blax-software
/
docker-bastion
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
docker-bastion/scripts/start-container

243 lines
10 KiB
Plaintext
Raw Normal View History

A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
#!/bin/sh
set -eu
echo "=========================================="
echo " docker-bastion starting"
echo "=========================================="
echo "Date: $(date)"
echo "Hostname: $(hostname)"
echo "OpenSSH: $(/usr/sbin/sshd -V 2>&1 | head -1 || echo n/a)"
echo "Docker CLI: $(docker --version 2>/dev/null || echo n/a)"
echo "=========================================="
SSH_USER="agent"
SSH_PORT="${SSH_PORT:-22}"
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
HTTP_PORT="${HTTP_PORT:-8080}"
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
FORCE_COMMAND_VALUE="${FORCE_COMMAND:-}"
AUTHORIZED_KEYS_HOST="${AUTHORIZED_KEYS_HOST:-/etc/bastion/authorized_keys.host}"
AUTHORIZED_KEYS_REPO="${AUTHORIZED_KEYS_REPO:-/etc/bastion/authorized_keys.repo}"
# ---------------------------------------------------------------------------
# 1) Validate config
# ---------------------------------------------------------------------------
if [ -z "$FORCE_COMMAND_VALUE" ]; then
echo "FATAL: FORCE_COMMAND must be set."
echo " e.g. FORCE_COMMAND='docker exec -it app bash'"
echo " or FORCE_COMMAND='cd /workspace && ./deploy.sh'"
exit 1
fi
# ---------------------------------------------------------------------------
# 2) Host keys — generate on first boot, persist via /etc/ssh/keys volume
# ---------------------------------------------------------------------------
echo "[1/5] Host keys..."
mkdir -p /etc/ssh/keys
chmod 700 /etc/ssh/keys
for keytype in ed25519 rsa; do
keyfile="/etc/ssh/keys/ssh_host_${keytype}_key"
if [ ! -f "$keyfile" ]; then
echo " Generating new $keytype host key"
ssh-keygen -t "$keytype" -f "$keyfile" -N "" -q
else
echo " Reusing existing $keytype host key"
fi
chmod 600 "$keyfile"
[ -f "${keyfile}.pub" ] && chmod 644 "${keyfile}.pub"
done
# ---------------------------------------------------------------------------
# 3) Merge authorized_keys sources
# ---------------------------------------------------------------------------
echo "[2/5] Authorized keys..."
AUTH_FILE="/home/${SSH_USER}/.ssh/authorized_keys"
mkdir -p "$(dirname "$AUTH_FILE")"
: > "$AUTH_FILE"
added=0
for src in "$AUTHORIZED_KEYS_HOST" "$AUTHORIZED_KEYS_REPO"; do
if [ -f "$src" ]; then
echo " + Merging $src"
cat "$src" >> "$AUTH_FILE"
# Force newline between sources (final file may not end with one).
printf '\n' >> "$AUTH_FILE"
added=$((added + 1))
fi
done
A users.d/ drop-in directory for live-read authorized keys sshd now consults /etc/bastion/users.d/*.pub on every authentication attempt via AuthorizedKeysCommand, so adding or removing a user takes effect immediately without restarting the container — just drop `alice.pub` (or any *.pub file) into the host-bound dir, sshd picks it up on the next login. Implementation: - /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per AuthorizedKeysCommandUser), reads world-readable pubkeys. - sshd_config: AuthorizedKeysCommand alongside the existing AuthorizedKeysFile — both checked, so the boot-merged file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX. - start-container: 'zero key sources' is now a WARN, not a fatal. Bastion comes up empty; SSH attempts fail with 'publickey denied' until you drop a key. Lets users `docker compose up` first and add keys later. Bug fix on the way through: `grep -c` exits non-zero when no lines match, which under `set -eu` killed the boot script silently after '[2/5] Authorized keys...'. Switched to `awk … | wc -l` which exits 0 cleanly on empty input. README updated with the new source priority and env var.
