forked from thomiceli/opengist
Commit
Showing 10 changed files with 324 additions and 194 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# Fail2ban setup | ||
|
||
Fail2ban can be used to ban IPs that try to bruteforce the login page. | ||
Log level must be set at least to `warn`. | ||
|
||
Add this filter in `etc/fail2ban/filter.d/opengist.conf` : | ||
```ini | ||
[Definition] | ||
failregex = Invalid .* authentication attempt from <HOST> | ||
ignoreregex = | ||
``` | ||
|
||
Add this jail in `etc/fail2ban/jail.d/opengist.conf` : | ||
```ini | ||
[opengist] | ||
enabled = true | ||
filter = opengist | ||
logpath = /home/*/.opengist/log/opengist.log | ||
maxretry = 10 | ||
findtime = 3600 | ||
bantime = 600 | ||
banaction = iptables-allports | ||
port = anyport | ||
``` | ||
|
||
Then run | ||
```shell | ||
service fail2ban restart | ||
``` |
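Review bot: the config paths on the "Add this filter in" and "Add this jail in" lines are relative (`etc/fail2ban/filter.d/opengist.conf`, `etc/fail2ban/jail.d/opengist.conf`); they should be `/etc/fail2ban/filter.d/opengist.conf` and `/etc/fail2ban/jail.d/opengist.conf`, otherwise a reader following the doc literally writes the files into the current directory and fail2ban never loads them. On the jail itself: when Opengist runs behind the Nginx reverse proxy documented in this same commit, the doc should state which address Opengist writes into the "Invalid ... authentication attempt from" log line; if it is the connecting socket's address, `<HOST>` captures `127.0.0.1` and the ban cuts off the proxy instead of the client. `port = anyport` is not a fail2ban keyword, and with `banaction = iptables-allports` the port setting is ignored anyway, so drop the line or give a real port list. `logpath = /home/*/.opengist/log/opengist.log` assumes the default `opengist-home`; mention that it has to follow the configured value. The `failregex` is unanchored and uses a greedy `.*`; anchoring it to the start of the message keeps it from matching unrelated lines that happen to contain the same words.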
@@ -0,0 +1,22 @@ | ||
# Use Nginx as a reverse proxy | ||
|
||
Configure Nginx to proxy requests to Opengist. Here is an example configuration file : | ||
``` | ||
server { | ||
listen 80; | ||
server_name opengist.example.com; | ||
location / { | ||
proxy_pass https://127.0.0.1:6157; | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
} | ||
} | ||
``` | ||
|
||
Then run : | ||
```shell | ||
service nginx restart | ||
``` |
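Review bot: `proxy_pass https://127.0.0.1:6157;` targets Opengist's HTTP listener (`http.port` defaults to `6157` in the cheat sheet added in this commit, and the cheat sheet has no TLS setting for that listener), so Nginx would attempt a TLS handshake against a plain-HTTP socket and every request would fail with a 502; this should be `proxy_pass http://127.0.0.1:6157;`. The server block only has `listen 80`, while the OAuth callback URLs elsewhere in this commit are `https://opengist.domain/...`; either add a `listen 443 ssl` server with certificate directives or say that TLS termination is expected to be set up separately, because as written `X-Forwarded-Proto $scheme` will always forward `http`. The fenced block has no language tag where the other snippets use ```ini and ```shell; ```nginx would be consistent. Suggest running `nginx -t` before `service nginx restart` so a syntax error does not take the site down.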
@@ -0,0 +1,39 @@ | ||
# Use OAuth providers | ||
|
||
Opengist can be configured to use OAuth to authenticate users, with GitHub, Gitea, or OpenID Connect. | ||
|
||
## Github | ||
|
||
* Add a new OAuth app in your [Github account settings](https://github.com/settings/applications/new) | ||
* Set 'Authorization callback URL' to `https://opengist.domain/oauth/github/callback` | ||
* Copy the 'Client ID' and 'Client Secret' and add them to the [configuration](/docs/configuration/cheat-sheet.md) : | ||
```yaml | ||
github.client-key: <key> | ||
github.secret: <secret> | ||
``` | ||
|
||
|
||
## Gitea | ||
|
||
* Add a new OAuth app in Application settings from the [Gitea instance](https://gitea.com/user/settings/applications) | ||
* Set 'Redirect URI' to `https://opengist.domain/oauth/gitea/callback` | ||
* Copy the 'Client ID' and 'Client Secret' and add them to the [configuration](/docs/configuration/cheat-sheet.md) : | ||
```yaml | ||
gitea.client-key: <key> | ||
gitea.secret: <secret> | ||
# URL of the Gitea instance. Default: https://gitea.com/ | ||
gitea.url: https://localhost:3000 | ||
``` | ||
|
||
|
||
## OpenID Connect | ||
|
||
* Add a new OAuth app in Application settings of your OIDC provider | ||
* Set 'Redirect URI' to `https://opengist.domain/oauth/openid-connect/callback` | ||
* Copy the 'Client ID', 'Client Secret', and the discovery endpoint, and add them to the [configuration](/docs/configuration/cheat-sheet.md) : | ||
```yaml | ||
oidc.client-key: <key> | ||
oidc.secret: <secret> | ||
# Discovery endpoint of the OpenID provider. Generally something like https://auth.example.com/.well-known/openid-configuration | ||
oidc.discovery-url: https://auth.example.com/.well-known/openid-configuration | ||
``` |
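Review bot: all three YAML snippets put the OAuth client secret directly in the config file; the cheat sheet added in this commit exposes the same settings as environment variables (`OG_GITHUB_SECRET`, `OG_GITEA_SECRET`, `OG_OIDC_SECRET`), and this page should mention that alternative and that the YAML file must be readable only by the account Opengist runs as. The heading `## Github` should be `## GitHub` to match the intro sentence. In the Gitea snippet, `gitea.url: https://localhost:3000` is given without saying what it represents beyond the default in the comment; state that it is the base URL of the Gitea instance users will log in through. The callback URLs use the placeholder `opengist.domain`; note that the callback registered with the provider must match the public URL exactly (scheme, host and port), or the provider will reject the redirect.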
@@ -0,0 +1,25 @@ | ||
# Configuration Cheat Sheet | ||
|
||
| YAML Config Key | Environment Variable | Default value | Description | | ||
|-----------------------|--------------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------| | ||
| log-level | OG_LOG_LEVEL | `warn` | Set the log level to one of the following: `trace`, `debug`, `info`, `warn`, `error`, `fatal`, `panic`. | | ||
| external-url | OG_EXTERNAL_URL | none | Public URL for the Git HTTP/SSH connection. If not set, uses the URL from the request. | | ||
| opengist-home | OG_OPENGIST_HOME | home directory | Path to the directory where Opengist stores its data. | | ||
| db-filename | OG_DB_FILENAME | `opengist.db` | Name of the SQLite database file. | | ||
| sqlite.journal-mode | OG_SQLITE_JOURNAL_MODE | `WAL` | Set the journal mode for SQLite. More info [here](https://www.sqlite.org/pragma.html#pragma_journal_mode) | | ||
| http.host | OG_HTTP_HOST | `0.0.0.0` | The host on which the HTTP server should bind. | | ||
| http.port | OG_HTTP_PORT | `6157` | The port on which the HTTP server should listen. | | ||
| http.git-enabled | OG_HTTP_GIT_ENABLED | `true` | Enable or disable git operations (clone, pull, push) via HTTP. (`true` or `false`) | | ||
| ssh.git-enabled | OG_SSH_GIT_ENABLED | `true` | Enable or disable git operations (clone, pull, push) via SSH. (`true` or `false`) | | ||
| ssh.host | OG_SSH_HOST | `0.0.0.0` | The host on which the SSH server should bind. | | ||
| ssh.port | OG_SSH_PORT | `2222` | The port on which the SSH server should listen. | | ||
| ssh.external-domain | OG_SSH_EXTERNAL_DOMAIN | none | Public domain for the Git SSH connection, if it has to be different from the HTTP one. If not set, uses the URL from the request. | | ||
| ssh.keygen-executable | OG_SSH_KEYGEN_EXECUTABLE | `ssh-keygen` | Path to the SSH key generation executable. | | ||
| github.client-key | OG_GITHUB_CLIENT_KEY | none | The client key for the GitHub OAuth application. | | ||
| github.secret | OG_GITHUB_SECRET | none | The secret for the GitHub OAuth application. | | ||
| gitea.client-key | OG_GITEA_CLIENT_KEY | none | The client key for the Gitea OAuth application. | | ||
| gitea.secret | OG_GITEA_SECRET | none | The secret for the Gitea OAuth application. | | ||
| gitea.url | OG_GITEA_URL | `https://gitea.com/` | The URL of the Gitea instance. | | ||
| oidc.client-key | OG_OIDC_CLIENT_KEY | none | The client key for the OpenID application. | | ||
| oidc.secret | OG_OIDC_SECRET | none | The secret for the OpenID application. | | ||
| oidc.discovery-url | OG_OIDC_DISCOVERY_URL | none | Discovery endpoint of the OpenID provider. | |
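Review bot: `http.host` and `ssh.host` both default to `0.0.0.0`, which binds every interface; the Nginx document in this same commit proxies to `127.0.0.1:6157`, so the cheat sheet should say that `http.host` can be set to `127.0.0.1` in that deployment so the application port is not reachable directly next to the proxy. The description of `external-url` ("If not set, uses the URL from the request") means the value is derived from the incoming `Host` header; worth stating that operators behind a proxy should set it explicitly rather than rely on the header. `ssh.keygen-executable` is a path to a binary that Opengist will execute; document that it should be an absolute path and that the config file and the service environment (`OG_SSH_KEYGEN_EXECUTABLE`) need the same write protection as the rest of the configuration. Minor: the `sqlite.journal-mode` description is the only one without a closing period.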