From 91690b59663b89bbc3d8c7febe2b046de1424672 Mon Sep 17 00:00:00 2001 From: Yuqian Yang Date: Fri, 7 Mar 2025 19:15:31 +0800 Subject: fix(git): public/private repo problem, enable cgit for private. --- services/docker/git-server/Dockerfile | 7 +-- services/docker/git-server/app/git/gitconfig | 3 ++ services/docker/git-server/app/git/hooks/update | 38 +++++++++++++++ .../docker/git-server/app/lighttpd-wrapper.bash | 9 ++++ services/docker/git-server/app/lighttpd/auth.conf | 3 ++ .../docker/git-server/app/lighttpd/lighttpd.conf | 57 ++++++++++++++++++++++ services/docker/git-server/git-auth.conf | 3 -- services/docker/git-server/git-lighttpd.conf | 48 ------------------ services/docker/git-server/gitconfig | 6 --- services/docker/git-server/hooks/update | 38 --------------- services/docker/git-server/lighttpd-wrapper.bash | 8 --- services/templates/cgit/cgitrc.template | 26 ++++++++++ services/templates/cgit/private-list | 1 + services/templates/cgitrc.template | 21 -------- services/templates/docker-compose.yaml.template | 2 +- 15 files changed, 140 insertions(+), 130 deletions(-) create mode 100644 services/docker/git-server/app/git/gitconfig create mode 100755 services/docker/git-server/app/git/hooks/update create mode 100755 services/docker/git-server/app/lighttpd-wrapper.bash create mode 100644 services/docker/git-server/app/lighttpd/auth.conf create mode 100644 services/docker/git-server/app/lighttpd/lighttpd.conf delete mode 100644 services/docker/git-server/git-auth.conf delete mode 100644 services/docker/git-server/git-lighttpd.conf delete mode 100644 services/docker/git-server/gitconfig delete mode 100755 services/docker/git-server/hooks/update delete mode 100755 services/docker/git-server/lighttpd-wrapper.bash create mode 100644 services/templates/cgit/cgitrc.template create mode 100644 services/templates/cgit/private-list delete mode 100644 services/templates/cgitrc.template (limited to 'services') 
diff --git a/services/docker/git-server/Dockerfile b/services/docker/git-server/Dockerfile index 274ba6a..867021c 100644 --- a/services/docker/git-server/Dockerfile +++ b/services/docker/git-server/Dockerfile @@ -5,12 +5,9 @@ RUN apt-get update && apt-get install -y \ rm -rf /var/lib/apt/lists/* RUN groupadd -g 1000 git && useradd -m -u 1000 -g 1000 -s /usr/bin/bash git -ENV GIT_CONFIG_SYSTEM=/etc/gitconfig GIT_CONFIG_GLOBAL=/git/private/gitconfig - -ADD gitconfig /etc/gitconfig -ADD hooks/* /etc/git/hooks/ -ADD git-lighttpd.conf git-auth.conf lighttpd-wrapper.bash /app/ +ENV GIT_CONFIG_SYSTEM=/app/git/gitconfig GIT_CONFIG_GLOBAL=/git/gitconfig +ADD app /app USER git:git VOLUME [ "/git" ] CMD [ "tini", "--", "/app/lighttpd-wrapper.bash" ] diff --git a/services/docker/git-server/app/git/gitconfig b/services/docker/git-server/app/git/gitconfig new file mode 100644 index 0000000..5cc41dd --- /dev/null +++ b/services/docker/git-server/app/git/gitconfig @@ -0,0 +1,3 @@ +[core] + autocrlf = false + hooksPath = /app/git/hooks/ diff --git a/services/docker/git-server/app/git/hooks/update b/services/docker/git-server/app/git/hooks/update new file mode 100755 index 0000000..d6bfc1a --- /dev/null +++ b/services/docker/git-server/app/git/hooks/update 
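Review bot: `ADD app /app` in the Dockerfile hunk would be better written as `COPY app /app`; ADD carries archive-extraction and remote-URL behaviour that a plain directory copy does not need, and COPY states the intent. The same hunk points GIT_CONFIG_GLOBAL at `/git/gitconfig`, which lives in the data volume and is read after the system config. A comment above the ENV line such as `# /git/gitconfig is operator-managed; it can override settings from /app/git/gitconfig, including core.hooksPath` would make that precedence visible to whoever edits the volume.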
@@ -0,0 +1,38 @@
+#!/usr/bin/bash
+
+set -e -o pipefail
+
+ref="$1"
+old="$2"
+new="$3"
+protected_file="$GIT_DIR/protected"
+
+die() {
+ echo "error: $*" > /dev/stderr
+ exit 1
+}
+
+if [[ -f "$protected_file" ]]; then
+ while read -r line; do
+ if grep -q -E "$line" - <<< "$ref" ; then
+ if grep -q -E "^0+$" <<< "$new"; then
+ die "protected branch $ref (rule: $line) cannot be deleted"
+ fi
+
+ if ! git merge-base --is-ancestor "$old" "$new"; then
+ die "protected branch $ref (rule: $line) is not fast-forward $(expr substr "$old" 1 8) -> $(expr substr "$new" 1 8)"
+ fi
+ fi
+ done <"$protected_file"
+fi
+
+global_hook="/git/hooks/update"
+local_hook="$GIT_DIR/hooks/update"
+
+if [[ -x "$global_hook" ]]; then
+ "$global_hook" "$ref" "$old" "$new"
+fi
+
+if [[ -x "$local_hook" ]]; then
+ "$local_hook" "$ref" "$old" "$new"
+fi
diff --git a/services/docker/git-server/app/lighttpd-wrapper.bash b/services/docker/git-server/app/lighttpd-wrapper.bash
new file mode 100755
index 0000000..54079ad
--- /dev/null
+++ b/services/docker/git-server/app/lighttpd-wrapper.bash
@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+
+set -e
+
+[[ -f /git/user-info ]] || touch -a /git/user-info
+
+exec 3>&1
+exec 4>&1
+exec lighttpd -D -f /app/lighttpd/lighttpd.conf
diff --git a/services/docker/git-server/app/lighttpd/auth.conf b/services/docker/git-server/app/lighttpd/auth.conf
new file mode 100644
index 0000000..d643659
--- /dev/null
+++ b/services/docker/git-server/app/lighttpd/auth.conf
@@ -0,0 +1,3 @@
+auth.backend = "htpasswd"
+auth.backend.htpasswd.userfile = "/git/user-info"
+auth.require = ( "" => ("method" => "basic", "realm" => "Git Access", "require" => "valid-user") )
diff --git a/services/docker/git-server/app/lighttpd/lighttpd.conf b/services/docker/git-server/app/lighttpd/lighttpd.conf
new file mode 100644
index 0000000..a96a778
--- /dev/null
+++ b/services/docker/git-server/app/lighttpd/lighttpd.conf
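Review bot: In lighttpd-wrapper.bash the credential file is created with whatever umask the container starts with, so a freshly created `/git/user-info` will normally be readable by other users on the mounted data directory. auth.conf uses that file as the htpasswd store, so it should be created owner-only, for example `[[ -f /git/user-info ]] || ( umask 077 && touch /git/user-info )`. An existing file is left untouched by this line, so its mode needs a separate check. A short comment on `exec 4>&1` saying that fd 4 is the `server.breakagelog` target set in lighttpd.conf would also help.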
@@ -0,0 +1,57 @@
+server.modules += ("mod_accesslog")
+server.modules += ("mod_rewrite")
+server.modules += ("mod_auth", "mod_authn_file", "mod_access")
+server.modules += ("mod_alias", "mod_setenv", "mod_cgi")
+
+server.port = 3636
+server.document-root = "/var/www/html/"
+accesslog.filename = "/dev/fd/3"
+server.breakagelog = "/dev/fd/4"
+
+$HTTP["url"] =^ "/git" {
+ mimetype.assign = ( ".css" => "text/css" )
+
+ $HTTP["url"] =^ "/git/private" {
+ include "auth.conf"
+ }
+
+ $HTTP["url"] =~ "^/git/.*/(HEAD|info/refs|objects/info/[^/]+|git-(upload|receive)-pack)$" {
+ url.rewrite-once = (
+ "^/git/private" => "$0",
+ "^/git(.*)" => "/git/public$1"
+ )
+
+ $HTTP["querystring"] =~ "service=git-receive-pack" {
+ include "auth.conf"
+ }
+ $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
+ include "auth.conf"
+ }
+ alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend" )
+ setenv.add-environment = (
+ "GIT_PROJECT_ROOT" => "/git/repos",
+ "GIT_HTTP_EXPORT_ALL" => ""
+ )
+ cgi.assign = ("" => "")
+ }
+ else $HTTP["url"] =~ "^/git/.*/((objects/[0-9a-f]{2}/[0-9a-f]{38})|(pack/pack-[0-9a-f]{40}.(pack|idx)))$" {
+ alias.url += (
+ "/git/private" => "/git/repos/private",
+ "/git" => "/git/repos/public",
+ )
+ }
+ else $HTTP["url"] =^ "/git/static" {
+ alias.url += (
+ "/git/static" => "/usr/share/cgit",
+ )
+ }
+ else {
+ alias.url += (
+ "/git" => "/usr/lib/cgit/cgit.cgi",
+ )
+ setenv.add-environment = (
+ "CGIT_CONFIG" => "/app/cgit/cgitrc"
+ )
+ cgi.assign = ("" => "")
+ }
+}
diff --git a/services/docker/git-server/git-auth.conf b/services/docker/git-server/git-auth.conf
deleted file mode 100644
index d643659..0000000
--- a/services/docker/git-server/git-auth.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-auth.backend = "htpasswd"
-auth.backend.htpasswd.userfile = "/git/user-info"
-auth.require = ( "" => ("method" => "basic", "realm" => "Git Access", "require" => "valid-user") )
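Review bot: The final `else` branch of lighttpd.conf hands every remaining `/git` URL to a single cgit instance whose config (cgitrc.template in this commit) now also scans `/git/repos` for private repositories, while the only gate is the `=^ "/git/private"` prefix block at the top. Requests that do not start with that prefix, such as the cgit index, are served without authentication, so private repositories carrying the `cgit-export` marker would presumably be listed there; cgit can also take the repository path from the query string rather than the URL path, which a prefix match on the path does not see, so this is worth confirming against the deployed cgit. Consider two cgit configs: a public-only one in the `else` branch, and the private one reachable only from a branch under `/git/private`, as sketched below with placeholder file names. Separately, the `.` before `(pack|idx)` in the object regex is unescaped; `\.` would match only a literal dot.

```lighttpd
    # … unchanged: git-http-backend, loose-object/pack and /git/static branches …
    else $HTTP["url"] =^ "/git/private" {
        # auth.conf already applies to this prefix via the block at the top
        alias.url += ( "/git" => "/usr/lib/cgit/cgit.cgi" )
        setenv.add-environment = ( "CGIT_CONFIG" => "/app/cgit/<PRIVATE_CGITRC>" )
        cgi.assign = ("" => "")
    }
    else {
        alias.url += ( "/git" => "/usr/lib/cgit/cgit.cgi" )
        setenv.add-environment = ( "CGIT_CONFIG" => "/app/cgit/<PUBLIC_CGITRC>" )
        cgi.assign = ("" => "")
    }
```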
diff --git a/services/docker/git-server/git-lighttpd.conf b/services/docker/git-server/git-lighttpd.conf
deleted file mode 100644
index 44e0fd6..0000000
--- a/services/docker/git-server/git-lighttpd.conf
+++ /dev/null
@@ -1,48 +0,0 @@
-server.modules += ("mod_accesslog")
-server.modules += ("mod_auth", "mod_authn_file", "mod_access")
-server.modules += ("mod_alias", "mod_setenv", "mod_cgi")
-
-server.port = 3636
-server.document-root = "/var/www/html/"
-accesslog.filename = "/dev/fd/3"
-
-$HTTP["url"] =^ "/git" {
- mimetype.assign = ( ".css" => "text/css" )
-
- $HTTP["url"] =^ "/git/private" {
- include "git-auth.conf"
- }
-
- $HTTP["url"] =~ "^/git/.*/(HEAD|info/refs|objects/info/[^/]+|git-(upload|receive)-pack)$" {
- $HTTP["querystring"] =~ "service=git-receive-pack" {
- include "git-auth.conf"
- }
- $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
- include "git-auth.conf"
- }
- alias.url += ( "/git/private" => "/usr/lib/git-core/git-http-backend/private" )
- alias.url += ( "/git" => "/usr/lib/git-core/git-http-backend/public" )
- setenv.add-environment = (
- "GIT_PROJECT_ROOT" => "/git/repos",
- "GIT_HTTP_EXPORT_ALL" => ""
- )
- cgi.assign = ("" => "")
- }
- else $HTTP["url"] =~ "^/git/.*/((objects/[0-9a-f]{2}/[0-9a-f]{38})|(pack/pack-[0-9a-f]{40}.(pack|idx)))$" {
- alias.url += (
- "/git/private" => "/git/repos/private",
- "/git" => "/git/repos/public",
- )
- }
- else $HTTP["url"] =^ "/git/static" {
- alias.url += (
- "/git/static" => "/usr/share/cgit",
- )
- }
- else {
- alias.url += (
- "/git" => "/usr/lib/cgit/cgit.cgi",
- )
- cgi.assign = ("" => "")
- }
-}
diff --git a/services/docker/git-server/gitconfig b/services/docker/git-server/gitconfig
deleted file mode 100644
index 0019ba9..0000000
--- a/services/docker/git-server/gitconfig
+++ /dev/null
@@ -1,6 +0,0 @@
-[core]
- autocrlf = false
- hooksPath = /etc/git/hooks/
-
-[receive]
- advertisePushOptions = true
diff --git a/services/docker/git-server/hooks/update b/services/docker/git-server/hooks/update
deleted file mode 100755
index d6bfc1a..0000000
--- a/services/docker/git-server/hooks/update
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/bash
-
-set -e -o pipefail
-
-ref="$1"
-old="$2"
-new="$3"
-protected_file="$GIT_DIR/protected"
-
-die() {
- echo "error: $*" > /dev/stderr
- exit 1
-}
-
-if [[ -f "$protected_file" ]]; then
- while read -r line; do
- if grep -q -E "$line" - <<< "$ref" ; then
- if grep -q -E "^0+$" <<< "$new"; then
- die "protected branch $ref (rule: $line) cannot be deleted"
- fi
-
- if ! git merge-base --is-ancestor "$old" "$new"; then
- die "protected branch $ref (rule: $line) is not fast-forward $(expr substr "$old" 1 8) -> $(expr substr "$new" 1 8)"
- fi
- fi
- done <"$protected_file"
-fi
-
-global_hook="/git/hooks/update"
-local_hook="$GIT_DIR/hooks/update"
-
-if [[ -x "$global_hook" ]]; then
- "$global_hook" "$ref" "$old" "$new"
-fi
-
-if [[ -x "$local_hook" ]]; then
- "$local_hook" "$ref" "$old" "$new"
-fi
diff --git a/services/docker/git-server/lighttpd-wrapper.bash b/services/docker/git-server/lighttpd-wrapper.bash
deleted file mode 100755
index a33015a..0000000
--- a/services/docker/git-server/lighttpd-wrapper.bash
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/bash
-
-set -e
-
-touch -a /git/user-info
-
-exec 3>&1
-exec lighttpd -D -f /app/git-lighttpd.conf
diff --git a/services/templates/cgit/cgitrc.template b/services/templates/cgit/cgitrc.template
new file mode 100644
index 0000000..ed581bd
--- /dev/null
+++ b/services/templates/cgit/cgitrc.template
@@ -0,0 +1,26 @@
+css=/git/static/cgit.css
+logo=/git/static/cgit.png
+root-title=crupest Git Repos
+source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
+about-filter=/usr/lib/cgit/filters/about-formatting.sh
+
+enable-http-clone=0
+enable-commit-graph=1
+enable-index-links=1
+enable-index-owner=0
+enable-log-filecount=1
+enable-log-linecount=1
+enable-git-config=1
+snapshots=tar.gz tar.bz2 zip
+
+readme=:README.md
+readme=:README
+
+clone-prefix=@@CRUPEST_ROOT_URL@@git
+section-from-path=1
+scan-path=/git/repos/public
+
+strict-export=cgit-export
+section-from-path=-1
+project-list=/app/cgit/private-list
+scan-path=/git/repos
diff --git a/services/templates/cgit/private-list b/services/templates/cgit/private-list
new file mode 100644
index 0000000..c8c6761
--- /dev/null
+++ b/services/templates/cgit/private-list
@@ -0,0 +1 @@
+private
\ No newline at end of file
diff --git a/services/templates/cgitrc.template b/services/templates/cgitrc.template
deleted file mode 100644
index 45ee262..0000000
--- a/services/templates/cgitrc.template
+++ /dev/null
@@ -1,21 +0,0 @@
-css=/git/static/cgit.css
-logo=/git/static/cgit.png
-root-title=crupest Git Repos
-source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
-about-filter=/usr/lib/cgit/filters/about-formatting.sh
-
-enable-http-clone=0
-enable-commit-graph=1
-enable-index-links=1
-enable-index-owner=0
-enable-log-filecount=1
-enable-log-linecount=1
-enable-git-config=1
-snapshots=tar.gz tar.bz2 zip
-
-readme=:README.md
-readme=:README
-
-clone-prefix=@@CRUPEST_ROOT_URL@@git/
-section-from-path=1
-scan-path=/git/repos/public
diff --git a/services/templates/docker-compose.yaml.template b/services/templates/docker-compose.yaml.template
index 3523023..842037b 100644
--- a/services/templates/docker-compose.yaml.template
+++ b/services/templates/docker-compose.yaml.template
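Review bot: The two `scan-path` stanzas in cgitrc.template depend on option order and nothing in the file says so; cgit applies `section-from-path`, `strict-export` and `project-list` to a `scan-path` only when they are set above it. Add a comment before each stanza, e.g. `# public: every repository under /git/repos/public is listed` and `# private: listed only when the repository contains a cgit-export file; keep these options above scan-path`. `enable-git-config=1` is set before both scans, so it also applies to the private repositories; the comment should say whether that is intended.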
@@ -84,7 +84,7 @@ services: hostname: git-server volumes: - "./@@CRUPEST_DATA_GIT_DIR@@:/git" - - "./@@CRUPEST_GENERATED_DIR@@/cgitrc:/etc/cgitrc:ro" + - "./@@CRUPEST_GENERATED_DIR@@/cgit:/app/cgit" restart: on-failure:3 roundcubemail: -- cgit v1.2.3
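Review bot: The new bind mount drops the `:ro` flag that the old cgitrc mount carried, so `/app/cgit` becomes writable from inside the git-server container wherever host permissions allow it. The cgitrc in that directory names the `source-filter` and `about-filter` programs that cgit runs, so the web-facing CGI processes should not be able to rewrite it. Keep the mount read-only: `- "./@@CRUPEST_GENERATED_DIR@@/cgit:/app/cgit:ro"`.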