Add zerotier

Author: 0xd61

Dockerfile

@@ -1,7 +1,30 @@
-FROM nginx:mainline-alpine-perl
+ARG BASE_IMAGE=nginx:mainline-alpine
+ARG MAKE_THREADS=8
+FROM ${BASE_IMAGE} AS zerotier_builder
+
+
+RUN apk add --update alpine-sdk linux-headers openssl-dev curl gcc libgcc musl-dev openssl openssl-dev
+
+RUN curl -sSL sh.rustup.rs >/usr/local/bin/rustup-dl && chmod +x /usr/local/bin/rustup-dl && /usr/local/bin/rustup-dl -y --default-toolchain stable
+
+RUN git clone --quiet https://github.com/zerotier/ZeroTierOne.git /src \
+  && cd /src \
+  && make -j ${MAKE_THREADS} -f make-linux.mk
+
+FROM ${BASE_IMAGE}-perl
+
+COPY --from=zerotier_builder /src/zerotier-one /usr/sbin/
+
+RUN    apk add --no-cache --purge --clean-protected libc6-compat libstdc++ \
+    && mkdir -p /var/lib/zerotier-one \
+    && ln -s /usr/sbin/zerotier-one /usr/sbin/zerotier-idtool \
+    && ln -s /usr/sbin/zerotier-one /usr/sbin/zerotier-cli
+
 RUN    apk update \
     && apk upgrade \
-    && apk add git git-gitweb git-daemon openssh fcgiwrap perl-cgi spawn-fcgi rsync highlight
+    && apk add git git-gitweb git-daemon openssh fcgiwrap perl-cgi spawn-fcgi rsync highlight \
+    && rm -rf /var/cache/apk/*
+
 RUN    sed -i 's/#UseDNS no/UseDNS no/' /etc/ssh/sshd_config \
     && sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config \
     && sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config

README.md

@@ -11,12 +11,14 @@ The Backup is done via git bundle files. If a bundle exists at the backup locati
 we copy it to the server and clone the repo. If not, we create a new repo.
 After 30 seconds (the next check loop) we create a backup of the new repo.
 
-To preserve repos during container restarts create a volume mapping to the `/git` folder
+To preserve repos and/or the zerotier config during container restarts create a volume mapping to the `/git/repos` or `/var/lib/zerotier-one` folder.
+
+Zerotier additionally needs the ability to create tun/tap devices which can be enabled with `--cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun`
 ```
 cp env.example env
 vi env
 
-docker run --rm -it -v $(pwd)/env:/.env -p 30080:80 -p 30022:22  kaitsh/gitweb
+docker run --rm -it -v $(pwd)/env:/.env:ro -p 30080:80 -p 30022:22  kaitsh/gitweb
 ```
 
 Clone a repo with ssh or http
@@ -27,6 +29,8 @@ git clone ssh://git@localhost:30022/git/repo1.git
 git clone http://localhost:30080/repo1.git
 ```
 
+_NOTE:_ http is currently disabled. Please only use ssh.
+
 Run the init script
 ```
 cd repo1

docker-compose.yaml

@@ -1,15 +1,18 @@
 version: '3.0'
 services:
   web:
-    image: local/gitweb
+    privileged: true
+    image: kaitsh/gitweb
     ports:
       - "30080:80"
       - "30022:22"
     volumes:
       - ./env:/.env
       - repos:/git
+      - zerotier:/var/lib/zerotier-one
     extra_hosts:
       - "host.docker.internal:host-gateway"
 
 volumes:
   repos: {}
+  zerotier: {}

env.example

@@ -1,6 +1,8 @@
 PRIVATE_KEY='openssh private key for backup server
 (ensure the backup server has the pub key in the authorized_keys file)'
 
+ZEROTIER_ID=""
+
 AUTHORIZED_KEYS='authorized keys for git ssh connection'
 
 # Needs escaped dollar signs... TODO: find solution
@@ -9,6 +11,5 @@ BASIC_AUTH='htpassd config for nginx'
 # Backup location/origin of the repos
 # New repos must also be specified here. The service will backup them every 30 seconds
 REPOS=""
-REPOS="${REPOS} [email protected]:repo1.git"
-REPOS="${REPOS} [email protected]:repo2.git"
-
+#REPOS="${REPOS} [email protected]:repo1.git"
+#REPOS="${REPOS} [email protected]:repo2.git"

init.template

@@ -78,6 +78,11 @@ read -p "Git email: [${git_email}] " input
 git_email=${input:-$git_email}
 git config user.email "${git_email}"
 
