| author | Max Resnick <max@ofmax.li> | 2020-01-20 16:15:30 -0800 |
|---|---|---|
| committer | Max Resnick <max@ofmax.li> | 2020-01-20 16:15:30 -0800 |
| commit | 129c8e002137f7ad129f98d5543297ae37e59b09 (patch) | |
| tree | 5be017bcc0abfca4cb852890580352abd02e6c5e /src | |
| parent | 0d51da6a47383e7dba67f7637f49cf4d4bdb80a2 (diff) | |
| download | grumpy-containers-129c8e002137f7ad129f98d5543297ae37e59b09.tar.gz | |
Update cgit config/deps, remove password auth on gitolite
Diffstat (limited to 'src')
| -rw-r--r-- | src/cgit/Dockerfile | 9 | ||||
| -rw-r--r-- | src/cgit/VERSION | 2 | ||||
| -rwxr-xr-x | src/cgit/bin/entrypoint.sh | 2 | ||||
| -rw-r--r-- | src/gitolite/Dockerfile | 4 | ||||
| -rw-r--r-- | src/gitolite/VERSION | 2 | ||||
| -rwxr-xr-x | src/gitolite/bin/entrypoint.sh | 5 | ||||
| -rw-r--r-- | src/gitolite/etc/ssh/sshd_config | 125 |
7 files changed, 136 insertions, 13 deletions
diff --git a/src/cgit/Dockerfile b/src/cgit/Dockerfile
index 9c3b8e5..e0e31ba 100644
--- a/src/cgit/Dockerfile
+++ b/src/cgit/Dockerfile
@@ -1,10 +1,11 @@
 FROM registry.gitlab.com/grumps/grumpy-containers/base:v0.0.2
 SHELL ["/bin/bash", "-c"]
 RUN APT_OPTS="--no-install-recommends --install-suggests --yes" install_deb cgit uwsgi nginx-light \
- && mkdir -p /run/uwsgi \
- && chown www-data:www-data /run/uwsgi \
- && addgroup --gid 998 git \
- && usermod -a -G git www-data
+ && install_deb python3-minimal python3-pygments python3-markdown \
+ && mkdir -p /run/uwsgi \
+ && chown www-data:www-data /run/uwsgi \
+ && addgroup --gid 998 git \
+ && usermod -a -G git www-data
 COPY etc/uwsgi/cgit.ini /etc/uwsgi/cgit.ini
 COPY bin/entrypoint.sh /usr/bin/entrypoint.sh
 ENTRYPOINT ["/usr/bin/entrypoint.sh"]
diff --git a/src/cgit/VERSION b/src/cgit/VERSION
index a3dce6c..f9cece5 100644
--- a/src/cgit/VERSION
+++ b/src/cgit/VERSION
@@ -1 +1 @@
-v0.0.2
+v0.0.3
diff --git a/src/cgit/bin/entrypoint.sh b/src/cgit/bin/entrypoint.sh
index 3bb03be..88ecded 100755
--- a/src/cgit/bin/entrypoint.sh
+++ b/src/cgit/bin/entrypoint.sh
@@ -40,7 +40,7 @@ enable-index-links=1
 enable-commit-graph=1
 enable-log-filecount=1
 enable-log-linecount=1
-
+enable-commit-graph=1
 css=/cgit.css
 logo=/cgit.png
 virtual-root=/
diff --git a/src/gitolite/Dockerfile b/src/gitolite/Dockerfile
index 213ddf3..0127e22 100644
--- a/src/gitolite/Dockerfile
+++ b/src/gitolite/Dockerfile
@@ -1,7 +1,7 @@
 FROM registry.gitlab.com/grumps/grumpy-containers/base:v0.0.2
 SHELL ["/bin/bash", "-c"]
-RUN install_deb gitolite3
+RUN install_deb gitolite3
 RUN addgroup --gid 998 git \
 && useradd --no-create-home \
 --home-dir /var/lib/git \
@@ -10,4 +10,6 @@ RUN addgroup --gid 998 git \
 git
 RUN mkdir -p /run/sshd
 COPY bin/entrypoint.sh /usr/bin/entrypoint.sh
+COPY etc/ssh/sshd_config /etc/ssh/sshd_config
 ENTRYPOINT ["/usr/bin/entrypoint.sh"]
+CMD ["/usr/sbin/sshd"]
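Review bot: The added `install_deb python3-minimal python3-pygments python3-markdown` runs without the `APT_OPTS` prefix, because a `VAR=value cmd` assignment scopes to that single command and not to the rest of the `&&` chain, so the python packages are installed with whatever defaults `install_deb` uses (presumably pulling in recommends) while the cgit/uwsgi/nginx install stays trimmed. If the intent is a consistently minimal image, prefix the second call as well: `&& APT_OPTS="--no-install-recommends --yes" install_deb python3-minimal python3-pygments python3-markdown \`. I cannot see `install_deb`, so if it already reads a trimmed default from the base image this may be what you want; a one-line comment stating why pygments/markdown are needed (a cgit source/about filter, presumably) would also help the next reader.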
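Review bot: The added `enable-commit-graph=1` repeats the identical directive three lines above it in the same cgitrc block, so the new line is redundant rather than a configuration change; presumably a different option was meant, since the surrounding lines are per-repository `enable-*` toggles. Either drop the duplicate or replace it with the intended key, and keep the blank line if it was separating the `enable-*` group from the `css`/`logo` settings. The cgitrc block being generated starts and ends outside the hunk, so I cannot see whether the same key is also set elsewhere in the template.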
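Review bot: `CMD ["/usr/sbin/sshd"]` hands `/usr/sbin/sshd` to entrypoint.sh as `$1`, but the branch visible in the entrypoint hunk tests `[ "${1}" = 'sshd' ]`, so the host-key generation it guards would be skipped unless the script normalizes the name somewhere I cannot see. sshd started without `-D` also forks into the background, which ends PID 1 and stops the container, and without `-e` its log goes to syslog instead of the container's stderr where it can be collected. If the entrypoint execs its arguments as given, `CMD ["sshd", "-D", "-e"]` (with /usr/sbin on PATH) would match the branch and keep the daemon in the foreground; otherwise adjust the test to accept the full path. The rest of the entrypoint is outside the hunks, so please confirm which form it expects.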
diff --git a/src/gitolite/VERSION b/src/gitolite/VERSION
index a3dce6c..7df503e 100644
--- a/src/gitolite/VERSION
+++ b/src/gitolite/VERSION
@@ -1 +1 @@
-v0.0.2
+v0.0.4
diff --git a/src/gitolite/bin/entrypoint.sh b/src/gitolite/bin/entrypoint.sh
index ac240d0..7dc0075 100755
--- a/src/gitolite/bin/entrypoint.sh
+++ b/src/gitolite/bin/entrypoint.sh
@@ -35,11 +35,6 @@ if [ "${1}" = 'sshd' ]; then
 [ -f $keyfile ] || ssh-keygen -q -N '' -f $keyfile -t $algorithm
 grep -q "HostKey $keyfile" /etc/ssh/sshd_config || echo "HostKey $keyfile" >> /etc/ssh/sshd_config
 done
- # Disable unwanted authentications
- # perl -i -pe 's/^#?((?!Kerberos|GSSAPI)\w*Authentication)\s.*/\1 no/; s/^(PubkeyAuthentication) no/\1 yes/' /etc/ssh/sshd_config
- # Disable sftp subsystem
- perl -i -pe 's/^(Subsystem\ssftp\s)/#\1/' /etc/ssh/sshd_config
- perl -i -pe 's/^(AcceptEnv\s)/#\1/' /etc/ssh/sshd_config
 fi
 
 # Fix permissions at every startup
diff --git a/src/gitolite/etc/ssh/sshd_config b/src/gitolite/etc/ssh/sshd_config
new file mode 100644
index 0000000..4d680dc
--- /dev/null
+++ b/src/gitolite/etc/ssh/sshd_config
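Review bot: With the perl rewrites gone, the only runtime edit left in this branch is the `grep -q "HostKey $keyfile" ... || echo "HostKey $keyfile" >> /etc/ssh/sshd_config` append just above the removed lines, and the sshd_config now copied into the image already declares four `HostKey /etc/ssh/keys/...` entries. If `$keyfile` (set outside the hunk) resolves to those same paths the append is a no-op and could be dropped together with the edits; if it resolves elsewhere, sshd ends up with two sets of host keys on every start, so the loop and the static file should be made to agree. Removing the `Subsystem sftp` and `AcceptEnv` rewrites is consistent with both directives being commented out in the new file. The enclosing `if [ "${1}" = 'sshd' ]` block starts outside the hunk.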
@@ -0,0 +1,125 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+#AcceptEnv LANG LC_*
+
+# override default of no subsystems
+#Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+HostKey /etc/ssh/keys/ssh_host_rsa_key
+HostKey /etc/ssh/keys/ssh_host_dsa_key
+HostKey /etc/ssh/keys/ssh_host_ecdsa_key
+HostKey /etc/ssh/keys/ssh_host_ed25519_key
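Review bot: `X11Forwarding yes` is switched on explicitly in the new file although nothing on a gitolite host needs an X display, and the commented defaults leave `PermitRootLogin prohibit-password`, `AllowTcpForwarding yes` and `AllowAgentForwarding yes` in force, so a key-only git server still accepts root key logins and lets clients tunnel TCP and agent connections through it. gitolite's generated authorized_keys entries usually restrict forwarding and ptys per key, but an operator-added key or the root account would not get those restrictions, so pinning them in sshd_config is cheaper than relying on that. The `HostKey /etc/ssh/keys/ssh_host_dsa_key` line is also dead weight: OpenSSH has disabled ssh-dss host keys at runtime since 7.0, so that entry presumably only produces a "could not load host key" warning when the file is absent; drop it unless the key loop in entrypoint.sh deliberately generates one. Suggested settings below; the password/challenge-response/PAM block is fine as written.
```conf
# … unchanged: header comments, Port/ListenAddress, logging …
PermitRootLogin no
# … unchanged: PubkeyAuthentication, PasswordAuthentication no, ChallengeResponseAuthentication no, UsePAM yes …
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
# … unchanged: PrintMotd, AcceptEnv and Subsystem left commented …
HostKey /etc/ssh/keys/ssh_host_rsa_key
HostKey /etc/ssh/keys/ssh_host_ecdsa_key
HostKey /etc/ssh/keys/ssh_host_ed25519_key
```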