replace source env.sh with env.list (#76)

mmou · web-flow · commit c7b16b927952 · 2020-01-14T09:37:58.000-08:00
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,7 @@
 bin/
 keybaseca.config
 nohup.out
-env.sh
+env.list
 __pycache__
 
 # sphinx generated files:
diff --git a/docker/Dockerfile-ca b/docker/Dockerfile-ca
@@ -41,8 +41,9 @@ COPY --from=builder --chown=keybase:keybase /go/bin/keybase /usr/local/bin/
 COPY --from=builder --chown=keybase:keybase /go/bin/kbfsfuse /usr/local/bin/
 COPY --from=builder --chown=keybase:keybase /bot-sshca/bin/keybaseca bin/
 
-# copy in entrypoint scripts and env.sh
-COPY --chown=keybase:keybase ./docker ./
+# copy in entrypoint scripts
+COPY --chown=keybase:keybase ./docker/entrypoint-generate.sh ./
+COPY --chown=keybase:keybase ./docker/entrypoint-server.sh ./
 
 # Run container as root but only to be able to chown the Docker bind-mount, 
 # then immediatetly step down to the keybase user via sudo in the entrypoint scripts
diff --git a/docker/Makefile b/docker/Makefile
@@ -15,7 +15,7 @@ build: reset-permissions
 
 # Generate a new CA key
 generate: env-file-exists build
-	docker run -e FORCE_WRITE=$(FORCE_WRITE) -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-generate.sh
+	docker run -e FORCE_WRITE=$(FORCE_WRITE) --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-generate.sh
 	@echo -e "\nRun these commands on each server that you wish to use with the CA chatbot\n"
 	@echo "useradd developer && mkdir -p /home/developer && chown developer:developer /home/developer  # The user that will be used for non-root logins"
 	@echo "echo \"`cat $(CURDIR)/example-keybaseca-volume/keybase-ca-key.pub`\" > /etc/ssh/ca.pub"
@@ -27,14 +27,14 @@ generate: env-file-exists build
 
 # Start the CA chatbot in the background
 serve: env-file-exists ca-key-exists
-	docker run -d --restart unless-stopped -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-server.sh
+	docker run -d --restart unless-stopped --env-file ./env.list -v $(CURDIR)/example-keybaseca-volume:/mnt:rw ca:latest ./entrypoint-server.sh
 	@echo "Started CA bot service in the background... Use `docker ps` and `docker logs` to monitor it"
 
 # Stop the service
 stop:
 	docker kill `docker ps -q --filter ancestor=ca`
 
-# Restart the service (useful if you updated env.sh)
+# Restart the service (useful if you updated env.list)
 restart: stop serve
 
 # Wipe all data
@@ -52,9 +52,9 @@ reset-permissions:
 	# Avoid prompting for sudo unless the permissions actually need to be chnaged by piping find to xargs
 	find example-keybaseca-volume/ -not -user $$USER | xargs -I {} -- sudo chown -R $$USER {}
 
-# Asserts that env.sh exists
+# Asserts that env.list exists
 env-file-exists:
-	@test -e "env.sh" || (echo "You must create and fill in env.sh prior to running make" && exit 1)
+	@test -e "env.list" || (echo "You must create and fill in env.list prior to running make" && exit 1)
 
 # Assert that a CA key exists
 ca-key-exists:
diff --git a/docker/entrypoint-generate.sh b/docker/entrypoint-generate.sh
@@ -7,7 +7,6 @@ chown -R keybase:keybase /mnt
 
 # Run everything else as the keybase user
 sudo -i -u keybase bash << EOF
-source ./env.sh
 export "FORCE_WRITE=$FORCE_WRITE"
 nohup bash -c "KEYBASE_RUN_MODE=prod kbfsfuse /keybase | grep -v 'ERROR Mounting the filesystem failed' &"
 sleep 3
diff --git a/docker/entrypoint-server.sh b/docker/entrypoint-server.sh
@@ -7,7 +7,6 @@ chown -R keybase:keybase /mnt
 
 # Run everything else as the keybase user
 sudo -i -u keybase bash << EOF
-source ./env.sh
 nohup bash -c "KEYBASE_RUN_MODE=prod kbfsfuse /keybase | grep -v 'ERROR Mounting the filesystem failed' &"
 sleep 3
 keybase oneshot
diff --git a/docker/env.list.example b/docker/env.list.example
@@ -0,0 +1,7 @@
+# List the subteams here separated by commas (eg "teamname.ssh.production,teamname.ssh.staging") that you
+# wish to use to grant SSH access
+TEAMS="teamname.ssh.staging,teamname.ssh.production,..."
+
+# Login info for the chat bot
+KEYBASE_USERNAME="username_of_ca_bot"
+KEYBASE_PAPERKEY="paper key for the ca bot"
diff --git a/docker/env.sh.example b/docker/env.sh.example
diff --git a/docs/getting_started.md b/docs/getting_started.md
@@ -24,8 +24,8 @@ On a secured server (note that this server only needs docker installed) that you
 ```bash
 git clone git@github.com:keybase/bot-sshca.git
 cd bot-sshca/docker/
-cp env.sh.example env.sh
-nano env.sh         # Fill in the values including the previously generated paper key
+cp env.list.example env.list
+nano env.list       # Fill in the values including the previously generated paper key
 make generate       # Generate a new CA key
 ```
 
@@ -71,4 +71,5 @@ We recommend building kssh yourself and distributing the binary among your team
 If you update any environment variables, it is necessary to restart the keybaseca service. This can be done 
 by running `make restart`. Note that it is not required to re-run `make generate`. 
 
-Note that this means `kssh` will not work for a brief period of time while the container restarts. 
+Note that this means `kssh` will not work for a brief period of time while the container restarts.
+
