Knowledge Base (Posts about selfhosting)

Trying owntracks to track my mobile devices

bgstack15 — Tue, 11 Nov 2025 13:40:00 GMT

I was reading some discussion on Hacker News and the fine folks there mentioned Dawarich, a self-hostable server for managing your location data. I got interested in this sort of thing. I've never really used stuff like this before for myself, even from the big names. I use Google Maps for navigation, but not for showing myself my location history. I'm sure the setting for "do not record my location" merely turns off my ability to look it up; I'm sure Google still knows exactly where my mobile device has been (that is not the same as where I have been) across all of time.

But F-Droid didn't have the Dawarich app, but it had the app for owntracks, a similar tool.

Stackrpms installation of owntracks

This application is for tracking my location history on my own infrastructure.

Goals

I want to be able to view my location history. In the past, I used Google Maps location history to find where I had stayed on a particular vacation. I want to be able to do this sort of auditing without depending on external vendors.

Setup

This application is installed in docker on server4.

sudo useradd owntracks
sudo usermod -a -G docker owntracks
sudo su - owntracks
mkdir -p compose ; cd compose

I established file docker-compose.yml and config.js. I just picked random ports available, including server4:8083 for recorder, and server4:8085 for frontend.

On server3, set up custom apache httpd config owntracks.cnf which is an adaptation of [Reference #5][5]. Adapt local_mirror.conf to include this for VirtualHosts 443 (internal https) and 444 (external https).

Establish new password repository. Use password scheme 3j.

# as root@server3
htpasswd -c .owntracks device5
htpasswd -c .owntracks device4

Added a port in the firewall on server4.

sudo firewall-cmd --add-port=8083/tcp
sudo firewall-cmd --add-port=8085/tcp
sudo firewall-cmd --add-port=1883/tcp
sudo firewall-cmd --add-port=8883/tcp

I established the container mosquitto, which uses its own TLS cert. The openssl req needed to be run on a newer system where parameter -addext can be used. I ran the ipa cert-request from server4 which owns the service we add here.

openssl genpkey -algorithm RSA -out https-server4.ipa.internal.com.key
openssl req -new -key https-server4.ipa.internal.com.key -subj "/O=IPA.INTERNAL.COM/CN=server4.ipa.internal.com" -addext "subjectAltName = DNS:server4.ipa.internal.com,DNS:www.example.com" -out https-server4.ipa.internal.com.csr
ipa service-add --force HTTP/server4.ipa.internal.com
ipa cert-request --principal=HTTP/server4.ipa.internal.com https-server4.ipa.internal.com.csr --certificate-out=https-server4.ipa.internal.com.pem

I configured the main router to forward port 8883/tcp to server4:8883. There might be a way to use an apache httpd reverse proxy for websockets to mqtt, but I have not investigated that.

To establish the mosquitto password database, use -c in the command, inside the container.

mosquitto_passwd -c /mosquitto/config/password_file recorder

The rest of the commands will omit -c.

The mosquitto config is in file mosquitto-conf/mosquitto.conf, and uses TLS.

Establishing useful contact info with cards

I want to be able to see pretty names/faces for "friends". https://owntracks.org/booklet/features/card/

I Used https://github.com/owntracks/recorder/raw/refs/heads/master/contrib/faces/image2card.sh from https://github.com/owntracks/recorder/blob/master/contrib/faces/image2card.sh to do this:

sh image2card.sh user1.jpg "user1" "na" > device5-device5.json
sh image2card.sh user2.png "user2" "nn" > device4-device4.json
sh image2card.sh user3.png "user3" "eo" > device2-device2.json

I prepared these so they are accessible for container mosquitto in /mosquitto/config/cards/, and then entered the container and ran these commands.

docker-compose exec mosquitto /bin/sh
mosquitto_pub -L 'mqtt://recorder:KEEPASS@localhost:1883/owntracks/device5/device5/info' -f /mosquitto/config/cards/device5-device5.json -r -q 2 -d

To remove/delete a card:

mosquitto_pub -L 'mqtt://recorder:KEEPASS@localhost:1883/owntracks/device5/device5/info' -n -r -d

Associated files

On server server4.

/home/owntracks/compose
- config.js, taken from official example https://github.com/owntracks/frontend/blob/main/public/config/config.example.js for frontend.
- docker-compose.yml, very simple combination of official compose example files for recorder (backend) and frontend.
- mosquitto-conf/password_file
- mosquitto-conf/mosquitto.conf
- mosquitto-conf/https-server4.ipa.internal.com.key
- mosquitto-conf/https-server4.ipa.internal.com.pem
- mosquitto-conf/ca-ipa.internal.com.pem
- mosquitto-conf/cards directory of custom .json files for "cards" that describe the various devices, and the script that loads them
  
  !/bin/sh
  
  cd "${1}" for word in *.json ; do echo "${word%%.json}" | while IFS='-' read a b ; do mosquitto_pub -L "mqtt://recorder:KEEPASS@localhost:1883/owntracks/${a}/${b}/info" -f "${word}" -r -q 2 -d ; done ; done

On server server3, the main web server.

/etc/httpd/conf.d/owntracks.cnf
/etc/httpd/conf.d/local_mirror.conf includes owntracks.cnf in virtualhosts 443 and 444.
/etc/httpd/.owntracks (or similar) for the credential.

Associated urls

http://server4.ipa.internal.com:8083 recorder. The main url for the apps includes virtual path /pub.
http://server4.ipa.internal.com:8085 frontend
https://www.example.com/owntracks reverse proxy to recorder.

Operations

Restarting the containers

Connect to owntracks@server4.

docker-compose pull ; docker-compose down ; docker-compose up -d

Adding a new device

Adding a device for MQTT auth

Connect to the mosquitto container and then modify the existing password file. The username will probably be the device name.

docker-compose exec mosquitto /bin/sh
mosquitto_passwd /mosquitto/config/password_file <username>
<password>

I am not sure if container mosquitto needs to be restarted to take effect.

Configure the client settings Connection.

Mode=MQTT
Host=www.example.com
Port=8883
Client ID=<device name>
Use Websockets=True
Device ID=<device name>
Tracker ID=?????
Username=<from password_file>
Password=<from password_file>
TLS=True

Make sure the android device trusts the CA cert, which is available at https://server3/internal/certs/ca-ipa.internal.com.crt

Adding a device for http auth

WARNING I think this might work, but it also might not work anymore now with MQTT usage.

