gitea, zomboid updates, ssh key fixes

ansible/roles/git/templates/gitea-authorized-keys.j2

@@ -0,0 +1,12 @@
+#!/bin/sh
+# Query Gitea for SSH authorized keys
+# Managed by Ansible - do not edit directly
+# Arguments: %u (username) %t (key type) %k (key blob)
+
+# Use podman remote to connect via socket (avoids rootless pause process issues)
+export CONTAINER_HOST=unix:///run/user/1001/podman/podman.sock
+
+/usr/bin/podman --remote exec -i --user 1000 gitea-debyl \
+    /usr/local/bin/gitea keys \
+    -c /data/gitea/conf/app.ini \
+    -e git -u "$1" -t "$2" -k "$3" 2>/dev/null

ansible/roles/git/templates/gitea-shell.j2

@@ -0,0 +1,27 @@
+#!/bin/sh
+# Gitea SSH shell - forwards commands to Gitea container
+# Managed by Ansible - do not edit directly
+#
+# When sshd runs a forced command from authorized_keys, it invokes:
+#   <user-shell> -c "<forced-command>"
+# The forced command is: /usr/local/bin/gitea --config=... serv key-<id>
+# SSH_ORIGINAL_COMMAND contains the client's requested command (e.g., git-upload-pack)
+
+# Use podman remote to connect via socket (avoids rootless pause process issues)
+export CONTAINER_HOST=unix:///run/user/1001/podman/podman.sock
+
+if [ "$1" = "-c" ] && [ -n "$2" ]; then
+    # sshd invoked us with -c "command" - execute the command
+    # The command is: /usr/local/bin/gitea --config=... serv key-<id>
+    exec $2
+elif [ -n "$SSH_ORIGINAL_COMMAND" ]; then
+    # Direct invocation with SSH_ORIGINAL_COMMAND (shouldn't happen normally)
+    echo "Interactive shell is disabled."
+    echo "Use: git clone git@{{ gitea_debyl_server_name }}:<owner>/<repo>.git"
+    exit 1
+else
+    # Interactive login attempt
+    echo "Interactive shell is disabled."
+    echo "Use: git clone git@{{ gitea_debyl_server_name }}:<owner>/<repo>.git"
+    exit 1
+fi

ansible/roles/git/templates/gitea-shim.j2

@@ -0,0 +1,15 @@
+#!/bin/sh
+# Gitea shim - forwards gitea commands to the container
+# Managed by Ansible - do not edit directly
+#
+# This script is called when sshd executes the forced command from authorized_keys:
+#   /usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-<id>
+#
+# SSH_ORIGINAL_COMMAND contains the client's git command (e.g., git-upload-pack <repo>)
+
+# Use podman remote to connect via socket (avoids rootless pause process issues)
+export CONTAINER_HOST=unix:///run/user/1001/podman/podman.sock
+
+exec /usr/bin/podman --remote exec -i --user 1000 \
+    --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" \
+    gitea-debyl /usr/local/bin/gitea "$@"

ansible/roles/git/templates/sshd-gitea.conf.j2

@@ -0,0 +1,7 @@
+# Gitea SSH Key Authentication
+# Managed by Ansible - do not edit directly
+
+Match User {{ git_user }}
+    AuthorizedKeysFile none
+    AuthorizedKeysCommandUser {{ git_user }}
+    AuthorizedKeysCommand /usr/local/bin/gitea-authorized-keys %u %t %k