diff --git a/Makefile b/Makefile index 8fe4de9..a28a925 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -images=backup buku ddclient gitolite gitolite-stagit git-daemon rss-bridge syncthing tasks tor vdirsyncer wallabag xandikos +images=backup buku ddclient gitolite gitolite-pystagit git-daemon rss-bridge syncthing tasks tor vdirsyncer wallabag xandikos .PHONY: all $(images) all: $(images) diff --git a/gitolite-pystagit/Dockerfile b/gitolite-pystagit/Dockerfile new file mode 100644 index 0000000..0153e27 --- /dev/null +++ b/gitolite-pystagit/Dockerfile @@ -0,0 +1,41 @@ +FROM alpine:3.13 + +RUN apk add --no-cache \ + gitolite \ + libgit2 \ + openssh-server \ + python3 \ + su-exec && \ + apk add --no-cache --virtual .build-deps \ + gcc \ + libffi-dev \ + libgit2-dev \ + musl-dev \ + py3-pip \ + python3-dev && \ + git clone https://github.com/gthar/pystagit.git /tmp/pystagit && \ + pip install /tmp/pystagit && \ + rm -r /tmp/pystagit && \ + apk del .build-deps && \ + passwd -u git && \ + mkdir -p /opt/gitolite-local/hooks/common + +COPY sshd_config /etc/ssh/sshd_config +COPY gitolite.rc /var/lib/git/.gitolite.rc + +COPY bin/. /usr/local/bin/ +COPY local_code/. /opt/gitolite-local/ + +RUN chown -R git:git /var/lib/git && \ + chmod +x \ + /usr/local/bin/entrypoint \ + /usr/local/bin/build-pystagit-index \ + /usr/local/bin/build-pystagit-repo \ + /usr/local/bin/build-pystagit-repos \ + /opt/gitolite-local/hooks/common/post-receive \ + /opt/gitolite-local/triggers/build-pystagit-index \ + /opt/gitolite-local/triggers/build-pystagit-repo \ + /opt/gitolite-local/triggers/build-pystagit-repos + +ENTRYPOINT ["/usr/local/bin/entrypoint"] +CMD ["/usr/sbin/sshd", "-D", "-e"] diff --git a/gitolite-pystagit/Makefile b/gitolite-pystagit/Makefile new file mode 100644 index 0000000..a1586e1 --- /dev/null +++ b/gitolite-pystagit/Makefile @@ -0,0 +1,16 @@ +USERNAME = rilla +IMG_NAME = gitolite-pystagit + +.PHONY: build build-nc + +BIN=$(wildcard bin/*) +HOOKS=$(wildcard local_code/hooks/*) +TRIGGERS=$(wildcard local_code/triggers/*) + +DEPS=Dockerfile $(BIN) $(HOOKS) $(TRIGGERS) gitolite.rc sshd_config + +build: $(DEPS) + docker build -t $(USERNAME)/$(IMG_NAME) . + +build-nc: $(DEPS) + docker build --no-cache -t $(USERNAME)/$(IMG_NAME) . diff --git a/gitolite-pystagit/bin/build-pystagit-index b/gitolite-pystagit/bin/build-pystagit-index new file mode 100644 index 0000000..7dcd1c3 --- /dev/null +++ b/gitolite-pystagit/bin/build-pystagit-index @@ -0,0 +1,26 @@ +#!/bin/sh + +set -e + +PYSTAGIT_BASE="${PYSTAGIT_BASE:-/var/lib/git/stagit}" +GL_REPO_BASE="${GL_REPO_BASE:-/var/lib/git/repositories}" + +mk_index () { + gitolite list-phy-repos | \ + gitolite access % stagit R any | \ + awk \ + -F'\t' \ + -v d="${GL_REPO_BASE}" \ + '{if ($3 !~ "DENIED") print d"/"$1".git"}' | \ + xargs -r /usr/local/bin/stagit-index | \ + sed 's|\(\)|\1\2|' > \ + "${1}/index.html" +} + +if [ -n "${SITES}" ]; then + for site in ${SITES}; do + mk_index "${PYSTAGIT_BASE}-${site}" + done +else + mk_index "${PYSTAGIT_BASE}" +fi diff --git a/gitolite-pystagit/bin/build-pystagit-repo b/gitolite-pystagit/bin/build-pystagit-repo new file mode 100644 index 0000000..940de02 --- /dev/null +++ b/gitolite-pystagit/bin/build-pystagit-repo @@ -0,0 +1,70 @@ +#!