I have this:
    repo dotfiles
        RW+CD   @dev                    = @ben.boeckel
        RW      refs/heads/master       = @ben.boeckel

    repo priv/dotfiles
        RW+C    refs/heads/non-public   = @ben.boeckel
        RW+C    refs/heads/$hostname    = @ben.boeckel   # one line per host-specific branch
        -                               = @all           # everything else is denied
        config gitolite-options.deny-repo = 1
        config core.sharedRepository = 0700
Where the $hostname line is repeated for each host-specific branch I have. This effectively ensures that access to any branch other than master and the dev/ branches (the @dev group) is denied. The private repo is then locked down to just those branches.
The repositories are served over git-daemon and cgit in different jails which do not have user access to the repositories (and the repositories are mounted ro using nullfs), so if the deny-repo option ever fails, the filesystem will deny the access as a failsafe.
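To see what those rules actually permit, here is an added example (my own, not the commenter's config and not gitolite's code) that parses the rule subset above and evaluates pushes with gitolite's first-match algorithm. The group definitions for `@ben.boeckel` and `@dev`, and the literal `laptop` branch standing in for the per-host `$hostname` rules, are assumptions because the comment does not show them; read access and the deny-repo option are not modelled. On a real install, `gitolite access -q <repo> <user> <perm> <ref>` gives the authoritative answer.

```python
import re
from collections import defaultdict

# Constructed gitolite.conf modelled on the rules in the comment above. The two
# group definitions and the "laptop" branch (standing in for the per-host
# $hostname rules) are assumptions, not the commenter's actual config.
CONF = """
@ben.boeckel = ben.boeckel
@dev         = refs/heads/dev/

repo dotfiles
    RW+CD   @dev                    = @ben.boeckel
    RW      refs/heads/master       = @ben.boeckel

repo priv/dotfiles
    RW+C    refs/heads/non-public   = @ben.boeckel
    RW+C    refs/heads/laptop       = @ben.boeckel
    -                               = @all
    config gitolite-options.deny-repo = 1
    config core.sharedRepository = 0700
"""


def parse(conf):
    """Parse the subset of gitolite.conf syntax used above.

    Returns (groups, repos): groups maps @name -> members (users or refexes),
    repos maps repo name -> ordered list of (perm, refex, [users]).
    """
    groups = defaultdict(list)
    repos = defaultdict(list)
    current = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@"):
            name, members = (s.strip() for s in line.split("=", 1))
            groups[name].extend(members.split())
        elif line.startswith("repo "):
            current = line.split()[1:]
        elif line.startswith("config "):
            pass  # git-config settings, not access rules
        else:
            lhs, users = (s.strip() for s in line.split("=", 1))
            parts = lhs.split()
            perm, refexes = parts[0], parts[1:] or [""]
            for repo in current:
                for refex in refexes:
                    repos[repo].append((perm, refex, users.split()))
    return groups, repos


def user_matches(groups, user, users):
    """A rule applies if it names the user, @all, or a group containing the user."""
    return any(u == user or u == "@all" or user in groups.get(u, []) for u in users)


def ref_matches(groups, refex, ref):
    """Gitolite refex rules: a group expands to its members, an empty refex
    means refs/.*, anything not starting with refs/ gets refs/heads/ prepended,
    and the regex is anchored only at the start of the ref name."""
    for rx in (groups.get(refex, []) if refex.startswith("@") else [refex]):
        if rx == "":
            rx = "refs/.*"
        elif not rx.startswith("refs/"):
            rx = "refs/heads/" + rx
        if re.match(rx, ref):
            return True
    return False


def can_push(groups, repos, repo, user, op, ref):
    """First-match evaluation of a push, the way gitolite does it.

    op is "W" (fast-forward), "+" (rewind), "C" (create ref) or "D" (delete ref).
    C and D are only demanded when the repo has C/D rules at all; otherwise
    creating needs W and deleting needs + (a delete is treated as a rewind).
    """
    rules = repos.get(repo, [])
    if op == "C" and not any("C" in perm for perm, _, _ in rules):
        op = "W"
    if op == "D" and not any("D" in perm for perm, _, _ in rules):
        op = "+"
    for perm, refex, users in rules:
        if not (user_matches(groups, user, users) and ref_matches(groups, refex, ref)):
            continue
        if perm == "-":
            return False  # a deny rule reached first ends the search
        if op in perm:
            return True   # this rule grants the needed permission
    return False          # nothing granted it: default deny


if __name__ == "__main__":
    groups, repos = parse(CONF)
    for repo, op, ref in [
        ("dotfiles", "W", "refs/heads/master"),
        ("dotfiles", "+", "refs/heads/master"),
        ("dotfiles", "D", "refs/heads/master"),
        ("dotfiles", "C", "refs/heads/dev/vim"),
        ("dotfiles", "C", "refs/heads/feature"),
        ("priv/dotfiles", "+", "refs/heads/non-public"),
        ("priv/dotfiles", "W", "refs/heads/master"),
    ]:
        verdict = can_push(groups, repos, repo, "ben.boeckel", op, ref)
        print(f"{repo:14} {op} {ref:28} {'allow' if verdict else 'DENY'}")
```

The evaluation shows what the posted rules buy: master in dotfiles can be fast-forwarded but neither rewound nor deleted, dev/ branches can be created and deleted freely, and any other branch name is refused. One caveat worth checking on a real config: a refex is anchored only at its start, so `refs/heads/master` also matches a push to `refs/heads/master-old`; write `refs/heads/master$` if that branch name should be exact.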