Diffstat (limited to 'files/usr/local/etc')
-rw-r--r--files/usr/local/etc/cgitrc.git_server66
-rw-r--r--files/usr/local/etc/nginx/fastcgi_params.git_server32
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.git_server49
-rw-r--r--files/usr/local/etc/ssh/sshd_config.d/gitolite.conf.git_server12
-rw-r--r--files/usr/local/etc/sudoers.d/acme.git_server1
5 files changed, 160 insertions, 0 deletions
diff --git a/files/usr/local/etc/cgitrc.git_server b/files/usr/local/etc/cgitrc.git_server
new file mode 100644
index 0000000..5cebd6c
--- /dev/null
+++ b/files/usr/local/etc/cgitrc.git_server
@@ -0,0 +1,66 @@
+clone-prefix=${cgit_clone_urls}
+enable-http-clone=0
+enable-blame=1
+enable-commit-graph=1
+enable-log-filecount=1
+enable-log-linecount=1
+branch-sort=name
+
+max-stats=none
+root-title=${cgit_root_title}
+root-desc=${cgit_root_desc}
+remove-suffix=1
+repository-sort=name
+snapshots=tar.gz
+local-time=1
+robots=index, nofollow
+
+cache-root=${cgit_cache_dir}
+cache-size=${cgit_cache_size}
+
+source-filter=/usr/local/lib/cgit/filters/syntax-highlighting-custom.py
+about-filter=/usr/local/lib/cgit/filters/about-formatting.sh
+
+favicon=/custom-favicon.ico
+logo=/custom-logo.png
+css=/custom-style.css
+robots=/custom-robots.txt
+head-include=${cgit_webroot}/custom-head-include.html
+header=${cgit_webroot}/custom-header.html
+
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+
+readme=:README.md
+readme=:readme.md
+readme=:README.mkd
+readme=:readme.mkd
+readme=:README.html
+readme=:readme.html
+readme=:README.htm
+readme=:readme.htm
+readme=:README.txt
+readme=:readme.txt
+readme=:README
+readme=:readme
+readme=:INSTALL.md
+readme=:install.md
+readme=:INSTALL.mkd
+readme=:install.mkd
+readme=:INSTALL.html
+readme=:install.html
+readme=:INSTALL.htm
+readme=:install.htm
+readme=:INSTALL.txt
+readme=:install.txt
+readme=:INSTALL
+readme=:install
+
+enable-git-config=1
+project-list=${gitolite_home}/projects.list
+scan-path=${gitolite_home}/repositories
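Review bot: `robots` is assigned twice in this file, first as `robots=index, nofollow` and later as `robots=/custom-robots.txt`; in cgitrc `robots` is the content of the page's `<meta name="robots">` tag and the last assignment wins, so the rendered tag would carry a path instead of the crawler directive. If a custom robots.txt is wanted it has to be served by the nginx vhost (a `location = /robots.txt`), and the second line should be dropped; if the meta tag is wanted, keep only `robots=index, nofollow`. Separately, `enable-git-config=1` together with `scan-path` lets each repository's own git config override cgit's per-repo settings, which is a trust decision toward whoever can push to those repos; a one-line comment such as `# per-repo cgit.* keys in .git/config are honoured on purpose` would record that this is intended.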
diff --git a/files/usr/local/etc/nginx/fastcgi_params.git_server b/files/usr/local/etc/nginx/fastcgi_params.git_server
new file mode 100644
index 0000000..49201e8
--- /dev/null
+++ b/files/usr/local/etc/nginx/fastcgi_params.git_server
@@ -0,0 +1,32 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+# Intentionally omitted here for cgit:
+# SCRIPT_FILENAM0E
+# SCRIPT_NAME
+# PATH_INFO
+# PATH_TRANSLATED
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $host;
+fastcgi_param REMOTE_USER $remote_user if_not_empty;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+
+# Protect against HTTPoxy vuln
+fastcgi_param HTTP_PROXY "";
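Review bot: The comment listing the parameters intentionally left out has a typo, `# SCRIPT_FILENAM0E`, which should read `# SCRIPT_FILENAME`, the variable the two vhost locations set themselves. Note also that `fastcgi_param SERVER_NAME $host;` passes the client-supplied Host header rather than `$server_name`; since the vhost is a `default_server`, that value is whatever the client sent, which is harmless only as long as nothing downstream builds URLs from SERVER_NAME, so a comment like `# $host is taken from the request; cgit clone URLs come from clone-prefix, not SERVER_NAME` would make the choice explicit.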
diff --git a/files/usr/local/etc/nginx/vhosts.conf.git_server b/files/usr/local/etc/nginx/vhosts.conf.git_server
new file mode 100644
index 0000000..fdd5f53
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.git_server
@@ -0,0 +1,49 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+$(if [ "$git_public_fqdn" != "$fqdn" ]; then
+ cat <<EOF
+ ssl_certificate ${acme_cert_dir}/nginx.crt;
+ ssl_certificate_key ${acme_cert_dir}/nginx.key;
+ ssl_trusted_certificate ${acme_cert_dir}/nginx.ca.crt;
+EOF
+ else
+ cat <<EOF
+ ssl_certificate ${git_https_cert};
+ ssl_certificate_key ${git_https_key};
+EOF
+fi)
+
+ auth_gss_keytab ${git_keytab};
+ auth_gss_allow_basic_fallback ${git_basic_auth};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ root ${cgit_webroot};
+ try_files \$uri @cgit;
+
+ location ~ '^.+/(HEAD|info/refs|objects/(info/[^/]+|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))|git-(upload|receive)-pack)$' {
+ auth_gss on;
+ satisfy any;
+$(printf ' deny %s;\n' $kerberized_cidrs)
+ allow all;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/local/libexec/gitolite/gitolite-shell;
+ fastcgi_param PATH_INFO \$uri;
+ fastcgi_param GIT_HTTP_EXPORT_ALL '';
+ fastcgi_param GIT_PROJECT_ROOT ${gitolite_home}/repositories;
+ fastcgi_param GITOLITE_HTTP_HOME ${gitolite_home};
+ fastcgi_param PATH /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin;
+ fastcgi_pass unix:${gitolite_fcgiwrap_socket};
+ }
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME ${cgit_webroot}/cgit.cgi;
+ fastcgi_param SCRIPT_NAME '';
+ fastcgi_param PATH_INFO \$uri;
+ fastcgi_pass unix:${cgit_fcgiwrap_socket};
+ }
+}
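Review bot: `$(printf ' deny %s;\n' $kerberized_cidrs)` emits a bare ` deny ;` when `$kerberized_cidrs` expands to nothing, and nginx rejects a `deny` directive without an argument, so an empty list breaks the whole configuration instead of meaning "no Kerberos-only networks". A loop that emits nothing for an empty value avoids that: `$(for c in $kerberized_cidrs; do printf ' deny %s;\n' "$c"; done)`. The `satisfy any;` / `deny …` / `allow all;` combination also deserves a comment: clients outside the listed CIDRs satisfy the access module and never hit `auth_gss`, so they reach gitolite-shell with no REMOTE_USER and anonymous access is then governed entirely by gitolite's own HTTP settings — presumably intended, but it should be stated next to `satisfy any;`. Finally, the `\$uri` escapes and `$( … )` blocks show this file is a shell template rather than plain nginx syntax; a header comment saying so, and naming the variables it expects, would prevent someone editing it as a literal config.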
diff --git a/files/usr/local/etc/ssh/sshd_config.d/gitolite.conf.git_server b/files/usr/local/etc/ssh/sshd_config.d/gitolite.conf.git_server
new file mode 100644
index 0000000..33b9282
--- /dev/null
+++ b/files/usr/local/etc/ssh/sshd_config.d/gitolite.conf.git_server
@@ -0,0 +1,12 @@
+Match User ${gitolite_local_user}
+ GSSAPIAuthentication no
+ KbdInteractiveAuthentication no
+ PasswordAuthentication no
+ PubkeyAuthentication yes
+ AuthenticationMethods publickey
+ AuthorizedKeysFile none
+ AuthorizedKeysCommand /usr/local/libexec/gitolite-authorizedkeys ${gitolite_admin_role} ${gitolite_access_role}
+ AuthorizedKeysCommandUser ${gitolite_local_user}
+ DisableForwarding yes
+ PermitUserRC no
+ PermitTTY no
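Review bot: This file is nothing but a `Match User` block, and a Match block stays in effect until the next Match or the end of parsing, so if the main sshd_config's `Include` of `sshd_config.d` sits above other global directives, those directives may be parsed as part of this block; where the Include is placed is not visible here, so verify the effective settings with `sshd -T -C user=<gitolite user>` and add a comment that the file must be included after all global settings. Separately, `AuthorizedKeysCommand` is invoked with no `%u`/`%k`/`%t` tokens, so the helper has to obtain the presented key by other means; a comment naming what `gitolite-authorizedkeys` reads and what the two role arguments mean would help the next maintainer.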
diff --git a/files/usr/local/etc/sudoers.d/acme.git_server b/files/usr/local/etc/sudoers.d/acme.git_server
new file mode 100644
index 0000000..9ca89b8
--- /dev/null
+++ b/files/usr/local/etc/sudoers.d/acme.git_server
@@ -0,0 +1 @@
+${acme_user} ALL=(root) NOPASSWD: /usr/sbin/service nginx reload