##// END OF EJS Templates
make-config: allow configuration of any ini value...
Mads Kiilerich -
r6823:a8b9f2d6 default
parent child Browse files
Show More
@@ -1,893 +1,895 b''
1 1 .. _setup:
2 2
3 3 =====
4 4 Setup
5 5 =====
6 6
7 7
8 8 Setting up Kallithea
9 9 --------------------
10 10
11 11 First, you will need to create a Kallithea configuration file. Run the
12 12 following command to do so::
13 13
14 14 gearbox make-config my.ini
15 15
16 16 This will create the file ``my.ini`` in the current directory. This
17 17 configuration file contains the various settings for Kallithea, e.g.
18 18 proxy port, email settings, usage of static files, cache, Celery
19 settings, and logging.
19 settings, and logging. Extra settings can be specified like::
20
21 gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
20 22
21 23 Next, you need to create the databases used by Kallithea. It is recommended to
22 24 use PostgreSQL or SQLite (default). If you choose a database other than the
23 25 default, ensure you properly adjust the database URL in your ``my.ini``
24 26 configuration file to use this other database. Kallithea currently supports
25 27 PostgreSQL, SQLite and MySQL databases. Create the database by running
26 28 the following command::
27 29
28 30 gearbox setup-db -c my.ini
29 31
30 32 This will prompt you for a "root" path. This "root" path is the location where
31 33 Kallithea will store all of its repositories on the current machine. After
32 34 entering this "root" path ``setup-db`` will also prompt you for a username
33 35 and password for the initial admin account which ``setup-db`` sets
34 36 up for you.
35 37
36 38 The ``setup-db`` values can also be given on the command line.
37 39 Example::
38 40
39 41 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
40 42
41 43 The ``setup-db`` command will create all needed tables and an
42 44 admin account. When choosing a root path you can either use a new
43 45 empty location, or a location which already contains existing
44 46 repositories. If you choose a location which contains existing
45 47 repositories Kallithea will add all of the repositories at the chosen
46 48 location to its database. (Note: make sure you specify the correct
47 49 path to the root).
48 50
49 51 .. note:: the given path for Mercurial_ repositories **must** be write
50 52 accessible for the application. It's very important since
51 53 the Kallithea web interface will work without write access,
52 54 but when trying to do a push it will fail with permission
53 55 denied errors unless it has write access.
54 56
55 57 You are now ready to use Kallithea. To run it simply execute::
56 58
57 59 gearbox serve -c my.ini
58 60
59 61 - This command runs the Kallithea server. The web app should be available at
60 62 http://127.0.0.1:5000. The IP address and port is configurable via the
61 63 configuration file created in the previous step.
62 64 - Log in to Kallithea using the admin account created when running ``setup-db``.
63 65 - The default permissions on each repository is read, and the owner is admin.
64 66 Remember to update these if needed.
65 67 - In the admin panel you can toggle LDAP, anonymous, and permissions
66 68 settings, as well as edit more advanced options on users and
67 69 repositories.
68 70
69 71
70 72 Internationalization (i18n support)
71 73 -----------------------------------
72 74
73 75 The Kallithea web interface is automatically displayed in the user's preferred
74 76 language, as indicated by the browser. Thus, different users may see the
75 77 application in different languages. If the requested language is not available
76 78 (because the translation file for that language does not yet exist or is
77 79 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
78 80 configuration file is used as fallback. If no fallback language is explicitly
79 81 specified, English is used.
80 82
81 83 If you want to disable automatic language detection and instead configure a
82 84 fixed language regardless of user preference, set ``i18n.enabled = false`` and
83 85 set ``i18n.lang`` to the desired language (or leave empty for English).
84 86
85 87
86 88 Using Kallithea with SSH
87 89 ------------------------
88 90
89 91 Kallithea currently only hosts repositories using http and https. (The addition
90 92 of ssh hosting is a planned future feature.) However you can easily use ssh in
91 93 parallel with Kallithea. (Repository access via ssh is a standard "out of
92 94 the box" feature of Mercurial_ and you can use this to access any of the
93 95 repositories that Kallithea is hosting. See PublishingRepositories_)
94 96
95 97 Kallithea repository structures are kept in directories with the same name
96 98 as the project. When using repository groups, each group is a subdirectory.
97 99 This allows you to easily use ssh for accessing repositories.
98 100
99 101 In order to use ssh you need to make sure that your web server and the users'
100 102 login accounts have the correct permissions set on the appropriate directories.
