46 Commits

Author SHA1 Message Date
Catherine 6f84e0f0d4 Allow limiting maximum lifetime of preview sites. 2026-05-28 22:20:49 +00:00
Catherine a7063e00ef Implement site expiration.
Requires `feature = ["expiration"]`.
2026-05-29 00:13:44 +02:00
Catherine 5258bf756b Add support for Netlify Basic-Auth: mechanism. 2026-03-29 12:11:56 +00:00
Catherine 1ca67f0590 Add a configurable limit on concurrent blob uploads.
Otherwise uploading a site with over 50,000 files will fail with
the default Go runtime configuration.
2026-03-26 14:52:11 +00:00
Maxim Slipenko c74ec4ad23 Add configuration file example with default values only.
Reviewed-on: https://codeberg.org/git-pages/git-pages/pulls/127
Co-authored-by: Maxim Slipenko <maxim@slipenko.com>
Co-committed-by: Maxim Slipenko <maxim@slipenko.com>
2026-03-26 12:19:34 +01:00
Catherine 0d33c64372 [breaking-change] Only allow a single [[wildcard]].index-repo.
The git-pages webhook security model depends on there being
a 1:1 mapping between site URLs and repositories; being able to
specify multiple of them breaks this model, as anyone could switch
the published site from one to the other if both repositories exist.
2026-01-19 02:25:01 +00:00
Catherine 07133df6d2 Fix the Docker build script. 2025-12-24 14:44:23 +00:00
miyuko 91f05e210e [breaking-change] Remove the log-level config option.
This reverts commit 351d0a0c85.

This option does not have any effect at the moment and may potentially
confuse users. It can be easily reintroduced later (by reverting this
commit) once we start logging at any level other than `info`.
2025-12-07 13:12:45 +00:00
Catherine 8b049da3c7 Treat allowed-repository-url-prefixes = [] the same as unspecified.
Previously, this would disallow all git clones except for those via
wildcard domains. This is highly unintuitive. It also meant that
disabling this function via environment variable was not possible.
2025-12-07 12:55:41 +00:00
Catherine fc9e6fcf7b [breaking-change] Listen only on localhost by default.
It is expected that in most deployments, a reverse proxy server like
Caddy or Nginx will be connecting to Caddy; listening on any address
by default is a privacy and security concern.
2025-12-07 07:17:54 +00:00
miyuko e9edfb8f5c [breaking-change] Read principal's IP address from X-Forwarded-For. 2025-12-06 00:04:42 +00:00
Catherine 1ad5d5590c Optionally include principal's IP address in audit record metadata.
Currently this doesn't handle `X-Forwarded-For` and as such isn't very
useful. It is surprisingly difficult to find a high-quality library for
parsing `X-Forwarded-For` and a solution will have to be found.
2025-12-04 06:17:11 +00:00
Catherine 6e7b42b942 Implement audit notifications. 2025-12-03 06:32:07 +00:00
Catherine e226f51dd4 Implement auditing of important site lifecycle actions.
The list of audit events is:
  - `CommitManifest`
  - `DeleteManifest`
  - `FreezeDomain`
  - `UnfreezeDomain`

Currently these are the main abuse/moderation-relevant actions.
If collection is enabled, these events will be logged to `audit/...`
storage hierarchy; a way to examine audit logs will be added in
the future.

The auditing interposer backend is enabled with feature `audit`.
2025-12-03 04:19:41 +00:00
Catherine f089208ca7 [breaking-change] Make fallback handler per-instance, not per-wildcard.
There was never a particularly good reason to tie the fallback handler
to a wildcard domain; most importantly, this prevented it from being
used for custom domains, which is required for migrating custom domains
from Codeberg Pages v2 server.
2025-12-03 00:39:07 +00:00
David Leadbeater 351d0a0c85 Add a log level config option 2025-11-20 17:33:54 +11:00
Catherine 0b2db170b8 Allow updating wildcard domain sites from an archive with a forge token. 2025-11-19 04:10:02 +00:00
Catherine c90b453d44 Default to allowed-custom-headers = ["X-Clacks-Overhead"].
X-Clacks-Overhead: GNU Terry Pratchett
2025-11-11 15:38:11 +00:00
Catherine 26b29ec4be Add Netlify _headers support. 2025-11-11 15:36:14 +00:00
Catherine c4b3671a53 Add [[wildcard]].index-repo-branch option (pages by default). 2025-11-05 23:00:32 +00:00
Catherine 9b19eeae82 Add missing [limits] keys to default configuration. 2025-11-05 22:58:12 +00:00
miyuko eda3e8a791 Add stale-while-revalidate support to the cache. 2025-10-15 23:53:12 +01:00
miyuko 8bb6d0ff28 Unconditionally sample HTTP requests for tracing that take too long. 2025-10-15 18:26:33 +01:00
Catherine 5b8cb4ba11 Clean up Caddyfile, removing Fly.io-isms.
The grebedoc.dev infrastructure is no longer directly tied to
the container built from this repository, so we don't have to
pollute the configuration with Fly.io-isms.
2025-10-09 14:43:41 +00:00
Catherine 217f3a9320 Switch log handling to slog.
This currently doesn't add any structure to the logs, changing just
the handler and output format. It does also add Sentry logging support.

