RemoteRepo-Draft
Summary
This document describes a way to configure a remote repo for hosting via git/got. The goal is to provide shared hosting of repos without needing to grant shared group privileges or even accounts on the hosting server. Users will store their repos in ~/public/gitgot/ which can be on the host, or on a different server all together. They will push/pull changes to it locally or via ssh as normal. A cronjob on the machine hosting the users home directory will rsync the users repo to a staging area in /var/gitgot/username/ and their ownership and permissions changed as configured. The script will need an account with permission to do this on the web host.
A second script running on the web host will take the files from the staging area, change their ownership and permissions as needed to place them where needed to share them via gotweb or git clone. The use of the staging area is to allow for a remote script to place the files using ssh keys without a password and without permissions to modify anything except the git files on the public host. Both scripts will need to run as root on their respective machines, have doas capability, or use the openbsd pledge/unveil mechanism.
The repo will be staged in /var/gitgot/user/repo directory structure.
Setup the Hosts
User Host
The user host can also be the web host, but we'll discuss them as being separate with notes as needed. You'll want to add a ~/public/gitgot folder to the users home directory if it already exists. This can be done automatically for new users by adding it to /etc/skel directory like this:
doas mkdir -p /etc/skel/public/gitgot doas chown root.wheel /etc/skel/public/gitgot doas chmod 755 /etc/skel/public/gitgot
The script that does the moving of the files should have an account with access to the files in the staging area. It will need permissions to read the users home directory as well as write to the staging area. For now, we'll assume it'll be a script running via roots crontab, but ideally it should be run as a restricted user. It will need to have an ssh key to access the remote web host so we'll generate that also:
doas useradd -m gitgot doas su - gitgot ssh-keygen -t ed25519
Use the default path for the key file and leave the password empty. The output will look something like this:
Generating public/private ed25519 key pair. Enter file in which to save the key (/home/gitgot/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/gitgot/.ssh/id_ed25519 Your public key has been saved in /home/gitgot/.ssh/id_ed25519.pub The key fingerprint is: SHA256:lyrfN6pDSRuVI112nfZiMh02aOoHxvgq5Y5jyY2QKpI gitgot@planetofnix.com The key's randomart image is: +--[ED25519 256]--+ | . oo....| | . =.o.+o.| | = + o.o.| | + =.o + .| | . .SBo. + . | | o =oo . | | . . o.B.. . | |E . B+=. o | |.. ..++ooo . | +----[SHA256]-----+
We'll put the script for copying the files in ~/bin/gitgot-staging.pl These commands assume you are still logged in as the gitgot user.
mkdir bin vim bin/gitgot-staging.pl
Using the Repo
%commands%[@ ssh username@got.ircnow.org git init --bare /var/git/reponame
git remote add origin ssh://got.ircnow.org/var/git/reponame git push --set-upstream origin master