From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 3 Apr 2018 16:35:29 -0400
Subject: NGINX and linux
In-Reply-To: <ffe8d58a-c7b8-3006-666d-ed265e9be9c4@linuxfoundation.org>
References: <CAFuwghMXvNABkV-hTRWnDybJ59umVzxYnBTg1aD1RdC8phOZtA@mail.gmail.com>
 <20180301122639.GA2349@john.keeping.me.uk> <20180403165144.GO27845@debian>
 <ffe8d58a-c7b8-3006-666d-ed265e9be9c4@linuxfoundation.org>
Message-ID: <CAHmME9oF4SgdQukBO1PBAPKzyraadHKKSia5JTzbvovw8ApzTA@mail.gmail.com>

I run uwsgi+cgit on the actual cgit cgit repo. Here's the setup:

krantz ~ # cat /etc/nginx/sites/cgit.conf
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name git.zx2c4.com;
        access_log /var/log/nginx/cgit.access_log main;
        error_log /var/log/nginx/cgit.error_log info;
        ssl_certificate_key
/var/www/letsencrypt/certs/git.zx2c4.com/privkey.pem;
        ssl_certificate /var/www/letsencrypt/certs/git.zx2c4.com/fullchain.pem;
        include secure-headers.conf;

        location /cgit.cgi {
                internal;
                include uwsgi_params;
                uwsgi_modifier1 9;
                uwsgi_pass unix:/var/run/uwsgi-apps/cgit.socket;
        }
        location ~
"^/[a-zA-Z0-9._-]+/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$"
{
                include uwsgi_params;
                uwsgi_modifier1 9;
                uwsgi_pass unix:/var/run/uwsgi-apps/git-http-backend.socket;
        }
        location / {
                root /var/www/uwsgi/cgit/cgi/;
                try_files $uri /cgit.cgi?url=$uri&$args;
        }
}
server {
        listen 80;
        listen [::]:80;
        server_name git.zx2c4.com;
        include letsencrypt.conf;
        location / {
                return 301 https://$server_name$request_uri;
        }
}

Running as a daemon: { /usr/bin/uwsgi --emperor /etc/uwsgi.d/
--daemonize /var/log/uwsgi.log --master --emperor-on-demand-directory
/var/run/uwsgi-apps --pidfile /var/run/uwsgi/uwsgi.pid }

krantz ~ # cat /etc/uwsgi.d/cgit.ini
[uwsgi]
chdir = /var/www/uwsgi/%n/cgi
master = true
uid = %n
gid = %n
logto = /var/log/uwsgi/%n.log
processes = 8
threads = 8
idle = 1800
die-on-idle = true
plugin = cgi
cgi = /var/www/uwsgi/%n/cgi/%n.cgi
listen = 256
cgroup = /sys/fs/cgroup/cgit
cgroup-opt = memory.limit_in_bytes=1073741824
prio = 10

krantz ~ # cat /etc/uwsgi.d/git-http-backend.ini
[uwsgi]
chdir = /mnt/git
master = true
uid = cgit
gid = cgit
logto = /var/log/uwsgi/%n.log
processes = 16
threads = 16
idle = 1800
die-on-idle = true
plugin = cgi
cgi = /usr/libexec/git-core/%n
listen = 256
prio = 10
env = GIT_PROJECT_ROOT=/mnt/git
env = HOME=/mnt/git
post-buffering = 8192
cgi-close-stdin-on-eof = true

krantz ~ # cat /var/www/uwsgi/cgit/source/cgit.conf
CGIT_SCRIPT_PATH = /var/www/uwsgi/cgit/cgi
CGIT_CONFIG = /var/www/uwsgi/cgit/cgitrc
CACHE_ROOT = /var/www/uwsgi/cgit/cache
prefix = /var/www/uwsgi/cgit
libdir = $(prefix)
filterdir = $(libdir)/filters
NM = gcc-nm
AR = gcc-ar
LD = gcc-ld
CFLAGS = -O3 -march=native -pipe -fomit-frame-pointer -fPIE
-fstack-protector-all -flto -fPIC
LDFLAGS = -Wl,-z,now -Wl,-z,relro -flto -fPIC