I recently decided to move all my code under Git. I’ve used it before, and I’ve also used SVN, but I find Git to be more straightforward in some respects.
In order to use Git I needed a place online to store my projects, and I thought that GitHub could be a good place, but the fact that you have to pay to keep a project private just didn’t sound right in my opinion. Of course GitHub is there to make money (especially now that M$ bought it), but I prefer to have a simpler setup and be able to do things my way as much as possible.
So I started planning what I wanted my git server to have. Here’s a list:
- Security – I decided to make it work only under ssh, so that only someone who has the key can clone or access the repository. I also added an unprivileged git user that only has access to very few commands, so even if somebody manages to get in through ssh he’ll find himself with only very few options available.
- Notifications – my server already tells me a lot of what happens, so I wanted my git service to do the same. I implemented a mail service that notifies me every time a new repository is added or every time there’s a push to a repository.
- Automation – I wanted to have as few steps as possible between creation of the project and deployment to production. Now in two steps I can create a repository and clone it to my local computer, and when I’m done I just need to push my modifications and the code is deployed automatically.
- Visibility – I haven’t yet decided if I want my code to be visible, so I haven’t even started thinking about this possibility.
Installing a git server is quite simple once you know how it works. On my server it was a matter of having a bare repository set up, but in order to have the level of security that I wanted there were a few more steps involved.
A bit of a disclaimer here: I use Slackware64-14.2 on my server and Slackware64-current on my laptop, so all the commands here worked for me, but I can’t be sure that the procedures I followed will work on different distros with different setups. If you have any trouble following what I’ve done, let me know in the comments and I’ll try to help you.
I’ve added a new user and group to my server, but before doing so I added /usr/bin/git-shell to /etc/shells in order to use it as the login shell for my git user.
# echo "/usr/bin/git-shell" >> /etc/shells
# groupadd git
# mkdir /var/git
# useradd -d /var/git -g git -M -s /usr/bin/git-shell git
Now the user is all set and ready to be used. The next step is to create the .ssh directory and the authorized_keys file to hold the keys of the developers that have to access the git server. Here’s how I did it:
# mkdir /var/git/.ssh
# touch /var/git/.ssh/authorized_keys
# chown -R git:git /var/git
# chmod 0700 /var/git/.ssh
# chmod 0600 /var/git/.ssh/authorized_keys
OK, now the files are in place and the permissions are correct for ssh to work well.
Let’s head back to my working computer. I created an ssh keypair for my usual user and copied the public key to the authorized_keys file on the server. I won’t go into much detail on how to do so, but just a suggestion: keep it without a password, it’ll be much faster to work with later.
Since I have ssh access to the same server for my normal user, I used the ~/.ssh/config file on my computer to set up a new host that eases my access routine for the git user as well as for my regular user. Here’s my config (more or less):
$ cat ~/.ssh/config
Host regular_ssh
    HostName server.tld
    User myuser
    IdentityFile ~/.ssh/id_rsa

Host git_ssh
    HostName server.tld
    User git
    IdentityFile ~/.ssh/git_rsa
Now when I need to access the server with my regular user I’ll just run
$ ssh regular_ssh
and when I need to access as git user I’ll run
$ ssh git_ssh
and ssh will take care of all the options and start the connection with the correct credentials for me. Neat!
Now that access for the git user is set up, we have one last thing to do before being able to use it. We’ll give him only a limited set of commands to use; that way the git user will be even more limited and much more secure. Inside the documentation shipped with git there are a lot of scripts to get you started with this, so we’ll copy them inside a special directory called git-shell-commands, like this:
# cp -R /usr/doc/git-2.14.4/contrib/git-shell-commands /var/git
# chown -R git:git /var/git
Now we have 2 commands inside the git-shell-commands directory, list and help: the first shows all projects inside the /var/git directory, and the other shows a simple help text and a list of all the commands available. To give you an example of how easy it is to add commands to the git-shell, I will create a simple command that acts as the clear command and clears the screen. To do so, from inside the /var/git directory I did:
# echo $(which clear) > git-shell-commands/clear
# chmod 0755 git-shell-commands/clear
and now I have a “clear” command available for my git user. Other useful commands will be “create” to add a repository and “destroy” to remove it. Let’s see them on the next page.
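An added example, not part of the original post: a small shell check that the git account ended up the way the steps above describe (git-shell listed in /etc/shells, .ssh at 0700, authorized_keys at 0600, and every file in git-shell-commands executable but not writable by group or other). It assumes GNU `stat` and `find`; the function names `mode_of` and `audit_git_home` are made up for this example.

```shell
#!/bin/sh
# Added example: audit a git-shell home directory laid out as in this post.
# Assumes GNU coreutils/findutils (stat -c, find -perm /MODE).
# Usage: audit_git_home /var/git

# mode_of FILE -> octal permission bits, e.g. 700
mode_of() { stat -c '%a' "$1"; }

# audit_git_home HOME [SHELLS_FILE]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_git_home() {
    home=$1
    shells=${2:-/etc/shells}
    rc=0

    # The login shell must be listed in the shells file, as done in the first step.
    grep -qx '/usr/bin/git-shell' "$shells" 2>/dev/null ||
        { echo "FAIL: /usr/bin/git-shell not listed in $shells"; rc=1; }

    [ -d "$home/.ssh" ] && [ "$(mode_of "$home/.ssh")" = 700 ] ||
        { echo "FAIL: $home/.ssh missing or not mode 0700"; rc=1; }

    keys=$home/.ssh/authorized_keys
    [ -f "$keys" ] && [ "$(mode_of "$keys")" = 600 ] ||
        { echo "FAIL: $keys missing or not mode 0600"; rc=1; }

    cmds=$home/git-shell-commands
    if [ -d "$cmds" ]; then
        for f in "$cmds"/*; do
            [ -f "$f" ] || continue
            [ -x "$f" ] || { echo "FAIL: $f is not executable"; rc=1; }
            # A command writable by group/other could be replaced by another account.
            if [ -n "$(find "$f" -maxdepth 0 -perm /022)" ]; then
                echo "FAIL: $f is writable by group or other"; rc=1
            fi
        done
    else
        echo "FAIL: $cmds is missing"; rc=1
    fi
    return $rc
}
```

Run as root on the server, `audit_git_home /var/git` prints nothing and returns 0 when the layout matches the steps in this post.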