From 0862bc8c043159ab391aef3af46486fb593ff05b Mon Sep 17 00:00:00 2001
From: Paolo Asperti
Date: Wed, 13 Jul 2022 18:28:10 +0200
Subject: [PATCH] test secrets
---
 README.md | 100 ++++++++++++++++++
 docker/Dockerfile | 3 +-
 .../etc/s6-overlay/s6-rc.d/hbbr/dependencies | 1 +
 .../etc/s6-overlay/s6-rc.d/hbbs/dependencies | 1 +
 .../etc/s6-overlay/s6-rc.d/key-secret/type | 1 +
 .../etc/s6-overlay/s6-rc.d/key-secret/up | 1 +
 .../etc/s6-overlay/s6-rc.d/key-secret/up.real | 35 ++++++
 .../s6-rc.d/user/contents.d/key-secret | 0
 8 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
 create mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/type
 create mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up
 create mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real
 create mode 100755 docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/key-secret
diff --git a/README.md b/README.md
index cbfb2f0..c55b779 100644
--- a/README.md
+++ b/README.md
@@ -176,3 +176,103 @@ We use these environment variables:
 | --- | --- | --- |
 | RELAY | no | the IP address/DNS name of the machine running this container |
 | ENCRYPTED_ONLY | yes | if set to **"1"** unencrypted connection will not be accepted |
+| DB_URL | yes | path for database file |
+| KEY_PUB | yes | public part of the key pair |
+| KEY_PRIV | yes | private part of the key pair |
+
+### Secret management in S6-overlay based images
+
+You can obviously keep the key pair in a docker volume, but the best practices tells you to not write the keys on the filesystem; so we provide a couple of options.
+
+On container startup, the presence of the keypair is checked (`/data/id_ed25519.pub` and `/data/id_ed25519`) and if one of these keys doesn't exist, it's recreated from ENV variables or docker secrets.
+
+#### Use ENV to store the key pair
+
+You can use docker environment variables to store the keys. Just follow this examples:
+
+```bash
+docker run --name rustdesk-server \
+ --net=host \
+ -e "RELAY=rustdeskrelay.example.com" \
+ -e "ENCRYPTED_ONLY=1" \
+ -e "DB_URL=/db/db_v2.sqlite3" \
+ -e "KEY_PRIV=FR2j78IxfwJNR+HjLluQ2Nh7eEryEeIZCwiQDPVe+PaITKyShphHAsPLn7So0OqRs92nGvSRdFJnE2MSyrKTIQ==" \
+ -e "KEY_PUB=iEyskoaYRwLDy5+0qNDqkbPdpxr0kXRSZxNjEsqykyE=" \
+ -v "$PWD/db:/db" -d rustdesk/rustdesk-server-s6:latest
+```
+
+```yaml
+version: '3'
+
+services:
+ rustdesk-server:
+ container_name: rustdesk-server
+ ports:
+ - 21115:21115
+ - 21116:21116
+ - 21116:21116/udp
+ - 21117:21117
+ - 21118:21118
+ - 21119:21119
+ image: rustdesk/rustdesk-server-s6:latest
+ environment:
+ - "RELAY=rustdesk.example.com:21117"
+ - "ENCRYPTED_ONLY=1"
+ - "DB_URL=/db/db_v2.sqlite3"
+ - "KEY_PRIV=FR2j78IxfwJNR+HjLluQ2Nh7eEryEeIZCwiQDPVe+PaITKyShphHAsPLn7So0OqRs92nGvSRdFJnE2MSyrKTIQ=="
+ - "KEY_PUB=iEyskoaYRwLDy5+0qNDqkbPdpxr0kXRSZxNjEsqykyE="
+ volumes:
+ - ./db:/db
+ restart: unless-stopped
+```
+
+#### Use Docker secrets to store the key pair
+
+You can alternatively use docker secrets to store the keys.
+This is useful if you're using **docker-compose** or **docker swarm**.
+Just follow this examples:
+
+```bash
+cat secrets/id_ed25519.pub | docker secret create key_pub -
+cat secrets/id_ed25519 | docker secret create key_priv -
+docker service create --name rustdesk-server \
+ --secret key_priv --secret key_pub \
+ --net=host \
+ -e "RELAY=rustdeskrelay.example.com" \
+ -e "ENCRYPTED_ONLY=1" \
+ -e "DB_URL=/db/db_v2.sqlite3" \
+ --mount "type=bind,source=$PWD/db,destination=/db" \
+ rustdesk/rustdesk-server-s6:latest
+```
+
+```yaml
+version: '3'
+
+services:
+ rustdesk-server:
+ container_name: rustdesk-server
+ ports:
+ - 21115:21115
+ - 21116:21116
+ - 21116:21116/udp
+ - 21117:21117
+ - 21118:21118
+ - 21119:21119
+ image: rustdesk/rustdesk-server-s6:latest
+ environment:
+ - "RELAY=rustdesk.example.com:21117"
+ - "ENCRYPTED_ONLY=1"
+ - "DB_URL=/db/db_v2.sqlite3"
+ volumes:
+ - ./db:/db
+ restart: unless-stopped
+ secrets:
+ - key_pub
+ - key_priv
+
+secrets:
+ key_pub:
+ file: secrets/id_ed25519.pub
+ key_priv:
+ file: secrets/id_ed25519
+```
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 2ea6425..e6982af 100755
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -7,7 +7,8 @@ ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLA
 RUN \
 tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && \
 tar -C / -Jxpf /tmp/s6-overlay-${S6_ARCH}.tar.xz && \
- rm /tmp/s6-overlay*.tar.xz
+ rm /tmp/s6-overlay*.tar.xz && \
+ ln -s /run /var/run
 COPY rootfs /
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
new file mode 100644
index 0000000..23bc57d
--- /dev/null
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
@@ -0,0 +1 @@
+key-secret
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
index a689798..f72cf00 100644
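Review bot: `ln -s /run /var/run` in the RUN step only does what is intended when /var/run does not yet exist in the base image; if the base image already ships /var/run as a directory or as a symlink to /run (as Debian-based images do), ln silently creates /var/run/run -> /run instead, and the step looks successful while changing nothing. A guard such as `[ -e /var/run ] || ln -s /run /var/run` keeps the step idempotent across base images. The FROM/ADD lines are outside the hunk, so I cannot confirm which case applies here; a short comment on the line stating why the symlink is needed would also help the next reader.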
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
@@ -1 +1,2 @@
+key-secret
 hbbr
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/type b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/type
new file mode 100755
index 0000000..bdd22a1
--- /dev/null
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/type
@@ -0,0 +1 @@
+oneshot
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up
new file mode 100755
index 0000000..5255a74
--- /dev/null
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up
@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/key-secret/up.real
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real
new file mode 100755
index 0000000..90a13dc
--- /dev/null
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real
@@ -0,0 +1,35 @@
+#!/command/with-contenv sh
+
+if [ ! -d /data ] ; then
+ mkdir /data
+fi
+
+# normal docker secrets
+if [ ! -f /data/id_ed25519.pub ] && [ -r /run/secrets/key_pub ] ; then
+ cp /run/secrets/key_pub /data/id_ed25519.pub
+ echo "Public key created from secret"
+fi
+
+if [ ! -f /data/id_ed25519 ] && [ -r /run/secrets/key_priv ] ; then
+ cp /run/secrets/key_priv /data/id_ed25519
+ echo "Private key created from secret"
+fi
+
+# ENV variables
+if [ ! -f /data/id_ed25519.pub ] && [ ! "$KEY_PUB" = "" ] ; then
+ echo -n "$KEY_PUB" > /data/id_ed25519.pub
+ echo "Public key created from ENV variable"
+fi
+
+if [ ! -f /data/id_ed25519 ] && [ ! "$KEY_PRIV" = "" ] ; then
+ echo -n "$KEY_PRIV" > /data/id_ed25519
+ echo "Private key created from ENV variable"
+fi
+
+# fix perms
+if [ -f /data/id_ed25519.pub ] ; then
+ chmod 600 /data/id_ed25519.pub
+fi
+if [ -f /data/id_ed25519 ] ; then
+ chmod 600 /data/id_ed25519
+fi
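Review bot: The private key is created with the inherited umask — both `cp /run/secrets/key_priv /data/id_ed25519` and `echo -n "$KEY_PRIV" > /data/id_ed25519` — and its mode is only tightened by the `chmod 600` in the "fix perms" block at the end, so on a host-mounted or shared /data the key can be group/world-readable between those two points and stays that way if the script is interrupted in between. Adding `umask 077` directly after the `#!/command/with-contenv sh` line makes cp and the redirections create 0600 files from the start and turns the trailing chmods into a no-op. `echo -n` is not guaranteed to suppress the newline under every /bin/sh, so the written key may differ from the secret by a trailing byte; `printf '%s' "$KEY_PRIV" > /data/id_ed25519` (and likewise for KEY_PUB) is portable and byte-exact. The script also sets no `set -e`, so a failed cp or write (e.g. a read-only /data) still lets the oneshot succeed and hbbs/hbbr, which now depend on it, start with whatever is in /data; whether that should fail closed is a design call, but a comment stating the intended behaviour would help.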
diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/key-secret b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/key-secret
new file mode 100755
index 0000000..e69de29