Git key import again

Split run.sh and add git retrival
This patch modularize run.sh, adding two new helper scripts and make it possible to specify a git repository for ssh keys via a new env variable `BORG_SSHKEYS_REPO`. the modularization add two new files : - `env.sh` : define a few envriroment variables - `create-client-dirs.sh` : update and create user directories and re-create authorized_keys We also add a new script `update-ssh-keys.sh` to be called regurlarly in a cron job to check if the git repository is up-to-date and eventually adding/removing users.
2020-03-26 18:16:56 +01:00 · 2020-03-24 14:03:24 +01:00
8 changed files with 125 additions and 47 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 /backup
 /sshkeys
+.env
--- a/3
+++ b/3
@ -24,6 +24,9 @@ RUN apt-get update && apt-get -y --no-install-recommends install \

 COPY ./data/run.sh /run.sh
 COPY ./data/sshd_config /etc/ssh/sshd_config
+COPY ./data/update-ssh-keys.sh /usr/local/bin/
+COPY ./data/create-client-dirs.sh /usr/local/bin/
+COPY ./data/env.sh /usr/local/bin/env.sh

 ENTRYPOINT /run.sh

--- a/Dockerfile.pullgit
+++ b/Dockerfile.pullgit
@ -0,0 +1,9 @@
+############################################################
+# Dockerfile to build borgbackup server images with git-pull support!
+# Based on Debian
+############################################################
+FROM borgserver:latest
+
+RUN apt-get update && apt-get -y --no-install-recommends install \
+		git ca-certificates && apt-get clean && \
+		rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
--- a/data/create-client-dirs.sh
+++ b/data/create-client-dirs.sh
@ -0,0 +1,55 @@
+#!/bin/bash
+# This script generates the authorized_keys file from SSH_KEY_DIR
+# authorized_keys will only get overridden after syntax check
+set -e
+source env.sh
+
+TMPFILE=$(mktemp)
+
+echo "######################################################"
+echo "* Regenerate borgserver authorized_keys *"
+echo "######################################################"
+
+# Add every key to borg-users authorized_keys
+for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do
+  client_name=$(basename ${keyfile})
+
+	# Only import valid keyfiles, skip other files
+  if ! ssh-keygen -lf $keyfile >/dev/null ; then
+		echo " Warning: Skipping invalid ssh-key file '$keyfile'"
+		continue
+	fi
+
+  if [ ! -d "${BORG_DATA_DIR}/${client_name}" ]; then
+    echo "  ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
+    mkdir "${BORG_DATA_DIR}/${client_name}"
+  else
+    echo "Directory ${BORG_DATA_DIR}/${client_name} exists: Nothing to do"
+  fi
+
+  # If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR
+  # Otherwise add --append-only, if enabled
+  borg_cmd=${BORG_CMD}
+  if [ "${client_name}" == "${BORG_ADMIN}" ] ; then
+    echo "   ** Client '${client_name}' is BORG_ADMIN! **"
+    unset client_name
+  elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then
+    borg_cmd="${BORG_CMD} --append-only"
+  fi
+
+  echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${TMPFILE}
+  cat ${keyfile} >> ${TMPFILE}
+done
+
+# Due to `set -e` the script will end here on failure anyways
+echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
+ssh-keygen -lf ${TMPFILE} >/dev/null
+
+mv ${TMPFILE} ${AUTHORIZED_KEYS_PATH}
+echo " ** Success"
+
+chown -R borg:borg ${BORG_DATA_DIR}
+chown borg:borg ${AUTHORIZED_KEYS_PATH}
+chmod 600 ${AUTHORIZED_KEYS_PATH}
+
+exit 0
--- a/data/env.sh
+++ b/data/env.sh
@ -0,0 +1,23 @@
+# Default values for environment
+PATH=$PATH:/usr/local/bin
+PUID=${PUID:-1000}
+PGID=${PGID:-1000}
+
+# Append only mode?
+BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
+
+# Volume for backup repositories
+BORG_DATA_DIR=${BORG_DATA_DIR:-/backup}
+
+# Branch of KEY_GIT_URL
+KEY_GIT_BRANCH=${KEY_GIT_BRANCH:-master}
+
+# This will contain the host and client keys
+SSH_KEY_DIR=${SSH_KEY_DIR:-/sshkeys}
+
+### CAUTION
+# This is more of a template then something you need to change, it should stay static
+BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
+
+# Path to authorized_keys file
+AUTHORIZED_KEYS_PATH=${AUTHORIZED_KEYS_PATH:-/home/borg/.ssh/authorized_keys}
--- a/data/run.sh
+++ b/data/run.sh
@ -1,34 +1,30 @@
 #!/bin/bash
 # Start Script for docker-borgserver
-
-PUID=${PUID:-1000}
-PGID=${PGID:-1000}
+set -e
+source env.sh

