first-commit

docker/root/etc/nsswitch.conf

@@ -0,0 +1,15 @@
+# /etc/nsswitch.conf
+
+passwd:         compat
+group:          compat
+shadow:         compat
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis

docker/root/etc/s6/.s6-svscan/finish

@@ -0,0 +1,2 @@
+#!/bin/bash
+exit 0

docker/root/etc/s6/gitea/finish

@@ -0,0 +1,2 @@
+#!/bin/bash
+s6-svscanctl -t /etc/s6/

docker/root/etc/s6/gitea/run

@@ -0,0 +1,6 @@
+#!/bin/bash
+[[ -f ./setup ]] && source ./setup
+
+pushd /app/gitea >/dev/null
+exec su-exec $USER /usr/local/bin/gitea web
+popd

docker/root/etc/s6/gitea/setup

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+if [ ! -d /data/git/.ssh ]; then
+    mkdir -p /data/git/.ssh
+fi
+
+# Set the correct permissions on the .ssh directory and authorized_keys file,
+# or sshd will refuse to use them and lead to clone/push/pull failures.
+# It could happen when users have copied their data to a new volume and changed the file permission by accident,
+# and it would be very hard to troubleshoot unless users know how to check the logs of sshd which is started by s6.
+chmod 700 /data/git/.ssh
+if [ -f /data/git/.ssh/authorized_keys ]; then
+    chmod 600 /data/git/.ssh/authorized_keys
+fi
+
+if [ ! -f /data/git/.ssh/environment ]; then
+    echo "GITEA_CUSTOM=$GITEA_CUSTOM" >| /data/git/.ssh/environment
+    chmod 600 /data/git/.ssh/environment
+
+elif ! grep -q "^GITEA_CUSTOM=$GITEA_CUSTOM$" /data/git/.ssh/environment; then
+    sed -i /^GITEA_CUSTOM=/d /data/git/.ssh/environment
+    echo "GITEA_CUSTOM=$GITEA_CUSTOM" >> /data/git/.ssh/environment
+fi
+
+if [ ! -f ${GITEA_CUSTOM}/conf/app.ini ]; then
+    mkdir -p ${GITEA_CUSTOM}/conf
+
+    # Set INSTALL_LOCK to true only if SECRET_KEY is not empty and
+    # INSTALL_LOCK is empty
+    if [ -n "$SECRET_KEY" ] && [ -z "$INSTALL_LOCK" ]; then
+        INSTALL_LOCK=true
+    fi
+
+    # Substitute the environment variables in the template
+    APP_NAME=${APP_NAME:-"Gitea: Git with a cup of tea"} \
+    RUN_MODE=${RUN_MODE:-"prod"} \
+    DOMAIN=${DOMAIN:-"localhost"} \
+    SSH_DOMAIN=${SSH_DOMAIN:-"localhost"} \
+    HTTP_PORT=${HTTP_PORT:-"3000"} \
+    ROOT_URL=${ROOT_URL:-""} \
+    DISABLE_SSH=${DISABLE_SSH:-"false"} \
+    SSH_PORT=${SSH_PORT:-"22"} \
+    SSH_LISTEN_PORT=${SSH_LISTEN_PORT:-"${SSH_PORT}"} \
+    LFS_START_SERVER=${LFS_START_SERVER:-"false"} \
+    DB_TYPE=${DB_TYPE:-"sqlite3"} \
+    DB_HOST=${DB_HOST:-"localhost:3306"} \
+    DB_NAME=${DB_NAME:-"gitea"} \
+    DB_USER=${DB_USER:-"root"} \
+    DB_PASSWD=${DB_PASSWD:-""} \
+    INSTALL_LOCK=${INSTALL_LOCK:-"false"} \
+    DISABLE_REGISTRATION=${DISABLE_REGISTRATION:-"false"} \
+    REQUIRE_SIGNIN_VIEW=${REQUIRE_SIGNIN_VIEW:-"false"} \
+    SECRET_KEY=${SECRET_KEY:-""} \
+    envsubst < /etc/templates/app.ini > ${GITEA_CUSTOM}/conf/app.ini
+
+    chown ${USER}:git ${GITEA_CUSTOM}/conf/app.ini
+fi
+
+# Replace app.ini settings with env variables in the form GITEA__SECTION_NAME__KEY_NAME
+environment-to-ini --config ${GITEA_CUSTOM}/conf/app.ini
+
+# only chown if current owner is not already the gitea ${USER}. No recursive check to save time
+if ! [[ $(ls -ld /data/gitea | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /data/gitea; fi
+if ! [[ $(ls -ld /app/gitea  | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /app/gitea;  fi
+if ! [[ $(ls -ld /data/git   | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /data/git;   fi
+chmod 0755 /data/gitea /app/gitea /data/git

