@@ -20,35 +20,21 @@ errors at connect: |
| 20 | 20 | |
| 21 | 21 | ## First-time enable on an existing droplet |
| 22 | 22 | |
| 23 | | -If S13 shipped before the deploy ever ran SSH-git: |
| 24 | | - |
| 25 | | -```sh |
| 26 | | -# 1. Create the git login user with git-shell as a defense layer |
| 27 | | -ssh root@shithub.sh ' |
| 28 | | - apt-get install -y git # provides git-shell |
| 29 | | - useradd --system --home-dir /var/lib/git --create-home \ |
| 30 | | - --shell "$(which git-shell)" git |
| 31 | | - getent passwd git |
| 32 | | -' |
| 33 | | - |
| 34 | | -# 2. Confirm sshd_config has the Match User git block |
| 35 | | -ssh root@shithub.sh ' |
| 36 | | - grep -A4 "Match User git" /etc/ssh/sshd_config |
| 37 | | -' |
| 38 | | -# Expected: AuthorizedKeysCommand /usr/local/bin/shithubd ssh-authkeys %f |
| 39 | | -# AuthorizedKeysCommandUser shithub-ssh |
| 40 | | -# PermitTTY no |
| 41 | | -# AllowAgentForwarding no |
| 42 | | - |
| 43 | | -# 3. Set the env knobs on web.env (worker.env doesn't render repo pages) |
| 44 | | -ssh root@shithub.sh ' |
| 45 | | - printf "\nSHITHUB_AUTH__SSH__ENABLED=true\nSHITHUB_AUTH__SSH__HOST=git@shithub.sh\n" \ |
| 46 | | - >> /etc/shithub/web.env |
| 47 | | -' |
| 48 | | - |
| 49 | | -# 4. Restart shithubd-web to pick up the new env (workers don't need it) |
| 50 | | -ssh root@shithub.sh 'systemctl restart shithubd-web' |
| 51 | | -``` |
| 23 | +The clean path is `ansible-playbook deploy/ansible/site.yml -l shithub-app`, |
| 24 | +which provisions everything below. SSH-git turned out to need |
| 25 | +**six** pieces — the obvious ones from S13 plus five subtleties |
| 26 | +discovered live. They are all encoded in ansible (after this PR); |
| 27 | +this list is for operators who want to apply piece-by-piece or |
| 28 | +debug one failure mode at a time. |
| 29 | + |
| 30 | +| # | Piece | Lives in | Failure if missing | |
| 31 | +|---|---|---|---| |
| 32 | +| 1 | `git` system user with `git-shell`, in `shithub` group, password-cleared (`passwd -d`) | `roles/base/tasks/main.yml` | "User git not allowed because account is locked" | |
| 33 | +| 2 | `Match User git` sshd block pointing at the AKC wrapper | `deploy/sshd_config.j2` | sshd offers no AKC for `git@`; "Permission denied (publickey)" | |
| 34 | +| 3 | `/usr/local/bin/shithub-ssh-authkeys` wrapper sourcing web.env then exec'ing `shithubd ssh-authkeys` | `roles/shithubd/files/shithub-ssh-authkeys` | AKC returns empty (no `SHITHUB_DATABASE_URL` in env); "Permission denied (publickey)" | |
| 35 | +| 4 | `/var/lib/git/git-shell-commands/shithubd` wrapper sourcing web.env then exec'ing the bare binary | `roles/shithubd/files/git-shell-commands-shithubd` | git-shell rejects forced command; "fatal: unrecognized command" | |
| 36 | +| 5 | `/etc/shithub/web.env` mode 0640 (group=shithub) so the git user can read it through the wrappers above | `roles/shithubd/tasks/main.yml` | `ssh-shell: cfg: ... permission denied` | |
| 37 | +| 6 | `SHITHUB_AUTH__SSH__{ENABLED,HOST}` env vars on web.env | `roles/shithubd/templates/web.env.j2` | repo pages don't show the SSH clone URL (sshd path still works) | |
| 52 | 38 | |
| 53 | 39 | Verify: |
| 54 | 40 | |
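Review bot: piece 1 in the new table unlocks the `git` account with `passwd -d`, which sets an empty password rather than an unusable one; the "account is locked" error comes from the `!` that `useradd` writes into the shadow field, and the narrower fix is `usermod -p '*' git`, which clears the lock without creating a password-less account. Whichever is used, the `Match User git` block (piece 2, and the removed expected output above, which only shows `PermitTTY no` and `AllowAgentForwarding no`) should also carry `PasswordAuthentication no` and `PermitEmptyPasswords no` so key auth via the AKC is the only path into that user. Two smaller points: row 2 should quote the exact `AuthorizedKeysCommand ... %f` and `AuthorizedKeysCommandUser shithub-ssh` lines the way the removed step 2 did, since the command path changed from `shithubd ssh-authkeys` to the `/usr/local/bin/shithub-ssh-authkeys` wrapper and an operator debugging "Permission denied (publickey)" needs the string to grep for; and row 5 should say what it is granting, because making `web.env` group-readable hands `SHITHUB_DATABASE_URL` to every process the `git` user runs on behalf of an SSH client, which is wider than the two wrappers need. Worth noting in the text, or splitting the SSH-path variables into their own file.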