path: root/docs/man/gitolfs3-server.1
blob: e1d870e3c4a574f5744813d0e0e8e80dbefe8a02
.TH GITOLFS3-SERVER 1 2024-10-22 Gitolfs3 "Gitolfs3 Manual"
.SH NAME
gitolfs3-server \- Gitolfs3 Git LFS server
.SH SYNOPSIS
.B gitolfs3-server
.SH DESCRIPTION
.B gitolfs3-server
is the Gitolfs3 Git LFS server. It is primarily configured using environment
variables; a complete reference of these variables is given under
ENVIRONMENT VARIABLES below.

.B Important note:
The working directory of the Gitolfs3 server must be the directory containing
all bare Git repositories, since repositories are looked up relative to it.
If it is set incorrectly, no repository is recognized and every request fails.

The Gitolfs3 server uses S3-compatible services as backing storage.
Within the configured S3 bucket, objects are laid out as follows, mirroring the
\fIlfs/objects\fR layout a Git LFS client uses locally:
.IP
.TS
tab(%);
l l
l l
l l
l l
l l.
lfs-test.git/               % repository name                   
  lfs/objects/              % namespace                         
    4e/                     % first byte of the object ID (OID) 
      7b/                   % second byte of the OID            
        4e7bfdb[...]11ce013 % OID (SHA256)                      
.TE
.P
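The following shell function, added here as an illustration and not part of
Gitolfs3, derives the object key for a given repository and OID according to
the layout above and rejects inputs that would escape the repository's own
prefix. The function name, and the rules that a repository name is a path
relative to the working directory, must end in \fI.git\fR and may not contain
an empty, '.' or '..' component, are this example's own assumptions; the OID
used in the demonstration is constructed, since the one in the table is
abbreviated.

```shell
#!/bin/sh
# Added example, not Gitolfs3 code: build the S3 object key for one LFS
# object from the repository name and the object ID (OID), following
# <repo>.git/lfs/objects/<b0>/<b1>/<oid> as shown in the manual.
# Assumptions of this example: repository names are paths relative to the
# server's working directory, must end in .git, and may not contain an
# empty, '.' or '..' component.

lfs_object_key() {
    repo=$1
    oid=$2
    # Reject anything that could point outside the repository's own prefix.
    case $repo in
        ''|/*|*/|*//*|.|..|./*|../*|*/.|*/..|*/./*|*/../*) return 1 ;;
    esac
    # Only bare repositories named <something>.git are served.
    case $repo in
        *.git) ;;
        *) return 1 ;;
    esac
    # A Git LFS OID is the SHA-256 of the content as 64 lowercase hex chars;
    # anything else (uppercase, short, non-hex) is rejected before it can
    # become part of a key.
    printf '%s' "$oid" | grep -Eq '^[0-9a-f]{64}$' || return 1
    b0=$(printf '%s' "$oid" | cut -c1-2)
    b1=$(printf '%s' "$oid" | cut -c3-4)
    printf '%s/lfs/objects/%s/%s/%s\n' "$repo" "$b0" "$b1" "$oid"
}

# Demonstration with a constructed OID (7 hex chars, 50 zeros, 7 hex chars):
# the OID in the manual's table is abbreviated, so this one is made up.
DEMO_OID=$(printf '4e7bfdb%050d11ce013' 0)
lfs_object_key lfs-test.git "$DEMO_OID"
```

The key is built only after both inputs have been validated, so a repository
name such as \fI../other.git\fR or an OID that is not 64 lowercase hex
characters never reaches the storage layer.
.P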
Public and private repositories are distinguished by the presence of a
\fIgit-daemon-export-ok\fR file in the bare repository.
Unauthenticated users accessing the service over the public internet may
download objects from public repositories only.
Unauthenticated users accessing the service over a trusted network may
download objects from every repository, private ones included.
Only authenticated users are authorized to upload objects.
Whether a request is considered to come from a trusted network is decided
from its X-Forwarded-Host header; for the details, and for the reverse-proxy
requirements this places on a deployment, see the documentation for the
environment variable
.BR GITOLFS3_TRUSTED_FORWARDED_HOSTS .

This server can be used in combination with the Gitolfs3 Git LFS authentication
agent (see
.BR gitolfs3-authenticate ).
For more information, please see the documentation for the environment variable
.BR GITOLFS3_KEY_PATH .
.SH ENVIRONMENT VARIABLES
.TP
.B GITOLFS3_S3_SECRET_ACCESS_KEY_FILE
.B Required.
Path to a file containing the Secret Access Key for the configured S3 service.
.TP
.B GITOLFS3_S3_ACCESS_KEY_ID_FILE
.B Required.
Path to a file containing the Access Key ID for the configured S3 service.
.TP
.B GITOLFS3_S3_REGION
.B Required.
The S3 region which the configured bucket is in.
.TP
.B GITOLFS3_S3_ENDPOINT
.B Required.
The S3 endpoint to use.
Whether using Amazon S3 or another provider, this URL must always be provided.
In the case of Scaleway Object Storage, this may look like
\fIhttps://s3.nl-ams.scw.cloud\fR for the region \fInl-ams\fR.
.TP
.B GITOLFS3_S3_BUCKET
.B Required.
The S3 bucket to use.
It must be in the configured region (see
.BR GITOLFS3_S3_REGION
and
.BR GITOLFS3_S3_ENDPOINT ).
.TP
.B GITOLFS3_BASE_URL
.B Required.
The base URL under which the Gitolfs3 server itself runs.
It must be the URL under which clients reach the server (after any reverse
proxy), as the server uses it to generate absolute URLs that refer back to
itself.
.TP
.B GITOLFS3_KEY_PATH
.B Required.
Path to the key that is used to generate and verify the tags (MACs) on
requests.
The file must contain a 128-character hexadecimal string, i.e., a 64-byte key.
Such a key can, for example, be generated using OpenSSL, with the following
command:

	openssl rand -hex 64

The key must be identical to the one used by
.BR gitolfs3-authenticate (1),
if that agent is used.
Anyone who can read this key can forge valid request tags, so the file must be
readable by the server only.
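
The following shell functions, added as an illustration and not part of
Gitolfs3, create a key file with the command above and check an existing one
before the server is started: the content must be 128 lowercase hex
characters, the file must not be readable by group or others, and the server's
and the agent's copies must be identical. The function names, the permission
rule and the demonstration key are this example's own; the demonstration key
is constructed and not random, and must never be used for a real deployment.

```shell
#!/bin/sh
# Added example, not Gitolfs3 code: create and check the MAC key file that
# GITOLFS3_KEY_PATH points to. Function names are this example's own.
# The key must be 64 bytes, stored as 128 lowercase hex characters, and
# the same content must be used by gitolfs3-authenticate(1).

# Create a new key file with the command the manual gives. The umask is
# restricted before any key material is written, so there is no window in
# which the file is group- or world-readable.
gitolfs3_keyfile_create() {
    ( umask 077 && openssl rand -hex 64 > "$1" )
}

# Check an existing key file. Returns 0 when it is usable and 1 otherwise,
# with the reason on stderr. A single trailing newline is tolerated.
gitolfs3_keyfile_check() {
    path=$1
    [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; }
    key=$(tr -d '\n' < "$path")
    if ! printf '%s' "$key" | grep -Eq '^[0-9a-f]{128}$'; then
        echo "$path: expected 128 lowercase hex characters (64 bytes), got ${#key} characters" >&2
        return 1
    fi
    # Anyone who can read the key can forge valid request tags, so the
    # file must not be readable by group or others (0600 or 0400).
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    case $mode in
        *00) ;;
        *) echo "$path: mode $mode is readable by group or others" >&2; return 1 ;;
    esac
}

# Confirm the server and the authentication agent share one key; a mismatch
# makes every tag verification fail rather than producing an obvious error.
gitolfs3_keyfile_same() {
    [ "$(tr -d '\n' < "$1")" = "$(tr -d '\n' < "$2")" ]
}

# Demonstration with a constructed, non-random key so it runs without
# openssl. Never use a key like this outside of a demonstration.
demo=$(mktemp)
printf '%s\n' "$(printf '%0128d' 0 | tr 0 a)" > "$demo"
chmod 600 "$demo"
gitolfs3_keyfile_check "$demo" && echo "$demo: key file ok"
rm -f "$demo"
```

Run \fIgitolfs3_keyfile_check\fR against \fBGITOLFS3_KEY_PATH\fR on the
server host and against the agent's copy, then \fIgitolfs3_keyfile_same\fR on
both, as a pre-start check.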
.TP
.B GITOLFS3_LISTEN_HOST
.B Required.
The host on which the Gitolfs3 server should listen.
.TP
.B GITOLFS3_LISTEN_PORT
.B Required.
The port on which the Gitolfs3 server should listen.
.TP
.B GITOLFS3_DOWNLOAD_LIMIT
.B Required.
The maximum number of object bytes that may be downloaded within the span of
an hour.

The server keeps the running byte count for the current hour in a file named
\fI.gitofls3-dlimit\fR in its working directory and resets the count every
hour.
The count is not reset when the server crashes, and the hourly reset only
happens while the server is running; if the server crashes and is restarted
repeatedly before an hour has elapsed, the count is therefore never reset and
the 'hour' becomes, in practice, unbounded.
Treat this feature as a coarse safeguard rather than a precise rate limit.

The main purpose of this feature is to prevent incurring unforeseen egress
costs.

.B Note:
Only requests from untrusted hosts are counted against this limit.
Requests from hosts listed in
.BR GITOLFS3_TRUSTED_FORWARDED_HOSTS
receive presigned URLs and download directly from the S3 service, so they are
not counted.
.TP
.B GITOLFS3_TRUSTED_FORWARDED_HOSTS
.B Optional.
A comma-separated list of hosts that are treated as 'trusted'.

If the X-Forwarded-Host header of a request matches one of the hosts in this
list, the request is granted read access to all repositories, regardless of
the presence of a \fIgit-daemon-export-ok\fR file.
Furthermore, download requests from such hosts receive presigned URLs instead
of being proxied through the Gitolfs3 server, and they are not counted against
.BR GITOLFS3_DOWNLOAD_LIMIT .

.B Security note:
X-Forwarded-Host is an ordinary request header that any client can send.
This mechanism is only safe when the Gitolfs3 server is reachable exclusively
through a reverse proxy that overwrites this header (rather than passing a
client-supplied value through) with the host the request actually arrived on.
If clients can reach the server directly, or the proxy forwards the header
unchanged, anyone can claim a trusted host and read every private repository.

.B Note:
There must be no space between the comma-separated items:
\fIa.example,b.example\fR is correct, \fIa.example, b.example\fR is not.
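
The following shell function, added here as an illustration and not part of
Gitolfs3, expresses the read-access rules from the DESCRIPTION and the
trusted-host matching described above as something that can be run against a
repository directory; it also rejects a list containing spaces, since such an
entry would never match. The function names, the exact case-sensitive
comparison of the X-Forwarded-Host value against list entries, and the result
words 'public', 'trusted' and 'denied' are this example's own assumptions; the
repositories in the demonstration are created on the spot.

```shell
#!/bin/sh
# Added example, not Gitolfs3 code: the read-access policy the manual
# describes, runnable against a bare repository directory. Function names,
# argument order and the result words are this example's own.
#
# gitolfs3_trusted_host <X-Forwarded-Host value or empty> <trusted list>
#   The list has the GITOLFS3_TRUSTED_FORWARDED_HOSTS format: comma-separated,
#   no spaces. The header value must come from a reverse proxy that overwrites
#   it; a client-supplied value makes this check meaningless.
gitolfs3_trusted_host() {
    host=$1
    list=$2
    # An empty header must never match: with an empty list ",," would
    # otherwise contain the empty entry ",,".
    [ -n "$host" ] || return 1
    case ",$list," in
        # "a, b" yields the entry " b", which can never match a hostname,
        # so a list with spaces is treated as a configuration error.
        *" "*) echo "trusted host list must not contain spaces" >&2; return 1 ;;
        # Exact, case-sensitive match against one whole entry (assumption of
        # this example).
        *",$host,"*) return 0 ;;
    esac
    return 1
}

# gitolfs3_read_access <repo dir> <X-Forwarded-Host value or empty> <trusted list>
#   Prints "trusted", "public" or "denied" for an unauthenticated download
#   request; returns 0 when access is granted and 1 otherwise.
gitolfs3_read_access() {
    repo=$1
    fwd_host=$2
    trusted=$3
    [ -d "$repo" ] || { echo denied; return 1; }
    if gitolfs3_trusted_host "$fwd_host" "$trusted"; then
        # Trusted network: every repository, served via presigned URLs and
        # not counted against GITOLFS3_DOWNLOAD_LIMIT.
        echo trusted
        return 0
    fi
    if [ -f "$repo/git-daemon-export-ok" ]; then
        # Public repository: download proxied by the server and counted
        # against the limit.
        echo public
        return 0
    fi
    # Private repository reached from an untrusted network.
    echo denied
    return 1
}

# Demonstration against two constructed bare repositories: one exported
# (public) and one not.
demo=$(mktemp -d)
mkdir -p "$demo/pub.git" "$demo/priv.git"
: > "$demo/pub.git/git-daemon-export-ok"
for r in pub.git priv.git; do
    printf '%s from the internet:  %s\n' "$r" "$(gitolfs3_read_access "$demo/$r" "" lfs.internal)"
    printf '%s via trusted proxy:  %s\n' "$r" "$(gitolfs3_read_access "$demo/$r" lfs.internal lfs.internal)"
done
rm -rf "$demo"
```

The decisive input is the second argument: the policy is only as strong as
the guarantee that this value was set by the reverse proxy and not by the
client.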