1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-25 08:59:31 -05:00
Commit graph

140 commits

Author SHA1 Message Date
zeripath
54d7435d28
Adjust manifest to prevent tagging latest on rcs (#22811) 2023-02-19 09:24:08 -05:00
Melroy van den Berg
fd29071e57
Rootless Docker - Mistake with the repo-avatars parent folder name (#22637)
There was a mistake when choosing the structure for the repo avatars parent folder and it added a spurious /gitea.

The `data` directory should contain folders like:

  - `attachments/`
  - `avatars/`
  - `log/`
  - `repo-avatars/`
2023-01-31 22:42:48 +00:00
Xinyu Zhou
f17edfaf5a
Remove deprecated DSA host key from Docker Container (#21522)
Since OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public
key algorithm, and recommend against its use.
http://www.openssh.com/legacy.html

## ⚠️ BREAKING ⚠️

This patch will remove DSA host key form OpenSSH daemon configuration
file.

Signed-off-by: baronbunny <its@baronbunny.cn>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-11-03 19:49:12 +08:00
wxiaoguang
7258a124af
Fix the mode of custom dir to 0700 in docker-rootless (#20861) 2022-08-19 11:05:07 -04:00
Thomas Andrade
4a295d4a6c
feat: Add support for extra sshd_config parameters via 'Include' file (#19842)
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-05-31 14:42:19 -04:00
wxiaoguang
4266bd924b
Update document to use FHS /usr/local/bin/gitea instead of /app/... for Docker (#19794)
* Update document to use FHS `/usr/local/bin/gitea` instead of `/app/...` in Docker

* Update docs/content/doc/installation/with-docker.zh-cn.md
2022-05-24 14:57:15 +08:00
Gusted
ba5f2acb9c
Configure OpenSSH log level via Environment in Docker (#19274)
Introduce a new environment variable: SSH_LOG_LEVEL
2022-03-31 11:15:36 +08:00
zeripath
7489d96db6
Fix issue with docker-rootless shimming script (#18690) 2022-02-10 01:15:06 -05:00
zeripath
9f9ca0aae4
Fix pushing to 1-x-dev docker tag (#18578)
* Fix pushing to 1-x-dev docker tag

It appears that #18551 and #18573 have a mistake in that raymond does not have
an {{else}} on {{#equal}}. This PR notes that Sprig has a hasPrefix function
and so we use this with another if.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Fix pushing to 1-x-dev docker tag (part 2)

Although we now have the manifest working, we need to create the images.

Here we adjust the .drone.yml to force building of the images

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Fix pushing to 1-x-dev docker tag

OK now we have the images building we should make sure that the main ones stays
dev and the release/v* ones become *-dev-*

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Apply suggestions from code review
2022-02-03 22:44:51 +01:00
zeripath
104c547d61
Fix manifest.tmpl (#18573)
A spurious {{/if}} appeared on the manifest.tmpl - this PR simply
removes this.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-02-03 09:51:01 +00:00
zeripath
bc77b28d9d
Make docker gitea/gitea:v1.16-dev etc refer to the latest build on that branch (#18551)
* Make docker gitea/gitea:v1.16-dev etc refer to the latest build on that branch

One of the problems with our current docker tagging is that although we
have strict version tags, latest and dev we do not have a way for docker
users to track the current release branch. This PR simply suggests that
we use the 1.x-dev tag for these and we build and push these. This will
give users who want or need unreleased bug fixes the option of tracking
the pre-release version instead of simply jumping to dev.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-02-03 09:47:27 +01:00
Michael Kriese
de05d71b40
In docker rootless use $GITEA_APP_INI if provided (#18524) 2022-02-01 20:18:57 +00:00
Gusted
5e5740af69
Switch to non-deprecation setting (#18358)
* Switch to non-deprecation setting
  (Avoid by-default: "Deprecated fallback `[server]` `LFS_CONTENT_PATH` present. Use `[lfs]` `PATH` instead. This fallback will be removed in v1.18.0")

* Update all references
2022-01-23 20:02:29 +01:00
Grzegorz Alibożek
4563148a61
Upgrade Alpine from 3.13 to 3.15 (#18050)
* Upgrade alpine to 3.15

* Add executability test to entrypoint for too old dockers

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update docker/rootless/usr/local/bin/docker-entrypoint.sh

Co-authored-by: zeripath <art27@cantab.net>
2022-01-19 16:55:17 -05:00
zeripath
7d0629adf8
Use shadowing script for docker (#17846)
Too many docker users are caught out by the default location for the
app.ini file being environment dependent so that when they docker exec
into the container the gitea commands do not work properly and require
additional -c arguments to correctly pick up the configuration.

