node is hostname

2022-11-22 22:49:44 +00:00 · 2022-11-22 22:49:44 +00:00 · 9697288134
parent 61ab6f67af
commit 9697288134
24 changed files with 172 additions and 45 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,9 @@
 # CHANGELOG

+## v0.9.9 - 2022-11-22
+
+* node name is `hostname`
+
 ## v0.9 - 2022-11-11

 * split make files in `myos` project and install files in `yaip` project
--- a/docker/ipfs/ipfs-config.sh
+++ b/docker/ipfs/ipfs-config.sh
@ -21,7 +21,7 @@ echo "${IPFS_ADDRESSES_API_INET4}" |awk -F. '{ for ( i=1; i<=4; i++ ) if ($i >=
 # check ${IPFS_ADDRESSES_API_PORT} format
 [ "${IPFS_ADDRESSES_API_PORT}" -eq "${IPFS_ADDRESSES_API_PORT}" ] 2>/dev/null && [ "${IPFS_ADDRESSES_API_PORT}" -ge 1 ] && [ "${IPFS_ADDRESSES_API_PORT}" -le 65535 ] \
 || unset IPFS_ADDRESSES_API_PORT
-ipfs config Addresses.API "${IPFS_ADDRESSES_API:-/ip4/${IPFS_ADDRESSES_API_INET4:-127.0.0.1}/tcp/${IPFS_ADDRESSES_API_PORT:-5001}}"
+ipfs config Addresses.Api "${IPFS_ADDRESSES_API:-/ip4/${IPFS_ADDRESSES_API_INET4:-127.0.0.1}/tcp/${IPFS_ADDRESSES_API_PORT:-5001}}"

 ## gateway address
 # search for ip address of $(hostname).${IPFS_ADDRESSES_GATEWAY_DOMAIN}
--- a/docker/x2go/xfce-debian/Dockerfile
+++ b/docker/x2go/xfce-debian/Dockerfile
@ -26,9 +26,12 @@ RUN cp /usr/share/doc/libpam-script/examples/logscript /usr/share/libpam-script
 WORKDIR /app
 COPY ${DOCKER_BUILD_DIR}/*.sh /app/

+ARG SSH_PORT=22
 CMD []
 ENTRYPOINT ["/app/run.sh"]
-HEALTHCHECK CMD timeout 1 bash -c "</dev/tcp/localhost/22" 2>/dev/null 
+EXPOSE ${SSH_PORT:-22}
+RUN echo "${SSH_PORT}" > /app/.ssh_port
+HEALTHCHECK CMD timeout 1 bash -c "</dev/tcp/localhost/$(cat /app/.ssh_port 2>/dev/null)" 2>/dev/null

 FROM dist as master
 ARG DOCKER_BUILD_DIR
--- a/docker/x2go/xfce-debian/authorized_keys.sh
+++ b/docker/x2go/xfce-debian/authorized_keys.sh
@ -0,0 +1,25 @@
+#!/bin/sh
+[ -n "${DEBUG}" ] && set -x
+set -eu
+
+user=${1:-${USER}}
+domain=${USER/*@}
+
+[ -f "/home/${user}/.ssh/authorized_keys" ] \
+ && authorized_keys=$(cat "/home/${user}/.ssh/authorized_keys" 2>/dev/null)
+if [ -n "${authorized_keys:-}" ]; then
+  echo "${authorized_keys:-}"
+elif [ -n "${SSH_AUTHORIZED_KEYS:-}" ]; then
+    for host in ${SSH_AUTHORIZED_KEYS:-}; do
+      wget -qO - "${host}" 2>/dev/null && break
+    done
+elif [ -n "${user}" ]; then
+  # if no domain
+  if [ "${domain}" = "${user}" ]; then
+    for host in ${SSH_PUBLIC_HOSTS:-}; do
+      wget -qO - "https://${host}/${user}.keys" 2>/dev/null && break
+    done
+  else
+    exit 1
+  fi
+fi
--- a/docker/x2go/xfce-debian/run.sh
+++ b/docker/x2go/xfce-debian/run.sh
@ -10,9 +10,7 @@ if [ ! -f /app/.setup_done ]; then
  /app/setup_timezone.sh
 fi

-/app/setup_ecryptfs.sh /dev/shm
-# /shared encryption will not survive on restart
-/app/setup_ecryptfs.sh /shared
+/app/setup_ecryptfs.sh /dev/shm &
 /app/setup_users.sh

 ## Start-up our services manually (since Docker container will not invoke all init scripts).
@ -50,6 +48,6 @@ if [ $# -eq 0 ]; then
  PID=$! && wait
 else
  # WARNING: cleanup is not called
-  exec /bin/bash -c "set -e && $*"
+  exec su ${USER:-root} /bin/bash -c "set -e && $*"
 fi
 cleanup
--- a/docker/x2go/xfce-debian/setup_sshd.sh
+++ b/docker/x2go/xfce-debian/setup_sshd.sh
@ -11,6 +11,7 @@ sed -i "s/^#\?PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_
 sed -i "s/^#\?PrintLastLog.*/PrintLastLog yes/g" /etc/ssh/sshd_config
 sed -i "s/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
 sed -i "s/^#\?X11Forwarding.*/X11Forwarding no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?Port.*/Port ${SSH_PORT:-22}/g" /etc/ssh/sshd_config

 cat >> /etc/ssh/sshd_config <<EOF
 Match group x2gouser
--- a/docker/x2go/xfce-debian/setup_users.sh
+++ b/docker/x2go/xfce-debian/setup_users.sh
@ -2,7 +2,7 @@
 [ -n "${DEBUG}" ] && set -x
 set -eu

-for user in ${USERS:-${USERNAME}}; do
+for user in ${USERS:-${USER:-user}}; do
  id "${user}" > /dev/null 2>&1 || useradd -s /bin/bash "${user}"
  [ ! -d "/home/${user}" ] \
   && mkdir -p "/home/${user}" \
@ -15,9 +15,9 @@ for user in ${USERS:-${USERNAME}}; do
  done
  usermod -a -G x2gouser "${user}"
  mkdir -p "/home/${user}/.ssh"
-  wget -qO "/home/${user}/.ssh/authorized_keys" "https://gitlab.com/${user}.keys" 2>/dev/null \
-   || wget -qO "/home/${user}/.ssh/authorized_keys" "https://github.com/${user}.keys" 2>/dev/null \
-   || echo "WARNING: Unable to fetch ssh public keys for user ${user}."
+  keys=$(su "${user}" /app/authorized_keys.sh 2>/dev/null) \
+   && echo "${keys}" > "/home/${user}/.ssh/authorized_keys" \
+   || echo "WARNING: Unable to fetch authorized keys for ssh user ${user}."
  chown "${user}" "/home/${user}/.ssh" "/home/${user}/.ssh/authorized_keys"
 done
 for sudoer in ${SUDOERS:-}; do
@ -29,5 +29,5 @@ for ecrypter in ${ECRYPTERS:-}; do
  touch "/home/${ecrypter}/.ecryptfs/auto-umount"
  chown -R "${ecrypter}" "/home/${ecrypter}/.ecryptfs"
 done
-ln -s /app/setup_ecryptfs_sshagent.sh /etc/profile.d/
+cp /app/setup_ecryptfs_sshagent.sh /etc/profile.d/
 mkdir -p /shared && chmod 1777 /shared
--- a/make/apps/common.mk
+++ b/make/apps/common.mk
@ -27,7 +27,7 @@ bootstrap-docker: install-bin-docker setup-docker-group setup-binfmt setup-nfsd

 # target bootstrap-stack: Call bootstrap target of each stack
 .PHONY: bootstrap-stack
-bootstrap-stack: docker-network $(foreach stack,$(STACK),bootstrap-stack-$(stack))
+bootstrap-stack: docker-network debug-STACK $(foreach stack,$(STACK),bootstrap-stack-$(subst /,-,$(stack)) debug-$(stack))