/bin/sh + +set -e + +[ -z "${1}" ] && exit + +PYSTAGIT_BASE="${PYSTAGIT_BASE:-/var/lib/git/pystagit}" +GL_REPO_BASE="${GL_REPO_BASE:-/var/lib/git/repositories}" + +# shellcheck disable=SC1091 +[ -f /etc/env ] && . /etc/env + +run_pystagit () { + repo_dir="${GL_REPO_BASE}/${1}.git" + if [ -n "${2}" ]; then + out_dir="${PYSTAGIT_BASE}-${2}/${1}" + else + out_dir="${PYSTAGIT_BASE}/${1}" + fi + mkdir -p "${out_dir}" && \ + cd "${out_dir}" && \ + /usr/local/bin/pystagit "${repo_dir}" && \ + ln -sf files.html index.html +} + +set_url () { + url_file="${GL_REPO_BASE}/${1}.git/url" + if [ -n "${2}" ]; then + echo "${2}/${1}" > "${url_file}" + else + echo "url not set" + rm -f "${url_file}" + fi +} + +set_owner () { + owner_file="${GL_REPO_BASE}/${1}.git/owner" + if owner=$(gitolite git-config "${1}" gitweb.owner); then + echo "setting owner for '${1}'" + echo "${owner}" > "${owner_file}" + else + echo "usetting owner for '${1}'" + rm -f "${owner_file}" + fi +} + +echo "running pystagit for '${1}'" + +if gitolite access "${1}" pystagit R any; then + + set_owner "${1}" + + if [ -n "${SITES}" ]; then + _i=1 + for site in ${SITES}; do + url=$(printf "%s" "${URLS}" | cut -d " " -f "$_i") + set_url "${1}" "${url}" + run_pystagit "${1}" "${site}" + _i=$((_i+1)) + done + + else + url=$(printf "%s" "${URLS}" | cut -d " " -f 1) + set_url "${1}" "${url}" + run_pystagit "${1}" "" + fi + +else + rm -rf "${PYSTAGIT_BASE}"*"/${1}.git" +fi diff --git a/gitolite-pystagit/bin/build-pystagit-repos b/gitolite-pystagit/bin/build-pystagit-repos new file mode 100644 index 0000000..190affc --- /dev/null +++ b/gitolite-pystagit/bin/build-pystagit-repos @@ -0,0 +1,7 @@ +#!/bin/sh + +set -e + +for repo in $(gitolite list-phy-repos); do + /usr/local/bin/build-pystagit-repo "${repo}" +done diff --git a/gitolite-pystagit/bin/entrypoint b/gitolite-pystagit/bin/entrypoint new file mode 100644 index 0000000..893aea0 --- /dev/null +++ b/gitolite-pystagit/bin/entrypoint @@ -0,0 +1,49 @@ +#!/bin/sh + +set -e + +su-exec git env | awk -F"=" '{ print $1"=\""$2"\"" }' > /etc/env + +for algorithm in rsa dsa ecdsa ed25519; do + keyfile="/etc/ssh/keys/ssh_host_${algorithm}_key" + [ -f "$keyfile" ] || \ + ssh-keygen -q -N '' -f "$keyfile" -t "$algorithm" +done + +BASE_DIR=/var/lib/git + +echo "fixing permissions..." + +mkdir -p \ + "${BASE_DIR}/.gitolite/conf" \ + "${BASE_DIR}/.gitolite/hooks" \ + "${BASE_DIR}/.gitolite/keydir" \ + "${BASE_DIR}/.gitolite/logs" +chown -R git:git \ + "${BASE_DIR}/.gitolite" \ + "${BASE_DIR}/.ssh" \ + "${BASE_DIR}/pystagit"* \ + "${BASE_DIR}/repositories" + +if [ ! -f "${BASE_DIR}/.ssh/authorized_keys" ]; then + if [ -z "$SSH_KEY" ]; then + echo "SSH_KEY needs to be set" + exit 1 + fi + SSH_KEY_NAME=${SSH_KEY_NAME:-admin} + echo "$SSH_KEY" > "/tmp/${SSH_KEY_NAME}.pub" + echo "gitolite's initial setup" + su-exec git gitolite setup -pk "/tmp/${SSH_KEY_NAME}.pub" + rm "/tmp/${SSH_KEY_NAME}.pub" +else + # stuff is already set up, but check the setup anyway + echo "gitolite's sanity setup" + su-exec git gitolite setup +fi + +echo "building static site" +su-exec git build-pystagit-repos +su-exec git build-pystagit-index + +echo "gitolite is ready,starting sshd" +exec "$@" diff --git a/gitolite-pystagit/gitolite.rc b/gitolite-pystagit/gitolite.rc new file mode 100644 index 0000000..16bee4e --- /dev/null +++ b/gitolite-pystagit/gitolite.rc @@ -0,0 +1,213 @@ +# configuration variables for gitolite + +# This file is in perl syntax. But you do NOT need to know perl to edit it -- +# just mind the commas, use single quotes unless you know what you're doing, +# and make sure the brackets and braces stay matched up! + +# (Tip: perl allows a comma after the last item in a list also!) + +# HELP for commands can be had by running the command with "-h". + +# HELP for all the other FEATURES can be found in the documentation (look for +# "list of non-core programs shipped with gitolite" in the master index) or +# directly in the corresponding source file. + +%RC = ( + + # ------------------------------------------------------------------ + + # default umask gives you perms of '0700'; see the rc file docs for + # how/why you might change this + UMASK => 