Show More
@@ -1,893 +1,895 b'' | |||
|
1 | 1 | .. _setup: |
|
2 | 2 | |
|
3 | 3 | ===== |
|
4 | 4 | Setup |
|
5 | 5 | ===== |
|
6 | 6 | |
|
7 | 7 | |
|
8 | 8 | Setting up Kallithea |
|
9 | 9 | -------------------- |
|
10 | 10 | |
|
11 | 11 | First, you will need to create a Kallithea configuration file. Run the |
|
12 | 12 | following command to do so:: |
|
13 | 13 | |
|
14 | 14 | gearbox make-config my.ini |
|
15 | 15 | |
|
16 | 16 | This will create the file ``my.ini`` in the current directory. This |
|
17 | 17 | configuration file contains the various settings for Kallithea, e.g. |
|
18 | 18 | proxy port, email settings, usage of static files, cache, Celery |
|
19 | settings, and logging. | |
|
19 | settings, and logging. Extra settings can be specified like:: | |
|
20 | ||
|
21 | gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter | |
|
20 | 22 | |
|
21 | 23 | Next, you need to create the databases used by Kallithea. It is recommended to |
|
22 | 24 | use PostgreSQL or SQLite (default). If you choose a database other than the |
|
23 | 25 | default, ensure you properly adjust the database URL in your ``my.ini`` |
|
24 | 26 | configuration file to use this other database. Kallithea currently supports |
|
25 | 27 | PostgreSQL, SQLite and MySQL databases. Create the database by running |
|
26 | 28 | the following command:: |
|
27 | 29 | |
|
28 | 30 | gearbox setup-db -c my.ini |
|
29 | 31 | |
|
30 | 32 | This will prompt you for a "root" path. This "root" path is the location where |
|
31 | 33 | Kallithea will store all of its repositories on the current machine. After |
|
32 | 34 | entering this "root" path ``setup-db`` will also prompt you for a username |
|
33 | 35 | and password for the initial admin account which ``setup-db`` sets |
|
34 | 36 | up for you. |
|
35 | 37 | |
|
36 | 38 | The ``setup-db`` values can also be given on the command line. |
|
37 | 39 | Example:: |
|
38 | 40 | |
|
39 | 41 | gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos |
|
40 | 42 | |
|
41 | 43 | The ``setup-db`` command will create all needed tables and an |
|
42 | 44 | admin account. When choosing a root path you can either use a new |
|
43 | 45 | empty location, or a location which already contains existing |
|
44 | 46 | repositories. If you choose a location which contains existing |
|
45 | 47 | repositories Kallithea will add all of the repositories at the chosen |
|
46 | 48 | location to its database. (Note: make sure you specify the correct |
|
47 | 49 | path to the root). |
|
48 | 50 | |
|
49 | 51 | .. note:: the given path for Mercurial_ repositories **must** be write |
|
50 | 52 | accessible for the application. It's very important since |
|
51 | 53 | the Kallithea web interface will work without write access, |
|
52 | 54 | but when trying to do a push it will fail with permission |
|
53 | 55 | denied errors unless it has write access. |
|
54 | 56 | |
|
55 | 57 | You are now ready to use Kallithea. To run it simply execute:: |
|
56 | 58 | |
|
57 | 59 | gearbox serve -c my.ini |
|
58 | 60 | |
|
59 | 61 | - This command runs the Kallithea server. The web app should be available at |
|
60 | 62 | http://127.0.0.1:5000. The IP address and port is configurable via the |
|
61 | 63 | configuration file created in the previous step. |
|
62 | 64 | - Log in to Kallithea using the admin account created when running ``setup-db``. |
|
63 | 65 | - The default permissions on each repository is read, and the owner is admin. |
|
64 | 66 | Remember to update these if needed. |
|
65 | 67 | - In the admin panel you can toggle LDAP, anonymous, and permissions |
|
66 | 68 | settings, as well as edit more advanced options on users and |
|
67 | 69 | repositories. |
|
68 | 70 | |
|
69 | 71 | |
|
70 | 72 | Internationalization (i18n support) |
|
71 | 73 | ----------------------------------- |
|
72 | 74 | |
|
73 | 75 | The Kallithea web interface is automatically displayed in the user's preferred |
|
74 | 76 | language, as indicated by the browser. Thus, different users may see the |
|
75 | 77 | application in different languages. If the requested language is not available |
|
76 | 78 | (because the translation file for that language does not yet exist or is |
|
77 | 79 | incomplete), the language specified in setting ``i18n.lang`` in the Kallithea |
|
78 | 80 | configuration file is used as fallback. If no fallback language is explicitly |
|
79 | 81 | specified, English is used. |
|
80 | 82 | |
|
81 | 83 | If you want to disable automatic language detection and instead configure a |
|
82 | 84 | fixed language regardless of user preference, set ``i18n.enabled = false`` and |
|
83 | 85 | set ``i18n.lang`` to the desired language (or leave empty for English). |
|
84 | 86 | |
|
85 | 87 | |
|
86 | 88 | Using Kallithea with SSH |
|
87 | 89 | ------------------------ |
|
88 | 90 | |
|
89 | 91 | Kallithea currently only hosts repositories using http and https. (The addition |
|
90 | 92 | of ssh hosting is a planned future feature.) However you can easily use ssh in |
|
91 | 93 | parallel with Kallithea. (Repository access via ssh is a standard "out of |
|
92 | 94 | the box" feature of Mercurial_ and you can use this to access any of the |
|
93 | 95 | repositories that Kallithea is hosting. See PublishingRepositories_) |
|
94 | 96 | |
|
95 | 97 | Kallithea repository structures are kept in directories with the same name |
|
96 | 98 | as the project. When using repository groups, each group is a subdirectory. |
|
97 | 99 | This allows you to easily use ssh for accessing repositories. |
|
98 | 100 | |
|
99 | 101 | In order to use ssh you need to make sure that your web server and the users' |
|
100 | 102 | login accounts have the correct permissions set on the appropriate directories. |
|
101 | 103 | |
|
102 | 104 | .. note:: These permissions are independent of any permissions you |
|
103 | 105 | have set up using the Kallithea web interface. |
