@barelyhuman
Last active September 9, 2023 18:56
Set up NGINX + CGIT on Ubuntu 20.04
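#!/bin/bash
set -euxo pipefail

# Configurations
# the new user to be added for logging in (comment out `create_user` in `security` if you already have an admin user)
NEW_USER="admin"
# placeholder sudo password for the new user; change it before running
# (note that `set -x` above echoes it to the terminal)
DUMMY_PASS="dummyPassword123"
# replace with the contents of your public key
KEY_FILE="ssh-rsa ..."
# the address to serve cgit on
WEBSITE_NAME="git.example.com"

install_deps(){
  apt -y update
  apt -y upgrade
  # git is needed for the clone in setup_cgit; 'zlib*' is quoted so the shell
  # passes the pattern to apt instead of expanding it against local files
  apt -y install fcgiwrap libc6 liblua5.1-0 zlib1g python3-docutils \
    python3-markdown python3-pygments build-essential nginx 'zlib*' libssl-dev git
}
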
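create_user (){
  # --disabled-password/--gecos keep adduser from prompting, so the script
  # also works when it is piped to bash over ssh; the password is set below
  adduser --disabled-password --gecos "" "$NEW_USER" || echo "User already exists."
  echo "$NEW_USER:$DUMMY_PASS" | chpasswd
  # -a appends to the supplementary groups instead of replacing them
  usermod -aG sudo "$NEW_USER"
  mkdir -p "/home/$NEW_USER/.ssh"
  echo "${KEY_FILE}" > "/home/$NEW_USER/.ssh/authorized_keys"
  chown -R "$NEW_USER:$NEW_USER" "/home/$NEW_USER/.ssh"
  chmod 700 "/home/$NEW_USER/.ssh"
  chmod 644 "/home/$NEW_USER/.ssh/authorized_keys"
}
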
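disable_root_login(){
  # blank out any existing (including commented-out) directives, then append
  # the wanted values; the expressions are quoted so the shell cannot
  # glob-expand `.*` against local files
  sed -i 's/.*PubkeyAuthentication.*//' /etc/ssh/sshd_config
  sed -i 's/.*PasswordAuthentication.*//' /etc/ssh/sshd_config
  sed -i 's/.*PermitRootLogin.*//' /etc/ssh/sshd_config
  echo "PermitRootLogin no" >> /etc/ssh/sshd_config
  echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
  echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
  service ssh restart
  ufw allow ssh
  # --force skips the confirmation prompt, which would otherwise read the
  # next script line from stdin when the script is piped over ssh
  ufw --force enable
}
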
create_git_user(){
  # system account that owns the repositories under /var/lib/git
  adduser --system --group --disabled-password --home /var/lib/git git
  chown git:git /var/lib/git
  mkdir -p /var/lib/git/.ssh
  echo "${KEY_FILE}" > /var/lib/git/.ssh/authorized_keys
  chsh -s /bin/bash git
}

setup_cgit(){
  cd /tmp
  git clone https://git.zx2c4.com/cgit
  cd cgit
  git submodule init
  git submodule update
  # build-time paths; \$ keeps the make variables from being expanded by the shell
  cat <<EOF > ./cgit.conf
CGIT_SCRIPT_PATH = /var/www/html/cgit/cgi
CGIT_CONFIG = /var/www/html/cgit/cgitrc
CACHE_ROOT = /var/www/html/cgit/cache
prefix = /var/www/html/cgit
libdir = \$(prefix)
filterdir = \$(libdir)/filters
EOF
  make && make install
  cd
  systemctl enable fcgiwrap
  systemctl start fcgiwrap
}

setup_nginx(){
  # \$ keeps the nginx variables literal; only $WEBSITE_NAME is expanded by the shell
  cat <<EOF > "/etc/nginx/sites-available/$WEBSITE_NAME.conf"
server {
    server_name $WEBSITE_NAME;
    listen [::]:80;
    listen 80;
    access_log /var/log/nginx/cgit-access.log;
    error_log /var/log/nginx/cgit-error.log;
    root /var/www/html/cgit/cgi;
    try_files \$uri @cgit;
    location @cgit {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/html/cgit/cgi/cgit.cgi;
        fastcgi_pass unix:/run/fcgiwrap.socket;
        fastcgi_param PATH_INFO \$uri;
        fastcgi_param QUERY_STRING \$args;
        fastcgi_param HTTP_HOST \$server_name;
    }
}
EOF
  ln -sf "/etc/nginx/sites-available/$WEBSITE_NAME.conf" "/etc/nginx/sites-enabled/$WEBSITE_NAME.conf"
  service nginx restart
  ufw allow http
}

primary(){
  install_deps
  create_git_user
  setup_cgit
  setup_nginx
}

security(){
  # create a new user
  create_user
  # disable root login so that only the user created above can log in
  disable_root_login
}

main(){
  # comment out the next line if you do not want to set up a new user and disable root login
  security
  primary
}

main
@barelyhuman
Author

You can run this on the server after the instance is ready, or you can use something like the below to run it from your local system:

#!/bin/bash

CMD="$CMD
$(<script.sh)
"

SSHUSER="root"
HOST="example.com"

echo "$CMD" | ssh "$SSHUSER@$HOST" sudo /bin/bash

where script.sh contains the above gist code
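A check for the SSH hardening done by `disable_root_login`, added here as an example and not part of the gist: sshd takes the first value it reads for each keyword, so lines appended to the end of `sshd_config` lose to an earlier setting, such as one pulled in by an `Include` directive. The function name and the sample dumps are hypothetical and constructed; on the server the input would come from `sshd -T`, which prints the effective configuration.

```shell
#!/bin/bash
# Added example, not part of the gist.
# check_sshd_effective reads an `sshd -T` dump (lowercase "keyword value"
# lines) on stdin, reports each expected setting that is missing or
# different, and returns 0 only when all three match.
check_sshd_effective() {
  awk '
    BEGIN {
      want["permitrootlogin"]        = "no"
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"]   = "yes"
    }
    # keep the first value seen for each keyword we care about
    ($1 in want) && !($1 in got) { got[$1] = $2 }
    END {
      bad = 0
      for (k in want) {
        if (!(k in got)) {
          printf "MISSING  %s (want %s)\n", k, want[k]; bad = 1
        } else if (got[k] != want[k]) {
          printf "MISMATCH %s = %s (want %s)\n", k, got[k], want[k]; bad = 1
        }
      }
      exit bad
    }'
}

# Constructed sample dumps standing in for real `sshd -T` output.
sample_hardened() {
  printf '%s\n' 'port 22' 'permitrootlogin no' \
    'passwordauthentication no' 'pubkeyauthentication yes'
}
sample_overridden() {   # e.g. an earlier setting re-enabled password logins
  printf '%s\n' 'port 22' 'permitrootlogin no' \
    'passwordauthentication yes' 'pubkeyauthentication yes'
}

# Demo on the constructed data; on the server run:
#   sshd -T | check_sshd_effective
sample_hardened   | check_sshd_effective && echo "hardened sample: OK"
sample_overridden | check_sshd_effective || echo "overridden sample: NOT hardened"
```

Run it from a second session before closing the one that applied the changes, so a failed check can still be fixed.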
