From 856af9ac9e42a088ca65e70026ad7390f00fe8d4 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Fri, 9 Jan 2026 11:16:18 +0200
Subject: Run containers as root and use emptyDir for writeable dirs
- Mount emptyDir for /etc/ssh to allow SSH host key generation
- Mount emptyDir for /var/cache/cgit to allow cache initialization
- Run both containers as root with proper capabilities
- Copy sshd_config at runtime from /tmp to /etc/ssh
- Add imagePullPolicy: Always to force image refresh
---
f3s/git-server/helm-chart/templates/deployment.yaml | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'f3s/git-server/helm-chart')
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index b74a5fc..6f47c36 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -19,6 +19,7 @@ spec:
 # Container 1: SSH Git Server
 - name: git-server
 image: registry.lan.buetow.org:30001/git-server:1.0
+ imagePullPolicy: Always
 ports:
 - containerPort: 22
 name: ssh
@@ -30,12 +31,15 @@ spec:
 mountPath: /home/git/.ssh/authorized_keys
 subPath: authorized_keys
 readOnly: true
+ - name: ssh-host-keys
+ mountPath: /etc/ssh
 securityContext:
- runAsUser: 1000
- runAsGroup: 1000
+ runAsUser: 0
+ runAsGroup: 0
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ add: ["CHOWN", "DAC_OVERRIDE"]
 resources:
 requests:
 cpu: 50m
@@ -94,3 +98,5 @@ spec:
 name: cgit-config
 - name: cgit-cache
 emptyDir: {}
+ - name: ssh-host-keys
+ emptyDir: {}
--
cgit v1.2.3
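Review bot: The `ssh-host-keys` volume added in the `@@ -30,12 +31,15 @@` and `@@ -94,3 +98,5 @@` hunks is an `emptyDir`, so the sshd host keys generated into `/etc/ssh` are discarded and regenerated on every pod restart or reschedule; every client then sees a different host key for the same server, which either fails strict `known_hosts` checking or conditions users to accept changed keys, the situation a man-in-the-middle depends on. Persisting the keys in a Secret and mounting that instead, e.g. `- name: ssh-host-keys` / `secret:` / `secretName: <host-keys-secret, to be created once with ssh-keygen>`, keeps the server identity stable across restarts. The switch to `runAsUser: 0` with `add: ["CHOWN", "DAC_OVERRIDE"]` is also broader than the stated need of writing host keys into the mount: `DAC_OVERRIDE` lets the process ignore permission bits on everything else in the container filesystem, and if sshd itself does not need root here (the commit does not say), an initContainer could populate the volume while the main container stays at UID 1000. The container spec these hunks belong to starts and ends outside the hunks.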