|
104 | 106 | |
|
105 | 107 | If your main directory (the same as set in Kallithea settings) is for |
|
106 | 108 | example set to ``/srv/repos`` and the repository you are using is |
|
107 | 109 | named ``kallithea``, then to clone via ssh you should run:: |
|
108 | 110 | |
|
109 | 111 | hg clone ssh://user@kallithea.example.com/srv/repos/kallithea |
|
110 | 112 | |
|
111 | 113 | Using other external tools such as mercurial-server_ or using ssh key-based |
|
112 | 114 | authentication is fully supported. |
|
113 | 115 | |
|
114 | 116 | .. note:: In an advanced setup, in order for your ssh access to use |
|
115 | 117 | the same permissions as set up via the Kallithea web |
|
116 | 118 | interface, you can create an authentication hook to connect |
|
117 | 119 | to the Kallithea db and run check functions for permissions |
|
118 | 120 | against that. |
|
119 | 121 | |
|
120 | 122 | |
|
121 | 123 | Setting up Whoosh full text search |
|
122 | 124 | ---------------------------------- |
|
123 | 125 | |
|
124 | 126 | Kallithea provides full text search of repositories using `Whoosh`__. |
|
125 | 127 | |
|
126 | 128 | .. __: https://pythonhosted.org/Whoosh/ |
|
127 | 129 | |
|
128 | 130 | For an incremental index build, run:: |
|
129 | 131 | |
|
130 | 132 | gearbox make-index -c my.ini |
|
131 | 133 | |
|
132 | 134 | For a full index rebuild, run:: |
|
133 | 135 | |
|
134 | 136 | gearbox make-index -c my.ini -f |
|
135 | 137 | |
|
136 | 138 | The ``--repo-location`` option allows the location of the repositories to be overridden; |
|
137 | 139 | usually, the location is retrieved from the Kallithea database. |
|
138 | 140 | |
|
139 | 141 | The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list:: |
|
140 | 142 | |
|
141 | 143 | gearbox make-index -c my.ini --index-only=vcs,kallithea |
|
142 | 144 | |
|
143 | 145 | To keep your index up-to-date it is necessary to do periodic index builds; |
|
144 | 146 | for this, it is recommended to use a crontab entry. Example:: |
|
145 | 147 | |
|
146 | 148 | 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini |
|
147 | 149 | |
|
148 | 150 | When using incremental mode (the default), Whoosh will check the last |
|
149 | 151 | modification date of each file and add it to be reindexed if a newer file is |
|
150 | 152 | available. The indexing daemon checks for any removed files and removes them |
|
151 | 153 | from index. |
|
152 | 154 | |
|
153 | 155 | If you want to rebuild the index from scratch, you can use the ``-f`` flag as above, |
|
154 | 156 | or in the admin panel you can check the "build from scratch" checkbox. |
|
155 | 157 | |
|
156 | 158 | .. _ldap-setup: |
|
157 | 159 | |
|
158 | 160 | |
|
159 | 161 | Setting up LDAP support |
|
160 | 162 | ----------------------- |
|
161 | 163 | |
|
162 | 164 | Kallithea supports LDAP authentication. In order |
|
163 | 165 | to use LDAP, you have to install the python-ldap_ package. This package is |
|
164 | 166 | available via PyPI, so you can install it by running:: |
|
165 | 167 | |
|
166 | 168 | pip install python-ldap |
|
167 | 169 | |
|
168 | 170 | .. note:: ``python-ldap`` requires some libraries to be installed on |
|
169 | 171 | your system, so before installing it check that you have at |
|
170 | 172 | least the ``openldap`` and ``sasl`` libraries. |
|
171 | 173 | |
|
172 | 174 | Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button |
|
173 | 175 | and then *Save*, to enable the LDAP plugin and configure its settings. |
|
174 | 176 | |
|
175 | 177 | Here's a typical LDAP setup:: |
|
176 | 178 | |
|
177 | 179 | Connection settings |
|
178 | 180 | Enable LDAP = checked |
|
179 | 181 | Host = host.example.com |
|
180 | 182 | Account = <account> |
|
181 | 183 | Password = <password> |
|
182 | 184 | Connection Security = LDAPS |
|
183 | 185 | Certificate Checks = DEMAND |
|
184 | 186 | |
|
185 | 187 | Search settings |
|
186 | 188 | Base DN = CN=users,DC=host,DC=example,DC=org |
|
187 | 189 | LDAP Filter = (&(objectClass=user)(!(objectClass=computer))) |
|
188 | 190 | LDAP Search Scope = SUBTREE |
|
189 | 191 | |
|
190 | 192 | Attribute mappings |
|
191 | 193 | Login Attribute = uid |
|
192 | 194 | First Name Attribute = firstName |
|
193 | 195 | Last Name Attribute = lastName |
|
194 | 196 | Email Attribute = mail |
|
195 | 197 | |
|
196 | 198 | If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs:: |
|
197 | 199 | |
|
198 | 200 | Search settings |
|
199 | 201 | Base DN = DC=host,DC=example,DC=org |
|
200 | 202 | LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user)) |
|
201 | 203 | LDAP Search Scope = SUBTREE |
|
202 | 204 | |
|
203 | 205 | .. _enable_ldap: |
|
204 | 206 | |
|
205 | 207 | Enable LDAP : required |
|
206 | 208 | Whether to use LDAP for authenticating users. |
|
207 | 209 | |
|
208 | 210 | .. _ldap_host: |
|
209 | 211 | |
|
210 | 212 | Host : required |
|
211 | 213 | LDAP server hostname or IP address. Can be also a comma separated |
|
212 | 214 | list of servers to support LDAP fail-over. |
|
213 | 215 | |
|
214 | 216 | .. _Port: |
|
215 | 217 | |
|
216 | 218 | Port : optional |
|
217 | 219 | Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS. |
|
218 | 220 | Defaults to 636 for LDAPS. |
|
219 | 221 | |
|
220 | 222 | .. _ldap_account: |
|
221 | 223 | |
|
222 | 224 | Account : optional |
|
223 | 225 | Only required if the LDAP server does not allow anonymous browsing of |
|
224 | 226 | records. This should be a special account for record browsing. This |
|
225 | 227 | will require `LDAP Password`_ below. |
|
226 | 228 | |
|
227 | 229 | .. _LDAP Password: |
|
228 | 230 | |
|
229 | 231 | Password : optional |
|
230 | 232 | Only required if the LDAP server does not allow anonymous browsing of |
|
231 | 233 | records. |
|
232 | 234 | |
|
233 | 235 | .. _Enable LDAPS: |
|
234 | 236 | |
|
235 | 237 | Connection Security : required |
|
236 | 238 | Defines the connection to LDAP server |