 # target build: Build application docker images to run
 # on local host
--- a/make/apps/def.docker.mk
+++ b/make/apps/def.docker.mk
@ -20,16 +20,17 @@ CONTEXT_DEBUG                   += DOCKER_BUILD_TARGET DOCKER_IMAGE_TAG DOCKER_R
 DOCKER_AUTHOR                   ?= $(DOCKER_AUTHOR_NAME) <$(DOCKER_AUTHOR_EMAIL)>
 DOCKER_AUTHOR_EMAIL             ?= $(subst +git,+docker,$(GIT_AUTHOR_EMAIL))
 DOCKER_AUTHOR_NAME              ?= $(GIT_AUTHOR_NAME)
-DOCKER_BUILD_ARGS               ?= $(if $(filter true,$(DOCKER_BUILD_NO_CACHE)),--pull --no-cache) $(foreach var,$(DOCKER_BUILD_VARS),$(if $($(var)),--build-arg $(var)='$($(var))'))
+DOCKER_BUILD_ARGS               ?= $(if $(filter true,$(DOCKER_BUILD_NO_CACHE)),--pull --no-cache) $(foreach var,$(DOCKER_BUILD_VARS),$(if $($(var)),--build-arg $(var)='$($(var))')) --build-arg GID='$(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_GID),$(GID))' --build-arg UID='$(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_UID),$(UID))'
 DOCKER_BUILD_CACHE              ?= true
 DOCKER_BUILD_LABEL              ?= $(foreach var,$(filter $(BUILD_LABEL_VARS),$(MAKE_FILE_VARS)),$(if $($(var)),--label $(var)='$($(var))'))
 DOCKER_BUILD_NO_CACHE           ?= false
 DOCKER_BUILD_TARGET             ?= $(if $(filter $(ENV),$(DOCKER_BUILD_TARGETS)),$(ENV),$(DOCKER_BUILD_TARGET_DEFAULT))
 DOCKER_BUILD_TARGET_DEFAULT     ?= master
 DOCKER_BUILD_TARGETS            ?= $(ENV_DEPLOY)
-DOCKER_BUILD_VARS               ?= APP BRANCH COMPOSE_VERSION DOCKER_GID DOCKER_MACHINE DOCKER_REPOSITORY DOCKER_SYSTEM GID GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME SSH_BASTION_HOSTNAME SSH_BASTION_USERNAME SSH_PRIVATE_IP_RANGE SSH_PUBLIC_HOST_KEYS SSH_REMOTE_HOSTS UID USER VERSION
+DOCKER_BUILD_VARS               ?= APP BRANCH COMPOSE_VERSION DOCKER_GID DOCKER_MACHINE DOCKER_REPOSITORY DOCKER_SYSTEM GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME SSH_REMOTE_HOSTS USER VERSION
 DOCKER_COMPOSE                  ?= $(if $(DOCKER_RUN),docker/compose:$(COMPOSE_VERSION),$(or $(shell docker compose >/dev/null 2>&1 && printf 'docker compose\n'),docker-compose)) $(COMPOSE_ARGS)
 DOCKER_COMPOSE_DOWN_OPTIONS     ?=
+DOCKER_COMPOSE_PROJECT_NAME     ?= $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME)))
 DOCKER_COMPOSE_RUN_OPTIONS      ?= --rm
 DOCKER_COMPOSE_UP_OPTIONS       ?= -d
 DOCKER_IMAGE_TAG                ?= $(if $(filter true,$(DEPLOY)),$(if $(filter $(ENV),$(ENV_DEPLOY)),$(VERSION)),$(if $(DRONE_BUILD_NUMBER),$(DRONE_BUILD_NUMBER),latest))
@ -82,14 +83,12 @@ endef
 define docker-compose
 	$(call INFO,docker-compose,$(1))
 	$(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
-	$(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))))
 	$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) $(1)))
 endef
 # function docker-compose-exec-sh: Run docker-compose-exec sh -c 'arg 2' in service 1
 define docker-compose-exec-sh
 	$(call INFO,docker-compose-exec-sh,$(1)$(comma) $(2))
 	$(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
-	$(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))))
 	$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) exec -T $(1) sh -c '$(2)'))
 endef
 # function docker-push: Push docker image
--- a/make/apps/docker.mk
+++ b/make/apps/docker.mk
@ -115,8 +115,9 @@ docker-compose-up: docker-images-myos bootstrap-stack

