From 57fc721bb02120b33fb9f0152b7e0555828d4e54 Mon Sep 17 00:00:00 2001
From: Yuqian Yang
Date: Fri, 7 Mar 2025 19:15:31 +0800
Subject: fix(git): public/private repo problem, enable cgit for private.
---
services/docker/git-server/app/git/gitconfig | 3 ++
services/docker/git-server/app/git/hooks/update | 38 +++++++++++++++
.../docker/git-server/app/lighttpd-wrapper.bash | 9 ++++
services/docker/git-server/app/lighttpd/auth.conf | 3 ++
.../docker/git-server/app/lighttpd/lighttpd.conf | 57 ++++++++++++++++++++++
5 files changed, 110 insertions(+)
create mode 100644 services/docker/git-server/app/git/gitconfig
create mode 100755 services/docker/git-server/app/git/hooks/update
create mode 100755 services/docker/git-server/app/lighttpd-wrapper.bash
create mode 100644 services/docker/git-server/app/lighttpd/auth.conf
create mode 100644 services/docker/git-server/app/lighttpd/lighttpd.conf
(limited to 'services/docker/git-server/app')
diff --git a/services/docker/git-server/app/git/gitconfig b/services/docker/git-server/app/git/gitconfig
new file mode 100644
index 0000000..5cc41dd
--- /dev/null
+++ b/services/docker/git-server/app/git/gitconfig
@@ -0,0 +1,3 @@
+[core]
+ autocrlf = false
+ hooksPath = /app/git/hooks/
diff --git a/services/docker/git-server/app/git/hooks/update b/services/docker/git-server/app/git/hooks/update
new file mode 100755
index 0000000..d6bfc1a
--- /dev/null
+++ b/services/docker/git-server/app/git/hooks/update
@@ -0,0 +1,38 @@
+#!/usr/bin/bash
+
+set -e -o pipefail
+
+ref="$1"
+old="$2"
+new="$3"
+protected_file="$GIT_DIR/protected"
+
+die() {
+ echo "error: $*" > /dev/stderr
+ exit 1
+}
+
+if [[ -f "$protected_file" ]]; then
+ while read -r line; do
+ if grep -q -E "$line" - <<< "$ref" ; then
+ if grep -q -E "^0+$" <<< "$new"; then
+ die "protected branch $ref (rule: $line) cannot be deleted"
+ fi
+
+ if ! git merge-base --is-ancestor "$old" "$new"; then
+ die "protected branch $ref (rule: $line) is not fast-forward $(expr substr "$old" 1 8) -> $(expr substr "$new" 1 8)"
+ fi
+ fi
+ done <"$protected_file"
+fi
+
+global_hook="/git/hooks/update"
+local_hook="$GIT_DIR/hooks/update"
+
+if [[ -x "$global_hook" ]]; then
+ "$global_hook" "$ref" "$old" "$new"
+fi
+
+if [[ -x "$local_hook" ]]; then
+ "$local_hook" "$ref" "$old" "$new"
+fi
diff --git a/services/docker/git-server/app/lighttpd-wrapper.bash b/services/docker/git-server/app/lighttpd-wrapper.bash
new file mode 100755
index 0000000..54079ad
--- /dev/null
+++ b/services/docker/git-server/app/lighttpd-wrapper.bash
@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+
+set -e
+
+[[ -f /git/user-info ]] || touch -a /git/user-info
+
+exec 3>&1
+exec 4>&1
+exec lighttpd -D -f /app/lighttpd/lighttpd.conf
diff --git a/services/docker/git-server/app/lighttpd/auth.conf b/services/docker/git-server/app/lighttpd/auth.conf
new file mode 100644
index 0000000..d643659
--- /dev/null
+++ b/services/docker/git-server/app/lighttpd/auth.conf
@@ -0,0 +1,3 @@
+auth.backend = "htpasswd"
+auth.backend.htpasswd.userfile = "/git/user-info"
+auth.require = ( "" => ("method" => "basic", "realm" => "Git Access", "require" => "valid-user") )
diff --git a/services/docker/git-server/app/lighttpd/lighttpd.conf b/services/docker/git-server/app/lighttpd/lighttpd.conf
new file mode 100644
index 0000000..a96a778
--- /dev/null
+++ b/services/docker/git-server/app/lighttpd/lighttpd.conf
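Review bot: In hooks/update, the `while read -r line; do … done <"$protected_file"` loop never runs its body for a final rule that has no trailing newline, so that rule is silently not enforced; `while read -r line || [[ -n "$line" ]]; do` closes the gap. The rule is also handed to grep as a bare argument, so a line beginning with `-` is parsed as an option, and an invalid pattern makes grep fail inside the `if`, which reads as "no match" and lets the push through; `grep -q -E -e "$line" - <<< "$ref"` fixes the first, and validating each rule when the file is loaded would fix the second. An empty line is an empty regex and matches every ref, so `[[ -n "$line" ]] || continue` at the top of the loop is worth adding. Separately, when a protected ref is first created `$old` is all zeros and `git merge-base --is-ancestor` errors, so the push is rejected as non-fast-forward; add an explicit case if creation is meant to be allowed.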
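Review bot: auth.conf enables HTTP Basic with `"method" => "basic"`, while lighttpd.conf in the same commit listens on `server.port = 3636` with no TLS settings visible, so passwords for private repos and pushes travel effectively in clear text unless a TLS-terminating proxy sits in front of this container. If such a proxy exists, say so in a comment above `auth.require`, e.g. `# Basic auth: only safe behind the TLS reverse proxy`. Note also that `"require" => "valid-user"` gives every account in /git/user-info read access to all private repos and push access to every repo; if per-repository authorization is expected, it is not provided here.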
@@ -0,0 +1,57 @@
+server.modules += ("mod_accesslog")
+server.modules += ("mod_rewrite")
+server.modules += ("mod_auth", "mod_authn_file", "mod_access")
+server.modules += ("mod_alias", "mod_setenv", "mod_cgi")
+
+server.port = 3636
+server.document-root = "/var/www/html/"
+accesslog.filename = "/dev/fd/3"
+server.breakagelog = "/dev/fd/4"
+
+$HTTP["url"] =^ "/git" {
+ mimetype.assign = ( ".css" => "text/css" )
+
+ $HTTP["url"] =^ "/git/private" {
+ include "auth.conf"
+ }
+
+ $HTTP["url"] =~ "^/git/.*/(HEAD|info/refs|objects/info/[^/]+|git-(upload|receive)-pack)$" {
+ url.rewrite-once = (
+ "^/git/private" => "$0",
+ "^/git(.*)" => "/git/public$1"
+ )
+
+ $HTTP["querystring"] =~ "service=git-receive-pack" {
+ include "auth.conf"
+ }
+ $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
+ include "auth.conf"
+ }
+ alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend" )
+ setenv.add-environment = (
+ "GIT_PROJECT_ROOT" => "/git/repos",
+ "GIT_HTTP_EXPORT_ALL" => ""
+ )
+ cgi.assign = ("" => "")
+ }
+ else $HTTP["url"] =~ "^/git/.*/((objects/[0-9a-f]{2}/[0-9a-f]{38})|(pack/pack-[0-9a-f]{40}.(pack|idx)))$" {
+ alias.url += (
+ "/git/private" => "/git/repos/private",
+ "/git" => "/git/repos/public",
+ )
+ }
+ else $HTTP["url"] =^ "/git/static" {
+ alias.url += (
+ "/git/static" => "/usr/share/cgit",
+ )
+ }
+ else {
+ alias.url += (
+ "/git" => "/usr/lib/cgit/cgit.cgi",
+ )
+ setenv.add-environment = (
+ "CGIT_CONFIG" => "/app/cgit/cgitrc"
+ )
+ cgi.assign = ("" => "")
+ }
+}
-- cgit v1.2.3
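Review bot: The private-repo gate in the `$HTTP["url"] =^ "/git/private"` block keys only on the URL path, but the final `else` branch hands every other `/git` request to cgit.cgi, and cgit can select a repository from its `url` query parameter as well as from PATH_INFO. If `/app/cgit/cgitrc` (not part of this commit) scans all of /git/repos, private repositories may appear on the index page and be served by cgit without the Basic-auth challenge. Consider requiring auth whenever that parameter is present, e.g. `$HTTP["querystring"] =~ "(^|&)url=" { include "auth.conf" }` inside the cgit branch, or serving private repos from a separate cgit configuration. Minor: in the dumb-HTTP regex the `.` before `(pack|idx)` is unescaped and should be `\.`.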