git-shell-verify: only check read-only mode for receive-pack
[girocco.git] / Girocco / Config.pm
blob3d1123b5d93e632b165f301df80f4c7a331e4386
1 package Girocco::Config;
3 use strict;
4 use warnings;
8 ## --------------
9 ## Basic settings
10 ## --------------
13 # Name of the service (typically a single word or a domain name)
14 # (no spaces allowed)
15 our $name = "GiroccoEx";
17 # Nickname of the service (undef for initial part of $name upto first '.')
18 # (no spaces allowed)
19 our $nickname = undef;
21 # Title of the service (as shown in gitweb)
22 # (may contain spaces)
23 our $title = "Example Girocco Hosting";
25 # Path to the Git binary to use (you MUST set this, even if to /usr/bin/git!)
26 our $git_bin = '/usr/bin/git';
28 # Path to the git-daemon binary to use (undef to use default)
29 # If $gitpullurl is undef this will never be used (assuming no git inetd
30 # service has been set up in that case).
31 # The default if this is undef is `$git_bin --exec-path`/git-daemon
32 our $git_daemon_bin = undef;
34 # Path to the git-http-backend binary to use (undef to use default)
35 # If both $httppullurl and $httpspushurl are undef this will never be used
36 # The default if this is undef is `$git_bin --exec-path`/git-http-backend
37 our $git_http_backend_bin = undef;
39 # Name (if in $PATH) or full path to netcat executable that accepts a -U option
40 # to connect to a unix socket. This may simply be 'nc' on many systems.
41 # See the ../src/dragonfly/README file for a DragonFly BSD nc with -U support.
42 # For a Linux-like system try installing the 'netcat-openbsd' package.
43 our $nc_openbsd_bin = 'nc.openbsd';
45 # Path to POSIX sh executable to use. Set to undef to use /bin/sh
46 our $posix_sh_bin = undef;
48 # Path to Perl executable to use. Set to undef to use Perl found in $PATH
49 our $perl_bin = undef;
51 # Path to gzip executable to use. Set to undef to use gzip found in $PATH
52 our $gzip_bin = undef;
54 # Path to OpenSSL/LibreSSL executable to use.
55 # Set to undef to use openssl found in $PATH
56 # Not used unless $httpspushurl is defined
57 our $openssl_bin = undef;
59 # Path to the sendmail instance to use. It should understand the -f <from>, -i and -t
60 # options as well as accepting a list of recipient addresses in order to be used here.
61 # You MUST set this, even if to '/usr/sbin/sendmail'!
62 # Setting this to 'sendmail.pl' is special and will automatically be expanded to
63 # a full path to the ../bin/sendmail.pl executable in this Girocco installation.
64 # sendmail.pl is a sendmail-compatible script that delivers the message directly
65 # using SMTP to a mail relay host. This is the recommended configuration as it
66 # minimizes the information exposed to recipients (no sender account names or uids),
67 # can talk to an SMTP server on another host (eliminating the need for a working
68 # sendmail and/or SMTP server on this host) and avoids any unwanted address rewriting.
69 # By default it expects the mail relay to be listening on localhost port 25.
70 # See the sendmail.pl section below for more information on configuring sendmail.pl.
71 our $sendmail_bin = 'sendmail.pl';
73 # E-mail of the site admin
74 our $admin = 'admin@example.org';
76 # Sender of emails
77 # This is the SMTP 'MAIL FROM:' value
78 # It will be passed to $sendmail_bin with the -f option
79 # Some sites may not allow non-privileged users to pass the -f option to
80 # $sendmail_bin. In that case set this to undef and no -f option will be
81 # passed which means the 'MAIL FROM:' value will be the user the mail is
82 # sent as (either $cgi_user or $mirror_user depending on the activity).
83 # To avoid having bounce emails go to $admin, this may be set to something
84 # else such as 'admin-noreply@example.org' and then the 'admin-noreply' address
85 # may be redirected to /dev/null. Setting this to '' or '<>' is not
86 # recommended because that will likely cause the emails to be marked as SPAM
87 # by the receiver's SPAM filter. If $sendmail_bin is set to 'sendmail.pl' this
88 # value must be acceptable to the receiving SMTP server as a 'MAIL FROM:' value.
89 # If this is set to undef and 'sendmail.pl' is used, the 'MAIL FROM:' value will
90 # be the user the mail is sent as (either $cgi_user or $mirror_user).
91 our $sender = $admin;
93 # Copy $admin on failure/recovery messages?
94 our $admincc = 1;
96 # Girocco branch to use for html.cgi view source links (undef for HEAD)
97 our $giroccobranch = undef;
99 # PATH adjustments
100 # If the PATH needs to be customized to find required executables on
101 # the system, it can be done here.
102 # IMPORTANT: If PATH is NOT set here,
103 # it *will* be set to `/usr/bin/getconf PATH`!
104 # To keep whatever PATH is in effect when Girocco is installed use:
105 #$ENV{PATH} = $ENV{PATH};
106 # To add /usr/local/bin to the standard PATH, use something like this:
107 #use Girocco::Dumper qw(GetConfPath);
108 #$ENV{PATH} = GetConfPath().":/usr/local/bin";
112 ## ----------------------
113 ## Git user agent strings
114 ## ----------------------
117 # Git clients (i.e. fetch/clone) always send a user agent string when fetching
118 # over HTTP. Since version 1.7.12.1 an 'agent=' capability string is included
119 # as well which affects git:, smart HTTP and ssh: protocols.
121 # These settings allow the default user agent string to be changed independently
122 # for fetch/clone operations (only matters if $mirror is true) and server
123 # operations (some other Git client fetching from us). Note that it is not
124 # possible to suppress the capability entirely although it can be set to an
125 # empty string. If these values are not set, the default user agent string
126 # will be used. Typically (unless Git was built with non-standard options) the
127 # default is "git/" plus the version. So for example "git/1.8.5.6" or
128 # "git/2.1.4" might be seen.
130 # One might want to change the default user agent strings in order to prevent
131 # an attacker from learning the exact Git version being used to avoid being
132 # able to quickly target any version-specific vulnerabilities. Note that
133 # no matter what's set here, an attacker can easily determine whether a server
134 # is running JGit, libgit2 or Git and for Git whether it's version 1.7.12.1 or
135 # later. A reasonable value to hide the exact Git version number while
136 # remaining compatible with servers that require a "Git/" user agent string
137 # would be something like "git/2" or even just "git/".
139 # The GIT_USER_AGENT value to use when acting as a client (i.e. clone/fetch)
140 # This value is only used if $mirror is true and at least one mirror is set up.
141 # Setting this to the empty string will suppress the HTTP User-Agent header,
142 # but will still include an "agent=" capability in the packet protocol. The
143 # empty string is not recommended because some servers match on "git/".
144 # Leave undef to use the default Git user agent string
145 # IMPORTANT: some server sites will refuse to serve up Git repositories unless
146 # the client user agent string contains "Git/" (matched case insensitively)!
147 our $git_client_ua = undef;
149 # The GIT_USER_AGENT value to use when acting as a server (i.e. some Git client
150 # is fetching/cloning from us).
151 # Leave undef to use the default Git user agent string
152 our $git_server_ua = undef;
156 ## -------------
157 ## Feature knobs
158 ## -------------
161 # Enable mirroring mode if true (see "Foreign VCS mirrors" section below)
162 our $mirror = 1;
164 # Enable push mode if true
165 our $push = 1;
167 # If both $mirror and $push are enabled, setting this to 'mirror' pre-selects
168 # mirror mode on the initial regproj display, otherwise 'push' mode will be
169 # pre-selected. When forking the initial mode will be 'push' if $push enabled.
170 our $initial_regproj_mode = 'mirror';
172 # Enable user management if true; this means the interface for registering
173 # user accounts and uploading SSH keys. This implies full chroot.