 # target docker-images-myos: Call myos-docker-build-% target for each DOCKER_IMAGES_MYOS
 .PHONY: docker-images-myos
+docker-images-myos: MAKE_VARS += DOCKER_REPOSITORY STACK
 docker-images-myos:
-	$(foreach image,$(subst $(quote),,$(DOCKER_IMAGES_MYOS)),$(call make,myos-docker-build-$(image)))
+	$(foreach image,$(subst $(quote),,$(DOCKER_IMAGES_MYOS)),$(call make,docker-build-$(image),$(MYOS)))

 # target docker-images-rm: Call docker-image-rm-% target for DOCKER_REPOSITORY
 .PHONY: docker-images-rm
--- a/make/apps/myos/def.ssh.mk
+++ b/make/apps/myos/def.ssh.mk
@ -3,13 +3,14 @@ ENV_VARS                        += $(SSH_ENV_VARS)
 SSH_AUTHORIZED_KEYS             ?= $(SSH_GITHUB_AUTHORIZED_KEYS)
 SSH_BASTION_HOSTNAME            ?= 
 SSH_BASTION_USERNAME            ?= $(SSH_USER)
-SSH_ENV_VARS                    ?= SSH_BASTION_HOSTNAME SSH_BASTION_USERNAME SSH_PUBLIC_HOSTS SSH_PRIVATE_IP_RANGE SSH_USER
+SSH_ENV_VARS                    ?= SSH_AUTHORIZED_KEYS SSH_BASTION_HOSTNAME SSH_BASTION_USERNAME SSH_PORT SSH_PRIVATE_IP_RANGE SSH_PUBLIC_HOSTS SSH_USER
 SSH_GITHUB_AUTHORIZED_KEYS      ?= $(patsubst %,https://github.com/%,$(patsubst %,%.keys,$(SSH_USER)))
 SSH_PUBLIC_HOSTS                ?= $(if $(filter ssh,$(CONFIG_REPOSITORY_SCHEME)),$(CONFIG_REPOSITORY_HOST)) $(SSH_BASTION_HOSTNAME) $(SSH_REMOTE_HOSTS)
 SSH_PRIVATE_IP_RANGE            ?= 
 SSH_PRIVATE_KEYS                ?= $(wildcard $(SSH_DIR)/id_ed25519 $(SSH_DIR)/id_rsa)
 SSH_REMOTE_HOSTS                ?= github.com gitlab.com
 SSH_USER                        ?= $(call slugify,$(GIT_USER))
+SSH_PORT                        ?= 22

 # function ssh-connect: Exec command 2 on remote hosts 1 with tty
 define ssh-connect
--- a/make/apps/myos/def.ufw.mk
+++ b/make/apps/myos/def.ufw.mk
@ -7,6 +7,7 @@ ifeq ($(SETUP_UFW),true)
 define ufw
 	$(call INFO,ufw,$(1)$(comma))
 	$(call app-bootstrap,ufw-docker)
+	$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
 	$(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw $(1))
 endef

@ -14,6 +15,7 @@ endef
 define ufw-docker
 	$(call INFO,ufw-docker,$(1)$(comma))
 	$(call app-bootstrap,ufw-docker)
+	$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
 	$(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw-docker $(1))
 endef