The `log-format` configuration value now accepts values `none`, `text`,
and `json`.
2025-09-29 22:10:41 +00:00
Catherine dcabcac106 Rename feature h2c to serve-h2c. 2025-09-29 01:47:13 +00:00
Catherine fc029ad219 [breaking-change] Remove health endpoint handler and renumber metrics.
The previous commit has eliminated any way to use `ServeHealth()`,
but kept it around to not introduce breaking changes. This one has
no such constraint.
2025-09-23 02:39:11 +00:00
Catherine 4c087278cb Fly.io: switch health check method to [[services.http_checks]].
More specifically, remove the dedicated HTTP datapath for health
checks and verify the entire stack, from TLS frontend to S3 backend.
Verifying too little has resulted in a small outage recently when
the pages listener got misconfigured but the health listener happily
accepted connections like normal. This would not happen now that
the health check uses port 443, too.
2025-09-23 02:34:55 +00:00
miyuko 1aef0288e7 Add page operation metrics and expose them in Prometheus text format. 2025-09-22 19:03:59 +01:00
Catherine 789a5e682e [breaking-change] Use type-safe representation for time durations. 2025-09-22 17:05:22 +00:00
Catherine 80e3d7ff56 Turn off Caddy's admin interface and expose metrics on the same port. 2025-09-22 16:26:55 +00:00
Catherine e78f70626e Fly.io: enable Caddy metrics collection. 2025-09-22 09:50:01 +00:00
Catherine a159dba0b8 [breaking-change] Redesign environment var configuration overrides.
This is done using reflection to avoid boilerplate and potential desync
of the two configuration interfaces. The `[[wildcards]]` section did
not fit well into the "splat every config key" paradigm, so it is
unmarshalled as a whole from a JSON payload in an environment variable.

This commit also splits up the `Config` type into small per-section
struct types and removes most references to the global `config` in
favor of passing pointers to sections around.

A new option, `-print-config-env-vars`, shows the names and types of
all of the available configuration knobs.
2025-09-22 07:02:42 +00:00
Catherine d81676fea0 Miscellaneous minor configuration related fixes. 2025-09-22 01:31:41 +00:00
Catherine bf2922f892 [breaking-change] Add default config values where appropriate. 2025-09-21 23:08:27 +00:00
Catherine 51606aac98 Replace hardcoded limits with a config file section. 2025-09-21 19:00:36 +00:00
Catherine e59699ab1a Configure Caddy to use PROXY protocol for X-Forwarded-For. 2025-09-21 14:27:25 +00:00
Catherine d4f5420875 Configure Caddy to use HTTP/3.
Also, add `Alt-Svc:` headers for both H2 and H3.
2025-09-21 14:27:25 +00:00
Catherine 5b471f6677 Add a feature flag for testing h2c:// performance. 2025-09-21 04:38:06 +00:00
Catherine a10e28210a Enable h2c:// (cleartext HTTP/2) protocol on all http:// sockets.
This allows git-pages and Caddy to efficiently use the same connection
for many pipelined requests, which I hope will reduce contention when
some bot decides to send fifty requests in the same millisecond.

This commit also changes built-in Caddy configuration to use HTTP/2
cleartext only when talking to the backend.
2025-09-21 03:36:14 +00:00
Catherine 5765fa7ffa Proxy requests for unknown sites via wildcard fallback URL (if any). 2025-09-21 02:39:44 +00:00
Catherine d5302e4358 [breaking-change] Allow multiple wildcard domains to be configured. 2025-09-21 00:29:51 +00:00
Catherine 9d18700834 Switch from Nix back to Docker for deployment. 2025-09-20 00:12:55 +00:00
Catherine da604215c1 Adapt Caddyfile during the build.
Until https://github.com/ss098/certmagic-s3/pull/25 is merged, this
also uses a fork of certmagic-s3.
2025-09-19 22:12:48 +00:00
Catherine 3d23d58fbb Make supervisord and Caddy less chatty. 2025-09-19 21:08:21 +00:00
bin da212dcb89 Aggressively optimise size of Nix built Docker images 2025-09-19 04:23:57 +00:00