0077, + + # look for "git-config" in the documentation + GIT_CONFIG_KEYS => 'gitweb.description gitweb.owner', + + # comment out if you don't need all the extra detail in the logfile + LOG_EXTRA => 1, + # logging options + # 1. leave this section as is for 'normal' gitolite logging (default) + # 2. uncomment this line to log ONLY to syslog: + # LOG_DEST => 'syslog', + # 3. uncomment this line to log to syslog and the normal gitolite log: + # LOG_DEST => 'syslog,normal', + # 4. prefixing "repo-log," to any of the above will **also** log just the + # update records to "gl-log" in the bare repo directory: + # LOG_DEST => 'repo-log,normal', + # LOG_DEST => 'repo-log,syslog', + # LOG_DEST => 'repo-log,syslog,normal', + # syslog 'facility': defaults to 'local0', uncomment if needed. For example: + # LOG_FACILITY => 'local4', + + # roles. add more roles (like MANAGER, TESTER, ...) here. + # WARNING: if you make changes to this hash, you MUST run 'gitolite + # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE' + ROLES => { + READERS => 1, + WRITERS => 1, + }, + + # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!! + # CACHE => 'Redis', + + # ------------------------------------------------------------------ + + # rc variables used by various features + + # the 'info' command prints this as additional info, if it is set + # SITE_INFO => 'Please see http://blahblah/gitolite for more help', + + # the CpuTime feature uses these + # display user, system, and elapsed times to user after each git operation + # DISPLAY_CPU_TIME => 1, + # display a warning if total CPU times (u, s, cu, cs) crosses this limit + # CPU_TIME_WARN_LIMIT => 0.1, + + # the Mirroring feature needs this + # HOSTNAME => "foo", + + # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING! + # CACHE_TTL => 600, + + # ------------------------------------------------------------------ + + # suggested locations for site-local gitolite code (see cust.html) + + # this one is managed directly on the server + LOCAL_CODE => "/opt/gitolite-local", + #LOCAL_CODE => "$ENV{HOME}/local", + + # or you can use this, which lets you put everything in a subdirectory + # called "local" in your gitolite-admin repo. For a SECURITY WARNING + # on this, see http://gitolite.com/gitolite/non-core.html#pushcode + # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local", + + # ------------------------------------------------------------------ + + #POST_COMPILE => [], + POST_COMPILE => [ + 'build-pystagit-repos', + 'build-pystagit-index' + ], + + POST_CREATE => [ + 'build-pystagit-repo' + ], + + # List of commands and features to enable + ENABLE => [ + + # COMMANDS + + # These are the commands enabled by default + 'help', + 'desc', + 'info', + 'perms', + 'writable', + + # Uncomment or add new commands here. + # 'create', + # 'fork', + # 'mirror', + # 'readme', + # 'sskm', + # 'D', + + # These FEATURES are enabled by default. + + # essential (unless you're using smart-http mode) + 'ssh-authkeys', + + # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz' + 'git-config', + + # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out + 'daemon', + + # creates projects.list file; if you don't use gitweb, comment this out + #'gitweb', + + # These FEATURES are disabled by default; uncomment to enable. If you + # need to add new ones, ask on the mailing list :-) + + # user-visible behaviour + + # prevent wild repos auto-create on fetch/clone + # 'no-create-on-read', + # no auto-create at all (don't forget to enable the 'create' command!) + # 'no-auto-create', + + # access a repo by another (possibly legacy) name + # 'Alias', + + # give some users direct shell access. See documentation in + # sts.html for details on the