heckyel
/
gitolite-cgit-docker
огледало от https://c.lifetech.ga/containers/gitolite-cgit-docker.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406
							#!/usr/bin/env sh

# Force security SSH parameters
if [ -d /etc/ssh ]; then
   cat > /etc/ssh/sshd_config <<- EOF
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

# Algorithms
Ciphers chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms=ssh-ed25519
EOF
fi

# Validate environment variables

# Create ssh host key if not present
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
  ssh-keygen -A
fi

# Setup gitolite at volume /var/lib/git
if [ ! -f "/var/lib/git/.ssh/authorized_keys" ]; then
  # Configure gitolite
  echo "$SSH_KEY" > "/tmp/$SSH_KEY_NAME.pub"
  su git -c "gitolite setup -pk \"/tmp/$SSH_KEY_NAME.pub\""
  rm "/tmp/$SSH_KEY_NAME.pub"
fi

if [ ! -d /etc/nginx/http.d ]; then
    install -d -m755 /etc/nginx/http.d || true
fi

# Init container
if [ ! -f /etc/nginx/http.d/cgit.conf ]; then
  # enable random git password
  GIT_PASSWORD=$(date +%s | sha256sum | base64 | head -c 32)
  echo "git:$GIT_PASSWORD" | chpasswd

  # add web user (nginx) to gitolite group (git)
  adduser nginx git

  ## Config cgit interface
  cat > /etc/cgitrc <<- EOF
#
# cgit config
#

virtual-root=/

# Use a custom logo
logo=/cgit.png

# Specify the css url
css=/cgit.css

# Enable configuration from external management, for example: gitolite
enable-git-config=1

# Show extra links for each repository on the index page
enable-index-links=1

# Show owner
enable-index-owner=1

# Enable ASCII art commit history graph on the log pages
enable-commit-graph=1

# Allow http transport git clone
enable-http-clone=1

# Show number of affected files per commit on the log pages
enable-log-filecount=1

# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1

# Enable statistics per week, month and quarter
max-stats=quarter

# Cache
cache-about-ttl=15
cache-dynamic-ttl=5
cache-repo-ttl=5
cache-root=/var/cache/cgit
cache-root-ttl=5
cache-scanrc-ttl=15
cache-size=0
cache-snapshot-ttl=5
cache-static-ttl=-1

# Sort items in the repo list case sensitively. Default value: "1"
case-sensitive-sort=1

# Specifies the maximum size of a blob to display HTML for in KBytes. Default value: "0" (limit disabled)
max-blob-size=2048

# Specifies the number of entries to list per page on the repository index page. Default value: "50".
max-repo-count=250


# Specifies the maximum number of repo description characters to display on the repository index page.
# Default value: "80"
max-repodesc-length=80

# Set the default maximum statistics period. Valid values are "week", "month", "quarter" and "year".
# If unspecified, statistics are disabled. Default value: none
max-stats=year

#
# List of common mimetypes
#

mimetype.gif=image/gif
mimetype.htm=text/html
mimetype.html=text/html
mimetype.ico=image/x-icon
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.md=text/markdown
mimetype.mng=video/x-mng
mimetype.ora=image/openraster
mimetype.pam=image/x-portable-arbitrarymap
mimetype.pbm=image/x-portable-bitmap
mimetype.pdf=application/pdf
mimetype.pgm=image/x-portable-graymap
mimetype.png=image/png
mimetype.pnm=image/x-portable-anymap
mimetype.ppm=image/x-portable-pixmap
mimetype.svg=image/svg+xml
mimetype.svgz=image/svg+xml
mimetype.tga=image/x-tga
mimetype.tif=image/tiff
mimetype.tiff=image/tiff
mimetype.webp=image/webp
mimetype.xbm=image/x-xbitmap
mimetype.xcf=image/x-xcf
mimetype.xpm=image/x-xpixmap

# Enable syntax highlighting and about formatting
source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
about-filter=/usr/lib/cgit/filters/about-formatting.sh

