cgit with nginx on CentOS

Today I've set up cgit on this server, but the more software I configure, the more cumbersome it would be to switch to another system: there already are XMPP, all the email business, some websites, a Gopher server, an IRC bouncer, and some helper things. So, I'd better be more active in writing these things down as notes – and they may be useful for others, too.

Alternatively, one could write e.g. Ansible roles, as some actually do. It may be nice, but they would require more maintenance, would be less handy to read and adapt, and would depend on Ansible (or another configuration management system, in case of a different choice). Another seemingly nice approach is "literate devops" with Org (which would also fit into this Org-generated website nicely), though perhaps less useful when it's mostly about configuration file editing. And apparently Nix can be handy for that as well.

cgit supports CGI and nginx supports FastCGI, so fcgi and spawn-fcgi should be installed. Most of the configuration goes into nginx; this is what I'm using (/etc/nginx/conf.d/git.conf):

server {
    listen 80;
    listen [::]:80;
    # Redirect all plain-HTTP requests to HTTPS.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    access_log /var/log/nginx/git_access_log main;
    error_log /var/log/nginx/git_error_log info;

    root /usr/share/cgit;
    # Serve existing static files directly; hand everything else to cgit.
    try_files             $uri @cgit;

    location ~ ^/cgit-data/(.*)$ {
        alias /usr/share/cgit/$1;
    }

    # cgit runs as a plain CGI program behind fcgiwrap.
    location @cgit {
      include             /etc/nginx/fastcgi_params;
      fastcgi_param       SCRIPT_FILENAME /var/www/cgi-bin/cgit;
      fastcgi_param       PATH_INFO       $uri;
      fastcgi_pass        unix:/var/run/fcgiwrap.socket;
    }
}

It's partly borrowed from ArchWiki, just adapted for CentOS and for this system in particular. repoquery -l cgit helped in finding /var/www/cgi-bin/cgit. That's with the default /etc/nginx/fastcgi_params from EPEL's nginx package.

/etc/cgitrc only required adding virtual-root=/ (as ArchWiki suggested) to fix some paths; otherwise the configuration is straightforward. The highlight-based highlighting is rather poor and buggy/wrong; it seems to be better without it.
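To check cgit and /etc/cgitrc independently of nginx, the CGI binary can be run by hand with the variables the @cgit location passes to it. This is an added example, not part of the original notes: the function name cgi_probe is made up here, and GATEWAY_INTERFACE, REQUEST_METHOD and QUERY_STRING are the standard CGI variables that fastcgi_params normally supplies.

```sh
#!/bin/sh
# Added example (not from the original notes).
# cgi_probe PROGRAM PATH_INFO [QUERY_STRING]
# Runs a CGI program with the variables the @cgit location sets and prints
# "<status> <content-type>" taken from the CGI response headers.
# Usage on the server described above:  cgi_probe /var/www/cgi-bin/cgit /
cgi_probe() {
    prog=$1
    path=$2
    query=${3:-}
    [ -x "$prog" ] || { echo "not executable: $prog" >&2; return 2; }

    # env -i starts from an empty environment, so the result does not
    # depend on whatever happens to be set in the calling shell.
    env -i \
        PATH=/usr/bin:/bin \
        GATEWAY_INTERFACE=CGI/1.1 \
        REQUEST_METHOD=GET \
        SCRIPT_FILENAME="$prog" \
        PATH_INFO="$path" \
        QUERY_STRING="$query" \
        "$prog" |
    awk '
        { sub(/\r$/, "") }                    # accept LF and CRLF line endings
        $0 == "" { done = 1; exit }           # blank line ends the header block
        tolower($0) ~ /^status:/ {
            sub(/^[^:]*:[ \t]*/, ""); status = $1
        }
        tolower($0) ~ /^content-type:/ {
            sub(/^[^:]*:[ \t]*/, ""); ctype = $0
        }
        END {
            # A CGI response needs a header block with a Content-Type.
            if (!done || ctype == "") { print "malformed CGI response"; exit 1 }
            # A missing Status header means 200 in CGI.
            if (status == "") status = 200
            print status, ctype
        }'
}
```

If this reports a sensible status and content type while the site still fails, the problem is on the nginx or fcgiwrap socket side rather than in cgit or /etc/cgitrc.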

To get one more LE certificate (it already was mostly set up, as the letsencrypt user – instead of the root user, which certbot used by default):

sudo -u letsencrypt certbot certonly --webroot \
        -w /usr/share/nginx/uberspace -d

And I've changed the CSS so that it doesn't hurt my eyes when used with a browser without color overriding: cgit-uberspace.css (+ result).

cgit is not perfect, but it is fast, and helps to reduce centralization imposed by GitHub. Besides, its web UI is considerably more lightweight and less broken than that of GitHub.

See also: