gitea: proxy ssh via local git user (#11)

2 years ago · 1976e0f55f
parent 25b78d4a0f
commit 1976e0f55f
4 changed files with 47 additions and 3 deletions
--- a/gitea/add-ssh-user
+++ b/gitea/add-ssh-user
@ -0,0 +1,40 @@
+#!/bin/bash
+die() { echo >&2 "gitea: ERROR $*" ; exit 1 ; }
+info() { echo >&2 "gitea: $*" ; }
+
+if grep -q "^git:" /etc/passwd ; then
+	info "git user already exists"
+	exit 0
+fi
+
+SSHDIR="/home/git/.ssh"
+addgroup --gid 2222 git \
+	|| die "unable to create git group"
+adduser \
+	--uid 2222 \
+	--gid 2222 \
+	--disabled-password \
+	--gecos "Gitea Proxy User" \
+	git \
+	|| die "unable to add git user"
+
+rm -f "$SSHDIR/id_rsa" "$SSHDIR/id_rsa.pub" "$SSHDIR/authorized_keys"
+
+sudo -u git ssh-keygen \
+	-t rsa \
+	-b 4096 \
+	-C "Gitea Proxy User Key" \
+	-N "" \
+	-f "$SSHDIR/id_rsa" \
+|| die "unable to create host key"
+
+sudo -u git tee -a "$SSHDIR/authorized_keys" < "$SSHDIR/id_rsa.pub" \
+	|| die "unable to setup authorized key"
+chmod 600 "$SSHDIR/authorized_keys"
+
+cat <<"EOF" > "/usr/local/bin/gitea"
+#!/bin/sh
+ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
+EOF
+chmod +x "/usr/local/bin/gitea"
+
--- a/gitea/docker-compose.yaml
+++ b/gitea/docker-compose.yaml
@ -12,8 +12,8 @@ services:
      - env.production
      - ../data/gitea/env.secrets
    environment:
-      - USER_UID=1000
-      - USER_GID=1000
+      - USER_UID=2222 # must match git user on host system
+      - USER_GID=2222
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=db:5432
      - GITEA__database__NAME=gitea
@ -25,9 +25,10 @@ services:
      - ../data/gitea:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
+      - /home/git/.ssh/:/data/git/.ssh
    ports:
      - "3030:3000"
-      - "222:22"
+      - "2222:22"
    restart: always
    depends_on:
      - db
--- a/gitea/env.production
+++ b/gitea/env.production
@ -4,3 +4,4 @@ GITEA__openid__ENABLE_OPENID_SIGNIN=true
 GITEA__openid__ENABLE_OPENID_SIGNUP=false
 #GITEA__service__DISABLE_REGISTRATION=true
 GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
+GITEA__repository__DEFAULT_BRANCH=main
--- a/gitea/setup
+++ b/gitea/setup
@ -17,6 +17,7 @@ if [ -r "$SECRETS" ]; then
 	exit 0
 fi

+./add-ssh-user || die "unable to add ssh user"

 GITEA_CLIENT_SECRET="$(openssl rand -hex 32)"
 GITEA_ADMIN_PASSWORD="$(openssl rand -hex 8)"
@ -29,6 +30,7 @@ cat <<EOF > "$SECRETS"
 GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
 GITEA_ADMIN_PASSWORD=$GITEA_ADMIN_PASSWORD
 GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/
+GITEA__server__SSH_DOMAIN=$GITEA_HOSTNAME
 GITEA__security__INSTALL_LOCK=true
 GITEA__security__SECRET_KEY=$(openssl rand -hex 32)
 EOF