- SSH access to repos is controlled using the `~/.ssh/authorized_keys` file. All (git-)users use the same (ssh-)user.
- A `post-update` git hook is used to automatically create/update a static website for public repositories.
## Installation and setup

```sh
$ make
$ make install
```
Then set up access control:

- Create a user.
- As that user, create the files `~/.ssh/authorized_keys` (see next sections).
- Whenever you change the config, run `python3 -m stagit` to apply the changes, e.g. create repositories. (Note that this will never delete a repository, to prevent data loss.)
```ini
[private]
ssh = admin hobbs
post-update = git --work-tree=/var/www/example checkout -f main

[example]
desc = my shiny new project
ssh = @all
http = yes
```

- Every section defines one repo.
- The `ssh` key controls which users can access the repository via ssh.
- The special user `@all` matches all users.
- The `http` key is boolean and enables anonymous access via website and git-daemon / git-http-backend.
The authorized keys file should look roughly like this:
```
command="/usr/lib/stagit/shell admin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa … firstname.lastname@example.org
command="/usr/lib/stagit/shell hobbs",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa … email@example.com
```
It is mostly a regular authorized keys file with some restrictions. Most importantly, the user is restricted to the stagit shell, so no regular shell access is possible.
Note that the stagit shell gets the username to use as first argument.
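As an added example (not stagit's own code), here is how the two pieces above fit together: the config decides which username may reach a repository, and the `authorized_keys` line is what pins a key to that username, so a key line that lacks the forced command or one of the restriction options should be rejected before it is installed. The config text, the key lines and the key data are constructed for the example; the shell path is the one shown above.

```python
import configparser
import shlex

# Constructed sample config in the format described above.
CONFIG_TEXT = """
[private]
ssh = admin hobbs
post-update = git --work-tree=/var/www/example checkout -f main
[example]
desc = my shiny new project
ssh = @all
http = yes
"""
CFG = configparser.ConfigParser()
CFG.read_string(CONFIG_TEXT)
# Constructed authorized_keys lines; AAAAEXAMPLEKEY stands in for real key data.
RESTRICT = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
GOOD_LINE = f'command="/usr/lib/stagit/shell admin",{RESTRICT} ssh-rsa AAAAEXAMPLEKEY a@example.org'
BAD_LINE = 'command="/usr/lib/stagit/shell hobbs",no-pty ssh-rsa AAAAEXAMPLEKEY b@example.com'
PLAIN_LINE = "ssh-rsa AAAAEXAMPLEKEY c@example.com"  # no forced command: a real login shell
REQUIRED_OPTS = set(RESTRICT.split(","))

def ssh_allowed(cfg, repo, user):
    """Does `user` (the name handed to the stagit shell) get ssh access to `repo`?"""
    if repo not in cfg:
        return False
    users = cfg[repo].get("ssh", "").split()
    return "@all" in users or user in users

def http_allowed(cfg, repo):
    """Anonymous web / git-daemon access needs an explicit `http = yes`."""
    return repo in cfg and cfg[repo].getboolean("http", fallback=False)

def key_user(line, shell="/usr/lib/stagit/shell"):
    """Username a key line is pinned to, or None if the forced command or any
    restriction option is missing (such a line must not be installed)."""
    # shlex keeps the quoted forced command inside the first token, so the
    # options field is token 0 (commas inside the command are not handled;
    # stagit's forced command has none).
    opts = shlex.split(line)[0].split(",") if line.strip() else []
    if not REQUIRED_OPTS <= set(opts):
        return None
    for opt in opts:
        if opt.startswith("command="):
            argv = shlex.split(opt[len("command="):])
            if len(argv) == 2 and argv[0] == shell:
                return argv[1]
    return None
```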
## Differences to the originals
- Everything is stripped down to the essentials (YMMV). That is not to say that the missing features are not relevant, but they are not relevant to my specific use case.
- The integration between access control and static website is hardcoded, which makes it simpler but also less flexible.
- Compared to stagit:
  - The UI takes some inspiration from GitHub.
  - README is rendered using cmark.
  - I wanted to use a proper (but minimal) templating library but did not find one. So I ended up with a crude pre-processing script.
- Compared to gitolite:
  - Config and keys are not tracked in an admin repository. I can just as well log into the server.
  - If you want to add custom hooks, you should add them directly to the source code.
  - The conffile format is different and does not support some advanced features.
  - The access control scripts are implemented in Python instead of Perl. I just don't know much Perl, that's why.
The source code is meant to be hackable, so feel free to mess around.