add crypto vdi

2022-11-22 22:49:46 +00:00 · 2022-11-22 22:49:46 +00:00 · ffc4aaa72c
parent 3fd2a5d51b
commit ffc4aaa72c
10 changed files with 175 additions and 103 deletions
--- a/.env.dist
+++ b/.env.dist
@ -1 +1,9 @@
-DOCKER_SERVICE_1234_TAGS=urlprefix-astroport.${APP_DOMAIN}/
+DOCKER_IMAGES_MYOS=x2go:xfce-debian
+NODE_ASTROPORT_SERVICE_1234_TAGS=urlprefix-astroport.${DOMAIN}/
+NODE_VDI_ECRYPTERS=zen
+NODE_VDI_LANG=${LANG}
+NODE_VDI_PORT=45720
+NODE_VDI_SUDOERS=
+NODE_VDI_TZ=UTC
+NODE_VDI_USERS=zen
+UFW_UPDATE_ASTROPORT=1234 12245:12445/tcp
--- a/12345.sh
+++ b/12345.sh
@ -100,6 +100,7 @@ while true; do
    sed -i "s~_IPFSNODEID_~${IPFSNODEID}~g" ~/.zen/tmp/coucou/${MOATS}.myIP.http ## NODE PUBLISH HOSTED ${WHAT}'S JSON
    sed -i "s~_HOSTNAME_~$(hostname)~g" ~/.zen/tmp/coucou/${MOATS}.myIP.http ## HOSTNAME
    ###############    ###############    ###############    ###############
+
    ############################################################################
    ## SERVE LANDING REDIRECT PAGE ~/.zen/tmp/coucou/${MOATS}.myIP.http on PORT 1234 (LOOP BLOCKING POINT)
    ############################################################################
--- a/3
+++ b/3
@ -9,9 +9,6 @@ SHELL_FILES ?= $(wildcard .*/*.sh */*.sh */*/*.sh)

 all: install tests

-install:
-	./install.sh
-
 tests: shellcheck

 shellcheck:
--- a/docker/astroport/Dockerfile
+++ b/docker/astroport/Dockerfile
@ -1,4 +1,5 @@
-FROM debian:bullseye as dist
+ARG DOCKER_REPOSITORY=aynicos
+FROM ${DOCKER_REPOSITORY}/x2go:xfce-debian as dist
 LABEL maintainer aynic.os <support+docker@asycn.io>
 ARG DOCKER_BUILD_DIR
 ARG DOCKER_MACHINE=x86_64
@ -6,7 +7,7 @@ ARG DOCKER_SYSTEM=Linux

 RUN apt-get update \
 && apt-get -fy upgrade \
- && apt-get -fy install \
+ && DEBIAN_FRONTEND=noninteractive apt-get -fy install \
        bash \
        bc \
        cron \
@ -61,6 +62,7 @@ RUN apt-get update \
        vim-nox \
        wget \
        x11-utils \
+        x2goserver \
        xclip \
        xz-utils \
        youtube-dl \
@ -87,7 +89,7 @@ RUN set -x && buildDeps=' \
 && chmod 0755 /usr/local/bin/jaklis \
 && /usr/local/bin/jaklis --help >/dev/null \
 && mkdir -p /usr/local/src/dpgpid \
- && wget -qO - https://github.com/aynicos/dpgpid/archive/wip.tar.gz \
+ && wget -qO - https://github.com/aynicos/dpgpid/archive/master.tar.gz \
     |tar --strip-components 1 -C /usr/local/src/dpgpid -xzf - \
 && pip3 install -r /usr/local/src/dpgpid/requirements.txt \
 && ln -s /usr/local/src/dpgpid/keygen /usr/local/bin/keygen \
@ -123,39 +125,51 @@ RUN chmod 600 /etc/ssmtp/ssmtp.conf
 EXPOSE 1234 12345

 COPY install.sh /install.sh
-COPY ${DOCKER_BUILD_DIR}/docker-entrypoint.sh /docker-entrypoint.sh
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["start"]
+COPY ${DOCKER_BUILD_DIR}/*.sh /app/
+CMD ["/app/astroport.sh", "start"]

 FROM dist as master
 ARG DOCKER_BUILD_DIR
 ARG DOCKER_GID
+ARG GID
 ARG SHELL=/bin/bash
 ARG UID
 ARG USER
+ENV GID=${GID}
 ENV UID=${UID}
-ENV GID=${UID}
 ENV USER=zen

