+27 -16

Dockerfile

··· 1 1 FROM golang:alpine AS build 2 2 - 3 2 FROM alpine AS runtime 4 4 - RUN addgroup --system --gid 1001 tangled 5 5 - RUN adduser --system --uid 1001 tangled 6 6 - RUN mkdir -p /var/lib/tangled 7 7 - VOLUME ["/var/lib/tangled"] 8 3 9 4 FROM build AS tangled 10 5 # earliest version with knot & spindle ··· 15 10 WORKDIR /core 16 11 RUN go mod download 17 12 18 18 - FROM build AS build_spindle 13 13 + FROM build AS build-spindle 19 14 WORKDIR /app 20 15 COPY --from=tangled /core . 21 16 RUN go build -o spindle cmd/spindle/main.go 22 17 23 23 - FROM build AS build_knot 18 18 + FROM build AS build-knot 24 19 WORKDIR /app 25 20 COPY --from=tangled /core . 26 21 RUN go build -o knot cmd/knot/main.go 27 22 28 23 FROM runtime AS spindle 29 29 - RUN mkdir -p /var/log/spindle 24 24 + ENV SPINDLE_SERVER_DB_PATH=/var/lib/spindle/spindle.db 25 25 + RUN addgroup --system --gid 1001 spindle 26 26 + RUN adduser --system --uid 1001 spindle 27 27 + RUN mkdir -p /var/{lib,log}/spindle 30 28 COPY --from=build_spindle /app/spindle /usr/bin/spindle 31 31 - ENV SPINDLE_SERVER_DB_PATH=/var/lib/tangled/spindle.db 32 32 - USER tangled 33 29 EXPOSE 6555 34 34 - VOLUME ["/var/log/spindle"] 30 30 + USER spindle 31 31 + VOLUME ["/var/log/spindle", "/var/lib/spindle"] 35 32 CMD ["spindle"] 36 33 37 34 FROM runtime AS knot 38 38 - COPY --from=build_knot /app/knot /usr/bin/knot 39 39 - ENV KNOT_SERVER_DB_PATH=/var/lib/tangled/knotserver.db 35 35 + ARG UID=1001 36 36 + ARG GID=1001 37 37 + ENV KNOT_SERVER_DB_PATH=/home/git/knotserver.db 40 38 ENV KNOT_REPO_SCAN_PATH=/home/git/repositories 41 39 ENV KNOT_SERVER_INTERNAL_LISTEN_ADDR=localhost:5444 42 42 - USER tangled 40 40 + COPY knot . 41 41 + RUN chmod 755 /etc 42 42 + RUN chmod -R 755 /etc/s6-overlay 43 43 + RUN apk add shadow s6-overlay execline openssl openssh git curl bash 44 44 + RUN groupadd -g $GID -f git 45 45 + RUN useradd -u $UID -g $GID -d /home/git git 46 46 + RUN openssl rand -hex 16 | passwd --stdin git 47 47 + RUN mkdir -p /home/git/repositories && chown -R git:git /home/git 48 48 + COPY --from=build_knot /app/knot /usr/bin/knot 43 49 EXPOSE 5555 44 44 - VOLUME ["/var/log/spindle"] 45 45 - CMD ["knot"] 50 50 + EXPOSE 22 51 51 + USER git 52 52 + WORKDIR /home/git 53 53 + VOLUME ["/home/git", "/etc/ssh/keys"] 54 54 + ENTRYPOINT ["/init"] 55 55 + HEALTHCHECK --interval=60s --timeout=30s --start-period=5s --retries=3 \ 56 56 + CMD curl -f http://localhost:5555 || exit 1

+1

knot/etc/s6-overlay/s6-rc.d/create-sshd-host-keys/type

··· 1 1 + oneshot

+1

knot/etc/s6-overlay/s6-rc.d/create-sshd-host-keys/up

··· 1 1 + /etc/s6-overlay/scripts/create-sshd-host-keys

knot/etc/s6-overlay/s6-rc.d/knotserver/dependencies.d/base

This is a binary file and will not be displayed.

