upstream/kallithea Commit - r7736:ee4fc2d2

1

.. _setup:

1

.. _setup:

2

3

=====

3

=====

4

Setup

4

Setup

5

=====

5

=====

6

7

8

Setting up Kallithea

8

Setting up Kallithea

9

--------------------

9

--------------------

10

11

First, you will need to create a Kallithea configuration file. Run the

11

First, you will need to create a Kallithea configuration file. Run the

12

following command to do so::

12

following command to do so::

13

14

kallithea-cli config-create my.ini

14

kallithea-cli config-create my.ini

15

16

This will create the file ``my.ini`` in the current directory. This

16

This will create the file ``my.ini`` in the current directory. This

17

configuration file contains the various settings for Kallithea, e.g.

17

configuration file contains the various settings for Kallithea, e.g.

18

proxy port, email settings, usage of static files, cache, Celery

18

proxy port, email settings, usage of static files, cache, Celery

19

settings, and logging. Extra settings can be specified like::

19

settings, and logging. Extra settings can be specified like::

20

21

kallithea-cli config-create my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter

21

kallithea-cli config-create my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter

22

23

Next, you need to create the databases used by Kallithea. It is recommended to

23

Next, you need to create the databases used by Kallithea. It is recommended to

24

use PostgreSQL or SQLite (default). If you choose a database other than the

24

use PostgreSQL or SQLite (default). If you choose a database other than the

25

default, ensure you properly adjust the database URL in your ``my.ini``

25

default, ensure you properly adjust the database URL in your ``my.ini``

26

configuration file to use this other database. Kallithea currently supports

26

configuration file to use this other database. Kallithea currently supports

27

PostgreSQL, SQLite and MySQL databases. Create the database by running

27

PostgreSQL, SQLite and MySQL databases. Create the database by running

28

the following command::

28

the following command::

29

30

kallithea-cli db-create -c my.ini

30

kallithea-cli db-create -c my.ini

31

32

This will prompt you for a "root" path. This "root" path is the location where

32

This will prompt you for a "root" path. This "root" path is the location where

33

Kallithea will store all of its repositories on the current machine. After

33

Kallithea will store all of its repositories on the current machine. After

34

entering this "root" path ``db-create`` will also prompt you for a username

34

entering this "root" path ``db-create`` will also prompt you for a username

35

and password for the initial admin account which ``db-create`` sets

35

and password for the initial admin account which ``db-create`` sets

36

up for you.

36

up for you.

37

38

The ``db-create`` values can also be given on the command line.

38

The ``db-create`` values can also be given on the command line.

39

Example::

39

Example::

40

41

kallithea-cli db-create -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos

41

kallithea-cli db-create -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos

42

43

The ``db-create`` command will create all needed tables and an

43

The ``db-create`` command will create all needed tables and an

44

admin account. When choosing a root path you can either use a new

44

admin account. When choosing a root path you can either use a new

45

empty location, or a location which already contains existing

45

empty location, or a location which already contains existing

46

repositories. If you choose a location which contains existing

46

repositories. If you choose a location which contains existing

47

repositories Kallithea will add all of the repositories at the chosen

47

repositories Kallithea will add all of the repositories at the chosen

48

location to its database. (Note: make sure you specify the correct

48

location to its database. (Note: make sure you specify the correct

49

path to the root).

49

path to the root).

50

51

.. note:: the given path for Mercurial_ repositories **must** be write

51

.. note:: the given path for Mercurial_ repositories **must** be write

52

accessible for the application. It's very important since

52

accessible for the application. It's very important since

53

the Kallithea web interface will work without write access,

53

the Kallithea web interface will work without write access,

54

but when trying to do a push it will fail with permission

54

but when trying to do a push it will fail with permission

55

denied errors unless it has write access.

55

denied errors unless it has write access.

56

57

Finally, prepare the front-end by running::

57

Finally, prepare the front-end by running::

58

59

kallithea-cli front-end-build

59

kallithea-cli front-end-build

60

61

You are now ready to use Kallithea. To run it simply execute::

61

You are now ready to use Kallithea. To run it simply execute::

62

63

gearbox serve -c my.ini

63

gearbox serve -c my.ini

64

65

- This command runs the Kallithea server. The web app should be available at

65

- This command runs the Kallithea server. The web app should be available at

66

http://127.0.0.1:5000. The IP address and port is configurable via the

66

http://127.0.0.1:5000. The IP address and port is configurable via the

67

configuration file created in the previous step.

67

configuration file created in the previous step.

68

- Log in to Kallithea using the admin account created when running ``db-create``.

68

- Log in to Kallithea using the admin account created when running ``db-create``.

69

- The default permissions on each repository is read, and the owner is admin.

69

- The default permissions on each repository is read, and the owner is admin.

70

Remember to update these if needed.

70

Remember to update these if needed.

71

- In the admin panel you can toggle LDAP, anonymous, and permissions

71

- In the admin panel you can toggle LDAP, anonymous, and permissions

72

settings, as well as edit more advanced options on users and

72

settings, as well as edit more advanced options on users and

73

repositories.

73

repositories.

74

75

76

Internationalization (i18n support)

76

Internationalization (i18n support)

77

-----------------------------------

77

-----------------------------------

78

79

The Kallithea web interface is automatically displayed in the user's preferred

79

The Kallithea web interface is automatically displayed in the user's preferred

80

language, as indicated by the browser. Thus, different users may see the

80

language, as indicated by the browser. Thus, different users may see the

81

application in different languages. If the requested language is not available

81

application in different languages. If the requested language is not available

82

(because the translation file for that language does not yet exist or is

82

(because the translation file for that language does not yet exist or is

83

incomplete), the language specified in setting ``i18n.lang`` in the Kallithea

83

incomplete), the language specified in setting ``i18n.lang`` in the Kallithea

84

configuration file is used as fallback. If no fallback language is explicitly

84

configuration file is used as fallback. If no fallback language is explicitly

85

specified, English is used.

85

specified, English is used.

86

87

If you want to disable automatic language detection and instead configure a

87

If you want to disable automatic language detection and instead configure a

88

fixed language regardless of user preference, set ``i18n.enabled = false`` and

88

fixed language regardless of user preference, set ``i18n.enabled = false`` and

89

set ``i18n.lang`` to the desired language (or leave empty for English).

89

set ``i18n.lang`` to the desired language (or leave empty for English).

90

91

92

Using Kallithea with SSH

92

Using Kallithea with SSH

93

------------------------

93

------------------------

94

95

Kallithea supports repository access via SSH key based authentication.

95

Kallithea supports repository access via SSH key based authentication.

96

This means:

97

98

- repository URLs like ``ssh://kallithea@example.com/name/of/repository``

99

100

- all network traffic for both read and write happens over the SSH protocol on

101

port 22, without using HTTP/HTTPS nor the Kallithea WSGI application

102

103

- encryption and authentication protocols are managed by the system's ``sshd``

104

process, with all users using the same Kallithea system user (e.g.

105

``kallithea``) when connecting to the SSH server, but with users' public keys

106

in the Kallithea system user's `.ssh/authorized_keys` file granting each user

107

sandboxed access to the repositories.

108

109

- users and admins can manage SSH public keys in the web UI

110

111

- in their SSH client configuration, users can configure how the client should

112

control access to their SSH key - without passphrase, with passphrase, and

113

optionally with passphrase caching in the local shell session (``ssh-agent``).

114

This is standard SSH functionality, not something Kallithea provides or

115

interferes with.

116

117

- network communication between client and server happens in a bidirectional

118

stateful stream, and will in some cases be faster than HTTP/HTTPS with several

119

stateless round-trips.

120

96

121

97

.. note:: At this moment, repository access via SSH has been tested on Unix

122

.. note:: At this moment, repository access via SSH has been tested on Unix

98

only. Windows users that care about SSH are invited to test it and report

123

only. Windows users that care about SSH are invited to test it and report

99

problems, ideally contributing patches that solve these problems.

124

problems, ideally contributing patches that solve these problems.

