diff --git a/00_preps.yaml b/00_preps.yaml index 8ce776f..7a41ce4 100644 --- a/00_preps.yaml +++ b/00_preps.yaml @@ -22,3 +22,22 @@ become: true user: name: git + groups: + - lxd + - name: PREPS -- git authorized keys + copy: + src: 'files/sshd_config' + dest: '/etc/ssh/sshd_config' + mode: 0644 + notify: + - reload sshd + - name: PREPS -- git host shim + copy: + src: 'files/git_host_shim' + dest: '/usr/local/bin/gitea' + mode: 0755 + handlers: + - name: reload sshd + service: + name: sshd + state: reloaded diff --git a/02_lxc_containers.yaml b/02_lxc_containers.yaml index 56b7039..a1277dd 100644 --- a/02_lxc_containers.yaml +++ b/02_lxc_containers.yaml @@ -33,12 +33,3 @@ listen: tcp:0.0.0.0:443 connect: tcp:127.0.0.1:443 proxy_protocol: 'true' - - name: Create gitea port forward(s) - community.general.lxd_container: - name: gitea - devices: - map_port_2222: - type: proxy - listen: tcp:0.0.0.0:2222 - connect: tcp:127.0.0.1:2222 - proxy_protocol: 'true' diff --git a/04_container_gitea.yaml b/04_container_gitea.yaml index 7deebd6..715be3b 100644 --- a/04_container_gitea.yaml +++ b/04_container_gitea.yaml @@ -18,3 +18,9 @@ ENABLE_AUTO_REGISTRATION = true USERNAME = email ACCOUNT_LINKING = auto + gitea_extra_config: | + [server] + SSH_PORT = 22 + SSH_LISTEN_PORT = 2222 + SSH_USER = git + BUILTIN_SSH_SERVER_USER = git diff --git a/files/git_host_shim b/files/git_host_shim new file mode 100644 index 0000000..5ee3622 --- /dev/null +++ b/files/git_host_shim @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +/snap/bin/lxc exec --cwd /var/lib/gitea --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea -- sudo -HE --user gitea $0 "$@" diff --git a/files/sshd_config b/files/sshd_config new file mode 100644 index 0000000..77d8eb0 --- /dev/null +++ b/files/sshd_config 
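Review bot: The `PREPS -- git authorized keys` task copies a whole replacement /etc/ssh/sshd_config and notifies `reload sshd` without a `validate:` step, so a typo in files/sshd_config is only discovered when sshd reloads, which can leave the host unreachable over SSH; add `validate: '/usr/sbin/sshd -t -f %s'` to the copy task so a broken file is rejected before it replaces the live one. The task name is also misleading for what it does (it installs the sshd config, not authorized keys). Adding the `git` user to the `lxd` group is worth a comment in the play, since lxd group membership is documented by LXD as equivalent to root on the host and grants far more than the `lxc exec gitea` the shim needs, e.g. `# NOTE: lxd group == root-equivalent on the host; needed so the shim can lxc exec into the gitea container`. The `reload sshd` handler presumably relies on the `sshd` service alias existing on this distribution — confirm, since Ubuntu's unit is `ssh`.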
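Review bot: `SSH_LISTEN_PORT` and `BUILTIN_SSH_SERVER_USER` in the new `gitea_extra_config` block only take effect for Gitea's built-in SSH server, which this change does not appear to enable (the 2222 proxy forward is removed in 02_lxc_containers.yaml and SSH is handed to the host sshd via the shim); if the built-in server is indeed off, those two keys are dead config and can be dropped or commented. `SSH_PORT = 22` is the value that matters for the clone URLs Gitea displays, so a short comment such as `# host sshd on 22 fronts gitea via AuthorizedKeysCommand + /usr/local/bin/gitea shim; built-in SSH server unused` would keep the next reader from re-adding the port forward. The surrounding `gitea_*` variables continue outside the hunk.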
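Review bot: The shim passes `$0` through to the container as the command to run, which silently couples the host install path (/usr/local/bin/gitea, set in 00_preps.yaml) to the path of the gitea binary inside the container that the `command=` entries produced by `gitea keys` refer to; moving either side breaks every push/pull with no hint why. A header comment should state this, e.g. `# Host stand-in for the container's gitea binary: sshd runs the command="... serv key-N" line from gitea keys,` / `# and $0 must therefore match the in-container gitea path; SSH_ORIGINAL_COMMAND is forwarded so serv can see the git command.` Consider `exec /snap/bin/lxc exec ...` so the exit status and signals come straight from lxc rather than through a lingering bash process.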
@@ -0,0 +1,128 @@
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+PasswordAuthentication yes
+
+Match User git
+ AuthorizedKeysCommandUser root
+ AuthorizedKeysCommand /snap/bin/lxc exec gitea -- sudo --user gitea /usr/local/bin/gitea keys -e git -u "%u" -t "%t" -k "%k" -c /etc/gitea/gitea.ini
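Review bot: The `Match User git` block at the end of the hunk only wires up `AuthorizedKeysCommand`, while the file sets `PasswordAuthentication yes` globally a few lines above it, so the git account is still accepted for password authentication if it ever has a usable password; since its keys are meant to come exclusively from Gitea, add `PasswordAuthentication no` and `AuthorizedKeysFile none` inside the Match block so nothing but the command-supplied keys can log in as git. `AuthorizedKeysCommandUser root` runs the lxc/sudo pipeline as root for every connection attempt against this user, before authentication; sshd_config(5) recommends a dedicated unprivileged account for this, and here a separate user holding only `lxd` group membership would be enough for `lxc exec` — worth a comment stating why root was chosen if it stays. The `keys` lookup presumably depends on the gitea binary and /etc/gitea/gitea.ini existing at those paths inside the container; confirm against 04_container_gitea.yaml.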