Commit graph

32 commits

Author SHA1 Message Date
Loïc Dachary 1a673c0ff6
[BRANDING] container images: set APP_NAME
(cherry picked from commit 12d7bc447edb272327200389c73bb04bb5fccc14)
(cherry picked from commit 1335b17fc35b8b873b94435fddcc23c5cdf0117e)
(cherry picked from commit 0d7da06c47ac3a7278602871b95234f823e11f1d)
(cherry picked from commit 095c1ab679bce39dbaa89e8a86eaeab8a9b823ad)
(cherry picked from commit 2220f00d09e2692d10e0d07f1e8ae2232a636a7d)
(cherry picked from commit f0be8bbdbfb758fd13f2f9325358ad292f6c030c)
(cherry picked from commit 15188180a15adb58bbde418018612561b68b6927)
(cherry picked from commit 96c471d7d36a24824835b254bf785689f898d715)
(cherry picked from commit 709052f1e79bbb0ee417f8001c9c0dbd03e78791)
(cherry picked from commit 98cd2f5deee05ae9be67250c85fc17e31eaaf28a)
(cherry picked from commit a1014654b13e338eaf35cd96d6115fe88459480f)
(cherry picked from commit a16f4dc51dce3f9d22cf899186fc61931a82f35e)
(cherry picked from commit abbed33d1699daa99620acdec5322846f562cb8d)
(cherry picked from commit 4871447def0794027227280059bdfa29cacc0a23)
(cherry picked from commit ea1218b237017fa3ca3e5204afd56a18e8336650)
(cherry picked from commit 6dd67d60de567e70a36524db940b8e88420251c0)
(cherry picked from commit 71761f04afff6d1552c5604fcf7f9b5a27cf01ba)
(cherry picked from commit 7cb28a3a06b1b665a6ac9d2687c79ef5ceed0dba)
(cherry picked from commit d116336cb5a2df68260fbec42b606fa35c27ba30)
(cherry picked from commit 4138a698b2744f504cc6e3590ab8b14753cb719d)
(cherry picked from commit 38c572bc1928fc138503a88b66aa8e6d1c06aa6e)
(cherry picked from commit 94c759b47f93dde23473d45eff2309dce5055d8a)
(cherry picked from commit e1f52bf1d5087df6c7905afc08a7cbada6854f7f)
(cherry picked from commit 8bc7000cfa7d0caa87f99c07543f36925fbe984b)
(cherry picked from commit fa60007c3464a8d7fc278df1f6d51fb40c6ed130)
(cherry picked from commit 0328db39c9a9359046aea0a422002a3072509345)
(cherry picked from commit d028010b64e9d12dc3698fadd8b6f017ea2762ef)
(cherry picked from commit 0283c920f01e8ec599613f8e28fa39157f698e4c)
(cherry picked from commit f5bdf3e11f93c508d03ce38d66550aadeb41abdd)
(cherry picked from commit e3beb523007fe87951a4e901596aaef965de0771)
(cherry picked from commit a63d5afc91a5c7f29969c5ed722c6718c1452e6d)
(cherry picked from commit 7d43e1a828139d20b5baafe1df706e11ed4d83a8)
(cherry picked from commit a551fbd0fa00231a886c101d5fe438b184c01b93)
(cherry picked from commit cdff0ddbb67237638d60ed5a6180670813ce24d0)
(cherry picked from commit f2462ab1d0d0bf70c9d6cec4408bb6f9a05a6019)
(cherry picked from commit 7231dcc0a7a16b8f1dc6a5a67e589cdf9ee310ed)
(cherry picked from commit 1cbe55f8329f5ec70aaef39d6c66551f555e0b96)
(cherry picked from commit 483d9534989bb6abdc65d87eed1f4806ea78f6eb)
(cherry picked from commit e0b863d2e9b983c77a63199a14c50e1724688c1e)
(cherry picked from commit 34dc719b4d55e87832f7dd38152d8503a9438ec0)
(cherry picked from commit 200f1ddec3129f8722265531817bf4489ef02f6e)
(cherry picked from commit 892435f00f6b22fa41bc572d58e1f3168677d3d2)
(cherry picked from commit 188d1d387a933812a88e58241ac8fe3ceb1a1d36)
(cherry picked from commit 8589533bfebf21233ca91a4b90d41532e34efad2)
(cherry picked from commit 8e7e83ffe59044e67f954f20bce3a5be901e7777)
(cherry picked from commit 4f86171d68d6a363d7c813cd8eb439ed656d3c6d)
(cherry picked from commit ece61fd4f649e48e14811ffc2e20deae487244b8)
(cherry picked from commit ff34eb0023be8e07e37cf63787bfc7187f9da3a6)
(cherry picked from commit 845b0ecc8cbea1a7985b7623c92237f1bbf5710c)
2024-02-05 16:02:13 +01:00
mainboarder c533991519
Expanded minimum RSA Keylength to 3072 (#26604)
The German Federal Office for Information Security requests in its technical
guideline BSI TR-02102-1 an RSA key length not shorter than 3000 bits
starting in 2024; in the year 2023, 3000 bits is a recommendation. Gitea
should request longer RSA keys by default in favor of security and drop
old clients which do not support longer keys.


