How To Set Up a git Server on Amazon EC2

Posted on Wed 09 December 2020 in Tech Blog

This article describes how I set up a git server on an Amazon Linux EC2 T3 instance. I used this article as a guide, adapting a few things to the EC2 environment along the way.

Note: This article assumes you have git installed on your EC2 Linux server. If not, install it with sudo yum install git.

Note 2: Some steps from the article are modified to use full paths to commands, because a root shell obtained with sudo bash on an EC2 instance does not get the same PATH (for example /usr/sbin) that a root login shell via su would.

As explained in the article above, creating this form of git server has advantages for a smaller project repository:

  • The use of ssh public keys for each authorized user allows a form of access control. If someone leaves the project, the admin just deletes their key. Adding a user is just as easy.

  • The use of git-shell in stock form means that anyone connecting as gituser gets no command shell on the server; only the git transport commands are accepted.

  • Implementing git hooks is easier. (I don't currently use them.)

  • Having all code saved in the repository as the same user makes for easy maintenance and backup.

This type of server is great for small groups of developers, but lacks a couple of things that sites like github have:

  • No web access to view, modify, or checkout code. No personal spaces, etc.

  • Managing large numbers of users would quickly become difficult because the admin must do all the work.

  • The admin must create the remote repositories.

For me, the improved security and ease of continued management are worth the time to set up. I had previously used SSH to work with remote repositories, but accessed them via the default ec2-user account. Providing separate accounts to maintain good security practices and roles is a good habit to have. Now that this is up and running, the advantages were immediately obvious.

Creating the git Server Configuration

First, we create a user called 'gituser', create the ssh configuration that user needs (sshd looks for the public keys of everyone allowed to log in as gituser in /home/gituser/.ssh/authorized_keys; known_hosts is the unrelated file that records other servers' host keys), then add the 'gituser' group to ec2-user's account for easy maintenance:

sudo bash

# Create gituser
/usr/sbin/adduser gituser

# Setup ssh. With the default StrictModes setting, sshd ignores
# authorized_keys unless it and the .ssh directory belong to the
# user and are not group- or world-writable, hence the modes below.
cd /home/gituser
mkdir .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
chmod 700 .ssh
chown -R gituser: .ssh/

# Add the gituser group account to ec2-user's groups:
/usr/sbin/usermod -a -G gituser ec2-user

exit

Log off, then log back in to the EC-2 instance so that the group change takes effect.

Next, set up gituser's repository directory. I chose /opt/gituser/Repos for a base path; the symlink in gituser's home lets users refer to repositories as Repos/name.git in their remote URLs.

sudo bash

mkdir -p /opt/gituser/Repos
chown -R gituser: /opt/gituser
chmod -R 770 /opt/gituser
cd /home/gituser
ln -s /opt/gituser/Repos

exit

Change gituser's shell from bash to git-shell. With no options, git-shell accepts only the three commands git runs over SSH (git-upload-pack, git-receive-pack and git-upload-archive), which is enough for clone, fetch, pull and push, and it refuses an interactive login. One caveat: if a directory named git-shell-commands exists in gituser's home, git-shell will offer the commands in it to interactive logins, so do not create one.

sudo /usr/sbin/usermod -s /usr/bin/git-shell gituser

The git server is ready!

Adding User Access to git Server

Before a user can access their repository via SSH, their ssh public key must be appended to gituser's authorized_keys file. Have your users get you the public key in a secure manner, and only ever the public half (the file ending in .pub, never the private key). The example below assumes you have a file called joes_key.pub, and have uploaded that file to the server via scp to ec2-user's home directory. Log in and:

sudo bash

# Make sure to use two '>' on the next line to append to the file!
cat joes_key.pub >> /home/gituser/.ssh/authorized_keys

exit

Removing User Access to the git Server

Removing access is done by editing gituser's authorized_keys file as root. To do that, find the public key of the user (the comment at the end of each line usually names its owner) and delete that line from the file. Here is one way to do it that should work:

sudo bash

cp /home/gituser/.ssh/authorized_keys gituser_authorized_keys
nano gituser_authorized_keys #remove the user's key now and save...
cat gituser_authorized_keys >/home/gituser/.ssh/authorized_keys

exit

A removed key stops working for new connections immediately; an SSH session that is already open is not cut off by the edit.
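Editing authorized_keys by hand, as in the two sections above, works but is easy to get wrong: a typo can silently disable a key, and deleting the wrong line locks out the wrong person. The script below is an added example for this article, not code from the original post. It adds a key with the restrict option so the key can only drive git-shell (no port, agent or X11 forwarding and no pty), refuses duplicates and malformed input, and removes keys by the owner tag it stored in the comment field. It assumes OpenSSH 7.2 or newer on the server (which understands restrict), single-word owner tags, and that AUTHKEYS may be overridden in the environment for a dry run; the keys in the demo are constructed placeholders, not real key material.

```shell
#!/usr/bin/env bash
# Added example for this article (not code from the original post): manage
# the keys in gituser's authorized_keys file from the command line instead
# of editing it by hand. Every key is stored with the "restrict" option, so
# a compromised developer key can only talk to git-shell, not open tunnels
# or request a pty. Assumptions not stated in the article:
#   - OpenSSH 7.2 or newer on the server (it understands "restrict").
#   - the OWNER tag is a single word; it becomes the comment field of the
#     stored line and is how the key is found again for removal.
#   - AUTHKEYS may be overridden in the environment, e.g. for a dry run.
set -u

AUTHKEYS="${AUTHKEYS:-/home/gituser/.ssh/authorized_keys}"
KEY_OPTIONS="restrict"   # no port/agent/X11 forwarding, no pty, no user rc

# valid_pubkey_line LINE: succeed if LINE is one OpenSSH public key
# (key type, base64 blob, optional comment) as written by ssh-keygen.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# add_git_key OWNER KEYFILE: append the key in KEYFILE to AUTHKEYS,
# prefixed with KEY_OPTIONS and tagged with OWNER. Refuses malformed
# input and key material that is already present.
add_git_key() {
    local owner="$1" keyfile="$2" line type blob
    line="$(head -n 1 "$keyfile")"
    if ! valid_pubkey_line "$line"; then
        echo "error: $keyfile does not contain an OpenSSH public key" >&2
        return 1
    fi
    type="${line%% *}"
    blob="$(printf '%s\n' "$line" | cut -d' ' -f2)"
    # Compare whole fields so an old-style line without options still matches.
    if [ -f "$AUTHKEYS" ] && awk -v b="$blob" \
        '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 } END { exit !found }' "$AUTHKEYS"; then
        echo "error: that key is already in $AUTHKEYS" >&2
        return 1
    fi
    # umask in a subshell: a freshly created file comes out 0600, which sshd accepts.
    ( umask 077; printf '%s %s %s %s\n' "$KEY_OPTIONS" "$type" "$blob" "$owner" >> "$AUTHKEYS" )
}

# remove_git_key OWNER: drop every line whose comment field is exactly
# OWNER. The new file is built beside the old one and moved into place,
# so an interrupted run never leaves a half-written authorized_keys.
remove_git_key() {
    local owner="$1" tmp before after
    if [ ! -f "$AUTHKEYS" ]; then
        echo "error: $AUTHKEYS does not exist" >&2
        return 1
    fi
    tmp="$(mktemp "$AUTHKEYS.XXXXXX")"
    awk -v o="$owner" '$NF != o' "$AUTHKEYS" > "$tmp"
    before=$(wc -l < "$AUTHKEYS")
    after=$(wc -l < "$tmp")
    if [ "$before" -eq "$after" ]; then
        rm -f "$tmp"
        echo "error: no key tagged '$owner' in $AUTHKEYS" >&2
        return 1
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$AUTHKEYS"
}

# Stand-alone demo on a throwaway file:  bash git-keys.sh --demo
# The key below is a constructed placeholder, not real key material.
if [ "${1:-}" = "--demo" ]; then
    demo_dir="$(mktemp -d)"
    AUTHKEYS="$demo_dir/authorized_keys"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey joe@laptop\n' \
        > "$demo_dir/joes_key.pub"
    add_git_key joe "$demo_dir/joes_key.pub" && cat "$AUTHKEYS"
    remove_git_key joe && echo "removed joe, $(wc -l < "$AUTHKEYS") key(s) left"
    rm -rf "$demo_dir"
fi
```

Run it as root via sudo bash, as the article does (for example, source it and call add_git_key joe joes_key.pub). The rewritten file is owned by whoever ran the removal; sshd accepts an authorized_keys owned by either root or the user, as long as it is not group- or world-writable. If a key must later be allowed something restrict forbids, OpenSSH lets individual permissions be re-enabled after it (for example restrict,pty), but a git-only account should not need that.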

Creating a new bare repository in '/opt/gituser/Repos'

It is as easy as:

sudo bash

# replace new-repos.git with your repos name below.
git init --bare /opt/gituser/Repos/new-repos.git
chown -R gituser: /opt/gituser/Repos/new-repos.git
chmod -R 770 /opt/gituser/Repos/new-repos.git

exit

Optional: Backup the gituser repositories to Amazon S3

Since ec2-user has group access to the repository tree, backups to S3 can be made with a bash script if the aws tools are installed and configured. Once you have a script working the way you want it to, use crontab to run it automatically.

Here is a sample script named ReposBackup.sh derived from one I use. Feel free to modify it any way you like.

#!/bin/bash

# Script to backup Repos folder to S3 storage.
# Create folder $HOME/logs before using!

PATH=$PATH:/usr/local/bin:$HOME/bin

REPOSBUCKET=s3://my-repository-backup-bucket # Change this to the name of your S3 bucket.
REPOSPATH=/opt/gituser/Repos                 # repository location
TLOG=/tmp/$(basename "$0" .sh).$$            # temporary logfile location
LOGFILE=$HOME/logs/ReposBackup.log           # log file (entries appended)
ARCHFILE=/tmp/ReposBackup-$(date +'%m-%d-%Y_%H%M%S').tgz

cd "$HOME" || exit 1

# Redirect all output (stdout and stderr) to the temporary log file.
exec >>"$TLOG" 2>&1

# Write the log header entry.
echo "$(date) - Starting script: ReposBackup.sh"

echo "Archiving Repositories:"
find "$REPOSPATH" -type d -iname "*.git" | while read -r X; do
    echo "    - $X"
done
echo "        into file $ARCHFILE"
tar -czf "$ARCHFILE" "$REPOSPATH"

# No eval needed: the quoted variables expand to a plain argument list.
# Keep the archive on disk if the upload fails, so nothing is lost silently.
if aws s3 cp "$ARCHFILE" "$REPOSBUCKET/"; then
    rm -f "$ARCHFILE"
else
    echo "Upload failed; archive left in $ARCHFILE"
fi

# Write the log ending entry.
echo "$(date) - Finished script: ReposBackup.sh"
echo -n "****************************************"
echo "***************************************"

# Strip the carriage-return progress updates aws printed before saving the log.
sed -e 's/\(.*\r\)//g;' <"$TLOG" >> "$LOGFILE"
rm -f "$TLOG"

exit 0

Until next time,

Duane