
debian buster; install openssh-server, git, git-annex & gitolite; run openssh-server

Fabian Peter Hammerle 3 years ago
commit
3e87fd638e
4 changed files with 119 additions and 0 deletions
  1. 39 0
      Dockerfile
  2. 36 0
      Makefile
  3. 14 0
      entrypoint.sh
  4. 30 0
      sshd_config

+ 39 - 0
Dockerfile

@@ -0,0 +1,39 @@
+FROM docker.io/debian:10.8-slim
+
+ARG GITOLITE_PACKAGE_VERSION=3.6.11-2
+ARG GIT_ANNEX_PACKAGE_VERSION=7.20190129-3
+ARG GIT_PACKAGE_VERSION=1:2.20.1-2+deb10u3
+ARG OPENSSH_SERVER_PACKAGE_VERSION=1:7.9p1-10+deb10u2
+ARG USER=git
+ARG GITOLITE_HOME_PATH=/var/lib/gitolite
+ENV SSHD_HOST_KEYS_DIR=/etc/ssh/host_keys
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends --yes \
+        git-annex=$GIT_ANNEX_PACKAGE_VERSION \
+        git=$GIT_PACKAGE_VERSION \
+        gitolite3=$GITOLITE_PACKAGE_VERSION \
+        openssh-server=$OPENSSH_SERVER_PACKAGE_VERSION \
+    && rm -rf /var/lib/apt/lists/* \
+    && rm /etc/ssh/ssh_host_*_key* \
+    && useradd --home-dir "$GITOLITE_HOME_PATH" --create-home "$USER" \
+    && getent passwd "$USER" \
+    && if grep --extended-regex --invert-match '^[a-z0-9_-]+:[\*!]:' /etc/shadow; then exit 1; fi \
+    && mkdir "$SSHD_HOST_KEYS_DIR" \
+    && chown -c "$USER" "$SSHD_HOST_KEYS_DIR"
+VOLUME $GITOLITE_HOME_PATH
+VOLUME $SSHD_HOST_KEYS_DIR
+
+COPY sshd_config /etc/ssh/sshd_config
+EXPOSE 2200/tcp
+
+COPY entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
+
+USER $USER
+CMD ["/usr/sbin/sshd", "-D", "-e"]
+
+# https://github.com/opencontainers/image-spec/blob/v1.0.1/annotations.md
+ARG REVISION=
+LABEL org.opencontainers.image.title="gitolite with support for git-annex" \
+    org.opencontainers.image.source="https://github.com/fphammerle/docker-gitolite" \
+    org.opencontainers.image.revision="$REVISION"
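Review bot: `FROM docker.io/debian:10.8-slim` pins the base image only by a mutable tag while every apt package below it is pinned to an exact version, so the supply-chain pinning is weaker than the rest of the file suggests; a digest makes the build reproducible and tamper-evident, e.g. `FROM docker.io/debian:10.8-slim@sha256:<BASE_IMAGE_DIGEST>` (placeholder, fill in from the registry). The `chown -c "$USER" "$SSHD_HOST_KEYS_DIR"` line hands the host-key directory to the same unprivileged account that later runs sshd and serves gitolite, which is what lets the entrypoint generate keys without root but also means that account can rewrite the server identity; a comment stating the trade-off would help, e.g. `# host keys are generated at first run by $USER (see entrypoint.sh); the directory is writable by the service account`. The `[\*!]` bracket expression in the /etc/shadow check treats the backslash as a literal character, which is harmless here but `[*!]` expresses the intent directly.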

+ 36 - 0
Makefile

@@ -0,0 +1,36 @@
+# sync with https://github.com/fphammerle/docker-onion-service/blob/master/Makefile
+
+IMAGE_NAME = docker.io/fphammerle/gitolite
+PROJECT_VERSION = $(shell git describe --match=v* --abbrev=0 --dirty | sed -e 's/^v//')
+GITOLITE_PACKAGE_VERSION = $(shell grep -Po 'GITOLITE_PACKAGE_VERSION=\K.+' Dockerfile | tr - _)
+GIT_ANNEX_PACKAGE_VERSION = $(shell grep -Po 'GIT_ANNEX_PACKAGE_VERSION=\K.+' Dockerfile | tr - _)
+GIT_PACKAGE_VERSION = $(shell grep -Po 'GIT_PACKAGE_VERSION=1:\K.+' Dockerfile | tr + _)
+ARCH = $(shell arch)
+# architecture[arm_variant]
+# https://github.com/opencontainers/image-spec/blob/v1.0.1/image-index.md#image-index-property-descriptions
+IMAGE_TAG_ARCH_aarch64 = arm64
+IMAGE_TAG_ARCH_armv6l = armv6
+IMAGE_TAG_ARCH_armv7l = armv7
+IMAGE_TAG_ARCH_x86_64 = amd64
+IMAGE_TAG_ARCH = ${IMAGE_TAG_ARCH_${ARCH}}
+IMAGE_TAG = ${PROJECT_VERSION}-gitolite${GITOLITE_PACKAGE_VERSION}-git${GIT_PACKAGE_VERSION}-gitannex${GIT_ANNEX_PACKAGE_VERSION}
+BUILD_PARAMS = --tag="${IMAGE_NAME}:${IMAGE_TAG}" \
+	--build-arg=REVISION="$(shell git rev-parse HEAD)"
+
+.PHONY: worktree-clean docker-build podman-build docker-push
+
+worktree-clean:
+	git diff --exit-code
+	git diff --staged --exit-code
+
+docker-build: worktree-clean
+	sudo docker build ${BUILD_PARAMS} .
+
+podman-build: worktree-clean
+	# --format=oci (default) not fully supported by hub.docker.com
+	# https://github.com/docker/hub-feedback/issues/1871#issuecomment-748924149
+	podman build --format=docker ${BUILD_PARAMS} .
+
+docker-push: docker-build
+	sudo docker push "${IMAGE_NAME}:${IMAGE_TAG}"
+	@echo git tag --sign --message '$(shell sudo docker image inspect --format '{{join .RepoDigests "\n"}}' "${IMAGE_NAME}:${IMAGE_TAG}")' docker/${IMAGE_TAG} $(shell git rev-parse HEAD)
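Review bot: The `$(shell …)` assignments on the `PROJECT_VERSION`, `GITOLITE_PACKAGE_VERSION`, `GIT_ANNEX_PACKAGE_VERSION`, `GIT_PACKAGE_VERSION` and `ARCH` lines use recursive `=`, so git, grep and arch are re-executed every time `IMAGE_TAG` or `BUILD_PARAMS` is expanded (several times during `docker-push`), and the `--dirty` suffix could in principle differ between expansions; simple assignment fixes both, e.g. `PROJECT_VERSION := $(shell git describe --match=v* --abbrev=0 --dirty | sed -e 's/^v//')` with the same `:=` on the other four lines and a single `REVISION := $(shell git rev-parse HEAD)` reused in `BUILD_PARAMS` and the push echo. `worktree-clean` only checks tracked changes; untracked files that end up in the build context are not caught, so `git status --porcelain` may be worth adding if that matters for the image's provenance. The two `#` lines inside the `podman-build` recipe are passed to the shell and echoed rather than treated as Make comments; moving them above the rule header keeps the output clean.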

+ 14 - 0
entrypoint.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -eu
+
+if [ ! -f "$SSHD_HOST_KEYS_DIR/rsa" ]; then
+    ssh-keygen -t rsa -b 4096 -N '' -f "$SSHD_HOST_KEYS_DIR/rsa"
+fi
+if [ ! -f "$SSHD_HOST_KEYS_DIR/ed25519" ]; then
+    ssh-keygen -t ed25519 -N '' -f "$SSHD_HOST_KEYS_DIR/ed25519"
+fi
+
+set -x
+
+exec "$@"
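Review bot: When a host key is generated on the `ssh-keygen` lines nothing records its fingerprint, so an operator has no out-of-band value to compare against the first client connection; printing it right after generation, e.g. `ssh-keygen -lf "$SSHD_HOST_KEYS_DIR/ed25519.pub"` (and the same for `rsa.pub`), puts it in the container log at no cost. The existence checks look only at the private key file, so a directory holding an `rsa` file without `rsa.pub` skips generation and sshd starts with whatever that key is; this is presumably intended (the volume is the source of truth) and a one-line comment saying so would prevent a later "fix". Since the Dockerfile makes the key directory writable by the service account, generation here is a first-run convenience rather than a guarantee of a stable identity, which is worth noting in the same comment.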

+ 30 - 0
sshd_config

@@ -0,0 +1,30 @@
+LogLevel INFO
+#LogLevel DEBUG
+
+PidFile none
+
+Port 2200
+Protocol 2
+
+HostKey /etc/ssh/host_keys/rsa
+HostKey /etc/ssh/host_keys/ed25519
+
+# https://www.ssh-audit.com/hardening_guides.html#ubuntu_20_04_lts
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
+
+UsePAM no
+PermitRootLogin no
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+StrictModes no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PermitUserEnvironment no
+PrintMotd no
+PermitTTY no
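Review bot: `StrictModes no` turns off sshd's refusal to use a home directory or `authorized_keys` with lax permissions, which is a real hardening loss on a server whose only authentication is public-key; if it is needed because the gitolite home is a volume whose ownership the image cannot control, the reason belongs next to it, e.g. `# StrictModes off: gitolite home is a volume and its uid/mode may not match the container user; file permissions are the operator's responsibility`. Since only the account created as `$USER` (git by default) is meant to log in, an `AllowUsers` line naming it would make that explicit instead of relying on every other account having a locked password and no keys. The algorithm lists are taken from a guide written for a newer OpenSSH than the 7.9p1 pinned in the Dockerfile; running `sshd -t -f sshd_config` during the image build would catch any name that release rejects before the container is deployed.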