174 our $manage_users = 1;
176 # Minimum key length (in bits) for uploaded SSH RSA/DSA keys.
177 # If this is not set (i.e. undef) keys as small as 512 bits will be allowed.
178 # Nowadays keys less than 2048 bits in length should probably not be allowed.
179 # Note, however, that versions of OpenSSH starting with 4.3p1 will only generate
180 # DSA keys of exactly 1024 bits in length even though that length is no longer
181 # recommended. (OpenSSL can be used to generate DSA keys with lengths > 1024.)
182 # OpenSSH does not have any problem generating RSA keys longer than 1024 bits.
183 # This setting is only checked when new keys are added so setting it/increasing it
184 # will not affect existing keys. For maximum compatibility a value of 1024 may
185 # be used however 2048 is recommended. Setting it to anything other than 1024,
186 # 2048 or 3072 may have the side effect of making it very difficult to generate
187 # DSA keys that satisfy the restriction (but RSA keys should not be a problem).
188 # Note that no matter what setting is specified here keys smaller than 512 bits
189 # will never be allowed via the reguser.cgi/edituser.cgi interface.
190 # RECOMMENDED VALUE: 2048 (ok) or 3072 (better)
191 our $min_key_length = 3072;
193 # Disable DSA public keys?
195 # If this is set to 1, adding DSA keys at reguser.cgi/edituser.cgi time will be
196 # prohibited. If $pushurl is undef then this is implicitly set to 1 since DSA
197 # keys are not usable with https push.
199 # OpenSSH will only generate 1024 bit DSA keys starting with version 4.3p1.
200 # Even if OpenSSL is used to generate a longer DSA key (which can then be used
201 # with OpenSSH), the SSH protocol itself still forces use of SHA-1 in the DSA
202 # signature blob which tends to defeat the purpose of going to a longer key in
203 # the first place. So it may be better from a security standpoint to simply
204 # disable DSA keys especially if $min_key_length and $rsakeylength have been set
205 # to something higher such as 3072 or 4096.
207 # This setting is only checked when new keys are added so changing it will not
208 # affect existing keys. There is no way to disable DSA keys in the sshd_config
209 # file of older versions of the OpenSSH server, but newer versions of OpenSSH
210 # WILL DISABLE DSA KEYS BY DEFAULT!
212 # IMPORTANT: If you do enable DSA keys ($disable_dsa is set to 0) and you are
213 # using a more recent version of the OpenSSH server software in the
214 # chroot jail, you MUST manually ADD the following line
215 # (the "+" IS REQUIRED) to the $chroot/j/etc/ssh/sshd_config file
216 # otherwise dsa keys WILL NOT BE ACCEPTED!
218 # PubkeyAcceptedKeyTypes +ssh-dss
220 # If this is set to 1, no ssh_host_dsa_key will be generated or used with the
221 # sshd running in the jail (but if the sshd_config has already been generated
222 # in the jail, it must be removed and 'sudo make install' run again or otherwise
223 # the sshd_config needs to be edited by hand for the change to take effect).
225 # RECOMMENDED VALUE: 1
226 our $disable_dsa = 1;
228 # Enable the special 'mob' user if set to 'mob'
229 our $mob = "mob";
231 # Let users set admin passwords; if false, all password inputs are assumed empty.
232 # This will make new projects use empty passwords and all operations on them
233 # unrestricted, but you will be able to do no operations on previously created
234 # projects you have set a password on.
235 our $project_passwords = 1;
237 # How to determine project owner; 'email' adds a form item asking for their
238 # email contact, 'source' takes realname of owner of source repository if it
239 # is a local path (and empty string otherwise). 'source' is suitable in case
240 # the site operates only as mirror of purely local-filesystem repositories.
241 our $project_owners = 'email';
243 # Which project fields to make editable, out of 'shortdesc', 'homepage', 'README',
244 # 'cleanmirror', 'notifymail', 'reverseorder', 'summaryonly', 'notifytag' and 'notifyjson'
245 # 'notifycia' was used by the now defunct CIA service and while allowing it to
246 # be edited does work and the value is saved, the value is totally ignored by Girocco
247 our @project_fields = qw(cleanmirror homepage shortdesc README notifymail reverseorder summaryonly notifytag notifyjson);
249 # Which project fields to protect -- they will first require the project
250 # password to be entered before they can even be viewed on the editproj page
251 our $protect_fields = {map({$_ => 1} qw(notifymail notifytag notifyjson))};
253 # Registration/Edit expiration time
254 # The registration form must be completed within this amount of time
255 # or it will time out and require starting over. The project edit page
256 # must be submitted within this amount of time or it will time out and
257 # require starting over.
258 our $project_edit_timeout = 1800; # 30 minutes
260 # Minimal number of seconds to pass between two updates of a project.
261 our $min_mirror_interval = 3600; # 1 hour
263 # Minimal number of seconds to pass between two garbage collections of a project.
264 our $min_gc_interval = 604800; # 1 week
266 # Minimal number of seconds to pass after first failure before sending failure email.
267 # A mirror update failed message will not be sent until mirror updates have been
268 # failing for at least this long. Set to 0 to send a failure message right away
269 # (provided the $min_mirror_failure_message_count condition has been met).
270 our $min_mirror_failure_message_interval = 216000; # 2.5 days
272 # Minimal number of consecutive failures required before sending failure email.
273 # A mirror update failed message will not be sent until mirror updates have failed
274 # for this many consecutive updates. Set to 0 to send a failure message right away
275 # (provided the $min_mirror_failure_message_interval condition has been met).
276 our $min_mirror_failure_message_count = 3;
278 # Maximum window memory size when repacking. If this is set, it will be used
279 # instead of the automatically computed value if it's less than that value.
280 # May use a 'k', 'm', or 'g' suffix otherwise value is in bytes.
281 our $max_gc_window_memory_size = undef;
283 # Maximum big file threshold size when repacking. If this is set, it will be
284 # used instead of the automatically computed value if it's less than that value.
285 # May use a 'k', 'm', or 'g' suffix otherwise value is in bytes.
286 our $max_gc_big_file_threshold_size = undef;
288 # Whether or not to run the ../bin/update-pwd-db script whenever the etc/passwd
289 # database is changed. This is typically needed (i.e. set to a true value) for
290 # FreeBSD style systems when using an sshd chroot jail for push access. So if
291 # $pushurl is undef or the system Girocco is running on is not like FreeBSD
292 # (e.g. a master.passwd file that must be transformed into pwd.db and spwd.db), then
293 # this setting should normally be left false (i.e. 0). See comments in the
294 # provided ../bin/update-pwd-db script about when and how it's invoked.
295 our $update_pwd_db = 0;
297 # Port the sshd running in the jail should listen on
298 # Be sure to update $pushurl to match
299 # Not used if $pushurl is undef
300 our $sshd_jail_port = 22;
302 # If this is true then host names used in mirror source URLs will be checked
303 # and any that are not DNS names (i.e. IPv4 or IPv6) or match one of the DNS
304 # host names in any of the URL settings below will be rejected.
305 our $restrict_mirror_hosts = 1;
307 # If $restrict_mirror_hosts is enabled this is the minimum number of labels
308 # required in a valid dns name. Normally 2 is the correct value, but if
309 # Girocco is being used internally where a common default or search domain
310 # is set for everyone then this should be changed to 1 to allow a dns name
311 # with a single label in it. No matter what is set here at least 1 label
312 # is always required when $restrict_mirror_hosts is enabled.
313 our $min_dns_labels = 2;
315 # If defined, pass this value to format-readme as its `-m` option
316 # When format-readme is formatting an automatic readme, it will skip
317 # anything larger than this. The default is 32768 if unset.
318 # See `bin/format-readme -h` for details.
