Skip to content

Instantly share code, notes, and snippets.

@walkerjeffd

walkerjeffd/Synology-Diskstation-Git.md

Last active April 21, 2024 22:19
Show Gist options
  • Save walkerjeffd/374750c366605cd5123d to your computer and use it in GitHub Desktop.
Save walkerjeffd/374750c366605cd5123d to your computer and use it in GitHub Desktop.
Download ZIP
Instructions for setting up git server on Synology Diskstation
Raw
Synology-Diskstation-Git.md

Configure Synology NAS as Git Server

Instructions for setting up a git server on a Synology NAS with Diskstation. Specifically, I am using a DS414 with DSM 5.0.

Set Up User and Folder

  • Create user gituser via Diskstation interface (with File Station and WebDAV privilages)
  • Add new shared folder called git (located at /volume1/git) with read/write access for gituser and admin. This folder will hold all the repos.
  • Install Git Server package via Diskstation
  • Open Git Server and allow gituser permissions
  • Enable SSH access on Diskstation (Control Panel > Terminal & SNMP > Enable SSH Service)

Configure SSH Access

  • create ~/.ssh folder for gituser on server
ssh admin@diskstation.local
mkdir /volume1/homes/gituser/.ssh
  • copy public rsa key from local computer to gituser account on server
scp ~/.ssh/id_rsa.pub admin@diskstation.local:/volume1/homes/gituser/.ssh
  • connect via SSH as root and rename id_rsa.pub to authorized_keys on NAS (or append if already exists, cat id_rsa.pub >> authorized_keys)
ssh root@diskstation.local
mv /volume1/homes/gituser/.ssh/id_rsa.pub /volume1/homes/gituser/.ssh/authorized_keys
  • change permissions while logged in as root
cd /volume1/homes/gituser/
chown -R gituser:users .ssh
chmod 700 .ssh
chmod 644 .ssh/authorized_keys

Set Up New Repo on NAS

  • create bare repo as root
ssh root@diskstation.local
cd /volume1/git/
git --bare init <repo-name>.git
chown -R gituser:users <repo-name>.git
cd <repo-name>.git
git update-server-info

NOTE: I'm not entirely sure if git update-server-info must be run for each repo or just initially. It seems to work without running this command, but I'm suspcicious that it might cause problems later.

Add NAS as Remote for Local Repo

  • Clone repo from NAS
git clone ssh://gituser@diskstation.local/volume1/git/<repo-name>.git

References

http://blog.osdev.org/git/2014/02/13/using-git-on-a-synology-nas.html http://stackoverflow.com/questions/20074692/set-up-git-on-a-nas-with-synologys-official-package http://www.heidilux.com/2014/02/setup-git-server-synology-nas/

@whytong
Copy link

whytong commented Oct 24, 2021
edited

@dmurphyoz I have been trying to follow your scripts but the problem I ran into is that the remote execution could not find these scripts.
running a remote env command gives PATH=/usr/bin:/bin:/usr/sbin:/sbin. The login shell of gituser is /bin/sh, I tried to add a ~/.profile, ~/.shinit file, did not load, I also tried to change the login shell to /bin/bash but then access was denied. Could you provide more insight? I'm using DSM7 btw.

Create repositories remotely using supported mechanism

Thank you for this guide! It is extremely useful. Thank you @walkerjeffd

@CameronD73
Copy link

Six years on and this still seems the best documentation available for this process - thank you. Unfortunately I did not find it until near the end of the process.
In my case I was using DSM 7.1.? and then then found I could manually upgrade to 7.2.1.
Each version upgrade seems to tie the system down even tighter in terms of "security", but the measures taken seem to me somewhat arbitrary. There are at least three layers of actively blocking me trying to get a login shell for the git user (just so I can get things set up).

Here are some other observations people might find useful

Openssh requirements for public key use.

From the manual for opensshd, on Linux systems it requires only that group and other permissions are set to be not writable. Whether you apply mode 0600, 700, 711 or 755 should not make any difference. As mentioned, this requirement applies to:

  1. the git user's login dir,
  2. ~/.ssh and
  3. authorized_keys under that.

What I don't know the answer to is how much DSM's default to inherited ACL permissions breaks this.
The presence of a "+" in the permission list of ls -l indicates ACLs are in operation and the unix-mode flags are fabrications. In some cases, different users will see different flags shown for the same directory.
Using chmod on a file or directory will disable the ACLs and assign the unix-mode values you have specified, but if your home directory is not set suitably then you may think it is safe, but to root it reports as world- or group-writable.
In the end, I used the undocumented synoacltool to remove inheritance and delete write-access to 'admin'. So, the lesson is, if you see a "+" on the permission flags with ls then apply a chmod, even if the values already look ok.

Did Synology modify opensshd to take ACLs into account? I doubt it.

sftp chroot

Another thing that threw me for a bit was that ssh in a default config will log you in with access to the full file system. However, sftp and scp do something like a chroot and they only expose shared folders you have permission to access.
So, what looks like /volume1/gitfiles/ when you log in, becomes /gitfiles under sftp and scp. And the default starting folder with scp is not your home dir - I've not found a way that does not need a full path specified.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment