Add Gerrit behind reverse-proxy
diff --git a/gerrit/Dockerfile b/gerrit/Dockerfile
new file mode 100644
index 0000000..161f286
--- /dev/null
+++ b/gerrit/Dockerfile
@@ -0,0 +1,25 @@
+FROM gerritcodereview/gerrit:3.8.0
+
+COPY --from=sourcearcade-nginx /etc/ssl/certs/sa-selfsigned.crt /var/gerrit/etc/
+RUN \
+	keytool -importcert -alias sa-selfsigned -file /var/gerrit/etc/sa-selfsigned.crt \
+		-keystore /var/gerrit/truststore -storepass uiaeuiae -noprompt && \
+	rm /var/gerrit/etc/sa-selfsigned.crt
+RUN \
+	echo | keytool -importkeystore \
+		-srckeystore /usr/lib/jvm/java-*/lib/security/cacerts \
+		-destkeystore /var/gerrit/truststore \
+		-deststorepass uiaeuiae -noprompt
+
+USER root
+RUN \
+	printf 'JAVA_OPTIONS="%s %s"\n' \
+		-Djavax.net.ssl.trustStore=/var/gerrit/truststore \
+		-Djavax.net.ssl.trustStorePassword=uiaeuiae >>/etc/default/gerritcodereview
+
+COPY gerrit/Dockerfile.entrypoint /privileged.sh
+RUN chmod 544 /privileged.sh
+COPY gerrit/Dockerfile.entrypoint-unprivileged /unprivileged.sh
+RUN chmod 555 /unprivileged.sh
+
+ENTRYPOINT ["/bin/sh", "/privileged.sh"]
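Review bot: The truststore at /var/gerrit/truststore is written by the two keytool RUN steps on lines 11-19, before `USER root` on line 21, so it is owned by whatever user the base image runs RUN steps as (presumably `gerrit`) and stays writable by the Gerrit process at runtime; the trust anchors that decide which TLS peers Gerrit accepts should not be modifiable by the service itself. Either move the two keytool steps below `USER root`, or add `RUN chown root:root /var/gerrit/truststore && chmod 444 /var/gerrit/truststore` after line 21, so the store is root-owned and read-only while still readable via the JAVA_OPTIONS path set on lines 23-25. The `-storepass` value protects only the store's integrity check (the store holds public certificates, no keys), so writing it into /etc/default/gerritcodereview is acceptable, but a comment such as `# truststore holds public CA certs only; the store password is not a secret` would keep the next reader from treating it as a leaked credential. The final `USER root` is deliberate here, since /privileged.sh drops privileges with setpriv before starting Gerrit, and a one-line comment above line 21 saying so would stop it from being flagged as a root-running image.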
diff --git a/gerrit/Dockerfile.entrypoint b/gerrit/Dockerfile.entrypoint
new file mode 100644
index 0000000..6aa141b
--- /dev/null
+++ b/gerrit/Dockerfile.entrypoint
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+# Allows us to bind mount arbitrary owned files
+chown -R gerrit:gerrit /var/gerrit/{logs,etc,db,git,index,cache}/
+
+# Drop privileges as we set `USER root` only to change file permissions
+exec setpriv --reuid=gerrit --regid=gerrit --init-groups --inh-caps=-all /unprivileged.sh "$@"
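Review bot: The `chown -R` on line 44 relies on brace expansion, which POSIX `sh` does not perform; if `/bin/sh` in the base image is dash (as on Debian/Ubuntu-derived bases) the argument is passed literally as `/var/gerrit/{logs,etc,db,git,index,cache}/`, chown fails on the nonexistent path, and `set -e` aborts the container before the `setpriv` line runs. Spelling the directories out removes the dependency on the shell: `for d in logs etc db git index cache; do chown -R gerrit:gerrit "/var/gerrit/$d/"; done`. Since a brace-aware shell makes the current line work, the failure would only surface when the base image or its `/bin/sh` changes, which makes it worth fixing now rather than discovering later.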
diff --git a/gerrit/Dockerfile.entrypoint-unprivileged b/gerrit/Dockerfile.entrypoint-unprivileged
new file mode 100644
index 0000000..78ca1f8
--- /dev/null
+++ b/gerrit/Dockerfile.entrypoint-unprivileged
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec /entrypoint.sh "$@"
diff --git a/gerrit/environment.template b/gerrit/environment.template
new file mode 100644
index 0000000..f8975aa
--- /dev/null
+++ b/gerrit/environment.template
@@ -0,0 +1,2 @@
+# Set to publicly visible Gerrit URL
+# CANONICAL_WEB_URL=https://review.some.host/