Created Init-Container that pulls pubkeys from git, creates authorized_keys, ssh-host-keys and backup-repo folders

.gitignore

@@ -1,2 +1,3 @@
 /backup
 /sshkeys
+.env

Dockerfile

@@ -1,31 +0,0 @@
-############################################################
-# Dockerfile to build borgbackup server images
-# Based on Debian
-############################################################
-FROM debian:buster-slim
-
-# Volume for SSH-Keys
-VOLUME /sshkeys
-
-# Volume for borg repositories
-VOLUME /backup
-
-ENV DEBIAN_FRONTEND noninteractive
-
-RUN apt-get update && apt-get -y --no-install-recommends install \
-		borgbackup openssh-server && apt-get clean && \
-		useradd -s /bin/bash -m -U borg && \
-		mkdir /home/borg/.ssh && \
-		chmod 700 /home/borg/.ssh && \
-		chown borg:borg /home/borg/.ssh && \
-		mkdir /run/sshd && \
-		rm -f /etc/ssh/ssh_host*key* && \
-		rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
-
-COPY ./data/run.sh /run.sh
-COPY ./data/sshd_config /etc/ssh/sshd_config
-
-ENTRYPOINT /run.sh
-
-# Default SSH-Port for clients
-EXPOSE 22

build.sh

@@ -0,0 +1,2 @@
+docker build -t borg:git server
+docker build -t borg:init init

data/run.sh

@@ -1,95 +0,0 @@
-#!/bin/bash
-# Start Script for docker-borgserver
-
-PUID=${PUID:-1000}
-PGID=${PGID:-1000}
-
-usermod -o -u "$PUID" borg &>/dev/null
-groupmod -o -g "$PGID" borg &>/dev/null
-
-BORG_DATA_DIR=/backup
-SSH_KEY_DIR=/sshkeys
-BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
-AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
-
-# Append only mode?
-BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
-
-echo "########################################################"
-echo -n " * Docker BorgServer powered by "
-borg -V
-echo "########################################################"
-echo " * User  id: $(id -u borg)"
-echo " * Group id: $(id -g borg)"
-echo "########################################################"
-
-
-# Precheck if BORG_ADMIN is set
-if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then
-	echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!"
-fi
-
-# Precheck directories & client ssh-keys
-for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
-	dirpath=$(eval echo '$'${dir})
-	echo " * Testing Volume ${dir}: ${dirpath}"
-	if [ ! -d "${dirpath}" ] ; then
-		echo "ERROR: ${dirpath} is no directory!"
-		exit 1
-	fi
-
-	if [ "$(find ${SSH_KEY_DIR}/clients ! -regex '.*/\..*' -a -type f | wc -l)" == "0" ] ; then
-		echo "ERROR: No SSH-Pubkey file found in ${SSH_KEY_DIR}"
-		exit 1
-	fi
-done
-
-# Create SSH-Host-Keys on persistent storage, if not exist
-mkdir -p ${SSH_KEY_DIR}/host 2>/dev/null
-echo " * Checking / Preparing SSH Host-Keys..."
-for keytype in ed25519 rsa ; do
-	if [ ! -f "${SSH_KEY_DIR}/host/ssh_host_${keytype}_key" ] ; then
-		echo "  ** Creating SSH Hostkey [${keytype}]..."
-		ssh-keygen -q -f "${SSH_KEY_DIR}/host/ssh_host_${keytype}_key" -N '' -t ${keytype}
-	fi
-done
-
-echo "########################################################"
-echo " * Starting SSH-Key import..."
-
-# Add every key to borg-users authorized_keys
-rm ${AUTHORIZED_KEYS_PATH} &>/dev/null
-for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do
-    client_name=$(basename ${keyfile})
-    mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null
-    echo "  ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
-
-	# If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR
-	# Otherwise add --append-only, if enabled
-	borg_cmd=${BORG_CMD}
-	if [ "${client_name}" == "${BORG_ADMIN}" ] ; then
-		echo "   ** Client '${client_name}' is BORG_ADMIN! **"
-		unset client_name
-	elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then
-		borg_cmd="${BORG_CMD} --append-only"
-	fi
-
-    echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
-	cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
-done
-
-echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
-ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null)
-if [ $? -ne 0 ]; then
-    echo "ERROR: ${ERROR}"
-    exit 1
-fi
-
-chown -R borg:borg ${BORG_DATA_DIR}
-chown borg:borg ${AUTHORIZED_KEYS_PATH}
-chmod 600 ${AUTHORIZED_KEYS_PATH}
-
-echo "########################################################"
-echo " * Init done! Starting SSH-Daemon..."
-
-/usr/sbin/sshd -D -e

