Implement SSH passthrough mode and refactor Gitea domain configuration

Major Changes: - Add dual SSH mode system (passthrough default, dedicated fallback) - Refactor domain configuration to use direct specification pattern - Fix critical fail2ban security gap in dedicated mode - Separate HTTP and SSH domains for cleaner Git URLs
2025-12-17 21:51:24 +01:00
parent 2fe194ba82
commit cf71fb3a8d
15 changed files with 1134 additions and 102 deletions
--- a/roles/gitea/templates/gitea-keys.sh.j2
+++ b/roles/gitea/templates/gitea-keys.sh.j2
@@ -0,0 +1,28 @@
+#!/bin/bash
+# Gitea SSH Keys AuthorizedKeysCommand - Rick-Infra
+# Generated by Ansible Gitea role
+#
+# This script is called by OpenSSH's AuthorizedKeysCommand to query
+# Gitea's database for SSH public keys when the 'git' user connects.
+#
+# Called by SSH with parameters:
+#   %u = username (should be "git")
+#   %t = key type (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, etc.)
+#   %k = base64 encoded public key content
+#
+# The script returns authorized_keys format entries that include
+# forced commands to execute Gitea's Git server.
+
+set -euo pipefail
+
+# Gitea keys command queries the database and returns authorized_keys format
+# If the key is found, it returns a line like:
+#   command="/usr/bin/gitea serv key-123",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...
+
+exec /usr/bin/gitea keys \
+    --config /etc/gitea/app.ini \
+    --username "$1" \
+    --type "$2" \
+    --content "$3"
+
+# Rick-Infra: AuthorizedKeysCommand for Gitea SSH passthrough mode