Commit
* add docker-compose with github-authorized-keys and etcd included
  Signed-off-by: jawabuu <[email protected]>
* add script to set because the environment variable is not available when the container starts
  Signed-off-by: jawabuu <[email protected]>
* override authorized-keys-command to write ssh variables separated by space instead of = /TODO Update in source
  Signed-off-by: jawabuu <[email protected]>
* add script to set ssh logLevel, default is INFO
  Signed-off-by: jawabuu <[email protected]>
* bind mount scripts from local script directory
  Signed-off-by: jawabuu <[email protected]>
* add default LOGLEVEL=DEBUG env variable to bastion.env
  Signed-off-by: jawabuu <[email protected]>
* add example env files
  Signed-off-by: jawabuu <[email protected]>
* add README with basic instructions
  Signed-off-by: jawabuu <[email protected]>
* update EOL in README
  Signed-off-by: jawabuu <[email protected]>
* update ssh instructions in README
  Signed-off-by: jawabuu <[email protected]>
* add .gitignore and .dockerignore
  Signed-off-by: jawabuu <[email protected]>
* Format README
  Signed-off-by: jawabuu <[email protected]>
* Format README
  Signed-off-by: jawabuu <[email protected]>
Showing 9 changed files with 160 additions and 0 deletions.
@@ -0,0 +1 @@ | ||
*.env |
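Review bot: the `*.env` pattern correctly keeps `bastion.env` and `gak.env` (which the README has users populate with a Slack webhook URL and a GitHub API token) out of commits, and it does not catch the shipped `bastion.env.example` / `gak.env.example` files because the pattern only matches a `.env` suffix. Nothing to change here.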
@@ -0,0 +1 @@ | ||
*.env |
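Review bot: this is the second of the two ignore files named in the commit message (`.gitignore` and `.dockerignore`) and the content is identical, which is right: the `.dockerignore` copy is the one that prevents a populated `gak.env` from being pulled into the build context if someone runs `docker build` from this directory. No change needed.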
@@ -0,0 +1,75 @@ | ||
# Bastion example using docker-compose | ||
|
||
This example starts up cloudposse bastion, github-authorized-keys and etcd. | ||
|
||
### Requirements | ||
1. You will need to [install docker-compose](https://docs.docker.com/compose/install/). | ||
2. Have an [SSH key added to your github account](https://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account). | ||
##### Recommended | ||
Create a slack webhook. Follow this simple [guide](https://api.slack.com/tutorials/slack-apps-hello-world). | ||
Copy `bastion.env.example` to `bastion.env` and set the following variable; | ||
``` | ||
SLACK_WEBHOOK_URL=<slack_webhook_url> | ||
``` | ||
|
||
Obtain the GitHub API Token (aka Personal Access Token) [here](https://github.com/settings/tokens). Click "Generate new token" and select `read:org`. | ||
Create a team [here](https://help.github.com/en/articles/creating-a-team). | ||
Copy `gak.env.example` to `gak.env` and set the following variables; | ||
``` | ||
GITHUB_API_TOKEN=<your_token> | ||
GITHUB_ORGANIZATION=<your_organization> | ||
GITHUB_TEAM=<your_team> | ||
``` | ||
### Start the stack | ||
To start, run | ||
``` | ||
bastion/examples/compose$ docker-compose up -d | ||
``` | ||
|
||
### Connect to bastion | ||
Connect to bastion via ssh by running. | ||
``` | ||
bastion/examples/compose$ ssh <github_user_name>@<docker_ip> -p 1234 | ||
``` | ||
<docker-ip> may be one of the following; | ||
1. localhost | ||
2. `bastion/examples/compose$ docker-machine ip` | ||
|
||
Make sure you substitute the appropriate values. | ||
|
||
### Check status | ||
Check the status of your containers by running; | ||
``` | ||
bastion/examples/compose$ docker-compose ps | ||
``` | ||
Your output should look like this | ||
```sh | ||
Name Command State Ports | ||
----------------------------------------------------------------------------------------------------------------------------------------------------------- | ||
compose_bastion_1 /init Up 0.0.0.0:1234->22/tcp | ||
compose_etcd_1 /etcd --advertise-client-u ... Up 0.0.0.0:2379->2379/tcp, 0.0.0.0:2380->2380/tcp, 0.0.0.0:4001->4001/tcp, 0.0.0.0:7001->7001/tcp | ||
compose_gak_1 github-authorized-keys Up 0.0.0.0:301->301/tcp | ||
|
||
``` | ||
|
||
### Clean up | ||
To stop the containers and remove attached volumes, run; | ||
``` | ||
bastion/examples/compose$ docker-compose down -v | ||
``` | ||
|
||
### Build from source | ||
To stop the containers and remove attached volumes, run; | ||
``` | ||
bastion/examples/compose$ docker-compose down -v | ||
``` | ||
|
||
## References | ||
https://github.com/cloudposse/github-authorized-keys | ||
|
||
|
||
## References | ||
https://github.com/cloudposse/github-authorized-keys | ||
https://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account | ||
https://api.slack.com/tutorials/slack-apps-hello-world | ||
https://help.github.com/en/articles/creating-a-team |
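Review bot: the `### Build from source` section repeats the `### Clean up` text and the `docker-compose down -v` command verbatim instead of giving build instructions, and `## References` appears twice, the first copy holding only the github-authorized-keys link; either write the build steps or drop that section, and keep only the second References block. Smaller points in the same file: the ssh command uses `<docker_ip>` while the sentence below says `<docker-ip>`; "Connect to bastion via ssh by running." ends with a period where the other lead-ins use a semicolon; and the sample `docker-compose ps` output shows `gak` published on `0.0.0.0:301` and `etcd` on four host ports, which the README should either explain or, better, the compose file should stop publishing, since only port 1234 is needed by the ssh step. On the token step, `read:org` is the narrowest scope that lets gak read team membership, so that instruction is good as written.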
@@ -0,0 +1,7 @@ | ||
API_URL=http://gak:301/user/%s/authorized_keys | ||
MFA_PROVIDER=google-authenticator | ||
SLACK_ENABLED=true | ||
SLACK_WEBHOOK_URL=<slack_webhook_url> | ||
SSH_AUTHORIZED_KEYS_COMMAND=/usr/bin/github-authorized-keys | ||
SSH_AUTHORIZED_KEYS_COMMAND_USER=root | ||
LOGLEVEL=DEBUG |
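Review bot: `SSH_AUTHORIZED_KEYS_COMMAND_USER=root` runs the keys lookup (an HTTP call to `gak` at `API_URL`) as root on every login attempt; sshd_config(5) recommends a dedicated unprivileged account for `AuthorizedKeysCommandUser`, and nothing in the command needs root, so a `nobody`-style user is the safer default for an example people will copy. Also `LOGLEVEL=DEBUG` as the shipped default: sshd_config(5) states that DEBUG levels violate user privacy and are not recommended for general use, and the init script already falls back to `INFO` when the variable is unset, so the example file should either omit it or set `INFO`. Minor: `MFA_PROVIDER=google-authenticator` is set here but the README never mentions MFA enrollment, which will surprise a first-time user.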
@@ -0,0 +1,40 @@ | ||
version: "2" | ||
volumes: | ||
home: | ||
etc: | ||
services: | ||
bastion: | ||
image: cloudposse/bastion | ||
ports: | ||
- "1234:22" | ||
env_file: | ||
- bastion.env | ||
volumes: | ||
- home:/home | ||
- etc:/etc | ||
- "./scripts/ssh-authorized-keys-command:/etc/init.d/ssh-authorized-keys-command" | ||
- "./scripts/ssh-api-url:/etc/init.d/ssh-api-url" | ||
- "./scripts/ssh-log-level:/etc/init.d/ssh-log-level" | ||
gak: | ||
image: cloudposse/github-authorized-keys | ||
ports: | ||
- "301:301" | ||
volumes: | ||
- home:/home | ||
- etc:/etc | ||
env_file: | ||
- gak.env | ||
links: | ||
- "etcd:etcd" | ||
restart: always | ||
etcd: | ||
image: quay.io/coreos/etcd:v2.3.7 | ||
command: | ||
- "--advertise-client-urls=http://0.0.0.0:2379,http://0.0.0.0:4001" | ||
- "--listen-client-urls=http://0.0.0.0:2379,http://0.0.0.0:4001" | ||
ports: | ||
- "2379:2379" | ||
- "2380:2380" | ||
- "4001:4001" | ||
- "7001:7001" | ||
restart: always |
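Review bot: the `ports` blocks on `gak` (`301:301`) and `etcd` (`2379`, `2380`, `4001`, `7001`) publish both services on all host interfaces, but nothing outside the compose network needs them: `bastion` reaches gak via `API_URL=http://gak:301/...` in `bastion.env.example`, and gak reaches etcd via `links: etcd:etcd` and `ETCD_ENDPOINT=http://etcd:2379`. As written, an unauthenticated etcd v2.3.7 and the public-key API are exposed to whatever can reach the host; drop both `ports` sections (or prefix them with `127.0.0.1:`) so only `1234:22` is exposed, and update the `docker-compose ps` sample in the README accordingly. Two smaller points: `bastion` lacks `restart: always` unlike the other two services, and the shared `etc:/etc` named volume is what makes gak's user sync visible to bastion, but it also makes the `>>` appends in the three init.d scripts persistent across restarts (see the notes on those scripts).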
@@ -0,0 +1,19 @@ | ||
GITHUB_API_TOKEN=<your_token> | ||
GITHUB_ORGANIZATION=<your_organization> | ||
GITHUB_TEAM=<your_team> | ||
SYNC_USERS_GID=500 | ||
SYNC_USERS_GROUPS=sudo | ||
SYNC_USERS_SHELL=/usr/bin/sudosh | ||
SYNC_USERS_ROOT=/ | ||
SYNC_USERS_INTERVAL=60 | ||
ETCD_ENDPOINT=http://etcd:2379 | ||
ETCD_TTL=86400 | ||
ETCD_PREFIX=github-authorized-keys | ||
LISTEN=:301 | ||
INTEGRATE_SSH=false | ||
LOG_LEVEL=debug | ||
LINUX_USER_ADD_TPL=adduser -D -s {shell} {username} | ||
LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} -u {gid} {username} | ||
LINUX_USER_ADD_TO_GROUP_TPL=addgroup {group} | ||
SSH_AUTHORIZED_KEYS_COMMAND_USER=root | ||
SSH_RESTART_TPL=echo "sshd restart" |
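Review bot: `SYNC_USERS_GROUPS=sudo` puts every synced member of `GITHUB_TEAM` into the `sudo` group, so GitHub team membership becomes root on the bastion; if that is the intended trust model it should be stated in the README next to the "Create a team" step, otherwise drop it or use a less privileged group. Also check `LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} -u {gid} {username}`: in BusyBox `adduser`, `-u` sets the UID, so this template assigns the configured `SYNC_USERS_GID=500` as the user's UID rather than a group (`-G` takes a group name). Worth confirming what `ETCD_TTL=86400` means for revocation latency, since a day-long cache of keys would delay the effect of removing someone from the team, and `LOG_LEVEL=debug` is a noisy default for an example file.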
@@ -0,0 +1,6 @@ | ||
#!/bin/bash | ||
|
||
if [ -n "${API_URL}" ] && [ "${API_URL}" != "none" ]; then | ||
echo "- Setting SSH Authorized Keys API URL" | ||
sed -i s!http://localhost:301/user/%s/authorized_keys!${API_URL}!g /usr/bin/github-authorized-keys | ||
fi |
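Review bot: the `sed` expression on the last line is unquoted, so `${API_URL}` undergoes word splitting and globbing, and a value containing `!` (the chosen delimiter), `&` or whitespace corrupts the edit silently; quote the whole expression: `sed -i "s!http://localhost:301/user/%s/authorized_keys!${API_URL}!g" /usr/bin/github-authorized-keys`. Because the match string is a fixed default, the script is also a no-op on any image whose default differs; adding `set -e` and a `grep -q "${API_URL}" /usr/bin/github-authorized-keys` check after the edit would make that failure visible at container start instead of at the first login.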
@@ -0,0 +1,7 @@ | ||
#!/bin/bash | ||
|
||
if [ -n "${SSH_AUTHORIZED_KEYS_COMMAND}" ] && [ "${SSH_AUTHORIZED_KEYS_COMMAND}" != "none" ]; then | ||
echo "- Enabling SSH Authorized Keys Command" | ||
echo "AuthorizedKeysCommand ${SSH_AUTHORIZED_KEYS_COMMAND}" >> /etc/ssh/sshd_config | ||
echo "AuthorizedKeysCommandUser ${SSH_AUTHORIZED_KEYS_COMMAND_USER}" >> /etc/ssh/sshd_config | ||
fi |
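Review bot: the two `>> /etc/ssh/sshd_config` appends are not idempotent: `/etc` is the persistent `etc` named volume in the compose file, so every container start appends another `AuthorizedKeysCommand` / `AuthorizedKeysCommandUser` pair, and since sshd honours the first occurrence of a keyword, a changed `SSH_AUTHORIZED_KEYS_COMMAND` after the first start is silently ignored. `SSH_AUTHORIZED_KEYS_COMMAND_USER` is also written without being checked; if it is empty sshd receives `AuthorizedKeysCommandUser ` with no argument and refuses to start. Suggest deleting any existing lines first, e.g. `sed -i '/^AuthorizedKeysCommand\(User\)\? /d' /etc/ssh/sshd_config`, and guarding the user variable with an explicit `exit 1`, since the script has no `set -e`.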
@@ -0,0 +1,4 @@ | ||
#!/bin/bash | ||
|
||
echo "- Setting SSH LogLevel to ${LOGLEVEL:-INFO}" | ||
echo "LogLevel ${LOGLEVEL:-INFO}" >> /etc/ssh/sshd_config |
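Review bot: same non-idempotent append as the authorized-keys script: `LogLevel` is added to the persistent `/etc/ssh/sshd_config` on every start and only the first line is honoured, so `LOGLEVEL` cannot be changed after the first run without wiping the `etc` volume; replace the existing `LogLevel` line instead of appending. The `${LOGLEVEL:-INFO}` default here is the right one, and it is undercut by `bastion.env.example` shipping `LOGLEVEL=DEBUG`, which sshd_config(5) warns violates user privacy; align the example file with this script's default.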