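---
# Compose stack: an sshpiper front door (the only service on the `frontend`
# network and the only published port) that routes SSH sessions to two sftp
# backends on the `internal` backend network. sshpiper discovers the backends
# through the Docker API, which it reaches via socket-proxy rather than the
# raw docker socket.
name: "ssh"

# Hardening shared by every service (merged in with `<<: *lockdown`).
x-lockdown: &lockdown
  # prevents write access to the image itself
  read_only: true
  # prevents any process within the container to gain more privileges
  security_opt:
    - "no-new-privileges=true"

services:
  sshpiper:
    depends_on:
      socket-proxy:
        # requires socket-proxy to ship a healthcheck; see its image README
        condition: "service_healthy"
        # restart sshpiper whenever socket-proxy is restarted
        restart: true
    image: "11notes/sshpiper:1.5.4"
    <<: *lockdown
    environment:
      TZ: "Europe/Zurich"
    command:
      - "docker"
      - "--"
      - "failtoban"
      - "--max-failures=3"
      - "--ban-duration=6h"
      # if using failtoban, ignore localhost or the healthcheck will be banned!
      - "--ignore-ip=127.0.0.1"
    ports:
      # the only port exposed to the outside world
      - "8022:22/tcp"
    volumes:
      # the proxied docker socket published by socket-proxy, not the real one
      - "socket-proxy.run:/var/run"
    networks:
      frontend:
      backend:
    secrets:
      - "ssh_host_key"
    sysctls:
      # allow rootless container to access ports < 1024
      net.ipv4.ip_unprivileged_port_start: 22
    restart: "always"

  socket-proxy:
    # for more information about this image checkout:
    # https://github.com/11notes/docker-socket-proxy
    image: "11notes/socket-proxy:2.1.6"
    <<: *lockdown
    # uid 0 with gid 103; presumably 103 is the host's docker group so the
    # read-only socket mount below is readable — confirm against the host
    user: "0:103"
    environment:
      TZ: "Europe/Zurich"
    volumes:
      # host docker socket, read-only; this is the only service that sees it
      - "/run/docker.sock:/run/docker.sock:ro"
      # filtered socket handed to sshpiper (mounted there at /var/run)
      - "socket-proxy.run:/run/proxy"
    restart: "always"

  sftp:
    # for more information about this image checkout:
    # https://github.com/11notes/docker-sftp
    image: "11notes/sftp:10.2"
    <<: *lockdown
    labels:
      # sshpiper routes the SSH user "foo" to this container
      - "sshpiper.username=foo"
    environment:
      TZ: "Europe/Zurich"
      SSH_USER: "foo"
      # fail at `compose up` instead of starting with an empty password when
      # the variable is missing from the environment / .env
      SSH_PASSWORD: "${SSH_PASSWORD:?SSH_PASSWORD must be set}"
    volumes:
      - "foo.var:/home"
    tmpfs:
      # writable scratch space needed because the root filesystem is read-only
      - "/run/ssh:uid=1000,gid=1000,size=1m"
    secrets:
      - "ssh_host_key"
    networks:
      backend:
    sysctls:
      net.ipv4.ip_unprivileged_port_start: 22
    restart: "always"

  sftp-key:
    # for more information about this image checkout:
    # https://github.com/11notes/docker-sftp
    image: "11notes/sftp:10.2"
    <<: *lockdown
    labels:
      # key-based routing; both values are required for sshpiper to reach
      # this backend, so an unset variable is an error rather than an empty
      # label. NOTE(review): labels are visible to anyone who can inspect the
      # container — confirm these carry paths/references, not key material.
      - "sshpiper.authorized_keys=${SFTP_AUTHORIZED_KEY:?SFTP_AUTHORIZED_KEY must be set}"
      - "sshpiper.private_key=${SFTP_PRIVATE_KEY:?SFTP_PRIVATE_KEY must be set}"
    environment:
      TZ: "Europe/Zurich"
      SSH_USER: "bar"
    volumes:
      - "bar.var:/home"
    tmpfs:
      - "/run/ssh:uid=1000,gid=1000,size=1m"
    secrets:
      - "ssh_host_key"
      - "authorized_keys"
    networks:
      backend:
    sysctls:
      net.ipv4.ip_unprivileged_port_start: 22
    restart: "always"

volumes:
  socket-proxy.run:
  # declared but not mounted by any service in this file
  sshpiper.var:
  foo.var:
  bar.var:

networks:
  frontend:
  backend:
    # no external connectivity; only reachable from sshpiper
    internal: true

secrets:
  # one host key shared by sshpiper and both sftp backends
  ssh_host_key:
    file: "./ssh_host_ed25519_key.txt"
  authorized_keys:
    file: "./authorized_keys.txt"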