git: Reuse host keys, add Github key authorization
This commit is contained in:
parent
e0b7b635ab
commit
3ace3b517b
@ -4,7 +4,7 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \
|
|||||||
ca-certificates git openssh-server
|
ca-certificates git openssh-server
|
||||||
|
|
||||||
RUN addgroup --system --gid 10000 git
|
RUN addgroup --system --gid 10000 git
|
||||||
RUN adduser --system --uid 10000 --ingroup git --shell /usr/bin/git-shell --home /home/git git
|
RUN adduser --system --uid 10000 --ingroup git --shell /usr/bin/git-shell --home /var/lib/git git
|
||||||
RUN mkdir -p /var/run/sshd
|
RUN mkdir -p /var/run/sshd
|
||||||
|
|
||||||
COPY container/config /etc/ssh
|
COPY container/config /etc/ssh
|
||||||
|
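Review bot: Nothing in this hunk creates `/etc/ssh/keys`, yet the updated sshd_config and entrypoint in this commit read and write host keys under that path; the image only works because git.service mounts the `%N-ssh` volume there, so a standalone `podman run` of the image would fail at the first `ssh-keygen` call (unless `container/config` happens to contain a `keys` subdirectory, which the page does not show). Extending the existing line to `RUN mkdir -p /var/run/sshd /etc/ssh/keys` removes that dependency on the host unit and documents the expected layout in the image itself.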
@ -1,7 +1,7 @@
|
|||||||
# Supported HostKey algorithms by order of preference.
|
# Supported HostKey algorithms by order of preference.
|
||||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
HostKey /etc/ssh/keys/ssh_host_ed25519_key
|
||||||
HostKey /etc/ssh/ssh_host_rsa_key
|
HostKey /etc/ssh/keys/ssh_host_rsa_key
|
||||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
HostKey /etc/ssh/keys/ssh_host_ecdsa_key
|
||||||
|
|
||||||
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||||
|
@ -1,8 +1,20 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
|
# Generate host keys if none were found.
|
||||||
|
for t in rsa ecdsa ed25519; do
|
||||||
|
if test ! -f /etc/ssh/keys/ssh_host_${t}_key; then
|
||||||
|
ssh-keygen -q -t $t -f /etc/ssh/keys/ssh_host_${t}_key -C '' -N '' > /dev/null
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Create any missing directories.
|
||||||
|
mkdir -p /var/lib/git/.ssh
|
||||||
|
|
||||||
# Correct permissions where needed.
|
# Correct permissions where needed.
|
||||||
chown -R git:git /home/git
|
chown -R git:git /var/lib/git
|
||||||
chmod -R u+rwX,go-rwxX /home/git/.ssh
|
chmod -R u+rwX,go-rwxX /var/lib/git/.ssh
|
||||||
|
chmod 0644 /etc/ssh/keys/ssh_host_*_key.pub
|
||||||
|
chmod 0600 /etc/ssh/keys/ssh_host_*_key
|
||||||
|
|
||||||
# Run SSH daemon.
|
# Run SSH daemon.
|
||||||
/usr/sbin/sshd -D -e
|
/usr/sbin/sshd -D -e
|
||||||
|
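Review bot: The new key-generation loop runs without `set -e`, so a failed `ssh-keygen` (for example when `/etc/ssh/keys` is missing or not writable) is ignored and the script proceeds to the `chmod` lines and then starts `sshd`, which fails later with a less direct HostKey error. Adding `set -eu` directly after `#!/bin/sh` stops the script at the first failing step, and `-u` also catches a typo in `${t}`; the `> /dev/null` on the `ssh-keygen` line is redundant with `-q`. Under `set -e` the two new `chmod` lines on `/etc/ssh/keys/ssh_host_*_key*` are safe because the loop has just ensured every key file exists. The unchanged final line `/usr/sbin/sshd -D -e` is not `exec`'d, so `sh` apparently remains PID 1 and `podman stop --time 10` likely waits for the full timeout instead of sshd receiving SIGTERM; `exec /usr/sbin/sshd -D -e` would be the one-word follow-up.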
@ -12,6 +12,8 @@ systemd:
|
|||||||
enabled: true
|
enabled: true
|
||||||
- name: git-ssh-ed25519@.service
|
- name: git-ssh-ed25519@.service
|
||||||
enabled: true
|
enabled: true
|
||||||
|
- name: git-ssh-github@.service
|
||||||
|
enabled: true
|
||||||
- name: git-ssh-pubkey@-etc-ssh-ssh_host_rsa_key.pub.service
|
- name: git-ssh-pubkey@-etc-ssh-ssh_host_rsa_key.pub.service
|
||||||
enabled: true
|
enabled: true
|
||||||
dropins:
|
dropins:
|
||||||
|
@ -1,19 +1,19 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Git SSH authentication via ed25519 key %I
|
Description=Git SSH authentication via ed25519 key %I
|
||||||
|
Wants=git.service
|
||||||
|
After=git.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=true
|
RemainAfterExit=true
|
||||||
PrivateTmp=true
|
ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
|
||||||
Environment=GIT_HOME=/var/lib/container-service/git
|
ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
|
||||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -m 0700 -d ${GIT_HOME}/.ssh
|
ExecStart=/bin/podman exec git sh -c "echo 'ssh-ed25519 %I' > /var/lib/git/.ssh/authorized_keys.d/%i"
|
||||||
ExecStartPre=/bin/install -d ${GIT_HOME}/.ssh/authorized_keys.d
|
ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||||
ExecStart=/bin/sh -c "echo 'ssh-ed25519 %I' > ${GIT_HOME}/.ssh/authorized_keys.d/%i"
|
ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
|
||||||
ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
|
||||||
ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
|
ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||||
ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
|
ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
|
||||||
ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
|
||||||
ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
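Review bot: The four assembly lines (`ExecStartPost`/`ExecStopPost` running `cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys` followed by `install --mode 0600`) are now copied verbatim into this unit, the new git-ssh-github@.service and git-ssh-pubkey@.service; a single helper script shipped in the image and invoked via `podman exec git` would reduce each unit to one line and give one place to handle edge cases. One such edge case is visible here: after `ExecStop` removes the last key file, the `sh -c "cat .../*"` in `ExecStopPost` has no glob match, the redirect truncates `/tmp/authorized_keys` before `cat` exits non-zero, so the resulting empty authorized_keys is the intended state but the stop may be reported as failed. `ExecStart` also expands the instance name inside a single-quoted shell string (`echo 'ssh-ed25519 %I'`); the instance name is admin-supplied so this is not an injection path, but a `'` in it would break the command, and writing the key with `printf` from a positional argument rather than embedding it in the command string would keep key material out of shell parsing entirely.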
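--- /dev/null
+++ b/config/service/git/systemd/git-ssh-github@.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Git SSH authentication via key for Github user %I
+Wants=git.service
+After=git.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+PrivateTmp=true
+ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
+ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
+ExecStartPre=/usr/bin/curl --silent --fail -o /tmp/keys https://github.com/%i.keys
+ExecStart=/bin/podman cp /tmp/keys git:/var/lib/git/.ssh/authorized_keys.d/github-%i
+ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/github-%i
+ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
+
+[Install]
+WantedBy=multi-user.target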
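Review bot: `ExecStartPre=/usr/bin/curl --silent --fail -o /tmp/keys https://github.com/%i.keys` runs on the host at unit start, but the `[Unit]` section orders only after `git.service` and not after the network; on a cold boot the fetch can run before connectivity exists, the `curl` step then fails, and with `Type=oneshot` and no `Restart=` the unit stays failed until someone restarts it. Adding `Wants=network-online.target` and changing the ordering to `After=network-online.target git.service` addresses that. The keys are also fetched exactly once: a key the GitHub user later revokes remains in `authorized_keys.d/github-%i` until the unit is restarted, so either a periodic restart via a timer or a comment in the unit stating that revocation takes effect only on restart is worth adding. Finally, the unit grants git access to whatever keys the GitHub account currently lists, so the trust boundary is that account; a one-line comment above the `curl` line saying so makes the implication visible to whoever enables an instance.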
@ -1,19 +1,20 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Git SSH authentication via public key file %I
|
Description=Git SSH authentication via public key file %I
|
||||||
|
Wants=git.service
|
||||||
|
After=git.service
|
||||||
ConditionPathExists=%I
|
ConditionPathExists=%I
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=true
|
RemainAfterExit=true
|
||||||
PrivateTmp=true
|
ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
|
||||||
Environment=GIT_HOME=/var/lib/container-service/git
|
ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
|
||||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -m 0700 -d ${GIT_HOME}/.ssh
|
ExecStart=/bin/podman cp %I git:/var/lib/git/.ssh/authorized_keys.d/%i
|
||||||
ExecStart=/bin/install -m 0600 -D %I ${GIT_HOME}/.ssh/authorized_keys.d/%i
|
ExecStartPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||||
ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
ExecStartPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
|
||||||
ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
|
ExecStop=/bin/podman exec git rm -f /var/lib/git/.ssh/authorized_keys.d/%i
|
||||||
ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
|
ExecStopPost=/bin/podman exec git sh -c "cat /var/lib/git/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
||||||
ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
|
ExecStopPost=/bin/podman exec git install --owner 10000 --group 10000 --mode 0600 /tmp/authorized_keys /var/lib/git/.ssh/authorized_keys
|
||||||
ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Git server over SSH
|
Description=Git server over SSH
|
||||||
Wants=container-build@%N.service container-network@%N.service container-network@internal.service
|
Wants=container-build@%N.service
|
||||||
After=container-build@%N.service container-network@%N.service container-network@internal.service
|
After=container-build@%N.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Restart=always
|
Restart=always
|
||||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/%N
|
ExecStart=/bin/podman run --replace --pull never --net internal --name %N --cap-add AUDIT_WRITE \
|
||||||
ExecStart=/bin/podman run --replace --pull never --net internal,%N --cap-add AUDIT_WRITE \
|
|
||||||
--publish 468:22 \
|
--publish 468:22 \
|
||||||
--volume /var/lib/container-service/%N:/home/git:z \
|
--volume %N:/var/lib/git:z \
|
||||||
--name %N localhost/%N:latest
|
--volume %N-ssh:/etc/ssh/keys:z \
|
||||||
|
localhost/%N:latest
|
||||||
ExecStop=/bin/podman stop --time 10 %N
|
ExecStop=/bin/podman stop --time 10 %N
|
||||||
ExecStopPost=/bin/podman rm --force %N
|
ExecStopPost=/bin/podman rm --force %N
|
||||||
|
|
||||||
|
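Review bot: `ExecStart` now attaches the container to two networks (`--net internal,%N`) while the rewritten `Wants=`/`After=` lines drop `container-network@%N.service` and `container-network@internal.service`; if those units are what creates the podman networks, nothing orders this unit after them any more and a cold boot could reach `podman run` before the `%N` or `internal` network exists. If the networks are persistent and created once elsewhere this is fine, but then a comment on the `After=` line explaining why the dependency was dropped would save the next reader the same question. The named volume `%N-ssh:/etc/ssh/keys` is what now persists the host keys across rebuilds; since it holds the private host keys, a private SELinux label (`:Z`) rather than the shared `:z` would limit which containers can read it, unless another container genuinely needs to share that volume.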