 # If we provide a numeric UID
-RUN [ "$UID" -eq "$UID" ] 2>/dev/null \
-# Remove user with $UID if it is not our $USER
- && if [ "$(getent passwd $UID |awk -F: '{print $1}')" != "$USER" ]; then \
-      sed -i '/^'$(getent passwd $UID |awk -F: '{print $1}')':x:'$UID':/d' /etc/passwd; \
-      sed -i '/^'$(getent group $GID |awk -F: '{print $1}')':x:'$GID':/d' /etc/group; \
-    fi \
-# Force $UID if our $USER already exists
- && sed -i 's/^'$USER':x:[0-9]\+:[0-9]\+:/'$USER':x:'$UID':'$GID':/' /etc/passwd \
- && sed -i 's/^'$USER':x:[0-9]\+:/'$USER':x:'$GID':/' /etc/group \
-# Create $USER if it does not exist
- && if [ "$(getent passwd $UID)" = "" ]; then \
-      echo "$USER:x:$UID:$GID::/home/$USER:$SHELL" >> /etc/passwd; \
-      echo "$USER:\!:$(($(date +%s) / 60 / 60 / 24)):0:99999:7:::" >> /etc/shadow; \
-      echo "$USER:x:$GID:" >> /etc/group; \
-    fi \
- && mkdir -p /home/$USER \
- && chown $UID:$GID /home/$USER \
- || true
+RUN if [ "${UID}" -eq "${UID}" ] 2>/dev/null; then \
+  # Force $UID of $USER if it exists
+  if [ "$(awk -F: '$1 == "'"${USER}"'" {print $3}' /etc/passwd)" != "${UID}" ]; then \
+    sed -i 's/^\('"${USER}"':x\):[0-9]\+:/\1:'"${UID}"':/' /etc/passwd; \
+  fi; \
+  # Create $USER if $UID does not exist
+  if [ "$(awk -F: '$3 == "'"${UID}"'" {print $1}' /etc/passwd)" = "" ]; then \
+    echo "${USER}:x:${UID}:${GID:-${UID}}::/home/${USER}:${SHELL:-/bin/sh}" >> /etc/passwd; \
+    echo "${USER}:\!:$(($(date +%s) / 60 / 60 / 24)):0:99999:7:::" >> /etc/shadow; \
+    mkdir -p /home/"${USER}"; \
+  fi; \
+  chown "${UID}" $(awk -F: '$1 == "'"${USER}"'" {print $(NF-1)}' /etc/passwd); \
+fi
+
+# If we provide a numeric GID
+RUN if [ "${GID}" -eq "${GID}" ] 2>/dev/null; then \
+  # Force $GID of $GROUP if it already exists
+  if [ "$(awk -F: '$1 == "'"${GROUP}"'" {print $3}' /etc/group)" != "${GID}" ]; then \
+    sed -i 's/^\('"${GROUP}"':x\):[0-9]\+:/\1:'"${GID}"':/' /etc/group; \
+  fi; \
+  # Create $GROUP if $GID does not exist
+  if [ "$(awk -F: '$3 == "'"${GID}"'" {print $1}' /etc/group)" = "" ]; then \
+    echo "${GROUP}:x:${GID}:" >> /etc/group; \
+  fi; \
+  # Force $GID of $USER if it exists
+  if [ "$(awk -F: '$1 == "'"${USER}"'" {print $4}' /etc/passwd)" != "${GID}" ]; then \
+    sed -i 's/^\('"${USER}"':x:[0-9]\+\):[0-9]\+:/\1:'"${GID}"':/' /etc/passwd; \
+  fi; \
+  chgrp "${GID}" $(awk -F: '$1 == "'"${USER}"'" {print $(NF-1)}' /etc/passwd); \
+fi

 ## sudo
 RUN echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$USER"
@ -164,14 +178,15 @@ RUN echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$USER"
 RUN echo "$USER:support@g1sms.fr:mail.asycn.io:587" >> /etc/ssmtp/revaliases

