From 190473b0dcb41ef49f1e4e3dd7a1e8fa4150181d Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Sat, 7 Feb 2026 23:11:41 +0200 Subject: docs(git-server): update README with persistent SSH keys info Co-authored-by: Cursor --- f3s/git-server/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'f3s/git-server') diff --git a/f3s/git-server/README.md b/f3s/git-server/README.md index fe23bee..28050b8 100644 --- a/f3s/git-server/README.md +++ b/f3s/git-server/README.md @@ -7,6 +7,7 @@ A self-hosted git repository solution for the f3s k3s cluster, replacing externa - **SSH Git Server**: Alpine-based container with OpenSSH and git for repository access - **CGit Web UI**: Browse repositories at `http://cgit.f3s.buetow.org` - **Single Pod Design**: Both containers share storage via ReadWriteMany PVC +- **Persistent SSH Host Keys**: Keys are stored in NFS and persist across pod restarts ## Architecture @@ -249,10 +250,11 @@ To recover: ## Security Notes - SSH keys are restricted to git-shell only (no shell access) -- git-server container runs as non-root user (UID 1000) +- git-server container runs as non-root user (UID 1001) - cgit container has read-only access to repositories -- All container capabilities dropped except NET_BIND_SERVICE for cgit +- All container capabilities dropped for enhanced security - Secrets managed via Kubernetes Secrets, never committed to git +- SSH host keys stored in NFS but copied to local emptyDir at startup (OpenSSH security requirement) ## Monitoring -- cgit v1.2.3
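Review bot: In the first hunk, the new "Persistent SSH Host Keys" bullet states only where the keys live ("stored in NFS and persist across pod restarts"); it should also say what that buys the user, namely that the server's host key no longer changes on every restart, so clients keep a stable known_hosts entry instead of seeing host key changed warnings. A short pointer to the Security Notes section, which explains the NFS-to-emptyDir copy, would also save readers from wondering why sshd is not reading the keys straight from the NFS volume.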
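Review bot: In the second hunk, three of the edited Security Notes lines need more precision. The UID change (1000 to 1001) is a factual correction, so the commit message or the README should say which manifest or Dockerfile it was checked against, otherwise the next reader cannot tell which value is stale. "All container capabilities dropped for enhanced security" removes the NET_BIND_SERVICE exception for cgit without saying how cgit now serves `http://cgit.f3s.buetow.org`; state that it listens on an unprivileged port (or whatever the actual arrangement is), since the old bullet existed precisely to explain that exception. Finally, "(OpenSSH security requirement)" in the new host keys line is too vague to verify; name the requirement (sshd's check on host key file ownership and permissions, which an NFS mount may not satisfy, if that is the reason), and add a sentence on how access to the NFS path holding the private host keys is restricted, because anyone who can read that share can impersonate the git server.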