101 103
102 104 .. note:: These permissions are independent of any permissions you
103 105 have set up using the Kallithea web interface.
104 106
105 107 If your main directory (the same as set in Kallithea settings) is for
106 108 example set to ``/srv/repos`` and the repository you are using is
107 109 named ``kallithea``, then to clone via ssh you should run::
108 110
109 111 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
110 112
111 113 Using other external tools such as mercurial-server_ or using ssh key-based
112 114 authentication is fully supported.
113 115
114 116 .. note:: In an advanced setup, in order for your ssh access to use
115 117 the same permissions as set up via the Kallithea web
116 118 interface, you can create an authentication hook to connect
117 119 to the Kallithea db and run check functions for permissions
118 120 against that.
119 121
120 122
121 123 Setting up Whoosh full text search
122 124 ----------------------------------
123 125
124 126 Kallithea provides full text search of repositories using `Whoosh`__.
125 127
126 128 .. __: https://pythonhosted.org/Whoosh/
127 129
128 130 For an incremental index build, run::
129 131
130 132 gearbox make-index -c my.ini
131 133
132 134 For a full index rebuild, run::
133 135
134 136 gearbox make-index -c my.ini -f
135 137
136 138 The ``--repo-location`` option allows the location of the repositories to be overridden;
137 139 usually, the location is retrieved from the Kallithea database.
138 140
139 141 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
140 142
141 143 gearbox make-index -c my.ini --index-only=vcs,kallithea
142 144
143 145 To keep your index up-to-date it is necessary to do periodic index builds;
144 146 for this, it is recommended to use a crontab entry. Example::
145 147
146 148 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
147 149
148 150 When using incremental mode (the default), Whoosh will check the last
149 151 modification date of each file and add it to be reindexed if a newer file is
150 152 available. The indexing daemon checks for any removed files and removes them
151 153 from index.
152 154
153 155 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
154 156 or in the admin panel you can check the "build from scratch" checkbox.
155 157
156 158 .. _ldap-setup:
157 159
158 160
159 161 Setting up LDAP support
160 162 -----------------------
161 163
162 164 Kallithea supports LDAP authentication. In order
163 165 to use LDAP, you have to install the python-ldap_ package. This package is
164 166 available via PyPI, so you can install it by running::
165 167
166 168 pip install python-ldap
167 169
168 170 .. note:: ``python-ldap`` requires some libraries to be installed on
169 171 your system, so before installing it check that you have at
170 172 least the ``openldap`` and ``sasl`` libraries.
171 173
172 174 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
173 175 and then *Save*, to enable the LDAP plugin and configure its settings.
174 176
175 177 Here's a typical LDAP setup::
176 178
177 179 Connection settings
178 180 Enable LDAP = checked
179 181 Host = host.example.com
180 182 Account = <account>
181 183 Password = <password>
182 184 Connection Security = LDAPS
183 185 Certificate Checks = DEMAND
184 186
185 187 Search settings
186 188 Base DN = CN=users,DC=host,DC=example,DC=org
187 189 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
188 190 LDAP Search Scope = SUBTREE
189 191
190 192 Attribute mappings
191 193 Login Attribute = uid
192 194 First Name Attribute = firstName
193 195 Last Name Attribute = lastName
194 196 Email Attribute = mail
195 197
196 198 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
197 199
198 200 Search settings
199 201 Base DN = DC=host,DC=example,DC=org
200 202 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
201 203 LDAP Search Scope = SUBTREE
202 204
203 205 .. _enable_ldap:
204 206
205 207 Enable LDAP : required
206 208 Whether to use LDAP for authenticating users.
207 209
208 210 .. _ldap_host:
209 211
210 212 Host : required
211 213 LDAP server hostname or IP address. Can be also a comma separated
212 214 list of servers to support LDAP fail-over.
213 215
214 216 .. _Port:
215 217
216 218 Port : optional
217 219 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
218 220 Defaults to 636 for LDAPS.
219 221
220 222 .. _ldap_account:
221 223
222 224 Account : optional
223 225 Only required if the LDAP server does not allow anonymous browsing of
224 226 records. This should be a special account for record browsing. This
225 227 will require `LDAP Password`_ below.
226 228
227 229 .. _LDAP Password:
228 230
229 231 Password : optional
230 232 Only required if the LDAP server does not allow anonymous browsing of
231 233 records.
232 234
233 235 .. _Enable LDAPS:
234 236
235 237 Connection Security : required
236 238 Defines the connection to LDAP server
237 239
238 240 PLAIN
239 241 Plain unencrypted LDAP connection.