+git_signing=`git config commit.gpgsign`
+read -p "Git signing: [${git_signing}] " input
+git_signing=${input:-$git_signing}
+git config commit.gpgsign "${git_signing}"
+
 ###########
 # Cleanup #
 ###########
@@ -87,5 +92,5 @@ if [ "$answer" != "${answer#[Yy]}" ] ;then
     rm -f $0
     git rm --cached $0
     git commit --allow-empty -m "Initial commit" --no-verify
-    git push origin +master
+    git push origin +main
 fi

service.sh

@@ -3,7 +3,9 @@ USER=git
 ENV=/.env
 NGINX_CONF=/etc/nginx/conf.d/default.conf
 GITWEB_CONF=/etc/gitweb.conf
-SERVER_DIR=/git
+SSHD_CONF=/etc/ssh/sshd_config
+SERVER_ROOT=/jail
+SERVER_DIR=${SERVER_ROOT}/git
 SYNC_SCRIPT=/sync.sh
 
 # TODO(dgl): to load config on each loop
@@ -32,9 +34,29 @@ EOF
 chmod 600 /home/$USER/.ssh/id_rsa
 chmod 600 /home/$USER/.ssh/authorized_keys
 chmod 600 /home/$USER/.htpasswd
-
 EOC
 
+# ---- Setup chroot for git ----
+mkdir -p                      $SERVER_ROOT/dev
+mkdir -p                      $SERVER_ROOT/lib
+mkdir -p                      $SERVER_ROOT/bin
+mkdir -p                      $SERVER_ROOT/proc
+mkdir -p                      $SERVER_ROOT/usr/bin
+mkdir -p                      $SERVER_ROOT/usr/lib
+mknod -m 666                  $SERVER_ROOT/dev/null c 1 3
+mknod -m 444                  $SERVER_ROOT/dev/random c 1 8
+mknod -m 444                  $SERVER_ROOT/dev/urandom c 1 9
+cp /bin/busybox               $SERVER_ROOT/bin
+cp /usr/bin/git               $SERVER_ROOT/usr/bin
+cp /usr/bin/git-receive-pack  $SERVER_ROOT/usr/bin
+cp /usr/bin/git-upload-pack   $SERVER_ROOT/usr/bin
+cp /usr/bin/git-receive-pack  $SERVER_ROOT/usr/bin
+cp /lib/ld-musl*              $SERVER_ROOT/lib
+cp /usr/lib/libpcre2*         $SERVER_ROOT/usr/lib
+cp /lib/libz*                 $SERVER_ROOT/lib
+ln $SERVER_ROOT/bin/busybox   $SERVER_ROOT/bin/ash
+mount -t proc proc            $SERVER_ROOT/proc
+
 # TODO(dgl): fix remote: warning: unable to access '/root/.config/git/attributes': Permission denied
 # on git clone via http
 
@@ -113,6 +135,28 @@ sed -i "s/user  nginx;/user $USER www-data;/" /etc/nginx/nginx.conf
 chown -R $USER:www-data /usr/share/gitweb
 
 # Start sshd
+mv $SSHD_CONF $SSHD_CONF.original
+cat << EOF > $SSHD_CONF
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+PasswordAuthentication no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+UseDNS no
+ChrootDirectory $SERVER_ROOT
+EOF
+
 ssh-keygen -A
 /usr/sbin/sshd -f /etc/ssh/sshd_config
 status=$?
@@ -159,6 +203,21 @@ while sleep 30; do
     exit 1
   fi
 
+  if [ -n "${ZEROTIER_ID}" ]; then
+    # Check if zerotier is running, otherwise connect
+    if zerotier-cli info; then
+      if zerotier-cli listnetworks | grep $ZEROTIER_ID; then
+          echo "Still connected to $ZEROTIER_ID all good"
+      else
+          zerotier-cli join $ZEROTIER_ID
+      fi
+    else
+      zerotier-one -d
+      sleep 10
+      zerotier-cli join $ZEROTIER_ID
+    fi
+  fi
+
   # Running the script for syncing or backup the repos
   $SYNC_SCRIPT
 done

sync.sh

@@ -1,6 +1,7 @@
 ENV="/.env"
 USER=git
-SERVER_DIR=/git
+SERVER_ROOT=/jail
+SERVER_DIR=${SERVER_ROOT}/git
 
 . /.env
 
@@ -35,6 +36,7 @@ for REPO in ${REPOS}; do
                     && cp /init.template ${BASE}_temp/init.sh \
                     && chmod +x ${BASE}_temp/init.sh \
                     && cd ${BASE}_temp \
+                    && echo ${BASE} Repository > .git/description \
                     && git config user.name GitWeb \
                     && git config user.email gitweb@localhost \
                     && git add --all \