From ab339ddd794ebde262a3b91d858fc040a09dadfe Mon Sep 17 00:00:00 2001 From: Nick Jansen Date: Tue, 17 Sep 2024 15:01:35 +0200 Subject: [PATCH] Refactor runtime configuration management Organize secret files by moving them from `secrets/` to `files/` and updating related paths. Introduce templating for `authorized_keys`, `crontab`, and `sshd_config` to better manage dynamic configurations. Adjust logging output for runtime entry points and add utility functions for file operations. --- compose.yml | 20 +++++-------------- {secrets => files}/authorized_keys | 0 files/crontab | 1 + {secrets => files}/password | 0 secrets/crontab | 1 - src/Dockerfile | 5 +++-- src/runtime/runtime/entrypoint | 16 ++++++++++----- src/runtime/runtime/entrypoint.d/40-cron.sh | 8 +++++--- src/runtime/runtime/entrypoint.d/40-ssh.sh | 17 +++++++++------- .../runtime/templates/authorized_keys.tmpl | 2 ++ src/runtime/runtime/templates/crontab.tmpl | 5 +++++ .../runtime/templates/sshd_config.tmpl | 4 +++- 12 files changed, 45 insertions(+), 34 deletions(-) rename {secrets => files}/authorized_keys (100%) create mode 100644 files/crontab rename {secrets => files}/password (100%) delete mode 100644 secrets/crontab create mode 100644 src/runtime/runtime/templates/authorized_keys.tmpl create mode 100644 src/runtime/runtime/templates/crontab.tmpl diff --git a/compose.yml b/compose.yml index 23e497c..89a854e 100644 --- a/compose.yml +++ b/compose.yml 
@@ -9,15 +9,13 @@ services: RUNTIME_VERBOSITY: 2 RUNTIME_USER: captain # Generate with: openssl passwd -1 - RUNTIME_PASSWORD_FILE: /run/secrets/password # secret + RUNTIME_PASSWORD_FILE: /files/password # secret RUNTIME_CRON_ENABLED: true - RUNTIME_CRONTAB_FILE: /run/secrets/crontab + RUNTIME_CRONTAB_FILE: /files/crontab RUNTIME_SSH_ENABLED: true - RUNTIME_SSH_KEYS_FILE: /run/secrets/authorized_keys - secrets: - - password - - crontab - - authorized_keys + RUNTIME_SSH_AUTH_KEYS_FILE: /files/authorized_keys + volumes: + - ./files:/files build: context: ./src target: runtime @@ -63,11 +61,3 @@ services: build: context: ./src target: php-ols - -secrets: - password: - file: ./secrets/password - crontab: - file: ./secrets/crontab - authorized_keys: - file: ./secrets/authorized_keys diff --git a/secrets/authorized_keys b/files/authorized_keys similarity index 100% rename from secrets/authorized_keys rename to files/authorized_keys diff --git a/files/crontab b/files/crontab new file mode 100644 index 0000000..3e63315 --- /dev/null +++ b/files/crontab @@ -0,0 +1 @@ +* * * * * echo $(date) > /app/test \ No newline at end of file diff --git a/secrets/password b/files/password similarity index 100% rename from secrets/password rename to files/password diff --git a/secrets/crontab b/secrets/crontab deleted file mode 100644 index 0f47687..0000000 --- a/secrets/crontab +++ /dev/null @@ -1 +0,0 @@ -* * * * * echo $(date) > /app/test diff --git a/src/Dockerfile b/src/Dockerfile index fa08729..539ccb1 100644 --- a/src/Dockerfile +++ b/src/Dockerfile @@ -14,7 +14,8 @@ ENV RUNTIME_UID=1000 \ RUNTIME_FILES_DIR=/app/files \ RUNTIME_LOGS_DIR=/app/logs \ RUNTIME_VERBOSITY=1 \ - RUNTIME_BOOTED_FILE=/runtime/booted + RUNTIME_BOOTED_FILE=/runtime/booted \ + RUNTIME_CRONTABS_DIR=/app/.config/crontabs COPY --chmod=755 ./runtime/runtime/bin /runtime/bin 
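Review bot: The bind mount `- ./files:/files` that replaces the compose `secrets:` block is read-write, so the container can modify the password hash and `authorized_keys` on the host and the files lose the read-only mount that `/run/secrets` gave them; mount it `- ./files:/files:ro`. The inline `# secret` comment on `RUNTIME_PASSWORD_FILE` still marks that file as sensitive, so if the secrets mechanism is dropped, make sure `files/password` stays out of version control and out of the build context. Unrelated to this change but visible in the context line: `openssl passwd -1` produces MD5-crypt hashes, and `openssl passwd -6` (SHA-512 crypt) is the stronger choice if the image's crypt supports it.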
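Review bot: `RUNTIME_CRONTABS_DIR=/app/.config/crontabs` is introduced here but nothing in this patch reads it: `40-cron.sh` templates into the hard-coded `/var/spool/cron/crontabs/"$RUNTIME_USER"` and the `rchown` line in the next hunk targets `/var/spool/cron/crontabs` as well. Either consume the variable where the file is written, `template crontab.tmpl "$RUNTIME_CRONTABS_DIR/$RUNTIME_USER"` (which would also require cron to be pointed at that directory), or drop the ENV entry so the two paths cannot drift apart. If a consumer exists outside this diff, a comment next to the ENV naming it would save the next reader the search.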
@@ -32,7 +33,7 @@ RUN /runtime/bin/install \ && curl -L https://github.com/just-containers/s6-overlay/releases/download/$S6_VERSION/s6-overlay-noarch.tar.xz -o - | tar Jxp -C / \ && curl -L https://github.com/just-containers/s6-overlay/releases/download/$S6_VERSION/s6-overlay-$(uname -m).tar.xz -o - | tar Jxp -C / \ && curl -L https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-${TARGETARCH}-$DOCKERIZE_VERSION.tar.gz -o - | tar xzf - -C /runtime/bin \ - && /runtime/bin/rchown /run /etc/ssh /etc/s6-overlay/s6-rc.d/user \ + && /runtime/bin/rchown /run /etc/ssh /etc/s6-overlay/s6-rc.d/user /var/spool/cron/crontabs \ && rm /etc/update-motd.d/* \ && chmod u+s /usr/sbin/cron diff --git a/src/runtime/runtime/entrypoint b/src/runtime/runtime/entrypoint index d5cb681..95b2f33 100755 --- a/src/runtime/runtime/entrypoint +++ b/src/runtime/runtime/entrypoint @@ -15,33 +15,33 @@ function to_bool() function debug() { if [ "$RUNTIME_VERBOSITY" -ge 2 ]; then - echo "✳️ $1" >&2 + echo "❇️ $1" > /dev/stdout fi } function info() { if [ "$RUNTIME_VERBOSITY" -ge 1 ]; then - echo "ℹ️ $1" >&2 + echo "ℹ️ $1" > /dev/stdout fi } function warning() { if [ "$RUNTIME_VERBOSITY" -ge 1 ]; then - echo "⚠️ $1" >&2 + echo "⚠️ $1" > /dev/stderr fi } function error() { - echo "‼️ $1" 1>&2 + echo "🆘 $1" > /dev/stderr } function throw() { EXIT_CODE=${2:-1} - echo "‼️ $1" 1>&2 + echo "🆘 $1" > /dev/stderr exit "$EXIT_CODE" } @@ -51,6 +51,12 @@ function template() /runtime/bin/dockerize -template "/runtime/templates/$1":"$2" } +function file() +{ + debug "Generating $2" + printf "# This file is managed by the container; any changes will be lost.\n%s\n" "$1" > "$2" +} + function generate_certs() { if [ ! -f "$1"/ssl.key ]; then diff --git a/src/runtime/runtime/entrypoint.d/40-cron.sh b/src/runtime/runtime/entrypoint.d/40-cron.sh index 1183fa1..fbc7ecf 100755 --- a/src/runtime/runtime/entrypoint.d/40-cron.sh +++ b/src/runtime/runtime/entrypoint.d/40-cron.sh 
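Review bot: Adding `/var/spool/cron/crontabs` to the `rchown` call makes the crontab the entrypoint installs owned and writable by the runtime user, so the "any changes will be lost" header is only true until the next restart — normal for per-user crontabs, but worth a comment on this line. Because the entrypoint now writes the spool file directly instead of going through `crontab(1)`, cron's own ownership and mode checks on spool files are the only validation left; after a test boot, confirm with `crontab -l -u "$RUNTIME_USER"` and the cron log that the file is loaded rather than skipped. Consider also `chmod 600` on the generated file, since some cron builds refuse group- or world-readable spool entries.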
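Review bot: `> /dev/stdout` and `> /dev/stderr` in `debug`, `info`, `warning`, `error` and `throw` reopen the device node instead of duplicating the already-open descriptor; that fails when the entrypoint runs as a user who cannot open the target (for example stdout redirected to a root-owned log file, or a minimal `/dev` without those symlinks), whereas `>&1` / `>&2` always work. Prefer `echo "❇️ $1" >&1` (or no redirection at all for stdout) and `echo "⚠️ $1" >&2` for the warning and error paths. Note that `debug` and `info` move from stderr to stdout here, so anything that captures the container's stdout as program output will now see these lines; if that is intended, a comment above the functions saying so would help.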
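Review bot: Naming the new helper `file` shadows the `file(1)` utility for every script that sources this entrypoint, so a later `file "$path"` in an `entrypoint.d` script would silently overwrite `$path` with a managed-file header instead of identifying it. A more specific name such as `write_managed_file` avoids the collision and matches the `template`/`generate_certs` naming style. The helper is also unused by this patch (cron and ssh both go through `template`); if it is kept, a header comment stating the contract, `# write_managed_file CONTENT DEST — overwrite DEST with a managed-file header followed by CONTENT`, would make its intent clear.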
@@ -7,10 +7,12 @@ if ${RUNTIME_CRON_ENABLED:-false} to_bool; then info "Cron: Enabled" touch /etc/s6-overlay/s6-rc.d/user/contents.d/cron - if [[ -f ${RUNTIME_CRONTAB_FILE:-} ]]; then - info "Crontab: $RUNTIME_CRONTAB_FILE" - crontab "$RUNTIME_CRONTAB_FILE" + if [[ -n ${RUNTIME_CRONTAB_FILE:-} ]]; then + RUNTIME_CRONTAB="$(cat "$RUNTIME_CRONTAB_FILE")" + export RUNTIME_CRONTAB fi + + template crontab.tmpl /var/spool/cron/crontabs/"$RUNTIME_USER" else info "Cron: Disabled" fi diff --git a/src/runtime/runtime/entrypoint.d/40-ssh.sh b/src/runtime/runtime/entrypoint.d/40-ssh.sh index af45574..41cac98 100755 --- a/src/runtime/runtime/entrypoint.d/40-ssh.sh +++ b/src/runtime/runtime/entrypoint.d/40-ssh.sh @@ -6,17 +6,20 @@ set -u if ${RUNTIME_SSH_ENABLED:-false} to_bool; then info "SSH Server: Enabled" - if [[ -f ${RUNTIME_SSH_KEYS_FILE:-} ]]; then - info "Auth Keys: $RUNTIME_SSH_KEYS_FILE" - fi - touch /etc/s6-overlay/s6-rc.d/user/contents.d/sshd - template sshd_config.tmpl /etc/ssh/sshd_config - mkdir -p /run/sshd ~/.ssh/etc/ssh - debug "$(ssh-keygen -A -f ~/.ssh)" + ssh-keygen -A -f ~/.ssh > /dev/null + + if [[ -n ${RUNTIME_SSH_AUTH_KEYS_FILE:-} ]]; then + RUNTIME_SSH_AUTH_KEYS="$(cat "$RUNTIME_SSH_AUTH_KEYS_FILE")" + export RUNTIME_SSH_AUTH_KEYS + fi + + template sshd_config.tmpl /etc/ssh/sshd_config + + template authorized_keys.tmpl ~/.ssh/authorized_keys else info "SSH Server: Disabled" fi diff --git a/src/runtime/runtime/templates/authorized_keys.tmpl b/src/runtime/runtime/templates/authorized_keys.tmpl new file mode 100644 index 0000000..7e94a79 --- /dev/null +++ b/src/runtime/runtime/templates/authorized_keys.tmpl @@ -0,0 +1,2 @@ +# This file is managed by the container; any changes will be lost. +{{ default .Env.RUNTIME_SSH_AUTH_KEYS "" }} diff --git a/src/runtime/runtime/templates/crontab.tmpl b/src/runtime/runtime/templates/crontab.tmpl new file mode 100644 index 0000000..a29c36f --- /dev/null +++ b/src/runtime/runtime/templates/crontab.tmpl 
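Review bot: Replacing `[[ -f ${RUNTIME_CRONTAB_FILE:-} ]]` with `[[ -n ... ]]` turns a configured-but-missing crontab path from a skipped step into a `cat` failure followed by installing an empty crontab, which is easy to miss in logs; keep the existence check and fail loudly: `[[ -f $RUNTIME_CRONTAB_FILE ]] || throw "Crontab file not found: $RUNTIME_CRONTAB_FILE"`. Writing the template straight into `/var/spool/cron/crontabs/"$RUNTIME_USER"` also bypasses the syntax validation `crontab(1)` used to provide, so a malformed line now surfaces only when cron parses the spool at runtime. If that validation matters, render to a temporary file and install it with `template crontab.tmpl /tmp/crontab && crontab /tmp/crontab` as the old code did.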
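Review bot: The same `-f` to `-n` change applies to `RUNTIME_SSH_AUTH_KEYS_FILE`: with `set -u` in effect but no existence check, a missing file makes `cat` fail and the template writes an `authorized_keys` containing only the header, silently locking out key-based login; use `[[ -f $RUNTIME_SSH_AUTH_KEYS_FILE ]] || throw "SSH authorized keys file not found: $RUNTIME_SSH_AUTH_KEYS_FILE"`. `template authorized_keys.tmpl ~/.ssh/authorized_keys` also inherits whatever mode `dockerize` creates the file with, and sshd's default `StrictModes yes` rejects an `authorized_keys` or `~/.ssh` that is group- or world-writable, so add `chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys` after the template call. The `AuthorizedKeysFile` override that previously pointed sshd at the raw secret is gone, so the generated file is now the only path sshd reads; a one-line comment above the `template` call saying so would make the dependency on this step explicit.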
@@ -0,0 +1,5 @@ +# DO NOT EDIT THIS FILE - edit the master and reinstall. +# +# +# This file is managed by the container; any changes will be lost. +{{ default .Env.RUNTIME_CRONTAB "" }} diff --git a/src/runtime/runtime/templates/sshd_config.tmpl b/src/runtime/runtime/templates/sshd_config.tmpl index f5a207f..81a0b32 100644 --- a/src/runtime/runtime/templates/sshd_config.tmpl +++ b/src/runtime/runtime/templates/sshd_config.tmpl @@ -1,3 +1,5 @@ +# This file is managed by the container; any changes will be lost. + # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -36,7 +38,7 @@ PermitRootLogin no #PubkeyAuthentication yes -AuthorizedKeysFile {{ default .Env.RUNTIME_SSH_KEYS_FILE ".ssh/authorized_keys" }} +AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none