(i be traumatized) fixes knotguard options, along with some more config improvements and fixes in docker compose and dockerfile
+9
-2
docker/Dockerfile
···
1
FROM docker.io/golang:1.24-alpine3.21 AS build
2
3
ENV CGO_ENABLED=1
4
WORKDIR /usr/src/app
5
COPY go.mod go.sum ./
6
···
22
LABEL org.opencontainers.image.url=https://tangled.sh
23
LABEL org.opencontainers.image.source=https://tangled.sh/@tangled.sh/core
24
25
-
RUN apk add --no-cache shadow s6-overlay execline openssh git && \
26
adduser --disabled-password git && \
27
# We need to set password anyway since otherwise ssh won't work
28
head -c 32 /dev/random | base64 | tr -dc 'a-zA-Z0-9' | passwd git --stdin && \
···
30
31
COPY --from=build /usr/local/bin/knot /usr/local/bin
32
COPY docker/rootfs/ .
33
34
EXPOSE 22
35
EXPOSE 5555
36
37
-
ENTRYPOINT ["/bin/sh", "-c", "chown git:git /app && chown git:git /home/git/repositories && /init"]
···
1
FROM docker.io/golang:1.24-alpine3.21 AS build
2
3
ENV CGO_ENABLED=1
4
+
ENV KNOT_REPO_SCAN_PATH=/home/git/repositories
5
WORKDIR /usr/src/app
6
COPY go.mod go.sum ./
7
···
23
LABEL org.opencontainers.image.url=https://tangled.sh
24
LABEL org.opencontainers.image.source=https://tangled.sh/@tangled.sh/core
25
26
+
RUN apk add --no-cache shadow s6-overlay execline openssh git curl && \
27
adduser --disabled-password git && \
28
# We need to set password anyway since otherwise ssh won't work
29
head -c 32 /dev/random | base64 | tr -dc 'a-zA-Z0-9' | passwd git --stdin && \
···
31
32
COPY --from=build /usr/local/bin/knot /usr/local/bin
33
COPY docker/rootfs/ .
34
+
RUN chmod +x /etc/s6-overlay/scripts/keys-wrapper && \
35
+
chown git:git /app && \
36
+
chown -R git:git /home/git/repositories
37
38
EXPOSE 22
39
EXPOSE 5555
40
41
+
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
42
+
CMD curl -f http://localhost:5555/ || exit 1
43
+
44
+
ENTRYPOINT ["/init"]
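Review bot: The new `RUN chown git:git /app && chown -R git:git /home/git/repositories` (new lines 34–36) runs at image build time, but docker-compose on this same page bind-mounts `./server:/app` and `./repositories:/home/git/repositories` over both paths, so at runtime the host directories' ownership is what the git user sees and the build-time chown is masked; the old ENTRYPOINT did this chown at container start, which is the behaviour that actually mattered for the bind-mounted case. Consider restoring the ownership fix in an s6 oneshot that runs before sshd, or at least documenting that the host directories must be owned by the uid of `git`. Separately, `ENV KNOT_REPO_SCAN_PATH=/home/git/repositories` on new line 4 is declared inside the `build` stage (`FROM … AS build` on line 1); the final stage only pulls `/usr/local/bin/knot` via `COPY --from=build`, so this ENV never reaches the runtime image and should be moved below the final `FROM` (outside this hunk) if it is meant to be a runtime default. The HEALTHCHECK and `/init` entrypoint changes look right.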
+6
-4
docker/docker-compose.yml
···
8
KNOT_SERVER_SECRET: ${KNOT_SERVER_SECRET}
9
KNOT_SERVER_DB_PATH: "/app/knotserver.db"
10
KNOT_REPO_SCAN_PATH: "/home/git/repositories"
11
volumes:
12
- "./keys:/etc/ssh/keys"
13
- "./repositories:/home/git/repositories"
14
- "./server:/app"
15
ports:
16
- "2222:22"
17
frontend:
18
image: caddy:2-alpine
19
command: >
···
24
depends_on:
25
- knot
26
ports:
27
-
- "443:443"
28
-
- "443:443/udp"
29
volumes:
30
- caddy_data:/data
31
restart: always
32
-
volumes:
33
-
caddy_data:
···
8
KNOT_SERVER_SECRET: ${KNOT_SERVER_SECRET}
9
KNOT_SERVER_DB_PATH: "/app/knotserver.db"
10
KNOT_REPO_SCAN_PATH: "/home/git/repositories"
11
+
KNOT_SERVER_INTERNAL_LISTEN_ADDR: "localhost:5444"
12
volumes:
13
- "./keys:/etc/ssh/keys"
14
- "./repositories:/home/git/repositories"
15
- "./server:/app"
16
ports:
17
+
- "5555:5555"
18
- "2222:22"
19
+
restart: always
20
frontend:
21
image: caddy:2-alpine
22
command: >
···
27
depends_on:
28
- knot
29
ports:
30
+
- "${KNOT_SERVER_PORT:-443}:443"
31
+
- "${KNOT_SERVER_PORT:-443}:443/udp"
32
volumes:
33
- caddy_data:/data
34
restart: always
35
+
profiles: ["caddy"]
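Review bot: `- "5555:5555"` (new line 17) publishes knot's plain-HTTP listener on every host interface, while Caddy — presumably the TLS front that proxies to it — is now opt-in through `profiles: ["caddy"]`, so a default `docker compose up` exposes the unencrypted API to the network. Unless direct public access is intended, bind it to loopback so only a local reverse proxy can reach it: `- "127.0.0.1:5555:5555"`, and let operators override the mapping if they really want it public. Keeping `KNOT_SERVER_INTERNAL_LISTEN_ADDR: "localhost:5444"` container-local and not publishing 5444 is the right choice.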
+13
docker/rootfs/etc/s6-overlay/scripts/keys-wrapper
···
···
1
+
#!/bin/sh
2
+
3
+
# Default values
4
+
INTERNAL_API=${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-localhost:5444}
5
+
REPO_PATH=${KNOT_REPO_SCAN_PATH:-/home/git/repositories}
6
+
LOG_PATH="/tmp/knotguard.log"
7
+
8
+
# Execute the knot keys command
9
+
exec /usr/local/bin/knot keys \
10
+
-output authorized-keys \
11
+
-internal-api "http://${INTERNAL_API}" \
12
+
-git-dir "${REPO_PATH}" \
13
+
-log-path "${LOG_PATH}"
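Review bot: The `${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-…}` and `${KNOT_REPO_SCAN_PATH:-…}` fallbacks on lines 4–5 are very likely the values that always apply: given `-output authorized-keys` and the sshd_config change in this commit, this script appears to be invoked by sshd as an AuthorizedKeysCommand, and sshd runs that command with a minimal environment rather than the container's, so the compose-level env vars would not reach it. The defaults match the compose values today, but that coupling is silent; either generate the values into the script at container start (an s6 oneshot) or state the constraint at the top of the file, e.g. `# Invoked by sshd (AuthorizedKeysCommand), which does not pass the container environment — the defaults below are what normally takes effect; keep them in sync with docker-compose.yml.` Also, `LOG_PATH="/tmp/knotguard.log"` is a fixed name in a world-writable directory; a path under a directory owned by the invoking user (or `/var/log`) avoids clobbering by another local account.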
+1
-1
docker/rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf