initial commit :-)

.github/workflows/docker-build.yml

@@ -0,0 +1,56 @@
+name: Build and Push Docker Image
+
+on:
+  push:
+    branches: [ "main" ]
+    tags: [ 'v*.*.*' ]
+  pull_request:
+    branches: [ "main" ]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }} 

70-yubihsm.rules

@@ -0,0 +1,8 @@
+# This udev file should be used with udev 188 and newer
+ACTION!="add|change", GOTO="yubihsm2_connector_end"
+
+# Yubico YubiHSM 2
+# The OWNER attribute here has to match the uid of the process running the Connector
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0030", OWNER="yubihsm-connector"
+
+LABEL="yubihsm2_connector_end" 

Dockerfile

@@ -0,0 +1,44 @@
+FROM ubuntu:24.04
+
+RUN apt-get update && apt-get install -y \
+    curl \
+    udev \
+    wget \
+    tar \
+    libusb-1.0-0 \
+    libedit2 \
+    libpcsclite1 \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create yubihsm-connector user and its home directory
+RUN useradd -r -m -s /bin/false yubihsm-connector
+
+# Install YubiHSM SDK
+WORKDIR /home/yubihsm-connector
+RUN wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2024-09-ubuntu2404-amd64.tar.gz
+RUN tar xvf yubihsm2-sdk-2024-09-ubuntu2404-amd64.tar.gz
+RUN dpkg -i ./yubihsm2-sdk/libykhsmauth*.deb \
+    ./yubihsm2-sdk/libyubihsm-http*.deb \
+    ./yubihsm2-sdk/libyubihsm-usb*.deb \
+    ./yubihsm2-sdk/libyubihsm1*.deb \
+    ./yubihsm2-sdk/yubihsm-connector*.deb \
+    ./yubihsm2-sdk/yubihsm-shell*.deb
+
+# Cleanup
+RUN rm -rf yubihsm2-sdk*
+
+# Setup udev rules
+RUN mkdir -p /etc/udev/rules.d/
+COPY 70-yubihsm.rules /etc/udev/rules.d/
+
+COPY yubihsm-connector-config.yaml /etc/yubihsm-connector/yubihsm-connector-config.yaml
+
+# Set proper ownership
+RUN chown -R yubihsm-connector:yubihsm-connector /home/yubihsm-connector
+RUN chown yubihsm-connector:yubihsm-connector /etc/yubihsm-connector/yubihsm-connector-config.yaml
+
+# Run as yubihsm-connector user
+USER yubihsm-connector
+
+CMD ["/usr/bin/yubihsm-connector", "-c", "/etc/yubihsm-connector/yubihsm-connector-config.yaml"]

LICENSE

@@ -0,0 +1,17 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Copyright 2024 AxLabs
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -0,0 +1,77 @@
+# YubiHSM Connector Docker
+
+This repository contains a Dockerized version of the YubiHSM Connector, which enables communication with YubiHSM 2 devices.
+
+## Prerequisites
+
+- [Docker](https://docs.docker.com/get-docker/) installed on your system
+- A [YubiHSM 2](https://www.yubico.com/products/yubihsm-2/) device
+- USB access from the host system (see [USB/udev documentation](https://docs.docker.com/engine/reference/commandline/run/#add-host-device-to-container---device))
+
+## Files
+
+- `Dockerfile`: Contains the container build instructions
+- `70-yubihsm.rules`: udev rules for YubiHSM 2 device access
+- `yubihsm-connector-config.yaml`: Configuration file for the YubiHSM connector
+
+## Building
+
+Build the Docker image with:
+
+```bash
+docker build --platform linux/amd64 -t AxLabs/yubihsm-connector-docker .
+```
+
+## Running
+
+Run the container with the following command to ensure proper USB device access:
+
+```bash
+docker run -d \
+  --name yubihsm-connector \
+  --restart unless-stopped \
+  --privileged \
+  --device=/dev/bus/usb \
+  -v /run/udev:/run/udev:ro \
+  -p 12345:12345 \
+  AxLabs/yubihsm-connector-docker
+```
+
+### Run Options Explained
+
+- `--privileged`: Gives the container access to host devices
+- `--device=/dev/bus/usb`: Mounts the USB bus
+- `-v /run/udev:/run/udev:ro`: Mounts udev information (read-only)
+- `-p 12345:12345`: Exposes the default YubiHSM Connector port
+- `--restart unless-stopped`: Automatically restart the container unless manually stopped
+
+## Verifying the Connection
+
+To verify that the connector is running properly:
+
+```bash
+curl http://localhost:12345/connector/status
+```
+
+You should receive a JSON response indicating the connector status.
+
+## Security Considerations
+
+- The container runs as a non-root user `yubihsm-connector`
+- USB device access is restricted through udev rules
+- Consider network security when exposing port 12345
+
+## Troubleshooting
+
+1. If the device is not detected:
+   - Ensure the YubiHSM 2 is properly connected
+   - Check that the udev rules are properly loaded
+   - Verify USB permissions on the host system
+
+2. If the connector fails to start:
+   - Check the container logs: `docker logs yubihsm-connector`
+   - Verify the configuration in `yubihsm-connector-config.yaml`
+
+## License
+
+This project is distributed under the terms of the Apache License 2.0. See [LICENSE](LICENSE) for more information.

