install.sh: verify correct install user
[girocco.git] / Girocco / Config.pm
blob14bdc96428cc95694e8c50608a6717145ac83602
1 package Girocco::Config;
3 use strict;
4 use warnings;
8 ## --------------
9 ## Basic settings
10 ## --------------
13 # Name of the service (typically a single word or a domain name)
14 # (no spaces allowed)
15 our $name = "GiroccoEx";
17 # Nickname of the service (undef for initial part of $name upto first '.')
18 # (no spaces allowed)
19 our $nickname = undef;
21 # Title of the service (as shown in gitweb)
22 # (may contain spaces)
23 our $title = "Example Girocco Hosting";
25 # Path to the Git binary to use (you MUST set this, even if to /usr/bin/git!)
26 our $git_bin = '/usr/bin/git';
28 # Path to the git-daemon binary to use (undef to use default)
29 # If $gitpullurl is undef this will never be used (assuming no git inetd
30 # service has been set up in that case).
31 # The default if this is undef is `$git_bin --exec-path`/git-daemon
32 our $git_daemon_bin = undef;
34 # Path to the git-http-backend binary to use (undef to use default)
35 # If both $httppullurl and $httpspushurl are undef this will never be used
36 # The default if this is undef is `$git_bin --exec-path`/git-http-backend
37 our $git_http_backend_bin = undef;
39 # Name (if in $PATH) or full path to netcat executable that accepts a -U option
40 # to connect to a unix socket. This may simply be 'nc' on many systems.
41 # See the ../src/dragonfly/README file for a DragonFly BSD nc with -U support.
42 our $nc_openbsd_bin = 'nc.openbsd';
44 # Path to POSIX sh executable to use. Set to undef to use /bin/sh
45 our $posix_sh_bin = undef;
47 # Path to Perl executable to use. Set to undef to use Perl found in $PATH
48 our $perl_bin = undef;
50 # Path to gzip executable to use. Set to undef to use gzip found in $PATH
51 our $gzip_bin = undef;
53 # Path to the sendmail instance to use. It should understand the -f <from>, -i and -t
54 # options as well as accepting a list of recipient addresses in order to be used here.
55 # You MUST set this, even if to '/usr/sbin/sendmail'!
56 # Setting this to 'sendmail.pl' is special and will automatically be expanded to
57 # a full path to the ../bin/sendmail.pl executable in this Girocco installation.
58 # sendmail.pl is a sendmail-compatible script that delivers the message directly
59 # using SMTP to a mail relay host. This is the recommended configuration as it
60 # minimizes the information exposed to recipients (no sender account names or uids),
61 # can talk to an SMTP server on another host (eliminating the need for a working
62 # sendmail and/or SMTP server on this host) and avoids any unwanted address rewriting.
63 # By default it expects the mail relay to be listening on localhost port 25.
64 # See the sendmail.pl section below for more information on configuring sendmail.pl.
65 our $sendmail_bin = 'sendmail.pl';
67 # E-mail of the site admin
68 our $admin = 'admin@example.org';
70 # Sender of emails
71 # This is the SMTP 'MAIL FROM:' value
72 # It will be passed to $sendmail_bin with the -f option
73 # Some sites may not allow non-privileged users to pass the -f option to
74 # $sendmail_bin. In that case set this to undef and no -f option will be
75 # passed which means the 'MAIL FROM:' value will be the user the mail is
76 # sent as (either $cgi_user or $mirror_user depending on the activity).
77 # To avoid having bounce emails go to $admin, this may be set to something
78 # else such as 'admin-noreply@example.org' and then the 'admin-noreply' address
79 # may be redirected to /dev/null. Setting this to '' or '<>' is not
80 # recommended because that will likely cause the emails to be marked as SPAM
81 # by the receiver's SPAM filter. If $sendmail_bin is set to 'sendmail.pl' this
82 # value must be acceptable to the receiving SMTP server as a 'MAIL FROM:' value.
83 # If this is set to undef and 'sendmail.pl' is used, the 'MAIL FROM:' value will
84 # be the user the mail is sent as (either $cgi_user or $mirror_user).
85 our $sender = $admin;
87 # Copy $admin on failure/recovery messages?
88 our $admincc = 1;
90 # Girocco branch to use for html.cgi view source links (undef for HEAD)
91 our $giroccobranch = undef;
93 # PATH adjustments
94 # If the PATH needs to be customized to find required executables on
95 # the system, it can be done here.
96 # For example something like this:
97 #$ENV{PATH} = substr(`/usr/bin/getconf PATH`,0,-1).":/usr/local/bin";
101 ## ----------------------
102 ## Git user agent strings
103 ## ----------------------
106 # Git clients (i.e. fetch/clone) always send a user agent string when fetching
107 # over HTTP. Since version 1.7.12.1 an 'agent=' capability string is included
108 # as well which affects git:, smart HTTP and ssh: protocols.
110 # These settings allow the default user agent string to be changed independently
111 # for fetch/clone operations (only matters if $mirror is true) and server
112 # operations (some other Git client fetching from us). Note that it is not
113 # possible to suppress the capability entirely although it can be set to an
114 # empty string. If these values are not set, the default user agent string
115 # will be used. Typically (unless Git was built with non-standard options) the
116 # default is "git/" plus the version. So for example "git/1.8.5.6" or
117 # "git/2.1.4" might be seen.
119 # One might want to change the default user agent strings in order to prevent
120 # an attacker from learning the exact Git version being used to avoid being
121 # able to quickly target any version-specific vulnerabilities. Note that
122 # no matter what's set here, an attacker can easily determine whether a server
123 # is running JGit, libgit2 or Git and for Git whether it's version 1.7.12.1 or
124 # later. A reasonable value to hide the exact Git version number while
125 # remaining compatible with servers that require a "Git/" user agent string
126 # would be something like "git/2" or even just "git/".
128 # The GIT_USER_AGENT value to use when acting as a client (i.e. clone/fetch)
129 # This value is only used if $mirror is true and at least one mirror is set up.
130 # Setting this to the empty string will suppress the HTTP User-Agent header,
131 # but will still include an "agent=" capability in the packet protocol. The
132 # empty string is not recommended because some servers match on "git/".
133 # Leave undef to use the default Git user agent string
134 # IMPORTANT: some server sites will refuse to serve up Git repositories unless
135 # the client user agent string contains "Git/" (matched case insensitively)!
136 our $git_client_ua = undef;
138 # The GIT_USER_AGENT value to use when acting as a server (i.e. some Git client
139 # is fetching/cloning from us).
140 # Leave undef to use the default Git user agent string
141 our $git_server_ua = undef;
145 ## -------------
146 ## Feature knobs
147 ## -------------
150 # Enable mirroring mode if true (see "Foreign VCS mirrors" section below)
151 our $mirror = 1;
153 # Enable push mode if true
154 our $push = 1;
156 # If both $mirror and $push are enabled, setting this to 'mirror' pre-selects
157 # mirror mode on the initial regproj display, otherwise 'push' mode will be
158 # pre-selected. When forking the initial mode will be 'push' if $push enabled.
159 our $initial_regproj_mode = 'mirror';
161 # Enable user management if true; this means the interface for registering
162 # user accounts and uploading SSH keys. This implies full chroot.
163 our $manage_users = 1;
165 # Minimum key length (in bits) for uploaded SSH RSA/DSA keys.
166 # If this is not set (i.e. undef) keys as small as 512 bits will be allowed.
167 # Nowadays keys less than 2048 bits in length should probably not be allowed.