I have decided to use a separate http credential for each device. Visit server3 and set up a new credential in the password file. This example shows adding device4.

sudo htpasswd -c /etc/httpd/.owntracks device4
<enter a password, probably "KEEPASS">

It is not necessary to reload the web server. Then configure OwnTracks on the new device to use this http endpoint.

URL=https://www.example.com/owntracks/pub
Device ID=device4
Tracker ID=<anything will do fine>
Username=device4
Password=<same as from htpasswd command>

Removing data about an old user/device combo.

To remove user "user" device "device5", run this command:

# on server4
sudo rm -rf /home/owntracks/compose/owntracks-recorder/store/last/user/device5

I am not sure if this removes info in the frontend for this user+device.

Viewing server app logs

docker-compose logs -f otrecorder mosquitto

Viewing location history

Visit http://server4:8085/ which is container frontend.

Re-adding the cards

A card is the pretty info about a device, such as user name and picture. These are hand-curated with a useful script (search image2card.sh in the install section), and after a container restart, you need to reload these.

docker-compose exec mosquitto /mosquitto/config/cards/import-cards /mosquitto/config/cards

References

Alternate reading

In case I want to experiment with using httpd to reverse-proxy MQTT or websockets.

https://www.rushworth.us/lisa/?p=358

proxy - Mosquitto + Apache - Super User

<VirtualHost *:1883>
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass /mqtt ws://$Broker-IP:$Broker-Port
        ProxyPassReverse /mqtt ws://$Broker-IP:$Broker-Port
</VirtualHost>

n8n apache2 reverse proxy fix websockets – 🔐 Karlo Luiten

<IfModule mod_ssl.c>
<VirtualHost *:443>
    SSLEngine off
    ServerAdmin webmaster@karloluiten.nl
    ServerName n8n.karloluiten.nl
    DocumentRoot "/var/www/html/"
    ErrorLog "${APACHE_LOG_DIR}/error_n8n.servar_nl.log"
    CustomLog ${APACHE_LOG_DIR}/access_n8n.servar_nl.log combined

    RequestHeader set X-Forwarded-Proto https
    RemoteIPHeader X-Forwarded-For
    RequestHeader set X-Forwarded-Host "%{SERVER_NAME}e"

    ProxyPreserveHost Off
    ProxyPass        / http://10.0.40.54:5678/
    ProxyPassReverse / http://10.0.40.54:5678/

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)           ws://10.0.40.54:5678/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*)           http://10.0.40.54:5678/$1 [P,L]
    ProxyPassReverse /          https://n8n.karloluiten.nl
    SSLCertificateFile /etc/letsencrypt/live/n8n.karloluiten.nl/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/n8n.karloluiten.nl/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Obviously fill in your own details/domains/ip.

Also for env vars:

N8N_BASIC_AUTH_ACTIVE=true
N8N_BASIC_AUTH_USER=admin
N8N_BASIC_AUTH_PASSWORD=xxx
N8N_SECURE_COOKIE=false
WEBHOOK_URL=https://n8n.karloluiten.nl/
N8N_PROXY_HOPS=1

Reverse Proxying WebSockets through mod_proxy — HTTP Failback – Lisa's Home Page

I’ve been successfully reverse proxying MQTT over WebSockets via Apache HTTPD for quite some time now. The last few weeks, my phone isn’t able to connect. There’s no good rational presented (and manually clicking the “send data” button on my client successfully connects). It was time to upgrade the server anyway. Once I got the latest Linux distro on the server, I couldn’t connect at all to my MQTT server. The error log showed AH00898: Error reading from remote server returned by /mqtt

Evidently, httpd 2.4.47 added functionality to upgrade and tunnel in accordance with RFC 7230. And that doesn’t work at all in my scenario. Haven’t dug in to the why of it yet, but adding ProxyWebsocketFallbackToProxyHttp Off to the reverse proxy config allowed me to successfully communicate with the MQTT server through the reverse proxy.

Luanti serverlist self-hosted in Docker

bgstack15 — Tue, 29 Apr 2025 12:46:00 GMT

The official Luanti serverlist is really cool, and is free software! The game client uses this list to show you the public instances. I forked it so I could make it work better with the arbitrary server addresses, and I built a docker container for it. I needed it to accept a server_address = dockerhost.ipa.example.com$30001 so that it would publish that hostname and port, rather than the connected IP address (an internal docker one) of 172.24.0.2 with port 30000 like the container always runs. This means my serverlist trusts the entry coming from the Luanti instance and does not do anything with the actual requester IP address, so it's not as secure.

No, it's not published on hub.docker.com or anywhere else. But it's pretty simple to build.

To build your own docker image with the static files, and no nodejs components, run this command in the repo directory, in my branch. My branch includes the generated servers.js downloaded from the public instance which for some reason took a whole node project to build?! I hate nodepm and never figured out how to use it, and I suppose this docker container is now overkill for just a small Flask project, but it fits nicely with my other docker infrastructure at this point.

docker build . -- tag luantiserverlist

Adjust docker-compose.yml if necessary, and mkdir /home/luanti/serverlist/run. The initial assets will be copied to this volume, for you adjust afterwards. Then you can run docker-compose.

docker-compose up -d

The included docker-compose.yml exposes port 8082.

For an easy reverse proxy in apache httpd, to serve at https://reverseproxy.example.com/games/luantiserverlist which you can place in your minetest.conf variable serverlist_url.

# Inside your virtual host.
ProxyPass        /games/luantiserverlist http://dockerhost.int.example.com:8082/
ProxyPassReverse /games/luantiserverlist http://dockerhost.int.example.com:8082/
<Location "/games/luantiserverlist">
   RequestHeader append X-Forwarded-Prefix "/games/luantiserverlist/"
</Location>

And then you can configure servers and clients to use this value.

serverlist_url = http://webserver.ipa.example.com/games/luantiserverlist/

It's really great to be able to list your own servers with pretty names and descriptions!

Praise the Lord for people who are willing to make FLOSS. I doubt many people will want my modifications, but they're there for anyone who would like it.

References

Dockerizing a Python Flask App: A Step-by-Step Guide to Containerizing Your Web Application | by GeeekFa | Medium

Hosting a Flatpak repo

bgstack15 — Thu, 17 Apr 2025 12:33:00 GMT

In the last post, I explained how I built my first flatpak! So now that I have a flatpak I want to distribute to my users, how do I do that? A web-based repository, like everything else!