240 242 This will by default use `Port`_ 389.
241 243
242 244 LDAPS
243 245 Use secure LDAPS connections according to `Certificate
244 246 Checks`_ configuration.
245 247 This will by default use `Port`_ 636.
246 248
247 249 START_TLS
248 250 Use START TLS according to `Certificate Checks`_ configuration on an
249 251 apparently "plain" LDAP connection.
250 252 This will by default use `Port`_ 389.
251 253
252 254 .. _Certificate Checks:
253 255
254 256 Certificate Checks : optional
255 257 How SSL certificates verification is handled -- this is only useful when
256 258 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
257 259 with mandatory certificate validation, while the other options are
258 260 susceptible to man-in-the-middle attacks.
259 261
260 262 NEVER
261 263 A serve certificate will never be requested or checked.
262 264
263 265 ALLOW
264 266 A server certificate is requested. Failure to provide a
265 267 certificate or providing a bad certificate will not terminate the
266 268 session.
267 269
268 270 TRY
269 271 A server certificate is requested. Failure to provide a
270 272 certificate does not halt the session; providing a bad certificate
271 273 halts the session.
272 274
273 275 DEMAND
274 276 A server certificate is requested and must be provided and
275 277 authenticated for the session to proceed.
276 278
277 279 HARD
278 280 The same as DEMAND.
279 281
280 282 .. _Custom CA Certificates:
281 283
282 284 Custom CA Certificates : optional
283 285 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
284 286 Python 2.7.10 and later default to using the system certificate store, and
285 287 this should thus not be necessary when using certificates signed by a CA
286 288 trusted by the system.
287 289 It can be set to something like `/etc/openldap/cacerts` on older systems or
288 290 if using self-signed certificates.
289 291
290 292 .. _Base DN:
291 293
292 294 Base DN : required
293 295 The Distinguished Name (DN) where searches for users will be performed.
294 296 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
295 297
296 298 .. _LDAP Filter:
297 299
298 300 LDAP Filter : optional
299 301 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
300 302 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
301 303 which LDAP objects are identified as representing Users for
302 304 authentication. The filter is augmented by `Login Attribute`_ below.
303 305 This can commonly be left blank.
304 306
305 307 .. _LDAP Search Scope:
306 308
307 309 LDAP Search Scope : required
308 310 This limits how far LDAP will search for a matching object.
309 311
310 312 BASE
311 313 Only allows searching of `Base DN`_ and is usually not what you
312 314 want.
313 315
314 316 ONELEVEL
315 317 Searches all entries under `Base DN`_, but not Base DN itself.
316 318
317 319 SUBTREE
318 320 Searches all entries below `Base DN`_, but not Base DN itself.
319 321 When using SUBTREE `LDAP Filter`_ is useful to limit object
320 322 location.
321 323
322 324 .. _Login Attribute:
323 325
324 326 Login Attribute : required
325 327 The LDAP record attribute that will be matched as the USERNAME or
326 328 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
327 329 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
328 330 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
329 331 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
330 332 ::
331 333
332 334 (&(LDAPFILTER)(uid=jsmith))
333 335
334 336 .. _ldap_attr_firstname:
335 337
336 338 First Name Attribute : required
337 339 The LDAP record attribute which represents the user's first name.
338 340
339 341 .. _ldap_attr_lastname:
340 342
341 343 Last Name Attribute : required
342 344 The LDAP record attribute which represents the user's last name.
343 345
344 346 .. _ldap_attr_email:
345 347
346 348 Email Attribute : required
347 349 The LDAP record attribute which represents the user's email address.
348 350
349 351 If all data are entered correctly, and python-ldap_ is properly installed
350 352 users should be granted access to Kallithea with LDAP accounts. At this
351 353 time user information is copied from LDAP into the Kallithea user database.
352 354 This means that updates of an LDAP user object may not be reflected as a
353 355 user update in Kallithea.
354 356
355 357 If You have problems with LDAP access and believe You entered correct
356 358 information check out the Kallithea logs, any error messages sent from LDAP
357 359 will be saved there.
358 360
359 361 Active Directory
360 362 ^^^^^^^^^^^^^^^^
361 363
362 364 Kallithea can use Microsoft Active Directory for user authentication. This
363 365 is done through an LDAP or LDAPS connection to Active Directory. The
364 366 following LDAP configuration settings are typical for using Active
365 367 Directory ::
366 368
367 369 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
368 370 Login Attribute = sAMAccountName
369 371 First Name Attribute = givenName
370 372 Last Name Attribute = sn
371 373 Email Attribute = mail
372 374
373 375 All other LDAP settings will likely be site-specific and should be
374 376 appropriately configured.