2026-05-28 10:31:51 +00:00
# awk emits matching lines (non-blank, non-comment), wc -l counts them.
# Both exit 0 even on empty input — important under `set -e`, which
# `grep -c` would have triggered (exits 1 when nothing matches).
file_keys=$(awk 'NF && $0 !~ /^[[:space:]]*#/' "$AUTH_FILE" 2>/dev/null | wc -l)
file_keys=$(echo "$file_keys" | tr -d ' ') # wc on busybox pads with spaces
echo " Boot-merged: $file_keys key(s) from $added file source(s)"
# Live-read directory — sshd reads this via AuthorizedKeysCommand on every
# auth attempt. We just report the current count for visibility; new files
# dropped in later take effect immediately, no restart needed.
dir_keys=0
if [ -d "${AUTHORIZED_KEYS_DIR:-/etc/bastion/users.d}" ]; then
dir_keys=$(find "${AUTHORIZED_KEYS_DIR}" -maxdepth 1 -name '*.pub' -type f 2>/dev/null | wc -l)
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
fi
A users.d/ drop-in directory for live-read authorized keys sshd now consults /etc/bastion/users.d/*.pub on every authentication attempt via AuthorizedKeysCommand, so adding or removing a user takes effect immediately without restarting the container — just drop `alice.pub` (or any *.pub file) into the host-bound dir, sshd picks it up on the next login. Implementation: - /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per AuthorizedKeysCommandUser), reads world-readable pubkeys. - sshd_config: AuthorizedKeysCommand alongside the existing AuthorizedKeysFile — both checked, so the boot-merged file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX. - start-container: 'zero key sources' is now a WARN, not a fatal. Bastion comes up empty; SSH attempts fail with 'publickey denied' until you drop a key. Lets users `docker compose up` first and add keys later. Bug fix on the way through: `grep -c` exits non-zero when no lines match, which under `set -eu` killed the boot script silently after '[2/5] Authorized keys...'. Switched to `awk … | wc -l` which exits 0 cleanly on empty input. README updated with the new source priority and env var.
2026-05-28 10:31:51 +00:00
echo " Live drop-in: $dir_keys key file(s) in $AUTHORIZED_KEYS_DIR"
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
A users.d/ drop-in directory for live-read authorized keys sshd now consults /etc/bastion/users.d/*.pub on every authentication attempt via AuthorizedKeysCommand, so adding or removing a user takes effect immediately without restarting the container — just drop `alice.pub` (or any *.pub file) into the host-bound dir, sshd picks it up on the next login. Implementation: - /usr/local/bin/bastion-list-keys: minimal POSIX-sh script that cats $AUTHORIZED_KEYS_DIR/*.pub. Runs as the agent user (per AuthorizedKeysCommandUser), reads world-readable pubkeys. - sshd_config: AuthorizedKeysCommand alongside the existing AuthorizedKeysFile — both checked, so the boot-merged file (AUTHORIZED_KEYS_HOST/_REPO) still works for single-file UX. - start-container: 'zero key sources' is now a WARN, not a fatal. Bastion comes up empty; SSH attempts fail with 'publickey denied' until you drop a key. Lets users `docker compose up` first and add keys later. Bug fix on the way through: `grep -c` exits non-zero when no lines match, which under `set -eu` killed the boot script silently after '[2/5] Authorized keys...'. Switched to `awk … | wc -l` which exits 0 cleanly on empty input. README updated with the new source priority and env var.
2026-05-28 10:31:51 +00:00
if [ "$file_keys" -eq 0 ] && [ "$dir_keys" -eq 0 ]; then
echo " WARN: zero authorized keys configured."
echo " Drop *.pub files into $AUTHORIZED_KEYS_DIR on the host"
echo " (or mount AUTHORIZED_KEYS_HOST / AUTHORIZED_KEYS_REPO);"
echo " until then every SSH attempt will fail with 'publickey denied'."
fi
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
chown -R "${SSH_USER}:${SSH_USER}" "$(dirname "$AUTH_FILE")"
chmod 700 "$(dirname "$AUTH_FILE")"
chmod 600 "$AUTH_FILE"
# ---------------------------------------------------------------------------
# 4) ForceCommand wrapper
#
# Write the configured command to a plain file, then a small wrapper that
# exec's `sh -c "$(cat ...)"`. This way:
# - Shell metacharacters in $FORCE_COMMAND work (&&, |, redirects, cd).
# - The wrapper itself stays static (no escaping of user input into a
# heredoc), and the command file is read at session start so changes
# to $FORCE_COMMAND only need a container restart, not a rebuild.
# ---------------------------------------------------------------------------
echo "[3/5] ForceCommand..."
