From e6359a9ceb5fba89ab0d152ce6ead2da7b8afa57 Mon Sep 17 00:00:00 2001
From: memdmp
Date: Fri, 3 Jan 2025 01:03:27 +0100
Subject: feat: a sensible setup, for once

---
 image/Caddyfile | 26 ++++++++++
 image/cgitrc | 119 ++++++++++++++++++++++++++++++++++++++++++
 image/fcgiwrap-launcher | 15 ++++++
 image/prepare-container.sh | 57 ++++++++++++++++++++
 image/sshd_config | 118 +++++++++++++++++++++++++++++++++++++++++
 image/syntax-highlighting.sh | 121 +++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 456 insertions(+)
 create mode 100644 image/Caddyfile
 create mode 100644 image/cgitrc
 create mode 100755 image/fcgiwrap-launcher
 create mode 100755 image/prepare-container.sh
 create mode 100644 image/sshd_config
 create mode 100644 image/syntax-highlighting.sh
(limited to 'image')

diff --git a/image/Caddyfile b/image/Caddyfile
new file mode 100644
index 0000000..b50dccc
--- /dev/null
+++ b/image/Caddyfile
@@ -0,0 +1,26 @@
+http:// {
+ route {
+ root * /var/lib/git/static
+ file_server {
+ pass_thru
+ }
+ }
+
+ route {
+ root * /usr/share/webapps/cgit
+ file_server {
+ pass_thru
+ }
+ }
+
+ reverse_proxy unix//run/fcgiwrap/fcgiwrap.sock {
+ transport fastcgi {
+ env SCRIPT_FILENAME /usr/share/webapps/cgit/cgit.cgi
+ env PATH_INFO {http.request.uri}
+ env QUERY_STRING {query}
+ # env GIT_HTTP_EXPORT_ALL 1
+ # env GIT_PROJECT_ROOT /var/lib/git/repositories
+ # env HOME /var/lib/git
+ }
+ }
+}
diff --git a/image/cgitrc b/image/cgitrc
new file mode 100644
index 0000000..60d0bef
--- /dev/null
+++ b/image/cgitrc
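Review bot: `env PATH_INFO {http.request.uri}` passes cgit the full request URI, and in Caddy that placeholder still contains the query string, so for a request like `/repo.git/log/?h=main` cgit's PATH_INFO would carry `?h=main` while QUERY_STRING is set separately from `{query}`; the path-only placeholder is `{http.request.uri.path}` (shorthand `{path}`), i.e. `env PATH_INFO {path}`. The second `route` block serves all of `/usr/share/webapps/cgit` through `file_server` with `pass_thru`, so as far as I can tell a request for `/cgit.cgi` would be answered with the CGI binary as a static download rather than executed; restricting that root to the static assets (`/cgit.css`, `/cgit.png`) with a path matcher avoids that. The site block is `http://` only, which is fine behind a TLS-terminating proxy, but a one-line comment stating that assumption would help the next reader.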
@@ -0,0 +1,119 @@
+# Enable caching of up to 1000 output entries
+cache-size=1000
+
+# Specify some default clone prefixes
+clone-prefix=http://git.mydomain.com/git ssh://git@git.mydomain.com
+
+# Specify the css url
+css=/cgit.css
+
+# Show extra links for each repository on the index page
+enable-index-links=1
+
+# Show number of affected files per commit on the log pages
+enable-log-filecount=1
+
+# Show number of added/removed lines per commit on the log pages
+enable-log-linecount=1
+
+# Enable ASCII art commit history graph on the log pages
+enable-commit-graph=1
+
+# Add a cgit favicon
+#favicon=/favicon.ico
+
+# Use a custom logo
+logo=/cgit.png
+
+# Enable statistics per week, month and quarter
+max-stats=month
+
+# Set the title and heading of the repository index page
+root-title=Welcome !
+
+# Set a subheading for the repository index page
+root-desc=Some information...
+
+# Include some more info about foobar.com on the index page
+#root-readme=/var/www/htdocs/about.html
+
+# Allow download of tar.gz, tar.bz2 and zip-files
+snapshots=tar.gz tar.bz2 zip
+
+robots=noindex, nofollow
+enable-git-config=1
+#source-filter=/opt/highlight.sh
+source-filter=/usr/local/lib/cgit/filters/syntax-highlighting.py
+
+
+##
+## Search for these files in the root of the default branch of repositories
+## for coming up with the about page:
+##
+readme=:README.md
+readme=:readme.md
+readme=:README.mkd
+readme=:readme.mkd
+readme=:README.rst
+readme=:readme.rst
+readme=:README.html
+readme=:readme.html
+readme=:README.htm
+readme=:readme.htm
+readme=:README.txt
+readme=:readme.txt
+readme=:README
+readme=:readme
+readme=:INSTALL.md
+readme=:install.md
+readme=:INSTALL.mkd
+readme=:install.mkd
+readme=:INSTALL.rst
+readme=:install.rst
+readme=:INSTALL.html
+readme=:install.html
+readme=:INSTALL.htm
+readme=:install.htm
+readme=:INSTALL.txt
+readme=:install.txt
+readme=:INSTALL
+readme=:install
+
+about-filter=/usr/local/lib/cgit/filters/about-formatting.sh
+
+##
+### List of common mimetypes
+###
+
+mimetype.git=image/git
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+
+##
+## List of repositories.
+## PS: Any repositories listed when repo.group is unset will not be
+## displayed under a group heading
+## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos')
+## and included like this:
+## include=/etc/cgitrepos
+##
+
+####
+section=my repo
+
+#repo.url=testing
+#repo.path=/var/lib/git/testing.git
+#repo.desc=Testing repo created by Gitolite
+#repo.owner=admin@mynetwork.com
+#
+
+
+
+# Auto scan
+scan-path=/var/lib/git/repositories
+
+
diff --git a/image/fcgiwrap-launcher b/image/fcgiwrap-launcher
new file mode 100755
index 0000000..0970ec4
--- /dev/null
+++ b/image/fcgiwrap-launcher
@@ -0,0 +1,15 @@
+#!/bin/zsh
+set -eax
+command="/usr/bin/fcgiwrap"
+user="fcgiwrap"
+group="www-data"
+: ${socket:="unix:/run/fcgiwrap/fcgiwrap.sock"}
+case "$socket" in
+unix:/*)
+ local socket_path="${socket#unix:}"
+ /usr/libexec/rc/bin/checkpath --directory --mode 2775 --owner "${user}:${group}" \
+ "${socket_path%/*}"
+ ;;
+esac
+
+exec sudo -u "$user" -g "$group" "$command" -c "${nproc:-$(nproc)}" -s "$socket"
diff --git a/image/prepare-container.sh b/image/prepare-container.sh
new file mode 100755
index 0000000..66ccb2f
--- /dev/null
+++ b/image/prepare-container.sh
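Review bot: `source-filter=/usr/local/lib/cgit/filters/syntax-highlighting.py` names a Python filter, but what this commit ships is `image/syntax-highlighting.sh`, and with `new file mode 100644` it is not executable either; unless the `.py` filter is installed from somewhere outside this commit, the line should read `source-filter=/usr/local/lib/cgit/filters/syntax-highlighting.sh` and the file needs its execute bit, and the same question applies to `about-filter=/usr/local/lib/cgit/filters/about-formatting.sh`. `enable-git-config=1` lets `cgit.*` keys in each repository's git config override per-repository settings (owner, description, section and similar) from this file; since gitolite can set repository config, confirm that is intended or leave it at 0. `clone-prefix` still carries the `git.mydomain.com` placeholder and will show up verbatim on every repository page until replaced.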
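Review bot: `set -eax` enables allexport, so every variable the launcher assigns (`command`, `user`, `group`, `socket`, `socket_path`) becomes part of fcgiwrap's environment and, unless sudo's env_reset strips it, of every CGI process fcgiwrap spawns, while `-x` traces each command to stderr on every start; `set -e` is all this script needs. `local socket_path="${socket#unix:}"` is used outside any function — zsh may accept it there, but a plain `socket_path="${socket#unix:}"` says what is meant. The default is applied with an unquoted `: ${socket:=…}`; `: "${socket:=unix:/run/fcgiwrap/fcgiwrap.sock}"` avoids word-splitting and globbing of the value.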
@@ -0,0 +1,57 @@
+#!/bin/sh
+set -e
+
+# Warning : this no standard docker entrypoint, we use dumb-init !
+ensureKeyAlgo() {
+ if [ ! -f "/etc/ssh/ssh_host_${1}_key" ]; then
+ # generate fresh $1 key
+ ssh-keygen -f /etc/ssh/ssh_host_${1}_key -N '' -t "${1}"
+ fi
+}
+ensureKeyAlgo ed25519
+ensureKeyAlgo rsa
+ensureKeyAlgo ecdsa
+[[ -f /etc/sshd_config ]] && mv /etc/sshd_config /etc/ssh/sshd_config || [[ -f /etc/ssh/sshd_config ]]
+chmod -w /etc/ssh/sshd_config
+
+# prepare run dir
+if ! [[ -d "/var/run/sshd" ]]; then
+ mkdir -p /var/run/sshd
+fi
+
+# Run sshd
+echo "Starting sshd"
+/usr/sbin/sshd
+
+# Volume permissions
+echo "Setting up permissions"
+mkdir -p /var/lib/git/.gitolite/logs
+chown -R git /var/lib/git
+chgrp -R www-data /var/lib/git
+chmod -R 775 /var/lib/git
+
+# If no cgitrc, let's copy one from /etc/cgitrc.default. This happens when bindmounting /var/lib/git
+if [ ! -f "/var/lib/git/cgitrc" ]; then
+ echo '# This is an autogenrated file. Do not edit it by hand, changes will be lost.' | cat - /etc/cgitrc.default > /var/lib/git/cgitrc
+ chown git /var/lib/git/cgitrc
+ chmod 711 /var/lib/git/cgitrc
+fi
+if [ ! -f "/var/lib/git/.ssh/authorized_keys" ]; then
+ # Gitolite configuration (admin pubkey)
+ if [ -n "$SSH_KEY" ]; then
+ echo "$SSH_KEY" > "/tmp/admin.pub"
+ su - git -c "gitolite setup -pk \"/tmp/admin.pub\""
+ rm "/tmp/admin.pub"
+ else
+ echo "You need to specify SSH_KEY on first run to setup gitolite"
+ echo 'Example: podman run --rm -dit -v git-data:/var/lib/git -v git-ssh:/etc/ssh -e SSH_KEY="$(cat /home//.ssh/id_rsa.pub)" gjbs84/gitolite-cgit:latest'
+ exit 1
+ fi
+ echo "First launch: container is now shut down"
+ halt
+else
+ # Check setup at every startup
+ su - git -c "gitolite setup"
+fi
+
+#exec "$@"
diff --git a/image/sshd_config b/image/sshd_config
new file mode 100644
index 0000000..553d298
--- /dev/null
+++ b/image/sshd_config
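Review bot: `chgrp -R www-data /var/lib/git` followed by `chmod -R 775 /var/lib/git` makes the git user's `.ssh/authorized_keys`, the `.gitolite/` state and every repository group-writable by `www-data`, which per `image/fcgiwrap-launcher` is the group the web-facing CGI runs under; a defect in the web tier would then suffice to change the keys that grant SSH access as `git`, and `StrictModes no` in `image/sshd_config` appears to be there only so sshd tolerates exactly these permissions. Keep the web group read-only instead: `chmod -R g-w /var/lib/git` after the `775` (or apply `775` to `/var/lib/git/repositories` only), plus `chmod 700 /var/lib/git/.ssh` and `chmod 600 /var/lib/git/.ssh/authorized_keys`, and drop the StrictModes override. The file is `#!/bin/sh` but uses `[[ … ]]` three times; under dash `[[ -f /etc/sshd_config ]] && mv … || [[ -f /etc/ssh/sshd_config ]]` fails and `set -e` aborts the entrypoint, so use `[ … ]` or change the shebang to bash. `chmod 711 /var/lib/git/cgitrc` also sets an execute bit on a configuration file where `644` (or `640` with group `www-data`) is what is wanted.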
@@ -0,0 +1,118 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+StrictModes no
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+# Feel free to re-enable these if your use case requires them.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/image/syntax-highlighting.sh b/image/syntax-highlighting.sh
new file mode 100644
index 0000000..3de95fa
--- /dev/null
+++ b/image/syntax-highlighting.sh
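Review bot: `StrictModes no` turns off sshd's ownership and mode checks on the login user's home, `~/.ssh` and `authorized_keys`; together with `chgrp -R www-data` and `chmod -R 775 /var/lib/git` in `image/prepare-container.sh` that makes a group-writable `authorized_keys` acceptable to sshd, which is precisely the condition StrictModes exists to reject. Fix the permissions in the entrypoint and leave this at its default (`#StrictModes yes`) instead. `HostKey /etc/ssh/ssh_host_ed25519_key` appears twice (the first and last of the four HostKey lines); harmless, but the duplicate should go. Since only the `git` account is meant to log in here, stating that explicitly with `PermitRootLogin no` and `AllowUsers git` makes the intended exposure visible rather than relying on the commented default.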
@@ -0,0 +1,121 @@
+#!/bin/sh
+# This script can be used to implement syntax highlighting in the cgit
+# tree-view by referring to this file with the source-filter or repo.source-
+# filter options in cgitrc.
+#
+# This script requires a shell supporting the ${var##pattern} syntax.
+# It is supported by at least dash and bash, however busybox environments
+# might have to use an external call to sed instead.
+#
+# Note: the highlight command (http://www.andre-simon.de/) uses css for syntax
+# highlighting, so you'll probably want something like the following included
+# in your css file:
+#
+# Style definition file generated by highlight 2.4.8, http://www.andre-simon.de/
+#
+# table.blob .num { color:#2928ff; }
+# table.blob .esc { color:#ff00ff; }
+# table.blob .str { color:#ff0000; }
+# table.blob .dstr { color:#818100; }
+# table.blob .slc { color:#838183; font-style:italic; }
+# table.blob .com { color:#838183; font-style:italic; }
+# table.blob .dir { color:#008200; }
+# table.blob .sym { color:#000000; }
+# table.blob .kwa { color:#000000; font-weight:bold; }
+# table.blob .kwb { color:#830000; }
+# table.blob .kwc { color:#000000; font-weight:bold; }
+# table.blob .kwd { color:#010181; }
+#
+#
+# Style definition file generated by highlight 2.6.14, http://www.andre-simon.de/
+#
+# body.hl { background-color:#ffffff; }
+# pre.hl { color:#000000; background-color:#ffffff; font-size:10pt; font-family:'Courier New';}
+# .hl.num { color:#2928ff; }
+# .hl.esc { color:#ff00ff; }
+# .hl.str { color:#ff0000; }
+# .hl.dstr { color:#818100; }
+# .hl.slc { color:#838183; font-style:italic; }
+# .hl.com { color:#838183; font-style:italic; }
+# .hl.dir { color:#008200; }
+# .hl.sym { color:#000000; }
+# .hl.line { color:#555555; }
+# .hl.mark { background-color:#ffffbb;}
+# .hl.kwa { color:#000000; font-weight:bold; }
+# .hl.kwb { color:#830000; }
+# .hl.kwc { color:#000000; font-weight:bold; }
+# .hl.kwd { color:#010181; }
+#
+#
+# Style definition file generated by highlight 3.8, http://www.andre-simon.de/
+#
+# body.hl { background-color:#e0eaee; }
+# pre.hl { color:#000000; background-color:#e0eaee; font-size:10pt; font-family:'Courier New';}
+# .hl.num { color:#b07e00; }
+# .hl.esc { color:#ff00ff; }
+# .hl.str { color:#bf0303; }
+# .hl.pps { color:#818100; }
+# .hl.slc { color:#838183; font-style:italic; }
+# .hl.com { color:#838183; font-style:italic; }
+# .hl.ppc { color:#008200; }
+# .hl.opt { color:#000000; }
+# .hl.lin { color:#555555; }
+# .hl.kwa { color:#000000; font-weight:bold; }
+# .hl.kwb { color:#0057ae; }
+# .hl.kwc { color:#000000; font-weight:bold; }
+# .hl.kwd { color:#010181; }
+#
+#
+# Style definition file generated by highlight 3.13, http://www.andre-simon.de/
+#
+# body.hl { background-color:#e0eaee; }
+# pre.hl { color:#000000; background-color:#e0eaee; font-size:10pt; font-family:'Courier New',monospace;}
+# .hl.num { color:#b07e00; }
+# .hl.esc { color:#ff00ff; }
+# .hl.str { color:#bf0303; }
+# .hl.pps { color:#818100; }
+# .hl.slc { color:#838183; font-style:italic; }
+# .hl.com { color:#838183; font-style:italic; }
+# .hl.ppc { color:#008200; }
+# .hl.opt { color:#000000; }
+# .hl.ipl { color:#0057ae; }
+# .hl.lin { color:#555555; }
+# .hl.kwa { color:#000000; font-weight:bold; }
+# .hl.kwb { color:#0057ae; }
+# .hl.kwc { color:#000000; font-weight:bold; }
+# .hl.kwd { color:#010181; }
+#
+#
+# The following environment variables can be used to retrieve the configuration
+# of the repository for which this script is called:
+# CGIT_REPO_URL ( = repo.url setting )
+# CGIT_REPO_NAME ( = repo.name setting )
+# CGIT_REPO_PATH ( = repo.path setting )
+# CGIT_REPO_OWNER ( = repo.owner setting )
+# CGIT_REPO_DEFBRANCH ( = repo.defbranch setting )
+# CGIT_REPO_SECTION ( = section setting )
+# CGIT_REPO_CLONE_URL ( = repo.clone-url setting )
+#
+
+# store filename and extension in local vars
+BASENAME="$1"
+EXTENSION="${BASENAME##*.}"
+
+[ "${BASENAME}" = "${EXTENSION}" ] && EXTENSION=txt
+[ -z "${EXTENSION}" ] && EXTENSION=txt
+
+# map Makefile and Makefile.* to .mk
+[ "${BASENAME%%.*}" = "Makefile" ] && EXTENSION=mk
+
+# highlight versions 2 and 3 have different commandline options. Specifically,
+# the -X option that is used for version 2 is replaced by the -O xhtml option
+# for version 3.
+#
+# Version 2 can be found (for example) on EPEL 5, while version 3 can be
+# found (for example) on EPEL 6.
+#
+# This is for version 2
+#exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
+
+# This is for version 3
+exec highlight --force --inline-css -f -I -O xhtml -S "$EXTENSION" 2>/dev/null
-- 
cgit v1.2.3