168 # Note, however, that versions of OpenSSH starting with 4.3p1 will only generate
169 # DSA keys of exactly 1024 bits in length even though that length is no longer
170 # recommended. (OpenSSL can be used to generate DSA keys with lengths > 1024.)
171 # OpenSSH does not have any problem generating RSA keys longer than 1024 bits.
172 # This setting is only checked when new keys are added so setting it/increasing it
173 # will not affect existing keys. For maximum compatibility a value of 1024 may
174 # be used however 2048 is recommended. Setting it to anything other than 1024,
175 # 2048 or 3072 may have the side effect of making it very difficult to generate
176 # DSA keys that satisfy the restriction (but RSA keys should not be a problem).
177 # Note that no matter what setting is specified here keys smaller than 512 bits
178 # will never be allowed via the reguser.cgi/edituser.cgi interface.
179 # RECOMMENDED VALUE: 2048 (ok) or 3072 (better)
180 our $min_key_length = 3072;
182 # Disable DSA public keys?
183 # If this is set to 1, adding DSA keys at reguser.cgi/edituser.cgi time will be
184 # prohibited. If $pushurl is undef then this is implicitly set to 1 since DSA
185 # keys are not usable with https push.
186 # OpenSSH will only generate 1024 bit DSA keys starting with version 4.3p1.
187 # Even if OpenSSL is used to generate a longer DSA key (which can then be used
188 # with OpenSSH), the SSH protocol itself still forces use of SHA-1 in the DSA
189 # signature blob which tends to defeat the purpose of going to a longer key in
190 # the first place. So it may be better from a security standpoint to simply
191 # disable DSA keys especially if $min_key_length and $rsakeylength have been set
192 # to something higher such as 3072 or 4096. This setting is only checked when
193 # new keys are added so setting it/increasing it will not affect existing keys.
194 # There is no way to disable DSA keys in the OpenSSH server config file itself.
195 # If this is set to 1, no ssh_host_dsa_key will be generated or used with the
196 # sshd running in the jail (but if the sshd_config has already been generated
197 # in the jail, it must be removed and 'sudo make install' run again or otherwise
198 # the sshd_config needs to be edited by hand for the change to take effect).
199 # RECOMMENDED VALUE: 1
200 our $disable_dsa = 1;
202 # Enable the special 'mob' user if set to 'mob'
203 our $mob = "mob";
205 # Let users set admin passwords; if false, all password inputs are assumed empty.
206 # This will make new projects use empty passwords and all operations on them
207 # unrestricted, but you will be able to do no operations on previously created
208 # projects you have set a password on.
209 our $project_passwords = 1;
211 # How to determine project owner; 'email' adds a form item asking for their
212 # email contact, 'source' takes realname of owner of source repository if it
213 # is a local path (and empty string otherwise). 'source' is suitable in case
214 # the site operates only as mirror of purely local-filesystem repositories.
215 our $project_owners = 'email';
217 # Which project fields to make editable, out of 'shortdesc', 'homepage', 'README',
218 # 'cleanmirror', 'notifymail', 'reverseorder', 'summaryonly', 'notifytag' and 'notifyjson'
219 # 'notifycia' was used by the now defunct CIA service and while allowing it to
220 # be edited does work and the value is saved, the value is totally ignored by Girocco
221 our @project_fields = qw(cleanmirror homepage shortdesc README notifymail reverseorder summaryonly notifytag notifyjson);
223 # Minimal number of seconds to pass between two updates of a project.
224 our $min_mirror_interval = 3600; # 1 hour
226 # Minimal number of seconds to pass between two garbage collections of a project.
227 our $min_gc_interval = 604800; # 1 week
229 # Minimal number of seconds to pass after first failure before sending failure email.
230 # A mirror update failed message will not be sent until mirror updates have been
231 # failing for at least this long. Set to 0 to send a failure message right away
232 # (provided the $min_mirror_failure_message_count condition has been met).
233 our $min_mirror_failure_message_interval = 216000; # 2.5 days
235 # Minimal number of consecutive failures required before sending failure email.
236 # A mirror update failed message will not be sent until mirror updates have failed
237 # for this many consecutive updates. Set to 0 to send a failure message right away
238 # (provided the $min_mirror_failure_message_interval condition has been met).
239 our $min_mirror_failure_message_count = 3;
241 # Maximum window memory size when repacking. If this is set, it will be used
242 # instead of the automatically computed value if it's less than that value.
243 # May use a 'k', 'm', or 'g' suffix otherwise value is in bytes.
244 our $max_gc_window_memory_size = undef;
246 # Maximum big file threshold size when repacking. If this is set, it will be
247 # used instead of the automatically computed value if it's less than that value.
248 # May use a 'k', 'm', or 'g' suffix otherwise value is in bytes.
249 our $max_gc_big_file_threshold_size = undef;
251 # Whether or not to run the ../bin/update-pwd-db script whenever the etc/passwd
252 # database is changed. This is typically needed (i.e. set to a true value) for
253 # FreeBSD style systems when using an sshd chroot jail for push access. So if
254 # $pushurl is undef or the system Girocco is running on is not like FreeBSD
255 # (e.g. a master.passwd file that must be transformed into pwd.db and spwd.db), then
256 # this setting should normally be left false (i.e. 0). See comments in the
257 # provided ../bin/update-pwd-db script about when and how it's invoked.
258 our $update_pwd_db = 0;
260 # Port the sshd running in the jail should listen on
261 # Be sure to update $pushurl to match
262 # Not used if $pushurl is undef
263 our $sshd_jail_port = 22;
265 # If this is true then host names used in mirror source URLs will be checked
266 # and any that are not DNS names (i.e. IPv4 or IPv6) or match one of the DNS
267 # host names in any of the URL settings below will be rejected.
268 our $restrict_mirror_hosts = 1;
270 # If $restrict_mirror_hosts is enabled this is the minimum number of labels
271 # required in a valid dns name. Normally 2 is the correct value, but if
272 # Girocco is being used internally where a common default or search domain
273 # is set for everyone then this should be changed to 1 to allow a dns name
274 # with a single label in it. No matter what is set here at least 1 label
275 # is always required when $restrict_mirror_hosts is enabled.
276 our $min_dns_labels = 2;
278 # If $xmllint_readme is true then the contents of the README.html section
279 # will be passed through xmllint and any errors must be corrected before
280 # it can be saved. If this is set to true then xmllint must be in the $PATH.
281 # RECOMMENDED VALUE: 1
282 our $xmllint_readme = 0;
284 # Maximum size of any single email sent by mail.sh in K (1024-byte) units
285 # If message is larger it will be truncated with a "...e-mail trimmed" line
286 # RECOMMENDED VALUE: 256 - 5120 (.25M - 5M)
287 our $mailsh_sizelimit = 512;
291 ## -------------------
292 ## Foreign VCS mirrors
293 ## -------------------
296 # Note that if any of these settings are changed from true to false, then
297 # any pre-existing mirrors using the now-disabled foreign VCS will stop
298 # updating, new mirrors using the now-disabled foreign VCS will be disallowed
299 # and attempts to update ANY project settings for a pre-existing project that
300 # uses a now-disabled foreign VCS source URL will also be disallowed.
302 # If $mirror is true and $mirror_svn is true then mirrors from svn source
303 # repositories will be allowed (and be converted to Git). These URLs have
304 # the form svn://... or svn+http://... or svn+https://...
