[[!tag gitano]]

I recently set up a Gitano instance as http://git.liw.fi/. Gitano is a very nice git server, which adds user and group management and access control in front of git itself, and keeps all configuration in git, where it's traceable and auditable nicely. It's also a command line based thing, rather than a slow, resource-hungry web application, and so much more to my liking.

Daniel, the Gitano upstream, has a "gitano-all" source tree for creating an unofficial Gitano Debian package, which includes cgit, a fast git web interface. This is not ever going to be accepted in Debian, of course, but it makes it easier to install Gitano on your server. This hanky-panky is needed because Gitano and cgit both use libgit2, and that's a library without a stable API at this time. This makes it difficult to package for Debian. cgit seems to embed other such projects as well.

Anyway, once you've installed the Gitano software (and cgit, if you want that), there's the matter of setting up a Gitano instance.

Each Gitano instance is its own Unix user, accessed over ssh. Thus, one machine can host any number of Gitano instances, and they'll be nicely isolated from each other by normal Unix setup. Each instance manages its own set of Gitano users and groups, which only exist within that instance. Users are identified by ssh public keys: there are no passwords.

Here's my slightly edited checklist for setting up a Gitano instance. It assumes Gitano and cgit and their dependencies are installed.

Set up Gitano itself:

  • adduser --disabled-password git
    • create the Unix user
    • I chose git as the username, so that git@git.liw.fi is my Gitano instance
  • copy your ssh public key to the system; you'll need it for gitano-setup
    • the key file needs to be readable by the Gitano instance Unix user
  • run gitano-setup as the Gitano instance user
    • su - git
    • gitano-setup
    • answer questions: I chose defaults for most things
    • if you screw this up, you can start over by deleting everything in the home directory
  • from your own ssh account: ssh git@host whoami
    • this should produce some output telling you you're in the gitano-admin group
    • if that works, Gitano is correctly set up

Set up a git daemon for public git repositories:

  • edit /etc/inetd.conf to add (all on one line):

        git stream tcp nowait nobody /usr/bin/git git daemon --inetd --interpolated-path=/home/git/repos/%D /home/git/repos

  • /etc/init.d/openbsd-inetd restart

Set up cgit and Apache:

  • edit /etc/apache2/sites-available/SOMETHING to add:

        # CGIT stuff
        DirectoryIndex /cgi-bin/cgit/cgit.cgi
        Alias /cgit.png /usr/share/cgit/htdocs/cgit.png
        Alias /cgit.css /usr/share/cgit/htdocs/cgit.css
        <Directory "/home/git/repos">
            Options FollowSymlinks Indexes
            Allow from all
            AllowOverride none
            Order allow,deny
        </Directory>

  • /etc/init.d/apache2 restart
  • create /etc/cgitrc:

        # Enable caching of up to 1000 output entries
        cache-size=1000

        # Specify some default clone prefixes
        clone-prefix=git://testgit

        # Specify the css url
        css=/cgit.css

        # Specify the logo url
        logo=/cgit.png

        # Show extra links for each repository on the index page
        enable-index-links=1

        # Show number of affected files per commit on the log pages
        enable-log-filecount=1

        # Show number of added/removed lines per commit on the log pages
        enable-log-linecount=1

        # Set the title and heading of the repository index page
        root-title=testgit
        root-desc=Lars's test git repositories

        # Allow download of tar.gz snapshots
        snapshots=tar.gz

        #source-filter=/usr/lib/cgit/filters/syntax-highlighting.sh

        # The next three settings must come before scan-path to affect the scan
        remove-suffix=1

        enable-git-config=1

        # Only list repositories that contain this marker file
        strict-export=git-daemon-export-ok

        scan-path=/home/git/repos

        ##
        ## List of common mimetypes
        ##
        mimetype.gif=image/gif
        mimetype.html=text/html
        mimetype.jpg=image/jpeg
        mimetype.pdf=application/pdf
        mimetype.png=image/png
        mimetype.svg=image/svg+xml

Finally, you should review, and possibly alter, Gitano access control rules.

  • git clone ssh://git@YOURHOST/gitano-admin
    • to allow anonymous read access to all repositories except the admin repository, edit rules/core.lace and uncomment the last line: allow "Anonymous access is okay" op_read !is_admin_repo
    • commit and push
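
A quick check of what is actually published, as an added example that is not part of the original checklist or of Gitano: the git daemon line above (no --export-all) and cgit's strict-export setting both serve only repositories containing a git-daemon-export-ok file, so this script lists those repositories and fails if the admin repository is among them. The repository root argument and the on-disk name gitano-admin.git are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post or from Gitano).
# Assumptions: bare repositories live under ROOT (the post uses
# /home/git/repos) and the admin repository is stored as gitano-admin.git.

# list_exported ROOT
# Print, one per line and relative to ROOT, every repository that carries
# the git-daemon-export-ok marker checked by git daemon and by cgit's
# strict-export setting.
list_exported() {
    root=${1%/}
    find "$root" -type f -name git-daemon-export-ok 2>/dev/null |
    while IFS= read -r marker; do
        repo=${marker%/git-daemon-export-ok}
        # Ignore stray marker files that are not inside a git directory.
        if [ -f "$repo/HEAD" ] && [ -d "$repo/objects" ]; then
            printf '%s\n' "${repo#"$root"/}"
        fi
    done | sort
}

# audit_exports ROOT [ADMIN_REPO]
# Return 1 if the admin repository (access rules and user configuration)
# is published anonymously, 0 otherwise.
audit_exports() {
    admin=${2:-gitano-admin.git}
    if list_exported "$1" | grep -qxF "$admin"; then
        echo "WARNING: $admin is exported anonymously" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit-exports.sh /home/git/repos
if [ "$#" -gt 0 ]; then
    list_exported "$1"
    audit_exports "$1" || exit 1
fi
```

Run it as the Gitano instance user after every change to rules/core.lace, and compare the list with what you intended to make public.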

Some Gitano commands:

  • ssh git@YOURHOST create foo
  • ssh git@YOURHOST ls

Happy hacking.

PS. I wrote a yarn test suite for my Gitano ACL, which may be interesting if you're new to Gitano.