Commit
* add docker-compose with github-authorized-keys and etcd included
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* add script to set because the environment variable is not available when the container starts
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* override authorized-keys-command to write ssh variables separated by space instead of = /TODO Update in source
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* add script to set ssh logLevel, default is INFO
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* bind mount scripts from local script directory
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* add default LOGLEVEL=DEBUG env variable to bastion.env
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* add example env files
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* add README with basic instructions
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* update EOL in README
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* update ssh instructions in README
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* add .gitignore and .dockerignore
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* Format README
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
* Format README
  Signed-off-by: jawabuu <49921621+jawabuu@users.noreply.github.com>
Showing 9 changed files with 160 additions and 0 deletions.
@@ -0,0 +1 @@ | ||
*.env |
@@ -0,0 +1 @@ | ||
*.env |
@@ -0,0 +1,75 @@ | ||
# Bastion example using docker-compose | ||
|
||
This example starts up cloudposse bastion, github-authorized-keys and etcd. | ||
|
||
### Requirements | ||
1. You will need to [install docker-compose](https://docs.docker.com/compose/install/). | ||
2. Have an [SSH key added to your github account](https://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account). | ||
##### Recommended | ||
Create a slack webhook. Follow this simple [guide](https://api.slack.com/tutorials/slack-apps-hello-world). | ||
Copy `bastion.env.example` to `bastion.env` and set the following variable; | ||
``` | ||
SLACK_WEBHOOK_URL=<slack_webhook_url> | ||
``` | ||
|
||
Obtain the GitHub API Token (aka Personal Access Token) [here](https://github.com/settings/tokens). Click "Generate new token" and select `read:org`. | ||
Create a team [here](https://help.github.com/en/articles/creating-a-team). | ||
Copy `gak.env.example` to `gak.env` and set the following variables; | ||
``` | ||
GITHUB_API_TOKEN=<your_token> | ||
GITHUB_ORGANIZATION=<your_organization> | ||
GITHUB_TEAM=<your_team> | ||
``` | ||
### Start the stack | ||
To start, run | ||
``` | ||
bastion/examples/compose$ docker-compose up -d | ||
``` | ||
|
||
### Connect to bastion | ||
Connect to bastion via ssh by running. | ||
``` | ||
bastion/examples/compose$ ssh <github_user_name>@<docker_ip> -p 1234 | ||
``` | ||
<docker-ip> may be one of the following; | ||
1. localhost | ||
2. `bastion/examples/compose$ docker-machine ip` | ||
|
||
Make sure you substitute the appropriate values. | ||
|
||
### Check status | ||
Check the status of your containers by running; | ||
``` | ||
bastion/examples/compose$ docker-compose ps | ||
``` | ||
Your output should look like this | ||
```sh | ||
Name Command State Ports | ||
----------------------------------------------------------------------------------------------------------------------------------------------------------- | ||
compose_bastion_1 /init Up 0.0.0.0:1234->22/tcp | ||
compose_etcd_1 /etcd --advertise-client-u ... Up 0.0.0.0:2379->2379/tcp, 0.0.0.0:2380->2380/tcp, 0.0.0.0:4001->4001/tcp, 0.0.0.0:7001->7001/tcp | ||
compose_gak_1 github-authorized-keys Up 0.0.0.0:301->301/tcp | ||
|
||
``` | ||
|
||
### Clean up | ||
To stop the containers and remove attached volumes, run; | ||
``` | ||
bastion/examples/compose$ docker-compose down -v | ||
``` | ||
|
||
### Build from source | ||
To stop the containers and remove attached volumes, run; | ||
``` | ||
bastion/examples/compose$ docker-compose down -v | ||
``` | ||
|
||
## References | ||
https://github.com/cloudposse/github-authorized-keys | ||
|
||
|
||
## References | ||
https://github.com/cloudposse/github-authorized-keys | ||
https://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account | ||
https://api.slack.com/tutorials/slack-apps-hello-world | ||
https://help.github.com/en/articles/creating-a-team |
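Review bot: the "### Build from source" section is a copy of "### Clean up" (same sentence, same `docker-compose down -v` command) and contains no build instructions; either drop the heading or replace the body with the build step (`docker-compose build`, or `docker-compose up -d --build`). Directly below it the "## References" heading and the github-authorized-keys link are listed twice; the first three-line block should go. Two smaller points in the "Connect to bastion" section: the placeholder is spelled `<docker_ip>` in the ssh command but `<docker-ip>` in the list that explains it, and the `bastion/examples/compose$` prompt prefix inside every fenced command will be pasted along with the command by readers who copy the block, so put the working directory in the prose and leave only the command in the fence.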
@@ -0,0 +1,7 @@ | ||
API_URL=http://gak:301/user/%s/authorized_keys | ||
MFA_PROVIDER=google-authenticator | ||
SLACK_ENABLED=true | ||
SLACK_WEBHOOK_URL=<slack_webhook_url> | ||
SSH_AUTHORIZED_KEYS_COMMAND=/usr/bin/github-authorized-keys | ||
SSH_AUTHORIZED_KEYS_COMMAND_USER=root | ||
LOGLEVEL=DEBUG |
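Review bot: `SSH_AUTHORIZED_KEYS_COMMAND_USER=root` makes sshd run the key-lookup command as root on every login attempt, although the command only has to perform an HTTP GET against `API_URL`; a dedicated unprivileged user (OpenSSH only requires the command file itself to be root-owned and not writable by others) is the least-privilege choice here. `SLACK_ENABLED=true` next to the placeholder `SLACK_WEBHOOK_URL=<slack_webhook_url>` means a user who skips the Slack step the README marks as merely "Recommended" runs with notifications enabled against a bogus URL; default to `SLACK_ENABLED=false` or make the webhook a requirement. `LOGLEVEL=DEBUG` as the shipped default turns into `LogLevel DEBUG` in sshd_config, a level sshd_config(5) says violates user privacy and is meant for troubleshooting; ship `INFO` (or `VERBOSE`, which also logs the fingerprint of each key offered) and mention `DEBUG` as an option in the README.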
@@ -0,0 +1,40 @@ | ||
version: "2" | ||
volumes: | ||
home: | ||
etc: | ||
services: | ||
bastion: | ||
image: cloudposse/bastion | ||
ports: | ||
- "1234:22" | ||
env_file: | ||
- bastion.env | ||
volumes: | ||
- home:/home | ||
- etc:/etc | ||
- "./scripts/ssh-authorized-keys-command:/etc/init.d/ssh-authorized-keys-command" | ||
- "./scripts/ssh-api-url:/etc/init.d/ssh-api-url" | ||
- "./scripts/ssh-log-level:/etc/init.d/ssh-log-level" | ||
gak: | ||
image: cloudposse/github-authorized-keys | ||
ports: | ||
- "301:301" | ||
volumes: | ||
- home:/home | ||
- etc:/etc | ||
env_file: | ||
- gak.env | ||
links: | ||
- "etcd:etcd" | ||
restart: always | ||
etcd: | ||
image: quay.io/coreos/etcd:v2.3.7 | ||
command: | ||
- "--advertise-client-urls=http://0.0.0.0:2379,http://0.0.0.0:4001" | ||
- "--listen-client-urls=http://0.0.0.0:2379,http://0.0.0.0:4001" | ||
ports: | ||
- "2379:2379" | ||
- "2380:2380" | ||
- "4001:4001" | ||
- "7001:7001" | ||
restart: always |
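Review bot: the `ports:` stanzas on `gak` and `etcd` publish 301, 2379, 2380, 4001 and 7001 on 0.0.0.0, but nothing outside the compose network needs them: bastion reaches both by service name (`http://gak:301` in bastion.env.example, `http://etcd:2379` in gak.env.example). Both services speak plain HTTP with no authentication configured in this commit, so as written any host that can reach the Docker host can query which keys authorize any user and read or write the etcd store the key cache lives in; drop the two `ports:` blocks (or bind them as `127.0.0.1:2379:2379` and so on) and publish only `1234:22`. Second, mounting the same named volume `etc` at `/etc` in two different images is fragile: Docker populates an empty named volume from the image of whichever container starts first, so the second container comes up with the other image's `/etc` (passwd, ssh, init.d and all), and because the scripts bind-mounted into `/etc/init.d` append to `/etc/ssh/sshd_config` on every start, those lines accumulate in the persistent volume across restarts. If the intent is only to share the accounts gak creates, mount `/etc/passwd`, `/etc/group` and `/etc/shadow` (or a dedicated directory) rather than all of `/etc`. Minor: `links:` is a legacy option superseded by the default compose network, and `bastion` has no `restart:` policy while the two services it depends on do.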
@@ -0,0 +1,19 @@ | ||
GITHUB_API_TOKEN=<your_token> | ||
GITHUB_ORGANIZATION=<your_organization> | ||
GITHUB_TEAM=<your_team> | ||
SYNC_USERS_GID=500 | ||
SYNC_USERS_GROUPS=sudo | ||
SYNC_USERS_SHELL=/usr/bin/sudosh | ||
SYNC_USERS_ROOT=/ | ||
SYNC_USERS_INTERVAL=60 | ||
ETCD_ENDPOINT=http://etcd:2379 | ||
ETCD_TTL=86400 | ||
ETCD_PREFIX=github-authorized-keys | ||
LISTEN=:301 | ||
INTEGRATE_SSH=false | ||
LOG_LEVEL=debug | ||
LINUX_USER_ADD_TPL=adduser -D -s {shell} {username} | ||
LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} -u {gid} {username} | ||
LINUX_USER_ADD_TO_GROUP_TPL=addgroup {group} | ||
SSH_AUTHORIZED_KEYS_COMMAND_USER=root | ||
SSH_RESTART_TPL=echo "sshd restart" |
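Review bot: `LINUX_USER_ADD_TO_GROUP_TPL=addgroup {group}` contains no `{username}` placeholder, so the rendered command can create the group but never adds the synced user to it; BusyBox `addgroup` takes `USER GROUP` to add a member, so this should be `addgroup {username} {group}`. As written `SYNC_USERS_GROUPS=sudo` therefore has no effect, and once fixed it hands every member of `GITHUB_TEAM` sudo on the bastion (together with `SYNC_USERS_SHELL=/usr/bin/sudosh`), which the README should state plainly so the team is managed as a privileged group. Also check `LINUX_USER_ADD_WITH_GID_TPL`: on the BusyBox-style `adduser -D` used here, `-u` sets the UID, so `-u {gid}` with `SYNC_USERS_GID=500` requests UID 500 for every user instead of a primary group (`-G`). Finally, `ETCD_TTL=86400` presumably keeps cached entries for 24 hours; document what that means for the delay between removing a key or a team member on GitHub and that change reaching the bastion.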
@@ -0,0 +1,6 @@ | ||
#!/bin/bash | ||
|
||
if [ -n "${API_URL}" ] && [ "${API_URL}" != "none" ]; then | ||
echo "- Setting SSH Authorized Keys API URL" | ||
sed -i s!http://localhost:301/user/%s/authorized_keys!${API_URL}!g /usr/bin/github-authorized-keys | ||
fi |
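Review bot: the `sed` expression is unquoted and `${API_URL}` is expanded unescaped into it, so a URL containing a space, `!` or `&` breaks the edit (`&` in a sed replacement re-inserts the matched text); quote the expression, choose a delimiter such as `|` that is unlikely in a URL, and escape `&` and the delimiter in the value first, for example `sed -i "s|http://localhost:301/user/%s/authorized_keys|${API_URL}|g" /usr/bin/github-authorized-keys`. The script also matches one hard-coded literal, so it silently does nothing if the packaged file ever changes its default; verify the result (`grep -q "${API_URL}" /usr/bin/github-authorized-keys`) before printing the "- Setting SSH Authorized Keys API URL" message so a mismatch shows up in the container log instead of in a failed login.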
@@ -0,0 +1,7 @@ | ||
#!/bin/bash | ||
|
||
if [ -n "${SSH_AUTHORIZED_KEYS_COMMAND}" ] && [ "${SSH_AUTHORIZED_KEYS_COMMAND}" != "none" ]; then | ||
echo "- Enabling SSH Authorized Keys Command" | ||
echo "AuthorizedKeysCommand ${SSH_AUTHORIZED_KEYS_COMMAND}" >> /etc/ssh/sshd_config | ||
echo "AuthorizedKeysCommandUser ${SSH_AUTHORIZED_KEYS_COMMAND_USER}" >> /etc/ssh/sshd_config | ||
fi |
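Review bot: the two `echo ... >> /etc/ssh/sshd_config` lines append on every container start, and since `/etc` is a persistent named volume in the compose file, each restart leaves another `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` pair in the file; sshd uses the first value it reads for each keyword, so changing `SSH_AUTHORIZED_KEYS_COMMAND` in bastion.env later has no effect. Make the write idempotent (`sed -i '/^AuthorizedKeysCommand/d' /etc/ssh/sshd_config` before appending, or drop a file under `/etc/ssh/sshd_config.d/` if the image's sshd supports `Include`). Second, `SSH_AUTHORIZED_KEYS_COMMAND_USER` is not guarded: if it is unset the script writes `AuthorizedKeysCommandUser ` with no argument and sshd refuses to start; give it a default (`${SSH_AUTHORIZED_KEYS_COMMAND_USER:-nobody}`) or fail loudly. The commit message says this script overrides the image's own `key=value` form with space-separated directives and marks it TODO to fix upstream; a one-line comment saying so in the script would spare the next reader the archaeology.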
@@ -0,0 +1,4 @@ | ||
#!/bin/bash | ||
|
||
echo "- Setting SSH LogLevel to ${LOGLEVEL:-INFO}" | ||
echo "LogLevel ${LOGLEVEL:-INFO}" >> /etc/ssh/sshd_config |
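Review bot: same append-on-every-start problem as the authorized-keys script: `>> /etc/ssh/sshd_config` on the persistent `/etc` volume leaves one `LogLevel` line per start, and because sshd honours the first occurrence, the level written on the first boot sticks and later changes to `LOGLEVEL` are ignored; delete any existing `^LogLevel` line before appending, or skip the append when `grep -q '^LogLevel'` already matches. The value is also not validated: sshd accepts only QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3 and refuses to start on anything else, so a typo in bastion.env takes the bastion down; check against that list and fall back to `INFO`. Given the shipped `LOGLEVEL=DEBUG` in bastion.env.example, note too that `DEBUG` is the level sshd_config(5) warns violates user privacy, while `VERBOSE` is enough to record the fingerprint of every key offered, which is normally what a bastion's audit trail needs.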