305 # Note that for this to work the "svn" command line command must be available
306 # in PATH and the "git svn" commands must work (which generally requires both
307 # Perl and the subversion perl bindings be installed).
308 our $mirror_svn = 1;
310 # Prior to Git v1.5.1, git-svn always used a log window size of 1000.
311 # Starting with Git v1.5.1, git-svn defaults to using a log window size of 100
312 # and provides a --log-window-size= option to change it. Starting with Git
313 # v2.2.0, git-svn disconnects and reconnects to the server every log window size
314 # interval to attempt to reduce memory use by git-svn. If $svn_log_window_size
315 # is undefined, Girocco will use a log window size of 250 (instead of the
316 # the default 100). If $svn_log_window_size is set, Girocco will use that
317 # value instead. Beware that setting it too low (i.e. < 50) will almost
318 # certainly cause performance issues if not failures. Unless there are concerns
319 # about git-svn memory use on a server with extremely limited memory, the
320 # value of 250 that Girocco uses by default should be fine. Obviously if
321 # $mirror or $mirror_svn is false this setting is irrelevant.
322 our $svn_log_window_size = undef;
324 # If $mirror is true and $mirror_darcs is true then mirrors from darcs source
325 # repositories will be allowed (and be converted to Git). These URLs have
326 # the form darcs://...
327 # Note that for this to work the "darcs" command line command must be available
328 # in PATH and so must python (required to run the darcs-fast-export script).
329 our $mirror_darcs = 1;
331 # If $mirror is true and $mirror_bzr is true then mirrors from bzr source
332 # repositories will be allowed (and be converted to Git). These URLs have
333 # the form bzr://...
334 # Note that for this to work the "bzr" command line command must be available
335 # in PATH (it's a python script so python is required as well).
336 our $mirror_bzr = 1;
338 # If $mirror is true and $mirror_hg is true then mirrors from hg source
339 # repositories will be allowed (and be converted to Git). These URLs have
340 # the form hg+http://... or hg+https://...
341 # Note that for this to work the "hg" command line command must be available
342 # in PATH and so must python (required to run the hg-fast-export.py script).
343 # Note that if the PYTHON environment variable is set that will be used instead
344 # of just plain "python" to run the hg-fast-export.py script (which needs to
345 # be able to import from mercurial).
346 our $mirror_hg = 1;
350 ## -----
351 ## Paths
352 ## -----
355 # Path where the main chunk of Girocco files will be installed
356 # This will get COMPLETELY OVERWRITTEN by each make install!!!
357 # MUST be an absolute path
358 our $basedir = '/home/repo/repomgr';
360 # Path where the automatically generated non-user certificates will be stored
361 # (The per-user certificates are always stored in $chroot/etc/sshcerts/)
362 # This is preserved by each make install and MUST NOT be under $basedir!
363 # Not used unless $httpspushurl is defined
364 # MUST be an absolute path
365 our $certsdir = '/home/repo/certs';
367 # The repository collection
368 # "$reporoot/_recyclebin" will also be created for use by toolbox/trash-project.pl
369 # MUST be an absolute path
370 our $reporoot = "/srv/git";
372 # The repository collection's location within the chroot jail
373 # Normally $reporoot will be bind mounted onto $chroot/$jailreporoot
374 # Should NOT start with '/'
375 our $jailreporoot = "srv/git";
377 # The chroot for ssh pushing; location for project database and other run-time
378 # data even in non-chroot setups
379 # MUST be an absolute path
380 our $chroot = "/home/repo/j";
382 # An installation that will never run a chrooted sshd should set this
383 # to a true value (e.g. 1) to guarantee that jailsetup for a chrooted
384 # sshd never takes place no matter what user runs `make install`.
385 # Note that the "jailsetup.sh" script will still run to do the database
386 # setup that's stored in $chroot regardless of this setting, it will just
387 # always run in "dbonly" mode when this setting is true.
388 our $disable_jailsetup = 0;
390 # The gitweb files web directory (corresponds to $gitwebfiles)
391 # Note that it is safe to place this under $basedir since it's set up after
392 # $basedir is completely replaced during install time. Be WARNED, however,
393 # that normally the install process only adds/replaces things in $webroot,
394 # but if $webroot is under $basedir then it will be completely removed and
395 # rebuilt each time "make install" is run. This will make gitweb/git-browser
396 # web services very briefly unavailable while this is happening.
397 # MUST be an absolute path
398 our $webroot = "/home/repo/www";
400 # The CGI-enabled web directory (corresponds to $gitweburl and $webadmurl)
401 # This will not be web-accessible except that if any aliases point to
402 # a *.cgi file in here it will be allowed to run as a cgi-script.
403 # Note that it is safe to place this under $basedir since it's set up after
404 # $basedir is completely replaced during install time. Be WARNED, however,
405 # that normally the install process only adds/replaces things in $cgiroot,
406 # but if $cgiroot is under $basedir then it will be completely removed and
407 # rebuilt each time "make install" is run. This will make gitweb/git-browser
408 # web services very briefly unavailable while this is happening.
409 # MUST be an absolute path
410 our $cgiroot = "/home/repo/cgibin";
412 # A web-accessible symlink to $reporoot (corresponds to $httppullurl, can be undef)
413 # If using the sample apache.conf (with paths suitably updated) this is not required
414 # to serve either smart or non-smart HTTP repositories to the Git client
415 # MUST be an absolute path if not undef
416 our $webreporoot = "/home/repo/www/r";
418 # The location to store the project list cache, gitweb project list and gitweb
419 # cache file. Normally this should not be changed. Note that it must be in
420 # a directory that is writable by $mirror_user and $cgi_user (just in case the
421 # cache file is missing). The directory should have its group set to $owning_group.
422 # Again, this setting should not normally need to be changed.
423 # MUST be an absolute path
424 our $projlist_cache_dir = "$chroot/etc";
428 ## ----------------------------------------------------
429 ## Certificates (only used if $httpspushurl is defined)
430 ## ----------------------------------------------------
433 # path to root certificate (undef to use automatic root cert)
434 # this certificate is made available for easy download and should be whatever
435 # the root certificate is for the https certificate being used by the web server
436 our $rootcert = undef;
438 # The certificate to sign user push client authentication certificates with (undef for auto)
439 # The automatically generated certificate should always be fine
440 our $clientcert = undef;
442 # The private key for $clientcert (undef for auto)
443 # The automatically generated key should always be fine
444 our $clientkey = undef;
446 # The client certificate chain suffix (a pemseq file to append to user client certs) (undef for auto)
447 # The automatically generated chain should always be fine
448 # This suffix will also be appended to the $mobusercert before making it available for download
449 our $clientcertsuffix = undef;
451 # The mob user certificate signed by $clientcert (undef for auto)
452 # The automatically generated certificate should always be fine
453 # Not used unless $mob is set to 'mob'
454 # The $clientcertsuffix will be appended before making $mobusercert available for download
455 our $mobusercert = undef;
457 # The private key for $mobusercert (undef for auto)
458 # The automatically generated key should always be fine
459 # Not used unless $mob is set to 'mob'
460 our $mobuserkey = undef;
462 # Server alt names to embed in the auto-generated girocco_www_crt.pem certificate.
463 # The common name (CN) in the server certificate is the host name from $httpspushurl.
464 # By default no server alt names are embedded (not even the host from $httpspushurl).
465 # If the web server configuration is not using this auto-generated server certificate
466 # then the values set here will have no impact and this setting can be ignored.
