git: Reuse host keys, add Github key authorization

config/service/git/Containerfile

@@ -4,7 +4,7 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \
     ca-certificates git openssh-server
 
 RUN addgroup --system --gid 10000 git
-RUN adduser --system --uid 10000 --ingroup git --shell /usr/bin/git-shell --home /home/git git
+RUN adduser --system --uid 10000 --ingroup git --shell /usr/bin/git-shell --home /var/lib/git git
 RUN mkdir -p /var/run/sshd
 
 COPY container/config /etc/ssh

config/service/git/container/config/sshd_config

@@ -1,7 +1,7 @@
 # Supported HostKey algorithms by order of preference.
-HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/keys/ssh_host_ed25519_key
-HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/keys/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/keys/ssh_host_ecdsa_key
 
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

config/service/git/container/run-git-server

@@ -1,8 +1,20 @@
 #!/bin/sh
 
+# Generate host keys if none were found.
+for t in rsa ecdsa ed25519; do
+    if test ! -f /etc/ssh/keys/ssh_host_${t}_key; then
+        ssh-keygen -q -t $t -f /etc/ssh/keys/ssh_host_${t}_key -C '' -N '' > /dev/null
+    fi
+done
+
+# Create any missing directories.
+mkdir -p /var/lib/git/.ssh
+
 # Correct permissions where needed.
-chown -R git:git /home/git
+chown -R git:git /var/lib/git
-chmod -R u+rwX,go-rwxX /home/git/.ssh
+chmod -R u+rwX,go-rwxX /var/lib/git/.ssh
+chmod 0644 /etc/ssh/keys/ssh_host_*_key.pub
+chmod 0600 /etc/ssh/keys/ssh_host_*_key
 
 # Run SSH daemon.
 /usr/sbin/sshd -D -e

config/service/git/spec.bu

@@ -12,6 +12,8 @@ systemd:
       enabled: true
     - name: git-ssh-ed25519@.service
       enabled: true
+    - name: git-ssh-github@.service
+      enabled: true
     - name: git-ssh-pubkey@-etc-ssh-ssh_host_rsa_key.pub.service
       enabled: true
       dropins:

config/service/git/systemd/git-ssh-ed25519@.service

@@ -1,19 +1,19 @@
 [Unit]
 Description=Git SSH authentication via ed25519 key %I
+Wants=git.service
+After=git.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=true
-PrivateTmp=true
+ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
-Environment=GIT_HOME=/var/lib/container-service/git
+ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
-ExecStartPre=/bin/install --owner 10000 --group 10000 -m 0700 -d ${GIT_HOME}/.ssh
+ExecStart=/bin/podman exec git sh -c "echo 'ssh-ed25519 %I' > /var/lib/git/.ssh/authorized_keys.d/%i"
-ExecStartPre=/bin/install -d ${GIT_HOME}/.ssh/authorized_keys.d
+ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStart=/bin/sh -c "echo 'ssh-ed25519 %I' > ${GIT_HOME}/.ssh/authorized_keys.d/%i"
+ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
-ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
-ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
+ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
+ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
-ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
 
 [Install]
 WantedBy=multi-user.target

config/service/git/systemd/git-ssh-github@.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Git SSH authentication via key for Github user %I
+Wants=git.service
+After=git.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+PrivateTmp=true
+ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
+ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
+ExecStartPre=/usr/bin/curl --silent --fail -o /tmp/keys https://github.com/%i.keys
+ExecStart=/bin/podman cp /tmp/keys git:/var/lib/git/.ssh/authorized_keys.d/github-%i
+ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/github-%i
+ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+
+[Install]
+WantedBy=multi-user.target

config/service/git/systemd/git-ssh-pubkey@.service

@@ -1,19 +1,20 @@
 [Unit]
 Description=Git SSH authentication via public key file %I
+Wants=git.service
+After=git.service
 ConditionPathExists=%I
 
 [Service]
 Type=oneshot
 RemainAfterExit=true
-PrivateTmp=true
+ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
-Environment=GIT_HOME=/var/lib/container-service/git
+ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
-ExecStartPre=/bin/install --owner 10000 --group 10000 -m 0700 -d ${GIT_HOME}/.ssh
+ExecStart=/bin/podman cp %I git:/var/lib/git/.ssh/authorized_keys.d/%i
-ExecStart=/bin/install -m 0600 -D %I ${GIT_HOME}/.ssh/authorized_keys.d/%i
+ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
-ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
+ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
-ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
+ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
-ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
 
 [Install]
 WantedBy=multi-user.target

config/service/git/systemd/git.service

@@ -1,15 +1,15 @@
 [Unit]
 Description=Git server over SSH
-Wants=container-build@%N.service container-network@%N.service container-network@internal.service
+Wants=container-build@%N.service
-After=container-build@%N.service container-network@%N.service container-network@internal.service
+After=container-build@%N.service
 
 [Service]
 Restart=always
-ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/%N
+ExecStart=/bin/podman run --replace --pull never --net internal --name %N --cap-add AUDIT_WRITE \
-ExecStart=/bin/podman run --replace --pull never --net internal,%N --cap-add AUDIT_WRITE \
                           --publish 468:22 \
-                          --volume /var/lib/container-service/%N:/home/git:z \
+                          --volume %N:/var/lib/git:z \
-                          --name %N localhost/%N:latest
+                          --volume %N-ssh:/etc/ssh/keys:z \
+                          localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
 ExecStopPost=/bin/podman rm --force %N