Gitea Docker SSH Forwarding

Yesterday I reinstalled my main server, switching from Ubuntu to NixOS. The only major issue I have now is accessing my Gitea server, because it runs inside a Docker container.

The usual process to allow ssh access to Gitea would be to create a git user, mount its authorized_keys to the container and place a mock Gitea binary in /usr/local/bin that redirects to ssh in the container.
I haven’t found a way to create such a file in /usr/local/bin with my nixos configuration, so I tried a different approach. (SSH Shell with AuthorizedKeysCommand)

services.openssh.extraConfig = ''
  Match User git
    AuthorizedKeysCommandUser git
    AuthorizedKeysCommand /usr/bin/ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k
'';

With that the ssh connection always asks for a password, so it also doesn’t work.
The Gitea configuration and data is completely copied from the old server, I haven’t changed anything for the container.

How could I set up SSH forwarding for my Gitea server?


There might be a better way to do this. But I have a similar setup and my solution was just to symlink a shim to /usr/local/bin

...
environment.systemPackages = with pkgs; [
  (writeShellScriptBin "gitea" ''
    ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
  '')
];
...
ln -s /run/current-system/sw/bin/gitea /usr/local/bin/gitea

If it’s helpful you can see my system config for this host here.


That worked perfectly. I didn’t think about making a symlink before, I tried changing the gitea command’s path to /run/current-system/sw/bin/gitea, but that only caused it to not find the file inside the container.

Here is my working configuration now:

  environment.systemPackages = [
    (pkgs.writeShellScriptBin "gitea" ''
      ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
    '')
  ];

  system.activationScripts.gitealink.text = ''
    mkdir -p /usr/local/bin
    rm /usr/local/bin/gitea || true
    ln -s /run/current-system/sw/bin/gitea /usr/local/bin/gitea
  '';
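With the shim in place, sshd on the host still decides which keys may log in as git: Gitea writes each key into the git user's authorized_keys with a forced `command="... serv key-N"` and the usual restriction options, so the shim only ever forwards that forced command. The script below is an added example (not from this thread or from Gitea) that checks a constructed authorized_keys file for entries that lack the forced shim command or the restriction options, and checks that the /usr/local/bin/gitea symlink resolves to the same store path as /run/current-system/sw/bin/gitea; the key material and file path are constructed.

```shell
#!/bin/sh
# Added example: audit the git user's authorized_keys behind the Gitea shim.
# AUTH_KEYS defaults to a constructed sample file; point it at the real one
# (for example /var/lib/git/.ssh/authorized_keys, path assumed) when auditing.
AUTH_KEYS="${AUTH_KEYS:-$(mktemp)}"
cat > "$AUTH_KEYS" <<'EOF'
# gitea public key (constructed sample data, keys are not real)
command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne alice@laptop
command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo bob@desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyThree stray@unrestricted
EOF

# check_line LINE -> 0 if LINE is a comment, blank, or a Gitea entry that is
# pinned to the shim's forced "serv key-N" command and carries the
# no-port-forwarding, no-agent-forwarding and no-pty restrictions.
check_line() {
    case "$1" in
        '#'*|'') return 0 ;;
    esac
    case "$1" in
        'command="/usr/local/bin/gitea '*' serv key-'*'"'*) ;;
        *) return 1 ;;
    esac
    for opt in no-port-forwarding no-agent-forwarding no-pty; do
        case "$1" in
            *",$opt,"*|*",$opt "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# count_unrestricted FILE -> prints how many lines fail check_line.
# Anything above zero means a key can reach the git user's shell directly.
count_unrestricted() {
    n=0
    while IFS= read -r line; do
        check_line "$line" || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# shim_ok -> 0 if /usr/local/bin/gitea is executable and resolves to the same
# store path as the NixOS-managed /run/current-system/sw/bin/gitea.
shim_ok() {
    [ -x /usr/local/bin/gitea ] &&
    [ "$(readlink -f /usr/local/bin/gitea)" = "$(readlink -f /run/current-system/sw/bin/gitea)" ]
}

echo "unrestricted entries: $(count_unrestricted "$AUTH_KEYS")"
```

The shim's `-o StrictHostKeyChecking=no` accepts whatever host key the container presents on port 2222; because the target is 127.0.0.1 the exposure is local, but pinning the container's host key with `-o UserKnownHostsFile=` is the stricter setting.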