diff --git a/.gitignore b/.gitignore
index 541eeaa..5afb6e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,8 @@
-gitea/
+gitea
 .env
-pmb-pf/
+pmb-pf
 venv
 zapp.db
 db/bu
-tor/hidden_service/
+tor/hidden_service
+sshtun/oilykey
diff --git a/compose.yaml b/compose.yaml
index bff8591..9eec933 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -100,8 +100,8 @@ services:
 - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro
 - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro
 ports:
- - 80:80
- - 443:443
+ - "80:80"
+ - "443:443"
 depends_on:
 - backend
 networks:
@@ -135,6 +135,19 @@ services:
 networks:
 - backnet
 
+ sshtun:
+ build:
+ context: sshtun
+ dockerfile: Dockerfile
+ restart: always
+ ports:
+ - "22222:22"
+ expose:
+ - "11111"
+ - "11112"
+ networks:
+ - frontnet
+
 volumes:
 db-data:
 pmb-root:
diff --git a/compose.yaml.local b/compose.yaml.local
index 4b1bd31..fd2ce88 100644
--- a/compose.yaml.local
+++ b/compose.yaml.local
@@ -100,8 +100,8 @@ services:
 # - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro
 # - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro
 ports:
- - 80:80
- - 443:443
+ - "80:80"
+ - "443:443"
 depends_on:
 - backend
 networks:
@@ -135,6 +135,19 @@ services:
 networks:
 - backnet
 
+ sshtun:
+ build:
+ context: sshtun
+ dockerfile: Dockerfile
+ restart: always
+ ports:
+ - "22222:22"
+ expose:
+ - "11111"
+ - "11112"
+ networks:
+ - frontnet
+
 volumes:
 db-data:
 pmb-root:
diff --git a/compose.yaml.prod b/compose.yaml.prod
index bff8591..9eec933 100644
--- a/compose.yaml.prod
+++ b/compose.yaml.prod
@@ -100,8 +100,8 @@ services:
 - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro
 - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro
 ports:
- - 80:80
- - 443:443
+ - "80:80"
+ - "443:443"
 depends_on:
 - backend
 networks:
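Review bot: `- "22222:22"` in the new sshtun service publishes the tunnel sshd on every host interface, so this adds a second internet-reachable SSH daemon, and nothing in the service limits who may connect to it. If the operator only ever dials in from a known address, bind the publication to one interface (`- "<host-ip>:22222:22"`) or route it over the repo's existing tor hidden service instead of a public port; failing that, rate-limit new connections at the host firewall, since the container has no fail2ban-style protection of its own. Adding `init: true` to the service would give the backgrounded socat and sshd from entrypoint.sh a real PID 1 for signal forwarding and zombie reaping, and a `healthcheck` would surface a wedged sshd. `expose` is documentation only: every container on frontnet can reach 11112 regardless, so a comment on the service naming the intended consumer of that port would help the next reader. This hunk is repeated verbatim in compose.yaml.local and compose.yaml.prod, so whatever is decided here should land in all three.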
@@ -135,6 +135,19 @@ services:
 networks:
 - backnet
 
+ sshtun:
+ build:
+ context: sshtun
+ dockerfile: Dockerfile
+ restart: always
+ ports:
+ - "22222:22"
+ expose:
+ - "11111"
+ - "11112"
+ networks:
+ - frontnet
+
 volumes:
 db-data:
 pmb-root:
diff --git a/sshtun/Dockerfile b/sshtun/Dockerfile
new file mode 100644
index 0000000..602bacd
--- /dev/null
+++ b/sshtun/Dockerfile
@@ -0,0 +1,18 @@
+FROM debian:12-slim
+
+RUN apt update && apt install -y openssh-server socat
+
+RUN adduser --disabled-password --gecos "" finn
+
+RUN mkdir /home/finn/.ssh
+
+# only one pubkey -- wildcard to conceal filename
+COPY ./oilykey/*.pub /home/finn/.ssh/authorized_keys
+
+RUN mkdir /var/run/sshd
+RUN echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+RUN echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+
+COPY ./entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/sshtun/entrypoint.sh b/sshtun/entrypoint.sh
new file mode 100755
index 0000000..55ebd77
--- /dev/null
+++ b/sshtun/entrypoint.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Container goal:
+# autossh -N -R 11111:localhost:11434 -i sshtun/oilykey/ -p 22222
+# forwards rem_c_port:(operator_pc:op_pc_port) ...some args... rem_host_p rem_host_url
+
+nohup socat TCP-LISTEN:11112,fork TCP:localhost:11111 &
+/usr/sbin/sshd -D
+
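Review bot: The key installed by `COPY ./oilykey/*.pub /home/finn/.ssh/authorized_keys` grants a full interactive shell, while the comment in entrypoint.sh says the account exists only to carry `-R` forwards; prefixing the key with `restrict,port-forwarding` after the COPY and adding `AllowUsers finn` next to the two existing `echo` lines confines a stolen key to the tunnel and stops any other account from authenticating. The `echo ... >> /etc/ssh/sshd_config` lines work on debian:12-slim today, but sshd keeps the first value it reads for a keyword and the Debian 12 package `Include`s `/etc/ssh/sshd_config.d/*.conf` at the top of the file, so any future drop-in there would silently override the appended settings; a drop-in of your own in that directory is the safer form. `apt update && apt install -y openssh-server socat` should be the `apt-get` form with `--no-install-recommends` and a list cleanup in the same layer (hadolint DL3027/DL3015/DL3009). The COPY only matches public keys, but the whole `oilykey/` directory is still sent to the daemon as build context, so a `.dockerignore` with `oilykey/*` and `!oilykey/*.pub` would keep a private key stored next to them out of the context entirely; `COPY --chown=finn:finn --chmod=600` would also remove the reliance on root-owned files passing StrictModes.
```dockerfile
# … unchanged: FROM, adduser, mkdir /home/finn/.ssh …
RUN apt-get update && apt-get install -y --no-install-recommends openssh-server socat \
    && rm -rf /var/lib/apt/lists/*
# … unchanged: comment and COPY of the public key …
# tunnel-only account: no shell, pty or agent forwarding, only the -R forwards autossh needs
RUN sed -i 's/^/restrict,port-forwarding /' /home/finn/.ssh/authorized_keys
RUN printf 'PermitRootLogin no\nPasswordAuthentication no\nAllowUsers finn\n' \
    > /etc/ssh/sshd_config.d/10-tunnel.conf
# … unchanged: mkdir /var/run/sshd, COPY entrypoint.sh, ENTRYPOINT …
```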
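Review bot: `/usr/sbin/sshd -D` on the last line is not `exec`'d, so bash stays PID 1, `docker stop` delivers SIGTERM to bash rather than to sshd, and the backgrounded socat has no supervisor; changing it to `exec /usr/sbin/sshd -D -e` (and/or setting `init: true` on the compose service) fixes the signal path. The `-e` matters on its own: sshd logs to syslog by default and this image has no syslog, so authentication attempts against the publicly published port 22222 are currently invisible to `docker logs`, whereas `-e` sends them to stderr where they can be collected and alerted on. `nohup` on the socat line does nothing useful for a non-interactive PID 1 and can be dropped. The header comment's operator command is incomplete as written (`-i sshtun/oilykey/` names a directory and no `user@host` is given); spelling it out as `autossh -N -R 11111:localhost:11434 -i sshtun/oilykey/<key> -p 22222 finn@<host>` would make the intended usage reproducible, and a one-line comment that socat exists because the `-R` listener presumably binds only to the container's loopback (sshd's GatewayPorts is off by default) would explain why a second process is needed at all.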