rk@tigase.net opened 1 week ago
-
Previous Value Current Value Open
In Progress
-
Final Design Approach:
Proposal: Replace Forgejo with Embedded HTTP-Only Git Service (Sztabina)
Summary
This proposal replaces Forgejo with a lightweight, embedded Git service (Sztabina) that is internal-only, HTTP-based, and fully controlled by Sztab. Git is treated as an internal subsystem, not as a separate product with users, authentication, or UI.
The goal is to align the implementation with the repeatedly stated requirement:
Git must not introduce a separate user base, authentication model, or operational burden.
Core Principles
1. Git is an Internal Subsystem
- Git is not exposed as a product or platform.
- Git has no users, no authentication, no UI.
- Git is accessible only inside the Docker Compose / internal network.
- Sztab owns the entire repository lifecycle.
2. HTTP-Only Git (No SSH)
- Only Git Smart HTTP is supported (clone, push, pull).
- No SSH server, no keys, no system users, no home directories.
- Security boundary is the internal Docker network.
- Eliminates identity, key management, and SSH-related complexity.
This is intentional and directly aligned with the “no Git users” requirement.
Architecture Overview
Components
Sztabina (Git Service)
- Lightweight Go service (Alpine-based)
- Exposes:
- Git Smart HTTP protocol
- Minimal REST API for repository creation/deletion
- Does NOT include:
- Web UI
- User management
- Authentication / authorization
- Uses system git binaries and filesystem-backed repositories
Sztab (Main Application)
- Automatically creates repositories when projects are created
- Uses JGit for:
- Repository browsing
- File inspection
- Metadata access
- Treats Git as infrastructure, not as a user-facing system
Filesystem Model
- A shared Docker volume (git-repos) is mounted into both containers.
- Repositories exist as standard Git directories on disk.
- Benefits:
- No syncing or duplication
- Direct JGit access from Sztab
- Simple backup and inspection
- Git remains “just Git” on disk
Docker Compose Sketch
services: sztabina: image: sztab/sztabina:latest volumes: - git-repos:/repos networks: - sztab-internal # No external exposure
sztab: image: sztab:latest volumes: - git-repos:/repos environment: GIT_SERVICE_URL: http://sztabina:8080 depends_on: - sztabina
volumes: git-repos:
networks: sztab-internal:
Repository Lifecycle
- Repository is created automatically when a Sztab project is created.
- Repository deletion follows project deletion policy.
- No manual initialization steps.
- No separate Git administration required.
External Git Repositories
This proposal does NOT eliminate support for external Git systems.
Clear separation:
- Internal projects: use embedded Git automatically.
- External projects (GitHub, OneDev, etc.):
- Treated as integrations
- Explicitly configured
- Credentialed via tokens
- Typically read-only or limited-scope
Sztab remains capable of observing and integrating with external repositories.
Benefits (Aligned with Requirements)
- Zero external dependencies; Sztab is self-contained
- Single user base; only Sztab users exist
- Automatic repository creation on project creation
- Zero initialization; docker-compose up works
- Direct repository browsing via JGit
- Reduced operational and cognitive load
- Clear product positioning: “Sztab includes built-in Git hosting”
Implementation Notes
- Prefer Git Smart HTTP via system git http-backend wrapped by Go HTTP handlers.
- Avoid scope creep (no hooks UI, no permissions model, no users).
- Document explicitly that this is not a general-purpose Git hosting platform.
Estimated Effort
- Git Smart HTTP wiring: ~2 days
- Repository lifecycle REST API: ~1 day
- Container hardening and packaging: ~1 day
- Sztab integration (project → repo): ~1–2 days
- Testing and cleanup: ~1 day
Total estimate: ~6–7 working days
Key Constraint
This design only works if Git remains:
- Internal
- Userless
- Auth-less
- Infrastructure-level
Any deviation from this reintroduces the complexity this proposal intentionally removes.
Conclusion
This approach directly satisfies the stated requirements:
- No Git users
- No Git authentication
- No separate Git UI
- Internal-only Git service
- Automatic repository management
It simplifies the system, reduces long-term maintenance cost, and keeps Sztab focused on project management rather than Git hosting.
-
Previous Value Current Value In Progress
Closed
| Type |
New Feature
|
| Priority |
Major
|
| Assignee | |
| Version |
1.10
|
| Sprints |
n/a
|
| Customer |
n/a
|
SZ-87.2 — Internal Sztab-Managed Git: Design Options
Parent
SZ-87 — Replace Forgejo with Internal Sztab-Managed Git (Semi-Production Requirement)
Context
As part of SZ-87, Forgejo has been fully removed from the Sztab runtime (stack, ingress, and dependencies).
The system now has no Git service, but still retains Git as a concept (projects, repositories, commits, pull requests).
This issue is a design-focused step to evaluate and decide how Sztab should manage Git repositories internally for a semi-production setup, before any implementation work begins.
Goals
Non-Goals
Design Questions to Answer
Repository form
Access mechanism
git-http-backendbehind internal routing?Visibility & isolation
Operational model
Integration points
sztabinainteracts with repositoriesCandidate Approaches (to be evaluated)
Filesystem + JGit only
Bare repos + git-http-backend
Hybrid
Each option should be evaluated for:
Expected Outcome
By the end of this issue:
This issue is a design checkpoint, not a coding task.
Follow-ups
Time Estimate
Notes
This issue intentionally precedes any code changes to avoid carrying forward assumptions from Forgejo-era designs.