girocco: support fetching bundles
[girocco.git] / Girocco / Config.pm
blob87aa668c650bbc02e7e4b58f8ec8373ffa1183ce
1 package Girocco::Config;
3 use strict;
4 use warnings;
7 ## Basic settings
9 # Name of the service
10 our $name = "GiroccoEx";
12 # Nickname of the service (undef for initial part of $name upto first '.')
13 our $nickname = undef;
15 # Title of the service (as shown in gitweb)
16 our $title = "Example Girocco Hosting";
18 # Path to the Git binary to use (you MUST set this, even if to /usr/bin/git!)
19 our $git_bin = '/usr/bin/git';
21 # Path to the git-daemon binary to use (undef to use default)
22 # If $gitpullurl is undef this will never be used (assuming no git inetd
23 # service has been set up in that case).
24 # The default if this is undef is `$git_bin --exec-path`/git-daemon
25 # Setting this explicitly is slightly more efficient as it avoids calling --exec-path
26 our $git_daemon_bin = undef;
28 # Path to the git-http-backend binary to use (undef to use default)
29 # If both $httppullurl and $httpspushurl are undef this will never be used
30 # The default if this is undef is `$git_bin --exec-path`/git-http-backend
31 # Setting this explicitly is slightly more efficient as it avoids calling --exec-path
32 our $git_http_backend_bin = undef;
34 # Name (if in $PATH) or full path to netcat executable that accepts a -U option
35 # to connect to a unix socket. This may simply be 'nc' on many systems.
36 our $nc_openbsd_bin = 'nc.openbsd';
38 # Path to the sendmail instance to use. It should understand the -f <from>, -i and -t
39 # options as well as accepting a list of recipient addresses in order to be used here.
40 # You MUST set this, even if to '/usr/sbin/sendmail'!
41 # Setting this to 'sendmail.pl' is special and will automatically be expanded to
42 # a full path to the ../bin/sendmail.pl executable in this Girocco installation.
43 # sendmail.pl is a sendmail-compatible script that delivers the message directly
44 # using SMTP to a mail relay host. This is the recommended configuration as it
45 # minimizes the information exposed to recipients (no sender account names or uids),
46 # can talk to an SMTP server on another host (eliminating the need for a working
47 # sendmail and/or SMTP server on this host) and avoids any unwanted address rewriting.
48 # By default it expects the mail relay to be listening on localhost port 25.
49 # See the sendmail.pl section below for more information on configuring sendmail.pl.
50 our $sendmail_bin = 'sendmail.pl';
52 # E-mail of the site admin
53 our $admin = 'admin@example.org';
55 # Sender of emails
56 # This is the SMTP 'MAIL FROM:' value
57 # It will be passed to $sendmail_bin with the -f option
58 # Some sites may not allow non-privileged users to pass the -f option to
59 # $sendmail_bin. In that case set this to undef and no -f option will be
60 # passed which means the 'MAIL FROM:' value will be the user the mail is
61 # sent as (either $cgi_user or $mirror_user depending on the activity).
62 # To avoid having bounce emails go to $admin, this may be set to something
63 # else such as 'admin-noreply@example.org' and then the 'admin-noreply' address
64 # may be redirected to /dev/null. Setting this to '' or '<>' is not
65 # recommended because that will likely cause the emails to be marked as SPAM
66 # by the receiver's SPAM filter. If $sendmail_bin is set to 'sendmail.pl' this
67 # value must be acceptable to the receiving SMTP server as a 'MAIL FROM:' value.
68 # If this is set to undef and 'sendmail.pl' is used, the 'MAIL FROM:' value will
69 # be the user the mail is sent as (either $cgi_user or $mirror_user).
70 our $sender = $admin;
72 # Copy $admin on failure/recovery messages?
73 our $admincc = 1;
75 # Girocco branch to use for html.cgi view source links (undef for HEAD)
76 our $giroccobranch = undef;
79 ## Git user agent strings
81 # Git clients (i.e. fetch/clone) always send a user agent string when fetching
82 # over HTTP. Since version 1.7.12.1 an 'agent=' capability string is included
83 # as well which affects git:, smart HTTP and ssh: protocols.