 usermod -o -u "$PUID" borg &>/dev/null
 groupmod -o -g "$PGID" borg &>/dev/null

-BORG_DATA_DIR=/backup
-SSH_KEY_DIR=/sshkeys
-BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}'
-AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys
-
-# Append only mode?
-BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no}
-
 echo "########################################################"
 echo -n " * Docker BorgServer powered by "
 borg -V
 echo "########################################################"
 echo " * User  id: $(id -u borg)"
 echo " * Group id: $(id -g borg)"
+if [ -z "${KEY_GIT_URL}" ] ; then
+  echo "* Pulling keys from ${KEY_GIT_URL}"
+fi
 echo "########################################################"

-
 # Precheck if BORG_ADMIN is set
 if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then
 	echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!"
 fi

+# Init the ssh keys directory from a remote git repository
+update-ssh-keys.sh
+
 # Precheck directories & client ssh-keys
 for dir in BORG_DATA_DIR SSH_KEY_DIR ; do
 	dirpath=$(eval echo '$'${dir})
@ -54,40 +50,8 @@ for keytype in ed25519 rsa ; do
 	fi
 done

-echo "########################################################"
-echo " * Starting SSH-Key import..."
-
 # Add every key to borg-users authorized_keys
-rm ${AUTHORIZED_KEYS_PATH} &>/dev/null
-for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do
-    client_name=$(basename ${keyfile})
-    mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null
-    echo "  ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}"
-
-	# If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR
-	# Otherwise add --append-only, if enabled
-	borg_cmd=${BORG_CMD}
-	if [ "${client_name}" == "${BORG_ADMIN}" ] ; then
-		echo "   ** Client '${client_name}' is BORG_ADMIN! **"
-		unset client_name
-	elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then
-		borg_cmd="${BORG_CMD} --append-only"
-	fi
-
-    echo -n "command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH}
-	cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH}
-done
-
-echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..."
-ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null)
-if [ $? -ne 0 ]; then
-    echo "ERROR: ${ERROR}"
-    exit 1
-fi
-
-chown -R borg:borg ${BORG_DATA_DIR}
-chown borg:borg ${AUTHORIZED_KEYS_PATH}
-chmod 600 ${AUTHORIZED_KEYS_PATH}
+create-client-dirs.sh

 echo "########################################################"
 echo " * Init done! Starting SSH-Daemon..."
--- a/data/update-ssh-keys.sh
+++ b/data/update-ssh-keys.sh
@ -0,0 +1,20 @@
+#!/bin/bash
+# This script updates the authorized_keys file
+# Will clone/pull ssh-pubkeys from GIT_KEY_URL if set
+set -e
+source env.sh
+
+if [ -d "${SSH_KEY_DIR}/clients/.git" ] ; then
+  git -C "${SSH_KEY_DIR}/clients" fetch
+  if ! git -C "${SSH_KEY_DIR}/clients" diff --quiet remotes/origin/HEAD; then
+    echo "Pull from git repository"
+    git -C "${SSH_KEY_DIR}/clients" pull
+    create-client-dirs.sh
+  else
+    echo "$0: Nothing to do"
+  fi
+elif [ ! -z "${KEY_GIT_URL}" ] ; then
+	git clone --depth=1 -b ${KEY_GIT_BRANCH} ${KEY_GIT_URL} ${SSH_KEY_DIR}/clients
+fi
+
+exit 0
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,13 +1,16 @@
 version: '3'
 services:
 borgserver:
-  image: nold360/borgserver
-  #build: .
+  #image: nold360/borgserver
+  build:
+    context: .
+    dockerfile: Dockerfile.pullgit
  volumes:
   - ./backup:/backup
   - ./sshkeys:/sshkeys
  ports:
   - "2222:22"
+  env_file: .env
  environment:
   BORG_SERVE_ARGS: ""