add gitolite/cgit

1 files changed, 49 insertions, 0 deletions

diff --git a/files/usr/local/etc/nginx/vhosts.conf.git_server b/files/usr/local/etc/nginx/vhosts.conf.git_server
new file mode 100644
index 0000000..fdd5f53
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.git_server
@@ -0,0 +1,49 @@
+server {
+  listen 443      ssl default_server;
+  listen [::]:443 ssl default_server;
+  http2 on;
+
+$(if [ "$git_public_fqdn" != "$fqdn" ]; then
+    cat <<EOF
+  ssl_certificate         ${acme_cert_dir}/nginx.crt;
+  ssl_certificate_key     ${acme_cert_dir}/nginx.key;
+  ssl_trusted_certificate ${acme_cert_dir}/nginx.ca.crt;
+EOF
+  else
+    cat <<EOF
+  ssl_certificate      ${git_https_cert};
+  ssl_certificate_key  ${git_https_key};
+EOF
+fi)
+
+  auth_gss_keytab ${git_keytab};
+  auth_gss_allow_basic_fallback ${git_basic_auth};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  root ${cgit_webroot};
+  try_files \$uri @cgit;
+
+  location ~ '^.+/(HEAD|info/refs|objects/(info/[^/]+|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))|git-(upload|receive)-pack)$' {
+    auth_gss on;
+    satisfy any;
+$(printf '    deny %s;\n' $kerberized_cidrs)
+    allow all;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME /usr/local/libexec/gitolite/gitolite-shell;
+    fastcgi_param PATH_INFO \$uri;
+    fastcgi_param GIT_HTTP_EXPORT_ALL '';
+    fastcgi_param GIT_PROJECT_ROOT ${gitolite_home}/repositories;
+    fastcgi_param GITOLITE_HTTP_HOME ${gitolite_home};
+    fastcgi_param PATH /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin;
+    fastcgi_pass unix:${gitolite_fcgiwrap_socket};
+  }
+
+  location @cgit {
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME ${cgit_webroot}/cgit.cgi;
+    fastcgi_param SCRIPT_NAME '';
+    fastcgi_param PATH_INFO \$uri;
+    fastcgi_pass unix:${cgit_fcgiwrap_socket};
+  }
+}