100

125

101

Users and admins can upload SSH public keys (e.g. ``.ssh/id_rsa.pub``) through

126

Users and admins can upload SSH public keys (e.g. ``.ssh/id_rsa.pub``) through

102

the web interface. The server's ``.ssh/authorized_keys`` file is automatically

127

the web interface. The server's ``.ssh/authorized_keys`` file is automatically

103

maintained with an entry for each SSH key. Each entry will tell ``sshd`` to run

128

maintained with an entry for each SSH key. Each entry will tell ``sshd`` to run

104

``kallithea-cli`` with the ``ssh-serve`` sub-command and the right Kallithea user ID

129

``kallithea-cli`` with the ``ssh-serve`` sub-command and the right Kallithea user ID

105

when encountering the corresponding SSH key.

130

when encountering the corresponding SSH key.

106

131

107

To enable SSH repository access, Kallithea must be configured with the path to

132

To enable SSH repository access, Kallithea must be configured with the path to

108

the ``.ssh/authorized_keys`` file for the Kallithea user, and the path to the

133

the ``.ssh/authorized_keys`` file for the Kallithea user, and the path to the

109

``kallithea-cli`` command. Put something like this in the ``.ini`` file::

134

``kallithea-cli`` command. Put something like this in the ``.ini`` file::

110

135

111

ssh_enabled = true

136

ssh_enabled = true

112

ssh_authorized_keys = /home/kallithea/.ssh/authorized_keys

137

ssh_authorized_keys = /home/kallithea/.ssh/authorized_keys

113

kallithea_cli_path = /srv/kallithea/venv/bin/kallithea-cli

138

kallithea_cli_path = /srv/kallithea/venv/bin/kallithea-cli

114

139

115

The SSH service must be running, and the Kallithea user account must be active

140

The SSH service must be running, and the Kallithea user account must be active

116

(not necessarily with password access, but public key access must be enabled),

141

(not necessarily with password access, but public key access must be enabled),

117

all file permissions must be set as sshd wants it, and ``authorized_keys`` must

142

all file permissions must be set as sshd wants it, and ``authorized_keys`` must

118

be writeable by the Kallithea user.

143

be writeable by the Kallithea user.

119

144

120

.. note:: The ``authorized_keys`` file will be rewritten from scratch on

145

.. note:: The ``authorized_keys`` file will be rewritten from scratch on

121

each update. If it already exists with other data, Kallithea will not

146

each update. If it already exists with other data, Kallithea will not

122

overwrite the existing ``authorized_keys``, and the server process will

147

overwrite the existing ``authorized_keys``, and the server process will

123

instead throw an exception. The system administrator thus cannot ssh

148

instead throw an exception. The system administrator thus cannot ssh

124

directly to the Kallithea user but must use su/sudo from another account.

149

directly to the Kallithea user but must use su/sudo from another account.

125

150

126

If ``/home/kallithea/.ssh/`` (the directory of the path specified in the

151

If ``/home/kallithea/.ssh/`` (the directory of the path specified in the

127

``ssh_authorized_keys`` setting of the ``.ini`` file) does not exist as a

152

``ssh_authorized_keys`` setting of the ``.ini`` file) does not exist as a

128

directory, Kallithea will attempt to create it. If that path exists but is

153

directory, Kallithea will attempt to create it. If that path exists but is

129

*not* a directory, or is not readable-writable-executable by the server

154

*not* a directory, or is not readable-writable-executable by the server

130

process, the server process will raise an exception each time it attempts to

155

process, the server process will raise an exception each time it attempts to

131

write the ``authorized_keys`` file.

156

write the ``authorized_keys`` file.

132

157

133

.. warning:: The handling of SSH access is steered directly by the command

158

.. warning:: The handling of SSH access is steered directly by the command

134

specified in the ``authorized_keys`` file. There is no interaction with the

159

specified in the ``authorized_keys`` file. There is no interaction with the

135

web UI. Once SSH access is correctly configured and enabled, it will work

160

web UI. Once SSH access is correctly configured and enabled, it will work

136

regardless of whether the Kallithea web process is actually running. Hence,

161

regardless of whether the Kallithea web process is actually running. Hence,

137

if you want to perform repository or server maintenance and want to fully

162

if you want to perform repository or server maintenance and want to fully

138

disable all access to the repositories, disable SSH access by setting

163

disable all access to the repositories, disable SSH access by setting

139

``ssh_enabled = false`` in the correct ``.ini`` file (i.e. the ``.ini`` file

164

``ssh_enabled = false`` in the correct ``.ini`` file (i.e. the ``.ini`` file

140

specified in the ``authorized_keys`` file.)

165

specified in the ``authorized_keys`` file.)

141

166

142

The ``authorized_keys`` file can be updated manually with ``kallithea-cli

167

The ``authorized_keys`` file can be updated manually with ``kallithea-cli

143

ssh-update-authorized-keys -c my.ini``. This command is not needed in normal

168

ssh-update-authorized-keys -c my.ini``. This command is not needed in normal

144

operation but is for example useful after changing SSH-related settings in the

169

operation but is for example useful after changing SSH-related settings in the

145

``.ini`` file or renaming that file. (The path to the ``.ini`` file is used in

170

``.ini`` file or renaming that file. (The path to the ``.ini`` file is used in

146

the generated ``authorized_keys`` file).

171

the generated ``authorized_keys`` file).

147

172

148

173

149

Setting up Whoosh full text search

174

Setting up Whoosh full text search

150

----------------------------------

175

----------------------------------

151

176

152

Kallithea provides full text search of repositories using `Whoosh`__.

177

Kallithea provides full text search of repositories using `Whoosh`__.

153

178

154

.. __: https://whoosh.readthedocs.io/en/latest/

179

.. __: https://whoosh.readthedocs.io/en/latest/

155

180

156

For an incremental index build, run::

181

For an incremental index build, run::

157

182

158

kallithea-cli index-create -c my.ini

183

kallithea-cli index-create -c my.ini

159

184

160

For a full index rebuild, run::

185

For a full index rebuild, run::

161

186

162

kallithea-cli index-create -c my.ini --full

187

kallithea-cli index-create -c my.ini --full

163

188

164

The ``--repo-location`` option allows the location of the repositories to be overridden;

189

The ``--repo-location`` option allows the location of the repositories to be overridden;

165

usually, the location is retrieved from the Kallithea database.

190

usually, the location is retrieved from the Kallithea database.

166

191

167

The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::

192

The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::

168

193

169

kallithea-cli index-create -c my.ini --index-only=vcs,kallithea

194

kallithea-cli index-create -c my.ini --index-only=vcs,kallithea

170

195

171

To keep your index up-to-date it is necessary to do periodic index builds;

196

To keep your index up-to-date it is necessary to do periodic index builds;

172

for this, it is recommended to use a crontab entry. Example::

197

for this, it is recommended to use a crontab entry. Example::

173

198

174

0 3 * * * /path/to/virtualenv/bin/kallithea-cli index-create -c /path/to/kallithea/my.ini

199

0 3 * * * /path/to/virtualenv/bin/kallithea-cli index-create -c /path/to/kallithea/my.ini

175

200

176

When using incremental mode (the default), Whoosh will check the last

201

When using incremental mode (the default), Whoosh will check the last

177

modification date of each file and add it to be reindexed if a newer file is

202

modification date of each file and add it to be reindexed if a newer file is

178

available. The indexing daemon checks for any removed files and removes them

203

available. The indexing daemon checks for any removed files and removes them

179

from index.

204

from index.

180

205

181

If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,

206

If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,

182

or in the admin panel you can check the "build from scratch" checkbox.

207

or in the admin panel you can check the "build from scratch" checkbox.

183

208

184

209

185

Integration with issue trackers

210

Integration with issue trackers

186

-------------------------------

211

-------------------------------

187

212

188

Kallithea provides a simple integration with issue trackers. It's possible

213

Kallithea provides a simple integration with issue trackers. It's possible

189

to define a regular expression that will match an issue ID in commit messages,

214

to define a regular expression that will match an issue ID in commit messages,

190

and have that replaced with a URL to the issue.