85 # These settings allow the default user agent string to be changed independently
86 # for fetch/clone operations (only matters if $mirror is true) and server
87 # operations (some other Git client fetching from us). Note that it is not
88 # possible to suppress the capability entirely although it can be set to an
89 # empty string. If these values are not set, the default user agent string
90 # will be used. Typically (unless Git was built with non-standard options) the
91 # default is "git/" plus the version. So for example "git/1.8.5.6" or
92 # "git/2.1.4" might be seen.
94 # One might want to change the default user agent strings in order to prevent
95 # an attacker from learning the exact Git version being used to avoid being
96 # able to quickly target any version-specific vulnerabilities. Note that
97 # no matter what's set here, an attacker can easily determine whether a server
98 # is running JGit, libgit2 or Git and for Git whether it's version 1.7.12.1 or
99 # later. A reasonable value to hide the exact Git version number while
100 # remaining compatible with servers that require a "Git/" user agent string
101 # would be something like "git/2" or even just "git/".
103 # The GIT_USER_AGENT value to use when acting as a client (i.e. clone/fetch)
104 # This value is only used if $mirror is true and at least one mirror is set up.
105 # Setting this to the empty string will suppress the HTTP User-Agent header,
106 # but will still include an "agent=" capability in the packet protocol. The
107 # empty string is not recommended because some servers match on "git/".
108 # Leave undef to use the default Git user agent string
109 # IMPORTANT: some server sites will refuse to serve up Git repositories unless
110 # the client user agent string contains "Git/" (matched case insensitively)!
111 our $git_client_ua = undef;
113 # The GIT_USER_AGENT value to use when acting as a server (i.e. some Git client
114 # is fetching/cloning from us).
115 # Leave undef to use the default Git user agent string
116 our $git_server_ua = undef;
119 ## Feature knobs
121 # Enable mirroring mode if true (see "Foreign VCS mirrors" section below)
122 our $mirror = 1;
124 # Enable push mode if true
125 our $push = 1;
127 # If both $mirror and $push are enabled, setting this to 'mirror' pre-selects
128 # mirror mode on the initial regproj display, otherwise 'push' mode will be
129 # pre-selected. When forking the initial mode will be 'push' if $push enabled.
130 our $initial_regproj_mode = 'mirror';
132 # Enable user management if true; this means the interface for registering
133 # user accounts and uploading SSH keys. This implies full chroot.
134 our $manage_users = 1;
136 # Minimum key length (in bits) for uploaded SSH RSA/DSA keys.
137 # If this is not set (i.e. undef) keys as small as 512 bits will be allowed.
138 # Nowadays keys less than 2048 bits in length should probably not be allowed.
139 # Note, however, that versions of OpenSSH starting with 4.3p1 will only generate
140 # DSA keys of exactly 1024 bits in length even though that length is no longer
141 # recommended. (OpenSSL can be used to generate DSA keys with lengths > 1024.)
142 # OpenSSH does not have any problem generating RSA keys longer than 1024 bits.
143 # This setting is only checked when new keys are added so setting it/increasing it
144 # will not affect existing keys. For maximum compatibility a value of 1024 may
145 # be used however 2048 is recommended. Setting it to anything other than 1024,
146 # 2048 or 3072 may have the side effect of making it very difficult to generate
147 # DSA keys that satisfy the restriction (but RSA keys should not be a problem).
148 # Note that no matter what setting is specified here keys smaller than 512 bits
149 # will never be allowed via the reguser.cgi/edituser.cgi interface.
150 # RECOMMENDED VALUE: 2048 (ok) or 3072 (better)
151 our $min_key_length = 1024;
153 # Disable DSA public keys?
154 # If this is set to 1, adding DSA keys at reguser.cgi/edituser.cgi time will be
155 # prohibited. If $pushurl is undef then this is implicitly set to 1 since DSA
156 # keys are not usable with https push.
157 # OpenSSH will only generate 1024 bit DSA keys starting with version 4.3p1.
158 # Even if OpenSSL is used to generate a longer DSA key (which can then be used
159 # with OpenSSH), the SSH protocol itself still forces use of SHA-1 in the DSA
160 # signature blob which tends to defeat the purpose of going to a longer key in
161 # the first place. So it may be better from a security standpoint to simply
162 # disable DSA keys especially if $min_key_length and $rsakeylength have been set
163 # to something higher such as 3072 or 4096. This setting is only checked when
164 # new keys are added so setting it/increasing it will not affect existing keys.
