From 4439d1624bd68ee4b8e030d6f36908e162f44717 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 7 Feb 2026 23:01:55 +0200
Subject: fix(git-server): add sshd_config to persistent storage

The sshd_config file needs to be in the persistent SSH directory for the git-server container to start properly. Added ConfigMap and updated initContainer to copy it on first deployment.

Co-authored-by: Cursor
---
 .../helm-chart/templates/configmap-sshd.yaml | 45 ++++++++++++++++++++++
 .../helm-chart/templates/deployment.yaml | 15 +++++++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 f3s/git-server/helm-chart/templates/configmap-sshd.yaml

diff --git a/f3s/git-server/helm-chart/templates/configmap-sshd.yaml b/f3s/git-server/helm-chart/templates/configmap-sshd.yaml
new file mode 100644
index 0000000..cb436bd
--- /dev/null
+++ b/f3s/git-server/helm-chart/templates/configmap-sshd.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: git-server-sshd-config
+ namespace: cicd
+data:
+ sshd_config: |
+ # SSH Server Configuration for Git Server
+ # Security-hardened configuration for git-only access
+ # Runs as non-root user (git) with privilege separation disabled
+
+ # Network
+ Port 22
+ AddressFamily any
+ ListenAddress 0.0.0.0
+
+ # Host Keys
+ HostKey /etc/ssh/ssh_host_ed25519_key
+ HostKey /etc/ssh/ssh_host_rsa_key
+
+ # Security
+ PermitRootLogin no
+ PubkeyAuthentication yes
+ PasswordAuthentication no
+ PermitEmptyPasswords no
+ ChallengeResponseAuthentication no
+
+ # Restrict to git user only
+ AllowUsers git
+
+ # Disable tunneling and forwarding
+ X11Forwarding no
+ AllowTcpForwarding no
+ AllowAgentForwarding no
+ PermitTunnel no
+
+ # Logging
+ SyslogFacility AUTH
+ LogLevel INFO
+
+ # Performance
+ UseDNS no
+
+ # PID file location (writable by non-root)
+ PidFile /tmp/sshd.pid
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 51f45c8..5d40fbb 100644
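Review bot: The header comment in `sshd_config` says privilege separation is disabled, but no directive in the file does that, and current OpenSSH releases no longer accept `UsePrivilegeSeparation` at all, so the comment describes something this config cannot do; reword it to `# Runs as the unprivileged git user; sshd's own sandboxing stays at its defaults`. The `HostKey /etc/ssh/...` paths only match the keys this commit persists under `/ssh-persistent/` if the git-server container mounts that volume at `/etc/ssh`, and a non-root sshd can only bind `Port 22` if the pod grants it the bind privilege; neither the container's mounts nor its securityContext are in this patch, so I can't confirm either from here. For a git-only listener it is also worth bounding authentication attempts with `MaxAuthTries 3` and `LoginGraceTime 30` under `# Security`, since the file otherwise leaves both at their wider defaults. `ChallengeResponseAuthentication` has been a deprecated alias of `KbdInteractiveAuthentication` since OpenSSH 8.7; both still parse, but the current name states the intent more clearly.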
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -31,13 +31,20 @@ spec:
 if [ ! -f /ssh-persistent/ssh_host_ed25519_key ]; then
 echo "Generating new SSH host keys (first time setup)..."
 ssh-keygen -A -f /ssh-persistent/..
- mv /ssh-persistent/../etc/ssh/ssh_host_* /ssh-persistent/
+ mv /ssh-persistent/../etc/ssh/ssh_host_* /ssh-persistent/ 2>/dev/null || true
 chown -R 1001:33 /ssh-persistent
 chmod 600 /ssh-persistent/ssh_host_*_key
 chmod 644 /ssh-persistent/ssh_host_*_key.pub
 else
 echo "SSH host keys already exist, reusing them."
 fi
+ # Copy sshd_config if not exists
+ if [ ! -f /ssh-persistent/sshd_config ]; then
+ echo "Copying sshd_config to persistent storage..."
+ cp /sshd-config/sshd_config /ssh-persistent/sshd_config
+ chown 1001:33 /ssh-persistent/sshd_config
+ chmod 644 /ssh-persistent/sshd_config
+ fi
 # Setup authorized_keys with correct ownership
 # The /ssh-git mount point IS the .ssh directory
 # UID 1001 and GID 33 match the NFS file ownership
@@ -54,6 +61,9 @@ spec:
 readOnly: true
 - name: git-ssh-writable
 mountPath: /ssh-git
+ - name: sshd-config
+ mountPath: /sshd-config
+ readOnly: true
 - name: install-git-http-backend
 image: alpine:3.19
@@ -203,5 +213,8 @@ spec:
 - name: cgit-config
 configMap:
 name: cgit-config
+ - name: sshd-config
+ configMap:
+ name: git-server-sshd-config
 - name: cgit-runtime
 emptyDir: {}
-- 
cgit v1.2.3
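Review bot: The `if [ ! -f /ssh-persistent/sshd_config ]` guard copies the ConfigMap into persistent storage only once, so a later change to `git-server-sshd-config` (tightening a directive, adding one) never reaches a deployment that already has the file and the running sshd silently keeps the old policy; unlike the host keys, sshd_config is not state that has to survive restarts, so drop the guard and run the `cp`/`chown`/`chmod` lines on every start. The `2>/dev/null || true` added to the `mv` also hides any failure other than an unmatched glob, and when it does fail the following `chmod 600 /ssh-persistent/ssh_host_*_key` is what errors, without saying why; `if ls /ssh-persistent/../etc/ssh/ssh_host_* >/dev/null 2>&1; then mv /ssh-persistent/../etc/ssh/ssh_host_* /ssh-persistent/; fi` keeps the tolerance without masking real errors. The init script these lines belong to starts before the hunk, so I can't see whether it runs under `set -e`. The other two hunks only add the volume and its read-only mount and need nothing further.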