| author | Paul Buetow <paul@buetow.org> | 2026-01-09 11:06:02 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-09 19:40:51 +0200 |
| commit | ec8bd651d57deab371021c27b88f6698376f8e78 (patch) | |
| tree | 3a60df2bd9c653e7bfdaaab67b5bf52230beda1e /f3s/git-server/docker-image | |
| parent | 7ab1222310c23c5f1305c48c199ce432c2fd0848 (diff) | |
Add self-hosted git server with SSH and cgit web UI
Deploy a self-hosted git repository solution to replace external Codeberg dependency.
Components:
- SSH git server: Alpine-based container with OpenSSH and git
- cgit web UI: Browse repositories at cgit.f3s.buetow.org
- Single pod design: git-server + cgit containers sharing storage
Infrastructure:
- Docker image in git-server/docker-image/ with Justfile build automation
- Helm chart in git-server/helm-chart/ for Kubernetes deployment
- 5Gi ReadWriteMany PVC for NFS-backed repository storage
- ClusterIP service for ArgoCD internal access
- NodePort 30022 for external SSH push access
- Traefik ingress for cgit web UI
ArgoCD Application manifest deployed to cicd namespace.
Note: SSH keys must be created as Kubernetes secrets manually, not in git.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Diffstat (limited to 'f3s/git-server/docker-image')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | f3s/git-server/docker-image/Dockerfile | 23 |
| -rw-r--r-- | f3s/git-server/docker-image/Justfile | 7 |
| -rw-r--r-- | f3s/git-server/docker-image/sshd_config | 35 |
3 files changed, 65 insertions, 0 deletions
diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile new file mode 100644 index 0000000..382ad0d --- /dev/null +++ b/f3s/git-server/docker-image/Dockerfile @@ -0,0 +1,23 @@ +FROM alpine:3.19 + +# Install OpenSSH server and git +RUN apk add --no-cache openssh git + +# Create git user with UID 1000 and set git-shell as login shell +# This restricts the user to git operations only +RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \ + mkdir -p /home/git/.ssh /repos && \ + chown -R git:git /home/git /repos + +# Generate SSH host keys +# These will be regenerated if not persisted via volume mount +RUN ssh-keygen -A + +# Copy sshd configuration +COPY sshd_config /etc/ssh/sshd_config + +# Expose SSH port +EXPOSE 22 + +# Run SSH daemon in foreground with error logging to stderr +CMD ["/usr/sbin/sshd", "-D", "-e"] diff --git a/f3s/git-server/docker-image/Justfile b/f3s/git-server/docker-image/Justfile new file mode 100644 index 0000000..1b54e4a --- /dev/null +++ b/f3s/git-server/docker-image/Justfile @@ -0,0 +1,7 @@ +all: + docker build -t git-server:1.0 . + +f3s: + docker build -t git-server:1.0 . + docker tag git-server:1.0 r0.lan.buetow.org:30001/git-server:1.0 + docker push r0.lan.buetow.org:30001/git-server:1.0 diff --git a/f3s/git-server/docker-image/sshd_config b/f3s/git-server/docker-image/sshd_config new file mode 100644 index 0000000..e49c5bb --- /dev/null +++ b/f3s/git-server/docker-image/sshd_config 
@@ -0,0 +1,35 @@ +# SSH Server Configuration for Git Server +# Security-hardened configuration for git-only access + +# Network +Port 22 +AddressFamily any +ListenAddress 0.0.0.0 + +# Host Keys +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_rsa_key + +# Security +PermitRootLogin no +PubkeyAuthentication yes +PasswordAuthentication no +PermitEmptyPasswords no +ChallengeResponseAuthentication no +UsePAM no + +# Restrict to git user only +AllowUsers git + +# Disable tunneling and forwarding +X11Forwarding no +AllowTcpForwarding no +AllowAgentForwarding no +PermitTunnel no + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Performance +UseDNS no |
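Review bot: in the Dockerfile hunk, `RUN ssh-keygen -A` bakes the SSH host private keys into the image layer, so every container started from `git-server:1.0`, and anyone able to pull the image from the registry, shares the same host identity; the comment above it is also inaccurate, because `ssh-keygen -A` only creates keys that are missing and nothing regenerates them at runtime. Drop the build-time step and generate the host keys at container start into a persisted volume, or mount them from the Kubernetes secret the commit message says is managed outside git. One more thing to verify: `adduser -D` leaves the `git` account with a locked password field, and with `UsePAM no` OpenSSH refuses logins to locked accounts even for public-key authentication; if a test push fails with "Permission denied", unlock the account with `passwd -u git` or set the shadow field to `*` in the same `RUN` step.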
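Review bot: in the Justfile hunk, the `f3s` recipe repeats the `docker build` line from `all`; declare the dependency instead (`f3s: all`) so the image is built once and the two recipes cannot drift apart. The `1.0` tag is spelled out four times; a variable at the top of the file (`version := "1.0"`, used as `{{version}}`) keeps a version bump to a single edit.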
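Review bot: in the sshd_config hunk, `AddressFamily any` together with `ListenAddress 0.0.0.0` binds IPv4 only; either drop the `ListenAddress` line or add `ListenAddress ::` if the NodePort is expected to reach the pod over IPv6. `ChallengeResponseAuthentication` was renamed to `KbdInteractiveAuthentication` in OpenSSH 8.7 and the Alpine 3.19 package is newer than that; the old name is still accepted as an alias, but the new spelling avoids confusion when the file is read against current documentation. Since port 22 is reachable from outside via NodePort 30022, consider adding `MaxAuthTries` and `LoginGraceTime` to limit unauthenticated connection time. The `LogLevel INFO` setting is the right choice here: because every client authenticates as `git`, the key fingerprint that INFO records in the "Accepted publickey" line is the only way to attribute a push to a specific person.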
