| field | value | date |
|---|---|---|
| author | Paul Buetow <paul@buetow.org> | 2026-01-09 20:54:56 +0200 |
| committer | Paul Buetow <paul@buetow.org> | 2026-01-09 20:54:56 +0200 |
| commit | c45d171de3a3ff27816edeed7d9758c9bea231d8 (patch) | |
| tree | a551d8ca5f7866fa2e64090485678c5efc377c24 /f3s/git-server/docker-image/Dockerfile | |
| parent | d238b13e4f644a3ccdb6c18ce54767a50db8b39e (diff) | |
Use proper security contexts for NFS access without chown
Changes:
- Set fsGroup: 33 at pod level for proper NFS group access
- Updated git user to UID 1001, GID 33 (www-data) to match NFS ownership
- Run git-server container as UID 1001:33 (non-root)
- Run cgit container as UID 33:33 (non-root)
- Disabled SSH privilege separation (UsePrivilegeSeparation no)
- Removed unnecessary capabilities (SETGID, SETUID, SYS_CHROOT)
This follows the same pattern as filebrowser and webdav services,
using security contexts instead of chown operations on NFS.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Diffstat (limited to 'f3s/git-server/docker-image/Dockerfile')
| -rw-r--r-- | f3s/git-server/docker-image/Dockerfile | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile index 5b703c0..97c4c7f 100644 --- a/f3s/git-server/docker-image/Dockerfile +++ b/f3s/git-server/docker-image/Dockerfile @@ -3,11 +3,13 @@ FROM alpine:3.19 # Install OpenSSH server and git RUN apk add --no-cache openssh git -# Create git user with UID 1000 and set git-shell as login shell +# Create git user with UID 1001, GID 33 (www-data) and set git-shell as login shell +# UID 1001 and GID 33 match the NFS file ownership # This restricts the user to git operations only -RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \ +# GID 33 is the existing www-data group in Alpine +RUN adduser -D -u 1001 -G www-data -s /usr/bin/git-shell git && \ mkdir -p /home/git/.ssh /repos && \ - chown -R git:git /home/git /repos && \ + chown -R git:www-data /home/git /repos && \ echo "/usr/bin/git-shell" >> /etc/shells && \ passwd -u git |
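Review bot: the new comment states "GID 33 is the existing www-data group in Alpine", but the `adduser -D -u 1001 -G www-data ...` line never pins a GID; it resolves `www-data` to whatever GID the base image assigns, and in alpine:3.19 that group is GID 82, not 33 (GID 33 belongs to `xfs` there). As written, the image-layer ownership set by `chown -R git:www-data /home/git /repos` will be 1001:82, which does not match the `fsGroup: 33` / `runAsGroup 33` contract the commit message describes; it only works at runtime because the pod security context overrides the group. Suggest making the intent explicit so the two cannot drift, e.g. create a dedicated group with the required numeric id (`addgroup -g 33 nfsdata && adduser -D -u 1001 -G nfsdata -s /usr/bin/git-shell git`, then `chown -R 1001:33 ...`) or at least add a build-time check such as `getent group www-data | grep -q ':33:'` so the build fails if the assumption is wrong, and correct the comment to reflect which group actually carries GID 33.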