|
237 | 239 | |
|
238 | 240 | PLAIN |
|
239 | 241 | Plain unencrypted LDAP connection. |
|
240 | 242 | This will by default use `Port`_ 389. |
|
241 | 243 | |
|
242 | 244 | LDAPS |
|
243 | 245 | Use secure LDAPS connections according to `Certificate |
|
244 | 246 | Checks`_ configuration. |
|
245 | 247 | This will by default use `Port`_ 636. |
|
246 | 248 | |
|
247 | 249 | START_TLS |
|
248 | 250 | Use START TLS according to `Certificate Checks`_ configuration on an |
|
249 | 251 | apparently "plain" LDAP connection. |
|
250 | 252 | This will by default use `Port`_ 389. |
|
251 | 253 | |
|
252 | 254 | .. _Certificate Checks: |
|
253 | 255 | |
|
254 | 256 | Certificate Checks : optional |
|
255 | 257 | How SSL certificates verification is handled -- this is only useful when |
|
256 | 258 | `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security |
|
257 | 259 | with mandatory certificate validation, while the other options are |
|
258 | 260 | susceptible to man-in-the-middle attacks. |
|
259 | 261 | |
|
260 | 262 | NEVER |
|
261 | 263 | A serve certificate will never be requested or checked. |
|
262 | 264 | |
|
263 | 265 | ALLOW |
|
264 | 266 | A server certificate is requested. Failure to provide a |
|
265 | 267 | certificate or providing a bad certificate will not terminate the |
|
266 | 268 | session. |
|
267 | 269 | |
|
268 | 270 | TRY |
|
269 | 271 | A server certificate is requested. Failure to provide a |
|
270 | 272 | certificate does not halt the session; providing a bad certificate |
|
271 | 273 | halts the session. |
|
272 | 274 | |
|
273 | 275 | DEMAND |
|
274 | 276 | A server certificate is requested and must be provided and |
|
275 | 277 | authenticated for the session to proceed. |
|
276 | 278 | |
|
277 | 279 | HARD |
|
278 | 280 | The same as DEMAND. |
|
279 | 281 | |
|
280 | 282 | .. _Custom CA Certificates: |
|
281 | 283 | |
|
282 | 284 | Custom CA Certificates : optional |
|
283 | 285 | Directory used by OpenSSL to find CAs for validating the LDAP server certificate. |
|
284 | 286 | Python 2.7.10 and later default to using the system certificate store, and |
|
285 | 287 | this should thus not be necessary when using certificates signed by a CA |
|
286 | 288 | trusted by the system. |
|
287 | 289 | It can be set to something like `/etc/openldap/cacerts` on older systems or |
|
288 | 290 | if using self-signed certificates. |
|
289 | 291 | |
|
290 | 292 | .. _Base DN: |
|
291 | 293 | |
|
292 | 294 | Base DN : required |
|
293 | 295 | The Distinguished Name (DN) where searches for users will be performed. |
|
294 | 296 | Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_. |
|
295 | 297 | |
|
296 | 298 | .. _LDAP Filter: |
|
297 | 299 | |
|
298 | 300 | LDAP Filter : optional |
|
299 | 301 | A LDAP filter defined by RFC 2254. This is more useful when `LDAP |
|
300 | 302 | Search Scope`_ is set to SUBTREE. The filter is useful for limiting |
|
301 | 303 | which LDAP objects are identified as representing Users for |
|
302 | 304 | authentication. The filter is augmented by `Login Attribute`_ below. |
|
303 | 305 | This can commonly be left blank. |
|
304 | 306 | |
|
305 | 307 | .. _LDAP Search Scope: |
|
306 | 308 | |
|
307 | 309 | LDAP Search Scope : required |
|
308 | 310 | This limits how far LDAP will search for a matching object. |
|
309 | 311 | |
|
310 | 312 | BASE |
|
311 | 313 | Only allows searching of `Base DN`_ and is usually not what you |
|
312 | 314 | want. |
|
313 | 315 | |
|
314 | 316 | ONELEVEL |
|
315 | 317 | Searches all entries under `Base DN`_, but not Base DN itself. |
|
316 | 318 | |
|
317 | 319 | SUBTREE |
|
318 | 320 | Searches all entries below `Base DN`_, but not Base DN itself. |
|
319 | 321 | When using SUBTREE `LDAP Filter`_ is useful to limit object |
|
320 | 322 | location. |
|
321 | 323 | |
|
322 | 324 | .. _Login Attribute: |
|
323 | 325 | |
|
324 | 326 | Login Attribute : required |
|
325 | 327 | The LDAP record attribute that will be matched as the USERNAME or |
|
326 | 328 | ACCOUNT used to connect to Kallithea. This will be added to `LDAP |
|
327 | 329 | Filter`_ for locating the User object. If `LDAP Filter`_ is specified as |
|
328 | 330 | "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has |
|
329 | 331 | connected as "jsmith" then the `LDAP Filter`_ will be augmented as below |
|
330 | 332 | :: |
|
331 | 333 | |
|
332 | 334 | (&(LDAPFILTER)(uid=jsmith)) |
|
333 | 335 | |
|
334 | 336 | .. _ldap_attr_firstname: |
|
335 | 337 | |
|
336 | 338 | First Name Attribute : required |
|
337 | 339 | The LDAP record attribute which represents the user's first name. |
|
338 | 340 | |
|
339 | 341 | .. _ldap_attr_lastname: |
|
340 | 342 | |
|
341 | 343 | Last Name Attribute : required |
|
342 | 344 | The LDAP record attribute which represents the user's last name. |
|
343 | 345 | |
|
344 | 346 | .. _ldap_attr_email: |
|
345 | 347 | |
|
346 | 348 | Email Attribute : required |
|
347 | 349 | The LDAP record attribute which represents the user's email address. |
|
348 | 350 | |
|
349 | 351 | If all data are entered correctly, and python-ldap_ is properly installed |
|
350 | 352 | users should be granted access to Kallithea with LDAP accounts. At this |
|
351 | 353 | time user information is copied from LDAP into the Kallithea user database. |
|
352 | 354 | This means that updates of an LDAP user object may not be reflected as a |
|
353 | 355 | user update in Kallithea. |
|
354 | 356 | |
|
355 | 357 | If You have problems with LDAP access and believe You entered correct |
|
356 | 358 | information check out the Kallithea logs, any error messages sent from LDAP |
|
357 | 359 | will be saved there. |
|
358 | 360 | |
|
359 | 361 | Active Directory |
|
360 | 362 | ^^^^^^^^^^^^^^^^ |
|
361 | 363 | |
|
362 | 364 | Kallithea can use Microsoft Active Directory for user authentication. This |
|