following two choices. + # "Shell $ENV{HOME}/.gitolite.shell-users", + # 'Shell alice bob', + + # set default roles from lines like 'option default.roles-1 = ...', etc. + # 'set-default-roles', + + # show more detailed messages on deny + # 'expand-deny-messages', + + # show a message of the day + # 'Motd', + + # system admin stuff + + # enable mirroring (don't forget to set the HOSTNAME too!) + # 'Mirroring', + + # allow people to submit pub files with more than one key in them + # 'ssh-authkeys-split', + + # selective read control hack + # 'partial-copy', + + # manage local, gitolite-controlled, copies of read-only upstream repos + # 'upstream', + + # updates 'description' file instead of 'gitweb.description' config item + 'cgit', + + # allow repo-specific hooks to be added + #'repo-specific-hooks', + + # performance, logging, monitoring... + + # be nice + # 'renice 10', + + # log CPU times (user, system, cumulative user, cumulative system) + # 'CpuTime', + + + # syntactic_sugar for gitolite.conf and included files + + # allow backslash-escaped continuation lines in gitolite.conf + # 'continuation-lines', + + # create implicit user groups from directory names in keydir/ + # 'keysubdirs-as-groups', + + # allow simple line-oriented macros + 'macros', + + # Kindergarten mode + + # disallow various things that sensible people shouldn't be doing anyway + # 'Kindergarten', + ], + +); + +# ------------------------------------------------------------------------------ +# per perl rules, this should be the last line in such a file: +1; + +# Local variables: +# mode: perl +# End: +# vi: ft=perl diff --git a/gitolite-pystagit/local_code/hooks/common/post-receive b/gitolite-pystagit/local_code/hooks/common/post-receive new file mode 100644 index 0000000..855485e --- /dev/null +++ b/gitolite-pystagit/local_code/hooks/common/post-receive @@ -0,0 +1,6 @@ +#!/bin/sh + +set -e + +[ -n "${GL_REPO}" ] && \ + /usr/local/bin/build-pystagit-repo "${GL_REPO}" diff --git a/gitolite-pystagit/local_code/triggers/build-pystagit-index b/gitolite-pystagit/local_code/triggers/build-pystagit-index new file mode 100644 index 0000000..3df6846 --- /dev/null +++ b/gitolite-pystagit/local_code/triggers/build-pystagit-index @@ -0,0 +1,3 @@ +#!/bin/sh + +/usr/local/bin/build-pystagit-index diff --git a/gitolite-pystagit/local_code/triggers/build-pystagit-repo b/gitolite-pystagit/local_code/triggers/build-pystagit-repo new file mode 100644 index 0000000..5abd063 --- /dev/null +++ b/gitolite-pystagit/local_code/triggers/build-pystagit-repo @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +[ -n "$2" ] && /usr/local/bin/build-pystagit-repo "$2" diff --git a/gitolite-pystagit/local_code/triggers/build-pystagit-repos b/gitolite-pystagit/local_code/triggers/build-pystagit-repos new file mode 100644 index 0000000..84d4693 --- /dev/null +++ b/gitolite-pystagit/local_code/triggers/build-pystagit-repos @@ -0,0 +1,3 @@ +#!/bin/sh + +/usr/local/bin/build-pystagit-repos diff --git a/gitolite-pystagit/sshd_config b/gitolite-pystagit/sshd_config new file mode 100644 index 0000000..dd5414f --- /dev/null +++ b/gitolite-pystagit/sshd_config @@ -0,0 +1,23 @@ +Port 22 +Protocol 2 + +PermitRootLogin no +AllowUsers git + +PasswordAuthentication no +PermitEmptyPasswords no +PubkeyAuthentication yes + +HostKey /etc/ssh/keys/ssh_host_rsa_key +HostKey /etc/ssh/keys/ssh_host_dsa_key +HostKey /etc/ssh/keys/ssh_host_ecdsa_key +HostKey /etc/ssh/keys/ssh_host_ed25519_key + +X11Forwarding no +PrintMotd no + +ClientAliveInterval 300 +ClientAliveCountMax 2 +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512 +MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com +HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512