Add Docker Compose Example

examples/compose/.dockerignore

@@ -0,0 +1 @@
+*.env

examples/compose/.gitignore

@@ -0,0 +1 @@
+*.env

examples/compose/README.md

@@ -0,0 +1,75 @@
+# Bastion example using docker-compose 
+
+This example starts up cloudposse bastion, github-authorized-keys and etcd.  
+
+### Requirements
+1. You will need to [install docker-compose](https://docs.docker.com/compose/install/).  
+2. Have an [SSH key added to your github account](https://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account).
+##### Recommended
+Create a slack webhook. Follow this simple [guide](https://api.slack.com/tutorials/slack-apps-hello-world).  
+Copy `bastion.env.example` to `bastion.env` and set the following variable;  
+```
+SLACK_WEBHOOK_URL=<slack_webhook_url>
+```
+
+Obtain the GitHub API Token (aka Personal Access Token) [here](https://github.com/settings/tokens). Click "Generate new token" and select `read:org`.  
+Create a team [here](https://help.github.com/en/articles/creating-a-team).  
+Copy `gak.env.example` to `gak.env` and set the following variables;
+```
+GITHUB_API_TOKEN=<your_token>
+GITHUB_ORGANIZATION=<your_organization>
+GITHUB_TEAM=<your_team>
+```
+### Start the stack
+To start, run  
+```
+bastion/examples/compose$ docker-compose up -d
+```
+
+### Connect to bastion
+Connect to bastion via ssh by running.  
+```
+bastion/examples/compose$ ssh <github_user_name>@<docker_ip> -p 1234
+```
+<docker-ip> may be one of the following;
+1. localhost
+2. `bastion/examples/compose$ docker-machine ip`
+
+Make sure you substitute the appropriate values.
+
+### Check status
+Check the status of your containers by running;
+```
+bastion/examples/compose$ docker-compose ps
+```
+Your output should look like this
+```sh
+      Name                     Command               State                                               Ports
+-----------------------------------------------------------------------------------------------------------------------------------------------------------
+compose_bastion_1   /init                            Up      0.0.0.0:1234->22/tcp
+compose_etcd_1      /etcd --advertise-client-u ...   Up      0.0.0.0:2379->2379/tcp, 0.0.0.0:2380->2380/tcp, 0.0.0.0:4001->4001/tcp, 0.0.0.0:7001->7001/tcp
+compose_gak_1       github-authorized-keys           Up      0.0.0.0:301->301/tcp
+
+```
+
+### Clean up
+To stop the containers and remove attached volumes, run;
+```
+bastion/examples/compose$ docker-compose down -v
+```
+
+### Build from source
+To stop the containers and remove attached volumes, run;
+```
+bastion/examples/compose$ docker-compose down -v
+```
+
+## References
+https://github.com/cloudposse/github-authorized-keys
+
+
+## References
+https://github.com/cloudposse/github-authorized-keys  
+https://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account  
+https://api.slack.com/tutorials/slack-apps-hello-world  
+https://help.github.com/en/articles/creating-a-team  

examples/compose/bastion.env.example

@@ -0,0 +1,7 @@
+API_URL=http://gak:301/user/%s/authorized_keys
+MFA_PROVIDER=google-authenticator
+SLACK_ENABLED=true
+SLACK_WEBHOOK_URL=<slack_webhook_url>
+SSH_AUTHORIZED_KEYS_COMMAND=/usr/bin/github-authorized-keys
+SSH_AUTHORIZED_KEYS_COMMAND_USER=root
+LOGLEVEL=DEBUG

examples/compose/docker-compose.yml

@@ -0,0 +1,40 @@
+version: "2"
+volumes:
+  home:
+  etc:
+services:
+  bastion:
+    image: cloudposse/bastion
+    ports:
+      - "1234:22"
+    env_file:
+      - bastion.env
+    volumes:
+      - home:/home
+      - etc:/etc
+      - "./scripts/ssh-authorized-keys-command:/etc/init.d/ssh-authorized-keys-command"
+      - "./scripts/ssh-api-url:/etc/init.d/ssh-api-url"
+      - "./scripts/ssh-log-level:/etc/init.d/ssh-log-level"
+  gak:
+    image: cloudposse/github-authorized-keys
+    ports:
+      - "301:301"
+    volumes:
+      - home:/home
+      - etc:/etc
+    env_file:
+      - gak.env
+    links:
+      - "etcd:etcd"
+    restart: always
+  etcd:
+    image: quay.io/coreos/etcd:v2.3.7
+    command:
+      - "--advertise-client-urls=http://0.0.0.0:2379,http://0.0.0.0:4001"
+      - "--listen-client-urls=http://0.0.0.0:2379,http://0.0.0.0:4001"
+    ports:
+      - "2379:2379"
+      - "2380:2380"
+      - "4001:4001"
+      - "7001:7001"
+    restart: always

examples/compose/gak.env.example

@@ -0,0 +1,19 @@
+GITHUB_API_TOKEN=<your_token>
+GITHUB_ORGANIZATION=<your_organization>
+GITHUB_TEAM=<your_team>
+SYNC_USERS_GID=500
+SYNC_USERS_GROUPS=sudo
+SYNC_USERS_SHELL=/usr/bin/sudosh
+SYNC_USERS_ROOT=/
+SYNC_USERS_INTERVAL=60
+ETCD_ENDPOINT=http://etcd:2379
+ETCD_TTL=86400
+ETCD_PREFIX=github-authorized-keys
+LISTEN=:301
+INTEGRATE_SSH=false
+LOG_LEVEL=debug
+LINUX_USER_ADD_TPL=adduser -D -s {shell} {username}
+LINUX_USER_ADD_WITH_GID_TPL=adduser -D -s {shell} -u {gid} {username}
+LINUX_USER_ADD_TO_GROUP_TPL=addgroup {group}
+SSH_AUTHORIZED_KEYS_COMMAND_USER=root
+SSH_RESTART_TPL=echo "sshd restart"

examples/compose/scripts/ssh-api-url

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ -n "${API_URL}" ] && [ "${API_URL}" != "none" ]; then
+  echo "- Setting SSH Authorized Keys API URL"
+  sed -i s!http://localhost:301/user/%s/authorized_keys!${API_URL}!g /usr/bin/github-authorized-keys
+fi

examples/compose/scripts/ssh-authorized-keys-command

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [ -n "${SSH_AUTHORIZED_KEYS_COMMAND}" ] && [ "${SSH_AUTHORIZED_KEYS_COMMAND}" != "none" ]; then
+  echo "- Enabling SSH Authorized Keys Command"
+  echo "AuthorizedKeysCommand ${SSH_AUTHORIZED_KEYS_COMMAND}" >> /etc/ssh/sshd_config
+  echo "AuthorizedKeysCommandUser ${SSH_AUTHORIZED_KEYS_COMMAND_USER}" >> /etc/ssh/sshd_config
+fi

examples/compose/scripts/ssh-log-level

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "- Setting SSH LogLevel to ${LOGLEVEL:-INFO}"
+echo "LogLevel ${LOGLEVEL:-INFO}" >> /etc/ssh/sshd_config