Preparing the repo

A flatpak repo is just a web directory. For one of these hipster modern techs, they made a good decision for a web repo!

I built a custom internal.flatpakrepo file, and for convenience I placed in in that same directory, but it doesn't have to be there.

[Flatpak Repo]
Title=Internal Flatpak Repo
Url=http://server3/internal/repo/flatpak/
Homepage=http://server3/internal/repo/flatpak/
Comment=Local flatpak repo
Description=All my local flatpaks go here
Icon=http://server3/internal/repo/flatpak/icon.png

At least Gnome Software does not seem to use the repo icon, so I guess my chasing one down was pointless, but whatever. I think it works better with a 128x128 icon for the repo, and letting Gnome Software cache it a few times before you expect it to see it (?), but sometimes it works.

Self-host a pip repo

bgstack15 — Sat, 11 Jan 2025 14:28:00 GMT

tl;dr

Use apache httpd with autoindex on. In the module project, make file pyproject.toml. Run python3 -m build and take the dist/*.tar.gz files and place in the apache web directories underneath a normalized directory name.

/var/www/
- python/
  - tkstackrpms/
    - tkstackrpms-0.0.1.tar.gz
    - tkstackrpms-0.0.2.tar.gz

Using your self-hosted repo

pip install --extra-index-url http://server3/internal/repo/python/ --trusted-host server3 tkstackrpms

Or load into ~/.config/pip/pip.conf the following.

[global]
trusted-host = server3
extra-index-url = http://server3/internal/repo/python
                  https://www.example.com/internal/repo/python

Narrative

I have a small python module I wrote, and I want it to be available to me inside a python virtual environment (venv). Since I don't really want to go through whatever rigamarole would be required for a public package, and not sure I want to burden the world with my creation, I wanted to self-host a repository.

Inside a venv one can't just install my dpkg, so I needed a proper pip web repository.

Thankfully, the process is well documented and works with some basic httpd configuration I already was using!

References

See all links in-line.

Thoughts on self-hosted youtube alternatives

bgstack15 — Sun, 24 Jul 2022 12:41:04 GMT

The whole topic of self-hosted youtube alternatives is rather scant on the Internet, which surprised me.

I found a nice web-based yt-dlp frontend! I have a single Docker server for other purposes, so it was nice to play around with this metube. Ultimately it wasn't better than running yt-dlp in a terminal and dragging links into that command to append the url to the command.

And for the viewing frontend, I tried https://git.mills.io/prologic/tube which sounded so promising! The video upload operations never completed for me. I think it was trying to encode the videos (transcode?) but it never actually populated the web page with contents even after ffmpeg stopped running.

So I then tried MediaCMS which I really, really wanted to like. It's a Django (python) app, which I have no experience with. I was unable to get this reverse-proxied behind Apache httpd under a virtual path (or prefix, i.e., https://example.com/media/). I gave up and then used a different port number, so all the traffic on port 1285 went to the application. This one worked with uploaded videos. I had to change a few settings in the deploy/docker/local_settings.py:

MINIMUM_RESOLUTIONS_TO_ENCODE = [240, 360, 1080]
USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

The last two are the bog-standard Django reverse-proxy instructions that deal with https. This is needed for any proxying tasks. I removed my manipulated STATIC_URL, MEDIA_URL, and FORCE_SCRIPT_NAME components which never actually completely worked.

The MediaCMS web presentation looks slick. With the 1080 minimum resolution (which ended up producing a file twice as large as the 1080p files I uploaded), it was acceptable. There is even a little button over the video for "Cast video." From a mobile browser, the cast failed to send to my Chromecast. From a desktop's chromium, it did work to cast to a Chromecast. It started as screen mirroring, and then it asked me if I wanted to send just the video.

So the usability was missing a little bit.

And none of this was actually better than Jellyfin, and also just visiting the files over nfs, except the awesome youtube interface. The quadruple files per video was a little excessive but storage is cheap these days, right?

Calendar solution for internal network

bgstack15 — Sat, 21 May 2022 12:58:53 GMT

Overview

As part of my efforts to de-google my life, the Calendar solution is a fully self-hosted and FLOSS project. This project uses Radicale caldav server, which is already packaged for EL7 (but I repackage a newer version). The project also uses InfCloud which is a web client for caldav, which is loosely hardcoded to use this existing radicale instance.

Additional components include the F-droid packages of davX⁵ (carddav sync utility) and ETar, a calendar client.

Prequisites

Apache httpd is installed. TLS certificates are in use, to protect the password traffic.

Building

CentOS 7 provides radicale 1.1, which is not the current version. I adapted the radicale and various python dependencies from Fedora, and also wrote the rpm spec for InfCloud. A copy of Git repository for build-radicale-el7 exists here. See build-radicale-el7/README.md for this whole process. NOTE: this includes one patch that I wrote to allow automatic login using the reverse proxy apache ldap authentication.

I established a copr to hold the rpm packages.

Installing on production

On server1, I ran a number of steps which are also documented in the [main server log][3].

Add the copr repo.

curl https://copr.fedorainfracloud.org/coprs/bgstack15/radicale-el7/repo/epel-7/bgstack15-radicale-el7-epel-7.repo | sudo tee /etc/yum.repos.d/bgstack15-radicale-el7.repo
sudo yum install radicale3 infcloud

Customize /etc/radicale/config and /etc/infcloud/config.js.

Add redirects for my http virtual host in httpd:

# Force https for these pages or apps
RewriteCond %{HTTPS} !=on
Redirect /radicale/ https://www.example.com/radicale/
RewriteCond %{HTTPS} !=on
Redirect /calendar/ https://www.example.com/calendar/

Also add useful VirtualHost contents to my apache config file ssl-common.cnf:

