
How to Host Your Own Private Git Repositories - eklitzke
https://eklitzke.org/how-to-how-your-own-private-git-repositories
======
peterkelly
For those who aren't aware, Git is actually a fully decentralised system. It
doesn't _require_ a central server as such - though most teams use one, as
it's a convenient setup for most projects.

Even if you are hosting on github/bitbucket/et. al. though, that repository is
just one of many equals. You can push and pull from multiple peers as long as
you have access set up appropriately.

I recommend the chapter on distributed workflows in Pro Git:

[https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows](https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows)

There's also an explanation of the different supported protocols here:

[https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols](https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols)

~~~
maccard
> Even if you are hosting on github/bitbucket/et. al.

Normally if you're hosting on one of those sites, you're using other features
(wiki/issues), which may _not_ be decentralised

------
spapas82
Gitlab can also be run on your own server. It actually has an enterprise and
an open source version. We have used the open source one for a couple of years
and it is really great - I recommend it with all my heart.

It has great instructions for installing directly from source and you don't
really need to be familiar with ruby to install it. It requires some standard
components (web server, database) which should exist on all servers and then
you follow the instructions and presto! You have your own gitlab!! It also has
great upgrade instructions so you can always be up-to-date.

I know gitlab can also be used through the cloud version (and it even has free
private repos) however some organizations feel better if the source code of
their projects stay inside the organization.

~~~
treve
Gitlab is massive though. I think it's a great solution for teams on dedicated
hardware, but if you need something quick, low-maintenance and lightweight
Gitlab might be a bit overkill.

~~~
kewleus
You can't get much quicker or low maintenance than gitlab, though it is
definitely not lightweight.

~~~
Mo3
Gogs? Gitolite?

~~~
matt_kantor
Or just plain git, as in TFA.

------
uiri
This is a good setup if you are the only one accessing the repo.

If you need something a little bit more complex, I would highly recommend
gitolite for managing repositories & users. Configuration is done via some
INI/TOML-like files in a git repo. User public keys are stored in the same
repo.

~~~
fizixer
What about Gitlab? Isn't that more popular than gitolite?

~~~
uiri
My impression is that GitLab is a web application. It does not really serve
the same use case. Web access is good for open source projects where people
may want to read the source without downloading the full repo. In the case of
private projects, chances are that everyone involved will want to clone the
whole repo anyways.

~~~
mgbmtl
I don't mean to be pedantic, but Gitlab helps to host your own private git
repos, which fits the title of the article. The article goes further, giving
an example of how you can do some bare metal git hosting on a lightweight VM.

It's the same as running postfix/dovecot for configuring your own mail server
(which could run on a lightweight VM), or using a turnkey solution such as
Zimbra (which will include spam/virus filters, LDAP, calendars and much more).

Depends on your organisation: how often do you create accounts? who can do the
sysadmin work? etc. I'm happy to sit back and let managers handle account
management, and to be able to put Gitlab/Zimbra on a job description if we
need to hire someone.

------
falava
I've been using Gogs happily for two years:

[https://gogs.io/docs/installation](https://gogs.io/docs/installation)

~~~
zzalpha
Eh. The method described in this post (ie bare repositories on a filesystem
and ssh transport) is perfectly sufficient for my personal use if I'm hosting.
The minute there's a MySQL dependency I'm a hard pass...

I buy the need for the gitlabs of the world when multiple users show up, if
only because managing credentials is a pain. But for single user use cases I
wouldn't waste my time.

~~~
oldrny
The instructions say that you can just use SQLite, though.

"Based on your choice, install one of supported databases or _skip this step_"

------
Symbiote
Assuming you already have files in your home directory on the server backed
up, and SSH access, then a repository for a single user is as simple as

    
    
      mkdir project.git; cd project.git
      git init --bare
    

And to clone

    git clone user@example.com:project.git

------
md_
"Doing this is cheaper than paying GitHub, and it will give you the
satisfaction of being a True Hacker."

Or I could work on problems that really matter and leave the sysadmin job to
someone who gets paid to do it. ;)

More seriously, when I was in college, I spent a lot of time doing things like
running my own mailserver, selfhosting various projects, etc. I learned a lot.
But in the Real World, I don't want to be responsible for more than I have to
be; off the shelf products are just better for me, most of the time.

The fact that Bitbucket and Github will pay a guy to run a git server for me
is amazing (even if it is evidence of some sort of irrational enthusiasm on
part of VC firms). Why would I not want to take advantage?

~~~
hamburglar
Except running a git server is little more than having a place to store a git
repo and giving ssh access to it. There's really no maintenance if you already
have the server. What github et al provide isn't repo hosting so much as fancy
UI tools on top of that.

Edit: seriously, I wonder how many people who just automatically go to github
have ever bothered to try the simple act of creating a git remote on a file
server on their own network, or even just to a different host. It's really
easy, and it really underscores how _simple_ it is to have your repo
distributed without any 3rd party infrastructure. Once you see that, you see
that putting a copy on a shell account on your hosted VM is dirt simple and
requires almost no administrative burden.

~~~
ethomson
On the contrary, there's a ton of maintenance, and the hosting providers like
GitHub and Microsoft pay teams of people to deal with the infrastructure.
(I've worked on both.) This involves not just the physical infrastructure like
the servers, though of course there's that, but also maintaining the bits on
disk. Your repository will get duplicated across multiple disks on multiple
machines, perhaps in different availability zones, and then of course they're
backed up to yet another location.

So what companies like GitHub and Microsoft provide is - yes - the fancy tools
on top but also teams of professionals ensuring that your repositories are
available quickly.

~~~
HelloNurse
GitHub etc. need "a ton of maintenance" because of the "fancy tools", which
are an unusually complex and sophisticated constantly evolving web application
with many users.

A private source repository is far less demanding: it's almost never upgraded,
and for system administrators it's just another server to keep running and
another file system to back up.

~~~
ethomson
I'm not talking about the fancy tools. I'm talking about just serving Git
repositories, not about web applications.

GitHub is distributing your Git repository across multiple servers in multiple
racks in real time for reliability and availability and is the world's largest
Git repository hosting provider. Some nice conference talks discuss this, like
from Git Merge:
[https://www.youtube.com/watch?v=f7ecUqHxD7o](https://www.youtube.com/watch?v=f7ecUqHxD7o)
and GitHub Universe:
[https://www.youtube.com/watch?v=DY0yNRNkYb0](https://www.youtube.com/watch?v=DY0yNRNkYb0)

Visual Studio Team Services is hosting your Git repository across Azure, and
is hosting the world's largest Git repositories.
[https://arstechnica.co.uk/information-technology/2017/02/microsoft-hosts-the-windows-source-in-a-monstrous-300gb-git-repository/](https://arstechnica.co.uk/information-technology/2017/02/microsoft-hosts-the-windows-source-in-a-monstrous-300gb-git-repository/)

I have my own Git server as well, and I agree that its maintenance isn't very
demanding. But I'm not putting production bits on it. My open source
repositories go to GitHub and my private repositories go to VSTS - they're
providing a level of service that I simply can't match by myself.

~~~
hamburglar
I'm not talking about putting production bits on my own git server, either.
I'm talking about how easy it is to create a couple of personal remotes just
as a second and third copy of whatever I happen to be working on on my laptop.
One goes to my NAS and one goes to my rackspace VM that I keep around for
random projects.

I have github and bitbucket accounts, but for little projects, I much prefer
the simplicity of effectively just having dupes of my repos on other machines
of mine. And it's really nice that the way I interact with them is precisely
the way I'd interact with github or repositories at work, despite the fact
that they're just directories sitting behind an ssh connection.

------
midnitewarrior
Why do this when [http://bitbucket.com](http://bitbucket.com) will host
private git repos for free? They also have Large File Storage implemented
as well.

I use GitHub client using BitBucket for repo hosting with LFS and it works
great, no need to host anything.

~~~
RandomOpinion
> _Why do this when [http://bitbucket.com](http://bitbucket.com) will host
> private git repos for free?_

Because you never know when one of these online services will suffer an
outage, suffer a security breach that leaks your private repos or email &
credentials, or even lose your data entirely. The fact that the service is
free doesn't mean that it doesn't come without potential issues.

~~~
dbg31415
But... you are using another online service to host the service yourself, no?
And presumably they are also throwing in backups and redundancy of some
sort... certainly it would take you a minute to set those things up, test
them, monitor they are working... And isn't GitHub basically like everyone's
resume these days?

I don't know... at some point you sort of just have to trust someone... be it
the hosting provider, or the service provider. And I'm old... but I've had to
untangle issues with CVS / VSS / SVN / etc... over the years I don't want
anything to do with that crap -- if I can punt it to someone else to manage
I'm OK paying some tiny subscription fee.

I think there's been one day in the last ~10 years when I couldn't use GitHub.
To me that seems worth the $20 a month, or whatever they charge now.

~~~
Jach
It's especially sad because git is distributed and every time there's a GitHub
outage I hear online some teams are blocked for the day. But everyone has the
whole repo. You're not screwed like if your SVN or Perforce server goes down.
Anyone could become the new "remote to push to / pull from" until the outage
is resolved, or you could set up one of these bare repos somewhere pretty
quick. When the outage is resolved someone just pushes to the original and
you're all fine.

~~~
taneq
This is what happens when people cargo-cult git because it's what the cool
kids are doing, instead of actually making an informed choice.

~~~
stephenr
S/git/GitHub/

Fixed that for you.

~~~
taneq
Well, that too, but the issue here (thinking that a central repo being offline
means you can't use your decentralized version control system) shows that they
don't understand git in any form.

~~~
stephenr
I think it's honestly that some people think Git === GitHub, or that GitHub
has some magic secret sauce that makes things work.

------
philsnow
If you don't need code review and don't mind a hosted solution, you can get by
with the AWS free tier and use IAM for all your access control.

    AWS CodeCommit:
    5 active users per month
    50 GB-month of storage per month
    10,000 Git requests per month
    Does not expire at the end of your 12 month AWS Free Tier term.

[https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/](https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/)

------
sandGorgon
Very interesting benchmark of gitbucket vs gitea vs gitlab on a raspberry pi
;)

[https://gitbucket.github.io/gitbucket-news/gitbucket/2017/03/29/benchmark-of-gitbucket.html](https://gitbucket.github.io/gitbucket-news/gitbucket/2017/03/29/benchmark-of-gitbucket.html)

------
sigil
Security question. Can `git-shell` restrict users to their remote home
directory? Or if you give me a git shell, can I still do things like
`git clone me@example.com:/home/you/secret-sauce`?

This is only an issue if you're sharing the box and/or remote repositories
with other people. For shared remote repositories I've been using the
following setup:

1. Create a bare, shared repository at `/var/git/foo`. Configure unix group
permissions and the directory setuid bit on it.

2. Give alice access via a `/home/alice/foo -> /var/git/foo` symlink.

3. Set alice's shell to a patched version of the git shell I call
`git-home-shell` that sanitizes the repository path argument and makes it
relative to her home dir.

Is there a better way these days?
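
An added sketch of the path confinement described for `git-home-shell` above (not sigil's patch and not part of git): a wrapper that accepts only the git transport services and rebases the repository argument under a base directory. The function name, the `--serve` flag and the character allowlist are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confine git-over-SSH requests to one base directory.
# rewrite_request and the --serve flag are hypothetical names.

# Takes the base directory and the client's request, which git sends as
#   git-upload-pack 'path'   (also git-receive-pack, git-upload-archive).
# Prints the request with the path rebased under the base directory, or
# returns 1 without output when the request must be refused.
rewrite_request() {
    base=$1
    req=$2
    # Only the git transport services, with one single-quoted argument.
    case $req in
        "git-upload-pack '"*"'")    service=git-upload-pack ;;
        "git-receive-pack '"*"'")   service=git-receive-pack ;;
        "git-upload-archive '"*"'") service=git-upload-archive ;;
        *) return 1 ;;
    esac
    path=${req#"$service '"}
    path=${path%"'"}
    # Treat "~/x" and "/x" as "x": every path becomes relative to the base.
    path=${path#"~/"}
    while [ "${path#/}" != "$path" ]; do path=${path#/}; done
    # Allowlist of characters (assumption); this also rejects embedded
    # quotes, whitespace and control characters.
    case $path in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    # No parent-directory components, so the result stays under the base.
    case "/$path/" in
        */../*) return 1 ;;
    esac
    printf "%s '%s/%s'\n" "$service" "$base" "$path"
}

# Symlinks placed under the base by the administrator (as in step 2 above)
# are still followed; the check is lexical on purpose.
# Forced-command entry point, e.g. command="/path/to/this-script --serve"
# in authorized_keys (placeholder path).
if [ "${1:-}" = "--serve" ]; then
    cmd=$(rewrite_request "$HOME" "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "request refused" >&2
        exit 1
    }
    exec git-shell -c "$cmd"
fi
```

With `command=` in `authorized_keys`, sshd runs the wrapper through the account's login shell, so that shell has to be a regular one; the wrapper then hands the validated request to `git-shell`.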

~~~
Symbiote
Why not just set standard file permissions (owner and group)?

You could create a group for each repository, and add and remove members as
necessary.

~~~
sigil
This is precisely what I do.

But, I'd prefer it if git-shell didn't let users probe and read git
repositories at any absolute path on the remote end. That's not great behavior
for a restricted shell.

~~~
stephenr
Remove the 'others' read/execute permission from user home directories.

~~~
sigil
Sure, but there might be git repos sitting around elsewhere. Why risk exposing
a git repo literally anywhere in the filesystem to a restricted shell account?

~~~
stephenr
Then use a chroot.

~~~
sigil
You could do that, but that means for a shared repo and N git shell accounts
you've got N chroots, presumably using null or bind mounts.

That's a lot more work than a restricted shell which just...restricts.

~~~
stephenr
True, it all depends what your requirements are.

Personally I'd just designate a path for shared repos (e.g.
/srv/vcs/<project>{.git,.hg} etc), give people write access using ACLs and
group membership. If they create repos in their home directories, that's their
business.

------
znpy
Quick note: what this article doesn't explicitly say is that as long as you
have a shell account somewhere with a decent amount of disk space, you can
host or mirror all the repositories you want.

If I may make a suggestion, I'd recommend the Super Dimensional Fortress
Public Access UNIX System ([https://sdf.org/](https://sdf.org/)).

They're NetBSD-based if I remember correctly, and for a low fee (36$/lifetime
ARPA membership + 9$/quarter) you can host most of the things you would like
to host.

And you don't have to do system maintenance.

~~~
voltagex_
I thought the ARPA membership was yearly?

------
exceptione
Why self-host your repo but store backups without encryption at google or
amazon? If you want it to be private, just make it so.

edit: thanks anyway for your version!

~~~
Filligree
Privacy isn't binary, and there's a large difference between "Amazon could
_potentially_ read this, but they'd be breaking their own ToS and some laws to
do so" and "Public on the internet".

~~~
exceptione
But what is the difference with BitBucket then?

Besides, if you worry that state actors are interested in your source code, I
do not see how Amazon being law-abiding would be of any help here..

------
agateau
I do self-host a few repositories as well, but I do not set up a separate
user: I just create a git/ dir in the home dir of the account I want to host
the repositories on and put the repositories there.

To simplify the initial setup, I created a handy shell script, reposetup [1].
It makes to create repositories, push to them and remind me their urls.

[1]:
[https://github.com/agateau/reposetup](https://github.com/agateau/reposetup)

------
alpb
If you’re using Google Cloud, you can already use Google Cloud Source
Repositories. [https://cloud.google.com/source-repositories/](https://cloud.google.com/source-repositories/) It supports git
and the Beta release of Cloud Source Repositories provides free hosting of up
to 1GB of storage.

~~~
amalag
Yup and it can mirror Bitbucket which is also free. So you can just create it
in Bitbucket and get free backups via Google.

------
_cbdev
As others have already stated, this article is a great introduction for when
you'll be the only one to access the repositories, as anyone able to
authenticate for that account will have access to all repos.

There are some tools that restrict access with varying levels of granularity,
but if you just want to restrict access on a per-repo-per-sshkey basis, one of
my projects is a simple shell script that does just that:

[https://github.com/cbdevnet/fugit](https://github.com/cbdevnet/fugit)

It originally came to be because I've found gitolite too big to maintain for
simply sharing some repositories with a few other people. It has since served
me well and is used in some business applications, too.

------
RangerScience
Does anyone know of a good AMI or Docker container that's got all this already
set up, as far as it's possible?

(I know it doesn't look complicated, but if there's a decent "standard"
already out there...)

~~~
Karunamon
Gitlab has their own docker images, and it includes pretty much anything you
could ever want out of a git service.

[https://hub.docker.com/r/gitlab/gitlab-ce/](https://hub.docker.com/r/gitlab/gitlab-ce/)

------
jis
[http://gitblit.com/](http://gitblit.com/) is also worth looking into. It is
more sophisticated than gitolite (which I also use) and less hairy than
gitlab. It is Java based, but doesn't require a database.

Also, for backup, rather than tar up the ".git" directory, I use "git bundle
create <backupfilename> --all" which creates a flat file with all branches
included. This file can then be uploaded to GCS or S3.

------
gravypod
If you want something light weight and "run and done" then check out GitBucket
[0]. You only need the JVM & git installed. When you run the program it sets
everything up. Very easy, clean interface, and simple to back up (I just
snapshot the entire folder).

[0] -
[https://github.com/gitbucket/gitbucket](https://github.com/gitbucket/gitbucket)

------
tlarkworthy
Just do it in google drive or dropbox, get backups for free.

[https://stackoverflow.com/questions/1960799/using-git-and-dropbox-together-effectively/1961515#1961515](https://stackoverflow.com/questions/1960799/using-git-and-dropbox-together-effectively/1961515#1961515)

------
RAWRfftfftfft
Has anyone had any experience in getting Passbolt
([https://github.com/passbolt](https://github.com/passbolt)) working for
authentication with Git?

------
reza_n
I do this often. One thing, if you want to have multiple users all working on
the same repo, which I believe is a common use case, you have to take group
permissions and umask into account. Works really nice.
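
One way to handle the group permissions and umask mentioned above, with one Unix group per repository as suggested earlier in the thread. This is an added example, not code from any commenter; the two function names are hypothetical, and the group passed in is assumed to exist already.

```shell
#!/bin/sh
# Added example: a bare repository shared by one Unix group, plus an audit.
# create_shared_repo and audit_shared_repo are hypothetical helper names.

# --shared=0660 makes git set core.sharedRepository, so objects written by
# any member come out group-writable whatever that member's umask is, and
# "others" get no access (--shared=group would keep the umask's other bits).
create_shared_repo() {
    repo=$1
    group=$2
    git init --quiet --bare --shared=0660 "$repo" &&
    chgrp -R "$group" "$repo" &&
    # setgid on directories: files created inside inherit the repo's group.
    find "$repo" -type d -exec chmod 2770 {} +
}

# Print every path that breaks the model; return 1 if any were found.
audit_shared_repo() {
    repo=$1
    findings=$(
        # Directories need setgid plus rwx for owner and group.
        find "$repo" -type d ! -perm -2770 -print |
            sed 's/^/dir-lacks-setgid-or-group-rwx: /'
        # Nothing may carry read, write or execute for "others".
        find "$repo" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/world-accessible: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Running `audit_shared_repo` from cron on each shared repository catches a directory that lost its setgid bit or a file pushed through an account with a loose umask before it turns into a failed push or an unintended reader.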

------
arunc
Kallithea is good enough for this use case. We are using it in a 15 member
team, without any issue.

------
yeukhon
Anyone use AWS's CodeCommit as a mirror for your GitHub repository?

------
dreamcompiler
What this article doesn't cover is how to set up the things that make Github
so useful like issue tracking and pull requests. Github (and similar services
like bitbucket) are more than just Git.

------
lighttower
pip install git-remote-dropbox

Is a git extension to allow a Dropbox to be used as your remote. Works from
the CLI. Been using it for two years.

------
newsat13
Mmm. Just use GitLab/Gogs on cloudron?

------
mwfogleman
I use Gogs and a self-hosted sandstorm.io.

~~~
educar
The gogs package is ancient. I would be very careful of running outdated stuff,
much less recommending it to others.

------
marcinkuzminski
RhodeCode is a good option for hosting, it has an advanced permission system,
streaming push support and it scales well.

~~~
hathawsh
Thanks for the pointer. Your service looks interesting!

A little advice: it's probably best to post a disclaimer that you are the
founder of RhodeCode whenever you post about it on HN. OTOH, you get credit
for including that info in your HN profile.

