commit 4e66ee748be57dbd7785084b64490778e17a6acb · keea.dog/knot-spindle

+9 -2

Dockerfile

···

       1
       1
        
       FROM docker.io/golang:1.24-alpine3.21 AS build

     

       2
       2
        
       

     

       3
       3
        
       ENV CGO_ENABLED=1

     

       4
       4
       +
       ENV KNOT_REPO_SCAN_PATH=/home/git/repositories

     

       4
       5
        
       WORKDIR /usr/src/app

     

       5
       6
        
       COPY go.mod go.sum ./

     

       6
       7
        
       

     
···

       22
       23
        
       LABEL org.opencontainers.image.url=https://tangled.sh

     

       23
       24
        
       LABEL org.opencontainers.image.source=https://tangled.sh/@tangled.sh/core

     

       24
       25
        
       

     

       25
       25
       -
       RUN apk add --no-cache shadow s6-overlay execline openssh git && \

     

       26
       26
       +
       RUN apk add --no-cache shadow s6-overlay execline openssh git curl && \

     

       26
       27
        
           adduser --disabled-password git && \

     

       27
       28
        
           # We need to set password anyway since otherwise ssh won't work

     

       28
       29
        
           head -c 32 /dev/random | base64 | tr -dc 'a-zA-Z0-9' | passwd git --stdin && \

     
···

       30
       31
        
       

     

       31
       32
        
       COPY --from=build /usr/local/bin/knot /usr/local/bin

     

       32
       33
        
       COPY docker/rootfs/ .

     

       34
       34
       +
       RUN chmod +x /etc/s6-overlay/scripts/keys-wrapper && \

     

       35
       35
       +
           chown git:git /app && \

     

       36
       36
       +
           chown -R git:git /home/git/repositories

     

       33
       37
        
       

     

       34
       38
        
       EXPOSE 22

     

       35
       39
        
       EXPOSE 5555

     

       36
       40
        
       

     

       37
       37
       -
       ENTRYPOINT ["/bin/sh", "-c", "chown git:git /app && chown git:git /home/git/repositories && /init"]

     

       41
       41
       +
       HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \

     

       42
       42
       +
           CMD curl -f http://localhost:5555/ || exit 1

     

       43
       43
       +
       

     

       44
       44
       +
       ENTRYPOINT ["/init"]

+6 -4

docker-compose.yml

···

       8
       8
        
             KNOT_SERVER_SECRET: ${KNOT_SERVER_SECRET}

     

       9
       9
        
             KNOT_SERVER_DB_PATH: "/app/knotserver.db"

     

       10
       10
        
             KNOT_REPO_SCAN_PATH: "/home/git/repositories"

     

       11
       11
       +
             KNOT_SERVER_INTERNAL_LISTEN_ADDR: "localhost:5444"

     

       11
       12
        
           volumes:

     

       12
       13
        
             - "./keys:/etc/ssh/keys"

     

       13
       14
        
             - "./repositories:/home/git/repositories"

     

       14
       15
        
             - "./server:/app"

     

       15
       16
        
           ports:

     

       17
       17
       +
             - "5555:5555"

     

       16
       18
        
             - "2222:22"

     

       19
       19
       +
           restart: always

     

       17
       20
        
         frontend:

     

       18
       21
        
           image: caddy:2-alpine

     

       19
       22
        
           command: >

     
···

       24
       27
        
           depends_on:

     

       25
       28
        
             - knot

     

       26
       29
        
           ports:

     

       27
       27
       -
             - "443:443"

     

       28
       28
       -
             - "443:443/udp"

     

       30
       30
       +
             - "${KNOT_SERVER_PORT:-443}:443"

     

       31
       31
       +
             - "${KNOT_SERVER_PORT:-443}:443/udp"

     

       29
       32
        
           volumes:

     

       30
       33
        
             - caddy_data:/data

     

       31
       34
        
           restart: always

     

       32
       32
       -
       volumes:

     

       33
       33
       -
         caddy_data:

     

       35
       35
       +
           profiles: ["caddy"]

+8

rootfs/etc/s6-overlay/scripts/keys-wrapper

···

       1
       1
       +
       #!/bin/sh

     

       2
       2
       +
       

     

       3
       3
       +
       # Execute the knot keys command with proper shell context

     

       4
       4
       +
       exec /bin/sh -c '/usr/local/bin/knot keys \

     

       5
       5
       +
           -output authorized-keys \

     

       6
       6
       +
           -internal-api "http://${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-localhost:5444}" \

     

       7
       7
       +
           -git-dir "${KNOT_REPO_SCAN_PATH:-/home/git/repositories}" \

     

       8
       8
       +
           -log-path "/tmp/knotguard.log"'

+1 -1

rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf

···

       5
       5
        
       PasswordAuthentication no

     

       6
       6
        
       

     

       7
       7
        
       Match User git

     

       8
       8
       -
         AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys

     

       8
       8
       +
         AuthorizedKeysCommand /etc/s6-overlay/scripts/keys-wrapper

     

       9
       9
        
         AuthorizedKeysCommandUser nobody