#
# List of common readmes
#
readme=:README.md
readme=:readme.md
readme=:README.mkd
readme=:readme.mkd
readme=:README.rst
readme=:readme.rst
readme=:README.html
readme=:readme.html
readme=:README.htm
readme=:readme.htm
readme=:README.txt
readme=:readme.txt
readme=:README
readme=:readme
readme=:INSTALL.md
readme=:install.md
readme=:INSTALL.mkd
readme=:install.mkd
readme=:INSTALL.rst
readme=:install.rst
readme=:INSTALL.html
readme=:install.html
readme=:INSTALL.htm
readme=:install.htm
readme=:INSTALL.txt
readme=:install.txt
readme=:INSTALL
readme=:install

snapshots=$CGIT_SNAPSHOT

# Direct cgit to repository location managed by gitolite
remove-suffix=0
project-list=/var/lib/git/projects.list
section-from-path=1
scan-path=/var/lib/git/repositories
EOF

  # Append clone-prefix
  if [ -n "$CGIT_CLONE_PREFIX" ]; then
      echo "# Specify some default clone prefixes" >> /etc/cgitrc
      echo "clone-prefix=$CGIT_CLONE_PREFIX" >> /etc/cgitrc
  fi

  if [ -n "$CGIT_ROOT_TITLE" ]; then
      echo "# Set the title and heading of the repository index page" >> /etc/cgitrc
      echo "root-title=$CGIT_ROOT_TITLE" >> /etc/cgitrc
  fi

  if [ -n "$CGIT_DESC" ]; then
      echo "# Set description repository" >> /etc/cgitrc
      echo "root-desc=$CGIT_DESC" >> /etc/cgitrc
  fi

  # Using highlight syntax
  #sed -i.bak \
  #  -e "s#exec highlight --force -f -I -X -S #\#&#g" \
  #  -e "s#\#exec highlight --force -f -I -O xhtml#exec highlight --force --inline-css -f -I -O xhtml#g" \
  #  /usr/lib/cgit/filters/syntax-highlighting.sh

  # Nginx configuration
  rm -f /etc/nginx/http.d/default.conf || true
  cat > /etc/nginx/http.d/cgit.conf <<- EOF
  server {
    listen 80 default_server;
    server_name localhost;

    # Logs
    access_log /dev/null;
    error_log /dev/null;

    root /usr/share/webapps/cgit;
    try_files \$uri @cgit;

    location @cgit {
      include             fastcgi_params;

      # Path to the CGI script that comes with cgit
      fastcgi_param        SCRIPT_FILENAME \$document_root/cgit.cgi;

      fastcgi_param       PATH_INFO       \$uri;
      fastcgi_param       QUERY_STRING    \$args;
      fastcgi_param       QUERY_INFO      \$uri;
      fastcgi_param       HTTP_HOST       \$server_name;

      # Path to the socket file that is created/used by fcgiwrap
      fastcgi_pass        unix:/run/fcgiwrap/fcgiwrap.socket;
    }

    # Enable compression for JS/CSS/HTML, for improved client load times.
    # It might be nice to compress JSON/XML as returned by the API, but
    # leaving that out to protect against potential BREACH attack.
    gzip              on;
    gzip_vary         on;

    gzip_types        # text/html is always compressed by HttpGzipModule
                      text/css
                      application/javascript
                      font/truetype
                      font/opentype
                      application/vnd.ms-fontobject
                      image/svg+xml;
    gzip_min_length 1000; # default is 20 bytes
    gzip_buffers 16 8k;
    gzip_comp_level 2; # default is 1

    client_body_timeout       30s; # default is 60
    client_header_timeout     10s; # default is 60
    send_timeout              10s; # default is 60
    keepalive_timeout         10s; # default is 75
    resolver_timeout          10s; # default is 30
    reset_timedout_connection on;
    proxy_ignore_client_abort on;

    tcp_nopush on; # send headers in one piece
    tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time

    # Enabling the sendfile directive eliminates the step of copying the data into the buffer
    # and enables direct copying data from one file descriptor to another.
    sendfile on;
    sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
    aio threads;
  }
EOF

fi

# Start sshd as detach, log to stderr (-e)
/usr/sbin/sshd -e

# launch fcgiwrap via spawn-fcgi, port 1234
spawn-fcgi -s /run/fcgiwrap/fcgiwrap.socket -f /usr/bin/fcgiwrap
chmod 660 /run/fcgiwrap/fcgiwrap.socket

# fix permissions gitolite
chown git:git /var/lib/git
chown git:git -R /var/lib/git
chmod 700 /var/lib/git
chown git:git /var/lib/git/.gitolite.rc
chmod 640 /var/lib/git/.gitolite.rc

# Start git-daemon
git daemon --detach --reuseaddr --base-path=/var/lib/git/repositories /var/lib/git/repositories

# Start nginx
exec nginx -g "daemon off;"