From 7bd52ea1ae10870cc2ff8aa5c237679c30ffda72 Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 29 Dec 2025 20:01:17 +0800 Subject: ssh keyfiles support --- Dockerfile | 8 +++++--- README | 29 ++++++++++++++--------------- config.env | 3 ++- entrypoint.sh | 8 ++++++++ sshd_config | 6 ++++++ start_container.sh | 12 +++++++++++- 6 files changed, 46 insertions(+), 20 deletions(-) create mode 100644 sshd_config diff --git a/Dockerfile b/Dockerfile index 35208e9..86352b4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,14 +7,16 @@ RUN apk add --no-cache \ fcgiwrap \ spawn-fcgi \ gettext \ - openssl + openssl \ + openssh-server COPY cgitrc.template /etc/cgitrc.template COPY Caddyfile /etc/caddy/Caddyfile +COPY sshd_config /etc/ssh/sshd_config COPY entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh -# 80 required for Let's Encrypt HTTP-01 challenge, 443 for HTTPS -EXPOSE 80 443 +# 80 required for Let's Encrypt HTTP-01 challenge, 443 for HTTPS, 22 for git SSH +EXPOSE 80 443 22 ENTRYPOINT ["/entrypoint.sh"] diff --git a/README b/README index 99ecf57..c71655b 100644 --- a/README +++ b/README @@ -1,12 +1,11 @@ -CGIT-CADDY CONTAINER +CGIT CONTAINER Cgit with automatic HTTPS (cgit + caddy + Let's Encrypt). Requirements: - - Public IPv4 address pointed to this machine - - /git directory on host for bare git repos - - Domain name pointing to the public IP -TLS certificates are auto-generated by Caddy and stored in a container volume. + - Public IPv4 address + - Domain pointing to the IP + - /git directory for bare repos Host setup (one-time): cat > /etc/sysctl.d/99-container-routing.conf << 'EOF' @@ -14,12 +13,9 @@ Host setup (one-time): net.ipv4.conf.enp1s0.proxy_arp=1 EOF sysctl -p /etc/sysctl.d/99-container-routing.conf - mkdir -p /git + mkdir -p /git/.ssh -Build: - podman build -t cgit-caddy . - -Run (first time or after changes): +Run: ./start_container.sh Run (manual): 
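Review bot: The image still has no unprivileged account, so together with `PermitRootLogin prohibit-password` in the new sshd_config (hunk below) every `.pub` dropped into /git/.ssh buys an unrestricted root shell inside the container, and pushes leave root-owned repositories. Add a dedicated user with a restricted login shell next to the `apk add` line, e.g. `RUN adduser -D -h /git -s "$(command -v git-shell)" git` (assuming the git package installed earlier in this RUN, outside the hunk, provides git-shell), then switch sshd_config to `PermitRootLogin no` and `AllowUsers git`, and have entrypoint.sh chown /git/.ssh and authorized_keys to that user so StrictModes accepts them. The same point applies to the entrypoint.sh and sshd_config hunks; it is raised once here.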
@@ -31,19 +27,25 @@ Run (manual): --env-file config.env \ -v cgit_data:/data \ -v /git:/git \ - localhost/cgit-caddy + localhost/cgit sleep 2 podman exec cgit ip addr add 37.27.166.242/32 dev eth0 ip route add 37.27.166.242/32 via 10.89.0.2 +SSH keys: + Drop .pub files in /git/.ssh/, they're combined into authorized_keys on run. + +Create repo: + git init --bare /git/myrepo + Restart: podman restart cgit Stop: podman stop cgit && podman rm cgit && ip route del 37.27.166.242/32 -Cleanup (remove everything): +Cleanup: podman stop cgit podman rm cgit podman volume rm cgit_data @@ -55,6 +57,3 @@ Logs: Shell: podman exec -it cgit sh - -Create repo: - git init --bare /git/myrepo diff --git a/config.env b/config.env index 417ce14..0f623f9 100644 --- a/config.env +++ b/config.env @@ -10,7 +10,8 @@ NETWORK=public-routed # Paths (inside container) GIT_PATH=/git -XDG_DATA_HOME=/data # mounted as caddy_data volume, stores SSL certs +# Caddy stores SSL certs here, mounted as ${CONTAINER_NAME}_data volume +XDG_DATA_HOME=/data CGIT_CSS=/cgit.css CGIT_LOGO=/cgit.png FCGI_SOCK=/run/fcgiwrap.sock diff --git a/entrypoint.sh b/entrypoint.sh index bf3753f..3e2dcc0 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -13,6 +13,14 @@ fi # Generate cgitrc from template envsubst < /etc/cgitrc.template > /etc/cgitrc +# Setup SSH +ssh-keygen -A # Generate host keys if missing +mkdir -p /git/.ssh +touch /git/.ssh/authorized_keys +chmod 700 /git/.ssh +chmod 600 /git/.ssh/authorized_keys +/usr/sbin/sshd + spawn-fcgi -s ${FCGI_SOCK} /usr/bin/fcgiwrap chmod 666 ${FCGI_SOCK} diff --git a/sshd_config b/sshd_config new file mode 100644 index 0000000..ab4c469 --- /dev/null +++ b/sshd_config @@ -0,0 +1,6 @@ +Port 22 +PermitRootLogin prohibit-password +PasswordAuthentication no +PubkeyAuthentication yes +AuthorizedKeysFile /git/.ssh/authorized_keys +Subsystem sftp /usr/lib/ssh/sftp-server diff --git a/start_container.sh b/start_container.sh index bf1c167..25fcb10 100755 --- a/start_container.sh 
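Review bot: `ssh-keygen -A` writes the host keys into /etc/ssh, which is on no mounted volume, so every time start_container.sh removes and recreates the container the server identity changes and clients get a host-key-changed warning they learn to click through. Generate into persistent storage instead, e.g. `mkdir -p /data/etc/ssh` and `ssh-keygen -A -f /data`, with `HostKey /data/etc/ssh/ssh_host_ed25519_key` in sshd_config (or give /etc/ssh its own volume in start_container.sh). `/usr/sbin/sshd` is also started without checking its status; unless the script runs under `set -e` (not visible in this hunk) a bad config leaves the container running without SSH and nothing reports it, so prefer `/usr/sbin/sshd || { echo "sshd failed to start" >&2; exit 1; }`. The script continues outside the hunk.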
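Review bot: `Subsystem sftp /usr/lib/ssh/sftp-server` enables SFTP, which a git-over-SSH service does not need and which hands every key holder interactive file access to the container filesystem; drop the line so the only thing a key buys is git transport. It is also worth closing the remaining interactive path explicitly with `KbdInteractiveAuthentication no` (`PasswordAuthentication no` alone does not cover it on builds where keyboard-interactive is offered) and limiting who may log in with `AllowUsers`. With StrictModes at its default, /git/.ssh and authorized_keys must be owned by the login user and not group/world-writable; since /git is a bind mount, that ownership comes from the host, so verify it matches.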
+++ b/start_container.sh @@ -17,6 +17,16 @@ podman stop ${CONTAINER_NAME} 2>/dev/null || true podman rm ${CONTAINER_NAME} 2>/dev/null || true ip route del ${PUBLIC_IP}/32 2>/dev/null || true +# Rebuild authorized_keys from .pub files +mkdir -p /git/.ssh +rm -f /git/.ssh/authorized_keys +cat /git/.ssh/*.pub > /git/.ssh/authorized_keys 2>/dev/null || true +chmod 600 /git/.ssh/authorized_keys + +# Build image +echo "Building image..." +podman build -t cgit "$(dirname "$0")" + # Run container podman run -d \ --name ${CONTAINER_NAME} \ @@ -26,7 +36,7 @@ podman run -d \ --env-file "$(dirname "$0")/config.env" \ -v ${CONTAINER_NAME}_data:/data \ -v /git:/git \ - localhost/cgit-caddy + localhost/cgit # Setup public IP sleep 2 -- cgit v1.2.3
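Review bot: `cat /git/.ssh/*.pub > ... 2>/dev/null || true` accepts anything named *.pub without checking it is a key, merges files that lack a trailing newline into one broken line, and hides every failure including the "no keys at all" case, so a misplaced file silently leaves nobody able to log in. Iterate the files, validate each with `ssh-keygen -l -f` (needs the host's openssh client), append with a guaranteed newline, and warn when nothing usable was found; the rewrite below stays POSIX sh because the script's shebang is outside the hunk. The entrypoint.sh hunk repeats the mkdir/touch/chmod of this file inside the container; keeping that logic in one place would stop the two from drifting.
```shell
# Rebuild authorized_keys from .pub files
mkdir -p /git/.ssh
: > /git/.ssh/authorized_keys
chmod 600 /git/.ssh/authorized_keys
found=0
for k in /git/.ssh/*.pub; do
  [ -f "$k" ] || continue  # unmatched glob leaves the literal pattern
  if ssh-keygen -l -f "$k" >/dev/null 2>&1; then
    # echo guarantees a newline; sshd ignores the blank line it may add
    { cat -- "$k"; echo; } >> /git/.ssh/authorized_keys
    found=1
  else
    echo "Skipping $k: not a valid public key" >&2
  fi
done
[ "$found" -eq 1 ] || echo "Warning: no usable .pub files in /git/.ssh" >&2
# … unchanged: image build and podman run …
```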