Soft Serve

A tasty, self-hostable Git server for the command line. 🍦

Easy to navigate TUI available over SSH

Clone repos over SSH, HTTP, or Git protocol

Manage repos with SSH

Create repos on demand with SSH or git push

Browse repos, files and commits with SSH-accessible

Print files over SSH with or without syntax highlighting and line numbers

Easy access control with SSH

Allow/disallow anonymous access

Add collaborators with SSH public keys

Repos can be public or private

Where can I see it?

Just run ssh git.charm.sh for an example. You can also try some of the following commands:

``` shell
# Jump directly to a repo in the TUI
ssh git.charm.sh -t soft-serve
# Print out a directory tree for a repo
ssh git.charm.sh repo tree soft-serve
# Print a specific file
ssh git.charm.sh repo blob soft-serve cmd/soft/root.go
# Print a file with syntax highlighting and line numbers
ssh git.charm.sh repo blob soft-serve cmd/soft/root.go -c -l
```

Installation

Soft Serve is a single binary called soft. You can get it from a package manager:

``` shell
# macOS or Linux
brew tap charmbracelet/tap && brew install charmbracelet/tap/soft-serve
# Arch Linux
pacman -S soft-serve
# Nix
nix-env -iA nixpkgs.soft-serve
# Debian/Ubuntu
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://repo.charm.sh/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/charm.gpg
echo "deb [signed-by=/etc/apt/keyrings/charm.gpg] https://repo.charm.sh/apt/ * *" | sudo tee /etc/apt/sources.list.d/charm.list
sudo apt update && sudo apt install soft-serve
# Fedora/RHEL
echo '[charm]
name=Charm
baseurl=https://repo.charm.sh/yum/
enabled=1
gpgcheck=1
gpgkey=https://repo.charm.sh/yum/gpg.key' | sudo tee /etc/yum.repos.d/charm.repo
sudo yum install soft-serve
```

You can also download a binary from the releases page. Packages are available in Alpine, Debian, and RPM formats. Binaries are available for Linux, macOS, and Windows.

Or just install it with go :

``` shell
go install github.com/charmbracelet/soft-serve/cmd/soft@latest
```

A Docker image is also available.

Setting up a server

Make sure git is installed, then run soft serve. That’s it.

This will create a data directory that will store all the repos, ssh keys, and database.

To change the default data path use SOFT_SERVE_DATA_PATH environment variable.

``` shell
SOFT_SERVE_DATA_PATH=/var/lib/soft-serve soft serve
```

When you run Soft Serve for the first time, make sure you have the SOFT_SERVE_INITIAL_ADMIN_KEYS environment variable is set to your ssh authorized key. Any added key to this variable will be treated as admin with full privileges.

Using this environment variable, Soft Serve will create a new admin user that has full privileges. You can rename and change the user settings later.

Server Settings

Once you start the server for the first time, the settings will be in config.yaml under your data directory. The default config.yaml is self-explanatory and will look like this:

``` yaml
# Soft Serve Server configurations
# The name of the server.
# This is the name that will be displayed in the UI.
name: "Soft Serve"
# Log format to use. Valid values are "json", "logfmt", and "text".
log_format: "text"
# The SSH server configuration.
ssh:
# The address on which the SSH server will listen.
listen_addr: ":23231"
# The public URL of the SSH server.
# This is the address that will be used to clone repositories.
public_url: "ssh://localhost:23231"
# The path to the SSH server's private key.
key_path: "ssh/soft_serve_host"
# The path to the SSH server's client private key.
# This key will be used to authenticate the server to make git requests to
# ssh remotes.
client_key_path: "ssh/soft_serve_client"
# The maximum number of seconds a connection can take.
# A value of 0 means no timeout.
max_timeout: 0
# The number of seconds a connection can be idle before it is closed.
idle_timeout: 120
# The Git daemon configuration.
git:
# The address on which the Git daemon will listen.
listen_addr: ":9418"
# The maximum number of seconds a connection can take.
# A value of 0 means no timeout.
max_timeout: 0
# The number of seconds a connection can be idle before it is closed.
idle_timeout: 3
# The maximum number of concurrent connections.
max_connections: 32
# The HTTP server configuration.
http:
# The address on which the HTTP server will listen.
listen_addr: ":23232"
# The path to the TLS private key.
tls_key_path: ""
# The path to the TLS certificate.
tls_cert_path: ""
# The public URL of the HTTP server.
# This is the address that will be used to clone repositories.
# Make sure to use https:// if you are using TLS.
public_url: "http://localhost:23232"
# The stats server configuration.
stats:
# The address on which the stats server will listen.
listen_addr: ":23233"
# Additional admin keys.
#initial_admin_keys:
# - "ssh-rsa AAAAB3NzaC1yc2..."
```

