лет назад: 3 · 0862bc8c04
--- a/README.md
+++ b/README.md
@@ -176,3 +176,103 @@ We use these environment variables:
 
				 | --- | --- | --- |
			
 
				 | RELAY | no | the IP address/DNS name of the machine running this container |
			
 
				 | ENCRYPTED_ONLY | yes | if set to **"1"** unencrypted connection will not be accepted |
			
 
				+| DB_URL | yes | path for database file |
			
 
				+| KEY_PUB | yes | public part of the key pair |
			
 
				+| KEY_PRIV | yes | private part of the key pair |
			
 
				+
			
 
				+### Secret management in S6-overlay based images
			
 
				+
			
 
				+You can obviously keep the key pair in a docker volume, but the best practices tells you to not write the keys on the filesystem; so we provide a couple of options.
			
 
				+
			
 
				+On container startup, the presence of the keypair is checked (`/data/id_ed25519.pub` and `/data/id_ed25519`) and if one of these keys doesn't exist, it's recreated from ENV variables or docker secrets.
			
 
				+
			
 
				+#### Use ENV to store the key pair
			
 
				+
			
 
				+You can use docker environment variables to store the keys. Just follow this examples:
			
 
				+
			
 
				+```bash
			
 
				+docker run --name rustdesk-server \ 
			
 
				+  --net=host \
			
 
				+  -e "RELAY=rustdeskrelay.example.com" \
			
 
				+  -e "ENCRYPTED_ONLY=1" \
			
 
				+  -e "DB_URL=/db/db_v2.sqlite3" \
			
 
				+  -e "KEY_PRIV=FR2j78IxfwJNR+HjLluQ2Nh7eEryEeIZCwiQDPVe+PaITKyShphHAsPLn7So0OqRs92nGvSRdFJnE2MSyrKTIQ==" \
			
 
				+  -e "KEY_PUB=iEyskoaYRwLDy5+0qNDqkbPdpxr0kXRSZxNjEsqykyE=" \
			
 
				+  -v "$PWD/db:/db" -d rustdesk/rustdesk-server-s6:latest
			
 
				+```
			
 
				+
			
 
				+```yaml
			
 
				+version: '3'
			
 
				+
			
 
				+services:
			
 
				+  rustdesk-server:
			
 
				+    container_name: rustdesk-server
			
 
				+    ports:
			
 
				+      - 21115:21115
			
 
				+      - 21116:21116
			
 
				+      - 21116:21116/udp
			
 
				+      - 21117:21117
			
 
				+      - 21118:21118
			
 
				+      - 21119:21119
			
 
				+    image: rustdesk/rustdesk-server-s6:latest
			
 
				+    environment:
			
 
				+      - "RELAY=rustdesk.example.com:21117"
			
 
				+      - "ENCRYPTED_ONLY=1"
			
 
				+      - "DB_URL=/db/db_v2.sqlite3"
			
 
				+      - "KEY_PRIV=FR2j78IxfwJNR+HjLluQ2Nh7eEryEeIZCwiQDPVe+PaITKyShphHAsPLn7So0OqRs92nGvSRdFJnE2MSyrKTIQ=="
			
 
				+      - "KEY_PUB=iEyskoaYRwLDy5+0qNDqkbPdpxr0kXRSZxNjEsqykyE="
			
 
				+    volumes:
			
 
				+      - ./db:/db
			
 
				+    restart: unless-stopped
			
 
				+```
			
 
				+
			
 
				+#### Use Docker secrets to store the key pair
			
 
				+
			
 
				+You can alternatively use docker secrets to store the keys.
			
 
				+This is useful if you're using **docker-compose** or **docker swarm**.
			
