| author | Paul Buetow <paul@buetow.org> | 2026-02-07 23:11:41 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-02-07 23:11:41 +0200 |
| commit | 190473b0dcb41ef49f1e4e3dd7a1e8fa4150181d (patch) | |
| tree | a437eb664790d2e42db0dc64ad2a460a5b5338be | |
| parent | ffbe2cb0a75c7f44d51cd74280dd6d597d6e7c8e (diff) | |
docs(git-server): update README with persistent SSH keys info
Co-authored-by: Cursor <cursoragent@cursor.com>
| -rw-r--r-- | f3s/git-server/README.md | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/f3s/git-server/README.md b/f3s/git-server/README.md index fe23bee..28050b8 100644 --- a/f3s/git-server/README.md +++ b/f3s/git-server/README.md @@ -7,6 +7,7 @@ A self-hosted git repository solution for the f3s k3s cluster, replacing externa - **SSH Git Server**: Alpine-based container with OpenSSH and git for repository access - **CGit Web UI**: Browse repositories at `http://cgit.f3s.buetow.org` - **Single Pod Design**: Both containers share storage via ReadWriteMany PVC +- **Persistent SSH Host Keys**: Keys are stored in NFS and persist across pod restarts ## Architecture @@ -249,10 +250,11 @@ To recover: ## Security Notes - SSH keys are restricted to git-shell only (no shell access) -- git-server container runs as non-root user (UID 1000) +- git-server container runs as non-root user (UID 1001) - cgit container has read-only access to repositories -- All container capabilities dropped except NET_BIND_SERVICE for cgit +- All container capabilities dropped for enhanced security - Secrets managed via Kubernetes Secrets, never committed to git +- SSH host keys stored in NFS but copied to local emptyDir at startup (OpenSSH security requirement) ## Monitoring |
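Review bot: in the first hunk (`@@ -7,6 +7,7 @@`), the new Features bullet `+- **Persistent SSH Host Keys**: Keys are stored in NFS and persist across pod restarts` states where the private host keys live but not who may read them. A host private key that is readable on the NFS export lets anyone with access to that export impersonate the git server to every client that has pinned its key in known_hosts, so the bullet should state the expected owner and mode of the key directory on the share and mention the startup copy that the Security Notes hunk documents, for example: `Keys are stored on the NFS PVC (owned by the git-server UID, mode 0600), copied into the pod at startup, and persist across pod restarts`.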
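Review bot: in the second hunk (`@@ -249,10 +250,11 @@`), replacing `- All container capabilities dropped except NET_BIND_SERVICE for cgit` with `+ All container capabilities dropped for enhanced security` is only accurate if the cgit container now listens on an unprivileged port; a process without NET_BIND_SERVICE cannot bind port 80, so the note should name the port the container actually listens on, or the exception should stay. Two smaller points in the same hunk: the UID change from `1000` to `1001` is made with no explanation, and because both containers share the ReadWriteMany PVC the note should say that the repository and host-key directories on NFS are owned by the new UID, otherwise existing repositories become unwritable for the git-server container after the change; and `(OpenSSH security requirement)` is too vague to act on. sshd refuses to load a host private key whose file mode grants group or world access, and the owner and mode a container sees on an NFS mount may not be the ones set on the server, which is the reason for the emptyDir copy. Suggested wording: `+ SSH host keys are persisted on NFS and copied into a local emptyDir with mode 0600 at startup, because sshd ignores host keys whose permissions allow access by group or others`.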
