From 6f9ca6aa96646e19f19d2d43c6dde39080866b89 Mon Sep 17 00:00:00 2001
From: Morgan Lindqvist
Date: Fri, 20 May 2022 09:29:03 +0200
Subject: [PATCH 1/4] Option to save ssh keys in a volume
Change-Id: I886d0785d981ebf6bceae6f2cb1a1fd089a7ffbb
---
 Dockerfile | 10 ++++--
 Readme.md | 19 +++++++++++
 docker-entrypoint.sh | 79 +++++++++++++++++++++++++++++++++++---------
 3 files changed, 91 insertions(+), 17 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 199842d..35d37f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,14 @@
-FROM alpine:3.12
+FROM alpine:3.15
 MAINTAINER "EEA: IDM2 A-Team"
-RUN apk add --no-cache --virtual .run-deps rsync openssh tzdata curl ca-certificates && rm -rf /var/cache/apk/*
+RUN apk add --no-cache --virtual .run-deps rsync openssh tzdata curl ca-certificates && \
+ rm -rf /var/cache/apk/* && \
+ mkdir -p /data
+
 COPY docker-entrypoint.sh /
+VOLUME [ "/data" ]
+EXPOSE 22
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["sh"]
diff --git a/Readme.md b/Readme.md
index 5dec849..2579829 100644
--- a/Readme.md
+++ b/Readme.md
@@ -28,6 +28,15 @@ Start client to pack and sync every night:
 Copy the client SSH public key printed found in console
+or use a second volume to store client ssh keys between restarts, not re-created evvery time
+
+ $ docker run --name=rsync_client -v client_vol_to_sync:/data \
+ -v storage_of_client_ssh_keys:/ssh_keys \
+ -e CRON_TASK_1="0 1 * * * /data/pack-db.sh" \
+ -e CRON_TASK_2="0 3 * * * rsync -e 'ssh -p 2222' -aqx --numeric-ids root@foo.bar.com:/data/ /data/" \
+ eeacms/rsync client
+
+
 ### Server setup
 Start server on `foo.bar.com`
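Review bot: The `--virtual .run-deps` group in the rewritten `RUN` is never removed with `apk del`, and `rm -rf /var/cache/apk/*` is redundant under `--no-cache`, so the new three-line chain can shrink to `RUN apk add --no-cache rsync openssh tzdata curl ca-certificates && mkdir -p /data`. Only `/data` is created and declared as a `VOLUME`, while the `/ssh_keys` path that the entrypoint hunks read appears to rely on the directory being absent unless the operator mounts it; that is a reasonable opt-in design but deserves a comment next to `mkdir -p /data`, e.g. `# /ssh_keys is intentionally not created: the entrypoint treats its presence as the opt-in for key persistence`. `EXPOSE 22` advertises sshd on a privileged port with no `USER` switch; since the entrypoint rewrites /etc/ssh and /root/.ssh that is probably unavoidable here, but a `# runs as root: the entrypoint edits /etc/ssh and /root/.ssh` comment would record why.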
@@ -37,6 +46,16 @@ Start server on `foo.bar.com`
 -e SSH_AUTH_KEY_n="" \
 eeacms/rsync server
+or use a second volume to store client ssh keys between restarts, no need to upload keys every time
+
+ # docker run --name=rsync_server -d -p 2222:22 -v server_vol_to_sync:/data \
+ -v storage_of_client_ssh_keys:/ssh_keys \
+ -e SSH_AUTH_KEY_1="" \
+ -e SSH_AUTH_KEY_n="" \
+ eeacms/rsync server
+
+The keys in the "SSH_AUTH_KEY_n" is appended to the keys in the file "authrozed_keys" in the volume. The resulting file is then used in the container.
+
 ### Verify that it works
 Add `test` file on server:
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 467d0bb..ff5f422 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -4,22 +4,40 @@
 # INIT
 ################################################################################
+sed -i "s/#\s*PasswordAuthentication .*/PasswordAuthentication no/g" /etc/ssh/sshd_config
+sed -i 's/root:!/root:*/' /etc/shadow
+
+# Create list of authorized keys
 mkdir -p /root/.ssh
-> /root/.ssh/authorized_keys
+if [ -e /ssh_keys/authorized_keys ]; then
+  echo "Starting with existing authorized keys"
+  cp /ssh_keys/authorized_keys /root/.ssh/.
+else
+  echo "No existing authorized keys, starting with empty file"
+  > /root/.ssh/authorized_keys
+fi
 chmod go-rwx /root/.ssh/authorized_keys
-sed -i "s/.*PasswordAuthentication .*/PasswordAuthentication no/g" /etc/ssh/sshd_config
-sed -i 's/root:!/root:*/' /etc/shadow
 # Provide SSH_AUTH_KEY_* via environment variable
 for item in `env`; do
 case "$item" in
 SSH_AUTH_KEY*)
 ENVVAR=`echo $item | cut -d \= -f 1`
+ echo "Adding key $ENVVAR"
 printenv $ENVVAR >> /root/.ssh/authorized_keys
 ;;
 esac
 done
+# Store the keys if possible
+if [ -d /ssh_keys/ ] ; then
+ # Using updated authorization keys
+ echo "Saving keys for the future"
+ cp -u /root/.ssh/authorized_keys /ssh_keys/
+else
+ echo "Keys not saved for the future"
+fi
+
 # Provide CRON_TASK_* via environment variable
 > /etc/crontabs/root
 for item in `env`; do
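Review bot: The rewritten sed pattern `#\s*PasswordAuthentication .*` only matches a commented-out directive, so an sshd_config that already carries an active `PasswordAuthentication yes` (a case the removed `.*PasswordAuthentication .*` pattern did cover) is now left enabled; `sed -i -E 's/^#?[[:space:]]*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config` handles both forms and avoids `\s`, which is a GNU extension rather than POSIX. The merge-and-save block at the end of the hunk also means a key passed once through `SSH_AUTH_KEY_n` stays in `/ssh_keys/authorized_keys`, and therefore stays authorized, on every later start even after the variable is dropped, and neither the hunk nor the Readme hunks say that revocation now requires editing the file in the volume. A comment above the `cp -u` such as `# NOTE: keys persisted here accumulate across runs; removing the SSH_AUTH_KEY_n variable does not revoke a key, edit /ssh_keys/authorized_keys instead` would make that visible to operators. `cp -u` back to the volume also decides by mtime rather than content, so a volume file touched after the container wrote its merged copy is silently kept as is.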
@@ -33,22 +51,55 @@ for item in `env`; do
 done
 # Generate host SSH keys
-if [ ! -e /etc/ssh/ssh_host_rsa_key.pub ]; then
+if [ -e /ssh_keys/ssh_host_rsa_key.pub ]; then
+  # Copy persistent host keys
+  echo "Using existing SSH host keys"
+  cp -u /ssh_keys/ssh_host* /etc/ssh/
+else
+  # Generate host SSH keys
+  echo "Generating SSH host keys"
 ssh-keygen -A
+  if [ -d /ssh_keys ]; then
+    # Store generated keys on persistent volume
+    echo "Persisting SSH host keys"
+    cp -u /etc/ssh/ssh_host_* /ssh_keys/
+  fi
 fi
 # Generate root SSH key
-if [ ! -e /root/.ssh/id_rsa.pub ]; then
-  ssh-keygen -q -N "" -f /root/.ssh/id_rsa
+if [ -e /ssh_keys/id_ed25519.pub ] ; then
+  # Copy persistent host keys
+  echo "Using existing SSH root keys"
+  cp -u /ssh_keys/id* /root/.ssh/.
+else
+  # Generate host SSH keys
+  echo "Generating SSH root keys"
+  ssh-keygen -a 100 -t ed25519 -q -N "" -f /root/.ssh/id_ed25519
+  if [ -d /ssh_keys ]; then
+    # Store generated keys on persistent volume
+    echo "Persisting SSH root keys"
+    cp -u /root/.ssh/id_ed25519* /ssh_keys/.
+ fi
+fi
+
+##############################################################################
+# Display ssh key if not in server mode
+##############################################################################
+
+if [ "$1" != "server" ] ; then
+ echo "Please add this ssh key to your server /home/user/.ssh/authorized_keys "
+ echo "================================================================================"
+ echo "`cat /root/.ssh/id_*.pub`"
+ echo "================================================================================"
 fi
 ################################################################################
 # START as SERVER
 ################################################################################
-if [ "$1" == "server" ]; then
+if [ "$1" == "server" ] ; then
 AUTH=`cat /root/.ssh/authorized_keys`
- if [ -z "$AUTH" ]; then
+ if [ -z "$AUTH" ] ; then
 echo "=================================================================================="
 echo "ERROR: No SSH_AUTH_KEY provided, you'll not be able to connect to this container. "
 echo "=================================================================================="
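Review bot: The persistence branches copy the sshd host private keys and root's private key into the volume (`cp -u /etc/ssh/ssh_host_* /ssh_keys/` and `cp -u /root/.ssh/id_ed25519* /ssh_keys/.`) without constraining the mode of the persisted copies: `cp -u` onto an already present file keeps that file's permissions, and the Readme hunks describe the volume only as storing "client ssh keys". Adding `chmod 600 /ssh_keys/ssh_host_*_key /ssh_keys/id_ed25519` after the two copies, plus a Readme sentence stating that the volume holds private key material which lets whoever can read it act as this server or this client, would close that gap. The restore branches rely on `cp -u` as well, so a replaced key in the volume whose mtime is older than the copy already inside a restarted container is silently ignored; plain `cp -f` would make the volume authoritative, which seems to be the intent. The `server` block that begins at the end of the hunk continues outside it.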
@@ -63,20 +114,18 @@ if [ "$1" == "server" ]; then
 exec /usr/sbin/sshd -D $SSH_PARAMS
 fi
-echo "Please add this ssh key to your server /home/user/.ssh/authorized_keys "
-echo "================================================================================"
-echo "`cat /root/.ssh/id_rsa.pub`"
-echo "================================================================================"
-
 ################################################################################
 # START as CLIENT via crontab
 ################################################################################
-if [ "$1" == "client" ]; then
+if [ "$1" == "client" ] ; then
 exec /usr/sbin/crond -f
 fi
 ################################################################################
 # Anything else
 ################################################################################
-exec "$@"
+
+if [[ "$1" != "client" && "$1" != "server" ]] ; then
+ exec "$1"
+fi
From a405d8f757997849bf772aa24c9bb469970e7405 Mon Sep 17 00:00:00 2001
From: Morgan Lindqvist
Date: Fri, 20 May 2022 10:03:59 +0200
Subject: [PATCH 2/4] Using all command arguments when starting container
Change-Id: Idebb63788b0c75af45487a8c6e64b6b9ebfa40dd
---
 docker-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index ff5f422..d6212c3 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -127,5 +127,5 @@ fi
 ################################################################################
 if [[ "$1" != "client" && "$1" != "server" ]] ; then
- exec "$1"
+ exec "$@"
 fi
From 22a4f055303292dc2a8ad3d8be8e17f036a4444d Mon Sep 17 00:00:00 2001
From: Morgan Lindqvist
Date: Sat, 21 May 2022 05:36:41 +0200
Subject: [PATCH 3/4] Removed duplicate keys
Change-Id: Ie0b1aa0ce78600531a340ba34391966836238533
---
 docker-entrypoint.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index d6212c3..3fb0c19 100755
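Review bot: The new tail `if [[ "$1" != "client" && "$1" != "server" ]] ; then exec "$1"; fi` replaces an unconditional `exec "$@"` with a guard that, as far as the visible branches show, cannot be false: both the `server` and `client` blocks above it end in `exec` and never fall through, so the condition only restates what already happened; the same guard appears as context in the PATCH 2/4 hunk below, which only corrects `"$1"` to `"$@"`. `[[ … ]]` is also a bash/ksh construct, and the script's shebang lies outside every hunk, so whether the image's `/bin/sh` accepts the compound `&&` form cannot be checked from here. Keeping the original single line `exec "$@"` gives the behaviour PATCH 2/4 restores without the portability question.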
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -23,14 +23,19 @@ for item in `env`; do
 case "$item" in
 SSH_AUTH_KEY*)
 ENVVAR=`echo $item | cut -d \= -f 1`
- echo "Adding key $ENVVAR"
+ echo "Adding key `printenv $ENVVAR`"
 printenv $ENVVAR >> /root/.ssh/authorized_keys
 ;;
 esac
 done
+# Remove any duplicates
+echo "Removing duplicate keys if present"
+sort -u /root/.ssh/authorized_keys > /tmp/u
+mv -f /tmp/u /root/.ssh/authorized_keys
+
 # Store the keys if possible
-if [ -d /ssh_keys/ ] ; then
+if [ -d /ssh_keys ] ; then
 # Using updated authorization keys
 echo "Saving keys for the future"
 cp -u /root/.ssh/authorized_keys /ssh_keys/
From 33be7dba69c122c17b42b30aa57bc9ae92804c58 Mon Sep 17 00:00:00 2001
From: Morgan Lindqvist
Date: Sat, 21 May 2022 09:17:14 +0200
Subject: [PATCH 4/4] Doing chmod on authorized_keys in the correct place
Change-Id: I080f037e88f2623a1801e5ec5592115134804b2f
---
 docker-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 3fb0c19..e97f442 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -16,7 +16,6 @@ else
 echo "No existing authorized keys, starting with empty file"
 > /root/.ssh/authorized_keys
 fi
-chmod go-rwx /root/.ssh/authorized_keys
 # Provide SSH_AUTH_KEY_* via environment variable
 for item in `env`; do
@@ -33,6 +32,7 @@ done
 echo "Removing duplicate keys if present"
 sort -u /root/.ssh/authorized_keys > /tmp/u
 mv -f /tmp/u /root/.ssh/authorized_keys
+chmod go-rwx /root/.ssh/authorized_keys
 # Store the keys if possible
 if [ -d /ssh_keys ] ; then
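Review bot: The dedup step in the PATCH 3/4 hunk writes through a fixed path, `sort -u /root/.ssh/authorized_keys > /tmp/u` followed by `mv -f /tmp/u /root/.ssh/authorized_keys`; any pre-existing `/tmp/u`, including a symlink left from an earlier run, is followed by the redirect, and the rename hands authorized_keys the mode the redirect created `/tmp/u` with, which is why PATCH 4/4 has to move the `chmod` after the `mv`. `tmp=$(mktemp) && sort -u /root/.ssh/authorized_keys > "$tmp" && mv -f "$tmp" /root/.ssh/authorized_keys` avoids the predictable name, and since `sort -u` also reorders the keys and drops blank lines a one-line comment such as `# sort -u reorders the file; sshd does not care about key order` would save the next reader a question. The changed log line now prints the whole key via `printenv $ENVVAR`; that is public-key material, but it makes the container log considerably noisier than the previous variable-name-only message, so consider logging just the key comment or fingerprint.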