A mirror clone is done in a very boring way -- by passing the "--mirror" command-line option to git clone.
In this mode, git clone will configure the resulting local repository in such a way that a mere call to git fetch origin will do a full one-way sync with the source remote repository.
Performing synchronization at regular interval is done via scripting the git fetch origin call making your OS's scheduler run this script using whatever schedule you will configure.
Making the repository read-only is the only tricky part in fact. This mostly amounts to the fact Git itself does not provide any
authentication and authorization, and -- by extension -- access control. To add to the picture, Git repositories may be served using a multitude of options (HTTP, SSH, Git's own server).
The native Git wire protocol (git://) served by the git-daemon program is already read-only unless you tweak the repository's
configuration (see that program's manual page for exact detais), so if you intend to serve your repository using git-daemon, that's all you will need to set up.
Otherwise I'd probably recommend to install a simple pre-receive hook into your repository which would output "Write access denied" to its standard error stream and exit with a non-zero exit code. That is, something as simple as
#!/bin/sh
printf 'Write access deniedn' >&2
exit 1
This will reject all pushes from remote repositories right away. Consult the githooks manual page for more info on hooks.