You can also use environment variables, to override these settings. All server settings environment variables start with SOFT_SERVE_ followed by the setting name all in uppercase. Here are some examples:

SOFT_SERVE_NAME : The name of the server that will appear in the TUI

SOFT_SERVE_SSH_LISTEN_ADDR : SSH listen address

SOFT_SERVE_SSH_KEY_PATH : SSH host key-pair path

SOFT_SERVE_HTTP_LISTEN_ADDR : HTTP listen address

SOFT_SERVE_HTTP_PUBLIC_URL : HTTP public URL used for cloning

SOFT_SERVE_GIT_MAX_CONNECTIONS : The number of simultaneous connections to git daemon

Configuration

Configuring Soft Serve is simple and straightforward. Use the SSH command-line interface to manage access settings, users, and repos.

Try ssh localhost -i ~/.ssh/id_ed25519 -p 23231 help for more info. Make sure you use your key here.

For ease of use, instead of specifying the key, port, and hostname every time you SSH into Soft Serve, add your own Soft Serve instance entry to your SSH config. For instance, to use ssh soft instead of typing `ssh localhost -i /.ssh/id_ed25519 -p 23231, we can define a soft entry in our SSH config file /.ssh/config`.

``` sh
Host soft
HostName localhost
Port 23231
IdentityFile ~/.ssh/id_ed25519
```

Now, we can do ssh soft to SSH into Soft Serve. Since git is also aware of this config, you can use soft as the hostname for your clone commands.

``` shell
git clone ssh://soft/dotfiles
# make changes
# add & commit
git push origin main
```

NoteThe -i part will be omitted in the examples below for brevity. You can add your server settings to your sshconfig for quicker access.

Access Levels

Soft Serve offers a simple access control. There are four access levels, no-access, read-only, read-write, and admin-access.

admin-access has full control of the server and can make changes to users and repos.

read-write access gets full control of repos.

read-only can read public repos.

no-access denies access to all repos.

Authentication

Everything that needs authentication is done using SSH. Make sure you have added an entry for your Soft Serve instance in your ~/.ssh/config file.

By default, Soft Serve gives ready-only permission to anonymous connections to any of the above protocols. This is controlled by two settings anon-access and allow-keyless.

anon-access : Defines the access level for anonymous users. Available options are no-access, read-only, read-write, and admin-access. Default is read-only.

allow-keyless : Whether to allow connections that doesn't use keys to pass. Setting this to false would disable access to SSH keyboard-interactive, HTTP, and Git protocol connections. Default is true.

``` shell
$ ssh -p 23231 localhost settings
Manage server settings
Usage:
ssh -p 23231 localhost settings [command]
Available Commands:
allow-keyless Set or get allow keyless access to repositories
anon-access Set or get the default access level for anonymous users
Flags:
-h, --help help for settings
Use "ssh -p 23231 localhost settings [command] --help" for more information about a command.
```

NoteThese settings can only be changed by admins.

When allow-keyless is disabled, connections that don't use SSH Public Key authentication will get denied. This means cloning repos over HTTP(s) or git:// will get denied.

Meanwhile, anon-access controls the access level granted to connections that use SSH Public Key authentication but are not registered users. The default setting for this is read-only. This will grant anonymous connections that use SSH Public Key authentication read-only access to public repos.

anon-access is also used in combination with allow-keyless to determine the access level for HTTP(s) and git:// clone requests.

Authorization

Admins can manage users and their keys using the user command. Once a user is created and has access to the server, they can manage their own keys and settings.

To create a new user simply use user create :

``` shell
# Create a new user
ssh -p 23231 localhost user create beatrice
# Add user keys
ssh -p 23231 localhost user add-pubkey beatrice ssh-rsa AAAAB3Nz...
ssh -p 23231 localhost user add-pubkey beatrice ssh-ed25519 AAAA...
# Create another user with public key
ssh -p 23231 localhost user create frankie '-k "ssh-ed25519 AAAATzN..."'
# Need help?
ssh -p 23231 localhost user help
```

Once a user is created, they get read-only access to public repositories. They can also create new repositories on the server.

