Merge pull request #14 from creativecommons/bastion

Shafiya-Heena · web-flow · commit 164a0c3a03b4 · 2024-08-15T12:00:38.000-04:00
Bastion Container Creation
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ The aim of the project is to establish a robust and localized development enviro
 The [`docker-compose.yml`](docker-compose.yml) file defines the following
 containers:
 
-- WIP: Bastion (SSH jump server)
+- **bastion-dev** - Bastion (SSH jump server)
 - **ansible-dev** - Ansible
 - **web-dev** - Web server (Apache2/WordPress)
 - **db-dev** - Database server (MariaDB)
@@ -89,6 +89,19 @@ The SSH setup has been established and is currently in use for the Ansible conta
     ssh -i ./sysadmin-ssh-keys/rsa_sysadmin -p 22001 sysadmin@localhost
     ```
 
+**SSH connection from bastion**:
+- ProxyJump allow you to use `ssh bastion` to connect to the bastion-dev host, and `ssh ansible-dev` or `ssh web-dev`, and SSH will automatically connect through the bastion jump host.
+- currently, db-dev is not handled through bastion
+- Execute the following command to confirm the bastion connection:
+
+    ```shell
+    ssh -J sysadmin@localhost:22222 sysadmin@web-dev
+    ```
+
+    ```shell
+    ssh -J sysadmin@localhost:22222 sysadmin@ansible-dev
+    ```
+
 ## Related Links
 - [Ansible Documentation](https://docs.ansible.com/)
 - [FrontPage - Debian Wiki](https://wiki.debian.org/FrontPage)
diff --git a/ansible/Dockerfile b/ansible/Dockerfile
@@ -56,5 +56,4 @@ ENV ANSIBLE_CONFIG=/etc/ansible/ansible.cfg
 EXPOSE 22
 
 # Start SSH service
-CMD ["/usr/sbin/sshd", "-D"]
-
+CMD ["/usr/sbin/sshd", "-D"]
diff --git a/bastion/Dockerfile b/bastion/Dockerfile
@@ -0,0 +1,53 @@
+# https://docs.docker.com/engine/reference/builder/
+# https://hub.docker.com/_/debian
+FROM debian:bookworm-slim
+
+# Configure apt not to prompt during docker build
+ARG DEBIAN_FRONTEND=noninteractive
+
+# Configure apt to avoid installing recommended and suggested packages
+RUN apt-config dump \
+    | grep -E '^APT::Install-(Recommends|Suggests)' \
+    | sed -e 's/1/0/' \
+    | tee /etc/apt/apt.conf.d/99no-recommends-no-suggests
+
+# Resynchronize the package index files from their sources
+RUN apt-get update
+
+# Install git
+RUN apt-get install -y \
+    sed \
+    openssh-client \
+    openssh-server \
+    vim
+
+# Clean up packages: Saves space by removing unnecessary package files and lists
+RUN apt-get clean
+RUN rm -rf /var/lib/apt/lists/*
+
+# Create sysadmin user and add to sudoers
+RUN useradd -m -s /bin/bash sysadmin && echo "sysadmin:sysadmin" | chpasswd && \
+    usermod -aG sudo sysadmin
+
+# Copy the sudoers file for sysadmin user to the appropriate directory
+COPY ./bastion/etc-sudoers.d/sysadmin_all_nopass /etc/sudoers.d/sysadmin_all_nopass
+
+# Ensure SSH directory exists with correct permissions
+RUN mkdir -p /home/sysadmin/.ssh && \
+    chown sysadmin:sysadmin /home/sysadmin/.ssh && \
+    chmod 700 /home/sysadmin/.ssh
+
+# Create privilege separation directory for SSH
+RUN mkdir -p /run/sshd
+
+# Update SSH configuration to disable password authentication
+RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && \
+    sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config && \
+    sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding yes/' /etc/ssh/sshd_config && \
+    sed -i 's/#GatewayPorts no/GatewayPorts yes/' /etc/ssh/sshd_config
+
+# Expose SSH port
+EXPOSE 22
+
+# Start the SSH daemon
+CMD ["/usr/sbin/sshd", "-D"]
diff --git a/bastion/etc-sudoers.d/sysadmin_all_nopass b/bastion/etc-sudoers.d/sysadmin_all_nopass
@@ -0,0 +1,5 @@
+# vim: ft=sudoers
+#
+# This file MUST be edited with `/usr/sbin/visudo -sf FILENAME`.
+
+%sudo ALL =(ALL) NOPASSWD:ALL
diff --git a/bastion/sysadmin-.ssh-config/config b/bastion/sysadmin-.ssh-config/config
@@ -0,0 +1,17 @@
+Host bastion-dev
+    HostName localhost
+    User sysadmin
+    Port 22222
+    IdentityFile /home/sysadmin/.ssh/id_rsa
+
+Host ansible-dev
+    HostName ansible-dev
+    User sysadmin
+    Port 22
+    IdentityFile /home/sysadmin/.ssh/id_rsa
+
+Host web-dev
+    HostName web-dev
+    User sysadmin
+    Port 22
+    IdentityFile /home/sysadmin/.ssh/id_rsa
diff --git a/db/Dockerfile b/db/Dockerfile
diff --git a/db/startupservice.sh b/db/startupservice.sh
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -17,10 +17,6 @@ services:
       - "22001:22"
     environment:
       - USER=sysadmin
-    entrypoint: |
-      sh -c "
-        exec /usr/sbin/sshd -D
-      "
 
   web-dev:
     container_name: web-dev
@@ -65,22 +61,29 @@ services:
 
   db-dev:
     container_name: db-dev
-    build:
-      context: .
-      dockerfile: db/Dockerfile
     environment:
-      USER: sysadmin
       MYSQL_DATABASE: wordpress
       MYSQL_ROOT_PASSWORD: root
       MYSQL_USER: root
+    image: mariadb
     networks:
       - dev-backend
     restart: on-failure
-    ports:
-      - "3306:3306"
-      - "22003:22"
     volumes:
       - db-data:/var/lib/mysql
+
+  bastion-dev:
+    container_name: bastion-dev
+    build:
+      context: .
+      dockerfile: bastion/Dockerfile
+    networks:
+      - dev-backend
+    expose:
+      - 22/tcp
+    ports:
+      - 22222:22/tcp
+    volumes:
       - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro
       - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro
       - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro
@@ -94,4 +97,5 @@ volumes:
 networks:
   dev-backend:
     name: dev-backend
+    driver: bridge
 
