| field | value | |
|---|---|---|
| author | Malfurious <m@lfurio.us> | 2023-09-15 06:02:18 -0400 |
| committer | Malfurious <m@lfurio.us> | 2023-09-15 10:53:24 -0400 |
| commit | 90858ead45f6702bdde31671246ad9c56fc7803e (patch) | |
| tree | 4ce1cdbfd64ae494c26ced31a8e6a53bf836c944 /gitolite | |
| parent | c3e4b42c98dd433bbc2f90beeae102a4993c17e5 (diff) | |
| download | srcnode-90858ead45f6702bdde31671246ad9c56fc7803e.tar.gz srcnode-90858ead45f6702bdde31671246ad9c56fc7803e.zip | |
gitolite: Refactor Dockerfile for debian base
Building from debian:latest will make for a smaller image, a faster
build, and will make the image more accessible to a wider variety of
platforms.
The effort started by 19e7dc8932c is expanded upon such that the image
cleanly bakes in all static config files into the image - i.e. the entire
hosting user's home directory, except for the repositories directory.
This removal of config management from the gitolite-admin repo is part
of the reason why it is being decoupled from this repo.
The gitolite image will now never utilize a user pubkey during build.
Instead, it can be invoked with an alternative entrypoint to
interactively configure a new install.
Signed-off-by: Malfurious <m@lfurio.us>
Diffstat (limited to 'gitolite')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | gitolite/Dockerfile | 51 |
| -rwxr-xr-x | gitolite/entrypoint.sh | 15 |

2 files changed, 66 insertions, 0 deletions
diff --git a/gitolite/Dockerfile b/gitolite/Dockerfile new file mode 100644 index 0000000..e3ff032 --- /dev/null +++ b/gitolite/Dockerfile @@ -0,0 +1,51 @@ +# https://gitolite.com/gitolite/index.html +# https://github.com/sitaramc/gitolite + +FROM debian + +ENV DEBIAN_FRONTEND=noninteractive + +# Install SSH and gitolite packages +RUN apt update \ + && apt full-upgrade --yes \ + && apt install --yes openssh-server gitolite3 \ + && apt clean + +# Create git user +RUN useradd \ + --uid 2000 \ + --home-dir /git \ + --skel /dev/null \ + --create-home \ + git + +# Install files +COPY --chown=git:git dotfiles /git/ +COPY sshd_config /etc/ssh/ +COPY gitolite.conf entrypoint.sh /app/ + +# Setup SSH keys +# We manually generate and store host keys in a separate volume, so that +# rebuilding the image doesn't break user trust. A key pair is generated for +# the root user for gitolite file initialization, so we don't need a file +# supplied by the user every time they update the image. +RUN mkdir -p /hostkeys/etc/ssh /run/sshd \ + && ssh-keygen -A -f /hostkeys \ + && ssh-keygen -f /root/.ssh/id_rsa -N "" \ + && cp /root/.ssh/id_rsa* /app + +# Patch `gitolite setup` script +# The acting gitolite.conf file is managed by the gitolite-admin repository. In +# order to install our default version of the file, we need to patch its contents +# into the Setup.pm file in the gitolite installation. This helps maintain +# separation of normalmode and gitolite-admin version control. +RUN grep -B1000000 __DATA__ /usr/share/gitolite3/lib/Gitolite/Setup.pm >/app/Setup.pm \ + && cat /app/gitolite.conf >>/app/Setup.pm \ + && cp /app/Setup.pm /usr/share/gitolite3/lib/Gitolite/Setup.pm + +# Initialize gitolite files +RUN su git -c "gitolite setup -pk /app/id_rsa.pub" \ + && chmod -R 755 /git/repositories + +EXPOSE 22 +CMD ["/app/entrypoint.sh"] diff --git a/gitolite/entrypoint.sh b/gitolite/entrypoint.sh new file mode 100755 index 0000000..613a968 --- /dev/null +++ b/gitolite/entrypoint.sh 
@@ -0,0 +1,15 @@ +#!/bin/sh + +# On startup of the gitolite container, force a receive of the gitolite-admin +# files from the persistent volume, to cause the user's real pubkeys and config +# files to take effect. +main() { + sleep 5 + ssh -o StrictHostKeyChecking=accept-new git@localhost info # cache hostkey + git clone --bare git@localhost:gitolite-admin.git /tmp/gladmin.git + git --git-dir=/tmp/gladmin.git push origin :master # remove rmt master + git --git-dir=/tmp/gladmin.git push origin master # replace rmt master +} + +main & +/usr/sbin/sshd -D |
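Review bot: the bootstrap admin key pair created by `ssh-keygen -f /root/.ssh/id_rsa -N ""` and copied with `cp /root/.ssh/id_rsa* /app` is committed to an image layer at two well-known paths, and `gitolite setup -pk /app/id_rsa.pub` authorizes that key for full gitolite-admin access, so everyone who can pull the image holds an admin key that stays valid until the entrypoint's push regenerates authorized_keys from the volume's keydir (a container that never completes that step keeps the baked-in key live). Consider generating the bootstrap pair at container start in the entrypoint rather than at build time, and at minimum delete /root/.ssh/id_rsa after the copy. Smaller points in the same hunk: `FROM debian` is untagged although the message says debian:latest, so pin a release or digest for reproducible rebuilds; the COPY lines pull in dotfiles, sshd_config and gitolite.conf, none of which are among the two files in this diffstat, so the build depends on them existing elsewhere; `chmod -R 755 /git/repositories` acts on image content that the repositories volume described in the message will shadow at runtime; and the `grep -B1000000 __DATA__` splice of Setup.pm silently produces a broken module if a future gitolite3 package moves or removes the `__DATA__` marker, so a `grep -q __DATA__` guard before the rewrite would make the failure visible at build time.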
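Review bot: main() has no error handling and an unsafe ordering: `git --git-dir=/tmp/gladmin.git push origin :master` deletes the only branch of the persistent gitolite-admin repo before `git --git-dir=/tmp/gladmin.git push origin master` recreates it, so a failure or container stop between the two (or a clone that silently failed because sshd was not yet listening after the fixed `sleep 5`) leaves the admin repo without master and the real keys never applied. Add `set -e` at the top, replace the sleep with a retry loop around the `ssh ... info` call (it is the only thing ordering `main &` against `/usr/sbin/sshd -D`, which is started afterwards), and remove /tmp/gladmin.git once the push succeeds. Since the goal is only to re-run the admin repo's hook so authorized_keys and the compiled conf reflect the keydir already in the volume, it is also worth checking whether re-running `gitolite setup` as the git user after the volume is mounted covers this case without any branch deletion, which would let the clone/push sequence be dropped entirely.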