Move everything out of the container filesystem

README.md

@@ -338,6 +338,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **24.11.24:** - Move sshd_config to /config/sshd/sshd_config.
 * **31.05.24:** - Rebase to Alpine 3.20.
 * **04.05.24:** - Display the SSH host public keys every time the container starts.
 * **09.03.24:** - Rebase to Alpine 3.19.

readme-vars.yml

@@ -72,6 +72,7 @@ app_setup_block: |
   The keys generated by this script are only displayed on your console output, so make sure to save them somewhere after generation.
 # changelog
 changelogs:
+  - {date: "24.11.24:", desc: "Move sshd_config to /config/sshd/sshd_config."}
   - {date: "31.05.24:", desc: "Rebase to Alpine 3.20."}
   - {date: "04.05.24:", desc: "Display the SSH host public keys every time the container starts."}
   - {date: "09.03.24:", desc: "Rebase to Alpine 3.19."}

root/etc/s6-overlay/s6-rc.d/init-adduser/run

@@ -1,7 +1,12 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-USER_NAME=${USER_NAME:-linuxserver.io}
+if [[ -n "$USER_NAME" ]] && [[ "$USER_NAME" != "abc" ]] && grep -q "^${USER_NAME}" /etc/passwd; then
+    echo "*** USER_NAME cannot be set to an user that already exists in /etc/passwd. Halting init. ***"
+    sleep infinity
+else
+    USER_NAME=${USER_NAME:-linuxserver.io}
+fi
 
 PUID=${PUID:-911}
 PGID=${PGID:-911}

root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run

@@ -3,7 +3,7 @@
 
 # create folders
 mkdir -p \
-    /config/{.ssh,ssh_host_keys,logs/openssh}
+    /config/{.ssh,logs/openssh,sshd}
 
 USER_NAME=${USER_NAME:-linuxserver.io}
 echo "User name is set to $USER_NAME"
@@ -30,15 +30,23 @@ fi
 USER_PASSWORD=${USER_PASSWORD:-$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c"${1:-8}";echo;)}
 echo "${USER_NAME}:${USER_PASSWORD}" | chpasswd
 
-# symlink out ssh config directory
-if [[ ! -L /etc/ssh ]]; then
-    if [[ ! -f /config/ssh_host_keys/sshd_config ]]; then
-        sed -i '/#PidFile/c\PidFile \/config\/sshd.pid' /etc/ssh/sshd_config
-        cp -a /etc/ssh/sshd_config /config/ssh_host_keys/
-    fi
-    rm -Rf /etc/ssh
-    ln -s /config/ssh_host_keys /etc/ssh
+# Migration
+if [[ -f /config/ssh_host_keys/sshd_config ]]; then
+    mv /config/ssh_host_keys/sshd_config /config/sshd/sshd_config
+    sed -i 's/Include \/etc\/ssh\/sshd_config.d\/\*.conf/#Include \/etc\/ssh\/sshd_config.d\/\*.conf/' /config/sshd/sshd_config
+    echo "This file has been moved to /config/sshd/sshd_config" > /config/ssh_host_keys/sshd_config_README
+fi
+
+if [[ ! -f /config/sshd/sshd_config ]]; then
+    sed -i '/#PidFile/c\PidFile \/config\/sshd.pid' /etc/ssh/sshd_config
+    sed -i 's/Include \/etc\/ssh\/sshd_config.d\/\*.conf/#Include \/etc\/ssh\/sshd_config.d\/\*.conf/' /etc/ssh/sshd_config
+    cp -a /etc/ssh/sshd_config /config/sshd/sshd_config
+fi
+
+if [[ ! -d /config/ssh_host_keys ]]; then
+    mkdir -p /config/ssh_host_keys
     ssh-keygen -A
+    cp /etc/ssh/ssh_host_* /config/ssh_host_keys
 fi
 
 # display SSH host public key(s)
@@ -47,32 +55,32 @@ cat /config/ssh_host_keys/ssh_host_*.pub
 
 # custom port
 if [[ -n "${LISTEN_PORT}" ]]; then
-    sed -i "s/^#Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /etc/ssh/sshd_config
-    sed -i "s/^Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /etc/ssh/sshd_config
+    sed -i "s/^#Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /config/sshd/sshd_config
+    sed -i "s/^Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /config/sshd/sshd_config
     echo "sshd is listening on port ${LISTEN_PORT}"
 else
-    sed -i "s/^#Port [[:digit:]]\+/Port 2222"/ /etc/ssh/sshd_config
-    sed -i "s/^Port [[:digit:]]\+/Port 2222"/ /etc/ssh/sshd_config
+    sed -i "s/^#Port [[:digit:]]\+/Port 2222"/ /config/sshd/sshd_config
+    sed -i "s/^Port [[:digit:]]\+/Port 2222"/ /config/sshd/sshd_config
     echo "sshd is listening on port 2222"
 fi
 
 # password access
 if [[ "$PASSWORD_ACCESS" == "true" ]]; then
-    sed -i '/^#PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
-    sed -i '/^PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
+    sed -i '/^#PasswordAuthentication/c\PasswordAuthentication yes' /config/sshd/sshd_config
+    sed -i '/^PasswordAuthentication/c\PasswordAuthentication yes' /config/sshd/sshd_config
     chown root:"${USER_NAME}" \
         /etc/shadow
     echo "User/password ssh access is enabled."
 else
-    sed -i '/^PasswordAuthentication/c\PasswordAuthentication no' /etc/ssh/sshd_config
+    sed -i '/^PasswordAuthentication/c\PasswordAuthentication no' /config/sshd/sshd_config
     chown root:root \
         /etc/shadow
     echo "User/password ssh access is disabled."
 fi
 
 # set umask for sftp
 UMASK=${UMASK:-022}
-sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /etc/ssh/sshd_config
+sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /config/sshd/sshd_config
 
 # set key auth in file
 if [[ ! -f /config/.ssh/authorized_keys ]]; then
@@ -133,10 +141,9 @@ chmod 700 \
 chmod 600 \
     /config/.ssh/authorized_keys
 
-# ssh_host_keys permissions
 lsiown -R root:"${USER_NAME}" \
-    /config/ssh_host_keys
+    /config/sshd
 chmod 750 \
-    /config/ssh_host_keys
+    /config/sshd
 chmod 640 \
-    /config/ssh_host_keys/*
+    /config/sshd/sshd_config

root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run

@@ -3,6 +3,10 @@
 
 USER_NAME=${USER_NAME:-linuxserver.io}
 
+for i in /config/ssh_host_keys/ssh_host_*_key; do
+    SSH_HOST_KEYS="${SSH_HOST_KEYS} -h ${i}"
+done
+
 exec 2>&1 \
     s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost ${LISTEN_PORT:-2222}" \
-        s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e
+        s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e -f /config/sshd/sshd_config ${SSH_HOST_KEYS}