 # config crontab
-RUN echo "SHELL=/bin/bash" > /var/spool/cron/crontabs/$USER \
- && echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> /var/spool/cron/crontabs/$USER \
- && echo "12  20  *  *  *   /bin/bash /home/zen/.zen/20h12.process.sh > /tmp/20h12.log 2>&1" >> /var/spool/cron/crontabs/$USER \
- && chown $USER /var/spool/cron/crontabs/$USER
+RUN echo "SHELL=/bin/bash" > "/var/spool/cron/crontabs/$USER" \
+ && echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> "/var/spool/cron/crontabs/$USER" \
+ && echo "12  20  *  *  *   /bin/bash /home/zen/.zen/Astroport.ONE/20h12.process.sh > /tmp/20h12.log 2>&1" >> "/var/spool/cron/crontabs/$USER" \
+ && chown "$USER" "/var/spool/cron/crontabs/$USER"

 HEALTHCHECK CMD [ $(ps aux |grep 'nc -l -p' |wc -l) -lt 199 ] && echo -n OK
-USER $USER
-ENV SHELL=${SHELL}
-WORKDIR /home/$USER

-RUN mkdir ~/.zen ~/.zen/tmp ~/astroport
+VOLUME "/home/$USER/.ipfs"
+VOLUME "/home/$USER/.zen"
+VOLUME "/home/$USER/Astroport"
+
+WORKDIR "/home/$USER"
--- a/docker/astroport/astroport.sh
+++ b/docker/astroport/astroport.sh
@ -0,0 +1,40 @@
+#!/usr/bin/env sh
+[ -n "${DEBUG}" ] && set -x
+set -euo errexit
+
+ASTROPORT_DIR=/home/zen/.zen/Astroport.ONE
+ASTROPORT_REPO=https://git.p2p.legal/qo-op/Astroport.ONE.git
+
+cron() {
+  sudo service cron start
+}
+
+log() {
+  tail -F /var/log/fail2ban.log /var/log/syslog /var/log/auth.log /var/log/pam-script.log >&2
+}
+
+zen() {
+  rm -rf /home/zen/.zen/tmp \
+   && mkdir -p /dev/shm/tmp \
+   && ln -s /dev/shm/tmp /home/zen/.zen/tmp
+  [ -d "$ASTROPORT_DIR" ] && cd "$ASTROPORT_DIR" && git pull -q || git clone -q "$ASTROPORT_REPO" "$ASTROPORT_DIR"
+}
+
+case "${1:-${cmd:-start}}" in
+
+  start)
+    cron
+    log &
+    zen
+    exec "$ASTROPORT_DIR/start.sh"
+  ;;
+
+  install)
+    exec /install.sh
+  ;;
+
+  *)
+    exec "$@"
+  ;;
+
+esac
--- a/docker/docker-compose.app.yml
+++ b/docker/docker-compose.app.yml
@ -1,20 +1,23 @@
 version: '3.6'

 services:
-  docker:
+  astroport:
+    build:
+      args:
+      - DOCKER_REPOSITORY=${DOCKER_REPOSITORY}
+      - GID=${NODE_GID}
+      - UID=${NODE_UID}
+    container_name: ${COMPOSE_PROJECT_NAME}-astroport
    environment:
    - ENV=${ENV}
    - SHELL=${DOCKER_SHELL}
-    image: ${DOCKER_REPOSITORY}/docker:${DOCKER_IMAGE_TAG}
+    image: ${DOCKER_REPOSITORY}/astroport:${DOCKER_IMAGE_TAG}
    labels:
-    - SERVICE_1234_CHECK_HTTP=/
-    - SERVICE_1234_NAME=${COMPOSE_SERVICE_NAME}-docker-1234
-    - SERVICE_1234_TAGS=${DOCKER_SERVICE_1234_TAGS}
+    - SERVICE_1234_CHECK_HTTP=/test
+    - SERVICE_1234_NAME=${COMPOSE_SERVICE_NAME}-astroport-1234
+    - SERVICE_1234_TAGS=${NODE_ASTROPORT_SERVICE_1234_TAGS}

