-rw-r--r--Dockerfile.debian12
-rw-r--r--docker-compose.yaml6
-rw-r--r--entrypoint.bash11
3 files changed, 26 insertions, 3 deletions
diff --git a/Dockerfile.debian b/Dockerfile.debian
index 3993f22..8bd71de 100644
--- a/Dockerfile.debian
+++ b/Dockerfile.debian
@@ -21,8 +21,16 @@ RUN useradd -m -s /bin/bash git
# Create the repositories directory and set appropriate permissions
RUN mkdir -p /repositories && chown git:git /repositories
-# Disallow password authentication for security reasons
-RUN echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+# Remove auto-generated SSH host keys so they are not baked into the image.
+# Keys will be generated at container startup and persisted via a volume mount.
+RUN rm -f /etc/ssh/ssh_host_*
+
+# Disallow password authentication for security reasons.
+# Point sshd to the persistent host key location.
+RUN echo "PasswordAuthentication no" >> /etc/ssh/sshd_config && \
+ echo "HostKey /run/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config && \
+ echo "HostKey /run/ssh/ssh_host_ecdsa_key" >> /etc/ssh/sshd_config && \
+ echo "HostKey /run/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config
# Copy the entrypoint script into the container
COPY entrypoint.bash /
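Review bot: `RUN rm -f /etc/ssh/ssh_host_*` on its own layer removes the package-generated keys from the final filesystem but not from the image: the earlier layer in which openssh-server's install created them (outside this hunk) still holds those private keys and they stay extractable from the image history, so the comment "so they are not baked into the image" overstates what the step achieves. Because sshd is now pointed only at the `/run/ssh` paths, the leftover keys are never served and the exposure is limited to the image contents, but the honest fix is to delete them in the same `RUN` that installs the package, or to reword the comment to `# Remove the package-generated host keys from the final filesystem; sshd loads keys from /run/ssh instead.` Separately, with three explicit `HostKey` directives sshd will log a warning for any of the three files that is absent at startup, which is worth a short comment here since key generation happens in a different file.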
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 87dd9ad..69c9d6f 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -9,6 +9,7 @@ services:
volumes:
- ./repositories:/repositories
- ./.secrets/github_token:/run/secrets/github_token:ro
+ - ssh-host-keys:/run/ssh
network_mode: service:tailscale
depends_on:
- tailscale
@@ -36,4 +37,7 @@ services:
cap_add:
- NET_ADMIN
- NET_RAW
- restart: unless-stopped \ No newline at end of file
+ restart: unless-stopped
+
+volumes:
+ ssh-host-keys: \ No newline at end of file
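Review bot: The new `ssh-host-keys` volume holds sshd's private host keys, but nothing in the compose file records that this volume is the server's identity; an operator who prunes it will silently rotate the host keys and every client will see a changed-host-key warning. A one-line comment above the top-level `volumes:` entry such as `# Holds sshd host keys; removing this volume changes the server identity clients have pinned.` would make the consequence visible where the volume is declared.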
diff --git a/entrypoint.bash b/entrypoint.bash
index f3cd66f..d2f7167 100644
--- a/entrypoint.bash
+++ b/entrypoint.bash
@@ -28,6 +28,17 @@ chown -R git:git /repositories
echo "Starting cron service..."
cron
+# Generate SSH host keys into the persistent volume if they don't exist yet.
+# This keeps keys stable across container rebuilds.
+mkdir -p /run/ssh
+chmod 700 /run/ssh
+if [ ! -f /run/ssh/ssh_host_ed25519_key ]; then
+ echo "Generating SSH host keys..."
+ ssh-keygen -q -N "" -t rsa -b 4096 -f /run/ssh/ssh_host_rsa_key
+ ssh-keygen -q -N "" -t ecdsa -f /run/ssh/ssh_host_ecdsa_key
+ ssh-keygen -q -N "" -t ed25519 -f /run/ssh/ssh_host_ed25519_key
+fi
+
# Start the SSH service in the background
echo "Starting SSH service..."
/usr/sbin/sshd -D -E /var/log/sshd.log &
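Review bot: The generation block tests only `/run/ssh/ssh_host_ed25519_key`, yet sshd_config now lists three HostKey files; if the RSA or ECDSA step fails (and the script's header, outside this hunk, may not set `-e`) the ed25519 key is still written and the missing keys are never regenerated on later starts, leaving sshd to warn and run with fewer host keys than configured. Checking each key independently also avoids `ssh-keygen -f` hitting an existing file and blocking on its overwrite prompt when the volume is partially populated. The rewrite below replaces the `if` block with a per-key helper.
```shell
mkdir -p /run/ssh
chmod 700 /run/ssh
# Generate a host key of the given type only if it is not already in the volume.
generate_host_key() {
    local key_type=$1; shift
    local key_file="/run/ssh/ssh_host_${key_type}_key"
    if [ ! -f "$key_file" ]; then
        echo "Generating SSH host key (${key_type})..."
        ssh-keygen -q -N "" -t "$key_type" "$@" -f "$key_file"
    fi
}
generate_host_key rsa -b 4096
generate_host_key ecdsa
generate_host_key ed25519
# … unchanged: sshd startup …
```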