A git-based wiki featuring markdown, a WYSIWYG Editor, PlantUML, and much more
MIT License
A lightweight version of cloudogu's git-based wiki system smeagol, the lightning-fast alternative to gollum.
Runs without a full Cloudogu ecosystem, but still features
To try it out, run:

```shell
docker run -p 8443:8443 ghcr.io/schnatterer/smeagol-galore
```
Note that SCM-Manager's plugin configuration lives in `plugin-config.yml`. You can override it, e.g. by mounting your own version into the container: `-v your-plugin-config.yml:/etc/scm/plugin-config.yml`.

Then open the `/smeagol` path on the published port (e.g. https://localhost:8443/smeagol) and log in with `admin/admin` (see below for custom credentials).

Mount the SCMM volume to persist your repos/wikis: `-v $(pwd)/dev/scm:/home/tomcat/.scm`.
This will also persist SCMM plugins, so the second start will be much faster.
Make sure the user the smeagol galore container runs as (UID 1001) is allowed to write to this folder, by either `chown`ing or `chmod`ing it. For development the following will do:

```shell
mkdir -p dev/scm
chmod 777 dev/scm
docker run --rm --name smeagol-galore -p 8443:8443 -v $(pwd)/dev/scm:/home/tomcat/.scm schnatterer/smeagol-galore
```

Keep in mind that `chmod 777` makes the folder (and every repo in it) writable for every user on the host; outside of development, `chown` it to the container's UID instead.
Although not strictly necessary, it is recommended to also persist Smeagol's repo cache at `/home/tomcat/.smeagol`.
Without it smeagol has to clone every repo from SCM-Manager again after a restart. Especially for large repos (100MB+) this slows down the first request to each repo after the container has been restarted.
The self-signed certificate that is generated on startup by default is only a valid option for trying out and development. In production, you should provide a proper certificate, which can be done by either mounting your own certs or using the built-in Let's Encrypt support (both described below).

Note that smeagol, cas and SCMM communicate with each other via HTTPS.
If your certificate is not trusted by the JVM you should add it to the trust store and then mount it like so: `-v $(pwd)/dev/cacerts:/opt/java/openjdk/lib/security/cacerts`.
See entrypoint.sh for an example.
Just mount your certs into the container like so: `-v $(pwd)/certs:/config/certs/${FQDN}`.
Smeagol galore's server loads the certs from the following files inside the `/config/certs/${FQDN}` folder:

- `cert.pem`
- `fullchain.pem`
- `privkey.pem`
If you don't have any reverse proxy infrastructure that handles TLS termination, the most convenient way of handling TLS is to use Smeagol Galore's built-in Let's Encrypt support.

Before getting started, make sure the container is reachable under your domain on port 443 (`-p443:8443`) and port 80 (`-p80:8080`), as Let's Encrypt contacts it to validate the domain. Then just enable Let's Encrypt via the environment:

- `-e ENABLE_LETSENCRYPT=true` - enable Let's Encrypt support
- `-e FQDN=example.com` - determines the domain to request the cert for
- `-e STAGING=true` - if set to `true`, creates certs against Let's Encrypt's staging environment, which has no rate limit but is not trusted by browsers

For a full example see examples.

At startup Smeagol Galore still generates self-signed certs, if none are there, as it needs cert files to get the server started. Once the server is up, a background process requests the certs from Let's Encrypt if their remaining validity is less than 30 days. The process checks once a day whether the certs are valid for less than 30 days and renews them if necessary.
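As an added example, not code from smeagol-galore, the following POSIX shell script covers the two cert sections above: it produces the `cert.pem`, `fullchain.pem` and `privkey.pem` layout the server expects under `/config/certs/${FQDN}` (self-signed, for development), checks a directory the way you would before mounting a CA-issued cert, applies the same "less than 30 days left" rule the Let's Encrypt renewal uses, and imports the cert into a copy of the JVM trust store for the HTTPS calls between smeagol, cas and SCMM. It assumes openssl 1.1.1 or newer; the FQDN, output directory and trust-store paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of smeagol-galore. Requires openssl >= 1.1.1 (-addext, -ext).

# Write cert.pem, fullchain.pem and privkey.pem for $1 below $2/$1.
# Self-signed, 30 days: development only. For production put a CA-issued cert
# into the same three files (fullchain.pem = leaf followed by the intermediates).
make_dev_certs() {
  fqdn="$1"; dir="$2/$fqdn"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
  cp "$dir/cert.pem" "$dir/fullchain.pem"   # no intermediates for a self-signed leaf
  chmod 600 "$dir/privkey.pem"              # the key must not be world-readable on the host
}

# Validate a /config/certs/<fqdn> directory before mounting it. Prints the first
# problem found and returns 1; returns 0 when the layout is usable.
verify_cert_layout() {
  fqdn="$1"; dir="$2/$fqdn"
  for f in cert.pem fullchain.pem privkey.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty $dir/$f"; return 1; }
  done
  # the private key must belong to the certificate
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "privkey.pem does not match cert.pem"; return 1; }
  # the leaf must come first in fullchain.pem (openssl reads only the first cert)
  leaf=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256)
  first=$(openssl x509 -in "$dir/fullchain.pem" -noout -fingerprint -sha256)
  [ "$leaf" = "$first" ] || { echo "fullchain.pem does not start with cert.pem"; return 1; }
  # not expired, and issued for the name the container is reached under
  openssl x509 -in "$dir/cert.pem" -noout -checkend 0 >/dev/null \
    || { echo "cert.pem has expired"; return 1; }
  openssl x509 -in "$dir/cert.pem" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$fqdn" \
    || { echo "cert.pem has no subjectAltName for $fqdn"; return 1; }
}

# Same rule as the built-in Let's Encrypt renewal: true when the cert in $1 is
# valid for less than $2 days (default 30).
needs_renewal() {
  days="${2:-30}"
  ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# Import cert.pem into a copy of the JVM trust store so smeagol, cas and SCMM
# trust each other; mount the copy over /opt/java/openjdk/lib/security/cacerts.
# "changeit" is the stock password of the JDK's cacerts file.
trust_in_jvm() {
  fqdn="$1"; dir="$2/$fqdn"; src="$3"; dst="$4"
  command -v keytool >/dev/null || { echo "keytool (JDK) not found"; return 1; }
  cp "$src" "$dst"
  keytool -importcert -noprompt -trustcacerts -alias "$fqdn" \
    -file "$dir/cert.pem" -keystore "$dst" -storepass changeit >/dev/null
}

# Usage (placeholders):
#   make_dev_certs smeagol.example.test ./certs
#   verify_cert_layout smeagol.example.test ./certs && \
#     docker run -p 8443:8443 -e FQDN=smeagol.example.test:8443 \
#       -v "$PWD/certs/smeagol.example.test:/config/certs/smeagol.example.test" \
#       ghcr.io/schnatterer/smeagol-galore
```

`verify_cert_layout` is the check worth running on a CA-issued cert as well: a `fullchain.pem` whose first entry is an intermediate, or a key that was rotated without the cert, both produce an opaque startup failure inside the container.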
To create a wiki, clone an existing SCM-Manager repo (here `test`), add a `.smeagol.yml` file and push.

Note that the git arg `-c http.sslVerify=false` disables certificate verification for that command and is only necessary for testing with a self-signed cert. If you use an official TLS cert this won't be necessary.

```shell
git -c http.sslVerify=false clone https://admin@localhost:8443/scm/git/test
```

Create the `.smeagol.yml` file: `touch .smeagol.yml && git add .smeagol.yml && git commit -m 'Create smeagol wiki'`, then `git -c http.sslVerify=false push`.

All in one:

```shell
git -c http.sslVerify=false clone https://admin@localhost:8443/scm/git/test
cd test
touch .smeagol.yml
git add .smeagol.yml
git commit -m 'Create smeagol wiki'
git -c http.sslVerify=false push --set-upstream origin master
```
Default user/pw: `admin/admin`.
Credentials are defined in `/etc/cas/users.txt` and `/etc/cas/attributes.xml`. Custom ones can be mounted into the container like so, for example: `-v $(pwd)/dev/users.txt:/etc/cas/users.txt`.
See users.txt and attributes.xml. Replace the default credentials before the instance is reachable by anyone but yourself.
CAS has "pluggable authentication support (LDAP, database, X.509, 2-factor)", see the CAS 4 docs. Get started at deployerConfigContext.xml.
Via environment variables:

- `ADMIN_GROUP`
- `FQDN` - the name (plus the HTTPS port, if != 443) under which the instance is reachable. For local testing you can add an entry to `/etc/hosts`: `127.0.0.1 smeagol` and then pass `-v /etc/hosts:/etc/hosts -e FQDN=smeagol:8443`. You can then reach smeagol at https://smeagol:8443.
- `HTTP_PORT` and `HTTPS_PORT` - ports to listen on. Note that FQDN contains the HTTPS port (if != 443). The `tomcat` user is allowed to listen on ports 80, 443 and of course > 1024. Other privileged ports would require running as root (`docker run -u0`), which you shouldn't; otherwise the server fails with `Socket bind failed: [13] [Permission denied]`.
- `0.2.0-SNAPSHOT-2e1ec28f`. If this works for you, you might want to
- `DEBUG=true` - exposes port 8000 as Tomcat debug port (publish it with `-p8000:8000`).
- JVM arguments can be passed as `CMD`, e.g. `docker run ghcr.io/schnatterer/smeagol-galore '-Xmx1g -Dabc=def'`, or via `EXTRA_JVM_ARGUMENTS`, e.g. `docker run -e EXTRA_JVM_ARGUMENTS='-Xmx1g -Dabc=def' ghcr.io/schnatterer/smeagol-galore`. Both pass the arguments (e.g. `-Xmx2g`) on to the virtual machine / tomcat process.
- Properties from `cas.properties` can be set via JVM system properties (`docker run -e EXTRA_JVM_ARGUMENTS='-Dproperty.name=value' ...`) or via environment variables (`docker run -e PROPERTY_NAME=value ...`).
- `SMEAGOL_GALORE_LOGIN_WELCOME` - customizes the welcome message on the login screen. Default is `Smeagol Galore`.
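An added example, not code from smeagol-galore, that applies two of the rules above before a container is started: `FQDN` carries the published HTTPS port unless that port is 443, and the unprivileged `tomcat` user can only bind 80, 443 or ports above 1024, so any other `HTTP_PORT`/`HTTPS_PORT` fails with the `Socket bind failed` error rather than being a reason to reach for `-u0`. Host names and ports in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of smeagol-galore.

# FQDN as the instance is reached from outside: host plus the *published* HTTPS
# port, omitted only when it is the default 443. Matches the README's examples:
# -p 8443:8443 -> FQDN=smeagol:8443, -p443:8443 -> FQDN=example.com.
fqdn_for() {
  host="$1"; https_port="${2:-443}"
  if [ "$https_port" = 443 ]; then
    printf '%s\n' "$host"
  else
    printf '%s:%s\n' "$host" "$https_port"
  fi
}

# Ports the tomcat user inside the container may listen on without root.
port_bindable() {
  case "$1" in
    80|443) return 0 ;;
    *[!0-9]*|'') return 1 ;;
    *) [ "$1" -gt 1024 ] ;;
  esac
}

# Print a docker run line for: host, published HTTPS port, published HTTP port,
# container HTTPS_PORT (default 8443) and HTTP_PORT (default 8080).
# Fails before starting anything when a listen port would need root.
compose_run_cmd() {
  host="$1"; pub_https="$2"; pub_http="$3"; https_port="${4:-8443}"; http_port="${5:-8080}"
  for p in "$https_port" "$http_port"; do
    port_bindable "$p" \
      || { echo "tomcat user cannot bind $p; use 80, 443 or a port > 1024 instead of -u0" >&2; return 1; }
  done
  printf 'docker run -p %s:%s -p %s:%s -e FQDN=%s -e HTTPS_PORT=%s -e HTTP_PORT=%s ghcr.io/schnatterer/smeagol-galore\n' \
    "$pub_https" "$https_port" "$pub_http" "$http_port" \
    "$(fqdn_for "$host" "$pub_https")" "$https_port" "$http_port"
}

# Usage (placeholders):
#   compose_run_cmd wiki.example.com 443 80   -> ... -e FQDN=wiki.example.com ...
#   compose_run_cmd smeagol 8443 8080         -> ... -e FQDN=smeagol:8443 ...
```

The port in `FQDN` is the one clients see, not the one tomcat binds; getting this wrong is the usual cause of CAS redirecting the browser to a URL that does not resolve.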
The container runs with UID and GID = 1000.
If you want to run it as a different user, pass the `-u` param when running the container.
However, you should make sure that the user exists inside the container (e.g. mount `/etc/passwd`).
Another option is to build your own image and set `--build-arg USER_ID` and `GROUP_ID` to your liking.
See example for a more substantial example using docker-compose.
There was an example on how to deploy to kubernetes see this revision. It was no longer maintained, so if needed it could be used as a starting point. Even more convenient would be a helm chart. PRs welcome.
To migrate a gollum wiki, create the `.smeagol.yml` and move the pages into `docs`:

```shell
touch .smeagol.yml
mkdir docs
git mv -k * docs # -k ignores errors such as moving docs to docs
git mv -k .* docs # hidden files
```

File names containing special characters have to be `rename`d or `git mv`ed. Find candidates e.g. with `ll | grep ' \.md'` (names with a space in front of `.md`), or list every name containing characters outside the safe set:

```shell
find ./ -printf "%f\n" | grep -Pv '^[\w\.\-_/ ]+$'
```

Then replace the offending characters with `_`: `rename 's/[(),#+~&]/_/g' *` (add more characters to replace in the first part of the regex, if needed).

If your pages link to uploads via absolute URLs (e.g. https://mygoll.um/uploads) or relative links starting in `/` (`/uploads`), you should change all of them to `uploads`. Find them with `grep -r https://mygoll.um/uploads/` and `grep -r /uploads/`.
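The migration steps above, scripted as an added example that is not part of smeagol-galore. It moves the pages into `docs/` (via `git mv` when run inside a repository, plain `mv` otherwise), renames every file or directory whose name falls outside the safe character set from the `find | grep` check, and rewrites both forms of upload link to the relative `uploads/` form. The wiki path and the old gollum base URL are arguments; the values in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of smeagol-galore: scripts the gollum -> smeagol migration.
# $1 is the wiki checkout, $2 the old gollum base URL (both placeholders).

# Name with everything outside the safe set [A-Za-z0-9._/ -] turned into '_'.
# Broader than the page's rename 's/[(),#+~&]/_/g'; non-ASCII characters are
# replaced too, so review the result before committing.
safe_name() {
  printf '%s' "$1" | sed 's|[^A-Za-z0-9._/ -]|_|g'
}

# Move all pages (hidden ones too) into docs/, leaving docs, .git and .smeagol.yml
# where they are. Inside a repo this is `git mv -k`, which silently skips untracked
# files: add or commit them first.
move_into_docs() {
  ( cd "$1" || exit 1
    mkdir -p docs
    for entry in * .[!.]*; do
      [ -e "$entry" ] || continue            # unmatched glob
      case "$entry" in docs|.git|.smeagol.yml) continue ;; esac
      if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git mv -k "$entry" docs/
      else
        mv "$entry" docs/
      fi
    done )
}

# Rename every file and directory below docs/ whose name is not safe. Deepest
# paths first, so a directory is renamed after its contents. Two names that map
# to the same safe name are left alone rather than overwritten; run `git add -A`
# afterwards to record the renames.
rename_unsafe_names() {
  find "$1/docs" -depth | while IFS= read -r path; do
    base=$(basename "$path"); new=$(safe_name "$base")
    if [ "$new" != "$base" ]; then
      target="$(dirname "$path")/$new"
      if [ -e "$target" ]; then
        echo "not renaming '$path': '$target' already exists" >&2
      else
        mv "$path" "$target"
      fi
    fi
  done
}

# Turn https://<old host>/uploads/x and /uploads/x into the relative uploads/x in
# all markdown files, so the links keep working once smeagol serves the wiki.
rewrite_upload_links() {
  old=$(printf '%s' "$2" | sed 's/[.[\*^$]/\\&/g')   # escape for the sed pattern
  find "$1/docs" -type f -name '*.md' | while IFS= read -r f; do
    sed -e "s|${old}/uploads/|uploads/|g" \
        -e 's|](/uploads/|](uploads/|g' \
        -e 's|"/uploads/|"uploads/|g' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Number of references still pointing at the old locations; 0 means done.
leftover_upload_refs() {
  grep -r -e "$2/uploads/" -e '/uploads/' "$1/docs" | wc -l | tr -d ' '
}

migrate_gollum_to_smeagol() {
  touch "$1/.smeagol.yml"
  move_into_docs "$1"
  rename_unsafe_names "$1"
  rewrite_upload_links "$1" "$2"
}

# Usage (placeholders): migrate_gollum_to_smeagol ./my-wiki https://mygoll.um
```

Review `git status` and `leftover_upload_refs` before committing: the link rewrite only touches `*.md` files and only the `](...)` and `"..."` forms, so uploads referenced from HTML attributes with single quotes, or from non-markdown pages, still show up in the leftover count.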
Logging can be adjusted per component. Details for SCM-Manager, CAS, and Smeagol below; the process is the same for each component: mount your own log config over the one shipped in the webapp.
See also the more substantial example using docker-compose.

- SCM-Manager: `logback.xml` - `-v $(pwd)/scm-logback.xml:/tomcat/webapps/scm/WEB-INF/classes/logback.xml`
- Smeagol: `logback.xml` - `-v $(pwd)/smeagol-logback.xml:/tomcat/webapps/smeagol/WEB-INF/classes/logback.xml`
- CAS: `log4j.xml` - `-v $(pwd)/cas-log4j.xml:/tomcat/webapps/cas/WEB-INF/classes/log4j.xml`

For remote debugging, publish the debug port and enable it: `-p8000:8000 -e DEBUG=true`.
Smeagol Galore does not use Log4j version 2, so it is not affected by Log4Shell.
The `JMSAppender` class of Log4j 1.x (the version CAS uses, see its `log4j.xml` above) could be abused for an attack similar to Log4Shell, but only when a log configuration actually enables that appender. So in Smeagol Galore >= 1.6.1-1-r1, with the default SCM-Manager plugins, there is no vulnerability similar to Log4Shell, according to current knowledge as of 22 December 2021. If you mount your own `log4j.xml` or install additional SCM-Manager plugins, re-check that no `JMSAppender` is configured and that none of the plugins pulls in Log4j 2.
Unidata/tomcat-docker: Security-hardened Tomcat container
Build the image yourself with:

```shell
docker build -t smeagol-galore .
```

To use a different PlantUML server, pass `--build-arg PLANTUMLSERVER="https://[...]/png/"`.