gitolite/doc/2-admin.mkd

# administering and running gitolite

*Note*: some of the paths in this document use variable names.  Just refer to
`~/.gitolite.rc` for the correct values for *your* installation.

In this document:

  * administer
      * adding users and repos
      * specifying gitweb and daemon access
      * custom hooks
      * custom git config

### administer

First of all, ***do NOT add new repos manually***, unless you know how to add
the required hook as well.  Without the hook, branch-level access control will
not work for that repo, which sorta defeats the idea of using gitolite :-)

Please read on to see how to do this correctly.

#### adding users and repos

  * ask each user who will get access to send you a public key.  See other
    sources (for example [here][genpub]) for how to do this

[genpub]: http://sitaramc.github.com/0-installing/2-access-gitolite.html#generating_a_public_key

  * rename each public key according to the user's name, with a `.pub`
    extension, like `sitaram.pub` or `john-smith.pub`.  You can also use
    periods and underscores

  * copy all these `*.pub` files to `keydir` in your gitolite-admin repo clone

  * edit the config file (`conf/gitolite.conf` in your admin repo clone).  See
    `conf/example.conf` in the gitolite source for details on what goes in
    that file, syntax, etc.  Just add new repos as needed, and add new users
    and give them permissions as required.  The users names should be exactly
    the same as their keyfile names, but without the `.pub` extension

  * when done, commit your changes and push

#### specifying gitweb and daemon access

This is a feature that I personally do not use (corporate environments don't
like unauthenticated access of any kind to any repo!), but someone wanted it,
so here goes.

To make a repo or repo group accessible via "git daemon", just give read
permission to the special user "daemon".  See the [faq, tips, etc][ss]
document for easy ways to specify access for multiple repositories.

[ss]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd#gwd

There's a special user called "gitweb" also, which works the same way.
However, setting a description for the project also enables gitweb permissions
so you may as well use that method and kill two birds with one stone, like so:

    gitolite = "fast, secure, access control for git in a corporate environment"

You can also specify an owner for gitweb to show, if you like:

    gitolite "Sitaram Chamarty" = "fast, secure, access control for git in a corporate environment"

Note that gitolite does **not** install or configure gitweb/daemon -- that is
a one-time setup you must do separately.  All this does is:

  * for daemon, create the file `git-daemon-export-ok` in the repository
  * for gitweb, add the repo (plus owner name, if given) to the list of
    projects to be served by gitweb (see the config file variable
    `$PROJECTS_LIST`, which should have the same value you specified for
    `$projects_list` when setting up gitweb)
  * put the description, if given, in `$repo/description`

The "compile" script will keep these files consistent with the config settings
-- this includes removing such settings/files if you remove "read" permissions
for the special usernames or remove the description line.

#### custom hooks

If you want to put in your own, custom, hooks every time a new repo is created
by gitolite, put a **tested** hook script in `src/hooks`.  As distributed, the
only file there is the `update` hook, but everything (*everything*) in that
directory will get copied to the `hooks/` subdirectory of every *new* repo
created.

In order to push a new or updated hook script to *existing* repos as well,
just run easy install once again; it'll do it to existing repos also.

**VERY IMPORTANT SECURITY NOTE:  the `update` hook in `src/hooks` is what
implements all the branch-level permissions in gitolite.  If you fiddle with
the hooks directory, please make sure you do not mess with this file
accidentally, or all your fancy per-branch permissions will stop working.**

#### custom git config

The custom hooks feature is a blunt instrument -- all repos get the hook you
specified and will run it.  In order to make it a little more fine-grained,
you could set your hooks to only work if a certain "gitconfig" variable was
set.  Which means we now need a way to specify "git config" settings on a per
repository basis.

Thanks to Teemu (teemu dot matilainen at iki dot fi), gitolite now does this
very easily.  For security reasons, this can only be done from the master
config file (i.e., if you're using delegation, the delegated admins cannot
specify git config settings).

