gitea, zomboid updates, ssh key fixes

ansible/roles/git/defaults/main.yml

@@ -1,3 +1,8 @@
 ---
 git_user: git
 git_home: "/srv/{{ git_user }}"
+
+# Gitea configuration
+gitea_debyl_server_name: git.debyl.io
+gitea_image: docker.gitea.com/gitea:1.25.2
+gitea_db_image: docker.io/library/postgres:14-alpine

ansible/roles/git/files/gitea-ssh-podman.te

@@ -0,0 +1,13 @@
+module gitea-ssh-podman 1.0;
+
+require {
+    type sshd_t;
+    type container_runtime_exec_t;
+    type user_home_t;
+    class file { execute execute_no_trans open read };
+    class dir { search };
+}
+
+# Allow sshd to execute podman for AuthorizedKeysCommand
+allow sshd_t container_runtime_exec_t:file { execute execute_no_trans open read };
+allow sshd_t user_home_t:dir search;

ansible/roles/git/handlers/main.yml

@@ -15,3 +15,10 @@
   tags:
     - git
     - selinux
+
+- name: restart sshd
+  become: true
+  ansible.builtin.systemd:
+    name: sshd.service
+    state: restarted
+  tags: git

ansible/roles/git/tasks/gitea-shell.yml

@@ -0,0 +1,28 @@
+---
+# Deploy gitea shim and shell for SSH passthrough
+
+# The shim is called by SSH when authorized_keys command runs
+# It forwards gitea commands to the container
+- name: create gitea shim script
+  become: true
+  ansible.builtin.template:
+    src: gitea-shim.j2
+    dest: /usr/local/bin/gitea
+    mode: 0755
+  tags: git, gitea
+
+# The shell is used if someone tries to SSH interactively
+- name: create gitea-shell script
+  become: true
+  ansible.builtin.template:
+    src: gitea-shell.j2
+    dest: /usr/local/bin/gitea-shell
+    mode: 0755
+  tags: git, gitea
+
+- name: update git user shell to gitea-shell
+  become: true
+  ansible.builtin.user:
+    name: "{{ git_user }}"
+    shell: /usr/local/bin/gitea-shell
+  tags: git, gitea

ansible/roles/git/tasks/gitea.yml

@@ -0,0 +1,90 @@
+---
+# Deploy Gitea containers using Podman pod
+
+# Create pod for Gitea services
+- name: create gitea-debyl pod
+  become: true
+  become_user: "{{ git_user }}"
+  containers.podman.podman_pod:
+    name: gitea-debyl-pod
+    state: started
+    ports:
+      - "3100:3000"
+  tags: gitea
+
+# PostgreSQL container in pod
+- name: create gitea-debyl-postgres container
+  become: true
+  become_user: "{{ git_user }}"
+  containers.podman.podman_container:
+    name: gitea-debyl-postgres
+    image: "{{ gitea_db_image }}"
+    pod: gitea-debyl-pod
+    restart_policy: on-failure:3
+    log_driver: journald
+    env:
+      POSTGRES_DB: gitea
+      POSTGRES_USER: gitea
+      POSTGRES_PASSWORD: "{{ gitea_debyl_db_pass }}"
+    volumes:
+      - "{{ git_home }}/volumes/gitea/psql:/var/lib/postgresql/data"
+  tags: gitea
+
+# Gitea container in pod
+- name: create gitea-debyl container
+  become: true
+  become_user: "{{ git_user }}"
+  containers.podman.podman_container:
+    name: gitea-debyl
+    image: "{{ gitea_image }}"
+    pod: gitea-debyl-pod
+    restart_policy: on-failure:3
+    log_driver: journald
+    env:
+      USER_UID: "1000"
+      USER_GID: "1000"
+      GITEA__database__DB_TYPE: postgres
+      GITEA__database__HOST: "127.0.0.1:5432"
+      GITEA__database__NAME: gitea
+      GITEA__database__USER: gitea
+      GITEA__database__PASSWD: "{{ gitea_debyl_db_pass }}"
+      GITEA__server__DOMAIN: "{{ gitea_debyl_server_name }}"
+      GITEA__server__ROOT_URL: "https://{{ gitea_debyl_server_name }}/"
+      GITEA__server__SSH_DOMAIN: "{{ gitea_debyl_server_name }}"
+      GITEA__server__START_SSH_SERVER: "false"
+      GITEA__server__DISABLE_SSH: "false"
+      GITEA__server__SSH_PORT: "22"
+      GITEA__security__SECRET_KEY: "{{ gitea_debyl_secret_key }}"
+      GITEA__security__INTERNAL_TOKEN: "{{ gitea_debyl_internal_token }}"
+      GITEA__security__INSTALL_LOCK: "true"
+      GITEA__service__DISABLE_REGISTRATION: "true"
+      GITEA__service__REQUIRE_SIGNIN_VIEW: "false"
+    volumes:
+      - "{{ git_home }}/volumes/gitea/data:/data"
+      - /etc/localtime:/etc/localtime:ro
+  tags: gitea
+
+# Generate systemd service for the pod
+- name: create systemd job for gitea-debyl-pod
+  become: true
+  become_user: "{{ git_user }}"
+  ansible.builtin.shell: |
+    podman generate systemd --name gitea-debyl-pod --files --new
+    mv pod-gitea-debyl-pod.service {{ git_home }}/.config/systemd/user/
+    mv container-gitea-debyl-postgres.service {{ git_home }}/.config/systemd/user/
+    mv container-gitea-debyl.service {{ git_home }}/.config/systemd/user/
+  args:
+    chdir: "{{ git_home }}"
+  changed_when: false
+  tags: gitea
+
+- name: enable gitea-debyl-pod service
+  become: true
+  become_user: "{{ git_user }}"
+  ansible.builtin.systemd:
+    name: pod-gitea-debyl-pod.service
+    daemon_reload: true
+    enabled: true
+    state: started
+    scope: user
+  tags: gitea

