Feature Request: adding SSH keys to Store and Script #286

Closed
opened 2025-10-31 15:07:34 -05:00 by GiteaMirror · 1 comment

Originally created by @pvyswiss on GitHub (Apr 15, 2025).

## Adding SSH Keys for GIT

Since SSL with GIT can lead to issues, the best option for automation is using SSH keys:

Pros: more secure, no SSL issues.
Cons: requires SSH key management by the user/org.

Directory: `/etc/komodo/ssh`

Example command: `ssh-keygen -t ed25519 -f /etc/komodo/ssh/id_ed25519`

## Adding the option Script as its own resource to sync, deploy and execute as a feature, which can be deployed independently from Stacks/Deployments:

Directory: `/etc/komodo/scripts`

Example script, for anyone who uses Alpine Linux as Docker host, to auto-deploy the Periphery agent as Docker: it creates all necessary folder structure beforehand, generates an OpenSSL-based self-signed SSL certificate for 1 year, and symlinks it for the Periphery default config with SSL enabled:

```bash
#!/bin/sh

# Check if script is run as root
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root"
    exit 1
fi

# Get hostname
hostname=$(hostname)

# Create required directories
echo "Creating directories..."
mkdir -p /opt/docker/komodo
mkdir -p /etc/komodo/
mkdir -p /etc/komodo/ssl
mkdir -p /etc/komodo/stacks
mkdir -p /etc/komodo/repos

# Check and install openssl if needed
if ! command -v openssl >/dev/null 2>&1; then
    echo "Installing openssl..."
    apk add --no-cache openssl
fi

# Generate self-signed SSL certificate
echo "Generating SSL certificate for $hostname..."
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "/etc/komodo/ssl/$hostname.pem" \
    -out "/etc/komodo/ssl/$hostname.cert" \
    -subj "/CN=$hostname"

# The private key must only be readable by root
chmod 600 "/etc/komodo/ssl/$hostname.pem"

# Create symlinks for the expected filenames
ln -sf "/etc/komodo/ssl/$hostname.pem" /etc/komodo/ssl/key.pem
ln -sf "/etc/komodo/ssl/$hostname.cert" /etc/komodo/ssl/cert.pem

# Create docker-compose.yml file
# (quoted heredoc: the ${VAR:-default} expressions are left for compose to expand)
echo "Creating docker-compose.yml..."
cat > /opt/docker/komodo/docker-compose.yml << 'EOF'
services:
  periphery:
    image: ghcr.io/moghtech/komodo-periphery:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
    container_name: komodo-periphery
    restart: unless-stopped
    network_mode: host  # Recommended for Periphery to access host Docker daemon
    environment:
      # Required: Mount paths for repos/stacks
      PERIPHERY_REPO_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/repos
      PERIPHERY_STACK_DIR: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/stacks

      # SSL (enable if needed)
      PERIPHERY_SSL_ENABLED: ${PERIPHERY_SSL_ENABLED:-false}
      PERIPHERY_SSL_KEY_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/key.pem
      PERIPHERY_SSL_CERT_FILE: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}/ssl/cert.pem

      # Security (uncomment and set)
      # PERIPHERY_PASSKEYS: "your-passkey-here"
      # PERIPHERY_ALLOWED_IPS: "192.168.1.100"  # Komodo Core IP

      # Disk monitoring (adjust as needed)
      PERIPHERY_INCLUDE_DISK_MOUNTS: /etc/hostname
      # PERIPHERY_EXCLUDE_DISK_MOUNTS: /snap,/etc/repos

      # Logging (optional)
      RUST_LOG: info
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock  # Critical for Docker control
      - /proc:/proc  # Required for process monitoring
      - ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}  # Config persistence
    labels:
      komodo.skip: "true"  # Prevent accidental stops
    logging:
      driver: ${COMPOSE_LOGGING_DRIVER:-local}
      options:
        max-size: "10m"
EOF

# Check if a compose implementation is available (v1 binary or v2 plugin)
if ! command -v docker-compose >/dev/null 2>&1 && ! docker compose version >/dev/null 2>&1; then
    echo "Error: docker-compose is not installed. Please install it first."
    exit 1
fi

# Start the container
echo "Starting komodo-periphery container..."
cd /opt/docker/komodo || exit 1

# Try docker-compose v1 first, then fall back to v2
if command -v docker-compose >/dev/null 2>&1; then
    docker-compose up -d
elif command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
    docker compose up -d
else
    echo "Error: Could not find a working docker-compose command"
    exit 1
fi

echo "Komodo periphery setup completed successfully!"
```

To use this script:

1. Save it as `periphery.sh`
2. Make it executable: `chmod +x periphery.sh`
3. Run it as root: `sudo ./periphery.sh` or `su -c './periphery.sh'`

If you want to upgrade it later, or add it as a cronjob just to renew the komodo/etc/ssl certificates:

```bash
#!/bin/sh

# SSL Certificate Deployer for Komodo Periphery (Alpine Linux)
# Usage: ./deploy-ssl.sh

set -e

# Must be root
[ "$(id -u)" -eq 0 ] || { echo "ERROR: Run as root" >&2; exit 1; }

# Get hostname
hostname=$(hostname)
ssl_dir="/etc/komodo/ssl"

# Verify directories exist
[ -d "$ssl_dir" ] || { echo "ERROR: Directory $ssl_dir missing" >&2; exit 1; }

# Install openssl if missing
if ! command -v openssl >/dev/null; then
    echo "Installing openssl..."
    apk add --no-cache openssl >/dev/null
fi

# Generate certificates
echo "Deploying SSL certificates for $hostname..."
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$ssl_dir/$hostname.pem" \
    -out "$ssl_dir/$hostname.cert" \
    -subj "/CN=$hostname" >/dev/null 2>&1

# The private key must only be readable by root
chmod 600 "$ssl_dir/$hostname.pem"

# Create symlinks
ln -sf "$ssl_dir/$hostname.pem" "$ssl_dir/key.pem"
ln -sf "$ssl_dir/$hostname.cert" "$ssl_dir/cert.pem"

echo "SSL certificates deployed to:"
echo " - $ssl_dir/$hostname.pem (private key)"
echo " - $ssl_dir/$hostname.cert (certificate)"
echo "Symlinks created: key.pem, cert.pem"
```

### Key Features:

1. **Minimalist** - Only handles SSL certificate deployment
2. **Error Handling**:
   - Checks for root privileges
   - Verifies `/etc/komodo/ssl` exists
3. **Self-Contained**:
   - Automatically installs OpenSSL if missing
   - Silent installation (`>/dev/null`)
4. **Clean Output** - Only shows essential information
5. **Idempotent** - Safe to run multiple times

### Usage:

```sh
chmod +x deploy-ssl.sh
./deploy-ssl.sh
```

This assumes:

- Alpine Linux environment
- `/etc/komodo/ssl` directory already exists
- You want certificates with the system's hostname

The certificates will be valid for 365 days with 2048-bit RSA encryption.
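The cronjob variant above reissues the key pair on every run. The following is an added example (editor's code, not part of the original post or of Komodo) that only reissues when the certificate in the issue's `/etc/komodo/ssl` layout is missing, within a renewal window of expiry, or no longer matches its key, and keeps the private key root-only. `KOMODO_SSL_DIR`, `RENEW_WINDOW_DAYS` and the file name `renew-ssl.sh` are assumptions introduced here, not Komodo settings.

```bash
#!/bin/sh
# Added example (not from the issue): renew the Periphery self-signed cert only
# when it is missing, unreadable, within RENEW_WINDOW_DAYS of expiry, or no
# longer matches the key. KOMODO_SSL_DIR and RENEW_WINDOW_DAYS are assumed knobs.
set -eu
ssl_dir="${KOMODO_SSL_DIR:-/etc/komodo/ssl}"
renew_window_days="${RENEW_WINDOW_DAYS:-30}"
host="$(hostname 2>/dev/null || echo localhost)"

# 0 = issue a new certificate. `openssl x509 -checkend N` exits non-zero when
# the certificate expires within N seconds (or cannot be parsed at all).
needs_renewal() {
    cert="$1"; window_days="$2"
    [ -r "$cert" ] || return 0
    ! openssl x509 -noout -checkend "$((window_days * 86400))" -in "$cert" >/dev/null 2>&1
}

# 0 = key and certificate carry the same public key, i.e. they belong together.
key_matches_cert() {
    key="$1"; cert="$2"
    [ -r "$key" ] && [ -r "$cert" ] || return 1
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ]
}

# Write to temp names and rename, so Periphery never sees a half-written pair.
issue_cert() {
    umask 077   # key is born root-only; cert is relaxed to 0644 below
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$ssl_dir/$host.pem.tmp" -out "$ssl_dir/$host.cert.tmp" \
        -subj "/CN=$host" >/dev/null 2>&1
    chmod 600 "$ssl_dir/$host.pem.tmp"; chmod 644 "$ssl_dir/$host.cert.tmp"
    mv "$ssl_dir/$host.pem.tmp" "$ssl_dir/$host.pem"
    mv "$ssl_dir/$host.cert.tmp" "$ssl_dir/$host.cert"
    ln -sf "$ssl_dir/$host.pem" "$ssl_dir/key.pem"
    ln -sf "$ssl_dir/$host.cert" "$ssl_dir/cert.pem"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "ERROR: run as root" >&2; exit 1; }
    [ -d "$ssl_dir" ] || { echo "ERROR: $ssl_dir missing" >&2; exit 1; }
    if needs_renewal "$ssl_dir/cert.pem" "$renew_window_days" \
       || ! key_matches_cert "$ssl_dir/key.pem" "$ssl_dir/cert.pem"; then
        echo "Issuing new certificate for $host"; issue_cert
    else
        echo "Certificate for $host is valid past the renewal window; nothing to do"
    fi
}

# Run only when executed as renew-ssl.sh, so the functions can be sourced for testing
case "${0##*/}" in renew-ssl.sh) main ;; esac
```

Save it as `renew-ssl.sh` and schedule it daily from cron; a run that finds a valid, matching pair exits without touching the files, so Periphery only needs a restart after an actual reissue.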

@mbecker20 commented on GitHub (Aug 28, 2025):

Periphery now defaults to serving HTTPS and generates its own self-signed certs if they aren't there.

Reference: github-starred/komodo#286