Commit Graph

123 Commits (894742278154781ba4cb347ac4c7efd7d6dcd1c8)

Author SHA1 Message Date
zeripath 8947422781
Fix bug due to missing MaxStartups and MaxSessions (#16046)
Unforunately #16009 makes these settings mandatory. This PR uses the same technique
as used for the certificates to make these settings non-mandatory.

Fix #16044

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
2021-06-01 15:55:17 -04:00
Dario Louzado 5de01e21a1
Make sshd_config more flexible regarding connections (#16009)
* Make sshd_config more flexible regarding
MaxStartups and MaxSessions.

See https://man.openbsd.org/sshd_config
for more information.

* make property prefix equals
other existing Gitea SSH properties.

Co-authored-by: dlouzado <dlouzado@senado.leg.br>
2021-05-31 21:33:50 -04:00
zeripath 0ada74edbc
Only offer hostcertificates if they exist (#15849)
A common bug report is the otherwise harmless sshd logging:

```
Could not load host certificate "/data/ssh/ssh_host_ed25519_cert": No such file or directory
```

This PR simply checks if these files exist before creation of sshd_config and if
they do not exist, doesn't add a reference to them.

Fix #14110 amongst others.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2021-05-13 15:11:28 +03:00
Lauris BH 044cd4d016
Add reverse proxy configuration support for remote IP address (#14959)
* Add reverse proxy configuration support for remote IP address validation

* Trust all IP addresses in containerized environments by default

* Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-03-16 00:27:28 +02:00
Kyle D 61f347e349
Add environment-to-ini to docker image (#14762)
* Add environment-to-app.ini routine

* Call environment-to-ini in docker setup scripts

* Automatically convert section vars to lower case to match documentation

* Remove git patch instructions

* Add env variable documentation to Install Docker
2021-02-23 20:21:44 +01:00
Lunny Xiao 0cd87d64ff
Update docs and comments to remove macaron (#14491) 2021-01-29 16:35:30 +01:00
silverwind bc455ed257
Set RUN_MODE prod by default (#13765)
I think it's a bad default to have "dev" as the default run mode which
enables debugging and now also disables HTTP caching. It's better to
just default to a value suitable for general deployments.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-11-30 14:52:04 -05:00
6543 e7b47c5215
Format files (#13698)
* align "make help"

* format

* untouch build/generate-svg.js

* untouch .eslintrc

* combine editorconfig's

* rm editorconfig

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-11-28 01:12:22 -05:00
Antoine GIRARD bcb94ed589
fix docker rootless manifest (#13386) 2020-11-02 14:50:13 -05:00
Antoine GIRARD 563165abe4
Remove specific indexer path (#13388)
Co-authored-by: Lauris BH <lauris@nix.lv>
2020-11-01 18:34:38 -05:00
Antoine GIRARD fe458ce877
docker: rootless image (#10154)
* docker: rootless image

* improve docs + remove check for write perm on custom

* add more info on ssh passtrough

* Add comment for internal ssh server in container config
2020-10-31 20:58:22 -04:00
Anders Eurenius Runvald 01f991ac88
Update sshd_config (#13143)
Afaik, adding these lines does nothing unless the file(s) are present. Having them in let's admins supply certs instead of relying on TOFU.

Co-authored-by: zeripath <art27@cantab.net>
2020-10-14 13:01:11 -04:00
Wim 9066d09c57
Add ssh certificate support (#12281)
* Add ssh certificate support

* Add ssh certificate support to builtin ssh

* Write trusted-user-ca-keys.pem based on configuration

* Update app.example.ini

* Update templates/user/settings/keys_principal.tmpl

Co-authored-by: silverwind <me@silverwind.io>

* Remove unused locale string

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* Add missing creation of SSH.Rootpath

* Update cheatsheet, example and locale strings

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

* Optimizations based on feedback

* Validate CA keys for external sshd

* Add filename option and change default filename

Add a SSH_TRUSTED_USER_CA_KEYS_FILENAME option which default is
RUN_USER/.ssh/gitea-trusted-user-ca-keys.pem

Do not write a file when SSH_TRUSTED_USER_CA_KEYS is empty.

Add some more documentation.

