diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 0000000..58ffb6a
--- /dev/null
+++ b/.github/workflows/docker-image.yml
@@ -0,0 +1,39 @@
+name: Docker Image CI
+
+on:
+ push:
+ branches: [ "master" ]
+ pull_request:
+ branches: [ "master" ]
+ schedule:
+ - cron: '0 0 * * *' # Runs at 00:00 daily
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ packages: write # Required to push to GitHub Container Registry
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push Docker image (multi-arch)
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ file: ./Dockerfile
+ push: true
+ platforms: linux/amd64,linux/arm64 # Multi-platform support
+ tags: ghcr.io/${{ github.actor }}/git-server-docker:latest
diff --git a/Dockerfile b/Dockerfile
index b1c9d0a..2d42577 100644
--- a/Dockerfile
+++ b/Dockerfile
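Review bot: `push: true` in the build-and-push step is unconditional, so the `pull_request` trigger declared at the top publishes unmerged code to the same `:latest` tag that docker-compose.yml pulls (for a PR from a fork the read-only `GITHUB_TOKEN` would presumably make the login step fail instead). Gate it on the event, `push: ${{ github.event_name != 'pull_request' }}`, and name the image after the repository rather than the triggering user, `tags: ghcr.io/${{ github.repository }}:latest` (already lowercase for this repository), because `github.actor` can differ between a collaborator's push and the scheduled run while the token can only push into this repository's namespace. The four `uses:` lines pin actions to major tags only; pinning to a commit SHA would remove the remaining supply-chain variable in a workflow that holds `packages: write`.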
@@ -1,36 +1,20 @@
-FROM alpine:3.4
+FROM alpine:latest
-MAINTAINER Carlos Bernárdez "carlos@z4studios.com"
+LABEL org.opencontainers.image.authors="Oliver Filla , Carlos Bernárdez "
-# "--no-cache" is new in Alpine 3.3 and it avoid using
-# "--update + rm -rf /var/cache/apk/*" (to remove cache)
-RUN apk add --no-cache \
-# openssh=7.2_p2-r1 \
- openssh \
-# git=2.8.3-r0
- git
-
-# Key generation on the server
-RUN ssh-keygen -A
-
-# SSH autorun
-# RUN rc-update add sshd
-
-WORKDIR /git-server/
+RUN apk add --no-cache openssh git
 # -D flag avoids password generation
 # -s flag changes user's shell
-RUN mkdir /git-server/keys \
- && adduser -D -s /usr/bin/git-shell git \
- && echo git:12345 | chpasswd \
- && mkdir /home/git/.ssh
+RUN adduser -D -s /usr/bin/git-shell git \
+ && mkdir -p /git-server/keys /git-server/repos ~git/.ssh
 # This is a login shell for SSH accounts to provide restricted Git access.
 # It permits execution only of server-side Git commands implementing the
 # pull/push functionality, plus custom commands present in a subdirectory
 # named git-shell-commands in the user’s home directory.
 # More info: https://git-scm.com/docs/git-shell
-COPY git-shell-commands /home/git/git-shell-commands
+COPY --chown=git:git git-shell-commands /home/git/git-shell-commands
 # sshd_config file is edited for enable access key and disable access password
 COPY sshd_config /etc/ssh/sshd_config
diff --git a/README.md b/README.md
index 168a01f..ac4e373 100644
--- a/README.md
+++ b/README.md
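Review bot: The new `RUN adduser -D -s /usr/bin/git-shell git` line leaves the account with a locked password field (BusyBox adduser writes `!` into /etc/shadow when no password is assigned), and the removed `echo git:12345 | chpasswd` was what used to unlock it; with `UsePAM` at its default of no, OpenSSH on Linux rejects every login for such an account, public-key included, so key-based access to this image would presumably fail. Dropping the hard-coded password is the right call, but the account should be unlocked without one, e.g. `&& echo 'git:*' | chpasswd -e \` after the adduser line, since `*` is not treated as locked. Please confirm on a fresh build, as this depends on the adduser behaviour described above. Separately, `FROM alpine:latest` combined with the daily rebuild means base packages can change under every nightly image; a release tag rather than `latest` keeps a build reproducible while the scheduled rebuild still picks up package fixes.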
@@ -1,76 +1,102 @@ # git-server-docker -A lightweight Git Server Docker image built with Alpine Linux. Available on [GitHub](https://github.com/jkarlosb/git-server-docker) and [Docker Hub](https://hub.docker.com/r/jkarlos/git-server-docker/) +A lightweight Git Server Docker image built with Alpine Linux. Available on [GitHub](https://github.com/ofilla/git-server-docker) and [GitHub Container Registry](https://github.com/ofilla/git-server-docker/pkgs/container/git-server-docker). -!["image git server docker" "git server docker"](https://raw.githubusercontent.com/jkarlosb/git-server-docker/master/git-server-docker.jpg) +!["image git server docker" "git server docker"](https://raw.githubusercontent.com/ofilla/git-server-docker/master/git-server-docker.jpg) + +This image is built daily, based on `alpine:latest`. ### Basic Usage How to run the container in port 2222 with two volumes: keys volume for public keys and repos volume for git repositories: - $ docker run -d -p 2222:22 -v ~/git-server/keys:/git-server/keys -v ~/git-server/repos:/git-server/repos jkarlos/git-server-docker +``` +$ docker run -d \ + -p 2222:22 \ + -v ~/git-server/keys:/git-server/keys \ + -v ~/git-server/repos:/git-server/repos \ + ghcr.io/ofilla/git-server-docker +``` How to use a public key: - Copy them to keys folder: - - From host: $ cp ~/.ssh/id_rsa.pub ~/git-server/keys - - From remote: $ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys - You need restart the container when keys are updated: - $ docker restart - +* Copy them to keys folder: + * From host: `$ cp ~/.ssh/id_rsa.pub ~/git-server/keys` + * From remote: `$ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys` +* You need restart the container when keys are updated: `$ docker restart ` + How to check that container works (you must to have a key): - $ ssh git@ -p 2222 - ... - Welcome to git-server-docker! - You've successfully authenticated, but I do not - provide interactive shell access. - ... +``` +$ ssh git@ -p 2222 +... 
+Welcome to git-server-docker! +You've successfully authenticated, but I do not +provide interactive shell access. +... +``` How to create a new repo: - $ cd myrepo - $ git init --shared=true - $ git add . - $ git commit -m "my first commit" - $ cd .. - $ git clone --bare myrepo myrepo.git +``` +$ cd myrepo +$ git init --shared=true +$ git add . +$ git commit -m "my first commit" +$ cd .. +$ git clone --bare myrepo myrepo.git +``` How to upload a repo: - From host: - $ mv myrepo.git ~/git-server/repos - From remote: - $ scp -r myrepo.git user@host:~/git-server/repos +* From host: `$ mv myrepo.git ~/git-server/repos` +* From remote: `$ scp -r myrepo.git user@host:~/git-server/repos` How clone a repository: - $ git clone ssh://git@:2222/git-server/repos/myrepo.git +``` +$ git clone ssh://git@:2222/git-server/repos/myrepo.git +``` ### Arguments * **Expose ports**: 22 * **Volumes**: - * */git-server/keys*: Volume to store the users public keys - * */git-server/repos*: Volume to store the repositories + * `/git-server/keys`: Volume to store the users public keys + * `/git-server/repos`: Volume to store the repositories ### SSH Keys How generate a pair keys in client machine: - $ ssh-keygen -t rsa +``` +$ ssh-keygen -t rsa +``` How upload quickly a public key to host volume: - $ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys +``` +$ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys +``` + ### Build Image How to make the image: - $ docker build -t git-server-docker . - +``` +$ docker build -t git-server-docker . +``` + + ### Docker-Compose -You can edit docker-compose.yml and run this container with docker-compose: +You can edit `docker-compose.yml` and run this container with docker-compose: + +``` +$ docker-compose up -d +``` + +Environment Variables: - $ docker-compose up -d +* `GIT_SERVER_KEYS_DIR`: Path to public keys to accept, on the host +* `GIT_SERVER_REPO_DIR`: Path to repositories, on the host 
diff --git a/docker-compose.yml b/docker-compose.yml
index cded791..b2a7d37 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,15 +1,12 @@
-version: '2' - services: - git-server: - image: jkarlos/git-server-docker
+ image: ghcr.io/ofilla/git-server-docker:latest
 #build: .
 restart: always
 container_name: git-server
 ports:
 - "2222:22"
 volumes:
- - ~/git-server/keys:/git-server/keys
- - ~/git-server/repos:/git-server/repos
+ - ${GIT_SERVER_KEYS_DIR:-~/git-server/keys}:/git-server/keys:ro
+ - ${GIT_SERVER_REPO_DIR:-~/git-server/repos}:/git-server/repos
diff --git a/sshd_config b/sshd_config
index 8c9e576..fb6fcfb 100644
--- a/sshd_config
+++ b/sshd_config
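Review bot: The new volumes list persists keys and repositories but nothing under `/etc/ssh`, and this same commit moves `ssh-keygen -A` from the image build into start.sh, so the host keys are regenerated every time the container is re-created (for example `docker compose up` after pulling a newer `:latest`) and every client then sees a host-key-changed warning, which trains users to accept mismatches. `ssh-keygen -A` only generates keys that are missing, so persisting them is enough: a named volume over `/etc/ssh` is the simplest form, though it also freezes the copied sshd_config, so a dedicated key directory plus `HostKey` lines may be cleaner — hedging, as that touches files outside this hunk. The `:ro` on the keys mount is a good change. Since `:latest` is rebuilt daily and, as the workflow is written, also from pull requests, a digest pin `image: ghcr.io/ofilla/git-server-docker@sha256:<digest>` is worth considering for deployments.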
@@ -1,145 +1,9 @@
-# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-# The default requires explicit activation of protocol 1
-#Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-RSAAuthentication yes
-PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-#AuthorizedKeysFile /home/git/.ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
+# Disable SSH for all users except 'git'
+PermitRootLogin no
 PasswordAuthentication no
-#PermitEmptyPasswords no
-
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-# Kerberos options (deprecated)
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options (deprecated)
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/ssh/sftp-server
-
-# the following are HPN related configuration options
-# tcp receive buffer polling. disable in non autotuning kernels
-#TcpRcvBufPoll yes
-
-# disable hpn performance boosts
-#HPNDisabled no
-
-# buffer size for hpn to non-hpn connections
-#HPNBufferSize 2048
-
+AllowUsers git
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
+Match User git
+ X11Forwarding no
+ AllowTcpForwarding no
+ ForceCommand git-shell
diff --git a/start.sh b/start.sh
index 6000392..d756f7c 100644
--- a/start.sh
+++ b/start.sh
@@ -1,22 +1,23 @@
 #!/bin/sh
-# If there is some public key in keys folder
+ssh-keygen -A
+
+# If there are some public keys in keys folder
 # then it copies its contain in authorized_keys file
 if [ "$(ls -A /git-server/keys/)" ]; then
 cd /home/git
- cat /git-server/keys/*.pub > .ssh/authorized_keys
- chown -R git:git .ssh
- chmod 700 .ssh
- chmod -R 600 .ssh/*
+ cat /git-server/keys/*.pub > /home/git/.ssh/authorized_keys
+ chown -R git:git /home/git/.ssh
+ chmod 700 /home/git/.ssh
+ chmod -R 600 /home/git/.ssh/*
 fi
 # Checking permissions and fixing SGID bit in repos folder
 # More info: https://github.com/jkarlosb/git-server-docker/issues/1
 if [ "$(ls -A /git-server/repos/)" ]; then
- cd /git-server/repos
- chown -R git:git .
- chmod -R ug+rwX .
- find . -type d -exec chmod g+s '{}' +
+ chown -R git:git /git-server/repos
+ chmod -R ug+rwX /git-server/repos
+ find /git-server/repos -type d -exec chmod g+s '{}' +
 fi
 # -D flag avoids executing sshd as a daemon
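Review bot: The new `Match User git` block turns off X11 and TCP forwarding but leaves agent forwarding and stream-local (Unix socket) forwarding at their default of yes, and the commented `#ChallengeResponseAuthentication yes` default removed above is no longer stated anywhere; with `ForceCommand git-shell` the practical exposure is small, but this file is now the whole policy, so make it explicit with `AllowAgentForwarding no` and `AllowStreamLocalForwarding no` in the Match block and `ChallengeResponseAuthentication no` next to `PasswordAuthentication no`. `PermitTunnel` and `GatewayPorts` already default to no and need no line. Removing `AuthorizedKeysFile .ssh/authorized_keys` also restores sshd's default, which reads `.ssh/authorized_keys2` as well; harmless because start.sh only writes `authorized_keys`, but a one-line comment would record that the omission is deliberate.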