467 # To embed server alternative names, list each (separated by spaces). The names
468 # may be DNS names, IPv4 addresses or IPv6 addresses (NO surrounding '[' ']' please).
469 # If ANY DNS names are included here be sure to also include the host name from
470 # the $httpspushurl or else standards-conforming clients will fail with a host name
471 # mismatch error when they attempt to verify the connection.
472 #our $wwwcertaltnames = 'example.com www.example.com git.example.com 127.0.0.1 ::1';
473 our $wwwcertaltnames = undef;
475 # The key length for automatically generated RSA private keys (in bits).
476 # These keys are then used to create the automatically generated certificates.
477 # If undef or set to a value less than 2048, then 2048 will be used.
478 # Set to 3072 to generate more secure keys/certificates. Set to 4096 (or higher) for
479 # even greater security. Be warned that setting to a non-multiple of 8 and/or greater
480 # than 4096 could negatively impact compatibility with some clients.
481 # The values 2048, 3072 and 4096 are expected to be compatible with all clients.
482 # Note that OpenSSL has no problem with > 4096 or non-multiple of 8 lengths.
483 # See also the $min_key_length setting above to restrict user key sizes.
484 # This value is also used when generating the ssh_host_rsa_key for the chroot jail sshd.
485 # RECOMMENDED VALUE: 3072
486 our $rsakeylength = 3072;
490 ## -------------
491 ## URL addresses
492 ## -------------
495 # URL of the gitweb.cgi script (must be in pathinfo mode). If the sample
496 # apache.conf configuration is used, the trailing "/w" is optional.
497 our $gitweburl = "http://repo.or.cz/w";
499 # URL of the extra gitweb files (CSS, .js files, images, ...)
500 our $gitwebfiles = "http://repo.or.cz";
502 # URL of the Girocco CGI web admin interface (Girocco cgi/ subdirectory)
503 # e.g. reguser.cgi, edituser.cgi, regproj.cgi, editproj.cgi etc.
504 our $webadmurl = "http://repo.or.cz";
506 # URL of the Girocco CGI bundles information generator (Girocco cgi/bundles.cgi)
507 # If the sample apache.conf configuration is used, the trailing "/b" is optional.
508 # This is different from $httpbundleurl. This URL lists all available bundles
509 # for a project and returns that as an HTML page.
510 our $bundlesurl = "http://repo.or.cz/b";
512 # URL of the Girocco CGI html templater (Girocco cgi/html.cgi)
513 # If mod_rewrite is enabled and the sample apache.conf configuration is used,
514 # the trailing "/h" is optional when the template file name ends in ".html"
515 # (which all the provided ones do).
516 our $htmlurl = "http://repo.or.cz/h";
518 # HTTP URL of the repository collection (undef if N/A)
519 # If the sample apache.conf configuration is used, the trailing "/r" is optional.
520 our $httppullurl = "http://repo.or.cz/r";
522 # HTTP URL of the repository collection when fetching a bundle (undef if N/A)
523 # Normally this will be the same as $httppullurl, but note that the bundle
524 # fetching logic is located in git-http-backend-verify so whatever URL is
525 # given here MUST end up running the git-http-backend-verify script!
526 # For example, if we're fetching the 'clone.bundle' for the 'girocco.git'
527 # repository, the final URL will be "$httpbundleurl/girocco.git/clone.bundle"
528 # If the sample apache.conf configuration is used, the trailing "/r" is optional.
529 # This is different from $bundlesurl. This URL fetches a single Git-format
530 # .bundle file that is only usable with the 'git bundle' command.
531 our $httpbundleurl = "http://repo.or.cz/r";
533 # HTTPS push URL of the repository collection (undef if N/A)
534 # If this is defined, the openssl command must be available
535 # The sample apache.conf configuration requires mod_ssl, mod_authn_anon and
536 # mod_rewrite be enabled to support https push operations.
537 # Normally this should be set to $httppullurl with http: replaced with https:
538 # If the sample apache.conf configuration is used, the trailing "/r" is optional.
539 our $httpspushurl = undef;
541 # Git URL of the repository collection (undef if N/A)
542 # (You need to set up git-daemon on your system, and Girocco will not
543 # do this particular thing for you.)
544 our $gitpullurl = "git://repo.or.cz";
546 # Pushy SSH URL of the repository collection (undef if N/A)
547 # Note that the "/$jailreporoot" portion is optional and will be automatically
548 # added if appropriate when omitted by the client so this URL can typically
549 # be made the same as $gitpullurl with git: replaced with ssh:
550 our $pushurl = "ssh://repo.or.cz/$jailreporoot";
552 # URL of gitweb of this Girocco instance (set to undef if you're not nice
553 # to the community)
554 our $giroccourl = "$Girocco::Config::gitweburl/girocco.git";
558 ## -------------------
559 ## web server controls
560 ## -------------------
563 # If true then non-smart HTTP access will be disabled
564 # There's normally no reason to leave non-smart HTTP access enabled
565 # since downloadable bundles are provided. However, in case the
566 # non-smart HTTP access is needed for some reason, this can be set to undef or 0.
567 # This affects access via http: AND https: and processing of apache.conf.in.
568 # Note that this setting does not affect gitweb, ssh: or git: URL access in any way.
569 # RECOMMENDED VALUE: 1
570 our $SmartHTTPOnly = 1;
572 # If true, the https <VirtualHost ...> section in apache.conf.in will be
573 # automatically enabled when it's converted to apache.conf by the conversion
574 # script. Do NOT enable this unless the required Apache modules are present
575 # and loaded (mod_ssl, mod_rewrite, mod_authn_anon) AND $httpspushurl is
576 # defined above otherwise the server will fail to start (with various errors)
577 # when the resulting apache.conf is used.
578 our $TLSHost = 0;
580 # If true, the information about configuring a Git client to trust
581 # a Girocco-generated TLS root will be suppressed presuming that some other
582 # means (such as LetsEncrypt.org) has been used to generate a TLS web
583 # certificate signed by a pre-trusted root. This does NOT affect the
584 # information on how to configure https push certificates as those are still
585 # required in order to push over https regardless of what web server certificate
586 # may be in use.
587 # RECOMMENDED VALUE: 0 (for girocco-generated root & server certificates)
588 # RECOMMENDED VALUE: 1 (for LetsEncrypt etc. generated server certificates)
589 our $pretrustedroot = 0;
593 ## ------------------------
594 ## Some templating settings
595 ## ------------------------
598 # Legal warning (on reguser and regproj pages)
599 our $legalese = <<EOT;
600 <p>By submitting this form, you are confirming that you will mirror or push
601 only what we can store and show to anyone else who can visit this site without
602 breaking any law, and that you will be nice to all small furry animals.
603 <sup class="sup"><span><a href="/h/about.html">(more details)</a></span></sup>
604 </p>
607 # Pre-configured mirror sources (set to undef for none)
608 # Arrayref of name - record pairs, the record has these attributes:
609 # label: The label of this source
610 # url: The template URL; %1, %2, ... will be substituted for inputs
611 # desc: Optional VERY short description
612 # link: Optional URL to make the desc point at
613 # inputs: Arrayref of hashref input records:
614 # label: Label of input record
615 # suffix: Optional suffix
616 # If the inputs arrayref is undef, single URL input is shown,
617 # pre-filled with url (probably empty string).