docker-compose.yml

@@ -1,20 +1,46 @@
 version: '3'
 services:
- borgserver:
-  image: nold360/borgserver
-  #build: .
-  volumes:
-   - ./backup:/backup
-   - ./sshkeys:/sshkeys
-  ports:
-   - "2222:22"
-  environment:
-   BORG_SERVE_ARGS: ""
+  init:
+    image: borg:init
+    env_file: .env
+    volumes:
+      - borg-home:/home/borg/.ssh:rw
+      - host-keys:/sshkeys:rw
 
-   # If set to "yes", only the BORG_ADMIN
-   # can delete/prune the all clients archives/repos
-   BORG_APPEND_ONLY: "no"
+      # FIXME: i want to get rid of that..
+      - backup:/backup:rw
+    restart: "no"
 
-   # Hostname of Admin's SSH-Key
-   BORG_ADMIN: ""
-  restart: unless-stopped
+  borgserver:
+    #image: nold360/borgserver
+    image: borg:git
+    user: 1000:1000
+    volumes:
+      # generated authorized_keys by init
+      - borg-home:/home/borg/.ssh:ro
+
+      # only contains host-keys now
+      - host-keys:/sshkeys:ro
+
+      # Backup repository for borg
+      - backup:/backup:rw
+    ports:
+      - "2222:2222"
+    environment:
+      BORG_SERVE_ARGS: ""
+
+      # If set to "yes", only the BORG_ADMIN
+      # can delete/prune the all clients archives/repos
+      BORG_APPEND_ONLY: "no"
+
+      # Hostname of Admin's SSH-Key
+      BORG_ADMIN: ""
+    depends_on:
+      - init
+    restart: unless-stopped
+
+# Shared volume to exchange authorized_keys between init & server
+volumes:
+  borg-home:
+  host-keys:
+  backup:

env.example

@@ -0,0 +1,2 @@
+KEY_GIT_URL=https://github.com/yourName/your-ssh-pub-keys.git
+KEY_GIT_BRANCH=master

init/Dockerfile

@@ -0,0 +1,13 @@
+# Borgserver Init-Container, simply replace entrypoiny and install git
+#FROM nold360/borgserver:latest
+FROM borg:git
+
+USER root
+RUN export DEBIAN_FRONTEND=noninteractive && \
+		apt-get update && \
+		apt-get -y --no-install-recommends install \
+		git ca-certificates && \
+		apt-get clean && \
+		rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
+
+COPY ./entrypoint.sh /entrypoint.sh