+3

knot/etc/s6-overlay/s6-rc.d/knotserver/run

··· 1 1 + #!/command/with-contenv ash 2 2 + 3 3 + exec s6-setuidgid git /usr/bin/knot server

+1

knot/etc/s6-overlay/s6-rc.d/knotserver/type

··· 1 1 + longrun

knot/etc/s6-overlay/s6-rc.d/sshd/dependencies.d/base

This is a binary file and will not be displayed.

knot/etc/s6-overlay/s6-rc.d/sshd/dependencies.d/create-sshd-host-keys

This is a binary file and will not be displayed.

+3

knot/etc/s6-overlay/s6-rc.d/sshd/run

··· 1 1 + #!/usr/bin/execlineb -P 2 2 + 3 3 + /usr/sbin/sshd -e -D

+1

knot/etc/s6-overlay/s6-rc.d/sshd/type

··· 1 1 + longrun

knot/etc/s6-overlay/s6-rc.d/user/contents.d/knotserver

This is a binary file and will not be displayed.

knot/etc/s6-overlay/s6-rc.d/user/contents.d/sshd

This is a binary file and will not be displayed.

+21

knot/etc/s6-overlay/scripts/create-sshd-host-keys

··· 1 1 + #!/usr/bin/execlineb -P 2 2 + 3 3 + foreground { 4 4 + if -n { test -d /etc/ssh/keys } 5 5 + mkdir /etc/ssh/keys 6 6 + } 7 7 + 8 8 + foreground { 9 9 + if -n { test -f /etc/ssh/keys/ssh_host_rsa_key } 10 10 + ssh-keygen -t rsa -f /etc/ssh/keys/ssh_host_rsa_key -q -N "" 11 11 + } 12 12 + 13 13 + foreground { 14 14 + if -n { test -f /etc/ssh/keys/ssh_host_ecdsa_key } 15 15 + ssh-keygen -t rsa -f /etc/ssh/keys/ssh_host_ecdsa_key -q -N "" 16 16 + } 17 17 + 18 18 + foreground { 19 19 + if -n { test -f /etc/ssh/keys/ssh_host_ed25519_key } 20 20 + ssh-keygen -t rsa -f /etc/ssh/keys/ssh_host_ed25519_key -q -N "" 21 21 + }

+8

knot/etc/s6-overlay/scripts/keys-wrapper

··· 1 1 + #!/bin/sh 2 2 + 3 3 + # Execute the knot keys command with proper shell context 4 4 + exec /bin/sh -c '/usr/bin/knot keys -output authorized-keys \ 5 5 + -internal-api "http://${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-localhost:5444}" \ 6 6 + -git-dir "${KNOT_REPO_SCAN_PATH:-/home/git/repositories}" \ 7 7 + -log-path "/tmp/knotguard.log"' 8 8 +

+3

knot/etc/ssh/sshd_config.d/authorized_keys_command.conf

··· 1 1 + Match User git 2 2 + AuthorizedKeysCommand /usr/bin/knot keys -o authorized-keys -git-dir /home/git/repositories 3 3 + AuthorizedKeysCommandUser nobody

+9

knot/etc/ssh/sshd_config.d/tangled_sshd.conf

··· 1 1 + HostKey /etc/ssh/keys/ssh_host_rsa_key 2 2 + HostKey /etc/ssh/keys/ssh_host_ecdsa_key 3 3 + HostKey /etc/ssh/keys/ssh_host_ed25519_key 4 4 + 5 5 + PasswordAuthentication no 6 6 + 7 7 + Match User git 8 8 + AuthorizedKeysCommand /etc/s6-overlay/scripts/keys-wrapper 9 9 + AuthorizedKeysCommandUser nobody