From 1976e0f55f9524fa50b862e2866525f7d3f29ced Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Thu, 5 May 2022 13:12:25 +0000
Subject: [PATCH] gitea: proxy ssh via local git user (#11)
---
gitea/add-ssh-user | 40 +++++++++++++++++++++++++++++++++++++++
gitea/docker-compose.yaml | 7 ++++---
gitea/env.production | 1 +
gitea/setup | 2 ++
4 files changed, 47 insertions(+), 3 deletions(-)
create mode 100755 gitea/add-ssh-user
diff --git a/gitea/add-ssh-user b/gitea/add-ssh-user
new file mode 100755
index 0000000..b5375eb
--- /dev/null
+++ b/gitea/add-ssh-user
@@ -0,0 +1,40 @@
+#!/bin/bash
+die() { echo >&2 "gitea: ERROR $*" ; exit 1 ; }
+info() { echo >&2 "gitea: $*" ; }
+
+if grep -q "^git:" /etc/passwd ; then
+ info "git user already exists"
+ exit 0
+fi
+
+SSHDIR="/home/git/.ssh"
+addgroup --gid 2222 git \
+ || die "unable to create git group"
+adduser \
+ --uid 2222 \
+ --gid 2222 \
+ --disabled-password \
+ --gecos "Gitea Proxy User" \
+ git \
+ || die "unable to add git user"
+
+rm -f "$SSHDIR/id_rsa" "$SSHDIR/id_rsa.pub" "$SSHDIR/authorized_keys"
+
+sudo -u git ssh-keygen \
+ -t rsa \
+ -b 4096 \
+ -C "Gitea Proxy User Key" \
+ -N "" \
+ -f "$SSHDIR/id_rsa" \
+|| die "unable to create host key"
+
+sudo -u git tee -a "$SSHDIR/authorized_keys" < "$SSHDIR/id_rsa.pub" \
+ || die "unable to setup authorized key"
+chmod 600 "$SSHDIR/authorized_keys"
+
+cat <<"EOF" > "/usr/local/bin/gitea"
+#!/bin/sh
+ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
+EOF
+chmod +x "/usr/local/bin/gitea"
+
diff --git a/gitea/docker-compose.yaml b/gitea/docker-compose.yaml
index df66dbf..0fee41d 100644
--- a/gitea/docker-compose.yaml
+++ b/gitea/docker-compose.yaml
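Review bot: The wrapper written to /usr/local/bin/gitea splices SSH_ORIGINAL_COMMAND, which the remote git client supplies, into a command string that the container's shell parses, protected only by the escaped double quotes, so a value containing a double quote ends the assignment and the rest is interpreted as further shell input running as `git` inside the container; the proxy key appended to authorized_keys carries no `command=` restriction that would stop this. Quote the value before it leaves the host, which means the wrapper has to be bash: `#!/bin/bash` and `exec ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=$(printf '%q' "$SSH_ORIGINAL_COMMAND") $0 $@"` (this presumes the git user's login shell in the container understands bash `%q` output — confirm). `StrictHostKeyChecking=no` additionally disables host-key verification for a loopback connection that, while the container is down, any local process able to bind port 2222 could answer; recording the container's host key once and using `-o UserKnownHostsFile=<path> -o StrictHostKeyChecking=yes` pins the peer. The early `exit 0` when a git user exists also skips key and wrapper creation, so a run that failed after adduser is never repaired; testing for `$SSHDIR/id_rsa` and `/usr/local/bin/gitea` separately would make the script re-runnable.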
@@ -12,8 +12,8 @@ services:
 - env.production
 - ../data/gitea/env.secrets
 environment:
- - USER_UID=1000
- - USER_GID=1000
+ - USER_UID=2222 # must match git user on host system
+ - USER_GID=2222
 - GITEA__database__DB_TYPE=postgres
 - GITEA__database__HOST=db:5432
 - GITEA__database__NAME=gitea
@@ -25,9 +25,10 @@ services:
 - ../data/gitea:/data
 - /etc/timezone:/etc/timezone:ro
 - /etc/localtime:/etc/localtime:ro
+ - /home/git/.ssh/:/data/git/.ssh
 ports:
 - "3030:3000"
- - "222:22"
+ - "2222:22"
 restart: always
 depends_on:
 - db
diff --git a/gitea/env.production b/gitea/env.production
index f7920e2..70b7682 100644
--- a/gitea/env.production
+++ b/gitea/env.production
@@ -4,3 +4,4 @@ GITEA__openid__ENABLE_OPENID_SIGNIN=true
 GITEA__openid__ENABLE_OPENID_SIGNUP=false
 #GITEA__service__DISABLE_REGISTRATION=true
 GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
+GITEA__repository__DEFAULT_BRANCH=main
diff --git a/gitea/setup b/gitea/setup
index d05db79..67d22be 100755
--- a/gitea/setup
+++ b/gitea/setup
@@ -17,6 +17,7 @@ if [ -r "$SECRETS" ]; then
 exit 0
 fi
+./add-ssh-user || die "unable to add ssh user"
 GITEA_CLIENT_SECRET="$(openssl rand -hex 32)"
 GITEA_ADMIN_PASSWORD="$(openssl rand -hex 8)"
@@ -29,6 +30,7 @@ cat < "$SECRETS"
 GITEA_CLIENT_SECRET=$GITEA_CLIENT_SECRET
 GITEA_ADMIN_PASSWORD=$GITEA_ADMIN_PASSWORD
 GITEA__server__ROOT_URL=https://$GITEA_HOSTNAME/
+GITEA__server__SSH_DOMAIN=$GITEA_HOSTNAME
 GITEA__security__INSTALL_LOCK=true
 GITEA__security__SECRET_KEY=$(openssl rand -hex 32)
 EOF
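Review bot: `- "2222:22"` publishes the container's sshd on every host interface, yet the only client this commit creates is the host-side wrapper, which dials 127.0.0.1; binding it as `- "127.0.0.1:2222:22"` keeps the container sshd off the network and leaves the host sshd as the single entry point. The new bind mount `/home/git/.ssh/:/data/git/.ssh` is read-write, so the container can rewrite the host git user's authorized_keys (presumably the intent, so Gitea-managed keys reach the host sshd) and can also read the proxy private key `id_rsa` that add-ssh-user generates in the same directory; a comment on the mount line naming which files the container is expected to touch would make that trust boundary explicit. The `USER_UID=2222 # must match git user on host system` comment in the earlier hunk would be more useful with a pointer to where that value is fixed, e.g. `# must match --uid/--gid in add-ssh-user`.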
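Review bot: `./add-ssh-user` is resolved against the caller's working directory, not the script's, so running setup from anywhere but gitea/ fails with the generic "unable to add ssh user"; `"$(dirname "$0")/add-ssh-user" || die "unable to add ssh user"` removes that dependence, unless setup already changes into its own directory earlier (the start of the script is outside the hunk). add-ssh-user runs addgroup/adduser and writes /usr/local/bin/gitea, so it needs root, a precondition worth stating beside the call, e.g. `# needs root: creates the host git user and the /usr/local/bin/gitea proxy wrapper`. Because the call sits after the `exit 0` taken when $SECRETS already exists, the ssh user is only created on first-time setup; if that is intended, a one-line comment saying so would stop the next reader from wondering why re-running setup never creates it.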