#!/bin/bash PERSON="$1" WORKSPACE="$SSH_ORIGINAL_COMMAND" IMAGE="localhost/analytics-backend-workspace:latest" DEV_USER="devuser" XDG_RUNTIME_DIR="/run/user/$(id -u)" LOG_FILE="/tmp/.ssh-router-${PERSON}.log" log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" >>"$LOG_FILE" } if [[ ! -t 0 ]]; then log "❌ No TTY allocated — refusing to run tmux without an interactive terminal" echo "Error: No TTY. Use 'ssh -t'" >&2 exit 1 fi # log "🧩 IMAGE = '$IMAGE'" # log "🧩 WORKSPACE = '$WORKSPACE'" # log "🧩 PERSON = '$PERSON'" # Fallbacks if [[ -z "${WORKSPACE:-}" ]]; then WORKSPACE="$PERSON" log "ℹī¸ Defaulted WORKSPACE to $WORKSPACE" fi TMUX_SESSION="$WORKSPACE|analytics-backend" # Start podman socket service if it's not running if [[ ! -S "$XDG_RUNTIME_DIR/podman/podman.sock" ]]; then log "🔄 Starting Podman socket service for user $USER" systemctl --user start podman.socket || { log "❌ Failed to start podman.socket via systemd" exit 1 } # Wait briefly for socket to appear sleep 1 fi if [[ ! -S "$XDG_RUNTIME_DIR/podman/podman.sock" ]]; then log "❌ Podman socket still missing after startup attempt" exit 1 fi # Check if image exists locally if ! podman image exists "$IMAGE"; then log "đŸ“Ļ Image $IMAGE not found locally. Pulling from registry..." # Attempt to pull the image from the local registry (insecure HTTP) if ! podman pull --tls-verify=false "$IMAGE"; then log "❌ Failed to pull image from $IMAGE" exit 1 fi log "✅ Successfully pulled $IMAGE" fi case "$SSH_ORIGINAL_COMMAND" in *scp* | *sftp* | *rsync* | *tar*) log "❌ File transfers are disabled" exit 1 ;; esac # Function to start the container if not running start_container_if_needed() { if ! podman container exists "$WORKSPACE"; then log "🚀 Creating container $WORKSPACE..." podman run -dit \ --userns=keep-id \ --name "$WORKSPACE" \ --user "$DEV_USER" \ --hostname "$WORKSPACE" \ --label auto-cleanup=true \ -v "${XDG_RUNTIME_DIR}"/podman/podman.sock:/run/podman/podman.sock \ -v /home/infilytics/data/"$WORKSPACE":/app \ -v /home/infilytics/secrets/"$WORKSPACE"/gitconfig:/home/"$DEV_USER"/.gitconfig:ro \ -v /home/infilytics/secrets/"$WORKSPACE"/id_ed25519:/home/"$DEV_USER"/.ssh/id_ed25519:ro \ -v /home/infilytics/secrets/"$WORKSPACE"/id_ed25519.pub:/home/"$DEV_USER"/.ssh/id_ed25519.pub:ro \ --entrypoint "/home/$DEV_USER/start.sh" \ "$IMAGE" "${TMUX_SESSION}" elif ! podman inspect -f '{{.State.Running}}' "$WORKSPACE" | grep -q true; then log "⚡ Starting existing container $WORKSPACE..." podman start "$WORKSPACE" >/dev/null 2>&1 fi sleep 1 } # After devuser exits... check_devuser_attached() { # Get list of clients client_users=$(podman exec "$WORKSPACE" tmux list-clients -t "$TMUX_SESSION" -F "#{client_user}" 2>/dev/null) if echo "$client_users" | grep -q "$DEV_USER"; then log "💡 devuser still attached — container stays running" return 0 else log "🏃 $PERSON has logged out — stopping container" podman stop "$WORKSPACE" >/dev/null 2>&1 return 1 fi } get_access_mode() { local yaml_file="access.yml" local workspace="$1" local person="$2" if [[ ! "$workspace" =~ ^[a-zA-Z0-9._-]+$ ]]; then log "❌ Invalid container name: $WORKSPACE" exit 1 fi # Special case: user accessing their own workspace if [[ "$workspace" == "$person" ]]; then echo "access=rw" return 0 fi # Check rw if yq '.["'"$person"'"].rw // []' "$yaml_file" | grep -q "\b$workspace\b"; then echo "access=rw" return 0 fi # Check ro if yq '.["'"$person"'"].ro // []' "$yaml_file" | grep -q "\b$workspace\b"; then echo "access=ro" return 0 fi # No access → exit with error log "❌ $person has no access to $workspace" >&2 exit 1 } # === Main === read -r access_line < <(get_access_mode "$WORKSPACE" "$PERSON") || exit 1 MODE="${access_line#access=}" case "$MODE" in rw) start_container_if_needed # Run tmux session inside the container if ! podman exec -it --user "$DEV_USER" "$WORKSPACE" tmux has-session -t "$TMUX_SESSION" >/dev/null 2>&1; then if ! podman exec -it -e EDITOR=nvim --user "$DEV_USER" "$WORKSPACE" tmux new-session -d -s "$TMUX_SESSION" >/dev/null 2>&1; then log "❌ Could not create new tmux session. Please contact admin or try again later." exit 1 fi fi log "⚡ $PERSON is working on $WORKSPACE's workspace" if ! podman exec -it -e TERM="$TERM" --user "$DEV_USER" "$WORKSPACE" tmux attach -t "$TMUX_SESSION"; then log "❌ Could not attach to tmux session. Please contact admin or try again later." exit 1 fi log "⚡ $PERSON finished working on $WORKSPACE's worksapce" check_devuser_attached exit 0 ;; ro) if (podman container exists "$WORKSPACE" && podman inspect -f '{{.State.Running}}' "$WORKSPACE" | grep -q true) >/dev/null 2>&1; then log "📜 $PERSON is viewing $WORKSPACE's workspace" if ! podman exec -it -e TERM="$TERM" --user "$DEV_USER" "$WORKSPACE" tmux attach -r -t "$TMUX_SESSION"; then log "❌ Could not attach to tmux session. Please contact admin or try again later." exit 1 fi log "🏃 $PERSON stopped viewing $WORKSPACE's workspace" exit 0 else log "❌ Workspace for $WORKSPACE does not exist." exit 1 fi ;; *) log "❌ Invalid access mode: $MODE" exit 1 ;; esac