* Remove unneeded principalkey functions

* Add blank line

* Apply suggestions from code review

Co-authored-by: zeripath <art27@cantab.net>

* Add SSH_AUTHORIZED_PRINCIPALS_ALLOW option

This adds a SSH_AUTHORIZED_PRINCIPALS_ALLOW which is default
email,username this means that users only can add the principals
that match their email or username.

To allow anything the admin need to set the option anything.

This allows for a safe default in gitea which protects against malicious
users using other user's prinicipals. (before that user could set it).

This commit also has some small other fixes from the last code review.

* Rewrite principal keys file on user deletion

* Use correct rewrite method

* Set correct AuthorizedPrincipalsBackup default setting

* Rewrite principalsfile when adding principals

* Add update authorized_principals option to admin dashboard

* Handle non-primary emails

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Add the command actually to the dashboard template

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* By default do not show principal options unless there are CA keys set or they are explicitly set

Signed-off-by: Andrew Thornton <art27@cantab.net>

* allow settings when enabled

* Fix typos in TrustedUserCAKeys path

* Allow every CASignatureAlgorithms algorithm

As this depends on the content of TrustedUserCAKeys we should allow all
signature algorithms as admins can choose the specific algorithm on their
signing CA

* Update models/ssh_key.go

Co-authored-by: Lauris BH <lauris@nix.lv>

* Fix linting issue

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: techknowlogick <matti@mdranta.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-10-10 20:38:09 -04:00
zeripath d65cd5677a
Change default log configuration (#13088)
* Change default log configuration

This PR changes the install page and the docker default
logging configuration to match the suggested configuration
that I repeatedly end up suggesting on issues.

It further improves the logging configuration docs to
recommend specific instructions for how to configure logs
for posting to issues.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update docs/content/doc/advanced/logging-documentation.en-us.md
2020-10-10 18:19:50 +03:00
zeripath ea69ec6f0f
Disable DSA ssh keys by default (#13056)
* Disable DSA ssh keys by default

OpenSSH has disabled DSA keys since version 7.0

As the docker runs openssh > v7.0 we should just disable
DSA keys by default.

Refers to #11417

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Just disable DSA keys by default

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove DSA type

* Fix Tests

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2020-10-09 09:52:57 +03:00
Kevin Schweikert f220286c00
Fix typo in README.md (#12369)
Changed Dockefile to Dockerfile
2020-07-29 09:29:51 -05:00
techknowlogick 366ca88eea
merge docker makefile into main one (#12289)
* merge docker makefile into main one

* add readme for docker folder

* don't include a file that doesn't exist anymore

Co-authored-by: Lauris BH <lauris@nix.lv>
2020-07-21 16:41:03 -04:00
Cirno the Strongest 594db7fb43
Fix missing CGO_EXTRA_FLAGS build arg for docker (#11782)
Co-authored-by: zeripath <art27@cantab.net>
2020-06-06 17:42:32 -04:00
Adrian POIGET 99082eebd7
Fix; declare DOMAIN variable for docker setup (#10780)
In the /install form, the value for SSH Server Domain is taken form the DOMAIN variable
and overwrites SSH_DOMAIN environment variable set the first time if nothing done

Co-authored-by: Adrian POIGET <adrian.poiget@viveris.fr>
2020-05-04 10:50:29 +01:00
Lunny Xiao 48be1889cd Fix latest docker image haven't include static files. (#9252)
* add warnging on docs

* fix docs
2019-12-05 12:18:28 -05:00
Antoine GIRARD 6e578dd0c9 docker: ask s6 to stop all service when gitea stop (#9171)
* fix: ask s6 to stop all service when gitea stop

https://github.com/just-containers/s6-overlay#writing-an-optional-finish-script

* change service folder
2019-11-27 13:08:57 -05:00
zeripath 0a96e59884 Fix #8453 by making openssh listen on SSH_LISTEN_PORT not SSH_PORT (#8477) 2019-10-12 23:45:00 +08:00
jpellegrini 852b8e2d81 Make AllowedUsers configurable in sshd_config (#8094)
docker/root/usr/bin/entrypoint already allows for the specification
of USER, USER_UID, USER_GID. But since AllowedUsers is hardcoded in
sshd_config, one cannot log in as a user different ftom git.
This change substitutes ${USER} for git in the sshd_config template.

Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>
2019-09-05 22:20:55 +02:00
leigh capili 70d2244e49 Support SSH_LISTEN_PORT env var in docker app.ini template (#7829)
Signed-off-by: leigh capili <leigh@null.net>
2019-08-24 01:44:24 +02:00
Antoine GIRARD d4667a4949 drone/docker: prepare multi-arch release + provide arm64 image (#7571)
* drone/docker: prepare multi-arch release

* Add docker-linux-arm64 pipeline

* add arm 64 build to manifest

* tag dry-run + indent

* Fix notify dependency
2019-07-24 13:21:12 -04:00
Christopher Thomas 75d4414386 Implement the ability to change the ssh port to match what is in the gitea config (#7286)
* - rearrange the templates to make it more logical because now ssh_config is a template
- implemented the updating of the port to the same as the port sent to the gitea config

* change the filename back
2019-07-06 21:57:53 -04:00
Marat Radchenko e07ff2f890 [docker] Add LFS_START_SERVER option to control git-lfs support (#7281) 2019-06-24 01:33:56 -04:00
Sergey Dryabzhinsky 3fd18838aa Repository avatars (#6986)
* Repository avatars

- first variant of code from old work for gogs
- add migration 87
- add new option in app.ini
- add en-US locale string
- add new class in repository.less

* Add changed index.css, remove unused template name

* Update en-us doc about configuration options

* Add comments to new functions, add new option to docker app.ini

* Add comment for lint

* Remove variable, not needed

* Fix formatting

* Update swagger api template

* Check if avatar exists

* Fix avatar link/path checks

* Typo

* TEXT column can't have a default value

* Fixes:

- remove old avatar file on upload
- use ID in name of avatar file - users may upload same files
- add simple tests

* Fix fmt check

* Generate PNG instead of "static" GIF

* More informative comment

* Fix error message

* Update avatar upload checks:

- add file size check
- add new option
- update config docs
- add new string to en-us locale

* Fixes:

- use FileHEader field for check file size
- add new test - upload big image

* Fix formatting

* Update comments

* Update log message

* Removed wrong style - not needed

* Use Sync2 to migrate

* Update repos list view

- bigger avatar
- fix html blocks alignment

* A little adjust avatar size

* Use small icons for explore/repo list

* Use new cool avatar preparation func by @lafriks

* Missing changes for new function

* Remove unused import, move imports

* Missed new option definition in app.ini

Add file size check in user/profile avatar upload

* Use smaller field length for Avatar

* Use session to update repo DB data, update DeleteAvatar - use session too

* Fix err variable definition

* As suggested @lafriks - return as soon as possible, code readability
2019-05-29 22:22:26 -04:00
Jakob Ackermann 36b68fdb01 [docker] support for custom GITEA_CUSTOM env var (#6608) 2019-05-13 18:19:37 -04:00
Jakob Ackermann dab38c375d [docker] drop the docker Makefile from the image (#6507) 2019-05-05 22:49:32 -04:00
zeripath 8d0d7bc28d Make CustomPath, CustomConf and AppWorkPath configurable at build (#6631) 2019-04-29 14:08:21 -04:00
Jakob Ackermann 62b35964e3 [docker] let the ssh daemon speak for itself and drop the syslog daemon (#6529)
The sshd flag `-e` instructs sshd to output any logs to stderr instead
 of the syslog. Redirect this output to stdout then.

Signed-off-by: Jakob Ackermann <das7pad@outlook.com>
2019-04-16 21:08:25 -04:00
Jakob Ackermann 3f4e2d9d37 [docker] drop the bits argument when generating an ed25519 key (#6504)
From the man page of ssh-keygen:

  Ed25519 keys have a fixed length and the -b flag will be ignored.