ansible/roles/git/tasks/main.yml

@@ -1,4 +1,10 @@
 ---
 - import_tasks: user.yml
-- import_tasks: systemd.yml
+- import_tasks: podman.yml
+- import_tasks: gitea-shell.yml
+- import_tasks: sshd.yml
 - import_tasks: selinux.yml
+- import_tasks: selinux-podman.yml
+- import_tasks: gitea.yml
+# git-daemon no longer needed - commented out
+# - import_tasks: systemd.yml

ansible/roles/git/tasks/podman.yml

@@ -0,0 +1,80 @@
+---
+# Rootless Podman setup for git user
+# Enables running Gitea containers under the git user
+
+# Enable lingering for systemd user services
+- name: check if git user lingering enabled
+  become: true
+  ansible.builtin.stat:
+    path: "/var/lib/systemd/linger/{{ git_user }}"
+  register: git_user_lingering
+  tags: git, gitea
+
+- name: enable git user lingering
+  become: true
+  ansible.builtin.command: |
+    loginctl enable-linger {{ git_user }}
+  when: not git_user_lingering.stat.exists
+  tags: git, gitea
+
+# Set ulimits for container operations
+- name: set ulimits for git user
+  become: true
+  community.general.pam_limits:
+    domain: "{{ git_user }}"
+    limit_type: "{{ item.type }}"
+    limit_item: "{{ item.name }}"
+    value: "{{ item.value }}"
+  loop:
+    - { name: memlock, type: soft, value: "unlimited" }
+    - { name: memlock, type: hard, value: "unlimited" }
+    - { name: nofile, type: soft, value: 39693561 }
+    - { name: nofile, type: hard, value: 39693561 }
+  tags: git, gitea
+
+# Create container directories
+- name: create git podman directories
+  become: true
+  become_user: "{{ git_user }}"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0755
+  loop:
+    - "{{ git_home }}/.config/systemd/user"
+    - "{{ git_home }}/volumes"
+    - "{{ git_home }}/volumes/gitea"
+    - "{{ git_home }}/volumes/gitea/data"
+    # NOTE: psql directory is created by PostgreSQL container with container user ownership
+  notify: restorecon git
+  tags: git, gitea
+
+# SELinux context for container volumes
+- name: selinux context for git container volumes
+  become: true
+  community.general.sefcontext:
+    target: "{{ git_home }}/volumes(/.*)?"
+    setype: container_file_t
+    state: present
+  notify: restorecon git
+  tags: git, gitea, selinux
+
+# Enable podman socket for SSH key lookup via AuthorizedKeysCommand
+- name: enable podman socket for git user
+  become: true
+  become_user: "{{ git_user }}"
+  ansible.builtin.systemd:
+    name: podman.socket
+    enabled: true
+    state: started
+    scope: user
+  tags: git, gitea
+
+# Fetch subuid for volume permissions
+- name: fetch subuid of {{ git_user }}
+  become: true
+  changed_when: false
+  ansible.builtin.shell: |
+    set -o pipefail && cat /etc/subuid | awk -F':' '/{{ git_user }}/{ print $2 }' | head -n 1
+  register: git_subuid
+  tags: always