215

and have that replaced with a URL to the issue.

191

216

192

This is achieved with following three variables in the ini file::

217

This is achieved with following three variables in the ini file::

193

218

194

issue_pat = #(\d+)

219

issue_pat = #(\d+)

195

issue_server_link = https://issues.example.com/{repo}/issue/\1

220

issue_server_link = https://issues.example.com/{repo}/issue/\1

196

issue_sub =

221

issue_sub =

197

222

198

``issue_pat`` is the regular expression describing which strings in

223

``issue_pat`` is the regular expression describing which strings in

199

commit messages will be treated as issue references. The expression can/should

224

commit messages will be treated as issue references. The expression can/should

200

have one or more parenthesized groups that can later be referred to in

225

have one or more parenthesized groups that can later be referred to in

201

``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups

226

``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups

202

can be used instead of simple parenthesized groups.

227

can be used instead of simple parenthesized groups.

203

228

204

If the pattern should only match if it is preceded by whitespace, add the

229

If the pattern should only match if it is preceded by whitespace, add the

205

following string before the actual pattern: ``(?:^|(?<=\s))``.

230

following string before the actual pattern: ``(?:^|(?<=\s))``.

206

If the pattern should only match if it is followed by whitespace, add the

231

If the pattern should only match if it is followed by whitespace, add the

207

following string after the actual pattern: ``(?:$|(?=\s))``.

232

following string after the actual pattern: ``(?:$|(?=\s))``.

208

These expressions use lookbehind and lookahead assertions of the Python regular

233

These expressions use lookbehind and lookahead assertions of the Python regular

209

expression module to avoid the whitespace to be part of the actual pattern,

234

expression module to avoid the whitespace to be part of the actual pattern,

210

otherwise the link text will also contain that whitespace.

235

otherwise the link text will also contain that whitespace.

211

236

212

Matched issue references are replaced with the link specified in

237

Matched issue references are replaced with the link specified in

213

``issue_server_link``, in which any backreferences are resolved. Backreferences

238

``issue_server_link``, in which any backreferences are resolved. Backreferences

214

can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.

239

can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.

215

The special token ``{repo}`` is replaced with the full repository path

240

The special token ``{repo}`` is replaced with the full repository path

216

(including repository groups), while token ``{repo_name}`` is replaced with the

241

(including repository groups), while token ``{repo_name}`` is replaced with the

217

repository name (without repository groups).

242

repository name (without repository groups).

218

243

219

The link text is determined by ``issue_sub``, which can be a string containing

244

The link text is determined by ``issue_sub``, which can be a string containing

220

backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is

245

backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is

221

empty, then the text matched by ``issue_pat`` is used verbatim.

246

empty, then the text matched by ``issue_pat`` is used verbatim.

222

247

223

The example settings shown above match issues in the format ``#<number>``.

248

The example settings shown above match issues in the format ``#<number>``.

224

This will cause the text ``#300`` to be transformed into a link:

249

This will cause the text ``#300`` to be transformed into a link:

225

250

226

.. code-block:: html

251

.. code-block:: html

227

252

228

253

229

254

230

The following example transforms a text starting with either of 'pullrequest',

255

The following example transforms a text starting with either of 'pullrequest',

231

'pull request' or 'PR', followed by an optional space, then a pound character

256

'pull request' or 'PR', followed by an optional space, then a pound character

232

(#) and one or more digits, into a link with the text 'PR #' followed by the

257

(#) and one or more digits, into a link with the text 'PR #' followed by the

233

digits::

258

digits::

234

259

235

issue_pat = (pullrequest|pull request|PR) ?#(\d+)

260

issue_pat = (pullrequest|pull request|PR) ?#(\d+)

236

issue_server_link = https://issues.example.com/\2

261

issue_server_link = https://issues.example.com/\2

237

issue_sub = PR #\2

262

issue_sub = PR #\2

238

263

239

The following example demonstrates how to require whitespace before the issue

264

The following example demonstrates how to require whitespace before the issue

240

reference in order for it to be recognized, such that the text ``issue#123`` will

265

reference in order for it to be recognized, such that the text ``issue#123`` will

241

not cause a match, but ``issue #123`` will::

266

not cause a match, but ``issue #123`` will::

242

267

243

issue_pat = (?:^|(?<=\s))#(\d+)

268

issue_pat = (?:^|(?<=\s))#(\d+)

244

issue_server_link = https://issues.example.com/\1

269

issue_server_link = https://issues.example.com/\1

245

issue_sub =

270

issue_sub =

246

271

247

If needed, more than one pattern can be specified by appending a unique suffix to

272

If needed, more than one pattern can be specified by appending a unique suffix to

248

the variables. For example, also demonstrating the use of named groups::

273

the variables. For example, also demonstrating the use of named groups::

249

274

250

issue_pat_wiki = wiki-(?P<pagename>\S+)

275

issue_pat_wiki = wiki-(?P<pagename>\S+)

251

issue_server_link_wiki = https://wiki.example.com/\g<pagename>

276

issue_server_link_wiki = https://wiki.example.com/\g<pagename>

252

issue_sub_wiki = WIKI-\g<pagename>

277

issue_sub_wiki = WIKI-\g<pagename>

253

278

254

With these settings, wiki pages can be referenced as wiki-some-id, and every

279

With these settings, wiki pages can be referenced as wiki-some-id, and every

255

such reference will be transformed into:

280

such reference will be transformed into:

256

281

257

.. code-block:: html

282

.. code-block:: html

258

283

259

284

260

285

261

Refer to the `Python regular expression documentation`_ for more details about

286

Refer to the `Python regular expression documentation`_ for more details about

262

the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.

287

the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.

263

288

264

289

265

Hook management

290

Hook management

266

---------------

291

---------------

267

292

268

Hooks can be managed in similar way to that used in ``.hgrc`` files.

293

Hooks can be managed in similar way to that used in ``.hgrc`` files.

269

To manage hooks, choose *Admin > Settings > Hooks*.

294

To manage hooks, choose *Admin > Settings > Hooks*.

270

295

271

The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.

296

The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.

272

297

273

To add another custom hook simply fill in the first textbox with

298

To add another custom hook simply fill in the first textbox with

274

``<name>.<hook_type>`` and the second with the hook path. Example hooks

299

``<name>.<hook_type>`` and the second with the hook path. Example hooks

275

can be found in ``kallithea.lib.hooks``.

300

can be found in ``kallithea.lib.hooks``.

276

301

277

302

278

Changing default encoding

303

Changing default encoding

279

-------------------------

304

-------------------------

280

305

281

By default, Kallithea uses UTF-8 encoding.

306

By default, Kallithea uses UTF-8 encoding.

282

This is configurable as ``default_encoding`` in the .ini file.

307

This is configurable as ``default_encoding`` in the .ini file.

283

This affects many parts in Kallithea including user names, filenames, and

308

This affects many parts in Kallithea including user names, filenames, and

284

encoding of commit messages. In addition Kallithea can detect if the ``chardet``

309

encoding of commit messages. In addition Kallithea can detect if the ``chardet``

285

library is installed. If ``chardet`` is detected Kallithea will fallback to it

310

library is installed. If ``chardet`` is detected Kallithea will fallback to it

286

when there are encode/decode errors.

311

when there are encode/decode errors.

287

312

288

The Mercurial encoding is configurable as ``hgencoding``. It is similar to

313

The Mercurial encoding is configurable as ``hgencoding``. It is similar to

289

setting the ``HGENCODING`` environment variable, but will override it.

314

setting the ``HGENCODING`` environment variable, but will override it.

290

315

291

316

292

Celery configuration

317

Celery configuration

293

--------------------

318

--------------------

294

319

295

Kallithea can use the distributed task queue system Celery_ to run tasks like

320

Kallithea can use the distributed task queue system Celery_ to run tasks like

296

cloning repositories or sending emails.

321

cloning repositories or sending emails.

