403 lines
11 KiB
Bash
403 lines
11 KiB
Bash
#!/usr/bin/env sh
|
|
|
|
# Force security SSH parameters
|
|
if [ -d /etc/ssh ]; then
|
|
cat > /etc/ssh/sshd_config <<- EOF
|
|
# This is the sshd server system-wide configuration file. See
|
|
# sshd_config(5) for more information.
|
|
|
|
# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
|
|
|
|
# The strategy used for options in the default sshd_config shipped with
|
|
# OpenSSH is to specify options with their default value where
|
|
# possible, but leave them commented. Uncommented options override the
|
|
# default value.
|
|
|
|
#Port 22
|
|
#AddressFamily any
|
|
#ListenAddress 0.0.0.0
|
|
#ListenAddress ::
|
|
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
|
|
# Ciphers and keying
|
|
#RekeyLimit default none
|
|
|
|
# Logging
|
|
#SyslogFacility AUTH
|
|
#LogLevel INFO
|
|
|
|
# Authentication:
|
|
|
|
#LoginGraceTime 2m
|
|
PermitRootLogin no
|
|
#StrictModes yes
|
|
MaxAuthTries 3
|
|
#MaxSessions 10
|
|
|
|
#PubkeyAuthentication yes
|
|
|
|
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
|
AuthorizedKeysFile .ssh/authorized_keys
|
|
|
|
#AuthorizedPrincipalsFile none
|
|
|
|
#AuthorizedKeysCommand none
|
|
#AuthorizedKeysCommandUser nobody
|
|
|
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
|
#HostbasedAuthentication no
|
|
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
|
# HostbasedAuthentication
|
|
#IgnoreUserKnownHosts no
|
|
# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
#IgnoreRhosts yes
|
|
|
|
# To disable tunneled clear text passwords, change to no here!
|
|
PasswordAuthentication no
|
|
PermitEmptyPasswords no
|
|
|
|
# Change to no to disable s/key passwords
|
|
#ChallengeResponseAuthentication yes
|
|
|
|
# Kerberos options
|
|
#KerberosAuthentication no
|
|
#KerberosOrLocalPasswd yes
|
|
#KerberosTicketCleanup yes
|
|
#KerberosGetAFSToken no
|
|
|
|
# GSSAPI options
|
|
#GSSAPIAuthentication no
|
|
#GSSAPICleanupCredentials yes
|
|
|
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
# and session processing. If this is enabled, PAM authentication will
|
|
# be allowed through the ChallengeResponseAuthentication and
|
|
# PasswordAuthentication. Depending on your PAM configuration,
|
|
# PAM authentication via ChallengeResponseAuthentication may bypass
|
|
# the setting of "PermitRootLogin without-password".
|
|
# If you just want the PAM account and session checks to run without
|
|
# PAM authentication, then enable this but set PasswordAuthentication
|
|
# and ChallengeResponseAuthentication to 'no'.
|
|
#UsePAM no
|
|
|
|
#AllowAgentForwarding yes
|
|
# Feel free to re-enable these if your use case requires them.
|
|
AllowTcpForwarding no
|
|
GatewayPorts no
|
|
X11Forwarding no
|
|
#X11DisplayOffset 10
|
|
#X11UseLocalhost yes
|
|
#PermitTTY yes
|
|
#PrintMotd yes
|
|
#PrintLastLog yes
|
|
#TCPKeepAlive yes
|
|
#PermitUserEnvironment no
|
|
#Compression delayed
|
|
#ClientAliveInterval 0
|
|
#ClientAliveCountMax 3
|
|
#UseDNS no
|
|
#PidFile /run/sshd.pid
|
|
#MaxStartups 10:30:100
|
|
#PermitTunnel no
|
|
#ChrootDirectory none
|
|
#VersionAddendum none
|
|
|
|
# no default banner path
|
|
#Banner none
|
|
|
|
# override default of no subsystems
|
|
Subsystem sftp /usr/lib/ssh/sftp-server
|
|
|
|
# Example of overriding settings on a per-user basis
|
|
#Match User anoncvs
|
|
# X11Forwarding no
|
|
# AllowTcpForwarding no
|
|
# PermitTTY no
|
|
# ForceCommand cvs server
|
|
|
|
# Algorithms
|
|
Ciphers chacha20-poly1305@openssh.com
|
|
KexAlgorithms curve25519-sha256@libssh.org
|
|
MACs hmac-sha2-512-etm@openssh.com
|
|
HostKeyAlgorithms=ssh-ed25519
|
|
EOF
|
|
fi
|
|
|
|
# Validate environment variables
|
|
|
|
# Create ssh host key if not present
|
|
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
|
|
ssh-keygen -A
|
|
fi
|
|
|
|
# Setup gitolite at volume /var/lib/git
|
|
if [ ! -f "/var/lib/git/.ssh/authorized_keys" ]; then
|
|
# Configure gitolite
|
|
echo "$SSH_KEY" > "/tmp/$SSH_KEY_NAME.pub"
|
|
su git -c "gitolite setup -pk \"/tmp/$SSH_KEY_NAME.pub\""
|
|
rm "/tmp/$SSH_KEY_NAME.pub"
|
|
fi
|
|
|
|
if [ ! -d /etc/nginx/http.d ]; then
|
|
install -d -m755 /etc/nginx/http.d || true
|
|
fi
|
|
|
|
# Init container
|
|
if [ ! -f /etc/nginx/http.d/cgit.conf ]; then
|
|
# enable random git password
|
|
GIT_PASSWORD=$(date +%s | sha256sum | base64 | head -c 32)