Users can manage their keys using the pubkey command:

``` shell
# List user keys
ssh -p 23231 localhost pubkey list
# Add key
ssh -p 23231 localhost pubkey add ssh-ed25519 AAAA...
# Wanna change your username?
ssh -p 23231 localhost set-username yolo
# To display user info
ssh -p 23231 localhost info
```

Repositories

You can manage repositories using the repo command.

``` shell
# Run repo help
$ ssh -p 23231 localhost repo help
Manage repositories
Usage:
ssh -p 23231 localhost repo [command]
Aliases:
repo, repos, repository, repositories
Available Commands:
blob Print out the contents of file at path
branch Manage repository branches
collab Manage collaborators
create Create a new repository
delete Delete a repository
description Set or get the description for a repository
hide Hide or unhide a repository
import Import a new repository from remote
info Get information about a repository
is-mirror Whether a repository is a mirror
list List repositories
private Set or get a repository private property
project-name Set or get the project name for a repository
rename Rename an existing repository
tag Manage repository tags
tree Print repository tree at path
Flags:
-h, --help help for repo
Use "ssh -p 23231 localhost repo [command] --help" for more information about a command.
```

To use any of the above repo commands, a user must be a collaborator in the repository. More on this below.

Creating Repositories

To create a repository, first make sure you are a registered user. Use the repo create <repo> command to create a new repository:

``` shell
# Create a new repository
ssh -p 23231 localhost repo create icecream
# Create a repo with description
ssh -p 23231 localhost repo create icecream '-d "This is an Ice Cream description"'
# ... and project name
ssh -p 23231 localhost repo create icecream '-d "This is an Ice Cream description"' '-n "Ice Cream"'
# I need my repository private!
ssh -p 23231 localhost repo create icecream -p '-d "This is an Ice Cream description"' '-n "Ice Cream"'
# Help?
ssh -p 23231 localhost repo create -h
```

Or you can add your Soft Serve server as a remote to any existing repo, given you have write access, and push to remote:

``` sh
git remote add origin ssh://localhost:23231/icecream
```

After you’ve added the remote just go ahead and push. If the repo doesn’t exist on the server it’ll be created.

``` sh
git push origin main
```

Repositories can be nested too:

``` shell
# Create a new nested repository
ssh -p 23231 localhost repo create charmbracelet/icecream
# Or ...
git remote add charm ssh://localhost:23231/charmbracelet/icecream
git push charm main
```

Deleting Repositories

You can delete repositories using the repo delete <repo> command.

``` shell
ssh -p 23231 localhost repo delete icecream
```

Renaming Repositories

Use the repo rename <old> <new> command to rename existing repositories.

``` shell
ssh -p 23231 localhost repo rename icecream vanilla
```

Repository Collaborators

Sometimes you want to restrict write access to certain repositories. This can be achieved by adding a collaborator to your repository.

Use the repo collab <command> <repo> command to manage repo collaborators.

``` shell
# Add collaborator to soft-serve
ssh -p 23231 localhost repo collab add soft-serve frankie
# Remove collaborator
ssh -p 23231 localhost repo collab remove soft-serve beatrice
# List collaborators
ssh -p 23231 localhost repo collab list soft-serve
```

Repository metadata

You can also change the repo's description, project name, whether it's private, etc using the repo <command> command.

``` shell
# Set description for repo
ssh -p 23231 localhost repo description icecream "This is a new description"
# Hide repo from listing
ssh -p 23231 localhost repo hidden icecream true
# List repository info (branches, tags, description, etc)
ssh -p 23231 localhost repo icecream info
```

To make a repository private, use repo private <repo> [true|false]. Private repos can only be accessed by admins and collaborators.

``` shell
ssh -p 23231 localhost repo icecream private true
```

Repository Branches & Tags

Use repo branch and repo tag to list, and delete branches or tags. You can also use repo branch default to set or get the repository default branch.

Repository Tree

To print a file tree for the project, just use the repo tree command along with the repo name as the SSH command to your Soft Serve server:

``` shell
ssh -p 23231 localhost repo tree soft-serve
```

You can also specify the sub-path and a specific reference or branch.

``` shell
ssh -p 23231 localhost repo tree soft-serve server/config
ssh -p 23231 localhost repo tree soft-serve main server/config
```

From there, you can print individual files using the repo blob command:

``` shell
ssh -p 23231 localhost repo blob soft-serve cmd/soft/root.go
```

You can add the -c flag to enable syntax coloring and -l to print line numbers:

``` shell
ssh -p 23231 localhost repo blob soft-serve cmd/soft/root.go -c -l
```

Use --raw to print raw file contents. This is