375 377
376 378
377 379 Authentication by container or reverse-proxy
378 380 --------------------------------------------
379 381
380 382 Kallithea supports delegating the authentication
381 383 of users to its WSGI container, or to a reverse-proxy server through which all
382 384 clients access the application.
383 385
384 386 When these authentication methods are enabled in Kallithea, it uses the
385 387 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
386 388 perform the authentication itself. The authorization, however, is still done by
387 389 Kallithea according to its settings.
388 390
389 391 When a user logs in for the first time using these authentication methods,
390 392 a matching user account is created in Kallithea with default permissions. An
391 393 administrator can then modify it using Kallithea's admin interface.
392 394
393 395 It's also possible for an administrator to create accounts and configure their
394 396 permissions before the user logs in for the first time, using the :ref:`create-user` API.
395 397
396 398 Container-based authentication
397 399 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
398 400
399 401 In a container-based authentication setup, Kallithea reads the user name from
400 402 the ``REMOTE_USER`` server variable provided by the WSGI container.
401 403
402 404 After setting up your container (see `Apache with mod_wsgi`_), you'll need
403 405 to configure it to require authentication on the location configured for
404 406 Kallithea.
405 407
406 408 Proxy pass-through authentication
407 409 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
408 410
409 411 In a proxy pass-through authentication setup, Kallithea reads the user name
410 412 from the ``X-Forwarded-User`` request header, which should be configured to be
411 413 sent by the reverse-proxy server.
412 414
413 415 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
414 416 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
415 417 configure the authentication and add the username in a request header named
416 418 ``X-Forwarded-User``.
417 419
418 420 For example, the following config section for Apache sets a subdirectory in a
419 421 reverse-proxy setup with basic auth:
420 422
421 423 .. code-block:: apache
422 424
423 425 <Location /someprefix>
424 426 ProxyPass http://127.0.0.1:5000/someprefix
425 427 ProxyPassReverse http://127.0.0.1:5000/someprefix
426 428 SetEnvIf X-Url-Scheme https HTTPS=1
427 429
428 430 AuthType Basic
429 431 AuthName "Kallithea authentication"
430 432 AuthUserFile /srv/kallithea/.htpasswd
431 433 Require valid-user
432 434
433 435 RequestHeader unset X-Forwarded-User
434 436
435 437 RewriteEngine On
436 438 RewriteCond %{LA-U:REMOTE_USER} (.+)
437 439 RewriteRule .* - [E=RU:%1]
438 440 RequestHeader set X-Forwarded-User %{RU}e
439 441 </Location>
440 442
441 443 Setting metadata in container/reverse-proxy
442 444 """""""""""""""""""""""""""""""""""""""""""
443 445 When a new user account is created on the first login, Kallithea has no information about
444 446 the user's email and full name. So you can set some additional request headers like in the
445 447 example below. In this example the user is authenticated via Kerberos and an Apache
446 448 mod_python fixup handler is used to get the user information from a LDAP server. But you
447 449 could set the request headers however you want.
448 450
449 451 .. code-block:: apache
450 452
451 453 <Location /someprefix>
452 454 ProxyPass http://127.0.0.1:5000/someprefix
453 455 ProxyPassReverse http://127.0.0.1:5000/someprefix
454 456 SetEnvIf X-Url-Scheme https HTTPS=1
455 457
456 458 AuthName "Kerberos Login"
457 459 AuthType Kerberos
458 460 Krb5Keytab /etc/apache2/http.keytab
459 461 KrbMethodK5Passwd off
460 462 KrbVerifyKDC on
461 463 Require valid-user
462 464
463 465 PythonFixupHandler ldapmetadata
464 466
465 467 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
466 468 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
467 469 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
468 470 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
469 471 </Location>
470 472
471 473 .. code-block:: python
472 474
473 475 from mod_python import apache
474 476 import ldap
475 477
476 478 LDAP_SERVER = "ldaps://server.mydomain.com:636"
477 479 LDAP_USER = ""
478 480 LDAP_PASS = ""
479 481 LDAP_ROOT = "dc=mydomain,dc=com"
480 482 LDAP_FILTER = "sAMAccountName=%s"
481 483 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
482 484
483 485 def fixuphandler(req):
484 486 if req.user is None:
485 487 # no user to search for
486 488 return apache.OK
487 489 else:
488 490 try:
489 491 if('\\' in req.user):
490 492 username = req.user.split('\\')[1]
491 493 elif('@' in req.user):
492 494 username = req.user.split('@')[0]
493 495 else:
494 496 username = req.user
495 497 l = ldap.initialize(LDAP_SERVER)
496 498 l.simple_bind_s(LDAP_USER, LDAP_PASS)
497 499 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
498 500
499 501 req.subprocess_env['X_REMOTE_USER'] = username
500 502 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
501 503 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
502 504 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
503 505 except Exception, e:
504 506 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
505 507
506 508 return apache.OK
507 509
508 510 .. note::
509 511 If you enable proxy pass-through authentication, make sure your server is
510 512 only accessible through the proxy. Otherwise, any client would be able to
511 513 forge the authentication header and could effectively become authenticated
512 514 using any account of their liking.
513 515
514 516
515 517 Integration with issue trackers
516 518 -------------------------------
517 519
518 520 Kallithea provides a simple integration with issue trackers. It's possible
519 521 to define a regular expression that will match an issue ID in commit messages,
520 522 and have that replaced with a URL to the issue. To enable this simply
521 523 uncomment the following variables in the ini file::
522 524
523 525 issue_pat = (?:^#|\s#)(\w+)
524 526 issue_server_link = https://issues.example.com/{repo}/issue/{id}
525 527 issue_prefix = #
526 528
527 529 ``issue_pat`` is the regular expression describing which strings in
528 530 commit messages will be treated as issue references. A match group in
529 531 parentheses should be used to specify the actual issue id.
530 532
531 533 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
532 534
533 535 Matched issue references are replaced with the link specified in
534 536 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
535 537 ``{repo}`` with the repository name. Since the # is stripped away,
536 538 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
537 539 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
538 540 generate a URL in the format:
539 541
540 542 .. code-block:: html
541 543
542 544 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
543 545
544 546 If needed, more than one pattern can be specified by appending a unique suffix to
545 547 the variables. For example::
546 548
547 549 issue_pat_wiki = (?:wiki-)(.+)
548 550 issue_server_link_wiki = https://wiki.example.com/{id}
549 551 issue_prefix_wiki = WIKI-
550 552
551 553 With these settings, wiki pages can be referenced as wiki-some-id, and every
552 554 such reference will be transformed into:
553 555
554 556 .. code-block:: html
555 557
556 558 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
557 559
558 560
559 561 Hook management
560 562 ---------------
561 563
562 564 Hooks can be managed in similar way to that used in ``.hgrc`` files.
563 565 To manage hooks, choose *Admin > Settings > Hooks*.
564 566
565 567 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
566 568
567 569 To add another custom hook simply fill in the first textbox with
568 570 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
569 571 can be found in ``kallithea.lib.hooks``.
570 572
571 573
572 574 Changing default encoding
573 575 -------------------------
574 576
575 577 By default, Kallithea uses UTF-8 encoding.
576 578 This is configurable as ``default_encoding`` in the .ini file.
577 579 This affects many parts in Kallithea including user names, filenames, and
578 580 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
579 581 library is installed. If ``chardet`` is detected Kallithea will fallback to it
580 582 when there are encode/decode errors.
581 583
582 584
583 585 Celery configuration
584 586 --------------------
585 587
586 588 Kallithea can use the distributed task queue system Celery_ to run tasks like
587 589 cloning repositories or sending emails.
588 590
589 591 Kallithea will in most setups work perfectly fine out of the box (without
590 592 Celery), executing all tasks in the web server process. Some tasks can however
591 593 take some time to run and it can be better to run such tasks asynchronously in
592 594 a separate process so the web server can focus on serving web requests.
593 595
594 596 For installation and configuration of Celery, see the `Celery documentation`_.
595 597 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
596 598 or Redis_.
597 599
598 600 The use of Celery is configured in the Kallithea ini configuration file.
599 601 To enable it, simply set::
600 602
601 603 use_celery = true
602 604
603 605 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
604 606
605 607 Remember that the ini files use the format with '.' and not with '_' like
606 608 Celery. So for example setting `BROKER_HOST` in Celery means setting
607 609 `broker.host` in the configuration file.
608 610
609 611 To start the Celery process, run::
610 612
611 613 gearbox celeryd -c <configfile.ini>
612 614
613 615 Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
614 616 for more info.
615 617
616 618 .. note::
617 619 Make sure you run this command from the same virtualenv, and with the same
618 620 user that Kallithea runs.