RELEASE.md

@@ -0,0 +1,56 @@
+# Release Process
+
+This document describes how to release a new version of the YubiHSM Connector Docker image.
+
+## Prerequisites
+
+- Push access to the main repository
+- GitHub CLI (optional, for easier tag creation)
+
+## Steps to Release
+
+1. Ensure your local repository is up to date:
+   ```bash
+   git fetch origin
+   git checkout main
+   git pull origin main
+   ```
+
+2. Create and push a new tag following semantic versioning:
+   ```bash
+   # Using git
+   git tag v1.0.0
+   git push origin v1.0.0
+
+   # Or using GitHub CLI
+   gh release create v1.0.0
+   ```
+
+3. The GitHub Actions workflow will automatically:
+   - Build the Docker image for amd64 architecture
+   - Push it to GitHub Container Registry with the following tags:
+     - `ghcr.io/axlabs/yubihsm-connector-docker:v1.0.0` (exact version)
+     - `ghcr.io/axlabs/yubihsm-connector-docker:1.0` (minor version)
+     - `ghcr.io/axlabs/yubihsm-connector-docker:main` (branch tag)
+
+4. Verify the release:
+   - Check the [Actions tab](../../actions) for successful workflow completion
+   - Verify the new package is listed in the [Packages section](../../packages)
+   - Test pulling and running the new image:
+     ```bash
+     docker pull ghcr.io/axlabs/yubihsm-connector-docker:v1.0.0
+     ```
+
+## Version Numbers
+
+We follow [Semantic Versioning](https://semver.org/):
+- `MAJOR` version for incompatible API changes
+- `MINOR` version for backwards-compatible functionality additions
+- `PATCH` version for backwards-compatible bug fixes
+
+## Troubleshooting
+
+If the workflow fails:
+1. Check the workflow logs in the Actions tab
+2. Ensure the repository has proper permissions for GitHub Packages
+3. Verify the tag format matches `v*.*.*` 

yubihsm-connector-config.yaml

@@ -0,0 +1,23 @@
+# Certificate (X.509)
+cert: ""
+
+# Certificate key
+key: ""
+
+# Listening address. Defaults to "localhost:12345".
+listen: localhost:12345
+
+# Device serial in case of multiple devices
+serial: ""
+
+# Log to syslog/eventlog. Defaults to "false".
+syslog: false
+
+# Use to enable host header filtering. Default to "false".
+# Use this if there is an absolute need to use a web browser on the
+# host where the YubiHSM 2 is installed to connect to untrusted web
+# sites on the Internet.
+enable-host-whitelist: false
+
+# Default list for the host header filter
+host-whitelist: localhost,localhost.,127.0.0.1,[::1]