| -rw-r--r-- | Dockerfile | 8 | ||||
| -rw-r--r-- | README | 29 | ||||
| -rw-r--r-- | config.env | 3 | ||||
| -rw-r--r-- | entrypoint.sh | 8 | ||||
| -rw-r--r-- | sshd_config | 6 | ||||
| -rwxr-xr-x | start_container.sh | 12 |
6 files changed, 46 insertions, 20 deletions
| @@ -7,14 +7,16 @@ RUN apk add --no-cache \ | |||
| 7 | fcgiwrap \ | 7 | fcgiwrap \ |
| 8 | spawn-fcgi \ | 8 | spawn-fcgi \ |
| 9 | gettext \ | 9 | gettext \ |
| 10 | openssl | 10 | openssl \ |
| 11 | openssh-server | ||
| 11 | 12 | ||
| 12 | COPY cgitrc.template /etc/cgitrc.template | 13 | COPY cgitrc.template /etc/cgitrc.template |
| 13 | COPY Caddyfile /etc/caddy/Caddyfile | 14 | COPY Caddyfile /etc/caddy/Caddyfile |
| 15 | COPY sshd_config /etc/ssh/sshd_config | ||
| 14 | COPY entrypoint.sh /entrypoint.sh | 16 | COPY entrypoint.sh /entrypoint.sh |
| 15 | RUN chmod +x /entrypoint.sh | 17 | RUN chmod +x /entrypoint.sh |
| 16 | 18 | ||
| 17 | # 80 required for Let's Encrypt HTTP-01 challenge, 443 for HTTPS | 19 | # 80 required for Let's Encrypt HTTP-01 challenge, 443 for HTTPS, 22 for git SSH |
| 18 | EXPOSE 80 443 | 20 | EXPOSE 80 443 22 |
| 19 | 21 | ||
| 20 | ENTRYPOINT ["/entrypoint.sh"] | 22 | ENTRYPOINT ["/entrypoint.sh"] |
| @@ -1,12 +1,11 @@ | |||
| 1 | CGIT-CADDY CONTAINER | 1 | CGIT CONTAINER |
| 2 | 2 | ||
| 3 | Cgit with automatic HTTPS (cgit + caddy + Let's Encrypt). | 3 | Cgit with automatic HTTPS (cgit + caddy + Let's Encrypt). |
| 4 | 4 | ||
| 5 | Requirements: | 5 | Requirements: |
| 6 | - Public IPv4 address pointed to this machine | 6 | - Public IPv4 address |
| 7 | - /git directory on host for bare git repos | 7 | - Domain pointing to the IP |
| 8 | - Domain name pointing to the public IP | 8 | - /git directory for bare repos |
| 9 | TLS certificates are auto-generated by Caddy and stored in a container volume. | ||
| 10 | 9 | ||
| 11 | Host setup (one-time): | 10 | Host setup (one-time): |
| 12 | cat > /etc/sysctl.d/99-container-routing.conf << 'EOF' | 11 | cat > /etc/sysctl.d/99-container-routing.conf << 'EOF' |
| @@ -14,12 +13,9 @@ Host setup (one-time): | |||
| 14 | net.ipv4.conf.enp1s0.proxy_arp=1 | 13 | net.ipv4.conf.enp1s0.proxy_arp=1 |
| 15 | EOF | 14 | EOF |
| 16 | sysctl -p /etc/sysctl.d/99-container-routing.conf | 15 | sysctl -p /etc/sysctl.d/99-container-routing.conf |
| 17 | mkdir -p /git | 16 | mkdir -p /git/.ssh |
| 18 | 17 | ||
| 19 | Build: | 18 | Run: |
| 20 | podman build -t cgit-caddy . | ||
| 21 | |||
| 22 | Run (first time or after changes): | ||
| 23 | ./start_container.sh | 19 | ./start_container.sh |
| 24 | 20 | ||
| 25 | Run (manual): | 21 | Run (manual): |
| @@ -31,19 +27,25 @@ Run (manual): | |||
| 31 | --env-file config.env \ | 27 | --env-file config.env \ |
| 32 | -v cgit_data:/data \ | 28 | -v cgit_data:/data \ |
| 33 | -v /git:/git \ | 29 | -v /git:/git \ |
| 34 | localhost/cgit-caddy | 30 | localhost/cgit |
| 35 | 31 | ||
| 36 | sleep 2 | 32 | sleep 2 |
| 37 | podman exec cgit ip addr add 37.27.166.242/32 dev eth0 | 33 | podman exec cgit ip addr add 37.27.166.242/32 dev eth0 |
| 38 | ip route add 37.27.166.242/32 via 10.89.0.2 | 34 | ip route add 37.27.166.242/32 via 10.89.0.2 |
| 39 | 35 | ||
| 36 | SSH keys: | ||
| 37 | Drop .pub files in /git/.ssh/, they're combined into authorized_keys on run. | ||
| 38 | |||
| 39 | Create repo: | ||
| 40 | git init --bare /git/myrepo | ||
| 41 | |||
| 40 | Restart: | 42 | Restart: |
| 41 | podman restart cgit | 43 | podman restart cgit |
| 42 | 44 | ||
| 43 | Stop: | 45 | Stop: |
| 44 | podman stop cgit && podman rm cgit && ip route del 37.27.166.242/32 | 46 | podman stop cgit && podman rm cgit && ip route del 37.27.166.242/32 |
| 45 | 47 | ||
| 46 | Cleanup (remove everything): | 48 | Cleanup: |
| 47 | podman stop cgit | 49 | podman stop cgit |
| 48 | podman rm cgit | 50 | podman rm cgit |
| 49 | podman volume rm cgit_data | 51 | podman volume rm cgit_data |
| @@ -55,6 +57,3 @@ Logs: | |||
| 55 | 57 | ||
| 56 | Shell: | 58 | Shell: |
| 57 | podman exec -it cgit sh | 59 | podman exec -it cgit sh |
| 58 | |||
| 59 | Create repo: | ||
| 60 | git init --bare /git/myrepo | ||
| @@ -10,7 +10,8 @@ NETWORK=public-routed | |||
| 10 | 10 | ||
| 11 | # Paths (inside container) | 11 | # Paths (inside container) |
| 12 | GIT_PATH=/git | 12 | GIT_PATH=/git |
| 13 | XDG_DATA_HOME=/data # mounted as caddy_data volume, stores SSL certs | 13 | # Caddy stores SSL certs here, mounted as ${CONTAINER_NAME}_data volume |
| 14 | XDG_DATA_HOME=/data | ||
| 14 | CGIT_CSS=/cgit.css | 15 | CGIT_CSS=/cgit.css |
| 15 | CGIT_LOGO=/cgit.png | 16 | CGIT_LOGO=/cgit.png |
| 16 | FCGI_SOCK=/run/fcgiwrap.sock | 17 | FCGI_SOCK=/run/fcgiwrap.sock |
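--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -13,6 +13,14 @@ fi
 # Generate cgitrc from template
 envsubst < /etc/cgitrc.template > /etc/cgitrc
 
+# Setup SSH
+ssh-keygen -A # Generate host keys if missing
+mkdir -p /git/.ssh
+touch /git/.ssh/authorized_keys
+chmod 700 /git/.ssh
+chmod 600 /git/.ssh/authorized_keys
+/usr/sbin/sshd
+
 spawn-fcgi -s ${FCGI_SOCK} /usr/bin/fcgiwrap
 chmod 666 ${FCGI_SOCK}
 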
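Review bot: The host keys generated by `ssh-keygen -A` (new line 17) land in the image's /etc/ssh, which is not on any volume — the run command in start_container.sh mounts only `${CONTAINER_NAME}_data:/data` and `/git:/git` — so every `podman rm`/`podman run` cycle produces fresh host keys and git clients get a host-key-changed warning, which trains users to wave mismatches through. Keep the keys on the persistent volume instead, e.g. `mkdir -p /data/etc/ssh` followed by `ssh-keygen -A -f /data`, with a matching `HostKey /data/etc/ssh/ssh_host_ed25519_key` line in sshd_config. `/usr/sbin/sshd` on line 22 is also launched without checking its exit status, so a daemon that refuses to start (missing keys, bad config) is only noticed when clients cannot connect; `/usr/sbin/sshd || { echo 'sshd failed to start' >&2; exit 1; }` surfaces it, unless the script already runs under `set -e` (its header is outside the hunk). The script continues past both ends of the hunk.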
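--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,6 @@
+Port 22
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+PubkeyAuthentication yes
+AuthorizedKeysFile /git/.ssh/authorized_keys
+Subsystem sftp /usr/lib/ssh/sftp-server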
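Review bot: With `PermitRootLogin prohibit-password` and `AuthorizedKeysFile /git/.ssh/authorized_keys` (lines 2 and 5) and no other account created in the Dockerfile, every .pub file dropped into /git/.ssh/ authenticates as root inside the container, with unrestricted write access to the /git bind mount and, via line 6, an SFTP subsystem that exposes the whole filesystem rather than just git. A dedicated unprivileged user that owns /git, created in the Dockerfile, together with `PermitRootLogin no` and `AllowUsers git`, confines contributors to the repositories; if pushes and clones are the only intended use, a git-only login shell or a `ForceCommand` removes interactive access as well. With such a user, /git/.ssh and authorized_keys must be owned by that user (or root) and not writable by others, or StrictModes will reject the file. Forwarding is left at its defaults; `AllowTcpForwarding no` and `X11Forwarding no` are cheap to add for a host that only serves git.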
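--- a/start_container.sh
+++ b/start_container.sh
@@ -17,6 +17,16 @@ podman stop ${CONTAINER_NAME} 2>/dev/null || true
 podman rm ${CONTAINER_NAME} 2>/dev/null || true
 ip route del ${PUBLIC_IP}/32 2>/dev/null || true
 
+# Rebuild authorized_keys from .pub files
+mkdir -p /git/.ssh
+rm -f /git/.ssh/authorized_keys
+cat /git/.ssh/*.pub > /git/.ssh/authorized_keys 2>/dev/null || true
+chmod 600 /git/.ssh/authorized_keys
+
+# Build image
+echo "Building image..."
+podman build -t cgit "$(dirname "$0")"
+
 # Run container
 podman run -d \
 --name ${CONTAINER_NAME} \
@@ -26,7 +36,7 @@ podman run -d \
 --env-file "$(dirname "$0")/config.env" \
 -v ${CONTAINER_NAME}_data:/data \
 -v /git:/git \
-localhost/cgit-caddy
+localhost/cgit
 
 # Setup public IP
 sleep 2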
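Review bot: `cat /git/.ssh/*.pub > /git/.ssh/authorized_keys` (new line 23) joins the files byte-for-byte, so a .pub saved without a trailing newline is glued onto the key that follows and sshd rejects both; `awk 1 /git/.ssh/*.pub > /git/.ssh/authorized_keys 2>/dev/null || true` writes every line newline-terminated and is otherwise identical, including the empty file when no .pub exists. The `2>/dev/null || true` also hides an unreadable .pub, leaving a silently truncated authorized_keys, so printing the result, e.g. `printf 'authorized_keys: %s key(s)\n' "$(grep -c . /git/.ssh/authorized_keys)"`, lets the operator notice a missing key before the container is up. Separately, `podman build` on line 28 runs after the `podman stop`/`podman rm` lines that open the hunk, so a failed build leaves the service down and, unless the script runs under `set -e` (its header is outside the hunk), `podman run` then starts whatever `localhost/cgit` image was built last; moving the build block ahead of the stop/rm avoids both outcomes. The script continues outside the hunk on both ends.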
