container repository

Author: namachan10777

.github/workflows/release.yaml

@@ -0,0 +1,41 @@
+name: Docker Build and Push
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  id-token: write
+  contents: read
+  packages: write
+  actions: read
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        container:
+          - web-compat
+          - bastion
+          - phpldapadmin
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push images
+        uses: docker/build-push-action@v6
+        with:
+          context: "${{ matrix.container }}"
+          tags: ghcr.io/hpcslab/${{ matrix.container }}:${{ github.sha }}
+          push: true

bastion/.gitignore

@@ -0,0 +1 @@
+authorized_keys

bastion/Dockerfile

@@ -0,0 +1,43 @@
+FROM ubuntu:noble
+
+RUN apt-get update && \
+    apt-get install -y \
+    iproute2 \
+    iputils-ping \
+    dnsutils \
+    fish \
+    neovim \
+    openssh-server \
+    libnss-ldapd \
+    libpam-ldapd \
+    ldap-utils \
+    wget \
+    netcat-openbsd \
+    unzip \
+    subversion \
+    less
+
+RUN wget https://github.com/namachan10777/whaleinit/releases/download/v0.0.4/whaleinit-$(uname -m)-linux-musl -O /whaleinit && \
+    chmod 755 /whaleinit
+
+COPY bastion.conf /etc/ssh/sshd_config.d/10-bastion.conf
+
+RUN mkdir -p /local/home/rescue/.ssh
+RUN useradd -M -d /local/home/rescue -G sudo rescue
+
+COPY authorized_keys_gen.sh .
+RUN bash authorized_keys_gen.sh && mv authorized_keys /local/home/rescue/.ssh/authorized_keys
+COPY ssh_host_keys_gen.sh /usr/local/bin/ssh_host_keys_gen.sh
+RUN chown -R rescue:rescue /local/home/rescue/.ssh
+RUN chmod 700 /local/home/rescue/.ssh && chmod 600 /local/home/rescue/.ssh/authorized_keys
+RUN mkdir -p /run/sshd
+RUN echo 'work' > /etc/hostname
+
+COPY nsswitch.conf /etc/nsswitch.conf
+COPY nslcd.conf /etc/nslcd.conf
+
+COPY whaleinit.toml /etc/whaleinit.toml
+
+RUN rm /etc/ssh/ssh_host_*_key*
+
+ENTRYPOINT [ "/whaleinit" ]

bastion/LICENSE

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <https://unlicense.org>

bastion/README.md

@@ -0,0 +1,10 @@
+# bastion
+
+`host`ネットワークモードで、docker volumeを使いSSH鍵が配置されているvolumeを`/home`にマウントしてください。
+
+## Build
+
+```sh
+./authorized_keys_gen.sh
+docker build -t hpcslab/bastion .
+```

bastion/authorized_keys_gen.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -eux
+
+ADMINS=(
+  namachan10777 # mnakano
+  onokatio # tmaruyama
+  maetin0324 # rmaeda
+  motorailgun # kourakata
+  k5342 # ksugihara
+  kotatsumuri # Shota Kawakami
+  TomoYoshida-enthityDecalture # Tomo Yoshida
+  TKSN0775 # Shunsuke Takeshima
+  UNIQabes # Takato Abe
+  shattori # Shingo Hattori
+)
+
+touch authorized_keys
+truncate -s 0 authorized_keys
+
+for admin in "${ADMINS[@]}"; do
+  echo "genrate for $admin"
+  curl "https://github.com/$admin.keys" >> authorized_keys
+done
+
+echo "authorized_keys generated"

bastion/bastion.conf

@@ -0,0 +1,7 @@
+AddressFamily inet
+PasswordAuthentication no
+Port 10022
+
+HostKey /etc/ssh/keys/rsa
+HostKey /etc/ssh/keys/ed25519
+HostKey /etc/ssh/keys/ecdsa

bastion/nslcd.conf

@@ -0,0 +1,31 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldap://auth.lab.hpcs.cs.tsukuba.ac.jp:389
+
+# The search base that will be used for all queries.
+base dc=hpcs,dc=cs,dc=tsukuba,dc=ac,dc=jp
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+#tls_reqcert never
+#tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub

bastion/nsswitch.conf

@@ -0,0 +1,14 @@
+passwd:         files systemd ldap
+group:          files systemd ldap
+shadow:         files systemd ldap
+gshadow:        files systemd
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis

bastion/ssh_host_keys_gen.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -eux
+
+mkdir -p /etc/ssh/keys
+
+if [ ! -e /etc/ssh/keys/ecdsa ]; then
+  ssh-keygen -t ecdsa -f /etc/ssh/keys/ecdsa -N ""
+fi
+
+if [ ! -e /etc/ssh/keys/ed25519 ]; then
+  ssh-keygen -t ed25519 -f /etc/ssh/keys/ed25519 -N ""
+fi
+
+if [ ! -e /etc/ssh/keys/rsa ]; then
+  ssh-keygen -t rsa -f /etc/ssh/keys/rsa -N ""
+fi