Refactor runtime configuration management

Organize secret files by moving them from `secrets/` to `files/` and updating related paths. Introduce templating for `authorized_keys`, `crontab`, and `sshd_config` to better manage dynamic configurations. Adjust logging output for runtime entry points and add utility functions for file operations.

compose.yml

@@ -9,15 +9,13 @@ services:
       RUNTIME_VERBOSITY: 2
       RUNTIME_USER: captain
       # Generate with: openssl passwd -1
-      RUNTIME_PASSWORD_FILE: /run/secrets/password # secret
+      RUNTIME_PASSWORD_FILE: /files/password # secret
       RUNTIME_CRON_ENABLED: true
-      RUNTIME_CRONTAB_FILE: /run/secrets/crontab
+      RUNTIME_CRONTAB_FILE: /files/crontab
       RUNTIME_SSH_ENABLED: true
-      RUNTIME_SSH_KEYS_FILE: /run/secrets/authorized_keys
-    secrets:
-      - password
-      - crontab
-      - authorized_keys
+      RUNTIME_SSH_AUTH_KEYS_FILE: /files/authorized_keys
+    volumes:
+      - ./files:/files
     build:
       context: ./src
       target: runtime
@@ -63,11 +61,3 @@ services:
     build:
       context: ./src
       target: php-ols
-
-secrets:
-  password:
-    file: ./secrets/password
-  crontab:
-    file: ./secrets/crontab
-  authorized_keys:
-    file: ./secrets/authorized_keys

files/crontab

@@ -0,0 +1 @@
+* * * * * echo $(date) > /app/test

src/Dockerfile

@@ -14,7 +14,8 @@ ENV RUNTIME_UID=1000 \
     RUNTIME_FILES_DIR=/app/files \
     RUNTIME_LOGS_DIR=/app/logs \
     RUNTIME_VERBOSITY=1 \
-    RUNTIME_BOOTED_FILE=/runtime/booted
+    RUNTIME_BOOTED_FILE=/runtime/booted \
+    RUNTIME_CRONTABS_DIR=/app/.config/crontabs
 
 COPY --chmod=755 ./runtime/runtime/bin /runtime/bin
 
@@ -32,7 +33,7 @@ RUN /runtime/bin/install  \
     && curl -L https://github.com/just-containers/s6-overlay/releases/download/$S6_VERSION/s6-overlay-noarch.tar.xz -o - | tar Jxp -C / \
     && curl -L https://github.com/just-containers/s6-overlay/releases/download/$S6_VERSION/s6-overlay-$(uname -m).tar.xz -o - | tar Jxp -C / \
     && curl -L https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-${TARGETARCH}-$DOCKERIZE_VERSION.tar.gz -o - | tar xzf - -C /runtime/bin \
-    && /runtime/bin/rchown /run /etc/ssh /etc/s6-overlay/s6-rc.d/user \
+    && /runtime/bin/rchown /run /etc/ssh /etc/s6-overlay/s6-rc.d/user /var/spool/cron/crontabs \
     && rm /etc/update-motd.d/* \
     && chmod u+s /usr/sbin/cron
 

src/runtime/runtime/entrypoint

@@ -15,33 +15,33 @@ function to_bool()
 function debug()
 {
   if [ "$RUNTIME_VERBOSITY" -ge 2 ]; then
-    echo "✳️ $1" >&2
+    echo "❇️ $1" > /dev/stdout
   fi
 }
 
 function info()
 {
   if [ "$RUNTIME_VERBOSITY" -ge 1 ]; then
-    echo "ℹ️ $1" >&2
+    echo "ℹ️ $1" > /dev/stdout
   fi
 }
 
 function warning()
 {
   if [ "$RUNTIME_VERBOSITY" -ge 1 ]; then
-    echo "⚠️ $1" >&2
+    echo "⚠️ $1" > /dev/stderr
   fi
 }
 
 function error()
 {
-    echo "‼️ $1" 1>&2
+    echo "🆘 $1" > /dev/stderr
 }
 
 function throw()
 {
   EXIT_CODE=${2:-1}
-  echo "‼️ $1" 1>&2
+  echo "🆘 $1" > /dev/stderr
   exit "$EXIT_CODE"
 }
 