init/entrypoint.sh

@@ -0,0 +1,107 @@
+#!/bin/bash
+# Init-Start Script for docker-borgserver
+# Will pull ssh-keys from git specified via KEY_GIT_URL and KEY_GIT_BRANCH [default: master]
+# and merge them into a single [openssh] authorized_keys file.
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+usermod -o -u "$PUID" borg &>/dev/null
+groupmod -o -g "$PGID" borg &>/dev/null
+
+# FIXME: Is this changeable? guess it should be.. should move it to some kind of
+# build-env file
+BORG_DATA_DIR=${BORG_DATA_DIR:-/backup}
+
+BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
+KEY_GIT_BRANCH=${KEY_GIT_BRANCH:-master}
+
+# This is the path where the final authorized_keys will be written:
+AUTHORIZED_KEYS_PATH=${AUTHORIZED_KEYS_PATH:-/home/borg/.ssh/authorized_keys}
+
+# This will only contain host-keys now
+SSH_KEY_DIR=${SSH_KEY_DIR:-/sshkeys}
+
+# This is no volume anymore, only temporary during init
+GIT_KEY_DIR=/tmp/gitkeys
+echo "########################################################"
+echo " * Docker BorgServer | Git Init-Container *"
+echo " * $(id)"
+
+if [ ! -z "${KEY_GIT_URL}" ] ; then
+  # FIXME: Should the container die here, in case of error?
+  # To workaround the limitations of docker-compose we could just loop here like.. forever
+
+  # INFO: simle git clone would be enouth, but you can also use a volume for SSH_KEY_DIR if you like
+  echo " * Cloning '${KEY_GIT_URL}' into '${GIT_KEY_DIR}/clients'"
+  if [ ! -d "${GIT_KEY_DIR}/clients/.git" ] ; then
+    git clone -b ${KEY_GIT_BRANCH} --depth=1 "${KEY_GIT_URL}" "${GIT_KEY_DIR}/clients"
+  else
+    git -C "${GIT_KEY_DIR}/clients" pull
+  fi
+else
+  echo " ! FATAL ERROR: KEY_GIT_URL is not set! Can't continue."
+  exit 1
+fi
+
+if [ "$(find ${GIT_KEY_DIR}/clients ! -regex '.*/\..*' -a -type f | wc -l)" == "0" ] ; then
+  echo " ! FATAL ERROR: No SSH-Pubkey file found in ${GIT_KEY_DIR}. Can't continue."
+  exit 2
+fi
+
+# Create SSH-Host-Keys on persistent storage, if not exist
+# This also means that `${SSH_KEY_DIR}` has to be a shared volume
+echo " * Checking / Preparing SSH Host-Keys..."
+for keytype in ed25519 rsa ; do
+  if [ ! -f "${SSH_KEY_DIR}/ssh_host_${keytype}_key" ] ; then
+    echo "  ** Creating SSH Hostkey [${keytype}]..."
+    ssh-keygen -q -f "${SSH_KEY_DIR}/ssh_host_${keytype}_key" -N '' -t ${keytype}
+  fi
+done
+
+echo "########################################################"
+echo " * Starting SSH-Key import..."
+
+# Add every key to borg-users authorized_keys
+# FIXME: mkdir of filestructure must still be done by server-container
+# since we shouldn't have access to the backup-data volume in init
+rm -f ${AUTHORIZED_KEYS_PATH} &>/dev/null
+for keyfile in $(find "${GIT_KEY_DIR}" ! -regex '.*/\..*' -a -type f); do
+  client_name=$(basename ${keyfile})
+
+  # check if file is a valid openssh public key
+  if ! ssh-keygen -lf $keyfile &>/dev/null ; then
+    echo " ! WARNING: '$keyfile' is not a valid [open]ssh-public-key. Will continue anyway."
+    continue
+  fi
+
+  # If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR
+  # Otherwise add --append-only, if enabled
+  borg_cmd=${BORG_CMD}
+  if [ "${client_name}" == "${BORG_ADMIN}" ] ; then
+    echo "   ** Client '${client_name}' is BORG_ADMIN! **"
+    unset client_name
+  elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then
+    borg_cmd="${BORG_CMD} --append-only"
+  fi
+
+  echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
+  cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
+done
+
+# This will also fail if there wasn't a single valid pubkey found
+echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
+if ! ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} >/dev/null ; then
+  echo " ! FATAL ERROR: ${AUTHORIZED_KEYS_PATH} is no valid authorized_keys file. Can't continue."
+  exit 3
+fi
+
+echo " * Correcting Permissions..."
+chown borg:borg ${AUTHORIZED_KEYS_PATH}
+chown -R borg:borg ${SSH_KEY_DIR}/*
+chown borg:borg ${BORG_DATA_DIR}
+chmod 600 ${AUTHORIZED_KEYS_PATH}
+
+echo "########################################################"
+echo " * Init done! Ready to fire up your borgserver!"
+
+exit 0

