NOTE: I assume that you meant anonymous read-only access; there is no way to distinguish between clone and fetch in git, I think.

Do you want to set up "smart" HTTP (recommended), or "dumb" HTTP one?

For "dumb" HTTP it is enough to forbid (or just do not set up) WebDAV - this is how pushes come with "dumb" HTTP (no git on server side).

For "smart" HTTP follow directions for anonymous read access but authenticated write access in git-http-backend manpage, translating it from Apache to nginx, and modifying slightly. Note that documentation for anonymous read but authenticated write might be incomplete, but you do not worry about authenthicated write (push) access succeding anyway, isn't it?

In his answer, Jakub Narębski suggests:

For "smart" HTTP follow directions for anonymous read access but authenticated write access in git-http-backend manpage, translating it from Apache to nginx, and modifying slightly.

Following his suggestion, I configured nginx and git-http-backend to enable anonymous read access but authenticated write access by using a combination of if, $arg, and rewrite to differentiate between Git read and write operations before invoking git-http-backend:

# /etc/nginx/sites-available/git    
server {
        listen 80;
        server_name myhostname;
        access_log /var/log/nginx/git.access.log;
        error_log /var/log/nginx/git.error.log;
        gzip off;

        location ~ /git(/.*) {
                if ($arg_service = git-receive-pack) {
                        rewrite /git(/.*) /git_write$1 last;
                }

                if ($uri ~ ^/git/.*/git-receive-pack$) {
                        rewrite /git(/.*) /git_write$1 last;
                }

                if ($arg_service = git-upload-pack) {
                        rewrite /git(/.*) /git_read$1 last;
                }

                if ($uri ~ ^/git/.*/git-upload-pack$) {
                        rewrite /git(/.*) /git_read$1 last;
                }
        }

        location ~ /git_read(/.*) {
                include git-http-backend.conf;
        }

        location ~ /git_write(/.*) {
                auth_basic "Pushing to Git repositories is restricted";
                auth_basic_user_file /etc/nginx/.htpasswd;
                include git-http-backend.conf;
        }
}

Configuration file /etc/nginx/git-http-backend.conf contains the common fastcgi directives that prepare the environment for fastcgi to invoke git-http-backend:

# /etc/nginx/git-http-backend.conf 
fastcgi_pass unix:/var/run/fcgiwrap.socket;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
fastcgi_param GIT_PROJECT_ROOT /data/git;
fastcgi_param PATH_INFO $1;
fastcgi_param REMOTE_USER $remote_user;

Maybe this is what you are looking for git daemon: Git serve: I would like it that simple

There are many interesting answers on that page but none specifically for nginx.

You could then add a proxy pass in nginx like so:

location / {
  proxy_set_header Host $host;
  proxy_pass  http://127.0.0.1:9418; # Port 9418 is the default git daemon port
}

I don't know of a way of allowing only cloning... but the git daemon command is already read-only. So it should do it's job.

I hope this helps !