Secure, Private, Local Gitorious

I want to have a local Gitorious installation that cannot be accessed outside of my local network, and is as secure and private as possible. The repos will be holding code I need kept private and secure in case of hacking or theft.

I’m not an expert with Linux, and certainly not an expert with git/gitorious, so any tips for improving my installation described below would be most helpful!

I have:

    • Installed Gitorious on a local machine running Ubuntu Server 11.04 64-bit, with an encrypted LVM.
    • Used this guide for Gitorious installation, if anyone is curious.
    • Modified Gitorious to support local IPs as hostnames.
    • In gitorious.yml:
      • host fields are a local IP (e.g. 192.168.xxx.xxx)
      • public_mode: false
      • only_site_admins_can_create_profiles: true
      • hide_http_clone_urls: true
    • git-daemon was installed, but is now removed.
    • No ports forwarded by internet facing router to machine.

    Both git:// based and http:// based requests would normally allow open cloning of repos. Removing git-daemon and setting hide_http_clone_urls to false seems to have disabled both. They both deliver errors now when I attempt to clone.

    With an encrypted LVM the machine is secure in case of physical theft. Also, all cloned repos on other machines are kept on encrypted drives as well. I used a custom script on the encrypted LVM that fills the hard drive with porn in case of too many failed attempts.

    My current concerns:

    • Is repo access through git:// and http:// fully disabled?
    • Are all avenues of repo access secured behind ssh now?
    • Is there a way to block all requests to the machine that don’t originate from within the local network, in case my router gets angry and seeks revenge against me?
    • Anything more I can do to encrypt or protect the repos in case something goes wrong?
    • How do I back up Gitorious’s data? Just back up the MySQL database and repos directory?

    Thank you.

One solution collected from the web for “Secure, Private, Local Gitorious”

    If your git-daemon is not running, then there is no git:// access.
    hide_http_clone_urls does not disable http; it just does not show the link. To protect it from unauthorized access, you might want to block all access to git.yourdomain.com in Apache/nginx.

    You can take a look at my Debian package, which has many default configurations, better than the documentation available on the internet:

    https://gitorious.org/gitorious-for-debian/gitorious/

    The base folder is where all the configurations are stored, like the Apache configs and others. There are also the shell scripts that make default users and other things; just explore the source tree.

    Being more specific about the Apache config, take a look here: https://gitorious.org/gitorious-for-debian/gitorious/blobs/master/base/debian/etc/apache2/sites-available/gitorious

    If, for example, you don’t add the git.yourserver.com alias, then no one should be able to git clone from http.

    You might also want to watch and support the private repositories feature that is planned, which will provide real, safe control of who can see what.

    Also, for the question about ssh, I can say that, yes, it’s safe and will only give access to those who have a public key registered on your Gitorious installation.

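    About the requests question, you could take a look at Apache allow/deny rules, where you can create something like:

    # Apache 2.2 (mod_authz_host) syntax; goes inside a <Directory> or <Location> block
    Order deny,allow
    Deny from All
    Allow from 192.168.0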

    For backup, you have to back up your repository folder and MySQL databases.
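
An added example, not from the original post or the Gitorious project: a small Python model of how Apache 2.2 evaluates `Order`/`Deny`/`Allow`, run over the rule from the answer to show which client addresses it admits. The client addresses are constructed samples, domain-name specs are not modeled, and `Order deny,allow` is assumed as the default order.

```python
import ipaddress

# Rule from the answer, as (directive, spec) pairs.
ANSWER_RULES = [("deny", "all"), ("allow", "192.168.0")]
# Constructed sample clients: same /24, a neighbouring 192.168.x subnet, external.
SAMPLE_CLIENTS = ["192.168.0.15", "192.168.1.20", "203.0.113.7"]


def host_matches(spec, client_ip):
    """True if an Allow/Deny 'from' spec covers client_ip (IPv4 only)."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:  # CIDR or network/netmask form, e.g. 192.168.0.0/24
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in net
    # Full or partial IP: whole leading octets must be equal, so
    # "192.168.0" covers 192.168.0.x but not 192.168.1.x.
    want = spec.rstrip(".").split(".")
    return client_ip.split(".")[:len(want)] == want


def is_allowed(rules, client_ip, order="deny,allow"):
    """Apply Apache 2.2 Order semantics to a list of (directive, spec) rules."""
    hit_allow = any(d == "allow" and host_matches(s, client_ip) for d, s in rules)
    hit_deny = any(d == "deny" and host_matches(s, client_ip) for d, s in rules)
    if order == "deny,allow":
        # Default is allow; a matching Allow overrides a matching Deny.
        return hit_allow or not hit_deny
    if order == "allow,deny":
        # Default is deny; a matching Deny overrides a matching Allow.
        return hit_allow and not hit_deny
    raise ValueError("unknown Order: %r" % order)


def audit(rules, clients, order="deny,allow"):
    """Map each client address to the access decision for it."""
    return {ip: is_allowed(rules, ip, order) for ip in clients}


if __name__ == "__main__":
    for order in ("deny,allow", "allow,deny"):
        print("Order", order)
        for ip, ok in audit(ANSWER_RULES, SAMPLE_CLIENTS, order).items():
            print("  %-15s %s" % (ip, "allowed" if ok else "denied"))
```

Under `Order allow,deny` the same two lines refuse every client, including the LAN ones, and `Allow from 192.168.0` covers only the 192.168.0.x subnet, so the prefix has to match the network the clients are actually on. These rules only govern HTTP requests handled by Apache; ssh access is not affected by them.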
