add x2go/xfce-debian docker image
* VDI server with temporary encrypted /home
parent
093b99b0e3
commit
f05f55cfdd
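--- a/docker/x2go/xfce-debian/Dockerfile
+++ b/docker/x2go/xfce-debian/Dockerfile
@@ -0,0 +1,27 @@
+FROM danger89/xfcevdi_x2go as dist
+LABEL maintainer aynic.os <support+docker@asycn.io>
+ARG DOCKER_BUILD_DIR
+
+RUN apt-get update \
+&& apt-get -fy upgrade \
+&& apt-get -fy install \
+ecryptfs-utils \
+fail2ban \
+iptables \
+neovim \
+&& apt-get clean \
+&& rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
+
+COPY ${DOCKER_BUILD_DIR}/run.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_ecryptfs.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_locales.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_sshd.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_timezone.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_users.sh /app
+
+CMD []
+ENTRYPOINT ["/app/run.sh"]
+HEALTHCHECK CMD timeout 1 bash -c "</dev/tcp/localhost/22" 2>/dev/null
+
+FROM dist as master
+ARG DOCKER_BUILD_DIR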
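Review bot: The six `COPY ${DOCKER_BUILD_DIR}/…sh /app` lines depend on `/app` already existing as a directory in the base image; with no trailing slash Docker treats a missing `/app` as the destination file name, so each copy would overwrite the previous script instead of populating a directory. Writing the destination as `/app/` (e.g. `COPY ${DOCKER_BUILD_DIR}/run.sh /app/`) removes that dependence on the base layer. Separately, `FROM danger89/xfcevdi_x2go` carries neither a tag nor a digest and the `RUN` layer performs a blanket `apt-get -fy upgrade` with unpinned packages, so two builds of this Dockerfile can differ in content and a review of one image says nothing about the next; pin the base as `FROM danger89/xfcevdi_x2go:<TAG>@sha256:<DIGEST>` and rely on bumping that pin rather than upgrading at build time. Since `setup_users.sh` fetches over HTTPS with `wget`, it is worth confirming that the base image ships `ca-certificates`, which this layer does not install.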
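--- a/docker/x2go/xfce-debian/run.sh
+++ b/docker/x2go/xfce-debian/run.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+### every exit != 0 fails the script
+set -eu
+
+if [ ! -f /app/.setup_done ]; then
+/app/setup.sh
+/app/setup_locales.sh
+/app/setup_sshd.sh
+/app/setup_timezone.sh
+fi
+
+# /home is mounted in RAM and does not survive on restart
+/app/setup_ecryptfs.sh
+/app/setup_users.sh
+
+## Start-up our services manually (since Docker container will not invoke all init scripts).
+## However, some service do start automatically, when placed and NOT-hidden in: /etc/xdg/autostart folder.
+
+# Start SSH daemon
+service ssh start
+# Start dbus system daemon
+service dbus start
+# Start syslog (for debugging reasons)
+service rsyslog start
+# prevent fail2ban to fail starting
+touch /var/log/auth.log
+# prevent fail2ban to fail restarting
+rm -f /var/run/fail2ban/fail2ban.sock
+# Start fail2ban (for security reasons)
+service fail2ban start
+
+cleanup() {
+/bin/umount -fl /home
+service dbus stop
+service fail2ban stop
+service rsyslog stop
+service ssh stop
+kill $PID 2>/dev/null
+exit
+}
+
+trap "cleanup" INT TERM
+
+if [ $# -eq 0 ]; then
+exec tail -f /dev/null &
+PID=$! && wait
+else
+# WARNING: cleanup is not called
+exec /bin/bash -c "set -e && $@"
+fi
+cleanup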
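Review bot: `exec /bin/bash -c "set -e && $@"` splits the user's command across bash's arguments: inside double quotes `$@` expands to separate words, so `docker run <image> ls -la` becomes `bash -c 'set -e && ls' '-la'`, where `-la` ends up as `$0` rather than an argument to `ls`. If a single shell string is intended use `"$*"`; the simpler and safer form is `exec "$@"`, which runs the command without re-parsing it through a shell. Also, `/app/.setup_done` is tested at the top but nothing in this commit creates it; unless `/app/setup.sh` from the base image writes that marker, `setup_sshd.sh` re-runs on every restart and appends its `Match` block again, so the owner of the marker should be named in a comment, e.g. `# .setup_done is written by /app/setup.sh (base image)` if that is indeed the case. A smaller ordering point: `cleanup` unmounts `/home` before stopping `ssh` and the other services, so live sessions lose their home directory before they are shut down; stopping the services first and unmounting last is the usual order.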
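--- a/docker/x2go/xfce-debian/setup_ecryptfs.sh
+++ b/docker/x2go/xfce-debian/setup_ecryptfs.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eu
+
+CIPHER="${ECRYPTFS_CIPHER:-aes}"
+KEY_BYTES="${ECRYPTFS_KEY_BYTES:-32}"
+LOWER_DIR="${ECRYPTFS_LOWER_DIR:-/home}"
+UPPER_DIR="${ECRYPTFS_UPPER_DIR:-${LOWER_DIR}}"
+ALIAS="${ECRYPTFS_ALIAS:-${LOWER_DIR##*/}}"
+PASSPHRASE="${ECRYPTFS_PASSPHRASE:-$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)}"
+KEY="${ECRYPTFS_KEY:-passphrase:passphrase_passwd=${PASSPHRASE}}"
+SIG="${ECRYPTFS_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase - |/usr/bin/awk '$5 == "sig" {print substr($6,2,16); exit;}')}"
+FNEK_SIG="${ECRYPTFS_FNEK_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase --fnek - |/usr/bin/awk '$5 == "sig" && NR == 2 {print substr($6,2,16)}')}"
+
+mkdir -p ${LOWER_DIR} ${UPPER_DIR} ${HOME}/.ecryptfs
+printf "%s\n" "${LOWER_DIR} ${UPPER_DIR} ecryptfs" > ${HOME}/.ecryptfs/${ALIAS}.conf
+printf "%s\n" "${SIG}" > ${HOME}/.ecryptfs/${ALIAS}.sig
+printf "%s\n" "${FNEK_SIG}" >> ${HOME}/.ecryptfs/${ALIAS}.sig
+# mount.ecryptfs_private ${ALIAS}
+
+/bin/mount -t ecryptfs -o \
+key="${KEY}",\
+no_sig_cache,\
+ecryptfs_cipher="${CIPHER}",\
+ecryptfs_enable_filename=y,\
+ecryptfs_enable_filename_crypto=y,\
+ecryptfs_fnek_sig="${FNEK_SIG}",\
+ecryptfs_key_bytes="${KEY_BYTES}",\
+ecryptfs_passthrough=n,\
+ecryptfs_unlink_sigs\
+"${LOWER_DIR}" "${UPPER_DIR}" 1>/dev/null
+
+# Overwrite sensible variables with random data
+ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
+PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"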
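Review bot: `key="${KEY}"` passes the passphrase to `/bin/mount` on its command line (`passphrase_passwd=…` inside `KEY`), so for the duration of the mount it is readable from that process's `/proc/<pid>/cmdline` by any process in the container and can end up in process-accounting or audit output. Supplying it out-of-band is the fix: write it to a mode-0600 file and use `KEY="${ECRYPTFS_KEY:-passphrase:passphrase_passwd_file=<path>}"`, deleting the file right after the mount returns. The two assignments under `# Overwrite sensible variables with random data` only replace shell variables that vanish when this script exits; they do not scrub the value from the `mount` and `ecryptfs-add-passphrase` processes that already consumed it, nor from the parent's environment when `ECRYPTFS_PASSPHRASE` was supplied externally, and the comment should say that much (`sensible` here reads as `sensitive`). The `SIG`/`FNEK_SIG` lines also deserve a comment, since they parse the informational output of `ecryptfs-add-passphrase` by field position, which may shift between ecryptfs-utils versions: `# extracts the 16-hex-char sig from ecryptfs-add-passphrase's message by field; re-check on upgrades`.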
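--- a/docker/x2go/xfce-debian/setup_locales.sh
+++ b/docker/x2go/xfce-debian/setup_locales.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+
+LANG=${LANG:-C.UTF-8}
+LOCALES=${LOCALES:-${LANG} ${LANG##*.}}
+printf "LANG=%s\n" "${LANG}" > /etc/default/locale
+rm /etc/locale.gen && printf "%s\n" "${LOCALES}" |while read locale; do
+printf "%s\n" "${locale}" >> /etc/locale.gen
+done && locale-gen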
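Review bot: `rm /etc/locale.gen` aborts under `set -e` when the file is absent (slim Debian images, or a rerun after an earlier failure), leaving `/etc/default/locale` rewritten but no locale generated; `rm -f /etc/locale.gen` keeps the intent and tolerates that case. The default `LOCALES=${LOCALES:-${LANG} ${LANG##*.}}` expands to a single `locale.gen` entry (`C.UTF-8 UTF-8`) and the `while read` loop splits only on newlines, so callers supplying several locales must separate them with newlines rather than spaces — a comment such as `# LOCALES: one "<locale> <charset>" pair per line` above the variable would make that contract visible. It is also worth confirming on the base image that `locale-gen` accepts a `C.UTF-8 UTF-8` entry, since `C.UTF-8` is often provided by glibc itself rather than generated.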
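--- a/docker/x2go/xfce-debian/setup_sshd.sh
+++ b/docker/x2go/xfce-debian/setup_sshd.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -eu
+
+sed -i "s/^#\?PasswordAuthentication.*/PasswordAuthentication no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitTTY.*/PermitTTY no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitTunnel.*/PermitTunnel no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PrintLastLog.*/PrintLastLog yes/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
+sed -i "s/^#\?X11Forwarding.*/X11Forwarding no/g" /etc/ssh/sshd_config
+
+cat >> /etc/ssh/sshd_config <<EOF
+Match group x2gouser
+AllowAgentForwarding yes
+AllowTcpForwarding yes
+PermitTTY yes
+EOF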
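Review bot: The `cat >> /etc/ssh/sshd_config <<EOF` append is unconditional, so every execution of this script adds another `Match group x2gouser` block; nothing in the hunk guards re-entry, and the only guard elsewhere in this commit (`/app/.setup_done` in run.sh) is checked but not created here. Guard it, e.g. `grep -q '^Match group x2gouser' /etc/ssh/sshd_config || cat >> /etc/ssh/sshd_config <<EOF`, and end the script with `sshd -t` so a broken config fails at setup time instead of when `service ssh start` runs. The `sed -i "s/^#\?Option.*/Option value/g"` lines only rewrite directives that already appear (commented or not) in the base image's `sshd_config`; a directive missing from that file is silently left at its compiled-in default, so checking the effective values afterwards with `sshd -T` is the cheap way to confirm the hardening applied.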
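--- a/docker/x2go/xfce-debian/setup_timezone.sh
+++ b/docker/x2go/xfce-debian/setup_timezone.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+
+TZ="${TZ:-UTC}"
+printf "%s\n" "${TZ}" > /etc/timezone
+unlink /etc/localtime && ln -s "/usr/share/zoneinfo/${TZ}" /etc/localtime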
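Review bot: `unlink /etc/localtime && ln -s "/usr/share/zoneinfo/${TZ}" /etc/localtime` has two failure modes: `unlink` aborts the script under `set -e` when `/etc/localtime` is already absent, leaving `/etc/timezone` updated but no link, and `ln -s` happily creates a dangling link when `TZ` (operator-supplied through the container environment) names a zone that does not exist. Check the zone first and let `ln` replace the link atomically: `[ -f "/usr/share/zoneinfo/${TZ}" ] || { echo "unknown TZ: ${TZ}" >&2; exit 1; }` followed by `ln -sfn "/usr/share/zoneinfo/${TZ}" /etc/localtime`.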
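--- a/docker/x2go/xfce-debian/setup_users.sh
+++ b/docker/x2go/xfce-debian/setup_users.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -eu
+
+for user in ${USERS:-${USERNAME}}; do
+id ${user} > /dev/null 2>&1 || useradd -ms /bin/bash ${user}
+usermod -a -G x2gouser ${user}
+mkdir -p /home/${user}/.ssh
+wget -qO /home/${user}/.ssh/authorized_keys https://github.com/${user}.keys
+chown -R ${user} /home/${user}/.ssh
+done
+for sudoer in ${SUDOERS:-}; do
+usermod -a -G sudo ${sudoer}
+done
+mkdir -p /home/shared && chmod 1777 /home/shared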
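Review bot: `wget -qO /home/${user}/.ssh/authorized_keys https://github.com/${user}.keys` truncates `authorized_keys` before the download starts, and with `-q` and `set -e` a failure to reach github.com leaves the file empty and aborts; because run.sh calls this script under `set -e` before starting sshd, a transient outage takes the whole container down (and `restart: unless-stopped` in the compose file then loops it). Download to a temporary name and move it into place only on success, then tighten permissions as defence in depth: `wget -qO "/home/${user}/.ssh/authorized_keys.tmp" "https://github.com/${user}.keys" && mv "/home/${user}/.ssh/authorized_keys.tmp" "/home/${user}/.ssh/authorized_keys"` followed by `chmod 700 "/home/${user}/.ssh" && chmod 600 "/home/${user}/.ssh/authorized_keys"`. The trust model deserves a comment above the loop, since the container login name is used verbatim as a GitHub account and whoever controls that account (or can edit `USERS`) obtains shell access: `# each name in USERS is treated as a GitHub account; its published keys become authorized_keys`. Quoting `${user}` throughout also avoids word-splitting and glob expansion if `USERS` ever carries unexpected characters.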
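--- a/PLACEHOLDER-PATH-NOT-ON-PAGE
+++ b/PLACEHOLDER-PATH-NOT-ON-PAGE
@@ -0,0 +1,5 @@
+VDI_LANG=${LANG}
+VDI_PORT=22
+VDI_TZ=UTC
+VDI_USERS=${USER}
+VDI_SUDOERS=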
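Review bot: `VDI_PORT=22` publishes the container's sshd on host port 22, which collides with a host sshd where one is running and, through the compose `ports` mapping, listens on every host interface; a high default such as `VDI_PORT=2222` is the safer starting point, with a comment noting what it maps to. `VDI_USERS=${USER}` depends on the compose implementation interpolating the host shell's `USER` into this file; if it does not, `USERS` arrives empty, `setup_users.sh` falls back to `${USERNAME}` and aborts under `set -u` when that is unset as well. A comment such as `# VDI_USERS: space-separated GitHub account names whose public keys grant SSH access` would document both the format and the trust implication.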
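--- a/PLACEHOLDER-PATH-NOT-ON-PAGE
+++ b/PLACEHOLDER-PATH-NOT-ON-PAGE
@@ -0,0 +1,35 @@
+version: '3.8'
+
+services:
+vdi:
+build:
+args:
+- DOCKER_BUILD_DIR=docker/x2go/xfce-debian
+context: ../..
+dockerfile: docker/x2go/xfce-debian/Dockerfile
+cap_add:
+- IPC_LOCK # ecryptfs
+- NET_ADMIN # iptables
+- NET_RAW # iptables
+- SYS_ADMIN # ecryptfs
+environment:
+- LANG=${VDI_LANG}
+- SUDOERS=${VDI_SUDOERS}
+- TZ=${VDI_TZ}
+- USERS=${VDI_USERS}
+ports:
+- "${VDI_PORT}:22"
+restart: unless-stopped
+security_opt:
+- apparmor=unconfined # ecryptfs
+- seccomp=unconfined # ecryptfs
+tty: true
+volumes:
+- type: tmpfs
+target: /home
+tmpfs:
+size: 8589934592 # 8GB
+- type: tmpfs
+target: /dev/shm
+tmpfs:
+size: 2147483648 # 2GB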
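Review bot: `cap_add: SYS_ADMIN` together with `apparmor=unconfined` and `seccomp=unconfined` removes most of the kernel-side containment for a container whose PID 1 runs as root and accepts network logins; the `# ecryptfs` comments record the motivation but nothing bounds the grant. If the mount genuinely needs these, add `cap_drop: [ALL]` ahead of the four `cap_add` entries, consider `no-new-privileges:true` under `security_opt` (noting that it blocks setuid `sudo`, which `SUDOERS` relies on), and record in a comment which specific operation forced each profile off (`# seccomp/apparmor unconfined because: <operation that failed under the default profile>`) so a later reviewer can attempt a custom profile instead of `unconfined`. The `/home` tmpfs is the lower directory that `setup_ecryptfs.sh` mounts its encrypted view over, which is what the commit message means by a temporary encrypted home; a one-line comment on that volume entry would save readers from cross-referencing the script.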