--- /dev/null
+# path to git projects (<project>.git)
+$projectroot = "/var/www/public_repos";
+
+# directory to use for temp files
+# explicitely set by Debian so it's probably a good choice
+$git_temp = "/tmp";
+
+# git-diff-tree(1) options to use for generated patches
+# we don't want to to guess renames, so empty
+@diff_opts = ();
+
+# Base path for where to find the repos for cloning.
+@git_base_url_list = ('https://REPLACE_fqdn_ECALPER/repos/clone');
+
+# allow snapshots
+$feature{'snapshot'}{'default'} = ['zip', 'tgz'];
+
+# insert header for GDPR compliance
+$site_header = "/var/www/header.html"
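Review bot: The last assignment, `$site_header = "/var/www/header.html"`, has no terminating semicolon. Perl accepts that only because it is the final statement, so the next setting appended to this file will produce a syntax error and gitweb will fail to load its config; write `$site_header = "/var/www/header.html";`. Separately, `$feature{'snapshot'}{'default'} = ['zip', 'tgz'];` lets any anonymous visitor make the server build archives on demand. If the host is small, consider adding a comment that records this as a deliberate choice and setting gitweb's `$maxload` to a value suited to the machine.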
 
 }
 
 http {
-        # define content-type headers
-        types {
-            text/html                             html htm shtml;
-            #text/css                              css;
-            #text/xml                              xml;
-            #text/plain                            txt sh rst md;
-            #application/xhtml+xml                 xhtml;
-            #application/pdf                       pdf;
-            #image/jpeg                            jpg jpeg;
-            #image/png                             png;
-        }
-        default_type application/octet_stream;
-        charset utf-8;
+    # define content-type headers
+    types {
+        text/html html htm shtml;
+        text/css  css;
+        text/xml xml;
+        text/plain txt sh rst md;
+        application/xhtml+xml xhtml;
+        application/pdf pdf;
+        image/jpeg jpg jpeg;
+        image/png png;
+    }
+    default_type application/octet_stream;
+    charset utf-8;
+
+    # logging deactivated due to GDPR
+    #access_log /var/log/nginx/access.log;
+    #error_log /var/log/nginx/error.log;
+
+    # HTTP server: only enforce HTTPS
+    server {
+        listen 80;
+        return 301 https://$host$request_uri;
+    }
 
-        # logging deactivated due to DSGVO
-       #access_log /var/log/nginx/access.log;
-       #error_log /var/log/nginx/error.log;
+    # HTTPS server
+    server {
+        listen 443 ssl;
+        server_name REPLACE_fqdn_ECALPER;
+        ssl_certificate /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/privkey.pem;
+        root /var/www/html/;
+        index index.html index.htm index.nginx-debian.html;
+
+        # serve /var/www/public_repos/* for HTTPS git cloning
+        location ~ /repos/clone(/.*) {
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+            fastcgi_param GIT_HTTP_EXPORT_ALL "";
+            fastcgi_param GIT_PROJECT_ROOT /var/www/public_repos;
+            fastcgi_param PATH_INFO $1;
+            fastcgi_pass unix:/var/run/fcgiwrap.socket;
+        }
 
-        # HTTP server: only enforce HTTPS
-        server {
-                listen 80;
-                return 301 https://$host$request_uri;
+        # gitweb static files
+        location /repos/static/ {
+            alias /usr/share/gitweb/static/;
         }
 
-       # HTTPS server
-        server {
-                listen 443 ssl;
-                server_name REPLACE_fqdn_ECALPER;
-                ssl_certificate /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/fullchain.pem;
-                ssl_certificate_key /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/privkey.pem;
-                root /var/www/html/;
-               index index.html index.htm index.nginx-debian.html;
+        # gitweb; this needs packages fcgiwrap and gitweb
+        location /repos/ {
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME  /usr/share/gitweb/gitweb.cgi;
+            fastcgi_param GITWEB_CONFIG  /etc/gitweb.conf;
+            fastcgi_pass unix:/var/run/fcgiwrap.socket;
         }
+    }
 }
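Review bot: The comment `# logging deactivated due to GDPR` does not match what nginx will do: with `access_log` and `error_log` only commented out, nginx falls back to its built-in defaults and keeps writing both logs, client addresses included, unless a directive outside this hunk turns them off. If no request logging is intended, say so explicitly with `access_log off;`. `error_log` has no off switch, so choose a threshold deliberately, e.g. `error_log /var/log/nginx/error.log crit;`, which also keeps enough signal to notice failures or abuse of the fcgiwrap-backed locations. Separately, `location ~ /repos/clone(/.*)` is unanchored and matches that substring anywhere in a URI; `location ~ ^/repos/clone(/.*)$` confines it to the intended prefix. `default_type application/octet_stream;` should read `application/octet-stream`.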