exodrifter logo

Apr 08, 20252 min read

Trying to figure out why SSH doesn’t work. After some research, it appears that this happens because I’m running Forgejo in a container and I don’t have SSH passthrough set up. I’m not able to find any articles on how to do this for Forgejo specifically, but I do find instructions for Gitea.

Reading the instructions for the “SSHing Shim (with authorized_keys)”, I realize that even though the tutorial has you create an SSH config from scratch, the SSH config already exists on the host, but it’s owned by my user account since all of the forgejo data is in my home folder. So, it seems all I need to do is add the git user on the host, update the SSH config to have the host SSH key, and then add the fake gitea command that forwards the SSH request for us.

Updating the docker installation to live in /opt instead of my home folder:

sudo mkdir /opt/moonlight
sudo mv docker-compose.yml /opt/moonlight
sudo mv forgejo /opt/moonlight
sudo mv swag /opt/moonlight
sudo chown -R git /opt/moonlight
sudo chgrp -R git /opt/moonlight

Create the git user and set up the SSH config:

# Create the git user
sudo useradd -m git
sudo -u git ln -s /opt/moonlight/forgejo/git/.ssh/ /home/git/.ssh
sudo -u git ssh-keygen -t ecdsa -b 521 -C "Gitea Host Key"
sudo -u git cat /home/git/.ssh/id_ecdsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys
sudo -u git chmod 600 /home/git/.ssh/authorized_keys

Creating the ssh shim:

cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
ssh -p 222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
sudo chmod +x /usr/local/bin/gitea

Updating /opt/moonlight/docker-compose.yml:

id git # prints "uid=1001(git) gid=1001(git) groups=1001(git)"
   forgejo:
     environment:
-     - USER_UID=1000
-     - USER_GID=1000
+     - USER_UID=1001
+     - USER_GID=1001
     volumes:
-      - ./forgejo:/data
+      - /opt/moonlight/forgejo:/data
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "127.0.0.1:222:22"
   swag:
     volumes:
-      - ./swag:/config
+      - /opt/moonlight/swag:/config

For some reason, this doesn’t seem to work, and it appears that the shim doesn’t run. I try running the shim as git on the server and it works, so I suspect that the ssh daemon is ignoring my symlink. So, I try changing that:

   forgejo:
     volumes:
       - /opt/moonlight/forgejo:/data
+      - /home/git/.ssh:/data/git/.ssh
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     ports:
       - "127.0.0.1:222:22"
sudo unlink /home/git/.ssh
sudo mv /data/git/.ssh /home/git/.ssh

And now it works! I guess that was a reason they mounting the folder instead of simply adding a symlink to the existing SSH folder.

Backlinks