619 621
620 622
621 623 HTTPS support
622 624 -------------
623 625
624 626 Kallithea will by default generate URLs based on the WSGI environment.
625 627
626 628 Alternatively, you can use some special configuration settings to control
627 629 directly which scheme/protocol Kallithea will use when generating URLs:
628 630
629 631 - With ``https_fixup = true``, the scheme will be taken from the
630 632 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
631 633 (default ``http``).
632 634 - With ``force_https = true`` the default will be ``https``.
633 635 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
634 636
635 637
636 638 Nginx virtual host example
637 639 --------------------------
638 640
639 641 Sample config for Nginx using proxy:
640 642
641 643 .. code-block:: nginx
642 644
643 645 upstream kallithea {
644 646 server 127.0.0.1:5000;
645 647 # add more instances for load balancing
646 648 #server 127.0.0.1:5001;
647 649 #server 127.0.0.1:5002;
648 650 }
649 651
650 652 ## gist alias
651 653 server {
652 654 listen 443;
653 655 server_name gist.example.com;
654 656 access_log /var/log/nginx/gist.access.log;
655 657 error_log /var/log/nginx/gist.error.log;
656 658
657 659 ssl on;
658 660 ssl_certificate gist.your.kallithea.server.crt;
659 661 ssl_certificate_key gist.your.kallithea.server.key;
660 662
661 663 ssl_session_timeout 5m;
662 664
663 665 ssl_protocols SSLv3 TLSv1;
664 666 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
665 667 ssl_prefer_server_ciphers on;
666 668
667 669 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
668 670 rewrite (.*) https://kallithea.example.com/_admin/gists;
669 671 }
670 672
671 673 server {
672 674 listen 443;
673 675 server_name kallithea.example.com
674 676 access_log /var/log/nginx/kallithea.access.log;
675 677 error_log /var/log/nginx/kallithea.error.log;
676 678
677 679 ssl on;
678 680 ssl_certificate your.kallithea.server.crt;
679 681 ssl_certificate_key your.kallithea.server.key;
680 682
681 683 ssl_session_timeout 5m;
682 684
683 685 ssl_protocols SSLv3 TLSv1;
684 686 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
685 687 ssl_prefer_server_ciphers on;
686 688
687 689 ## uncomment root directive if you want to serve static files by nginx
688 690 ## requires static_files = false in .ini file
689 691 #root /srv/kallithea/kallithea/kallithea/public;
690 692 include /etc/nginx/proxy.conf;
691 693 location / {
692 694 try_files $uri @kallithea;
693 695 }
694 696
695 697 location @kallithea {
696 698 proxy_pass http://127.0.0.1:5000;
697 699 }
698 700
699 701 }
700 702
701 703 Here's the proxy.conf. It's tuned so it will not timeout on long
702 704 pushes or large pushes::
703 705
704 706 proxy_redirect off;
705 707 proxy_set_header Host $host;
706 708 ## needed for container auth
707 709 #proxy_set_header REMOTE_USER $remote_user;
708 710 #proxy_set_header X-Forwarded-User $remote_user;
709 711 proxy_set_header X-Url-Scheme $scheme;
710 712 proxy_set_header X-Host $http_host;
711 713 proxy_set_header X-Real-IP $remote_addr;
712 714 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
713 715 proxy_set_header Proxy-host $proxy_host;
714 716 proxy_buffering off;
715 717 proxy_connect_timeout 7200;
716 718 proxy_send_timeout 7200;
717 719 proxy_read_timeout 7200;
718 720 proxy_buffers 8 32k;
719 721 client_max_body_size 1024m;
720 722 client_body_buffer_size 128k;
721 723 large_client_header_buffers 8 64k;
722 724
723 725
724 726 Apache virtual host reverse proxy example
725 727 -----------------------------------------
726 728
727 729 Here is a sample configuration file for Apache using proxy:
728 730
729 731 .. code-block:: apache
730 732
731 733 <VirtualHost *:80>
732 734 ServerName kallithea.example.com
733 735
734 736 <Proxy *>
735 737 # For Apache 2.4 and later:
736 738 Require all granted
737 739
738 740 # For Apache 2.2 and earlier, instead use:
739 741 # Order allow,deny
740 742 # Allow from all
741 743 </Proxy>
742 744
743 745 #important !
