| author | Paul Buetow <paul@buetow.org> | 2026-01-09 11:13:28 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-09 11:13:28 +0200 |
| commit | 48a8499a2b919e28045c896cd8553d90bb3b875b (patch) | |
| tree | 8079af8b392f3c8f19ae653a69ed311c38f8ac79 /f3s/git-server/docker-image | |
| parent | 36b631ff8f1fb454164f448bfd0cd0e8707bb6af (diff) | |
Fix SSH host keys and container security
- Generate SSH host keys at runtime via entrypoint script
- Remove fsGroup security context to fix emptyDir permissions
- Allow cgit to initialize cache directory as root
Diffstat (limited to 'f3s/git-server/docker-image')
| -rw-r--r-- | f3s/git-server/docker-image/Dockerfile | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile index 382ad0d..574a94b 100644 --- a/f3s/git-server/docker-image/Dockerfile +++ b/f3s/git-server/docker-image/Dockerfile @@ -9,15 +9,19 @@ RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \ mkdir -p /home/git/.ssh /repos && \ chown -R git:git /home/git /repos -# Generate SSH host keys -# These will be regenerated if not persisted via volume mount -RUN ssh-keygen -A - # Copy sshd configuration COPY sshd_config /etc/ssh/sshd_config +# Create entrypoint script to generate host keys at runtime +RUN echo '#!/bin/sh' > /entrypoint.sh && \ + echo 'if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then' >> /entrypoint.sh && \ + echo ' ssh-keygen -A' >> /entrypoint.sh && \ + echo 'fi' >> /entrypoint.sh && \ + echo 'exec /usr/sbin/sshd -D -e' >> /entrypoint.sh && \ + chmod +x /entrypoint.sh + # Expose SSH port EXPOSE 22 -# Run SSH daemon in foreground with error logging to stderr -CMD ["/usr/sbin/sshd", "-D", "-e"] +# Run entrypoint script +CMD ["/entrypoint.sh"] |
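
Review bot: The guard written into /entrypoint.sh tests only /etc/ssh/ssh_host_ed25519_key, so when that file is present but another host key type is missing, `ssh-keygen -A` is skipped and the missing keys are never created. `ssh-keygen -A` only generates host keys that do not already exist, so it can run unconditionally and the `if`/`fi` lines can be dropped. The new comment also loses the removed note about persistence: with keys now created at container start, an /etc/ssh that is not on a persistent volume yields a new host identity each time the container is recreated, and clients will get host key mismatch warnings, so the comment should state whether the keys are expected to come from a mounted volume. Assembling the script from chained `echo` lines is fragile around quoting and hard to review; a checked-in entrypoint.sh added with `COPY`, the way sshd_config already is, would be clearer.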
