Support passing SSH Agent to vm to container

D3strukt0r · Oct 6, 2024 · 1437029 · 1437029
1 parent e2fa80b
commit 1437029
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 38 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -52,9 +52,11 @@
 *.bash     text eol=lf
 *.fish     text eol=lf
 *.sh       text eol=lf
-*.envsh    text eol=lf # Our custom shell extension
+# Our custom shell extension
+*.envsh    text eol=lf
 *.zsh      text eol=lf
-crontab.*  text eol=lf # Or cron tabs end with the environments name
+# Or cron tabs end with the environments name
+crontab.*  text eol=lf
 # These are explicitly windows files and should use crlf
 *.bat      text eol=crlf
 *.cmd      text eol=crlf

diff --git a/.vagrant.config.yml.dist b/.vagrant.config.yml.dist
@@ -21,6 +21,9 @@ network:
     - 'mailpit.wedding-manuele-robine.test'
     - 'minio.wedding-manuele-robine.test'
 
+ssh:
+  forward_agent: true
+
 folder:
   # Enter "nfs", "rsync" or "smb" here. Both work on Mac. NFS folders do not work on
   # Windows hosts. Vagrant will ignore your request for NFS synced folders on

diff --git a/README.md b/README.md
@@ -44,6 +44,9 @@ vagrant up
 * Initial App startup: ~20s ?
 * Subsequent startups: ~1m 7s (VM) + 26s (Docker) ?
 