297

322

298

Kallithea will in most setups work perfectly fine out of the box (without

323

Kallithea will in most setups work perfectly fine out of the box (without

299

Celery), executing all tasks in the web server process. Some tasks can however

324

Celery), executing all tasks in the web server process. Some tasks can however

300

take some time to run and it can be better to run such tasks asynchronously in

325

take some time to run and it can be better to run such tasks asynchronously in

301

a separate process so the web server can focus on serving web requests.

326

a separate process so the web server can focus on serving web requests.

302

327

303

For installation and configuration of Celery, see the `Celery documentation`_.

328

For installation and configuration of Celery, see the `Celery documentation`_.

304

Note that Celery requires a message broker service like RabbitMQ_ (recommended)

329

Note that Celery requires a message broker service like RabbitMQ_ (recommended)

305

or Redis_.

330

or Redis_.

306

331

307

The use of Celery is configured in the Kallithea ini configuration file.

332

The use of Celery is configured in the Kallithea ini configuration file.

308

To enable it, simply set::

333

To enable it, simply set::

309

334

310

use_celery = true

335

use_celery = true

311

336

312

and add or change the ``celery.*`` and ``broker.*`` configuration variables.

337

and add or change the ``celery.*`` and ``broker.*`` configuration variables.

313

338

314

Remember that the ini files use the format with '.' and not with '_' like

339

Remember that the ini files use the format with '.' and not with '_' like

315

Celery. So for example setting `BROKER_HOST` in Celery means setting

340

Celery. So for example setting `BROKER_HOST` in Celery means setting

316

`broker.host` in the configuration file.

341

`broker.host` in the configuration file.

317

342

318

To start the Celery process, run::

343

To start the Celery process, run::

319

344

320

kallithea-cli celery-run -c my.ini

345

kallithea-cli celery-run -c my.ini

321

346

322

Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``

347

Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``

323

for more info.

348

for more info.

324

349

325

.. note::

350

.. note::

326

Make sure you run this command from the same virtualenv, and with the same

351

Make sure you run this command from the same virtualenv, and with the same

327

user that Kallithea runs.

352

user that Kallithea runs.

328

353

329

354

330

HTTPS support

355

HTTPS support

331

-------------

356

-------------

332

357

333

Kallithea will by default generate URLs based on the WSGI environment.

358

Kallithea will by default generate URLs based on the WSGI environment.

334

359

335

Alternatively, you can use some special configuration settings to control

360

Alternatively, you can use some special configuration settings to control

336

directly which scheme/protocol Kallithea will use when generating URLs:

361

directly which scheme/protocol Kallithea will use when generating URLs:

337

362

338

- With ``https_fixup = true``, the scheme will be taken from the

363

- With ``https_fixup = true``, the scheme will be taken from the

339

``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header

364

``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header

340

(default ``http``).

365

(default ``http``).

341

- With ``force_https = true`` the default will be ``https``.

366

- With ``force_https = true`` the default will be ``https``.

342

- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.

367

- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.

343

368

344

.. _nginx_virtual_host:

369

.. _nginx_virtual_host:

345

370

346

371

347

Nginx virtual host example

372

Nginx virtual host example

348

--------------------------

373

--------------------------

349

374

350

Sample config for Nginx using proxy:

375

Sample config for Nginx using proxy:

351

376

352

.. code-block:: nginx

377

.. code-block:: nginx

353

378

354

upstream kallithea {

379

upstream kallithea {

355

server 127.0.0.1:5000;

380

server 127.0.0.1:5000;

356

# add more instances for load balancing

381

# add more instances for load balancing

357

#server 127.0.0.1:5001;

382

#server 127.0.0.1:5001;

358

#server 127.0.0.1:5002;

383

#server 127.0.0.1:5002;

359

}

384

}

360

385

361

## gist alias

386

## gist alias

362

server {

387

server {

363

listen 443;

388

listen 443;

364

server_name gist.example.com;

389

server_name gist.example.com;

365

access_log /var/log/nginx/gist.access.log;

390

access_log /var/log/nginx/gist.access.log;

366

error_log /var/log/nginx/gist.error.log;

391

error_log /var/log/nginx/gist.error.log;

367

392

368

ssl on;

393

ssl on;

369

ssl_certificate gist.your.kallithea.server.crt;

394

ssl_certificate gist.your.kallithea.server.crt;

370

ssl_certificate_key gist.your.kallithea.server.key;

395

ssl_certificate_key gist.your.kallithea.server.key;

371

396

372

ssl_session_timeout 5m;

397

ssl_session_timeout 5m;

373

398

374

ssl_protocols SSLv3 TLSv1;

399

ssl_protocols SSLv3 TLSv1;

375

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

400

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

376

ssl_prefer_server_ciphers on;

401

ssl_prefer_server_ciphers on;

377

402

378

rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;

403

rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;

379

rewrite (.*) https://kallithea.example.com/_admin/gists;

404

rewrite (.*) https://kallithea.example.com/_admin/gists;

380

}

405

}

381

406

382

server {

407

server {

383

listen 443;

408

listen 443;

384

server_name kallithea.example.com

409

server_name kallithea.example.com

385

access_log /var/log/nginx/kallithea.access.log;

410

access_log /var/log/nginx/kallithea.access.log;

386

error_log /var/log/nginx/kallithea.error.log;

411

error_log /var/log/nginx/kallithea.error.log;

387

412

388

ssl on;

413

ssl on;

389

ssl_certificate your.kallithea.server.crt;

414

ssl_certificate your.kallithea.server.crt;

390

ssl_certificate_key your.kallithea.server.key;

415

ssl_certificate_key your.kallithea.server.key;

391

416

392

ssl_session_timeout 5m;

417

ssl_session_timeout 5m;

393

418

394

ssl_protocols SSLv3 TLSv1;

419

ssl_protocols SSLv3 TLSv1;

395

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

420

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

396

ssl_prefer_server_ciphers on;

421

ssl_prefer_server_ciphers on;

397

422

398

## uncomment root directive if you want to serve static files by nginx

423

## uncomment root directive if you want to serve static files by nginx

399

## requires static_files = false in .ini file

424

## requires static_files = false in .ini file

400

#root /srv/kallithea/kallithea/kallithea/public;

425

#root /srv/kallithea/kallithea/kallithea/public;

401

include /etc/nginx/proxy.conf;

426

include /etc/nginx/proxy.conf;

402

location / {

427

location / {

403

try_files $uri @kallithea;

428

try_files $uri @kallithea;

404

}

429

}

405

430

406

location @kallithea {

431

location @kallithea {

407

proxy_pass http://127.0.0.1:5000;

432

proxy_pass http://127.0.0.1:5000;

408

}

433

}

409

434

410

}

435

}

411

436

412

Here's the proxy.conf. It's tuned so it will not timeout on long

437

Here's the proxy.conf. It's tuned so it will not timeout on long

413

pushes or large pushes::

438

pushes or large pushes::

414

439

415

proxy_redirect off;

440

proxy_redirect off;

416

proxy_set_header Host $host;

441

proxy_set_header Host $host;

417

## needed for container auth

442

## needed for container auth

418

#proxy_set_header REMOTE_USER $remote_user;

443

#proxy_set_header REMOTE_USER $remote_user;

419

#proxy_set_header X-Forwarded-User $remote_user;

444

#proxy_set_header X-Forwarded-User $remote_user;

420

proxy_set_header X-Url-Scheme $scheme;

445

proxy_set_header X-Url-Scheme $scheme;

421

proxy_set_header X-Host $http_host;

446

proxy_set_header X-Host $http_host;

422

proxy_set_header X-Real-IP $remote_addr;

447

proxy_set_header X-Real-IP $remote_addr;

423

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

448

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

424

proxy_set_header Proxy-host $proxy_host;

449

proxy_set_header Proxy-host $proxy_host;

425

proxy_buffering off;

450

proxy_buffering off;

426

proxy_connect_timeout 7200;

451

proxy_connect_timeout 7200;

427

proxy_send_timeout 7200;

452

proxy_send_timeout 7200;

428

proxy_read_timeout 7200;

453

proxy_read_timeout 7200;

429

proxy_buffers 8 32k;

454

proxy_buffers 8 32k;

