Merge pull request 'ecryptfs' (#14) from aya/Astroport.ONE:ecryptfs into master
Reviewed-on: qo-op/Astroport.ONE#14 woai
e8d73bef7f
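--- a/.env.dist
+++ b/.env.dist
@@ -1 +1,9 @@
-DOCKER_SERVICE_1234_TAGS=urlprefix-astroport.${APP_DOMAIN}/
+DOCKER_IMAGES_MYOS=x2go:xfce-debian
+NODE_ASTROPORT_SERVICE_1234_TAGS=urlprefix-astroport.${DOMAIN}/
+NODE_VDI_ECRYPTERS=zen
+NODE_VDI_LANG=${LANG}
+NODE_VDI_PORT=45720
+NODE_VDI_SUDOERS=
+NODE_VDI_TZ=UTC
+NODE_VDI_USERS=zen
+UFW_UPDATE_ASTROPORT=1234 12245:12445/tcp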
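Review bot: `UFW_UPDATE_ASTROPORT=1234 12245:12445/tcp` opens a 201-port TCP range with nothing in the file saying what binds there; the Dockerfile in this same commit exposes only `1234 12345`, so a trailing comment such as `# 1234: landing page (12345.sh); 12245-12445: TODO document what listens here` or a narrower range is worth adding before this becomes the default firewall rule. `NODE_VDI_PORT=45720` (the port the VDI compose file maps to `SSH_PORT`) is not in that list, so either it is meant to stay unreachable from outside or the rule is incomplete; a comment either way removes the guesswork. `NODE_VDI_SUDOERS=` being empty by default is the right choice; a comment noting that a non-empty value is passed to the VDI container as `SUDOERS` (and presumably grants sudo there) will keep it that way.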
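--- a/12345.sh
+++ b/12345.sh
@@ -100,6 +100,7 @@ while true; do
 sed -i "s~_IPFSNODEID_~${IPFSNODEID}~g" ~/.zen/tmp/coucou/${MOATS}.myIP.http ## NODE PUBLISH HOSTED ${WHAT}'S JSON
 sed -i "s~_HOSTNAME_~$(hostname)~g" ~/.zen/tmp/coucou/${MOATS}.myIP.http ## HOSTNAME
 ############### ############### ############### ###############
+
 ############################################################################
 ## SERVE LANDING REDIRECT PAGE ~/.zen/tmp/coucou/${MOATS}.myIP.http on PORT 1234 (LOOP BLOCKING POINT)
 ############################################################################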
3
Makefile
3
Makefile
|
@ -9,9 +9,6 @@ SHELL_FILES ?= $(wildcard .*/*.sh */*.sh */*/*.sh)
|
||||||
|
|
||||||
all: install tests
|
all: install tests
|
||||||
|
|
||||||
install:
|
|
||||||
./install.sh
|
|
||||||
|
|
||||||
tests: shellcheck
|
tests: shellcheck
|
||||||
|
|
||||||
shellcheck:
|
shellcheck:
|
||||||
|
|
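Review bot: The `install:` target and its `./install.sh` recipe are deleted while the context line `all: install tests` is kept, so `make` / `make all` now fails with "No rule to make target 'install'" unless an included makefile (the myos stack this repo appears to pull in) defines `install`. If that is the case, a comment on `all:` naming where `install` comes from avoids the surprise; otherwise drop `install` from `all` or keep the target. `all`, `tests` and `shellcheck` are phony names with no `.PHONY:` declaration visible in this hunk; `.PHONY: all tests shellcheck` makes them robust to a file of the same name appearing in the tree.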
|
@ -1,4 +1,5 @@
|
||||||
FROM debian:bullseye as dist
|
ARG DOCKER_REPOSITORY=aynicos
|
||||||
|
FROM ${DOCKER_REPOSITORY}/x2go:xfce-debian as dist
|
||||||
LABEL maintainer aynic.os <support+docker@asycn.io>
|
LABEL maintainer aynic.os <support+docker@asycn.io>
|
||||||
ARG DOCKER_BUILD_DIR
|
ARG DOCKER_BUILD_DIR
|
||||||
ARG DOCKER_MACHINE=x86_64
|
ARG DOCKER_MACHINE=x86_64
|
||||||
|
@ -6,7 +7,7 @@ ARG DOCKER_SYSTEM=Linux
|
||||||
|
|
||||||
RUN apt-get update \
|
RUN apt-get update \
|
||||||
&& apt-get -fy upgrade \
|
&& apt-get -fy upgrade \
|
||||||
&& apt-get -fy install \
|
&& DEBIAN_FRONTEND=noninteractive apt-get -fy install \
|
||||||
bash \
|
bash \
|
||||||
bc \
|
bc \
|
||||||
cron \
|
cron \
|
||||||
|
@ -61,6 +62,7 @@ RUN apt-get update \
|
||||||
vim-nox \
|
vim-nox \
|
||||||
wget \
|
wget \
|
||||||
x11-utils \
|
x11-utils \
|
||||||
|
x2goserver \
|
||||||
xclip \
|
xclip \
|
||||||
xz-utils \
|
xz-utils \
|
||||||
youtube-dl \
|
youtube-dl \
|
||||||
|
@ -87,7 +89,7 @@ RUN set -x && buildDeps=' \
|
||||||
&& chmod 0755 /usr/local/bin/jaklis \
|
&& chmod 0755 /usr/local/bin/jaklis \
|
||||||
&& /usr/local/bin/jaklis --help >/dev/null \
|
&& /usr/local/bin/jaklis --help >/dev/null \
|
||||||
&& mkdir -p /usr/local/src/dpgpid \
|
&& mkdir -p /usr/local/src/dpgpid \
|
||||||
&& wget -qO - https://github.com/aynicos/dpgpid/archive/wip.tar.gz \
|
&& wget -qO - https://github.com/aynicos/dpgpid/archive/master.tar.gz \
|
||||||
|tar --strip-components 1 -C /usr/local/src/dpgpid -xzf - \
|
|tar --strip-components 1 -C /usr/local/src/dpgpid -xzf - \
|
||||||
&& pip3 install -r /usr/local/src/dpgpid/requirements.txt \
|
&& pip3 install -r /usr/local/src/dpgpid/requirements.txt \
|
||||||
&& ln -s /usr/local/src/dpgpid/keygen /usr/local/bin/keygen \
|
&& ln -s /usr/local/src/dpgpid/keygen /usr/local/bin/keygen \
|
||||||
|
@ -123,39 +125,51 @@ RUN chmod 600 /etc/ssmtp/ssmtp.conf
|
||||||
EXPOSE 1234 12345
|
EXPOSE 1234 12345
|
||||||
|
|
||||||
COPY install.sh /install.sh
|
COPY install.sh /install.sh
|
||||||
COPY ${DOCKER_BUILD_DIR}/docker-entrypoint.sh /docker-entrypoint.sh
|
COPY ${DOCKER_BUILD_DIR}/*.sh /app/
|
||||||
ENTRYPOINT ["/docker-entrypoint.sh"]
|
CMD ["/app/astroport.sh", "start"]
|
||||||
CMD ["start"]
|
|
||||||
|
|
||||||
FROM dist as master
|
FROM dist as master
|
||||||
ARG DOCKER_BUILD_DIR
|
ARG DOCKER_BUILD_DIR
|
||||||
ARG DOCKER_GID
|
ARG DOCKER_GID
|
||||||
|
ARG GID
|
||||||
ARG SHELL=/bin/bash
|
ARG SHELL=/bin/bash
|
||||||
ARG UID
|
ARG UID
|
||||||
ARG USER
|
ARG USER
|
||||||
|
ENV GID=${GID}
|
||||||
ENV UID=${UID}
|
ENV UID=${UID}
|
||||||
ENV GID=${UID}
|
|
||||||
ENV USER=zen
|
ENV USER=zen
|
||||||
|
|
||||||
# If we provide a numeric UID
|
# If we provide a numeric UID
|
||||||
RUN [ "$UID" -eq "$UID" ] 2>/dev/null \
|
RUN if [ "${UID}" -eq "${UID}" ] 2>/dev/null; then \
|
||||||
# Remove user with $UID if it is not our $USER
|
# Force $UID of $USER if it exists
|
||||||
&& if [ "$(getent passwd $UID |awk -F: '{print $1}')" != "$USER" ]; then \
|
if [ "$(awk -F: '$1 == "'"${USER}"'" {print $3}' /etc/passwd)" != "${UID}" ]; then \
|
||||||
sed -i '/^'$(getent passwd $UID |awk -F: '{print $1}')':x:'$UID':/d' /etc/passwd; \
|
sed -i 's/^\('"${USER}"':x\):[0-9]\+:/\1:'"${UID}"':/' /etc/passwd; \
|
||||||
sed -i '/^'$(getent group $GID |awk -F: '{print $1}')':x:'$GID':/d' /etc/group; \
|
fi; \
|
||||||
fi \
|
# Create $USER if $UID does not exist
|
||||||
# Force $UID if our $USER already exists
|
if [ "$(awk -F: '$3 == "'"${UID}"'" {print $1}' /etc/passwd)" = "" ]; then \
|
||||||
&& sed -i 's/^'$USER':x:[0-9]\+:[0-9]\+:/'$USER':x:'$UID':'$GID':/' /etc/passwd \
|
echo "${USER}:x:${UID}:${GID:-${UID}}::/home/${USER}:${SHELL:-/bin/sh}" >> /etc/passwd; \
|
||||||
&& sed -i 's/^'$USER':x:[0-9]\+:/'$USER':x:'$GID':/' /etc/group \
|
echo "${USER}:\!:$(($(date +%s) / 60 / 60 / 24)):0:99999:7:::" >> /etc/shadow; \
|
||||||
# Create $USER if it does not exist
|
mkdir -p /home/"${USER}"; \
|
||||||
&& if [ "$(getent passwd $UID)" = "" ]; then \
|
fi; \
|
||||||
echo "$USER:x:$UID:$GID::/home/$USER:$SHELL" >> /etc/passwd; \
|
chown "${UID}" $(awk -F: '$1 == "'"${USER}"'" {print $(NF-1)}' /etc/passwd); \
|
||||||
echo "$USER:\!:$(($(date +%s) / 60 / 60 / 24)):0:99999:7:::" >> /etc/shadow; \
|
fi
|
||||||
echo "$USER:x:$GID:" >> /etc/group; \
|
|
||||||
fi \
|
# If we provide a numeric GID
|
||||||
&& mkdir -p /home/$USER \
|
RUN if [ "${GID}" -eq "${GID}" ] 2>/dev/null; then \
|
||||||
&& chown $UID:$GID /home/$USER \
|
# Force $GID of $GROUP if it already exists
|
||||||
|| true
|
if [ "$(awk -F: '$1 == "'"${GROUP}"'" {print $3}' /etc/group)" != "${GID}" ]; then \
|
||||||
|
sed -i 's/^\('"${GROUP}"':x\):[0-9]\+:/\1:'"${GID}"':/' /etc/group; \
|
||||||
|
fi; \
|
||||||
|
# Create $GROUP if $GID does not exist
|
||||||
|
if [ "$(awk -F: '$3 == "'"${GID}"'" {print $1}' /etc/group)" = "" ]; then \
|
||||||
|
echo "${GROUP}:x:${GID}:" >> /etc/group; \
|
||||||
|
fi; \
|
||||||
|
# Force $GID of $USER if it exists
|
||||||
|
if [ "$(awk -F: '$1 == "'"${USER}"'" {print $4}' /etc/passwd)" != "${GID}" ]; then \
|
||||||
|
sed -i 's/^\('"${USER}"':x:[0-9]\+\):[0-9]\+:/\1:'"${GID}"':/' /etc/passwd; \
|
||||||
|
fi; \
|
||||||
|
chgrp "${GID}" $(awk -F: '$1 == "'"${USER}"'" {print $(NF-1)}' /etc/passwd); \
|
||||||
|
fi
|
||||||
|
|
||||||
## sudo
|
## sudo
|
||||||
RUN echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$USER"
|
RUN echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$USER"
|
||||||
|
@ -164,14 +178,15 @@ RUN echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$USER"
|
||||||
RUN echo "$USER:support@g1sms.fr:mail.asycn.io:587" >> /etc/ssmtp/revaliases
|
RUN echo "$USER:support@g1sms.fr:mail.asycn.io:587" >> /etc/ssmtp/revaliases
|
||||||
|
|
||||||
# config crontab
|
# config crontab
|
||||||
RUN echo "SHELL=/bin/bash" > /var/spool/cron/crontabs/$USER \
|
RUN echo "SHELL=/bin/bash" > "/var/spool/cron/crontabs/$USER" \
|
||||||
&& echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> /var/spool/cron/crontabs/$USER \
|
&& echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> "/var/spool/cron/crontabs/$USER" \
|
||||||
&& echo "12 20 * * * /bin/bash /home/zen/.zen/20h12.process.sh > /tmp/20h12.log 2>&1" >> /var/spool/cron/crontabs/$USER \
|
&& echo "12 20 * * * /bin/bash /home/zen/.zen/Astroport.ONE/20h12.process.sh > /tmp/20h12.log 2>&1" >> "/var/spool/cron/crontabs/$USER" \
|
||||||
&& chown $USER /var/spool/cron/crontabs/$USER
|
&& chown "$USER" "/var/spool/cron/crontabs/$USER"
|
||||||
|
|
||||||
HEALTHCHECK CMD [ $(ps aux |grep 'nc -l -p' |wc -l) -lt 199 ] && echo -n OK
|
HEALTHCHECK CMD [ $(ps aux |grep 'nc -l -p' |wc -l) -lt 199 ] && echo -n OK
|
||||||
USER $USER
|
|
||||||
ENV SHELL=${SHELL}
|
|
||||||
WORKDIR /home/$USER
|
|
||||||
|
|
||||||
RUN mkdir ~/.zen ~/.zen/tmp ~/astroport
|
VOLUME "/home/$USER/.ipfs"
|
||||||
|
VOLUME "/home/$USER/.zen"
|
||||||
|
VOLUME "/home/$USER/Astroport"
|
||||||
|
|
||||||
|
WORKDIR "/home/$USER"
|
|
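Review bot: The group block added at `RUN if [ "${GID}" -eq "${GID}" ]` reads `${GROUP}`, but no `ARG GROUP` / `ENV GROUP` appears anywhere in this section (only `ENV USER=zen`), so unless the x2go base image exports GROUP it expands empty and `echo "${GROUP}:x:${GID}:" >> /etc/group` appends a nameless `:x:<GID>:` entry whenever the GID does not already exist. Declaring it next to the user, `ARG GROUP` followed by `ENV GROUP=${GROUP:-zen}` (or simply `ENV GROUP=zen`), keeps both the comparison and the appended line well-formed. The last hunk also deletes `USER $USER` without re-adding it, so this file no longer switches the final stage to the unprivileged account while the `NOPASSWD: ALL` sudoers line for that account stays; if the user switch now happens elsewhere (the new entrypoint relies on `sudo`, so something must still run it as zen), a comment where `USER` used to be saying so would save the next reader the search.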
@ -0,0 +1,40 @@
|
||||||
|
#!/usr/bin/env sh
|
||||||
|
[ -n "${DEBUG}" ] && set -x
|
||||||
|
set -euo errexit
|
||||||
|
|
||||||
|
ASTROPORT_DIR=/home/zen/.zen/Astroport.ONE
|
||||||
|
ASTROPORT_REPO=https://git.p2p.legal/qo-op/Astroport.ONE.git
|
||||||
|
|
||||||
|
cron() {
|
||||||
|
sudo service cron start
|
||||||
|
}
|
||||||
|
|
||||||
|
log() {
|
||||||
|
tail -F /var/log/fail2ban.log /var/log/syslog /var/log/auth.log /var/log/pam-script.log >&2
|
||||||
|
}
|
||||||
|
|
||||||
|
zen() {
|
||||||
|
rm -rf /home/zen/.zen/tmp \
|
||||||
|
&& mkdir -p /dev/shm/tmp \
|
||||||
|
&& ln -s /dev/shm/tmp /home/zen/.zen/tmp
|
||||||
|
[ -d "$ASTROPORT_DIR" ] && cd "$ASTROPORT_DIR" && git pull -q || git clone -q "$ASTROPORT_REPO" "$ASTROPORT_DIR"
|
||||||
|
}
|
||||||
|
|
||||||
|
case "${1:-${cmd:-start}}" in
|
||||||
|
|
||||||
|
start)
|
||||||
|
cron
|
||||||
|
log &
|
||||||
|
zen
|
||||||
|
exec "$ASTROPORT_DIR/start.sh"
|
||||||
|
;;
|
||||||
|
|
||||||
|
install)
|
||||||
|
exec /install.sh
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
exec "$@"
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
|
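Review bot: The `zen()` line `[ -d "$ASTROPORT_DIR" ] && cd "$ASTROPORT_DIR" && git pull -q || git clone -q "$ASTROPORT_REPO" "$ASTROPORT_DIR"` pulls whatever the remote's default branch holds on every container start and then `exec`s `start.sh` from it, so the code that runs is decided by the remote at boot time rather than by the image; it also falls through to `git clone` into the already-existing directory when `git pull` fails (network down, diverged history), which fails in turn and under `set -e` aborts the start. Pinning the checkout to a ref the operator controls and separating the two cases makes the update explicit, avoids the clone-into-existing-dir path, and lets the cron job pointed at `/home/zen/.zen/Astroport.ONE/20h12.process.sh` run known code; fetching over HTTPS still gives no integrity beyond TLS, so verifying signed tags, if upstream signs them, is the natural next step.
```shell
ASTROPORT_REF=${ASTROPORT_REF:-master}

zen() {
    # … unchanged: tmp symlink into /dev/shm …
    if [ -d "$ASTROPORT_DIR/.git" ]; then
        git -C "$ASTROPORT_DIR" fetch -q origin "$ASTROPORT_REF"
        git -C "$ASTROPORT_DIR" checkout -q --detach FETCH_HEAD
    else
        git clone -q --branch "$ASTROPORT_REF" "$ASTROPORT_REPO" "$ASTROPORT_DIR"
    fi
    cd "$ASTROPORT_DIR"
}
```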
@ -1,20 +1,23 @@
|
||||||
version: '3.6'
|
version: '3.6'
|
||||||
|
|
||||||
services:
|
services:
|
||||||
docker:
|
astroport:
|
||||||
|
build:
|
||||||
|
args:
|
||||||
|
- DOCKER_REPOSITORY=${DOCKER_REPOSITORY}
|
||||||
|
- GID=${NODE_GID}
|
||||||
|
- UID=${NODE_UID}
|
||||||
|
container_name: ${COMPOSE_PROJECT_NAME}-astroport
|
||||||
environment:
|
environment:
|
||||||
- ENV=${ENV}
|
- ENV=${ENV}
|
||||||
- SHELL=${DOCKER_SHELL}
|
- SHELL=${DOCKER_SHELL}
|
||||||
image: ${DOCKER_REPOSITORY}/docker:${DOCKER_IMAGE_TAG}
|
image: ${DOCKER_REPOSITORY}/astroport:${DOCKER_IMAGE_TAG}
|
||||||
labels:
|
labels:
|
||||||
- SERVICE_1234_CHECK_HTTP=/
|
- SERVICE_1234_CHECK_HTTP=/test
|
||||||
- SERVICE_1234_NAME=${COMPOSE_SERVICE_NAME}-docker-1234
|
- SERVICE_1234_NAME=${COMPOSE_SERVICE_NAME}-astroport-1234
|
||||||
- SERVICE_1234_TAGS=${DOCKER_SERVICE_1234_TAGS}
|
- SERVICE_1234_TAGS=${NODE_ASTROPORT_SERVICE_1234_TAGS}
|
||||||
|
|
||||||
networks:
|
volumes:
|
||||||
private:
|
ipfs:
|
||||||
external: true
|
external: true
|
||||||
name: ${DOCKER_NETWORK_PRIVATE}
|
name: ${COMPOSE_SERVICE_NAME}_ipfs
|
||||||
public:
|
|
||||||
external: true
|
|
||||||
name: ${DOCKER_NETWORK_PUBLIC}
|
|
||||||
|
|
|
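Review bot: The new build args `- GID=${NODE_GID}` and `- UID=${NODE_UID}` have no fallback, so with the variables unset compose substitutes an empty string (with only a warning) and the Dockerfile's `[ "${UID}" -eq "${UID}" ]` guard then silently skips the uid/gid fix-up; `- GID=${NODE_GID:-1000}` / `- UID=${NODE_UID:-1000}` (or whichever ids the stack expects) make the failure mode explicit. `.env.dist` in this commit adds the `NODE_VDI_*` keys but not `NODE_UID` / `NODE_GID`, so if these are expected from the operator's `.env`, a commented placeholder there would help. The health-check path moves from `/` to `/test` and nothing in the hunk says which script answers on it; a short comment on the `SERVICE_1234_CHECK_HTTP` line naming the responder would document the dependency.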
@ -0,0 +1,46 @@
|
||||||
|
version: '3.8'
|
||||||
|
|
||||||
|
services:
|
||||||
|
astroport:
|
||||||
|
build:
|
||||||
|
args:
|
||||||
|
- SSH_PORT=${NODE_VDI_PORT:-22}
|
||||||
|
cap_add:
|
||||||
|
- IPC_LOCK # ecryptfs
|
||||||
|
- NET_ADMIN # iptables
|
||||||
|
- NET_RAW # iptables
|
||||||
|
- SYS_ADMIN # ecryptfs
|
||||||
|
environment:
|
||||||
|
- DEBUG=${VDI_DEBUG:-}
|
||||||
|
- ECRYPTERS=${NODE_VDI_ECRYPTERS:-}
|
||||||
|
- LANG=${NODE_VDI_LANG:-}
|
||||||
|
- SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS:-}
|
||||||
|
- SSH_PORT=${NODE_VDI_PORT:-22}
|
||||||
|
- SSH_PUBLIC_HOSTS=${SSH_PUBLIC_HOSTS:-}
|
||||||
|
- SUDOERS=${NODE_VDI_SUDOERS:-}
|
||||||
|
security_opt:
|
||||||
|
- apparmor=unconfined # ecryptfs
|
||||||
|
- seccomp=unconfined # ecryptfs
|
||||||
|
tty: true
|
||||||
|
volumes:
|
||||||
|
- /etc/localtime:/etc/localtime:ro
|
||||||
|
- /etc/default/console-setup:/etc/default/console-setup:ro
|
||||||
|
- /etc/default/keyboard:/etc/default/keyboard:ro
|
||||||
|
- home:/home:delegated
|
||||||
|
- shared:/shared:cached
|
||||||
|
- shm:/dev/shm:delegated
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
home:
|
||||||
|
shared:
|
||||||
|
driver: local
|
||||||
|
driver_opts:
|
||||||
|
type: none
|
||||||
|
device: /mnt/shared
|
||||||
|
o: bind
|
||||||
|
shm:
|
||||||
|
driver: local
|
||||||
|
driver_opts:
|
||||||
|
type: tmpfs
|
||||||
|
device: tmpfs
|
||||||
|
o: mode=1777,size=2147483648 # 2GB
|
|
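Review bot: `cap_add: SYS_ADMIN` together with `apparmor=unconfined` and `seccomp=unconfined` gives this container close to `privileged` reach: an unfiltered `mount(2)`/`keyctl(2)` surface plus the image's passwordless `sudo` for `zen` means a compromise of the SSH-exposed account (`SSH_PORT`, `SSH_AUTHORIZED_KEYS`) is a short step from the host. The three `# ecryptfs` comments say why the knobs exist but not why the default profiles could not be extended instead; a custom seccomp profile that adds `mount`, `umount2`, `keyctl`, `add_key` and `request_key` on top of Docker's default, and an AppArmor profile permitting the ecryptfs mount, keep the rest of the filtering in place. At minimum, record the decision in one comment, e.g. `# ecryptfs needs mount(2)+keyctl(2); default seccomp/AppArmor block them — revisit with custom profiles`, and keep `NET_ADMIN` / `NET_RAW` only if iptables is really driven from inside the container as the comments suggest.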
@ -1,36 +1,23 @@
|
||||||
version: '3.6'
|
version: '3.6'
|
||||||
|
|
||||||
services:
|
services:
|
||||||
docker:
|
astroport:
|
||||||
build:
|
build:
|
||||||
args:
|
args:
|
||||||
- DOCKER_BUILD_DIR=docker
|
- DOCKER_BUILD_DIR=docker/astroport
|
||||||
- GID=${GID}
|
|
||||||
- IPFS_VERSION=${IPFS_VERSION:-0.16.0}
|
- IPFS_VERSION=${IPFS_VERSION:-0.16.0}
|
||||||
- UID=${UID}
|
|
||||||
context: ../
|
context: ../
|
||||||
dockerfile: docker/Dockerfile
|
dockerfile: docker/astroport/Dockerfile
|
||||||
network_mode: host
|
network_mode: host
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
tty: true
|
tty: true
|
||||||
user: ${UID}:${GID}
|
|
||||||
volumes:
|
volumes:
|
||||||
- data:/home/zen/astroport:cached
|
- data:/home/zen/Astroport:cached
|
||||||
- ipfs:/home/zen/.ipfs:cached,ro
|
- ipfs:/home/zen/.ipfs:cached,ro
|
||||||
- zen:/home/zen/.zen:delegated
|
- zen:/home/zen/.zen:delegated
|
||||||
working_dir: /home/zen/.zen
|
working_dir: /home/zen
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
data:
|
data:
|
||||||
ipfs:
|
ipfs:
|
||||||
driver: local
|
|
||||||
driver_opts:
|
|
||||||
type: none
|
|
||||||
device: ${HOME}/.ipfs
|
|
||||||
o: bind
|
|
||||||
zen:
|
zen:
|
||||||
driver: local
|
|
||||||
driver_opts:
|
|
||||||
type: none
|
|
||||||
device: ${HOME}/.zen
|
|
||||||
o: bind
|
|
||||||
|
|
|
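Review bot: The build args `- GID=${GID}` and `- UID=${UID}` are removed here, yet the stage this file builds (`docker/astroport/Dockerfile`) declares `ARG UID` / `ARG GID` with no default, so when this file is used alone both arrive empty, the Dockerfile's numeric guard is false and the account fix-up is skipped silently; `user: ${UID}:${GID}` goes away in the same hunk, so nothing at run time compensates. If the intent is that the sibling compose file (the one passing `GID=${NODE_GID}` / `UID=${NODE_UID}`) is always merged on top, a one-line comment above `args:` saying so would stop someone from running this file by itself; otherwise pass the args here as well, e.g. `- GID=${NODE_GID:-1000}` / `- UID=${NODE_UID:-1000}`. The `ipfs:` and `zen:` volumes also change from `${HOME}/.ipfs` / `${HOME}/.zen` bind mounts to plain named volumes, so an existing node's data on the host is no longer seen by the container; a comment under `volumes:` noting the migration would help operators upgrading in place.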
@ -1,37 +0,0 @@
|
||||||
#!/usr/bin/env sh
|
|
||||||
set -euo errexit
|
|
||||||
|
|
||||||
# Print a debug message if debug mode is on ($DEBUG is not empty)
|
|
||||||
# @param message
|
|
||||||
debug_msg ()
|
|
||||||
{
|
|
||||||
if [ -n "${DEBUG:-}" -a "${DEBUG:-}" != "false" ]; then
|
|
||||||
echo "$@"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
mkdir -p /home/zen/.zen/tmp
|
|
||||||
SOURCE_DIR="/home/zen/.zen/Astroport.ONE"
|
|
||||||
[ -d "$SOURCE_DIR" ] && cd "$SOURCE_DIR" && git pull -q || git clone -q https://git.p2p.legal/qo-op/Astroport.ONE.git "$SOURCE_DIR"
|
|
||||||
cd "$SOURCE_DIR"
|
|
||||||
|
|
||||||
sudo -n /usr/sbin/cron -L/dev/stdout
|
|
||||||
|
|
||||||
case "${1:-${cmd:-start}}" in
|
|
||||||
|
|
||||||
start)
|
|
||||||
debug_msg "Starting $SOURCE_DIR/start.sh ..."
|
|
||||||
exec "$SOURCE_DIR"/start.sh
|
|
||||||
;;
|
|
||||||
|
|
||||||
install)
|
|
||||||
debug_msg "Installing..."
|
|
||||||
exec /install.sh
|
|
||||||
;;
|
|
||||||
|
|
||||||
*)
|
|
||||||
debug_msg "Exec: $@"
|
|
||||||
exec "$@"
|
|
||||||
;;
|
|
||||||
|
|
||||||
esac
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
COMPOSE_FILE_VDI := true
|
||||||
|
COMPOSE_PROJECT_NAME := $(HOSTNAME)
|
||||||
|
MAKE_VARS += NODE_VDI_PORT node
|
||||||
|
SERVICE := astroport
|
||||||
|
SSH_PORT := $(NODE_VDI_PORT)
|
||||||
|
SSH_PUBLIC_HOSTS += git.p2p.legal
|
||||||
|
STACK := node
|
||||||
|
UFW_UPDATE := $(SERVICE)
|
||||||
|
node := node/ipfs
|
||||||
|
|
||||||
|
bootstrap-stack: myos-node
|
||||||
|
|
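Review bot: `COMPOSE_PROJECT_NAME := $(HOSTNAME)` relies on `HOSTNAME`, which most shells set but do not export, so unless the including makefile exports it the project name expands empty; `COMPOSE_PROJECT_NAME ?= $(or $(HOSTNAME),$(shell hostname))` is robust to that. `SSH_PORT := $(NODE_VDI_PORT)` is expanded immediately and captures whatever `NODE_VDI_PORT` holds at this point of the parse; if the value is loaded later (for example from `.env` through `MAKE_VARS`), use `SSH_PORT = $(NODE_VDI_PORT)` or place the assignment after that include. `SSH_PUBLIC_HOSTS += git.p2p.legal` presumably seeds `known_hosts` for the entrypoint's clone; a trailing `# host key pre-trusted for the git clone in the entrypoint` comment would make that explicit.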