// "[o.o]"



I first tried to install cgit and get it working by just reading around. That was not successful. Then I found this, and was able to get it working.
First we create a jail named cgit from the host, assuming other jails are already running there.
PS: Not sure if I will make git.smurfd.me publicly available, or if I'll just keep it as my own and use GitHub and Codeberg as mirrors.
$ doas mkdir -p /home/jails/cgit
$ doas bsdinstall jail /home/jails/cgit

/etc/jail.conf
cgit {                                         # Jail name, as used by service/jexec below
    host.hostname = git.smurfd.me;             # Hostname
    ip4.addr = 192.168.0.62;                   # IP address of the jail
    path = "/home/jails/cgit";                 # Path to the jail
    mount.devfs;                               # Mount devfs inside the jail
    exec.start = "/bin/sh /etc/rc";            # Start command
    exec.stop = "/bin/sh /etc/rc.shutdown";    # Stop command
}

/etc/sysctl.conf
security.jail.allow_raw_sockets=1
net.inet.ip.forwarding=1

/etc/rc.conf
jail_cgit_parameters="allow.raw_sockets=1"
	  
Start the jail and upgrade to the version you want.
$ doas service jail start cgit
$ doas freebsd-update -j cgit -r 13.5-RELEASE upgrade install
$ doas service jail restart cgit
$ doas freebsd-update -j cgit -r 13.5-RELEASE install
		  
Enter the jail and install the needed packages. Create the user git, change the owner of /srv/git and add www to the git group (this is the part I think I was missing before).
$ doas jexec cgit /bin/sh
$ pkg install cgit fcgiwrap git nginx vim py311-pygments py311-markdown python3
$ pw useradd git -d /srv/git
$ mkdir -p /srv/git/git /usr/local/etc/nginx/sites-available
# in user git's folder, use folder git for repositories
$ chown -R git:git /srv/git
$ pw usermod www -G www,git
$ chmod -R g+rX /srv/git
$ cp /usr/local/www/cgit/* /srv/git # copy stylesheet and cgi to www root
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \
  /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
$ openssl dhparam -out /usr/local/etc/nginx/dhparam.pem 4096
$ service git_daemon start
$ service fcgiwrap start
$ service nginx start
			  
Before you start fcgiwrap and nginx in the jail, apply the configs below.
If you don't have a certificate, create a self-signed one?
Probably just use certbot, right? Once you have your cert and key, point the ssl_certificate and ssl_certificate_key parameters at their paths.

See the bottom of the page for initialization of the first repo.
If the first push fails even though you can connect to port 22, restart the jail. That has done the trick for me so far.

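If you then want to keep just one repo for several remotes, such as Codeberg, GitHub and your own, this should work:
# the remote "all" has to exist before set-url can add push URLs to it
$ git remote add all git://smurfd.me/repo.git
$ git remote set-url --add --push all git://github.com/repo.git
$ git remote set-url --add --push all git://codeberg.org/repo.git
$ git remote set-url --add --push all git://smurfd.me/repo.git
# git:// is read-only unless the server enables receive-pack; use ssh or https URLs where pushing needs authentication
$ git push all master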

# cat /etc/rc.conf
sshd_enable="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
dumpdev="AUTO"
git_daemon_enable="YES"
git_daemon_directory="/srv/git"
git_daemon_flags="--syslog --base-path=/srv/git --export-all --reuseaddr --detach"
nginx_enable="YES"
fcgiwrap_enable="YES"
fcgiwrap_profiles="git"
fcgiwrap_git_socket="unix:/var/run/fcgiwrap/git.socket"
fcgiwrap_git_user="git"
fcgiwrap_git_group="git"
fcgiwrap_git_socket_owner="www"
fcgiwrap_git_socket_group="www"

# cat /usr/local/etc/cgitrc
robots=noindex, nofollow
clone-url=https://git.smurfd.me/$CGIT_REPO_URL
snapshots=tar.gz tar.bz2 zip
mimetype.gif=image/gif
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml
source-filter=/usr/local/lib/cgit/filters/syntax-highlighting.py
about-filter=/usr/local/lib/cgit/filters/about-formatting.sh
readme=:README.md
css=/cgit.css
logo=/cgit.png
enable-git-config=1
enable-index-owner=0
enable-commit-graph=1
enable-index-links=1
enable-log-linecount=1
enable-log-filecount=1
remove-suffix=1
side-by-side-diffs=1
virtual-root=/
root-title=smurf wrk
root-desc=smurf hosted git
clone-prefix=https://git.smurfd.me ssh://git@smurfd.me/git
scan-path=/srv/git/git

# cat /usr/local/etc/nginx/snippets/ssl-params.conf
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
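# ssl_dhparam and ssl_ciphers only apply to TLS 1.2 and older; with TLSv1.3 alone they have no effect
ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;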
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling needs a CA-issued certificate; nginx ignores it for the self-signed one
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

# cat /usr/local/etc/nginx/nginx.conf
worker_processes auto;
events {
  worker_connections 1024;
}
http {
  include mime.types;
  default_type application/octet-stream;
  sendfile on;
  keepalive_timeout 65;
  gzip on;
  include sites-available/git.smurfd.me.conf;
}


# cat /usr/local/etc/nginx/sites-available/git.smurfd.me.conf 
server {
  listen 80;
  server_name git.smurfd.me;
  location / {
    return 308 https://$server_name$request_uri;
  }
}
server {
  listen 443 ssl;
  server_name  git.smurfd.me;
  root /srv/git;
  try_files $uri @cgit;
  location @cgit {
    client_max_body_size 0;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /usr/local/www/cgit/cgit.cgi;
    fastcgi_param PATH_INFO $uri;
    fastcgi_param QUERY_STRING $args;
    fastcgi_param HTTP_HOST $server_name;
    fastcgi_pass unix:/var/run/fcgiwrap/git.socket;
    fastcgi_read_timeout 300;
  }
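  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
  # pull in the TLS settings and headers from snippets/ssl-params.conf shown above
  include snippets/ssl-params.conf;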
}
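
With root /srv/git and try_files $uri in front of cgit, nginx serves any file under /srv/git that the www user can read, and --export-all makes git-daemon publish every repository under its base path. The script below is an added example, not part of the original setup: the function names, the allowlist of static assets and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Audit what the layout above publishes: nginx "root /srv/git" with
# "try_files $uri @cgit", and git-daemon started with --export-all.

# Files meant to be served statically (assumed allowlist, adjust as needed).
ALLOW='cgit.css cgit.png cgit.js favicon.ico robots.txt'

# URL paths nginx would answer from disk: files under root $1 that are
# group- or other-readable (www is in group git). Directory modes are ignored.
static_exposed() {
  root=${1%/}
  find "$root" -type f \( -perm -040 -o -perm -004 \) | LC_ALL=C sort |
  while IFS= read -r f; do
    rel=${f#"$root"/}
    case " $ALLOW " in *" $rel "*) continue ;; esac
    printf '/%s\n' "$rel"
  done
}

# Bare repos under base path $1 that lack a git-daemon-export-ok marker;
# with --export-all they are served over git:// anyway.
unmarked_repos() {
  base=${1%/}
  find "$base" -type f -name HEAD | LC_ALL=C sort |
  while IFS= read -r h; do
    d=${h%/HEAD}
    [ -d "$d/objects" ] && [ -d "$d/refs" ] || continue
    [ -e "$d/git-daemon-export-ok" ] || printf '%s\n' "${d#"$base"}"
  done
}

# Constructed sample tree mirroring the /srv/git layout (not real data).
make_sample() {
  t=$(mktemp -d)
  mkdir -p "$t/ssh" "$t/git/project.git/objects" "$t/git/project.git/refs"
  for f in cgit.css cgit.png cgit.cgi git/project.git/config; do
    : > "$t/$f"; chmod 644 "$t/$f"
  done
  echo 'ref: refs/heads/master' > "$t/git/project.git/HEAD"
  chmod 644 "$t/git/project.git/HEAD"
  : > "$t/ssh/authorized_keys"; chmod 600 "$t/ssh/authorized_keys"
  printf '%s\n' "$t"
}

# Audit the directory given as $1, or the sample tree when run without one.
root=${1:-$(make_sample)}
static_exposed "$root"
unmarked_repos "$root"
```

Run it inside the jail as `sh audit.sh /srv/git`; anything it lists beyond what you meant to publish is a reason to tighten file modes or move the nginx root away from the repositories.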

Generate a key pair on the client:
$ ssh-keygen
$ cat ~/.ssh/id_ed25519.pub # copy the output and paste it into /srv/git/ssh/authorized_keys
 
On the server, for every new repo:
$ git config --global init.defaultBranch smurfer # set before git init so HEAD points at this branch; or master if you want the same on gh and others.
$ cd /srv/git/git
$ mkdir project.git
$ cd project.git
$ git init --bare
$ chown -R git:git ../project.git
 
On the client:
$ cd myproject
$ git init -b smurfer # same branch name as the push below
$ git add .
$ git commit -m 'initial commit'
$ git remote add origin git@192.168.0.61:/srv/git/git/project.git
$ git push -u origin smurfer