https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile&v=9
- Page 19, Table 1.2

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-08-28 00:53:16 +00:00
wxiaoguang 79c3329502
Do not use deprecated log config options by default (#26592)
Simplify the log config

* Remove unnecessary `ROUTER` config, it defaults to the `MODE`.
* `XORM` config was deprecated
2023-08-20 01:05:29 +00:00
Jason Song 5b7b7c4f3c
Correct permissions for .ssh and authorized_keys (#25721)
Set the correct permissions on the .ssh directory and authorized_keys
file, or sshd will refuse to use them and lead to clone/push/pull
failures.

It could happen when users have copied their data to a new volume and
changed the file permission by accident, and it would be very hard to
troubleshoot unless users know how to check the logs of sshd which is
started by s6.

Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-06 17:00:38 +02:00
Xinyu Zhou f17edfaf5a
Remove deprecated DSA host key from Docker Container (#21522)
OpenSSH 7.0 and greater disable the ssh-dss (DSA) public
key algorithm and recommend against its use.
http://www.openssh.com/legacy.html

## ⚠️ BREAKING ⚠️

This patch will remove the DSA host key from the OpenSSH daemon configuration
file.

Signed-off-by: baronbunny <its@baronbunny.cn>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-11-03 19:49:12 +08:00
Thomas Andrade 4a295d4a6c
feat: Add support for extra sshd_config parameters via 'Include' file (#19842)
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-05-31 14:42:19 -04:00
Gusted ba5f2acb9c
Configure OpenSSH log level via Environment in Docker (#19274)
Introduce a new environment variable: SSH_LOG_LEVEL
2022-03-31 11:15:36 +08:00
Gusted 5e5740af69
Switch to non-deprecation setting (#18358)
* Switch to non-deprecation setting
  (Avoid by-default: "Deprecated fallback `[server]` `LFS_CONTENT_PATH` present. Use `[lfs]` `PATH` instead. This fallback will be removed in v1.18.0")

* Update all references
2022-01-23 20:02:29 +01:00
zeripath 7d0629adf8
Use shadowing script for docker (#17846)
Too many docker users are caught out by the default location for the
app.ini file being environment dependent so that when they docker exec
into the container the gitea commands do not work properly and require
additional -c arguments to correctly pick up the configuration.

This PR simply shadows the gitea binary using variants of the FHS
compatible script to make the command gitea have the default locations
by default.

Fix #14468
Reference #17497
Reference #12082
Reference #8941
... amongst others ...
Replace #17501

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-12-01 18:08:27 +00:00
luzpaz e0296b6a6d
Fix various documentation, user-facing, and source comment typos (#16367)
* Fix various doc, user-facing, and source comment typos

Found via `codespell -q 3 -S ./options/locale,./vendor -L ba,pullrequest,pullrequests,readby`
2021-07-08 13:38:13 +02:00
zeripath 8947422781
Fix bug due to missing MaxStartups and MaxSessions (#16046)
Unfortunately #16009 makes these settings mandatory. This PR uses the same technique
as used for the certificates to make these settings non-mandatory.

Fix #16044

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
2021-06-01 15:55:17 -04:00
Dario Louzado 5de01e21a1
Make sshd_config more flexible regarding connections (#16009)
* Make sshd_config more flexible regarding
MaxStartups and MaxSessions.

See https://man.openbsd.org/sshd_config
for more information.

* make property prefix equals
other existing Gitea SSH properties.

Co-authored-by: dlouzado <dlouzado@senado.leg.br>
2021-05-31 21:33:50 -04:00
zeripath 0ada74edbc
Only offer hostcertificates if they exist (#15849)
A common bug report is the otherwise harmless sshd logging:

```
Could not load host certificate "/data/ssh/ssh_host_ed25519_cert": No such file or directory
```

This PR simply checks if these files exist before creation of sshd_config and if
they do not exist, doesn't add a reference to them.

