authorPaul Buetow <paul@buetow.org>2026-02-07 23:01:55 +0200
committerPaul Buetow <paul@buetow.org>2026-02-07 23:01:55 +0200
commit4439d1624bd68ee4b8e030d6f36908e162f44717 (patch)
tree83a088e7f7a59d0ef39f6006079f0db8ee631fdb /f3s
parent10a7dd4fc3ddc7a755594b53232a929de403f988 (diff)
fix(git-server): add sshd_config to persistent storage
The sshd_config file needs to be in the persistent SSH directory for the git-server container to start properly. Added ConfigMap and updated initContainer to copy it on first deployment. Co-authored-by: Cursor <cursoragent@cursor.com>
Diffstat (limited to 'f3s')
-rw-r--r--f3s/git-server/helm-chart/templates/configmap-sshd.yaml45
-rw-r--r--f3s/git-server/helm-chart/templates/deployment.yaml15
2 files changed, 59 insertions, 1 deletions
diff --git a/f3s/git-server/helm-chart/templates/configmap-sshd.yaml b/f3s/git-server/helm-chart/templates/configmap-sshd.yaml
new file mode 100644
index 0000000..cb436bd
--- /dev/null
+++ b/f3s/git-server/helm-chart/templates/configmap-sshd.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: git-server-sshd-config
+ namespace: cicd
+data:
+ sshd_config: |
+ # SSH Server Configuration for Git Server
+ # Security-hardened configuration for git-only access
+ # Runs as non-root user (git) with privilege separation disabled
+
+ # Network
+ Port 22
+ AddressFamily any
+ ListenAddress 0.0.0.0
+
+ # Host Keys
+ HostKey /etc/ssh/ssh_host_ed25519_key
+ HostKey /etc/ssh/ssh_host_rsa_key
+
+ # Security
+ PermitRootLogin no
+ PubkeyAuthentication yes
+ PasswordAuthentication no
+ PermitEmptyPasswords no
+ ChallengeResponseAuthentication no
+
+ # Restrict to git user only
+ AllowUsers git
+
+ # Disable tunneling and forwarding
+ X11Forwarding no
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ PermitTunnel no
+
+ # Logging
+ SyslogFacility AUTH
+ LogLevel INFO
+
+ # Performance
+ UseDNS no
+
+ # PID file location (writable by non-root)
+ PidFile /tmp/sshd.pid
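Review bot: The header comment claims "privilege separation disabled" and "git-only access", but no directive in the file establishes either: OpenSSH dropped `UsePrivilegeSeparation` in 7.5 and cannot run with it disabled, and nothing here restricts the session to git commands, so the git-only property must come from the git user's login shell elsewhere in the image. Suggest trimming the comment to what the config enforces and adding `PermitTTY no` under the "Restrict to git user only" stanza so an interactive shell is refused even if the account's shell is ever changed. `ChallengeResponseAuthentication` is the deprecated spelling; current releases expect `KbdInteractiveAuthentication no` (the old name is still accepted as an alias, so this is a style point). `namespace: cicd` is hard-coded in a Helm template, so installing the release into any other namespace leaves the `sshd-config` volume in deployment.yaml unable to find the ConfigMap; `namespace: {{ .Release.Namespace }}` keeps the two in step.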
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 51f45c8..5d40fbb 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -31,13 +31,20 @@ spec:
if [ ! -f /ssh-persistent/ssh_host_ed25519_key ]; then
echo "Generating new SSH host keys (first time setup)..."
ssh-keygen -A -f /ssh-persistent/..
- mv /ssh-persistent/../etc/ssh/ssh_host_* /ssh-persistent/
+ mv /ssh-persistent/../etc/ssh/ssh_host_* /ssh-persistent/ 2>/dev/null || true
chown -R 1001:33 /ssh-persistent
chmod 600 /ssh-persistent/ssh_host_*_key
chmod 644 /ssh-persistent/ssh_host_*_key.pub
else
echo "SSH host keys already exist, reusing them."
fi
+ # Copy sshd_config if not exists
+ if [ ! -f /ssh-persistent/sshd_config ]; then
+ echo "Copying sshd_config to persistent storage..."
+ cp /sshd-config/sshd_config /ssh-persistent/sshd_config
+ chown 1001:33 /ssh-persistent/sshd_config
+ chmod 644 /ssh-persistent/sshd_config
+ fi
# Setup authorized_keys with correct ownership
# The /ssh-git mount point IS the .ssh directory
# UID 1001 and GID 33 match the NFS file ownership
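Review bot: Guarding the copy with `if [ ! -f /ssh-persistent/sshd_config ]` means any later change to the ConfigMap is silently ignored on existing deployments, because the first-deploy copy on the persistent volume wins forever; unlike host keys, sshd_config is not state that needs preserving, so a hardening change (for example tightening `AllowUsers` or adding `PermitTTY no`) would never reach the running server. Drop the guard and copy unconditionally, `cp /sshd-config/sshd_config /ssh-persistent/sshd_config`, followed by the existing `chown 1001:33` and `chmod 644` lines, so the persistent copy always mirrors the ConfigMap. If first-deploy-only is intentional, say so in the comment, `# Copied only once; edit the persistent copy, not the ConfigMap, to change sshd settings`. The init script begins before this hunk and continues past it.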
@@ -54,6 +61,9 @@ spec:
readOnly: true
- name: git-ssh-writable
mountPath: /ssh-git
+ - name: sshd-config
+ mountPath: /sshd-config
+ readOnly: true
- name: install-git-http-backend
image: alpine:3.19
@@ -203,5 +213,8 @@ spec:
- name: cgit-config
configMap:
name: cgit-config
+ - name: sshd-config
+ configMap:
+ name: git-server-sshd-config
- name: cgit-runtime
emptyDir: {}