From: Stefan Sperling
Subject: Re: gotd & gotwebd depository redundancy
To: Sylvain Saboua
Cc: gameoftrees@openbsd.org
Date: Thu, 11 Dec 2025 09:31:52 +0100

On Wed, Dec 10, 2025 at 06:32:13PM +0100, Sylvain Saboua wrote:
> I have some projects I want accessible via public repositories.
> In my mind, it would be normal that both gotd (via ssh://repo@server)
> and gotwebd (via https://got.myserver.tld/repo) would allow access to
> the same repositories.
>
> But currently I have to configure the following as a turnaround:
>
> $ more /etc/gotd.conf
> repository geomant {
>     path '/var/www/got/public/geomant'
>     permit rw sylvain
>     permit ro anonymous
> }
> repository nwpg {
>     path '/var/www/got/public/nwpg'
>     permit rw sylvain
>     permit ro anonymous
>
> Is it considered normal that gotd and gotwebd both use separate
> repository bases ? Is there a standard turnaround ? Am I doing
> something wrong ?

gotwebd used to be confined to the chroot directory of the web server,
i.e. usually the /var/www directory. This made a separate copy of
repositories for gotwebd pretty much necessary.

As of got 0.111 keeping repositories inside the chroot is no longer
required by gotwebd. The repos_path in /etc/gotwebd.conf can be set to
a path anywhere on the filesystem.

However, you should not be using this feature on -portable with releases
older than 0.118 because versions from 0.111 up to and including 0.117
had a bug which allowed the browser to request repositories from anywhere
on the filesystem via gotwebd, even outside the designated repos_path.
(This was never a problem on OpenBSD where unveil(2) prevents gotwebd
from seeing unrelated parts of the filesystem.)

Additionally, gotwebd from got >= 0.119 supports user authentication
which makes it possible to make only a subset of repositories public.

So for example, if you have your Git repositories in the /git directory,
and you have gotwebd from got >= 0.119 you can set things up as follows:

Either:

  chown -R _gotd:_gotwebd /git
  chmod 750 /git /git/*

Or:

  chown -R _gotd:_gotd /git
  chmod 750 /git /git/*
  usermod -G _gotd _gotwebd # add _gotwebd user to _gotd group

/etc/gotd.conf:

  user _gotd
  repository "geomant" {
      path '/git/geomant'
      permit rw sylvain
      permit ro anonymous
  }
  repository "nwpg" {
      path '/git/nwpg'
      permit rw sylvain
      permit ro anonymous
  }

/etc/gotwebd.conf:

  user _gotwebd
  server "got.myserver.tld" {
      repos_path "/git"
      enable authentication
      login hint user anonymous

      # Allow sylvain to browse any repository found in "/git"
      permit sylvain

      # Allow anonymous for specific repositories only:
      repository "geomant" {
          permit anonymous
      }
      repository "nwpg" {
          permit anonymous
      }
  }
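
A pre-deployment check for the setup described in the mail above, as an added example that is not part of the original message or of the got project. The function names got_release_status and check_no_world_access are hypothetical; the version thresholds are the ones the mail states, and release numbers are assumed to have the form 0.N.

```shell
#!/bin/sh
# Added example: sanity checks before sharing one repository tree
# between gotd and gotwebd. Function names are hypothetical.

# Classify a got release number such as "0.118" using the thresholds
# given in the mail. Assumes the form 0.N; anything else is "unknown".
got_release_status() {
    minor=${1#0.}
    case $minor in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$minor" -ge 119 ]; then
        echo "ok-with-authentication"          # per-repository permit rules
    elif [ "$minor" -eq 118 ]; then
        echo "ok-no-authentication"            # repos_path fix, no auth yet
    elif [ "$minor" -ge 111 ]; then
        echo "repos_path-escape-on-portable"   # 0.111 through 0.117
    else
        echo "chroot-only"                     # repositories must be in the chroot
    fi
}

# Check DIR and each entry directly below it, mirroring the mail's
# "chmod 750 /git /git/*". Any permission bit for "other" is reported
# on stderr. Returns 0 when nothing is world-accessible, 1 otherwise.
check_no_world_access() {
    dir=$1
    bad=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue                 # unmatched glob in an empty DIR
        other=$(ls -ld -- "$p" | cut -c8-10)    # e.g. "---" in drwxr-x---
        if [ "$other" != "---" ]; then
            echo "world-accessible: $p" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Typical use (as root): got_release_status 0.119; check_no_world_access /git
```

Ownership (_gotd:_gotwebd, or _gotd:_gotd with _gotwebd added to the group) still has to be confirmed separately with ls -ld.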