618 our $mirror_sources = [
620 label => 'Anywhere',
621 url => '',
622 desc => 'Any HTTP/Git/rsync pull URL - bring it on!',
623 inputs => undef
626 label => 'GitHub',
627 url => 'https://github.com/%1/%2.git',
628 desc => 'GitHub Social Code Hosting',
629 link => 'https://github.com/',
630 inputs => [ { label => 'User:' }, { label => 'Project:', suffix => '.git' } ]
633 label => 'GitLab',
634 url => 'https://gitlab.com/%1/%2.git',
635 desc => 'Engulfed the Green and Orange Boxes',
636 link => 'https://gitlab.com/',
637 inputs => [ { label => 'Project:' }, { label => 'Repository:', suffix => '.git' } ]
641 # You can customize the gitweb interface widely by editing
642 # gitweb/gitweb_config.perl
646 ## -------------------
647 ## Permission settings
648 ## -------------------
651 # Girocco needs some way to manipulate write permissions to various parts of
652 # all repositories; this concerns three entities:
653 # - www-data: the web interface needs to be able to rewrite few files within
654 # the repository
655 # - repo: a user designated for cronjobs; handles mirroring and repacking;
656 # this one is optional if not $mirror
657 # - others: the designated users that are supposed to be able to push; they
658 # may have account either within chroot, or outside of it
660 # There are several ways how to use Girocco based on a combination of the
661 # following settings.
663 # (Non-chroot) UNIX user the CGI scripts run on; note that if some non-related
664 # untrusted CGI scripts run on this account too, that can be a big security
665 # problem and you'll probably need to set up suexec (poor you).
666 # This must always be set.
667 our $cgi_user = 'www-data';
669 # (Non-chroot) UNIX user performing mirroring jobs; this is the user who
670 # should run all the daemons and cronjobs and
671 # the user who should be running make install (if not root).
672 # This must always be set.
673 our $mirror_user = 'repo';
675 # (Non-chroot) UNIX group owning the repositories by default; it owns whole
676 # mirror repositories and at least web-writable metadata of push repositories.
677 # If you undefine this, all the data will become WORLD-WRITABLE.
678 # Both $cgi_user and $mirror_user should be members of this group!
679 our $owning_group = 'repo';
681 # Whether to use chroot jail for pushing; this must be always the same
682 # as $manage_users.
683 # TODO: Gitosis support for $manage_users and not $chrooted?
684 our $chrooted = $manage_users;
686 # How to control permissions of push-writable data in push repositories:
687 # * 'Group' for the traditional model: The $chroot/etc/group project database
688 # file is used as the UNIX group(5) file; the directories have gid appropriate
689 # for the particular repository and are group-writable. This works only if
690 # $chrooted so that users are put in the proper groups on login when using
691 # SSH push. Smart HTTPS push does not require a chroot to work -- simply
692 # run "make install" as the non-root $mirror_user user, but leave
693 # $manage_users and $chrooted enabled.
694 # * 'ACL' for a model based on POSIX ACL: The directories are coupled with ACLs
695 # listing the users with push permissions. This works for both chroot and
696 # non-chroot setups, however it requires ACL support within the filesystem.
697 # This option is BASICALLY UNTESTED, too. And UNIMPLEMENTED. :-)
698 # * 'Hooks' for a relaxed model: The directories are world-writable and push
699 # permission control is purely hook-driven. This is INSECURE and works only
700 # when you trust all your users; on the other hand, the attack vectors are
701 # mostly just DoS or fully-traceable tinkering.
702 our $permission_control = 'Group';
704 # Path to alternate screen multiuser acl file (see screen/README, undef for none)
705 our $screen_acl_file = undef;
707 # Reserved project name and user name suffixes.
709 # Note that with personal mob branches enabled, a user name can end up being a
710 # file name after having a 'mob.' prefix added or a directory name after having
711 # a 'mob_' prefix added. If there is ANY possibility that a file with a
712 # .suffix name may need to be served by the web server, lc(suffix) SHOULD be in
713 # this hash! Pre-existing project names or user names with a suffix in this
714 # table can continue to be used, but no new projects or users can be created
715 # that have a suffix (case-insensitive) listed here.
716 our %reserved_suffixes = (
717 # Entries must be lowercase WITHOUT a leading '.'
718 bmp => 1,
719 bz2 => 1,
720 cer => 1,
721 cgi => 1,
722 crt => 1,
723 css => 1,
724 dmg => 1,
725 fcgi => 1,
726 gif => 1,
727 gz => 1,
728 htm => 1,
729 html => 1,
730 ico => 1,
731 jp2 => 1,
732 jpeg => 1,
733 jpg => 1,
734 jpg2 => 1,
735 js => 1,
736 pdf => 1,
737 pem => 1,
738 php => 1,
739 png => 1,
740 sig => 1,
741 shtml => 1,
742 svg => 1,
743 svgz => 1,
744 tar => 1,
745 text => 1,
746 tgz => 1,
747 tif => 1,
748 tiff => 1,
749 txt => 1,
750 xbm => 1,
751 xht => 1,
752 xhtml => 1,
753 xz => 1,
754 zip => 1,
759 ## -------------------------
760 ## sendmail.pl configuration
761 ## -------------------------
764 # Full information on available sendmail.pl settings can be found by running
765 # ../bin/sendmail.pl -v -h
767 # These settings will only used if $sendmail_bin is set to 'sendmail.pl'
769 # sendmail.pl host name
770 #$ENV{'SENDMAIL_PL_HOST'} = 'localhost'; # localhost is the default
772 # sendmail.pl port name
773 #$ENV{'SENDMAIL_PL_PORT'} = '25'; # port 25 is the default
775 # sendmail.pl nc executable
776 #$ENV{'SENDMAIL_PL_NCBIN'} = "$chroot/bin/nc.openbsd"; # default is nc found in $PATH
778 # sendmail.pl nc options
779 # multiple options may be included, e.g. '-4 -X connect -x 192.168.100.10:8080'
780 #$ENV{'SENDMAIL_PL_NCOPT'} = '-4'; # force IPv4, default is to allow IPv4 & IPv6
784 ## -------------------------
785 ## Obscure Tuneable Features
786 ## -------------------------
789 # Throttle classes configured here override the defaults for them that
790 # are located in taskd/taskd.pl. See comments in that file for more info.
791 our @throttle_classes = ();
793 # Any tag names listed here will be allowed even if they would otherwise not be.
794 # Note that @allowed_tags takes precedence over @blocked_tags.
795 our @allowed_tags = (qw( ));
797 # Any tag names listed here will be disallowed in addition to the standard
798 # list of nonsense words etc. that are blocked as tags.
799 our @blocked_tags = (qw( ));
801 # Case folding tags
802 # If this setting is true, then tags that differ only in case will always use
803 # the same-cased version. If this setting is enabled and the tag is present in
804 # @allowed_tags (or the embedded white list in Util.pm) then the case of the
805 # tag will match the white list entry otherwise it will be all lowercased.
806 # If this setting is disabled (false) tags are used with their case left as-is.
807 # RECOMMENDED VALUE: 1 (true)
808 our $foldtags = 1;
810 # If there are no more than this many objects, then all deltas will be
811 # recomputed when gc takes place. Note that this does not affect any
812 # fast-import created packs as they ALWAYS have their deltas recomputed.
813 # Also when combining small packs, if the total object count in the packs
814 # to be combined is no more than this then the new, combined pack will have
815 # its deltas recomputed during the combine operation.
816 # Leave undef to use the default (which should generally be fine).
817 # Lowering this from the default can increase disk use.
818 # Values less than 1000 * number of CPU cores will be silently ignored.
