From eae27de6c6b63a830f0ee23b155d94a9fe82c255 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Fri, 9 Jan 2026 14:40:42 +0200
Subject: Add SSH connectivity for git-server and configure ArgoCD

- Enable SYS_CHROOT capability for git-server SSH to work in containers
- Configure ArgoCD repo-server to use SSH key for git-server access
- Set DEBUG3 logging in sshd for troubleshooting (temp)

Co-Authored-By: Claude Sonnet 4.5
---
 f3s/argocd/values.yaml | 18 +++++++++++++++++-
 f3s/git-server/docker-image/sshd_config | 2 +-
 f3s/git-server/helm-chart/templates/deployment.yaml | 1 +
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/f3s/argocd/values.yaml b/f3s/argocd/values.yaml
index e3b6887..2d5a4c1 100644
--- a/f3s/argocd/values.yaml
+++ b/f3s/argocd/values.yaml
@@ -52,19 +52,35 @@ server:
 # Repo Server configuration (clones repos, generates manifests)
 repoServer:
 replicas: 1
+ # Pod security context - fsGroup ensures secret volumes are readable by argocd user (999)
+ podSecurityContext:
+ fsGroup: 999
 # Enable persistence for repo cache - mount PVC at /home/argocd/repo-cache
 # This avoids conflict with default /tmp mount used by ArgoCD
 volumes:
 - name: repo-server-data
 persistentVolumeClaim:
 claimName: argocd-repo-server-pvc
+ # SSH private key for git-server access
+ - name: argocd-git-ssh-key
+ secret:
+ secretName: argocd-git-ssh-key
+ defaultMode: 0444
 volumeMounts:
 - name: repo-server-data
 mountPath: /home/argocd/repo-cache
- # Configure repo-server to use the persistent cache directory
+ # Mount SSH key for git operations
+ - name: argocd-git-ssh-key
+ mountPath: /home/argocd/.ssh/id_ed25519
+ subPath: sshPrivateKey
+ readOnly: true
+ # Configure repo-server to use the persistent cache directory and SSH key
 env:
 - name: XDG_CACHE_HOME
 value: /home/argocd/repo-cache
+ # Configure git to use SSH key and accept new host keys
+ - name: GIT_SSH_COMMAND
+ value: "ssh -i /home/argocd/.ssh/id_ed25519 -o StrictHostKeyChecking=accept-new"
 # Resource limits
 resources:
 limits:
diff --git a/f3s/git-server/docker-image/sshd_config b/f3s/git-server/docker-image/sshd_config
index 7e899e0..da9ef33 100644
--- a/f3s/git-server/docker-image/sshd_config
+++ b/f3s/git-server/docker-image/sshd_config
@@ -28,7 +28,7 @@ PermitTunnel no
 # Logging
 SyslogFacility AUTH
-LogLevel INFO
+LogLevel DEBUG3
 # Performance
 UseDNS no
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index ac2a48d..6f38d88 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -52,6 +52,7 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ add: ["SYS_CHROOT"]
 resources:
 requests:
 cpu: 50m
--
cgit v1.2.3
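Review bot: The `GIT_SSH_COMMAND` added at the end of the hunk leaves the git-server's host key effectively unverified: `StrictHostKeyChecking=accept-new` is trust-on-first-use into `~/.ssh/known_hosts`, and nothing in this hunk persists that file (the only PVC is mounted at `/home/argocd/repo-cache`), so every repo-server restart re-accepts whatever host key it is presented with. Pin the key instead — the ArgoCD chart's `configs.ssh.knownHosts`, or a mounted known_hosts with `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/home/argocd/.ssh/known_hosts` — and note that a pod-level `GIT_SSH_COMMAND` applies to every repository this repo-server clones, not only git-server. The key volume's `defaultMode: 0444` is also wider than needed: the new `fsGroup: 999` is there precisely to make the secret group-readable, so `defaultMode: 0440` should suffice and stops any other uid in the container from reading the private key (ssh's own "too open" check only fires for files owned by the calling uid, so it will presumably not catch a root-owned 0444 key). The `repoServer:` mapping continues outside the hunk.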
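Review bot: `LogLevel DEBUG3` is described as temporary in the commit message, but nothing in sshd_config itself says so, and the sshd_config manual warns that DEBUG levels violate user privacy and are not recommended — at DEBUG3 the AUTH facility receives per-connection protocol detail at high volume, which is a poor thing to leave baked into the image if the revert is forgotten. If the troubleshooting needs per-login visibility, `LogLevel VERBOSE` logs the authenticating key fingerprint without the debug firehose; otherwise mark the line so it cannot be merged silently, e.g. `# TEMP: DEBUG3 for SSH troubleshooting - revert to INFO before release`, or keep INFO here and raise the level only via a local override while debugging.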
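Review bot: The new `add: ["SYS_CHROOT"]` carries no explanation of why a `drop: ["ALL"]` container needs a capability back, and the reason belongs in the template so the next reader neither removes nor widens it, e.g. `# sshd's privilege-separation child chroot()s into /var/empty; that needs CAP_SYS_CHROOT and nothing more`. Be aware that sshd only performs that chroot when it runs as root, and a root sshd then also has to setgid/setuid to the privsep user and to the login user, which `drop: ["ALL"]` takes away; whether those are restored elsewhere or the container runs as a non-root uid is not visible from this hunk, so confirm that a full clone over SSH, not just daemon start-up, was tested with this cap set. The enclosing container spec starts and ends outside the hunk.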