docker: fix config #198

closed
opened by knotbin.com targeting master from [deleted fork]: fix-docker

(i be traumatized) Fixes the knotguard options, along with some more config improvements and fixes in docker-compose and the Dockerfile.

Changed files
+24 -7
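--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,6 +1,7 @@
 FROM docker.io/golang:1.24-alpine3.21 AS build
 
 ENV CGO_ENABLED=1
+ENV KNOT_REPO_SCAN_PATH=/home/git/repositories
 WORKDIR /usr/src/app
 COPY go.mod go.sum ./
 
@@ -22,7 +23,7 @@
 LABEL org.opencontainers.image.url=https://tangled.sh
 LABEL org.opencontainers.image.source=https://tangled.sh/@tangled.sh/core
 
-RUN apk add --no-cache shadow s6-overlay execline openssh git && \
+RUN apk add --no-cache shadow s6-overlay execline openssh git curl && \
     adduser --disabled-password git && \
     # We need to set password anyway since otherwise ssh won't work
     head -c 32 /dev/random | base64 | tr -dc 'a-zA-Z0-9' | passwd git --stdin && \
@@ -30,8 +31,14 @@
 
 COPY --from=build /usr/local/bin/knot /usr/local/bin
 COPY docker/rootfs/ .
+RUN chmod +x /etc/s6-overlay/scripts/keys-wrapper && \
+    chown git:git /app && \
+    chown -R git:git /home/git/repositories
 
 EXPOSE 22
 EXPOSE 5555
 
-ENTRYPOINT ["/bin/sh", "-c", "chown git:git /app && chown git:git /home/git/repositories && /init"]
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:5555/ || exit 1
+
+ENTRYPOINT ["/init"]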
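Review bot: The new build-time `chown git:git /app` and `chown -R git:git /home/git/repositories` replace the runtime chown the old ENTRYPOINT performed, but both paths are bind mounts in docker-compose.yml (`./server:/app`, `./repositories:/home/git/repositories`), and a bind mount hides whatever ownership the image layer set, so with those mounts the git user can again be unable to write when the host directories are root-owned (Docker creates a missing bind source as root). If the runtime fix-up is still wanted, move it into an s6-overlay oneshot (an `/etc/s6-overlay/s6-rc.d` oneshot, or a legacy `/etc/cont-init.d` script) instead of the build, or document that the host directories must be owned by the container's git uid. The two `chown` lines also require `/app` to exist in the image at that point, which I cannot confirm from this hunk since the rootfs contents are not shown. Minor: `COPY --chmod=0755` on the rootfs copy would set the wrapper's mode without the extra `RUN chmod` layer, and busybox `wget -q --spider http://localhost:5555/` in the HEALTHCHECK would avoid adding `curl` to the runtime image just for the probe.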
+6 -4
docker/docker-compose.yml
··· 8 8 KNOT_SERVER_SECRET: ${KNOT_SERVER_SECRET} 9 9 KNOT_SERVER_DB_PATH: "/app/knotserver.db" 10 10 KNOT_REPO_SCAN_PATH: "/home/git/repositories" 11 + KNOT_SERVER_INTERNAL_LISTEN_ADDR: "localhost:5444" 11 12 volumes: 12 13 - "./keys:/etc/ssh/keys" 13 14 - "./repositories:/home/git/repositories" 14 15 - "./server:/app" 15 16 ports: 17 + - "5555:5555" 16 18 - "2222:22" 19 + restart: always 17 20 frontend: 18 21 image: caddy:2-alpine 19 22 command: > ··· 24 27 depends_on: 25 28 - knot 26 29 ports: 27 - - "443:443" 28 - - "443:443/udp" 30 + - "${KNOT_SERVER_PORT:-443}:443" 31 + - "${KNOT_SERVER_PORT:-443}:443/udp" 29 32 volumes: 30 33 - caddy_data:/data 31 34 restart: always 32 - volumes: 33 - caddy_data: 35 + profiles: ["caddy"]
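Review bot: The top-level `volumes:` / `caddy_data:` declaration is deleted at the end of the hunk while the frontend service still mounts `caddy_data:/data`, so `docker compose` should reject the project with an undefined-volume error at least whenever the `caddy` profile is active; re-add `volumes:` and `caddy_data:` at the top level (they are not re-added anywhere in the +6/-4 count), or switch the mount to a bind path. Separately, the new `- "5555:5555"` publishes the knot HTTP listener on every host interface in plaintext, which matters now that the TLS frontend is opt-in via `profiles: ["caddy"]`; if a reverse proxy is expected to front it, bind it loopback-only as `- "127.0.0.1:5555:5555"` and let operators widen it deliberately. `KNOT_SERVER_INTERNAL_LISTEN_ADDR: "localhost:5444"` is correctly left unpublished.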
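--- a/docker/rootfs/etc/s6-overlay/scripts/keys-wrapper
+++ b/docker/rootfs/etc/s6-overlay/scripts/keys-wrapper
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Execute the knot keys command with proper shell context
+exec /bin/sh -c '/usr/local/bin/knot keys \
+    -output authorized-keys \
+    -internal-api "http://${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-localhost:5444}" \
+    -git-dir "${KNOT_REPO_SCAN_PATH:-/home/git/repositories}" \
+    -log-path "/tmp/knotguard.log"'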
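Review bot: The `${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-…}` and `${KNOT_REPO_SCAN_PATH:-…}` expansions will, as far as I can tell, always resolve to their defaults: OpenSSH runs AuthorizedKeysCommand as the configured `nobody` user with a minimal environment (PATH, USER, LOGNAME, HOME), not the container's environment, so the values set in docker-compose.yml never reach this script. Either accept that and say so in the header comment, e.g. `# sshd does not pass the container environment to AuthorizedKeysCommand; the defaults below are the effective values`, or have the s6 sshd run script write the values to a root-owned file that this wrapper sources. The inner `exec /bin/sh -c '…'` is redundant since the file is already a `/bin/sh` script; `exec /usr/local/bin/knot keys \` with the options on the continuation lines does the same with one fewer shell and no extra quoting layer. `-log-path "/tmp/knotguard.log"` is written by `nobody` into a shared, world-writable directory; a dedicated directory owned by that user (or no file log) avoids the usual `/tmp` symlink concerns.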
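--- a/docker/rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf
+++ b/docker/rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf
@@ -5,5 +5,5 @@
 PasswordAuthentication no
 
 Match User git
-    AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys
+    AuthorizedKeysCommand /etc/s6-overlay/scripts/keys-wrapper
     AuthorizedKeysCommandUser nobody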
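Review bot: sshd refuses to run an AuthorizedKeysCommand unless the file is owned by root and not group- or world-writable (it logs "Unsafe AuthorizedKeysCommand … bad ownership or modes" and denies the key), so the wrapper's mode and ownership are now part of the authentication path rather than a cosmetic detail. The Dockerfile's `chmod +x` on a root-owned `COPY` yields 0755, which satisfies that, but a future `--chown git:git` or `chmod 775` on the rootfs copy would silently break all SSH logins; a comment in this file makes the constraint visible, e.g. `# keys-wrapper must stay root-owned and not group/world-writable or sshd will reject it`.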