.\"
.\" Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate$
.Dt GOTD.CONF 5
.Os
.Sh NAME
.Nm gotd.conf
.Nd gotd configuration file
.Sh DESCRIPTION
.Nm
is the run-time configuration file for
.Xr gotd 8 .
.Pp
The file format is line-based, with one configuration directive per line.
Any lines beginning with a
.Sq #
are treated as comments and ignored.
.Sh GLOBAL CONFIGURATION
The available global configuration directives are as follows:
.Bl -tag -width Ds
.It Ic connection Ar option
Set the specified options and limits for connections to the
.Xr gotd 8
unix socket.
.Pp
The
.Ic connection
directive may be specified multiple times, and multiple
.Ar option
arguments may be specified within curly braces:
.Pp
.Ic connection Brq Ar ...
.Pp
Each option should only be specified once.
If a given option is listed multiple times, the last line which sets this
option wins.
.Pp
Valid connection options are:
.Bl -tag -width Ds
.It Ic request timeout Ar seconds
Specify the inactivity timeout for operations between client and server.
If this timeout is exceeded while a Git protocol request is being processed,
the request will be aborted and the connection will be terminated.
.Pp
The timeout value may also have a suffix indicating its unit of measure.
Supported suffixes are:
.Pp
.Bl -tag -compact -width tenletters
.It Ar s No or Ar S
seconds
.It Ar m No or Ar M
minutes
.It Ar h No or Ar H
hours
.El
.Pp
The default timeout is 1h (3600 seconds, one hour).
This should only be changed if legitimate requests are exceeding the default
timeout for some reason, such as the server spending an extraordinary
amount of time generating a pack file.
.It Ic limit Ic user Ar identity Ar number
Limit the maximum amount of concurrent connections by the user with
the username
.Ar identity
to
.Ar number .
Numeric user IDs are also accepted.
.Pp
The default per-user limit is 4.
This should only be changed if concurrent connections from a given user are
expected to exceed the default limit, for example if an anonymous user
is granted read access and many concurrent connections will share this
anonymous user identity.
.El
.It Ic unix_socket Ar path
Set the path to the unix socket which
.Xr gotd 8
should listen on.
If not specified, the path
.Pa /var/run/gotd.sock
will be used.
.It Ic unix_group Ar group
Set the
.Ar group ,
defined in the
.Xr group 5
file, which is allowed to access
.Xr gotd 8
via
.Xr gotsh 1 .
The
.Xr gotd 8
user must be a secondary member of this group.
If not specified, the group _gotsh will be used.
.It Ic user Ar user
Set the
.Ar user
which will run
.Xr gotd 8 .
Initially,
.Xr gotd 8
requires root privileges in order to create its unix socket.
Afterwards,
.Xr gotd 8
drops privileges to the specified
.Ar user .
If not specified, the user _gotd will be used.
.El
.Sh REPOSITORY CONFIGURATION
At least one repository context must exist for
.Xr gotd 8
to function.
For each repository, access rules must be configured using the
.Ic permit
and
.Ic deny
configuration directives.
Multiple access rules can be specified, and the last matching rule
determines the action taken.
If no rule matches, access to the repository is denied.
.Pp
A repository context is declared with a unique
.Ar name ,
followed by repository-specific configuration directives inside curly braces:
.Pp
.Ic repository Ar name Brq ...
.Pp
.Xr got 1
and
.Xr git 1
clients can connect to a repository by including the repository's unique
.Ar name
in the request URL.
Clients appending the string
.Dq .git
to the
.Ar name
will also be accepted.
.Pp
If desired, the
.Ar name
may contain path-separators,
.Dq / ,
to expose repositories as part of a virtual client-visible directory hierarchy.
.Pp
The available repository configuration directives are as follows:
.Bl -tag -width Ds
.It Ic deny Ar identity
Deny repository access to users with the username
.Ar identity .
Group names may be matched by prepending a colon
.Pq Sq \&:
to
.Ar identity .
Numeric IDs are also accepted.
.It Ic path Ar path
Set the path to the Git repository.
Must be specified.
.It Ic permit Ar mode Ar identity
Permit repository access to users with the username
.Ar identity .
The
.Ar mode
argument must be set to either
.Ic ro
for read-only access,
or
.Ic rw
for read-write access.
Group names may be matched by prepending a colon
.Pq Sq \&:
to
.Ar identity .
Numeric IDs are also accepted.
.El
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa /etc/gotd.conf
Location of the
.Nm
configuration file.
.El
.Sh EXAMPLES
.Bd -literal -offset indent
# Default unix_group and user values:
unix_group _gotsh
user _gotd

# This repository can be accessed via ssh://user@example.com/src
repository "src" {
	path "/var/git/src.git"
	permit rw flan_hacker
	permit rw :developers
	permit ro anonymous
}

# This repository can be accessed via
# ssh://user@example.com/openbsd/ports
repository "openbsd/ports" {
	path "/var/git/ports.git"
	permit rw :porters
	permit ro anonymous
	deny flan_hacker
}

# Use a larger request timeout value:
connection request timeout 2h

# Some users are granted a higher concurrent connection limit:
connection {
	limit user flan_hacker 16
	limit user anonymous 32
}
.Ed
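The rule order in the "openbsd/ports" repository above matters because the last matching rule decides. The following added example (not part of gotd or of this manual page) models that evaluation in Python so the effect of moving a deny line can be checked; the function names, the assumption that flan_hacker belongs to the porters group, and the user "mallory" are hypothetical, and numeric IDs are not modelled.

```python
# Added example: a model of the documented rule semantics, not gotd's code.
# Numeric IDs are not modelled; identities are compared as names only.

# Body of the "openbsd/ports" repository block from EXAMPLES.
PORTS = """
path "/var/git/ports.git"
permit rw :porters
permit ro anonymous
deny flan_hacker
"""

def parse_rules(block):
    """Collect (action, mode, identity) from permit/deny lines, in order."""
    rules = []
    for line in block.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        if words[0] == "permit" and len(words) == 3 and words[1] in ("ro", "rw"):
            rules.append(("permit", words[1], words[2]))
        elif words[0] == "deny" and len(words) == 2:
            rules.append(("deny", None, words[1]))
        # any other directive, such as path, is not an access rule
    return rules

def matches(identity, user, groups):
    """A leading ':' selects a group name, otherwise the username."""
    if identity.startswith(":"):
        return identity[1:] in groups
    return identity == user

def access(rules, user, groups=()):
    """Return 'rw', 'ro' or None (denied); the last matching rule decides."""
    result = None  # no rule matched yet: access is denied
    for action, mode, identity in rules:
        if matches(identity, user, groups):
            result = mode if action == "permit" else None
    return result

def audit():
    """Evaluate the sample block for a few constructed users."""
    rules = parse_rules(PORTS)
    reordered = [rules[-1]] + rules[:-1]  # constructed: deny moved to the top
    porters = {"porters"}  # assumed group membership of flan_hacker
    return {
        "flan_hacker": access(rules, "flan_hacker", porters),
        "flan_hacker, deny first": access(reordered, "flan_hacker", porters),
        "anonymous": access(rules, "anonymous"),
        "unlisted": access(rules, "mallory"),
    }
```

With the deny line last, flan_hacker is refused even as a member of porters; with the same line placed first, the later group permit overrides it and grants rw.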
.Sh SEE ALSO
.Xr got 1 ,
.Xr gotsh 1 ,
.Xr group 5 ,
.Xr gotd 8