363 | 365 | is done through an LDAP or LDAPS connection to Active Directory. The |
|
364 | 366 | following LDAP configuration settings are typical for using Active |
|
365 | 367 | Directory :: |
|
366 | 368 | |
|
367 | 369 | Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local |
|
368 | 370 | Login Attribute = sAMAccountName |
|
369 | 371 | First Name Attribute = givenName |
|
370 | 372 | Last Name Attribute = sn |
|
371 | 373 | Email Attribute = mail |
|
372 | 374 | |
|
373 | 375 | All other LDAP settings will likely be site-specific and should be |
|
374 | 376 | appropriately configured. |
|
375 | 377 | |
|
376 | 378 | |
|
377 | 379 | Authentication by container or reverse-proxy |
|
378 | 380 | -------------------------------------------- |
|
379 | 381 | |
|
380 | 382 | Kallithea supports delegating the authentication |
|
381 | 383 | of users to its WSGI container, or to a reverse-proxy server through which all |
|
382 | 384 | clients access the application. |
|
383 | 385 | |
|
384 | 386 | When these authentication methods are enabled in Kallithea, it uses the |
|
385 | 387 | username that the container/proxy (Apache or Nginx, etc.) provides and doesn't |
|
386 | 388 | perform the authentication itself. The authorization, however, is still done by |
|
387 | 389 | Kallithea according to its settings. |
|
388 | 390 | |
|
389 | 391 | When a user logs in for the first time using these authentication methods, |
|
390 | 392 | a matching user account is created in Kallithea with default permissions. An |
|
391 | 393 | administrator can then modify it using Kallithea's admin interface. |
|
392 | 394 | |
|
393 | 395 | It's also possible for an administrator to create accounts and configure their |
|
394 | 396 | permissions before the user logs in for the first time, using the :ref:`create-user` API. |
|
395 | 397 | |
|
396 | 398 | Container-based authentication |
|
397 | 399 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
|
398 | 400 | |
|
399 | 401 | In a container-based authentication setup, Kallithea reads the user name from |
|
400 | 402 | the ``REMOTE_USER`` server variable provided by the WSGI container. |
|
401 | 403 | |
|
402 | 404 | After setting up your container (see `Apache with mod_wsgi`_), you'll need |
|
403 | 405 | to configure it to require authentication on the location configured for |
|
404 | 406 | Kallithea. |
|
405 | 407 | |
|
406 | 408 | Proxy pass-through authentication |
|
407 | 409 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
|
408 | 410 | |
|
409 | 411 | In a proxy pass-through authentication setup, Kallithea reads the user name |
|
410 | 412 | from the ``X-Forwarded-User`` request header, which should be configured to be |
|
411 | 413 | sent by the reverse-proxy server. |
|
412 | 414 | |
|
413 | 415 | After setting up your proxy solution (see `Apache virtual host reverse proxy example`_, |
|
414 | 416 | `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to |
|
415 | 417 | configure the authentication and add the username in a request header named |
|
416 | 418 | ``X-Forwarded-User``. |
|
417 | 419 | |
|
418 | 420 | For example, the following config section for Apache sets a subdirectory in a |
|
419 | 421 | reverse-proxy setup with basic auth: |
|
420 | 422 | |
|
421 | 423 | .. code-block:: apache |
|
422 | 424 | |
|
423 | 425 | <Location /someprefix> |
|
424 | 426 | ProxyPass http://127.0.0.1:5000/someprefix |
|
425 | 427 | ProxyPassReverse http://127.0.0.1:5000/someprefix |
|
426 | 428 | SetEnvIf X-Url-Scheme https HTTPS=1 |
|
427 | 429 | |
|
428 | 430 | AuthType Basic |
|
429 | 431 | AuthName "Kallithea authentication" |
|
430 | 432 | AuthUserFile /srv/kallithea/.htpasswd |
|
431 | 433 | Require valid-user |
|
432 | 434 | |
|
433 | 435 | RequestHeader unset X-Forwarded-User |
|
434 | 436 | |
|
435 | 437 | RewriteEngine On |
|
436 | 438 | RewriteCond %{LA-U:REMOTE_USER} (.+) |
|
437 | 439 | RewriteRule .* - [E=RU:%1] |
|
438 | 440 | RequestHeader set X-Forwarded-User %{RU}e |
|
439 | 441 | </Location> |
|
440 | 442 | |
|
441 | 443 | Setting metadata in container/reverse-proxy |
|
442 | 444 | """"""""""""""""""""""""""""""""""""""""""" |
|
443 | 445 | When a new user account is created on the first login, Kallithea has no information about |
|
444 | 446 | the user's email and full name. So you can set some additional request headers like in the |
|
445 | 447 | example below. In this example the user is authenticated via Kerberos and an Apache |
|
446 | 448 | mod_python fixup handler is used to get the user information from a LDAP server. But you |
|
447 | 449 | could set the request headers however you want. |
|
448 | 450 | |
|
449 | 451 | .. code-block:: apache |
|
450 | 452 | |
|
451 | 453 | <Location /someprefix> |
|
452 | 454 | ProxyPass http://127.0.0.1:5000/someprefix |
|
453 | 455 | ProxyPassReverse http://127.0.0.1:5000/someprefix |
|
454 | 456 | SetEnvIf X-Url-Scheme https HTTPS=1 |
|
455 | 457 | |
|
456 | 458 | AuthName "Kerberos Login" |
|
457 | 459 | AuthType Kerberos |
|
458 | 460 | Krb5Keytab /etc/apache2/http.keytab |
|
459 | 461 | KrbMethodK5Passwd off |
|
460 | 462 | KrbVerifyKDC on |
|
461 | 463 | Require valid-user |
|
462 | 464 | |
|
463 | 465 | PythonFixupHandler ldapmetadata |
|
464 | 466 | |
|
465 | 467 | RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e |
|
466 | 468 | RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e |
|
467 | 469 | RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e |
|
468 | 470 | RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e |
|
469 | 471 | </Location> |
|
470 | 472 | |
|
471 | 473 | .. code-block:: python |
|
472 | 474 | |
|
473 | 475 | from mod_python import apache |
|
474 | 476 | import ldap |
|
475 | 477 | |
|
476 | 478 | LDAP_SERVER = "ldaps://server.mydomain.com:636" |
|
477 | 479 | LDAP_USER = "" |
|
478 | 480 | LDAP_PASS = "" |
|
479 | 481 | LDAP_ROOT = "dc=mydomain,dc=com" |
|
480 | 482 | LDAP_FILTER = "sAMAccountName=%s" |
