Installing Git and Cgit to Debian NGINX server (with smart http and authentication on push)
# Just some notes on enabling smart http with nginx as well as authentication on push for repos
# install git, cgit, fcgiwrap (runs the CGI programs for nginx) and apache2-utils (provides htpasswd for authentication)
apt install git cgit apache2-utils fcgiwrap
# create a git user
adduser git
su git
cd
mkdir .ssh && chmod 700 .ssh
touch .ssh/authorized_keys && chmod 600 .ssh/authorized_keys
# append ssh keys to the authorized keys file
# change back to root user
exit
# As root, create location to store repos and change permissions
mkdir -p /srv/git
ln -s /srv/git /git # optional but I like it so the repos are available on /git if you're ssh cloning
cd /srv
chown -R git:git git/
# Configuring nginx
# /etc/nginx/git-http-backend.conf
fastcgi_pass unix:/run/fcgiwrap.socket;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
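# export every repo under GIT_PROJECT_ROOT over http, whether or not it has a git-daemon-export-ok file
fastcgi_param GIT_HTTP_EXPORT_ALL "";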
fastcgi_param GIT_PROJECT_ROOT /srv/git;
fastcgi_param PATH_INFO $1;
fastcgi_param REMOTE_USER $remote_user;
# /etc/nginx/sites-available/git.domain.com
server {
    server_name git.domain.com www.git.domain.com;
    access_log /var/log/nginx/cgit-access.log;
    error_log /var/log/nginx/cgit-error.log debug;
    root /usr/share/cgit;
    try_files $uri @cgit;
    location @cgit {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
        fastcgi_param DOCUMENT_ROOT /usr/lib/git-core;
        fastcgi_pass unix:/run/fcgiwrap.socket;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param QUERY_STRING $args;
        fastcgi_param HTTP_HOST $server_name;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param GIT_PROJECT_ROOT /srv/git;
        # smart http: pushes (git-receive-pack) go to /git_write/, fetches (git-upload-pack) to /git_read/
        if ($arg_service = git-receive-pack) {
            rewrite (/.*) /git_write/$1 last;
        }
        if ($uri ~ ^/.*/git-receive-pack$) {
            rewrite (/.*) /git_write/$1 last;
        }
        if ($arg_service = git-upload-pack) {
            rewrite (/.*) /git_read/$1 last;
        }
        if ($uri ~ ^/.*/git-upload-pack$) {
            rewrite (/.*) /git_read/$1 last;
        }
    }
    listen [::]:80;
    listen 80;
    location ~ /git_read/(.*) {
        include git-http-backend.conf;
    }
    # require auth to upload
    # (basic auth sends the password base64-encoded, not encrypted, and this server
    # only listens on plain port 80, so add TLS before pushing over an untrusted network)
    location ~ /git_write/(.*) {
        auth_basic "Pushing to Git repositories is restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        include git-http-backend.conf;
    }
}
# enable the configuration
ln -s /etc/nginx/sites-available/git.domain.com /etc/nginx/sites-enabled/
# Create an http user (with write access)
htpasswd -c /etc/nginx/htpasswd username # where username is the username you want to use for auth
# configure cgit accordingly at
# /etc/cgitrc
css=/cgit.css
logo=/cgit.png
virtual-root=/
scan-path=/srv/git
# Create your repository
su git
cd /srv/git
mkdir myrepo.git
cd myrepo.git
git init --bare
# As root update permissions to be able to push via http
chown -R git:www-data /srv/git/
chmod -R ug+rwX /srv/git/
# To configure the git:// protocol
# /etc/systemd/system/git-daemon.service
[Unit]
Description=Start Git Daemon
[Service]
ExecStart=/usr/bin/git daemon --reuseaddr --base-path=/srv/git/ /srv/git/
Restart=always
RestartSec=500ms
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=git-daemon
User=git
Group=git
[Install]
WantedBy=multi-user.target
# enable and start the unit
systemctl enable --now git-daemon.service
# Create a git-daemon-export-ok file inside each repo you want git-daemon to serve
cd /srv/git/myrepo.git/
touch git-daemon-export-ok
# Finally, allow port 9418 for git:// protocol (as root)
ufw allow 9418
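# Added example (not part of the original gist): a read-only audit of the repo root that shows, per repository, whether git-daemon will serve it over git:// (a git-daemon-export-ok file is present) and whether the directory has the group write bit used for pushes over http. Over http every repo under /srv/git is readable regardless, because GIT_HTTP_EXPORT_ALL is set above. The function names audit_repos and exported_count are made up for this example.

```sh
#!/bin/sh
# Added example, not part of the original gist. It only reads the filesystem.
# The default root /srv/git and the *.git naming follow the notes above.

# audit_repos ROOT
# Prints one line per bare repo: "<name> git-daemon=<yes|no> group-writable=<yes|no>"
#   git-daemon=yes      git-daemon-export-ok exists, so git:// (port 9418)
#                       serves the repo to anyone who can reach the port
#   group-writable=yes  the repo directory has the group write bit that the
#                       chmod -R ug+rwX step sets for pushes over http
audit_repos() {
    root=${1:-/srv/git}
    for repo in "$root"/*.git; do
        # skip plain files named *.git and the literal pattern of an unmatched glob
        [ -d "$repo" ] || continue
        daemon=no
        if [ -e "$repo/git-daemon-export-ok" ]; then
            daemon=yes
        fi
        writable=no
        # -prune stops find from descending, so only the repo directory is tested;
        # -perm -020 matches when the group write bit is set
        if [ -n "$(find "$repo" -prune -perm -020)" ]; then
            writable=yes
        fi
        printf '%s git-daemon=%s group-writable=%s\n' \
            "$(basename "$repo")" "$daemon" "$writable"
    done
}

# exported_count ROOT
# Number of repos reachable over the unauthenticated git:// protocol.
exported_count() {
    # grep -c prints 0 but exits non-zero when nothing matches, hence || true
    audit_repos "$1" | grep -c 'git-daemon=yes' || true
}

# Run the audit when a root is given on the command line: sh audit.sh /srv/git
if [ "$#" -gt 0 ]; then
    audit_repos "$1"
    echo "repos served over git://: $(exported_count "$1")"
fi
```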
@RobbiNespu

This is good! Thanks!

@rtkay123
Author

@RobbiNespu Thank you! I hope it was useful for you

@DejavuMoe

Thanks, it helps me a lot. 😘