Please see `conf/example.conf` for syntax.  Note that this only supports the
basic forms of the "git config" command:

    git config              section.key value   # value may be an empty string
    git config --unset-all  section.key

It does not (currently) support other options like `--add`, the `value_regex`,
etc.
doc changes after split 2009-08-27 11:54:23 +02:00			`# administering and running gitolite`

doc fixes: - install is even clearer now (I hope!), esp to people with root access who seem to expect something else :) - used path vars (from ~/.gitolite.rc) more consistently, and - added refeerences to ~/.gitolite.rc for resolving them 2009-08-30 08:38:54 +02:00			`Note: some of the paths in this document use variable names. Just refer to`
			`~/.gitolite.rc` for the correct values for your installation.
admin doc: clarified the instructions a little more ...it seems some admins are, well, not quite ready to be admins :) (also some minor typo fixes slipped in) 2009-08-29 07:21:48 +02:00
all src: (please read full commit message): allow local admin-defined hooks You can now add your own hooks into src/hooks/ and they get propagated along with the update hook that is present there now. Please read the new section in the admin document, and make sure you understand the security implications of accidentally fiddling with the "update" script. This also prompted a major rename spree of all the files to be consistent, etc. Plus people said that the .sh and .pl suffixes should be avoided (and I was feeling the same way). I've also been inconsistent with that "gl-" prefix, so I cleaned that up, and the 00- and 99- were also funny animals. Time to get all this cleaned up before we get 1.0 :) So these are the changes, in case you're looking at just the commit message and not the diffstat: src/pta-hook.sh -> src/ga-post-update-hook src/conf-convert.pl -> src/gl-conf-convert src/00-easy-install.sh -> src/gl-easy-install src/99-emergency-addkey.sh -> src/gl-emergency-addkey src/install.pl -> src/gl-install src/update-hook.pl -> src/hooks/update 2009-11-13 00:33:09 +01:00			`In this document:`

			`* administer`
			`* adding users and repos`
			`* specifying gitweb and daemon access`
			`* custom hooks`
document repo config support 2009-12-09 07:46:22 +01:00			`* custom git config`
all src: (please read full commit message): allow local admin-defined hooks You can now add your own hooks into src/hooks/ and they get propagated along with the update hook that is present there now. Please read the new section in the admin document, and make sure you understand the security implications of accidentally fiddling with the "update" script. This also prompted a major rename spree of all the files to be consistent, etc. Plus people said that the .sh and .pl suffixes should be avoided (and I was feeling the same way). I've also been inconsistent with that "gl-" prefix, so I cleaned that up, and the 00- and 99- were also funny animals. Time to get all this cleaned up before we get 1.0 :) So these are the changes, in case you're looking at just the commit message and not the diffstat: src/pta-hook.sh -> src/ga-post-update-hook src/conf-convert.pl -> src/gl-conf-convert src/00-easy-install.sh -> src/gl-easy-install src/99-emergency-addkey.sh -> src/gl-emergency-addkey src/install.pl -> src/gl-install src/update-hook.pl -> src/hooks/update 2009-11-13 00:33:09 +01:00
doc changes after split 2009-08-27 11:54:23 +02:00			`### administer`

doc warnings: doc/admin: add warning about creating repos manually! doc/4: add warning on compile errors when using p-t-a 2009-09-16 06:46:11 +02:00			`First of all, *do NOT add new repos manually*, unless you know how to add`
			`the required hook as well. Without the hook, branch-level access control will`
			`not work for that repo, which sorta defeats the idea of using gitolite :-)`

			`Please read on to see how to do this correctly.`

			`#### adding users and repos`

doc changes after split 2009-08-27 11:54:23 +02:00			`* ask each user who will get access to send you a public key. See other`
doc/src: major doc/help text revamp also removed some dead code from compile (pre PTA days) 2009-10-30 16:55:06 +01:00			`sources (for example [here][genpub]) for how to do this`

