
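#!/bin/sh
# install.sh — set up a git-only SSH endpoint (a second sshd on port 2222 for a
# git-shell user) plus a gitweb HTTP frontend proxied by caddy.
#
# Usage: install.sh <domain> [repo-dir]
#   domain    hostname gitweb serves and caddy proxies (letters, digits, '.', '-')
#   repo-dir  home of the git user and root of the bare repos (default /home/git)
#
# Must run as root. Expects the `gitweb` binary in the current directory.
# POSIX sh on purpose (no pipefail/[[ ]]): nothing below is piped, so `set -e`
# plus explicit checks on the critical steps is enough.
set -e

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

DOMAIN="${1:?Usage: $0 <domain> [repo-dir]}"
REPO_DIR="${2:-/home/git}"

[ "$(id -u)" -eq 0 ] || die "must run as root"

# DOMAIN is written verbatim into the Caddyfile and a systemd unit; restrict it
# to hostname characters so it cannot carry config syntax into either file.
case "$DOMAIN" in
	*[!A-Za-z0-9.-]*) die "invalid domain: $DOMAIN" ;;
esac
# REPO_DIR is interpolated unquoted into sshd_config and an ExecStart= line,
# both of which split on whitespace; require an absolute, whitespace-free path.
case "$REPO_DIR" in
	/*) ;;
	*) die "repo-dir must be an absolute path: $REPO_DIR" ;;
esac
case "$REPO_DIR" in
	*[[:space:]]*) die "repo-dir must not contain whitespace: $REPO_DIR" ;;
esac

# iptables and systemctl are used further down; failing here is clearer than
# aborting halfway through with a half-configured host.
for cmd in git sshd iptables systemctl; do
	command -v "$cmd" >/dev/null || die "missing: $cmd"
done
[ -f gitweb ] || die "gitweb binary not found in $(pwd)"

echo "==> git user"
if ! id git >/dev/null 2>&1; then
	adduser --system --group --home "$REPO_DIR" --shell /usr/bin/git-shell git
fi
mkdir -p "$REPO_DIR/.ssh"
chmod 700 "$REPO_DIR/.ssh"
touch "$REPO_DIR/.ssh/authorized_keys"
chmod 600 "$REPO_DIR/.ssh/authorized_keys"
# sshd's StrictModes requires the key file and its parents to be owned by the
# user (or root) and not group/world-writable; this satisfies that.
chown -R git:git "$REPO_DIR"
# NOTE(review): gitweb below runs as www-data and reads $REPO_DIR, which is
# owned git:git — this relies on the directory and repos staying world-readable
# (adduser's default directory mode decides that). TODO confirm on the target.

echo "==> gitweb binary"
install -m 755 gitweb /usr/local/bin/gitweb

echo "==> sshd-git (port 2222)"
# Key-only, git-only daemon. PasswordAuthentication alone does not disable
# PAM keyboard-interactive logins, so that method is switched off explicitly.
# PermitUserEnvironment is off because environment= options in authorized_keys
# can be used to bypass restrictions such as the forced git-shell; turn it on
# only if a key genuinely needs it.
cat > /etc/ssh/sshd_config_git <<EOF
Port 2222
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
AuthorizedKeysFile $REPO_DIR/.ssh/authorized_keys
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers git
PermitUserEnvironment no
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
UsePAM yes
EOF
# Validate before enabling so a missing host key or typo fails here, not at
# `systemctl enable --now` with the service in a restart loop.
sshd -t -f /etc/ssh/sshd_config_git || die "sshd_config_git failed validation"

cat > /etc/systemd/system/sshd-git.service <<'EOF'
[Unit]
Description=OpenSSH git-only SSH (port 2222)
After=network.target
[Service]
Type=notify
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_config_git
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

echo "==> gitweb service"
# gitweb only listens on loopback; caddy terminates TLS and proxies to it.
cat > /etc/systemd/system/gitweb.service <<EOF
[Unit]
Description=gitweb
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/gitweb -repos $REPO_DIR -listen 127.0.0.1:3000 -host $DOMAIN
User=www-data
Group=www-data
NoNewPrivileges=yes
PrivateTmp=yes
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

echo "==> caddy"
if command -v caddy >/dev/null 2>&1; then
	# Fixed-string match: a domain contains '.', which grep would otherwise treat
	# as a regex wildcard. Still a substring match, so a site block for a
	# superdomain that already mentions $DOMAIN suppresses the append.
	grep -qF -- "$DOMAIN" /etc/caddy/Caddyfile 2>/dev/null || cat >> /etc/caddy/Caddyfile <<EOF

$DOMAIN {
	reverse_proxy 127.0.0.1:3000
}
EOF
else
	echo "caddy not found — install it and add reverse_proxy 127.0.0.1:3000 for $DOMAIN" >&2
fi

echo "==> firewall"
# sshd-git binds 0.0.0.0 only, so an IPv4 rule is all that is needed.
if ! iptables -C INPUT -p tcp --dport 2222 -j ACCEPT 2>/dev/null; then
	iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
fi
# Persisting the rule is best-effort: not every host has netfilter-persistent.
if command -v netfilter-persistent >/dev/null; then
	netfilter-persistent save 2>/dev/null || true
fi

echo "==> start"
systemctl daemon-reload
systemctl enable --now sshd-git gitweb
if command -v caddy >/dev/null; then
	systemctl reload caddy
fi

echo "done. add keys to $REPO_DIR/.ssh/authorized_keys"
echo "create repos: sudo -u git git init --bare $REPO_DIR/name.git"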