--- a/make/apps/myos/setup.mk
+++ b/make/apps/myos/setup.mk
@ -43,6 +43,7 @@ setup-ufw:
 ifeq ($(SETUP_UFW),true)
 	$(call app-install,$(SETUP_UFW_REPOSITORY))
 	$(call app-bootstrap,$(lastword $(subst /, ,$(SETUP_UFW_REPOSITORY))))
+	$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
 	$(call app-build)
 	$(eval DOCKER_RUN_OPTIONS := --rm --cap-add NET_ADMIN -v /etc/ufw:/etc/ufw --network host)
 	$(call app-up)
--- a/make/apps/myos/ufw.mk
+++ b/make/apps/myos/ufw.mk
@ -15,17 +15,18 @@ ufw-docker:

 # target ufw-docker: Call ufw and ufw-docker foreach service UFW_UPDATE
 .PHONY: ufw-update
-ufw-update:
+ufw-update: debug-UFW_UPDATE
+	$(eval name := $(DOCKER_COMPOSE_PROJECT_NAME))
 	$(foreach update,$(UFW_UPDATE), \
-	  $(foreach port,$(UFW_DOCKER_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
-	    $(call ufw-docker,$(if $(UFW_DELETE),delete) allow $(DOCKER_COMPOSE_PROJECT_NAME)-$(update) $(port)) \
+	  $(foreach port,$(UFW_DOCKER_$(update)) $(UFW_DOCKER_$(name)-$(update)), \
+		  $(call ufw-docker,$(if $(UFW_DELETE),delete) allow $(name)-$(update) $(port) ||:) \
 	  ) \
-	  $(foreach port,$(UFW_UPDATE_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
+	  $(foreach port,$(UFW_UPDATE_$(update)) $(UFW_UPDATE_$(name)-$(update)), \
 	    $(call ufw,$(if $(UFW_DELETE),delete) allow $(port)) \
 	  ) \
 	)

-## ex: ufw-node-up will update ufw rules for stack node
+## ex: ufw-node-update will update ufw rules for stack node
 .PHONY: stack-%
 ufw-%:
 	$(eval stack   := $(subst -$(lastword $(subst -, ,$*)),,$*))
--- a/make/def.docker.mk
+++ b/make/def.docker.mk
@ -16,17 +16,19 @@ DOCKER_RUN_OPTIONS              += --rm --network $(DOCKER_NETWORK)
 DOCKER_RUN_VOLUME               += -v /var/run/docker.sock:/var/run/docker.sock
 DOCKER_RUN_WORKDIR              ?= -w $(PWD)
 DOCKER_SYSTEM                   ?= $(shell docker run --rm alpine uname -s 2>/dev/null)
-ENV_VARS                        += DOCKER_MACHINE DOCKER_NETWORK_PRIVATE DOCKER_NETWORK_PUBLIC DOCKER_SYSTEM NODE_COMPOSE_PROJECT_NAME NODE_COMPOSE_SERVICE_NAME NODE_DOCKER_REPOSITORY NODE_DOCKER_VOLUME USER_COMPOSE_PROJECT_NAME USER_COMPOSE_SERVICE_NAME USER_DOCKER_IMAGE USER_DOCKER_NAME USER_DOCKER_REPOSITORY USER_DOCKER_VOLUME
-NODE_COMPOSE_PROJECT_NAME       ?= node
+ENV_VARS                        += DOCKER_MACHINE DOCKER_NETWORK_PRIVATE DOCKER_NETWORK_PUBLIC DOCKER_SYSTEM NODE_COMPOSE_PROJECT_NAME NODE_COMPOSE_SERVICE_NAME NODE_DOCKER_REPOSITORY NODE_DOCKER_VOLUME NODE_GID NODE_UID USER_COMPOSE_PROJECT_NAME USER_COMPOSE_SERVICE_NAME USER_DOCKER_IMAGE USER_DOCKER_NAME USER_DOCKER_REPOSITORY USER_DOCKER_VOLUME
+NODE_COMPOSE_PROJECT_NAME       ?= $(HOSTNAME)
 NODE_COMPOSE_SERVICE_NAME       ?= $(subst _,-,$(NODE_COMPOSE_PROJECT_NAME))
 NODE_DOCKER_REPOSITORY          ?= $(subst -,/,$(subst _,/,$(NODE_COMPOSE_PROJECT_NAME)))
-NODE_DOCKER_VOLUME              ?= $(NODE_COMPOSE_PROJECT_NAME)_myos
+NODE_DOCKER_VOLUME              ?= $(NODE_COMPOSE_PROJECT_NAME)
+NODE_GID                        ?= 100
+NODE_UID                        ?= 123
 USER_COMPOSE_PROJECT_NAME       ?= $(USER)-$(ENV)
 USER_COMPOSE_SERVICE_NAME       ?= $(subst _,-,$(USER_COMPOSE_PROJECT_NAME))
-USER_DOCKER_IMAGE               ?= $(USER_DOCKER_REPOSITORY)/myos:${DOCKER_IMAGE_TAG}
-USER_DOCKER_NAME                ?= $(USER_COMPOSE_PROJECT_NAME)-myos
+USER_DOCKER_IMAGE               ?= $(USER_DOCKER_REPOSITORY):${DOCKER_IMAGE_TAG}
+USER_DOCKER_NAME                ?= $(USER_COMPOSE_PROJECT_NAME)
 USER_DOCKER_REPOSITORY          ?= $(subst -,/,$(subst _,/,$(USER_COMPOSE_PROJECT_NAME)))
-USER_DOCKER_VOLUME              ?= $(USER_COMPOSE_PROJECT_NAME)_myos
+USER_DOCKER_VOLUME              ?= $(USER_COMPOSE_PROJECT_NAME)