ansible/roles/git/tasks/selinux-podman.yml

@@ -0,0 +1,21 @@
+---
+# SELinux policy for SSH + Podman integration
+
+- name: copy gitea SELinux policy module
+  become: true
+  ansible.builtin.copy:
+    src: gitea-ssh-podman.te
+    dest: /tmp/gitea-ssh-podman.te
+    mode: 0644
+  register: selinux_policy
+  tags: git, gitea, selinux
+
+- name: compile and install gitea SELinux policy
+  become: true
+  ansible.builtin.shell: |
+    cd /tmp
+    checkmodule -M -m -o gitea-ssh-podman.mod gitea-ssh-podman.te
+    semodule_package -o gitea-ssh-podman.pp -m gitea-ssh-podman.mod
+    semodule -i gitea-ssh-podman.pp
+  when: selinux_policy.changed
+  tags: git, gitea, selinux

ansible/roles/git/tasks/sshd.yml

@@ -0,0 +1,19 @@
+---
+# Configure SSH AuthorizedKeysCommand for Gitea
+
+- name: create gitea-authorized-keys script
+  become: true
+  ansible.builtin.template:
+    src: gitea-authorized-keys.j2
+    dest: /usr/local/bin/gitea-authorized-keys
+    mode: 0755
+  tags: git, gitea
+
+- name: deploy sshd gitea configuration
+  become: true
+  ansible.builtin.template:
+    src: sshd-gitea.conf.j2
+    dest: /etc/ssh/sshd_config.d/50-gitea.conf
+    mode: 0644
+  notify: restart sshd
+  tags: git, gitea

ansible/roles/git/templates/gitea-authorized-keys.j2

@@ -0,0 +1,12 @@
+#!/bin/sh
+# Query Gitea for SSH authorized keys
+# Managed by Ansible - do not edit directly
+# Arguments: %u (username) %t (key type) %k (key blob)
+
+# Use podman remote to connect via socket (avoids rootless pause process issues)
+export CONTAINER_HOST=unix:///run/user/1001/podman/podman.sock
+
+/usr/bin/podman --remote exec -i --user 1000 gitea-debyl \
+    /usr/local/bin/gitea keys \
+    -c /data/gitea/conf/app.ini \
+    -e git -u "$1" -t "$2" -k "$3" 2>/dev/null

ansible/roles/git/templates/gitea-shell.j2

@@ -0,0 +1,27 @@
+#!/bin/sh
+# Gitea SSH shell - forwards commands to Gitea container
+# Managed by Ansible - do not edit directly
+#
+# When sshd runs a forced command from authorized_keys, it invokes:
+#   <user-shell> -c "<forced-command>"
+# The forced command is: /usr/local/bin/gitea --config=... serv key-<id>
+# SSH_ORIGINAL_COMMAND contains the client's requested command (e.g., git-upload-pack)
+
+# Use podman remote to connect via socket (avoids rootless pause process issues)
+export CONTAINER_HOST=unix:///run/user/1001/podman/podman.sock
+
+if [ "$1" = "-c" ] && [ -n "$2" ]; then
+    # sshd invoked us with -c "command" - execute the command
+    # The command is: /usr/local/bin/gitea --config=... serv key-<id>
+    exec $2
+elif [ -n "$SSH_ORIGINAL_COMMAND" ]; then
+    # Direct invocation with SSH_ORIGINAL_COMMAND (shouldn't happen normally)
+    echo "Interactive shell is disabled."
+    echo "Use: git clone git@{{ gitea_debyl_server_name }}:<owner>/<repo>.git"
+    exit 1
+else
+    # Interactive login attempt
+    echo "Interactive shell is disabled."
+    echo "Use: git clone git@{{ gitea_debyl_server_name }}:<owner>/<repo>.git"
+    exit 1
+fi

ansible/roles/git/templates/gitea-shim.j2

@@ -0,0 +1,15 @@
+#!/bin/sh
+# Gitea shim - forwards gitea commands to the container
+# Managed by Ansible - do not edit directly
+#
+# This script is called when sshd executes the forced command from authorized_keys:
+#   /usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-<id>
+#
+# SSH_ORIGINAL_COMMAND contains the client's git command (e.g., git-upload-pack <repo>)
+
+# Use podman remote to connect via socket (avoids rootless pause process issues)
+export CONTAINER_HOST=unix:///run/user/1001/podman/podman.sock
+
+exec /usr/bin/podman --remote exec -i --user 1000 \
+    --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" \
+    gitea-debyl /usr/local/bin/gitea "$@"

ansible/roles/git/templates/sshd-gitea.conf.j2

@@ -0,0 +1,7 @@
+# Gitea SSH Key Authentication
+# Managed by Ansible - do not edit directly
+
+Match User {{ git_user }}
+    AuthorizedKeysFile none
+    AuthorizedKeysCommandUser {{ git_user }}
+    AuthorizedKeysCommand /usr/local/bin/gitea-authorized-keys %u %t %k