165 # There is no way to disable DSA keys in the OpenSSH server config file itself.
166 # If this is set to 1, no ssh_host_dsa_key will be generated or used with the
167 # sshd running in the jail (but if the sshd_config has already been generated
168 # in the jail, it must be removed and 'sudo make install' run again or otherwise
169 # the sshd_config needs to be edited by hand for the change to take effect).
170 # RECOMMENDED VALUE: 1
171 our $disable_dsa = 0;
173 # Enable the special 'mob' user if set to 'mob'
174 our $mob = "mob";
176 # Let users set admin passwords; if false, all password inputs are assumed empty.
177 # This will make new projects use empty passwords and all operations on them
178 # unrestricted, but you will be able to do no operations on previously created
179 # projects you have set a password on.
180 our $project_passwords = 1;
182 # How to determine project owner; 'email' adds a form item asking for their
183 # email contact, 'source' takes realname of owner of source repository if it
184 # is a local path (and empty string otherwise). 'source' is suitable in case
185 # the site operates only as mirror of purely local-filesystem repositories.
186 our $project_owners = 'email';
188 # Which project fields to make editable, out of 'shortdesc', 'homepage',
189 # 'README', 'notifymail', 'notifyjson', 'notifycia'. (This is currently
190 # soft restriction - form fields aren't used, but manually injected values
191 # *are* used. Submit a patch if that's an issue for you.)
192 our @project_fields = qw(homepage shortdesc README notifymail notifyjson notifycia);
194 # Minimal number of seconds to pass between two updates of a project.
195 our $min_mirror_interval = 3600; # 1 hour
197 # Minimal number of seconds to pass between two garbage collections of a project.
198 our $min_gc_interval = 604800; # 1 week
200 # Maximum window memory size when repacking. If this is set, it will be used
201 # instead of the automatically computed value if it's less than that value.
202 # May use a 'k', 'm', or 'g' suffix otherwise value is in bytes.
203 our $max_gc_window_memory_size = undef;
205 # Whether or not to run the ../bin/update-pwd-db script whenever the etc/passwd
206 # database is changed. This is typically needed (i.e. set to a true value) for
207 # FreeBSD style systems when using an sshd chroot jail for push access. So if
208 # $pushurl is undef or the system Girocco is running on is not like FreeBSD
209 # (e.g. a master.passwd file that must be transformed into pwd.db and spwd.db), then
210 # this setting should normally be left false (i.e. 0). See comments in the
211 # provided ../bin/update-pwd-db script about when and how it's invoked.
212 our $update_pwd_db = 0;
214 # Port the sshd running in the jail should listen on
215 # Be sure to update $pushurl to match
216 # Not used if $pushurl is undef
217 our $sshd_jail_port = 22;
219 # If this is true then host names used in mirror source URLs will be checked
220 # and any that are not DNS names (i.e. IPv4 or IPv6) or match one of the DNS
221 # host names in any of the URL settings below will be rejected.
222 our $restrict_mirror_hosts = 1;
224 # If $restrict_mirror_hosts is enabled this is the minimum number of labels
225 # required in a valid dns name. Normally 2 is the correct value, but if
226 # Girocco is being used internally where a common default or search domain
227 # is set for everyone then this should be changed to 1 to allow a dns name
228 # with a single label in it. No matter what is set here at least 1 label
229 # is always required when $restrict_mirror_hosts is enabled.
230 our $min_dns_labels = 2;
232 # If $xmllint_readme is true then the contents of the README.html section
233 # will be passed through xmllint and any errors must be corrected before
234 # it can be saved. If this is set to true then xmllint must be in the $PATH.
235 # RECOMMENDED VALUE: 1
236 our $xmllint_readme = 0;
239 ## Foreign VCS mirrors
241 # Note that if any of these settings are changed from true to false, then
242 # any pre-existing mirrors using the now-disabled foreign VCS will stop
243 # updating, new mirrors using the now-disabled foreign VCS will be disallowed
244 # and attempts to update ANY project settings for a pre-existing project that
245 # uses a now-disabled foreign VCS source URL will also be disallowed.
247 # If $mirror is true and $mirror_svn is true then mirrors from svn source
248 # repositories will be allowed (and be converted to Git). These URLs have
249 # the form svn://... or svn+http://... or svn+https://...
