A lowly tech priest's attempt to please Mars
feat: copy ssh-keys to prevent file permissions thingies

+41 -27
+6 -4
containers/knot/Dockerfile
··· 31 31 && apk del shadow openssl 32 32 33 33 ENV KNOT_REPO_SCAN_PATH=/repositories \ 34 - KNOT_SERVER_DB_PATH=/data/knotserver.db 34 + KNOT_SERVER_DB_PATH=/data/knotserver.db \ 35 + KNOT_SSH_KEYS_PATH=/ssh-keys 35 36 RUN apk add --no-cache \ 36 37 openssh \ 37 38 git \ 38 39 catatonit \ 39 40 bash \ 40 - && mkdir -p ${KNOT_REPO_SCAN_PATH} /data /ssh-keys \ 41 - && chown -R git:git ${KNOT_REPO_SCAN_PATH} /data /ssh-keys \ 42 - && chmod 700 /ssh-keys 41 + && mkdir -p ${KNOT_REPO_SCAN_PATH} /data ${KNOT_SSH_KEYS_PATH} /safe_ssh_keys \ 42 + && chown -R git:git ${KNOT_REPO_SCAN_PATH} /data ${KNOT_SSH_KEYS_PATH} /safe_ssh_keys \ 43 + && chmod 1777 /safe_ssh_keys 43 44 44 45 COPY --chmod=755 --chown=root:root sshd-keys-wrapper /usr/local/sbin/sshd-keys-wrapper 45 46 COPY --chmod=600 --chown=git:git sshd_config /sshd_config ··· 52 53 HEALTHCHECK --interval=60s --timeout=30s --start-period=5s --retries=3 \ 53 54 CMD curl -f http://localhost:5555 || exit 1 54 55 56 + USER 10999 55 57 ENTRYPOINT [ "/usr/bin/catatonit", "--" ] 56 58 CMD [ "start-knot" ]
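Review bot: `chmod 1777 /safe_ssh_keys` makes the copy target world-writable (with the sticky bit), which is broader than the `USER 10999` change needs. The directory is `chown`ed to `git:git` on the line above, but `start.sh` runs as UID 10999 (or root, per the README), so the 1777 mode only exists to let a non-`git` user write into a `git`-owned directory. Owning the directory by the runtime user instead, e.g. `chown 10999:10999 /safe_ssh_keys` followed by `chmod 700 /safe_ssh_keys`, keeps the copied private host keys in a directory only that user can enter, and root still works. A comment next to `KNOT_SSH_KEYS_PATH=/ssh-keys` stating that this is the mounted volume holding the originals while `/safe_ssh_keys` is the in-container copy would also help, since the two are easy to confuse.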
+18 -11
containers/knot/README.md
··· 1 1 # knot 2 2 3 - OCI Container to run your own [tangled](https://tangled.org) [knot](https://tangled.org/@tangled.org/core/blob/master/docs/knot-hosting.md) and host the data of your own repositories. 3 + OCI Container to run your own [tangled](https://tangled.org) [knot](https://docs.tangled.org/knot-self-hosting-guide.html) and host the data of your own repositories. 4 4 5 5 ## Pre-built Images 6 6 7 - Pre-built images are available in an ATCR [repository](https://atcr.io/r/bram.gotink.be/knot) starting at `v1.10.0-alpha`. 7 + Pre-built images are available in an ATCR [repository](https://atcr.io/r/bram.gotink.be/knot) starting at `v1.12.0-alpha`. 8 8 9 9 ```sh 10 10 docker pull atcr.io/bram.gotink.be/knot ··· 13 13 This image differs from the pseudo-official [tngl/knot](https://hub.docker.com/r/tngl/knot) image. 14 14 The code is the same, but the image is set up differently: 15 15 16 - - Run everything using a non-root user 16 + - It is designed to be run with a non-root user (userid 10999), although root works just fine if you prefer 17 17 - Allow the OCI runtime to restart the container if anything fails, rather than package an entire init system that manages these programs 18 18 19 19 ## Building The Image 20 20 21 21 ```sh 22 - docker build --platform linux/amd64,linux/arm64 -t atcr.io/bram.gotink.be/knot --build-arg VERSION=v1.10.0-alpha . 22 + docker build --platform linux/amd64,linux/arm64 -t atcr.io/bram.gotink.be/knot --build-arg VERSION=v1.13.0-alpha . 23 23 ``` 24 24 25 25 ## Setting Up The Image 26 26 27 - This image is designed to work with kubernetes. 28 - It requires three `volumeMounts`: 27 + This image is designed to work with stricter permissions in e.g. kubernetes. 
28 + 29 + The container requires three volumes: 30 + 31 + | Environment variable | Default value | Usage | 32 + | --------------------- | --------------------- | ----------------------------------------------------- | 33 + | `KNOT_REPO_SCAN_PATH` | `/repositories` | storage directory the repositories | 34 + | `KNOT_SERVER_DB_PATH` | `/data/knotserver.db` | the sqlite database, should be placed inside a volume | 35 + | `KNOT_SSH_KEYS_PATH` | `/ssh-keys` | directory in which to store SSH host keys | 29 36 30 - - `/repositories` for the repositories 31 - - `/data` for the database 32 - - `/ssh-keys` for the SSH host keys 37 + Two environment variables are required: 33 38 34 - The first two can be configured using `KNOT_REPO_SCAN_PATH` (default `/repositories`) and `KNOT_SERVER_DB_PATH` (default `/data/knotserver.db`). 35 - The latter cannot be changed, and it _must_ be a folder with strict permissions. 39 + | Environment variable | Usage | 40 + | ---------------------- | ------------------------------------------------------------------------------ | 41 + | `KNOT_SERVER_HOSTNAME` | Domain name of the server (`example.com`) | 42 + | `KNOT_SERVER_OWNER` | Did of the owner (user account) of the knot server (`did:plc:yourdidgoeshere`) | 36 43 37 44 The container listens on two ports: 38 45 - 5555 handles HTTP traffic and should be mapped onto port 443
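Review bot: the new table is introduced with "The container requires three volumes", but its columns describe environment variables, and `KNOT_SERVER_DB_PATH` points at a file rather than a volume; phrase it as three paths that should each be backed by a volume, and fix "storage directory the repositories" to "storage directory for the repositories". The removed sentence "it _must_ be a folder with strict permissions" was the only guidance on how to treat the SSH host key volume; since the private keys are still generated into `KNOT_SSH_KEYS_PATH` and merely copied out of it, add a line saying the volume still holds the private host keys and should not be readable by other workloads, even though its mode no longer has to satisfy sshd. Minor: "Did of the owner" should read "DID of the owner".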
+3 -3
containers/knot/sshd_config
··· 1 1 Port 2222 2 2 3 - HostKey /ssh-keys/ssh_host_rsa_key 4 - HostKey /ssh-keys/ssh_host_ecdsa_key 5 - HostKey /ssh-keys/ssh_host_ed25519_key 3 + HostKey /safe_ssh_keys/ssh_host_rsa_key 4 + HostKey /safe_ssh_keys/ssh_host_ecdsa_key 5 + HostKey /safe_ssh_keys/ssh_host_ed25519_key 6 6 7 7 PasswordAuthentication no 8 8
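Review bot: the three `HostKey` lines hard-code `/safe_ssh_keys`, which must stay in sync with the copy destination in `start.sh` and the `mkdir`/`chmod` in the Dockerfile; sshd does not expand environment variables, so `KNOT_SSH_KEYS_PATH` cannot be referenced here. A one-line comment above the `HostKey` entries pointing at `start.sh` as the script that populates the directory would stop the next path change from silently breaking host key loading.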
+13 -8
containers/knot/start.sh
··· 1 - #!/bin/ash 1 + #!/bin/bash 2 2 set -e 3 3 4 - if [ ! -f /ssh-keys/ssh_host_rsa_key ]; then 5 - ssh-keygen -t rsa -f /ssh-keys/ssh_host_rsa_key -q -N "" 4 + if [ ! -f "$KNOT_SSH_KEYS_PATH/ssh_host_rsa_key" ]; then 5 + ssh-keygen -t rsa -f "$KNOT_SSH_KEYS_PATH/ssh_host_rsa_key" -q -N "" 6 6 fi 7 - if [ ! -f /ssh-keys/ssh_host_ecdsa_key ]; then 8 - ssh-keygen -t ecdsa -f /ssh-keys/ssh_host_ecdsa_key -q -N "" 7 + if [ ! -f "$KNOT_SSH_KEYS_PATH/ssh_host_ecdsa_key" ]; then 8 + ssh-keygen -t ecdsa -f "$KNOT_SSH_KEYS_PATH/ssh_host_ecdsa_key" -q -N "" 9 9 fi 10 - if [ ! -f /ssh-keys/ssh_host_ed25519_key ]; then 11 - ssh-keygen -t ed25519 -f /ssh-keys/ssh_host_ed25519_key -q -N "" 10 + if [ ! -f "$KNOT_SSH_KEYS_PATH/ssh_host_ed25519_key" ]; then 11 + ssh-keygen -t ed25519 -f "$KNOT_SSH_KEYS_PATH/ssh_host_ed25519_key" -q -N "" 12 12 fi 13 13 14 - /usr/sbin/sshd -f /sshd_config & 14 + cp "$KNOT_SSH_KEYS_PATH"/ssh_host_{rsa,ecdsa,ed25519}_key{,.pub} \ 15 + /safe_ssh_keys 16 + chmod 600 /safe_ssh_keys/* 17 + chmod 644 /safe_ssh_keys/*.pub 18 + 19 + /usr/sbin/sshd -d -f /sshd_config & 15 20 sshd_pid=$! 16 21 17 22 /usr/sbin/knot server &
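Review bot: `/usr/sbin/sshd -d -f /sshd_config &` adds `-d`, which puts sshd in debug mode: it logs verbosely to stderr, does not fork, and exits after serving a single connection, so after the first git-over-SSH session the daemon is gone and the container relies on the runtime restarting it. This looks like a leftover from debugging the permission problem the commit fixes; drop `-d` (use `-e` if logging to stderr is the goal). The shebang change to `#!/bin/bash` is required by the brace expansion in `cp "$KNOT_SSH_KEYS_PATH"/ssh_host_{rsa,ecdsa,ed25519}_key{,.pub}`, which ash does not support; a short comment saying so would prevent someone from switching it back. Minor: guard against an unset `KNOT_SSH_KEYS_PATH` at the top, e.g. `: "${KNOT_SSH_KEYS_PATH:?must be set}"`, since an empty value would make the `ssh-keygen` calls write to `/ssh_host_*_key` instead of the volume.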
+1 -1
kubernetes/apps/at/pds/knot.yaml
··· 42 42 app: 43 43 image: 44 44 repository: codeberg.org/bgotink/knot 45 - tag: 1.13.0-alpha@sha256:ee175db19fe912382bfe36ec252a510bc86cb22235c0deffc4674d1ef23185a7 45 + tag: 1.13.0-alpha@sha256:347550b3d3e36799a21948bbe0b67592d58043d28bdd0a0ee868321eb117a5b6 46 46 env: 47 47 TZ: ${TIMEZONE} 48 48
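Review bot: only the digest behind the unchanged `1.13.0-alpha` tag moves here, which is the right way to roll out the rebuilt image, but the same commit adds `USER 10999` to the Dockerfile and this hunk shows no matching `securityContext` (runAsUser/fsGroup) for the repositories, data and SSH key volumes. Confirm the manifest already sets them so that UID 10999 can write to those volumes; otherwise the container fails at `ssh-keygen` on first start.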