430

client_max_body_size 1024m;

455

client_max_body_size 1024m;

431

client_body_buffer_size 128k;

456

client_body_buffer_size 128k;

432

large_client_header_buffers 8 64k;

457

large_client_header_buffers 8 64k;

433

458

434

.. _apache_virtual_host_reverse_proxy:

459

.. _apache_virtual_host_reverse_proxy:

435

460

436

461

437

Apache virtual host reverse proxy example

462

Apache virtual host reverse proxy example

438

-----------------------------------------

463

-----------------------------------------

439

464

440

Here is a sample configuration file for Apache using proxy:

465

Here is a sample configuration file for Apache using proxy:

441

466

442

.. code-block:: apache

467

.. code-block:: apache

443

468

444

469

445

ServerName kallithea.example.com

470

ServerName kallithea.example.com

446

471

447

472

448

# For Apache 2.4 and later:

473

# For Apache 2.4 and later:

449

Require all granted

474

Require all granted

450

475

451

# For Apache 2.2 and earlier, instead use:

476

# For Apache 2.2 and earlier, instead use:

452

# Order allow,deny

477

# Order allow,deny

453

# Allow from all

478

# Allow from all

454

</Proxy>

479

</Proxy>

455

480

456

#important !

481

#important !

457

#Directive to properly generate url (clone url) for Kallithea

482

#Directive to properly generate url (clone url) for Kallithea

458

ProxyPreserveHost On

483

ProxyPreserveHost On

459

484

460

#kallithea instance

485

#kallithea instance

461

ProxyPass / http://127.0.0.1:5000/

486

ProxyPass / http://127.0.0.1:5000/

462

ProxyPassReverse / http://127.0.0.1:5000/

487

ProxyPassReverse / http://127.0.0.1:5000/

463

488

464

#to enable https use line below

489

#to enable https use line below

465

#SetEnvIf X-Url-Scheme https HTTPS=1

490

#SetEnvIf X-Url-Scheme https HTTPS=1

466

</VirtualHost>

491

</VirtualHost>

467

492

468

Additional tutorial

493

Additional tutorial

469

http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons

494

http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons

470

495

471

.. _apache_subdirectory:

496

.. _apache_subdirectory:

472

497

473

498

474

Apache as subdirectory

499

Apache as subdirectory

475

----------------------

500

----------------------

476

501

477

Apache subdirectory part:

502

Apache subdirectory part:

478

503

479

.. code-block:: apache

504

.. code-block:: apache

480

505

481

506

482

ProxyPass http://127.0.0.1:5000/PREFIX

507

ProxyPass http://127.0.0.1:5000/PREFIX

483

ProxyPassReverse http://127.0.0.1:5000/PREFIX

508

ProxyPassReverse http://127.0.0.1:5000/PREFIX

484

SetEnvIf X-Url-Scheme https HTTPS=1

509

SetEnvIf X-Url-Scheme https HTTPS=1

485

</Location>

510

</Location>

486

511

487

Besides the regular apache setup you will need to add the following line

512

Besides the regular apache setup you will need to add the following line

488

into ``[app:main]`` section of your .ini file::

513

into ``[app:main]`` section of your .ini file::

489

514

490

filter-with = proxy-prefix

515

filter-with = proxy-prefix

491

516

492

Add the following at the end of the .ini file::

517

Add the following at the end of the .ini file::

493

518

494

[filter:proxy-prefix]

519

[filter:proxy-prefix]

495

use = egg:PasteDeploy#prefix

520

use = egg:PasteDeploy#prefix

496

prefix = /PREFIX

521

prefix = /PREFIX

497

522

498

then change ``PREFIX`` into your chosen prefix

523

then change ``PREFIX`` into your chosen prefix

499

524

500

.. _apache_mod_wsgi:

525

.. _apache_mod_wsgi:

501

526

502

527

503

Apache with mod_wsgi

528

Apache with mod_wsgi

504

--------------------

529

--------------------

505

530

506

Alternatively, Kallithea can be set up with Apache under mod_wsgi. For

531

Alternatively, Kallithea can be set up with Apache under mod_wsgi. For

507

that, you'll need to:

532

that, you'll need to:

508

533

509

- Install mod_wsgi. If using a Debian-based distro, you can install

534

- Install mod_wsgi. If using a Debian-based distro, you can install

510

the package libapache2-mod-wsgi::

535

the package libapache2-mod-wsgi::

511

536

512

aptitude install libapache2-mod-wsgi

537

aptitude install libapache2-mod-wsgi

513

538

514

- Enable mod_wsgi::

539

- Enable mod_wsgi::

515

540

516

a2enmod wsgi

541

a2enmod wsgi

517

542

518

- Add global Apache configuration to tell mod_wsgi that Python only will be

543

- Add global Apache configuration to tell mod_wsgi that Python only will be

519

used in the WSGI processes and shouldn't be initialized in the Apache

544

used in the WSGI processes and shouldn't be initialized in the Apache

520

processes::

545

processes::

521

546

522

WSGIRestrictEmbedded On

547

WSGIRestrictEmbedded On

523

548

524

- Create a WSGI dispatch script, like the one below. Make sure you

549

- Create a WSGI dispatch script, like the one below. Make sure you

525

check that the paths correctly point to where you installed Kallithea

550

check that the paths correctly point to where you installed Kallithea

526

and its Python Virtual Environment.

551

and its Python Virtual Environment.

527

552

528

.. code-block:: python

553

.. code-block:: python

529

554

530

import os

555

import os

531

os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'

556

os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'

532

557

533

# sometimes it's needed to set the current dir

558

# sometimes it's needed to set the current dir

534

os.chdir('/srv/kallithea/')

559

os.chdir('/srv/kallithea/')

535

560

536

import site

561

import site

537

site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")

562

site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")

538

563

539

ini = '/srv/kallithea/my.ini'

564

ini = '/srv/kallithea/my.ini'

540

from logging.config import fileConfig

565

from logging.config import fileConfig

541

fileConfig(ini)

566

fileConfig(ini)

542

from paste.deploy import loadapp

567

from paste.deploy import loadapp

543

application = loadapp('config:' + ini)

568

application = loadapp('config:' + ini)

544

569

545

Or using proper virtualenv activation:

570

Or using proper virtualenv activation:

546

571

547

.. code-block:: python

572

.. code-block:: python

548

573

549

activate_this = '/srv/kallithea/venv/bin/activate_this.py'

574

activate_this = '/srv/kallithea/venv/bin/activate_this.py'

550

execfile(activate_this, dict(__file__=activate_this))

575

execfile(activate_this, dict(__file__=activate_this))

551

576

552

import os

577

import os

553

os.environ['HOME'] = '/srv/kallithea'

578

os.environ['HOME'] = '/srv/kallithea'

554

579

555

ini = '/srv/kallithea/kallithea.ini'

580

ini = '/srv/kallithea/kallithea.ini'

556

from logging.config import fileConfig

581

from logging.config import fileConfig

557

fileConfig(ini)

582

fileConfig(ini)

558

from paste.deploy import loadapp

583

from paste.deploy import loadapp

559

application = loadapp('config:' + ini)

584

application = loadapp('config:' + ini)

560

585

561

- Add the necessary ``WSGI*`` directives to the Apache Virtual Host configuration

586

- Add the necessary ``WSGI*`` directives to the Apache Virtual Host configuration

562

file, like in the example below. Notice that the WSGI dispatch script created

587

file, like in the example below. Notice that the WSGI dispatch script created

563

above is referred to with the ``WSGIScriptAlias`` directive.

588

above is referred to with the ``WSGIScriptAlias`` directive.

564

The default locale settings Apache provides for web services are often not

589

The default locale settings Apache provides for web services are often not

565

adequate, with `C` as the default language and `ASCII` as the encoding.

590

adequate, with `C` as the default language and `ASCII` as the encoding.

566

Instead, use the ``lang`` parameter of ``WSGIDaemonProcess`` to specify a

591

Instead, use the ``lang`` parameter of ``WSGIDaemonProcess`` to specify a

567

suitable locale. See also the :ref:`overview` section and the

592

suitable locale. See also the :ref:`overview` section and the

568

`WSGIDaemonProcess documentation`_.

