gitreef

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README | LICENSE

commit 2bea7e379a4c837a5d127d81bfe7f2ffe973f572
parent 89ba1e1619ec5e9207159c6d876f8a5f2eb20bc4
Author: Matthias Jaros <jaros@mailbox.org>
Date:   Mon, 27 Oct 2025 14:17:08 +0100

Updated README correction

Diffstat:
MREADME | 86+++++++++++++++++++++++++++++++++++++++++++++++++++++--------------------------
1 file changed, 58 insertions(+), 28 deletions(-)

diff --git a/README b/README @@ -1,33 +1,49 @@ -# README +# git-server -Welcome to git-server, a simple, fast, memory friendly and secure server for your git repos. +Welcome to **git-server** — a simple, fast, memory-friendly, and secure server for your Git repositories. -The scope of this server is to have a minimal git-server with no unnecessary features and management overhead. -It is for everyone who does not need or want a fancy GUI and more features besides of basic ones. Thus it is small, secure, fast and uses barely memory (under 10MB). +The goal of this project is to provide a **minimal Git server** with no unnecessary features or management overhead. +It’s designed for everyone who doesn’t need or want a fancy GUI or advanced functionality beyond the essentials. +As a result, it’s **small, secure, fast**, and uses **under 10 MB of memory**. + +--- ## Features -* Dockerized -* Easy config over command line or docker compose -* Fast & Secure with minimal dependencies: Git, SSH, Fish, Sudo -* Build in user and repo handling. -* Basic ACL with read/write permissions -* Logfile of all git operations +- 🐳 **Dockerized** +- ⚙️ **Simple configuration** via command line or Docker Compose +- 🚀 **Fast & secure**, with minimal dependencies: Git, SSH, Fish, Sudo +- 👥 **Built-in user and repository management** +- 🔐 **Basic ACL system** with per-user read/write permissions +- 📜 **Logging** of all Git operations + +--- ## Security -It is crucial to keep your repos safe from unprivileged access. This is why this server uses a set of limitins settings for ssh and every git operation that is run on it, such as: +Keeping your repositories safe from unauthorized access is a top priority. +This server applies multiple hardening and sandboxing measures, such as: -* Minimum basic alpine image with only few required tools installed -* Only pubkey authentication -* No tty and no normal shell login allowed -* All git commands are sanitized and checked -* Repos are kept in a jail under /srv/repos, no git access out if it is allowed. -* User are restricted using a basic ACL file that checks permissions of each user -* Root and git user login is prohibited +- Minimal Alpine base image with only essential tools installed +- Only **public-key authentication** (no passwords) +- **No TTY and no interactive shell logins** +- All Git commands are **sanitized and validated** +- Repositories are stored under `/srv/repos` and cannot access paths outside that directory +- Per-user **ACL file** checks permissions for each operation +- **Root and “git” user logins are disabled** + +--- ## Examples +### Command Line + +```sh +docker run --rm -p "2222:22" git-server \ + -u "user1:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm +lzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7tfYEBMi+7Navx/ZsEmr9E= mj@xps15" \ + -r "/repo1.git;user1:w" + Command line: ```sh docker run --rm -p "2222:22" git-server -u "user1:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm @@ -38,26 +54,40 @@ lzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7 Docker Compose: ```yaml services: - git-server: + git-server: image: docker.it-jaros.com/com.it-jaros.git ports: - "2222:22" environment: - # Note: Variable names cannot have - inside but the values can! - # uid/gid of the user that has access to all repos - - GIT_UID=1000 + # Note: Variable names cannot contain dashes, but values can! + # UID/GID of the user that owns all repositories + - GIT_UID=1000 - GIT_GID=1000 - # Users in form of USER_<some chars>=<username>:<ssh-key> + + # Users in the form USER_<id>=<username>:<ssh-public-key> - USER_user1=user1:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7tfYEBMi+7Navx/ZsEmr9E= mj@xps15 - USER_user2=user2:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7tfYEBMi+7Navx/ZsEmr9E= mj@xps15 - # Repos in form of REPO_<some chars>=<repo-path>;<user>:<permission>;<user2>:<permission>;... - # Permission can be 'r' or 'w' which stands for read/write - - REPO_repo1=/repo1.git;user1 # user without permission flag has read by default + + # Repositories in the form REPO_<id>=<path>;<user>:<perm>[;<user2>:<perm>;...] + # Permissions: + # r = read + # w = write + # A user without a permission flag has read access by default. + - REPO_repo1=/repo1.git;user1 - REPO_repo2=/repo2.git;user2:w - REPO_repo3=/repo3.git;user1:r;user2:w + volumes: # Basic volumes that should be mapped - ./ssh:/var/ssh - ./repos:/srv/repos - ./log:/var/log -``` -\ No newline at end of file +``` + +## Notes + +You can use any SSH key type supported by Git and your base system. Logs are written to /var/log/git-run by default. ACL files and repository definitions are recreated automatically on container restart. + +## License + +GPLv3 © 2025 Matthias Jaros +\ No newline at end of file