819 # The "girocco.redelta" config item can be used to modify this behavior on
820 # a per-repository basis. See the description of it in gc.sh.
821 our $new_delta_threshold = undef;
823 # This setting is irrelevant unless foreign vcs mirrors that use git fast-import
824 # are enabled (e.g. $mirror_darcs, $mirror_bzr or $mirror_hg -- $mirror_svn does
825 # NOT use git fast-import and is not affected by this setting).
826 # The packs generated by git fast-import are very poor quality. For this reason
827 # they ALWAYS have their deltas recomputed at some point. Normally this is
828 # delayed until the next full (or mini) gc takes place. For this reason a full
829 # gc is always scheduled immediately after a fresh mirror clone completes.
830 # However, in the case of normal mirror updates, several git fast-import created
831 # packs may exist as a result of changes fetched during the normal mirror update
832 # process. These packs will persist (with their git fast-import poor quality)
833 # until the next full (or mini) gc triggers. The bad deltas in these update
834 # packs could be sent down to clients who fetch updates before the next gc
835 # triggers. To reduce (i.e. practically eliminate) the likelihood of this
836 # occurring, this setting can be changed to a false (0 or undef) value in which
837 # case after each mirror update of a git fast-import mirror, any newly created
838 # git fast-import packs (as a result of the mirror update running) will have
839 # their deltas recomputed shortly thereafter instead of waiting for the next gc.
840 # Recomputing deltas immediately (almost immediately) will result in an extra
841 # redeltification step (with associated CPU cost) that would otherwise not
842 # occur and, in some cases (mainly large repositories), could ultimately result
843 # in slightly less efficient deltas being retained.
844 # RECOMMENDED VALUE: 1
845 our $delay_gfi_redelta = 1;
847 # If this is set to a true value, then core.packedGitWindowSize will be set
848 # to 1 MiB (the same as if Git was compiled with NO_MMAP set). If this is NOT
849 # set, core.packedGitWindowSize will be set to 32 MiB (even on 64-bit) to avoid
850 # memory blowout. If your Git was built with NO_MMAP set and will not work
851 # without NO_MMAP set, you MUST set this to a true value!
852 our $git_no_mmap = undef;
854 # If set to a true value, the "X-Girocco: $gitweburl" header included in all
855 # Girocco-generated emails will be suppressed.
856 our $suppress_x_girocco = undef;
858 # Number of days to keep reflogs around
859 # May be set to a value between 1 and 30 (inclusive)
860 # The default of one day should normally suffice unless there's a need to
861 # support a "Where's the undo? WHERE IS THE UNDO?!!!" option ;)
862 our $reflogs_lifetime = 1;
864 # The pack.window size to use with git upload-pack
865 # When Git is creating a pack to send down to a client, if it needs to send
866 # down objects that are deltas against objects it is not sending and that it
867 # does not know the client already has, it must undelta and recompute deltas
868 # for those objects. This is the remote's "Compressing objects" phase the
869 # client sees during a fetch or clone. If this value is unset, the normal
870 # Git default of 10 will be used for the window size during these operations.
871 # This value may be set to a number between 2 and 50 inclusive to change the
872 # window size during upload pack operations. A window size of 2 provides the
873 # fastest response at the expense of less efficient deltas for the objects
874 # being recompressed (meaning more data to send to the client). A window
875 # size of 5 typically reduces the compression time by almost half and is
876 # usually nearly as fast as a window size of 2 while providing better deltas.
877 # A window size of 50 will increase the time spent in the "Compressing objects"
878 # phase by as much as 5 times but will produce deltas similar to those that
879 # Girocco generates when it performs garbage collection.
880 # RECOMMENDED VALUE: undef or 5
881 our $upload_pack_window = undef;
883 # If this is true then remote fetching of refs/stash and refs/tgstash will
884 # be allowed. Git does not allow single-level ref names to be pushed so the
885 # only way they could get in there is if a linked working tree (or, gasp, a
886 # non-bare Girocco repository) created them or they arrived via a non-clean
887 # mirror fetch. The client almost certainly does not want to see them.
888 # Unless this config item is true they will also be left out of the bundle too.
889 # Since both stash and tgstash are used with their ref logs and there's no way
890 # for a remote to fetch ref logs, the "log --walk-reflogs" feature could not be
891 # used with them by a remote that fetched them anyway.
893 # NOTE: The reason this doesn't just control all single-level refs is that the
894 # "hideRefs" configuration mechanism isn't flexible enough to hide all
895 # single-level refs without knowing their names. In addition, it hides the
896 # entire refs hierarchy so refs/stash/foo will also be hidden along with
897 # refs/stash, but Git doesn't actually support ref names that introduce a
898 # directory/file confict (aka D/F conflict) and "refs/stash" represents an
899 # official Git ref name therefore any refs/stash/... names really aren't
900 # allowed in the first place so it's no problem if they're incidentally hidden
901 # along with refs/stash itself.
903 # NOTE: Git 1.8.2 or later is required to actually hide the refs from fetchers
904 # over the "git:" protocol and Git 2.3.5 or later is required to properly hide
905 # them over the smart "http:" protocol (Girocco will not attempt to "hide" them
906 # on a smart HTTP fetch if Git is < 2.3.5 to avoid Git bugs.) They will never
907 # be hidden via the non-smart HTTP fetch or any other non-smart protocols that
908 # also make use of the $gitdir/info/refs file as they are not excluded from it.
909 # Nor will they be hidden when accessed via any non-Girocco mechanism.
910 # They will, however, always be excluded from the primary (aka .bitmap) pack
911 # and bundle no matter what version of Git is used unless this is set to a
912 # true value. It's only the server's Git version that matters when hiding refs.
914 # RECOMMENDED VALUE: undef or 0
915 our $fetch_stash_refs = undef;
917 # When set to a true value, Girocco will attempt to pick up ref changes made
918 # outside of Girocco itself and process them using the usual Girocco
919 # notification mechanism. Git lacks any "post-ref-change" hook capability that
920 # could facilitate this. This feature is primarily intended to detect running
921 # of "git fetch" in linked working trees of a Girocco repository. In many
922 # cases after running a command Git runs "git gc --auto". With the correct
923 # encouragement we can always induce Git to run our pre-auto-gc hook at that
924 # time. "git fetch" invokes "git gc --auto" after the fetch. Girocco needs
925 # to do additional maintenance to make this work properly so do not enable this
926 # unless it's really needed. Additionally, there are a number of commands
927 # (such as "git commit") that do not invoke "git gc --auto". Even with this
928 # enabled, additional hooks for post-rewrite and post-checkout
929 # would really be needed to catch more things and even then there are some
930 # Git commands that would never be caught ("git filter-branch",
931 # "git update-ref", "git reset", etc.) so this is hardly a complete solution.
932 # But it WILL catch "git fetch" changes although the hashes it uses for the
933 # "old" ref values may not be all that recent, the new ref values will be.
934 # When this is false, the hack is completely disabled.
935 # When this is true, the hack is enabled by default for all repositories,
936 # but can be controlled on an individual repository basis by setting the
937 # girocco.autogchack value explicitly to true (enable) or false (disable).
938 # If this is set to the special value "mirror" then it will behave as true
939 # for mirrors and false for non-mirrors thereby completely eliminating any
940 # overhead for push projects but detecting external "git fetch"s for mirrors.
941 # If this is enabled for a project, any third party script/tool can trigger
942 # the Girocco ref notification mechanism simply by making a ref change and
943 # then running "git gc --auto --quiet" on the project. In a capitulation to
944 # use of linked working trees, Girocco installs a post-commit hook that will
945 # trigger these notifications as well when this is enabled.