Fix #14110 amongst others.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2021-05-13 15:11:28 +03:00
Lauris BH 044cd4d016
Add reverse proxy configuration support for remote IP address (#14959)
* Add reverse proxy configuration support for remote IP address validation

* Trust all IP addresses in containerized environments by default

* Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-03-16 00:27:28 +02:00
Kyle D 61f347e349
Add environment-to-ini to docker image (#14762)
* Add environment-to-app.ini routine

* Call environment-to-ini in docker setup scripts

* Automatically convert section vars to lower case to match documentation

* Remove git patch instructions

* Add env variable documentation to Install Docker
2021-02-23 20:21:44 +01:00
Lunny Xiao 0cd87d64ff
Update docs and comments to remove macaron (#14491) 2021-01-29 16:35:30 +01:00
silverwind bc455ed257
Set RUN_MODE prod by default (#13765)
I think it's a bad default to have "dev" as the default run mode which
enables debugging and now also disables HTTP caching. It's better to
just default to a value suitable for general deployments.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-11-30 14:52:04 -05:00
6543 e7b47c5215
Format files (#13698)
* align "make help"

* format

* untouch build/generate-svg.js

* untouch .eslintrc

* combine editorconfig's

* rm editorconfig

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-11-28 01:12:22 -05:00
Anders Eurenius Runvald 01f991ac88
Update sshd_config (#13143)
Afaik, adding these lines does nothing unless the file(s) are present. Having them in lets admins supply certs instead of relying on TOFU.

Co-authored-by: zeripath <art27@cantab.net>
2020-10-14 13:01:11 -04:00
Wim 9066d09c57
Add ssh certificate support (#12281)
* Add ssh certificate support

* Add ssh certificate support to builtin ssh

* Write trusted-user-ca-keys.pem based on configuration

* Update app.example.ini

* Update templates/user/settings/keys_principal.tmpl

Co-authored-by: silverwind <me@silverwind.io>

* Remove unused locale string

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update options/locale/locale_en-US.ini

Co-authored-by: silverwind <me@silverwind.io>

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* Add missing creation of SSH.Rootpath

* Update cheatsheet, example and locale strings

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

Co-authored-by: zeripath <art27@cantab.net>

* Update models/ssh_key.go

* Optimizations based on feedback

* Validate CA keys for external sshd

* Add filename option and change default filename

Add a SSH_TRUSTED_USER_CA_KEYS_FILENAME option which default is
RUN_USER/.ssh/gitea-trusted-user-ca-keys.pem

Do not write a file when SSH_TRUSTED_USER_CA_KEYS is empty.

Add some more documentation.

* Remove unneeded principalkey functions

* Add blank line

* Apply suggestions from code review

Co-authored-by: zeripath <art27@cantab.net>

* Add SSH_AUTHORIZED_PRINCIPALS_ALLOW option

This adds a SSH_AUTHORIZED_PRINCIPALS_ALLOW which is default
email,username this means that users only can add the principals
that match their email or username.

To allow anything, the admin needs to set the option to anything.

This allows for a safe default in gitea which protects against malicious
users using other users' principals (before that, a user could set it).

This commit also has some small other fixes from the last code review.

* Rewrite principal keys file on user deletion

* Use correct rewrite method

* Set correct AuthorizedPrincipalsBackup default setting

* Rewrite principalsfile when adding principals

* Add update authorized_principals option to admin dashboard

* Handle non-primary emails

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Add the command actually to the dashboard template

* Update models/ssh_key.go

Co-authored-by: silverwind <me@silverwind.io>

* By default do not show principal options unless there are CA keys set or they are explicitly set

Signed-off-by: Andrew Thornton <art27@cantab.net>

* allow settings when enabled

* Fix typos in TrustedUserCAKeys path

* Allow every CASignatureAlgorithms algorithm

As this depends on the content of TrustedUserCAKeys we should allow all
signature algorithms as admins can choose the specific algorithm on their
signing CA

* Update models/ssh_key.go

Co-authored-by: Lauris BH <lauris@nix.lv>

* Fix linting issue

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: techknowlogick <matti@mdranta.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-10-10 20:38:09 -04:00
zeripath d65cd5677a
Change default log configuration (#13088)
* Change default log configuration

This PR changes the install page and the docker default
logging configuration to match the suggested configuration
that I repeatedly end up suggesting on issues.