# 2022-05-17
#ServerName calendar.example.com
RewriteEngine On
RewriteRule ^/radicale$ /radicale/ [R,L]
<Location "/radicale/">
   ProxyPreserveHost On
   Order deny,allow
   Deny from all
   AuthType Basic
   AuthName "LDAP protected"
   AuthBasicProvider ldap
   AuthLDAPGroupAttribute member
   AuthLDAPSubGroupClass group
   # If anonymous search is disabled, provide dn and pw.
   #AuthLDAPBindDN uid=service-account,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
   #AuthLDAPBindPassword mypw
   AuthLDAPGroupAttributeIsDN On
   AuthLDAPURL "ldaps://dns1.ipa.internal.com:636 dns2.ipa.internal.com:636/cn=users,cn=accounts,dc=ipa,dc=internal,dc=com?uid,memberof,gecos?sub?(objectClass=person)"
   #?sub?(objectClass=*)
   Require valid-user
   Satisfy any
   # My radical set up uses HTTP_X_REMOTE_USER as username for authentication
   RequestHeader set X_REMOTE_USER "%{AUTHENTICATE_uid}e"
   # This does not populate correctly. Probably the ldap memberOf attribute is derived and not real?
   RequestHeader set X_GROUPS "%{AUTHENTICATE_memberOf}e"
   # This populates correctly
   RequestHeader set X_GECOS "%{AUTHENTICATE_gecos}e"
   ProxyPass        http://localhost:5232/ retry=20 connectiontimeout=300 timeout=300
   ProxyPassReverse http://localhost:5232/
   RequestHeader    set X-Script-Name /radicale
</Location>

I customized the storage of calendars (aka collections) to be on the main storage area:

sudo mkdir -p /var/server1/shares/public/Support/Systems/server1/var/lib/radicale/collections
sudo mv /var/lib/radicale/collections /var/server1/shares/public/Support/Systems/server1/var/lib/radicale
sudo ln -s /var/server1/shares/public/Support/Systems/server1/var/lib/radicale/collections /var/lib/radicale/collections
sudo semanage fcontext -a -t radicale_var_lib_t '/var/server1/shares/public/Support/Systems/server1/var/lib/radicale/collections(/.*)?'

I also added all these aforementioned config files to the host-bup config file.

Start and enable radicale service.

sudo systemctl enable radicale
sudo systemctl start radicale

Make a symlink in the web root directory that points to the infcloud contents.

sudo ln -s /usr/share/infcloud/radicale_infcloud/web /var/www/html/calendar

Making good config choices

In order for InfCloud to save which calendars are enabled/visible by default, you need to turn "settingsAccount" on in config.js. This attribute causes InfCloud to store some metadata about the user choices on the caldav server (Radicale). Without this feature, the InfCloud user cannot even change which calendars are visible!

Summary of associated files

On server1, the production server:

/etc/radicale/config
/etc/infcloud/config.js symlinked to with /var/www/calendar/
/etc/infcloud/cache.manifest symlinked to within /var/www/html/calendar/
/usr/sbin/update-infcloud-cache
/var/www/html/calendar is a symlink to /usr/share/infcloud/radicale_infcloud/web

Operations

Some tasks that will happen over time are listed here.

Modifying InfCloud files or config

After making any changes to anything for InfCloud (the web client), you need to update the cache manifest file. It is possible that touching the file works, but a method for updating the version number in the file is with script:

sudo update-infcloud-cache

Controling collections

To add, modify, or remove personal collections (calendars, address books, and todo lists), visit https://www.example.com/radicale/. Log in with a domain credential.

Adding a client

To connect a carddav/caldav client to the Calendar service, use url https://www.example.com/radicale/ and select "Use username and password."

Using a web calendar

To use a rich web client, visit https://www.example.com/calendar/ and type in your domain username and password.

Sending invitations for event from web calendar

In the web client, select an event. Select button "Download," which saves a .ics file. Send this .ics file in your preferred mail client to your guests.

Importing event to web calendar

Feature not implemented yet. Gotta say unh!

Sharing calendar with other Radicale user

This step has to happen first, before the following Sharing operations can work.

An admin has to modify file storage:/etc/radicale/rights and add some steps. Create one rule per [uniquely-named-section]. Use uppercase permission letters for a "root" collection, i.e., a username. Use lowercase letters for any child collections. The uuid of a collection is required: the pretty name is not accepted.

The following is a way to allow all authenticated users to enumerate the items owned by domainjoin, and also read all those items.

[public-principal]
user: .+
collection: domainjoin
permissions: rRi
[public-calendars]
user: .+
collection: domainjoin/[^/]+
permissions: rRi

Adding a "w" or "W" as appropriate to the permissions: entry would enable write access. Another example, for username2 to write to a specific bgstack15 calendar:

[rule1]
user: username2
collection: bgstack15
permissions: R
[rule2]
user: username2
collection: bgstack15/68cb9dbf-7546-8023-ca4c-c69bc64918a2
permissions: rwi

It is probable that read access to the root collection is required in order for the web calendar to be able to enumerate the one shared calendar, but further experimentation should be done.

Opening a shared calendar in web calendar

Unfortunately this so far is only known to work by modifying /etc/infcloud/config.js which requires admin access to server1. If all users of the web calendar should be able to view/edit a collection, add the owning user to attribute additionalResources: ['user5'] inside var globalNetworkCheckSettings. In this example, user5 owns a shared collection, as defined by heading Sharing calendar with other Radicale user. Of course, after modifying config.js, run update-infcloud-cache.

For a specific login to access another specific login root collection (because InfCloud relies on enumerating collections underneath a root collection, i.e., user, rather than pointing to a specific collectioN), you can use the custom stackrpms attribute perUserAdditionalResources such as this example:

var globalNetworkCheckSettings={
  perUserAdditionalResources: [
     { name:"bgstack15", allowed: ["username2"] },
     { name:"username2", allowed: ["bgstack15"] }
  ]
}

Now, the shared collections should populate in the web calendar. If the logged-in user does not have access to this resource, an unfixable and unhideable exclamation mark "!" will appear in the web calendar in the left-hand side menu. It will not be clear to the user what has gone wrong.

Opening a shared calendar with davX⁵

Unfortunately the only plan for accessing shared calendars is to set up a new connection in DavX⁵ with the exact url of the target calendar, e.g. https://www.example.com/radicale/domainjoin/338119a7-3556-0a9b-67ab-be391db1ae77/ which is selectable for copy-paste when the owning user visits /radicale/ and enumerates his collections.

This task will make a new entry that enumerates that logged-in user collections, and also this one exact collection.

Future improvements

Investigate more calendar sharing. Migrate address books.

References

Internal files

[3]: server1 history log

Git repositories

[6]: https://gitlab.com/bgstack15/radicale_auth_ldap.git I ended up not using this, but it is worthy of mentioning.

