Setting up a Self Hosted Git Server

Sat 29th May 2021 By David T. Sadler.

I've always liked the idea of self hosting some of my git repositories. After a bit of research I found that it involves.

• Installing git.
• Creating a git user.
• Setting up ssh so that I can log into the sever securely as the git user.
• Creating a test repository on the server.
• Creating a test project on my local machine.
• Pushing the test project to the git sever.

Installing Git

Since its an Ubuntu server installing git is as simple as.

$ sudo apt install git-core

Creating a User

The git user will serve two purposes.

• The repositories will be stored in the user's home directory.
• The user account will contain the public ssh keys of remote users that can access the repositories.

$ sudo adduser --system --shell /usr/bin/git-shell --group --disabled-password --home /home/git git

• --system Creates a system user user. Not strictly required but since this is not a normal user account I prefer to use this option.
• --shell /usr/bin/git-shell Restrict the git user to only git related activities. This also prevents remote users from obtaining a shell by logging in via ssh. Note that git-shell does not prevent normal git operations, such as pull and push, from working over ssh.
• --group Creates a group that is the same name as the user.
• --disabled-password Prevent logging in with a password. The use of ssh keys is still allowed.
• --home /home/git The home directory for the user.

Setting up SSH

On my local machine git will use ssh to connect to the remote server as the git user. In order to do this I will need to copy my public ssh key to the git user account.

The below commands create the required .ssh directory and authorized_keys file with the correct permissions.

$ sudo mkdir /home/git/.ssh
$ sudo chown git:git /home/git/.ssh
$ sudo chmod 700 /home/git/.ssh
$ sudo touch /home/git/.ssh/authorized_keys
$ sudo chown git:git /home/git/.ssh/authorized_keys
$ sudo chmod 600 /home/git/.ssh/authorized_keys

Now I can copy the public ssh key of anyone who needs access to the repositories. There are a few ways of doing this and I tend to just edit the authorized_keys file and manually copy and paste the keys into it.

$ sudo vim /home/git/.ssh/authorized_keys

Note that to prevent ssh port forwarding via the git user account I prepend the no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty options to the key.

$ sudo cat /home/git/.ssh/authorized_keys

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCB007n/ww+ouN4gSLKssMxXnBOvf9LGt4LojG6rs6h
PB09j9R/T17/x4lhJA0F3FR1rP6kYBRsWj2aThGw6HXLm9/5zytK6Ztg3RPKK+4kYjh6541N
YsnEAZuXz0jTTyAUfrtU3Z5E003C4oxOj6H0rfIF1kKI9MAQLMdpGW1GYEIgS9EzSdfd8AcC
IicTDWbqLAcU4UpkaX8KyGlLwsNuuGztobF8m72ALC/nLF6JLtPofwFBlgc+myivO7TCUSBd
LQlgMVOFq1I2uPWQOkOWQAHukEOmfjy2jctxSDBQ220ymjaNsHT4kgtZg2AYYgPqdAv8JggJ
ICUvax2T9va5 gsg-keypair

On my local machine I can test ssh access.

$ ssh git.davidtsadler.com

fatal: Interactive git shell is not enabled.
hint: ~/git-shell-commands should exist and have read and execute access.

The message that comes back indicates that ssh is working and that the git-shell is been used.

Creating a Test Repository

An empty repository is setup by running git init with the --bare option. I also ensure that the git user owns the repository and that main will be the default branch when its checked out.

$ sudo git init --bare /home/git/test.git/
$ sudo chown -R git:git /home/git/test.git/
$ sudo git --git-dir=/home/git/test.git/ symbolic-ref HEAD refs/heads/main

Creating a Test Project

Back on my local machine I can create a test project and push it to the remote server.

$ mkdir test
$ cd test
$ git init
$ touch readme
$ git add .
$ git commit -m 'Initial commit'
$ git remote add origin git@git.davidtsadler.com:test.git
$ git push origin main

I can also test that I can clone the repository.

rm -rf test
git clone git@git.davidtsadler.com:test.git

Links

I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to.

License

Copyright © 2021 David T. Sadler.