node is hostname
This commit is contained in:
parent
61ab6f67af
commit
9697288134
|
@ -1,5 +1,9 @@
|
||||||
# CHANGELOG
|
# CHANGELOG
|
||||||
|
|
||||||
|
## v0.9.9 - 2022-11-22
|
||||||
|
|
||||||
|
* node name is `hostname`
|
||||||
|
|
||||||
## v0.9 - 2022-11-11
|
## v0.9 - 2022-11-11
|
||||||
|
|
||||||
* split make files in `myos` project and install files in `yaip` project
|
* split make files in `myos` project and install files in `yaip` project
|
||||||
|
|
|
@ -21,7 +21,7 @@ echo "${IPFS_ADDRESSES_API_INET4}" |awk -F. '{ for ( i=1; i<=4; i++ ) if ($i >=
|
||||||
# check ${IPFS_ADDRESSES_API_PORT} format
|
# check ${IPFS_ADDRESSES_API_PORT} format
|
||||||
[ "${IPFS_ADDRESSES_API_PORT}" -eq "${IPFS_ADDRESSES_API_PORT}" ] 2>/dev/null && [ "${IPFS_ADDRESSES_API_PORT}" -ge 1 ] && [ "${IPFS_ADDRESSES_API_PORT}" -le 65535 ] \
|
[ "${IPFS_ADDRESSES_API_PORT}" -eq "${IPFS_ADDRESSES_API_PORT}" ] 2>/dev/null && [ "${IPFS_ADDRESSES_API_PORT}" -ge 1 ] && [ "${IPFS_ADDRESSES_API_PORT}" -le 65535 ] \
|
||||||
|| unset IPFS_ADDRESSES_API_PORT
|
|| unset IPFS_ADDRESSES_API_PORT
|
||||||
ipfs config Addresses.API "${IPFS_ADDRESSES_API:-/ip4/${IPFS_ADDRESSES_API_INET4:-127.0.0.1}/tcp/${IPFS_ADDRESSES_API_PORT:-5001}}"
|
ipfs config Addresses.Api "${IPFS_ADDRESSES_API:-/ip4/${IPFS_ADDRESSES_API_INET4:-127.0.0.1}/tcp/${IPFS_ADDRESSES_API_PORT:-5001}}"
|
||||||
|
|
||||||
## gateway address
|
## gateway address
|
||||||
# search for ip address of $(hostname).${IPFS_ADDRESSES_GATEWAY_DOMAIN}
|
# search for ip address of $(hostname).${IPFS_ADDRESSES_GATEWAY_DOMAIN}
|
||||||
|
|
|
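Review bot: The config key on the new line changes from `Addresses.API` to `Addresses.Api`, while the IPFS configuration documents the field as `Addresses.API` and the surrounding variable names (`IPFS_ADDRESSES_API`, `IPFS_ADDRESSES_API_PORT`) keep the upper-case form. Unless the `ipfs config` build in use is known to match keys case-insensitively, this risks writing a second `Api` entry beside the existing `API` one rather than updating it. If the rename was unintentional, revert to `ipfs config Addresses.API "${IPFS_ADDRESSES_API:-/ip4/${IPFS_ADDRESSES_API_INET4:-127.0.0.1}/tcp/${IPFS_ADDRESSES_API_PORT:-5001}}"`; if it was deliberate, a one-line comment saying why would save the next reader the same question. The enclosing script continues outside the hunk on both sides.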
@ -26,9 +26,12 @@ RUN cp /usr/share/doc/libpam-script/examples/logscript /usr/share/libpam-script
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
COPY ${DOCKER_BUILD_DIR}/*.sh /app/
|
COPY ${DOCKER_BUILD_DIR}/*.sh /app/
|
||||||
|
|
||||||
|
ARG SSH_PORT=22
|
||||||
CMD []
|
CMD []
|
||||||
ENTRYPOINT ["/app/run.sh"]
|
ENTRYPOINT ["/app/run.sh"]
|
||||||
HEALTHCHECK CMD timeout 1 bash -c "</dev/tcp/localhost/22" 2>/dev/null
|
EXPOSE ${SSH_PORT:-22}
|
||||||
|
RUN echo "${SSH_PORT}" > /app/.ssh_port
|
||||||
|
HEALTHCHECK CMD timeout 1 bash -c "</dev/tcp/localhost/$(cat /app/.ssh_port 2>/dev/null)" 2>/dev/null
|
||||||
|
|
||||||
FROM dist as master
|
FROM dist as master
|
||||||
ARG DOCKER_BUILD_DIR
|
ARG DOCKER_BUILD_DIR
|
||||||
|
|
|
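Review bot: The rewritten HEALTHCHECK has no fallback when `/app/.ssh_port` is missing or empty: `$(cat … 2>/dev/null)` expands to nothing, `</dev/tcp/localhost/` fails, and the container is reported unhealthy for a reason unrelated to sshd. The checked port is also frozen at build time from the `SSH_PORT` ARG, whereas the sshd setup script changed in this same commit takes its `Port` from the runtime `${SSH_PORT:-22}` environment, so a runtime override is health-checked against the wrong port. HEALTHCHECK CMD is expanded by the container's shell, not by the Dockerfile, so the runtime value can be preferred with the file and 22 as fallbacks: `HEALTHCHECK CMD timeout 1 bash -c "</dev/tcp/localhost/${SSH_PORT:-$(cat /app/.ssh_port 2>/dev/null || echo 22)}" 2>/dev/null`. The `RUN echo "${SSH_PORT}" > /app/.ssh_port` line can stay as the build-time record.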
@ -0,0 +1,25 @@
|
||||||
|
#!/bin/sh
|
||||||
|
[ -n "${DEBUG}" ] && set -x
|
||||||
|
set -eu
|
||||||
|
|
||||||
|
user=${1:-${USER}}
|
||||||
|
domain=${USER/*@}
|
||||||
|
|
||||||
|
[ -f "/home/${user}/.ssh/authorized_keys" ] \
|
||||||
|
&& authorized_keys=$(cat "/home/${user}/.ssh/authorized_keys" 2>/dev/null)
|
||||||
|
if [ -n "${authorized_keys:-}" ]; then
|
||||||
|
echo "${authorized_keys:-}"
|
||||||
|
elif [ -n "${SSH_AUTHORIZED_KEYS:-}" ]; then
|
||||||
|
for host in ${SSH_AUTHORIZED_KEYS:-}; do
|
||||||
|
wget -qO - "${host}" 2>/dev/null && break
|
||||||
|
done
|
||||||
|
elif [ -n "${user}" ]; then
|
||||||
|
# if no domain
|
||||||
|
if [ "${domain}" = "${user}" ]; then
|
||||||
|
for host in ${SSH_PUBLIC_HOSTS:-}; do
|
||||||
|
wget -qO - "https://${host}/${user}.keys" 2>/dev/null && break
|
||||||
|
done
|
||||||
|
else
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
|
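Review bot: `domain=${USER/*@}` uses the bash-only `${var/pattern}` substitution under a `#!/bin/sh` shebang, so run directly on a system where sh is dash the script aborts with a bad-substitution error; it also derives the domain from the `USER` environment variable rather than from the `user` argument resolved on the line above, so the later `[ "${domain}" = "${user}" ]` test compares two different identities whenever `$1` is supplied. It appears to work today only because setup_users.sh invokes it through `su` with the user's bash and no argument. The portable form that is consistent with the rest of the script is `domain=${user##*@}`. Separately, the script's exit status is just that of its last command — 0 with empty output when the relevant host list is empty, otherwise whatever the last `wget` returned — so the caller cannot reliably tell "no keys found" from success; an explicit `exit 1` when nothing was printed would make that contract clear.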
@ -10,9 +10,7 @@ if [ ! -f /app/.setup_done ]; then
|
||||||
/app/setup_timezone.sh
|
/app/setup_timezone.sh
|
||||||
fi
|
fi
|
||||||
|
|
||||||
/app/setup_ecryptfs.sh /dev/shm
|
/app/setup_ecryptfs.sh /dev/shm &
|
||||||
# /shared encryption will not survive on restart
|
|
||||||
/app/setup_ecryptfs.sh /shared
|
|
||||||
/app/setup_users.sh
|
/app/setup_users.sh
|
||||||
|
|
||||||
## Start-up our services manually (since Docker container will not invoke all init scripts).
|
## Start-up our services manually (since Docker container will not invoke all init scripts).
|
||||||
|
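Review bot: Backgrounding `/app/setup_ecryptfs.sh /dev/shm &` means its exit status is no longer observed (a `set -e` above the hunk, if present, does not cover background jobs) and `/app/setup_users.sh` on the next line now runs while the /dev/shm mount may still be in progress. If the user setup does not depend on /dev/shm being mounted, a comment saying so would make the intent clear; if it does, add `wait` before `/app/setup_users.sh` or keep the call in the foreground. Dropping the `/shared` mount also drops the `# /shared encryption will not survive on restart` comment that explained it; a one-line note that /shared is intentionally no longer encrypted at start-up would keep that knowledge in the file.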
@ -50,6 +48,6 @@ if [ $# -eq 0 ]; then
|
||||||
PID=$! && wait
|
PID=$! && wait
|
||||||
else
|
else
|
||||||
# WARNING: cleanup is not called
|
# WARNING: cleanup is not called
|
||||||
exec /bin/bash -c "set -e && $*"
|
exec su ${USER:-root} /bin/bash -c "set -e && $*"
|
||||||
fi
|
fi
|
||||||
cleanup
|
cleanup
|
||||||
|
|
|
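Review bot: `exec su ${USER:-root} /bin/bash -c "set -e && $*"` leaves `${USER:-root}` unquoted, so a value containing whitespace or glob characters is word-split before `su` sees it; write `exec su "${USER:-root}" /bin/bash -c "set -e && $*"`. With `su` in front, the shell that runs `$*` is the target user's and inherits the environment subject to su's own handling (HOME, SHELL, USER and PATH may be reset depending on the su implementation), so if the services rely on variables exported by the setup scripts earlier in this entrypoint, that deserves a comment next to the existing `# WARNING: cleanup is not called`. The enclosing `if [ $# -eq 0 ]` starts outside the hunk.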
@ -11,6 +11,7 @@ sed -i "s/^#\?PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_
|
||||||
sed -i "s/^#\?PrintLastLog.*/PrintLastLog yes/g" /etc/ssh/sshd_config
|
sed -i "s/^#\?PrintLastLog.*/PrintLastLog yes/g" /etc/ssh/sshd_config
|
||||||
sed -i "s/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
|
sed -i "s/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
|
||||||
sed -i "s/^#\?X11Forwarding.*/X11Forwarding no/g" /etc/ssh/sshd_config
|
sed -i "s/^#\?X11Forwarding.*/X11Forwarding no/g" /etc/ssh/sshd_config
|
||||||
|
sed -i "s/^#\?Port.*/Port ${SSH_PORT:-22}/g" /etc/ssh/sshd_config
|
||||||
|
|
||||||
cat >> /etc/ssh/sshd_config <<EOF
|
cat >> /etc/ssh/sshd_config <<EOF
|
||||||
Match group x2gouser
|
Match group x2gouser
|
||||||
|
|
|
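Review bot: `sed -i "s/^#\?Port.*/Port ${SSH_PORT:-22}/g" /etc/ssh/sshd_config` substitutes `SSH_PORT` into sshd_config without checking that it is a port number, so a typo or an unexpected environment value produces a configuration sshd refuses to load, discovered only when the service fails to start. The ipfs script touched in this same commit already validates its port; the same guard here keeps the two consistent: `[ "${SSH_PORT:-22}" -eq "${SSH_PORT:-22}" ] 2>/dev/null && [ "${SSH_PORT:-22}" -ge 1 ] && [ "${SSH_PORT:-22}" -le 65535 ] || SSH_PORT=22` placed before the sed (or `exit 1` with a message instead of the fallback, if a silent default is not wanted). Note also that sed only rewrites an existing `Port`/`#Port` line, so on an sshd_config that has none nothing is set; if that case matters, an appended `Port` line must land before the `Match group x2gouser` block this script adds below, since `Port` is not valid inside a Match block.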
@ -2,7 +2,7 @@
|
||||||
[ -n "${DEBUG}" ] && set -x
|
[ -n "${DEBUG}" ] && set -x
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
for user in ${USERS:-${USERNAME}}; do
|
for user in ${USERS:-${USER:-user}}; do
|
||||||
id "${user}" > /dev/null 2>&1 || useradd -s /bin/bash "${user}"
|
id "${user}" > /dev/null 2>&1 || useradd -s /bin/bash "${user}"
|
||||||
[ ! -d "/home/${user}" ] \
|
[ ! -d "/home/${user}" ] \
|
||||||
&& mkdir -p "/home/${user}" \
|
&& mkdir -p "/home/${user}" \
|
||||||
|
@ -15,9 +15,9 @@ for user in ${USERS:-${USERNAME}}; do
|
||||||
done
|
done
|
||||||
usermod -a -G x2gouser "${user}"
|
usermod -a -G x2gouser "${user}"
|
||||||
mkdir -p "/home/${user}/.ssh"
|
mkdir -p "/home/${user}/.ssh"
|
||||||
wget -qO "/home/${user}/.ssh/authorized_keys" "https://gitlab.com/${user}.keys" 2>/dev/null \
|
keys=$(su "${user}" /app/authorized_keys.sh 2>/dev/null) \
|
||||||
|| wget -qO "/home/${user}/.ssh/authorized_keys" "https://github.com/${user}.keys" 2>/dev/null \
|
&& echo "${keys}" > "/home/${user}/.ssh/authorized_keys" \
|
||||||
|| echo "WARNING: Unable to fetch ssh public keys for user ${user}."
|
|| echo "WARNING: Unable to fetch authorized keys for ssh user ${user}."
|
||||||
chown "${user}" "/home/${user}/.ssh" "/home/${user}/.ssh/authorized_keys"
|
chown "${user}" "/home/${user}/.ssh" "/home/${user}/.ssh/authorized_keys"
|
||||||
done
|
done
|
||||||
for sudoer in ${SUDOERS:-}; do
|
for sudoer in ${SUDOERS:-}; do
|
||||||
|
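Review bot: The new `keys=$(su "${user}" /app/authorized_keys.sh 2>/dev/null) && echo "${keys}" > …` chain only reaches the WARNING when the helper exits non-zero, but the helper as written in this commit returns 0 with empty output when its host list is empty and otherwise reports only the status of its last fetch attempt, so a user can end up with an empty authorized_keys file written silently and no way to log in. Add an emptiness check to the chain: `keys=$(su "${user}" /app/authorized_keys.sh 2>/dev/null) && [ -n "${keys}" ] \` before the `echo` line. The `chown` on the following line still runs when the file was never written and will complain about the missing path; guarding it with `[ -f "/home/${user}/.ssh/authorized_keys" ]` or accepting the noise with a comment would make the intended behaviour explicit. The enclosing `for user` loop starts outside the hunk.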
@ -29,5 +29,5 @@ for ecrypter in ${ECRYPTERS:-}; do
|
||||||
touch "/home/${ecrypter}/.ecryptfs/auto-umount"
|
touch "/home/${ecrypter}/.ecryptfs/auto-umount"
|
||||||
chown -R "${ecrypter}" "/home/${ecrypter}/.ecryptfs"
|
chown -R "${ecrypter}" "/home/${ecrypter}/.ecryptfs"
|
||||||
done
|
done
|
||||||
ln -s /app/setup_ecryptfs_sshagent.sh /etc/profile.d/
|
cp /app/setup_ecryptfs_sshagent.sh /etc/profile.d/
|
||||||
mkdir -p /shared && chmod 1777 /shared
|
mkdir -p /shared && chmod 1777 /shared
|
||||||
|
|
|
@ -27,7 +27,7 @@ bootstrap-docker: install-bin-docker setup-docker-group setup-binfmt setup-nfsd
|
||||||
|
|
||||||
# target bootstrap-stack: Call bootstrap target of each stack
|
# target bootstrap-stack: Call bootstrap target of each stack
|
||||||
.PHONY: bootstrap-stack
|
.PHONY: bootstrap-stack
|
||||||
bootstrap-stack: docker-network $(foreach stack,$(STACK),bootstrap-stack-$(stack))
|
bootstrap-stack: docker-network debug-STACK $(foreach stack,$(STACK),bootstrap-stack-$(subst /,-,$(stack)) debug-$(stack))
|
||||||
|
|
||||||
# target build: Build application docker images to run
|
# target build: Build application docker images to run
|
||||||
# on local host
|
# on local host
|
||||||
|
|
|
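Review bot: The new prerequisite list makes `bootstrap-stack` depend on `debug-STACK` and on `debug-$(stack)` for every stack, so diagnostic targets become hard prerequisites of a bootstrap run and, under `make -j`, their output interleaves arbitrarily with the real work. There is also an asymmetry on the same line: the bootstrap target is flattened with `$(subst /,-,$(stack))` while the debug target keeps the raw `$(stack)`, producing names like `debug-node/ipfs`; if `debug-%` prints `$*=$($*)` (it is defined outside this hunk, so this is inferred), that stem is not a variable name and the target prints nothing useful. Keeping `debug-STACK` only, or wrapping the debug prerequisites in `$(if $(DEBUG),…)`, keeps the bootstrap graph about bootstrapping.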
@ -20,16 +20,17 @@ CONTEXT_DEBUG += DOCKER_BUILD_TARGET DOCKER_IMAGE_TAG DOCKER_R
|
||||||
DOCKER_AUTHOR ?= $(DOCKER_AUTHOR_NAME) <$(DOCKER_AUTHOR_EMAIL)>
|
DOCKER_AUTHOR ?= $(DOCKER_AUTHOR_NAME) <$(DOCKER_AUTHOR_EMAIL)>
|
||||||
DOCKER_AUTHOR_EMAIL ?= $(subst +git,+docker,$(GIT_AUTHOR_EMAIL))
|
DOCKER_AUTHOR_EMAIL ?= $(subst +git,+docker,$(GIT_AUTHOR_EMAIL))
|
||||||
DOCKER_AUTHOR_NAME ?= $(GIT_AUTHOR_NAME)
|
DOCKER_AUTHOR_NAME ?= $(GIT_AUTHOR_NAME)
|
||||||
DOCKER_BUILD_ARGS ?= $(if $(filter true,$(DOCKER_BUILD_NO_CACHE)),--pull --no-cache) $(foreach var,$(DOCKER_BUILD_VARS),$(if $($(var)),--build-arg $(var)='$($(var))'))
|
DOCKER_BUILD_ARGS ?= $(if $(filter true,$(DOCKER_BUILD_NO_CACHE)),--pull --no-cache) $(foreach var,$(DOCKER_BUILD_VARS),$(if $($(var)),--build-arg $(var)='$($(var))')) --build-arg GID='$(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_GID),$(GID))' --build-arg UID='$(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_UID),$(UID))'
|
||||||
DOCKER_BUILD_CACHE ?= true
|
DOCKER_BUILD_CACHE ?= true
|
||||||
DOCKER_BUILD_LABEL ?= $(foreach var,$(filter $(BUILD_LABEL_VARS),$(MAKE_FILE_VARS)),$(if $($(var)),--label $(var)='$($(var))'))
|
DOCKER_BUILD_LABEL ?= $(foreach var,$(filter $(BUILD_LABEL_VARS),$(MAKE_FILE_VARS)),$(if $($(var)),--label $(var)='$($(var))'))
|
||||||
DOCKER_BUILD_NO_CACHE ?= false
|
DOCKER_BUILD_NO_CACHE ?= false
|
||||||
DOCKER_BUILD_TARGET ?= $(if $(filter $(ENV),$(DOCKER_BUILD_TARGETS)),$(ENV),$(DOCKER_BUILD_TARGET_DEFAULT))
|
DOCKER_BUILD_TARGET ?= $(if $(filter $(ENV),$(DOCKER_BUILD_TARGETS)),$(ENV),$(DOCKER_BUILD_TARGET_DEFAULT))
|
||||||
DOCKER_BUILD_TARGET_DEFAULT ?= master
|
DOCKER_BUILD_TARGET_DEFAULT ?= master
|
||||||
DOCKER_BUILD_TARGETS ?= $(ENV_DEPLOY)
|
DOCKER_BUILD_TARGETS ?= $(ENV_DEPLOY)
|
||||||
DOCKER_BUILD_VARS ?= APP BRANCH COMPOSE_VERSION DOCKER_GID DOCKER_MACHINE DOCKER_REPOSITORY DOCKER_SYSTEM GID GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME SSH_BASTION_HOSTNAME SSH_BASTION_USERNAME SSH_PRIVATE_IP_RANGE SSH_PUBLIC_HOST_KEYS SSH_REMOTE_HOSTS UID USER VERSION
|
DOCKER_BUILD_VARS ?= APP BRANCH COMPOSE_VERSION DOCKER_GID DOCKER_MACHINE DOCKER_REPOSITORY DOCKER_SYSTEM GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME SSH_REMOTE_HOSTS USER VERSION
|
||||||
DOCKER_COMPOSE ?= $(if $(DOCKER_RUN),docker/compose:$(COMPOSE_VERSION),$(or $(shell docker compose >/dev/null 2>&1 && printf 'docker compose\n'),docker-compose)) $(COMPOSE_ARGS)
|
DOCKER_COMPOSE ?= $(if $(DOCKER_RUN),docker/compose:$(COMPOSE_VERSION),$(or $(shell docker compose >/dev/null 2>&1 && printf 'docker compose\n'),docker-compose)) $(COMPOSE_ARGS)
|
||||||
DOCKER_COMPOSE_DOWN_OPTIONS ?=
|
DOCKER_COMPOSE_DOWN_OPTIONS ?=
|
||||||
|
DOCKER_COMPOSE_PROJECT_NAME ?= $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME)))
|
||||||
DOCKER_COMPOSE_RUN_OPTIONS ?= --rm
|
DOCKER_COMPOSE_RUN_OPTIONS ?= --rm
|
||||||
DOCKER_COMPOSE_UP_OPTIONS ?= -d
|
DOCKER_COMPOSE_UP_OPTIONS ?= -d
|
||||||
DOCKER_IMAGE_TAG ?= $(if $(filter true,$(DEPLOY)),$(if $(filter $(ENV),$(ENV_DEPLOY)),$(VERSION)),$(if $(DRONE_BUILD_NUMBER),$(DRONE_BUILD_NUMBER),latest))
|
DOCKER_IMAGE_TAG ?= $(if $(filter true,$(DEPLOY)),$(if $(filter $(ENV),$(ENV_DEPLOY)),$(VERSION)),$(if $(DRONE_BUILD_NUMBER),$(DRONE_BUILD_NUMBER),latest))
|
||||||
|
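Review bot: `$(if $(filter node,$(firstword $(subst /, ,$(STACK)))),…)` is now spelled out twice on the `DOCKER_BUILD_ARGS` line and twice more in the new `DOCKER_COMPOSE_PROJECT_NAME`; a single derived variable such as `STACK_TYPE ?= $(firstword $(subst /, ,$(STACK)))` referenced from both would make the node/User dispatch readable and changeable in one place. Because `?=` is recursive, UID/GID and the project name are re-evaluated from `$(STACK)` at each use, and when `STACK` holds several stacks only its first word decides for all of them — worth a comment if intended, since `bootstrap-stack` in this commit iterates over every stack. The `define docker-compose` hunk below drops its `$(eval DOCKER_COMPOSE_PROJECT_NAME := …)` in favour of this variable, which is equivalent given the late-binding flavour, but that reliance on `?=` being recursive is itself worth a comment on the new line.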
@ -82,14 +83,12 @@ endef
|
||||||
define docker-compose
|
define docker-compose
|
||||||
$(call INFO,docker-compose,$(1))
|
$(call INFO,docker-compose,$(1))
|
||||||
$(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
|
$(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
|
||||||
$(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))))
|
|
||||||
$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) $(1)))
|
$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) $(1)))
|
||||||
endef
|
endef
|
||||||
# function docker-compose-exec-sh: Run docker-compose-exec sh -c 'arg 2' in service 1
|
# function docker-compose-exec-sh: Run docker-compose-exec sh -c 'arg 2' in service 1
|
||||||
define docker-compose-exec-sh
|
define docker-compose-exec-sh
|
||||||
$(call INFO,docker-compose-exec-sh,$(1)$(comma) $(2))
|
$(call INFO,docker-compose-exec-sh,$(1)$(comma) $(2))
|
||||||
$(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
|
$(if $(DOCKER_RUN),$(call docker-build,$(MYOS)/docker/compose,docker/compose:$(COMPOSE_VERSION)))
|
||||||
$(eval DOCKER_COMPOSE_PROJECT_NAME := $(if $(filter node,$(firstword $(subst /, ,$(STACK)))),$(NODE_COMPOSE_PROJECT_NAME),$(if $(filter User,$(firstword $(subst /, ,$(STACK)))),$(USER_COMPOSE_PROJECT_NAME),$(COMPOSE_PROJECT_NAME))))
|
|
||||||
$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) exec -T $(1) sh -c '$(2)'))
|
$(if $(COMPOSE_FILE),$(call run,$(DOCKER_COMPOSE) $(patsubst %,-f %,$(COMPOSE_FILE)) -p $(DOCKER_COMPOSE_PROJECT_NAME) exec -T $(1) sh -c '$(2)'))
|
||||||
endef
|
endef
|
||||||
# function docker-push: Push docker image
|
# function docker-push: Push docker image
|
||||||
|
|
|
@ -115,8 +115,9 @@ docker-compose-up: docker-images-myos bootstrap-stack
|
||||||
|
|
||||||
# target docker-images-myos: Call myos-docker-build-% target for each DOCKER_IMAGES_MYOS
|
# target docker-images-myos: Call myos-docker-build-% target for each DOCKER_IMAGES_MYOS
|
||||||
.PHONY: docker-images-myos
|
.PHONY: docker-images-myos
|
||||||
|
docker-images-myos: MAKE_VARS += DOCKER_REPOSITORY STACK
|
||||||
docker-images-myos:
|
docker-images-myos:
|
||||||
$(foreach image,$(subst $(quote),,$(DOCKER_IMAGES_MYOS)),$(call make,myos-docker-build-$(image)))
|
$(foreach image,$(subst $(quote),,$(DOCKER_IMAGES_MYOS)),$(call make,docker-build-$(image),$(MYOS)))
|
||||||
|
|
||||||
# target docker-images-rm: Call docker-image-rm-% target for DOCKER_REPOSITORY
|
# target docker-images-rm: Call docker-image-rm-% target for DOCKER_REPOSITORY
|
||||||
.PHONY: docker-images-rm
|
.PHONY: docker-images-rm
|
||||||
|
|
|
@ -3,13 +3,14 @@ ENV_VARS += $(SSH_ENV_VARS)
|
||||||
SSH_AUTHORIZED_KEYS ?= $(SSH_GITHUB_AUTHORIZED_KEYS)
|
SSH_AUTHORIZED_KEYS ?= $(SSH_GITHUB_AUTHORIZED_KEYS)
|
||||||
SSH_BASTION_HOSTNAME ?=
|
SSH_BASTION_HOSTNAME ?=
|
||||||
SSH_BASTION_USERNAME ?= $(SSH_USER)
|
SSH_BASTION_USERNAME ?= $(SSH_USER)
|
||||||
SSH_ENV_VARS ?= SSH_BASTION_HOSTNAME SSH_BASTION_USERNAME SSH_PUBLIC_HOSTS SSH_PRIVATE_IP_RANGE SSH_USER
|
SSH_ENV_VARS ?= SSH_AUTHORIZED_KEYS SSH_BASTION_HOSTNAME SSH_BASTION_USERNAME SSH_PORT SSH_PRIVATE_IP_RANGE SSH_PUBLIC_HOSTS SSH_USER
|
||||||
SSH_GITHUB_AUTHORIZED_KEYS ?= $(patsubst %,https://github.com/%,$(patsubst %,%.keys,$(SSH_USER)))
|
SSH_GITHUB_AUTHORIZED_KEYS ?= $(patsubst %,https://github.com/%,$(patsubst %,%.keys,$(SSH_USER)))
|
||||||
SSH_PUBLIC_HOSTS ?= $(if $(filter ssh,$(CONFIG_REPOSITORY_SCHEME)),$(CONFIG_REPOSITORY_HOST)) $(SSH_BASTION_HOSTNAME) $(SSH_REMOTE_HOSTS)
|
SSH_PUBLIC_HOSTS ?= $(if $(filter ssh,$(CONFIG_REPOSITORY_SCHEME)),$(CONFIG_REPOSITORY_HOST)) $(SSH_BASTION_HOSTNAME) $(SSH_REMOTE_HOSTS)
|
||||||
SSH_PRIVATE_IP_RANGE ?=
|
SSH_PRIVATE_IP_RANGE ?=
|
||||||
SSH_PRIVATE_KEYS ?= $(wildcard $(SSH_DIR)/id_ed25519 $(SSH_DIR)/id_rsa)
|
SSH_PRIVATE_KEYS ?= $(wildcard $(SSH_DIR)/id_ed25519 $(SSH_DIR)/id_rsa)
|
||||||
SSH_REMOTE_HOSTS ?= github.com gitlab.com
|
SSH_REMOTE_HOSTS ?= github.com gitlab.com
|
||||||
SSH_USER ?= $(call slugify,$(GIT_USER))
|
SSH_USER ?= $(call slugify,$(GIT_USER))
|
||||||
|
SSH_PORT ?= 22
|
||||||
|
|
||||||
# function ssh-connect: Exec command 2 on remote hosts 1 with tty
|
# function ssh-connect: Exec command 2 on remote hosts 1 with tty
|
||||||
define ssh-connect
|
define ssh-connect
|
||||||
|
|
|
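Review bot: `SSH_PORT ?= 22` is appended after `SSH_USER`, while the rest of this block keeps the SSH_* variables in roughly alphabetical order; placing it between `SSH_GITHUB_AUTHORIZED_KEYS` and `SSH_PRIVATE_IP_RANGE` keeps the block scannable. The `SSH_ENV_VARS` line now also carries `SSH_AUTHORIZED_KEYS` and `SSH_PORT`, which appear to be the values the new authorized_keys.sh and setup_sshd.sh read from their environment; a one-line comment above `SSH_ENV_VARS` naming those consumers would document the coupling, since nothing in this file says where the exported values go.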
@ -7,6 +7,7 @@ ifeq ($(SETUP_UFW),true)
|
||||||
define ufw
|
define ufw
|
||||||
$(call INFO,ufw,$(1)$(comma))
|
$(call INFO,ufw,$(1)$(comma))
|
||||||
$(call app-bootstrap,ufw-docker)
|
$(call app-bootstrap,ufw-docker)
|
||||||
|
$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
|
||||||
$(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw $(1))
|
$(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw $(1))
|
||||||
endef
|
endef
|
||||||
|
|
||||||
|
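Review bot: `$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))` inside `define ufw` rewrites a global make variable as a side effect of a function call: make has no function-local scope, so after the first `$(call ufw,…)` every later target in the same invocation sees the node project name instead of the one it started with. The same eval is added to `define ufw-docker` and to the `setup-ufw` recipe in the two hunks below. If `app-exec` (defined elsewhere) accepts the project name as an argument, pass `$(NODE_COMPOSE_PROJECT_NAME)` there; otherwise scope the override to the callers with a target-specific variable such as `ufw-update setup-ufw: COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME)`, and at minimum add a comment on the eval line stating that the override is meant to persist for the rest of the run.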
@ -14,6 +15,7 @@ endef
|
||||||
define ufw-docker
|
define ufw-docker
|
||||||
$(call INFO,ufw-docker,$(1)$(comma))
|
$(call INFO,ufw-docker,$(1)$(comma))
|
||||||
$(call app-bootstrap,ufw-docker)
|
$(call app-bootstrap,ufw-docker)
|
||||||
|
$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
|
||||||
$(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw-docker $(1))
|
$(call app-exec,,$(if $(DOCKER_RUN),,$(SUDO)) ufw-docker $(1))
|
||||||
endef
|
endef
|
||||||
|
|
||||||
|
|
|
@ -43,6 +43,7 @@ setup-ufw:
|
||||||
ifeq ($(SETUP_UFW),true)
|
ifeq ($(SETUP_UFW),true)
|
||||||
$(call app-install,$(SETUP_UFW_REPOSITORY))
|
$(call app-install,$(SETUP_UFW_REPOSITORY))
|
||||||
$(call app-bootstrap,$(lastword $(subst /, ,$(SETUP_UFW_REPOSITORY))))
|
$(call app-bootstrap,$(lastword $(subst /, ,$(SETUP_UFW_REPOSITORY))))
|
||||||
|
$(eval COMPOSE_PROJECT_NAME := $(NODE_COMPOSE_PROJECT_NAME))
|
||||||
$(call app-build)
|
$(call app-build)
|
||||||
$(eval DOCKER_RUN_OPTIONS := --rm --cap-add NET_ADMIN -v /etc/ufw:/etc/ufw --network host)
|
$(eval DOCKER_RUN_OPTIONS := --rm --cap-add NET_ADMIN -v /etc/ufw:/etc/ufw --network host)
|
||||||
$(call app-up)
|
$(call app-up)
|
||||||
|
|
|
@ -15,17 +15,18 @@ ufw-docker:
|
||||||
|
|
||||||
# target ufw-docker: Call ufw and ufw-docker foreach service UFW_UPDATE
|
# target ufw-docker: Call ufw and ufw-docker foreach service UFW_UPDATE
|
||||||
.PHONY: ufw-update
|
.PHONY: ufw-update
|
||||||
ufw-update:
|
ufw-update: debug-UFW_UPDATE
|
||||||
|
$(eval name := $(DOCKER_COMPOSE_PROJECT_NAME))
|
||||||
$(foreach update,$(UFW_UPDATE), \
|
$(foreach update,$(UFW_UPDATE), \
|
||||||
$(foreach port,$(UFW_DOCKER_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
|
$(foreach port,$(UFW_DOCKER_$(update)) $(UFW_DOCKER_$(name)-$(update)), \
|
||||||
$(call ufw-docker,$(if $(UFW_DELETE),delete) allow $(DOCKER_COMPOSE_PROJECT_NAME)-$(update) $(port)) \
|
$(call ufw-docker,$(if $(UFW_DELETE),delete) allow $(name)-$(update) $(port) ||:) \
|
||||||
) \
|
) \
|
||||||
$(foreach port,$(UFW_UPDATE_$(DOCKER_COMPOSE_PROJECT_NAME)-$(update)), \
|
$(foreach port,$(UFW_UPDATE_$(update)) $(UFW_UPDATE_$(name)-$(update)), \
|
||||||
$(call ufw,$(if $(UFW_DELETE),delete) allow $(port)) \
|
$(call ufw,$(if $(UFW_DELETE),delete) allow $(port)) \
|
||||||
) \
|
) \
|
||||||
)
|
)
|
||||||
|
|
||||||
## ex: ufw-node-up will update ufw rules for stack node
|
## ex: ufw-node-update will update ufw rules for stack node
|
||||||
.PHONY: stack-%
|
.PHONY: stack-%
|
||||||
ufw-%:
|
ufw-%:
|
||||||
$(eval stack := $(subst -$(lastword $(subst -, ,$*)),,$*))
|
$(eval stack := $(subst -$(lastword $(subst -, ,$*)),,$*))
|
||||||
|
|
|
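Review bot: Appending `||:` to `ufw-docker … allow $(name)-$(update) $(port)` turns every failure of the firewall update into a silent success, including the `$(if $(UFW_DELETE),delete)` path, where a rule that failed to delete leaves a port open while the target reports green. The sibling `$(call ufw,…)` call in the same recipe stays strict, so the two lines behave differently for no stated reason. If the intent is to tolerate a container that does not exist, log it rather than discard it: `… $(port) || echo "WARNING: ufw-docker $(if $(UFW_DELETE),delete) allow $(name)-$(update) $(port) failed" >&2)`, and record the tolerated case in the `# target ufw-docker:` comment above, which still names the target `ufw-docker` although the rule is `ufw-update`.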
@ -16,17 +16,19 @@ DOCKER_RUN_OPTIONS += --rm --network $(DOCKER_NETWORK)
|
||||||
DOCKER_RUN_VOLUME += -v /var/run/docker.sock:/var/run/docker.sock
|
DOCKER_RUN_VOLUME += -v /var/run/docker.sock:/var/run/docker.sock
|
||||||
DOCKER_RUN_WORKDIR ?= -w $(PWD)
|
DOCKER_RUN_WORKDIR ?= -w $(PWD)
|
||||||
DOCKER_SYSTEM ?= $(shell docker run --rm alpine uname -s 2>/dev/null)
|
DOCKER_SYSTEM ?= $(shell docker run --rm alpine uname -s 2>/dev/null)
|
||||||
ENV_VARS += DOCKER_MACHINE DOCKER_NETWORK_PRIVATE DOCKER_NETWORK_PUBLIC DOCKER_SYSTEM NODE_COMPOSE_PROJECT_NAME NODE_COMPOSE_SERVICE_NAME NODE_DOCKER_REPOSITORY NODE_DOCKER_VOLUME USER_COMPOSE_PROJECT_NAME USER_COMPOSE_SERVICE_NAME USER_DOCKER_IMAGE USER_DOCKER_NAME USER_DOCKER_REPOSITORY USER_DOCKER_VOLUME
|
ENV_VARS += DOCKER_MACHINE DOCKER_NETWORK_PRIVATE DOCKER_NETWORK_PUBLIC DOCKER_SYSTEM NODE_COMPOSE_PROJECT_NAME NODE_COMPOSE_SERVICE_NAME NODE_DOCKER_REPOSITORY NODE_DOCKER_VOLUME NODE_GID NODE_UID USER_COMPOSE_PROJECT_NAME USER_COMPOSE_SERVICE_NAME USER_DOCKER_IMAGE USER_DOCKER_NAME USER_DOCKER_REPOSITORY USER_DOCKER_VOLUME
|
||||||
NODE_COMPOSE_PROJECT_NAME ?= node
|
NODE_COMPOSE_PROJECT_NAME ?= $(HOSTNAME)
|
||||||
NODE_COMPOSE_SERVICE_NAME ?= $(subst _,-,$(NODE_COMPOSE_PROJECT_NAME))
|
NODE_COMPOSE_SERVICE_NAME ?= $(subst _,-,$(NODE_COMPOSE_PROJECT_NAME))
|
||||||
NODE_DOCKER_REPOSITORY ?= $(subst -,/,$(subst _,/,$(NODE_COMPOSE_PROJECT_NAME)))
|
NODE_DOCKER_REPOSITORY ?= $(subst -,/,$(subst _,/,$(NODE_COMPOSE_PROJECT_NAME)))
|
||||||
NODE_DOCKER_VOLUME ?= $(NODE_COMPOSE_PROJECT_NAME)_myos
|
NODE_DOCKER_VOLUME ?= $(NODE_COMPOSE_PROJECT_NAME)
|
||||||
|
NODE_GID ?= 100
|
||||||
|
NODE_UID ?= 123
|
||||||
USER_COMPOSE_PROJECT_NAME ?= $(USER)-$(ENV)
|
USER_COMPOSE_PROJECT_NAME ?= $(USER)-$(ENV)
|
||||||
USER_COMPOSE_SERVICE_NAME ?= $(subst _,-,$(USER_COMPOSE_PROJECT_NAME))
|
USER_COMPOSE_SERVICE_NAME ?= $(subst _,-,$(USER_COMPOSE_PROJECT_NAME))
|
||||||
USER_DOCKER_IMAGE ?= $(USER_DOCKER_REPOSITORY)/myos:${DOCKER_IMAGE_TAG}
|
USER_DOCKER_IMAGE ?= $(USER_DOCKER_REPOSITORY):${DOCKER_IMAGE_TAG}
|
||||||
USER_DOCKER_NAME ?= $(USER_COMPOSE_PROJECT_NAME)-myos
|
USER_DOCKER_NAME ?= $(USER_COMPOSE_PROJECT_NAME)
|
||||||
USER_DOCKER_REPOSITORY ?= $(subst -,/,$(subst _,/,$(USER_COMPOSE_PROJECT_NAME)))
|
USER_DOCKER_REPOSITORY ?= $(subst -,/,$(subst _,/,$(USER_COMPOSE_PROJECT_NAME)))
|
||||||
USER_DOCKER_VOLUME ?= $(USER_COMPOSE_PROJECT_NAME)_myos
|
USER_DOCKER_VOLUME ?= $(USER_COMPOSE_PROJECT_NAME)
|
||||||
|
|
||||||
# https://github.com/docker/libnetwork/pull/2348
|
# https://github.com/docker/libnetwork/pull/2348
|
||||||
ifeq ($(SYSTEM),Darwin)
|
ifeq ($(SYSTEM),Darwin)
|
||||||
|
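Review bot: `NODE_COMPOSE_PROJECT_NAME ?= $(HOSTNAME)` relies on `HOSTNAME` reaching make from the environment, but bash sets `HOSTNAME` without exporting it, so unless a makefile not shown here defines it the value is empty and `NODE_COMPOSE_SERVICE_NAME`, `NODE_DOCKER_REPOSITORY`, `NODE_DOCKER_VOLUME` (now the bare project name) and the `container_name: ${NODE_COMPOSE_PROJECT_NAME}-vdi` in the new compose file all degrade silently. A guarded default such as `NODE_COMPOSE_PROJECT_NAME ?= $(or $(HOSTNAME),node)` keeps the previous `node` behaviour as the last resort. Hostnames may also contain dots, upper-case letters or dashes, whereas compose project names are expected to be lower-case alphanumerics with `-`/`_`, and `NODE_DOCKER_REPOSITORY` turns every `-` into a `/` so `my-host` becomes the repository `my/host`; a comment stating the accepted hostname shape, or passing it through the `slugify` helper this project already uses for `SSH_USER`, would make the constraint explicit.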
@ -69,7 +71,7 @@ else
|
||||||
# function exec: call docker-exec
|
# function exec: call docker-exec
|
||||||
define exec
|
define exec
|
||||||
$(call INFO,exec,$(1))
|
$(call INFO,exec,$(1))
|
||||||
$(call docker-exec)
|
$(call docker-exec,$(1))
|
||||||
endef
|
endef
|
||||||
endif
|
endif
|
||||||
# function run: Run docker run with arg 1 and docker repository 2
|
# function run: Run docker run with arg 1 and docker repository 2
|
||||||
|
|
|
@ -76,7 +76,7 @@ INSTALL_CMDS ?= APK_INSTALL APT_INSTALL
|
||||||
$(foreach cmd,$(INSTALL_CMDS),$(if $(CMD_$(cmd)),$(eval INSTALL_CMD ?= $(CMD_$(cmd)))))
|
$(foreach cmd,$(INSTALL_CMDS),$(if $(CMD_$(cmd)),$(eval INSTALL_CMD ?= $(CMD_$(cmd)))))
|
||||||
LOG_LEVEL ?= $(if $(DEBUG),debug,$(if $(VERBOSE),info,error))
|
LOG_LEVEL ?= $(if $(DEBUG),debug,$(if $(VERBOSE),info,error))
|
||||||
MAKE_ARGS ?= $(foreach var,$(MAKE_VARS),$(if $($(var)),$(var)='$($(var))'))
|
MAKE_ARGS ?= $(foreach var,$(MAKE_VARS),$(if $($(var)),$(var)='$($(var))'))
|
||||||
MAKE_SUBDIRS ?= $(if $(filter myos,$(MYOS)),monorepo,$(if $(APP),apps $(foreach type,$(APP_TYPE),$(if $(wildcard $(MAKE_DIR)/apps/$(type)),apps/$(type)))))
|
MAKE_SUBDIRS ?= $(if $(filter myos,$(MYOS)),monorepo,$(if $(APP),apps $(foreach type,$(APP_LOAD),$(if $(wildcard $(MAKE_DIR)/apps/$(type)),apps/$(type)))))
|
||||||
MAKE_CMD_ARGS ?= $(foreach var,$(MAKE_CMD_VARS),$(var)='$($(var))')
|
MAKE_CMD_ARGS ?= $(foreach var,$(MAKE_CMD_VARS),$(var)='$($(var))')
|
||||||
MAKE_CMD_VARS ?= $(strip $(foreach var, $(filter-out .VARIABLES,$(.VARIABLES)), $(if $(filter command\ line,$(origin $(var))),$(var))))
|
MAKE_CMD_VARS ?= $(strip $(foreach var, $(filter-out .VARIABLES,$(.VARIABLES)), $(if $(filter command\ line,$(origin $(var))),$(var))))
|
||||||
MAKE_ENV_ARGS ?= $(foreach var,$(filter $(ENV_VARS),$(MAKE_ENV_VARS)),$(var)='$($(var))')
|
MAKE_ENV_ARGS ?= $(foreach var,$(filter $(ENV_VARS),$(MAKE_ENV_VARS)),$(var)='$($(var))')
|
||||||
|
|
|
@ -2,6 +2,8 @@ NODE_CONSUL_ACL_TOKENS_MASTER=01234567-89AB-CDEF-0123-456789ABCDEF
|
||||||
NODE_CONSUL_HTTP_TOKEN=01234567-89AB-CDEF-0123-456789ABCDEF
|
NODE_CONSUL_HTTP_TOKEN=01234567-89AB-CDEF-0123-456789ABCDEF
|
||||||
NODE_CONSUL_SERVICE_8500_TAGS=urlprefix-consul.${DOMAIN}/
|
NODE_CONSUL_SERVICE_8500_TAGS=urlprefix-consul.${DOMAIN}/
|
||||||
NODE_FABIO_SERVICE_9998_TAGS=urlprefix-fabio.${DOMAIN}/
|
NODE_FABIO_SERVICE_9998_TAGS=urlprefix-fabio.${DOMAIN}/
|
||||||
UFW_UPDATE_node-certbot=53/udp
|
NODE_SSH_PORT=${SSH_PORT}
|
||||||
UFW_UPDATE_node-consul=8500
|
NODE_SSH_PUBLIC_HOSTS=${SSH_PUBLIC_HOSTS}
|
||||||
UFW_DOCKER_node-fabio=80 443
|
UFW_UPDATE_certbot=53/udp
|
||||||
|
UFW_UPDATE_consul=8500
|
||||||
|
UFW_DOCKER_fabio=80 443
|
||||||
|
|
|
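Review bot: `NODE_SSH_PORT=${SSH_PORT}` is introduced here, but the new node vdi env file and compose service in this commit read `NODE_VDI_PORT` (also set to `${SSH_PORT}`), not `NODE_SSH_PORT`; if `NODE_SSH_PORT` has no consumer it is dead configuration, and if it is meant to be the node-wide SSH port then `NODE_VDI_PORT=${NODE_SSH_PORT}` would tie the two together instead of each copying `${SSH_PORT}` independently. The `UFW_*` renames drop the `node-` prefix to match the `$(UFW_DOCKER_$(update))` lookup added to `ufw-update`, which is consistent with the makefile change.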
@ -16,4 +16,4 @@ NODE_IPFS_API_HTTPHEADERS_ACA_CREDENTIALS=["true"]
|
||||||
NODE_IPFS_API_HTTPHEADERS_ACA_HEADERS=["X-Requested-With", "Range", "User-Agent"]
|
NODE_IPFS_API_HTTPHEADERS_ACA_HEADERS=["X-Requested-With", "Range", "User-Agent"]
|
||||||
NODE_IPFS_API_HTTPHEADERS_ACA_METHODS=["OPTIONS", "POST"]
|
NODE_IPFS_API_HTTPHEADERS_ACA_METHODS=["OPTIONS", "POST"]
|
||||||
NODE_IPFS_API_HTTPHEADERS_ACA_ORIGIN=["https://ipfs.${DOMAIN}", "http://ipfs.${DOMAIN}", "http://ipfs.localhost:8080"]
|
NODE_IPFS_API_HTTPHEADERS_ACA_ORIGIN=["https://ipfs.${DOMAIN}", "http://ipfs.${DOMAIN}", "http://ipfs.localhost:8080"]
|
||||||
UFW_DOCKER_node-ipfs=4001/tcp 4001/udp 8080
|
UFW_DOCKER_ipfs=4001/tcp 4001/udp 8080
|
||||||
|
|
|
@ -5,7 +5,9 @@ services:
|
||||||
build:
|
build:
|
||||||
args:
|
args:
|
||||||
- DOCKER_BUILD_DIR=docker/ipfs
|
- DOCKER_BUILD_DIR=docker/ipfs
|
||||||
|
- GID=${NODE_GID}
|
||||||
- IPFS_VERSION=${IPFS_VERSION}
|
- IPFS_VERSION=${IPFS_VERSION}
|
||||||
|
- UID=${NODE_UID}
|
||||||
context: ../..
|
context: ../..
|
||||||
dockerfile: docker/ipfs/Dockerfile
|
dockerfile: docker/ipfs/Dockerfile
|
||||||
command: daemon --agent-version-suffix=${NODE_COMPOSE_PROJECT_NAME} ${NODE_IPFS_DAEMON_ARGS}
|
command: daemon --agent-version-suffix=${NODE_COMPOSE_PROJECT_NAME} ${NODE_IPFS_DAEMON_ARGS}
|
||||||
|
|
|
@ -2,4 +2,4 @@ NODE_MAILSERVER_ENABLE_MANAGESIEVE=1
|
||||||
NODE_MAILSERVER_SPOOF_PROTECTION=1
|
NODE_MAILSERVER_SPOOF_PROTECTION=1
|
||||||
NODE_MAILSERVER_SSL_TYPE=letsencrypt
|
NODE_MAILSERVER_SSL_TYPE=letsencrypt
|
||||||
NODE_MAILSERVER_UPDATE_CHECK=0
|
NODE_MAILSERVER_UPDATE_CHECK=0
|
||||||
UFW_DOCKER_node-mailserver=25 465 587 993
|
UFW_DOCKER_mailserver=25 465 587 993
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
NODE_VDI_ECRYPTERS=${USER}
|
||||||
|
NODE_VDI_LANG=${LANG}
|
||||||
|
NODE_VDI_PORT=${SSH_PORT}
|
||||||
|
NODE_VDI_SUDOERS=
|
||||||
|
NODE_VDI_TZ=UTC
|
||||||
|
NODE_VDI_USERS=${USER}
|
||||||
|
UFW_DOCKER_vdi=${SSH_PORT}
|
|
@ -0,0 +1,61 @@
|
||||||
|
version: '3.8'
|
||||||
|
|
||||||
|
services:
|
||||||
|
vdi:
|
||||||
|
build:
|
||||||
|
args:
|
||||||
|
- DOCKER_BUILD_DIR=docker/x2go/xfce-debian
|
||||||
|
- SSH_PORT=${NODE_VDI_PORT:-22}
|
||||||
|
context: ../..
|
||||||
|
dockerfile: docker/x2go/xfce-debian/Dockerfile
|
||||||
|
cap_add:
|
||||||
|
- IPC_LOCK # ecryptfs
|
||||||
|
- NET_ADMIN # iptables
|
||||||
|
- NET_RAW # iptables
|
||||||
|
- SYS_ADMIN # ecryptfs
|
||||||
|
container_name: ${NODE_COMPOSE_PROJECT_NAME}-vdi
|
||||||
|
cpus: 0.5
|
||||||
|
environment:
|
||||||
|
- DEBUG=${VDI_DEBUG:-}
|
||||||
|
- ECRYPTERS=${NODE_VDI_ECRYPTERS:-}
|
||||||
|
- LANG=${NODE_VDI_LANG:-}
|
||||||
|
- SSH_PORT=${NODE_VDI_PORT:-22}
|
||||||
|
- SSH_AUTHORIZED_KEYS=${SSH_AUTHORIZED_KEYS:-}
|
||||||
|
- SSH_PUBLIC_HOSTS=${NODE_SSH_PUBLIC_HOSTS:-}
|
||||||
|
- SUDOERS=${NODE_VDI_SUDOERS:-}
|
||||||
|
- TZ=${NODE_VDI_TZ:-}
|
||||||
|
- USERS=${NODE_VDI_USERS:-}
|
||||||
|
image: ${NODE_DOCKER_REPOSITORY}/vdi:${DOCKER_IMAGE_TAG}
|
||||||
|
networks:
|
||||||
|
- public
|
||||||
|
ports:
|
||||||
|
- ${NODE_VDI_PORT:-22}:${SSH_PORT:-22}
|
||||||
|
restart: unless-stopped
|
||||||
|
security_opt:
|
||||||
|
- apparmor=unconfined # ecryptfs
|
||||||
|
- seccomp=unconfined # ecryptfs
|
||||||
|
tty: true
|
||||||
|
volumes:
|
||||||
|
- home:/home:delegated
|
||||||
|
- shared:/shared:cached
|
||||||
|
- shm:/dev/shm:delegated
|
||||||
|
|
||||||
|
networks:
|
||||||
|
public:
|
||||||
|
external: true
|
||||||
|
name: ${DOCKER_NETWORK_PUBLIC}
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
home:
|
||||||
|
shared:
|
||||||
|
driver: local
|
||||||
|
driver_opts:
|
||||||
|
type: none
|
||||||
|
device: /mnt/shared
|
||||||
|
o: bind
|
||||||
|
shm:
|
||||||
|
driver: local
|
||||||
|
driver_opts:
|
||||||
|
type: tmpfs
|
||||||
|
device: tmpfs
|
||||||
|
o: mode=1777,size=2147483648 # 2GB
|
|
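Review bot: `ports: - ${NODE_VDI_PORT:-22}:${SSH_PORT:-22}` takes the container-side port from the host's `SSH_PORT`, but per the setup_sshd.sh change in this commit sshd inside the container listens on the `SSH_PORT` it receives as an environment variable, which the `environment:` block sets to `${NODE_VDI_PORT:-22}`; when the host's `SSH_PORT` differs from `NODE_VDI_PORT`, the published port points at a port nothing listens on. Use the same source on both sides: `- ${NODE_VDI_PORT:-22}:${NODE_VDI_PORT:-22}`. Separately, `SYS_ADMIN` together with `apparmor=unconfined` and `seccomp=unconfined` on a service attached to the `public` network and running sshd for configurable `USERS` and `SUDOERS` leaves few of the usual container boundaries in place; the inline `# ecryptfs` comments justify each item individually, but a short comment on the service recording that trade-off — and that a sudoer here is root in a near-unconfined container — would help whoever operates it.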
@ -1,5 +1,6 @@
|
||||||
|
VDI_ECRYPTERS=
|
||||||
VDI_LANG=${LANG}
|
VDI_LANG=${LANG}
|
||||||
VDI_PORT=22
|
VDI_PORT=8260
|
||||||
|
VDI_SUDOERS=
|
||||||
VDI_TZ=UTC
|
VDI_TZ=UTC
|
||||||
VDI_USERS=${USER}
|
VDI_USERS=${USER}
|
||||||
VDI_SUDOERS=
|
|
||||||
|
|
|
@ -5,6 +5,7 @@ services:
|
||||||
build:
|
build:
|
||||||
args:
|
args:
|
||||||
- DOCKER_BUILD_DIR=docker/x2go/xfce-debian
|
- DOCKER_BUILD_DIR=docker/x2go/xfce-debian
|
||||||
|
- SSH_PORT=${VDI_PORT:-22}
|
||||||
context: ../..
|
context: ../..
|
||||||
dockerfile: docker/x2go/xfce-debian/Dockerfile
|
dockerfile: docker/x2go/xfce-debian/Dockerfile
|
||||||
cap_add:
|
cap_add:
|
||||||
|
@ -12,15 +13,22 @@ services:
|
||||||
- NET_ADMIN # iptables
|
- NET_ADMIN # iptables
|
||||||
- NET_RAW # iptables
|
- NET_RAW # iptables
|
||||||
- SYS_ADMIN # ecryptfs
|
- SYS_ADMIN # ecryptfs
|
||||||
|
cpus: 0.5
|
||||||
environment:
|
environment:
|
||||||
- DEBUG=${VDI_DEBUG}
|
- DEBUG=${VDI_DEBUG:-}
|
||||||
- ECRYPTERS=${VDI_ECRYPTERS}
|
- ECRYPTERS=${VDI_ECRYPTERS:-}
|
||||||
- LANG=${VDI_LANG}
|
- LANG=${VDI_LANG:-}
|
||||||
- SUDOERS=${VDI_SUDOERS}
|
- SSH_PORT=${VDI_PORT:-22}
|
||||||
- TZ=${VDI_TZ}
|
- SSH_PUBLIC_HOSTS=${SSH_PUBLIC_HOSTS:-}
|
||||||
- USERS=${VDI_USERS}
|
- SUDOERS=${VDI_SUDOERS:-}
|
||||||
|
- TZ=${VDI_TZ:-}
|
||||||
|
- USERS=${VDI_USERS:-}
|
||||||
|
image: ${DOCKER_REPOSITORY}/vdi:${DOCKER_IMAGE_TAG}
|
||||||
|
networks:
|
||||||
|
- private
|
||||||
|
- public
|
||||||
ports:
|
ports:
|
||||||
- "${VDI_PORT}:22"
|
- ${SSH_PORT}
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
security_opt:
|
security_opt:
|
||||||
- apparmor=unconfined # ecryptfs
|
- apparmor=unconfined # ecryptfs
|
||||||
|
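Review bot: `ports: - ${SSH_PORT}` publishes the container port named by the host's `SSH_PORT` (apparently the makefile default of 22), while the build arg and `SSH_PORT` environment entry added in this same file derive from `${VDI_PORT:-22}` and the accompanying .env change sets `VDI_PORT=8260`; in the default setup sshd therefore listens on 8260 inside the container while port 22 is the one published. It is also the only interpolation in the block without a `:-` default, so an unset `SSH_PORT` yields an empty ports entry that compose rejects. Use the variable that configures sshd: `- ${VDI_PORT:-22}`. The previous form also pinned the host port (`"${VDI_PORT}:22"`); if a stable host port is still wanted, `- ${VDI_PORT:-22}:${VDI_PORT:-22}` restores it, otherwise a comment that the host port is now ephemeral would spare the next reader a surprise.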
@ -31,6 +39,14 @@ services:
|
||||||
- vdi-shared:/shared:cached
|
- vdi-shared:/shared:cached
|
||||||
- vdi-shm:/dev/shm:delegated
|
- vdi-shm:/dev/shm:delegated
|
||||||
|
|
||||||
|
networks:
|
||||||
|
private:
|
||||||
|
external: true
|
||||||
|
name: ${DOCKER_NETWORK_PRIVATE}
|
||||||
|
public:
|
||||||
|
external: true
|
||||||
|
name: ${DOCKER_NETWORK_PUBLIC}
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
vdi-home:
|
vdi-home:
|
||||||
vdi-shared:
|
vdi-shared:
|
||||||
|
|