From 41277398778f53584fd6277af6e71da06e307c42 Mon Sep 17 00:00:00 2001 From: Malfurious Date: Tue, 16 Aug 2022 13:53:29 -0400 Subject: gitolite: Override default sshd_config Provide a config file for the back-end SSH daemon. Primarily, this explicitly disables root login, password auth, and additional unnecessary frills. Additionally, the sftp subsystem is omitted. Now that this file is added, hostkey files (and the external volume containing them) are moved to a new dedicated location (/hostkeys/...). This allows us to bake sshd_config into the built gitolite image, instead of it also living in the external volume. This makes it easier for future changes to be incorporated by simply updating the image. Signed-off-by: Malfurious --- docker/Dockerfile.gitolite | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'docker/Dockerfile.gitolite') diff --git a/docker/Dockerfile.gitolite b/docker/Dockerfile.gitolite index f953c57..66367b5 100644 --- a/docker/Dockerfile.gitolite +++ b/docker/Dockerfile.gitolite @@ -22,8 +22,10 @@ VOLUME /var/lib/gitolite # sshd host keys are stored in a volume so that rebuilding/updating the # image doesn't break user trust -RUN ssh-keygen -A -VOLUME /etc/ssh +COPY sshd_config /etc/ssh/ +RUN mkdir -p /hostkeys/etc/ssh/ +RUN ssh-keygen -A -f /hostkeys +VOLUME /hostkeys EXPOSE 22 CMD ["/usr/bin/sshd", "-D"] -- cgit v1.2.3
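Review bot: `RUN ssh-keygen -A -f /hostkeys` still generates the private host keys at build time, so they are stored in an image layer before `VOLUME /hostkeys` is declared. Anyone who can pull the image can read them, and every deployment that starts with an empty volume is seeded with the same keys. Consider dropping the build-time generation and running `ssh-keygen -A -f /hostkeys` at container start, before `/usr/bin/sshd -D`, so keys are created only when the volume has none. Keep the `mkdir -p /hostkeys/etc/ssh/` step, since `-A -f` writes under that prefix. Separately, sshd looks for host keys under /etc/ssh by default, and the new sshd_config is not shown in this view of the commit. Please confirm it carries `HostKey` entries pointing at /hostkeys/etc/ssh/ssh_host_*_key, otherwise the daemon will not find the relocated keys. The comment above the hunk could also name /hostkeys, so that readers know which volume has to persist across rebuilds.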