+If you get an error `Could not kickstart service "com.apple.nfsd": 1: Operation not permitted`,
+use `sudo nfsd update` to fix it. (https://github.com/hashicorp/vagrant/issues/13364)
+
 Common commands
 
 ```shell

diff --git a/Vagrantfile b/Vagrantfile
@@ -173,39 +173,46 @@ Vagrant.configure('2') do |config|
         sudo /etc/init.d/ssh restart
     SCRIPT
 
-    # Copy the public SSH key of the host system user to the vagrant box to
-    # allow Git access
-    if File.file?(File.expand_path('~/.ssh/id_ed25519')) && File.file?(File.expand_path('~/.ssh/id_ed25519.pub'))
-        config.vm.provision 'file', source: '~/.ssh/id_ed25519', destination: '~/.ssh/id_ed25519', run: 'always'
-        config.vm.provision 'file', source: '~/.ssh/id_ed25519.pub', destination: '~/.ssh/id_ed25519.pub', run: 'always'
-    elsif File.file?(File.expand_path('~/.ssh/id_rsa')) && File.file?(File.expand_path('~/.ssh/id_rsa.pub'))
-        puts 'Still using RSA? Consider switching to ED25519 for better security'
-        config.vm.provision 'file', source: '~/.ssh/id_rsa', destination: '~/.ssh/id_rsa', run: 'always'
-        config.vm.provision 'file', source: '~/.ssh/id_rsa.pub', destination: '~/.ssh/id_rsa.pub', run: 'always'
+    if settings.dig('ssh', 'forward_agent') == true
+        # https://unix.stackexchange.com/questions/77238/ssh-agent-forwarding-for-a-vagrant-vm
+        config.ssh.forward_agent = true
     else
-        puts 'No SSH key found, please generate them first'
-        puts 'ECDSA: $ ssh-keygen -t ed25519 -C "[email protected]"'
-        puts 'RSA:   $ ssh-keygen -t rsa -b 4096 -C "[email protected]"'
-        exit
+        # Copy the public SSH key of the host system user to the vagrant box to
+        # allow Git access
+        if File.file?(File.expand_path('~/.ssh/id_ed25519')) && File.file?(File.expand_path('~/.ssh/id_ed25519.pub'))
+            config.vm.provision 'file', source: '~/.ssh/id_ed25519', destination: '~/.ssh/id_ed25519', run: 'always'
+            config.vm.provision 'file', source: '~/.ssh/id_ed25519.pub', destination: '~/.ssh/id_ed25519.pub', run: 'always'
+        elsif File.file?(File.expand_path('~/.ssh/id_rsa')) && File.file?(File.expand_path('~/.ssh/id_rsa.pub'))
+            puts 'Still using RSA? Consider switching to ED25519 for better security'
+            config.vm.provision 'file', source: '~/.ssh/id_rsa', destination: '~/.ssh/id_rsa', run: 'always'
+            config.vm.provision 'file', source: '~/.ssh/id_rsa.pub', destination: '~/.ssh/id_rsa.pub', run: 'always'
+        else
+            puts 'No SSH key found, please generate them first'
+            puts 'ECDSA: $ ssh-keygen -t ed25519 -C "[email protected]"'
+            puts 'RSA:   $ ssh-keygen -t rsa -b 4096 -C "[email protected]"'
+            exit
+        end
+
+        config.vm.provision 'fix-ssh-permissions', type: 'shell', privileged: false, reset: true, inline: <<-SCRIPT
+            set -e -u -x -o pipefail
+            if [ -f ~/.ssh/id_ed25519 ]; then
+                chmod 600 ~/.ssh/id_ed25519
+            fi
+        SCRIPT
+
+        # Start SSH agent and add SSH key to agent
+        config.vm.provision 'start-ssh-agent-at-boot', type: 'shell', privileged: false, inline: <<-SCRIPT
+            set -e -u -x -o pipefail
+            echo 'eval "$(ssh-agent -s)"' >> ~/.bashrc
+            echo 'ssh-add -l > /dev/null || ssh-add' >> ~/.bashrc
+        SCRIPT
     end
-    config.vm.provision 'fix-ssh-permissions', type: 'shell', privileged: false, reset: true, inline: <<-SCRIPT
-        set -e -u -x -o pipefail
-        if [ -f ~/.ssh/id_ed25519 ]; then
-            chmod 600 ~/.ssh/id_ed25519
-        fi
-    SCRIPT
+
     config.vm.provision 'update-known_hosts', type: 'shell', privileged: false, reset: true, inline: <<-SCRIPT
         set -e -u -x -o pipefail
         ssh-keyscan -t ed25519 github.com >> ~/.ssh/known_hosts
     SCRIPT
 
-    # Start SSH agent and add SSH key to agent
-    config.vm.provision 'start-ssh-agent-at-boot', type: 'shell', privileged: false, inline: <<-SCRIPT
-        set -e -u -x -o pipefail
-        echo 'eval "$(ssh-agent -s)"' >> ~/.bashrc
-        echo 'ssh-add -l > /dev/null || ssh-add' >> ~/.bashrc
-    SCRIPT
-
     config.vm.provision 'chdir-to-dockerfile', type: 'shell', privileged: false, inline: <<-SCRIPT
         set -e -u -x -o pipefail
         echo 'cd /vagrant' >> ~/.bashrc
@@ -390,16 +397,27 @@ Vagrant.configure('2') do |config|
     config.trigger.after :up do |trigger|
         trigger.name = 'Start Containers'
         trigger.info = 'Starting Docker containers...'
-        trigger.run_remote = { privileged: false, inline: <<-SCRIPT
-            set -e -u -x -o pipefail
-            cd /vagrant
-            eval "$(ssh-agent -s)"
-            ssh-add -l > /dev/null || ssh-add
-            docker compose pull
-            docker compose build --pull
-            docker compose up --detach
-        SCRIPT
-        }
+        if settings.dig('ssh', 'forward_agent') == true
+            trigger.run_remote = { privileged: false, inline: <<-SCRIPT
+                set -e -u -x -o pipefail
+                cd /vagrant
+                docker compose pull
+                docker compose build --pull
+                docker compose up --detach
+            SCRIPT
+            }
+        else
+            trigger.run_remote = { privileged: false, inline: <<-SCRIPT
+                set -e -u -x -o pipefail
+                cd /vagrant
+                eval "$(ssh-agent -s)"
+                ssh-add -l > /dev/null || ssh-add
+                docker compose pull
+                docker compose build --pull
+                docker compose up --detach
+            SCRIPT
+            }
+        end
     end
     config.vm.post_up_message = 'Machine was booted. Docker is starting. To check use "docker compose logs -f pwa api".'
     if settings.dig('network', 'hostname') || settings.dig('network', 'ip')