593

`WSGIDaemonProcess documentation`_.

569

594

570

Apache will by default run as a special Apache user, on Linux systems

595

Apache will by default run as a special Apache user, on Linux systems

571

usually ``www-data`` or ``apache``. If you need to have the repositories

596

usually ``www-data`` or ``apache``. If you need to have the repositories

572

directory owned by a different user, use the user and group options to

597

directory owned by a different user, use the user and group options to

573

WSGIDaemonProcess to set the name of the user and group.

598

WSGIDaemonProcess to set the name of the user and group.

574

599

575

Once again, check that all paths are correctly specified.

600

Once again, check that all paths are correctly specified.

576

601

577

.. code-block:: apache

602

.. code-block:: apache

578

603

579

WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \

604

WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \

580

python-home=/srv/kallithea/venv lang=C.UTF-8

605

python-home=/srv/kallithea/venv lang=C.UTF-8

581

WSGIProcessGroup kallithea

606

WSGIProcessGroup kallithea

582

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

607

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

583

WSGIPassAuthorization On

608

WSGIPassAuthorization On

584

609

585

Or if using a dispatcher WSGI script with proper virtualenv activation:

610

Or if using a dispatcher WSGI script with proper virtualenv activation:

586

611

587

.. code-block:: apache

612

.. code-block:: apache

588

613

589

WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 lang=en_US.utf8

614

WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 lang=en_US.utf8

590

WSGIProcessGroup kallithea

615

WSGIProcessGroup kallithea

591

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

616

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

592

WSGIPassAuthorization On

617

WSGIPassAuthorization On

593

618

594

619

595

Other configuration files

620

Other configuration files

596

-------------------------

621

-------------------------

597

622

598

A number of `example init.d scripts`__ can be found in

623

A number of `example init.d scripts`__ can be found in

599

the ``init.d`` directory of the Kallithea source.

624

the ``init.d`` directory of the Kallithea source.

600

625

601

.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .

626

.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .

602

627

603

628

604

.. _virtualenv: http://pypi.python.org/pypi/virtualenv

629

.. _virtualenv: http://pypi.python.org/pypi/virtualenv

605

.. _python: http://www.python.org/

630

.. _python: http://www.python.org/

606

.. _Python regular expression documentation: https://docs.python.org/2/library/re.html

631

.. _Python regular expression documentation: https://docs.python.org/2/library/re.html

607

.. _Mercurial: https://www.mercurial-scm.org/

632

.. _Mercurial: https://www.mercurial-scm.org/

608

.. _Celery: http://celeryproject.org/

633

.. _Celery: http://celeryproject.org/

609

.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html

634

.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html

610

.. _RabbitMQ: http://www.rabbitmq.com/

635

.. _RabbitMQ: http://www.rabbitmq.com/

611

.. _Redis: http://redis.io/

636

.. _Redis: http://redis.io/

612

.. _mercurial-server: http://www.lshift.net/mercurial-server.html

637

.. _mercurial-server: http://www.lshift.net/mercurial-server.html

613

.. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories

638

.. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories

614

.. _WSGIDaemonProcess documentation: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIDaemonProcess.html

639

.. _WSGIDaemonProcess documentation: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIDaemonProcess.html

