diff --git a/CHANGELOG.md b/CHANGELOG.md index cc93e78..7272f85 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # CHANGELOG +## v0.9.9 - 2022-11-22 + +* node name is `hostname` + ## v0.9 - 2022-11-11 * split make files in `myos` project and install files in `yaip` project diff --git a/docker/ipfs/ipfs-config.sh b/docker/ipfs/ipfs-config.sh index 02e66e9..c0faddf 100755 --- a/docker/ipfs/ipfs-config.sh +++ b/docker/ipfs/ipfs-config.sh @@ -21,7 +21,7 @@ echo "${IPFS_ADDRESSES_API_INET4}" |awk -F. '{ for ( i=1; i<=4; i++ ) if ($i >= # check ${IPFS_ADDRESSES_API_PORT} format [ "${IPFS_ADDRESSES_API_PORT}" -eq "${IPFS_ADDRESSES_API_PORT}" ] 2>/dev/null && [ "${IPFS_ADDRESSES_API_PORT}" -ge 1 ] && [ "${IPFS_ADDRESSES_API_PORT}" -le 65535 ] \ || unset IPFS_ADDRESSES_API_PORT -ipfs config Addresses.API "${IPFS_ADDRESSES_API:-/ip4/${IPFS_ADDRESSES_API_INET4:-127.0.0.1}/tcp/${IPFS_ADDRESSES_API_PORT:-5001}}" +ipfs config Addresses.Api "${IPFS_ADDRESSES_API:-/ip4/${IPFS_ADDRESSES_API_INET4:-127.0.0.1}/tcp/${IPFS_ADDRESSES_API_PORT:-5001}}" ## gateway address # search for ip address of $(hostname).${IPFS_ADDRESSES_GATEWAY_DOMAIN} diff --git a/docker/x2go/xfce-debian/Dockerfile b/docker/x2go/xfce-debian/Dockerfile index 7aae745..e7c578f 100644 --- a/docker/x2go/xfce-debian/Dockerfile +++ b/docker/x2go/xfce-debian/Dockerfile @@ -26,9 +26,12 @@ RUN cp /usr/share/doc/libpam-script/examples/logscript /usr/share/libpam-script WORKDIR /app COPY ${DOCKER_BUILD_DIR}/*.sh /app/ +ARG SSH_PORT=22 CMD [] ENTRYPOINT ["/app/run.sh"] -HEALTHCHECK CMD timeout 1 bash -c "/dev/null +EXPOSE ${SSH_PORT:-22} +RUN echo "${SSH_PORT}" > /app/.ssh_port +HEALTHCHECK CMD timeout 1 bash -c "/dev/null)" 2>/dev/null FROM dist as master ARG DOCKER_BUILD_DIR diff --git a/docker/x2go/xfce-debian/authorized_keys.sh b/docker/x2go/xfce-debian/authorized_keys.sh new file mode 100755 index 0000000..e8d320e --- /dev/null +++ b/docker/x2go/xfce-debian/authorized_keys.sh 
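Review bot: The ipfs-config.sh change renames the key written by `ipfs config` from `Addresses.API` to `Addresses.Api`, but `Addresses.API` is the documented spelling and the one the rest of the script's variable names (`IPFS_ADDRESSES_API*`) follow; the commit does not say why. Kubo's config lookup is, as far as I know, case-insensitive, so this is probably harmless today, but if that ever changes the write would land in an unused key and the validated-port logic just above would silently have no effect. Keep the documented form, `ipfs config Addresses.API "…"`, or add a comment stating that the lower-case form is intentional.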
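Review bot: In the xfce-debian Dockerfile hunk, `RUN echo "${SSH_PORT}" > /app/.ssh_port` and `EXPOSE ${SSH_PORT:-22}` freeze the build-time value into the image, while setup_sshd.sh in this same commit configures sshd from the runtime `SSH_PORT` environment variable; an image built once and started with a different `SSH_PORT` then exposes and (presumably, the HEALTHCHECK line is not fully visible here) health-checks a port sshd is not listening on. If the health check reads `/app/.ssh_port`, let the runtime variable win: `"${SSH_PORT:-$(cat /app/.ssh_port)}"`. A comment on the `ARG SSH_PORT=22` line saying that it must match the runtime `SSH_PORT` would also help whoever next edits the compose files.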
@@ -0,0 +1,25 @@ +#!/bin/sh +[ -n "${DEBUG}" ] && set -x +set -eu + +user=${1:-${USER}} +domain=${USER/*@} + +[ -f "/home/${user}/.ssh/authorized_keys" ] \ + && authorized_keys=$(cat "/home/${user}/.ssh/authorized_keys" 2>/dev/null) +if [ -n "${authorized_keys:-}" ]; then + echo "${authorized_keys:-}" +elif [ -n "${SSH_AUTHORIZED_KEYS:-}" ]; then + for host in ${SSH_AUTHORIZED_KEYS:-}; do + wget -qO - "${host}" 2>/dev/null && break + done +elif [ -n "${user}" ]; then + # if no domain + if [ "${domain}" = "${user}" ]; then + for host in ${SSH_PUBLIC_HOSTS:-}; do + wget -qO - "https://${host}/${user}.keys" 2>/dev/null && break + done + else + exit 1 + fi +fi diff --git a/docker/x2go/xfce-debian/run.sh b/docker/x2go/xfce-debian/run.sh index c2cd08e..9e969d9 100755 --- a/docker/x2go/xfce-debian/run.sh +++ b/docker/x2go/xfce-debian/run.sh @@ -10,9 +10,7 @@ if [ ! -f /app/.setup_done ]; then /app/setup_timezone.sh fi -/app/setup_ecryptfs.sh /dev/shm -# /shared encryption will not survive on restart -/app/setup_ecryptfs.sh /shared +/app/setup_ecryptfs.sh /dev/shm & /app/setup_users.sh ## Start-up our services manually (since Docker container will not invoke all init scripts). @@ -50,6 +48,6 @@ if [ $# -eq 0 ]; then PID=$! && wait else # WARNING: cleanup is not called - exec /bin/bash -c "set -e && $*" + exec su ${USER:-root} /bin/bash -c "set -e && $*" fi cleanup diff --git a/docker/x2go/xfce-debian/setup_sshd.sh b/docker/x2go/xfce-debian/setup_sshd.sh index f3b8e98..131f9a5 100755 --- a/docker/x2go/xfce-debian/setup_sshd.sh +++ b/docker/x2go/xfce-debian/setup_sshd.sh 
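Review bot: `domain=${USER/*@}` derives the domain from the invoker's `USER` environment variable instead of from `${user}` (the first argument), so the `[ "${domain}" = "${user}" ]` test further down compares two different identities; this coincides when the script is launched through `su "${user}"` from setup_users.sh (su resets `USER`) but not for a direct call with an argument, and `${var/pattern}` is a bash-only substitution under a `#!/bin/sh` shebang that dash rejects. The POSIX form `domain=${user##*@}` fixes both. Separately, whatever `wget -qO - "${host}"` returns for an `SSH_AUTHORIZED_KEYS` entry is emitted verbatim and later written as the user's authorized_keys; restricting entries to `https://` URLs and filtering the output to lines that look like public keys (for example `grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-) '`) would keep a mistyped or plain-http URL from installing unintended keys. When every source yields nothing the script still exits 0 with empty output, which the caller cannot distinguish from success.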
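Review bot: In the first run.sh hunk, `/app/setup_ecryptfs.sh /dev/shm &` returns immediately, so `/app/setup_users.sh` on the next line and the service start-up that follows race with the mount; anything written to /dev/shm before the encrypted overlay is in place lands on the plain tmpfs and is shadowed afterwards (I cannot see setup_ecryptfs.sh, so the exact window is inferred). Nothing `wait`s for the job, so a failed mount is never reported either. If the intent is only to drop the second, non-persistent `/shared` mount, keep this call synchronous; otherwise add `wait` before the services are started and record the exit status. The script continues outside the hunk.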
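Review bot: In the second run.sh hunk, `exec su ${USER:-root} /bin/bash -c "set -e && $*"` places `/bin/bash -c …` after the user name, so su hands them to the account's login shell as positional arguments rather than treating `-c` as its own option; whether the command still runs as intended depends on the su implementation's option permutation and on the shell configured for `USER`. The explicit form `exec su -s /bin/bash -c "set -e && $*" "${USER:-root}"` removes that dependency and quotes the user name. The `# WARNING: cleanup is not called` comment above still applies and could mention that the command now runs as `USER` rather than root when that variable is set.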
@@ -11,6 +11,7 @@ sed -i "s/^#\?PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_ sed -i "s/^#\?PrintLastLog.*/PrintLastLog yes/g" /etc/ssh/sshd_config sed -i "s/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/g" /etc/ssh/sshd_config sed -i "s/^#\?X11Forwarding.*/X11Forwarding no/g" /etc/ssh/sshd_config +sed -i "s/^#\?Port.*/Port ${SSH_PORT:-22}/g" /etc/ssh/sshd_config cat >> /etc/ssh/sshd_config < /dev/null 2>&1 || useradd -s /bin/bash "${user}" [ ! -d "/home/${user}" ] \ && mkdir -p "/home/${user}" \ @@ -15,9 +15,9 @@ for user in ${USERS:-${USERNAME}}; do done usermod -a -G x2gouser "${user}" mkdir -p "/home/${user}/.ssh" - wget -qO "/home/${user}/.ssh/authorized_keys" "https://gitlab.com/${user}.keys" 2>/dev/null \ - || wget -qO "/home/${user}/.ssh/authorized_keys" "https://github.com/${user}.keys" 2>/dev/null \ - || echo "WARNING: Unable to fetch ssh public keys for user ${user}." + keys=$(su "${user}" /app/authorized_keys.sh 2>/dev/null) \ + && echo "${keys}" > "/home/${user}/.ssh/authorized_keys" \ + || echo "WARNING: Unable to fetch authorized keys for ssh user ${user}." chown "${user}" "/home/${user}/.ssh" "/home/${user}/.ssh/authorized_keys" done for sudoer in ${SUDOERS:-}; do @@ -29,5 +29,5 @@ for ecrypter in ${ECRYPTERS:-}; do touch "/home/${ecrypter}/.ecryptfs/auto-umount" chown -R "${ecrypter}" "/home/${ecrypter}/.ecryptfs" done -ln -s /app/setup_ecryptfs_sshagent.sh /etc/profile.d/ +cp /app/setup_ecryptfs_sshagent.sh /etc/profile.d/ mkdir -p /shared && chmod 1777 /shared diff --git a/make/apps/common.mk b/make/apps/common.mk index 8841f8e..2834800 100644 --- a/make/apps/common.mk +++ b/make/apps/common.mk 
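Review bot: `sed -i "s/^#\?Port.*/Port ${SSH_PORT:-22}/g" /etc/ssh/sshd_config` interpolates `SSH_PORT` unvalidated into the sed program; a value containing `/`, `&` or a newline (a mistyped `22/tcp`, say) alters the expression instead of the port, leaving sshd_config unmodified or malformed. Validate it first, in the style ipfs-config.sh already uses for its port: `[ "${SSH_PORT:-22}" -eq "${SSH_PORT:-22}" ] 2>/dev/null && [ "${SSH_PORT:-22}" -ge 1 ] && [ "${SSH_PORT:-22}" -le 65535 ] || SSH_PORT=22`. The heredoc appended to sshd_config after this line is not fully visible here, so it is not reviewed.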
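Review bot: In the setup_users.sh hunk, `keys=$(su "${user}" /app/authorized_keys.sh 2>/dev/null) && echo "${keys}" > …` succeeds on an empty result, so when no key source returns anything a newline-only authorized_keys is written and the WARNING branch is never reached; add `[ -n "${keys}" ]` to the chain: `keys=$(su "${user}" /app/authorized_keys.sh 2>/dev/null) && [ -n "${keys}" ] && echo "${keys}" > "/home/${user}/.ssh/authorized_keys" || echo "WARNING: Unable to fetch authorized keys for ssh user ${user}."`. Passing the script path as a positional argument to su relies on the account's login shell executing it (the `useradd -s /bin/bash` above makes that bash); `su -s /bin/sh -c /app/authorized_keys.sh "${user}"` would make the interpreter explicit. The file is created with root's umask; a `chmod 600` next to the `chown` would give it the conventional mode. The loop this sits in starts before the hunk.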
@@ -27,7 +27,7 @@ bootstrap-docker: install-bin-docker setup-docker-group setup-binfmt setup-nfsd
 # target bootstrap-stack: Call bootstrap target of each stack
 .PHONY: bootstrap-stack
-bootstrap-stack: docker-network $(foreach stack,$(STACK),bootstrap-stack-$(stack))
+bootstrap-stack: docker-network debug-STACK $(foreach stack,$(STACK),bootstrap-stack-$(subst /,-,$(stack)) debug-$(stack))
 # target build: Build application docker images to run
 # on local host
diff --git a/make/apps/def.docker.mk b/make/apps/def.docker.mk
index 23d4fe8..e07e365 100644
--- a/make/apps/def.docker.mk
+++ b/make/apps/def.docker.mk
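Review bot: `debug-STACK` and `debug-$(stack)` are now permanent prerequisites of `bootstrap-stack`, so every bootstrap prints debug output; if that is intended it deserves a comment, otherwise it reads as leftover instrumentation. `debug-$(stack)` also keeps the raw stack name while `bootstrap-stack-$(subst /,-,$(stack))` strips the slash; for a stack like `node/ipfs` the prerequisite becomes `debug-node/ipfs`, and a `debug-%` pattern without a slash only matches the file part (`ipfs`), so it would not resolve (the `debug-%` rule is outside this hunk, so this is inferred). Apply the same substitution: `debug-$(subst /,-,$(stack))`.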
@@ -20,16 +20,17 @@ CONTEXT_DEBUG += DOCKER_BUILD_TARGET DOCKER_IMAGE_TAG DOCKER_R DOCKER_AUTHOR ?= $(DOCKER_AUTHOR_NAME) <$(DOCKER_AUTHOR_EMAIL)> DOCKER_AUTHOR_EMAIL ?= $(subst +git,+docker,$(GIT_AUTHOR_EMAIL)) DOCKER_AUTHOR_NAME ?= $(GIT_AUTHOR_NAME) -DOCKER_BUILD_ARGS ?= $(if $(filter true,$(DOCKER_BUILD_NO_CACHE)),--pull --no-cache) $(foreach var,$(DOCKER_BUILD_VARS),$(if $($(var)),--build-arg $(var)='$($(var))')) +DOCKER_BUILD_ARGS ?= $(if $(filter true,$(DOCKER_BUILD_NO_CACHE)),--pull --no-cache) $(foreach var,$(DOCKER_BUILD_VARS),$(if $($(var)),--build-arg $(var)='$($(var))')) --build-arg GID='$(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_GID),$(GID))' --build-arg UID='$(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_UID),$(UID))' DOCKER_BUILD_CACHE ?= true DOCKER_BUILD_LABEL ?= $(foreach var,$(filter $(BUILD_LABEL_VARS),$(MAKE_FILE_VARS)),$(if $($(var)),--label $(var)='$($(var))')) DOCKER_BUILD_NO_CACHE ?= false DOCKER_BUILD_TARGET ?= $(if $(filter $(ENV),$(DOCKER_BUILD_TARGETS)),$(ENV),$(DOCKER_BUILD_TARGET_DEFAULT)) DOCKER_BUILD_TARGET_DEFAULT ?= master DOCKER_BUILD_TARGETS ?= $(ENV_DEPLOY) -DOCKER_BUILD_VARS ?= APP BRANCH COMPOSE_VERSION DOCKER_GID DOCKER_MACHINE DOCKER_REPOSITORY DOCKER_SYSTEM GID GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME SSH_BASTION_HOSTNAME SSH_BASTION_USERNAME SSH_PRIVATE_IP_RANGE SSH_PUBLIC_HOST_KEYS SSH_REMOTE_HOSTS UID USER VERSION +DOCKER_BUILD_VARS ?= APP BRANCH COMPOSE_VERSION DOCKER_GID DOCKER_MACHINE DOCKER_REPOSITORY DOCKER_SYSTEM GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME SSH_REMOTE_HOSTS USER VERSION DOCKER_COMPOSE ?= $(if $(DOCKER_RUN),docker/compose:$(COMPOSE_VERSION),$(or $(shell docker compose >/dev/null 2>&1 && printf 'docker compose\n'),docker-compose)) $(COMPOSE_ARGS) DOCKER_COMPOSE_DOWN_OPTIONS ?= +DOCKER_COMPOSE_PROJECT_NAME ?= $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, 
,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))) DOCKER_COMPOSE_RUN_OPTIONS ?= --rm DOCKER_COMPOSE_UP_OPTIONS ?= -d DOCKER_IMAGE_TAG ?= $(if $(filter true,$(DEPLOY)),$(if $(filter $(ENV),$(ENV_DEPLOY)),$(VERSION)),$(if $(DRONE_BUILD_NUMBER),$(DRONE_BUILD_NUMBER),latest)) @@ -82,14 +83,12 @@ endef define docker-compose $(call INFO,docker-compose,$(1)) $(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION))) - $(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME)))) $(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) $(1))) endef # function docker-compose-exec-sh: Run docker-compose-exec sh -c 'arg 2' in service 1 define docker-compose-exec-sh $(call INFO,docker-compose-exec-sh,$(1)$(comma) $(2)) $(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION))) - $(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME)))) $(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) exec -T $(1) sh -c '$(2)')) endef # function docker-push: Push docker image diff --git a/make/apps/docker.mk b/make/apps/docker.mk index 6346cbc..e01e614 100644 --- a/make/apps/docker.mk +++ b/make/apps/docker.mk 
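Review bot: Moving the project-name selection from the `$(eval DOCKER_COMPOSE_PROJECT_NAME := …)` lines in `docker-compose`/`docker-compose-exec-sh` (second hunk) to a `?=` default (first hunk) changes precedence: the eval overwrote the variable on every call, whereas `?=` yields to any environment or command-line `DOCKER_COMPOSE_PROJECT_NAME`, so a stray value in the caller's environment now redirects `-p` for every compose command. If that override is meant to be supported, say so in a comment on the new line; if not, use a plain recursive `=`. Style: `$(filter node,$(firstword $(subst /, ,$(STACK))))` is spelled out three times in the first hunk (twice in `DOCKER_BUILD_ARGS`, once in `DOCKER_COMPOSE_PROJECT_NAME`); a single `STACK_TYPE = $(firstword $(subst /, ,$(STACK)))` would make the UID/GID and project-name selection read the same, and note that `firstword` only looks at the first stack when `STACK` lists several.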
@@ -115,8 +115,9 @@ docker-compose-up: docker-images-myos bootstrap-stack
 # target docker-images-myos: Call myos-docker-build-% target for each DOCKER_IMAGES_MYOS
 .PHONY: docker-images-myos
+docker-images-myos: MAKE_VARS += DOCKER_REPOSITORY STACK
 docker-images-myos:
- $(foreach image,$(subst $(quote),,$(DOCKER_IMAGES_MYOS)),$(call make,myos-docker-build-$(image)))
+ $(foreach image,$(subst $(quote),,$(DOCKER_IMAGES_MYOS)),$(call make,docker-build-$(image),$(MYOS)))
 # target docker-images-rm: Call docker-image-rm-% target for DOCKER_REPOSITORY
 .PHONY: docker-images-rm
diff --git a/make/apps/myos/def.ssh.mk b/make/apps/myos/def.ssh.mk
index b733f8a..acd8fef 100755
--- a/make/apps/myos/def.ssh.mk
+++ b/make/apps/myos/def.ssh.mk
@@ -3,13 +3,14 @@ ENV_VARS += $(SSH_ENV_VARS)
 SSH_AUTHORIZED_KEYS ?= $(SSH_GITHUB_AUTHORIZED_KEYS)
 SSH_BASTION_HOSTNAME ?=
 SSH_BASTION_USERNAME ?= $(SSH_USER)
-SSH_ENV_VARS ?= SSH_BASTION_HOSTNAME SSH_BASTION_USERNAME SSH_PUBLIC_HOSTS SSH_PRIVATE_IP_RANGE SSH_USER
+SSH_ENV_VARS ?= SSH_AUTHORIZED_KEYS SSH_BASTION_HOSTNAME SSH_BASTION_USERNAME SSH_PORT SSH_PRIVATE_IP_RANGE SSH_PUBLIC_HOSTS SSH_USER
 SSH_GITHUB_AUTHORIZED_KEYS ?= $(patsubst %,https://github.com/%,$(patsubst %,%.keys,$(SSH_USER)))
 SSH_PUBLIC_HOSTS ?= $(if $(filter ssh,$(CONFIG_REPOSITORY_SCHEME)),$(CONFIG_REPOSITORY_HOST)) $(SSH_BASTION_HOSTNAME) $(SSH_REMOTE_HOSTS)
 SSH_PRIVATE_IP_RANGE ?=
 SSH_PRIVATE_KEYS ?= $(wildcard $(SSH_DIR)/id_ed25519 $(SSH_DIR)/id_rsa)
 SSH_REMOTE_HOSTS ?= github.com gitlab.com
 SSH_USER ?= $(call slugify,$(GIT_USER))
+SSH_PORT ?= 22
 # function ssh-connect: Exec command 2 on remote hosts 1 with tty
 define ssh-connect
diff --git a/make/apps/myos/def.ufw.mk b/make/apps/myos/def.ufw.mk
index 6f5292b..e6776a8 100644
--- a/make/apps/myos/def.ufw.mk
+++ b/make/apps/myos/def.ufw.mk
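Review bot: Adding `SSH_AUTHORIZED_KEYS` to `SSH_ENV_VARS` exports it to the containers, where authorized_keys.sh in this commit fetches each entry and installs it as a user's authorized_keys; its default is `https://github.com/$(SSH_USER).keys` with `SSH_USER ?= $(call slugify,$(GIT_USER))`, so whichever GitHub account carries the slugified local git user name is granted SSH access, including to the VDI container and its `SUDOERS` list. That identity assumption should be stated on the variable, e.g. `# SSH_AUTHORIZED_KEYS: URLs of public keys granted ssh access (default assumes SSH_USER is your GitHub login)`. Style: `SSH_PORT ?= 22` is appended after `SSH_USER`, breaking the roughly alphabetical order the block keeps; it belongs between `SSH_GITHUB_AUTHORIZED_KEYS` and `SSH_PRIVATE_IP_RANGE`.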
@@ -7,6 +7,7 @@ ifeq ($(SETUP_UFW),true)
 define ufw
 $(call INFO,ufw,$(1)$(comma))
 $(call app-bootstrap,ufw-docker)
+ $(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
 $(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw $(1))
 endef
@@ -14,6 +15,7 @@ endef
 define ufw-docker
 $(call INFO,ufw-docker,$(1)$(comma))
 $(call app-bootstrap,ufw-docker)
+ $(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
 $(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw-docker $(1))
 endef
diff --git a/make/apps/myos/setup.mk b/make/apps/myos/setup.mk
index e041c3d..80d7f77 100644
--- a/make/apps/myos/setup.mk
+++ b/make/apps/myos/setup.mk
@@ -43,6 +43,7 @@ setup-ufw:
 ifeq ($(SETUP_UFW),true)
 $(call app-install,$(SETUP_UFW_REPOSITORY))
 $(call app-bootstrap,$(lastword $(subst /, ,$(SETUP_UFW_REPOSITORY))))
+ $(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
 $(call app-build)
 $(eval DOCKER_RUN_OPTIONS := --rm --cap-add NET_ADMIN -v /etc/ufw:/etc/ufw --network host)
 $(call app-up)
diff --git a/make/apps/myos/ufw.mk b/make/apps/myos/ufw.mk
index 942300b..fd6ae5e 100644
--- a/make/apps/myos/ufw.mk
+++ b/make/apps/myos/ufw.mk
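Review bot: `$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))` inside `ufw` (and identically in `ufw-docker` below and in `setup-ufw` in the setup.mk hunk) rewrites a global variable as a side effect of the call, and nothing restores it, so any `app-exec`/`app-*` call made later in the same make run for a different stack inherits the node project name. If app-exec needs the node project, pass it explicitly or save and restore it around the call; at minimum a comment on the eval should state that the override is intentional and persists for the rest of the run. app-exec itself is outside the hunk, so I cannot tell whether it reads `COMPOSE_PROJECT_NAME` directly or through `DOCKER_COMPOSE_PROJECT_NAME`.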
@@ -15,17 +15,18 @@ ufw-docker:
 # target ufw-docker: Call ufw and ufw-docker foreach service UFW_UPDATE
 .PHONY: ufw-update
-ufw-update:
+ufw-update: debug-UFW_UPDATE
+ $(eval name := $(DOCKER_COMPOSE_PROJECT_NAME))
 $(foreach update,$(UFW_UPDATE), \
- $(foreach port,$(UFW_DOCKER_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
- $(call ufw-docker,$(if $(UFW_DELETE),delete) allow $(DOCKER_COMPOSE_PROJECT_NAME)-$(update) $(port)) \
+ $(foreach port,$(UFW_DOCKER_$(update)) $(UFW_DOCKER_$(name)-$(update)), \
+ $(call ufw-docker,$(if $(UFW_DELETE),delete) allow $(name)-$(update) $(port) ||:) \
 ) \
- $(foreach port,$(UFW_UPDATE_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
+ $(foreach port,$(UFW_UPDATE_$(update)) $(UFW_UPDATE_$(name)-$(update)), \
 $(call ufw,$(if $(UFW_DELETE),delete) allow $(port)) \
 ) \
 )
-## ex: ufw-node-up will update ufw rules for stack node
+## ex: ufw-node-update will update ufw rules for stack node
 .PHONY: stack-%
 ufw-%:
 $(eval stack := $(subst -$(lastword $(subst -, ,$*)),,$*))
diff --git a/make/def.docker.mk b/make/def.docker.mk
index 68b2d6f..282fb55 100644
--- a/make/def.docker.mk
+++ b/make/def.docker.mk
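Review bot: `$(call ufw-docker,… allow $(name)-$(update) $(port) ||:)` appends `||:` to the executed command, so a rule that fails to apply (wrong container name, ufw-docker missing, permission denied) is swallowed and `ufw-update` exits 0 with the firewall unchanged — ports meant to be opened stay closed and, with `UFW_DELETE`, ports meant to be closed stay open. Failing loudly is the safer default: drop `||:`, or if some entries are legitimately absent make the tolerance visible, `|| echo "WARNING: ufw-docker allow $(name)-$(update) $(port) failed"`. The `debug-UFW_UPDATE` prerequisite added to `ufw-update` prints on every run and looks like leftover instrumentation; a comment should say so if it is intentional.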
@@ -16,17 +16,19 @@ DOCKER_RUN_OPTIONS += --rm --network $(DOCKER_NETWORK)
 DOCKER_RUN_VOLUME += -v /var/run/docker.sock:/var/run/docker.sock
 DOCKER_RUN_WORKDIR ?= -w $(PWD)
 DOCKER_SYSTEM ?= $(shell docker run --rm alpine uname -s 2>/dev/null)
-ENV_VARS += DOCKER_MACHINE DOCKER_NETWORK_PRIVATE DOCKER_NETWORK_PUBLIC DOCKER_SYSTEM NODE_COMPOSE_PROJECT_NAME NODE_COMPOSE_SERVICE_NAME NODE_DOCKER_REPOSITORY NODE_DOCKER_VOLUME USER_COMPOSE_PROJECT_NAME USER_COMPOSE_SERVICE_NAME USER_DOCKER_IMAGE USER_DOCKER_NAME USER_DOCKER_REPOSITORY USER_DOCKER_VOLUME
-NODE_COMPOSE_PROJECT_NAME ?= node
+ENV_VARS += DOCKER_MACHINE DOCKER_NETWORK_PRIVATE DOCKER_NETWORK_PUBLIC DOCKER_SYSTEM NODE_COMPOSE_PROJECT_NAME NODE_COMPOSE_SERVICE_NAME NODE_DOCKER_REPOSITORY NODE_DOCKER_VOLUME NODE_GID NODE_UID USER_COMPOSE_PROJECT_NAME USER_COMPOSE_SERVICE_NAME USER_DOCKER_IMAGE USER_DOCKER_NAME USER_DOCKER_REPOSITORY USER_DOCKER_VOLUME
+NODE_COMPOSE_PROJECT_NAME ?= $(HOSTNAME)
 NODE_COMPOSE_SERVICE_NAME ?= $(subst _,-,$(NODE_COMPOSE_PROJECT_NAME))
 NODE_DOCKER_REPOSITORY ?= $(subst -,/,$(subst _,/,$(NODE_COMPOSE_PROJECT_NAME)))
-NODE_DOCKER_VOLUME ?= $(NODE_COMPOSE_PROJECT_NAME)_myos
+NODE_DOCKER_VOLUME ?= $(NODE_COMPOSE_PROJECT_NAME)
+NODE_GID ?= 100
+NODE_UID ?= 123
 USER_COMPOSE_PROJECT_NAME ?= $(USER)-$(ENV)
 USER_COMPOSE_SERVICE_NAME ?= $(subst _,-,$(USER_COMPOSE_PROJECT_NAME))
-USER_DOCKER_IMAGE ?= $(USER_DOCKER_REPOSITORY)/myos:${DOCKER_IMAGE_TAG}
-USER_DOCKER_NAME ?= $(USER_COMPOSE_PROJECT_NAME)-myos
+USER_DOCKER_IMAGE ?= $(USER_DOCKER_REPOSITORY):${DOCKER_IMAGE_TAG}
+USER_DOCKER_NAME ?= $(USER_COMPOSE_PROJECT_NAME)
 USER_DOCKER_REPOSITORY ?= $(subst -,/,$(subst _,/,$(USER_COMPOSE_PROJECT_NAME)))
-USER_DOCKER_VOLUME ?= $(USER_COMPOSE_PROJECT_NAME)_myos
+USER_DOCKER_VOLUME ?= $(USER_COMPOSE_PROJECT_NAME)
 # https://github.com/docker/libnetwork/pull/2348
 ifeq ($(SYSTEM),Darwin)
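Review bot: `NODE_COMPOSE_PROJECT_NAME ?= $(HOSTNAME)` depends on `HOSTNAME` reaching make, but bash sets that variable without exporting it, so unless another makefile defines it the default is empty and everything derived from it here (`NODE_COMPOSE_SERVICE_NAME`, `NODE_DOCKER_REPOSITORY`, `NODE_DOCKER_VOLUME`) and the compose `-p` name collapse to an empty string. A more robust default is `NODE_COMPOSE_PROJECT_NAME ?= $(or $(HOSTNAME),$(shell hostname))`. Dropping `_myos` from `NODE_DOCKER_VOLUME`/`USER_DOCKER_VOLUME` and `-myos` from `USER_DOCKER_NAME` renames existing volumes and containers, so an upgraded deployment starts with fresh, empty volumes; that deserves a migration note in the changelog. `NODE_UID ?= 123` and `NODE_GID ?= 100` now become build args for node images (ipfs.yml); a one-line comment on why these ids were chosen would help, since 100 is `users` on Debian and 123 may already be a system account on the host.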
@@ -69,7 +71,7 @@ else
 # function exec: call docker-exec
 define exec
 $(call INFO,exec,$(1))
- $(call docker-exec)
+ $(call docker-exec,$(1))
 endef
 endif
 # function run: Run docker run with arg 1 and docker repository 2
diff --git a/make/def.mk b/make/def.mk
index 3025d75..65bb26c 100644
--- a/make/def.mk
+++ b/make/def.mk
@@ -76,7 +76,7 @@ INSTALL_CMDS ?= APK_INSTALL APT_INSTALL
 $(foreach cmd,$(INSTALL_CMDS),$(if $(CMD_$(cmd)),$(eval INSTALL_CMD ?= $(CMD_$(cmd)))))
 LOG_LEVEL ?= $(if $(DEBUG),debug,$(if $(VERBOSE),info,error))
 MAKE_ARGS ?= $(foreach var,$(MAKE_VARS),$(if $($(var)),$(var)='$($(var))'))
-MAKE_SUBDIRS ?= $(if $(filter myos,$(MYOS)),monorepo,$(if $(APP),apps $(foreach type,$(APP_TYPE),$(if $(wildcard $(MAKE_DIR)/apps/$(type)),apps/$(type)))))
+MAKE_SUBDIRS ?= $(if $(filter myos,$(MYOS)),monorepo,$(if $(APP),apps $(foreach type,$(APP_LOAD),$(if $(wildcard $(MAKE_DIR)/apps/$(type)),apps/$(type)))))
 MAKE_CMD_ARGS ?= $(foreach var,$(MAKE_CMD_VARS),$(var)='$($(var))')
 MAKE_CMD_VARS ?= $(strip $(foreach var, $(filter-out .VARIABLES,$(.VARIABLES)), $(if $(filter command\ line,$(origin $(var))),$(var))))
 MAKE_ENV_ARGS ?= $(foreach var,$(filter $(ENV_VARS),$(MAKE_ENV_VARS)),$(var)='$($(var))')
diff --git a/stack/node/.env.dist b/stack/node/.env.dist
index 71ae971..01d34b2 100644
--- a/stack/node/.env.dist
+++ b/stack/node/.env.dist
@@ -2,6 +2,8 @@ NODE_CONSUL_ACL_TOKENS_MASTER=01234567-89AB-CDEF-0123-456789ABCDEF
 NODE_CONSUL_HTTP_TOKEN=01234567-89AB-CDEF-0123-456789ABCDEF
 NODE_CONSUL_SERVICE_8500_TAGS=urlprefix-consul.${DOMAIN}/
 NODE_FABIO_SERVICE_9998_TAGS=urlprefix-fabio.${DOMAIN}/
-UFW_UPDATE_node-certbot=53/udp
-UFW_UPDATE_node-consul=8500
-UFW_DOCKER_node-fabio=80 443
+NODE_SSH_PORT=${SSH_PORT}
+NODE_SSH_PUBLIC_HOSTS=${SSH_PUBLIC_HOSTS}
+UFW_UPDATE_certbot=53/udp
+UFW_UPDATE_consul=8500
+UFW_DOCKER_fabio=80 443
diff --git a/stack/node/ipfs/.env.dist b/stack/node/ipfs/.env.dist
index 7100d26..41904c4 100644
--- a/stack/node/ipfs/.env.dist
+++ b/stack/node/ipfs/.env.dist @@ -16,4 +16,4 @@ NODE_IPFS_API_HTTPHEADERS_ACA_CREDENTIALS=["true"] NODE_IPFS_API_HTTPHEADERS_ACA_HEADERS=["X-Requested-With", "Range", "User-Agent"] NODE_IPFS_API_HTTPHEADERS_ACA_METHODS=["OPTIONS", "POST"] NODE_IPFS_API_HTTPHEADERS_ACA_ORIGIN=["https://ipfs.${DOMAIN}", "http://ipfs.${DOMAIN}", "http://ipfs.localhost:8080"] -UFW_DOCKER_node-ipfs=4001/tcp 4001/udp 8080 +UFW_DOCKER_ipfs=4001/tcp 4001/udp 8080 diff --git a/stack/node/ipfs/ipfs.yml b/stack/node/ipfs/ipfs.yml index be75fd0..aade9d9 100644 --- a/stack/node/ipfs/ipfs.yml +++ b/stack/node/ipfs/ipfs.yml @@ -5,7 +5,9 @@ services: build: args: - DOCKER_BUILD_DIR=docker/ipfs + - GID=${NODE_GID} - IPFS_VERSION=${IPFS_VERSION} + - UID=${NODE_UID} context: ../.. dockerfile: docker/ipfs/Dockerfile command: daemon --agent-version-suffix=${NODE_COMPOSE_PROJECT_NAME} ${NODE_IPFS_DAEMON_ARGS} diff --git a/stack/node/mail/.env.dist b/stack/node/mail/.env.dist index 3a300b8..57eb802 100644 --- a/stack/node/mail/.env.dist +++ b/stack/node/mail/.env.dist @@ -2,4 +2,4 @@ NODE_MAILSERVER_ENABLE_MANAGESIEVE=1 NODE_MAILSERVER_SPOOF_PROTECTION=1 NODE_MAILSERVER_SSL_TYPE=letsencrypt NODE_MAILSERVER_UPDATE_CHECK=0 -UFW_DOCKER_node-mailserver=25 465 587 993 +UFW_DOCKER_mailserver=25 465 587 993 diff --git a/stack/node/vdi/.env.dist b/stack/node/vdi/.env.dist new file mode 100644 index 0000000..8b85b85 --- /dev/null +++ b/stack/node/vdi/.env.dist @@ -0,0 +1,7 @@ +NODE_VDI_ECRYPTERS=${USER} +NODE_VDI_LANG=${LANG} +NODE_VDI_PORT=${SSH_PORT} +NODE_VDI_SUDOERS= +NODE_VDI_TZ=UTC +NODE_VDI_USERS=${USER} +UFW_DOCKER_vdi=${SSH_PORT} diff --git a/stack/node/vdi/vdi.yml b/stack/node/vdi/vdi.yml new file mode 100644 index 0000000..62c4616 --- /dev/null +++ b/stack/node/vdi/vdi.yml 
@@ -0,0 +1,61 @@ +version: '3.8' + +services: + vdi: + build: + args: + - DOCKER_BUILD_DIR=docker/x2go/xfce-debian + - SSH_PORT=${NODE_VDI_PORT:-22} + context: ../.. + dockerfile: docker/x2go/xfce-debian/Dockerfile + cap_add: + - IPC_LOCK # ecryptfs + - NET_ADMIN # iptables + - NET_RAW # iptables + - SYS_ADMIN # ecryptfs + container_name: ${NODE_COMPOSE_PROJECT_NAME}-vdi + cpus: 0.5 + environment: + - DEBUG=${VDI_DEBUG:-} + - ECRYPTERS=${NODE_VDI_ECRYPTERS:-} + - LANG=${NODE_VDI_LANG:-} + - SSH_PORT=${NODE_VDI_PORT:-22} + - SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS:-} + - SSH_PUBLIC_HOSTS=${NODE_SSH_PUBLIC_HOSTS:-} + - SUDOERS=${NODE_VDI_SUDOERS:-} + - TZ=${NODE_VDI_TZ:-} + - USERS=${NODE_VDI_USERS:-} + image: ${NODE_DOCKER_REPOSITORY}/vdi:${DOCKER_IMAGE_TAG} + networks: + - public + ports: + - ${NODE_VDI_PORT:-22}:${SSH_PORT:-22} + restart: unless-stopped + security_opt: + - apparmor=unconfined # ecryptfs + - seccomp=unconfined # ecryptfs + tty: true + volumes: + - home:/home:delegated + - shared:/shared:cached + - shm:/dev/shm:delegated + +networks: + public: + external: true + name: ${DOCKER_NETWORK_PUBLIC} + +volumes: + home: + shared: + driver: local + driver_opts: + type: none + device: /mnt/shared + o: bind + shm: + driver: local + driver_opts: + type: tmpfs + device: tmpfs + o: mode=1777,size=2147483648 # 2GB diff --git a/stack/x2go/.env.dist b/stack/x2go/.env.dist index eb4f999..1ea20dd 100644 --- a/stack/x2go/.env.dist +++ b/stack/x2go/.env.dist @@ -1,5 +1,6 @@ +VDI_ECRYPTERS= VDI_LANG=${LANG} -VDI_PORT=22 +VDI_PORT=8260 +VDI_SUDOERS= VDI_TZ=UTC VDI_USERS=${USER} -VDI_SUDOERS= diff --git a/stack/x2go/xfce_debian.yml b/stack/x2go/xfce_debian.yml index 3e1b90a..865d90d 100644 --- a/stack/x2go/xfce_debian.yml +++ b/stack/x2go/xfce_debian.yml @@ -5,6 +5,7 @@ services: build: args: - DOCKER_BUILD_DIR=docker/x2go/xfce-debian + - SSH_PORT=${VDI_PORT:-22} context: ../.. dockerfile: docker/x2go/xfce-debian/Dockerfile cap_add: 
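Review bot: In vdi.yml, `ports: - ${NODE_VDI_PORT:-22}:${SSH_PORT:-22}` maps the host port onto container port `SSH_PORT`, but the container's sshd is told to listen on `NODE_VDI_PORT` (both the `SSH_PORT=${NODE_VDI_PORT:-22}` build arg and the environment entry above), so whenever the two variables differ the published port points at nothing; the consistent mapping is `- ${NODE_VDI_PORT:-22}:${NODE_VDI_PORT:-22}`, and `UFW_DOCKER_vdi=${SSH_PORT}` in stack/node/vdi/.env.dist has the same mix-up. The service combines `SYS_ADMIN`, `NET_ADMIN`, `NET_RAW`, `apparmor=unconfined` and `seccomp=unconfined` with interactive SSH users and a `SUDOERS` list; with that set a sudoer inside the container is close to root on the host, which the inline `# ecryptfs` comments do not convey, so a header comment stating that this container is trusted as much as the host would help operators decide who goes into `NODE_VDI_SUDOERS`. The `/mnt/shared` bind under `volumes:` is likewise a host path exposed to every VDI user and is worth a comment.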
@@ -12,15 +13,22 @@ services: - NET_ADMIN # iptables - NET_RAW # iptables - SYS_ADMIN # ecryptfs + cpus: 0.5 environment: - - DEBUG=${VDI_DEBUG} - - ECRYPTERS=${VDI_ECRYPTERS} - - LANG=${VDI_LANG} - - SUDOERS=${VDI_SUDOERS} - - TZ=${VDI_TZ} - - USERS=${VDI_USERS} + - DEBUG=${VDI_DEBUG:-} + - ECRYPTERS=${VDI_ECRYPTERS:-} + - LANG=${VDI_LANG:-} + - SSH_PORT=${VDI_PORT:-22} + - SSH_PUBLIC_HOSTS=${SSH_PUBLIC_HOSTS:-} + - SUDOERS=${VDI_SUDOERS:-} + - TZ=${VDI_TZ:-} + - USERS=${VDI_USERS:-} + image: ${DOCKER_REPOSITORY}/vdi:${DOCKER_IMAGE_TAG} + networks: + - private + - public ports: - - "${VDI_PORT}:22" + - ${SSH_PORT} restart: unless-stopped security_opt: - apparmor=unconfined # ecryptfs @@ -31,6 +39,14 @@ services: - vdi-shared:/shared:cached - vdi-shm:/dev/shm:delegated +networks: + private: + external: true + name: ${DOCKER_NETWORK_PRIVATE} + public: + external: true + name: ${DOCKER_NETWORK_PUBLIC} + volumes: vdi-home: vdi-shared:
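Review bot: `ports: - ${SSH_PORT}` publishes a single container port to a random ephemeral host port, and the port it names is the make-level `SSH_PORT` (default 22 in def.ssh.mk) while sshd inside the container is told to listen on `VDI_PORT` via `SSH_PORT=${VDI_PORT:-22}` a few lines above and the new build arg; with `VDI_PORT=8260` from stack/x2go/.env.dist the published port is one nothing listens on. The removed `"${VDI_PORT}:22"` mapping at least reached sshd; the consistent form is `- ${VDI_PORT:-22}:${VDI_PORT:-22}` (or `- ${VDI_PORT:-22}` if an ephemeral host port is really intended). Attaching the service to both `private` and `public` networks is a reachability change that deserves a comment on the `networks:` entry.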