add x2go/xfce-debian docker image
* VDI server with temporary encrypted /home
This commit is contained in:
parent
093b99b0e3
commit
f05f55cfdd
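--- /dev/null
+++ b/docker/x2go/xfce-debian/Dockerfile
@@ -0,0 +1,27 @@
+FROM danger89/xfcevdi_x2go as dist
+LABEL maintainer aynic.os <support+docker@asycn.io>
+ARG DOCKER_BUILD_DIR
+
+RUN apt-get update \
+&& apt-get -fy upgrade \
+&& apt-get -fy install \
+ecryptfs-utils \
+fail2ban \
+iptables \
+neovim \
+&& apt-get clean \
+&& rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*
+
+COPY ${DOCKER_BUILD_DIR}/run.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_ecryptfs.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_locales.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_sshd.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_timezone.sh /app
+COPY ${DOCKER_BUILD_DIR}/setup_users.sh /app
+
+CMD []
+ENTRYPOINT ["/app/run.sh"]
+HEALTHCHECK CMD timeout 1 bash -c "</dev/tcp/localhost/22" 2>/dev/null
+
+FROM dist as master
+ARG DOCKER_BUILD_DIR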
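Review bot: `FROM danger89/xfcevdi_x2go as dist` on the first line pins neither a tag nor a digest, and the RUN below it adds a blanket `apt-get -fy upgrade` with unpinned packages, so the image content depends on whatever upstream publishes at build time; pin the base (`FROM danger89/xfcevdi_x2go:<tag>@sha256:<digest> AS dist`) and prefer bumping that pin over `upgrade`. The six `COPY ${DOCKER_BUILD_DIR}/….sh /app` lines appear to rely on `/app` already existing as a directory in the base (run.sh calls `/app/setup.sh`, which this commit does not copy); a trailing slash, `COPY ${DOCKER_BUILD_DIR}/run.sh /app/`, states that intent and keeps working if the base ever drops the directory. The hunk header gives the file 27 lines and the last one is `ARG DOCKER_BUILD_DIR` in the `master` stage, so that stage currently adds nothing over `dist` and deserves a comment saying why it exists.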
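--- /dev/null
+++ b/docker/x2go/xfce-debian/run.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+### every exit != 0 fails the script
+set -eu
+
+if [ ! -f /app/.setup_done ]; then
+/app/setup.sh
+/app/setup_locales.sh
+/app/setup_sshd.sh
+/app/setup_timezone.sh
+fi
+
+# /home is mounted in RAM and does not survive on restart
+/app/setup_ecryptfs.sh
+/app/setup_users.sh
+
+## Start-up our services manually (since Docker container will not invoke all init scripts).
+## However, some service do start automatically, when placed and NOT-hidden in: /etc/xdg/autostart folder.
+
+# Start SSH daemon
+service ssh start
+# Start dbus system daemon
+service dbus start
+# Start syslog (for debugging reasons)
+service rsyslog start
+# prevent fail2ban to fail starting
+touch /var/log/auth.log
+# prevent fail2ban to fail restarting
+rm -f /var/run/fail2ban/fail2ban.sock
+# Start fail2ban (for security reasons)
+service fail2ban start
+
+cleanup() {
+/bin/umount -fl /home
+service dbus stop
+service fail2ban stop
+service rsyslog stop
+service ssh stop
+kill $PID 2>/dev/null
+exit
+}
+
+trap "cleanup" INT TERM
+
+if [ $# -eq 0 ]; then
+exec tail -f /dev/null &
+PID=$! && wait
+else
+# WARNING: cleanup is not called
+exec /bin/bash -c "set -e && $@"
+fi
+cleanup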
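Review bot: Nothing in this commit creates `/app/.setup_done`, so the `if [ ! -f /app/.setup_done ]` guard never short-circuits unless `/app/setup.sh` from the base image writes it; as written, the locale, sshd and timezone setup re-runs on every start and `setup_sshd.sh` appends a further `Match` block to sshd_config each time, so add `touch /app/.setup_done` right after the `fi`. In `cleanup`, `kill $PID` runs under `set -eu` while `PID` is only assigned after `exec tail -f /dev/null &`, so a signal arriving before that point makes the trap handler die on an unbound variable instead of reaching `exit`; initialise `PID=` before `trap "cleanup" INT TERM` and write `[ -n "$PID" ] && kill "$PID" 2>/dev/null`. The `exec` in `exec tail -f /dev/null &` has no effect on a background job and can be dropped.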
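--- /dev/null
+++ b/docker/x2go/xfce-debian/setup_ecryptfs.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eu
+
+CIPHER="${ECRYPTFS_CIPHER:-aes}"
+KEY_BYTES="${ECRYPTFS_KEY_BYTES:-32}"
+LOWER_DIR="${ECRYPTFS_LOWER_DIR:-/home}"
+UPPER_DIR="${ECRYPTFS_UPPER_DIR:-${LOWER_DIR}}"
+ALIAS="${ECRYPTFS_ALIAS:-${LOWER_DIR##*/}}"
+PASSPHRASE="${ECRYPTFS_PASSPHRASE:-$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)}"
+KEY="${ECRYPTFS_KEY:-passphrase:passphrase_passwd=${PASSPHRASE}}"
+SIG="${ECRYPTFS_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase - |/usr/bin/awk '$5 == "sig" {print substr($6,2,16); exit;}')}"
+FNEK_SIG="${ECRYPTFS_FNEK_SIG:-$(printf "%s" "${PASSPHRASE}" |/usr/bin/ecryptfs-add-passphrase --fnek - |/usr/bin/awk '$5 == "sig" && NR == 2 {print substr($6,2,16)}')}"
+
+mkdir -p ${LOWER_DIR} ${UPPER_DIR} ${HOME}/.ecryptfs
+printf "%s\n" "${LOWER_DIR} ${UPPER_DIR} ecryptfs" > ${HOME}/.ecryptfs/${ALIAS}.conf
+printf "%s\n" "${SIG}" > ${HOME}/.ecryptfs/${ALIAS}.sig
+printf "%s\n" "${FNEK_SIG}" >> ${HOME}/.ecryptfs/${ALIAS}.sig
+# mount.ecryptfs_private ${ALIAS}
+
+/bin/mount -t ecryptfs -o \
+key="${KEY}",\
+no_sig_cache,\
+ecryptfs_cipher="${CIPHER}",\
+ecryptfs_enable_filename=y,\
+ecryptfs_enable_filename_crypto=y,\
+ecryptfs_fnek_sig="${FNEK_SIG}",\
+ecryptfs_key_bytes="${KEY_BYTES}",\
+ecryptfs_passthrough=n,\
+ecryptfs_unlink_sigs\
+"${LOWER_DIR}" "${UPPER_DIR}" 1>/dev/null
+
+# Overwrite sensible variables with random data
+ECRYPTFS_PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"
+PASSPHRASE="$(/usr/bin/base64 /dev/urandom |/usr/bin/head -c 64)"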
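Review bot: The two assignments under `# Overwrite sensible variables with random data` rebind variables of this script's own process only; an `ECRYPTFS_PASSPHRASE` supplied through the container environment stays in run.sh's environment, in every service it starts afterwards and in the container config, so the comment overstates the effect — reword it to `# scrub this script's copies; an inherited ECRYPTFS_PASSPHRASE must be unset by the caller` and have run.sh `unset ECRYPTFS_PASSPHRASE` before `service ssh start`. The passphrase is also handed to `/bin/mount` inside the `key=` option, where it sits in that process's command line while the mount runs; the `ecryptfs-add-passphrase` calls that compute `SIG` have already loaded the key into the keyring, so `ecryptfs_sig="${SIG}"` in place of `key="${KEY}"` would keep the secret off the command line (confirm the mount helper accepts that non-interactively together with `no_sig_cache`). Note too that `ecryptfs_unlink_sigs\` is joined directly to the following `"${LOWER_DIR}" "${UPPER_DIR}"` line, so the command only parses if that line carries leading whitespace, which this rendering does not show; a space before the backslash removes the dependency.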
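--- /dev/null
+++ b/docker/x2go/xfce-debian/setup_locales.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+
+LANG=${LANG:-C.UTF-8}
+LOCALES=${LOCALES:-${LANG} ${LANG##*.}}
+printf "LANG=%s\n" "${LANG}" > /etc/default/locale
+rm /etc/locale.gen && printf "%s\n" "${LOCALES}" |while read locale; do
+printf "%s\n" "${locale}" >> /etc/locale.gen
+done && locale-gen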
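Review bot: `rm /etc/locale.gen` on the second-to-last line aborts the whole start-up under `set -eu` if the file is absent (e.g. after a previous run that failed between the `rm` and the first append), and `read locale` without `-r` mangles backslashes; `: > /etc/locale.gen` (or `rm -f`) and `read -r locale` keep the intent and remove both failure modes. The default `${LANG} ${LANG##*.}` yields a single entry such as `C.UTF-8 UTF-8`, which is worth a comment, because a caller overriding `LOCALES` has to pass newline-separated `locale charset` pairs for the `while read` loop to generate more than one.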
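--- /dev/null
+++ b/docker/x2go/xfce-debian/setup_sshd.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -eu
+
+sed -i "s/^#\?PasswordAuthentication.*/PasswordAuthentication no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitTTY.*/PermitTTY no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitTunnel.*/PermitTunnel no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PrintLastLog.*/PrintLastLog yes/g" /etc/ssh/sshd_config
+sed -i "s/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
+sed -i "s/^#\?X11Forwarding.*/X11Forwarding no/g" /etc/ssh/sshd_config
+
+cat >> /etc/ssh/sshd_config <<EOF
+Match group x2gouser
+AllowAgentForwarding yes
+AllowTcpForwarding yes
+PermitTTY yes
+EOF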
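Review bot: The `Match group x2gouser` block appended with `cat >>` grants `AllowAgentForwarding yes` and `AllowTcpForwarding yes`, but nothing sets those two directives to `no` in the global section first — sshd defaults both to yes — so the block does not confine forwarding to x2gouser members the way the neighbouring `PermitTTY no`/`PermitTTY yes` pair does; add `AllowAgentForwarding no` and `AllowTcpForwarding no` ahead of the Match line if that restriction is intended. The `sed -i "s/^#\?…/…/g"` edits are silent no-ops when a directive is absent from the base image's sshd_config, so either append the hardened values instead of substituting, or end the script with `sshd -T | grep -Ei 'passwordauthentication|permitrootlogin'` to surface the effective settings in the start-up log. The `cat >>` is also not idempotent: each run adds another Match block, so guard it with `grep -q '^Match group x2gouser' /etc/ssh/sshd_config ||` before the heredoc.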
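--- /dev/null
+++ b/docker/x2go/xfce-debian/setup_timezone.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+
+TZ="${TZ:-UTC}"
+printf "%s\n" "${TZ}" > /etc/timezone
+unlink /etc/localtime && ln -s "/usr/share/zoneinfo/${TZ}" /etc/localtime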
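Review bot: The final line does not check that `/usr/share/zoneinfo/${TZ}` exists, so a mistyped `TZ` leaves `/etc/localtime` as a dangling symlink, and `unlink /etc/localtime` aborts the whole start-up under `set -eu` if the base image has no such file; insert `[ -f "/usr/share/zoneinfo/${TZ}" ] || { echo "unknown TZ: ${TZ}" >&2; exit 1; }` before it and replace `unlink … && ln -s` with `ln -sf "/usr/share/zoneinfo/${TZ}" /etc/localtime`. Because `TZ` is used as a path component, that existence check is also the natural place to reject values containing `..` or starting with `/`.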
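--- /dev/null
+++ b/docker/x2go/xfce-debian/setup_users.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -eu
+
+for user in ${USERS:-${USERNAME}}; do
+id ${user} > /dev/null 2>&1 || useradd -ms /bin/bash ${user}
+usermod -a -G x2gouser ${user}
+mkdir -p /home/${user}/.ssh
+wget -qO /home/${user}/.ssh/authorized_keys https://github.com/${user}.keys
+chown -R ${user} /home/${user}/.ssh
+done
+for sudoer in ${SUDOERS:-}; do
+usermod -a -G sudo ${sudoer}
+done
+mkdir -p /home/shared && chmod 1777 /home/shared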
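Review bot: When the container is restarted rather than recreated (compose sets `restart: unless-stopped` and mounts `/home` as tmpfs), `id ${user}` succeeds because the account persists in /etc/passwd, so `useradd -m` is skipped and `/home/${user}` is created root-owned by `mkdir -p /home/${user}/.ssh`; the closing `chown -R ${user} /home/${user}/.ssh` only covers `.ssh`, leaving the user a home directory they cannot write to. Chowning the whole home and tightening the key material fixes both: `chown -R "${user}:" "/home/${user}"`, `chmod 700 "/home/${user}/.ssh"`, `chmod 600 "/home/${user}/.ssh/authorized_keys"`. The `wget … https://github.com/${user}.keys` line also makes whoever controls the GitHub account of the same name the sole trust anchor for ssh access, re-fetched on every start, and a failed fetch aborts the whole start-up under `set -eu`; a comment stating that design decision belongs above the loop.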
@ -0,0 +1,5 @@
VDI_LANG=${LANG}
VDI_PORT=22
VDI_TZ=UTC
VDI_USERS=${USER}
VDI_SUDOERS=
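Review bot: `VDI_LANG=${LANG}` and `VDI_USERS=${USER}` expect the host's `LANG` and `USER` to be interpolated inside the `.env` file; only recent Compose v2 releases do that, and older ones hand the literal string `${USER}` to the container, where `setup_users.sh` would try to create an account of that name. `setup_users.sh` also fetches keys from `https://github.com/${user}.keys`, so `VDI_USERS` has to hold GitHub login names, which coincide with the host's `$USER` only by accident; a comment such as `# GitHub logins; their public keys are installed as authorized_keys` and a literal value (`VDI_USERS=<github-login>`) would make this explicit.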
@ -0,0 +1,35 @@
version: '3.8'
services:
vdi:
build:
args:
- DOCKER_BUILD_DIR=docker/x2go/xfce-debian
context: ../..
dockerfile: docker/x2go/xfce-debian/Dockerfile
cap_add:
- IPC_LOCK # ecryptfs
- NET_ADMIN # iptables
- NET_RAW # iptables
- SYS_ADMIN # ecryptfs
environment:
- LANG=${VDI_LANG}
- SUDOERS=${VDI_SUDOERS}
- TZ=${VDI_TZ}
- USERS=${VDI_USERS}
ports:
- "${VDI_PORT}:22"
restart: unless-stopped
security_opt:
- apparmor=unconfined # ecryptfs
- seccomp=unconfined # ecryptfs
tty: true
volumes:
- type: tmpfs
target: /home
tmpfs:
size: 8589934592 # 8GB
- type: tmpfs
target: /dev/shm
tmpfs:
size: 2147483648 # 2GB
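Review bot: `cap_add: SYS_ADMIN` together with `apparmor=unconfined` and `seccomp=unconfined` (all commented `# ecryptfs`) leaves this container with most of the kernel surface the host exposes to root, and `setup_users.sh` adds every `SUDOERS` entry to the `sudo` group, so each listed user — and whoever controls the GitHub account whose keys are fetched for them — should be treated as a host administrator; state that trust assumption in a comment beside `cap_add`, and consider a custom seccomp profile that adds only the syscalls ecryptfs needs (`mount`, `add_key`, `keyctl`) rather than `seccomp=unconfined`. `NET_ADMIN`/`NET_RAW` give fail2ban iptables only inside the container's own network namespace, which is enough for banning on the published port but worth noting next to `# iptables` since the comment reads as if it were host-wide. `restart: unless-stopped` combined with the `tmpfs` on `/home` means every automatic restart wipes user data, which the commit message states but the file does not; a comment on the `volumes` entry would save an operator a surprise.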