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             .. _setup:
             =====
             Setup
             =====
             Setting up Kallithea
             --------------------
             First, you will need to create a Kallithea configuration file. Run the
             following command to do so::
                 kallithea-cli config-create my.ini
             This will create the file ``my.ini`` in the current directory. This
             configuration file contains the various settings for Kallithea, e.g.
             proxy port, email settings, usage of static files, cache, Celery
             settings, and logging. Extra settings can be specified like::
                 kallithea-cli config-create my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
             Next, you need to create the databases used by Kallithea. It is recommended to
             use PostgreSQL or SQLite (default). If you choose a database other than the
             default, ensure you properly adjust the database URL in your ``my.ini``
             configuration file to use this other database. Kallithea currently supports
             PostgreSQL, SQLite and MySQL databases. Create the database by running
             the following command::
                 kallithea-cli db-create -c my.ini
             This will prompt you for a "root" path. This "root" path is the location where
             Kallithea will store all of its repositories on the current machine. After
             entering this "root" path ``db-create`` will also prompt you for a username
             and password for the initial admin account which ``db-create`` sets
             up for you.
             The ``db-create`` values can also be given on the command line.
             Example::
                 kallithea-cli db-create -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
             The ``db-create`` command will create all needed tables and an
             admin account. When choosing a root path you can either use a new
             empty location, or a location which already contains existing
             repositories. If you choose a location which contains existing
             repositories Kallithea will add all of the repositories at the chosen
             location to its database.  (Note: make sure you specify the correct
             path to the root).
             .. note:: the given path for Mercurial_ repositories **must** be write
                       accessible for the application. It's very important since
                       the Kallithea web interface will work without write access,
                       but when trying to do a push it will fail with permission
                       denied errors unless it has write access.
             Finally, prepare the front-end by running::
                 kallithea-cli front-end-build
             You are now ready to use Kallithea. To run it simply execute::
                 gearbox serve -c my.ini
             - This command runs the Kallithea server. The web app should be available at
               http://127.0.0.1:5000. The IP address and port is configurable via the
               configuration file created in the previous step.
             - Log in to Kallithea using the admin account created when running ``db-create``.
             - The default permissions on each repository is read, and the owner is admin.
               Remember to update these if needed.
             - In the admin panel you can toggle LDAP, anonymous, and permissions
               settings, as well as edit more advanced options on users and
               repositories.
             Internationalization (i18n support)
             -----------------------------------
             The Kallithea web interface is automatically displayed in the user's preferred
             language, as indicated by the browser. Thus, different users may see the
             application in different languages. If the requested language is not available
             (because the translation file for that language does not yet exist or is
             incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
             configuration file is used as fallback. If no fallback language is explicitly
             specified, English is used.
             If you want to disable automatic language detection and instead configure a
             fixed language regardless of user preference, set ``i18n.enabled = false`` and
             set ``i18n.lang`` to the desired language (or leave empty for English).
             Using Kallithea with SSH
             ------------------------
             Kallithea supports repository access via SSH key based authentication.
+            This means:
+            - repository URLs like ``ssh://kallithea@example.com/name/of/repository``
+            - all network traffic for both read and write happens over the SSH protocol on
+              port 22, without using HTTP/HTTPS nor the Kallithea WSGI application
+            - encryption and authentication protocols are managed by the system's ``sshd``
+              process, with all users using the same Kallithea system user (e.g.
+              ``kallithea``) when connecting to the SSH server, but with users' public keys
+              in the Kallithea system user's `.ssh/authorized_keys` file granting each user
+              sandboxed access to the repositories.
+            - users and admins can manage SSH public keys in the web UI
+            - in their SSH client configuration, users can configure how the client should
+              control access to their SSH key - without passphrase, with passphrase, and
+              optionally with passphrase caching in the local shell session (``ssh-agent``).
+              This is standard SSH functionality, not something Kallithea provides or
+              interferes with.
+            - network communication between client and server happens in a bidirectional
+              stateful stream, and will in some cases be faster than HTTP/HTTPS with several
+              stateless round-trips.
             .. note:: At this moment, repository access via SSH has been tested on Unix
                 only. Windows users that care about SSH are invited to test it and report
                 problems, ideally contributing patches that solve these problems.
             Users and admins can upload SSH public keys (e.g. ``.ssh/id_rsa.pub``) through
             the web interface. The server's ``.ssh/authorized_keys`` file is automatically
             maintained with an entry for each SSH key. Each entry will tell ``sshd`` to run
             ``kallithea-cli`` with the ``ssh-serve`` sub-command and the right Kallithea user ID
             when encountering the corresponding SSH key.
             To enable SSH repository access, Kallithea must be configured with the path to
             the ``.ssh/authorized_keys`` file for the Kallithea user, and the path to the
             ``kallithea-cli`` command. Put something like this in the ``.ini`` file::
                 ssh_enabled = true
                 ssh_authorized_keys = /home/kallithea/.ssh/authorized_keys
                 kallithea_cli_path = /srv/kallithea/venv/bin/kallithea-cli
             The SSH service must be running, and the Kallithea user account must be active
             (not necessarily with password access, but public key access must be enabled),
             all file permissions must be set as sshd wants it, and ``authorized_keys`` must
             be writeable by the Kallithea user.
             .. note:: The ``authorized_keys`` file will be rewritten from scratch on
                 each update. If it already exists with other data, Kallithea will not
                 overwrite the existing ``authorized_keys``, and the server process will
                 instead throw an exception. The system administrator thus cannot ssh
                 directly to the Kallithea user but must use su/sudo from another account.
                 If ``/home/kallithea/.ssh/`` (the directory of the path specified in the
                 ``ssh_authorized_keys`` setting of the ``.ini`` file) does not exist as a
                 directory, Kallithea will attempt to create it. If that path exists but is
                 *not* a directory, or is not readable-writable-executable by the server
                 process, the server process will raise an exception each time it attempts to
                 write the ``authorized_keys`` file.
             .. warning:: The handling of SSH access is steered directly by the command
                 specified in the ``authorized_keys`` file. There is no interaction with the
                 web UI.  Once SSH access is correctly configured and enabled, it will work
                 regardless of whether the Kallithea web process is actually running. Hence,
                 if you want to perform repository or server maintenance and want to fully
                 disable all access to the repositories, disable SSH access by setting
                 ``ssh_enabled = false`` in the correct ``.ini`` file (i.e. the ``.ini`` file
                 specified in the ``authorized_keys`` file.)
             The ``authorized_keys`` file can be updated manually with ``kallithea-cli
             ssh-update-authorized-keys -c my.ini``. This command is not needed in normal
             operation but is for example useful after changing SSH-related settings in the
             ``.ini`` file or renaming that file. (The path to the ``.ini`` file is used in
             the generated ``authorized_keys`` file).
             Setting up Whoosh full text search
             ----------------------------------
             Kallithea provides full text search of repositories using `Whoosh`__.
             .. __: https://whoosh.readthedocs.io/en/latest/
             For an incremental index build, run::
                 kallithea-cli index-create -c my.ini
             For a full index rebuild, run::
                 kallithea-cli index-create -c my.ini --full
             The ``--repo-location`` option allows the location of the repositories to be overridden;
             usually, the location is retrieved from the Kallithea database.
             The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
                 kallithea-cli index-create -c my.ini --index-only=vcs,kallithea
             To keep your index up-to-date it is necessary to do periodic index builds;
             for this, it is recommended to use a crontab entry. Example::
 3  *  *  *  /path/to/virtualenv/bin/kallithea-cli index-create -c /path/to/kallithea/my.ini
             When using incremental mode (the default), Whoosh will check the last
             modification date of each file and add it to be reindexed if a newer file is
             available. The indexing daemon checks for any removed files and removes them
             from index.
             If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
             or in the admin panel you can check the "build from scratch" checkbox.
             Integration with issue trackers
             -------------------------------
             Kallithea provides a simple integration with issue trackers. It's possible
             to define a regular expression that will match an issue ID in commit messages,
             and have that replaced with a URL to the issue.
             This is achieved with following three variables in the ini file::
                 issue_pat = #(\d+)
                 issue_server_link = https://issues.example.com/{repo}/issue/\1
                 issue_sub =
             ``issue_pat`` is the regular expression describing which strings in
             commit messages will be treated as issue references. The expression can/should
             have one or more parenthesized groups that can later be referred to in
             ``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups
             can be used instead of simple parenthesized groups.
             If the pattern should only match if it is preceded by whitespace, add the
             following string before the actual pattern: ``(?:^|(?<=\s))``.
             If the pattern should only match if it is followed by whitespace, add the
             following string after the actual pattern: ``(?:$|(?=\s))``.
             These expressions use lookbehind and lookahead assertions of the Python regular
             expression module to avoid the whitespace to be part of the actual pattern,
             otherwise the link text will also contain that whitespace.
             Matched issue references are replaced with the link specified in
             ``issue_server_link``, in which any backreferences are resolved. Backreferences
             can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.
             The special token ``{repo}`` is replaced with the full repository path
             (including repository groups), while token ``{repo_name}`` is replaced with the
             repository name (without repository groups).
             The link text is determined by ``issue_sub``, which can be a string containing
             backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is
             empty, then the text matched by ``issue_pat`` is used verbatim.
             The example settings shown above match issues in the format ``#<number>``.
             This will cause the text ``#300`` to be transformed into a link:
             .. code-block:: html
               <a href="https://issues.example.com/example_repo/issue/300">#300</a>
             The following example transforms a text starting with either of 'pullrequest',
             'pull request' or 'PR', followed by an optional space, then a pound character
             (#) and one or more digits, into a link with the text 'PR #' followed by the
             digits::
                 issue_pat = (pullrequest|pull request|PR) ?#(\d+)
                 issue_server_link = https://issues.example.com/\2
                 issue_sub = PR #\2
             The following example demonstrates how to require whitespace before the issue
             reference in order for it to be recognized, such that the text ``issue#123`` will
             not cause a match, but ``issue #123`` will::
                 issue_pat = (?:^|(?<=\s))#(\d+)
                 issue_server_link = https://issues.example.com/\1
                 issue_sub =
             If needed, more than one pattern can be specified by appending a unique suffix to
             the variables. For example, also demonstrating the use of named groups::
