Git Setup: Public Repositories, Secure Commits
I did this primarily based on blog postings at http://scie.nti.st/2007/11/14/hosting-git-repositories-the-easy-and-secure-way, and also http://book.git-scm.com/4_setting_up_a_public_repository.html. See these posts to see what I did pretty much verbatim.
The big configuration difference is that I wanted the git repositories to reside on the elastic-block store, but be accessible in the usual way. So, after installing git and gitosis and adjusting my gitosis-admin repository, I moved all the repostories from /home/git/repositories to /mnt/ebs/git/repositories. A symlink in the /home/git/ directory links to the repositories on the elastic block store, which makes them accessible to the git user as they need to be.
In order to provide the files publically in a read-only fasion via HTTP, Apache needs to serve the files, but not be able to write to them. In /var/www I created a symlink to the repositories on the elastic-block store, which allows Apache to serve the files. I added the www-data user to the git group, which has r-x privileges on the git repositories, so Apache cannot write to the repositories, as I wanted.
The Bottom Line:
The Geoportal repository can be accessed via:
- email@example.com:geoportal.git: For users who are authenticated via ssh keys (see below). This allows commit privileges if the user is defined properly in Gitosis (also see below)
- http://code.usgin.org/git/geoportal.git: For read-only access to the repository.
- firstname.lastname@example.org:gitosis-admin: As it stands right now, I'm the only person who should be able to make changes to this one.
- Adding a new repository:
- Make sure a user is defined who can write to that repository in gitosis-admin. Let's say it is called "new-repo"
- Create a local repository called new-repo, make changes, commit.
- Push the local repository to the server with the following commands:
- git remote add origin email@example.com:new-repo.git
- git push origin master:refs/heads/master
- On the server, make sure the repository is being shared publically properly with the following commands:
- cd ../path/to/repository/..
- sudo git --bare update-server-info
- Adding a user with commit privileges:
- The user must create a public/private key-pair.
- In a local instance of the gitosis-admin repository (I have one on my desktop), copy the public key into the keydir/ directory.
- Adjust gitosis.conf to give that user appropriate privileges to the correct repositories.
- Stage changes to the local repository, commit them, push them to the server.
The Git Daemon
The git daemon will serve repositories at urls like git://code.usgin.org/new-repo.git, and will not allow commits. This is apparently the "preferred" way of running public repositories, although it works through port 9418, which may be closed to some users behind firewalls they cannot control.
The git daemon can be started with the command: sudo -u git git daemon --base-path=/home/git/repositories/ and will serve any repositories which contain a file called git-daemon-export-ok. There is a way to run the daemon as a service (see a little ways down on http://www.kernel.org/pub/software/scm/git/docs/git-daemon.html), but I'm not sure yet if its worth it for us.