|
|
echo "git:$GIT_PASSWORD" | chpasswd
|
|
|
|
# add web user (nginx) to gitolite group (git)
|
|
adduser nginx git
|
|
|
|
## Config cgit interface
|
|
cat > /etc/cgitrc <<- EOF
|
|
#
|
|
# cgit config
|
|
#
|
|
|
|
virtual-root=/
|
|
|
|
# Use a custom logo
|
|
logo=/cgit.png
|
|
|
|
# Specify the css url
|
|
css=/cgit.css
|
|
|
|
# Enable configuration from external management, for example: gitolite
|
|
enable-git-config=1
|
|
|
|
# Show extra links for each repository on the index page
|
|
enable-index-links=1
|
|
|
|
# Show owner
|
|
enable-index-owner=1
|
|
|
|
# Enable ASCII art commit history graph on the log pages
|
|
enable-commit-graph=1
|
|
|
|
# Allow http transport git clone
|
|
enable-http-clone=1
|
|
|
|
# Show number of affected files per commit on the log pages
|
|
enable-log-filecount=1
|
|
|
|
# Show number of added/removed lines per commit on the log pages
|
|
enable-log-linecount=1
|
|
|
|
# Enable statistics per week, month and quarter
|
|
max-stats=quarter
|
|
|
|
# Cache
|
|
cache-about-ttl=15
|
|
cache-dynamic-ttl=5
|
|
cache-repo-ttl=5
|
|
cache-root=/var/cache/cgit
|
|
cache-root-ttl=5
|
|
cache-scanrc-ttl=15
|
|
cache-size=0
|
|
cache-snapshot-ttl=5
|
|
cache-static-ttl=-1
|
|
|
|
# Sort items in the repo list case sensitively. Default value: "1"
|
|
case-sensitive-sort=1
|
|
|
|
# Specifies the maximum size of a blob to display HTML for in KBytes. Default value: "0" (limit disabled)
|
|
max-blob-size=2048
|
|
|
|
# Specifies the number of entries to list per page on the repository index page. Default value: "50".
|
|
max-repo-count=250
|
|
|
|
|
|
# Specifies the maximum number of repo description characters to display on the repository index page.
|
|
# Default value: "80"
|
|
max-repodesc-length=80
|
|
|
|
# Set the default maximum statistics period. Valid values are "week", "month", "quarter" and "year".
|
|
# If unspecified, statistics are disabled. Default value: none
|
|
max-stats=year
|
|
|
|
#
|
|
# List of common mimetypes
|
|
#
|
|
|
|
mimetype.gif=image/gif
|
|
mimetype.htm=text/html
|
|
mimetype.html=text/html
|
|
mimetype.ico=image/x-icon
|
|
mimetype.jpg=image/jpeg
|
|
mimetype.jpeg=image/jpeg
|
|
mimetype.md=text/markdown
|
|
mimetype.mng=video/x-mng
|
|
mimetype.ora=image/openraster
|
|
mimetype.pam=image/x-portable-arbitrarymap
|
|
mimetype.pbm=image/x-portable-bitmap
|
|
mimetype.pdf=application/pdf
|
|
mimetype.pgm=image/x-portable-graymap
