fix: Remove VOLUME from Dockerfile and move host_keys dir

nqngo · Sep 17, 2022 · 104b989 · 104b989
1 parent e40f0c2
commit 104b989
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 13 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@ ARG VERSION
 LABEL maintainer="Nhat Ngo"
 LABEL version=$VERSION
 RUN apk add --update --no-cache openssh-server gnupg curl
-RUN mkdir -p /etc/ssh/hostkeys
+RUN mkdir -p /host_keys.d
 
 FROM install_packages AS add_user_bastion
 RUN adduser -D bastion
@@ -17,6 +17,4 @@ COPY entrypoint.sh ./
 
 EXPOSE 22/tcp
 
-VOLUME /etc/ssh/hostkeys
-
 ENTRYPOINT ["./entrypoint.sh"]
diff --git a/README.md b/README.md
@@ -15,7 +15,7 @@ $ docker volume create hostkeys
 $ docker run -d \
     --name bastion \
     --hostname bastion \
-    --mount source=hostkeys,target=/etc/ssh/hostkeys \
+    --mount source=hostkeys,target=/host_keys.d \
     --add-host docker-host:172.17.0.1 \
     --publish 2222:22/tcp \
     --env "REMOTE_SSH_URL=https://github.com/nqngo.keys" \
@@ -40,7 +40,7 @@ TO BE UPDATED
 
 ## Persistent Volumes
 
-- `source=<any>,target=/etc/ssh/hostkeys`, the default hostkeys are stored in `/etc/ssh/hostkeys` in the container and is generated if not existed during init.
+- `source=<any>,target=/etc/ssh/host_keys.d`, the default hostkeys are stored in `/host_keys.d` in the container and is generated if not existed during init.
 
 # Appendix
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,7 +1,7 @@
 version: "3.9"
 services:
   bastion:
-    image: nqngo1:latest
+    image: nqngo1/bastion
     container_name: bastion
     hostname: bastion
     restart: unless-stopped
@@ -13,7 +13,7 @@ services:
       REMOTE_SSH_URL: "https://github.com/nqngo.keys"
       REMOTE_GPG_URL: "https://github.com/nqngo.gpg"
     volumes:
-      - ssh_hostkeys:/etc/ssh/hostkeys:rw
+      - ssh_hostkeys:/host_keys.d:rw
     extra_hosts:
       - docker-host:172.17.0.1
     networks:

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -2,9 +2,9 @@
 
 # Generate host keys on first run
 if [ ! -f "/etc/ssh/hostkeys/ssh_host_rsa_key" ]; then
-    ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/hostkeys/ssh_host_ed25519_key
-    ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/hostkeys/ssh_host_rsa_key
-    ssh-keygen -q -N "" -t ecdsa -f /etc/ssh/hostkeys/ssh_host_ecdsa_key
+    ssh-keygen -q -N "" -t ed25519 -f /host_keys.d/ssh_host_ed25519_key
+    ssh-keygen -q -N "" -t rsa -b 4096 -f /host_keys.d/ssh_host_rsa_key
+    ssh-keygen -q -N "" -t ecdsa -f /host_keys.d/ssh_host_ecdsa_key
 fi
 
 # Fetch a remote public ssh key file and store in bastion authorized_keys

diff --git a/sshd_config b/sshd_config
@@ -1,8 +1,8 @@
 ## CONFIG AS PROPOSED BY https://infosec.mozilla.org/guidelines/openssh.html
 # Supported HostKey algorithms by order of preference.
-HostKey /etc/ssh/hostkeys/ssh_host_ed25519_key
-HostKey /etc/ssh/hostkeys/ssh_host_rsa_key
-HostKey /etc/ssh/hostkeys/ssh_host_ecdsa_key
+HostKey /host_keys.d/ssh_host_ed25519_key
+HostKey /host_keys.d/ssh_host_rsa_key
+HostKey /host_keys.d/ssh_host_ecdsa_key
 
 KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr