This document covers the configuration process for git.sr.ht.
gitsrht-periodic: The recommended configuration is */20 * * * * gitsrht-periodic.

As a repository hosting service, git.sr.ht requires a place for storing
repositories (we recommend /var/lib/git/). It also requires a git user who
has ownership over the repository storage location.
To allow users to upload artifacts to git repositories, an S3-compatible object
storage system may be set up and configured (separately from the repository
storage) before filling out the S3-related configuration options in your
config.ini.
It is necessary to configure git.sr.ht's SSH dispatcher as the system-wide SSH
authorization hook. In /etc/ssh/sshd_config, configure gitsrht-dispatch like
so:
    AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
    AuthorizedKeysCommandUser=root
    PermitUserEnvironment SRHT_*
sshd will invoke our dispatcher whenever a connection is made to the server
to obtain a list of authorized keys for the connecting user. The default
behavior is to read the .ssh/authorized_keys file from that user's HOME
directory, but the dispatcher can also "dispatch" to other authentication tools
for other users. This is used to authorize and perform git operations via
gitsrht-keys and gitsrht-shell. See the [dispatch] section of your
git.sr.ht configuration for details on how this works and how to configure it
for additional services (e.g. man.sr.ht).
Authorization logs are written to /var/log/gitsrht-dispatch and gitsrht-shell.
If you have any issues with dispatch, please make sure the git user is not
locked by setting a password for it, and also make sure you can otherwise SSH
into it.
git.sr.ht does not handle HTTP(S) cloning for you, so you'll need to set it up yourself with your web server. Here's an example Nginx configuration:
    location = /authorize {
        proxy_pass http://127.0.0.1:5001;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
        auth_request /authorize;
        root /var/lib/git;
        fastcgi_pass unix:/run/fcgiwrap.sock;
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param GIT_PROJECT_ROOT $document_root;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        include fastcgi_params;
        gzip off;
    }
It is important that you set up the /authorize endpoint to enforce the
privacy of private repositories.
If you don't have /run/fcgiwrap.sock on your system, you'll need to install
the fcgiwrap package.
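One way to check the /authorize requirement above, as an added example that is not part of git.sr.ht: this script lists nginx location blocks that pass requests to git-http-backend without an auth_request directive guarding them. The function name check_git_http_auth and the sample configuration are constructed for illustration; it assumes one directive per line, no nested blocks inside a location, and auth_request set in the location itself.

```sh
#!/bin/sh
# Added example (not from the git.sr.ht project).
# Reports nginx location blocks that hand requests to git-http-backend
# without an auth_request subrequest guarding them.
# Assumptions: one directive per line, no nested blocks inside a location,
# and auth_request set in the location itself (inherited values are not seen).
check_git_http_auth() {
    awk '
        function finish() {
            if (backend && !guarded) { print "unguarded: " header; bad = 1 }
        }
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*location[ \t]/ && !inloc {         # a location block opens
            inloc = 1; header = $0; backend = 0; guarded = 0
            sub(/^[ \t]+/, "", header); sub(/[ \t]*[{][ \t]*$/, "", header)
            next
        }
        inloc && /git-http-backend/ { backend = 1 }
        inloc && /^[ \t]*auth_request[ \t]+[^ \t;]+[ \t]*;/ {
            # "auth_request off;" disables the check, so it does not count
            guarded = ($2 != "off;" && $2 != "off")
        }
        inloc && /^[ \t]*[}]/ { finish(); inloc = 0 }
        END { if (inloc) finish(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the clone location has auth_request switched off.
demo=$(mktemp)
cat > "$demo" <<'EOF'
location = /authorize {
    proxy_pass http://127.0.0.1:5001;
}
location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs).*$ {
    auth_request off;
    fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
}
EOF
check_git_http_auth "$demo" || echo "fix the locations listed above"
rm -f "$demo"
```

The function returns non-zero when any git-http-backend location is unguarded, so it can gate a configuration deploy alongside nginx -t.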
commit 64dd454d025e91c76405cd1d04f51ea8e7a4f6a7 Author: wheezard <90904039+wheezard@users.noreply.github.com> Date: 2024-09-07T05:46:36+04:00 man: fixed a typo (missing closing parenthesis)