 # https://github.com/docker/libnetwork/pull/2348
 ifeq ($(SYSTEM),Darwin)
@ -69,7 +71,7 @@ else
 # function exec: call docker-exec
 define exec
 	$(call INFO,exec,$(1))
-	$(call docker-exec)
+	$(call docker-exec,$(1))
 endef
 endif
 # function run: Run docker run with arg 1 and docker repository 2
--- a/make/def.mk
+++ b/make/def.mk
@ -76,7 +76,7 @@ INSTALL_CMDS                    ?= APK_INSTALL APT_INSTALL
 $(foreach cmd,$(INSTALL_CMDS),$(if $(CMD_$(cmd)),$(eval INSTALL_CMD ?= $(CMD_$(cmd)))))
 LOG_LEVEL                       ?= $(if $(DEBUG),debug,$(if $(VERBOSE),info,error))
 MAKE_ARGS                       ?= $(foreach var,$(MAKE_VARS),$(if $($(var)),$(var)='$($(var))'))
-MAKE_SUBDIRS                    ?= $(if $(filter myos,$(MYOS)),monorepo,$(if $(APP),apps $(foreach type,$(APP_TYPE),$(if $(wildcard $(MAKE_DIR)/apps/$(type)),apps/$(type)))))
+MAKE_SUBDIRS                    ?= $(if $(filter myos,$(MYOS)),monorepo,$(if $(APP),apps $(foreach type,$(APP_LOAD),$(if $(wildcard $(MAKE_DIR)/apps/$(type)),apps/$(type)))))
 MAKE_CMD_ARGS                   ?= $(foreach var,$(MAKE_CMD_VARS),$(var)='$($(var))')
 MAKE_CMD_VARS                   ?= $(strip $(foreach var, $(filter-out .VARIABLES,$(.VARIABLES)), $(if $(filter command\ line,$(origin $(var))),$(var))))
 MAKE_ENV_ARGS                   ?= $(foreach var,$(filter $(ENV_VARS),$(MAKE_ENV_VARS)),$(var)='$($(var))')
--- a/stack/node/.env.dist
+++ b/stack/node/.env.dist
@ -2,6 +2,8 @@ NODE_CONSUL_ACL_TOKENS_MASTER=01234567-89AB-CDEF-0123-456789ABCDEF
 NODE_CONSUL_HTTP_TOKEN=01234567-89AB-CDEF-0123-456789ABCDEF
 NODE_CONSUL_SERVICE_8500_TAGS=urlprefix-consul.${DOMAIN}/
 NODE_FABIO_SERVICE_9998_TAGS=urlprefix-fabio.${DOMAIN}/
-UFW_UPDATE_node-certbot=53/udp
-UFW_UPDATE_node-consul=8500
-UFW_DOCKER_node-fabio=80 443
+NODE_SSH_PORT=${SSH_PORT}
+NODE_SSH_PUBLIC_HOSTS=${SSH_PUBLIC_HOSTS}
+UFW_UPDATE_certbot=53/udp
+UFW_UPDATE_consul=8500
+UFW_DOCKER_fabio=80 443
--- a/stack/node/ipfs/.env.dist
+++ b/stack/node/ipfs/.env.dist
@ -16,4 +16,4 @@ NODE_IPFS_API_HTTPHEADERS_ACA_CREDENTIALS=["true"]
 NODE_IPFS_API_HTTPHEADERS_ACA_HEADERS=["X-Requested-With", "Range", "User-Agent"]
