gitweb otherwise
+    location ~ ^/([^/]+/?)?$ {
+        return 302 $scheme://gitweb.fripost.org/$1;
+    }
+}