250 # Note that for this to work the "svn" command line command must be available
251 # in PATH and the "git svn" commands must work (which generally requires both
252 # Perl and the subversion perl bindings be installed).
253 our $mirror_svn = 1;
255 # Prior to Git v1.5.1, git-svn always used a log window size of 1000.
256 # Starting with Git v1.5.1, git-svn defaults to using a log window size of 100
257 # and provides a --log-window-size= option to change it. Starting with Git
258 # v2.2.0, git-svn disconnects and reconnects to the server every log window size
259 # interval to attempt to reduce memory use by git-svn. If $svn_log_window_size
260 # is undefined, Girocco will use a log window size of 250 (instead of the
261 # the default 100). If $svn_log_window_size is set, Girocco will use that
262 # value instead. Beware that setting it too low (i.e. < 50) will almost
263 # certainly cause performance issues if not failures. Unless there are concerns
264 # about git-svn memory use on a server with extremely limited memory, the
265 # value of 250 that Girocco uses by default should be fine. Obviously if
266 # $mirror or $mirror_svn is false this setting is irrelevant.
267 our $svn_log_window_size = undef;
269 # If $mirror is true and $mirror_darcs is true then mirrors from darcs source
270 # repositories will be allowed (and be converted to Git). These URLs have
271 # the form darcs://...
272 # Note that for this to work the "darcs" command line command must be available
273 # in PATH and so must python (required to run the darcs-fast-export script).
274 our $mirror_darcs = 1;
276 # If $mirror is true and $mirror_bzr is true then mirrors from bzr source
277 # repositories will be allowed (and be converted to Git). These URLs have
278 # the form bzr://...
279 # Note that for this to work the "bzr" command line command must be available
280 # in PATH (it's a python script so python is required as well).
281 our $mirror_bzr = 1;
283 # If $mirror is true and $mirror_hg is true then mirrors from hg source
284 # repositories will be allowed (and be converted to Git). These URLs have
285 # the form hg+http://... or hg+https://...
286 # Note that for this to work the "hg" command line command must be available
287 # in PATH and so must python (required to run the hg-fast-export.py script).
288 # Note that if the PYTHON environment variable is set that will be used instead
289 # of just plain "python" to run the hg-fast-export.py script (which needs to
290 # be able to import from mercurial).
291 our $mirror_hg = 1;
294 ## Paths
296 # Path where the main chunk of Girocco files will be installed
297 # This will get COMPLETELY OVERWRITTEN by each make install!!!
298 our $basedir = '/home/repo/repomgr';
300 # Path where the automatically generated non-user certificates will be stored
301 # (The per-user certificates are always stored in $chroot/etc/sshcerts/)
302 # This is preserved by each make install and MUST NOT be under $basedir!
303 # Not used unless $httpspushurl is defined
304 our $certsdir = '/home/repo/certs';
306 # The repository collection
307 # "$reporoot/_recyclebin" will also be created for use by toolbox/trash-project.pl
308 our $reporoot = "/srv/git";
310 # The repository collection's location within the chroot jail
311 # Normally $reporoot will be bind mounted onto $chroot/$jailreporoot
312 # Should NOT start with '/'
313 our $jailreporoot = "srv/git";
315 # The chroot for ssh pushing; location for project database and other run-time
316 # data even in non-chroot setups
317 our $chroot = "/home/repo/j";
319 # The gitweb files web directory (corresponds to $gitwebfiles)
320 # Note that it is safe to place this under $basedir since it's set up after
321 # $basedir is completely replaced during install time. Be WARNED, however,
322 # that normally the install process only adds/replaces things in $webroot,
323 # but if $webroot is under $basedir then it will be completely removed and
324 # rebuilt each time "make install" is run. This will make gitweb/git-browser
325 # web services very briefly unavailable while this is happening.
326 our $webroot = "/home/repo/www";
328 # The CGI-enabled web directory (corresponds to $gitweburl and $webadmurl)
329 # This will not be web-accessible except that if any aliases point to
330 # a *.cgi file in here it will be allowed to run as a cgi-script.
331 # Note that it is safe to place this under $basedir since it's set up after
332 # $basedir is completely replaced during install time. Be WARNED, however,
333 # that normally the install process only adds/replaces things in $cgiroot,
334 # but if $cgiroot is under $basedir then it will be completely removed and
335 # rebuilt each time "make install" is run. This will make gitweb/git-browser
336 # web services very briefly unavailable while this is happening.
