diff --git a/DESIGN.md b/DESIGN.md
index 384f17f..07b499a 100644
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -13,11 +13,11 @@
 | User Location | Host Location | attach mode | Mode | Attribute | Owner | Description |
 | ------------------------------------ | ------------- | ----------- | ---- | --------- | ----- | ------------------------ |
 | /home/devuser/.gitconfig | - | mount | 600 | +i | user | Git configuration file |
-| /root/ssh/config | - | copy | 100 | +i | root | ssh config file |
-| /root/ssh/authorized_keys | - | mount | 000 | +i | root | authorized keys file |
-| /root/ssh/ssh_blocker.sh | - | copy | 100 | +i | root | ssh blocker shell script |
-| /root/ssh/id_ed25519 | - | mount | 100 | +i | root | private shh key file |
-| /root/ssh/id_ed25519.pub | - | mount | 100 | +i | root | public shh key file |
+| /opt/secure/ssh/config | - | copy | 100 | +i | root | ssh config file |
+| /opt/secure/ssh/authorized_keys | - | mount | 000 | +i | root | authorized keys file |
+| /opt/secure/ssh/ssh_blocker.sh | - | copy | 100 | +i | root | ssh blocker shell script |
+| /opt/secure/ssh/id_ed25519 | - | mount | 100 | +i | root | private shh key file |
+| /opt/secure/ssh/id_ed25519.pub | - | mount | 100 | +i | root | public shh key file |
 | /home/devuser/lazygit/config.yml | - | copy | 600 | +i | user | lazygit config file |
 | /home/devuser/.config/nvim | - | copy | 600 | +i | user | neovim config files |
 | /home/devuser/.config/tmux | - | copy | 600 | +i | user | tmux config files |
diff --git a/build-analytics-backend-workspace.sh b/build-analytics-backend-workspace.sh
index 851e52f..9f48c13 100644
--- a/build-analytics-backend-workspace.sh
+++ b/build-analytics-backend-workspace.sh
@@ -5,6 +5,7 @@ set -euo pipefail
 IMG_NAME="analytics-backend-workspace"
+SECURE=/opt/secure
 ctr=$(buildah from registry.fedoraproject.org/fedora-minimal:40)
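Review bot: `SECURE=/opt/secure` is introduced as an absolute path, but every use in the hunk at -18 writes `/"$SECURE"/ssh`, which expands to `//opt/secure/ssh`; Linux treats the two leading slashes as one, yet the doubled prefix is a latent bug if the value is ever changed and does not match the paths DESIGN.md documents. Either drop the leading slash from the value or, preferably, keep it absolute and reference it as `"$SECURE"/ssh` at the call sites. The constant is never reassigned in the visible script, so `readonly SECURE=/opt/secure  # root-owned, immutable SSH material (absolute; use "$SECURE"/ssh)` would both document it and guard against accidental change.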
@@ -18,13 +19,14 @@ buildah run "$ctr" -- useradd -ms /bin/zsh devuser
 buildah run "$ctr" -- bash -c 'echo "devuser ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/devuser'
 # SSH setup
-buildah run "$ctr" -- mkdir -p /root/ssh
-buildah copy "$ctr" ssh/config /root/ssh/config
-buildah copy "$ctr" ssh/ssh_blocker.sh /root/ssh/ssh_blocker.sh
-buildah run "$ctr" -- chmod 100 /root/ssh/ssh_blocker.sh
-buildah run "$ctr" -- chattr +i /root/ssh/ssh_blocker.sh
-buildah run "$ctr" -- chmod 000 /root/ssh/config
-buildah run "$ctr" -- chattr +i /root/ssh/config
+buildah run "$ctr" -- mkdir -p /"$SECURE"/ssh
+buildah copy "$ctr" ssh/config /"$SECURE"/ssh/config
+buildah copy "$ctr" ssh/ssh_blocker.sh /"$SECURE"/ssh/ssh_blocker.sh
+buildah run "$ctr" -- chmod 100 /"$SECURE"/ssh/ssh_blocker.sh
+buildah run "$ctr" -- chattr +i /"$SECURE"/ssh/ssh_blocker.sh
+buildah run "$ctr" -- chmod 000 /"$SECURE"/ssh/config
+buildah run "$ctr" -- chattr +i /"$SECURE"/ssh/config
+buildah run "$ctr" -- chown -R root:root ssh/config /"$SECURE"/ssh_blocker.sh
 # Neovim config (immutable)
 buildah copy "$ctr" config/nvim /home/devuser/.config/nvim
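Review bot: The added `chown -R root:root ssh/config /"$SECURE"/ssh_blocker.sh` names the wrong files and runs too late: `ssh/config` is the host-side source path rather than a path inside the container, and the blocker script was copied to `"$SECURE"/ssh/ssh_blocker.sh`, so the command fails on a nonexistent path and aborts the build under `set -euo pipefail`. It also comes after `chattr +i` on both files, and chown on an immutable file is refused with EPERM, so even with corrected paths the line would fail; ownership and mode must be set before the immutable flag. `buildah copy` very likely already leaves the files root-owned, so the chown may be redundant, but if it is kept it belongs before the chmod/chattr lines as below (the rewrite also drops the doubled leading slash raised on the hunk at -5). Separately, the DESIGN.md table in this commit still lists authorized_keys and the id_ed25519 pair under /opt/secure/ssh, yet after the deletion at -44 nothing in the visible script installs them, so the design doc and the build script should be reconciled.
```shell
# SSH setup
buildah run "$ctr" -- mkdir -p "$SECURE"/ssh
buildah copy "$ctr" ssh/config "$SECURE"/ssh/config
buildah copy "$ctr" ssh/ssh_blocker.sh "$SECURE"/ssh/ssh_blocker.sh
# ownership and mode first: once chattr +i is set, chown/chmod fail with EPERM
buildah run "$ctr" -- chown root:root "$SECURE"/ssh/config "$SECURE"/ssh/ssh_blocker.sh
buildah run "$ctr" -- chmod 100 "$SECURE"/ssh/ssh_blocker.sh
buildah run "$ctr" -- chmod 000 "$SECURE"/ssh/config
buildah run "$ctr" -- chattr +i "$SECURE"/ssh/ssh_blocker.sh "$SECURE"/ssh/config
# … unchanged: Neovim config …
```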
@@ -44,27 +46,6 @@ buildah copy "$ctr" ./gpg-key.asc /home/devuser/.gnupg/gpg-key.asc
 buildah run "$ctr" -- chattr +i /home/devuser/.gitconfig
 buildah run "$ctr" -- chattr +i /home/devuser/.gnupg/gpg-key.asc
-# Secure SSH wrapper and config
-buildah run "$ctr" -- mkdir -p /opt/secure/ssh
-buildah copy "$ctr" ./id_ed25519 /opt/secure/ssh/id_ed25519
-buildah copy "$ctr" ./ssh_config /opt/secure/ssh/config
-buildah run "$ctr" -- chmod 600 /opt/secure/ssh/id_ed25519
-buildah run "$ctr" -- chmod 100 /opt/secure/ssh/config
-buildah run "$ctr" -- chown root:root /opt/secure/ssh/id_ed25519 /opt/secure/ssh/config
-buildah run "$ctr" -- chattr +i /opt/secure/ssh/id_ed25519 /opt/secure/ssh/config
-
-# Create SSH wrapper script
-buildah run "$ctr" -- bash -c '
-cat < /usr/local/bin/git-ssh-wrapper.sh
-#!/bin/bash
-exec ssh -F /opt/secure/ssh/config "\$@"
-EOF
-chmod +x /usr/local/bin/git-ssh-wrapper.sh'
-
-# Entrypoint to start SSH
-buildah run "$ctr" -- mkdir -p /run/sshd
-buildah run "$ctr" -- bash -c 'echo "/usr/sbin/sshd -D" > /home/devuser/start.sh && chmod +x /home/devuser/start.sh'
-
 buildah run "$ctr" -- chown -R devuser:devuser /home/devuser
 buildah config --user devuser "$ctr"