|
481 | 483 | LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail'] |
|
482 | 484 | |
|
483 | 485 | def fixuphandler(req): |
|
484 | 486 | if req.user is None: |
|
485 | 487 | # no user to search for |
|
486 | 488 | return apache.OK |
|
487 | 489 | else: |
|
488 | 490 | try: |
|
489 | 491 | if('\\' in req.user): |
|
490 | 492 | username = req.user.split('\\')[1] |
|
491 | 493 | elif('@' in req.user): |
|
492 | 494 | username = req.user.split('@')[0] |
|
493 | 495 | else: |
|
494 | 496 | username = req.user |
|
495 | 497 | l = ldap.initialize(LDAP_SERVER) |
|
496 | 498 | l.simple_bind_s(LDAP_USER, LDAP_PASS) |
|
497 | 499 | r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST) |
|
498 | 500 | |
|
499 | 501 | req.subprocess_env['X_REMOTE_USER'] = username |
|
500 | 502 | req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower() |
|
501 | 503 | req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0] |
|
502 | 504 | req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0] |
|
503 | 505 | except Exception, e: |
|
504 | 506 | apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR) |
|
505 | 507 | |
|
506 | 508 | return apache.OK |
|
507 | 509 | |
|
508 | 510 | .. note:: |
|
509 | 511 | If you enable proxy pass-through authentication, make sure your server is |
|
510 | 512 | only accessible through the proxy. Otherwise, any client would be able to |
|
511 | 513 | forge the authentication header and could effectively become authenticated |
|
512 | 514 | using any account of their liking. |
|
513 | 515 | |
|
514 | 516 | |
|
515 | 517 | Integration with issue trackers |
|
516 | 518 | ------------------------------- |
|
517 | 519 | |
|
518 | 520 | Kallithea provides a simple integration with issue trackers. It's possible |
|
519 | 521 | to define a regular expression that will match an issue ID in commit messages, |
|
520 | 522 | and have that replaced with a URL to the issue. To enable this simply |
|
521 | 523 | uncomment the following variables in the ini file:: |
|
522 | 524 | |
|
523 | 525 | issue_pat = (?:^#|\s#)(\w+) |
|
524 | 526 | issue_server_link = https://issues.example.com/{repo}/issue/{id} |
|
525 | 527 | issue_prefix = # |
|
526 | 528 | |
|
527 | 529 | ``issue_pat`` is the regular expression describing which strings in |
|
528 | 530 | commit messages will be treated as issue references. A match group in |
|
529 | 531 | parentheses should be used to specify the actual issue id. |
|
530 | 532 | |
|
531 | 533 | The default expression matches issues in the format ``#<number>``, e.g., ``#300``. |
|
532 | 534 | |
|
533 | 535 | Matched issue references are replaced with the link specified in |
|
534 | 536 | ``issue_server_link``. ``{id}`` is replaced with the issue ID, and |
|
535 | 537 | ``{repo}`` with the repository name. Since the # is stripped away, |
|
536 | 538 | ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't |
|
537 | 539 | necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will |
|
538 | 540 | generate a URL in the format: |
|
539 | 541 | |
|
540 | 542 | .. code-block:: html |
|
541 | 543 | |
|
542 | 544 | <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a> |
|
543 | 545 | |
|
544 | 546 | If needed, more than one pattern can be specified by appending a unique suffix to |
|
545 | 547 | the variables. For example:: |
|
546 | 548 | |
|
547 | 549 | issue_pat_wiki = (?:wiki-)(.+) |
|
548 | 550 | issue_server_link_wiki = https://wiki.example.com/{id} |
|
549 | 551 | issue_prefix_wiki = WIKI- |
|
550 | 552 | |
|
551 | 553 | With these settings, wiki pages can be referenced as wiki-some-id, and every |
|
552 | 554 | such reference will be transformed into: |
|
553 | 555 | |
|
554 | 556 | .. code-block:: html |
|
555 | 557 | |
|
556 | 558 | <a href="https://wiki.example.com/some-id">WIKI-some-id</a> |
|
557 | 559 | |
|
558 | 560 | |
|
559 | 561 | Hook management |
|
560 | 562 | --------------- |
|
561 | 563 | |
|
562 | 564 | Hooks can be managed in similar way to that used in ``.hgrc`` files. |
|
563 | 565 | To manage hooks, choose *Admin > Settings > Hooks*. |
|
564 | 566 | |
|
565 | 567 | The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section. |
|
566 | 568 | |
|
567 | 569 | To add another custom hook simply fill in the first textbox with |
|
568 | 570 | ``<name>.<hook_type>`` and the second with the hook path. Example hooks |
|
569 | 571 | can be found in ``kallithea.lib.hooks``. |
|
570 | 572 | |
|
571 | 573 | |
|
572 | 574 | Changing default encoding |
|
573 | 575 | ------------------------- |
|
574 | 576 | |
|
575 | 577 | By default, Kallithea uses UTF-8 encoding. |
|
576 | 578 | This is configurable as ``default_encoding`` in the .ini file. |
|
577 | 579 | This affects many parts in Kallithea including user names, filenames, and |
|
578 | 580 | encoding of commit messages. In addition Kallithea can detect if the ``chardet`` |
|
579 | 581 | library is installed. If ``chardet`` is detected Kallithea will fallback to it |
|
580 | 582 | when there are encode/decode errors. |
|
581 | 583 | |
|
582 | 584 | |
|
583 | 585 | Celery configuration |
|
584 | 586 | -------------------- |
|
585 | 587 | |
|
586 | 588 | Kallithea can use the distributed task queue system Celery_ to run tasks like |
|
587 | 589 | cloning repositories or sending emails. |
|
588 | 590 | |
|
589 | 591 | Kallithea will in most setups work perfectly fine out of the box (without |
|
590 | 592 | Celery), executing all tasks in the web server process. Some tasks can however |
|
591 | 593 | take some time to run and it can be better to run such tasks asynchronously in |
|
592 | 594 | a separate process so the web server can focus on serving web requests. |
|
593 | 595 | |
|
594 | 596 | For installation and configuration of Celery, see the `Celery documentation`_. |
|
595 | 597 | Note that Celery requires a message broker service like RabbitMQ_ (recommended) |
|
596 | 598 | or Redis_. |
