Age | Commit message | Author

Repository is at /repos/repos/conf.git, so scan-path should be /repos/repos
to generate correct URLs in the web interface.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated 17 application manifests to use internal git-server:
- Monitoring: grafana-ingress, prometheus, pushgateway
- Services: anki-sync-server, audiobookshelf, filebrowser, immich, keybr,
kobo-sync-server, miniflux, opodsync, radicale, syncthing,
tracing-demo, wallabag, webdav
- Infra: registry
All applications now fetch from:
ssh://git@git-server.cicd.svc.cluster.local/repos/repos/conf.git
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Test migration of first application from Codeberg to internal git-server.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Debug logging was useful for troubleshooting but not needed in production.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
SSH requires user accounts to be unlocked (not have ! in shadow).
Use 'passwd -u' to unlock the git user account.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
SELinux prevents root from accessing 700 directories in some contexts.
Use 755 for directory and 644 for authorized_keys to allow access.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The emptyDir needs to be writable for SSH to access authorized_keys.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
SSH requires user shells to be listed in /etc/shells.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove extra .ssh directory creation in initContainer.
The emptyDir mount point itself is /home/git/.ssh.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Copy authorized_keys from secret to emptyDir with git user ownership.
This allows SSH to read the keys for authentication.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
SSH privilege separation requires setgroups() and setuid() syscalls.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Enable SYS_CHROOT capability for git-server SSH to work in containers
- Configure ArgoCD repo-server to use SSH key for git-server access
- Set DEBUG3 logging in sshd for troubleshooting (temp)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Nginx workers (running as user nginx) couldn't connect to fcgiwrap.sock
created by root. Add chmod 666 to make the socket world-accessible.
The cgit nginx default.conf listens on port 80, not 8080.
Update:
- Container port from 8080 to 80
- Service targetPort from 8080 to 80
Nginx workers need these capabilities to drop privileges.
Add SETGID and SETUID to allow nginx workers to start properly.
The fsGroup: 1000 was causing nginx workers to fail with setgid errors
even after removing 'user nginx;' directive. Since both containers run
as root, fsGroup is not needed for repo access.
When running as root with fsGroup, nginx workers fail trying to setgid.
Remove the 'user nginx;' directive from nginx.conf at startup using sed.
This allows nginx to run workers as root without permission errors.
Remove -u nginx -g nginx from spawn-fcgi command to run as root.
This avoids nginx worker process setgid permission errors.
The cgit image entrypoint always tries to chown /var/cache/cgit which
fails with permission errors. Override the entrypoint to directly:
1. Spawn fcgiwrap as nginx user
2. Start nginx in foreground
This skips the problematic chown/chmod and template substitution.
Instead of fighting permission issues with the cgit cache directory,
disable caching entirely by:
- Setting cache-size=0 in cgitrc
- Removing cgit-cache emptyDir volume and mounts
- Simplifying initContainer (only SSH keys setup needed)
cgit will work without caching, just slightly slower for large repos.
cgit image needs root to:
- Bind sockets with spawn-fcgi
- Run nginx master process
- Write to /var/run/nginx.pid
The initContainer already sets up cache dir with proper permissions.
The cgit entrypoint tries to write to /etc/cgitrc which is mounted
read-only from our ConfigMap. Set USE_CUSTOM_CONFIG=true to use our
custom cgitrc directly without template substitution.
The cgit image runs as nginx user (UID 101), not www-data (UID 33).
- Update initContainer to chown cache to 101:1000
- Update cgit securityContext to runAsUser: 101
Follow webdav/filebrowser pattern for proper permission handling:
- Add fsGroup: 1000 at pod level for git repo access
- Add initContainer to chown emptyDir volumes
- Run git-server as root (required for sshd)
- Run cgit as user 33 (www-data)
- Restore cgit-cache emptyDir volume with proper ownership
- Mount emptyDir for /etc/ssh to allow SSH host key generation
- Mount emptyDir for /var/cache/cgit to allow cache initialization
- Run both containers as root with proper capabilities
- Copy sshd_config at runtime from /tmp to /etc/ssh
- Add imagePullPolicy: Always to force image refresh
- Generate SSH host keys at runtime via entrypoint script
- Remove fsGroup security context to fix emptyDir permissions
- Allow cgit to initialize cache directory as root
- Remove unsupported UsePAM option from sshd_config
- Run cgit as root to allow cache directory initialization
- Add CHOWN and DAC_OVERRIDE capabilities for cgit
- Use registry.lan.buetow.org for deployment (internal DNS)
- Add emptyDir volume for cgit cache directory
- Add README.md with deployment and secret management instructions
This fixes image pull issues and cgit permission errors.
Deploy a self-hosted git repository solution to replace external Codeberg dependency.
Components:
- SSH git server: Alpine-based container with OpenSSH and git
- cgit web UI: Browse repositories at cgit.f3s.buetow.org
- Single pod design: git-server + cgit containers sharing storage
Infrastructure:
- Docker image in git-server/docker-image/ with Justfile build automation
- Helm chart in git-server/helm-chart/ for Kubernetes deployment
- 5Gi ReadWriteMany PVC for NFS-backed repository storage
- ClusterIP service for ArgoCD internal access
- NodePort 30022 for external SSH push access
- Traefik ingress for cgit web UI
ArgoCD Application manifest deployed to cicd namespace.
Note: SSH keys must be created as Kubernetes secrets manually, not in git.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>