744 746 #Directive to properly generate url (clone url) for Kallithea
745 747 ProxyPreserveHost On
746 748
747 749 #kallithea instance
748 750 ProxyPass / http://127.0.0.1:5000/
749 751 ProxyPassReverse / http://127.0.0.1:5000/
750 752
751 753 #to enable https use line below
752 754 #SetEnvIf X-Url-Scheme https HTTPS=1
753 755 </VirtualHost>
754 756
755 757 Additional tutorial
756 758 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
757 759
758 760
759 761 Apache as subdirectory
760 762 ----------------------
761 763
762 764 Apache subdirectory part:
763 765
764 766 .. code-block:: apache
765 767
766 768 <Location /PREFIX >
767 769 ProxyPass http://127.0.0.1:5000/PREFIX
768 770 ProxyPassReverse http://127.0.0.1:5000/PREFIX
769 771 SetEnvIf X-Url-Scheme https HTTPS=1
770 772 </Location>
771 773
772 774 Besides the regular apache setup you will need to add the following line
773 775 into ``[app:main]`` section of your .ini file::
774 776
775 777 filter-with = proxy-prefix
776 778
777 779 Add the following at the end of the .ini file::
778 780
779 781 [filter:proxy-prefix]
780 782 use = egg:PasteDeploy#prefix
781 783 prefix = /PREFIX
782 784
783 785 then change ``PREFIX`` into your chosen prefix
784 786
785 787
786 788 Apache with mod_wsgi
787 789 --------------------
788 790
789 791 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
790 792 that, you'll need to:
791 793
792 794 - Install mod_wsgi. If using a Debian-based distro, you can install
793 795 the package libapache2-mod-wsgi::
794 796
795 797 aptitude install libapache2-mod-wsgi
796 798
797 799 - Enable mod_wsgi::
798 800
799 801 a2enmod wsgi
800 802
801 803 - Add global Apache configuration to tell mod_wsgi that Python only will be
802 804 used in the WSGI processes and shouldn't be initialized in the Apache
803 805 processes::
804 806
805 807 WSGIRestrictEmbedded On
806 808
807 809 - Create a wsgi dispatch script, like the one below. Make sure you
808 810 check that the paths correctly point to where you installed Kallithea
809 811 and its Python Virtual Environment.
810 812 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
811 813 as in the following example. Once again, check the paths are
812 814 correctly specified.
813 815
814 816 Here is a sample excerpt from an Apache Virtual Host configuration file:
815 817
816 818 .. code-block:: apache
817 819
818 820 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
819 821 python-home=/srv/kallithea/venv
820 822 WSGIProcessGroup kallithea
821 823 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
822 824 WSGIPassAuthorization On
823 825
824 826 Or if using a dispatcher WSGI script with proper virtualenv activation:
825 827
826 828 .. code-block:: apache
827 829
828 830 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
829 831 WSGIProcessGroup kallithea
830 832 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
831 833 WSGIPassAuthorization On
832 834
833 835 Apache will by default run as a special Apache user, on Linux systems
834 836 usually ``www-data`` or ``apache``. If you need to have the repositories
835 837 directory owned by a different user, use the user and group options to
836 838 WSGIDaemonProcess to set the name of the user and group.
837 839
838 840 Example WSGI dispatch script:
839 841
840 842 .. code-block:: python
841 843
842 844 import os
843 845 os.environ["HGENCODING"] = "UTF-8"
844 846 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
845 847
846 848 # sometimes it's needed to set the current dir
847 849 os.chdir('/srv/kallithea/')
848 850
849 851 import site
850 852 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
851 853
852 854 ini = '/srv/kallithea/my.ini'
853 855 from paste.script.util.logging_config import fileConfig
854 856 fileConfig(ini)
855 857 from paste.deploy import loadapp
856 858 application = loadapp('config:' + ini)
857 859
858 860 Or using proper virtualenv activation:
859 861
860 862 .. code-block:: python
861 863
862 864 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
863 865 execfile(activate_this, dict(__file__=activate_this))
864 866
865 867 import os
866 868 os.environ['HOME'] = '/srv/kallithea'
867 869
868 870 ini = '/srv/kallithea/kallithea.ini'
869 871 from paste.script.util.logging_config import fileConfig
870 872 fileConfig(ini)
871 873 from paste.deploy import loadapp
872 874 application = loadapp('config:' + ini)
873 875
874 876
875 877 Other configuration files
876 878 -------------------------
877 879
878 880 A number of `example init.d scripts`__ can be found in
879 881 the ``init.d`` directory of the Kallithea source.
