The git daemon doesn’t require any privileges (assuming the repositories
are world-readable), and the git user owns /gitweb-socket (and possibly
also the repositories). ReadOnlyDirectories=/ should prevent the git
daemon from making any modifications to those directories, but still,
there’s no harm done in locking it down even further.
This removes the need for running `git update-server-info` on the
repositories regularly (or on update), possibly speeds up clones (at
least, git clone can now show progress information), and almost
certainly improves reliability on a pull concurrent with a push to the
same repository (the git daemon can respect lock files, nginx can’t).
(We can also probably remove /srv/git from front-nginx, but I’ll do that
in a separate change.)
Serves all repositories in /data/git on the code. subdomain with gitweb,
and allows cloning them via https:// and git://.
NOTE: For clone over HTTP(S), git update-server-info needs to be run in
the repositories; this is expected to be done via a post-update hook in
the repositories, and not configured here.
Felix [Tue, 1 Nov 2016 11:10:57 +0000 (12:10 +0100)]
initial import
Current features include:
- setup of gigi, cassiopeia-client, quiz-system, minimalist exim, nginx
- setup of gigi-database from scratch (including validation of own domain and issuing own certificates)
- optional cassiopeia-signer in own container with communication via tcpserial
- hop container for administrators connecting to the system