This PR simply shadows the gitea binary using variants of the FHS
compatible script to make the command gitea have the default locations
by default.

Fix #14468
Reference #17497
Reference #12082
Reference #8941
... amongst others ...
Replace #17501

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-12-01 18:08:27 +00:00
techknowlogick
e180456983
Change docker tag logic (#16421)
* Change docker logic

* Apply suggestions from code review

Co-authored-by: Kyle D. <kdumontnu@gmail.com>

* docs

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: Kyle D. <kdumontnu@gmail.com>
2021-07-14 18:08:43 +01:00
luzpaz
e0296b6a6d
Fix various documentation, user-facing, and source comment typos (#16367)
* Fix various doc, user-facing, and source comment typos

Found via `codespell -q 3 -S ./options/locale,./vendor -L ba,pullrequest,pullrequests,readby`
2021-07-08 13:38:13 +02:00
zeripath
8947422781
Fix bug due to missing MaxStartups and MaxSessions (#16046)
Unforunately #16009 makes these settings mandatory. This PR uses the same technique
as used for the certificates to make these settings non-mandatory.

Fix #16044

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
2021-06-01 15:55:17 -04:00
Dario Louzado
5de01e21a1
Make sshd_config more flexible regarding connections (#16009)
* Make sshd_config more flexible regarding
MaxStartups and MaxSessions.

See https://man.openbsd.org/sshd_config
for more information.

* make property prefix equals
other existing Gitea SSH properties.

Co-authored-by: dlouzado <dlouzado@senado.leg.br>
2021-05-31 21:33:50 -04:00
zeripath
0ada74edbc
Only offer hostcertificates if they exist (#15849)
A common bug report is the otherwise harmless sshd logging:

```
Could not load host certificate "/data/ssh/ssh_host_ed25519_cert": No such file or directory
```

This PR simply checks if these files exist before creation of sshd_config and if
they do not exist, doesn't add a reference to them.

Fix #14110 amongst others.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2021-05-13 15:11:28 +03:00
Lauris BH
044cd4d016
Add reverse proxy configuration support for remote IP address (#14959)
* Add reverse proxy configuration support for remote IP address validation

* Trust all IP addresses in containerized environments by default

* Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-03-16 00:27:28 +02:00
Kyle D
61f347e349
Add environment-to-ini to docker image (#14762)
* Add environment-to-app.ini routine

* Call environment-to-ini in docker setup scripts

* Automatically convert section vars to lower case to match documentation

* Remove git patch instructions

* Add env variable documentation to Install Docker
2021-02-23 20:21:44 +01:00
Lunny Xiao
0cd87d64ff
Update docs and comments to remove macaron (#14491) 2021-01-29 16:35:30 +01:00
silverwind
bc455ed257
Set RUN_MODE prod by default (#13765)
I think it's a bad default to have "dev" as the default run mode which
enables debugging and now also disables HTTP caching. It's better to
just default to a value suitable for general deployments.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-11-30 14:52:04 -05:00
6543
e7b47c5215
Format files (#13698)
* align "make help"

* format

* untouch build/generate-svg.js

* untouch .eslintrc

* combine editorconfig's

* rm editorconfig

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-11-28 01:12:22 -05:00
Antoine GIRARD
bcb94ed589
fix docker rootless manifest (#13386) 2020-11-02 14:50:13 -05:00
Antoine GIRARD
563165abe4
Remove specific indexer path (#13388)
Co-authored-by: Lauris BH <lauris@nix.lv>
2020-11-01 18:34:38 -05:00
Antoine GIRARD
fe458ce877
docker: rootless image (#10154)
* docker: rootless image

* improve docs + remove check for write perm on custom

* add more info on ssh passtrough

* Add comment for internal ssh server in container config
2020-10-31 20:58:22 -04:00
Anders Eurenius Runvald
01f991ac88
Update sshd_config (#13143)
Afaik, adding these lines does nothing unless the file(s) are present. Having them in let's admins supply certs instead of relying on TOFU.

