diff --git a/config/service/git/Containerfile b/config/service/git/Containerfile
index c680044..dd5bf40 100644
--- a/config/service/git/Containerfile
+++ b/config/service/git/Containerfile
@@ -4,7 +4,7 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \
 ca-certificates git openssh-server
 RUN addgroup --system --gid 10000 git
-RUN adduser --system --uid 10000 --ingroup git --shell /usr/bin/git-shell --home /home/git git
+RUN adduser --system --uid 10000 --ingroup git --shell /usr/bin/git-shell --home /var/lib/git git
 RUN mkdir -p /var/run/sshd
 COPY container/config /etc/ssh
diff --git a/config/service/git/container/config/sshd_config b/config/service/git/container/config/sshd_config
index 419074c..c107107 100644
--- a/config/service/git/container/config/sshd_config
+++ b/config/service/git/container/config/sshd_config
@@ -1,7 +1,7 @@
 # Supported HostKey algorithms by order of preference.
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/keys/ssh_host_ed25519_key
+HostKey /etc/ssh/keys/ssh_host_rsa_key
+HostKey /etc/ssh/keys/ssh_host_ecdsa_key
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
diff --git a/config/service/git/container/run-git-server b/config/service/git/container/run-git-server
index 5b8663b..2b82bf8 100755
--- a/config/service/git/container/run-git-server
+++ b/config/service/git/container/run-git-server
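Review bot: The three HostKey lines now reference /etc/ssh/keys, a directory that nothing in the Containerfile hunk creates and that the rest of this file does not explain, so a reader of sshd_config alone cannot tell where the keys come from or why they moved. A comment above the block would close that gap: `# Host keys live on the keys volume mounted at /etc/ssh/keys; run-git-server generates any that are missing on first start.` Because the keys are now generated inside the container on first start rather than shipped in the image, the first start produces a fresh fingerprint that clients must verify and operators should record, which is worth a second line in that comment.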
@@ -1,8 +1,20 @@
 #!/bin/sh
+# Generate host keys if none were found.
+for t in rsa ecdsa ed25519; do
+ if test ! -f /etc/ssh/keys/ssh_host_${t}_key; then
+ ssh-keygen -q -t $t -f /etc/ssh/keys/ssh_host_${t}_key -C '' -N '' > /dev/null
+ fi
+done
+
+# Create any missing directories.
+mkdir -p /var/lib/git/.ssh
+
 # Correct permissions where needed.
-chown -R git:git /home/git
-chmod -R u+rwX,go-rwxX /home/git/.ssh
+chown -R git:git /var/lib/git
+chmod -R u+rwX,go-rwxX /var/lib/git/.ssh
+chmod 0644 /etc/ssh/keys/ssh_host_*_key.pub
+chmod 0600 /etc/ssh/keys/ssh_host_*_key
 # Run SSH daemon.
 /usr/sbin/sshd -D -e
diff --git a/config/service/git/spec.bu b/config/service/git/spec.bu
index b234261..fe843eb 100644
--- a/config/service/git/spec.bu
+++ b/config/service/git/spec.bu
@@ -12,6 +12,8 @@ systemd:
 enabled: true
 - name: git-ssh-ed25519@.service
 enabled: true
+ - name: git-ssh-github@.service
+ enabled: true
 - name: git-ssh-pubkey@-etc-ssh-ssh_host_rsa_key.pub.service
 enabled: true
 dropins:
diff --git a/config/service/git/systemd/git-ssh-ed25519@.service b/config/service/git/systemd/git-ssh-ed25519@.service
index 5a8ec5c..bae08aa 100644
--- a/config/service/git/systemd/git-ssh-ed25519@.service
+++ b/config/service/git/systemd/git-ssh-ed25519@.service
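Review bot: The ssh-keygen loop writes into /etc/ssh/keys before the `# Create any missing directories.` step, and neither this script nor the Containerfile hunk creates that directory, so the script only works when the `%N-ssh` volume from git.service is mounted there; adding `mkdir -p /etc/ssh/keys` ahead of the loop (next to the existing `mkdir -p /var/lib/git/.ssh`) makes it self-sufficient. The script also has no `set -e`, so a failed ssh-keygen or chown is ignored and sshd is still started, which then fails on the missing host key with the root cause already scrolled past; `set -e` after the shebang stops at the first failure. Note also that `chown -R git:git /var/lib/git` now walks the whole repository volume on every container start, which grows with the repositories and rewrites ownership of anything placed there; the systemd units only write `/var/lib/git/.ssh` as uid 10000, so narrowing the chown to that path may suffice, but confirm nothing else depends on it.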
@@ -1,19 +1,19 @@
 [Unit]
 Description=Git SSH authentication via ed25519 key %I
+Wants=git.service
+After=git.service
 [Service]
 Type=oneshot
 RemainAfterExit=true
-PrivateTmp=true
-Environment=GIT_HOME=/var/lib/container-service/git
-ExecStartPre=/bin/install --owner 10000 --group 10000 -m 0700 -d ${GIT_HOME}/.ssh
-ExecStartPre=/bin/install -d ${GIT_HOME}/.ssh/authorized_keys.d
-ExecStart=/bin/sh -c "echo 'ssh-ed25519 %I' > ${GIT_HOME}/.ssh/authorized_keys.d/%i"
-ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
-ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
-ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
+ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
+ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
+ExecStart=/bin/podman exec git sh -c "echo 'ssh-ed25519 %I' > /var/lib/git/.ssh/authorized_keys.d/%i"
+ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
+ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/git/systemd/git-ssh-github@.service b/config/service/git/systemd/git-ssh-github@.service
new file mode 100644
index 0000000..e23447b
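Review bot: This unit, git-ssh-pubkey@ and the new git-ssh-github@ all rebuild authorized_keys through the same fixed path /tmp/authorized_keys inside the container, and because their instances start in parallel once git.service is up, one instance's `cat ... > /tmp/authorized_keys` can truncate the file while another instance's `install` is copying it, installing a partial key list. Deriving the scratch name from the instance (`/tmp/authorized_keys.%i`) or writing beside the target (`/var/lib/git/.ssh/authorized_keys.tmp`) avoids the shared name; each cat still reads all of authorized_keys.d, so the last writer still yields the full set. Dropping PrivateTmp=true is consistent with the temp file now living in the container, but it also means the file is created in the container's shared /tmp, presumably as root since the Containerfile hunk sets no USER; writing it under /var/lib/git/.ssh, which the ExecStartPre line restricts to mode 0700, removes that reliance as well.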
--- /dev/null
+++ b/config/service/git/systemd/git-ssh-github@.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Git SSH authentication via key for Github user %I
+Wants=git.service
+After=git.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+PrivateTmp=true
+ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
+ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
+ExecStartPre=/usr/bin/curl --silent --fail -o /tmp/keys https://github.com/%i.keys
+ExecStart=/bin/podman cp /tmp/keys git:/var/lib/git/.ssh/authorized_keys.d/github-%i
+ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/github-%i
+ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+
+[Install]
+WantedBy=multi-user.target
diff --git a/config/service/git/systemd/git-ssh-pubkey@.service b/config/service/git/systemd/git-ssh-pubkey@.service
index 7e18af5..5930068 100644
--- a/config/service/git/systemd/git-ssh-pubkey@.service
+++ b/config/service/git/systemd/git-ssh-pubkey@.service
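Review bot: `ExecStartPre=/usr/bin/curl --silent --fail -o /tmp/keys https://github.com/%i.keys` sets no `--max-time`, and Type=oneshot disables the start timeout by default, so a stalled fetch blocks this unit indefinitely; `--max-time 30` on the curl line or an explicit `TimeoutStartSec=` bounds it. The response is installed as-is: `--fail` rejects HTTP errors, but an account with no keys produces an empty file and any body that is not an authorized_keys line is still concatenated into authorized_keys by the ExecStartPost, so a check before the `podman cp` such as `ExecStartPre=/usr/bin/test -s /tmp/keys` (and, if wanted, a per-line key-type check) makes the unit fail loudly instead. The keys are fetched once at start, so a key the GitHub user later removes stays authorized until the instance is restarted; a timer that periodically restarts it, or at least a comment stating that lifetime, belongs here. The authorization now rests on the TLS connection to github.com and on the account owner's key hygiene, and a comment above the curl line naming that trust boundary would help the next reviewer.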
@@ -1,19 +1,20 @@
 [Unit]
 Description=Git SSH authentication via public key file %I
+Wants=git.service
+After=git.service
 ConditionPathExists=%I
 [Service]
 Type=oneshot
 RemainAfterExit=true
-PrivateTmp=true
-Environment=GIT_HOME=/var/lib/container-service/git
-ExecStartPre=/bin/install --owner 10000 --group 10000 -m 0700 -d ${GIT_HOME}/.ssh
-ExecStart=/bin/install -m 0600 -D %I ${GIT_HOME}/.ssh/authorized_keys.d/%i
-ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
-ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
-ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
+ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
+ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
+ExecStart=/bin/podman cp %I git:/var/lib/git/.ssh/authorized_keys.d/%i
+ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
+ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/git/systemd/git.service b/config/service/git/systemd/git.service
index 4ecdd4c..01c642d 100644
--- a/config/service/git/systemd/git.service
+++ b/config/service/git/systemd/git.service
@@ -1,15 +1,15 @@
 [Unit]
 Description=Git server over SSH
-Wants=container-build@%N.service container-network@%N.service container-network@internal.service
-After=container-build@%N.service container-network@%N.service container-network@internal.service
+Wants=container-build@%N.service
+After=container-build@%N.service
 [Service]
 Restart=always
-ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/%N
-ExecStart=/bin/podman run --replace --pull never --net internal,%N --cap-add AUDIT_WRITE \
+ExecStart=/bin/podman run --replace --pull never --net internal --name %N --cap-add AUDIT_WRITE \
 --publish 468:22 \
- --volume /var/lib/container-service/%N:/home/git:z \
- --name %N localhost/%N:latest
+ --volume %N:/var/lib/git:z \
+ --volume %N-ssh:/etc/ssh/keys:z \
+ localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
 ExecStopPost=/bin/podman rm --force %N
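Review bot: The key units now run `podman exec git ...` ordered only by `After=git.service`, but this unit has no `Type=` in the [Service] section shown, so it counts as started the moment `podman run` is forked and an exec issued right after it can reach a container that is not yet running; `Type=notify` here plus `--sdnotify=conmon` on the `podman run` line makes `After=git.service` mean the container is actually up. `--net internal` is kept while `container-network@internal.service` was dropped from Wants=/After=; if that unit is what creates the `internal` network (its name suggests so, but it is not shown here), `podman run` can race it at boot, so `Wants=container-network@internal.service` and `After=container-network@internal.service` should stay unless the network is created elsewhere. The `%N-ssh` volume is what makes the server's host key fingerprint survive container replacement, which deserves a comment on that `--volume` line such as `# host keys; deleting this volume changes the server fingerprint` so it is not treated as disposable.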