From 63c4cd76a76b84ccca53c46be1555b861685e6f1 Mon Sep 17 00:00:00 2001 From: Roscoe Rubin-Rottenberg Date: Sun, 1 Jun 2025 18:15:53 -0400 Subject: [PATCH] docker: fix authorized-keys & add config options port env var Update docker-compose.yml Revert "Update docker-compose.yml" This reverts commit ee4f170177bd976b1a619a49383b8c50139160ae. Update docker-compose.yml Update tangled_sshd.conf is this anything optional caddy fix stupid stuff Update docker-compose.yml fix authkeyscommand docker: config fixes port env var Update docker-compose.yml Revert "Update docker-compose.yml" This reverts commit ee4f170177bd976b1a619a49383b8c50139160ae. Update docker-compose.yml Update tangled_sshd.conf is this anything optional caddy fix stupid stuff Update docker-compose.yml fix authkeyscommand wrapper script fix fix --- docker/Dockerfile | 11 +++++++++-- docker/docker-compose.yml | 10 ++++++---- docker/rootfs/etc/s6-overlay/scripts/keys-wrapper | 13 +++++++++++++ .../rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf | 2 +- 4 files changed, 29 insertions(+), 7 deletions(-) create mode 100644 docker/rootfs/etc/s6-overlay/scripts/keys-wrapper diff --git a/docker/Dockerfile b/docker/Dockerfile index 891e68f..a7cb27f 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,6 +1,7 @@ FROM docker.io/golang:1.24-alpine3.21 AS build ENV CGO_ENABLED=1 +ENV KNOT_REPO_SCAN_PATH=/home/git/repositories WORKDIR /usr/src/app COPY go.mod go.sum ./ @@ -22,7 +23,7 @@ LABEL org.opencontainers.image.licenses=MIT LABEL org.opencontainers.image.url=https://tangled.sh LABEL org.opencontainers.image.source=https://tangled.sh/@tangled.sh/core -RUN apk add --no-cache shadow s6-overlay execline openssh git && \ +RUN apk add --no-cache shadow s6-overlay execline openssh git curl && \ adduser --disabled-password git && \ # We need to set password anyway since otherwise ssh won't work head -c 32 /dev/random | base64 | tr -dc 'a-zA-Z0-9' | passwd git --stdin && \ 
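Review bot: `ENV KNOT_REPO_SCAN_PATH=/home/git/repositories` is added inside the `build` stage (the one opened by `FROM docker.io/golang:1.24-alpine3.21 AS build`), and an ENV set in one stage does not propagate to a later stage that only does `COPY --from=build`, so unless the final stage is itself derived from `build` this value never exists in the runtime image; nothing visible in the build steps reads it either. If it is meant as the server's runtime default, move it below the final `FROM` (next to the `EXPOSE` lines); otherwise drop it and rely on docker-compose.yml and the keys-wrapper default, which already carry the same path. The stage continues past the end of this hunk.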
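Review bot: `curl` is added to the runtime image solely for the new `HEALTHCHECK`, which grows the image and the set of tools available inside it; Alpine's busybox already provides `wget`, so `CMD wget -q --spider http://localhost:5555/health || exit 1` would avoid the extra package. If curl stays, pin it (`curl=<version>`, hadolint DL3018) so rebuilds are reproducible; the rest of the list being unpinned is pre-existing and out of scope here. The `RUN` chain continues past the end of this hunk.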
@@ -30,8 +31,14 @@ RUN apk add --no-cache shadow s6-overlay execline openssh git && \ COPY --from=build /usr/local/bin/knot /usr/local/bin COPY docker/rootfs/ . +RUN chmod +x /etc/s6-overlay/scripts/keys-wrapper && \ + chown git:git /app && \ + chown -R git:git /home/git/repositories EXPOSE 22 EXPOSE 5555 -ENTRYPOINT ["/bin/sh", "-c", "chown git:git /app && chown git:git /home/git/repositories && /init"] +HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ + CMD curl -f http://localhost:5555/health || exit 1 + +ENTRYPOINT ["/init"] \ No newline at end of file diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 7a1ad94..0041415 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -8,12 +8,15 @@ services: KNOT_SERVER_SECRET: ${KNOT_SERVER_SECRET} KNOT_SERVER_DB_PATH: "/app/knotserver.db" KNOT_REPO_SCAN_PATH: "/home/git/repositories" + KNOT_SERVER_INTERNAL_LISTEN_ADDR: "localhost:5444" volumes: - "./keys:/etc/ssh/keys" - "./repositories:/home/git/repositories" - "./server:/app" ports: + - "5555:5555" - "2222:22" + restart: always frontend: image: caddy:2-alpine command: > @@ -24,10 +27,9 @@ services: depends_on: - knot ports: - - "443:443" - - "443:443/udp" + - "${KNOT_SERVER_PORT:-443}:443" + - "${KNOT_SERVER_PORT:-443}:443/udp" volumes: - caddy_data:/data restart: always -volumes: - caddy_data: + profiles: ["caddy"] diff --git a/docker/rootfs/etc/s6-overlay/scripts/keys-wrapper b/docker/rootfs/etc/s6-overlay/scripts/keys-wrapper new file mode 100644 index 0000000..8bdee26 --- /dev/null +++ b/docker/rootfs/etc/s6-overlay/scripts/keys-wrapper 
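Review bot: The build-time `chown git:git /app && chown -R git:git /home/git/repositories` replaces the ownership fix the old ENTRYPOINT performed at container start, but docker-compose.yml in this same patch bind-mounts `./server` on `/app` and `./repositories` on `/home/git/repositories`, and a bind mount exposes the host directory's ownership rather than the image layer's, so the `git` user may again be unable to write there when the host checkout is owned by someone else. Keep the image-layer chown for the no-volume case, but restore the runtime step as an s6-overlay oneshot (or an equivalent startup hook) that fixes ownership of the mounted paths before sshd and knot start; switching to `ENTRYPOINT ["/init"]` itself is the right change. Minor: `curl -f` in the `HEALTHCHECK` writes progress and error output into the health log; `curl -fsS` keeps it quiet while still reporting failures.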
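Review bot: `- "5555:5555"` publishes knot's HTTP listener directly on the host on every interface, independent of the caddy `frontend` (now behind the `caddy` profile), so with the profile off this is unencrypted HTTP on the external side, and with it on the TLS proxy can be bypassed. If the direct port exists only for the no-caddy setup, bind it to loopback or make the bind address configurable, e.g. `- "${KNOT_BIND_HOST:-127.0.0.1}:5555:5555"` (variable name of your choosing), and say in a comment which port is the intended public entry point. `KNOT_SERVER_INTERNAL_LISTEN_ADDR: "localhost:5444"` is consistent with the wrapper, which reaches it over the container's own loopback.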
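Review bot: The top-level `volumes:` declaration (`-volumes:` / `-  caddy_data:`) is removed while the `frontend` service still mounts `caddy_data:/data`; Compose v2 rejects a service that references an undeclared named volume, so `docker compose --profile caddy up` fails at project validation. Re-add the two lines at the end of the file: a top-level `volumes:` block is unaffected by profiles, so it can stay even when the `caddy` service is not activated.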
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# Default values
+INTERNAL_API=${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-localhost:5444}
+REPO_PATH=${KNOT_REPO_SCAN_PATH:-/home/git/repositories}
+LOG_PATH="/tmp/knotguard.log"
+
+# Execute the knot keys command
+exec /usr/local/bin/knot keys \
+ -output authorized-keys \
+ -internal-api "http://${INTERNAL_API}" \
+ -git-dir "${REPO_PATH}" \
+ -log-path "${LOG_PATH}"
\ No newline at end of file
diff --git a/docker/rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf b/docker/rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf
index f09360e..d75f31e 100644
--- a/docker/rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf
+++ b/docker/rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf
@@ -5,5 +5,5 @@ HostKey /etc/ssh/keys/ssh_host_ed25519_key
 PasswordAuthentication no
 Match User git
- AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys
+ AuthorizedKeysCommand /etc/s6-overlay/scripts/keys-wrapper
 AuthorizedKeysCommandUser nobody
-- 
2.43.0
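Review bot: The `${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-…}` and `${KNOT_REPO_SCAN_PATH:-…}` lookups rely on the container environment, but sshd runs `AuthorizedKeysCommand` with a minimal, sanitized environment (in practice only `PATH`) as `AuthorizedKeysCommandUser nobody`, so the values set in docker-compose.yml never reach this script and the hard-coded defaults are what actually apply. That works now because the defaults match the compose file, but an operator who changes either variable gets silent key-lookup failures. Either record the coupling in the header, e.g. `# NOTE: sshd does not pass the container env to AuthorizedKeysCommand; these defaults must match the knot server's config`, or read the values from the files s6-overlay exports under `/run/s6/container_environment/` (only if that directory is readable by `nobody`). Separately, `/tmp/knotguard.log` is a fixed path in a world-writable directory written by an unprivileged user; a dedicated directory created in the image and owned by `nobody` is preferable to sharing `/tmp`.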
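Review bot: sshd only executes an `AuthorizedKeysCommand` whose file and parent directories are owned by root and not group- or world-writable; otherwise it logs an "Unsafe AuthorizedKeysCommand" error and key lookup fails with no hint on the client side. `COPY docker/rootfs/ .` running as root plus the `chmod +x` satisfies that today, but a `--chown` on that COPY or a group-writable file in the build context would break it. Worth a comment next to the directive, `# keys-wrapper must stay root-owned and not group/world-writable, or sshd refuses to run it`, so the constraint survives future Dockerfile edits.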