Please find attached the .service I am using on Debian 11. You don't need all of this crap, I guess.
* The msmtp stuff is only needed if you have a git post-commit hook that makes git send an email.
* The nginx stuff is only needed if you want to have >1 web app on the standard port.
* The tmpfiles stuff (and git config core.sharedRepository) is only needed if users want to bypass the web UI and edit .pages directly. It's also a bit broken (adds needless execute permissions) right now.
* The theme stuff is only needed if you hate the default theme. https://github.com/trentbuck/gitit-bootstrap-theme/

For simple cases, you could probably replace the sysusers file with DynamicUser=yes, and just have gitit store all its state in /var/lib/gitit (StateDirectory=%p).

The only issue I've had with this setup so far is gitit claiming static files disappear, when they don't. There's no user-visible impact when this happens. It wasn't happening on the old (2010-era) gitit install I had running under upstart.

-- Journal begins at Sat 2022-08-06 18:32:36 AEST, ends at Tue 2022-10-04 15:29:20 AEDT. --
Sep 26 12:54:20 heavy systemd[1]: Started gitit.service.
Sep 26 12:55:19 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/bootstrap4/css/bootstrap.min.css: withFd: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Sep 26 12:55:41 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 12:55:46 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 16:26:34 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Sep 26 18:00:09 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/fonts-fork-awesome/fonts/forkawesome-webfont.woff2: withFd: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Connection reset by peer)
Sep 27 12:53:13 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/js/footnotes.js: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
Sep 28 19:25:00 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Sep 28 19:25:27 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Sep 29 10:02:17 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Oct 03 06:44:23 heavy systemd[1]: Stopping gitit.service...
Oct 03 06:44:23 heavy systemd[1]: gitit.service: Succeeded.
Oct 03 06:44:23 heavy systemd[1]: Stopped gitit.service.
Oct 03 06:44:23 heavy systemd[1]: gitit.service: Consumed 8h 33min 81ms CPU time.
Oct 03 06:44:23 heavy systemd[1]: Started gitit.service.
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/custom.js: withFd: resource vanished (Broken pipe)
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Oct 04 12:28:54 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/sidebar.js: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/custom.js: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/js/footnotes.js: withFd: resource vanished (Broken pipe)
Oct 04 13:36:44 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Oct 04 13:45:34 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/bootstrap4/css/bootstrap.min.css: withFd: resource vanished (Broken pipe)
Oct 04 13:45:34 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Oct 04 13:45:34 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
Oct 04 13:48:29 heavy gitit[1990076]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Oct 04 13:55:23 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/js/custom.js: withFd: resource vanished (Broken pipe)
Oct 04 14:28:10 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Oct 04 14:28:10 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Broken pipe)
Oct 04 14:28:17 heavy gitit[1990076]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Oct 04 14:29:48 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Oct 04 14:38:14 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/screen.css: withFd: resource vanished (Broken pipe)
Oct 04 14:38:14 heavy gitit[1990076]: HTTP request failed with: /usr/share/gitit/data/static/css/highlighting.css: withFd: resource vanished (Broken pipe)
Oct 04 14:38:14 heavy gitit[1990076]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/css/print.css: withFd: resource vanished (Broken pipe)
[Service]
ExecStart=gitit --config-file=/etc/gitit.conf

[Install]
WantedBy=multi-user.target

# Hardening
[Service]
User=%p
LogsDirectory=%p
StateDirectory=%p
RuntimeDirectory=%p
WorkingDirectory=/run/%p
CacheDirectory=%p
ConfigurationDirectory=%p
ReadWritePaths=/srv/vcs/kb
# FIXME: gitit cannot listen on gitit.sock or systemd socket-activate yet.
# https://github.com/jgm/gitit/issues/675
# therefore we cannot do
# PrivateNetwork=yes
# RestrictAddressFamilies=~AF_INET
# RestrictAddressFamilies=~AF_INET6
# IPAddressDeny=any
CapabilityBoundingSet=
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
DevicePolicy=closed
IPAddressDeny=any
IPAddressAllow=localhost
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
UMask=0077
ProtectHostname=yes
ProcSubset=pid
  NAME  DESCRIPTION  EXPOSURE
✗ PrivateNetwork=  Service has access to the host's network  0.5
✓ User=/DynamicUser=  Service runs under a static non-root user identity
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)  Service cannot change UID/GID identities/capabilities
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN  Service has no administrator privileges
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE  Service has no ptrace() debugging abilities
✗ RestrictAddressFamilies=~AF_(INET|INET6)  Service may allocate Internet sockets  0.3
✓ RestrictNamespaces=~CLONE_NEWUSER  Service cannot create user namespaces
✓ RestrictAddressFamilies=~…  Service cannot allocate exotic sockets
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)  Service cannot change file ownership/access mode/capabilities
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)  Service cannot override UNIX file/IPC permission checks
✓ CapabilityBoundingSet=~CAP_NET_ADMIN  Service has no network configuration privileges
✓ CapabilityBoundingSet=~CAP_SYS_MODULE  Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO  Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_TIME  Service processes cannot change the system clock
✗ DeviceAllow=  Service has a device ACL with some special devices  0.1
✗ IPAddressDeny=  Service defines IP address allow list with only localhost entries  0.1
✓ KeyringMode=  Service doesn't share key material with other services
✓ NoNewPrivileges=  Service processes cannot acquire new privileges
✓ NotifyAccess=  Service child processes cannot alter service state
✓ PrivateDevices=  Service has no access to hardware devices
✓ PrivateMounts=  Service cannot install system mounts
✓ PrivateTmp=  Service has no access to other software's temporary files
✓ PrivateUsers=  Service does not have access to other users
✓ ProtectClock=  Service cannot write to the hardware clock or system clock
✓ ProtectControlGroups=  Service cannot modify the control group file system
✓ ProtectHome=  Service has no access to home directories
✓ ProtectKernelLogs=  Service cannot read from or write to the kernel log ring buffer
✓ ProtectKernelModules=  Service cannot load or read kernel modules
✓ ProtectKernelTunables=  Service cannot alter kernel tunables (/proc/sys, …)
✓ ProtectProc=  Service has restricted access to process tree (/proc hidepid=)
✓ ProtectSystem=  Service has strict read-only access to the OS file hierarchy
✓ RestrictAddressFamilies=~AF_PACKET  Service cannot allocate packet sockets
✓ RestrictSUIDSGID=  SUID/SGID file creation by service is restricted
✓ SystemCallArchitectures=  Service may execute system calls only with native ABI
✓ SystemCallFilter=~@clock  System call allow list defined for service, and @clock is not included
✓ SystemCallFilter=~@debug  System call allow list defined for service, and @debug is not included
✓ SystemCallFilter=~@module  System call allow list defined for service, and @module is not included
✓ SystemCallFilter=~@mount  System call allow list defined for service, and @mount is not included
✓ SystemCallFilter=~@raw-io  System call allow list defined for service, and @raw-io is not included
✓ SystemCallFilter=~@reboot  System call allow list defined for service, and @reboot is not included
✓ SystemCallFilter=~@swap  System call allow list defined for service, and @swap is not included
✓ SystemCallFilter=~@privileged  System call allow list defined for service, and @privileged is not included
✓ SystemCallFilter=~@resources  System call allow list defined for service, and @resources is not included
✓ AmbientCapabilities=  Service process does not receive ambient capabilities
✓ CapabilityBoundingSet=~CAP_AUDIT_*  Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_KILL  Service cannot send UNIX signals to arbitrary processes
✓ CapabilityBoundingSet=~CAP_MKNOD  Service cannot create device nodes
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)  Service has no elevated networking privileges
✓ CapabilityBoundingSet=~CAP_SYSLOG  Service has no access to kernel logging
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)  Service has no privileges to change resource use parameters
✓ RestrictNamespaces=~CLONE_NEWCGROUP  Service cannot create cgroup namespaces
✓ RestrictNamespaces=~CLONE_NEWIPC  Service cannot create IPC namespaces
✓ RestrictNamespaces=~CLONE_NEWNET  Service cannot create network namespaces
✓ RestrictNamespaces=~CLONE_NEWNS  Service cannot create file system namespaces
✓ RestrictNamespaces=~CLONE_NEWPID  Service cannot create process namespaces
✓ RestrictRealtime=  Service realtime scheduling access is restricted
✓ SystemCallFilter=~@cpu-emulation  System call allow list defined for service, and @cpu-emulation is not included
✓ SystemCallFilter=~@obsolete  System call allow list defined for service, and @obsolete is not included
✗ RestrictAddressFamilies=~AF_NETLINK  Service may allocate netlink sockets  0.1
✗ RootDirectory=/RootImage=  Service runs within the host's root directory  0.1
✓ SupplementaryGroups=  Service has no supplementary groups
✓ CapabilityBoundingSet=~CAP_MAC_*  Service cannot adjust SMACK MAC
✓ CapabilityBoundingSet=~CAP_SYS_BOOT  Service cannot issue reboot()
✓ Delegate=  Service does not maintain its own delegated control group subtree
✓ LockPersonality=  Service cannot change ABI personality
✓ MemoryDenyWriteExecute=  Service cannot create writable executable memory mappings
✓ RemoveIPC=  Service user cannot leave SysV IPC objects around
✓ RestrictNamespaces=~CLONE_NEWUTS  Service cannot create hostname namespaces
✓ UMask=  Files created by service are accessible only by service's own user by default
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE  Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK  Service cannot lock memory into RAM
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT  Service cannot issue chroot()
✓ ProtectHostname=  Service cannot change system host/domainname
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND  Service cannot establish wake locks
✓ CapabilityBoundingSet=~CAP_LEASE  Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_SYS_PACCT  Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG  Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM  Service cannot program timers that wake up the system
✗ RestrictAddressFamilies=~AF_UNIX  Service may allocate local sockets  0.1
✓ ProcSubset=  Service has no access to non-process /proc files (/proc subset=)

→ Overall exposure level for gitit.service: 1.0 OK 🙂
# Tell systemd to create system user 'gitit'
u gitit - - -
# Tell systemd to grant user 'gitit' write access to KB repo
# FIXME: this was not working.
# When browsing to gitit, the browser got back this:
#   "git: runProcess: runInteractiveProcess: chdir: permission denied (Permission denied)"
# That was while the files looked like this:
#
#   $ ls -la /srv/vcs/kb
#   total 32
#   drwxrwSr-x+ 3 twb  cyber  4 Sep  9 23:10 .
#   drwxrwsr-x  3 root cyber  3 Sep  9 23:10 ..
#   drwxrwSr-x+ 8 twb  cyber 13 Sep  9 23:10 .git
#   -rw-rw-r--+ 1 twb  cyber 26 Sep  9 23:10 'Knowledge Base.page'
#
# However a simple "sudo chown -Rh gitit:cyber /srv/vcs/kb" worked...
#
# A /srv/vcs/kb - - - - d:user:gitit:rwx,user:gitit:rw-
#
# What if I try being a bit more liberal?
# Seems to be better with this config:
#
#   # getfacl: Removing leading '/' from absolute path names
#   # file: srv/vcs/kb
#   # owner: root
#   # group: root
#   user::rwx
#   user:gitit:rwx
#   group::rwx
#   group:gitit:rwx
#   group:cyber:rwx
#   mask::rwx
#   other::---
#   default:user::rwx
#   default:user:gitit:rwx
#   default:group::rwx
#   default:group:cyber:rwx
#   default:mask::rwx
#   default:other::---
#
#   # getfacl: Removing leading '/' from absolute path names
#   # file: srv/vcs/kb/.git/config
#   # owner: root
#   # group: root
#   user::rwx
#   user:gitit:rwx
#   group::rwx
#   group:gitit:rwx
#   group:cyber:rwx
#   mask::rwx
#   other::---
A  /srv/vcs/kb - - - - default:user::rwx,user::rwx
A+ /srv/vcs/kb - - - - default:user:gitit:rwx,user:gitit:rwx
A+ /srv/vcs/kb - - - - default:group::rwx,group:gitit:rwx
A+ /srv/vcs/kb - - - - default:group:cyber:rwx,group:cyber:rwx
A+ /srv/vcs/kb - - - - default:other::---,other::---
# See gitit --print-default-config for documentation.
default-page-type: RST
log-file: /var/log/gitit/gitit.log
# Use this to log every GET request.
# NOTE: if you do this, set up a logrotate rule for gitit!
#log-level: INFO
port: 5001
repository-path: /srv/vcs/kb
static-dir: /usr/share/javascript/gitit-bootstrap-theme/static
templates-dir: /usr/share/javascript/gitit-bootstrap-theme/templates
user-file: /var/lib/gitit/gitit-users
wiki-title: Knowledge Base - Cyber IT Solutions
# FIXME: the cache doesn't know about updates made directly via git
# (as opposed to via the web UI).  This could be fixed by having git
# delete the cached version of a file when its source is updated.
#use-cache: yes
cache-dir: /var/cache/gitit
# We used to use apache-mod-ldap to authenticate.
# Now we use in-app authentication (like apache).
# Then our theme sets everyone's password to a dummy password.
# This is because it is behind the VPN, and
# we do not give a shit about employees spoofing one another in the KB.
# They could always do it via "git commit --author=" anyway.
# authentication-method: form
# Long ago the cyber IRC bot would cross-announce RSS changes.
# Nobody cared about this, and the new limnoria bot did not keep this.
# Therefore, turn off the server side of it.
# use-feed: yes
#pandoc-user-data: /usr/share/pandoc/data/
#pdf-export: no
front-page: Knowledge Base
no-delete:
no-edit:
# Default upload size from the web UI is 100kB;
# uploads from git are of course unrestricted.
# Since Ron is too lazy to learn git, I am obliged to add this line.
# UPDATE: Ron knows git these days.
#max-upload-size: 1M
# Disable mathjax -- IMO we do not need to hotlink to cdnjs.cloudflare.com.
math: no
# A security thing.  Probably on by default, but does not hurt to be explicit.
xss-sanitize: yes
# This is necessary so a hardened daemon (e.g. gitit.service) can
# send mail.  The normal /usr/sbin/sendmail is setgid maildrop.
# If the systemd unit is hardened, NoNewPrivileges= prevents setgid.
# So, instead, be an SMTP client to localhost.
# postfix trusts localhost, so then postfix can take over from there.
account default
host localhost
auto_from on
maildomain cyber.com.au
# Unlike "dpkg-reconfigure msmtp", we want syslog to be on for easier debugging.
syslog on
# Don't use /etc/aliases, because postfix will/does use it, and
# postfix has substantially more complicated flows than msmtprc.
# UPDATE: actually don't use this at all, for now. -- twb, Sep 2022
#aliases /etc/msmtprc-aliases
# We don't really care about this one, but it does not hurt.
tls_trust_file /etc/ssl/certs/ca-certificates.crt
default: sysadmin-he...@cyber.com.au
server {
    listen 80;
    listen [::]:80;
    server_name kb.cyber.com.au;
    # Serve ACME http-01 challenges directly.
    location /.well-known/ { root /var/www/html/; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name kb.cyber.com.au;
    ssl_certificate     /etc/letsencrypt-uacme/kb.cyber.com.au/cert.pem;
    ssl_certificate_key /etc/letsencrypt-uacme/private/kb.cyber.com.au/key.pem;
    # Serve ACME http-01 challenges directly.
    location /.well-known/ { root /var/www/html/; }
    # Everything else serve directly.
    # BUT ONLY TO PEOPLE IN THE OFFICE OR ON THE VPN!!!
    location / {
        proxy_pass http://localhost:5001/;
        allow 203.7.155.0/24;
        allow 10.194.71.0/24;  # wireguard users
        allow 127.0.0.0/8;
        deny all;
    }
}
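The journal quoted near the top is the whole of the "static files disappear" symptom, so here is an added example (my code, not from the post or from gitit) that parses lines of that shape and separates the two cases: a bare `Network.Socket.sendBuf` failure, and a `<path>: withFd` failure where the path is the static file gitit was copying to the socket when the write failed. In both, the text in parentheses is the errno that GHC reports as `resource vanished`; `Broken pipe` (EPIPE) and `Connection reset by peer` (ECONNRESET) mean the client end of the TCP connection went away. The classifier also stats every path it finds, so you can confirm that nothing is actually missing. The five sample lines are constructed copies of entries from the journal above; the `exists` hook is injectable so the sample runs offline.

```python
import os
import re
from collections import Counter

# Constructed sample: copies of five journal lines in the shape shown above,
# so the parser runs offline.  Feed it `journalctl -u gitit -o short` instead.
SAMPLE_JOURNAL = """\
Sep 26 12:54:20 heavy systemd[1]: Started gitit.service.
Sep 26 12:55:19 heavy gitit[2522]: HTTP request failed with: Network.Socket.sendBuf: resource vanished (Broken pipe)
Sep 26 12:55:29 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/logo.svg: withFd: resource vanished (Broken pipe)
Sep 26 23:43:33 heavy gitit[2522]: HTTP request failed with: /usr/share/javascript/gitit-bootstrap-theme/static/img/icon.png: withFd: resource vanished (Connection reset by peer)
Sep 28 19:24:59 heavy gitit[2522]: HTTP request failed with: /usr/share/gitit/data/static/js/jquery.min.js: withFd: resource vanished (Broken pipe)
"""

# <what> is either Network.Socket.sendBuf (a plain socket write) or the path of
# the static file being copied to the socket ("withFd").  The text in
# parentheses is the errno GHC turns into a ResourceVanished IOError.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) gitit\[(?P<pid>\d+)\]: "
    r"HTTP request failed with: (?P<what>.+?): (?:withFd: )?resource vanished "
    r"\((?P<errno>[^)]+)\)$"
)

# errnos that mean the *client* end of the TCP connection went away.
CLIENT_SIDE_ERRNOS = {"Broken pipe", "Connection reset by peer"}

def parse_line(line):
    """One gitit failure line -> dict, or None for anything else (systemd lines etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    what = m.group("what")
    return {
        "ts": m.group("ts"),
        "pid": int(m.group("pid")),
        "path": what if what.startswith("/") else None,   # None for sendBuf lines
        "errno": m.group("errno"),
        "client_disconnect": m.group("errno") in CLIENT_SIDE_ERRNOS,
    }

def classify(journal_text, exists=os.path.exists):
    """Count failure kinds and list any referenced static file that really is
    missing on disk.  `exists` is injectable so the sample can run anywhere."""
    summary = Counter()
    missing = []
    for line in journal_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] is None:
            summary["socket_write"] += 1
        else:
            summary["static_file"] += 1
            if not exists(rec["path"]):
                missing.append(rec["path"])
        summary["client_disconnect" if rec["client_disconnect"] else "other_errno"] += 1
    return summary, missing

if __name__ == "__main__":
    counts, gone = classify(SAMPLE_JOURNAL)
    print(dict(counts))
    print("genuinely missing:", gone or "none")
```

Run it over the real journal on the host: if `missing` stays empty while `client_disconnect` accounts for every line, the noise is browsers cancelling in-flight asset requests, not the files.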
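ProtectSystem=strict in the unit above makes the whole file system read-only except ReadWritePaths= and the trees that StateDirectory=, LogsDirectory=, CacheDirectory= and RuntimeDirectory= create (per systemd.exec(5), ConfigurationDirectory= is created but not made writable). A mismatch between those and the paths in gitit.conf only surfaces at runtime as a read-only-filesystem error. The following added example, my code and not part of the post or of systemd, parses an abridged copy of the two attached files, resolves %p, and reports any gitit path the unit leaves read-only; it also flags NoNewPrivileges=yes as the reason the setgid /usr/sbin/sendmail cannot be used, which is what the msmtprc above works around. The Debian locations of the *Directory= roots are assumed.

```python
# Where systemd places the *Directory= trees on Debian (systemd.exec(5)).
# ConfigurationDirectory= is deliberately absent: it is created under /etc but
# is NOT made writable under ProtectSystem=strict.
DIR_ROOTS = {
    "StateDirectory": "/var/lib",
    "LogsDirectory": "/var/log",
    "CacheDirectory": "/var/cache",
    "RuntimeDirectory": "/run",
}

# Constructed, abridged copies of the attached gitit.service and gitit.conf
# (only the directives that decide where gitit may write are kept).
UNIT = """\
[Service]
ExecStart=gitit --config-file=/etc/gitit.conf
User=%p
LogsDirectory=%p
StateDirectory=%p
RuntimeDirectory=%p
CacheDirectory=%p
ConfigurationDirectory=%p
ReadWritePaths=/srv/vcs/kb
ProtectSystem=strict
NoNewPrivileges=yes
"""

GITIT_CONF = """\
log-file: /var/log/gitit/gitit.log
repository-path: /srv/vcs/kb
cache-dir: /var/cache/gitit
user-file: /var/lib/gitit/gitit-users
static-dir: /usr/share/javascript/gitit-bootstrap-theme/static
"""

def parse_unit(text, unit_name):
    """[Service] directives as key -> list of tokens.  Repeated keys accumulate
    (as SystemCallFilter= does), an empty assignment resets the list, and %p
    is the unit name without its suffix."""
    prefix = unit_name.rsplit(".", 1)[0]
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section != "Service" or "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        val = val.replace("%p", prefix)
        values[key] = [] if val == "" else values.get(key, []) + val.split()
    return values

def writable_paths(service):
    """Paths writable under ProtectSystem=strict: ReadWritePaths= plus the
    implicitly writable *Directory= trees."""
    paths = list(service.get("ReadWritePaths", []))
    for key, root in DIR_ROOTS.items():
        paths += [f"{root}/{sub}" for sub in service.get(key, [])]
    return paths

def parse_gitit_conf(text):
    """gitit.conf is 'key: value' lines with '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            key, val = line.split(":", 1)
            conf[key.strip()] = val.strip()
    return conf

def under(path, root):
    return path == root or path.startswith(root.rstrip("/") + "/")

def check(unit_text, conf_text, unit_name="gitit.service"):
    """Findings: gitit paths the unit leaves read-only, plus the setgid caveat."""
    svc = parse_unit(unit_text, unit_name)
    conf = parse_gitit_conf(conf_text)
    findings = []
    if svc.get("ProtectSystem") == ["strict"]:
        allowed = writable_paths(svc)
        for key in ("log-file", "repository-path", "cache-dir", "user-file"):
            path = conf.get(key)
            if path and not any(under(path, a) for a in allowed):
                findings.append(f"{key} {path} is read-only under ProtectSystem=strict")
    if svc.get("NoNewPrivileges") == ["yes"]:
        findings.append("NoNewPrivileges=yes: setuid/setgid helpers such as "
                        "/usr/sbin/sendmail run unprivileged; use an SMTP client instead")
    return findings

if __name__ == "__main__":
    for finding in check(UNIT, GITIT_CONF):
        print(finding)
```

With the attached files every gitit path is covered, so the only finding is the sendmail caveat; drop the ReadWritePaths= line and the repository shows up as read-only, which is the first thing to check when a hardened gitit cannot commit.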
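The tmpfiles comments above record that gitit got "chdir: permission denied" after the first ACL line and that the second set of entries fixed it, but not why. chdir() needs search (x) permission on the directory; the first line put `user:gitit:rw-` on every directory under the repo (the upper-case `A` form of tmpfiles.d(5) is recursive), and the `drwxrwSr-x+` mode in the listing shows an ACL mask of rw- on top of that, so gitit's entry never includes x either way. This added example (my code, not from the post) implements the acl(5) access-check algorithm and runs it over the ACLs quoted above. The group:: entry of the first attempt and the plain mode of the chown'd directory are assumptions, since the post does not show them. It also reproduces the "needless execute permissions" the post mentions: the second attempt's `user:gitit:rwx` grants x on regular files such as .git/config.

```python
from dataclasses import dataclass, field
from typing import Optional

PERM = {"r": 4, "w": 2, "x": 1}

def bits(s):
    """'rw-' -> 6, 'x' -> 1"""
    return sum(PERM[c] for c in s if c in PERM)

@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                 # user::
    group_obj: int                # group::
    other: int                    # other::
    users: dict = field(default_factory=dict)   # user:NAME:
    groups: dict = field(default_factory=dict)  # group:NAME:
    mask: Optional[int] = None    # mask:: (None when the file has no extended ACL)

def parse_getfacl(owner, group, text):
    """Build an Acl from getfacl(1) entry lines.  'default:' entries are skipped:
    they shape the ACLs of *new* objects, not access to this one."""
    acl = Acl(owner, group, 0, 0, 0)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "default:")):
            continue
        tag, qual, perms = line.split(":")
        p = bits(perms)
        if tag == "user":
            if qual: acl.users[qual] = p
            else: acl.user_obj = p
        elif tag == "group":
            if qual: acl.groups[qual] = p
            else: acl.group_obj = p
        elif tag == "mask":
            acl.mask = p
        elif tag == "other":
            acl.other = p
    return acl

def allowed(acl, uid, gids, want):
    """acl(5) access check: does user `uid` (member of `gids`) hold every
    permission in `want` ('r', 'w', 'x' or any combination)?"""
    want = bits(want)
    masked = lambda p: p if acl.mask is None else p & acl.mask
    has = lambda p: want & ~p == 0
    if uid == acl.owner:                 # 1. user:: applies, and is never masked
        return has(acl.user_obj)
    if uid in acl.users:                 # 2. matching user:NAME:, masked
        return has(masked(acl.users[uid]))
    cands = [acl.group_obj] if acl.group in gids else []
    cands += [p for g, p in acl.groups.items() if g in gids]
    if cands:                            # 3. any one matching group entry suffices
        return any(has(masked(p)) for p in cands)
    return has(acl.other)                # 4. other::

def chdir_ok(acl, uid, gids):
    """chdir() needs search (x); this is what git's runInteractiveProcess was denied."""
    return allowed(acl, uid, gids, "x")

# Repo directory after the first tmpfiles line (constructed from the ls -la in
# the comments: owner twb, group cyber, mode drwxrwSr-x+ so the mask is rw-;
# the recursive 'A' gave gitit user:gitit:rw- on directories as well as files).
# group::rwx is an assumption; it does not change gitit's result.
FIRST_TRY_DIR = parse_getfacl("twb", "cyber", """
user::rwx
user:gitit:rw-
group::rwx
mask::rw-
other::r-x
""")

# The same directory after the second attempt, copied from the getfacl output
# quoted in the comments.
SECOND_TRY_DIR = parse_getfacl("root", "root", """
user::rwx
user:gitit:rwx
group::rwx
group:gitit:rwx
group:cyber:rwx
mask::rwx
other::---
default:user::rwx
default:user:gitit:rwx
default:group::rwx
default:group:cyber:rwx
default:mask::rwx
default:other::---
""")

# .git/config, a regular file that received the same entries.
SECOND_TRY_FILE = parse_getfacl("root", "root", """
user::rwx
user:gitit:rwx
group::rwx
group:gitit:rwx
group:cyber:rwx
mask::rwx
other::---
""")

# What "chown -Rh gitit:cyber" gave: gitit owns the directory, so user::
# applies and the mask is irrelevant (constructed; plain mode, no ACL).
CHOWNED_DIR = Acl("gitit", "cyber", bits("rwx"), bits("rw-"), bits("r-x"))
```

The check is ordered: owner first, then a named user entry, then all matching group entries, then other, and only the middle two are clipped by mask::. That is why `chown` worked even with the mask at rw-, and why a named `user:gitit:rw-` entry can never yield a searchable directory no matter what the default: entry says.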