From 48a8499a2b919e28045c896cd8553d90bb3b875b Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Fri, 9 Jan 2026 11:13:28 +0200
Subject: Fix SSH host keys and container security
- Generate SSH host keys at runtime via entrypoint script
- Remove fsGroup security context to fix emptyDir permissions
- Allow cgit to initialize cache directory as root
---
 f3s/git-server/docker-image/Dockerfile | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
(limited to 'f3s/git-server/docker-image')
diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile
index 382ad0d..574a94b 100644
--- a/f3s/git-server/docker-image/Dockerfile
+++ b/f3s/git-server/docker-image/Dockerfile
@@ -9,15 +9,19 @@ RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \
 mkdir -p /home/git/.ssh /repos && \
 chown -R git:git /home/git /repos
 
-# Generate SSH host keys
-# These will be regenerated if not persisted via volume mount
-RUN ssh-keygen -A
-
 # Copy sshd configuration
 COPY sshd_config /etc/ssh/sshd_config
 
+# Create entrypoint script to generate host keys at runtime
+RUN echo '#!/bin/sh' > /entrypoint.sh && \
+ echo 'if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then' >> /entrypoint.sh && \
+ echo ' ssh-keygen -A' >> /entrypoint.sh && \
+ echo 'fi' >> /entrypoint.sh && \
+ echo 'exec /usr/sbin/sshd -D -e' >> /entrypoint.sh && \
+ chmod +x /entrypoint.sh
+
 # Expose SSH port
 EXPOSE 22
 
-# Run SSH daemon in foreground with error logging to stderr
-CMD ["/usr/sbin/sshd", "-D", "-e"]
+# Run entrypoint script
+CMD ["/entrypoint.sh"]
-- 
cgit v1.2.3
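Review bot: The generated `/entrypoint.sh` creates host keys only when `/etc/ssh/ssh_host_ed25519_key` is missing, but nothing in this hunk says where those keys persist, and the removed comment about volume persistence has no replacement. If `/etc/ssh` sits on the container's writable layer, each new container gets a fresh host identity and clients see host-key-changed warnings, which conditions users to dismiss the warning that would otherwise flag an interception. I would add a comment above the `RUN echo` chain such as `# Host keys must be kept on a persistent volume; otherwise every new container presents a new host identity`, and confirm that the `HostKey` paths in sshd_config (not shown here) match the file the script tests. Writing `echo 'set -e' >> /entrypoint.sh && \` as the second line would also stop the container at a failed `ssh-keygen -A` instead of continuing to `exec sshd`.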