337 our $cgiroot = "/home/repo/cgibin";
339 # A web-accessible symlink to $reporoot (corresponds to $httppullurl, can be undef)
340 # If using the sample apache.conf (with paths suitably updated) this is not required
341 # to serve either smart or non-smart HTTP repositories to the Git client
342 our $webreporoot = "/home/repo/www/r";
345 ## Certificates (only used if $httpspushurl is defined)
347 # path to root certificate (undef to use automatic root cert)
348 # this certificate is made available for easy download and should be whatever
349 # the root certificate is for the https certificate being used by the web server
350 our $rootcert = undef;
352 # The certificate to sign user push client authentication certificates with (undef for auto)
353 # The automatically generated certificate should always be fine
354 our $clientcert = undef;
356 # The private key for $clientcert (undef for auto)
357 # The automatically generated key should always be fine
358 our $clientkey = undef;
360 # The client certificate chain suffix (a pemseq file to append to user client certs) (undef for auto)
361 # The automatically generated chain should always be fine
362 # This suffix will also be appended to the $mobusercert before making it available for download
363 our $clientcertsuffix = undef;
365 # The mob user certificate signed by $clientcert (undef for auto)
366 # The automatically generated certificate should always be fine
367 # Not used unless $mob is set to 'mob'
368 # The $clientcertsuffix will be appended before making $mobusercert available for download
369 our $mobusercert = undef;
371 # The private key for $mobusercert (undef for auto)
372 # The automatically generated key should always be fine
373 # Not used unless $mob is set to 'mob'
374 our $mobuserkey = undef;
376 # Server alt names to embed in the auto-generated girocco_www_crt.pem certificate.
377 # The common name (CN) in the server certificate is the host name from $httpspushurl.
378 # By default no server alt names are embedded (not even the host from $httpspushurl).
379 # If the web server configuration is not using this auto-generated server certificate
380 # then the values set here will have no impact and this setting can be ignored.
381 # To embed server alternative names, list each (separated by spaces). The names
382 # may be DNS names, IPv4 addresses or IPv6 addresses (NO surrounding '[' ']' please).
383 # If ANY DNS names are included here be sure to also include the host name from
384 # the $httpspushurl or else standards-conforming clients will fail with a host name
385 # mismatch error when they attempt to verify the connection.
386 #our $wwwcertaltnames = 'example.com www.example.com git.example.com 127.0.0.1 ::1';
387 our $wwwcertaltnames = undef;
389 # The key length for automatically generated RSA private keys (in bits).
390 # These keys are then used to create the automatically generated certificates.
391 # If undef or set to a value less than 2048, then 2048 will be used.
392 # Set to 3072 to generate more secure keys/certificates. Set to 4096 (or higher) for
393 # even greater security. Be warned that setting to a non-multiple of 8 and/or greater
394 # than 4096 could negatively impact compatibility with some clients.
395 # The values 2048, 3072 and 4096 are expected to be compatible with all clients.
396 # Note that OpenSSL has no problem with > 4096 or non-multiple of 8 lengths.
397 # See also the $min_key_length setting above to restrict user key sizes.
398 # This value is also used when generating the ssh_host_rsa_key for the chroot jail sshd.
399 # RECOMMENDED VALUE: 3072
400 our $rsakeylength = undef;
403 ## URL addresses
405 # URL of the gitweb.cgi script (must be in pathinfo mode)
406 # If mod_rewrite is enabled and the sample apache.conf configuration is used
407 # (with paths suitably updated), the trailing "/w" is optional for all browsers
408 # that send a User-Agent string WITHOUT (case insensitively) "git/". Alternatively
409 # a minor change to the sample apache.conf can redirect (301 or 302) URLs without
410 # the "/w" to a URL with it where appropriate.
411 our $gitweburl = "http://repo.or.cz/w";
413 # URL of the extra gitweb files (CSS, .js files, images, ...)
414 our $gitwebfiles = "http://repo.or.cz";
416 # URL of the Girocco CGI web admin interface (Girocco cgi/ subdirectory)
417 our $webadmurl = "http://repo.or.cz";
419 # URL of the Girocco CGI html templater (Girocco cgi/html.cgi)
420 our $htmlurl = "http://repo.or.cz/h";
422 # HTTP URL of the repository collection (undef if N/A)
423 # If mod_rewrite is enabled and the sample apache.conf configuration is used
424 # (with paths suitably updated), the trailing "/r" is optional for Git clients
425 # that send a User-Agent string containing "git/" (case insensitively).
