##
## On all sites, enable gitweb web interface. Also enable git-http-backend on
## when performing upload/receive operations on the URL.
##
## Requires the following Apache modules to be enabled:
##   mod_cgi or mod_cgid
##   mod_rewrite
##

# All git operations are handled by git-http-backend CGI script. Rest of the
# HTTP requests (say sent by the browser) are handled by gitweb.
ScriptAliasMatch \
    "(?x)^/gitweb/([^/]+/(HEAD | \
                       info/refs | \
                       objects/(info/[^/]+ | \
                                [0-9a-f]{2}/[0-9a-f]{38} | \
                                pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                       git-(upload|receive)-pack))$" \
    /usr/lib/git-core/git-http-backend/$1

Alias /gitweb /usr/share/gitweb

<Directory /usr/share/gitweb>
    # Make gitweb work with custom FreedomBox configuration.
    SetEnv GITWEB_CONFIG /etc/gitweb-freedombox.conf

    <If "%{HTTP_COOKIE} =~ /auth_pubtkt=.*tokens.*(admin|git-access)/">
        Include includes/freedombox-single-sign-on.conf
        <IfModule mod_auth_pubtkt.c>
            TKTAuthToken "git-access" "admin"
        </IfModule>
    </If>

    # Allow index.cgi symlink to gitweb.cgi to work. Treat gitweb.cgi as CGI
    # script and execute it.
    Options +FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi

    # Allow files in /usr/share/gitweb/static/ to be served directly by Apache.
    # Pass every other URL as argument to gitweb.cgi to enable short and clean
    # URLs.
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^.* /gitweb/gitweb.cgi/$0 [L,PT]
</Directory>

<Directory /usr/lib/git-core/>
    # Configure git-http-backend to work with our repository path.
    SetEnv GIT_PROJECT_ROOT /var/lib/git

    # Tell git-http-backend to work with all the projects even when they don't
    # have the file 'git-daemon-export-ok'.
    SetEnv GIT_HTTP_EXPORT_ALL

    # Authentication is required when performing git push (git send-pack).
    SetEnvIfExpr "%{QUERY_STRING} =~ /service=git-receive-pack/" AUTHREQUIRED
    SetEnvIfExpr "%{REQUEST_URI} =~ /git-receive-pack$/" AUTHREQUIRED
    # Authentication is required for any operation if repository is private.
    SetEnvIfExpr "%{REQUEST_URI} =~ m#^/gitweb/([^/]+)# && ( -f '/var/lib/git/$1/private' || -f '/var/lib/git/$1.git/private' )" AUTHREQUIRED

    # Either authentication is not required for this operation and repository
    # combination, or...
    <RequireAll>
        Require all granted
        Require not env AUTHREQUIRED
    </RequireAll>

    # ...user belongs to admin or git-access groups, with basic auth via LDAP.
    Include includes/freedombox-auth-ldap.conf
    Require ldap-group cn=admin,ou=groups,dc=thisbox
    Require ldap-group cn=git-access,ou=groups,dc=thisbox
</Directory>