Reorganize files for goreleaser
Also limit Docker build to tag pushes
iBug committed Aug 13, 2024
1 parent 883bd0d commit d9e8d80
Showing 8 changed files with 119 additions and 40 deletions.
29 changes: 20 additions & 9 deletions .github/workflows/build.yml
Expand Up @@ -4,15 +4,20 @@ on:
- push
- pull_request

concurrency:
cancel-in-progress: true
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}

jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version: ^1.21
go-version: stable
check-latest: true
id: go
- uses: actions/checkout@v4
- name: Get dependencies
Expand All @@ -27,22 +32,29 @@ jobs:
env:
CGO_ENABLED: 0
- name: Test
run: |
sudo rm -rf /etc/ssh/sshd_config.d/*.conf
make test
run: make test
env:
CGO_ENABLED: 0
- name: Create GitHub Release
- uses: goreleaser/goreleaser-action@v6
if: startsWith(github.ref, 'refs/tags/')
with:
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Add additional GitHub Release assets
if: startsWith(github.ref, 'refs/tags/')
id: upload-release-asset
uses: softprops/action-gh-release@v1
with:
files: |
sshmux
config.example.json
sshmux.service
etc/config.example.json
etc/sshmux.service
docker:
name: Docker
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
steps:
- name: Compute Docker metadata
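
Review bot: the goreleaser step receives `GITHUB_TOKEN` and publishes the release, yet both the action (`goreleaser/goreleaser-action@v6`) and the tool (`version: latest`) float. Pin `version` to the major that matches `version: 2` in `.goreleaser.yaml` (for example `~> v2`), and reference this action and `softprops/action-gh-release@v1` by full commit SHA so that a moved upstream tag cannot change what runs with the release token. The step also has no `name:`, unlike the named steps around it, which makes the run log harder to read.
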
Expand All @@ -60,7 +72,6 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GHCR
if: startsWith(github.ref, 'refs/tags/')
uses: docker/login-action@v3
with:
registry: ghcr.io
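
Review bot: dropping the step-level `if: startsWith(github.ref, 'refs/tags/')` from Login to GHCR is consistent only because the whole `docker` job is now gated on tags, and that gate means branch pushes and pull requests no longer exercise the image build at all. A broken Docker build would first surface while cutting a release. Consider keeping the job on every push and gating only the registry login and the push.
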
54 changes: 54 additions & 0 deletions .goreleaser.yaml
@@ -0,0 +1,54 @@
version: 2
before:
hooks:
- go mod tidy
builds:
- id: sshmux
binary: sshmux
env:
- CGO_ENABLED=0
main: .
goos:
- linux
goarch:
- amd64
flags:
- -trimpath
ldflags:
- -s -w
archives:
- format: binary
name_template: "{{ .Binary }}_{{ .Os }}_{{ .Arch }}"
checksum:
name_template: 'checksums.txt'
snapshot:
name_template: "{{ incpatch .Version }}-next"
changelog:
use: github-native
nfpms:
- id: default
package_name: sshmux
homepage: https://github.com/USTC-vlab/sshmux
maintainer: "USTC Vlab Team <[email protected]>"
description: |-
A reverse proxy for SSH
formats:
- deb
umask: 0o022
section: admin
priority: extra
scripts:
postinstall: etc/postinst.sh
preremove: etc/prerm.sh
contents:
- src: README.md
dst: /usr/share/doc/sshmux/
- src: etc/config.example.json
dst: /etc/sshmux/
- src: etc/sshmux.service
dst: /lib/systemd/system/


# modelines, feel free to remove those if you don't want/use them:
# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
# vim: set ts=2 sw=2 tw=0 fo=cnqoj
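
Review bot: under `nfpms.contents`, nothing sets ownership or mode for `/etc/sshmux/`, although `etc/sshmux.service` expects the real `config.json` in that directory and the README documents that file as holding the API `token`. Add an explicit `type: dir` entry for `/etc/sshmux` with a restrictive `file_info.mode`, and state in the README which mode `config.json` should have, so the package does not leave the secret's location at default permissions. The example file installed under `/etc` should also either be marked `type: config` or move to `/usr/share/doc/sshmux/` next to the README.
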
36 changes: 18 additions & 18 deletions README.md
Expand Up @@ -16,22 +16,22 @@ You can perform unit tests with `go test` or `make test`. Enable verbose logging

The table below shows the available options for `sshmux`:

| Key | Type | Description | Required | Example |
|-------------|------------|--------------------------------------------------------------------|----------|------------------------------------|
| `address` | `string` | TCP host and port that `sshmux` will listen on. | `true` | `"0.0.0.0:8022"` |
| `host-keys` | `[]string` | Paths to SSH host key files with which `sshmux` identifies itself. | `true` | `["/sshmux/ssh_host_ed25519_key"]` |
| `api` | `string` | HTTP address that `sshmux` shall interact with. | `true` | `"http://127.0.0.1:5000/ssh"` |
| `token` | `string` | Token used to authenticate with the API endpoint. | `true` | `"long-and-random-token"` |
| `banner` | `string` | SSH banner to send to downstream. | `false` | `"Welcome to Vlab\n"` |
| `logger` | `string` | UDP host and port that `sshmux` send log messages to. | `false` | `"127.0.0.1:5556"` |
| `proxy-protocol-allowed-cidrs` | `[]string` | CIDRs from which [PROXY protocol](https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address) is allowed. | `false` | `["127.0.0.22/32"]` |
| Key | Type | Description | Required | Example |
| ------------------------------ | ---------- | ----------------------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------------- |
| `address` | `string` | TCP host and port that `sshmux` will listen on. | `true` | `"0.0.0.0:8022"` |
| `host-keys` | `[]string` | Paths to SSH host key files with which `sshmux` identifies itself. | `true` | `["/sshmux/ssh_host_ed25519_key"]` |
| `api` | `string` | HTTP address that `sshmux` shall interact with. | `true` | `"http://127.0.0.1:5000/ssh"` |
| `token` | `string` | Token used to authenticate with the API endpoint. | `true` | `"long-and-random-token"` |
| `banner` | `string` | SSH banner to send to downstream. | `false` | `"Welcome to Vlab\n"` |
| `logger` | `string` | UDP host and port that `sshmux` send log messages to. | `false` | `"127.0.0.1:5556"` |
| `proxy-protocol-allowed-cidrs` | `[]string` | CIDRs from which [PROXY protocol](https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address) is allowed. | `false` | `["127.0.0.22/32"]` |

### Advanced Config

The table below shows extra options for `sshmux`, mainly for authentication with Vlab backends:

| Key | Type | Description | Example |
|----------------------------|------------|----------------------------------------------------------------------------|------------------------------|
| -------------------------- | ---------- | -------------------------------------------------------------------------- | ---------------------------- |
| `recovery-token` | `string` | Token used to authenticate with the recovery backend. Defaults to `token`. | `"long-and-random-token"` |
| `recovery-server` | `string` | SSH host and port of the recovery server. | `"172.30.0.101:2222"` |
| `recovery-username` | `[]string` | Usernames dedicated to the recovery server. | `["recovery", "console"]` |
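
Review bot: the table realignment in README.md is unrelated to the goreleaser reorganization and accounts for all 36 changed lines in that file; split it into its own commit so the functional change stays easy to audit. Since the `logger` row is rewritten anyway, "`sshmux` send log messages" should read "sends".
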
Expand All @@ -49,7 +49,7 @@ All of these options can be omitted, if the corresponding feature is not intende
The API accepts JSON input with the following keys:

| Key | Type | Description |
|-------------------|----------|----------------------------------------------------------------------------------------------------------|
| ----------------- | -------- | -------------------------------------------------------------------------------------------------------- |
| `auth_type` | `string` | The authentication type. Always set to `"key"` at the moment. |
| `username` | `string` | Vlab username. Omitted if the user is authenticating with public key. |
| `password` | `string` | Vlab password. Omitted if the user is authenticating with public key. |
Expand All @@ -60,13 +60,13 @@ The API accepts JSON input with the following keys:

The API responds with JSON output with the following keys:

| Key | Type | Description |
|------------------|-----------|----------------------------------------------------------------------------------------------------------------------|
| `status` | `string` | The authentication status. Should be `"ok"` if the user is authorized. |
| `address` | `string` | TCP host and port of the downstream SSH server the user is requesting for. |
| `private_key` | `string` | SSH private key to authenticate for the downstream. |
| `cert` | `string` | The certificate associated with the SSH private key. |
| `vmid` | `integer` | ID of the requested VM. Only used for recovery access. |
| Key | Type | Description |
| ---------------- | --------- | ---------------------------------------------------------------------------------------------------------------- |
| `status` | `string` | The authentication status. Should be `"ok"` if the user is authorized. |
| `address` | `string` | TCP host and port of the downstream SSH server the user is requesting for. |
| `private_key` | `string` | SSH private key to authenticate for the downstream. |
| `cert` | `string` | The certificate associated with the SSH private key. |
| `vmid` | `integer` | ID of the requested VM. Only used for recovery access. |
| `proxy_protocol` | `integer` | PROXY protocol version to use for the downstream. Should be `1`, `2` or omitted (which disables PROXY protocol). |

Note that if the user is not authorized, the API server should return a `status` other than `"ok"`, and other keys can be safely ommitted.
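
Review bot: the response table documents `private_key` being returned over the `api` endpoint, whose only example in the options table is plain `http://127.0.0.1:5000/ssh`, and nothing here tells operators what to do when the API is not on loopback. A sentence recommending loopback or HTTPS for `api` would close that gap. The trailing note also misspells "omitted" as "ommitted".
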
File renamed without changes.
7 changes: 7 additions & 0 deletions etc/postinst.sh
@@ -0,0 +1,7 @@
#!/bin/sh

# Only run when systemd is running
[ -d /run/systemd ] || exit 0

systemctl daemon-reload
systemctl enable sshmux.service
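
Review bot: `systemctl enable sshmux.service` at the end of postinst never starts or restarts the unit, so after a package upgrade the new binary is not the one serving connections until someone intervenes. dpkg calls postinst with `configure` and the previously configured version in `$2`; when `$2` is non-empty, add `systemctl try-restart sshmux.service`. The script also lacks `set -e`, so a failing `systemctl daemon-reload` goes unnoticed.
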
6 changes: 6 additions & 0 deletions etc/prerm.sh
@@ -0,0 +1,6 @@
#!/bin/sh

# Only run when systemd is running
[ -d /run/systemd ] || exit 0

systemctl disable --now sshmux.service
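
Review bot: `systemctl disable --now sshmux.service` runs on every prerm invocation, and dpkg also calls prerm with `upgrade`, so upgrading the package stops and disables the proxy. `etc/postinst.sh` then re-enables it but does not start it, which leaves SSH access down until a manual start or a reboot. Guard the command so it only runs when `$1` is `remove`.
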
14 changes: 14 additions & 0 deletions etc/sshmux.service
@@ -0,0 +1,14 @@
[Unit]
Description=A reverse proxy for SSH
StartLimitIntervalSec=0
ConditionPathExists=/etc/sshmux/config.json

[Service]
Type=exec
ExecStart=/usr/bin/sshmux -c /etc/sshmux/config.json
WorkingDirectory=/etc/sshmux/
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
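
Review bot: the `[Service]` section sets no `User=` and no sandboxing, so this network-facing proxy runs as root with full filesystem access, even though the README's example listen address (`0.0.0.0:8022`) needs no privileged port. Run it under a dedicated account (`User=`/`Group=`) and add hardening such as `NoNewPrivileges=yes`, `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes`. The host key files and `/etc/sshmux/config.json` then need to be readable by that account and by nobody else.
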
13 changes: 0 additions & 13 deletions sshmux.service

This file was deleted.