docker/root/etc/s6/openssh/finish

@@ -0,0 +1,2 @@
+#!/bin/bash
+exit 0

docker/root/etc/s6/openssh/run

@@ -0,0 +1,6 @@
+#!/bin/bash
+[[ -f ./setup ]] && source ./setup
+
+pushd /root >/dev/null
+exec su-exec root /usr/sbin/sshd -D -e 2>&1
+popd

docker/root/etc/s6/openssh/setup

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+if [ ! -d /data/ssh ]; then
+    mkdir -p /data/ssh
+fi
+
+if [ ! -f /data/ssh/ssh_host_ed25519_key ]; then
+    echo "Generating /data/ssh/ssh_host_ed25519_key..."
+    ssh-keygen -t ed25519 -f /data/ssh/ssh_host_ed25519_key -N "" > /dev/null
+fi
+
+if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
+    echo "Generating /data/ssh/ssh_host_rsa_key..."
+    ssh-keygen -t rsa -b 3072 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
+fi
+
+if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
+    echo "Generating /data/ssh/ssh_host_ecdsa_key..."
+    ssh-keygen -t ecdsa -b 256 -f /data/ssh/ssh_host_ecdsa_key -N "" > /dev/null
+fi
+
+if [ -e /data/ssh/ssh_host_ed25519_cert ]; then
+  SSH_ED25519_CERT=${SSH_ED25519_CERT:-"/data/ssh/ssh_host_ed25519_cert"}
+fi
+
+if [ -e /data/ssh/ssh_host_rsa_cert ]; then
+  SSH_RSA_CERT=${SSH_RSA_CERT:-"/data/ssh/ssh_host_rsa_cert"}
+fi
+
+if [ -e /data/ssh/ssh_host_ecdsa_cert ]; then
+  SSH_ECDSA_CERT=${SSH_ECDSA_CERT:-"/data/ssh/ssh_host_ecdsa_cert"}
+fi
+
+# In case someone wants to sign the `{keyname}.pub` key by `ssh-keygen -s ca -I identity ...` to
+# make use of the ssh-key certificate authority feature (see ssh-keygen CERTIFICATES section),
+# the generated key file name is `{keyname}-cert.pub`
+if [ -e /data/ssh/ssh_host_ed25519_key-cert.pub ]; then
+  SSH_ED25519_CERT=${SSH_ED25519_CERT:-"/data/ssh/ssh_host_ed25519_key-cert.pub"}
+fi
+
+if [ -e /data/ssh/ssh_host_rsa_key-cert.pub ]; then
+  SSH_RSA_CERT=${SSH_RSA_CERT:-"/data/ssh/ssh_host_rsa_key-cert.pub"}
+fi
+
+if [ -e /data/ssh/ssh_host_ecdsa_key-cert.pub ]; then
+  SSH_ECDSA_CERT=${SSH_ECDSA_CERT:-"/data/ssh/ssh_host_ecdsa_key-cert.pub"}
+fi
+
+if [ -d /etc/ssh ]; then
+    SSH_PORT=${SSH_PORT:-"22"} \
+    SSH_LISTEN_PORT=${SSH_LISTEN_PORT:-"${SSH_PORT}"} \
+    SSH_ED25519_CERT="${SSH_ED25519_CERT:+"HostCertificate "}${SSH_ED25519_CERT}" \
+    SSH_RSA_CERT="${SSH_RSA_CERT:+"HostCertificate "}${SSH_RSA_CERT}" \
+    SSH_ECDSA_CERT="${SSH_ECDSA_CERT:+"HostCertificate "}${SSH_ECDSA_CERT}" \
+    SSH_MAX_STARTUPS="${SSH_MAX_STARTUPS:+"MaxStartups "}${SSH_MAX_STARTUPS}" \
+    SSH_MAX_SESSIONS="${SSH_MAX_SESSIONS:+"MaxSessions "}${SSH_MAX_SESSIONS}" \
+    SSH_INCLUDE_FILE="${SSH_INCLUDE_FILE:+"Include "}${SSH_INCLUDE_FILE}" \
+    SSH_LOG_LEVEL=${SSH_LOG_LEVEL:-"INFO"} \
+    envsubst < /etc/templates/sshd_config > /etc/ssh/sshd_config
+
+    chmod 0644 /etc/ssh/sshd_config
+fi
+
+chown root:root /data/ssh/*
+chmod 0700 /data/ssh
+chmod 0600 /data/ssh/*