Co-authored-by: zeripath <art27@cantab.net>
2020-10-14 13:01:11 -04:00
Wim
9066d09c57
Add ssh certificate support (#12281)
* Add ssh certificate support

* Add ssh certificate support to builtin ssh

* Write trusted-user-ca-keys.pem based on configuration

* Update app.example.ini

* Update templates/user/settings/keys_principal.tmpl

Co-authored-by: silverwind <me@silverwind.io>

* Remove unused locale string

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* Add missing creation of SSH.Rootpath

* Update cheatsheet, example and locale strings

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

* Optimizations based on feedback

* Validate CA keys for external sshd

* Add filename option and change default filename

Add a SSH_TRUSTED_USER_CA_KEYS_FILENAME option which default is
RUN_USER/.ssh/gitea-trusted-user-ca-keys.pem

Do not write a file when SSH_TRUSTED_USER_CA_KEYS is empty.

Add some more documentation.

* Remove unneeded principalkey functions

* Add blank line

* Apply suggestions from code review

Co-authored-by: zeripath <art27@cantab.net>

* Add SSH_AUTHORIZED_PRINCIPALS_ALLOW option

This adds a SSH_AUTHORIZED_PRINCIPALS_ALLOW which is default
email,username this means that users only can add the principals
that match their email or username.

To allow anything the admin need to set the option anything.

This allows for a safe default in gitea which protects against malicious
users using other user's prinicipals. (before that user could set it).

This commit also has some small other fixes from the last code review.

* Rewrite principal keys file on user deletion

* Use correct rewrite method

* Set correct AuthorizedPrincipalsBackup default setting

* Rewrite principalsfile when adding principals

* Add update authorized_principals option to admin dashboard

* Handle non-primary emails

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Add the command actually to the dashboard template

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* By default do not show principal options unless there are CA keys set or they are explicitly set

Signed-off-by: Andrew Thornton <art27@cantab.net>

* allow settings when enabled

* Fix typos in TrustedUserCAKeys path

* Allow every CASignatureAlgorithms algorithm

As this depends on the content of TrustedUserCAKeys we should allow all
signature algorithms as admins can choose the specific algorithm on their
signing CA

* Update models/ssh_key.go

Co-authored-by: Lauris BH <lauris@nix.lv>

* Fix linting issue

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: techknowlogick <matti@mdranta.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-10-10 20:38:09 -04:00
zeripath
d65cd5677a
Change default log configuration (#13088)
* Change default log configuration

This PR changes the install page and the docker default
logging configuration to match the suggested configuration
that I repeatedly end up suggesting on issues.

It further improves the logging configuration docs to
recommend specific instructions for how to configure logs
for posting to issues.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update docs/content/doc/advanced/logging-documentation.en-us.md
2020-10-10 18:19:50 +03:00
zeripath
ea69ec6f0f
Disable DSA ssh keys by default (#13056)
* Disable DSA ssh keys by default

OpenSSH has disabled DSA keys since version 7.0

As the docker runs openssh > v7.0 we should just disable
DSA keys by default.

Refers to #11417

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Just disable DSA keys by default

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove DSA type

* Fix Tests

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2020-10-09 09:52:57 +03:00
Kevin Schweikert
f220286c00
Fix typo in README.md (#12369)
Changed Dockefile to Dockerfile
2020-07-29 09:29:51 -05:00
techknowlogick
366ca88eea
merge docker makefile into main one (#12289)
* merge docker makefile into main one

* add readme for docker folder

* don't include a file that doesn't exist anymore

Co-authored-by: Lauris BH <lauris@nix.lv>
2020-07-21 16:41:03 -04:00
Cirno the Strongest
594db7fb43
Fix missing CGO_EXTRA_FLAGS build arg for docker (#11782)
Co-authored-by: zeripath <art27@cantab.net>
2020-06-06 17:42:32 -04:00
Adrian POIGET
99082eebd7
Fix; declare DOMAIN variable for docker setup (#10780)
In the /install form, the value for SSH Server Domain is taken form the DOMAIN variable
and overwrites SSH_DOMAIN environment variable set the first time if nothing done

Co-authored-by: Adrian POIGET <adrian.poiget@viveris.fr>
2020-05-04 10:50:29 +01:00
Lunny Xiao
48be1889cd Fix latest docker image haven't include static files. (#9252)
* add warnging on docs

* fix docs
2019-12-05 12:18:28 -05:00
Antoine GIRARD
6e578dd0c9 docker: ask s6 to stop all service when gitea stop (#9171)
* fix: ask s6 to stop all service when gitea stop

https://github.com/just-containers/s6-overlay#writing-an-optional-finish-script

* change service folder
2019-11-27 13:08:57 -05:00
zeripath
0a96e59884 Fix #8453 by making openssh listen on SSH_LISTEN_PORT not SSH_PORT (#8477) 2019-10-12 23:45:00 +08:00
jpellegrini
852b8e2d81 Make AllowedUsers configurable in sshd_config (#8094)
docker/root/usr/bin/entrypoint already allows for the specification
of USER, USER_UID, USER_GID. But since AllowedUsers is hardcoded in
sshd_config, one cannot log in as a user different ftom git.
This change substitutes ${USER} for git in the sshd_config template.

Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>
2019-09-05 22:20:55 +02:00
leigh capili
70d2244e49 Support SSH_LISTEN_PORT env var in docker app.ini template (#7829)
Signed-off-by: leigh capili <leigh@null.net>
2019-08-24 01:44:24 +02:00
Antoine GIRARD
d4667a4949 drone/docker: prepare multi-arch release + provide arm64 image (#7571)
* drone/docker: prepare multi-arch release

* Add docker-linux-arm64 pipeline

* add arm 64 build to manifest

* tag dry-run + indent

* Fix notify dependency
2019-07-24 13:21:12 -04:00
Christopher Thomas
75d4414386 Implement the ability to change the ssh port to match what is in the gitea config (#7286)
* - rearrange the templates to make it more logical because now ssh_config is a template
- implemented the updating of the port to the same as the port sent to the gitea config

* change the filename back
2019-07-06 21:57:53 -04:00
Marat Radchenko
e07ff2f890 [docker] Add LFS_START_SERVER option to control git-lfs support (#7281) 2019-06-24 01:33:56 -04:00
Sergey Dryabzhinsky
3fd18838aa Repository avatars (#6986)
* Repository avatars

- first variant of code from old work for gogs
- add migration 87
- add new option in app.ini
- add en-US locale string
- add new class in repository.less

* Add changed index.css, remove unused template name

* Update en-us doc about configuration options

* Add comments to new functions, add new option to docker app.ini

* Add comment for lint

* Remove variable, not needed

* Fix formatting

* Update swagger api template

* Check if avatar exists

* Fix avatar link/path checks

* Typo

* TEXT column can't have a default value

* Fixes:

- remove old avatar file on upload
- use ID in name of avatar file - users may upload same files
- add simple tests

* Fix fmt check

* Generate PNG instead of "static" GIF

* More informative comment

* Fix error message

* Update avatar upload checks:

- add file size check
- add new option
- update config docs
- add new string to en-us locale

* Fixes:

- use FileHEader field for check file size
- add new test - upload big image

* Fix formatting

* Update comments

* Update log message

* Removed wrong style - not needed

* Use Sync2 to migrate

* Update repos list view

- bigger avatar
- fix html blocks alignment

* A little adjust avatar size

* Use small icons for explore/repo list

* Use new cool avatar preparation func by @lafriks

* Missing changes for new function

* Remove unused import, move imports

* Missed new option definition in app.ini

Add file size check in user/profile avatar upload

* Use smaller field length for Avatar

* Use session to update repo DB data, update DeleteAvatar - use session too

* Fix err variable definition

* As suggested @lafriks - return as soon as possible, code readability
2019-05-29 22:22:26 -04:00
Jakob Ackermann
36b68fdb01 [docker] support for custom GITEA_CUSTOM env var (#6608) 2019-05-13 18:19:37 -04:00
Jakob Ackermann
dab38c375d [docker] drop the docker Makefile from the image (#6507) 2019-05-05 22:49:32 -04:00
zeripath
8d0d7bc28d Make CustomPath, CustomConf and AppWorkPath configurable at build (#6631) 2019-04-29 14:08:21 -04:00
Jakob Ackermann
62b35964e3 [docker] let the ssh daemon speak for itself and drop the syslog daemon (#6529)
The sshd flag `-e` instructs sshd to output any logs to stderr instead
 of the syslog. Redirect this output to stdout then.

Signed-off-by: Jakob Ackermann <das7pad@outlook.com>
2019-04-16 21:08:25 -04:00
Jakob Ackermann
3f4e2d9d37 [docker] drop the bits argument when generating an ed25519 key (#6504)
From the man page of ssh-keygen:

  Ed25519 keys have a fixed length and the -b flag will be ignored.

[skip ci]

Signed-off-by: Jakob Ackermann <das7pad@outlook.com>
2019-04-04 08:09:38 +03:00