Indefero

InstallationScmGit


How to have InDefero controlling the git access rights

Plugin SyncGit by Céondo Ltd

The SyncGit plugin allows the direct creation and synchronisation of git repositories with the InDefero database. This requires giving access to the repositories through a dedicated SSH account, usually the git account.

Prerequisites

A good understanding of:

  • the security issues related to using an SSH account on a server;
  • the principle of public/private SSH keys;
  • the rights/ownership of files on a Linux/BSD/*nix system.

Yes, what you are going to do has security implications.

Git user configuration

On your system, you will need to create a new git account. This account will be used only to access the git repositories and, at the moment, cannot be shared with any other use.

First create a new git account:

$ sudo adduser \
      --system \
      --shell /bin/sh \
      --gecos 'git version control' \
      --group \
      --disabled-password \
      --home /home/git \
      git

Then, we need to create the base SSH files with the right permissions:

$ sudo su git
$ mkdir /home/git/.ssh
$ touch /home/git/.ssh/authorized_keys
$ chmod 0700 /home/git/.ssh
$ chmod 0600 /home/git/.ssh/authorized_keys
$ exit

We add the www-data user to the git group so it can access the repositories to read the content:

$ sudo usermod -a -G git www-data

Do not forget to restart Apache or your fastcgi process to take the group addition into account.

Creation of the repositories base

For each project using git in InDefero, a corresponding bare repository will be created in /home/git/repositories. For example, if the shortname of your project is wonder, it will be created in /home/git/repositories/wonder.git.

$ sudo -H -u git mkdir /home/git/repositories

InDefero Configuration

First, you need to have Python installed on your system to be able to run the very small Python script gitserve.py in the scripts folder. Here is a configuration example:

$cfg['git_repositories'] = '/home/git/repositories/%s.git';
$cfg['git_remote_url'] = 'git://yourdomain.com/%s.git';
$cfg['idf_plugin_syncgit_path_gitserve'] = '/home/www/indefero/scripts/gitserve.py'; # yes .py
$cfg['idf_plugin_syncgit_path_authorized_keys'] = '/home/git/.ssh/authorized_keys';
$cfg['idf_plugin_syncgit_sync_file'] = '/tmp/SYNC-GIT';
# Remove the git repositories which do not have a corresponding project
# This is run at cron time
$cfg['idf_plugin_syncgit_remove_orphans'] = false;
# git account home dir
$cfg['idf_plugin_syncgit_git_home_dir'] = '/home/git';
# where the git repositories are going to be
$cfg['idf_plugin_syncgit_base_repositories'] = '/home/git/repositories';

When someone changes their SSH key or adds a new one, the /tmp/SYNC-GIT file is created. The cron job /home/www/indefero/scripts/gitcron.php sees the file and updates the content of the authorized_keys file.

Cron Job Configuration

You need to run a cron job every now and then to synchronize the SSH keys. The command to run in the cron job is:

php /home/www/indefero/scripts/gitcron.php

The user of the cron job must be git.
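
A check to run after the cron job has rewritten authorized_keys, given here as an added example that is not part of InDefero: it parses each entry's options and flags keys that would reach the git account's /bin/sh instead of gitserve.py. The forced-command entry layout and the sample keys are assumptions; the page does not show the lines gitcron.php generates.

```python
# Added example, not InDefero code. The entry layout checked here is an assumption.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")
REQUIRED = {"no-pty", "no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}
GITSERVE = "/home/www/indefero/scripts/gitserve.py"  # path from the config above

def _to_dict(items):
    # option names are case-insensitive for sshd; strip the quotes around values
    pairs = (item.partition("=") for item in items if item)
    return {k.lower(): (v[1:-1] if v[:1] == '"' else v) for k, _, v in pairs}

def split_entry(line):
    """Return (options, key_part) for one authorized_keys line."""
    if line.startswith(KEY_PREFIXES):  # no options field: unrestricted key
        return {}, line
    items, cur, in_q = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            in_q = not in_q  # commas and blanks inside quotes are literal
        if not in_q and ch in ", \t":
            items, cur = items + [cur], ""
            if ch != ",":  # first unquoted blank ends the options field
                return _to_dict(items), line[i:].strip()
        else:
            cur += ch
    return _to_dict(items + [cur]), ""

def audit(text, gitserve=GITSERVE):
    """Return (line_number, problem) for entries that are not locked down."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _key = split_entry(line)
        if gitserve not in opts.get("command", "").split():
            findings.append((n, "no forced gitserve.py command: key opens /bin/sh"))
        missing = REQUIRED - opts.keys()
        if missing and "restrict" not in opts:
            findings.append((n, "missing " + ",".join(sorted(missing))))
    return findings

# Constructed sample: fake keys, assumed command layout.
SAMPLE = """\
command="python /home/www/indefero/scripts/gitserve.py /home/git/repositories alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3FAKEKEY1 alice
ssh-rsa AAAAB3FAKEKEY2 carol@laptop
command="python /home/www/indefero/scripts/gitserve.py /home/git/repositories bob",no-pty ssh-ed25519 AAAAC3FAKEKEY3 bob
"""
if __name__ == "__main__":
    print(*(f"line {n}: {p}" for n, p in audit(SAMPLE)), sep="\n")
```

To audit the live file, pass its contents to audit(), for example audit(open('/home/git/.ssh/authorized_keys').read()), as a user allowed to read it.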

Git daemon configuration

Put the following in /etc/event.d/local-git-daemon:

start on startup
stop on shutdown

exec /usr/bin/git-daemon \
    --user=git --group=git \
    --verbose \
    --reuseaddr \
    --base-path=/home/git/repositories/ \
    /home/git/repositories/
respawn

Then run:

$ sudo start local-git-daemon

Created: 11 years 7 months ago
by Natalie Adams