Weblinks

conaclos An interesting alternative is Radicale 1. Both are very lightweight. I mainly chose Radicale over Baïkal because it is written in Python. On the client side DAVx⁵ 2 do a good job. 1 https://radicale.org/v3.html 2 https://www.davx5.com/ cube00 I've been using Radicale for a few years now and it has been fantastic. Extremely lightweight but also quite flexible with its permissions model since we have a shared family calendar. The backend storage is simply ics/vcf files and while I'm sure it's not the most efficient if you had a large number of users, for our small group it's been perfect and very satisfying knowing your data is there in plain text files. Although if I'm honest I'm just cheap and wanted to get by on the smallest VM offered by my cloud provider and NextCloud was too demanding for that. jamessb > Extremely lightweight but also quite flexible with its permissions model since we have a shared family calendar. How are you doing this? A while ago I skimmed the documentation for a couple of CalDAV servers to try and figure out how I could self-host a shared calendar, but couldn't see an easy way to do this. I've just done some more searching, and it seems there are two suggested ways to do this with Radicale: * create a separate account for the shared calendar, and tell everyone who needs write access the password * create the calendar in one use's directory, and add a symlink to it in the user directories for any other users who need write access. Both of which seem like a bit of hack compared to bring able to explicitly state that a list of users have write access to a calendar in a config file or through a UI. cube00 I created a collection with the name of our domain name and then used this example1 to regex the domain out of the user's login email address to allow them access to the shared collection. 1: https://github.com/Kozea/Radicale/blob/497b5141b066d266c318e...

Example: Grant users of the form user@domain.tld read access to the

collection "domain.tld"

Allow reading the domain collection

[read-domain-principal]

user: .+@([^@]+)

collection:

permissions: R

Allow reading all calendars and address books that are direct children of

the domain collection

[read-domain-calendars]

user: .+@([^@]+)

collection: {0}/[^/]+

permissions: r

Mirror a copr, all architectures and releases and versions

bgstack15 — Fri, 20 Aug 2021 12:44:20 GMT

coprmirror is my yum mirror solution, with a wrapper to mirror specifically a named COPR repository.

Overview

COPR is a distro-run community offering that lets users build yum/dnf repositories with their own software (primarily if not exclusively in rpm format). COPR performs the builds, and then hosts the binary and source rpms for client machines. My project today downloads using native GNU/Linux tools the yum repositories that collectively make up a COPR, so each release-releasever-basearch triplet. The end goal is to have a local copy of the entire current yum repos. This does not copy the build assets or log files; just what a yum repository defines and also the gpg public key. Notably this utility needs the yum python packages present only for evaluating yum variables in the inurl (baseurl from a .repo file), so if you have a string literal as the inurl value, you can run this on a system that does not have yum installed.

Using

Configure coprmirror.conf from the provided .example file, and then run:

COPRMIRROR_CONF=coprmirror.conf VERBOSE=1 DEBUG=1 ./coprmirror.sh

Upstream

Original content The get_file function was improved after being imported from my Reference 1 script.

Alternatives

I felt like ansible and system are overkill, but if you like those, this is perfect for you: https://github.com/ganto/ansible-copr_reposync

Dependencies

wget, grep, awk, sed, jq

References

obsmirror Mirror an OBS repository locally — update 1 [this blog]

Populating my new cgit instance

bgstack15 — Sun, 25 Apr 2021 13:15:44 GMT

Overview

Gitlab is the curent source of truth for all repos, except for the secure data stored locally at /mnt/public/packages. To prepare my on-prem git repos, I need to be be able to synchronize my repositories from the sources of truth. This process sets up the bare repos on the main git and web server, and sets up the sync-location git repos on any VM.

Preparing list assets

We need the csv lists that show the old and new locations.

Generating gitlab token

Visit gitlab.com in web browser, sign in, and visit "Edit profile" in user icon menu. Visit "Access Tokens" in left-side menu, and create a personal access token that is read-only. Save the token, which will resemble string MnrEnTVfA-7kujMarjsG, to file /mnt/public/work/gitlab/gitlab.com.personal_access_token.

Generating list of all relevant projects

Use generate-list.sh to pull the list of all my personal projects from gitlab. It is not complete, because even Your projects on gitlab shows 70 projects total, not the 60 the API returns. So after running that file, manually add any additional entries that should be synced.

./generate-list.sh > list.csv
# manually add any additional repos to list.csv.

To add the destination links, run add-dest.sh with redirection in and out.

< list.csv ./add-dest.sh > repos.csv

Preparing main git destinations

With all the lists created, now prepare the final destinations of the repositories.

Preparing blank repositories on git server

You need to make the blank repositories ahead of time due to how git-over-http works: It only accepts pushes for extant projects. For this task, run make- blank.sh.

time < repos.csv sh -x ./make-blank.sh

On main web server, fix the permissions of these new git repos.

sudo chgrp apache -R /mnt/public/www/git ; sudo chmod g+rwX -R /mnt/public/www/git ;

Setting up sync locations and synchronizing

Now that the destinations are prepared, use a temporary (or at least alternate) location to pull and then push the repositories.

Initialize sync-location git repos

VM d2-03a is the main implementation of the sync-location. This will be the system that performs the main work of pulling all git repos and contents down, and pushing them up to the server.

time OUTDIR=~/dev/sync-git INFILE=/mnt/public/Support/Programs/cgit/populate/repos.csv /mnt/public/Support/Programs/cgit/populate/populate-git-remotes.sh

The above command will need APPLY=1 as a variable when ready for real execution.

Perform synchronization of all git repos

This is the main operation of this whole process. It could take some time to execute.

INDIR=~/dev/sync-git /mnt/public/Support/Programs/cgit/populate/sync-all.sh

Build initial permissions list

To restrict push access to all the new repos, run this command, and save its output inside /etc/git_access.conf.

find /var/www/git -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | awk '{print "Use Project "$0" \"user bgstack15\" \"all granted\""}' | sort

And of course an httpd -t and then reload.