                 issue_pat_wiki = wiki-(?P<pagename>\S+)
                 issue_server_link_wiki = https://wiki.example.com/\g<pagename>
                 issue_sub_wiki = WIKI-\g<pagename>
             With these settings, wiki pages can be referenced as wiki-some-id, and every
             such reference will be transformed into:
             .. code-block:: html
               <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
             Refer to the `Python regular expression documentation`_ for more details about
             the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.
             Hook management
             ---------------
             Hooks can be managed in similar way to that used in ``.hgrc`` files.
             To manage hooks, choose *Admin > Settings > Hooks*.
             The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
             To add another custom hook simply fill in the first textbox with
             ``<name>.<hook_type>`` and the second with the hook path. Example hooks
             can be found in ``kallithea.lib.hooks``.
             Changing default encoding
             -------------------------
             By default, Kallithea uses UTF-8 encoding.
             This is configurable as ``default_encoding`` in the .ini file.
             This affects many parts in Kallithea including user names, filenames, and
             encoding of commit messages. In addition Kallithea can detect if the ``chardet``
             library is installed. If ``chardet`` is detected Kallithea will fallback to it
             when there are encode/decode errors.
             The Mercurial encoding is configurable as ``hgencoding``. It is similar to
             setting the ``HGENCODING`` environment variable, but will override it.
             Celery configuration
             --------------------
             Kallithea can use the distributed task queue system Celery_ to run tasks like
             cloning repositories or sending emails.
             Kallithea will in most setups work perfectly fine out of the box (without
             Celery), executing all tasks in the web server process. Some tasks can however
             take some time to run and it can be better to run such tasks asynchronously in
             a separate process so the web server can focus on serving web requests.
             For installation and configuration of Celery, see the `Celery documentation`_.
             Note that Celery requires a message broker service like RabbitMQ_ (recommended)
             or Redis_.
             The use of Celery is configured in the Kallithea ini configuration file.
             To enable it, simply set::
               use_celery = true
             and add or change the ``celery.*`` and ``broker.*`` configuration variables.
             Remember that the ini files use the format with '.' and not with '_' like
             Celery. So for example setting `BROKER_HOST` in Celery means setting
             `broker.host` in the configuration file.
             To start the Celery process, run::
               kallithea-cli celery-run -c my.ini
             Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
             for more info.
             .. note::
                Make sure you run this command from the same virtualenv, and with the same
                user that Kallithea runs.
             HTTPS support
             -------------
             Kallithea will by default generate URLs based on the WSGI environment.
             Alternatively, you can use some special configuration settings to control
             directly which scheme/protocol Kallithea will use when generating URLs:
             - With ``https_fixup = true``, the scheme will be taken from the
               ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
               (default ``http``).
             - With ``force_https = true`` the default will be ``https``.
             - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
             .. _nginx_virtual_host:
             Nginx virtual host example
             --------------------------
             Sample config for Nginx using proxy:
             .. code-block:: nginx
                 upstream kallithea {
                     server 127.0.0.1:5000;
                     # add more instances for load balancing
                     #server 127.0.0.1:5001;
                     #server 127.0.0.1:5002;
                 }
                 ## gist alias
                 server {
                    listen          443;
                    server_name     gist.example.com;
                    access_log      /var/log/nginx/gist.access.log;
                    error_log       /var/log/nginx/gist.error.log;
                    ssl on;
                    ssl_certificate     gist.your.kallithea.server.crt;
                    ssl_certificate_key gist.your.kallithea.server.key;
                    ssl_session_timeout 5m;
                    ssl_protocols SSLv3 TLSv1;
                    ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
                    ssl_prefer_server_ciphers on;
                    rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
                    rewrite (.*)    https://kallithea.example.com/_admin/gists;
                 }
                 server {
                    listen          443;
                    server_name     kallithea.example.com
                    access_log      /var/log/nginx/kallithea.access.log;
                    error_log       /var/log/nginx/kallithea.error.log;
                    ssl on;
                    ssl_certificate     your.kallithea.server.crt;
                    ssl_certificate_key your.kallithea.server.key;
                    ssl_session_timeout 5m;
                    ssl_protocols SSLv3 TLSv1;
                    ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
                    ssl_prefer_server_ciphers on;
                    ## uncomment root directive if you want to serve static files by nginx
                    ## requires static_files = false in .ini file
                    #root /srv/kallithea/kallithea/kallithea/public;
                    include         /etc/nginx/proxy.conf;
                    location / {
                         try_files $uri @kallithea;
                    }
                    location @kallithea {
                         proxy_pass      http://127.0.0.1:5000;
                    }
                 }
             Here's the proxy.conf. It's tuned so it will not timeout on long
             pushes or large pushes::
                 proxy_redirect              off;
                 proxy_set_header            Host $host;
                 ## needed for container auth
                 #proxy_set_header            REMOTE_USER $remote_user;
                 #proxy_set_header            X-Forwarded-User $remote_user;
                 proxy_set_header            X-Url-Scheme $scheme;
                 proxy_set_header            X-Host $http_host;
                 proxy_set_header            X-Real-IP $remote_addr;
                 proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header            Proxy-host $proxy_host;
                 proxy_buffering             off;
                 proxy_connect_timeout       7200;
                 proxy_send_timeout          7200;
                 proxy_read_timeout          7200;
                 proxy_buffers               8 32k;
                 client_max_body_size        1024m;
                 client_body_buffer_size     128k;
                 large_client_header_buffers 8 64k;
             .. _apache_virtual_host_reverse_proxy:
             Apache virtual host reverse proxy example
             -----------------------------------------
             Here is a sample configuration file for Apache using proxy:
             .. code-block:: apache
                 <VirtualHost *:80>
                         ServerName kallithea.example.com
                         <Proxy *>
                           # For Apache 2.4 and later:
                           Require all granted
                           # For Apache 2.2 and earlier, instead use:
                           # Order allow,deny
                           # Allow from all
                         </Proxy>
                         #important !
                         #Directive to properly generate url (clone url) for Kallithea
                         ProxyPreserveHost On
                         #kallithea instance
                         ProxyPass / http://127.0.0.1:5000/
                         ProxyPassReverse / http://127.0.0.1:5000/
                         #to enable https use line below
                         #SetEnvIf X-Url-Scheme https HTTPS=1
                 </VirtualHost>
             Additional tutorial
             http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
             .. _apache_subdirectory:
             Apache as subdirectory
             ----------------------
             Apache subdirectory part:
             .. code-block:: apache
                 <Location /PREFIX >
                   ProxyPass http://127.0.0.1:5000/PREFIX
                   ProxyPassReverse http://127.0.0.1:5000/PREFIX
                   SetEnvIf X-Url-Scheme https HTTPS=1
                 </Location>
             Besides the regular apache setup you will need to add the following line
             into ``[app:main]`` section of your .ini file::
                 filter-with = proxy-prefix
             Add the following at the end of the .ini file::
                 [filter:proxy-prefix]
                 use = egg:PasteDeploy#prefix
                 prefix = /PREFIX
             then change ``PREFIX`` into your chosen prefix
             .. _apache_mod_wsgi:
             Apache with mod_wsgi
             --------------------
             Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
             that, you'll need to:
             - Install mod_wsgi. If using a Debian-based distro, you can install
               the package libapache2-mod-wsgi::
                 aptitude install libapache2-mod-wsgi
             - Enable mod_wsgi::
                 a2enmod wsgi
             - Add global Apache configuration to tell mod_wsgi that Python only will be
               used in the WSGI processes and shouldn't be initialized in the Apache
               processes::
                 WSGIRestrictEmbedded On
             - Create a WSGI dispatch script, like the one below. Make sure you
               check that the paths correctly point to where you installed Kallithea
               and its Python Virtual Environment.
               .. code-block:: python
                   import os
                   os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
                   # sometimes it's needed to set the current dir
                   os.chdir('/srv/kallithea/')
                   import site
                   site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
                   ini = '/srv/kallithea/my.ini'
                   from logging.config import fileConfig
                   fileConfig(ini)
                   from paste.deploy import loadapp
                   application = loadapp('config:' + ini)
               Or using proper virtualenv activation:
               .. code-block:: python
                   activate_this = '/srv/kallithea/venv/bin/activate_this.py'
                   execfile(activate_this, dict(__file__=activate_this))
                   import os
                   os.environ['HOME'] = '/srv/kallithea'
                   ini = '/srv/kallithea/kallithea.ini'
                   from logging.config import fileConfig
                   fileConfig(ini)
                   from paste.deploy import loadapp
                   application = loadapp('config:' + ini)
             - Add the necessary ``WSGI*`` directives to the Apache Virtual Host configuration
               file, like in the example below. Notice that the WSGI dispatch script created
               above is referred to with the ``WSGIScriptAlias`` directive.
               The default locale settings Apache provides for web services are often not
               adequate, with `C` as the default language and `ASCII` as the encoding.
               Instead, use the ``lang`` parameter of ``WSGIDaemonProcess`` to specify a
               suitable locale. See also the :ref:`overview` section and the
               `WSGIDaemonProcess documentation`_.
               Apache will by default run as a special Apache user, on Linux systems
               usually ``www-data`` or ``apache``. If you need to have the repositories
               directory owned by a different user, use the user and group options to
               WSGIDaemonProcess to set the name of the user and group.
               Once again, check that all paths are correctly specified.
               .. code-block:: apache
                   WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
                       python-home=/srv/kallithea/venv lang=C.UTF-8
                   WSGIProcessGroup kallithea
                   WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
                   WSGIPassAuthorization On
               Or if using a dispatcher WSGI script with proper virtualenv activation:
               .. code-block:: apache
                   WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 lang=en_US.utf8
                   WSGIProcessGroup kallithea
                   WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
                   WSGIPassAuthorization On
             Other configuration files
             -------------------------
             A number of `example init.d scripts`__ can be found in
             the ``init.d`` directory of the Kallithea source.
             .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
             .. _virtualenv: http://pypi.python.org/pypi/virtualenv
             .. _python: http://www.python.org/
             .. _Python regular expression documentation: https://docs.python.org/2/library/re.html
             .. _Mercurial: https://www.mercurial-scm.org/
             .. _Celery: http://celeryproject.org/
             .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
             .. _RabbitMQ: http://www.rabbitmq.com/
             .. _Redis: http://redis.io/
             .. _mercurial-server: http://www.lshift.net/mercurial-server.html
             .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
             .. _WSGIDaemonProcess documentation: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIDaemonProcess.html