426 our $httppullurl = "http://repo.or.cz/r";
428 # HTTP URL of the repository collection when fetching a bundle (undef if N/A)
429 # Normally this will be the same as $httppullurl, but note that the bundle
430 # fetching logic is located in git-http-backend-verify so whatever URL is
431 # given here MUST end up running the git-http-backend-verify script!
432 # For example, if we're fetching the 'clone.bundle' for the 'girocco.git'
433 # repository, the final URL will be "$httpbundleurl/girocco.git/clone.bundle"
434 # If mod_rewrite is enabled and the sample apache.conf configuration is used
435 # (with paths suitably updated), the trailing "/r" is optional for all clients.
436 our $httpbundleurl = "http://repo.or.cz/r";
438 # HTTPS push URL of the repository collection (undef if N/A)
439 # If this is defined, the openssl command must be available
440 # The sample apache.conf configuration requires mod_rewrite be enabled to
441 # support https push operations.
442 # Normally this should be set to $httppullurl with http: replaced with https:
443 # If the sample apache.conf configuration is used (with paths suitably updated),
444 # the trailing "/r" is optional for Git clients that send a User-Agent string
445 # containing "git/" (case insensitively).
446 our $httpspushurl = undef;
448 # Git URL of the repository collection (undef if N/A)
449 # (You need to set up git-daemon on your system, and Girocco will not
450 # do this particular thing for you.)
451 our $gitpullurl = "git://repo.or.cz";
453 # Pushy SSH URL of the repository collection (undef if N/A)
454 # Note that the "/$jailreporoot" portion is optional and will be automatically
455 # added if appropriate when omitted by the client so this URL can typically
456 # be made the same as $gitpullurl with git: replaced with ssh:
457 our $pushurl = "ssh://repo.or.cz/$jailreporoot";
459 # URL of gitweb of this Girocco instance (set to undef if you're not nice
460 # to the community)
461 our $giroccourl = "$Girocco::Config::gitweburl/girocco.git";
464 ## Some templating settings
466 # Legal warning (on reguser and regproj pages)
467 our $legalese = <<EOT;
468 <p>By submitting this form, you are confirming that you will mirror or push
469 only what we can store and show to anyone else who can visit this site without
470 breaking any law, and that you will be nice to all small furry animals.
471 <sup><a href="/h/about.html">(more details)</a></sup>
472 </p>
475 # Pre-configured mirror sources (set to undef for none)
476 # Arrayref of name - record pairs, the record has these attributes:
477 # label: The label of this source
478 # url: The template URL; %1, %2, ... will be substituted for inputs
479 # desc: Optional VERY short description
480 # link: Optional URL to make the desc point at
481 # inputs: Arrayref of hashref input records:
482 # label: Label of input record
483 # suffix: Optional suffix
484 # If the inputs arrayref is undef, single URL input is shown,
485 # pre-filled with url (probably empty string).
486 our $mirror_sources = [
488 label => 'Anywhere',
489 url => '',
490 desc => 'Any HTTP/Git/rsync pull URL - bring it on!',
491 inputs => undef
494 label => 'GitHub',
495 url => 'git://github.com/%1/%2.git',
496 desc => 'GitHub Social Code Hosting',
497 link => 'http://github.com/',
498 inputs => [ { label => 'User:' }, { label => 'Project:', suffix => '.git' } ]
501 label => 'Gitorious',
502 url => 'git://gitorious.org/%1/%2.git',
503 desc => 'Green and Orange Boxes',
504 link => 'http://gitorious.org/',
505 inputs => [ { label => 'Project:' }, { label => 'Repository:', suffix => '.git' } ]
509 # You can customize the gitweb interface widely by editing
510 # gitweb/gitweb_config.perl
513 ## Permission settings
515 # Girocco needs some way to manipulate write permissions to various parts of
516 # all repositories; this concerns three entities:
517 # - www-data: the web interface needs to be able to rewrite few files within
518 # the repository
519 # - repo: a user designated for cronjobs; handles mirroring and repacking;
520 # this one is optional if not $mirror
521 # - others: the designated users that are supposed to be able to push; they
522 # may have account either within chroot, or outside of it
524 # There are several ways how to use Girocco based on a combination of the
525 # following settings.
