From 13d0ab7ff300d01cd22c343671e8e0254909e73b Mon Sep 17 00:00:00 2001
From: Rihards Gailums
Date: Sat, 23 May 2026 21:36:00 +0000
Subject: [PATCH] fix(deploy): create /data/git/.ssh with 0700 before processgit starts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Second papercut surfaced by the end-to-end install test on v0.1.2.

Init-config now successfully writes app.ini and Gitea boots past the install wizard. It runs SQLite migrations, initializes the storage modules, then dies with:

    [F] code.gitea.io/gitea/services/asymkey.RewriteAllPublicKeys(ctx) failed: open /data/git/.ssh/authorized_keys.tmp: permission denied

RewriteAllPublicKeys writes an authorized_keys file containing all registered SSH keys (zero on a fresh install — but it still writes the empty file). The parent dir /data/git/.ssh must:

1. Exist
2. Be owned by the gitea user (uid 1000)
3. Have mode 0700 (SSH refuses to use it otherwise)

The standard gitea/gitea image's startup chain creates this. Our custom /etc/s6/gitea/run override bypasses it (same s6-overlay v3 mismatch that broke env-var-to-app.ini conversion and necessitated the init-config service in v0.1.2 — see #138).

Fix: add /data/git/.ssh to init-config's mkdir block and chmod 0700. init-config runs as 1000:1000, so the dir ends up owned by the right user automatically.

Two lines of substance, plus a doc comment explaining the SSH perms requirement so this isn't surprising in three months.

Testing path: v0.1.3 release → fresh install → processgit should become healthy on first boot.

Co-authored-by: Claude
---
 deploy/bootstrap/init-config.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/deploy/bootstrap/init-config.sh b/deploy/bootstrap/init-config.sh
index c440656..e6964c2 100755
--- a/deploy/bootstrap/init-config.sh
+++ b/deploy/bootstrap/init-config.sh
@@ -37,7 +37,14 @@ mkdir -p \ /data/gitea/sessions \ /data/gitea/indexers \ /data/git/repositories \ - /data/git/lfs + /data/git/lfs \ + /data/git/.ssh + +# Gitea's RewriteAllPublicKeys() writes authorized_keys.tmp here on +# every startup (even with zero registered keys, it writes an empty +# file). SSH requires the parent dir to be 0700 owned by the running +# user; otherwise it fails closed with "permission denied". +chmod 0700 /data/git/.ssh # Generate per-deployment secrets using the bundled gitea binary. These # are written into the file once and never regenerated — losing them
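Review bot: the new comment above `chmod 0700 /data/git/.ssh` attributes the "permission denied" to SSH, but the failure quoted in the commit message comes from Gitea's own open() of authorized_keys.tmp, which fails when the directory is missing or not writable by uid 1000; sshd's StrictModes check is a separate constraint (it rejects a group- or world-writable ~/.ssh, and 0700 satisfies it), so the comment would be clearer if it kept the two requirements apart. More importantly, `mkdir -p` leaves an existing directory's owner untouched, so on a reused volume where /data/git/.ssh was created under a different uid the chmod itself will fail with the same "permission denied" this change is meant to fix; a guard such as `[ -w /data/git/.ssh ] || { echo "init-config: /data/git/.ssh not writable by $(id -u)" >&2; exit 1; }` before the chmod, or an explicit ownership check, would make the fix hold on upgrades as well as the fresh-install path named under "Testing path".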