authorMalfurious <m@lfurio.us>2023-09-15 06:02:18 -0400
committerMalfurious <m@lfurio.us>2023-09-15 10:53:24 -0400
commit90858ead45f6702bdde31671246ad9c56fc7803e (patch)
tree4ce1cdbfd64ae494c26ced31a8e6a53bf836c944
parentc3e4b42c98dd433bbc2f90beeae102a4993c17e5 (diff)
downloadsrcnode-90858ead45f6702bdde31671246ad9c56fc7803e.tar.gz
srcnode-90858ead45f6702bdde31671246ad9c56fc7803e.zip
gitolite: Refactor Dockerfile for debian base
Building from debian:latest will make for a smaller image, a faster build, and will make the image more accessible to a wider variety of platforms. The effort started by 19e7dc8932c is expanded upon such that the image cleanly bakes all static config files into the image - i.e. the entire hosting user's home directory, except for the repositories directory. This removal of config management from the gitolite-admin repo is part of the reason why it is being decoupled from this repo. The gitolite image will now never utilize a user pubkey during build. Instead, it can be invoked with an alternative entrypoint to interactively configure a new install. Signed-off-by: Malfurious <m@lfurio.us>
-rw-r--r--docker/Dockerfile.gitolite25
-rwxr-xr-xdocker/gitolite_init.sh6
-rw-r--r--gitolite/Dockerfile51
-rwxr-xr-xgitolite/entrypoint.sh15
4 files changed, 66 insertions, 31 deletions
diff --git a/docker/Dockerfile.gitolite b/docker/Dockerfile.gitolite
deleted file mode 100644
index d2ca1ae..0000000
--- a/docker/Dockerfile.gitolite
+++ /dev/null
@@ -1,25 +0,0 @@
-# https://gitolite.com/gitolite/index.html
-# https://github.com/sitaramc/gitolite
-# https://wiki.archlinux.org/title/Gitolite
-
-FROM archlinux
-
-# The gitolite package implies git, openssh, and creates the host user
-RUN pacman-key --init
-RUN pacman -Syu --needed --noconfirm gitolite
-
-# Initialize the gitolite datastore
-COPY . /app
-RUN if [ -f "/app/admin.pub" ]; \
- then runuser -u gitolite -- /app/gitolite_init.sh "/app/admin.pub"; fi
-VOLUME /var/lib/gitolite
-
-# sshd host keys are stored in a volume so that rebuilding/updating the
-# image doesn't break user trust
-COPY sshd_config /etc/ssh/
-RUN mkdir -p /hostkeys/etc/ssh/
-RUN ssh-keygen -A -f /hostkeys
-VOLUME /hostkeys
-
-EXPOSE 22
-CMD ["/usr/bin/sshd", "-D"]
diff --git a/docker/gitolite_init.sh b/docker/gitolite_init.sh
deleted file mode 100755
index bd70222..0000000
--- a/docker/gitolite_init.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-gitolite setup -pk "$1"
-chmod 755 /var/lib/gitolite
-chmod -R 755 /var/lib/gitolite/repositories
-ln -sf .gitolite/conf/.gitolite.rc /var/lib/gitolite
-ln -sf .gitolite/conf/.gitconfig /var/lib/gitolite
diff --git a/gitolite/Dockerfile b/gitolite/Dockerfile
new file mode 100644
index 0000000..e3ff032
--- /dev/null
+++ b/gitolite/Dockerfile
@@ -0,0 +1,51 @@
+# https://gitolite.com/gitolite/index.html
+# https://github.com/sitaramc/gitolite
+
+FROM debian
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install SSH and gitolite packages
+RUN apt update \
+ && apt full-upgrade --yes \
+ && apt install --yes openssh-server gitolite3 \
+ && apt clean
+
+# Create git user
+RUN useradd \
+ --uid 2000 \
+ --home-dir /git \
+ --skel /dev/null \
+ --create-home \
+ git
+
+# Install files
+COPY --chown=git:git dotfiles /git/
+COPY sshd_config /etc/ssh/
+COPY gitolite.conf entrypoint.sh /app/
+
+# Setup SSH keys
+# We manually generate and store host keys in a separate volume, so that
+# rebuilding the image doesn't break user trust. A key pair is generated for
+# the root user for gitolite file initialization, so we don't need a file
+# supplied by the user every time they update the image.
+RUN mkdir -p /hostkeys/etc/ssh /run/sshd \
+ && ssh-keygen -A -f /hostkeys \
+ && ssh-keygen -f /root/.ssh/id_rsa -N "" \
+ && cp /root/.ssh/id_rsa* /app
+
+# Patch `gitolite setup` script
+# The acting gitolite.conf file is managed by the gitolite-admin repository. In
+# order to install our default version of the file, we need to patch its contents
+# into the Setup.pm file in the gitolite installation. This helps maintain
+# separation of normalmode and gitolite-admin version control.
+RUN grep -B1000000 __DATA__ /usr/share/gitolite3/lib/Gitolite/Setup.pm >/app/Setup.pm \
+ && cat /app/gitolite.conf >>/app/Setup.pm \
+ && cp /app/Setup.pm /usr/share/gitolite3/lib/Gitolite/Setup.pm
+
+# Initialize gitolite files
+RUN su git -c "gitolite setup -pk /app/id_rsa.pub" \
+ && chmod -R 755 /git/repositories
+
+EXPOSE 22
+CMD ["/app/entrypoint.sh"]
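Review bot: The `cp /root/.ssh/id_rsa* /app` on the fourth RUN copies the passphrase-less private key into `/app`, although the only consumer in this file, `gitolite setup -pk /app/id_rsa.pub`, needs the public half; `cp /root/.ssh/id_rsa.pub /app` is sufficient and keeps one fewer copy of the bootstrap admin key in an image layer. More broadly, both that key and the sshd host keys produced by `ssh-keygen -A -f /hostkeys` are generated at build time and therefore end up in the image, shared by every container and by anyone who can pull the image; the old Dockerfile at least declared `VOLUME /hostkeys`, which this one drops, so the comment about a separate volume no longer matches what the file does. Generating the host keys at container start when they are absent (`[ -f /hostkeys/etc/ssh/ssh_host_ed25519_key ] || ssh-keygen -A -f /hostkeys` in the entrypoint) would keep per-deployment keys out of the image. Separately, `FROM debian` is untagged and `apt full-upgrade` runs at build, so two builds of this file can differ arbitrarily; pinning a tag (for example `debian:bookworm-slim`) and using `apt-get … && rm -rf /var/lib/apt/lists/*` would make the image reproducible and smaller. `ENV DEBIAN_FRONTEND=noninteractive` also persists into the runtime environment; an inline `DEBIAN_FRONTEND=noninteractive apt-get install …` limits it to the build.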
diff --git a/gitolite/entrypoint.sh b/gitolite/entrypoint.sh
new file mode 100755
index 0000000..613a968
--- /dev/null
+++ b/gitolite/entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# On startup of the gitolite container, force a receive of the gitolite-admin
+# files from the persistent volume, to cause the user's real pubkeys and config
+# files to take effect.
+main() {
+ sleep 5
+ ssh -o StrictHostKeyChecking=accept-new git@localhost info # cache hostkey
+ git clone --bare git@localhost:gitolite-admin.git /tmp/gladmin.git
+ git --git-dir=/tmp/gladmin.git push origin :master # remove rmt master
+ git --git-dir=/tmp/gladmin.git push origin master # replace rmt master
+}
+
+main &
+/usr/sbin/sshd -D
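Review bot: Nothing in `main` checks for failure, so if the `git clone` in the middle of the function fails (for example because sshd is not yet accepting connections when the fixed `sleep 5` elapses), the two following pushes run against a missing `/tmp/gladmin.git` and their errors are silently discarded in the background job. Chaining the steps, `git clone … /tmp/gladmin.git && git --git-dir=/tmp/gladmin.git push origin :master && git --git-dir=/tmp/gladmin.git push origin master`, or adding `set -e` inside `main`, stops the sequence at the first failure instead of deleting or rewriting `master` on a half-done state. Replacing the fixed sleep with a short retry loop on the `ssh … info` probe would also remove the timing dependency on sshd startup. The bare clone under `/tmp` is never removed; an `rm -rf /tmp/gladmin.git` at the end of `main` keeps the container filesystem clean across restarts. Finally, the function is run as root with root's key; a one-line comment stating that the key is the bootstrap admin key baked in at build would help a reader of the two files understand why this works.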