|
597 | 599 | |
|
598 | 600 | The use of Celery is configured in the Kallithea ini configuration file. |
|
599 | 601 | To enable it, simply set:: |
|
600 | 602 | |
|
601 | 603 | use_celery = true |
|
602 | 604 | |
|
603 | 605 | and add or change the ``celery.*`` and ``broker.*`` configuration variables. |
|
604 | 606 | |
|
605 | 607 | Remember that the ini files use the format with '.' and not with '_' like |
|
606 | 608 | Celery. So for example setting `BROKER_HOST` in Celery means setting |
|
607 | 609 | `broker.host` in the configuration file. |
|
608 | 610 | |
|
609 | 611 | To start the Celery process, run:: |
|
610 | 612 | |
|
611 | 613 | gearbox celeryd -c <configfile.ini> |
|
612 | 614 | |
|
613 | 615 | Extra options to the Celery worker can be passed after ``--`` - see ``-- -h`` |
|
614 | 616 | for more info. |
|
615 | 617 | |
|
616 | 618 | .. note:: |
|
617 | 619 | Make sure you run this command from the same virtualenv, and with the same |
|
618 | 620 | user that Kallithea runs. |
|
619 | 621 | |
|
620 | 622 | |
|
621 | 623 | HTTPS support |
|
622 | 624 | ------------- |
|
623 | 625 | |
|
624 | 626 | Kallithea will by default generate URLs based on the WSGI environment. |
|
625 | 627 | |
|
626 | 628 | Alternatively, you can use some special configuration settings to control |
|
627 | 629 | directly which scheme/protocol Kallithea will use when generating URLs: |
|
628 | 630 | |
|
629 | 631 | - With ``https_fixup = true``, the scheme will be taken from the |
|
630 | 632 | ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header |
|
631 | 633 | (default ``http``). |
|
632 | 634 | - With ``force_https = true`` the default will be ``https``. |
|
633 | 635 | - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https. |
|
634 | 636 | |
|
635 | 637 | |
|
636 | 638 | Nginx virtual host example |
|
637 | 639 | -------------------------- |
|
638 | 640 | |
|
639 | 641 | Sample config for Nginx using proxy: |
|
640 | 642 | |
|
641 | 643 | .. code-block:: nginx |
|
642 | 644 | |
|
643 | 645 | upstream kallithea { |
|
644 | 646 | server 127.0.0.1:5000; |
|
645 | 647 | # add more instances for load balancing |
|
646 | 648 | #server 127.0.0.1:5001; |
|
647 | 649 | #server 127.0.0.1:5002; |
|
648 | 650 | } |
|
649 | 651 | |
|
650 | 652 | ## gist alias |
|
651 | 653 | server { |
|
652 | 654 | listen 443; |
|
653 | 655 | server_name gist.example.com; |
|
654 | 656 | access_log /var/log/nginx/gist.access.log; |
|
655 | 657 | error_log /var/log/nginx/gist.error.log; |
|
656 | 658 | |
|
657 | 659 | ssl on; |
|
658 | 660 | ssl_certificate gist.your.kallithea.server.crt; |
|
659 | 661 | ssl_certificate_key gist.your.kallithea.server.key; |
|
660 | 662 | |
|
661 | 663 | ssl_session_timeout 5m; |
|
662 | 664 | |
|
663 | 665 | ssl_protocols SSLv3 TLSv1; |
|
664 | 666 | ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; |
|
665 | 667 | ssl_prefer_server_ciphers on; |
|
666 | 668 | |
|
667 | 669 | rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1; |
|
668 | 670 | rewrite (.*) https://kallithea.example.com/_admin/gists; |
|
669 | 671 | } |
|
670 | 672 | |
|
671 | 673 | server { |
|
672 | 674 | listen 443; |
|
673 | 675 | server_name kallithea.example.com |
|
674 | 676 | access_log /var/log/nginx/kallithea.access.log; |
|
675 | 677 | error_log /var/log/nginx/kallithea.error.log; |
|
676 | 678 | |
|
677 | 679 | ssl on; |
|
678 | 680 | ssl_certificate your.kallithea.server.crt; |
|
679 | 681 | ssl_certificate_key your.kallithea.server.key; |
|
680 | 682 | |
|
681 | 683 | ssl_session_timeout 5m; |
|
682 | 684 | |
|
683 | 685 | ssl_protocols SSLv3 TLSv1; |
|
684 | 686 | ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; |
|
685 | 687 | ssl_prefer_server_ciphers on; |
|
686 | 688 | |
|
687 | 689 | ## uncomment root directive if you want to serve static files by nginx |
|
688 | 690 | ## requires static_files = false in .ini file |
|
689 | 691 | #root /srv/kallithea/kallithea/kallithea/public; |
|
690 | 692 | include /etc/nginx/proxy.conf; |
|
691 | 693 | location / { |
|
692 | 694 | try_files $uri @kallithea; |
|
693 | 695 | } |
|
694 | 696 | |
|
695 | 697 | location @kallithea { |
|
696 | 698 | proxy_pass http://127.0.0.1:5000; |
|
697 | 699 | } |
|
698 | 700 | |
|
699 | 701 | } |
|
700 | 702 | |
|
701 | 703 | Here's the proxy.conf. It's tuned so it will not timeout on long |
|
702 | 704 | pushes or large pushes:: |
|
703 | 705 | |
|
704 | 706 | proxy_redirect off; |
|
705 | 707 | proxy_set_header Host $host; |
|
706 | 708 | ## needed for container auth |
|
707 | 709 | #proxy_set_header REMOTE_USER $remote_user; |
|
708 | 710 | #proxy_set_header X-Forwarded-User $remote_user; |
|
709 | 711 | proxy_set_header X-Url-Scheme $scheme; |
|
710 | 712 | proxy_set_header X-Host $http_host; |
|
711 | 713 | proxy_set_header X-Real-IP $remote_addr; |
|
712 | 714 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
|
713 | 715 | proxy_set_header Proxy-host $proxy_host; |
|
714 | 716 | proxy_buffering off; |
|
715 | 717 | proxy_connect_timeout 7200; |
|
716 | 718 | proxy_send_timeout 7200; |
|
717 | 719 | proxy_read_timeout 7200; |
|
718 | 720 | proxy_buffers 8 32k; |
|
719 | 721 | client_max_body_size 1024m; |
|
720 | 722 | client_body_buffer_size 128k; |
|
721 | 723 | large_client_header_buffers 8 64k; |
|
722 | 724 | |
|
723 | 725 | |
|
724 | 726 | Apache virtual host reverse proxy example |
|
725 | 727 | ----------------------------------------- |
|
726 | 728 | |
|
727 | 729 | Here is a sample configuration file for Apache using proxy: |
|
728 | 730 | |
|
729 | 731 | .. code-block:: apache |
|
730 | 732 | |
|
731 | 733 | <VirtualHost *:80> |
|
732 | 734 | ServerName kallithea.example.com |
|
733 | 735 | |
|
734 | 736 | <Proxy *> |
|
735 | 737 | # For Apache 2.4 and later: |
|
736 | 738 | Require all granted |
|
737 | 739 | |
|
738 | 740 | # For Apache 2.2 and earlier, instead use: |
|
739 | 741 | # Order allow,deny |
