path: root/f3s/git-server/docker-image
Age         Commit message                                                       Author
2026-01-10  Fix git-server non-root deployment  (Paul Buetow)
    - Generate SSH host keys in initContainer with correct ownership
    - Remove deprecated UsePrivilegeSeparation from sshd_config
    - Fix NFS repository permissions (UID 1001, GID 33)
    - Configure git shared repository mode
2026-01-09  Add git safe.directory config to entrypoint for NFS compatibility  (Paul Buetow)
    Configures git to trust all directories on startup, preventing 'dubious ownership' errors when accessing NFS-mounted repositories with different UIDs.

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09  Use proper security contexts for NFS access without chown  (Paul Buetow)
    Changes:
    - Set fsGroup: 33 at pod level for proper NFS group access
    - Updated git user to UID 1001, GID 33 (www-data) to match NFS ownership
    - Run git-server container as UID 1001:33 (non-root)
    - Run cgit container as UID 33:33 (non-root)
    - Disabled SSH privilege separation (UsePrivilegeSeparation no)
    - Removed unnecessary capabilities (SETGID, SETUID, SYS_CHROOT)

    This follows the same pattern as filebrowser and webdav services, using security contexts instead of chown operations on NFS.

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09  Reduce SSH logging from DEBUG3 to INFO  (Paul Buetow)
    Debug logging was useful for troubleshooting but not needed in production.

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09  Unlock git user account for SSH authentication  (Paul Buetow)
    SSH requires user accounts to be unlocked (not have ! in shadow). Use 'passwd -u' to unlock the git user account.

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09  Add git-shell to /etc/shells for SSH validity  (Paul Buetow)
    SSH requires user shells to be listed in /etc/shells.

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09  Add SSH connectivity for git-server and configure ArgoCD  (Paul Buetow)
    - Enable SYS_CHROOT capability for git-server SSH to work in containers
    - Configure ArgoCD repo-server to use SSH key for git-server access
    - Set DEBUG3 logging in sshd for troubleshooting (temp)

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-09  Run containers as root and use emptyDir for writeable dirs  (Paul Buetow)
    - Mount emptyDir for /etc/ssh to allow SSH host key generation
    - Mount emptyDir for /var/cache/cgit to allow cache initialization
    - Run both containers as root with proper capabilities
    - Copy sshd_config at runtime from /tmp to /etc/ssh
    - Add imagePullPolicy: Always to force image refresh
2026-01-09  Fix SSH host keys and container security  (Paul Buetow)
    - Generate SSH host keys at runtime via entrypoint script
    - Remove fsGroup security context to fix emptyDir permissions
    - Allow cgit to initialize cache directory as root
2026-01-09  Fix sshd_config and cgit permissions  (Paul Buetow)
    - Remove unsupported UsePAM option from sshd_config
    - Run cgit as root to allow cache directory initialization
    - Add CHOWN and DAC_OVERRIDE capabilities for cgit
2026-01-09  Add self-hosted git server with SSH and cgit web UI  (Paul Buetow)
    Deploy a self-hosted git repository solution to replace external Codeberg dependency.

    Components:
    - SSH git server: Alpine-based container with OpenSSH and git
    - cgit web UI: Browse repositories at cgit.f3s.buetow.org
    - Single pod design: git-server + cgit containers sharing storage

    Infrastructure:
    - Docker image in git-server/docker-image/ with Justfile build automation
    - Helm chart in git-server/helm-chart/ for Kubernetes deployment
    - 5Gi ReadWriteMany PVC for NFS-backed repository storage
    - ClusterIP service for ArgoCD internal access
    - NodePort 30022 for external SSH push access
    - Traefik ingress for cgit web UI

    ArgoCD Application manifest deployed to cicd namespace.

    Note: SSH keys must be created as Kubernetes secrets manually, not in git.

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>