|
|
mimetype.png=image/png
|
|
mimetype.pnm=image/x-portable-anymap
|
|
mimetype.ppm=image/x-portable-pixmap
|
|
mimetype.svg=image/svg+xml
|
|
mimetype.svgz=image/svg+xml
|
|
mimetype.tga=image/x-tga
|
|
mimetype.tif=image/tiff
|
|
mimetype.tiff=image/tiff
|
|
mimetype.webp=image/webp
|
|
mimetype.xbm=image/x-xbitmap
|
|
mimetype.xcf=image/x-xcf
|
|
mimetype.xpm=image/x-xpixmap
|
|
|
|
# Enable syntax highlighting and about formatting
|
|
source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
|
|
about-filter=/usr/lib/cgit/filters/about-formatting.sh
|
|
|
|
#
|
|
# List of common readmes
|
|
#
|
|
readme=:README.md
|
|
readme=:readme.md
|
|
readme=:README.mkd
|
|
readme=:readme.mkd
|
|
readme=:README.rst
|
|
readme=:readme.rst
|
|
readme=:README.html
|
|
readme=:readme.html
|
|
readme=:README.htm
|
|
readme=:readme.htm
|
|
readme=:README.txt
|
|
readme=:readme.txt
|
|
readme=:README
|
|
readme=:readme
|
|
readme=:INSTALL.md
|
|
readme=:install.md
|
|
readme=:INSTALL.mkd
|
|
readme=:install.mkd
|
|
readme=:INSTALL.rst
|
|
readme=:install.rst
|
|
readme=:INSTALL.html
|
|
readme=:install.html
|
|
readme=:INSTALL.htm
|
|
readme=:install.htm
|
|
readme=:INSTALL.txt
|
|
readme=:install.txt
|
|
readme=:INSTALL
|
|
readme=:install
|
|
|
|
snapshots=$CGIT_SNAPSHOT
|
|
|
|
# Direct cgit to repository location managed by gitolite
|
|
remove-suffix=0
|
|
project-list=/var/lib/git/projects.list
|
|
section-from-path=1
|
|
scan-path=/var/lib/git/repositories
|
|
EOF
|
|
|
|
# Append clone-prefix
|
|
if [ -n "$CGIT_CLONE_PREFIX" ]; then
|
|
echo "# Specify some default clone prefixes" >> /etc/cgitrc
|
|
echo "clone-prefix=$CGIT_CLONE_PREFIX" >> /etc/cgitrc
|
|
fi
|
|
|
|
if [ -n "$CGIT_ROOT_TITLE" ]; then
|
|
echo "# Set the title and heading of the repository index page" >> /etc/cgitrc
|
|
echo "root-title=$CGIT_ROOT_TITLE" >> /etc/cgitrc
|
|
fi
|
|
|
|
if [ -n "$CGIT_DESC" ]; then
|
|
echo "# Set description repository" >> /etc/cgitrc
|
|
echo "root-desc=$CGIT_DESC" >> /etc/cgitrc
|
|
fi
|
|
|
|
# Using highlight syntax
|
|
#sed -i.bak \
|
|
# -e "s#exec highlight --force -f -I -X -S #\#&#g" \
|
|
# -e "s#\#exec highlight --force -f -I -O xhtml#exec highlight --force --inline-css -f -I -O xhtml#g" \
|
|
# /usr/lib/cgit/filters/syntax-highlighting.sh
|
|
|
|
# Nginx configuration
|
|
rm -f /etc/nginx/http.d/default.conf || true
|
|
cat > /etc/nginx/http.d/cgit.conf <<- EOF
|