527 # (Non-chroot) UNIX user the CGI scripts run on; note that if some non-related
528 # untrusted CGI scripts run on this account too, that can be a big security
529 # problem and you'll probably need to set up suexec (poor you).
530 # This must always be set.
531 our $cgi_user = 'www-data';
533 # (Non-chroot) UNIX user performing mirroring jobs; this is the user who
534 # should run all the daemons and cronjobs and
535 # the user who should be running make install (if not root).
536 # This must always be set.
537 our $mirror_user = 'repo';
539 # (Non-chroot) UNIX group owning the repositories by default; it owns whole
540 # mirror repositories and at least web-writable metadata of push repositories.
541 # If you undefine this, all the data will become WORLD-WRITABLE.
542 # Both $cgi_user and $mirror_user should be members of this group!
543 our $owning_group = 'repo';
545 # Whether to use chroot jail for pushing; this must be always the same
546 # as $manage_users.
547 # TODO: Gitosis support for $manage_users and not $chrooted?
548 our $chrooted = $manage_users;
550 # How to control permissions of push-writable data in push repositories:
551 # * 'Group' for the traditional model: The $chroot/etc/group project database
552 # file is used as the UNIX group(5) file; the directories have gid appropriate
553 # for the particular repository and are group-writable. This works only if
554 # $chrooted so that users are put in the proper groups on login when using
555 # SSH push. Smart HTTPS push does not require a chroot to work -- simply
556 # run "make install" as the non-root $mirror_user user, but leave
557 # $manage_users and $chrooted enabled.
558 # * 'ACL' for a model based on POSIX ACL: The directories are coupled with ACLs
559 # listing the users with push permissions. This works for both chroot and
560 # non-chroot setups, however it requires ACL support within the filesystem.
561 # This option is BASICALLY UNTESTED, too. And UNIMPLEMENTED. :-)
562 # * 'Hooks' for a relaxed model: The directories are world-writable and push
563 # permission control is purely hook-driven. This is INSECURE and works only
564 # when you trust all your users; on the other hand, the attack vectors are
565 # mostly just DoS or fully-traceable tinkering.
566 our $permission_control = 'Group';
568 # Path to alternate screen multiuser acl file (see screen/README, undef for none)
569 our $screen_acl_file = undef;
572 ## sendmail.pl configuration
574 # Full information on available sendmail.pl settings can be found by running
575 # ../bin/sendmail.pl -v -h
577 # These settings will only used if $sendmail_bin is set to 'sendmail.pl'
579 # sendmail.pl host name
580 #$ENV{'SENDMAIL_PL_HOST'} = 'localhost'; # localhost is the default
582 # sendmail.pl port name
583 #$ENV{'SENDMAIL_PL_PORT'} = '25'; # port 25 is the default
585 # sendmail.pl nc executable
586 #$ENV{'SENDMAIL_PL_NCBIN'} = "$chroot/bin/nc.openbsd"; # default is nc found in $PATH
588 # sendmail.pl nc options
589 # multiple options may be included, e.g. '-4 -X connect -x 192.168.100.10:8080'
590 #$ENV{'SENDMAIL_PL_NCOPT'} = '-4'; # force IPv4, default is to allow IPv4 & IPv6
593 ## Sanity checks & defaults
595 # Couple of sanity checks and default settings (do not change these)
596 use Digest::MD5 qw(md5);
597 use MIME::Base64 qw(encode_base64);
598 $nickname = (split(/[.]/, $name))[0] unless $nickname;
599 our $tmpsuffix = substr(encode_base64(md5($name.':'.$nickname)),0,6);
600 $tmpsuffix =~ tr,+/,=_,;
601 ($mirror_user) or die "Girocco::Config: \$mirror_user must be set even if to current user";