			`[genpub]: http://sitaramc.github.com/0-installing/2-access-gitolite.html#generating_a_public_key`
admin doc: clarify why authkeys is needed and what it does I was very insistently told by a user that I should just create the file if it does not exist, but this is as far as I am willing to go 2009-08-30 17:49:36 +02:00
admin doc: clarified the instructions a little more ...it seems some admins are, well, not quite ready to be admins :) (also some minor typo fixes slipped in) 2009-08-29 07:21:48 +02:00			* rename each public key according to the user's name, with a `.pub`
			extension, like `sitaram.pub` or `john-smith.pub`. You can also use
			`periods and underscores`
admin doc: clarify why authkeys is needed and what it does I was very insistently told by a user that I should just create the file if it does not exist, but this is as far as I am willing to go 2009-08-30 17:49:36 +02:00
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			* copy all these `*.pub` files to `keydir` in your gitolite-admin repo clone
admin doc: clarify why authkeys is needed and what it does I was very insistently told by a user that I should just create the file if it does not exist, but this is as far as I am willing to go 2009-08-30 17:49:36 +02:00
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			* edit the config file (`conf/gitolite.conf` in your admin repo clone). See
			`conf/example.conf` in the gitolite source for details on what goes in
			`that file, syntax, etc. Just add new repos as needed, and add new users`
			`and give them permissions as required. The users names should be exactly`
			the same as their keyfile names, but without the `.pub` extension
doc warnings: doc/admin: add warning about creating repos manually! doc/4: add warning on compile errors when using p-t-a 2009-09-16 06:46:11 +02:00
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`* when done, commit your changes and push`
doc warnings: doc/admin: add warning about creating repos manually! doc/4: add warning on compile errors when using p-t-a 2009-09-16 06:46:11 +02:00
compile, all docs/confs: specify gitweb/daemon access + bonus bonus: documented the "bits and pieces" thing properly; should have done this long ago, but it came to the forefront now thanks to this item 2009-09-25 08:47:33 +02:00			`#### specifying gitweb and daemon access`

			`This is a feature that I personally do not use (corporate environments don't`
			`like unauthenticated access of any kind to any repo!), but someone wanted it,`
			`so here goes.`

doc/2: add docs for gitweb description, plus some minor cleanup 2009-11-12 14:23:49 +01:00			`To make a repo or repo group accessible via "git daemon", just give read`
			`permission to the special user "daemon". See the [faq, tips, etc][ss]`
			`document for easy ways to specify access for multiple repositories.`
doc/src: major doc/help text revamp also removed some dead code from compile (pre PTA days) 2009-10-30 16:55:06 +01:00
			`[ss]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd#gwd`
compile, all docs/confs: specify gitweb/daemon access + bonus bonus: documented the "bits and pieces" thing properly; should have done this long ago, but it came to the forefront now thanks to this item 2009-09-25 08:47:33 +02:00
doc/2: add docs for gitweb description, plus some minor cleanup 2009-11-12 14:23:49 +01:00			`There's a special user called "gitweb" also, which works the same way.`
			`However, setting a description for the project also enables gitweb permissions`
			`so you may as well use that method and kill two birds with one stone, like so:`
compile, all docs/confs: specify gitweb/daemon access + bonus bonus: documented the "bits and pieces" thing properly; should have done this long ago, but it came to the forefront now thanks to this item 2009-09-25 08:47:33 +02:00
doc/2: add docs for gitweb description, plus some minor cleanup 2009-11-12 14:23:49 +01:00			`gitolite = "fast, secure, access control for git in a corporate environment"`

docs: document how to specify "owner" for gitweb 2009-11-27 09:17:21 +01:00			`You can also specify an owner for gitweb to show, if you like:`

			`gitolite "Sitaram Chamarty" = "fast, secure, access control for git in a corporate environment"`

doc/2: add docs for gitweb description, plus some minor cleanup 2009-11-12 14:23:49 +01:00			`Note that gitolite does not install or configure gitweb/daemon -- that is`
			`a one-time setup you must do separately. All this does is:`

