rustdesk/rustdesk-server
1
0
Fork 0
mirror of https://github.com/rustdesk/rustdesk-server.git synced 2025-07-01 23:35:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

test secrets

Browse Source
This commit is contained in:
Paolo Asperti 2022-07-13 18:28:10 +02:00
parent bfcfa68eae
commit 0862bc8c04
No known key found for this signature in database
GPG Key ID: 06D46905D19D5182
8 changed files with 141 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
README.md
View File

@ -176,3 +176,103 @@ We use these environment variables:
| --- | --- | --- | | --- | --- | --- |
| RELAY | no | the IP address/DNS name of the machine running this container | | RELAY | no | the IP address/DNS name of the machine running this container |
| ENCRYPTED_ONLY | yes | if set to **"1"** unencrypted connection will not be accepted | | ENCRYPTED_ONLY | yes | if set to **"1"** unencrypted connection will not be accepted |
| DB_URL | yes | path for database file |
| KEY_PUB | yes | public part of the key pair |
| KEY_PRIV | yes | private part of the key pair |
### Secret management in S6-overlay based images
You can obviously keep the key pair in a docker volume, but the best practices tells you to not write the keys on the filesystem; so we provide a couple of options.
On container startup, the presence of the keypair is checked (`/data/id_ed25519.pub` and `/data/id_ed25519`) and if one of these keys doesn't exist, it's recreated from ENV variables or docker secrets.
#### Use ENV to store the key pair
You can use docker environment variables to store the keys. Just follow this examples:
```bash
docker run --name rustdesk-server \
--net=host \
-e "RELAY=rustdeskrelay.example.com" \
-e "ENCRYPTED_ONLY=1" \
-e "DB_URL=/db/db_v2.sqlite3" \
-e "KEY_PRIV=FR2j78IxfwJNR+HjLluQ2Nh7eEryEeIZCwiQDPVe+PaITKyShphHAsPLn7So0OqRs92nGvSRdFJnE2MSyrKTIQ==" \
-e "KEY_PUB=iEyskoaYRwLDy5+0qNDqkbPdpxr0kXRSZxNjEsqykyE=" \
-v "$PWD/db:/db" -d rustdesk/rustdesk-server-s6:latest
```
```yaml
version: '3'
services:
rustdesk-server:
container_name: rustdesk-server
ports:
- 21115:21115
- 21116:21116
- 21116:21116/udp
- 21117:21117
- 21118:21118
- 21119:21119
image: rustdesk/rustdesk-server-s6:latest
environment:
- "RELAY=rustdesk.example.com:21117"
- "ENCRYPTED_ONLY=1"
- "DB_URL=/db/db_v2.sqlite3"
- "KEY_PRIV=FR2j78IxfwJNR+HjLluQ2Nh7eEryEeIZCwiQDPVe+PaITKyShphHAsPLn7So0OqRs92nGvSRdFJnE2MSyrKTIQ=="
- "KEY_PUB=iEyskoaYRwLDy5+0qNDqkbPdpxr0kXRSZxNjEsqykyE="
volumes:
- ./db:/db
restart: unless-stopped
```
#### Use Docker secrets to store the key pair
You can alternatively use docker secrets to store the keys.
This is useful if you're using **docker-compose** or **docker swarm**.
Just follow this examples:
```bash
cat secrets/id_ed25519.pub | docker secret create key_pub -
cat secrets/id_ed25519 | docker secret create key_priv -
docker service create --name rustdesk-server \
--secret key_priv --secret key_pub \
--net=host \
-e "RELAY=rustdeskrelay.example.com" \
-e "ENCRYPTED_ONLY=1" \
-e "DB_URL=/db/db_v2.sqlite3" \
--mount "type=bind,source=$PWD/db,destination=/db" \
rustdesk/rustdesk-server-s6:latest
```
```yaml
version: '3'
services:
rustdesk-server:
container_name: rustdesk-server
ports:
- 21115:21115
- 21116:21116
- 21116:21116/udp
- 21117:21117
- 21118:21118
- 21119:21119
image: rustdesk/rustdesk-server-s6:latest
environment:
- "RELAY=rustdesk.example.com:21117"
- "ENCRYPTED_ONLY=1"
- "DB_URL=/db/db_v2.sqlite3"
volumes:
- ./db:/db
restart: unless-stopped
secrets:
- key_pub
- key_priv
secrets:
key_pub:
file: secrets/id_ed25519.pub
key_priv:
file: secrets/id_ed25519
```

3
docker/Dockerfile
View File

@ -7,7 +7,8 @@ ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLA
RUN \ RUN \
tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && \ tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && \
tar -C / -Jxpf /tmp/s6-overlay-${S6_ARCH}.tar.xz && \ tar -C / -Jxpf /tmp/s6-overlay-${S6_ARCH}.tar.xz && \
rm /tmp/s6-overlay*.tar.xz rm /tmp/s6-overlay*.tar.xz && \
ln -s /run /var/run
COPY rootfs / COPY rootfs /

1
docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies Normal file
View File

@ -0,0 +1 @@
key-secret

1
docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
View File

@ -1 +1,2 @@
key-secret
hbbr hbbr

1
docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/type Executable file
View File

@ -0,0 +1 @@
oneshot

1
docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up Executable file
View File

@ -0,0 +1 @@
/etc/s6-overlay/s6-rc.d/key-secret/up.real

35
docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real Executable file
View File

@ -0,0 +1,35 @@
#!/command/with-contenv sh
if [ ! -d /data ] ; then
mkdir /data
fi
# normal docker secrets
if [ ! -f /data/id_ed25519.pub ] && [ -r /run/secrets/key_pub ] ; then
cp /run/secrets/key_pub /data/id_ed25519.pub
echo "Public key created from secret"
fi
if [ ! -f /data/id_ed25519 ] && [ -r /run/secrets/key_priv ] ; then
cp /run/secrets/key_priv /data/id_ed25519
echo "Private key created from secret"
fi
# ENV variables
if [ ! -f /data/id_ed25519.pub ] && [ ! "$KEY_PUB" = "" ] ; then
echo -n "$KEY_PUB" > /data/id_ed25519.pub
echo "Public key created from ENV variable"
fi
if [ ! -f /data/id_ed25519 ] && [ ! "$KEY_PRIV" = "" ] ; then
echo -n "$KEY_PRIV" > /data/id_ed25519
echo "Private key created from ENV variable"
fi
# fix perms
if [ -f /data/id_ed25519.pub ] ; then
chmod 600 /data/id_ed25519.pub
fi
if [ -f /data/id_ed25519 ] ; then
chmod 600 /data/id_ed25519
fi

0
docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/key-secret Executable file
View File