 
				+Just follow this examples:
			
 
				+
			
 
				+```bash
			
 
				+cat secrets/id_ed25519.pub | docker secret create key_pub -
			
 
				+cat secrets/id_ed25519 | docker secret create key_priv -
			
 
				+docker service create --name rustdesk-server \
			
 
				+  --secret key_priv --secret key_pub \
			
 
				+  --net=host \
			
 
				+  -e "RELAY=rustdeskrelay.example.com" \
			
 
				+  -e "ENCRYPTED_ONLY=1" \
			
 
				+  -e "DB_URL=/db/db_v2.sqlite3" \
			
 
				+  --mount "type=bind,source=$PWD/db,destination=/db" \
			
 
				+  rustdesk/rustdesk-server-s6:latest
			
 
				+```
			
 
				+
			
 
				+```yaml
			
 
				+version: '3'
			
 
				+
			
 
				+services:
			
 
				+  rustdesk-server:
			
 
				+    container_name: rustdesk-server
			
 
				+    ports:
			
 
				+      - 21115:21115
			
 
				+      - 21116:21116
			
 
				+      - 21116:21116/udp
			
 
				+      - 21117:21117
			
 
				+      - 21118:21118
			
 
				+      - 21119:21119
			
 
				+    image: rustdesk/rustdesk-server-s6:latest
			
 
				+    environment:
			
 
				+      - "RELAY=rustdesk.example.com:21117"
			
 
				+      - "ENCRYPTED_ONLY=1"
			
 
				+      - "DB_URL=/db/db_v2.sqlite3"
			
 
				+    volumes:
			
 
				+      - ./db:/db
			
 
				+    restart: unless-stopped
			
 
				+    secrets:
			
 
				+      - key_pub
			
 
				+      - key_priv
			
 
				+
			
 
				+secrets:
			
 
				+  key_pub:
			
 
				+    file: secrets/id_ed25519.pub
			
 
				+  key_priv:
			
 
				+    file: secrets/id_ed25519      
			
 
				+```
			
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -7,7 +7,8 @@ ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLA
 
				 RUN \
			
 
				   tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && \
			
 
				   tar -C / -Jxpf /tmp/s6-overlay-${S6_ARCH}.tar.xz && \
			
 
				-  rm /tmp/s6-overlay*.tar.xz
			
 
				+  rm /tmp/s6-overlay*.tar.xz && \
			
 
				+  ln -s /run /var/run
			
 
				 
			
 
				 COPY rootfs /
			
 
				 
			
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbr/dependencies
@@ -0,0 +1 @@
 
				+key-secret
			
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/hbbs/dependencies
@@ -1 +1,2 @@
 
				+key-secret
			
 
				 hbbr
			
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/type
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/type
@@ -0,0 +1 @@
 
				+oneshot
			
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up
@@ -0,0 +1 @@
 
				+/etc/s6-overlay/s6-rc.d/key-secret/up.real
			
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real
@@ -0,0 +1,35 @@
 
				+#!/command/with-contenv sh
			
 
				+
			
 
				+if [ ! -d /data ] ; then
			
 
				+  mkdir /data
			
 
				+fi
			
 
				+
			
 
				+# normal docker secrets
			
 
				+if [ ! -f /data/id_ed25519.pub ] && [ -r /run/secrets/key_pub ] ; then
			
 
				+  cp /run/secrets/key_pub /data/id_ed25519.pub
			
 
				+  echo "Public key created from secret"
			
 
				+fi
			
 
				+
			
 
				+if [ ! -f /data/id_ed25519 ] && [ -r /run/secrets/key_priv ] ; then
			
 
				+  cp /run/secrets/key_priv /data/id_ed25519
			
 
				+  echo "Private key created from secret"
			
 
				+fi
			
 
				+
			
 
				+# ENV variables
			
 
				+if [ ! -f /data/id_ed25519.pub ] && [ ! "$KEY_PUB" = "" ] ; then
			
 
				+  echo -n "$KEY_PUB" > /data/id_ed25519.pub
			
 
				+  echo "Public key created from ENV variable"
			
 
				+fi
			
 
				+
			
 
				+if [ ! -f /data/id_ed25519 ] && [ ! "$KEY_PRIV" = "" ] ; then
			
 
				+  echo -n "$KEY_PRIV" > /data/id_ed25519
			
 
				+  echo "Private key created from ENV variable"
			
 
				+fi
			
 
				+
			
 
				+# fix perms
			
 
				+if [ -f /data/id_ed25519.pub ] ; then
			
 
				+  chmod 600 /data/id_ed25519.pub 
			
 
				+fi
			
 
				+if [ -f /data/id_ed25519 ] ; then
			
 
				+  chmod 600 /data/id_ed25519
			
 
				+fi
			
--- a/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/key-secret
+++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/key-secret
		`@@ -0,0 +1 @@`
	1	`+/etc/s6-overlay/s6-rc.d/key-secret/up.real`