880 882
881 883 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
882 884
883 885
884 886 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
885 887 .. _python: http://www.python.org/
886 888 .. _Mercurial: https://www.mercurial-scm.org/
887 889 .. _Celery: http://celeryproject.org/
888 890 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
889 891 .. _RabbitMQ: http://www.rabbitmq.com/
890 892 .. _Redis: http://redis.io/
891 893 .. _python-ldap: http://www.python-ldap.org/
892 894 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
893 895 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
@@ -1,101 +1,116 b''
1 1 # -*- coding: utf-8 -*-
2 2 # This program is free software: you can redistribute it and/or modify
3 3 # it under the terms of the GNU General Public License as published by
4 4 # the Free Software Foundation, either version 3 of the License, or
5 5 # (at your option) any later version.
6 6 #
7 7 # This program is distributed in the hope that it will be useful,
8 8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 10 # GNU General Public License for more details.
11 11 #
12 12 # You should have received a copy of the GNU General Public License
13 13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 14 """
15 15 kallithea.lib.paster_commands.make_config
16 16 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17 17
18 18 make-config gearbox command for Kallithea
19 19
20 20 :license: GPLv3, see LICENSE.md for more details.
21 21 """
22 22
23 23
24 24 import os
25 25 import sys
26 26 import uuid
27 27 import argparse
28 from collections import defaultdict
28 29
29 30 import mako.exceptions
30 31
31 32 TMPL = 'template.ini.mako'
32 33 here = os.path.dirname(os.path.abspath(__file__))
33 34
34 35 from kallithea.lib.paster_commands.common import BasePasterCommand
35 36 from kallithea.lib import inifile
36 37
37 38
38 39 class Command(BasePasterCommand):
39 40 """Kallithea: Create a new config file
40 41
41 42 make-config is part of a two-phase installation process (the
42 43 second phase is setup-app). make-config creates a bare configuration
43 44 file (possibly filling in defaults from the extra
44 45 variables you give).
46
47 The first key=value arguments are used to customize the Mako variables that
48 are shown with --show-defaults. The following settings will be
49 patched/inserted in the [app:main] section ... until another section name
50 is specified and change where the following values go.
45 51 """
46 52
47 53 takes_config_file = False # at least not an existing one ...
48 54
49 55 def take_action(self, args):
50 56 _run(args)
51 57
52 58 def get_parser(self, prog_name):
53 59 parser = super(Command, self).get_parser(prog_name)
54 60
55 61 parser.add_argument('config_file', nargs='?',
56 62 help='application config file to write')
57 63
58 64 parser.add_argument('custom', nargs=argparse.REMAINDER,
59 65 help='custom values for the config file')
60 66
61 67 parser.add_argument('--show-defaults', action='store_true',
62 68 help="Show the default values that can be overridden")
63 69
64 70 return parser
65 71
66 72
67 73 def _run(args):
68 74 if args.config_file is None:
69 75 if not args.show_defaults:
70 76 raise ValueError("Missing argument: config_file")
71 77 else:
72 78 if args.show_defaults:
73 79 raise ValueError("Can't specify both config_file and --show_defaults")
74 80
75 81 mako_variable_values = {}
82 ini_settings = defaultdict(dict)
76 83
84 section_name = None
77 85 for parameter in args.custom:
78 86 parts = parameter.split('=', 1)
79 if len(parts) == 2:
87 if len(parts) == 1 and parameter.startswith('[') and parameter.endswith(']'):
88 section_name = parameter
89 elif len(parts) == 2:
80 90 key, value = parts
81 mako_variable_values[key] = value
91 if section_name is None and key in inifile.default_variables:
92 mako_variable_values[key] = value
93 else:
94 if section_name is None:
95 section_name = '[app:main]'
96 ini_settings[section_name][key] = value
82 97 else:
83 98 raise ValueError("Invalid name=value parameter %r" % parameter)
84 99
85 100 if args.show_defaults:
86 101 for key, value in inifile.default_variables.items():
87 102 value = mako_variable_values.get(key, value)
88 103 print '%s=%s' % (key, value)
89 104 sys.exit(0)
90 105
91 106 # use default that cannot be replaced
92 107 mako_variable_values.update({
93 108 'uuid': lambda: uuid.uuid4().hex,
94 109 })
95 110 try:
96 111 config_file = os.path.abspath(args.config_file)
97 inifile.create(config_file, mako_variable_values, {})
112 inifile.create(config_file, mako_variable_values, ini_settings)
98 113 print 'Wrote new config file in %s' % config_file
99 114
100 115 except Exception:
101 116 print mako.exceptions.text_error_template().render()
General Comments 0
You need to be logged in to leave comments. Login now