mkdir -p /etc/bastion
printf '%s\n' "$FORCE_COMMAND_VALUE" > /etc/bastion/force-command.cmd
chmod 0644 /etc/bastion/force-command.cmd
cat > /etc/bastion/force-command <<'WRAPPER'
#!/bin/sh
# Auto-generated by docker-bastion start-container.
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
# sshd invokes this script for every authenticated session; the HTTP CGI
# exec's it after auth.
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
# SSH_ORIGINAL_COMMAND is intentionally ignored — clients cannot override.
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
#
# Force HOME for the agent user so git / ssh / xdg lookups land in the
# right place. sshd sets this already; busybox httpd's CGI doesn't, so
# without this fix `git push` complains about /root/.config/git/* perms.
export HOME=/home/agent
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
exec sh -c "$(cat /etc/bastion/force-command.cmd)"
WRAPPER
chmod 0755 /etc/bastion/force-command
echo " $FORCE_COMMAND_VALUE"
# ---------------------------------------------------------------------------
# 5) Docker socket — if mounted, align group membership so the agent user
# can talk to dockerd without --privileged.
# ---------------------------------------------------------------------------
echo "[4/5] Docker socket..."
if [ -S /var/run/docker.sock ]; then
sock_gid=$(stat -c '%g' /var/run/docker.sock)
echo " Socket present, host gid=$sock_gid"
grp_name=$(getent group "$sock_gid" | cut -d: -f1 || true)
if [ -z "$grp_name" ]; then
grp_name="dockerhost"
addgroup -g "$sock_gid" "$grp_name" 2>/dev/null || true
echo " Created group $grp_name (gid=$sock_gid)"
else
echo " Reusing existing group $grp_name (gid=$sock_gid)"
fi
addgroup "$SSH_USER" "$grp_name" 2>/dev/null || true
echo " Added $SSH_USER to $grp_name"
else
echo " WARN: /var/run/docker.sock not mounted — docker-based FORCE_COMMAND will fail."
fi
# ---------------------------------------------------------------------------
# 6) Adjust sshd_config port if non-default
# ---------------------------------------------------------------------------
if [ "$SSH_PORT" != "22" ]; then
sed -i "s/^Port 22\$/Port ${SSH_PORT}/" /etc/ssh/sshd_config
fi
# ---------------------------------------------------------------------------
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
# 7) Optional HTTP listener (opt-in via $HTTP_BASIC_AUTH or $HTTP_TOKEN)
#
# Two mutually-exclusive auth modes. Pick one and set the matching env var:
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
#
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
# HTTP_BASIC_AUTH=user:pass → Basic auth. Works with browser URL bars,
# `curl -u user:pass`, and the URL syntax
# `https://user:pass@host/cgi-bin/run`.
# Handled by busybox's built-in -c auth.
# HTTP_TOKEN=secret → Bearer auth via Authorization header.
# `curl -H 'Authorization: Bearer secret'`.
# Handled by the CGI script.
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
#
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
# Why mutually exclusive: busybox httpd *strips* `Authorization: Basic` from
# the CGI env (it expects to handle basic auth itself), so a CGI-side check
# for Basic doesn't work. Conversely, when busybox is enforcing Basic via
# its conf file, Bearer requests get rejected by busybox before the CGI runs.
#
# Both modes exec the same /etc/bastion/force-command wrapper SSH uses;
# output streams back as the command produces it.
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
# ---------------------------------------------------------------------------
echo "[5/6] HTTP listener..."
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
if [ -n "${HTTP_BASIC_AUTH:-}" ]; then
echo " Auth: Basic — enabling httpd on port ${HTTP_PORT}"
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
mkdir -p /var/www/cgi-bin
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
# httpd.conf format for basic auth: `/path:user:password` per line.
# Plaintext is supported; for crypt hashes use $1$/$5$/$6$ prefixes.
printf '/cgi-bin/:%s\n' "$HTTP_BASIC_AUTH" > /etc/bastion/httpd.conf
# httpd drops to $SSH_USER before reading -c CONFFILE, so the file
# must be readable by that user. chown rather than world-read because
# the conf holds the plaintext password.
chown "${SSH_USER}:${SSH_USER}" /etc/bastion/httpd.conf
chmod 0600 /etc/bastion/httpd.conf
# CGI: auth already done by httpd before we got here.
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
cat > /var/www/cgi-bin/run <<'CGI'
#!/bin/sh
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
# Auto-generated. Auth was validated by busybox httpd via httpd.conf
# before this script ran — REMOTE_USER holds the authenticated username.
printf 'Content-Type: text/plain\r\nCache-Control: no-cache\r\nX-Accel-Buffering: no\r\n\r\n'
exec /etc/bastion/force-command 2>&1
CGI
chmod 0755 /var/www/cgi-bin/run
# -c CONFFILE = auth + content-type rules; httpd reads it as root before
# dropping to -u USER. CGI scripts then run as USER.
httpd -f -p "${HTTP_PORT}" -h /var/www -u "${SSH_USER}" -c /etc/bastion/httpd.conf &
HTTP_PID=$!
