feat(ssh_locker): implement ssh locker helper scripts and configuration for Duo API integration

This commit is contained in:
2025-05-22 22:55:27 +02:00
parent f6be1d5dbe
commit 071b4eea9e
13 changed files with 360 additions and 3 deletions
-3
View File
@@ -1,3 +0,0 @@
#!/bin/bash
POD_NAME=$(kubectl get pods -n nextcloud -l app=nextcloud -o jsonpath="{.items[0].metadata.name}")
kubectl -n nextcloud exec -it $POD_NAME -- /bin/su -s /bin/bash www-data -c "/var/www/html/occ $*"
Executable
+15
View File
@@ -0,0 +1,15 @@
#bin/bash
function usage() {
echo "Usage: ssh_locker_helper <user> <action>"
echo "Actions:"
echo " lock - Lock the SSH locker"
echo " unlock - Unlock the SSH locker"
}
if [ -z "$1" ] || [ -z "$2" ]; then
usage
exit 1
fi
sectool exec bash -c "bin/ssh_locker_helper $1 $2"
+27
View File
@@ -0,0 +1,27 @@
#/!/bin/bash
function usage() {
echo "Usage: ssh_locker_helper <user> <action>"
echo "Actions:"
echo " lock - Lock the SSH locker"
echo " unlock - Unlock the SSH locker"
}
if [ -z "$SERVER_API_ACCESS_TOKEN" ]; then
echo "Please set the SERVER_API_ACCESS_TOKEN environment variable."
exit 1
fi
if [ -z "$1" ] || [ -z "$2" ]; then
usage
exit 1
fi
response=$(curl -s -o /dev/null -w "%{redirect_url}" \
-X POST https://alexpires.me/api/ssh_locker/action \
-H "Content-Type: application/json" \
-H "X-Auth-Token: $SERVER_API_ACCESS_TOKEN" \
-d '{"user":"'$1'","action":"'$2'"}')
if [ -n "$response" ]; then
xdg-open "$response"
else
echo "No redirect URL received."
fi
+1
View File
@@ -8,3 +8,4 @@ SCW_ACCESS_KEY=$SCALEWAY_ACCESS_KEY
SCW_SECRET_KEY=$SCALEWAY_SECRET_KEY
SCW_DEFAULT_PROJECT_ID=$SCALEWAY_PROJECT_ID
SCW_DEFAULT_ORGANIZATION_ID=$SCALEWAY_ORGANIZATION_ID
SERVER_API_ACCESS_TOKEN=$SERVER_API_ACCESS_TOKEN
+11
View File
@@ -128,3 +128,14 @@ module "trivy" {
from_email = "trivy@${local.primary_domain}"
to_email = "c.alexandre.pires@${local.primary_domain}"
}
module "ssh_locker_web" {
source = "../modules/apps/ssh_locker_web"
duo_client_id = var.server_api_duo_client_id
duo_client_secret = var.server_api_duo_client_secret
access_token = var.server_api_access_token
duo_api_host = "api-7cda1654.duosecurity.com"
redirect_uri = "https://alexpires.me/api/ssh_locker/duo-callback"
socket_path = "/var/run/ssh_locker/provision.sock"
}
@@ -9,3 +9,14 @@ location ^~ /config/dav {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
location ^~ /api/ssh_locker/ {
rewrite ^/api/ssh_locker/(.*)$ /$1 break;
proxy_pass https://backend.ssh-locker-web.svc.cluster.local;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
+16
View File
@@ -106,3 +106,19 @@ variable "gitea_jwt_secret" {
type = string
sensitive = true
}
variable "server_api_duo_client_id" {
description = "Duo client ID"
type = string
sensitive = true
}
variable "server_api_duo_client_secret" {
description = "Duo client secret"
type = string
sensitive = true
}
variable "server_api_access_token" {
description = "Access token for ssh_locker API"
type = string
sensitive = true
}
+3
View File
@@ -28,3 +28,6 @@ TF_VAR_gitea_lfs_jwt_secret=$GITEA_LFS_JWT_SECRET
TF_VAR_gitea_secret_key=$GITEA_SECRET_KEY
TF_VAR_gitea_internal_token=$GITEA_INTERNAL_TOKEN
TF_VAR_gitea_jwt_secret=$GITEA_JWT_SECRET
TF_VAR_server_api_duo_client_id=$SERVER_API_DUO_CLIENT_ID
TF_VAR_server_api_duo_client_secret=$SERVER_API_DUO_CLIENT_SECRET
TF_VAR_server_api_access_token=$SERVER_API_ACCESS_TOKEN
@@ -0,0 +1,14 @@
locals {
config = {
"clientId" : var.duo_client_id
"clientSecret" : var.duo_client_secret
"apiHost" : var.duo_api_host
"redirectUri" : var.redirect_uri
"accessToken" : var.access_token
"socketPath" : "/app/socket"
"tlsCert" : var.tls_enabled ? "/etc/ssl/certs/private/tls.crt" : ""
"tlsKey" : var.tls_enabled ? "/etc/ssl/certs/private/tls.key" : ""
}
config_json = jsonencode(local.config)
config_checksum = sha256(local.config_json)
}
@@ -0,0 +1,191 @@
resource "kubernetes_namespace" "ssh_locker_web" {
metadata {
name = "ssh-locker-web"
}
}
resource "kubernetes_secret" "ssh_locker_web" {
metadata {
name = "ssh-locker-web-config"