docker/root/etc/templates/app.ini

@@ -0,0 +1,62 @@
+APP_NAME = $APP_NAME
+RUN_MODE = $RUN_MODE
+
+[repository]
+ROOT = /data/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN           = $DOMAIN
+SSH_DOMAIN       = $SSH_DOMAIN
+HTTP_PORT        = $HTTP_PORT
+ROOT_URL         = $ROOT_URL
+DISABLE_SSH      = $DISABLE_SSH
+SSH_PORT         = $SSH_PORT
+SSH_LISTEN_PORT  = $SSH_LISTEN_PORT
+LFS_START_SERVER = $LFS_START_SERVER
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = $DB_TYPE
+HOST    = $DB_HOST
+NAME    = $DB_NAME
+USER    = $DB_USER
+PASSWD  = $DB_PASSWD
+LOG_SQL = false
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = $INSTALL_LOCK
+SECRET_KEY   = $SECRET_KEY
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+
+[service]
+DISABLE_REGISTRATION = $DISABLE_REGISTRATION
+REQUIRE_SIGNIN_VIEW  = $REQUIRE_SIGNIN_VIEW
+
+[lfs]
+PATH = /data/git/lfs

docker/root/etc/templates/sshd_config

@@ -0,0 +1,43 @@
+Port ${SSH_LISTEN_PORT}
+Protocol 2
+
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+${SSH_MAX_STARTUPS}
+${SSH_MAX_SESSIONS}
+
+LogLevel ${SSH_LOG_LEVEL}
+
+HostKey /data/ssh/ssh_host_ed25519_key
+${SSH_ED25519_CERT}
+HostKey /data/ssh/ssh_host_rsa_key
+${SSH_RSA_CERT}
+HostKey /data/ssh/ssh_host_ecdsa_key
+${SSH_ECDSA_CERT}
+
+AuthorizedKeysFile .ssh/authorized_keys
+AuthorizedPrincipalsFile .ssh/authorized_principals
+TrustedUserCAKeys /data/git/.ssh/gitea-trusted-user-ca-keys.pem
+CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+
+UseDNS no
+AllowAgentForwarding no
+AllowTcpForwarding no
+PrintMotd no
+
+PermitUserEnvironment yes
+PermitRootLogin no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+AllowUsers ${USER}
+
+Banner none
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+AcceptEnv GIT_PROTOCOL
+
+${SSH_INCLUDE_FILE}

docker/root/usr/bin/entrypoint

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Protect against buggy runc in docker <20.10.6 causing problems in with Alpine >= 3.14
+if [ ! -x /bin/sh ]; then
+  echo "Executable test for /bin/sh failed. Your Docker version is too old to run Alpine 3.14+ and Gitea. You must upgrade Docker.";
+  exit 1;
+fi
+
+if [ "${USER}" != "git" ]; then
+    # Rename user
+    sed -i -e "s/^git\:/${USER}\:/g" /etc/passwd
+fi
+
+if [ -z "${USER_GID}" ]; then
+  USER_GID="`id -g ${USER}`"
+fi
+
+if [ -z "${USER_UID}" ]; then
+  USER_UID="`id -u ${USER}`"
+fi
+
+# Change GID for USER?
+if [ -n "${USER_GID}" ] && [ "${USER_GID}" != "`id -g ${USER}`" ]; then
+    sed -i -e "s/^${USER}:\([^:]*\):[0-9]*/${USER}:\1:${USER_GID}/" /etc/group
+    sed -i -e "s/^${USER}:\([^:]*\):\([0-9]*\):[0-9]*/${USER}:\1:\2:${USER_GID}/" /etc/passwd
+fi
+
+# Change UID for USER?
+if [ -n "${USER_UID}" ] && [ "${USER_UID}" != "`id -u ${USER}`" ]; then
+    sed -i -e "s/^${USER}:\([^:]*\):[0-9]*:\([0-9]*\)/${USER}:\1:${USER_UID}:\2/" /etc/passwd
+fi
+
+for FOLDER in /data/gitea/conf /data/gitea/log /data/git /data/ssh; do
+    mkdir -p ${FOLDER}
+done
+
+if [ $# -gt 0 ]; then
+    exec "$@"
+else
+    exec /usr/bin/s6-svscan /etc/s6
+fi

docker/root/usr/local/bin/gitea

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+###############################################################
+# This script sets defaults for gitea to run in the container #
+###############################################################
+
+# It assumes that you place this script as gitea in /usr/local/bin
+#
+# And place the original in /usr/lib/gitea with working files in /data/gitea
+GITEA="/app/gitea/gitea"
+WORK_DIR="/data/gitea"
+CUSTOM_PATH="/data/gitea"
+
+# Provide docker defaults
+GITEA_WORK_DIR="${GITEA_WORK_DIR:-$WORK_DIR}" GITEA_CUSTOM="${GITEA_CUSTOM:-$CUSTOM_PATH}" exec -a "$0" "$GITEA" $CONF_ARG "$@"