Skip to content

Commit

Permalink
Add Docker Compose Example (#45)
Browse files Browse the repository at this point in the history
* add docker-compose with github-authorized-keys and etcd included

Signed-off-by: jawabuu <[email protected]>

* add script to set  because the environment variable is not available when the container starts

Signed-off-by: jawabuu <[email protected]>

* override authorized-keys-command to write ssh variables separated by space instead of = /TODO Update in source

Signed-off-by: jawabuu <[email protected]>

* add script to set ssh logLevel, default is INFO

Signed-off-by: jawabuu <[email protected]>

* bind mount scripts from local script directory

Signed-off-by: jawabuu <[email protected]>

* add default LOGLEVEL=DEBUG env variable to bastion.env

Signed-off-by: jawabuu <[email protected]>

* add example env files

Signed-off-by: jawabuu <[email protected]>

* add README with basic instructions

Signed-off-by: jawabuu <[email protected]>

* update EOL in README

Signed-off-by: jawabuu <[email protected]>

* update ssh instructions in README

Signed-off-by: jawabuu <[email protected]>

* add .gitignore and .dockerignore

Signed-off-by: jawabuu <[email protected]>

* Format README

Signed-off-by: jawabuu <[email protected]>

* Format README

Signed-off-by: jawabuu <[email protected]>
  • Loading branch information
jawabuu authored and osterman committed Jul 25, 2019
1 parent 8bb178f commit 9163885
Show file tree
Hide file tree
Showing 9 changed files with 160 additions and 0 deletions.
1 change: 1 addition & 0 deletions examples/compose/.dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
*.env
1 change: 1 addition & 0 deletions examples/compose/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
*.env
75 changes: 75 additions & 0 deletions examples/compose/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
# Bastion example using docker-compose

This example starts up cloudposse bastion, github-authorized-keys and etcd.

### Requirements
1. You will need to [install docker-compose](https://docs.docker.com/compose/install/).
2. Have an [SSH key added to your github account](https://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account).
##### Recommended
Create a slack webhook. Follow this simple [guide](https://api.slack.com/tutorials/slack-apps-hello-world).
Copy `bastion.env.example` to `bastion.env` and set the following variable;
```
SLACK_WEBHOOK_URL=<slack_webhook_url>
```

Obtain the GitHub API Token (aka Personal Access Token) [here](https://github.com/settings/tokens). Click "Generate new token" and select `read:org`.
Create a team [here](https://help.github.com/en/articles/creating-a-team).
Copy `gak.env.example` to `gak.env` and set the following variables;
```
GITHUB_API_TOKEN=<your_token>
GITHUB_ORGANIZATION=<your_organization>
GITHUB_TEAM=<your_team>
```
### Start the stack
To start, run
```
bastion/examples/compose$ docker-compose up -d
```

### Connect to bastion
Connect to bastion via ssh by running.
```
bastion/examples/compose$ ssh <github_user_name>@<docker_ip> -p 1234
```
<docker-ip> may be one of the following;
1. localhost
2. `bastion/examples/compose$ docker-machine ip`

Make sure you substitute the appropriate values.

### Check status
Check the status of your containers by running;
```
bastion/examples/compose$ docker-compose ps
```
Your output should look like this
```sh
Name Command State Ports
-----------------------------------------------------------------------------------------------------------------------------------------------------------
compose_bastion_1 /init Up 0.0.0.0:1234->22/tcp
compose_etcd_1 /etcd --advertise-client-u ... Up 0.0.0.0:2379->2379/tcp, 0.0.0.0:2380->2380/tcp, 0.0.0.0:4001->4001/tcp, 0.0.0.0:7001->7001/tcp
compose_gak_1 github-authorized-keys Up 0.0.0.0:301->301/tcp

```

### Clean up
To stop the containers and remove attached volumes, run;
```
bastion/examples/compose$ docker-compose down -v
```

### Build from source
To stop the containers and remove attached volumes, run;
```
bastion/examples/compose$ docker-compose down -v
```

## References
https://github.com/cloudposse/github-authorized-keys


## References
https://github.com/cloudposse/github-authorized-keys
https://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account
https://api.slack.com/tutorials/slack-apps-hello-world
https://help.github.com/en/articles/creating-a-team
7 changes: 7 additions & 0 deletions examples/compose/bastion.env.example
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
API_URL=http://gak:301/user/%s/authorized_keys
MFA_PROVIDER=google-authenticator
SLACK_ENABLED=true
SLACK_WEBHOOK_URL=<slack_webhook_url>
SSH_AUTHORIZED_KEYS_COMMAND=/usr/bin/github-authorized-keys
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
LOGLEVEL=DEBUG
40 changes: 40 additions & 0 deletions examples/compose/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
version: "2"
volumes:
home:
etc:
services:
bastion:
image: cloudposse/bastion
ports:
- "1234:22"
env_file:
- bastion.env
volumes:
- home:/home
- etc:/etc
- "./scripts/ssh-authorized-keys-command:/etc/init.d/ssh-authorized-keys-command"
- "./scripts/ssh-api-url:/etc/init.d/ssh-api-url"
- "./scripts/ssh-log-level:/etc/init.d/ssh-log-level"
gak:
image: cloudposse/github-authorized-keys
ports:
- "301:301"
volumes:
- home:/home
- etc:/etc
env_file:
- gak.env
links:
- "etcd:etcd"
restart: always
etcd:
image: quay.io/coreos/etcd:v2.3.7
command:
- "--advertise-client-urls=http://0.0.0.0:2379,http://0.0.0.0:4001"
- "--listen-client-urls=http://0.0.0.0:2379,http://0.0.0.0:4001"
ports:
- "2379:2379"
- "2380:2380"
- "4001:4001"
- "7001:7001"
restart: always
19 changes: 19 additions & 0 deletions examples/compose/gak.env.example
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
GITHUB_API_TOKEN=<your_token>
GITHUB_ORGANIZATION=<your_organization>
GITHUB_TEAM=<your_team>
SYNC_USERS_GID=500
SYNC_USERS_GROUPS=sudo
SYNC_USERS_SHELL=/usr/bin/sudosh
SYNC_USERS_ROOT=/
SYNC_USERS_INTERVAL=60
ETCD_ENDPOINT=http://etcd:2379
ETCD_TTL=86400
ETCD_PREFIX=github-authorized-keys
LISTEN=:301
INTEGRATE_SSH=false
LOG_LEVEL=debug
LINUX_USER_ADD_TPL=adduser -D -s {shell} {username}
LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} -u {gid} {username}
LINUX_USER_ADD_TO_GROUP_TPL=addgroup {group}
SSH_AUTHORIZED_KEYS_COMMAND_USER=root
SSH_RESTART_TPL=echo "sshd restart"
6 changes: 6 additions & 0 deletions examples/compose/scripts/ssh-api-url
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
#!/bin/bash

if [ -n "${API_URL}" ] && [ "${API_URL}" != "none" ]; then
echo "- Setting SSH Authorized Keys API URL"
sed -i s!http://localhost:301/user/%s/authorized_keys!${API_URL}!g /usr/bin/github-authorized-keys
fi
7 changes: 7 additions & 0 deletions examples/compose/scripts/ssh-authorized-keys-command
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/bin/bash

if [ -n "${SSH_AUTHORIZED_KEYS_COMMAND}" ] && [ "${SSH_AUTHORIZED_KEYS_COMMAND}" != "none" ]; then
echo "- Enabling SSH Authorized Keys Command"
echo "AuthorizedKeysCommand ${SSH_AUTHORIZED_KEYS_COMMAND}" >> /etc/ssh/sshd_config
echo "AuthorizedKeysCommandUser ${SSH_AUTHORIZED_KEYS_COMMAND_USER}" >> /etc/ssh/sshd_config
fi
4 changes: 4 additions & 0 deletions examples/compose/scripts/ssh-log-level
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
#!/bin/bash

echo "- Setting SSH LogLevel to ${LOGLEVEL:-INFO}"
echo "LogLevel ${LOGLEVEL:-INFO}" >> /etc/ssh/sshd_config

0 comments on commit 9163885

Please sign in to comment.