 NODE_IPFS_API_HTTPHEADERS_ACA_METHODS=["OPTIONS", "POST"]
 NODE_IPFS_API_HTTPHEADERS_ACA_ORIGIN=["https://ipfs.${DOMAIN}", "http://ipfs.${DOMAIN}", "http://ipfs.localhost:8080"]
-UFW_DOCKER_node-ipfs=4001/tcp 4001/udp 8080
+UFW_DOCKER_ipfs=4001/tcp 4001/udp 8080
--- a/stack/node/ipfs/ipfs.yml
+++ b/stack/node/ipfs/ipfs.yml
@ -5,7 +5,9 @@ services:
    build:
      args:
      - DOCKER_BUILD_DIR=docker/ipfs
+      - GID=${NODE_GID}
      - IPFS_VERSION=${IPFS_VERSION}
+      - UID=${NODE_UID}
      context: ../..
      dockerfile: docker/ipfs/Dockerfile
    command: daemon --agent-version-suffix=${NODE_COMPOSE_PROJECT_NAME} ${NODE_IPFS_DAEMON_ARGS}
--- a/stack/node/mail/.env.dist
+++ b/stack/node/mail/.env.dist
@ -2,4 +2,4 @@ NODE_MAILSERVER_ENABLE_MANAGESIEVE=1
 NODE_MAILSERVER_SPOOF_PROTECTION=1
 NODE_MAILSERVER_SSL_TYPE=letsencrypt
 NODE_MAILSERVER_UPDATE_CHECK=0
-UFW_DOCKER_node-mailserver=25 465 587 993
+UFW_DOCKER_mailserver=25 465 587 993
--- a/stack/node/vdi/.env.dist
+++ b/stack/node/vdi/.env.dist
@ -0,0 +1,7 @@
+NODE_VDI_ECRYPTERS=${USER}
+NODE_VDI_LANG=${LANG}
+NODE_VDI_PORT=${SSH_PORT}
+NODE_VDI_SUDOERS=
+NODE_VDI_TZ=UTC
+NODE_VDI_USERS=${USER}
+UFW_DOCKER_vdi=${SSH_PORT}
--- a/stack/node/vdi/vdi.yml
+++ b/stack/node/vdi/vdi.yml
@ -0,0 +1,61 @@
+version: '3.8'
+
+services:
+  vdi:
+    build:
+      args:
+      - DOCKER_BUILD_DIR=docker/x2go/xfce-debian
+      - SSH_PORT=${NODE_VDI_PORT:-22}
+      context: ../..
+      dockerfile: docker/x2go/xfce-debian/Dockerfile
+    cap_add:
+    - IPC_LOCK # ecryptfs
+    - NET_ADMIN # iptables
+    - NET_RAW # iptables
+    - SYS_ADMIN # ecryptfs
+    container_name: ${NODE_COMPOSE_PROJECT_NAME}-vdi
+    cpus: 0.5
+    environment:
+    - DEBUG=${VDI_DEBUG:-}
+    - ECRYPTERS=${NODE_VDI_ECRYPTERS:-}
+    - LANG=${NODE_VDI_LANG:-}
+    - SSH_PORT=${NODE_VDI_PORT:-22}
+    - SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS:-}
+    - SSH_PUBLIC_HOSTS=${NODE_SSH_PUBLIC_HOSTS:-}
+    - SUDOERS=${NODE_VDI_SUDOERS:-}
+    - TZ=${NODE_VDI_TZ:-}
+    - USERS=${NODE_VDI_USERS:-}
+    image: ${NODE_DOCKER_REPOSITORY}/vdi:${DOCKER_IMAGE_TAG}
+    networks:
+    - public
