.\"
.\" Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate$
.Dt GOTD.CONF 5
.Os
.Sh NAME
.Nm gotd.conf
.Nd gotd configuration file
.Sh DESCRIPTION
.Nm
is the run-time configuration file for
.Xr gotd 8 .
.Pp
The file format is line-based, with one configuration directive per line.
Any lines beginning with a
.Sq #
are treated as comments and ignored.
.Sh GLOBAL CONFIGURATION
The available global configuration directives are as follows:
.Bl -tag -width Ds
.It Ic connection Ar option
Set the specified options and limits for connections to the
.Xr gotd 8
unix socket.
.Pp
The
.Ic connection
directive may be specified multiple times, and multiple
.Ar option
arguments may be specified within curly braces:
.Pp
.Ic connection Brq Ar ...
.Pp
Each option should only be specified once.
If a given option is listed multiple times, the last line which sets this
option wins.
.Pp
Valid connection options are:
.Bl -tag -width Ds
.It Ic request timeout Ar seconds
Specify the inactivity timeout for operations between client and server.
If this timeout is exceeded while a Git protocol request is being processed,
the request will be aborted and the connection will be terminated.
.Pp
The default timeout is 3600 seconds (1 hour).
This should only be changed if legitimate requests are exceeding the default
timeout for some reason, such as the server spending an extraordinary
amount of time generating a pack file.
.It Ic limit Ic user Ar identity Ar number
Limit the maximum number of concurrent connections by the user with
the username
.Ar identity
to
.Ar number .
Numeric user IDs are also accepted.
.Pp
The default per-user limit is 4.
This should only be changed if concurrent connections from a given user are
expected to exceed the default limit, for example if an anonymous user
is granted read access and many concurrent connections will share this
anonymous user identity.
.El
.It Ic unix_socket Ar path
Set the path to the unix socket which
.Xr gotd 8
should listen on.
If not specified, the path
.Pa /var/run/gotd.sock
will be used.
.It Ic unix_group Ar group
Set the
.Ar group ,
defined in the
.Xr group 5
file, which is allowed to access
.Xr gotd 8
via
.Xr gotsh 1 .
The
.Xr gotd 8
user must be a secondary member of this group.
If not specified, the group _gotsh will be used.
.It Ic user Ar user
Set the
.Ar user
which will run
.Xr gotd 8 .
Initially,
.Xr gotd 8
requires root privileges in order to create its unix socket.
Afterwards,
.Xr gotd 8
drops privileges to the specified
.Ar user .
If not specified, the user _gotd will be used.
.El
.Sh REPOSITORY CONFIGURATION
At least one repository context must exist for
.Xr gotd 8
to function.
For each repository, access rules must be configured using the
.Ic permit
and
.Ic deny
configuration directives.
Multiple access rules can be specified, and the last matching rule
determines the action taken.
If no rule matches, access to the repository is denied.
.Pp
A repository context is declared with a unique
.Ar name ,
followed by repository-specific configuration directives inside curly braces:
.Pp
.Ic repository Ar name Brq ...
.Pp
.Xr got 1
and
.Xr git 1
clients can connect to a repository by including the repository's unique
.Ar name
in the request URL.
Clients appending the string
.Dq .git
to the
.Ar name
will also be accepted.
.Pp
If desired, the
.Ar name
may contain path-separators,
.Dq / ,
to expose repositories as part of a virtual client-visible directory hierarchy.
.Pp
The available repository configuration directives are as follows:
.Bl -tag -width Ds
.It Ic deny Ar identity
Deny repository access to users with the username
.Ar identity .
Group names may be matched by prepending a colon
.Pq Sq \&:
to
.Ar identity .
Numeric IDs are also accepted.
.It Ic path Ar path
Set the path to the Git repository.
Must be specified.
.It Ic permit Ar mode Ar identity
Permit repository access to users with the username
.Ar identity .
The
.Ar mode
argument must be set to either
.Ic ro
for read-only access,
or
.Ic rw
for read-write access.
Group names may be matched by prepending a colon
.Pq Sq \&:
to
.Ar identity .
Numeric IDs are also accepted.
.El
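The rule evaluation described in this section (the last matching rule wins, and no match means access is denied), modelled as an added example; this is not gotd's own code. The group list passed to effective_access() and the two rule orderings are constructed for illustration, and numeric IDs are not handled.

```python
# Added illustration of the documented permit/deny semantics; not gotd's code.

# Constructed sample: the same three rules in two different orders.
DENY_LAST = """
permit rw :porters
permit ro anonymous
deny flan_hacker
"""
DENY_FIRST = """
deny flan_hacker
permit rw :porters
permit ro anonymous
"""

def parse_rules(text):
    """Return [(action, mode, identity)] from permit/deny lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "permit" and len(words) == 3 and words[1] in ("ro", "rw"):
            rules.append(("permit", words[1], words[2]))
        elif words[0] == "deny" and len(words) == 2:
            rules.append(("deny", None, words[1]))
        else:
            raise ValueError("unrecognized rule: " + line.strip())
    return rules

def matches(identity, user, groups):
    """A leading ':' matches a group name; otherwise the username must be equal."""
    if identity.startswith(":"):
        return identity[1:] in groups
    return identity == user

def effective_access(rules, user, groups=()):
    """Last matching rule wins; if no rule matches, access is denied."""
    result = "deny"
    for action, mode, identity in rules:
        if matches(identity, user, groups):
            result = mode if action == "permit" else "deny"
    return result

if __name__ == "__main__":
    # flan_hacker is assumed to be a member of the porters group here.
    for label, text in (("deny last", DENY_LAST), ("deny first", DENY_FIRST)):
        print(label, "->", effective_access(parse_rules(text), "flan_hacker", ["porters"]))
```

A deny rule placed before a broader group permit is overridden for members of that group, so per-user deny rules belong after the permit rules they are meant to restrict.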
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa /etc/gotd.conf
Location of the
.Nm
configuration file.
.El
.Sh EXAMPLES
.Bd -literal -offset indent
# Default unix_group and user values:
unix_group _gotsh
user _gotd

# This repository can be accessed via ssh://user@example.com/src
repository "src" {
	path "/var/git/src.git"
	permit rw flan_hacker
	permit rw :developers
	permit ro anonymous
}

# This repository can be accessed via
# ssh://user@example.com/openbsd/ports
repository "openbsd/ports" {
	path "/var/git/ports.git"
	permit rw :porters
	permit ro anonymous
	deny flan_hacker
}

# Use a larger request timeout value:
connection request timeout 7200 # 2 hours

# Some users are granted a higher concurrent connection limit:
connection {
	limit user flan_hacker 16
	limit user anonymous 32
}
.Ed
.Sh SEE ALSO
.Xr got 1 ,
.Xr gotsh 1 ,
.Xr group 5 ,
.Xr gotd 8