From fb7d61bd2b49ecf9eb6aa5194a2b108e8933c88d Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Fri, 9 Jan 2026 11:16:18 +0200 Subject: Run containers as root and use emptyDir for writeable dirs - Mount emptyDir for /etc/ssh to allow SSH host key generation - Mount emptyDir for /var/cache/cgit to allow cache initialization - Run both containers as root with proper capabilities - Copy sshd_config at runtime from /tmp to /etc/ssh - Add imagePullPolicy: Always to force image refresh --- f3s/git-server/docker-image/Dockerfile | 11 ++++++++--- f3s/git-server/helm-chart/templates/deployment.yaml | 10 ++++++++-- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile index 574a94b..f721fab 100644 --- a/f3s/git-server/docker-image/Dockerfile +++ b/f3s/git-server/docker-image/Dockerfile @@ -9,11 +9,16 @@ RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \ mkdir -p /home/git/.ssh /repos && \ chown -R git:git /home/git /repos -# Copy sshd configuration -COPY sshd_config /etc/ssh/sshd_config +# Copy sshd configuration to /tmp (will be copied to /etc/ssh by entrypoint) +COPY sshd_config /tmp/sshd_config -# Create entrypoint script to generate host keys at runtime +# Create entrypoint script to setup SSH and run sshd RUN echo '#!/bin/sh' > /entrypoint.sh && \ + echo '# Copy sshd_config if not exists' >> /entrypoint.sh && \ + echo 'if [ ! -f /etc/ssh/sshd_config ]; then' >> /entrypoint.sh && \ + echo ' cp /tmp/sshd_config /etc/ssh/sshd_config' >> /entrypoint.sh && \ + echo 'fi' >> /entrypoint.sh && \ + echo '# Generate host keys if not exists' >> /entrypoint.sh && \ echo 'if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then' >> /entrypoint.sh && \ echo ' ssh-keygen -A' >> /entrypoint.sh && \ echo 'fi' >> /entrypoint.sh && \ diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml index b74a5fc..6f47c36 100644 
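Review bot: The added entrypoint lines stage the daemon configuration in /tmp and copy it with a plain `cp`, so a root-run copy now reads from a world-writable directory and the resulting /etc/ssh/sshd_config inherits whatever mode the image's /tmp copy carries. Stage it in a root-owned path outside /tmp and install it with explicit ownership and mode, e.g. `COPY sshd_config /usr/local/share/git-server/sshd_config` and `echo '    install -m 0600 -o root -g root /usr/local/share/git-server/sshd_config /etc/ssh/sshd_config' >> /entrypoint.sh`. Note that the `if [ ! -f ... ]` guards are effectively always true when /etc/ssh is a volume created fresh per pod, so the conditionals document an intent (reuse existing files) that the chart in this commit does not fulfil; a comment such as `# /etc/ssh is expected to be a writable volume; keys persist only if that volume does` would make that explicit. The entrypoint script continues past the end of this hunk (the line that starts sshd is not visible), so I cannot confirm the script aborts on a failed copy — a `set -e` as the first line after the shebang would be cheap insurance.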
--- a/f3s/git-server/helm-chart/templates/deployment.yaml +++ b/f3s/git-server/helm-chart/templates/deployment.yaml @@ -19,6 +19,7 @@ spec: # Container 1: SSH Git Server - name: git-server image: registry.lan.buetow.org:30001/git-server:1.0 + imagePullPolicy: Always ports: - containerPort: 22 name: ssh @@ -30,12 +31,15 @@ spec: mountPath: /home/git/.ssh/authorized_keys subPath: authorized_keys readOnly: true + - name: ssh-host-keys + mountPath: /etc/ssh securityContext: - runAsUser: 1000 - runAsGroup: 1000 + runAsUser: 0 + runAsGroup: 0 allowPrivilegeEscalation: false capabilities: drop: ["ALL"] + add: ["CHOWN", "DAC_OVERRIDE"] resources: requests: cpu: 50m @@ -94,3 +98,5 @@ spec: name: cgit-config - name: cgit-cache emptyDir: {} + - name: ssh-host-keys + emptyDir: {} -- cgit v1.2.3
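Review bot: `imagePullPolicy: Always` combined with the mutable tag `git-server:1.0` means every pod restart deploys whatever currently sits behind that tag in the registry, so the running bits can change with no change to this manifest and no review. If the intent is to force a refresh after rebuilding the image, pin the image by digest (`image: registry.lan.buetow.org:30001/git-server@sha256:<digest>`) or bump the tag per build and keep the default `IfNotPresent`; a digest pin also makes the deployed artifact reproducible from git history. I cannot see how the registry is served, so I am not raising transport here, but a digest pin would also protect against a tag being overwritten on the registry side.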
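Review bot: Switching the git-server container to `runAsUser: 0` while only adding `CHOWN` and `DAC_OVERRIDE` on top of `drop: ["ALL"]` leaves sshd without `SETUID`/`SETGID`, which Linux requires for the post-authentication switch to the `git` user even when the process is UID 0 — unless the runtime grants more than this manifest shows, I would expect logins to fail at that switch, so please confirm a real `git` login was tested, not just that the daemon starts. The least-privilege option is to keep `runAsUser: 1000` and run sshd unprivileged as the `git` user: since `git` is the only login account, sshd does not need to change identity at all, and it then only needs host keys owned by UID 1000 in the writable volume plus either `NET_BIND_SERVICE` or a listen port above 1024 (e.g. `Port 2222` in sshd_config with the Service mapping 22 to it). If root is genuinely required, restrict the added set to what sshd uses, e.g. `add: ["SETUID", "SETGID", "NET_BIND_SERVICE"]`, and document why `DAC_OVERRIDE` (which bypasses all file permission checks) is needed; nothing in this hunk shows a use for it.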
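Review bot: Backing /etc/ssh with `emptyDir: {}` means the host keys are generated into a volume that is created fresh on every pod start, so the server's host key changes on every restart or reschedule. Each client then sees the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and is trained to delete the known_hosts entry and accept the new key, which is exactly the signal SSH relies on to detect a man-in-the-middle. Generate the host keys once and mount them from a Secret or a PersistentVolumeClaim instead — for example a Secret mounted at `/etc/ssh/keys` with `defaultMode: 0600` and `HostKey /etc/ssh/keys/ssh_host_ed25519_key` in sshd_config — so the fingerprint is stable across restarts; the emptyDir can then be dropped or kept only for the copied sshd_config.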