+    ports:
+    - ${NODE_VDI_PORT:-22}:${SSH_PORT:-22}
+    restart: unless-stopped
+    security_opt:
+    - apparmor=unconfined # ecryptfs
+    - seccomp=unconfined # ecryptfs
+    tty: true
+    volumes:
+    - home:/home:delegated
+    - shared:/shared:cached
+    - shm:/dev/shm:delegated
+
+networks:
+  public:
+    external: true
+    name: ${DOCKER_NETWORK_PUBLIC}
+
+volumes:
+  home:
+  shared:
+    driver: local
+    driver_opts:
+      type: none
+      device: /mnt/shared
+      o: bind
+  shm:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+      o: mode=1777,size=2147483648 # 2GB
--- a/stack/x2go/.env.dist
+++ b/stack/x2go/.env.dist
@ -1,5 +1,6 @@
+VDI_ECRYPTERS=
 VDI_LANG=${LANG}
-VDI_PORT=22
+VDI_PORT=8260
+VDI_SUDOERS=
 VDI_TZ=UTC
 VDI_USERS=${USER}
-VDI_SUDOERS=
--- a/stack/x2go/xfce_debian.yml
+++ b/stack/x2go/xfce_debian.yml
@ -5,6 +5,7 @@ services:
    build:
      args:
      - DOCKER_BUILD_DIR=docker/x2go/xfce-debian
+      - SSH_PORT=${VDI_PORT:-22}
      context: ../..
      dockerfile: docker/x2go/xfce-debian/Dockerfile
    cap_add:
@ -12,15 +13,22 @@ services:
    - NET_ADMIN # iptables
    - NET_RAW # iptables
    - SYS_ADMIN # ecryptfs
+    cpus: 0.5
    environment:
-    - DEBUG=${VDI_DEBUG}
-    - ECRYPTERS=${VDI_ECRYPTERS}
-    - LANG=${VDI_LANG}
-    - SUDOERS=${VDI_SUDOERS}
-    - TZ=${VDI_TZ}
-    - USERS=${VDI_USERS}
+    - DEBUG=${VDI_DEBUG:-}
+    - ECRYPTERS=${VDI_ECRYPTERS:-}
+    - LANG=${VDI_LANG:-}
+    - SSH_PORT=${VDI_PORT:-22}
+    - SSH_PUBLIC_HOSTS=${SSH_PUBLIC_HOSTS:-}
+    - SUDOERS=${VDI_SUDOERS:-}
+    - TZ=${VDI_TZ:-}
+    - USERS=${VDI_USERS:-}
+    image: ${DOCKER_REPOSITORY}/vdi:${DOCKER_IMAGE_TAG}
+    networks:
+    - private
+    - public
    ports:
-    - "${VDI_PORT}:22"
+    - ${SSH_PORT}
    restart: unless-stopped
    security_opt:
    - apparmor=unconfined # ecryptfs
@ -31,6 +39,14 @@ services:
    - vdi-shared:/shared:cached
    - vdi-shm:/dev/shm:delegated

+networks:
+  private:
+    external: true
+    name: ${DOCKER_NETWORK_PRIVATE}
+  public:
+    external: true
+    name: ${DOCKER_NETWORK_PUBLIC}
+
 volumes:
  vdi-home:
  vdi-shared: