HTTP basic auth via HTTP_BASIC_AUTH=user:password. Mutually
exclusive with HTTP_TOKEN (basic takes precedence if both set).

Implementation note: busybox httpd strips Authorization: Basic
headers before invoking CGI scripts (it expects to handle basic
auth itself), so a CGI-side check for Basic doesn't work. We let
busybox handle Basic via its -c httpd.conf rule (`/cgi-bin/:user:pass`)
and keep the CGI-side Bearer check for HTTP_TOKEN. httpd.conf is
chowned to the agent user because httpd drops privileges before
reading -c.

Image additions for canonical deploy.sh patterns:
- git (apk add git) — for git pull/tag/push.
- openssh-client (apk add openssh-client) — provides /usr/bin/ssh,
  which git invokes for ssh:// remote transports. Without it
  `git push origin` fails with 'error: cannot run ssh: No such
  file or directory'.
- HOME=/home/agent exported in the force-command wrapper — busybox
  httpd doesn't set HOME for CGI, leaving git/ssh/xdg lookups
  pointing at /root and producing 'Permission denied' warnings.

README updated with HTTP_BASIC_AUTH env var, URL syntax examples,
and the mutual-exclusion note.

- HTTP path: opt-in via $HTTP_TOKEN; busybox httpd binds $HTTP_PORT
  (default 8080) and serves /cgi-bin/run, which validates the
  'Authorization: Bearer …' header and exec's the same force-command
  wrapper SSH uses. Output streams chunked. GET and POST both work.
  Without HTTP_TOKEN the bastion stays SSH-only.
- README rewritten with shields.io badges, two complete quickstart
  examples (WordPress drop-in + nginx config-reload webhook), inline
  comments on every yaml line marking required/optional, traefik
  integration in both examples, and star-history footer matching
  Blax OSS convention.
- Dockerfile: add busybox-extras (the httpd applet was split out of
  the core busybox binary in alpine 3.21); EXPOSE 8080; document
  HTTP_TOKEN/HTTP_PORT env vars.

Minimal SSH bastion (alpine + openssh-server + docker-cli) that
authenticates by key and runs exactly one preconfigured command
(FORCE_COMMAND) per session. authorized_keys can be merged from
both a host-mounted source and a repo-mounted source. Host keys
persist via /etc/ssh/keys volume; docker socket group membership
is aligned at boot.
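
The HTTP auth selection described in the commit messages above (Basic handled by the busybox httpd.conf rule, Bearer checked in the CGI script), as an added example that is not the project's own code. The function names and the HTTP_AUTHORIZATION variable named in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. Function names are hypothetical.
NL='
'

# Pick the HTTP auth mode. Basic takes precedence when both are set;
# with neither set the HTTP listener stays off (SSH-only).
auth_mode() {  # $1 = HTTP_BASIC_AUTH, $2 = HTTP_TOKEN
    if [ -n "$1" ]; then echo basic
    elif [ -n "$2" ]; then echo bearer
    else echo none
    fi
}

# Build the httpd.conf rule for Basic auth. Splits on the first colon
# (an HTTP Basic user name cannot contain one) and rejects values with
# an empty user, an empty password, no colon, or an embedded newline,
# so a malformed value cannot yield an open or multi-rule config.
basic_rule() {  # $1 = user:password
    case "$1" in *"$NL"*) return 1 ;; esac
    user=${1%%:*}
    pass=${1#*:}
    [ "$1" != "$user" ] && [ -n "$user" ] && [ -n "$pass" ] || return 1
    printf '/cgi-bin/:%s:%s\n' "$user" "$pass"
}

# Write the rule to a conf file readable only by its owner. The file
# still has to be chowned to the agent user, since httpd drops
# privileges before reading -c; that chown is left to the caller.
write_conf() {  # $1 = user:password, $2 = output path
    rule=$(basic_rule "$1") || return 1
    ( umask 077 && printf '%s\n' "$rule" > "$2" )
}

# CGI-side Bearer check. An empty expected token never authorizes, so
# an unset HTTP_TOKEN cannot be matched by an empty "Bearer " header.
# $1 is the Authorization header value, assumed here to reach the CGI
# script as HTTP_AUTHORIZATION; $2 is HTTP_TOKEN.
bearer_ok() {
    [ -n "$2" ] || return 1
    [ "$1" = "Bearer $2" ]
}
```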