|
740 | 742 | # Allow from all |
|
741 | 743 | </Proxy> |
|
742 | 744 | |
|
743 | 745 | #important ! |
|
744 | 746 | #Directive to properly generate url (clone url) for Kallithea |
|
745 | 747 | ProxyPreserveHost On |
|
746 | 748 | |
|
747 | 749 | #kallithea instance |
|
748 | 750 | ProxyPass / http://127.0.0.1:5000/ |
|
749 | 751 | ProxyPassReverse / http://127.0.0.1:5000/ |
|
750 | 752 | |
|
751 | 753 | #to enable https use line below |
|
752 | 754 | #SetEnvIf X-Url-Scheme https HTTPS=1 |
|
753 | 755 | </VirtualHost> |
|
754 | 756 | |
|
755 | 757 | Additional tutorial |
|
756 | 758 | http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons |
|
757 | 759 | |
|
758 | 760 | |
|
759 | 761 | Apache as subdirectory |
|
760 | 762 | ---------------------- |
|
761 | 763 | |
|
762 | 764 | Apache subdirectory part: |
|
763 | 765 | |
|
764 | 766 | .. code-block:: apache |
|
765 | 767 | |
|
766 | 768 | <Location /PREFIX > |
|
767 | 769 | ProxyPass http://127.0.0.1:5000/PREFIX |
|
768 | 770 | ProxyPassReverse http://127.0.0.1:5000/PREFIX |
|
769 | 771 | SetEnvIf X-Url-Scheme https HTTPS=1 |
|
770 | 772 | </Location> |
|
771 | 773 | |
|
772 | 774 | Besides the regular apache setup you will need to add the following line |
|
773 | 775 | into ``[app:main]`` section of your .ini file:: |
|
774 | 776 | |
|
775 | 777 | filter-with = proxy-prefix |
|
776 | 778 | |
|
777 | 779 | Add the following at the end of the .ini file:: |
|
778 | 780 | |
|
779 | 781 | [filter:proxy-prefix] |
|
780 | 782 | use = egg:PasteDeploy#prefix |
|
781 | 783 | prefix = /PREFIX |
|
782 | 784 | |
|
783 | 785 | then change ``PREFIX`` into your chosen prefix |
|
784 | 786 | |
|
785 | 787 | |
|
786 | 788 | Apache with mod_wsgi |
|
787 | 789 | -------------------- |
|
788 | 790 | |
|
789 | 791 | Alternatively, Kallithea can be set up with Apache under mod_wsgi. For |
|
790 | 792 | that, you'll need to: |
|
791 | 793 | |
|
792 | 794 | - Install mod_wsgi. If using a Debian-based distro, you can install |
|
793 | 795 | the package libapache2-mod-wsgi:: |
|
794 | 796 | |
|
795 | 797 | aptitude install libapache2-mod-wsgi |
|
796 | 798 | |
|
797 | 799 | - Enable mod_wsgi:: |
|
798 | 800 | |
|
799 | 801 | a2enmod wsgi |
|
800 | 802 | |
|
801 | 803 | - Add global Apache configuration to tell mod_wsgi that Python only will be |
|
802 | 804 | used in the WSGI processes and shouldn't be initialized in the Apache |
|
803 | 805 | processes:: |
|
804 | 806 | |
|
805 | 807 | WSGIRestrictEmbedded On |
|
806 | 808 | |
|
807 | 809 | - Create a wsgi dispatch script, like the one below. Make sure you |
|
808 | 810 | check that the paths correctly point to where you installed Kallithea |
|
809 | 811 | and its Python Virtual Environment. |
|
810 | 812 | - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script, |
|
811 | 813 | as in the following example. Once again, check the paths are |
|
812 | 814 | correctly specified. |
|
813 | 815 | |
|
814 | 816 | Here is a sample excerpt from an Apache Virtual Host configuration file: |
|
815 | 817 | |
|
816 | 818 | .. code-block:: apache |
|
817 | 819 | |
|
818 | 820 | WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \ |
|
819 | 821 | python-home=/srv/kallithea/venv |
|
820 | 822 | WSGIProcessGroup kallithea |
|
821 | 823 | WSGIScriptAlias / /srv/kallithea/dispatch.wsgi |
|
822 | 824 | WSGIPassAuthorization On |
|
823 | 825 | |
|
824 | 826 | Or if using a dispatcher WSGI script with proper virtualenv activation: |
|
825 | 827 | |
|
826 | 828 | .. code-block:: apache |
|
827 | 829 | |
|
828 | 830 | WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 |
|
829 | 831 | WSGIProcessGroup kallithea |
|
830 | 832 | WSGIScriptAlias / /srv/kallithea/dispatch.wsgi |
|
831 | 833 | WSGIPassAuthorization On |
|
832 | 834 | |
|
833 | 835 | Apache will by default run as a special Apache user, on Linux systems |
|
834 | 836 | usually ``www-data`` or ``apache``. If you need to have the repositories |
|
835 | 837 | directory owned by a different user, use the user and group options to |
|
836 | 838 | WSGIDaemonProcess to set the name of the user and group. |
|
837 | 839 | |
|
838 | 840 | Example WSGI dispatch script: |
|
839 | 841 | |
|
840 | 842 | .. code-block:: python |
|
841 | 843 | |
|
842 | 844 | import os |
|
843 | 845 | os.environ["HGENCODING"] = "UTF-8" |
|
844 | 846 | os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache' |
|
845 | 847 | |
|
846 | 848 | # sometimes it's needed to set the current dir |
|
847 | 849 | os.chdir('/srv/kallithea/') |
|
848 | 850 | |
|
849 | 851 | import site |
|
850 | 852 | site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages") |
|
851 | 853 | |
|
852 | 854 | ini = '/srv/kallithea/my.ini' |
|
853 | 855 | from paste.script.util.logging_config import fileConfig |
|
854 | 856 | fileConfig(ini) |
|
855 | 857 | from paste.deploy import loadapp |
|
856 | 858 | application = loadapp('config:' + ini) |
|
857 | 859 | |
|
858 | 860 | Or using proper virtualenv activation: |
|
859 | 861 | |
|
860 | 862 | .. code-block:: python |
|
861 | 863 | |
|
862 | 864 | activate_this = '/srv/kallithea/venv/bin/activate_this.py' |
|
863 | 865 | execfile(activate_this, dict(__file__=activate_this)) |
|
864 | 866 | |
|
865 | 867 | import os |
|
866 | 868 | os.environ['HOME'] = '/srv/kallithea' |
|
867 | 869 | |
|
868 | 870 | ini = '/srv/kallithea/kallithea.ini' |
|
869 | 871 | from paste.script.util.logging_config import fileConfig |
|
870 | 872 | fileConfig(ini) |
|
871 | 873 | from paste.deploy import loadapp |
|
872 | 874 | application = loadapp('config:' + ini) |
|
873 | 875 | |
|
874 | 876 | |
|
875 | 877 | Other configuration files |
|
876 | 878 | ------------------------- |
|
877 | 879 | |
|
878 | 880 | A number of `example init.d scripts`__ can be found in |
|
879 | 881 | the ``init.d`` directory of the Kallithea source. |
|
880 | 882 | |
|
881 | 883 | .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ . |
