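#!/bin/bash
# fossilrepo entrypoint — starts sshd as root, then drops to the 'app' user
# for gunicorn.
#
# sshd is started as root. Port 2222 is not a privileged port, so root is
# presumably needed for reading the host keys under /etc/ssh and for switching
# to the login user rather than for binding.
# gunicorn runs as the unprivileged 'app' user.

set -euo pipefail

# Generate SSH host keys only when the ed25519 key is missing.
# NOTE(review): the keys survive restarts only if /etc/ssh sits on a persistent
# volume; nothing in this script shows that, so confirm it in the image or
# compose definition. Regenerated host keys give every client a
# host-key-changed warning, which teaches users to ignore that warning.
if [[ ! -f /etc/ssh/ssh_host_ed25519_key ]]; then
  ssh-keygen -A
fi

# Ensure data dirs exist with the expected owners and modes.
mkdir -p /data/ssh /data/repos /data/trash
touch /data/ssh/authorized_keys
# Owner-only access. Presumably this is the AuthorizedKeysFile of the 'fossil'
# account; sshd's StrictModes check rejects key files that other users could
# modify, so keep this at 600 — TODO confirm against sshd_config.
chmod 600 /data/ssh/authorized_keys
chown -R fossil:fossil /data/ssh
chown -R app:app /data/repos /data/trash
# fossil user needs read access to repos for SSH sync.
# NOTE(review): the chown above sets the group to 'app', so g+r only helps if
# 'fossil' is a member of group 'app' — confirm in the image. g+r also does
# not add search (x) permission on directories.
chmod -R g+r /data/repos

# Start sshd in the background (runs as root).
# -D stops sshd from forking into a detached daemon. Without it, the process
#    that $! names exits right after the fork, so SSHD_PID would point at a
#    dead PID that the kernel may later hand to an unrelated process.
# -e sends sshd's log output to stderr.
/usr/sbin/sshd -D -p 2222 -e &
SSHD_PID=$!
echo "sshd started (PID $SSHD_PID) on port 2222"

# Stop sshd if this script exits before it hands over to gunicorn.
cleanup() {
  echo "Shutting down sshd..."
  # Best effort on purpose: sshd may already have exited.
  kill "$SSHD_PID" 2>/dev/null || true
  wait "$SSHD_PID" 2>/dev/null || true
}
# The trap belongs to this shell process. The exec below replaces the shell,
# so after a successful exec the trap no longer exists; it only covers a
# failure between here and the exec (for example gosu or gunicorn missing).
trap cleanup EXIT TERM INT

# Drop to non-root 'app' user for gunicorn.
# After the exec, sshd keeps running as root next to gunicorn and nothing
# supervises it: if sshd exits, SSH sync is down while the web app still
# answers. Use an init/supervisor process if that case has to be detected.
# NOTE(review): gunicorn listens on all interfaces over plain HTTP —
# presumably behind a TLS-terminating proxy; confirm.
exec gosu app gunicorn config.wsgi:application \
  --bind 0.0.0.0:8000 \
  --workers 3 \
  --timeout 120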