diff --git a/.github/workflows/BuildImage.yml b/.github/workflows/BuildImage.yml index 4715e563b..06801f44d 100644 --- a/.github/workflows/BuildImage.yml +++ b/.github/workflows/BuildImage.yml @@ -12,8 +12,8 @@ on: env: GITHUB_REPO: "linuxserver/docker-mods" #don't modify ENDPOINT: "linuxserver/mods" #don't modify - BASEIMAGE: "replace_baseimage" #replace - MODNAME: "replace_modname" #replace + BASEIMAGE: "openssh-server" #replace + MODNAME: "trusted-ca" #replace MOD_VERSION: ${{ inputs.mod_version }} #don't modify MULTI_ARCH: "true" #set to false if not needed diff --git a/Dockerfile b/Dockerfile index aa6617046..1ae86adc4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM scratch -LABEL maintainer="username" +LABEL maintainer="Koalab99" # copy local files COPY root/ / diff --git a/Dockerfile.complex b/Dockerfile.complex deleted file mode 100644 index 3ed07b0dc..000000000 --- a/Dockerfile.complex +++ /dev/null @@ -1,33 +0,0 @@ -# syntax=docker/dockerfile:1 - -## Buildstage ## -FROM ghcr.io/linuxserver/baseimage-alpine:3.20 AS buildstage - -RUN \ - echo "**** install packages ****" && \ - apk add --no-cache \ - curl && \ - echo "**** grab rclone ****" && \ - mkdir -p /root-layer && \ - if [ $(uname -m) = "x86_64" ]; then \ - echo "Downloading x86_64 tarball" && \ - curl -o \ - /root-layer/rclone.deb -L \ - "https://downloads.rclone.org/v1.47.0/rclone-v1.47.0-linux-amd64.deb"; \ - elif [ $(uname -m) = "aarch64" ]; then \ - echo "Downloading aarch64 tarball" && \ - curl -o \ - /root-layer/rclone.deb -L \ - "https://downloads.rclone.org/v1.47.0/rclone-v1.47.0-linux-arm64.deb"; \ - fi && \ - -# copy local files -COPY root/ /root-layer/ - -## Single layer deployed image ## -FROM scratch - -LABEL maintainer="username" - -# Add files from buildstage -COPY --from=buildstage /root-layer/ / diff --git a/README.md b/README.md index 170066831..beb76099a 100644 --- a/README.md +++ b/README.md 
@@ -1,25 +1,59 @@ -# Rsync - Docker mod for openssh-server - -This mod adds rsync to openssh-server, to be installed/updated during container start. - -In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync` - -If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2` - -# Mod creation instructions - -* Fork the repo, create a new branch based on the branch `template`. -* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done. -* Inspect the `root` folder contents. Edit, add and remove as necessary. -* After all init scripts and services are created, run `find ./ -path "./.git" -prune -o \( -name "run" -o -name "finish" -o -name "check" \) -not -perm -u=x,g=x,o=x -print -exec chmod +x {} +` to fix permissions. -* Edit this readme with pertinent info, delete these instructions. -* Finally edit the `.github/workflows/BuildImage.yml`. Customize the vars for `BASEIMAGE` and `MODNAME`. Set the versioning logic and `MULTI_ARCH` if needed. -* Ask the team to create a new branch named `-`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch. -* Submit PR against the branch created by the team. - - -## Tips and tricks - -* Some images have helpers built in, these images are currently: - * [Openvscode-server](https://github.com/linuxserver/docker-openvscode-server/pull/10/files) - * [Code-server](https://github.com/linuxserver/docker-code-server/pull/95) +# Trusted CA - Docker mod for openssh-server + +This mod allow the configuration of the `TrustedUserCAKeys` directive, which allows ssh authentication using certificates. 
+ +In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-trusted-ca` + +If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-trusted-ca|linuxserver/mods:openssh-server-mod2` + +## Mod environment variables +In order to add a certificate authority, you can add your CA's public keys in one or multiple environment variables: +* `TRUSTED_CA="your_ca_pubkey"` to add one CA to the TrustedCA file from text. +* `TRUSTED_CA_URL="https://example.com/trusted_ca.key"` to retrieve one or more trusted CA from a URL. +* `TRUSTED_CA_FILE="/mounted_file"` to add one or more CA from a file (inside the container's tree). +* `TRUSTED_CA_DIR="/mounted_dir"` to add CAs from the content of a directory (inside the container's tree). + +You can use multiple environment variables at the same time to add different CAs. + +Certificates are added/removed from the server when the container is starting, so you will need to restart your container for your change to take effect. + +# Example +If you want to build your own CA: +``` +# Create temp directory and cd there +cd $(mktemp -d) + +# Generate key pairs (x and x.pub) +ssh-keygen -b 4096 -t ed25519 -f myca +ssh-keygen -b 4096 -t ed25519 -f userkey + +# Sign users pubkeys (x-cert.pub) +ssh-keygen -s myca -I my_user_certificate_id -n myuser userkey.pub +``` + +Notes: `-n` parameter gives the username principals, it must match the target user (see `man 1 ssh-keygen`). 
+ +``` +services: + openssh-server: + image: linuxserver/openssh-server + environment: + - DOCKER_MODS=linuxserver/mods:openssh-server-trusted-ca + - PUID=1000 + - PGID=1000 + - TZ=Etc/UTC + - USER_NAME=myuser + - TRUSTED_CA_FILE=/pubkey + volumes: + - ./myca.pub:/pubkey:ro,z + ports: + - 2222:2222 +``` + +You can then connect using: +``` +ssh -p 2222 -i ./userkey myuser@127.0.0.1 + +# Or specify the certificate explicitly: +ssh -o CertificateFile=./userkey-cert.pub -p 2222 -i ./userkey myuser@127.0.0.1 +``` diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/run b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/run deleted file mode 100755 index 063b57016..000000000 --- a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/run +++ /dev/null @@ -1,30 +0,0 @@ -#!/usr/bin/with-contenv bash - -# This is the init file used for adding os or pip packages to install lists. -# It takes advantage of the built-in init-mods-package-install init script that comes with the baseimages. -# If using this, we need to make sure we set this init as a dependency of init-mods-package-install so this one runs first - -if ! command -v apprise; then - echo "**** Adding apprise and its deps to package install lists ****" - echo "apprise" >> /mod-pip-packages-to-install.list - ## Ubuntu - if [ -f /usr/bin/apt ]; then - echo "\ - python3 \ - python3-pip \ - runc" >> /mod-repo-packages-to-install.list - fi - # Alpine - if [ -f /sbin/apk ]; then - echo "\ - cargo \ - libffi-dev \ - openssl-dev \ - python3 \ - python3-dev \ - python3 \ - py3-pip" >> /mod-repo-packages-to-install.list - fi -else - echo "**** apprise already installed, skipping ****" -fi diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/type b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/type deleted file mode 100644 index 3d92b15f2..000000000 
--- a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/type +++ /dev/null @@ -1 +0,0 @@ -oneshot \ No newline at end of file diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/up b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/up deleted file mode 100644 index 6414139f8..000000000 --- a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/up +++ /dev/null @@ -1 +0,0 @@ -/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/run \ No newline at end of file diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/run b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/run deleted file mode 100755 index 59a4b77f1..000000000 --- a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/run +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/with-contenv bash - -# This is an install script that is designed to run after init-mods-package-install -# so it can take advantage of packages installed -# init-mods-end depends on this script so that later init and services wait until this script exits - -echo "**** Setting up apprise ****" -apprise blah blah diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/type b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/type deleted file mode 100644 index 3d92b15f2..000000000 --- a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/type +++ /dev/null @@ -1 +0,0 @@ -oneshot \ No newline at end of file diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/up b/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/up deleted file mode 100644 index 03d298d2b..000000000 --- a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/up +++ /dev/null @@ -1 +0,0 @@ -/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/run \ No newline at end of file 
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/dependencies.d/init-mods b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/dependencies.d/init-mods similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-add-package/dependencies.d/init-mods rename to root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/dependencies.d/init-mods diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/run b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/run new file mode 100755 index 000000000..d66933542 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/run 
@@ -0,0 +1,54 @@
+#!/usr/bin/with-contenv bash
+
+# set trusted certificate authority in file
+
+# Reset the content of the file
+echo -n "" >/config/sshd/trusted_ca
+
+if [[ -n "$TRUSTED_CA" ]]; then
+ if ! grep -q "${TRUSTED_CA}" /config/sshd/trusted_ca; then
+ echo "$TRUSTED_CA" >> /config/sshd/trusted_ca
+ echo "Trusted CA from env variable added"
+ fi
+fi
+
+if [[ -n "$TRUSTED_CA_URL" ]]; then
+ TRUSTED_CA_DOWNLOADED=$(curl -s "$TRUSTED_CA_URL")
+ if ! grep -q "$TRUSTED_CA_DOWNLOADED" /config/sshd/trusted_ca; then
+ echo "$TRUSTED_CA_DOWNLOADED" >> /config/sshd/trusted_ca
+ echo "Trusted CA downloaded from '$TRUSTED_CA_URL' added"
+ fi
+fi
+
+if [[ -n "$TRUSTED_CA_FILE" ]] && [[ -f "$TRUSTED_CA_FILE" ]]; then
+ TRUSTED_CA2=$(cat "$TRUSTED_CA_FILE")
+ if ! grep -q "$TRUSTED_CA2" /config/sshd/trusted_ca; then
+ echo "$TRUSTED_CA2" >> /config/sshd/trusted_ca
+ echo "Trusted CA from file added"
+ fi
+fi
+
+if [[ -d "$TRUSTED_CA_DIR" ]]; then
+ for F in "${TRUSTED_CA_DIR}"/*; do
+ TRUSTED_CAN=$(cat "$F")
+ if ! grep -q "$TRUSTED_CAN" /config/sshd/trusted_ca; then
+ echo "$TRUSTED_CAN" >> /config/sshd/trusted_ca
+ echo "Trusted CA from file '$F' added"
+ fi
+ done
+fi
+
+if [[ -s /config/sshd/trusted_ca ]]; then
+ # Trusted CA exists and is not empty
+ sed -i '/^TrustedUserCAKeys/c\TrustedUserCAKeys /config/sshd/trusted_ca' /config/sshd/sshd_config
+ sed -i '/^#TrustedUserCAKeys/c\TrustedUserCAKeys /config/sshd/trusted_ca' /config/sshd/sshd_config
+
+ if ! grep -q "^TrustedUserCAKeys" /config/sshd/sshd_config; then
+ # TrustedUserCAKeys is not in the file, adding it at the end of the file
+ echo "TrustedUserCAKeys /config/sshd/trusted_ca" >>/config/sshd/sshd_config
+ fi
+else
+ # Trusted CA is empty, commenting parameter
+ sed -i 's/^TrustedUserCAKeys/#TrustedUserCAKeys' /config/sshd/sshd_config
+fi
+
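Review bot: The `else` branch's `sed -i 's/^TrustedUserCAKeys/#TrustedUserCAKeys' /config/sshd/sshd_config` is missing the closing `/` of the `s` command, so sed exits with an unterminated-command error and the directive is never commented out when no CA is configured; it should read `sed -i 's/^TrustedUserCAKeys/#TrustedUserCAKeys/' /config/sshd/sshd_config`. Separately, `TRUSTED_CA_DOWNLOADED=$(curl -s "$TRUSTED_CA_URL")` neither fails on HTTP error status nor checks curl's exit code, so a 4xx/5xx response body or an empty reply is written into the trust-anchor file (and with an empty value `grep -q ""` then appends a blank line); `TRUSTED_CA_DOWNLOADED=$(curl -fsS "$TRUSTED_CA_URL") || TRUSTED_CA_DOWNLOADED=""` followed by an `[[ -n "$TRUSTED_CA_DOWNLOADED" ]]` check before the append would make that path fail closed. Since whatever that URL returns becomes a key that can authenticate users, the script should also refuse `TRUSTED_CA_URL` values that are not `https://` (the README documents only https) with a guard such as `[[ "$TRUSTED_CA_URL" == https://* ]]`. The three dedup checks pass key material to grep as a regular-expression pattern; `grep -qFx` would compare it as a literal whole line instead. In the `TRUSTED_CA_DIR` loop, an empty directory leaves the glob unexpanded and `cat` fails, so a `[[ -f "$F" ]] || continue` at the top of the loop body is needed.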
diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/type b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/type new file mode 100644 index 000000000..bdd22a185 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/type @@ -0,0 +1 @@ +oneshot diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/up b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/up new file mode 100644 index 000000000..a4f59af39 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/up @@ -0,0 +1 @@ +/etc/s6-overlay/s6-rc.d/init-mod-openssh-server-trusted-ca-install/run diff --git a/root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/dependencies.d/init-mods-package-install b/root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mod-openssh-server-trusted-ca-install similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mod-imagename-modname-install/dependencies.d/init-mods-package-install rename to root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mod-openssh-server-trusted-ca-install diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-imagename-modname-add-package b/root/etc/s6-overlay/s6-rc.d/init-mods-package-install/dependencies.d/init-mod-imagename-modname-add-package deleted file mode 100644 index e69de29bb..000000000 diff --git a/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/dependencies.d/init-services b/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/dependencies.d/init-services deleted file mode 100644 index e69de29bb..000000000 diff --git a/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/run b/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/run deleted file mode 100755 index 02ffe39ae..000000000 --- a/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/run +++ /dev/null 
@@ -1,7 +0,0 @@ -#!/usr/bin/with-contenv bash - -# This is an example service that would run for the mod -# It depends on init-services, the baseimage hook for start of all longrun services - -exec \ - s6-setuidgid abc run my app diff --git a/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/type b/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/type deleted file mode 100644 index 1780f9f44..000000000 --- a/root/etc/s6-overlay/s6-rc.d/svc-mod-imagename-modname/type +++ /dev/null @@ -1 +0,0 @@ -longrun \ No newline at end of file diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-imagename-modname-add-package b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-imagename-modname-add-package deleted file mode 100644 index e69de29bb..000000000 diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-imagename-modname-install b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-imagename-modname-install deleted file mode 100644 index e69de29bb..000000000 diff --git a/root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mod-imagename-modname-install b/root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-openssh-server-trusted-ca-install similarity index 100% rename from root/etc/s6-overlay/s6-rc.d/init-mods-end/dependencies.d/init-mod-imagename-modname-install rename to root/etc/s6-overlay/s6-rc.d/user/contents.d/init-mod-openssh-server-trusted-ca-install diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-mod-imagename-modname b/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-mod-imagename-modname deleted file mode 100644 index e69de29bb..000000000