echo " httpd PID ${HTTP_PID}, endpoint: /cgi-bin/run (basic auth)"
elif [ -n "${HTTP_TOKEN:-}" ]; then
echo " Auth: Bearer — enabling httpd on port ${HTTP_PORT}"
mkdir -p /var/www/cgi-bin
cat > /var/www/cgi-bin/run <<'CGI'
#!/bin/sh
# Auto-generated. Bearer auth handled here in the CGI.
case "${HTTP_AUTHORIZATION:-}" in
"Bearer ${HTTP_TOKEN}") ;;
*)
printf 'Status: 401 Unauthorized\r\nContent-Type: text/plain\r\nWWW-Authenticate: Bearer\r\n\r\nUnauthorized\n'
exit 0
;;
esac
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
printf 'Content-Type: text/plain\r\nCache-Control: no-cache\r\nX-Accel-Buffering: no\r\n\r\n'
exec /etc/bastion/force-command 2>&1
CGI
chmod 0755 /var/www/cgi-bin/run
httpd -f -p "${HTTP_PORT}" -h /var/www -u "${SSH_USER}" &
HTTP_PID=$!
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
echo " httpd PID ${HTTP_PID}, endpoint: /cgi-bin/run (bearer token)"
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
else
A HTTP basic auth + git/ssh tooling for deploy.sh-shape FORCE_COMMANDs HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually exclusive with HTTP_TOKEN (basic takes precedence if both set). Implementation note: busybox httpd strips Authorization: Basic headers before invoking CGI scripts (it expects to handle basic auth itself), so a CGI-side check for Basic doesn't work. We let busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`) and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is chowned to the agent user because httpd drops privileges before reading -c. Image additions for canonical deploy.sh patterns: - git (apk add git) — for git pull/tag/push. - openssh-client (apk add openssh-client) — provides /usr/bin/ssh, which git invokes for ssh:// remote transports. Without it `git push origin` fails with 'error: cannot run ssh: No such file or directory'. - HOME=/home/agent exported in the force-command wrapper — busybox httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups pointing at /root and producing 'Permission denied' warnings. README updated with HTTP_BASIC_AUTH env var, URL syntax examples, and the mutual-exclusion note.
2026-05-28 10:11:20 +00:00
echo " HTTP disabled (set HTTP_BASIC_AUTH or HTTP_TOKEN to enable)"
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
fi
# ---------------------------------------------------------------------------
# 8) sshd config sanity check + launch
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
# ---------------------------------------------------------------------------
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
echo "[6/6] sshd config check..."
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
echo "=========================================="
A optional HTTP listener + polished README - HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT (default 8080) and serves /cgi-bin/run, which validates the 'Authorization: Bearer …' header and exec's the same force-command wrapper SSH uses. Output streams chunked. GET and POST both work. Without HTTP_TOKEN the bastion stays SSH-only. - README rewritten with shields.io badges, two complete quickstart examples (WordPress drop-in + nginx config-reload webhook), inline comments on every yaml line marking required/optional, traefik integration in both examples, and star-history footer matching Blax OSS convention. - Dockerfile: add busybox-extras (the httpd applet was split out of the core busybox binary in alpine 3.21); EXPOSE 8080; document HTTP_TOKEN/HTTP_PORT env vars.
2026-05-28 09:25:34 +00:00
echo " SSH: port ${SSH_PORT}"
[ -n "${HTTP_TOKEN:-}" ] && echo " HTTP: port ${HTTP_PORT} (token-protected)"
A initial docker-bastion image Minimal SSH bastion (alpine + openssh-server + docker-cli) that authenticates by key and runs exactly one preconfigured command (FORCE_COMMAND) per session. authorized_keys can be merged from both a host-mounted source and a repo-mounted source. Host keys persist via /etc/ssh/keys volume; docker socket group membership is aligned at boot.
2026-05-28 08:50:06 +00:00
echo " User: ${SSH_USER}"
echo " ForceCommand: ${FORCE_COMMAND_VALUE}"
echo "=========================================="
# -D = foreground, -e = log to stderr (so docker logs picks it up).
exec /usr/sbin/sshd -D -e