feat: create ssh key for automation tasks

includes refactoring for build process

forge-pod.yml

@@ -7,9 +7,9 @@ metadata:
 spec:
   restartPolicy: Always
   volumes:
-    - name: ublue-os_forge-minica-pvc
+    - name: ublue-os_forge-certs-pvc
       persistentVolumeClaim:
-        claimName: ublue-os_forge-minica
+        claimName: ublue-os_forge-certs
 
     - name: ublue-os_forge-registry-pvc
       persistentVolumeClaim:
@@ -28,7 +28,7 @@ spec:
           cpu: 200m
       volumeMounts:
         - mountPath: /certs
-          name: ublue-os_forge-minica-pvc
+          name: ublue-os_forge-certs-pvc
       ports:
         - containerPort: 443
           hostPort: 443
@@ -42,7 +42,7 @@ spec:
           cpu: 200m
       volumeMounts:
         - mountPath: /certs
-          name: ublue-os_forge-minica-pvc
+          name: ublue-os_forge-certs-pvc
           subPath: _.ublue.local
         - mountPath: /var/lib/registry
           name: ublue-os_forge-registry-pvc
@@ -59,12 +59,21 @@ spec:
       volumeMounts:
         - mountPath: /var/lib/semaphore
           name: ublue-os_forge-semaphore-pvc
+        - mountPath: /certs
+          subPath: ssh
+          name: ublue-os_forge-certs-pvc
+          readOnly: true
       ports:
         - containerPort: 3000
           protocol: TCP
 
     - name: setup.ublue.local
       image: setup
+      volumeMounts:
+        - mountPath: /certs
+          subPath: ssh
+          name: ublue-os_forge-certs-pvc
+          readOnly: true
       resources:
         limits:
           memory: 512Mi
@@ -75,4 +84,4 @@ spec:
       image: minica
       volumeMounts:
         - mountPath: /certs
-          name: ublue-os_forge-minica-pvc
+          name: ublue-os_forge-certs-pvc

minica/Containerfile

@@ -1,10 +1,13 @@
 # Source Image
 FROM docker.io/library/golang:1.20
 
+# Copy script
+WORKDIR /certs
+COPY certificates.sh .
+RUN chmod +x ./certificates.sh
+
 # Install minica
 RUN go install github.com/jsha/minica@latest
 
-# Generate wildcard certificate
+# Container start command
-WORKDIR /certs
+CMD ["/certs/certificates.sh"]
-RUN minica --domains "*.ublue.local,ublue.local,localhost" \
-    --ip-addresses 127.0.0.1

minica/certificates.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+## Create SSH keys and certificates for uBlue-OS Forge
+
+CERTIFICATE_DIRECTORY="/certs"
+SSH_KEY_NAME="ublue-os_forge-id_ed25519"
+TLS_ROOT_CERTIFICATE_NAME="ublue-os_forge-root"
+
+if [ ! -f ${CERTIFICATE_DIRECTORY}/ssh/${SSH_KEY_NAME} ];
+then
+    echo "uBlue Forge SSH key not present. Creating new key..."
+    mkdir ${CERTIFICATE_DIRECTORY}/ssh -p
+    mkdir ${CERTIFICATE_DIRECTORY}/tls -p
+    # Generate SSH key
+    ssh-keygen -o -a 100 -t ed25519 -f ${CERTIFICATE_DIRECTORY}/ssh/${SSH_KEY_NAME} -C "forge@ublue.local"
+else
+    echo "Existing uBlue Forge SSH key found. Nothing to do..."
+fi
+
+# Creating TLS certificates
+echo "Creating / Updating TLS certificate..."
+minica --domains "*.ublue.local,ublue.local,localhost" --ip-addresses 127.0.0.1 -ca-cert "${CERTIFICATE_DIRECTORY}/tls/${TLS_ROOT_CERTIFICATE_NAME}.pem" -ca-key "${CERTIFICATE_DIRECTORY}/tls/${TLS_ROOT_CERTIFICATE_NAME}-key.pem"

rvproxy/Caddyfile

@@ -16,7 +16,7 @@
                 reverse_proxy ublue-os_forge-registry.ublue.local:5000 {
                         transport http {
                                 tls
-                                tls_trusted_ca_certs /certs/minica.pem
+                                tls_trusted_ca_certs /certs/tls/ublue-os_forge-root.pem
                         }
                 }
         }

setup/Containerfile

@@ -1,11 +1,11 @@
 # Source Image
 FROM docker.io/library/python:alpine3.17
 
-# Install forge setup project
+# Install ansible setup project
-COPY ./ansible /ansible
-RUN pip3 install -r /ansible/requirements.txt
-RUN chmod +x /ansible/startup.sh
-
-# Run starup script
 WORKDIR /ansible
-CMD ["./startup.sh"]
+COPY ./ansible .
+RUN pip3 install -r ./requirements.txt
+RUN chmod +x ./startup.sh
+
+# Container start command
+CMD ["/ansible/startup.sh"]