diff options
| -rw-r--r-- | src/cgit/Dockerfile | 9 | ||||
| -rw-r--r-- | src/cgit/VERSION | 2 | ||||
| -rwxr-xr-x | src/cgit/bin/entrypoint.sh | 2 | ||||
| -rw-r--r-- | src/gitolite/Dockerfile | 4 | ||||
| -rw-r--r-- | src/gitolite/VERSION | 2 | ||||
| -rwxr-xr-x | src/gitolite/bin/entrypoint.sh | 5 | ||||
| -rw-r--r-- | src/gitolite/etc/ssh/sshd_config | 125 |
7 files changed, 136 insertions, 13 deletions
diff --git a/src/cgit/Dockerfile b/src/cgit/Dockerfile index 9c3b8e5..e0e31ba 100644 --- a/src/cgit/Dockerfile +++ b/src/cgit/Dockerfile @@ -1,10 +1,11 @@ FROM registry.gitlab.com/grumps/grumpy-containers/base:v0.0.2 SHELL ["/bin/bash", "-c"] RUN APT_OPTS="--no-install-recommends --install-suggests --yes" install_deb cgit uwsgi nginx-light \ - && mkdir -p /run/uwsgi \ - && chown www-data:www-data /run/uwsgi \ - && addgroup --gid 998 git \ - && usermod -a -G git www-data + && install_deb python3-minimal python3-pygments python3-markdown \ + && mkdir -p /run/uwsgi \ + && chown www-data:www-data /run/uwsgi \ + && addgroup --gid 998 git \ + && usermod -a -G git www-data COPY etc/uwsgi/cgit.ini /etc/uwsgi/cgit.ini COPY bin/entrypoint.sh /usr/bin/entrypoint.sh ENTRYPOINT ["/usr/bin/entrypoint.sh"] diff --git a/src/cgit/VERSION b/src/cgit/VERSION index a3dce6c..f9cece5 100644 --- a/src/cgit/VERSION +++ b/src/cgit/VERSION @@ -1 +1 @@ -v0.0.2 +v0.0.3 diff --git a/src/cgit/bin/entrypoint.sh b/src/cgit/bin/entrypoint.sh index 3bb03be..88ecded 100755 --- a/src/cgit/bin/entrypoint.sh +++ b/src/cgit/bin/entrypoint.sh @@ -40,7 +40,7 @@ enable-index-links=1 enable-commit-graph=1 enable-log-filecount=1 enable-log-linecount=1 - +enable-commit-graph=1 css=/cgit.css logo=/cgit.png virtual-root=/ diff --git a/src/gitolite/Dockerfile b/src/gitolite/Dockerfile index 213ddf3..0127e22 100644 --- a/src/gitolite/Dockerfile +++ b/src/gitolite/Dockerfile @@ -1,7 +1,7 @@ FROM registry.gitlab.com/grumps/grumpy-containers/base:v0.0.2 SHELL ["/bin/bash", "-c"] -RUN install_deb gitolite3 +RUN install_deb gitolite3 RUN addgroup --gid 998 git \ && useradd --no-create-home \ --home-dir /var/lib/git \ @@ -10,4 +10,6 @@ RUN addgroup --gid 998 git \ git RUN mkdir -p /run/sshd COPY bin/entrypoint.sh /usr/bin/entrypoint.sh +COPY etc/ssh/sshd_config /etc/ssh/sshd_config ENTRYPOINT ["/usr/bin/entrypoint.sh"] +CMD ["/usr/sbin/sshd"] diff --git a/src/gitolite/VERSION b/src/gitolite/VERSION index a3dce6c..7df503e 100644 --- a/src/gitolite/VERSION +++ b/src/gitolite/VERSION @@ -1 +1 @@ -v0.0.2 +v0.0.4 diff --git a/src/gitolite/bin/entrypoint.sh b/src/gitolite/bin/entrypoint.sh index ac240d0..7dc0075 100755 --- a/src/gitolite/bin/entrypoint.sh +++ b/src/gitolite/bin/entrypoint.sh @@ -35,11 +35,6 @@ if [ "${1}" = 'sshd' ]; then [ -f $keyfile ] || ssh-keygen -q -N '' -f $keyfile -t $algorithm grep -q "HostKey $keyfile" /etc/ssh/sshd_config || echo "HostKey $keyfile" >> /etc/ssh/sshd_config done - # Disable unwanted authentications - # perl -i -pe 's/^#?((?!Kerberos|GSSAPI)\w*Authentication)\s.*/\1 no/; s/^(PubkeyAuthentication) no/\1 yes/' /etc/ssh/sshd_config - # Disable sftp subsystem - perl -i -pe 's/^(Subsystem\ssftp\s)/#\1/' /etc/ssh/sshd_config - perl -i -pe 's/^(AcceptEnv\s)/#\1/' /etc/ssh/sshd_config fi # Fix permissions at every startup diff --git a/src/gitolite/etc/ssh/sshd_config b/src/gitolite/etc/ssh/sshd_config new file mode 100644 index 0000000..4d680dc --- /dev/null +++ b/src/gitolite/etc/ssh/sshd_config @@ -0,0 +1,125 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# Expect .ssh/authorized_keys2 to be disregarded by default in future. +#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +#AcceptEnv LANG LC_* + +# override default of no subsystems +#Subsystem sftp /usr/lib/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server +HostKey /etc/ssh/keys/ssh_host_rsa_key +HostKey /etc/ssh/keys/ssh_host_dsa_key +HostKey /etc/ssh/keys/ssh_host_ecdsa_key +HostKey /etc/ssh/keys/ssh_host_ed25519_key |