[skip ci]

Signed-off-by: Jakob Ackermann <das7pad@outlook.com>
2019-04-04 08:09:38 +03:00
techknowlogick ec9331510c
Disable auto-migrate in docker container (#5730) 2019-01-17 22:31:14 -05:00
Julian f59bfe893a docker: stop modifying file permission before migrating database (#5707) 2019-01-12 11:14:01 -05:00
Pierre-Alexis Ciavaldini 0236856924 migrate database if app.ini found (#5290)
* migrate database if app.ini found

* replacing hard-coded user id by env variable

* Update per @zeripath's feedback
2019-01-05 13:16:38 -05:00
Moshi Binyamini 76060613ef Fix bug on modifying sshd username (#5624)
Should fix #5623
2019-01-02 17:42:33 -05:00
Lunny Xiao 6e114f6791 add git protocol v2 support via SSH on Docker image (#5520)
* add git protocol v2 support via SSH on Docker image

* remove new layer on dockerfile
2018-12-11 12:20:04 -05:00
Fabian Braun d0f614a25b only chown directories during docker setup if necessary. Fix #4425 (#5064)
Signed-off-by: Fabian Braun <fabian-braun@mailbox.org>
2018-10-30 11:41:41 -04:00
Mura Li 25c49cf930 Update build tags for sqlite_unlock_notify (#5144) 2018-10-23 19:47:59 +08:00
Andrew Phillips b30f6b4099 Remove UsePrivilegeSeparation from the Docker sshd_config, see #2876 (#4722)
Signed-off-by: Andrew Phillips <theasp@gmail.com>
2018-08-16 01:58:12 +03:00
Tao Wang 823318bfbe Add missing path in the Docker app.ini template (#2181) 2018-07-03 20:44:46 -04:00
techknowlogick e2721b6190
Remove call to update certs (#4296) 2018-06-21 17:12:56 -04:00
Fluf b299d7bceb Add Environment Variables to Docker template (#4012)
* Add disable registration as an environment variable

for docker

* Add REQUIRE_SIGNIN_VIEW as env var to docker

* Add variables to template

* Update docker docs
2018-05-23 23:31:12 +08:00
techknowlogick ecfc401eaa Allow Gitea to run as different USER in Docker (#3961)
* If using a different $USER then rename git user

* Chown based on $USER env

* Target only one part of passwd

* su-exec based on $USER

not a hardcoded value
2018-05-16 23:58:44 +08:00
Jone Marius Vignes cb87f29b76 Update certificates to enable self-signed certs (#3708)
Why:

* We are using self-signed ssl certificates for internal services, which results in failures when gitea tries to communicate through webhooks with these. We would like to enable gitea to be able to use these certificates without having to build custom docker images.

How

* We add the internal certificates to /usr/local/share/ca-certificates on the host
* We read-only mount /usr/local/share/ca-certificates from the host to /usr/local/share/ca-certificates in the container 
* We do a update-ca-certificates in the alpine container before starting gitea

This should have no consequence for users that do not have the need to handle self-signed certificates, as update-ca-certificates should be idempotent.
2018-03-25 13:47:06 +03:00
Antoine GIRARD 0e26db8bcd Docker multi-stage (#2927)
* Setup docker multi-stage and little sugar at it

* Make codacy happy ?

* Revert back to what the official docker documentation suggest

Codacy don't seems to follow https://docs.docker.com/engine/reference/builder/#maintainer-deprecated

* Update golang version
2018-03-12 11:59:13 +02:00
Piotr Orzechowski 7bab3d2fb1 Enable content trust when building image (#2972) 2017-12-03 18:21:10 +08:00
Antoine GIRARD dac0f14f34 Docker multi-arch base (#1985)
* Create docker/manifest/base.yml

serve as base for build docker image for most platform (386,amd64,arm,arm64)

* Add make task docker-multi-arch-push-manifest

To update references of a multi-arch image on docker registry.

* Use SED_INPLACE generic sed command

* Delete Dockerfile.aarch64

Delete Dockerfile.rpi

* Use gitea/gitea-base as base

and replace deprecated MAINTAINER by LABEL (https://docs.docker.com/engine/reference/builder/#maintainer-deprecated)

* Fix rebase

* Use sapk/gitea-base as base

* Split makefile for docker

* Fix version to v3.6

Could use in later version edge of alpine official library that support multi-arch for armhf.

* Remove sapk/gitea-base and use directly new official alpine multi-arch
2017-11-16 15:16:40 +02:00
Henrik Bengtsson 9bdce5d21b Launch Gitea with custom UID/GID for 'git' user (fixes #2286) (#2791) 2017-11-05 10:40:31 +08:00