Unknown and partly hidden

Notes on lighttpd and git

Much to my surprise vicious became very popular in just over a month. About a dozen people grab the code every day, and they should be able to preview the repo and browse trough it - so I decided to serve it with cgit, a fast web interface for git. Connecting it to lighttpd revealed some quirks, so I'll describe my setup in short.

On my web server all web sites are served from "/var/www" so when building cgit I decided to install it in "/var/www/cgit":

$ make CGIT_SCRIPT_PATH=/var/www/cgit

Cgit binary, default css style sheet and logo will be stored there, configuration file is "/etc/cgitrc" and cache (if enabled later) is stored in "/var/cache/cgit".

After creating a new sub-domain I proceeded to configure lighttpd.

# {{{ git.webhost.tld
$HTTP["host"] == "git.webhost.tld" {
  server.document-root = "/var/www/cgit"
  index-file.names     = ( "cgit.cgi" )
  cgi.assign           = ( "cgit.cgi" => "/var/www/cgit/cgit.cgi" )
  url.rewrite-once     = (
    "^/([^?/]+/[^?]*)?(?:\?(.*))?$"   => "/cgit.cgi?url=$1&$2",
)}
# }}}

Before restarting lighttpd I did some quick changes on the default cgitrc. Since web sites are stored in "/var/www" I decided to keep public git repos in "/var/git" (as you might notice from the example repo below). Here are only the most relevant parts. Pay attention to the virtual-root which, together with the above rewrite line, fixes the cgit cache - otherwise it would constantly serve one and the same page.

# URL used as root for all cgit links
#   - fixes caching with the above rewrite
virtual-root=/

# Specify some default clone prefixes
#   - repos are served only trough http
clone-prefix=http://git.sysphere.org

# Specify the css url
css=/cgit.css

# Use a custom logo
logo=http://sysphere.org/images/cgit.png

# Set a custom footer message instead of default "generated by..."
footer=footer.html

## List of repositories
repo.url=myproject
repo.path=/var/git/myproject.git
repo.desc=my project that does something interesting
repo.owner=user
repo.readme=README.html

Serving it this way, beside the cache problem, had other quirks. The png logo cgit tried to serve as yet another repo. I had to link to it directly. The css file on the other hand was OK, custom footer too.


Since I'm talking about git again I'll add a few notes on top of my previous article about it. For years I've been sharing my dotfiles trough a simple directory index, the most popular of them I would convert to HTML. I was getting tired of the whole process (even though Emacs makes it a bit easier with htmlize and scpaste), and now that I'm keeping my dotfiles in git anyway I decided to make that repo public too.

If you read my previous article it is evident that my dotfiles repo could be full of sensitive information, for example a lot of dotfiles contain passwords these days. Once you get that information in there, and publish it (i.e. by mistake) it is hard to get it out. I thought about it for a few days and tried a few approaches. Maybe it would be best to strip all sensitive information and keep a separate repo. But that would require twice as much work, provided I was willing to stay on top of it.

Long story short, I eventually created a new branch called public in my dotfiles.git repo. I push only the public branch to the server and of course I'm careful that it stays clean of all sensitive data. When something changes in master, and it's worth publishing, I only cherry-pick specific commits.