From 02bebb22f73e1e556372eb2a0c37bd742a700894 Mon Sep 17 00:00:00 2001
From: "build@apk-groulx"
Date: Wed, 11 Jan 2023 13:38:45 +0000
Subject: [PATCH] user/gitlab-shell: new aport
---
 user/gitlab-shell/APKBUILD | 66 +++++++++++++++
 user/gitlab-shell/change-config-path.patch | 11 +++
 user/gitlab-shell/config.patch | 93 +++++++++++++++++++++
 user/gitlab-shell/gitconfig | 17 ++++
 user/gitlab-shell/gitlab-shell.post-install | 23 +++++
 user/gitlab-shell/gitlab-shell.pre-install | 41 +++++++++
 6 files changed, 251 insertions(+)
 create mode 100644 user/gitlab-shell/APKBUILD
 create mode 100644 user/gitlab-shell/change-config-path.patch
 create mode 100644 user/gitlab-shell/config.patch
 create mode 100644 user/gitlab-shell/gitconfig
 create mode 100644 user/gitlab-shell/gitlab-shell.post-install
 create mode 100644 user/gitlab-shell/gitlab-shell.pre-install
diff --git a/user/gitlab-shell/APKBUILD b/user/gitlab-shell/APKBUILD
new file mode 100644
index 0000000..3a2deee
--- /dev/null
+++ b/user/gitlab-shell/APKBUILD
@@ -0,0 +1,66 @@
+# Contributor: Jakub Jirutka
+# Maintainer: Jakub Jirutka
+pkgname=gitlab-shell
+pkgver=14.10.0
+pkgrel=0
+pkgdesc="GitLab Shell handles git SSH sessions for GitLab"
+url="https://gitlab.com/gitlab-org/gitlab-shell"
+arch="all"
+license="MIT"
+depends="git openssh"
+makedepends="go"
+pkgusers="git"
+pkggroups="git"
+install="$pkgname.pre-install $pkgname.post-install"
+# NOTE: user vs system gitconfig, see https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6166
+source="https://gitlab.com/gitlab-org/$pkgname/-/archive/v$pkgver/$pkgname-v$pkgver.tar.gz
+ config.patch
+ change-config-path.patch
+ gitconfig
+ "
+builddir="$srcdir/$pkgname-v$pkgver"
+options="!check"
+
+build() {
+ # BUILD_TAGS - build without tracing libs,
+ # see https://gitlab.com/gitlab-org/labkit/-/merge_requests/2
+ make build \
+ VERSION_STRING="$pkgver" \
+ BUILD_TAGS=""
+}
+
+package() {
+ local datadir="$pkgdir/var/lib/gitlab"
+ local libdir="$pkgdir/usr/lib/gitlab-shell"
+
+ # XXX: I couldn't figure out how/where is gitlab-shell called,
+ # so I kept /usr/lib/gitlab-shell. It should be changed to /usr.
+ make install DESTDIR="$pkgdir" PREFIX=/usr/lib/gitlab-shell
+
+ install -m644 VERSION "$libdir"/
+ install -m644 -D config.yml.example "$pkgdir"/etc/gitlab/gitlab-shell.yml
+
+ cd "$pkgdir"
+
+ rm "$libdir"/bin/check
+ rm "$libdir"/bin/gitlab-sshd
+
+ install -d -m755 -o git -g git \
+ "$pkgdir"/var/log/gitlab \
+ "$datadir"
+
+ install -d -m02770 -o git -g git \
+ "$datadir"/repositories
+
+ install -m644 -o git -g git "$srcdir"/gitconfig "$datadir"/.gitconfig
+
+ ln -s /etc/gitlab/gitlab-shell.yml "$libdir"/config.yml
+ ln -s /etc/gitlab/gitlab_shell_secret "$libdir"/.gitlab_shell_secret
+}
+
+sha512sums="
+4062d2f31d5bcbff653a44564aabff61dfcad4f0257c0ce5c131287864faaffcc37f86eb54d22b9e02b93f7149912c42f097f6b615b3dd479bdce3ba08af35da gitlab-shell-v14.10.0.tar.gz
+22a6e87a317bbffa063717ca5f06f08e05da90c3ea18744049abfc29b3109a34d90d366b46b381cfbf3817e410daf8d0bc51a592b51a81b7f4a9381d20e347d8 config.patch
+499b3a46ea94a33a23b01f6a7509d74f5a6781b930619b3b8ae42bdeae8a052cc636578744d7992b4ae4f9b9f72b11ee3d3c0f5e50986fa3f7e35b979b08aada change-config-path.patch
+c53da7f145593693392d9fa880ad5a1909bfc7504fd1c93d94a468c3e0f5cc80f712f41ee1dc8bf38105b410c1165658f208bd88a70c4674104c78af33d8d09c gitconfig
+"
diff --git a/user/gitlab-shell/change-config-path.patch b/user/gitlab-shell/change-config-path.patch
new file mode 100644
index 0000000..52d44ce
--- /dev/null
+++ b/user/gitlab-shell/change-config-path.patch
@@ -0,0 +1,11 @@
+--- a/support/gitlab_config.rb
++++ b/support/gitlab_config.rb
+@@ -4,7 +4,7 @@ class GitlabConfig
+ attr_reader :config
+
+ def initialize
+- @config = YAML.load_file(File.join(ROOT_PATH, 'config.yml'))
++ @config = YAML.load_file(ENV.fetch('GITLAB_SHELL_CONFIG', '/etc/gitlab/gitlab-shell.yml'))
+ end
+
+ def home
diff --git a/user/gitlab-shell/config.patch b/user/gitlab-shell/config.patch
new file mode 100644
index 0000000..9dfc0a5
--- /dev/null
+++ b/user/gitlab-shell/config.patch
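Review bot: `install -m644 -D config.yml.example "$pkgdir"/etc/gitlab/gitlab-shell.yml` ships the runtime config world-readable, and that file is where an admin may set the inline `secret` field that config.patch documents as superseding `secret_file`; the GitLab internal-API shared secret would then be readable by every local account. Install it group-readable only, using the `pkggroups="git"` the APKBUILD already declares: `install -m640 -g git -D config.yml.example "$pkgdir"/etc/gitlab/gitlab-shell.yml`. The `ln -s /etc/gitlab/gitlab_shell_secret "$libdir"/.gitlab_shell_secret` line looks redundant once config.patch sets `secret_file` to that same path, so either drop it or add `# fallback for the unpatched default secret location` above it. The `cd "$pkgdir"` appears to have no effect, since every path after it is absolute.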
@@ -0,0 +1,93 @@
+--- a/config.yml.example
++++ b/config.yml.example
+@@ -13,7 +13,7 @@
+ # only listen on a Unix domain socket. For Unix domain sockets use
+ "http+unix://", e.g.
+ "http+unix://%2Fpath%2Fto%2Fsocket"
+-gitlab_url: "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket"
++gitlab_url: "http+unix://%2Frun%2Fgitlab%2Fworkhorse.socket"
+
+ # When a http+unix:// is used in gitlab_url, this is the relative URL root to GitLab.
+ # Not used if gitlab_url is http:// or https://.
+@@ -29,15 +29,15 @@
+ #
+
+ # File used as authorized_keys for gitlab user
+-auth_file: "/home/git/.ssh/authorized_keys"
++auth_file: "/var/lib/gitlab/.ssh/authorized_keys"
+
+ # SSL certificate dir where custom certificates can be placed
+ # https://golang.org/pkg/crypto/x509/
+-# ssl_cert_dir: /opt/gitlab/embedded/ssl/certs/
++# ssl_cert_dir: /etc/gitlab/ssl/certs/
+
+ # File that contains the secret key for verifying access to GitLab.
+ # Default is .gitlab_shell_secret in the gitlab-shell directory.
+-# secret_file: "/home/git/gitlab-shell/.gitlab_shell_secret"
++secret_file: "/etc/gitlab/gitlab_shell_secret"
+ #
+ # The secret field supersedes the secret_file, and if set that
+ # file will not be read.
+@@ -45,13 +45,13 @@
+
+ # Log file.
+ # Default is gitlab-shell.log in the root directory.
+-# log_file: "/home/git/gitlab-shell/gitlab-shell.log"
++log_file: "/var/log/gitlab/gitlab-shell.log"
+
+ # Log level. INFO by default
+-log_level: INFO
++log_level: WARN
+
+ # Log format. 'json' by default, can be changed to 'text' if needed
+-# log_format: json
++log_format: text
+
+ # Audit usernames.
+ # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
+@@ -61,45 +61,3 @@
+ # Distributed Tracing. GitLab-Shell has distributed tracing instrumentation.
+ # For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html
+ # gitlab_tracing: opentracing://driver
+-
+-# This section configures the built-in SSH server. Ignored when running on OpenSSH.
+-sshd:
+- # Address which the SSH server listens on. Defaults to [::]:22.
+- listen: "[::]:22"
+- # Set to true if gitlab-sshd is being fronted by a load balancer that implements
+- # the PROXY protocol.
+- proxy_protocol: false
+- # Proxy protocol policy ("use", "require", "reject", "ignore"), "use" is the default value
+- # Values: https://github.com/pires/go-proxyproto/blob/195fedcfbfc1be163f3a0d507fac1709e9d81fed/policy.go#L20
+- proxy_policy: "use"
+- # Address which the server listens on HTTP for monitoring/health checks. Defaults to localhost:9122.
+- web_listen: "localhost:9122"
+- # Maximum number of concurrent sessions allowed on a single SSH connection. Defaults to 10.
+- concurrent_sessions_limit: 10
+- # Sets an interval after which server will send keepalive message to a client. Defaults to 15s.
+- client_alive_interval: 15
+- # The server waits for this time for the ongoing connections to complete before shutting down. Defaults to 10s.
+- grace_period: 10
+- # The server disconnects after this time if the user has not successfully logged in. Defaults to 60s.
+- login_grace_time: 60
+- # A short timeout to decide to abort the connection if the protocol header is not seen within it. Defaults to 500ms
+- proxy_header_timeout: 500ms
+- # The endpoint that returns 200 OK if the server is ready to receive incoming connections; otherwise, it returns 503 Service Unavailable. Defaults to "/start".
+- readiness_probe: "/start"
+- # The endpoint that returns 200 OK if the server is alive. Defaults to "/health".
+- liveness_probe: "/health"
+- # Specifies the available message authentication code algorithms that are used for protecting data integrity
+- macs: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]
+- # Specifies the available Key Exchange algorithms
+- kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
+- # Specified the ciphers allowed
+- ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr]
+- # SSH host key files.
+- host_key_files:
+- - /run/secrets/ssh-hostkeys/ssh_host_rsa_key
+- - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key
+- - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key
+- host_key_certs:
+- - /run/secrets/ssh-hostkeys/ssh_host_rsa_key-cert.pub
+- - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key-cert.pub
+- - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key-cert.pub
diff --git a/user/gitlab-shell/gitconfig b/user/gitlab-shell/gitconfig
new file mode 100644
index 0000000..ccf8053
--- /dev/null
+++ b/user/gitlab-shell/gitconfig
@@ -0,0 +1,17 @@
+# Based on files/gitlab-cookbooks/gitlab/templates/default/gitconfig.erb
+# in omnibus-gitlab.
+
+[user]
+name = GitLab
+email = gitlab@local.host
+
+[core]
+# Needed for the web editor.
+autocrlf = input
+alternateRefsCommand="exit 0 #"
+# This option is unnecessary on journaled file systems and it's not recognized
+# by git >= 2.36.
+# fsyncObjectFiles = true
+
+[gc]
+auto = 0
diff --git a/user/gitlab-shell/gitlab-shell.post-install b/user/gitlab-shell/gitlab-shell.post-install
new file mode 100644
index 0000000..01c425c
--- /dev/null
+++ b/user/gitlab-shell/gitlab-shell.post-install
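Review bot: `log_level: WARN` together with `log_format: text` in the `@@ -45,13 +45,13 @@` hunk drops the per-session records gitlab-shell writes at INFO, which as far as I recall is where each accepted SSH command and the key id that authenticated it are logged; /var/log/gitlab/gitlab-shell.log would then hold almost nothing usable for reconstructing who pushed what. Keeping the upstream `log_level: INFO` and `log_format: json` preserves that audit trail and keeps the file parseable by log shippers; if volume is the concern, logrotate is the better lever than lowering the level. Note also that the `secret_file` hunk now enables the key (the upstream line was commented out), so `/etc/gitlab/gitlab_shell_secret` has to exist, readable by git and nobody else, before the first session; nothing in this aport creates it, which is worth a comment in the APKBUILD or the post-install message.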
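Review bot: `alternateRefsCommand="exit 0 #"` and `[gc] auto = 0` carry no why-comment, unlike `autocrlf = input`, so a maintainer has to chase the omnibus template to learn they are deliberate rather than leftovers. I would add `# Do not advertise refs from alternate object stores (object pools); the trailing '#' swallows the path git appends.` above `alternateRefsCommand`, and `# Housekeeping is driven by Gitaly, not by per-command auto gc.` above `auto = 0` — both presumably the omnibus rationale, so verify the wording against gitconfig.erb before committing it.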
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -eu
+
+keys_file='/var/lib/gitlab/.ssh/authorized_keys'
+
+if [ ! -f "$keys_file" ]; then
+ keys_dir="$(dirname "$keys_file")"
+ echo "* Initializing authorized_keys file in $keys_dir" 1>&2
+
+ mkdir -m0700 -p "$keys_dir"
+ chown git:git "$keys_dir"
+
+ touch "$keys_file"
+ chmod 0600 "$keys_file"
+ chown git:git "$keys_file"
+fi
+
+cat <&2
+*
+* GitLab Shell has been initialized. Read /etc/gitlab/gitlab-shell.yml and
+* modify settings as need.
+*
+EOF
diff --git a/user/gitlab-shell/gitlab-shell.pre-install b/user/gitlab-shell/gitlab-shell.pre-install
new file mode 100644
index 0000000..9421862
--- /dev/null
+++ b/user/gitlab-shell/gitlab-shell.pre-install
@@ -0,0 +1,41 @@
+#!/bin/sh
+# It's very important to set user/group correctly.
+
+git_dir='/var/lib/gitlab'
+
+if ! getent group git >/dev/null; then
+ echo '* Creating group git' >&2
+
+ addgroup -S git
+fi
+
+if ! id git 2>/dev/null 1>&2; then
+ echo '* Creating user git' >&2
+
+ adduser -DHS -G git -h "$git_dir" -s /bin/sh \
+ -g "added by apk for gitlab-shell" git
+ passwd -u git >/dev/null # unlock
+fi
+
+if ! id -Gn git | grep -Fq redis; then
+ echo '* Adding user git to group redis' >&2
+
+ addgroup git redis
+fi
+
+user_home="$(getent passwd git | cut -d: -f6)"
+
+if [ "$user_home" != "$git_dir" ]; then
+ cat >&2 <<-EOF
+ !!
+ !! User git has home directory in $user_home, but this package and gitlab-ce
+ !! package assumes $git_dir. Although it's possible to use a different
+ !! directory, it's really not easy.
+ !!
+ !! Please change git's home directory to $git_dir, or adjust settings
+ !! and move files yourself. Otherwise GitLab will not work!
+ !!
+ EOF
+fi
+
+exit 0
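Review bot: `touch "$keys_file"` followed by `chmod 0600` and `chown git:git` creates authorized_keys with the process umask and root ownership first and repairs it afterwards; since sshd consults this file to decide who may log in as git, create it with its final mode and owner in one step, `install -m600 -o git -g git /dev/null "$keys_file"`, replacing those three lines. The `mkdir -m0700 -p` + `chown` pair for `$keys_dir` has the same shape and can become `install -d -m700 -o git -g git "$keys_dir"`. The `cat <&2` line looks truncated in this listing (presumably `cat <<EOF >&2`, matching the closing `EOF`), so check the committed file, and `modify settings as need` in that message should read `as needed`.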
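Review bot: `addgroup git redis` runs whenever git is not yet in group redis, but nothing in this aport depends on redis (`depends="git openssh"` in the APKBUILD), so on a host without that group the command fails, and because this script has no `set -e` (the post-install does have `set -eu`) the failure is only printed. Guard it so it is attempted only when the group exists: `if getent group redis >/dev/null && ! id -Gn git | grep -Fq redis; then`. Separately, redis group membership widens what an SSH session running as git can reach (the redis socket); as far as I know gitlab-shell 14 talks only to the internal API via workhorse, so confirm the membership is still required and drop the block if not. Either way a one-line comment above the block stating why git needs redis access would help the next maintainer.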