Appendix A: File listings

generate-list.sh

#!/bin/sh
# Startdate: 2021-04-16 20:16
# Goal: generate csv to stdout of directory,origin,dest
# STEP 1
# Notes:
#    the gitlab api doesn't show the "contributed" projects in the API at all, so the output from this is incomplete. The output file will need to be curated with additional entries for projects not from my userspace.
# Dependencies:
#    Gitlab token at /mnt/public/work/gitlab/gitlab.com.personal_access_token
#    jq
# Reference: 
#    https://stackoverflow.com/questions/57242240/jq-object-cannot-be-csv-formatted-only-array
#    https://stackoverflow.com/questions/32960857/how-to-convert-arbitrary-simple-json-to-csv-using-jq/32965227#32965227

test -z "${TOKEN_FILE}" && TOKEN_FILE="/mnt/public/work/gitlab/gitlab.com.personal_access_token"

test ! -r "${TOKEN_FILE}" && { echo "Fatal! Cannot find token file ${TOKEN_FILE}. Aborted." 1>&2 ; exit 1 ; }
TOKEN="$( cat "${TOKEN_FILE}" )"
echo "${TOKEN}" | grep -qE "token:" && { TOKEN="$( echo "${TOKEN}" | awk '/^token:/{print $NF}' )" ; }

GUSER=bgstack15

# Functions
handle_pagination() {
   # call: handle_pagination "https://gitlab.com/api/v4/users/${GUSER}/projects"
   # return: stdout: a single json list of of all returned objects from all pages
   # GLOBALS USED: TOKEN
   ___hp_url="${1}"
   ___hp_next_link="dummy value"
   ___hp_json=""
   ___hp_MAX=30 # safety valve
   x=0
   ___hp_thisurl="${___hp_url}"
   while test -n "${___hp_next_link}" && test ${x} -lt ${___hp_MAX} ;
   do
      x=$((x+1))
      raw="$( curl --include --header "PRIVATE-TOKEN: ${TOKEN}" "${___hp_thisurl}" )"
      set +x ; links="$( echo "${raw}" | awk '/^link:/' )" ; set -x
      ___hp_next_link="$( echo "${links}" | tr ',' '\n' | sed -n -r -e '/rel="next"/{s/.*<!--/;s/-->;.*$//;p;}' )" # will be blank if next_link is not valid; that is, if this is the last page.
      ___hp_thisurl="${___hp_next_link}"
      set +x ; ___hp_json="${___hp_json}$( echo "${raw}" | awk '/^\[/' )" ; set -x
   done
   # combine all json lists into one
   # ref: https://stackoverflow.com/a/34477713/3569534
   echo "${___hp_json}" | jq --compact-output --null-input 'reduce inputs as $in (null; . + $in)'
}

# MAIN
json="$( handle_pagination "https://gitlab.com/api/v4/users/${GUSER}/projects" )"
echo "${json}" | jq '.[] | [{ web_url, path }]' | jq -r '(map(keys) | add | unique) as $cols | map(. as $row|$cols|map($row[.])) as $rows | $cols, $rows[] | @csv' | awk 'NR == 1 {print} NR >1 && !/"web_url"/{print}'

list.csv

Just a snippet:

"ansible01","https://gitlab.com/bgstack15/ansible01"
"ansible-ssh-tunnel-for-proxy","https://gitlab.com/bgstack15/ansible-ssh-tunnel-for-proxy"
el7-gnupg2-debmirror/gnupg2,https://gitlab.com/el7-gnupg2-debmirror/gnupg2
el7-gnupg2-debmirror/libksba,https://gitlab.com/el7-gnupg2-debmirror/libksba
el7-gnupg2-debmirror/libassuan,https://gitlab.com/el7-gnupg2-debmirror/libassuan

add-dest.sh

#!/bin/sh
# Startdate: 2021-04-17
# STEP 2
# Goal: fix column names, and also parse to add dest column.
test -z "${GIT_URL_BASE}" && GIT_URL_BASE="https://www.example.com/git"
{
   # fix column name, and then add the dest link
   sed -r -e '1s/web_url/origin/;' | tr -d '"' | \
   awk -v "topurl=${GIT_URL_BASE}" -F',' 'BEGIN{OFS=","} NR==1 {print $0",dest"} NR>1 {$NF=$NF","topurl"/"$1;print}'
}

repos.csv

The final list asset. Just a snippet:

ansible01,https://gitlab.com/bgstack15/ansible01,https://www.example.com/git/ansible01
ansible-ssh-tunnel-for-proxy,https://gitlab.com/bgstack15/ansible-ssh-tunnel-for-proxy,https://www.example.com/git/ansible-ssh-tunnel-for-proxy
el7-gnupg2-debmirror/gnupg2,https://gitlab.com/el7-gnupg2-debmirror/gnupg2,https://www.example.com/git/el7-gnupg2-debmirror/gnupg2
el7-gnupg2-debmirror/libksba,https://gitlab.com/el7-gnupg2-debmirror/libksba,https://www.example.com/git/el7-gnupg2-debmirror/libksba
el7-gnupg2-debmirror/libassuan,https://gitlab.com/el7-gnupg2-debmirror/libassuan,https://www.example.com/git/el7-gnupg2-debmirror/libassuan

make-blank.sh

#!/bin/sh
# Startdate: 2021-04-17 16:13
# Goal: given the repos.csv output from STEP 2 add-dest.sh script, make the blank git repos for each of those on the final destination server
# STEP 3

test -z "${GIT_URL_BASE}" && GIT_URL_BASE="https://www.example.com/git"
test -z "${GIT_TOP_DIR}" && GIT_TOP_DIR="/mnt/public/www/git"

cd "${GIT_TOP_DIR}"
# this awk will read stdin, and skip the first line which is the headers for the columns
for word in $( awk -F',' -v "topurl=${GIT_URL_BASE%%/}/" 'NR>1 {gsub(topurl,"",$3);print $3}' ) ;
do
   # if OVERWRITE and the dir already exists, then delete it
   test -d "${word}" && test -n "${OVERWRITE}" && rm -r "${word}"

   # If inside a namespace, then perform a few extra steps.
   echo "${word}" | grep -qE "\/" && {
      # make any subdirs between here and there
      mkdir -p "${word}"
   # DISABLED; can just use section-from-path=1 in main cgitrc
   ## if in a subdir, add a cgitrc file for this repo that indicates its section.
   #   section="$( echo "${word}" | awk -F'/' 'BEGIN{OFS="/"} {$NF="";print}' )"
   #   if ! grep -qE "section=.+" "${word}/cgitrc" 2>/dev/null ;
   #   then
   #      echo "section=${section%%/}" >> "${word}/cgitrc"
   #   fi
   }

   # actually make the blank git repo
   git init --bare "${word}" &

done
wait

sync-all.sh

#!/bin/sh
# STEP 5 repeating
# Startdate: 2020-05-21
# Goal: download every single git repository in full from bitbucket cloud for migration to bitbucket on-prem.
# History:
#    2021-04-17 forked from gituser.tgz to Support/Programs/cgit/populate project
# Usage:
#    INDIR=~/dev/sync-git 
# References:
#    git-sync-all.ps1
# Dependencies:

SYNCSCRIPT=/mnt/public/Support/Programs/cgit/populate/sync.sh

if test -z "${INDIR}" || ! test -r "${INDIR}" ;
then
   echo "Fatal! Invalid INDIR ${INDIR} which is either absent or unreadable. Aborted" 1>&2
   exit 1
fi

cd "${INDIR}"
x=0
for dir in $( find . -maxdepth 2 -mindepth 1 -type d -name '.git' -printf '%h\n' ) ;
do
   x=$(( x=x+1 ))
   lecho "Starting repo $x ${dir}"
   cd "${INDIR}/${dir}"
   "${SYNCSCRIPT}"
done

sync.sh

#!/bin/sh
# STEP 5 or manual
# Startdate: 2020-05-21
# Goal: sync just this one directory git repo.
# History:
#    2021-04-17 forked from gituser.tgz to Supoprt/Programs/cgit/populate project
# References:
#    How to actually pull all branches from the remote https://stackoverflow.com/questions/67699/how-to-clone-all-remote-branches-in-git/16563327#16563327
# Dependencies:
#    $PWD is the git repo in question.
git pull --all
{
   git branch -a | sed -n "/\/HEAD /d; /remotes\/origin/p;" | xargs -L1 git checkout -t
} 2>&1 | grep -vE 'fatal:.* already exists'
git push dest --all

Cgit solution for my network

bgstack15 — Wed, 21 Apr 2021 12:36:21 GMT

History

Experimentation using gitweb and cgit was carried out on d2-02a at some point before 2020-10. Cgit on Devuan (d2-02a) was examined after investigating a key Stackoverflow post and determined to meet my needs.

Overview

Git-scm itself provides native mechanisms to allow operations through http, and basic Apache httpd configuration examples abound. Adding a decent web frontend with cgit is a small additional step. This setup also uses Apache httpd basic auth to limit read and write access to the true git projects, but not the cgit simple http clone operations.

Prerequisites

Apache httpd is installed. TLS certificate exists and is already in use.

Installing entire cgit solution

Installing and configuring cgit

Install cgit from stackrpms repo for el8, which uses https://src.fedoraproject.org/fork/tmz/rpms/cgit or https://src.fedoraproject.org/forks/tmz/rpms/cgit.git to build the rpm. Tmz is the Fedora maintainer of this package, so his adaptation of it for el8 is trustworthy.

sudo dnf install cgit

Modify /etc/cgitrc with my own customizations. See internal file /mnt/public/Support/Programs/cgit/files/cgitrc for the original configuration. Install a few dependencies. Python3-markdown is also from stackrpms for el8, because I had to build it on my copr, also from its source https://src.fedoraproject.org/rpms/python-markdown.

sudo dnf install python3-pygments python3-markdown

These dependencies support displaying markdown (.md) files as the cgit and repo "about" pages. I tend to use markdown for these types of files. Copy in a logo file for myself to /usr/share/cgit/bgstack15_64.png. The top-level readme file is configured in the example cgitrc to /var/www/git/readme.md

Configuring httpd

Set up file /etc/git_access.conf with snippets that will be included by the httpd config. This file will control access to the git repositories over git itself, not the cgit web presentation.

# File /etc/git_access.conf
# Part of cgit solution for Mersey network, 2021-04-15
# The last phrase can be "all granted" to allow anybody to read.
# Use httpd "Require" strings for param2, param3. Param2 grants read/write permission, Param3 is read-only.
#Use Project dirname "user alice bob charlie" "all granted"
#Use Project dirname "user charlie" "user bob alice"

Use Project certreq "user bgstack15" "all granted"

In the above example, the "certreq" is a project name (directory name under /var/www/git). The second and third parameters, the "user bgstack15" and "all granted" will be passed to Apache "Require" directives. They represent "read- write access" and "read-only access" respectively. Apache interprets the example, resolved "Required all granted" as anonymous read access is allowed. One of the main operations described under the Operations heading below is adding new entries to this list of projects. Set up file /etc/gitweb.conf which is traditionally for gitweb, a different implementation of serving git repos over http, but can also be used here.

$export_auth_hook = sub {
    my $repo = shift;
    my $user = $cgi->remote_user;
    if($repo =~ s/\/var\/www\/git\///) {
        open FILE, '/etc/git_access.conf'; 
        while(<FILE>) {
            if ($_ =~ m/Use Project $repo \"(.*)\" \"(.*)\"/)
            {
                my $users = $1 . ' ' . $2;
                $users =~ s/all granted/$user/;
                $users =~ s/user//;
                if ( $users =~ m/$user/ ) {
                    return 1;
                }
            }              
        }
    }
    return 0;
};

I do not understand this perl file: It came straight from reference 2. Set up file /etc/git_access with htpasswd(1).

sudo htpasswd -c /etc/git_access bgstack15

Set up file /etc/httpd/conf.d/cgit.conf with modifications. This file is laid down by the cgit rpm, but might need some adjustments. The exact contents as of the time of this writing are the following.

Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit
RedirectMatch ^/cgit$ /git/
<Directory "/usr/share/cgit/">
    AllowOverride None
    Require all granted
</Directory>

Set up the apache virtualhost. For server storage1, this means modifying extant file /etc/httpd/conf.d/local_mirror.conf. Inside the main VirtualHost definition (the port 80 one), add contents:

# cgit + git. See /mnt/public/Support/Programs/cgit/cgit-README.md
SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
SetEnv GITWEB_CONFIG /etc/gitweb.conf

ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
<Directory "/usr/libexec/git-core*">
    Options +ExecCGI +Indexes
    Order allow,deny
    Allow from all
    Require all granted
</Directory>

# a2enmod macro # for Devuan
<Macro Project $repository $rwstring $rostring>
    <LocationMatch "^/git/$repository.*$">
        AuthType Basic
        AuthName "Git Access"
        AuthUserFile /etc/git_access
        Require $rwstring
        Require $rostring
    </LocationMatch>
    <LocationMatch "^/git/$repository/git-receive-pack$">
        AuthType Basic
        AuthName "Git Access"
        AuthUserFile /etc/git_access
        Require $rwstring
    </LocationMatch>
</Macro>
# Devuan apache2 works with IncludeOptional but EL8 httpd doesn't work with it.
Include /etc/git_access.conf

# https://ic3man5.wordpress.com/2013/01/26/installing-cgit-on-debian/
# depends on conf-enabled/cgit.conf (available as cgit.conf.devuan)
<Directory "/usr/share/cgit/">
    SetEnv CGIT_CONFIG /etc/cgitrc
    SetEnv GIT_URL cgit
    AllowOverride all
    Options +ExecCGI +FollowSymLinks +Indexes
    DirectoryIndex cgit.cgi
    AddHandler cgi-script .cgi
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule (.*) /cgit/cgit.cgi/$1 [END,QSA]
</Directory>

After making changes to these files, test (sudo httpd -t), and then reload or restart httpd.