@@ -51,6 +51,12 @@ function template()
   /runtime/bin/dockerize -template "/runtime/templates/$1":"$2"
 }
 
+function file()
+{
+  debug "Generating $2"
+  printf "# This file is managed by the container; any changes will be lost.\n%s\n" "$1" > "$2"
+}
+
 function generate_certs()
 {
   if [ ! -f "$1"/ssl.key ]; then

src/runtime/runtime/entrypoint.d/40-cron.sh

@@ -7,10 +7,12 @@ if ${RUNTIME_CRON_ENABLED:-false} to_bool; then
   info "Cron: Enabled"
   touch  /etc/s6-overlay/s6-rc.d/user/contents.d/cron
 
-  if [[ -f ${RUNTIME_CRONTAB_FILE:-} ]]; then
-    info "Crontab: $RUNTIME_CRONTAB_FILE"
-    crontab "$RUNTIME_CRONTAB_FILE"
+  if [[ -n ${RUNTIME_CRONTAB_FILE:-} ]]; then
+    RUNTIME_CRONTAB="$(cat "$RUNTIME_CRONTAB_FILE")"
+    export RUNTIME_CRONTAB
   fi
+
+  template crontab.tmpl /var/spool/cron/crontabs/"$RUNTIME_USER"
 else
   info "Cron: Disabled"
 fi

src/runtime/runtime/entrypoint.d/40-ssh.sh

@@ -6,17 +6,20 @@ set -u
 if ${RUNTIME_SSH_ENABLED:-false} to_bool; then
   info "SSH Server: Enabled"
 
-  if [[ -f ${RUNTIME_SSH_KEYS_FILE:-} ]]; then
-    info "Auth Keys: $RUNTIME_SSH_KEYS_FILE"
-  fi
-
   touch  /etc/s6-overlay/s6-rc.d/user/contents.d/sshd
 
-  template sshd_config.tmpl /etc/ssh/sshd_config
-
   mkdir -p /run/sshd ~/.ssh/etc/ssh
 
-  debug "$(ssh-keygen -A -f ~/.ssh)"
+  ssh-keygen -A -f ~/.ssh > /dev/null
+
+  if [[ -n ${RUNTIME_SSH_AUTH_KEYS_FILE:-} ]]; then
+    RUNTIME_SSH_AUTH_KEYS="$(cat "$RUNTIME_SSH_AUTH_KEYS_FILE")"
+    export RUNTIME_SSH_AUTH_KEYS
+  fi
+
+  template sshd_config.tmpl /etc/ssh/sshd_config
+
+  template authorized_keys.tmpl ~/.ssh/authorized_keys
 else
   info "SSH Server: Disabled"
 fi

src/runtime/runtime/templates/authorized_keys.tmpl

@@ -0,0 +1,2 @@
+# This file is managed by the container; any changes will be lost.
+{{ default .Env.RUNTIME_SSH_AUTH_KEYS "" }}

src/runtime/runtime/templates/crontab.tmpl

@@ -0,0 +1,5 @@
+# DO NOT EDIT THIS FILE - edit the master and reinstall.
+#
+#
+# This file is managed by the container; any changes will be lost.
+{{ default .Env.RUNTIME_CRONTAB "" }}

src/runtime/runtime/templates/sshd_config.tmpl

@@ -1,3 +1,5 @@
+# This file is managed by the container; any changes will be lost.
+
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
@@ -36,7 +38,7 @@ PermitRootLogin no
 
 #PubkeyAuthentication yes
 
-AuthorizedKeysFile {{ default .Env.RUNTIME_SSH_KEYS_FILE ".ssh/authorized_keys" }}
+AuthorizedKeysFile .ssh/authorized_keys
 
 #AuthorizedPrincipalsFile none