Implement SSH passthrough mode and refactor Gitea domain configuration

Major Changes: - Add dual SSH mode system (passthrough default, dedicated fallback) - Refactor domain configuration to use direct specification pattern - Fix critical fail2ban security gap in dedicated mode - Separate HTTP and SSH domains for cleaner Git URLs
2025-12-17 21:51:24 +01:00
parent 2fe194ba82
commit cf71fb3a8d
15 changed files with 1134 additions and 102 deletions
--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@@ -11,14 +11,17 @@ DEFAULT_BRANCH = {{ gitea_default_branch }}

 [server]
 PROTOCOL = http
-DOMAIN = {{ gitea_full_domain }}
+DOMAIN = {{ gitea_http_domain }}
 HTTP_PORT = {{ gitea_http_port }}
-ROOT_URL = https://{{ gitea_full_domain }}/
+ROOT_URL = https://{{ gitea_http_domain }}/
 DISABLE_SSH = false
+# SSH Mode: {{ gitea_ssh_mode }}
 START_SSH_SERVER = {{ gitea_start_ssh_server | lower }}
-SSH_DOMAIN = {{ gitea_full_domain }}
+SSH_DOMAIN = {{ gitea_ssh_domain }}
 SSH_PORT = {{ gitea_ssh_port }}
+{% if gitea_ssh_mode == 'dedicated' %}
 SSH_LISTEN_PORT = {{ gitea_ssh_port }}
+{% endif %}
 LOCAL_ROOT_URL = http://127.0.0.1:{{ gitea_http_port }}/
 APP_DATA_PATH = {{ gitea_home }}/data

@@ -47,7 +50,7 @@ DISABLE_REGISTRATION = {{ gitea_disable_registration | lower }}
 REQUIRE_SIGNIN_VIEW = {{ gitea_require_signin | lower }}
 DEFAULT_KEEP_EMAIL_PRIVATE = true
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
-NO_REPLY_ADDRESS = noreply.{{ gitea_domain }}
+NO_REPLY_ADDRESS = noreply@{{ gitea_http_domain }}

 [log]
 MODE = console
@@ -63,4 +66,4 @@ CONTENT_PATH = {{ gitea_home }}/data/lfs
 [git]
 PATH = /usr/bin/git

-# Rick-Infra: Simplified Gitea configuration for self-contained service
+# Rick-Infra: Simplified Gitea configuration for self-contained service
--- a/roles/gitea/templates/gitea-keys.sh.j2
+++ b/roles/gitea/templates/gitea-keys.sh.j2
@@ -0,0 +1,28 @@
+#!/bin/bash
+# Gitea SSH Keys AuthorizedKeysCommand - Rick-Infra
+# Generated by Ansible Gitea role
+#
+# This script is called by OpenSSH's AuthorizedKeysCommand to query
+# Gitea's database for SSH public keys when the 'git' user connects.
+#
+# Called by SSH with parameters:
+#   %u = username (should be "git")
+#   %t = key type (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, etc.)
+#   %k = base64 encoded public key content
+#
+# The script returns authorized_keys format entries that include
+# forced commands to execute Gitea's Git server.
+
+set -euo pipefail
+
+# Gitea keys command queries the database and returns authorized_keys format
+# If the key is found, it returns a line like:
+#   command="/usr/bin/gitea serv key-123",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...
+
+exec /usr/bin/gitea keys \
+    --config /etc/gitea/app.ini \
+    --username "$1" \
+    --type "$2" \
+    --content "$3"
+
+# Rick-Infra: AuthorizedKeysCommand for Gitea SSH passthrough mode
--- a/roles/gitea/templates/gitea.caddy.j2
+++ b/roles/gitea/templates/gitea.caddy.j2
@@ -2,7 +2,7 @@
 # Generated by Ansible Gitea role
 # Deployed to {{ caddy_sites_enabled_dir }}/gitea.caddy

-{{ gitea_full_domain }} {
+{{ gitea_http_domain }} {
    # Reverse proxy to Gitea
    reverse_proxy 127.0.0.1:{{ gitea_http_port }}

@@ -29,4 +29,4 @@
    }
 }

-# Rick-Infra: Self-contained Gitea service with Caddy reverse proxy
+# Rick-Infra: Self-contained Gitea service with Caddy reverse proxy