|
882 | 884 | |
|
883 | 885 | |
|
884 | 886 | .. _virtualenv: http://pypi.python.org/pypi/virtualenv |
|
885 | 887 | .. _python: http://www.python.org/ |
|
886 | 888 | .. _Mercurial: https://www.mercurial-scm.org/ |
|
887 | 889 | .. _Celery: http://celeryproject.org/ |
|
888 | 890 | .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html |
|
889 | 891 | .. _RabbitMQ: http://www.rabbitmq.com/ |
|
890 | 892 | .. _Redis: http://redis.io/ |
|
891 | 893 | .. _python-ldap: http://www.python-ldap.org/ |
|
892 | 894 | .. _mercurial-server: http://www.lshift.net/mercurial-server.html |
|
893 | 895 | .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories |
@@ -1,101 +1,116 b'' | |||
|
1 | 1 | # -*- coding: utf-8 -*- |
|
2 | 2 | # This program is free software: you can redistribute it and/or modify |
|
3 | 3 | # it under the terms of the GNU General Public License as published by |
|
4 | 4 | # the Free Software Foundation, either version 3 of the License, or |
|
5 | 5 | # (at your option) any later version. |
|
6 | 6 | # |
|
7 | 7 | # This program is distributed in the hope that it will be useful, |
|
8 | 8 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
9 | 9 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
10 | 10 | # GNU General Public License for more details. |
|
11 | 11 | # |
|
12 | 12 | # You should have received a copy of the GNU General Public License |
|
13 | 13 | # along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
14 | 14 | """ |
|
15 | 15 | kallithea.lib.paster_commands.make_config |
|
16 | 16 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
17 | 17 | |
|
18 | 18 | make-config gearbox command for Kallithea |
|
19 | 19 | |
|
20 | 20 | :license: GPLv3, see LICENSE.md for more details. |
|
21 | 21 | """ |
|
22 | 22 | |
|
23 | 23 | |
|
24 | 24 | import os |
|
25 | 25 | import sys |
|
26 | 26 | import uuid |
|
27 | 27 | import argparse |
|
28 | from collections import defaultdict | |
|
28 | 29 | |
|
29 | 30 | import mako.exceptions |
|
30 | 31 | |
|
31 | 32 | TMPL = 'template.ini.mako' |
|
32 | 33 | here = os.path.dirname(os.path.abspath(__file__)) |
|
33 | 34 | |
|
34 | 35 | from kallithea.lib.paster_commands.common import BasePasterCommand |
|
35 | 36 | from kallithea.lib import inifile |
|
36 | 37 | |
|
37 | 38 | |
|
38 | 39 | class Command(BasePasterCommand): |
|
39 | 40 | """Kallithea: Create a new config file |
|
40 | 41 | |
|
41 | 42 | make-config is part of a two-phase installation process (the |
|
42 | 43 | second phase is setup-app). make-config creates a bare configuration |
|
43 | 44 | file (possibly filling in defaults from the extra |
|
44 | 45 | variables you give). |
|
46 | ||
|
47 | The first key=value arguments are used to customize the Mako variables that | |
|
48 | are shown with --show-defaults. The following settings will be | |
|
49 | patched/inserted in the [app:main] section ... until another section name | |
|
50 | is specified and change where the following values go. | |
|
45 | 51 | """ |
|
46 | 52 | |
|
47 | 53 | takes_config_file = False # at least not an existing one ... |
|
48 | 54 | |
|
49 | 55 | def take_action(self, args): |
|
50 | 56 | _run(args) |
|
51 | 57 | |
|
52 | 58 | def get_parser(self, prog_name): |
|
53 | 59 | parser = super(Command, self).get_parser(prog_name) |
|
54 | 60 | |
|
55 | 61 | parser.add_argument('config_file', nargs='?', |
|
56 | 62 | help='application config file to write') |
|
57 | 63 | |
|
58 | 64 | parser.add_argument('custom', nargs=argparse.REMAINDER, |
|
59 | 65 | help='custom values for the config file') |
|
60 | 66 | |
|
61 | 67 | parser.add_argument('--show-defaults', action='store_true', |
|
62 | 68 | help="Show the default values that can be overridden") |
|
63 | 69 | |
|
64 | 70 | return parser |
|
65 | 71 | |
|
66 | 72 | |
|
67 | 73 | def _run(args): |
|
68 | 74 | if args.config_file is None: |
|
69 | 75 | if not args.show_defaults: |
|
70 | 76 | raise ValueError("Missing argument: config_file") |
|
71 | 77 | else: |
|
72 | 78 | if args.show_defaults: |
|
73 | 79 | raise ValueError("Can't specify both config_file and --show_defaults") |
|
74 | 80 | |
|
75 | 81 | mako_variable_values = {} |
|
82 | ini_settings = defaultdict(dict) | |
|
76 | 83 | |
|
84 | section_name = None | |
|
77 | 85 | for parameter in args.custom: |
|
78 | 86 | parts = parameter.split('=', 1) |
|
79 | if len(parts) == 2: | |
|
87 | if len(parts) == 1 and parameter.startswith('[') and parameter.endswith(']'): | |
|
88 | section_name = parameter | |
|
89 | elif len(parts) == 2: | |
|
80 | 90 | key, value = parts |
|
81 | mako_variable_values[key] = value | |
|
91 | if section_name is None and key in inifile.default_variables: | |
|
92 | mako_variable_values[key] = value | |
|
93 | else: | |
|
94 | if section_name is None: | |
|
95 | section_name = '[app:main]' | |
|
96 | ini_settings[section_name][key] = value | |
|
82 | 97 | else: |
|
83 | 98 | raise ValueError("Invalid name=value parameter %r" % parameter) |
|
84 | 99 | |
|
85 | 100 | if args.show_defaults: |
|
86 | 101 | for key, value in inifile.default_variables.items(): |
|
87 | 102 | value = mako_variable_values.get(key, value) |
|
88 | 103 | print '%s=%s' % (key, value) |
|
89 | 104 | sys.exit(0) |
|
90 | 105 | |
|
91 | 106 | # use default that cannot be replaced |
|
92 | 107 | mako_variable_values.update({ |
|
93 | 108 | 'uuid': lambda: uuid.uuid4().hex, |
|
94 | 109 | }) |
|
95 | 110 | try: |
|
96 | 111 | config_file = os.path.abspath(args.config_file) |
|
97 |
inifile.create(config_file, mako_variable_values, |
|
|
112 | inifile.create(config_file, mako_variable_values, ini_settings) | |
|
98 | 113 | print 'Wrote new config file in %s' % config_file |
|
99 | 114 | |
|
100 | 115 | except Exception: |
|
101 | 116 | print mako.exceptions.text_error_template().render() |
General Comments 0
You need to be logged in to leave comments.
Login now