commit 2bea7e379a4c837a5d127d81bfe7f2ffe973f572
parent 89ba1e1619ec5e9207159c6d876f8a5f2eb20bc4
Author: Matthias Jaros <jaros@mailbox.org>
Date: Mon, 27 Oct 2025 14:17:08 +0100
Updated README correction
Diffstat:
| M | README | | | 86 | +++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------- |
1 file changed, 58 insertions(+), 28 deletions(-)
diff --git a/README b/README
@@ -1,33 +1,49 @@
-# README
+# git-server
-Welcome to git-server, a simple, fast, memory friendly and secure server for your git repos.
+Welcome to **git-server** — a simple, fast, memory-friendly, and secure server for your Git repositories.
-The scope of this server is to have a minimal git-server with no unnecessary features and management overhead.
-It is for everyone who does not need or want a fancy GUI and more features besides of basic ones. Thus it is small, secure, fast and uses barely memory (under 10MB).
+The goal of this project is to provide a **minimal Git server** with no unnecessary features or management overhead.
+It’s designed for everyone who doesn’t need or want a fancy GUI or advanced functionality beyond the essentials.
+As a result, it’s **small, secure, fast**, and uses **under 10 MB of memory**.
+
+---
## Features
-* Dockerized
-* Easy config over command line or docker compose
-* Fast & Secure with minimal dependencies: Git, SSH, Fish, Sudo
-* Build in user and repo handling.
-* Basic ACL with read/write permissions
-* Logfile of all git operations
+- 🐳 **Dockerized**
+- ⚙️ **Simple configuration** via command line or Docker Compose
+- 🚀 **Fast & secure**, with minimal dependencies: Git, SSH, Fish, Sudo
+- 👥 **Built-in user and repository management**
+- 🔐 **Basic ACL system** with per-user read/write permissions
+- 📜 **Logging** of all Git operations
+
+---
## Security
-It is crucial to keep your repos safe from unprivileged access. This is why this server uses a set of limitins settings for ssh and every git operation that is run on it, such as:
+Keeping your repositories safe from unauthorized access is a top priority.
+This server applies multiple hardening and sandboxing measures, such as:
-* Minimum basic alpine image with only few required tools installed
-* Only pubkey authentication
-* No tty and no normal shell login allowed
-* All git commands are sanitized and checked
-* Repos are kept in a jail under /srv/repos, no git access out if it is allowed.
-* User are restricted using a basic ACL file that checks permissions of each user
-* Root and git user login is prohibited
+- Minimal Alpine base image with only essential tools installed
+- Only **public-key authentication** (no passwords)
+- **No TTY and no interactive shell logins**
+- All Git commands are **sanitized and validated**
+- Repositories are stored under `/srv/repos` and cannot access paths outside that directory
+- Per-user **ACL file** checks permissions for each operation
+- **Root and “git” user logins are disabled**
+
+---
## Examples
+### Command Line
+
+```sh
+docker run --rm -p "2222:22" git-server \
+ -u "user1:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm
+lzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7tfYEBMi+7Navx/ZsEmr9E= mj@xps15" \
+ -r "/repo1.git;user1:w"
+
Command line:
```sh
docker run --rm -p "2222:22" git-server -u "user1:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm
@@ -38,26 +54,40 @@ lzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7
Docker Compose:
```yaml
services:
- git-server:
+ git-server:
image: docker.it-jaros.com/com.it-jaros.git
ports:
- "2222:22"
environment:
- # Note: Variable names cannot have - inside but the values can!
- # uid/gid of the user that has access to all repos
- - GIT_UID=1000
+ # Note: Variable names cannot contain dashes, but values can!
+ # UID/GID of the user that owns all repositories
+ - GIT_UID=1000
- GIT_GID=1000
- # Users in form of USER_<some chars>=<username>:<ssh-key>
+
+ # Users in the form USER_<id>=<username>:<ssh-public-key>
- USER_user1=user1:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7tfYEBMi+7Navx/ZsEmr9E= mj@xps15
- USER_user2=user2:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7tfYEBMi+7Navx/ZsEmr9E= mj@xps15
- # Repos in form of REPO_<some chars>=<repo-path>;<user>:<permission>;<user2>:<permission>;...
- # Permission can be 'r' or 'w' which stands for read/write
- - REPO_repo1=/repo1.git;user1 # user without permission flag has read by default
+
+ # Repositories in the form REPO_<id>=<path>;<user>:<perm>[;<user2>:<perm>;...]
+ # Permissions:
+ # r = read
+ # w = write
+ # A user without a permission flag has read access by default.
+ - REPO_repo1=/repo1.git;user1
- REPO_repo2=/repo2.git;user2:w
- REPO_repo3=/repo3.git;user1:r;user2:w
+
volumes:
# Basic volumes that should be mapped
- ./ssh:/var/ssh
- ./repos:/srv/repos
- ./log:/var/log
-```
-\ No newline at end of file
+```
+
+## Notes
+
+You can use any SSH key type supported by Git and your base system. Logs are written to /var/log/git-run by default. ACL files and repository definitions are recreated automatically on container restart.
+
+## License
+
+GPLv3 © 2025 Matthias Jaros
+\ No newline at end of file