Diffstat (limited to 'gitolite')
-rw-r--r--gitolite/Dockerfile51
-rw-r--r--gitolite/dotfiles/.gitconfig8
-rw-r--r--gitolite/dotfiles/.gitolite.rc206
-rwxr-xr-xgitolite/dotfiles/local/triggers/push18
-rwxr-xr-xgitolite/entrypoint.sh15
-rw-r--r--gitolite/gitolite.conf12
-rwxr-xr-xgitolite/initialize.sh16
-rw-r--r--gitolite/sshd_config22
8 files changed, 348 insertions, 0 deletions
diff --git a/gitolite/Dockerfile b/gitolite/Dockerfile
new file mode 100644
index 0000000..5d34312
--- /dev/null
+++ b/gitolite/Dockerfile
@@ -0,0 +1,51 @@
+# https://gitolite.com/gitolite/index.html
+# https://github.com/sitaramc/gitolite
+
+FROM debian
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install SSH and gitolite packages
+RUN apt update \
+ && apt full-upgrade --yes \
+ && apt install --yes openssh-server gitolite3 \
+ && apt clean
+
+# Create git user
+RUN useradd \
+ --uid 2000 \
+ --home-dir /git \
+ --skel /dev/null \
+ --create-home \
+ git
+
+# Install files
+COPY --chown=git:git dotfiles /git/
+COPY sshd_config /etc/ssh/
+COPY gitolite.conf entrypoint.sh initialize.sh /app/
+
+# Setup SSH keys
+# We manually generate and store host keys in a separate volume, so that
+# rebuilding the image doesn't break user trust. A key pair is generated for
+# the root user for gitolite file initialization, so we don't need a file
+# supplied by the user every time they update the image.
+RUN mkdir -p /hostkeys/etc/ssh /run/sshd \
+ && ssh-keygen -A -f /hostkeys \
+ && ssh-keygen -f /root/.ssh/id_rsa -N "" \
+ && cp /root/.ssh/id_rsa* /app
+
+# Patch `gitolite setup` script
+# The acting gitolite.conf file is managed by the gitolite-admin repository. In
+# order to install our default version of the file, we need to patch its contents
+# into the Setup.pm file in the gitolite installation. This helps maintain
+# separation of normalmode and gitolite-admin version control.
+RUN grep -B1000000 __DATA__ /usr/share/gitolite3/lib/Gitolite/Setup.pm >/app/Setup.pm \
+ && cat /app/gitolite.conf >>/app/Setup.pm \
+ && cp /app/Setup.pm /usr/share/gitolite3/lib/Gitolite/Setup.pm
+
+# Initialize gitolite files
+RUN su git -c "gitolite setup -pk /app/id_rsa.pub" \
+ && chmod -R 755 /git/repositories
+
+EXPOSE 22
+CMD ["/app/entrypoint.sh"]
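Review bot: The bootstrap key pair generated at `ssh-keygen -f /root/.ssh/id_rsa -N ""` and copied to /app is baked into an image layer, so every container built from this image shares a private key that gitolite accepts as the initial admin until the entrypoint's re-push replaces the compiled authorized_keys. At minimum generate an ed25519 key (`ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""`) and state in the comment block that the key is a build-time throwaway whose access is meant to be revoked by the first successful entrypoint run; better, generate it at container start so it never lands in a distributable layer. Two smaller points in the same hunk: `FROM debian` is unpinned (a tag such as `debian:bookworm-slim`, or a digest, makes rebuilds reproducible), and the `apt` front-end warns it has no stable CLI interface in scripts, so `apt-get install --yes --no-install-recommends` is the conventional form. The `chmod -R 755 /git/repositories` line deserves a comment naming the reader it is for, since it makes every hosted repo readable by any uid in the container.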
diff --git a/gitolite/dotfiles/.gitconfig b/gitolite/dotfiles/.gitconfig
new file mode 100644
index 0000000..6e33a9e
--- /dev/null
+++ b/gitolite/dotfiles/.gitconfig
@@ -0,0 +1,8 @@
+[init]
+ defaultBranch = master
+[user]
+ useConfigOnly = true
+ name = gitolite
+ email = gitolite
+[receive]
+ denyDeleteCurrent = warn
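Review bot: `denyDeleteCurrent = warn` is set in the git user's global config, so it relaxes the current-branch deletion refusal on every hosted repository, not only on gitolite-admin where entrypoint.sh needs it for its `push origin :master` step. A comment tying the setting to that entrypoint step would stop a future reader from restoring the default and silently breaking the startup re-push, and would make the blast radius explicit, e.g. `# entrypoint.sh deletes and re-pushes master on gitolite-admin; this applies to all repos`. If the wider effect is unwanted, the same key can be set per-repo via gitolite's `config receive.denyDeleteCurrent = warn` under `repo gitolite-admin` (with the key added to GIT_CONFIG_KEYS), which I have not verified against this setup.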
diff --git a/gitolite/dotfiles/.gitolite.rc b/gitolite/dotfiles/.gitolite.rc
new file mode 100644
index 0000000..eefc022
--- /dev/null
+++ b/gitolite/dotfiles/.gitolite.rc
@@ -0,0 +1,206 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax. But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0022,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => 'gitweb.owner',
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+ # logging options
+ # 1. leave this section as is for 'normal' gitolite logging (default)
+ # 2. uncomment this line to log ONLY to syslog:
+ # LOG_DEST => 'syslog',
+ # 3. uncomment this line to log to syslog and the normal gitolite log:
+ # LOG_DEST => 'syslog,normal',
+ # 4. prefixing "repo-log," to any of the above will **also** log just the
+ # update records to "gl-log" in the bare repo directory:
+ # LOG_DEST => 'repo-log,normal',
+ # LOG_DEST => 'repo-log,syslog',
+ # LOG_DEST => 'repo-log,syslog,normal',
+ # syslog 'facility': defaults to 'local0', uncomment if needed. For example:
+ # LOG_FACILITY => 'local4',
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ CONTRIBUTORS => 1,
+ MAINTAINERS => 1,
+ },
+
+ # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
+ # CACHE => 'Redis',
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+ # CACHE_TTL => 600,
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+ # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ POST_GIT => [
+ 'push',
+ ],
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ #'writable',
+
+ # Uncomment or add new commands here.
+ # 'create',
+ # 'fork',
+ # 'mirror',
+ # 'readme',
+ # 'sskm',
+ 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
+ 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ #'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ #'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access. See documentation in
+ # sts.html for details on the following two choices.
+ # "Shell $ENV{HOME}/.gitolite.shell-users",
+ # 'Shell alice bob',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # show more detailed messages on deny
+ # 'expand-deny-messages',
+
+ # show a message of the day
+ # 'Motd',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ # 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+
+ # be nice
+ # 'renice 10',
+
+ # log CPU times (user, system, cumulative user, cumulative system)
+ # 'CpuTime',
+
+ # syntactic_sugar for gitolite.conf and included files
+
+ # allow backslash-escaped continuation lines in gitolite.conf
+ # 'continuation-lines',
+
+ # create implicit user groups from directory names in keydir/
+ # 'keysubdirs-as-groups',
+
+ # allow simple line-oriented macros
+ # 'macros',
+
+ # Kindergarten mode
+
+ # disallow various things that sensible people shouldn't be doing anyway
+ # 'Kindergarten',
+ ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
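Review bot: The local deviations from the stock rc — `UMASK => 0022`, `POST_GIT => ['push']`, the enabled `'D'` command and `'cgit'` feature, and the uncommented `LOCAL_CODE => "$ENV{HOME}/local"` — are indistinguishable from upstream defaults, so the next gitolite upgrade that regenerates this file will lose them. A one-line `# LOCAL:` marker on each of those lines, with the reason, keeps the edits findable; the UMASK one in particular should say that 0022 is deliberate so repos are readable by another uid (presumably the cgit process, together with the chmod in the Dockerfile), otherwise it reads like the common mistake of loosening the default 0077. The `'D'` entry also merits a note that it lets a wild-repo creator permanently delete that repo, since that is the capability being handed to every user matched by `C = @all`.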
diff --git a/gitolite/dotfiles/local/triggers/push b/gitolite/dotfiles/local/triggers/push
new file mode 100755
index 0000000..7a3cb56
--- /dev/null
+++ b/gitolite/dotfiles/local/triggers/push
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+[ "$4" = "W" ] || exit 0
+
+cd "$GL_REPO_BASE/$2.git"
+head=$(git symbolic-ref HEAD)
+
+if ! [ -f "$head" ]; then
+ set -- refs/heads/*
+ if [ "$#" -eq 1 ]; then
+ git symbolic-ref HEAD "$1"
+ echo "NOTICE: Default branch set to $1" >&2
+ else
+ echo "WARNING: The default branch is $head, but no such branch exists" >&2
+ fi
+fi
+
+git log -1 --all --date-order --format=%ci >agefile
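Review bot: The branch existence test `[ -f "$head" ]` and the `set -- refs/heads/*` glob only see loose refs, so once a repo has been packed (for example by gc) the script reports "no such branch exists" for a branch that is there, and with more than one packed branch the glob leaves the literal `refs/heads/*` in `$1` with `$#` equal to 1, so it tries to point HEAD at that literal. `cd "$GL_REPO_BASE/$2.git"` is also unchecked, and a failed cd would run the symbolic-ref and the `>agefile` write in whatever directory the trigger was started from. Using `git show-ref --verify` and `git for-each-ref` makes both checks pack-aware and removes the empty-glob case.
```shell
cd "$GL_REPO_BASE/$2.git" || exit 1
head=$(git symbolic-ref HEAD)

# show-ref and for-each-ref see packed refs; a glob on refs/heads/ does not
if ! git show-ref --verify --quiet "$head"; then
    set -- $(git for-each-ref --format='%(refname)' refs/heads/)
    if [ "$#" -eq 1 ]; then
        git symbolic-ref HEAD "$1"
        echo "NOTICE: Default branch set to $1" >&2
    else
        echo "WARNING: The default branch is $head, but no such branch exists" >&2
    fi
fi
# … unchanged: agefile update …
```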
diff --git a/gitolite/entrypoint.sh b/gitolite/entrypoint.sh
new file mode 100755
index 0000000..613a968
--- /dev/null
+++ b/gitolite/entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# On startup of the gitolite container, force a receive of the gitolite-admin
+# files from the persistent volume, to cause the user's real pubkeys and config
+# files to take effect.
+main() {
+ sleep 5
+ ssh -o StrictHostKeyChecking=accept-new git@localhost info # cache hostkey
+ git clone --bare git@localhost:gitolite-admin.git /tmp/gladmin.git
+ git --git-dir=/tmp/gladmin.git push origin :master # remove rmt master
+ git --git-dir=/tmp/gladmin.git push origin master # replace rmt master
+}
+
+main &
+/usr/sbin/sshd -D
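Review bot: `main` runs in the background with a fixed `sleep 5` and no exit-status checks, so if sshd is not yet accepting connections or the clone fails, the re-push never happens, nothing is logged, and the container keeps serving with the build-time bootstrap key as the only accepted admin key. The `push origin :master` step also means a failure between the two pushes leaves gitolite-admin without its master branch in the persistent volume. A bounded wait on `ssh ... info` plus explicit failure reporting closes the silent case; the delete-then-push ordering is worth a comment explaining that it is there to force the post-update hook to run even when master is unchanged.
```shell
main() {
    # wait for sshd instead of guessing; bounded so a broken sshd still surfaces
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        ssh -o StrictHostKeyChecking=accept-new git@localhost info && break
        sleep 1
    done
    if ! git clone --bare git@localhost:gitolite-admin.git /tmp/gladmin.git; then
        echo "ERROR: could not clone gitolite-admin; build-time bootstrap key is still active" >&2
        return 1
    fi
    # … unchanged: delete-and-replace of remote master …
    rm -rf /tmp/gladmin.git
}
```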
diff --git a/gitolite/gitolite.conf b/gitolite/gitolite.conf
new file mode 100644
index 0000000..89eb558
--- /dev/null
+++ b/gitolite/gitolite.conf
@@ -0,0 +1,12 @@
+@administrators = %ADMIN
+
+repo gitolite-admin
+ RW+ = @administrators
+
+repo CREATOR/..*
+ C = @all
+ RW+ = CREATOR MAINTAINERS
+ RW+ contrib/USER/ = CONTRIBUTORS
+ R = @all
+
+ config gitweb.owner = %GL_CREATOR
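Review bot: `%ADMIN` on the first line is not gitolite.conf syntax; it is a placeholder that only works because the Dockerfile splices this file into Setup.pm, where `gitolite setup -pk` substitutes the key's basename. A header comment such as `# appended to Setup.pm by the Dockerfile; %ADMIN is replaced by the -pk key name at setup time` would keep someone from copying this file straight into a gitolite-admin checkout and getting a broken compile. It would also help to document that `R = @all` grants read to every authenticated key holder (not anonymous access) and that `C = @all` combined with the enabled D command lets any user both create and delete repos under their own prefix.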
diff --git a/gitolite/initialize.sh b/gitolite/initialize.sh
new file mode 100755
index 0000000..6806acd
--- /dev/null
+++ b/gitolite/initialize.sh
@@ -0,0 +1,16 @@
+#!/bin/bash -e
+
+# This script is manually invoked when first setting up a site to initialize the
+# gitolite repositories database and set up a user-supplied pubkey for initial
+# administrator access.
+
+echo -e "This will erase data in the gitolite repository volume!"
+echo -e "One SSH pubkey will be used as the initial administrator of the new install."
+echo -e "\nKey selected: $1"
+cat "/tmp/$1"
+echo -e "\nPress Enter/Return to continue..."
+
+read -r confirm
+
+rm -rf /git/.gitolite /git/repositories/*
+su git -c "gitolite setup -pk /tmp/$1"
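Review bot: `$1` is used unvalidated in `cat "/tmp/$1"` and inside the `su git -c "... /tmp/$1"` string, so a name containing a slash or a shell metacharacter either reads a file outside /tmp or changes the command su runs; since the same value becomes the gitolite admin user name, rejecting anything but a plain file name is the right check. The `-e` on the `#!/bin/bash -e` line is dropped when the script is started as `bash initialize.sh`, so it belongs in the body as `set -eu`. The prompt says "Press Enter/Return to continue" but any input proceeds to `rm -rf`, and the first two `echo -e` calls contain no escapes, so plain `echo` is enough there.
```bash
#!/bin/bash
set -eu
key=${1:?usage: initialize.sh <pubkey-file-name-in-/tmp>}
case $key in
    */*|.*) echo "ERROR: key must be a plain file name in /tmp" >&2; exit 1;;
esac
# … unchanged: informational echo lines, using "$key" …
read -r confirm
[ "$confirm" = "yes" ] || { echo "Aborted." >&2; exit 1; }
rm -rf /git/.gitolite /git/repositories/*
su git -c "gitolite setup -pk '/tmp/$key'"
```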
diff --git a/gitolite/sshd_config b/gitolite/sshd_config
new file mode 100644
index 0000000..efc0c52
--- /dev/null
+++ b/gitolite/sshd_config
@@ -0,0 +1,22 @@
+Port 22
+
+HostKey /hostkeys/etc/ssh/ssh_host_rsa_key
+HostKey /hostkeys/etc/ssh/ssh_host_ecdsa_key
+HostKey /hostkeys/etc/ssh/ssh_host_ed25519_key
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+UsePAM yes
+PermitRootLogin no
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PermitTTY no
+PrintLastLog no
+PermitUserEnvironment no
+PermitTunnel no
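Review bot: The file disables root login but does not restrict which accounts may authenticate, so any other system user in the image with an authorized_keys file could log in; `AllowUsers git` makes the intended single-purpose scope explicit. For detection it is also worth adding `LogLevel VERBOSE`, which records the fingerprint of the key used on each login and is the only way to attribute a gitolite session to a specific key after the fact. With PasswordAuthentication and KbdInteractiveAuthentication already off, `AuthenticationMethods publickey` states the policy directly rather than by elimination.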