			* for daemon, create the file `git-daemon-export-ok` in the repository
docs: document how to specify "owner" for gitweb 2009-11-27 09:17:21 +01:00			`* for gitweb, add the repo (plus owner name, if given) to the list of`
			`projects to be served by gitweb (see the config file variable`
			`$PROJECTS_LIST`, which should have the same value you specified for
			`$projects_list` when setting up gitweb)
doc/2: add docs for gitweb description, plus some minor cleanup 2009-11-12 14:23:49 +01:00			* put the description, if given, in `$repo/description`
compile, all docs/confs: specify gitweb/daemon access + bonus bonus: documented the "bits and pieces" thing properly; should have done this long ago, but it came to the forefront now thanks to this item 2009-09-25 08:47:33 +02:00
lots of doc changes reflecting "push to admin" is default now :) - added comments to easy install to help do it manually - README: some stuff moved to tips doc, brief summary of extras (over gitosis) added - INSTALL: major revamp, easy install and manual install, much shorter and much more readable! plus other docs changed as needed, and updated the tips doc to roll in some details from "update.mkd" in the "ml" branch 2009-10-11 05:01:59 +02:00			`The "compile" script will keep these files consistent with the config settings`
doc/2: add docs for gitweb description, plus some minor cleanup 2009-11-12 14:23:49 +01:00			`-- this includes removing such settings/files if you remove "read" permissions`
			`for the special usernames or remove the description line.`
all src: (please read full commit message): allow local admin-defined hooks You can now add your own hooks into src/hooks/ and they get propagated along with the update hook that is present there now. Please read the new section in the admin document, and make sure you understand the security implications of accidentally fiddling with the "update" script. This also prompted a major rename spree of all the files to be consistent, etc. Plus people said that the .sh and .pl suffixes should be avoided (and I was feeling the same way). I've also been inconsistent with that "gl-" prefix, so I cleaned that up, and the 00- and 99- were also funny animals. Time to get all this cleaned up before we get 1.0 :) So these are the changes, in case you're looking at just the commit message and not the diffstat: src/pta-hook.sh -> src/ga-post-update-hook src/conf-convert.pl -> src/gl-conf-convert src/00-easy-install.sh -> src/gl-easy-install src/99-emergency-addkey.sh -> src/gl-emergency-addkey src/install.pl -> src/gl-install src/update-hook.pl -> src/hooks/update 2009-11-13 00:33:09 +01:00
			`#### custom hooks`

			`If you want to put in your own, custom, hooks every time a new repo is created`
			by gitolite, put a tested hook script in `src/hooks`. As distributed, the
			only file there is the `update` hook, but everything (everything) in that
			directory will get copied to the `hooks/` subdirectory of every new repo
			`created.`

			`In order to push a new or updated hook script to existing repos as well,`
			`just run easy install once again; it'll do it to existing repos also.`

			**VERY IMPORTANT SECURITY NOTE: the `update` hook in `src/hooks` is what
			`implements all the branch-level permissions in gitolite. If you fiddle with`
			`the hooks directory, please make sure you do not mess with this file`
			`accidentally, or all your fancy per-branch permissions will stop working.**`
document repo config support 2009-12-09 07:46:22 +01:00
			`#### custom git config`

			`The custom hooks feature is a blunt instrument -- all repos get the hook you`
			`specified and will run it. In order to make it a little more fine-grained,`
			`you could set your hooks to only work if a certain "gitconfig" variable was`
			`set. Which means we now need a way to specify "git config" settings on a per`
			`repository basis.`

			`Thanks to Teemu (teemu dot matilainen at iki dot fi), gitolite now does this`
			`very easily. For security reasons, this can only be done from the master`
			`config file (i.e., if you're using delegation, the delegated admins cannot`
			`specify git config settings).`

			Please see `conf/example.conf` for syntax. Note that this only supports the
			`basic forms of the "git config" command:`

			`git config section.key value # value may be an empty string`
			`git config --unset-all section.key`

			It does not (currently) support other options like `--add`, the `value_regex`,
			`etc.`