319 our $max_readme_size = undef;
321 # Maximum size of any single email sent by mail.sh in K (1024-byte) units
322 # If message is larger it will be truncated with a "...e-mail trimmed" line
323 # RECOMMENDED VALUE: 256 - 5120 (.25M - 5M)
324 our $mailsh_sizelimit = 512;
328 ## ----------------------
329 ## Miscellaneous Settings
330 ## ----------------------
333 # When creating a push project the initial branch will, by default, be
334 # set to refs/heads/$initial_branch even on Git versions that do not have
335 # support for `git init --initial-branch=$initial_branch`.
336 # If this value is unset or invalid the default initial branch will always
337 # be "master". Note that this only applies to newly created "push" projects;
338 # mirror projects and "adopted" projects ignore this setting.
339 # Set the $empty_commit_message setting to make this setting truly take effect.
340 # RECOMMENDED VALUE: whatever-your-favored-initial-branch-name-is
341 #our $initial_branch = "supercalifragilisticexpialidocious";
342 #our $initial_branch = "frabjous";
343 our $initial_branch = undef;
345 # When creating a new push project, if this is DEFINED to any value (including
346 # the empty string), then an initial empty commit will be added to the newly
347 # created push project that has an empty tree and contains the $empty_commit_message
348 # as its commit message. By doing so, the initial branch will NOT be unborn and
349 # as a result, when cloning such a project the clone WILL respect the $initial_branch
350 # setting and set up its HEAD symbolic-ref to match. Since the initial commit will
351 # have an empty tree it should be no less convenient than cloning a project with an
352 # unborn initial branch. In fact, it should be more convenient as the expected
353 # $initial_branch will be checked out rather than whatever random initial branch the
354 # client might otherwise be inclined to set up for a newly initialized empty project.
355 # Defining this will also suppress the "You appear to have cloned an empty repository."
356 # message that would otherwise be generated by the Git client when cloning a newly
357 # created push project since the project will no longer technically be "empty".
358 # RECOMMENDED VALUE: defined if the $initial_branch setting should be respected
359 #our $empty_commit_message = "create project";
360 #our $empty_commit_message = "initial empty commit";
361 #our $empty_commit_message = "initial commit\n\ngit add ...\ngit commit\ngit push";
362 #our $empty_commit_message = "";
363 our $empty_commit_message = undef;
367 ## -------------------
368 ## Foreign VCS mirrors
369 ## -------------------
372 # Note that if any of these settings are changed from true to false, then
373 # any pre-existing mirrors using the now-disabled foreign VCS will stop
374 # updating, new mirrors using the now-disabled foreign VCS will be disallowed
375 # and attempts to update ANY project settings for a pre-existing project that
376 # uses a now-disabled foreign VCS source URL will also be disallowed.
378 # If $mirror is true and $mirror_svn is true then mirrors from svn source
379 # repositories will be allowed (and be converted to Git). These URLs have
380 # the form svn://... or svn+http://... or svn+https://...
381 # Since this functionality makes use of the "git svn" command and is maintained
382 # with Git, it tends to be kept up-to-date and highly usable.
383 # Note that for this to work the "svn" command line command must be available
384 # in PATH and the "git svn" commands must work (which generally requires both
385 # Perl and the subversion perl bindings be installed).
386 # RECOMMENDED VALUE: 1 (if the necessary prerequisites are installed)
387 our $mirror_svn = 1;
389 # Prior to Git v1.5.1, git-svn always used a log window size of 1000.
390 # Starting with Git v1.5.1, git-svn defaults to using a log window size of 100
391 # and provides a --log-window-size= option to change it. Starting with Git
392 # v2.2.0, git-svn disconnects and reconnects to the server every log window size
393 # interval to attempt to reduce memory use by git-svn. If $svn_log_window_size
394 # is undefined, Girocco will use a log window size of 250 (instead of the
395 # the default 100). If $svn_log_window_size is set, Girocco will use that
396 # value instead. Beware that setting it too low (i.e. < 50) will almost
397 # certainly cause performance issues if not failures. Unless there are concerns
398 # about git-svn memory use on a server with extremely limited memory, the
399 # value of 250 that Girocco uses by default should be fine. Obviously if
400 # $mirror or $mirror_svn is false this setting is irrelevant.
401 our $svn_log_window_size = undef;
403 # If $mirror is true and $mirror_darcs is true then mirrors from darcs source
404 # repositories will be allowed (and be converted to Git). These URLs have
405 # the form darcs+http://... darcs+https://... (and deprecated darcs://...)
406 # Note that for this to work the "darcs" command line command must be available
407 # in PATH and so must python (required to run the darcs-fast-export script).
408 # This support depends on items updated separately from Git and which may easily
409 # become out-of-date or incompatible (e.g. new python version).
410 # NOTE: If this is set to 0, the girocco-darcs-fast-export.git
411 # submodule need not be initialized or checked out.
412 # RECOMMENDED VALUE: 0 (unless you have a need to mirror darcs repos)
413 our $mirror_darcs = 0;
415 # If $mirror is true and $mirror_bzr is true then mirrors from bzr source
416 # repositories will be allowed (and be converted to Git). These URLs have
417 # the form bzr://...
418 # Note that for this to work the "bzr" command line command must be available
419 # in PATH (it's a python script so python is required as well).
420 # This support depends on items updated separately from Git and which may easily
421 # become out-of-date or incompatible (e.g. new python version).
422 # RECOMMENDED VALUE: 0 (unless you have a need to mirror bzr repos)
423 our $mirror_bzr = 0;
425 # If $mirror is true and $mirror_hg is true then mirrors from hg source
426 # repositories will be allowed (and be converted to Git). These URLs have
427 # the form hg+http://... or hg+https://...
428 # Note that for this to work the "hg" command line command must be available
429 # in PATH and so must python (required to run the hg-fast-export.py script).
430 # Note that if the PYTHON environment variable is set that will be used instead
431 # of just plain "python" to run the hg-fast-export.py script (which needs to
432 # be able to import from mercurial). Currently the hg-fast-export.py script
433 # used for this feature is likely incompatible with python 3 or later.
434 # Repositories created via this facility may need to be "reset" if the upstream
435 # hg repository moves the tip revision backwards and creates "unnamed heads".
436 # This support depends on items updated separately from Git and which may easily
437 # become out-of-date or incompatible (e.g. new python version).
438 # NOTE: If this is set to 0, the girocco-hg-fast-export.git
439 # submodule need not be initialized or checked out.
440 # RECOMMENDED VALUE: 0 (unless you have a need to mirror hg repos)
441 our $mirror_hg = 0;
445 ## -----
446 ## Paths
447 ## -----
450 # Path where the main chunk of Girocco files will be installed
451 # This will get COMPLETELY OVERWRITTEN by each make install!!!
452 # MUST be an absolute path
453 our $basedir = '/home/repo/repomgr';
455 # Path where the automatically generated non-user certificates will be stored
456 # (The per-user certificates are always stored in $chroot/etc/sshcerts/)
457 # This is preserved by each make install and MUST NOT be under $basedir!
458 # The secrets used to generate TimedTokens are also stored in here.
459 # MUST be an absolute path
460 our $certsdir = '/home/repo/certs';
462 # The repository collection
463 # "$reporoot/_recyclebin" will also be created for use by toolbox/trash-project.pl
464 # MUST be an absolute path
465 our $reporoot = "/srv/git";
467 # The repository collection's location within the chroot jail
468 # Normally $reporoot will be bind mounted onto $chroot/$jailreporoot
469 # Should NOT start with '/'
470 our $jailreporoot = "srv/git";
472 # The chroot for ssh pushing; location for project database and other run-time
473 # data even in non-chroot setups
474 # MUST be an absolute path
475 our $chroot = "/home/repo/j";
477 # An installation that will never run a chrooted sshd should set this
478 # to a true value (e.g. 1) to guarantee that jailsetup for a chrooted
479 # sshd never takes place no matter what user runs `make install`.
480 # Note that the "jailsetup.sh" script will still run to do the database
481 # setup that's stored in $chroot regardless of this setting, it will just
482 # always run in "dbonly" mode when this setting is true.
483 our $disable_jailsetup = 0;
485 # The gitweb files web directory (corresponds to $gitwebfiles)
486 # Note that it is safe to place this under $basedir since it's set up after
487 # $basedir is completely replaced during install time. Be WARNED, however,
488 # that normally the install process only adds/replaces things in $webroot,
489 # but if $webroot is under $basedir then it will be completely removed and
490 # rebuilt each time "make install" is run. This will make gitweb/git-browser
491 # web services very briefly unavailable while this is happening.
492 # MUST be an absolute path
493 our $webroot = "/home/repo/www";
495 # The CGI-enabled web directory (corresponds to $gitweburl and $webadmurl)
496 # This will not be web-accessible except that if any aliases point to
497 # a *.cgi file in here it will be allowed to run as a cgi-script.
498 # Note that it is safe to place this under $basedir since it's set up after
499 # $basedir is completely replaced during install time. Be WARNED, however,
500 # that normally the install process only adds/replaces things in $cgiroot,
501 # but if $cgiroot is under $basedir then it will be completely removed and
502 # rebuilt each time "make install" is run. This will make gitweb/git-browser
503 # web services very briefly unavailable while this is happening.
504 # MUST be an absolute path
505 our $cgiroot = "/home/repo/cgibin";
507 # A web-accessible symlink to $reporoot (corresponds to $httppullurl, can be undef)
508 # If using the sample apache.conf (with paths suitably updated) this is not required
509 # to serve either smart or non-smart HTTP repositories to the Git client
510 # MUST be an absolute path if not undef
511 our $webreporoot = "/home/repo/www/r";
513 # The location to store the project list cache, gitweb project list and gitweb
514 # cache file. Normally this should not be changed. Note that it must be in
515 # a directory that is writable by $mirror_user and $cgi_user (just in case the
516 # cache file is missing). The directory should have its group set to $owning_group.
517 # Again, this setting should not normally need to be changed.
518 # MUST be an absolute path
519 our $projlist_cache_dir = "$chroot/etc";
523 ## ----------------------------------------------------
524 ## Certificates (only used if $httpspushurl is defined)
525 ## ----------------------------------------------------
528 # path to root certificate (undef to use automatic root cert)
529 # this certificate is made available for easy download and should be whatever
530 # the root certificate is for the https certificate being used by the web server
531 our $rootcert = undef;
533 # The certificate to sign user push client authentication certificates with (undef for auto)
534 # The automatically generated certificate should always be fine
535 our $clientcert = undef;
537 # The private key for $clientcert (undef for auto)
538 # The automatically generated key should always be fine
539 our $clientkey = undef;
541 # The client certificate chain suffix (a pemseq file to append to user client certs) (undef for auto)
542 # The automatically generated chain should always be fine
543 # This suffix will also be appended to the $mobusercert before making it available for download
544 our $clientcertsuffix = undef;
546 # The mob user certificate signed by $clientcert (undef for auto)
547 # The automatically generated certificate should always be fine
548 # Not used unless $mob is set to 'mob'
549 # The $clientcertsuffix will be appended before making $mobusercert available for download
550 our $mobusercert = undef;
552 # The private key for $mobusercert (undef for auto)
553 # The automatically generated key should always be fine
554 # Not used unless $mob is set to 'mob'
555 our $mobuserkey = undef;
557 # Server alt names to embed in the auto-generated girocco_www_crt.pem certificate.
558 # The common name (CN) in the server certificate is the host name from $httpspushurl.
559 # By default no server alt names are embedded (not even the host from $httpspushurl).
560 # If the web server configuration is not using this auto-generated server certificate
561 # then the values set here will have no impact and this setting can be ignored.
562 # To embed server alternative names, list each (separated by spaces). The names
563 # may be DNS names, IPv4 addresses or IPv6 addresses (NO surrounding '[' ']' please).
564 # If ANY DNS names are included here be sure to also include the host name from
565 # the $httpspushurl or else standards-conforming clients will fail with a host name
566 # mismatch error when they attempt to verify the connection.
567 #our $wwwcertaltnames = 'example.com www.example.com git.example.com 127.0.0.1 ::1';
568 our $wwwcertaltnames = undef;
570 # The key length for automatically generated RSA private keys (in bits).
571 # These keys are then used to create the automatically generated certificates.
572 # If undef or set to a value less than 2048, then 2048 will be used.
573 # Set to 3072 to generate more secure keys/certificates. Set to 4096 (or higher) for
574 # even greater security. Be warned that setting to a non-multiple of 8 and/or greater
575 # than 4096 could negatively impact compatibility with some clients.
576 # The values 2048, 3072 and 4096 are expected to be compatible with all clients.
577 # Note that OpenSSL has no problem with > 4096 or non-multiple of 8 lengths.
578 # See also the $min_key_length setting above to restrict user key sizes.
579 # This value is also used when generating the ssh_host_rsa_key for the chroot jail sshd.
580 # RECOMMENDED VALUE: 3072
581 our $rsakeylength = 3072;
585 ## -------------
586 ## URL addresses
587 ## -------------
590 # URL of the gitweb.cgi script (must be in pathinfo mode). If the sample
591 # apache.conf configuration is used, the trailing "/w" is optional.
592 our $gitweburl = "http://repo.or.cz/w";
594 # URL of the extra gitweb files (CSS, .js files, images, ...)
595 our $gitwebfiles = "http://repo.or.cz";
597 # URL of the Girocco CGI web admin interface (Girocco cgi/ subdirectory)
598 # e.g. reguser.cgi, edituser.cgi, regproj.cgi, editproj.cgi etc.
599 our $webadmurl = "http://repo.or.cz";
601 # URL of the Girocco CGI bundles information generator (Girocco cgi/bundles.cgi)
602 # If the sample apache.conf configuration is used, the trailing "/b" is optional.
603 # This is different from $httpbundleurl. This URL lists all available bundles
604 # for a project and returns that as an HTML page.
605 our $bundlesurl = "http://repo.or.cz/b";
607 # URL of the Girocco CGI html templater (Girocco cgi/html.cgi)
608 # If mod_rewrite is enabled and the sample apache.conf configuration is used,
609 # the trailing "/h" is optional when the template file name ends in ".html"
610 # (which all the provided ones do).
611 our $htmlurl = "http://repo.or.cz/h";
613 # HTTP URL of the repository collection (undef if N/A)
614 # If the sample apache.conf configuration is used, the trailing "/r" is optional.
615 our $httppullurl = "http://repo.or.cz/r";
617 # HTTP URL of the repository collection when fetching a bundle (undef if N/A)
618 # Normally this will be the same as $httppullurl, but note that the bundle
619 # fetching logic is located in git-http-backend-verify so whatever URL is
620 # given here MUST end up running the git-http-backend-verify script!
621 # For example, if we're fetching the 'clone.bundle' for the 'girocco.git'
622 # repository, the final URL will be "$httpbundleurl/girocco.git/clone.bundle"
623 # If the sample apache.conf configuration is used, the trailing "/r" is optional.
624 # This is different from $bundlesurl. This URL fetches a single Git-format
625 # .bundle file that is only usable with the 'git bundle' command.
626 our $httpbundleurl = "http://repo.or.cz/r";
628 # HTTPS push URL of the repository collection (undef if N/A)
629 # If this is defined, the openssl command must be available
630 # The sample apache.conf configuration requires mod_ssl, mod_authn_anon and
631 # mod_rewrite be enabled to support https push operations.
632 # Normally this should be set to $httppullurl with http: replaced with https:
633 # If the sample apache.conf configuration is used, the trailing "/r" is optional.
634 our $httpspushurl = undef;
636 # Git URL of the repository collection (undef if N/A)
637 # (You need to set up git-daemon on your system, and Girocco will not
638 # do this particular thing for you.)
639 our $gitpullurl = "git://repo.or.cz";
641 # Pushy SSH URL of the repository collection (undef if N/A)
642 # Note that the "/$jailreporoot" portion is optional and will be automatically
643 # added if appropriate when omitted by the client so this URL can typically
644 # be made the same as $gitpullurl with git: replaced with ssh:
645 our $pushurl = "ssh://repo.or.cz/$jailreporoot";
647 # URL of gitweb of this Girocco instance (set to undef if you're not nice
648 # to the community)
649 our $giroccourl = "$Girocco::Config::gitweburl/girocco.git";
653 ## -------------------
654 ## Web server controls
655 ## -------------------
658 # If true then non-smart HTTP access will be disabled
659 # There's normally no reason to leave non-smart HTTP access enabled
660 # since downloadable bundles are provided. However, in case the
661 # non-smart HTTP access is needed for some reason, this can be set to undef or 0.
662 # This affects access via http: AND https: and processing of apache.conf.in.
663 # Note that this setting does not affect gitweb, ssh: or git: URL access in any way.
664 # RECOMMENDED VALUE: 1
665 our $SmartHTTPOnly = 1;
667 # If true, the https <VirtualHost ...> section in apache.conf.in will be
668 # automatically enabled when it's converted to apache.conf by the conversion
669 # script. Do NOT enable this unless the required Apache modules are present
670 # and loaded (mod_ssl, mod_rewrite, mod_authn_anon) AND $httpspushurl is
671 # defined above otherwise the server will fail to start (with various errors)
672 # when the resulting apache.conf is used.
673 our $TLSHost = 0;
675 # If true, the information about configuring a Git client to trust
676 # a Girocco-generated TLS root will be suppressed presuming that some other
677 # means (such as LetsEncrypt.org) has been used to generate a TLS web
678 # certificate signed by a pre-trusted root. This does NOT affect the
679 # information on how to configure https push certificates as those are still
680 # required in order to push over https regardless of what web server certificate
681 # may be in use.
682 # RECOMMENDED VALUE: 0 (for girocco-generated root & server certificates)
683 # RECOMMENDED VALUE: 1 (for LetsEncrypt etc. generated server certificates)
684 our $pretrustedroot = 0;
688 ## ------------------------
689 ## Lighttpd server controls
690 ## ------------------------
693 # Of course, the lighttp.conf.in file can be edited directly, but these
694 # settings allow it to contain conditional sections that show how the
695 # various configurations can be achieved.
697 # If lighttpd will not be used, these settings can be ignored.
699 # N.B. The lighttpd.conf.in file MUST be edited if lighttpd should listen
700 # on ports other than 80 (http) and 443 (https)
702 # If true, the lighttpd.conf.in file will be processed into a lighttpd.conf
703 # file that tries very hard to be a complete, standalone configuration file for
704 # a lighttpd server. In other words, it will set things in the lighttpd global
705 # configuration that would not be needed (or safe) if it were being included
706 # to provide only a "virtual host" configuration.
707 # RECOMMENDED VALUE: 0 (for use as an included "virtual host" configuration)
708 # RECOMMENDED VALUE: 1 (for use as a standalone configuration file)
709 our $lighttpd_standalone = 0;
711 # Only applicable if $lighttpd_standlone has been set to a true value,
712 # otherwise this setting has no effect.
713 # If true, the parts of the standalone lighttpd configuration that would
714 # require privileges (e.g. log file, pid file, etc.) will be redirected to
715 # "unprivileged" locations and neither the username nor groupname settings
716 # will be set. Otherwise "standard" locations and so forth will be used
717 # (such as /var/run, /var/log etc.). Note that this will NOT change the
718 # ports lighttpd attempts to listen on -- edit lighttpd.conf.in to do that
719 # and note that the port numbers will likely need to be changed in order to
720 # run in unprivileged mode (e.g. to 8080 and 8443).
721 # RECOMMENDED_VALUE: 0 (if running privileged as $lighttpd_standalone)
722 # RECOMMENDED_VALUE: 1 (if running unprivileged as $lighttpd_standalone)
723 our $lighttpd_unprivileged = 0;
725 # If true, listen only to the loopback interface (i.e. 127.0.0.1/::1)
726 # Otherwise allow incoming connections from anywhere
727 # RECOMMENDED_VALUE: 0 (for an externally accessible girocco web interface)
728 # RECOMMENDED_VALUE: 1 (for a localhost-accessible-only girocco web interface)
729 our $lighttpd_loopback_only = 0;
731 # This will be ignored unless $lighttpd_standalone is a false value
732 # See the copious comments in lighttpd.conf.in (search for TLSHost)
733 # RECOMMENDED_VALUE: 0 (if !$lighttpd_standalone but no other TLS hosts)
734 # RECOMMENDED_VALUE: 1 (if !$lighttpd_standalone and other TLS hosts are present)
735 our $lighttpd_tls_virtualhost = 1;
739 ## ------------------------
740 ## Some templating settings
741 ## ------------------------
744 # Legal warning (on reguser and regproj pages)
745 our $legalese = <<EOT;
746 <p>By submitting this form, you are confirming that you will mirror or push
747 only what we can store and show to anyone else who can visit this site without
748 breaking any law, and that you will be nice to all small furry animals.
749 <sup class="sup"><span><a href="/h/about.html">(more details)</a></span></sup>
750 </p>
753 # Pre-configured mirror sources (set to undef for none)
754 # Arrayref of name - record pairs, the record has these attributes:
755 # label: The label of this source
756 # url: The template URL; %1, %2, ... will be substituted for inputs
757 # desc: Optional VERY short description
758 # link: Optional URL to make the desc point at
759 # inputs: Arrayref of hashref input records:
760 # label: Label of input record
761 # suffix: Optional suffix
762 # If the inputs arrayref is undef, single URL input is shown,
763 # pre-filled with url (probably empty string).
764 our $mirror_sources = [
766 label => 'Anywhere',
767 url => '',
768 desc => 'Any HTTP/Git/rsync pull URL - bring it on!',
769 inputs => undef
772 label => 'GitHub',
773 url => 'https://github.com/%1/%2.git',
774 desc => 'GitHub Social Code Hosting',
775 link => 'https://github.com/',
776 inputs => [ { label => 'User:' }, { label => 'Project:', suffix => '.git' } ]
779 label => 'GitLab',
780 url => 'https://gitlab.com/%1/%2.git',
781 desc => 'Engulfed the Green and Orange Boxes',
782 link => 'https://gitlab.com/',
783 inputs => [ { label => 'User:' }, { label => 'Project:', suffix => '.git' } ]
786 label => 'Bitbucket',
787 url => 'https://bitbucket.org/%1/%2.git',
788 desc => 'Embraced the best DVCS',
789 link => 'https://bitbucket.org/',
790 inputs => [ { label => 'User:' }, { label => 'Project:', suffix => '.git' } ]
794 # You can customize the gitweb interface widely by editing
795 # gitweb/gitweb_config.perl
799 ## -------------------
800 ## Permission settings
801 ## -------------------
804 # Girocco needs some way to manipulate write permissions to various parts of
805 # all repositories; this concerns three entities:
806 # - www-data: the web interface needs to be able to rewrite few files within
807 # the repository
808 # - repo: a user designated for cronjobs; handles mirroring and repacking;
809 # this one is optional if not $mirror
810 # - others: the designated users that are supposed to be able to push; they
811 # may have account either within chroot, or outside of it
813 # There are several ways how to use Girocco based on a combination of the
814 # following settings.
816 # (Non-chroot) UNIX user the CGI scripts run on; note that if some non-related
817 # untrusted CGI scripts run on this account too, that can be a big security
818 # problem and you'll probably need to set up suexec (poor you).
819 # This must always be set.
820 our $cgi_user = 'www-data';
822 # (Non-chroot) UNIX user performing mirroring jobs; this is the user who
823 # should run all the daemons and cronjobs and
824 # the user who should be running make install (if not root).
825 # This must always be set.
826 our $mirror_user = 'repo';
828 # (Non-chroot) UNIX group owning the repositories by default; it owns whole
829 # mirror repositories and at least web-writable metadata of push repositories.
830 # If you undefine this, all the data will become WORLD-WRITABLE.
831 # Both $cgi_user and $mirror_user should be members of this group!
832 our $owning_group = 'repo';
834 # Whether to use chroot jail for pushing; this must be always the same
835 # as $manage_users.
836 # TODO: Gitosis support for $manage_users and not $chrooted?
837 our $chrooted = $manage_users;
839 # How to control permissions of push-writable data in push repositories:
840 # * 'Group' for the traditional model: The $chroot/etc/group project database
841 # file is used as the UNIX group(5) file; the directories have gid appropriate
842 # for the particular repository and are group-writable. This works only if
843 # $chrooted so that users are put in the proper groups on login when using
844 # SSH push. Smart HTTPS push does not require a chroot to work -- simply
845 # run "make install" as the non-root $mirror_user user, but leave
846 # $manage_users and $chrooted enabled.
847 # * 'ACL' for a model based on POSIX ACL: The directories are coupled with ACLs
848 # listing the users with push permissions. This works for both chroot and
849 # non-chroot setups, however it requires ACL support within the filesystem.
850 # This option is BASICALLY UNTESTED, too. And UNIMPLEMENTED. :-)
851 # * 'Hooks' for a relaxed model: The directories are world-writable and push
852 # permission control is purely hook-driven. This is INSECURE and works only
853 # when you trust all your users; on the other hand, the attack vectors are
854 # mostly just DoS or fully-traceable tinkering.
855 our $permission_control = 'Group';
857 # Path to alternate screen multiuser acl file (see screen/README, undef for none)
858 our $screen_acl_file = undef;
860 # Reserved project name and user name suffixes.
862 # Note that with personal mob branches enabled, a user name can end up being a
863 # file name after having a 'mob.' prefix added or a directory name after having
864 # a 'mob_' prefix added. If there is ANY possibility that a file with a
865 # .suffix name may need to be served by the web server, lc(suffix) SHOULD be in
866 # this hash! Pre-existing project names or user names with a suffix in this
867 # table can continue to be used, but no new projects or users can be created
868 # that have a suffix (case-insensitive) listed here.
869 our %reserved_suffixes = (
870 # Entries must be lowercase WITHOUT a leading '.'
871 bmp => 1,
872 bz2 => 1,
873 cer => 1,
874 cgi => 1,
875 crt => 1,
876 css => 1,
877 dmg => 1,
878 fcgi => 1,
879 gif => 1,
880 gz => 1,
881 htm => 1,
882 html => 1,
883 ico => 1,
884 jp2 => 1,
885 jpeg => 1,
886 jpg => 1,
887 jpg2 => 1,
888 js => 1,
889 mp3 => 1,
890 mp4 => 1,
891 pdf => 1,
892 pem => 1,
893 php => 1,
894 png => 1,
895 sig => 1,
896 shtml => 1,
897 svg => 1,
898 svgz => 1,
899 tar => 1,
900 text => 1,
901 tgz => 1,
902 tif => 1,
903 tiff => 1,
904 txt => 1,
905 xbm => 1,
906 xht => 1,
907 xhtml => 1,
908 xz => 1,
909 zip => 1,
914 ## -------------------
915 ## Size limit settings
916 ## -------------------
919 # If this is set to a non-zero value, whenever a receive-pack, mirror fetch
920 # or clone runs, git will be run with a UL_SETFSIZE value set to this value.
922 # The limit is not active while performing garbage collection or other
923 # maintenance tasks.
925 # If git attempts to create a file larger than this limit, it will receive a
926 # SIGXFSZ signal which will cause git to terminate.
928 # Note that if the actual value of UL_GETFSIZE at runtime is already less than
929 # the value set here, then that value will be silently used instead.
931 # The value represents the maximum file size allowed in units of 512-byte blocks
932 # and must be <= 2147483647 (which represents a size of 1 TiB less 512 bytes).
934 our $max_file_size512 = undef; # default is no limit
936 # If this is set to a non-zero value, after an otherwise successful clone,
937 # if the repository contains more than this many objects, the clone will
938 # be considered to fail.
940 # This setting only takes effect after an otherwise successful clone which
941 # means that if $max_file_size512 is non-zero that the resulting clone did
942 # not exceed the file size limit if it fails this check.
944 our $max_clone_objects = undef; # default is no limit
948 ## -------------------------
949 ## sendmail.pl configuration
950 ## -------------------------
953 # Full information on available sendmail.pl settings can be found by running
954 # ../bin/sendmail.pl -v -h
956 # These settings will only be used if $sendmail_bin is set to 'sendmail.pl'
958 # sendmail.pl host name
959 #$ENV{'SENDMAIL_PL_HOST'} = 'localhost'; # localhost is the default
961 # sendmail.pl port name
962 #$ENV{'SENDMAIL_PL_PORT'} = '25'; # port 25 is the default
964 # sendmail.pl nc executable
965 #$ENV{'SENDMAIL_PL_NCBIN'} = "$chroot/bin/nc.openbsd"; # default is nc found in $PATH
967 # sendmail.pl nc options
968 # multiple options may be included, e.g. '-4 -X connect -x 192.168.100.10:8080'
969 #$ENV{'SENDMAIL_PL_NCOPT'} = '-4'; # force IPv4, default is to allow IPv4 & IPv6
973 ## -------------------------
974 ## Obscure Tuneable Features
975 ## -------------------------
978 # Throttle classes configured here override the defaults for them that
979 # are located in taskd/taskd.pl. See comments in that file for more info.
980 our @throttle_classes = ();
982 # Any tag names listed here will be allowed even if they would otherwise not be.
983 # Note that @allowed_tags takes precedence over @blocked_tags.
984 our @allowed_tags = (qw( ));
986 # Any tag names listed here will be disallowed in addition to the standard
987 # list of nonsense words etc. that are blocked as tags.
988 our @blocked_tags = (qw( ));
990 # Case folding tags
991 # If this setting is true, then tags that differ only in case will always use
992 # the same-cased version. If this setting is enabled and the tag is present in
993 # @allowed_tags (or the embedded white list in Util.pm) then the case of the
994 # tag will match the white list entry otherwise it will be all lowercased.
995 # If this setting is disabled (false) tags are used with their case left as-is.
996 # RECOMMENDED VALUE: 1 (true)
997 our $foldtags = 1;
999 # If there are no more than this many objects, then all deltas will be
1000 # recomputed when gc takes place. Note that this does not affect any
1001 # fast-import created packs as they ALWAYS have their deltas recomputed.
1002 # Also when combining small packs, if the total object count in the packs
1003 # to be combined is no more than this then the new, combined pack will have
1004 # its deltas recomputed during the combine operation.
1005 # Leave undef to use the default (which should generally be fine).
1006 # Lowering this from the default can increase disk use.
1007 # Values less than 1000 * number of CPU cores will be silently ignored.
1008 # The "girocco.redelta" config item can be used to modify this behavior on
1009 # a per-repository basis. See the description of it in gc.sh.
1010 our $new_delta_threshold = undef;
1012 # This setting is irrelevant unless foreign vcs mirrors that use git fast-import
1013 # are enabled (e.g. $mirror_darcs, $mirror_bzr or $mirror_hg -- $mirror_svn does
1014 # NOT use git fast-import and is not affected by this setting).
1015 # The packs generated by git fast-import are very poor quality. For this reason
1016 # they ALWAYS have their deltas recomputed at some point. Normally this is
1017 # delayed until the next full (or mini) gc takes place. For this reason a full
1018 # gc is always scheduled immediately after a fresh mirror clone completes.
