blob: 58d6900d54ce1ed31e3c743f1595771d40d01a98 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
# README
Welcome to git-server, a simple, fast, memory friendly and secure server for your git repos.
The scope of this server is to have a minimal git-server with no unnecessary features and management overhead.
It is for everyone who does not need or want a fancy GUI and more features besides of basic ones. Thus it is small, secure, fast and uses barely memory (under 10MB).
## Features
* Dockerized
* Easy config over command line or docker compose
* Fast & Secure with minimal dependencies: Git, SSH, Fish, Sudo
* Build in user and repo handling.
* Basic ACL with read/write permissions
* Logfile of all git operations
## Security
It is crucial to keep your repos safe from unprivileged access. This is why this server uses a set of limitins settings for ssh and every git operation that is run on it, such as:
* Minimum basic alpine image with only few required tools installed
* Only pubkey authentication
* No tty and no normal shell login allowed
* All git commands are sanitized and checked
* Repos are kept in a jail under /srv/repos, no git access out if it is allowed.
* User are restricted using a basic ACL file that checks permissions of each user
* Root and git user login is prohibited
## Examples
Command line:
```sh
docker run --rm -p "2222:22" git-server -u "user1:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbm
lzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7tfYEBMi+7Navx/ZsEmr9E= mj@xps15" -r "/repo1.git;user1:w"
```
Docker Compose:
```yaml
services:
git-server:
image: docker.it-jaros.com/com.it-jaros.git
ports:
- "2222:22"
environment:
# Note: Variable names cannot have - inside but the values can!
# uid/gid of the user that has access to all repos
- GIT_UID=1000
- GIT_GID=1000
# Users in form of USER_<some chars>=<username>:<ssh-key>
- USER_user1=user1:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7tfYEBMi+7Navx/ZsEmr9E= mj@xps15
- USER_user2=user2:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPsl91WPAT8aWwZ6y5WAfXU9PoHzxJ3YG9uFgSmlGQr2HwV+gL/XaTBJ4Brj+pa+R7tfYEBMi+7Navx/ZsEmr9E= mj@xps15
# Repos in form of REPO_<some chars>=<repo-path>;<user>:<permission>;<user2>:<permission>;...
# Permission can be 'r' or 'w' which stands for read/write
- REPO_repo1=/repo1.git;user1 # user without permission flag has read by default
- REPO_repo2=/repo2.git;user2:w
- REPO_repo3=/repo3.git;user1:r;user2:w
volumes:
# Basic volumes that should be mapped
- ./ssh:/var/ssh
- ./repos:/srv/repos
- ./log:/var/log
```
|