git: Reuse host keys, add Github key authorization
This commit is contained in:
parent
e0b7b635ab
commit
3ace3b517b
@ -4,7 +4,7 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \
|
||||
ca-certificates git openssh-server
|
||||
|
||||
RUN addgroup --system --gid 10000 git
|
||||
RUN adduser --system --uid 10000 --ingroup git --shell /usr/bin/git-shell --home /home/git git
|
||||
RUN adduser --system --uid 10000 --ingroup git --shell /usr/bin/git-shell --home /var/lib/git git
|
||||
RUN mkdir -p /var/run/sshd
|
||||
|
||||
COPY container/config /etc/ssh
|
||||
|
@ -1,7 +1,7 @@
|
||||
# Supported HostKey algorithms by order of preference.
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
HostKey /etc/ssh/keys/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/keys/ssh_host_rsa_key
|
||||
HostKey /etc/ssh/keys/ssh_host_ecdsa_key
|
||||
|
||||
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
|
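Review bot: Nothing in this hunk limits what a key holder may do once authenticated beyond the login shell: git-shell on the account (see the Containerfile change) restricts the command, but sshd by default still allows TCP, agent and X11 forwarding, so any deploy key added by the new `git-ssh-*@` units would let its holder tunnel through this container into the `internal` podman network it is attached to. Unless they are already set in the part of sshd_config outside the hunk, add `AllowTcpForwarding no`, `AllowAgentForwarding no` and `X11Forwarding no` next to the HostKey block (per-key `restrict` in authorized_keys would do the same, but the GitHub-fetched keys are copied verbatim, so the global setting is the reliable place). The KexAlgorithms and Ciphers lines are unchanged context, and the file most likely continues past the hunk.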
@ -1,8 +1,20 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Generate host keys if none were found.
|
||||
for t in rsa ecdsa ed25519; do
|
||||
if test ! -f /etc/ssh/keys/ssh_host_${t}_key; then
|
||||
ssh-keygen -q -t $t -f /etc/ssh/keys/ssh_host_${t}_key -C '' -N '' > /dev/null
|
||||
fi
|
||||
done
|
||||
|
||||
# Create any missing directories.
|
||||
mkdir -p /var/lib/git/.ssh
|
||||
|
||||
# Correct permissions where needed.
|
||||
chown -R git:git /home/git
|
||||
chmod -R u+rwX,go-rwxX /home/git/.ssh
|
||||
chown -R git:git /var/lib/git
|
||||
chmod -R u+rwX,go-rwxX /var/lib/git/.ssh
|
||||
chmod 0644 /etc/ssh/keys/ssh_host_*_key.pub
|
||||
chmod 0600 /etc/ssh/keys/ssh_host_*_key
|
||||
|
||||
# Run SSH daemon.
|
||||
/usr/sbin/sshd -D -e
|
||||
|
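Review bot: The script never sets `-e`, so if `ssh-keygen` fails for one of the three key types (an unwritable `/etc/ssh/keys` mount, for instance) the loop moves on and the final `sshd -D` still starts with whatever keys did load; the only trace is whatever ssh-keygen wrote to stderr. Put `set -eu` under the shebang so a failed step stops the container instead, and add `mkdir -p /etc/ssh/keys` before the loop, since the script assumes the mountpoint already exists rather than creating it as it does for `/var/lib/git/.ssh`. With `-q` already passed, the `> /dev/null` on the ssh-keygen line is redundant and can go.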
@ -12,6 +12,8 @@ systemd:
|
||||
enabled: true
|
||||
- name: git-ssh-ed25519@.service
|
||||
enabled: true
|
||||
- name: git-ssh-github@.service
|
||||
enabled: true
|
||||
- name: git-ssh-pubkey@-etc-ssh-ssh_host_rsa_key.pub.service
|
||||
enabled: true
|
||||
dropins:
|
||||
|
@ -1,19 +1,19 @@
|
||||
[Unit]
|
||||
Description=Git SSH authentication via ed25519 key %I
|
||||
Wants=git.service
|
||||
After=git.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=true
|
||||
PrivateTmp=true
|
||||
Environment=GIT_HOME=/var/lib/container-service/git
|
||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -m 0700 -d ${GIT_HOME}/.ssh
|
||||
ExecStartPre=/bin/install -d ${GIT_HOME}/.ssh/authorized_keys.d
|
||||
ExecStart=/bin/sh -c "echo 'ssh-ed25519 %I' > ${GIT_HOME}/.ssh/authorized_keys.d/%i"
|
||||
ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||
ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
|
||||
ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
|
||||
ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||
ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
|
||||
ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
|
||||
ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
|
||||
ExecStart=/bin/podman exec git sh -c "echo 'ssh-ed25519 %I' > /var/lib/git/.ssh/authorized_keys.d/%i"
|
||||
ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||
ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
|
||||
ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
|
||||
ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||
ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
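Review bot: `ExecStart` splices the unescaped instance name `%I` directly into the `sh -c` command string, so the key text is parsed as shell syntax inside the container; a base64 Ed25519 key happens to be shell-safe, but the template pattern will break (or execute) on any instance name carrying quotes or metacharacters. Passing the value as a positional parameter keeps the command string fixed: `ExecStart=/bin/podman exec git sh -c 'echo "ssh-ed25519 $1" > /var/lib/git/.ssh/authorized_keys.d/%i' sh %I`. `PrivateTmp=true` is now vestigial too, since every `/tmp/authorized_keys` write happens inside the container rather than on the host.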
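--- /dev/null
+++ b/config/service/git/systemd/git-ssh-github@.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Git SSH authentication via key for Github user %I
+Wants=git.service
+After=git.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+PrivateTmp=true
+ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
+ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
+ExecStartPre=/usr/bin/curl --silent --fail -o /tmp/keys https://github.com/%i.keys
+ExecStart=/bin/podman cp /tmp/keys git:/var/lib/git/.ssh/authorized_keys.d/github-%i
+ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/github-%i
+ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+
+[Install]
+WantedBy=multi-user.target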
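Review bot: The `curl` at ExecStartPre is the step that decides who may push, yet with `--silent` and no `--show-error` a failed fetch leaves no reason in the journal, and without `--max-time` a stalled connection at boot holds the unit (and every key it would have installed) indefinitely. I would change it to `ExecStartPre=/usr/bin/curl --silent --show-error --fail --proto =https --max-time 30 -o /tmp/keys https://github.com/%i.keys`. The trust boundary also deserves a line in the unit, since anyone who can add a key to that GitHub account gets push access here, and a key removed upstream stays authorized until the unit is restarted because the list is only fetched at start: `# Access is delegated to the GitHub account: keys are fetched once at start; restart the unit to re-sync.`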
@ -1,19 +1,20 @@
|
||||
[Unit]
|
||||
Description=Git SSH authentication via public key file %I
|
||||
Wants=git.service
|
||||
After=git.service
|
||||
ConditionPathExists=%I
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=true
|
||||
PrivateTmp=true
|
||||
Environment=GIT_HOME=/var/lib/container-service/git
|
||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -m 0700 -d ${GIT_HOME}/.ssh
|
||||
ExecStart=/bin/install -m 0600 -D %I ${GIT_HOME}/.ssh/authorized_keys.d/%i
|
||||
ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||
ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
|
||||
ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
|
||||
ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||
ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
|
||||
ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
|
||||
ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
|
||||
ExecStart=/bin/podman cp %I git:/var/lib/git/.ssh/authorized_keys.d/%i
|
||||
ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||
ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
|
||||
ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
|
||||
ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||
ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
@ -1,15 +1,15 @@
|
||||
[Unit]
|
||||
Description=Git server over SSH
|
||||
Wants=container-build@%N.service container-network@%N.service container-network@internal.service
|
||||
After=container-build@%N.service container-network@%N.service container-network@internal.service
|
||||
Wants=container-build@%N.service
|
||||
After=container-build@%N.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/%N
|
||||
ExecStart=/bin/podman run --replace --pull never --net internal,%N --cap-add AUDIT_WRITE \
|
||||
ExecStart=/bin/podman run --replace --pull never --net internal --name %N --cap-add AUDIT_WRITE \
|
||||
--publish 468:22 \
|
||||
--volume /var/lib/container-service/%N:/home/git:z \
|
||||
--name %N localhost/%N:latest
|
||||
--volume %N:/var/lib/git:z \
|
||||
--volume %N-ssh:/etc/ssh/keys:z \
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
||||
|
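Review bot: The `git-ssh-*@` units now `podman exec` into this container as soon as their `After=git.service` ordering is satisfied, but with the default service type that moment is when `podman run` is forked, not when the container exists, so on a cold boot they can race container creation and fail with "no such container". `Type=notify` in `[Service]` together with `--sdnotify=conmon` on the run line makes systemd wait for conmon to report the container as started before dependents proceed. If I read the rendered hunk correctly the `ExecStartPre=/bin/install … -d /var/lib/container-service/%N` line survives the change; with the bind mount replaced by the `%N` named volume it now creates a directory nothing mounts and can be dropped.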