1019 # However, in the case of normal mirror updates, several git fast-import created
1020 # packs may exist as a result of changes fetched during the normal mirror update
1021 # process. These packs will persist (with their git fast-import poor quality)
1022 # until the next full (or mini) gc triggers. The bad deltas in these update
1023 # packs could be sent down to clients who fetch updates before the next gc
1024 # triggers. To reduce (i.e. practically eliminate) the likelihood of this
1025 # occurring, this setting can be changed to a false (0 or undef) value in which
1026 # case after each mirror update of a git fast-import mirror, any newly created
1027 # git fast-import packs (as a result of the mirror update running) will have
1028 # their deltas recomputed shortly thereafter instead of waiting for the next gc.
1029 # Recomputing deltas immediately (almost immediately) will result in an extra
1030 # redeltification step (with associated CPU cost) that would otherwise not
1031 # occur and, in some cases (mainly large repositories), could ultimately result
1032 # in slightly less efficient deltas being retained.
1033 # RECOMMENDED VALUE: 1
1034 our $delay_gfi_redelta = 1;
1036 # If this is set to a true value, then core.packedGitWindowSize will be set
1037 # to 1 MiB (the same as if Git was compiled with NO_MMAP set). If this is NOT
1038 # set, core.packedGitWindowSize will be set to 32 MiB (even on 64-bit) to avoid
1039 # memory blowout. If your Git was built with NO_MMAP set and will not work
1040 # without NO_MMAP set, you MUST set this to a true value!
1041 our $git_no_mmap = undef;
1043 # If set to a true value, the "X-Girocco: $gitweburl" header included in all
1044 # Girocco-generated emails will be suppressed.
1045 our $suppress_x_girocco = undef;
1047 # Number of days to keep reflogs around
1048 # May be set to a value between 1 and 30 (inclusive)
1049 # The default of one day should normally suffice unless there's a need to
1050 # support a "Where's the undo? WHERE IS THE UNDO?!!!" option ;)
1051 our $reflogs_lifetime = 1;
1053 # The pack.window size to use with git upload-pack
1054 # When Git is creating a pack to send down to a client, if it needs to send
1055 # down objects that are deltas against objects it is not sending and that it
1056 # does not know the client already has, it must undelta and recompute deltas
1057 # for those objects. This is the remote's "Compressing objects" phase the
1058 # client sees during a fetch or clone. If this value is unset, the normal
1059 # Git default of 10 will be used for the window size during these operations.
1060 # This value may be set to a number between 2 and 50 inclusive to change the
1061 # window size during upload pack operations. A window size of 2 provides the
1062 # fastest response at the expense of less efficient deltas for the objects
1063 # being recompressed (meaning more data to send to the client). A window
1064 # size of 5 typically reduces the compression time by almost half and is
1065 # usually nearly as fast as a window size of 2 while providing better deltas.
1066 # A window size of 50 will increase the time spent in the "Compressing objects"
1067 # phase by as much as 5 times but will produce deltas similar to those that
1068 # Girocco generates when it performs garbage collection.
1069 # RECOMMENDED VALUE: undef or 5
1070 our $upload_pack_window = undef;
1072 # If this is true then remote fetching of refs/stash and refs/tgstash will
1073 # be allowed. Git does not allow single-level ref names to be pushed so the
1074 # only way they could get in there is if a linked working tree (or, gasp, a
1075 # non-bare Girocco repository) created them or they arrived via a non-clean
1076 # mirror fetch. The client almost certainly does not want to see them.
1077 # Unless this config item is true they will also be left out of the bundle too.
1078 # Since both stash and tgstash are used with their ref logs and there's no way
1079 # for a remote to fetch ref logs, the "log --walk-reflogs" feature could not be
1080 # used with them by a remote that fetched them anyway.
1082 # NOTE: The reason this doesn't just control all single-level refs is that the
1083 # "hideRefs" configuration mechanism isn't flexible enough to hide all
1084 # single-level refs without knowing their names. In addition, it hides the
1085 # entire refs hierarchy so refs/stash/foo will also be hidden along with
1086 # refs/stash, but Git doesn't actually support ref names that introduce a
1087 # directory/file confict (aka D/F conflict) and "refs/stash" represents an
1088 # official Git ref name therefore any refs/stash/... names really aren't
1089 # allowed in the first place so it's no problem if they're incidentally hidden
1090 # along with refs/stash itself.
1092 # NOTE: Git 1.8.2 or later is required to actually hide the refs from fetchers
1093 # over the "git:" protocol and Git 2.3.5 or later is required to properly hide
1094 # them over the smart "http:" protocol (Girocco will not attempt to "hide" them
1095 # on a smart HTTP fetch if Git is < 2.3.5 to avoid Git bugs.) They will never
1096 # be hidden via the non-smart HTTP fetch or any other non-smart protocols that
1097 # also make use of the $gitdir/info/refs file as they are not excluded from it.
1098 # Nor will they be hidden when accessed via any non-Girocco mechanism.
1099 # They will, however, always be excluded from the primary (aka .bitmap) pack
1100 # and bundle no matter what version of Git is used unless this is set to a
1101 # true value. It's only the server's Git version that matters when hiding refs.
1103 # RECOMMENDED VALUE: undef or 0
1104 our $fetch_stash_refs = undef;
1106 # When set to a true value, Girocco will attempt to pick up ref changes made
1107 # outside of Girocco itself and process them using the usual Girocco
1108 # notification mechanism. Git lacks any "post-ref-change" hook capability that
1109 # could facilitate this prior to the introduction of the reference-transation
1110 # hook in Git v2.28.0. This feature is primarily intended to detect running
1111 # of "git fetch" in linked working trees of a Girocco repository. In many
1112 # cases after running a command Git runs "git gc --auto". With the correct
1113 # encouragement we can always induce Git to run our pre-auto-gc hook at that
1114 # time. "git fetch" invokes "git gc --auto" after the fetch. Girocco needs
1115 # to do additional maintenance to make this work properly so do not enable this
1116 # unless it's really needed. Additionally, there are a number of commands
1117 # (such as "git commit") that do not invoke "git gc --auto". Even with this
1118 # enabled, additional hooks for post-rewrite and post-checkout
1119 # would really be needed to catch more things and even then there are some
1120 # Git commands that would never be caught ("git filter-branch",
1121 # "git update-ref", "git reset", etc.) so this is hardly a complete solution.
1122 # But it WILL catch "git fetch" changes although the hashes it uses for the
1123 # "old" ref values may not be all that recent, the new ref values will be.
1124 # When this is false, the hack is completely disabled.
1125 # When this is true, the hack is enabled by default for all repositories,
1126 # but can be controlled on an individual repository basis by setting the
1127 # girocco.autogchack value explicitly to true (enable) or false (disable).
1128 # If this is set to the special value "mirror" then it will behave as true
1129 # for mirrors and false for non-mirrors thereby completely eliminating any
1130 # overhead for push projects but detecting external "git fetch"s for mirrors.
1131 # If this is enabled for a project, any third party script/tool can trigger
1132 # the Girocco ref notification mechanism simply by making a ref change and
1133 # then running "git gc --auto --quiet" on the project. In a capitulation to
1134 # use of linked working trees, Girocco installs a post-commit hook that will
1135 # trigger these notifications as well when this is enabled.
1136 our $autogchack = 0;
1138 # When set to a true value the initial setting for core.hooksPath will point
1139 # to the repository's own hooks directory instead of $reporoot/_global/hooks.
1140 # Due to the unfortunate implementation of core.hooksPath, Girocco must always
1141 # ensure the value gets set in each repository's config file. Normally it
1142 # just sets it to $reporoot/_global/hooks and that's that. However, the
1143 # update-all-config script will also tolerate it pointing at the repository's
1144 # own hooks directory -- Girocco maintains symbolic links in there to the
1145 # global hooks to make sure they get run when using older versions of Git;
1146 # therefore that setting is basically equivalent. The difference is that
1147 # repository-specific hooks can be added when hooksPath is pointing at the
1148 # repository's hooks directory but not when it's pointing at _global/hooks.
