From ffc4aaa72cacd6464682f76a1b03fb1bd05c0edd Mon Sep 17 00:00:00 2001
From: Yann Autissier
Date: Tue, 22 Nov 2022 22:49:46 +0000
Subject: [PATCH] add crypto vdi
---
 .env.dist | 10 +++-
 12345.sh | 1 +
 Makefile | 3 --
 docker/{ => astroport}/Dockerfile | 81 ++++++++++++++++++-------------
 docker/astroport/astroport.sh | 40 +++++++++++++++
 docker/docker-compose.app.yml | 25 +++++-----
 docker/docker-compose.vdi.yml | 46 ++++++++++++++++++
 docker/docker-compose.yml | 23 ++-------
 docker/docker-entrypoint.sh | 37 --------------
 docker/stack.mk | 12 +++++
 10 files changed, 175 insertions(+), 103 deletions(-)
 rename docker/{ => astroport}/Dockerfile (65%)
 create mode 100755 docker/astroport/astroport.sh
 create mode 100644 docker/docker-compose.vdi.yml
 delete mode 100755 docker/docker-entrypoint.sh
 create mode 100644 docker/stack.mk
diff --git a/.env.dist b/.env.dist
index b045f572..566cb2fe 100644
--- a/.env.dist
+++ b/.env.dist
@@ -1 +1,9 @@
-DOCKER_SERVICE_1234_TAGS=urlprefix-astroport.${APP_DOMAIN}/
+DOCKER_IMAGES_MYOS=x2go:xfce-debian
+NODE_ASTROPORT_SERVICE_1234_TAGS=urlprefix-astroport.${DOMAIN}/
+NODE_VDI_ECRYPTERS=zen
+NODE_VDI_LANG=${LANG}
+NODE_VDI_PORT=45720
+NODE_VDI_SUDOERS=
+NODE_VDI_TZ=UTC
+NODE_VDI_USERS=zen
+UFW_UPDATE_ASTROPORT=1234 12245:12445/tcp
diff --git a/12345.sh b/12345.sh
index 21c3ae41..f5b88ef2 100755
--- a/12345.sh
+++ b/12345.sh
@@ -100,6 +100,7 @@ while true; do
 sed -i "s~_IPFSNODEID_~${IPFSNODEID}~g" ~/.zen/tmp/coucou/${MOATS}.myIP.http ## NODE PUBLISH HOSTED ${WHAT}'S JSON
 sed -i "s~_HOSTNAME_~$(hostname)~g" ~/.zen/tmp/coucou/${MOATS}.myIP.http ## HOSTNAME ############### ############### ############### ###############
+ ############################################################################
 ## SERVE LANDING REDIRECT PAGE ~/.zen/tmp/coucou/${MOATS}.myIP.http on PORT 1234 (LOOP BLOCKING POINT) ############################################################################
diff --git a/Makefile b/Makefile
index 31000978..12064871 100644
--- a/Makefile
+++ b/Makefile
@@ -9,9 +9,6 @@ SHELL_FILES ?= $(wildcard .*/*.sh */*.sh */*/*.sh)
 all: install tests -install: - ./install.sh - tests: shellcheck shellcheck:
diff --git a/docker/Dockerfile b/docker/astroport/Dockerfile
similarity index 65%
rename from docker/Dockerfile
rename to docker/astroport/Dockerfile
index 50a40ed8..1dfa1ea9 100644
--- a/docker/Dockerfile
+++ b/docker/astroport/Dockerfile
@@ -1,4 +1,5 @@
-FROM debian:bullseye as dist
+ARG DOCKER_REPOSITORY=aynicos
+FROM ${DOCKER_REPOSITORY}/x2go:xfce-debian as dist
 LABEL maintainer aynic.os
 ARG DOCKER_BUILD_DIR
 ARG DOCKER_MACHINE=x86_64
@@ -6,7 +7,7 @@ ARG DOCKER_SYSTEM=Linux
 RUN apt-get update \
 && apt-get -fy upgrade \
- && apt-get -fy install \
+ && DEBIAN_FRONTEND=noninteractive apt-get -fy install \
 bash \
 bc \
 cron \
@@ -61,6 +62,7 @@ RUN apt-get update \
 vim-nox \
 wget \
 x11-utils \
+ x2goserver \
 xclip \
 xz-utils \
 youtube-dl \
@@ -87,7 +89,7 @@ RUN set -x && buildDeps=' \
 && chmod 0755 /usr/local/bin/jaklis \
 && /usr/local/bin/jaklis --help >/dev/null \
 && mkdir -p /usr/local/src/dpgpid \
- && wget -qO - https://github.com/aynicos/dpgpid/archive/wip.tar.gz \
+ && wget -qO - https://github.com/aynicos/dpgpid/archive/master.tar.gz \
 |tar --strip-components 1 -C /usr/local/src/dpgpid -xzf - \
 && pip3 install -r /usr/local/src/dpgpid/requirements.txt \
 && ln -s /usr/local/src/dpgpid/keygen /usr/local/bin/keygen \
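Review bot: `FROM ${DOCKER_REPOSITORY}/x2go:xfce-debian as dist` replaces a distribution image with a tag from a personal registry namespace (`ARG DOCKER_REPOSITORY=aynicos`) and pins neither a version nor a digest, so each rebuild trusts whatever that tag resolves to on that day and two builds of this commit are not guaranteed to produce the same image. Once the base has been reviewed, pin it as `FROM ${DOCKER_REPOSITORY}/x2go:xfce-debian@sha256:<digest-of-reviewed-image> AS dist` and bump the digest deliberately; uppercase `AS` also matches the casing of the other instructions in the file. `DOCKER_IMAGES_MYOS=x2go:xfce-debian` in .env.dist appears to name the same image and would need the same treatment if it is what drives the pull.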
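Review bot: Switching the dpgpid fetch from `wip.tar.gz` to `master.tar.gz` still downloads a moving branch and pipes it straight into `tar`, after which `pip3 install -r /usr/local/src/dpgpid/requirements.txt` installs whatever that branch lists, so the image content depends on the state of that GitHub branch at build time and nothing verifies what was received. Fetch a specific commit or release archive and check it before extracting, e.g. `wget -qO dpgpid.tar.gz https://github.com/aynicos/dpgpid/archive/<pinned-commit>.tar.gz` followed by `echo "<expected-sha256>  dpgpid.tar.gz" | sha256sum -c -`, then extract from the file; the same applies to the `jaklis` download if it is fetched the same way in the lines above this hunk. The enclosing `RUN set -x && buildDeps=' \` instruction starts before this hunk and continues after it.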
@@ -123,39 +125,51 @@ RUN chmod 600 /etc/ssmtp/ssmtp.conf
 EXPOSE 1234 12345
 COPY install.sh /install.sh
-COPY ${DOCKER_BUILD_DIR}/docker-entrypoint.sh /docker-entrypoint.sh
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["start"]
+COPY ${DOCKER_BUILD_DIR}/*.sh /app/
+CMD ["/app/astroport.sh", "start"]
 FROM dist as master
 ARG DOCKER_BUILD_DIR
 ARG DOCKER_GID
+ARG GID
 ARG SHELL=/bin/bash
 ARG UID
 ARG USER
+ENV GID=${GID}
 ENV UID=${UID}
-ENV GID=${UID}
 ENV USER=zen
 # If we provide a numeric UID
-RUN [ "$UID" -eq "$UID" ] 2>/dev/null \
-# Remove user with $UID if it is not our $USER
- && if [ "$(getent passwd $UID |awk -F: '{print $1}')" != "$USER" ]; then \
- sed -i '/^'$(getent passwd $UID |awk -F: '{print $1}')':x:'$UID':/d' /etc/passwd; \
- sed -i '/^'$(getent group $GID |awk -F: '{print $1}')':x:'$GID':/d' /etc/group; \
- fi \
-# Force $UID if our $USER already exists
- && sed -i 's/^'$USER':x:[0-9]\+:[0-9]\+:/'$USER':x:'$UID':'$GID':/' /etc/passwd \
- && sed -i 's/^'$USER':x:[0-9]\+:/'$USER':x:'$GID':/' /etc/group \
-# Create $USER if it does not exist
- && if [ "$(getent passwd $UID)" = "" ]; then \
- echo "$USER:x:$UID:$GID::/home/$USER:$SHELL" >> /etc/passwd; \
- echo "$USER:\!:$(($(date +%s) / 60 / 60 / 24)):0:99999:7:::" >> /etc/shadow; \
- echo "$USER:x:$GID:" >> /etc/group; \
- fi \
- && mkdir -p /home/$USER \
- && chown $UID:$GID /home/$USER \
- || true
+RUN if [ "${UID}" -eq "${UID}" ] 2>/dev/null; then \
+ # Force $UID of $USER if it exists
+ if [ "$(awk -F: '$1 == "'"${USER}"'" {print $3}' /etc/passwd)" != "${UID}" ]; then \
+ sed -i 's/^\('"${USER}"':x\):[0-9]\+:/\1:'"${UID}"':/' /etc/passwd; \
+ fi; \
+ # Create $USER if $UID does not exist
+ if [ "$(awk -F: '$3 == "'"${UID}"'" {print $1}' /etc/passwd)" = "" ]; then \
+ echo "${USER}:x:${UID}:${GID:-${UID}}::/home/${USER}:${SHELL:-/bin/sh}" >> /etc/passwd; \
+ echo "${USER}:\!:$(($(date +%s) / 60 / 60 / 24)):0:99999:7:::" >> /etc/shadow; \
+ mkdir -p /home/"${USER}"; \
+ fi; \
+ chown "${UID}" $(awk -F:
'$1 == "'"${USER}"'" {print $(NF-1)}' /etc/passwd); \
+fi
+
+# If we provide a numeric GID
+RUN if [ "${GID}" -eq "${GID}" ] 2>/dev/null; then \
+ # Force $GID of $GROUP if it already exists
+ if [ "$(awk -F: '$1 == "'"${GROUP}"'" {print $3}' /etc/group)" != "${GID}" ]; then \
+ sed -i 's/^\('"${GROUP}"':x\):[0-9]\+:/\1:'"${GID}"':/' /etc/group; \
+ fi; \
+ # Create $GROUP if $GID does not exist
+ if [ "$(awk -F: '$3 == "'"${GID}"'" {print $1}' /etc/group)" = "" ]; then \
+ echo "${GROUP}:x:${GID}:" >> /etc/group; \
+ fi; \
+ # Force $GID of $USER if it exists
+ if [ "$(awk -F: '$1 == "'"${USER}"'" {print $4}' /etc/passwd)" != "${GID}" ]; then \
+ sed -i 's/^\('"${USER}"':x:[0-9]\+\):[0-9]\+:/\1:'"${GID}"':/' /etc/passwd; \
+ fi; \
+ chgrp "${GID}" $(awk -F: '$1 == "'"${USER}"'" {print $(NF-1)}' /etc/passwd); \
+fi
 ## sudo
 RUN echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$USER"
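Review bot: The new GID block reads `${GROUP}` in its awk and sed lookups and in `echo "${GROUP}:x:${GID}:" >> /etc/group`, but the `master` stage declares only `ARG GID`, `ARG SHELL`, `ARG UID` and `ARG USER` — there is no `ARG GROUP` or `ENV GROUP` anywhere in this hunk. Unless the x2go base image happens to export GROUP in its environment, it expands to the empty string, the `$1 == ""` match never fires, and whenever GID is not already taken a nameless entry `:x:<GID>:` is appended to /etc/group while the following `chgrp "${GID}"` still runs. Declare it next to the other arguments, e.g. `ARG GROUP=zen`, or make the block a no-op when it is unset by changing the guard to `RUN if [ -n "${GROUP}" ] && [ "${GID}" -eq "${GID}" ] 2>/dev/null; then \`. The same hunk's `COPY ${DOCKER_BUILD_DIR}/*.sh /app/` copies every shell script in that directory, so a comment stating which scripts are expected there would help the next person who adds one.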
@@ -164,14 +178,15 @@ RUN echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$USER"
 RUN echo "$USER:support@g1sms.fr:mail.asycn.io:587" >> /etc/ssmtp/revaliases
 # config crontab
-RUN echo "SHELL=/bin/bash" > /var/spool/cron/crontabs/$USER \
- && echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> /var/spool/cron/crontabs/$USER \
- && echo "12 20 * * * /bin/bash /home/zen/.zen/20h12.process.sh > /tmp/20h12.log 2>&1" >> /var/spool/cron/crontabs/$USER \
- && chown $USER /var/spool/cron/crontabs/$USER
+RUN echo "SHELL=/bin/bash" > "/var/spool/cron/crontabs/$USER" \
+ && echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> "/var/spool/cron/crontabs/$USER" \
+ && echo "12 20 * * * /bin/bash /home/zen/.zen/Astroport.ONE/20h12.process.sh > /tmp/20h12.log 2>&1" >> "/var/spool/cron/crontabs/$USER" \
+ && chown "$USER" "/var/spool/cron/crontabs/$USER"
 HEALTHCHECK CMD [ $(ps aux |grep 'nc -l -p' |wc -l) -lt 199 ] && echo -n OK
-USER $USER
-ENV SHELL=${SHELL}
-WORKDIR /home/$USER
-RUN mkdir ~/.zen ~/.zen/tmp ~/astroport
+VOLUME "/home/$USER/.ipfs"
+VOLUME "/home/$USER/.zen"
+VOLUME "/home/$USER/Astroport"
+
+WORKDIR "/home/$USER"
diff --git a/docker/astroport/astroport.sh b/docker/astroport/astroport.sh
new file mode 100755
index 00000000..8ae1a22a
--- /dev/null
+++ b/docker/astroport/astroport.sh
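Review bot: `USER $USER` is removed from the end of the `master` stage and nothing re-adds it, and docker/docker-compose.yml in this same commit drops `user: ${UID}:${GID}`, so `CMD ["/app/astroport.sh", "start"]` and everything it execs (the git pull, start.sh, the backgrounded log tail) now run as root unless the x2go base image's own entrypoint drops privileges, which cannot be confirmed from here. If root is not intended, restore `USER $USER` after the three `VOLUME` lines; if the base image genuinely needs root for its services, say so in a comment at that spot so the next reader does not re-add it blindly. Note also that `RUN mkdir ~/.zen ~/.zen/tmp ~/astroport` is removed while `VOLUME "/home/$USER/.zen"` is declared: a mount point the image does not create is created by the runtime at first start, typically root-owned, which will matter again the moment a non-root `USER` is restored.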
@@ -0,0 +1,40 @@
+#!/usr/bin/env sh
+[ -n "${DEBUG}" ] && set -x
+set -euo errexit
+
+ASTROPORT_DIR=/home/zen/.zen/Astroport.ONE
+ASTROPORT_REPO=https://git.p2p.legal/qo-op/Astroport.ONE.git
+
+cron() {
+ sudo service cron start
+}
+
+log() {
+ tail -F /var/log/fail2ban.log /var/log/syslog /var/log/auth.log /var/log/pam-script.log >&2
+}
+
+zen() {
+ rm -rf /home/zen/.zen/tmp \
+ && mkdir -p /dev/shm/tmp \
+ && ln -s /dev/shm/tmp /home/zen/.zen/tmp
+ [ -d "$ASTROPORT_DIR" ] && cd "$ASTROPORT_DIR" && git pull -q || git clone -q "$ASTROPORT_REPO" "$ASTROPORT_DIR"
+}
+
+case "${1:-${cmd:-start}}" in
+
+ start)
+ cron
+ log &
+ zen
+ exec "$ASTROPORT_DIR/start.sh"
+ ;;
+
+ install)
+ exec /install.sh
+ ;;
+
+ *)
+ exec "$@"
+ ;;
+
+esac
diff --git a/docker/docker-compose.app.yml b/docker/docker-compose.app.yml
index 8a602fa5..14b3de07 100644
--- a/docker/docker-compose.app.yml
+++ b/docker/docker-compose.app.yml
@@ -1,20 +1,23 @@
 version: '3.6' services: - docker: + astroport: + build: + args: + - DOCKER_REPOSITORY=${DOCKER_REPOSITORY} + - GID=${NODE_GID} + - UID=${NODE_UID} + container_name: ${COMPOSE_PROJECT_NAME}-astroport environment: - ENV=${ENV} - SHELL=${DOCKER_SHELL} - image: ${DOCKER_REPOSITORY}/docker:${DOCKER_IMAGE_TAG} + image: ${DOCKER_REPOSITORY}/astroport:${DOCKER_IMAGE_TAG} labels: - - SERVICE_1234_CHECK_HTTP=/ - - SERVICE_1234_NAME=${COMPOSE_SERVICE_NAME}-docker-1234 - - SERVICE_1234_TAGS=${DOCKER_SERVICE_1234_TAGS} + - SERVICE_1234_CHECK_HTTP=/test + - SERVICE_1234_NAME=${COMPOSE_SERVICE_NAME}-astroport-1234 + - SERVICE_1234_TAGS=${NODE_ASTROPORT_SERVICE_1234_TAGS} -networks: - private: +volumes: + ipfs: external: true - name: ${DOCKER_NETWORK_PRIVATE} - public: - external: true - name: ${DOCKER_NETWORK_PUBLIC} + name: ${COMPOSE_SERVICE_NAME}_ipfs
diff --git a/docker/docker-compose.vdi.yml b/docker/docker-compose.vdi.yml
new file mode 100644
index 00000000..6e4edd7e
--- /dev/null
+++ b/docker/docker-compose.vdi.yml
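Review bot: `zen()` deletes `/home/zen/.zen/tmp` and re-points it at `/dev/shm/tmp`, created with a bare `mkdir -p`, so the directory's mode comes from the caller's umask; in the VDI stack `/dev/shm` is the shared `shm` tmpfs mounted `mode=1777` (docker-compose.vdi.yml), which means every other account in that container can read, and if the umask allows it write, what 12345.sh stores under `~/.zen/tmp`. If that tree is private to zen, create it as `mkdir -p -m 0700 /dev/shm/tmp` and treat a pre-existing directory not owned by the current user as an error rather than silently linking into it. The `git pull -q` / `git clone -q "$ASTROPORT_REPO"` followed by `exec "$ASTROPORT_DIR/start.sh"` executes whatever the remote default branch holds at every container start with no commit pin or signature check; the deleted docker-entrypoint.sh did the same, but this script is now the place to add a `git checkout <pinned-ref>` or at least a comment stating that the node intentionally tracks the branch head. Finally, `set -euo errexit` is just `set -e -u -e`; if `pipefail` was intended, note that `#!/usr/bin/env sh` does not guarantee it is available, so either drop the redundant `-o errexit` or pick an interpreter that supports the option.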
@@ -0,0 +1,46 @@
+version: '3.8'
+
+services:
+ astroport:
+ build:
+ args:
+ - SSH_PORT=${NODE_VDI_PORT:-22}
+ cap_add:
+ - IPC_LOCK # ecryptfs
+ - NET_ADMIN # iptables
+ - NET_RAW # iptables
+ - SYS_ADMIN # ecryptfs
+ environment:
+ - DEBUG=${VDI_DEBUG:-}
+ - ECRYPTERS=${NODE_VDI_ECRYPTERS:-}
+ - LANG=${NODE_VDI_LANG:-}
+ - SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS:-}
+ - SSH_PORT=${NODE_VDI_PORT:-22}
+ - SSH_PUBLIC_HOSTS=${SSH_PUBLIC_HOSTS:-}
+ - SUDOERS=${NODE_VDI_SUDOERS:-}
+ security_opt:
+ - apparmor=unconfined # ecryptfs
+ - seccomp=unconfined # ecryptfs
+ tty: true
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/default/console-setup:/etc/default/console-setup:ro
+ - /etc/default/keyboard:/etc/default/keyboard:ro
+ - home:/home:delegated
+ - shared:/shared:cached
+ - shm:/dev/shm:delegated
+
+volumes:
+ home:
+ shared:
+ driver: local
+ driver_opts:
+ type: none
+ device: /mnt/shared
+ o: bind
+ shm:
+ driver: local
+ driver_opts:
+ type: tmpfs
+ device: tmpfs
+ o: mode=1777,size=2147483648 # 2GB
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index b847a264..f9f14862 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -1,36 +1,23 @@
 version: '3.6' services: - docker: + astroport: build: args: - - DOCKER_BUILD_DIR=docker - - GID=${GID} + - DOCKER_BUILD_DIR=docker/astroport - IPFS_VERSION=${IPFS_VERSION:-0.16.0} - - UID=${UID} context: ../ - dockerfile: docker/Dockerfile + dockerfile: docker/astroport/Dockerfile network_mode: host restart: unless-stopped tty: true - user: ${UID}:${GID} volumes: - - data:/home/zen/astroport:cached + - data:/home/zen/Astroport:cached - ipfs:/home/zen/.ipfs:cached,ro - zen:/home/zen/.zen:delegated - working_dir: /home/zen/.zen + working_dir: /home/zen volumes: data: ipfs: - driver: local - driver_opts: - type: none - device: ${HOME}/.ipfs - o: bind zen: - driver: local - driver_opts: - type: none - device: ${HOME}/.zen - o: bind
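Review bot: The `astroport` service gets `SYS_ADMIN`, `NET_ADMIN`, `NET_RAW` and `IPC_LOCK` together with `apparmor=unconfined` and `seccomp=unconfined`; if this file is layered over docker/docker-compose.yml, which keeps `network_mode: host`, and the image's final stage no longer sets `USER` (same commit), the container boundary is close to nominal and a compromise of sshd, x2go or anything a VDI user runs becomes a host-level incident. The inline comments attribute each setting to ecryptfs or iptables but do not say why the unconfined profiles are needed on top of the capabilities; if ecryptfs only requires the mount and key-management syscalls, a custom seccomp profile and a dedicated AppArmor profile that permit those would keep the default restrictions for everything else, so please record the tested minimum in a comment next to `security_opt` rather than leaving `# ecryptfs` as the whole justification. `shared:/shared:cached` binds the host path `/mnt/shared` read-write and `home:/home:delegated` puts every VDI user's home in one named volume; a comment stating whether container-side writes to the host directory are intended would let a reviewer judge that without guessing. The `mode=1777` on the `shm` tmpfs is the usual /dev/shm mode, but combined with docker/astroport/astroport.sh linking `~/.zen/tmp` into `/dev/shm` it means the service's scratch files are readable by every local account unless the script creates its subdirectory with restrictive permissions.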
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
deleted file mode 100755
index dc5d60c3..00000000
--- a/docker/docker-entrypoint.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/usr/bin/env sh
-set -euo errexit
-
-# Print a debug message if debug mode is on ($DEBUG is not empty)
-# @param message
-debug_msg ()
-{
- if [ -n "${DEBUG:-}" -a "${DEBUG:-}" != "false" ]; then
- echo "$@"
- fi
-}
-
-mkdir -p /home/zen/.zen/tmp
-SOURCE_DIR="/home/zen/.zen/Astroport.ONE"
-[ -d "$SOURCE_DIR" ] && cd "$SOURCE_DIR" && git pull -q || git clone -q https://git.p2p.legal/qo-op/Astroport.ONE.git "$SOURCE_DIR"
-cd "$SOURCE_DIR"
-
-sudo -n /usr/sbin/cron -L/dev/stdout
-
-case "${1:-${cmd:-start}}" in
-
- start)
- debug_msg "Starting $SOURCE_DIR/start.sh ..."
- exec "$SOURCE_DIR"/start.sh
- ;;
-
- install)
- debug_msg "Installing..."
- exec /install.sh
- ;;
-
- *)
- debug_msg "Exec: $@"
- exec "$@"
- ;;
-
-esac
diff --git a/docker/stack.mk b/docker/stack.mk
new file mode 100644
index 00000000..562ff124
--- /dev/null
+++ b/docker/stack.mk
@@ -0,0 +1,12 @@
+COMPOSE_FILE_VDI := true
+COMPOSE_PROJECT_NAME := $(HOSTNAME)
+MAKE_VARS += NODE_VDI_PORT node
+SERVICE := astroport
+SSH_PORT := $(NODE_VDI_PORT)
+SSH_PUBLIC_HOSTS += git.p2p.legal
+STACK := node
+UFW_UPDATE := $(SERVICE)
+node := node/ipfs
+
+bootstrap-stack: myos-node
+