From 03f5eaf1d22d292251c0a124a5147050d8417404 Mon Sep 17 00:00:00 2001
From: Daniel Dolezal
Date: Sat, 11 Apr 2026 23:24:13 +0200
Subject: [PATCH] rewrite conatiner to use the base image alpine:3.23
---
.gitmodules | 3 -
Dockerfile | 60 +++++----------
bash-config/.bash_profile | 2 +-
entrypoint-script/entrypoint.sh | 131 +++++++++++++++-----------------
entrypoint-script/variables.sh | 6 +-
package/teleport-bin | 1 -
sshd_config | 34 +++++++++
7 files changed, 122 insertions(+), 115 deletions(-)
delete mode 100644 .gitmodules
mode change 100755 => 100644 entrypoint-script/entrypoint.sh
delete mode 160000 package/teleport-bin
create mode 100644 sshd_config
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index cd43278..0000000
--- a/.gitmodules
+++ /dev/null
@@ -1,3 +0,0 @@
-[submodule "package/teleport-bin"]
- path = package/teleport-bin
- url = git@git.yiprawr.dev:daniel156161/teleport-bin.git
diff --git a/Dockerfile b/Dockerfile
index cca72c5..5161fb7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM archlinux:latest
+FROM alpine:3.23
 
 ENV USER=borg
 ENV UID=1000
@@ -9,8 +9,18 @@ ENV RUN_INSTALL_SCRIPT="false"
 ENV RUN_PROMETHEUS_EXPORTER="false"
 ENV TZ=""
 
-# Add Folders and Shell Scripts
-RUN mkdir "/.ssh"
+RUN apk add --no-cache \
+ bash sudo openssh-server shadow tzdata curl git dcron coreutils grep sed gawk util-linux ca-certificates tmux prometheus-node-exporter \
+ borgbackup \
+&& mkdir -p \
+ /.ssh \
+ /backups \
+ /logs \
+ /run/sshd \
+ /root/.cache/crontab \
+ /sshkeys/clients \
+ /sshkeys/host
+
 VOLUME ["/backups"]
 VOLUME ["/logs"]
 VOLUME ["/sshkeys/host"]
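Review bot: `+FROM alpine:3.23` and the `+RUN apk add --no-cache` list in the next hunk (`@@ -9,8 +9,18 @@`) leave the build floating: the tag can be re-pushed and none of the packages carries a version, so two builds of this commit can ship different `openssh-server` and `borgbackup` binaries. Pin the base by digest, `FROM alpine:3.23@sha256:<digest-placeholder>`, and pin at least the security-relevant packages (`openssh-server=<version-placeholder>`, `borgbackup=<version-placeholder>`, hadolint DL3018) so a rebuild is reproducible and a CVE scan maps to a known package set. The same list also bakes `curl`, `git`, `gawk` and `tmux` into a runtime image whose services are sshd, crond and borg; every extra binary is reachable by anyone holding a client key, so the ones the entrypoint and backup scripts do not need (borgbackup.sh is not visible here) are better left out of the image.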
@@ -18,44 +28,16 @@ VOLUME ["/sshkeys/host"]
 COPY entrypoint-script/entrypoint.sh /
 COPY entrypoint-script/variables.sh /
 COPY scripts/borgbackup.sh /usr/local/bin/
-
-COPY bash-config/.bash_profile /root/
-COPY bash-config/.bashrc_root /root/
-
-COPY bash-config/.bash_profile /
-COPY bash-config/.bashrc /
-COPY bash-config/locale.gen /etc/locale.gen
-
 COPY prometheus-borg-exporter/borg_exporter.sh /usr/local/bin/
 COPY prometheus-borg-exporter/borg_exporter.rc /etc/
+COPY bash-config/.bash_profile /root/
+COPY bash-config/.bashrc_root /root/
+COPY bash-config/.bash_profile /
+COPY bash-config/.bashrc /
+COPY sshd_config /etc/ssh/sshd_config
 
-# Create .cache folder
-RUN mkdir -p "/root/.cache/crontab"
-
-# Create locale files
-RUN locale-gen
-
-# Install packages
-RUN pacman-key --init
-RUN pacman -Syu --noconfirm sudo bash-completion openssh fastfetch \
- borgbackup dateutils prometheus-node-exporter wget git base-devel cron net-tools inetutils tmux
-
-# Make Build User
-RUN useradd builduser -m
-RUN passwd -d builduser
-RUN printf 'builduser ALL=(ALL) ALL\n' | tee -a /etc/sudoers
-RUN sudo -u builduser bash -c 'cd ~ && git clone https://aur.archlinux.org/teleport-bin.git teleport && cd teleport && makepkg -si --noconfirm && cd ~ && rm -rf teleport'
-#RUN sudo -u builduser bash -c 'cd ~ && git clone https://git.yiprawr.dev/daniel156161/teleport-bin.git teleport && cd teleport && makepkg -si --noconfirm && cd ~ && rm -rf teleport'
-RUN userdel -r builduser
-
-# Setup SSH-Server
-RUN sed -ie 's/#Port 22/Port 22/g' /etc/ssh/sshd_config
-RUN sed -ie 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
-RUN sed -ie 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
-
-RUN sed -ie 's|#HostKey /etc/ssh/ssh_host_rsa_key|HostKey /sshkeys/host/ssh_host_rsa_key|g' /etc/ssh/sshd_config
-RUN sed -ie 's|#HostKey /etc/ssh/ssh_host_ecdsa_key|HostKey /sshkeys/host/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
-RUN sed -ie 's|#HostKey /etc/ssh/ssh_host_ed25519_key|HostKey /sshkeys/host/ssh_host_ed25519_key|g' /etc/ssh/sshd_config
+RUN chmod 0755 /entrypoint.sh /usr/local/bin/borgbackup.sh /usr/local/bin/borg_exporter.sh
 
 EXPOSE 22
-ENTRYPOINT [ "/entrypoint.sh" ]
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/bash-config/.bash_profile b/bash-config/.bash_profile
index 05f7894..f791e62 100644
--- a/bash-config/.bash_profile
+++ b/bash-config/.bash_profile
@@ -9,4 +9,4 @@ fi
 
 PATH=$PATH:$HOME/bin
 export PATH
-unset USERNAME
\ No newline at end of file
+unset USERNAME
diff --git a/entrypoint-script/entrypoint.sh b/entrypoint-script/entrypoint.sh
old mode 100755
new mode 100644
index 7512756..faa3cba
--- a/entrypoint-script/entrypoint.sh
+++ b/entrypoint-script/entrypoint.sh
@@ -1,16 +1,18 @@
 #!/bin/bash
+set -euo pipefail
+
 source "/variables.sh"
-#####################################################################################################
+###############################################################################
 # Funktionen
-#####################################################################################################
+###############################################################################
 function set_environment_variables_if_not_empty {
 # Set Tmux Shell for .bashrc to load tmux and attach session if exists else create new session
- if [ "$USE_TMUX_SHELL" != "" ]; then
+ if [ -n "${USE_TMUX_SHELL:-}" ]; then
 echo "USE_TMUX_SHELL=$USE_TMUX_SHELL" >> /etc/environment
 fi
 # Set Server Timezone
- if [ "$TZ" != "" ]; then
+ if [ -n "${TZ:-}" ]; then
 echo "TZ=$TZ" >> /etc/environment
 ln -sf "/usr/share/zoneinfo/$TZ" /etc/localtime
 fi
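Review bot: `+RUN chmod 0755 /entrypoint.sh /usr/local/bin/borgbackup.sh /usr/local/bin/borg_exporter.sh` only restores an executable bit that this same commit removes from `entrypoint-script/entrypoint.sh` in git (mode change 100755 => 100644), at the cost of an extra layer. Setting the mode at copy time is independent of the checkout's mode bits and needs no RUN: with the BuildKit frontend (`# syntax=docker/dockerfile:1` at the top), `COPY --chmod=0755 entrypoint-script/entrypoint.sh /` and the same flag on the `scripts/borgbackup.sh` and `prometheus-borg-exporter/borg_exporter.sh` lines replace it; keeping the exec bit in git as well lets the script run straight from a checkout. The `COPY bash-config/.bash_profile /` and `.bashrc` drops land in what the entrypoint makes the borg user's home (`useradd ... -d /`); a comment above them, `# / is $USER's home directory, see add_borg_user in entrypoint.sh`, would explain why dotfiles sit at the filesystem root.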
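Review bot: `+ if [ -n "${TZ:-}" ]; then` guards only against an empty value, and `ln -sf "/usr/share/zoneinfo/$TZ" /etc/localtime` does not fail on a missing target, so a mistyped zone leaves a dangling `/etc/localtime`: the container silently runs on UTC while `/etc/environment` claims otherwise, and `set -e` never notices. Check the zone file before linking, `if [ ! -f "/usr/share/zoneinfo/$TZ" ]; then echo "Unknown TZ: $TZ" >&2; exit 1; fi`. The two `>> /etc/environment` appends also grow that file on every container restart because nothing truncates it first; if no other writer relies on the append (not visible here), writing both values with a single `printf ... > /etc/environment` keeps the file idempotent.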
@@ -29,52 +31,55 @@ function print_user_info {
 echo "* GROUP: $USER - GID: $GID"
 }
 
+function create_folder_and_change_permissions {
+ if [ ! -d "$1" ]; then
+ mkdir -p "$1"
+ fi
+ chown -R "$USER":"$USER" "$1"
+}
+
 function add_borg_user {
- if ! id "$USER" &>/dev/null; then
- groupadd -g "$GID" "$USER" >> /dev/null
- useradd -r -u "$UID" -g "$GID" -s "/bin/bash" "$USER" >> /dev/null
- passwd -d "$USER" >> /dev/null
- printf "$USER ALL=(ALL) NOPASSWD: ALL\n" | tee -a /etc/sudoers >> /dev/null
- usermod -d / borg >> /dev/null
+ if ! id "$USER" >/dev/null 2>&1; then
+ groupadd -g "$GID" "$USER" >/dev/null
+ useradd -M -u "$UID" -g "$GID" -d / -s /bin/bash "$USER" >/dev/null
+ printf "%s ALL=(ALL) NOPASSWD: ALL\n" "$USER" >> /etc/sudoers
 create_folder_and_change_permissions "/.config"
 create_folder_and_change_permissions "/.cache"
 chmod 700 "/.cache"
 fi
+
+ random_pw="$(dd if=/dev/urandom bs=18 count=1 2>/dev/null | base64)"
+ echo "${USER}:${random_pw}" | chpasswd >/dev/null 2>&1 || true
 }
 function make_and_import_ssh_keys {
 local create_folders="0"
- if [ ! -f "/.ssh/authorized_keys" ]; then
- touch "/.ssh/authorized_keys"
- else
- rm "/.ssh/authorized_keys"
- touch "/.ssh/authorized_keys"
- fi
+ mkdir -p "/.ssh"
+ : > "/.ssh/authorized_keys"
- for key in ${SSH_FOLDERS[@]}; do
- if [ ! -d "${key}" ]; then
- mkdir -p "${key}"
- echo "Created ${key}"
+ for key_dir in "${SSH_FOLDERS[@]}"; do
+ if [ ! -d "$key_dir" ]; then
+ mkdir -p "$key_dir"
+ echo "Created $key_dir"
 create_folders="1"
 fi
 done
- #chown -R "$USER":"$USER" "/sshkeys"
-
- if [ $create_folders == "1" ]; then
+ if [ "$create_folders" = "1" ]; then
 sepurator
 fi
 echo "* IMPORT SSH KEYS"
- FILES=$(ls -1 /sshkeys/clients)
- for key in $FILES; do
- echo "- Adding SSH-Key $key"
- cat "/sshkeys/clients/$key" >> "/.ssh/authorized_keys"
+ shopt -s nullglob
+ for key in /sshkeys/clients/*; do
+ echo "- Adding SSH-Key $(basename "$key")"
+ cat "$key" >> "/.ssh/authorized_keys"
 echo "" >> "/.ssh/authorized_keys"
 done
+ shopt -u nullglob
 chown -R "$USER":"$USER" "/.ssh"
 chmod 700 "/.ssh"
@@ -89,26 +94,30 @@ function print_message {
 function generate_host_sshkey {
 # Generate SSH-Keys
+ mkdir -p /sshkeys/host
+
 if [ ! -f "/sshkeys/host/ssh_host_rsa_key" ]; then
 sepurator
 print_message "HOST SSH-KEY RSA not found, generating..."
- ssh-keygen -t rsa -b 4096 -f "/sshkeys/host/ssh_host_rsa_key" -N ""
+ ssh-keygen -q -t rsa -b 4096 -f "/sshkeys/host/ssh_host_rsa_key" -N ""
 print_message "HOST SSH-KEY RSA Generated"
 fi
 if [ ! -f "/sshkeys/host/ssh_host_ecdsa_key" ]; then
 sepurator
 print_message "HOST SSH-KEY ECDSA not found, generating..."
- ssh-keygen -t ecdsa -b 521 -f "/sshkeys/host/ssh_host_ecdsa_key" -N ""
+ ssh-keygen -q -t ecdsa -b 521 -f "/sshkeys/host/ssh_host_ecdsa_key" -N ""
 print_message "HOST SSH-KEY ECDSA Generated"
 fi
 if [ ! -f "/sshkeys/host/ssh_host_ed25519_key" ]; then
 sepurator
 print_message "HOST SSH-KEY ED25519 not found, generating..."
- ssh-keygen -t ed25519 -b 521 -f "/sshkeys/host/ssh_host_ed25519_key" -N ""
+ ssh-keygen -q -t ed25519 -f "/sshkeys/host/ssh_host_ed25519_key" -N ""
 print_message "HOST SSH-KEY ED25519 Generated"
 fi
- chown -R "$USER":"$USER" "/sshkeys/host"
+ chmod 600 /sshkeys/host/ssh_host_*_key
+ chmod 644 /sshkeys/host/ssh_host_*_key.pub
+ chown root:root /sshkeys/host/ssh_host_* || true
 }
 
 function maintenance_enable {
@@ -116,7 +125,7 @@ function maintenance_enable {
 echo "* MAINTENANCE MODE - ENABLED"
 if [ -f "/crontab.txt" ]; then
 crontab "/crontab.txt"
- crond -i 2> /dev/null
+ crond
 echo "- Crontab loaded successfully"
 else
 echo "- Can not find /crontab.txt"
@@ -126,7 +135,7 @@ function maintenance_enable {
 }
 
 function show_timezone_output {
- if [ "$TZ" != "" ]; then
+ if [ -n "${TZ:-}" ]; then
 echo "* Setting Timezone to $TZ"
 else
 echo "* Timezone not set - Use UTC Time"
@@ -135,37 +144,26 @@ function show_timezone_output {
 }
 
 function run_install_script {
- if [ "$RUN_INSTALL_SCRIPT" != "false" ]; then
- if [ ! -f "/.runnedInstall" ]; then
- echo "* RUNNING INSTALL SCRIPT"
- sepurator
- sh "$RUN_INSTALL_SCRIPT"
-
- sepurator
- touch "/.runnedInstall"
- fi
+ if [ "$RUN_INSTALL_SCRIPT" != "false" ] && [ ! -f "/.runnedInstall" ]; then
+ echo "* RUNNING INSTALL SCRIPT"
+ sepurator
+ sh "$RUN_INSTALL_SCRIPT"
+ sepurator
+ touch "/.runnedInstall"
 fi
 }
 
-function create_folder_and_change_permissions {
- if [ ! -d "$1" ]; then
- mkdir -p "$1"
- fi
- chown -R "$USER":"$USER" "$1"
-}
-
-function run_prometheus_exporter() {
+function run_prometheus_exporter {
 if [ "$RUN_PROMETHEUS_EXPORTER" != "false" ]; then
 create_folder_and_change_permissions "/var/log/"
 echo "* STARTING Prometheus Exporter for Borg Backup"
- crontab -l > /tmp/cron_bkp
+ crontab -l > /tmp/cron_bkp 2>/dev/null || true
 echo "" >> /tmp/cron_bkp
- echo "- Add Cronjob to Crontab"
 echo "$RUN_PROMETHEUS_EXPORTER su -c '/usr/local/bin/borg_exporter.sh 2>&1' -s /bin/bash borg" >> /tmp/cron_bkp
- crontab /tmp/cron_bkp > /dev/null 2>&1
+ crontab /tmp/cron_bkp >/dev/null 2>&1
 rm /tmp/cron_bkp
 
 if [ ! -f "/var/log/borg_exporter.prom" ]; then
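Review bot: `+ crond` is started here unconditionally, while the hunk at `@@ -174,24 +172,22 @@` guards its own start with `if ! pgrep -x crond`; with both maintenance mode and the exporter enabled (their order is decided in the main code outside these hunks) the unguarded start can leave two crond instances reading the same crontab, so each job can fire twice. Apply the same guard here, `if ! pgrep -x crond >/dev/null 2>&1; then crond; fi`, or start crond once from the main code after every crontab edit is done. Under `set -e` a `crond` that fails to start now terminates the entrypoint, which is the right outcome but worth a comment, since the old `2> /dev/null` hid exactly that case.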
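Review bot: `+ crontab /tmp/cron_bkp >/dev/null 2>&1` now runs under `set -euo pipefail`, so a rejected crontab (for example a malformed schedule in `RUN_PROMETHEUS_EXPORTER`) aborts the whole entrypoint without a diagnostic — the one line that would explain it is discarded — and leaves `/tmp/cron_bkp` behind for the next start. Keep stderr, stage the file through `mktemp` instead of a fixed name in `/tmp`, and remove it on both paths; the `|| true` on `crontab -l` is right, since an empty crontab is expected on first start. `run_prometheus_exporter` continues past this hunk.
```shell
        echo "* STARTING Prometheus Exporter for Borg Backup"
        cron_tmp="$(mktemp)"
        crontab -l > "$cron_tmp" 2>/dev/null || true
        echo "" >> "$cron_tmp"
        echo "$RUN_PROMETHEUS_EXPORTER su -c '/usr/local/bin/borg_exporter.sh 2>&1' -s /bin/bash borg" >> "$cron_tmp"
        if ! crontab "$cron_tmp"; then
            rm -f "$cron_tmp"
            echo "- Installing the exporter cronjob failed" >&2
            return 1
        fi
        rm -f "$cron_tmp"
        # … unchanged: borg_exporter.prom bootstrap …
```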
@@ -174,24 +172,22 @@ function run_prometheus_exporter() {
 fi
 echo "- STARTING Node Exporter"
- sudo -H -u "$USER" bash -c "prometheus-node-exporter --collector.textfile.directory=$NODE_EXPORTER_DIR > /dev/null 2>&1 &"
+ if command -v prometheus-node-exporter >/dev/null 2>&1; then
+ sudo -H -u "$USER" bash -c "prometheus-node-exporter --collector.textfile.directory=$NODE_EXPORTER_DIR >/dev/null 2>&1 &"
+ elif command -v node_exporter >/dev/null 2>&1; then
+ sudo -H -u "$USER" bash -c "node_exporter --collector.textfile.directory=$NODE_EXPORTER_DIR >/dev/null 2>&1 &"
+ fi
+
+ if ! pgrep -x crond >/dev/null 2>&1; then
+ crond
+ fi
 sepurator
 fi
 }
-
-function run_correct_ssh_service() {
- if [ -f "/etc/teleport.yaml" ]; then
- echo "* STARTING Teleport Server"
- exec teleport start -c /etc/teleport.yaml 2>&1
- else
- exec /usr/sbin/sshd -D -e "$@" 2>&1
- fi;
-}
-#####################################################################################################
+###############################################################################
 # Main Code
-#####################################################################################################
+###############################################################################
 set_environment_variables_if_not_empty
-dbus-uuidgen --ensure=/etc/machine-id
 add_borg_user
 print_container_info
@@ -209,5 +205,4 @@ run_install_script
 
 echo "* Init done! - Starting SSH-Daemon..."
 sepurator
-
-run_correct_ssh_service
+exec /usr/sbin/sshd -D -e "$@" 2>&1
diff --git a/entrypoint-script/variables.sh b/entrypoint-script/variables.sh
index 8d064cf..770abaa 100644
--- a/entrypoint-script/variables.sh
+++ b/entrypoint-script/variables.sh
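Review bot: Both exporter branches start the process as `sudo -H -u "$USER" bash -c "... >/dev/null 2>&1 &"`, which throws its output away and returns before it is known whether the listener came up, so a port clash or a bad `--collector.textfile.directory` goes unnoticed while `- STARTING Node Exporter` has already been printed; an `else` branch is missing too, so an image with neither binary silently starts nothing. Send the exporter's output to the `/logs` volume instead of `/dev/null` and close the chain with `else echo "- no node exporter binary found" >&2; fi`. Once the script `exec`s sshd as PID 1, the backgrounded exporter and `crond` are reparented to sshd, which does not reap children; running the container with `docker run --init` (or `tini` as the entrypoint) keeps a dead exporter from lingering as a zombie. `run_prometheus_exporter` begins before this hunk.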
@@ -3,11 +3,11 @@ BORG_VERSION=$(borg -V)
 SSH_FOLDERS=( "/sshkeys/clients" "/sshkeys/host" )
 NODE_EXPORTER_DIR="/var/log"
 COLUMNS="86"
-##############################################################################################################################
+###############################################################################
 # Funktionen
-##############################################################################################################################
+###############################################################################
 function sepurator {
- if [ ! -z "$2" ]; then
+ if [ -n "${2:-}" ]; then
 local end="$2"
 else
 local end="$COLUMNS"
diff --git a/package/teleport-bin b/package/teleport-bin
deleted file mode 160000
index a840ba5..0000000
--- a/package/teleport-bin
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit a840ba5f13b25ae03c2c912c9db2c8a5617b630f
diff --git a/sshd_config b/sshd_config
new file mode 100644
index 0000000..4824d48
--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,34 @@
+Port 22
+Protocol 2
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+HostKey /sshkeys/host/ssh_host_rsa_key
+HostKey /sshkeys/host/ssh_host_ecdsa_key
+HostKey /sshkeys/host/ssh_host_ed25519_key
+
+PermitRootLogin no
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+AuthenticationMethods publickey
+PermitEmptyPasswords no
+AuthorizedKeysFile .ssh/authorized_keys
+StrictModes yes
+AllowUsers borg
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+PermitTTY yes
+PermitTunnel no
+TCPKeepAlive yes
+ClientA
liveInterval 300
+ClientAliveCountMax 3
+UseDNS no
+PrintMotd no
+
+Subsystem sftp internal-sftp
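Review bot: `+AllowUsers borg` hard-codes the account while the Dockerfile keeps it configurable through `ENV USER=borg`; overriding `USER` at run time yields a container whose entrypoint creates the overridden user and whose sshd admits only `borg`, so every login fails. Either document `USER` as fixed or render the line from the entrypoint before `exec sshd`, e.g. `sed -i "s/^AllowUsers .*/AllowUsers $USER/" /etc/ssh/sshd_config`. `+Protocol 2` and `+ChallengeResponseAuthentication no` are legacy keywords — as far as I know current OpenSSH reports `Protocol` as deprecated and treats `ChallengeResponseAuthentication` as an alias of the `KbdInteractiveAuthentication no` already set — so both can go. `+AuthorizedKeysFile .ssh/authorized_keys` resolves to the `/.ssh/authorized_keys` the entrypoint writes only because `useradd ... -d /` makes `/` the home directory; a comment above that line, `# $USER's home is / (entrypoint add_borg_user), so this is /.ssh/authorized_keys`, would record the coupling.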