switch base to dind

v1nsai · Dec 8, 2024 · 9d38f32 · 9d38f32
1 parent 8015cdf
commit 9d38f32
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 6 deletions.
diff --git a/apps/services/devbox/app/deployment.yaml b/apps/services/devbox/app/deployment.yaml
@@ -18,21 +18,41 @@ spec:
         kubernetes.io/hostname: bigrig
       containers:
       - name: devbox
-        image: ubuntu:24.04
+        # image: ubuntu:24.04
+        image: docker:dind
+      lifecycle:
+        postStart:
+          exec:
+            command: ["/bin/bash", "-c", "/postinstall.sh"]
+        environment:
+          - name: USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: ssh-pubkey
+                key: username
         ports:
         - containerPort: 22
         command: ["/bin/sleep", "infinity"]
         volumeMounts:
-        - mountPath: /home/ubuntu
+        - mountPath: /home
           name: devbox-home
-        - mountPath: /home/ubuntu/.ssh
+        - mountPath: /authorized_keys
           name: ssh-pubkey
           readOnly: true
+        - mountPath: /postinstall.sh
+          name: postinstall
+          readOnly: true
       volumes:
       - name: devbox-home
         persistentVolumeClaim:
           claimName: devbox-home
       - name: ssh-pubkey
         secret:
           secretName: ssh-pubkey
-          secretKey: authorized_keys
+          secretKey: authorized_keys
+      - name: postinstall
+        configMap:
+          name: postinstall
+          items:
+            - key: postinstall.sh
+              path: postinstall.sh
diff --git a/apps/services/devbox/app/secrets.sh b/apps/services/devbox/app/secrets.sh
@@ -5,6 +5,13 @@ source apps/services/devbox/.env
 
 kubectl create secret generic ssh-pubkey \
     --namespace=devbox \
-    --from-literal=authorized_keys="$SSH_PUBKEY" \
+    --from-literal=username="$USERNAME" \
+    --from-literal=authorized_keys="$AUTHORIZED_KEYS" \
     --dry-run=client -o yaml | \
-kubeseal --format=yaml --cert=./.sealed-secrets.pub > ./apps/services/devbox/app/sealed-secrets.yaml
+kubeseal --format=yaml --cert=./.sealed-secrets.pub > ./apps/services/devbox/app/sealed-secrets.yaml
+
+# create configmap for the postinstal.sh script
+kubectl create configmap postinstall \
+    --namespace=devbox \
+    --from-file=postinstall.sh=./apps/services/devbox/files/postinstall.sh \
+    --dry-run=client -o yaml > ./apps/services/devbox/app/configmap.yaml
diff --git a/apps/services/devbox/files/postinstall.sh b/apps/services/devbox/files/postinstall.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+# if the file /postinstall-has-run exists, then the postinstall script has already run and exit gracefully
+if [ -f /postinstall-has-run ]; then
+    exit 0
+fi
+
+apt update
+apt install -y openssh-server vim unminimize sudo nnn git
+unminimize
+
+# ssh
+echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+service ssh restart
+
+# user
+adduser --disabled-password --gecos "" $USERNAME
+echo "$USERNAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+cp /authorized_keys /home/$USERNAME/.ssh/authorized_keys
+chown $USERNAME:$USERNAME /home/$USERNAME/.ssh/authorized_keys
+chmod 600 /home/$USERNAME/.ssh/authorized_keys
+
+# node 
+
+
+
+# If everything runs successfully, don't bother running next startup
+touch /postinstall-has-run