It further improves the logging configuration docs to
recommend specific instructions for how to configure logs
for posting to issues.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update docs/content/doc/advanced/logging-documentation.en-us.md
2020-10-10 18:19:50 +03:00
zeripath ea69ec6f0f
Disable DSA ssh keys by default (#13056)
* Disable DSA ssh keys by default

OpenSSH has disabled DSA keys since version 7.0

As the docker runs openssh > v7.0 we should just disable
DSA keys by default.

Refers to #11417

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Just disable DSA keys by default

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Appears we need to set the minimum key sizes too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Remove DSA type

* Fix Tests

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2020-10-09 09:52:57 +03:00
Adrian POIGET 99082eebd7
Fix; declare DOMAIN variable for docker setup (#10780)
In the /install form, the value for SSH Server Domain is taken from the DOMAIN variable
and overwrites the SSH_DOMAIN environment variable set the first time if nothing is done.

Co-authored-by: Adrian POIGET <adrian.poiget@viveris.fr>
2020-05-04 10:50:29 +01:00
Antoine GIRARD 6e578dd0c9 docker: ask s6 to stop all service when gitea stop (#9171)
* fix: ask s6 to stop all service when gitea stop

https://github.com/just-containers/s6-overlay#writing-an-optional-finish-script

* change service folder
2019-11-27 13:08:57 -05:00
zeripath 0a96e59884 Fix #8453 by making openssh listen on SSH_LISTEN_PORT not SSH_PORT (#8477) 2019-10-12 23:45:00 +08:00
jpellegrini 852b8e2d81 Make AllowedUsers configurable in sshd_config (#8094)
docker/root/usr/bin/entrypoint already allows for the specification
of USER, USER_UID, USER_GID. But since AllowedUsers is hardcoded in
sshd_config, one cannot log in as a user different from git.
This change substitutes ${USER} for git in the sshd_config template.

Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>
2019-09-05 22:20:55 +02:00
leigh capili 70d2244e49 Support SSH_LISTEN_PORT env var in docker app.ini template (#7829)
Signed-off-by: leigh capili <leigh@null.net>
2019-08-24 01:44:24 +02:00
Christopher Thomas 75d4414386 Implement the ability to change the ssh port to match what is in the gitea config (#7286)
* - rearrange the templates to make it more logical because now ssh_config is a template
- implemented the updating of the port to the same as the port sent to the gitea config

* change the filename back
2019-07-06 21:57:53 -04:00
Marat Radchenko e07ff2f890 [docker] Add LFS_START_SERVER option to control git-lfs support (#7281) 2019-06-24 01:33:56 -04:00
Sergey Dryabzhinsky 3fd18838aa Repository avatars (#6986)
* Repository avatars

- first variant of code from old work for gogs
- add migration 87
- add new option in app.ini
- add en-US locale string
- add new class in repository.less

* Add changed index.css, remove unused template name

* Update en-us doc about configuration options

* Add comments to new functions, add new option to docker app.ini

* Add comment for lint

* Remove variable, not needed

* Fix formatting

* Update swagger api template

* Check if avatar exists

* Fix avatar link/path checks

* Typo

* TEXT column can't have a default value

* Fixes:

- remove old avatar file on upload
- use ID in name of avatar file - users may upload same files
- add simple tests

* Fix fmt check

* Generate PNG instead of "static" GIF

* More informative comment

* Fix error message

* Update avatar upload checks:

- add file size check
- add new option
- update config docs
- add new string to en-us locale

* Fixes:

- use FileHeader field to check file size
- add new test - upload big image

* Fix formatting

* Update comments

* Update log message

* Removed wrong style - not needed

* Use Sync2 to migrate

* Update repos list view

- bigger avatar
- fix html blocks alignment

* A little adjust avatar size

* Use small icons for explore/repo list

* Use new cool avatar preparation func by @lafriks

* Missing changes for new function

* Remove unused import, move imports

* Missed new option definition in app.ini

Add file size check in user/profile avatar upload

* Use smaller field length for Avatar

* Use session to update repo DB data, update DeleteAvatar - use session too

* Fix err variable definition

* As suggested @lafriks - return as soon as possible, code readability
2019-05-29 22:22:26 -04:00
Jakob Ackermann 36b68fdb01 [docker] support for custom GITEA_CUSTOM env var (#6608) 2019-05-13 18:19:37 -04:00
Jakob Ackermann dab38c375d [docker] drop the docker Makefile from the image (#6507) 2019-05-05 22:49:32 -04:00