namespace = kubernetes_namespace.ssh_locker_web.metadata[0].name
}
data = {
"config.json" = local.config_json
}
type = "Opaque"
}
resource "kubernetes_service_account" "ssh_locker_web" {
metadata {
name = "ssh-locker-web"
namespace = kubernetes_namespace.ssh_locker_web.metadata[0].name
}
automount_service_account_token = false
}
resource "kubernetes_manifest" "internal_cert" {
count = var.tls_enabled ? 1 : 0
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"
metadata = {
name = "internal-cert"
namespace = kubernetes_namespace.ssh_locker_web.metadata[0].name
}
spec = {
secretName = "internal-cert"
issuerRef = {
name = var.issuer
kind = "ClusterIssuer"
}
commonName = "backend.ssh-locker-web.svc.cluster.local"
dnsNames = ["backend.ssh-locker-web.svc.cluster.local"]
}
}
}
resource "kubernetes_deployment" "ssh_locker_web" {
metadata {
name = "backend"
namespace = kubernetes_namespace.ssh_locker_web.metadata[0].name
labels = {
app = "backend"
}
annotations = {
"config/checksum" = local.config_checksum
}
}
spec {
replicas = 1
selector {
match_labels = {
app = "backend"
}
}
template {
metadata {
labels = {
app = "backend"
}
}
spec {
security_context {
run_as_user = var.user_id
run_as_group = var.group_id
fs_group = var.group_id
run_as_non_root = true
}
container {
name = "backend"
image = "a13labs/ssh_locker_web:latest"
security_context {
allow_privilege_escalation = false
}
port {
container_port = var.tls_enabled ? 8443 : 8080
name = var.tls_enabled ? "https" : "http"
}
readiness_probe {
tcp_socket {
port = var.tls_enabled ? 8443 : 8080
}
}
liveness_probe {
tcp_socket {
port = var.tls_enabled ? 8443 : 8080
}
}
volume_mount {
name = "config-volume"
mount_path = "/app/config.json"
sub_path = "config.json"
read_only = true
}
volume_mount {
name = "socket-volume"
mount_path = "/app/socket"
}
dynamic "volume_mount" {
for_each = var.tls_enabled ? [1] : []
content {
name = "internal-cert"
mount_path = "/etc/ssl/certs/private"
read_only = true
}
}
}
volume {
name = "config-volume"
secret {
secret_name = kubernetes_secret.ssh_locker_web.metadata[0].name
items {
key = "config.json"
path = "config.json"
}
}
}
volume {
name = "socket-volume"
host_path {
path = var.socket_path
}
}
dynamic "volume" {
for_each = var.tls_enabled ? [1] : []
content {
name = "internal-cert"
secret {
secret_name = "internal-cert"
items {
key = "tls.crt"
path = "tls.crt"
}
items {
key = "tls.key"
path = "tls.key"
}
}
}
}
service_account_name = kubernetes_service_account.ssh_locker_web.metadata[0].name
}
}
}
}
resource "kubernetes_service" "backend" {
metadata {
name = "backend"
namespace = kubernetes_namespace.ssh_locker_web.metadata[0].name
}
spec {
selector = {
app = "backend"
}
port {
name = var.tls_enabled ? "https" : "http"
port = var.tls_enabled ? 443 : 80
target_port = var.tls_enabled ? 8443 : 8080
}
type = "ClusterIP"
}
}
@@ -0,0 +1,7 @@
output "namespace" {
value = kubernetes_namespace.ssh_locker_web.metadata[0].name
}
output "app_name" {
value = "ssh_locker_web"
}
@@ -0,0 +1,9 @@
terraform {
required_version = "~>1.8"
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~>2.18"
}
}
}
@@ -0,0 +1,55 @@
variable "duo_client_id" {
description = "Duo client ID"
type = string
sensitive = true
}
variable "duo_client_secret" {
description = "Duo client secret"
type = string
sensitive = true
}
variable "duo_api_host" {
description = "Duo API host"
type = string
}
variable "redirect_uri" {
description = "Redirect URI for Duo authentication"
type = string
}
variable "access_token" {
description = "Access token for Duo API"
type = string
sensitive = true
}
variable "socket_path" {
description = "Socket path for Duo API"
type = string
}
variable "user_id" {
description = "User for running the pod"
type = number
default = 1000
}
variable "group_id" {
description = "Group for running the pod"
type = number
default = 1000
}
variable "issuer" {
description = "The issuer for the certificate"
type = string
default = "internal-ca"
}
variable "tls_enabled" {
description = "Enable TLS for the SFTPGo server"
type = bool
default = true
}