|
server {
|
|
listen 80 default_server;
|
|
server_name localhost;
|
|
|
|
# Logs
|
|
access_log off;
|
|
error_log off;
|
|
|
|
root /usr/share/webapps/cgit;
|
|
try_files \$uri @cgit;
|
|
|
|
location @cgit {
|
|
include fastcgi_params;
|
|
|
|
# Path to the CGI script that comes with cgit
|
|
fastcgi_param SCRIPT_FILENAME \$document_root/cgit.cgi;
|
|
|
|
fastcgi_param PATH_INFO \$uri;
|
|
fastcgi_param QUERY_STRING \$args;
|
|
fastcgi_param QUERY_INFO \$uri;
|
|
fastcgi_param HTTP_HOST \$server_name;
|
|
|
|
# Path to the socket file that is created/used by fcgiwrap
|
|
fastcgi_pass unix:/run/fcgiwrap/fcgiwrap.socket;
|
|
}
|
|
|
|
# Enable compression for JS/CSS/HTML, for improved client load times.
|
|
# It might be nice to compress JSON/XML as returned by the API, but
|
|
# leaving that out to protect against potential BREACH attack.
|
|
gzip on;
|
|
gzip_vary on;
|
|
|
|
gzip_types # text/html is always compressed by HttpGzipModule
|
|
text/css
|
|
application/javascript
|
|
font/truetype
|
|
font/opentype
|
|
application/vnd.ms-fontobject
|
|
image/svg+xml;
|
|
gzip_min_length 1000; # default is 20 bytes
|
|
gzip_buffers 16 8k;
|
|
gzip_comp_level 2; # default is 1
|
|
|
|
client_body_timeout 30s; # default is 60
|
|
client_header_timeout 10s; # default is 60
|
|
send_timeout 10s; # default is 60
|
|
keepalive_timeout 10s; # default is 75
|
|
resolver_timeout 10s; # default is 30
|
|
reset_timedout_connection on;
|
|
proxy_ignore_client_abort on;
|
|
|
|
tcp_nopush on; # send headers in one piece
|
|
tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
|
|
|
|
# Enabling the sendfile directive eliminates the step of copying the data into the buffer
|
|
# and enables direct copying data from one file descriptor to another.
|
|
sendfile on;
|
|
sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
|
|
aio threads;
|
|
}
|
|
EOF
|
|
|
|
fi
|
|
|
|
# Start sshd as detach, log to stderr (-e)
|
|
/usr/sbin/sshd -e
|
|
|
|
# launch fcgiwrap via spawn-fcgi, port 1234
|
|
spawn-fcgi -s /run/fcgiwrap/fcgiwrap.socket -f /usr/bin/fcgiwrap
|
|
chmod 660 /run/fcgiwrap/fcgiwrap.socket
|
|
|
|
# fix permissions gitolite
|
|
chown git:git /var/lib/git/.gitolite.rc
|
|
chmod 640 /var/lib/git/.gitolite.rc
|
|
|
|
# Start git-daemon
|
|
git daemon --detach --reuseaddr --base-path=/var/lib/git/repositories /var/lib/git/repositories
|
|
|
|
# Start nginx
|
|
exec nginx -g "daemon off;"
|