602 ($basedir) or die "Girocco::Config: \$basedir must be set";
603 ($sendmail_bin) or die "Girocco::Config: \$sendmail_bin must be set";
604 $sendmail_bin = "$basedir/bin/sendmail.pl" if $sendmail_bin eq "sendmail.pl";
605 $screen_acl_file = "$basedir/screen/giroccoacl" unless $screen_acl_file;
606 $jailreporoot =~ s,^/+,,;
607 ($reporoot) or die "Girocco::Config \$reporoot must be set";
608 ($jailreporoot) or die "Girocco::Config \$jailreporoot must be set";
609 (not $mob or $mob eq 'mob') or die "Girocco::Config \$mob must be undef (or '') or 'mob'";
610 (not $min_key_length or $min_key_length =~ /^[1-9][0-9]*$/)
611 or die "Girocco::Config \$min_key_length must be undef or numeric";
612 $admincc = $admincc ? 1 : 0;
613 $rootcert = "$certsdir/girocco_root_crt.pem" if $httpspushurl && !$rootcert;
614 $clientcert = "$certsdir/girocco_client_crt.pem" if $httpspushurl && !$clientcert;
615 $clientkey = "$certsdir/girocco_client_key.pem" if $httpspushurl && !$clientkey;
616 $clientcertsuffix = "$certsdir/girocco_client_suffix.pem" if $httpspushurl && !$clientcertsuffix;
617 $mobusercert = "$certsdir/girocco_mob_user_crt.pem" if $httpspushurl && $mob && !$mobusercert;
618 $mobuserkey = "$certsdir/girocco_mob_user_key.pem" if $httpspushurl && $mob && !$mobuserkey;
619 our $mobpushurl = $pushurl;
620 $mobpushurl =~ s,^ssh://,ssh://mob@,i if $mobpushurl;
621 $disable_dsa = 1 unless $pushurl;
622 $disable_dsa = $disable_dsa ? 1 : '';
623 our $httpdnsname = ($gitweburl =~ m,https?://([A-Za-z0-9.-]+),i) ? lc($1) : undef if $gitweburl;
624 our $httpsdnsname = ($httpspushurl =~ m,https://([A-Za-z0-9.-]+),i) ? lc($1) : undef if $httpspushurl;
625 ($mirror or $push) or die "Girocco::Config: neither \$mirror nor \$push is set?!";
626 (not $push or ($pushurl or $httpspushurl or $gitpullurl or $httppullurl)) or die "Girocco::Config: no pull URL is set";
627 (not $push or ($pushurl or $httpspushurl)) or die "Girocco::Config: \$push set but \$pushurl and \$httpspushurl are undef";
628 (not $mirror or $mirror_user) or die "Girocco::Config: \$mirror set but \$mirror_user is undef";
629 ($manage_users == $chrooted) or die "Girocco::Config: \$manage_users and \$chrooted must be set to the same value";
630 (not $chrooted or $permission_control ne 'ACL') or die "Girocco::Config: resolving uids for ACL not supported when using chroot";
631 (grep { $permission_control eq $_ } qw(Group Hooks)) or die "Girocco::Config: \$permission_control must be set to Group or Hooks";
632 ($chrooted or not $mob) or die "Girocco::Config: mob user supported only in the chrooted mode";
633 (not $httpspushurl or $httpsdnsname) or die "Girocco::Config invalid \$httpspushurl does not start with https://domainname";
634 (not $svn_log_window_size or $svn_log_window_size =~ /^[1-9][0-9]*$/)
635 or die "Girocco::Config \$svn_log_window_size must be undef or numeric";
637 # Make sure Git has a consistent and reproducible environment
639 $ENV{'XDG_CONFIG_HOME'} = $chroot.'/var/empty';
640 $ENV{'HOME'} = $chroot.'/etc/girocco';
641 $ENV{'GIT_CONFIG_NOSYSTEM'} = 1;
642 $ENV{'GIT_ATTR_NOSYSTEM'} = 1;
643 $ENV{'GIT_NO_REPLACE_OBJECTS'} = 1;
644 $ENV{'GIT_TERMINAL_PROMPT'} = 0;
645 $ENV{'GIT_ASKPASS'} = $basedir.'/bin/git-askpass-password';
646 delete $ENV{'GIT_USER_AGENT'};
647 $ENV{'GIT_USER_AGENT'} = $git_client_ua if defined($git_client_ua);
648 delete $ENV{'GIT_HTTP_USER_AGENT'};
649 $ENV{'GIT_HTTP_USER_AGENT'} = $git_client_ua if defined($git_client_ua);
651 # Guarantee a sane umask for Girocco
653 umask(umask() & ~0770);