initial working ssh entry

.gitignore

@@ -1,7 +1,8 @@
-gitea/
+gitea
 .env
-pmb-pf/
+pmb-pf
 venv
 zapp.db
 db/bu
-tor/hidden_service/
+tor/hidden_service
+sshtun/oilykey

compose.yaml

@@ -31,7 +31,7 @@ services:
     #tty: true
     restart: always
     # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi)
-    command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]
+    #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]
     container_name: backend
     environment:
       - MYSQL_USER=flasku
@@ -96,12 +96,12 @@ services:
   proxy:
     build: proxy
     restart: always
-    volumes:
+    #volumes:
-      - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro
+    #  - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt:ro
-      - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro
+    #  - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro
     ports:
-      - 80:80
+      - "80:80"
-      - 443:443
+      - "443:443"
     depends_on: 
       - backend
     networks:
@@ -135,6 +135,19 @@ services:
     networks:
       - backnet
 
+  sshtun:
+    build:
+      context: sshtun
+      dockerfile: Dockerfile
+    restart: always
+    ports:
+      - "22222:22"
+    expose:
+      - "11111"
+      - "11112"
+    networks:
+      - frontnet
+
 volumes:
   db-data:
   pmb-root:

proxy/conf

@@ -1,52 +1,12 @@
-#server {
-#    listen       80;
-#    server_name  localhost;
-#    location / {
-#        proxy_pass   http://backend:8000;
-#    }
-
-
-# always redirect to https
 server {
-	listen 80 default_server;
+    listen       80;
-	server_name _;
+    server_name  localhost;
-	return 301 https://$host$request_uri;
-}
-
-server {
-	listen 443 ssl http2;
-	# use the certificates
-	ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
-	server_name oily.dad www.oily.dad;
-	root /var/www/html;
-	index index.php index.html index.htm;
-
-
     location / {
-		proxy_pass http://backend:8000/;
+        proxy_pass   http://backend:8000;
     }
+    location /gutty{
+        proxy_pass   http://gitea:3000;
     }
 
-server {
-	listen 443 ssl http2;
-	# use the certificates
-	ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
-	server_name gut.oily.dad;
-	root /var/www/html;
-	index index.php index.html index.htm;
 
-	location / {
-		client_max_body_size 512M;
-	        #proxy_pass http://localhost:3000;
-	        proxy_set_header Connection $http_connection;
-        	proxy_set_header Upgrade $http_upgrade;
-	        proxy_set_header Host $host;
-	        proxy_set_header X-Real-IP $remote_addr;
-	        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	        proxy_set_header X-Forwarded-Proto $scheme;
-		proxy_pass http://gitea:3000/;
 }
-}
-

sshtun/Dockerfile

@@ -0,0 +1,18 @@
+FROM debian:12-slim
+
+RUN apt update && apt install -y openssh-server socat
+
+RUN adduser --disabled-password --gecos "" finn
+
+RUN mkdir /home/finn/.ssh
+
+# only one pubkey -- wildcard to conceal filename
+COPY ./oilykey/*.pub /home/finn/.ssh/authorized_keys
+
+RUN mkdir /var/run/sshd
+RUN echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+RUN echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+
+COPY ./entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]

sshtun/entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# Container goal:
+# autossh -N -R 11111:localhost:11434 -i sshtun/oilykey/<SOMEKEY> -p 22222 <SOMEURL>
+# forwards    rem_c_port:(operator_pc:op_pc_port) ...some args...  rem_host_p rem_host_url 
+
+nohup socat TCP-LISTEN:11112,fork TCP:localhost:11111 &
+/usr/sbin/sshd -D
+