2009-08-26 02:47:27 +02:00
|
|
|
# example conf file for gitolite
|
2009-08-23 07:59:07 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# ----------------------------------------------------------------------------
|
2009-08-24 06:37:33 +02:00
|
|
|
# overall syntax:
|
2009-11-12 13:58:08 +01:00
|
|
|
# - everything is space-separated; no commas, semicolons, etc (except in
|
|
|
|
# the description string for gitweb)
|
2009-08-24 06:37:33 +02:00
|
|
|
# - comments in the normal shell-ish style; no surprises there
|
2009-11-12 13:58:08 +01:00
|
|
|
# - there are NO continuation lines of any kind
|
2009-12-08 10:33:38 +01:00
|
|
|
# - user/repo names as simple as possible; they must start with an
|
|
|
|
# alphanumeric, but after that they can also contain ".", "_", "-".
|
|
|
|
# - usernames can optionally be followed by an "@" and a domainname
|
|
|
|
# containing at least one "." (this allows you to use an email
|
|
|
|
# address as someone's username)
|
|
|
|
# - reponames can contain "/" characters (this allows you to
|
|
|
|
# put your repos in a tree-structure for convenience)
|
2009-08-23 10:14:46 +02:00
|
|
|
|
2009-08-23 07:59:07 +02:00
|
|
|
# objectives, over and above gitosis:
|
|
|
|
# - simpler syntax
|
2009-09-25 08:47:33 +02:00
|
|
|
# - easier gitweb/daemon control
|
|
|
|
# - specify who can push a branch/tag
|
|
|
|
# - specify who can rewind a branch/rewrite a tag
|
|
|
|
|
2009-08-23 07:59:07 +02:00
|
|
|
# ----------------------------------------------------------------------------
|
2009-11-12 13:58:08 +01:00
|
|
|
|
|
|
|
# GROUPS
|
|
|
|
# ------
|
2009-08-24 06:37:33 +02:00
|
|
|
|
|
|
|
# syntax:
|
2009-11-12 13:58:08 +01:00
|
|
|
# @groupname = [one or more names]
|
2009-08-24 06:37:33 +02:00
|
|
|
|
2009-11-30 02:30:31 +01:00
|
|
|
# groups let you club (user or group) names together for convenience
|
|
|
|
|
|
|
|
# * a group is like a #define in C except that it can *accumulate* values
|
|
|
|
# * the config file is parsed in a single-pass, so later *additions* to a
|
|
|
|
# group name cannot affect earlier *uses* of it
|
|
|
|
|
|
|
|
# The following examples should illustrate all this:
|
2009-10-14 07:40:06 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# you can have a group of people...
|
|
|
|
@staff = sitaram some_dev another-dev
|
2009-10-14 07:40:06 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# ...or a group of repos
|
|
|
|
@oss_repos = gitolite linux git perl rakudo entrans vkc
|
2009-08-24 06:37:33 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# even sliced and diced differently
|
|
|
|
@admins = sitaram admin2
|
|
|
|
# notice that sitaram is in 2 groups (staff and admins)
|
2009-08-24 10:00:58 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# if you repeat a group name in another definition line, the
|
|
|
|
# new ones get added to the old ones (they accumulate)
|
|
|
|
@staff = au.thor
|
|
|
|
# so now "@staff" expands to all 4 names
|
2009-08-23 07:59:07 +02:00
|
|
|
|
2009-11-30 02:30:31 +01:00
|
|
|
# groups can include other groups, and the included group will
|
|
|
|
# be expanded to whatever value it currently has
|
2009-11-12 13:58:08 +01:00
|
|
|
@interns = indy james
|
|
|
|
@staff = bob @interns
|
|
|
|
# "@staff" expands to 7 names now
|
2009-11-30 02:30:31 +01:00
|
|
|
@interns = han
|
|
|
|
# "@interns" now has 3 names in it, but note that this does
|
|
|
|
# not change @staff
|
2009-09-15 17:37:00 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# REPO AND BRANCH PERMISSIONS
|
|
|
|
# ---------------------------
|
2009-10-14 07:40:06 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# syntax:
|
|
|
|
# start line:
|
|
|
|
# repo [one or more repos and/or repo groups]
|
|
|
|
# followed by one or more permissions lines:
|
|
|
|
# (R|RW|RW+) [zero or more refexes] = [one or more users]
|
2009-09-15 17:37:00 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# there are 3 types of permissions: R, RW, and RW+. The "+" means permission
|
|
|
|
# to "rewind" (force push a non-fast forward to) a branch
|
2009-08-24 06:37:33 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# how permissions are matched:
|
|
|
|
# - user, repo, and access (W or +) are known. For that combination, if
|
|
|
|
# any of the refexes match the refname being updated, the push succeeds.
|
|
|
|
# If none of them match, it fails
|
|
|
|
|
|
|
|
# what's a refex? a regex to match against the ref being updated (get it?)
|
2009-08-24 06:37:33 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# BASIC PERMISSIONS (repo level only; apply to all branches/tags in repo)
|
2009-08-23 07:59:07 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
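# most important rule of all -- specify who can make changes to *this* file
# take effect (that is, who can push to the gitolite-admin repo). Anyone
# listed here controls every other rule in this file, so keep the list short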
|
|
|
|
repo gitolite-admin
|
|
|
|
RW+ = @admins
|
2009-09-10 15:35:07 +02:00
|
|
|
|
2009-12-08 09:21:11 +01:00
|
|
|
# "@all" is a special, predefined, group name of all users
|
|
|
|
# (everyone who has a pubkey in keydir)
|
2009-11-12 13:58:08 +01:00
|
|
|
repo testing
|
|
|
|
RW+ = @all
|
2009-08-24 06:37:33 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# this repo is visible to staff but only sitaram can write to it
|
|
|
|
repo gitolite
|
|
|
|
R = @staff
|
|
|
|
RW+ = sitaram
|
|
|
|
|
|
|
|
# you can split up access rules for a repo as convenient
|
|
|
|
# (notice that @oss_repos contains gitolite also)
|
|
|
|
repo @oss_repos
|
|
|
|
R = @all
|
|
|
|
|
2009-12-21 00:55:45 +01:00
|
|
|
# set permissions to all already defined repos
|
|
|
|
# (a repository is defined if it has permission rules
|
|
|
|
# associated, empty "repo" stanza or "@group=..." line is
|
2009-12-21 18:28:47 +01:00
|
|
|
# not enough). *Please* do see doc/3-faq-tips-etc.mkd for
|
|
|
|
# some important notes on this feature
|
2009-12-21 00:55:45 +01:00
|
|
|
repo @all
|
|
|
|
RW+ = @admins
|
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# ADVANCED PERMISSIONS USING REFEXES
|
2009-09-16 16:22:03 +02:00
|
|
|
|
|
|
|
# - refexes are specified in perl regex syntax
|
2009-12-01 02:45:05 +01:00
|
|
|
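# - refexes are matched without any anchoring, which means a refex like
# "refs/tags/v[0-9]" matches anything *containing* that pattern. There
# may be text before and after it (example: refs/tags/v4-r3p7), and it
# will still match. So a rule grants access to every ref that contains
# its refex, not just the one you had in mind: a refex of "master" also
# covers a branch named "master-old". End the refex with "$" (as in the
# "cogito$" example below) when the rule is meant for exactly one ref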
|
2009-09-16 16:22:03 +02:00
|
|
|
# - if no refex appears, the rule applies to all refs in that repo
|
|
|
|
# - a refex is automatically prefixed by "refs/heads/" if it doesn't start
|
|
|
|
# with "refs/" (so tags have to be explicitly named as
|
|
|
|
# refs/tags/pattern)
|
2009-08-23 07:59:07 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# here's the example from
|
|
|
|
# Documentation/howto/update-hook-example.txt:
|
2009-08-23 07:59:07 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# refs/heads/master junio
|
|
|
|
# +refs/heads/pu junio
|
|
|
|
# refs/heads/cogito$ pasky
|
|
|
|
# refs/heads/bw/.* linus
|
|
|
|
# refs/heads/tmp/.* .*
|
|
|
|
# refs/tags/v[0-9].* junio
|
2009-09-16 16:22:03 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# and here're the equivalent gitolite refexes
|
|
|
|
repo git
|
|
|
|
RW master = junio
|
|
|
|
RW+ pu = junio
|
|
|
|
RW cogito$ = pasky
|
|
|
|
RW bw/ = linus
|
|
|
|
RW tmp/ = @all
|
|
|
|
RW refs/tags/v[0-9] = junio
|
2009-09-16 16:22:03 +02:00
|
|
|
|
2009-12-01 02:45:05 +01:00
|
|
|
# DENY/EXCLUDE RULES
|
2009-09-18 14:33:53 +02:00
|
|
|
|
2009-12-01 02:45:05 +01:00
|
|
|
# ***IMPORTANT NOTE: if you use deny rules, the order of the rules also makes
|
|
|
|
# a difference, where earlier it did not. Please review your ruleset
|
2009-12-05 10:11:08 +01:00
|
|
|
# carefully or test it. In particular, do not use `@all` in a deny rule -- it
|
|
|
|
# won't work as you might expect***.
|
2009-09-18 14:33:53 +02:00
|
|
|
|
|
|
|
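# in the example above, you cannot easily say "anyone can write any tag,
# except version tags can only be written by junio". The following might look
# like it works but it doesn't, because the refex on the second line
# (refs/tags/) also matches version tags, so everyone listed there can still
# write them: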
|
|
|
|
|
|
|
|
# RW refs/tags/v[0-9] = junio
|
|
|
|
# RW refs/tags/ = junio linus pasky @others
|
|
|
|
|
2009-12-01 02:45:05 +01:00
|
|
|
# if you use "deny" rules, however, you can do this (a "deny" rule just uses
|
|
|
|
# "-" instead of "R" or "RW" or "RW+" in the permission field)
|
2009-09-18 14:33:53 +02:00
|
|
|
|
|
|
|
RW refs/tags/v[0-9] = junio
|
|
|
|
- refs/tags/v[0-9] = linus pasky @others
|
|
|
|
RW refs/tags/ = junio linus pasky @others
|
|
|
|
|
|
|
|
# Briefly, the rule is: rules are checked in order, and the first one whose
# refex matches and whose permission field has either the operation you're
# looking for (`W` or `+`) or a minus (`-`) decides the outcome: success or
# failure, respectively. A fallthrough (no such rule) also results in failure
|
2009-10-14 07:40:06 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# GITWEB AND DAEMON STUFF
|
|
|
|
# -----------------------
|
2009-08-23 07:59:07 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# No specific syntax for gitweb and daemon access; just make the repo readable
|
|
|
|
# ("R" access) to the special users "gitweb" and "daemon"
|
2009-10-14 07:40:06 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# make "@oss_repos" (all 7 of them!) accessible via git daemon
|
|
|
|
repo @oss_repos
|
|
|
|
R = daemon
|
2009-08-23 07:59:07 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# make the two *large* repos accessible via gitweb
|
|
|
|
repo linux perl
|
|
|
|
R = gitweb
|
2009-10-14 07:40:06 +02:00
|
|
|
|
2009-11-27 09:17:21 +01:00
|
|
|
# REPO OWNER/DESCRIPTION LINE FOR GITWEB
|
2009-08-23 07:59:07 +02:00
|
|
|
|
2009-11-27 09:17:21 +01:00
|
|
|
# syntax, one of:
|
2009-11-12 13:58:08 +01:00
|
|
|
# reponame = "some description string in double quotes"
|
2009-11-27 09:17:21 +01:00
|
|
|
# reponame "owner name" = "some description string in double quotes"
|
2009-09-25 08:47:33 +02:00
|
|
|
|
2009-11-12 13:58:08 +01:00
|
|
|
# note: setting a description also gives gitweb access; you do not have to
# give gitweb access as described above if you're specifying a description.
# For the same reason, do not set a description on a repo that should not be
# visible in gitweb
|
2009-09-25 08:47:33 +02:00
|
|
|
|
2009-11-27 09:17:21 +01:00
|
|
|
gitolite "Sitaram Chamarty" = "fast, secure, access control for git in a corporate environment"
|
2009-12-09 07:46:22 +01:00
|
|
|
|
|
|
|
# REPO SPECIFIC GITCONFIG
|
|
|
|
# -----------------------
|
|
|
|
|
|
|
|
# (Thanks to teemu dot matilainen at iki dot fi)
|
|
|
|
|
|
|
|
# this should be specified within a "repo" stanza
|
|
|
|
|
|
|
|
# syntax:
|
|
|
|
# config sectionname.keyname = [optional value_string]
|
|
|
|
|
|
|
|
# example usage: if you placed a hook in src/hooks that requires configuration
|
|
|
|
# information that is specific to each repo, you could do this:
|
|
|
|
|
|
|
|
repo gitolite
|
|
|
|
config hooks.mailinglist = gitolite-commits@example.tld
|
|
|
|
config hooks.emailprefix = "[gitolite] "
|
|
|
|
config foo.bar = ""
|
|
|
|
config foo.baz =
|
|
|
|
|
|
|
|
# This does either a plain "git config section.key value" (for the first 3
|
|
|
|
# examples above) or "git config --unset-all section.key" (for the last
|
|
|
|
# example). Other forms (--add, the value_regex, etc) are not supported.
|
2009-12-23 15:26:53 +01:00
|
|
|
|
|
|
|
# SHELL ACCESS
|
|
|
|
# ------------
|
|
|
|
|
|
|
|
# It is possible to give certain users shell access as well as allow them to
|
|
|
|
# use gitolite features for their git repo access. The idea is to eliminate
|
|
|
|
# the need for 2 keys when both shell and gitolite access are needed.
|
|
|
|
|
|
|
|
# To give a user shell access, add the username to the special @SHELL group:
|
|
|
|
|
|
|
|
@SHELL = sitaram
|
|
|
|
|
|
|
|
# Do not add people to this group indiscriminately. AUDITABILITY OF ACCESS
|
|
|
|
# CONTROL CHANGES (AND OF REPO ACCESSES) WILL BE COMPROMISED IF ADMINS CAN
|
|
|
|
# FIDDLE WITH THE ACTUAL (PLAIN TEXT) LOG FILES THAT GITOLITE KEEPS, WHICH
|
|
|
|
# THEY CAN EASILY DO IF THEY HAVE A SHELL.
|