946 our $autogchack = 0;
948 # When set to a true value the initial setting for core.hooksPath will point
949 # to the repository's own hooks directory instead of $reporoot/_global/hooks.
950 # Due to the unfortunate implementation of core.hooksPath, Girocco must always
951 # ensure the value gets set in each repository's config file. Normally it
952 # just sets it to $reporoot/_global/hooks and that's that. However, the
953 # update-all-config script will also tolerate it pointing at the repository's
954 # own hooks directory -- Girocco maintains symbolic links in there to the
955 # global hooks to make sure they get run when using older versions of Git;
956 # therefore that setting is basically equivalent. The difference is that
957 # repository-specific hooks can be added when hooksPath is pointing at the
958 # repository's hooks directory but not when it's pointing at _global/hooks.
959 # A repository's setting can be changed manually (and it will stick), but
960 # sometimes it may be desirable to always just default to pointing at the
961 # repository's own hooks directory from the start. Perhaps linked working
962 # trees will be in use and software that needs to set repository-specific hooks
963 # will be in use. If $autogchack has been set to true this may very likely be
964 # the case.
965 our $localhooks = 0;
967 # If this is set to a true value changes to single-level refs (e.g. refs/stash)
968 # will be passed through to the notification machinery.
969 # Usually this is NOT wanted, especially when linked working trees are being
970 # used with the repository.
971 # However, in the unlikely event that changes to such ref names should NOT be
972 # ignored, this value may be set to any true value.
973 # RECOMMENDED VALUE: 0
974 our $notify_single_level = 0;
976 # If this is set to a non-empty value it will become the default value for
977 # all repositories' girocco.notifyHook value.
978 # Whenever taskd.pl receives a batch of ref changes for processing, it first
979 # sends them off to any configured "girocco.notifyHook" (same semantics as
980 # a post-receive hook except it also gets four command-line arguments like
981 # so: cat ref-changes | notifyhook $projname $user $linecount $contextlinecount
982 # There is no default notify hook, but each repository may set its own by
983 # setting the `girocco.notifyHook` config value which will be eval'd by the
984 # shell (like $GIT_EDITOR is) with the current directory set to the
985 # repository's git-dir and the changes on standard input.
986 # Note that normal notification processing does not take place until after
987 # this command (if it's not null) gets run (regardless of its result code).
988 our $default_notifyhook = undef;
990 # UNIX group owning the repositories' htmlcache subdirectory
991 # If not defined defaults to $owning_group
992 # If gitweb access is provided but only on a read-only basis, then setting
993 # this to a group to which Both $cgi_user and $mirror_user belong will still
994 # allow summary page caching.
995 # $mirror_user should always belong to this group
996 our $htmlcache_owning_group = undef;
998 # UNIX group owning the repositories' ctags subdirectory
999 # If not defined defaults to $owning_group
1000 # If gitweb access is provided but only on a read-only basis, then setting
1001 # this to a group to which Both $cgi_user and $mirror_user belong will still
1002 # allow tags to be added to the repository in gitweb (provided that feature
1003 # is enabled in gitweb/gitweb_config.perl).
1004 # $mirror_user should always belong to this group
1005 our $ctags_owning_group = undef;
1007 # When using pack bitmaps and computing data to send to clients over a fetch,
1008 # having pack.writeBitmapHashCache set to true produces better deltas (thereby
1009 # potentially reducing the amount of data that needs to be sent). However,
1010 # JGit does not understand this extra data, so if JGit needs to use the bitmaps
1011 # generated when Girocco runs Git, this setting needs to be set to a true value
1012 # so that the hash cache is excluded when Git generates the bitmaps thereby
1013 # making them compatible with JGit.
1014 # Note that changes to this setting will not take effect until the next time
1015 # gc is scheduled to run on a project and then only if gc actually takes place.
1016 # Use the $basedir/toolbox/make-all-gc-eligible.sh script to force all projects
1017 # to actually do a gc the next time they are scheduled for one.
1018 # RECOMMENDED VALUE: undef or 0
1019 our $jgit_compatible_bitmaps = 0;
1021 # Set the default value of receive.maxInputSize
1022 # This is only effective for receives (aka an incoming push) and causes the
1023 # push to abort if the incoming pack (which is generally thin and does not
1024 # have any index) exceeds this many bytes in size (a 'k', 'm' or 'g' suffix
1025 # may be used on the value). If undef or set to 0 there is no limit. This
1026 # limit is only effective when Girocco is running Git v2.11.0 or later.
1027 our $max_receive_size = undef;
1029 # Select the sshd to be installed into the chroot
1030 # If set this MUST be an absolute path
1031 # Ignored unless a chroot is actually being created
1032 # Leaving this undef will find sshd in "standard" system locations and
1033 # is the recommended value. Only set this if you need to override the
1034 # "standard" sshd for some reason.
1035 # RECOMMENDED VALUE: undef
1036 our $sshd_bin = undef;
1040 ## ------------------------
1041 ## Sanity checks & defaults
1042 ## ------------------------
1044 # Changing anything in this section can result in unexpected breakage
1046 # Couple of sanity checks and default settings (do not change these)
1047 use Digest::MD5 qw(md5);
1048 use MIME::Base64 qw(encode_base64);
1049 $name =~ s/\s+/_/gs;
1050 $nickname = lc((split(/[.]/, $name))[0]) unless $nickname;
1051 $nickname =~ s/\s+/_/gs;
1052 our $tmpsuffix = substr(encode_base64(md5($name.':'.$nickname)),0,6);
1053 $tmpsuffix =~ tr,+/,=_,;
1054 ($mirror_user) or die "Girocco::Config: \$mirror_user must be set even if to current user";
1055 ($basedir) or die "Girocco::Config: \$basedir must be set";
1056 ($sendmail_bin) or die "Girocco::Config: \$sendmail_bin must be set";
1057 $sendmail_bin = "$basedir/bin/sendmail.pl" if $sendmail_bin eq "sendmail.pl";
1058 $screen_acl_file = "$basedir/screen/giroccoacl" unless $screen_acl_file;
