add x2go/xfce-debian docker image

* VDI server with temporary encrypted /home

docker/x2go/xfce-debian/Dockerfile

@@ -0,0 +1,27 @@
+FROM danger89/xfcevdi_x2go as dist
+LABEL maintainer aynic.os <support+docker@asycn.io>
+ARG DOCKER_BUILD_DIR
+
+RUN apt-get update \
+ && apt-get -fy upgrade \
+ && apt-get -fy install \
+    ecryptfs-utils \
+    fail2ban \
+    iptables \
+    neovim \
+ && apt-get clean \
+ && rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
+
+COPY ${DOCKER_BUILD_DIR}/run.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_ecryptfs.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_locales.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_sshd.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_timezone.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_users.sh /app
+
+CMD []
+ENTRYPOINT ["/app/run.sh"]
+HEALTHCHECK CMD timeout 1 bash -c "</dev/tcp/localhost/22" 2>/dev/null 
+
+FROM dist as master
+ARG DOCKER_BUILD_DIR

docker/x2go/xfce-debian/run.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+### every exit != 0 fails the script
+set -eu
+
+if [ ! -f /app/.setup_done ]; then
+  /app/setup.sh
+  /app/setup_locales.sh
+  /app/setup_sshd.sh
+  /app/setup_timezone.sh
+fi
+
+# /home is mounted in RAM and does not survive on restart
+/app/setup_ecryptfs.sh
+/app/setup_users.sh
+
+## Start-up our services manually (since Docker container will not invoke all init scripts).
+## However, some service do start automatically, when placed and NOT-hidden in: /etc/xdg/autostart folder.
+
+# Start SSH daemon
+service ssh start
+# Start dbus system daemon
+service dbus start
+# Start syslog (for debugging reasons)
+service rsyslog start
+# prevent fail2ban to fail starting
+touch /var/log/auth.log
+# prevent fail2ban to fail restarting
+rm -f /var/run/fail2ban/fail2ban.sock
+# Start fail2ban (for security reasons)
+service fail2ban start
+
+cleanup() {
+  /bin/umount -fl /home
+  service dbus stop
+  service fail2ban stop
+  service rsyslog stop
+  service ssh stop
+  kill $PID 2>/dev/null
+  exit
+}
+
+trap "cleanup" INT TERM
+
+if [ $# -eq 0 ]; then
+  exec tail -f /dev/null &
+  PID=$! && wait
+else
+  # WARNING: cleanup is not called
+  exec /bin/bash -c "set -e && $@"
+fi
+cleanup

docker/x2go/xfce-debian/setup_ecryptfs.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eu
+
+CIPHER="${ECRYPTFS_CIPHER:-aes}"
+KEY_BYTES="${ECRYPTFS_KEY_BYTES:-32}"
+LOWER_DIR="${ECRYPTFS_LOWER_DIR:-/home}"
+UPPER_DIR="${ECRYPTFS_UPPER_DIR:-${LOWER_DIR}}"
+ALIAS="${ECRYPTFS_ALIAS:-${LOWER_DIR##*/}}"
+PASSPHRASE="${ECRYPTFS_PASSPHRASE:-$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)}"
+KEY="${ECRYPTFS_KEY:-passphrase:passphrase_passwd=${PASSPHRASE}}"
+SIG="${ECRYPTFS_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase - |/usr/bin/awk '$5 == "sig" {print substr($6,2,16); exit;}')}"
+FNEK_SIG="${ECRYPTFS_FNEK_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase --fnek - |/usr/bin/awk '$5 == "sig" && NR == 2 {print substr($6,2,16)}')}"
+
+mkdir -p ${LOWER_DIR} ${UPPER_DIR} ${HOME}/.ecryptfs
+printf "%s\n" "${LOWER_DIR} ${UPPER_DIR} ecryptfs" > ${HOME}/.ecryptfs/${ALIAS}.conf
+printf "%s\n" "${SIG}" > ${HOME}/.ecryptfs/${ALIAS}.sig
+printf "%s\n" "${FNEK_SIG}" >> ${HOME}/.ecryptfs/${ALIAS}.sig
+# mount.ecryptfs_private ${ALIAS}
+
+/bin/mount -t ecryptfs -o \
+key="${KEY}",\
+no_sig_cache,\
+ecryptfs_cipher="${CIPHER}",\
+ecryptfs_enable_filename=y,\
+ecryptfs_enable_filename_crypto=y,\
+ecryptfs_fnek_sig="${FNEK_SIG}",\
+ecryptfs_key_bytes="${KEY_BYTES}",\
+ecryptfs_passthrough=n,\
+ecryptfs_unlink_sigs\
+ "${LOWER_DIR}" "${UPPER_DIR}" 1>/dev/null
+
+# Overwrite sensible variables with random data
+ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
+PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"

docker/x2go/xfce-debian/setup_locales.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+
+LANG=${LANG:-C.UTF-8}
+LOCALES=${LOCALES:-${LANG} ${LANG##*.}}
+printf "LANG=%s\n" "${LANG}" > /etc/default/locale
+rm /etc/locale.gen && printf "%s\n" "${LOCALES}" |while read locale; do
+  printf "%s\n" "${locale}" >> /etc/locale.gen
+done && locale-gen

docker/x2go/xfce-debian/setup_sshd.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+set -eu
+
+sed -i "s/^#\?PasswordAuthentication.*/PasswordAuthentication no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitTTY.*/PermitTTY no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitTunnel.*/PermitTunnel no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PrintLastLog.*/PrintLastLog yes/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
+sed -i "s/^#\?X11Forwarding.*/X11Forwarding no/g" /etc/ssh/sshd_config
+
+cat >> /etc/ssh/sshd_config <<EOF
+Match group x2gouser
+  AllowAgentForwarding yes
+  AllowTcpForwarding yes
+  PermitTTY yes
+EOF

docker/x2go/xfce-debian/setup_timezone.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+
+TZ="${TZ:-UTC}"
+printf "%s\n" "${TZ}" > /etc/timezone
+unlink /etc/localtime && ln -s "/usr/share/zoneinfo/${TZ}" /etc/localtime

docker/x2go/xfce-debian/setup_users.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+set -eu
+
+for user in ${USERS:-${USERNAME}}; do
+  id ${user} > /dev/null 2>&1 || useradd -ms /bin/bash ${user}
+  usermod -a -G x2gouser ${user}
+  mkdir -p /home/${user}/.ssh
+  wget -qO /home/${user}/.ssh/authorized_keys https://github.com/${user}.keys
+  chown -R ${user} /home/${user}/.ssh
+done
+for sudoer in ${SUDOERS:-}; do
+  usermod -a -G sudo ${sudoer}
+done
+mkdir -p /home/shared && chmod 1777 /home/shared

stack/x2go/.env.dist

@@ -0,0 +1,5 @@
+VDI_LANG=${LANG}
+VDI_PORT=22
+VDI_TZ=UTC
+VDI_USERS=${USER}
+VDI_SUDOERS=

stack/x2go/xfce_debian.yml

@@ -0,0 +1,35 @@
+version: '3.8'
+
+services:
+  vdi:
+    build:
+      args:
+      - DOCKER_BUILD_DIR=docker/x2go/xfce-debian
+      context: ../..
+      dockerfile: docker/x2go/xfce-debian/Dockerfile
+    cap_add:
+    - IPC_LOCK # ecryptfs
+    - NET_ADMIN # iptables
+    - NET_RAW # iptables
+    - SYS_ADMIN # ecryptfs
+    environment:
+    - LANG=${VDI_LANG}
+    - SUDOERS=${VDI_SUDOERS}
+    - TZ=${VDI_TZ}
+    - USERS=${VDI_USERS}
+    ports:
+    - "${VDI_PORT}:22"
+    restart: unless-stopped
+    security_opt:
+    - apparmor=unconfined # ecryptfs
+    - seccomp=unconfined # ecryptfs
+    tty: true
+    volumes:
+    - type: tmpfs
+      target: /home
+      tmpfs:
+        size: 8589934592 # 8GB
+    - type: tmpfs
+      target: /dev/shm
+      tmpfs:
+        size: 2147483648 # 2GB