server/Dockerfile

@@ -0,0 +1,36 @@
+############################################################
+# Dockerfile to build borgbackup server images
+# Based on Debian
+############################################################
+FROM debian:buster-slim
+
+# Volume for SSH-Host-Keys
+VOLUME /sshkeys
+
+# Volume for borg repositories
+VOLUME /backup
+
+# Volume for authorized_keys exchange from init
+VOLUME /home/borg
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+		apt-get update && \
+		apt-get -y --no-install-recommends install \
+		borgbackup openssh-server iputils-ping && \
+		apt-get clean && \
+		useradd -s /bin/bash -m -U borg && \
+		mkdir /home/borg/.ssh && \
+		chmod 700 /home/borg/.ssh && \
+		touch /home/borg/.ssh/authorized_keys && \
+		chown -R borg:borg /home/borg /backup && \
+		mkdir /run/sshd && \
+		rm -f /etc/ssh/ssh_host*key* && \
+		rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
+
+COPY ./entrypoint.sh /entrypoint.sh
+COPY ./sshd_config /etc/ssh/sshd_config
+
+USER borg
+EXPOSE 2222
+
+ENTRYPOINT /entrypoint.sh

server/entrypoint.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# Start Script for docker-borgserver
+
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+usermod -o -u "$PUID" borg &>/dev/null
+groupmod -o -g "$PGID" borg &>/dev/null
+
+BORG_DATA_DIR=${BORG_DATA_DIR:-/backup}
+SSH_KEY_DIR=${SSH_KEY_DIR:-/sshkeys}
+BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
+AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
+
+# Append only mode?
+BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
+
+echo "########################################################"
+echo " * Docker BorgServer powered by $(borg -V)"
+echo "########################################################"
+echo " * $(id)"
+echo "########################################################"
+
+echo -n "Waiting for init-container to finish..."
+sleep 5
+while ping -c2 init >/dev/null 2>/dev/null ; do
+  echo .
+  sleep 3
+done
+echo " done"
+
+# Precheck if BORG_ADMIN is set
+if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then
+  echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!"
+fi
+
+# Precheck directories & client ssh-keys
+for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
+  dirpath=$(eval echo '$'${dir})
+  echo " * Testing Volume ${dir}: ${dirpath}"
+  if [ ! -d "${dirpath}" ] ; then
+    echo " ! ERROR: ${dirpath} is no directory!"
+    exit 1
+  fi
+done
+
+for keytype in ed25519 rsa ; do
+  if [ ! -f "${SSH_KEY_DIR}/ssh_host_${keytype}_key" ] ; then
+    echo " ! WARNING: SSH-Host-Key $keytype doesn't exist!"
+    continue
+  fi
+done
+
+echo "########################################################"
+echo " * Checking authorized_keys file..."
+# Check if authorzied_keys is valid
+if ! ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} >/dev/null; then
+  echo " ! ERROR: '${AUTHORIZED_KEYS_PATH}' is not a valid authorized_keys-file."
+  exit 1
+fi
+
+echo "########################################################"
+echo " * Init done! Starting SSH-Daemon..."
+/usr/sbin/sshd -D -e

server/sshd_config

@@ -1,17 +1,19 @@
-Port 22
+Port 2222
 AddressFamily any
 ListenAddress 0.0.0.0
 ListenAddress ::
 
-HostKey /sshkeys/host/ssh_host_rsa_key
-HostKey /sshkeys/host/ssh_host_ed25519_key
+HostKey /sshkeys/ssh_host_rsa_key
+HostKey /sshkeys/ssh_host_ed25519_key
+
+PidFile /tmp/sshd.pid
 
 PermitRootLogin no
 StrictModes yes
 MaxSessions 20
 
 PubkeyAuthentication yes
-AuthorizedKeysFile	.ssh/authorized_keys
+AuthorizedKeysFile	/home/borg/.ssh/authorized_keys
 
 LogLevel INFO