1059 $jailreporoot =~ s,^/+,,;
1060 ($reporoot) or die "Girocco::Config \$reporoot must be set";
1061 ($jailreporoot) or die "Girocco::Config \$jailreporoot must be set";
1062 $disable_jailsetup = $disable_jailsetup ? 1 : '';
1063 $notify_single_level = $notify_single_level ? 1 : '';
1064 $fetch_stash_refs = $fetch_stash_refs ? 1 : '';
1065 (not $mob or $mob eq 'mob') or die "Girocco::Config \$mob must be undef (or '') or 'mob'";
1066 (not $min_key_length or $min_key_length =~ /^[1-9][0-9]*$/)
1067 or die "Girocco::Config \$min_key_length must be undef or numeric";
1068 (defined $mailsh_sizelimit and $mailsh_sizelimit =~ /^[1-9][0-9]*$/)
1069 or die "Girocco::Config \$mailsh_sizelimit must be a positive number";
1070 $admincc = $admincc ? 1 : 0;
1071 $rootcert = "$certsdir/girocco_root_crt.pem" if $httpspushurl && !$rootcert;
1072 $clientcert = "$certsdir/girocco_client_crt.pem" if $httpspushurl && !$clientcert;
1073 $clientkey = "$certsdir/girocco_client_key.pem" if $httpspushurl && !$clientkey;
1074 $clientcertsuffix = "$certsdir/girocco_client_suffix.pem" if $httpspushurl && !$clientcertsuffix;
1075 $mobusercert = "$certsdir/girocco_mob_user_crt.pem" if $httpspushurl && $mob && !$mobusercert;
1076 $mobuserkey = "$certsdir/girocco_mob_user_key.pem" if $httpspushurl && $mob && !$mobuserkey;
1077 our $mobpushurl = $pushurl;
1078 $mobpushurl =~ s,^ssh://,ssh://mob@,i if $mobpushurl;
1079 $disable_dsa = 1 unless $pushurl;
1080 $disable_dsa = $disable_dsa ? 1 : '';
1081 our $httpdnsname = ($gitweburl =~ m,https?://([A-Za-z0-9.-]+),i) ? lc($1) : undef if $gitweburl;
1082 our $httpsdnsname = ($httpspushurl =~ m,https://([A-Za-z0-9.-]+),i) ? lc($1) : undef if $httpspushurl;
1083 $SmartHTTPOnly = $SmartHTTPOnly ? 1 : '';
1084 $TLSHost = $TLSHost ? 1 : '';
1085 $pretrustedroot = $pretrustedroot ? 1 : '';
1086 ($mirror or $push) or die "Girocco::Config: neither \$mirror nor \$push is set?!";
1087 (not $push or ($pushurl or $httpspushurl or $gitpullurl or $httppullurl)) or die "Girocco::Config: no pull URL is set";
1088 (not $push or ($pushurl or $httpspushurl)) or die "Girocco::Config: \$push set but \$pushurl and \$httpspushurl are undef";
1089 (not $mirror or $mirror_user) or die "Girocco::Config: \$mirror set but \$mirror_user is undef";
1090 ($manage_users == $chrooted) or die "Girocco::Config: \$manage_users and \$chrooted must be set to the same value";
1091 (not $chrooted or $permission_control ne 'ACL') or die "Girocco::Config: resolving uids for ACL not supported when using chroot";
1092 (grep { $permission_control eq $_ } qw(Group Hooks)) or die "Girocco::Config: \$permission_control must be set to Group or Hooks";
1093 ($chrooted or not $mob) or die "Girocco::Config: mob user supported only in the chrooted mode";
1094 (not $httpspushurl or $httpsdnsname) or die "Girocco::Config invalid \$httpspushurl does not start with https://domainname";
1095 (not $svn_log_window_size or $svn_log_window_size =~ /^[1-9][0-9]*$/)
1096 or die "Girocco::Config \$svn_log_window_size must be undef or numeric";
1097 (not $posix_sh_bin or $posix_sh_bin !~ /\s/) or die "Girocco::Config: \$posix_sh_bin must not contain any whitespace";
1098 (not $perl_bin or $perl_bin !~ /\s/) or die "Girocco::Config: \$perl_bin must not contain any whitespace";
1099 !$delay_gfi_redelta and $delay_gfi_redelta = undef;
1100 !$git_no_mmap and $git_no_mmap = undef;
1101 !$suppress_x_girocco and $suppress_x_girocco = undef;
1102 !$jgit_compatible_bitmaps and $jgit_compatible_bitmaps = undef;
1103 !$autogchack and $autogchack = undef;
1104 (not $reflogs_lifetime or $reflogs_lifetime !~ /^[1-9][0-9]*$/) and $reflogs_lifetime = 1;
1105 $reflogs_lifetime = 0 + $reflogs_lifetime;
1106 $reflogs_lifetime >= 0 or $reflogs_lifetime = 1;
1107 $reflogs_lifetime <= 30 or $reflogs_lifetime = 30;
1108 (not defined $upload_pack_window or $upload_pack_window =~ /^[1-9][0-9]*$/)
1109 or die "Girocco::Config \$upload_pack_window must be undef or numeric";
1110 (not defined $upload_pack_window or $upload_pack_window >= 2 && $upload_pack_window <= 50)
1111 or die "Girocco::Config \$upload_pack_window must be in range 2..50";
1112 (not defined $max_receive_size or $max_receive_size =~ /^\d+[kKmMgG]?$/)
1113 or die "Girocco::Config \$max_receive_size setting is invalid";
1114 defined($ENV{'SENDMAIL_PL_HOST'}) and our $sendmail_pl_host = $ENV{'SENDMAIL_PL_HOST'};
1115 defined($ENV{'SENDMAIL_PL_PORT'}) and our $sendmail_pl_port = $ENV{'SENDMAIL_PL_PORT'};
1116 defined($ENV{'SENDMAIL_PL_NCBIN'}) and our $sendmail_pl_ncbin = $ENV{'SENDMAIL_PL_NCBIN'};
1117 defined($ENV{'SENDMAIL_PL_NCOPT'}) and our $sendmail_pl_ncopt = $ENV{'SENDMAIL_PL_NCOPT'};
1118 defined($ENV{'PYTHON'}) and our $python = $ENV{'PYTHON'};
1119 my $op; BEGIN {$op = $ENV{'PATH'}}
1120 defined($op) && defined($ENV{'PATH'}) && $op ne $ENV{'PATH'} and our $path=$ENV{'PATH'};
1122 # jailreporoot MUST NOT be absolute
1123 defined($jailreporoot) && substr($jailreporoot, 0, 1) ne "/" or
1124 die "\$jailreporoot MUST NOT be an absolute path\n";
1126 # webreporoot can be undef
1127 !defined($webreporoot) || substr($webreporoot, 0, 1) eq "/" or
1128 die "\$webreporoot MUST be an absolute path if not undef\n";
1130 # All these MUST be absolute paths
1132 no strict 'refs';
1133 defined(${$_}) && substr(${$_}, 0, 1) eq "/" or
1134 die "\$$_ MUST be an absolute path\n"
1135 foreach qw(basedir certsdir reporoot chroot webroot cgiroot projlist_cache_dir);
1138 # Make sure Git has a consistent and reproducible environment
1140 $ENV{'XDG_CONFIG_HOME'} = $chroot.'/var/empty';
1141 $ENV{'HOME'} = $chroot.'/etc/girocco';
1142 $ENV{'TMPDIR'} = '/tmp';
1143 $ENV{'GIT_CONFIG_NOSYSTEM'} = 1;
1144 $ENV{'GIT_ATTR_NOSYSTEM'} = 1;
1145 $ENV{'GIT_NO_REPLACE_OBJECTS'} = 1;
1146 $ENV{'GIT_TERMINAL_PROMPT'} = 0;
1147 $ENV{'GIT_ASKPASS'} = $basedir.'/bin/git-askpass-password';
1148 delete $ENV{'GIT_USER_AGENT'};
1149 $ENV{'GIT_USER_AGENT'} = $git_client_ua if defined($git_client_ua);
1150 delete $ENV{'GIT_HTTP_USER_AGENT'};
1151 delete $ENV{'GIT_CONFIG_PARAMETERS'};
1152 delete $ENV{'GIT_ALTERNATE_OBJECT_DIRECTORIES'};
1153 delete $ENV{'GIT_CONFIG'};
1154 delete $ENV{'GIT_DIR'};
1155 delete $ENV{'GIT_GRAFT_FILE'};
1156 delete $ENV{'GIT_INDEX_FILE'};
1157 delete $ENV{'GIT_OBJECT_DIRECTORY'};
1158 delete $ENV{'GIT_NAMESPACE'};
1160 # Guarantee a sane umask for Girocco
1162 umask(umask() & ~0770);