1149 # A repository's setting can be changed manually (and it will stick), but
1150 # sometimes it may be desirable to always just default to pointing at the
1151 # repository's own hooks directory from the start. Perhaps linked working
1152 # trees will be in use and software that needs to set repository-specific hooks
1153 # will be in use. If $autogchack has been set to true this may very likely be
1154 # the case.
1155 our $localhooks = 0;
1157 # If this is set to a true value changes to single-level refs (e.g. refs/stash)
1158 # will be passed through to the notification machinery.
1159 # Usually this is NOT wanted, especially when linked working trees are being
1160 # used with the repository.
1161 # However, in the unlikely event that changes to such ref names should NOT be
1162 # ignored, this value may be set to any true value.
1163 # RECOMMENDED VALUE: 0
1164 our $notify_single_level = 0;
1166 # If this is set to a non-empty value it will become the default value for
1167 # all repositories' girocco.notifyHook value.
1168 # Whenever taskd.pl receives a batch of ref changes for processing, it first
1169 # sends them off to any configured "girocco.notifyHook" (same semantics as
1170 # a post-receive hook except it also gets four command-line arguments like
1171 # so: cat ref-changes | notifyhook $projname $user $linecount $contextlinecount
1172 # There is no default notify hook, but each repository may set its own by
1173 # setting the `girocco.notifyHook` config value which will be eval'd by the
1174 # shell (like $GIT_EDITOR is) with the current directory set to the
1175 # repository's git-dir and the changes on standard input.
1176 # Note that normal notification processing does not take place until after
1177 # this command (if it's not null) gets run (regardless of its result code).
1178 our $default_notifyhook = undef;
1180 # UNIX group owning the repositories' htmlcache subdirectory
1181 # If not defined defaults to $owning_group
1182 # If gitweb access is provided but only on a read-only basis, then setting
1183 # this to a group to which Both $cgi_user and $mirror_user belong will still
1184 # allow summary page caching.
1185 # $mirror_user should always belong to this group
1186 our $htmlcache_owning_group = undef;
1188 # UNIX group owning the repositories' ctags subdirectory
1189 # If not defined defaults to $owning_group
1190 # If gitweb access is provided but only on a read-only basis, then setting
1191 # this to a group to which Both $cgi_user and $mirror_user belong will still
1192 # allow tags to be added to the repository in gitweb (provided that feature
1193 # is enabled in gitweb/gitweb_config.perl).
1194 # $mirror_user should always belong to this group
1195 our $ctags_owning_group = undef;
1197 # When using pack bitmaps and computing data to send to clients over a fetch,
1198 # having pack.writeBitmapHashCache set to true produces better deltas (thereby
1199 # potentially reducing the amount of data that needs to be sent). However, old
1200 # JGit does not understand this extra data, so if JGit needs to use the bitmaps
1201 # generated when Girocco runs Git, this setting needs to be set to a true value
1202 # so that the hash cache is excluded when Git generates the bitmaps thereby
1203 # making them compatible with JGit prior to JGit v3.5.0 released in late 2014.
1204 # Note that changes to this setting will not take effect until the next time
1205 # gc is scheduled to run on a project and then only if gc actually takes place.
1206 # Use the $basedir/toolbox/make-all-gc-eligible.sh script to force all projects
1207 # to actually do a gc the next time they are scheduled for one.
1208 # (Note that Git version 2.22.0, released 2019-06-07, enabled the HashCache by
1209 # default since it post dates the JGit v3.5.0 release by approximately 5 years
1210 # [that corresponds to a setting of undef or 0 here].)
1211 # RECOMMENDED VALUE: undef or 0
1212 our $jgit_compatible_bitmaps = 0;
1214 # Set the default value of receive.maxInputSize
1215 # This is only effective for receives (aka an incoming push) and causes the
1216 # push to abort if the incoming pack (which is generally thin and does not
1217 # have any index) exceeds this many bytes in size (a 'k', 'm' or 'g' suffix
1218 # may be used on the value). If undef or set to 0 there is no limit. This
1219 # limit is only effective when Girocco is running Git v2.11.0 or later.
1220 our $max_receive_size = undef;
1222 # Suppress git: and ssh: log messages
1223 # Access via http: and/or https: provides logging of the project being
1224 # cloned/fetched/pushed to. There is normally no such logging for access
1225 # via ssh: and/or git: protocols. However, Girocco intercepts those
1226 # accesses to perform sanity and permision checks and also logs the request
1227 # to the system log at that time. By setting this value to any true
1228 # value, that logging of git: and ssh: git activity will be suppressed.
1229 # RECOMMENDED VALUE: 0
1230 our $suppress_git_ssh_logging = 0;
1232 # Select the sshd to be installed into the chroot
1233 # If set this MUST be an absolute path
1234 # Ignored unless a chroot is actually being created
1235 # Leaving this undef will find sshd in "standard" system locations and
1236 # is the recommended value. Only set this if you need to override the
1237 # "standard" sshd for some reason.
1238 # RECOMMENDED VALUE: undef
1239 our $sshd_bin = undef;
1241 # Allow any git-daemon host
1242 # If set to a true value, then the extra "host=" parameter received
1243 # by git-daemon (if present) will be ignored. If the $gitpullurl value
1244 # is undefined or does not start with "git://<hostname>" then any host
1245 # will be allowed by default.
1246 # RECOMMENDED VALUE: undef
1247 our $git_daemon_any_host = undef;
1249 # Restrict git-daemon host names
1250 # If $git_daemon_any_host is any false value (or undef) AND this
1251 # value is set to a space-separated list of host names WITHOUT any
1252 # port numbers, then the "host=" parameter MUST be provided by
1253 # a git daemon client AND it must match one of the names in this
1254 # all-lowercase, space-separated list. Note that IPv6 literal
1255 # addresses MUST NOT be enclosed in brackets. If this value is
1256 # empty or undef it will default to the hostname extracted from
1257 # $gitpullurl if that is set plus several variants of localhost.
1258 # Note, do NOT terminate DNS names with a final "." or they will
1259 # never match!
1260 # EXAMPLE:
1261 # our $git_daemon_host_list = "foo.example.com localhost ::1 127.0.0.1";
1262 our $git_daemon_host_list = undef;
1264 # Shared repository setting
1265 # This is the value to set the core.sharedRepository value to in
1266 # each repository. If this is changed, running update-all-config
1267 # will update each project to the new value.
1268 # By default (if this is left undef) it will be set to 'all' (which
1269 # corresponds to a core.sharedRepository value of '2').
1270 # This makes it so repositories are group-writable and world readable.
1271 # If set to the more restrictive 'group' (which corresponds to a
1272 # core.sharedRepository value of '1'), repositories will still typically
1273 # be world readable as umask 002 is used in most places. However, if
1274 # worktrees are in use and the user has a umask that excludes other
1275 # read permissions, repositories might become only partially world
1276 # readable. This only matters when they are being served by a user
1277 # (such as git-daemon running as 'nobody') that does not have group
1278 # or owner read permission to the repository.
1279 # See the `git help init` output for the possible values of the
1280 # `--shared` option for allowed settings of this value.
1281 # Note that if an explicit octal value is used, any execute bits will
1282 # be removed and u+rw will always be added and there are no promises
1283 # that files will not end up group readable/writable anyway.
1284 # RECOMMENDED VALUE: undef
1285 our $git_shared_repository_setting = undef;
1288 ## ------------------------
1289 ## Sanity checks & defaults
1290 ## ------------------------
1293 # A separate, non-installed module handles the checks and defaults
1294 require Girocco::Validator;