-networks:
-  private:
+volumes:
+  ipfs:
    external: true
-    name: ${DOCKER_NETWORK_PRIVATE}
-  public:
-    external: true
-    name: ${DOCKER_NETWORK_PUBLIC}
+    name: ${COMPOSE_SERVICE_NAME}_ipfs
--- a/docker/docker-compose.vdi.yml
+++ b/docker/docker-compose.vdi.yml
@ -0,0 +1,46 @@
+version: '3.8'
+
+services:
+  astroport:
+    build:
+      args:
+      - SSH_PORT=${NODE_VDI_PORT:-22}
+    cap_add:
+    - IPC_LOCK # ecryptfs
+    - NET_ADMIN # iptables
+    - NET_RAW # iptables
+    - SYS_ADMIN # ecryptfs
+    environment:
+    - DEBUG=${VDI_DEBUG:-}
+    - ECRYPTERS=${NODE_VDI_ECRYPTERS:-}
+    - LANG=${NODE_VDI_LANG:-}
+    - SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS:-}
+    - SSH_PORT=${NODE_VDI_PORT:-22}
+    - SSH_PUBLIC_HOSTS=${SSH_PUBLIC_HOSTS:-}
+    - SUDOERS=${NODE_VDI_SUDOERS:-}
+    security_opt:
+    - apparmor=unconfined # ecryptfs
+    - seccomp=unconfined # ecryptfs
+    tty: true
+    volumes:
+    - /etc/localtime:/etc/localtime:ro
+    - /etc/default/console-setup:/etc/default/console-setup:ro
+    - /etc/default/keyboard:/etc/default/keyboard:ro
+    - home:/home:delegated
+    - shared:/shared:cached
+    - shm:/dev/shm:delegated
+
+volumes:
+  home:
+  shared:
+    driver: local
+    driver_opts:
+      type: none
+      device: /mnt/shared
+      o: bind
+  shm:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+      o: mode=1777,size=2147483648 # 2GB
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -1,36 +1,23 @@
 version: '3.6'

 services:
-  docker:
+  astroport:
    build:
      args:
-      - DOCKER_BUILD_DIR=docker
-      - GID=${GID}
+      - DOCKER_BUILD_DIR=docker/astroport
      - IPFS_VERSION=${IPFS_VERSION:-0.16.0}
-      - UID=${UID}
      context: ../
-      dockerfile: docker/Dockerfile
+      dockerfile: docker/astroport/Dockerfile
    network_mode: host
    restart: unless-stopped
    tty: true
-    user: ${UID}:${GID}
    volumes:
-    - data:/home/zen/astroport:cached
+    - data:/home/zen/Astroport:cached
    - ipfs:/home/zen/.ipfs:cached,ro
    - zen:/home/zen/.zen:delegated
-    working_dir: /home/zen/.zen
+    working_dir: /home/zen

 volumes:
  data:
  ipfs:
-    driver: local
-    driver_opts:
-      type: none
-      device: ${HOME}/.ipfs
-      o: bind
  zen:
-    driver: local
-    driver_opts:
-      type: none
-      device: ${HOME}/.zen
-      o: bind
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@ -1,37 +0,0 @@
-#!/usr/bin/env sh
-set -euo errexit
-
-# Print a debug message if debug mode is on ($DEBUG is not empty)
-# @param message
-debug_msg ()
-{
-  if [ -n "${DEBUG:-}" -a "${DEBUG:-}" != "false" ]; then
-    echo "$@"
-  fi
-}
-
-mkdir -p /home/zen/.zen/tmp
-SOURCE_DIR="/home/zen/.zen/Astroport.ONE"
-[ -d "$SOURCE_DIR" ] && cd "$SOURCE_DIR" && git pull -q || git clone -q https://git.p2p.legal/qo-op/Astroport.ONE.git "$SOURCE_DIR"
-cd "$SOURCE_DIR"
-
-sudo -n /usr/sbin/cron -L/dev/stdout
-
-case "${1:-${cmd:-start}}" in
-
-  start)
-    debug_msg "Starting $SOURCE_DIR/start.sh ..."
-    exec "$SOURCE_DIR"/start.sh
-  ;;
-
-  install)
-    debug_msg "Installing..."
-    exec /install.sh
-  ;;
-
-  *)
-    debug_msg "Exec: $@"
-    exec "$@"
-  ;;
-
-esac
--- a/docker/stack.mk
+++ b/docker/stack.mk
@ -0,0 +1,12 @@
+COMPOSE_FILE_VDI                := true
+COMPOSE_PROJECT_NAME            := $(HOSTNAME)
+MAKE_VARS                       += NODE_VDI_PORT node
+SERVICE                         := astroport
+SSH_PORT                        := $(NODE_VDI_PORT)
+SSH_PUBLIC_HOSTS                += git.p2p.legal
+STACK                           := node
+UFW_UPDATE                      := $(SERVICE)
+node                            := node/ipfs
+
+bootstrap-stack: myos-node
+