Configure SELinux

I used the standard mechanisms to troubleshoot SELinux.

sudo setenforce 0
semodule --disable_dontaudit --build
echo "" | sudo tee /var/log/audit/audit.log 1>/dev/null
# perform a large number of git and cgit operations
sudo tail -n15000 /var/log/audit/audit.log | audit2allow -M foo
# manually merge any new entries into cgitmersey.te
semodule --build
_func() {sudo checkmodule -M -m -o cgitmersey.mod cgitmersey.te && sudo semodule_package -o cgitmersey.pp -m cgitmersey.mod && sudo semodule -i cgitmersey.pp ; } ; time _func

Final asset is cgitmersey.te which can be loaded and installed with the last line of the above command block.

module cgitmersey 1.0;

require {
type git_script_t;
type httpd_t;
type httpd_cache_t;
type var_t;
class process { noatsecure rlimitinh siginh };
class file { getattr map open read };
class dir { getattr open read search };
}

#============= git_script_t ==============
allow git_script_t var_t:dir read;
allow git_script_t var_t:file { read getattr open };
allow git_script_t httpd_cache_t:dir { getattr open read search };
allow git_script_t httpd_cache_t:file { map getattr open read };

#============= httpd_t ==============
allow httpd_t git_script_t:process { noatsecure rlimitinh siginh };

Populating cgit with my content

See separate blog post Populating my New Cgit Instance for this whole task.

Summary of associated files

/etc/gitweb.conf
/usr/share/cgit/bgstack15_64.png
/etc/git_access.conf
/etc/git_access
/etc/cgitrc
```
cache-size=300
```
clone-prefix=https://www.example.com/git css=/cgit-data/cgit.css

Disable owner on index page

enable-index-owner=0 enable-index-links=1

Allow http transport git clone

enable-http-clone=1

Show extra links for each repository on the index page

enable-index-links=0

Enable blame page and create links to it from tree page

enable-blame=0

Enable ASCII art commit history graph on the log pages

enable-commit-graph=0

Show number of affected files per commit on the log pages

enable-log-filecount=0

Show number of added/removed lines per commit on the log pages

enable-log-linecount=0

Sort branches by age or name

branch-sort=name

favicon=/favicon.ico

Use a custom logo

logo=/cgit-data/bgstack15_64.png

Enable statistics per week, month, quarter, or year

max-stats=

Set the title and heading of the repository index page

root-title=Stackrpms git root-readme=/var/www/git/readme.md root-desc=Bgstack15 local repos

Allow download of tar.gz, tar.bz2 and zip-files

snapshots=tar.gz tar.bz2 zip mimetype.gif=image/gif mimetype.html=text/html mimetype.jpg=image/jpeg mimetype.jpeg=image/jpeg mimetype.pdf=application/pdf mimetype.png=image/png mimetype.svg=image/svg+xml

Enable syntax highlighting (requires the highlight package)

source-filter=/usr/libexec/cgit/filters/syntax-highlighting.sh

Format markdown, restructuredtext, manpages, text files, and html files

through the right converters

about-filter=/usr/libexec/cgit/filters/about-formatting.sh readme=:README.md readme=:readme.md readme=:README.mkd readme=:readme.mkd readme=:README.rst readme=:readme.rst readme=:README.html readme=:readme.html readme=:README.htm readme=:readme.htm readme=:README.txt readme=:readme.txt readme=:README readme=:readme readme=:INSTALL.md readme=:install.md readme=:INSTALL.mkd readme=:install.mkd readme=:INSTALL.rst readme=:install.rst readme=:INSTALL.html readme=:install.html readme=:INSTALL.htm readme=:install.htm readme=:INSTALL.txt readme=:install.txt readme=:INSTALL readme=:install section-from-path=1 enable-subject-links=1 virtual-root=/cgit/ scan-path=/var/www/git/
/etc/httpd/conf.d/cgit.conf
/var/www/git/readme.md
/mnt/public/Support/Programs/cgit/cgitmersey.te

Operations

Some useful operations are described here.

Making a new project

To set up a new project that can receive pushes, you need to initialize a new git bare repo. Make the "newname" project in /var/www/git, and grant access to the apache user.

cd /var/www/git ; git init --bare newname ; sudo chgrp apache -R newname

Set up permissions for the new project in /etc/git_access.conf. For example:

Use Project "newname" "user adminuser1 adminuser2 adminuser3" "user1 user2 user3"

After making changes, ensure httpd accepts the new config (because it loads /etc/git_access.conf as an included file), and then reload httpd.

sudo httpd -t
sudo systemctl reload httpd

Changing cgit-related attributes of a project

Cgit can be configured to read a file named cgitrc within a git repository. I tend to use just the top directory of these bare git repos, so for project certreq, use /var/www/git/certreq/cgitrc. See cgitrc(5) for more info, but a brief list of useful attributes (var=value) include: defbranch, desc, hide, homepage, ignore, logo, name, owner, readme, section, url. For the description of a repo that appears in the main index, use regular file in a git bare repo: description.

Adding a new user

Use regular htpasswd mechanism to add users or change passwords. See htpasswd(1).

htpasswd /etc/git_access bgstack15

Removing a project

Just delete the project directory.

Changing cgitrc values

Changing cgitrc values take effect immediately (when caching is set to 0); no httpd reload is necessary.

References

https://stackoverflow.com/questions/26734933/how-to-set-up-git-over-http git_access.conf
https://stackoverflow.com/a/50317063/3569534 /etc/gitweb.conf and httpd.conf macro and other snippets
https://stackoverflow.com/questions/40924641/setting-up-git-http-backend-with-apache-2-4
https://stackoverflow.com/a/2200662/3569534 had to convert my sample project to a bare git one

Auxiliary reading

https://ic3man5.wordpress.com/2013/01/26/installing-cgit-on-debian/

Alternatives

added 2022-01-18

Shreyas Minocha's Replacing Gitea