do some major refactoring and add a lot more features

entrypoint.sh

@@ -1,26 +1,163 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
-if [ "${ROOT_PASSWORD}" == "root" ] || [ -z "${ROOT_PASSWORD}" ]; then
-    export ROOT_PASSWORD="$(hexdump -e '"%02x"' -n 16 /dev/urandom)"
-    echo "Successfully generated a random password for root"
+set -e
+
+# enable debug mode if desired
+if [ "${DEBUG}" = "true" ]; then 
+    set -x
 fi
 
-echo "root:${ROOT_PASSWORD}" | chpasswd
+log() {
+    LEVEL="${1}"
+    TO_LOG="${2}"
+
+    WHITE='\033[1;37m'
+    YELLOW='\033[1;33m'
+    RED='\033[1;31m'
+    NO_COLOR='\033[0m'
+
+    if [ "${LEVEL}" = "warning" ]; then
+        LOG_LEVEL="${YELLOW}WARN${NO_COLOR}"
+    elif [ "${LEVEL}" = "error" ]; then
+        LOG_LEVEL="${RED}ERROR${NO_COLOR}"
+    else
+        LOG_LEVEL="${WHITE}INFO${NO_COLOR}"
+        if [ -z "${TO_LOG}" ]; then
+            TO_LOG="${1}"
+        fi
+    fi
+
+    echo -e "[${LOG_LEVEL}] ${TO_LOG}"
+}
+
+ensure_mod() {
+    FILE="${1}"
+    MOD="${2}"
+    U_ID="${3}"
+    G_ID="${4}"
+
+    chmod "${MOD}" "${FILE}"
+    chown "${U_ID}"."${G_ID}" "${FILE}"
+}
+
+generate_passwd() {
+    hexdump -e '"%02x"' -n 16 /dev/urandom
+}
+
+# ensure backward comaptibility for earlier versions of this image
+if [ -n "${KEYPAIR_LOGIN}" ] && [ "${KEYPAIR_LOGIN}" = "true" ]; then
+    ROOT_KEYPAIR_LOGIN_ENABLED="${KEYPAIR_LOGIN}"
+fi
+if [ -n "${ROOT_PASSWORD}" ]; then
+    ROOT_LOGIN_UNLOCKED="true"
+fi
+
+# enable root login if keypair login is enabled
+if [ "${ROOT_KEYPAIR_LOGIN_ENABLED}" = "true" ]; then
+    ROOT_LOGIN_UNLOCKED="true"
+fi
+
+# initiate default sshd-config if there is none available
+if ! find "/etc/ssh" -mindepth 1 -print -quit 2>/dev/null | grep -q .; then
+    cp -a "${CACHED_SSH_DIRECTORY}"/* /etc/ssh/.
+fi
+rm -rf "${CACHED_SSH_DIRECTORY}"
 
 # generate host keys if not present
-ssh-keygen -A
+ssh-keygen -A 1>/dev/null
+
+log "Applying configuration for 'root' user ..."
+
+if [ "${ROOT_LOGIN_UNLOCKED}" = "true" ] ; then
+
+    # generate random root password
+    if [ -z "${ROOT_PASSWORD}" ]; then
+        log "    generating random password for user 'root'"
+        ROOT_PASSWORD="$(generate_passwd)"
+    fi
+
+    echo "root:${ROOT_PASSWORD}" | chpasswd >/dev/null 2>&1
+    log "    password for user 'root' set"
+    log "warning" "    user 'root' is now UNLOCKED"
+
+    # set root login mode by password or keypair
+    if [ "${ROOT_KEYPAIR_LOGIN_ENABLED}" = "true" ] && [ -f "${HOME}/.ssh/authorized_keys" ] ; then
+        sed -i "s/#PermitRootLogin.*/PermitRootLogin without-password/" /etc/ssh/sshd_config
+        sed -i "s/#PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
+        ensure_mod "${HOME}/.ssh/authorized_keys" "0600" "root" "root"
+        log "    enabled login by keypair and disabled password-login for user 'root'"
+    else
+        sed -i "s/#PermitRootLogin.*/PermitRootLogin\ yes/" /etc/ssh/sshd_config
+        log "    enabled login by password for user 'root'"
+    fi
 
-# set root login mode by password or keypair
-if [ "${KEYPAIR_LOGIN}" = "true" ] && [ -f "${HOME}/.ssh/authorized_keys" ] ; then
-    sed -i "s/#PermitRootLogin.*/PermitRootLogin without-password/" /etc/ssh/sshd_config
-    sed -i "s/#PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
-    chmod 600 "${HOME}/.ssh/authorized_keys"
-    chown root.root "${HOME}/.ssh/authorized_keys"
-    echo "Enabled root-login by keypair and disabled password-login"
 else
-    sed -i s/#PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config
-    echo "Enabled root-login by password"
+
+    sed -i "s/#PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config
+    log "    disabled login for user 'root'"
+    log "    user 'root' is now LOCKED"
+
 fi
 
+printf "\n" ""
+
+log "Applying configuration for additional users ..."
+
+if [ ! -x "${USER_LOGIN_SHELL}" ]; then
+    log "error" "    can not allocate desired shell '${USER_LOGIN_SHELL}', falling back to '${USER_LOGIN_SHELL_FALLBACK}' ..."
+    USER_LOGIN_SHELL="${USER_LOGIN_SHELL_FALLBACK}"
+fi
+
+log "    desired shell is ${USER_LOGIN_SHELL}"
+
+
+if [ -n "${SSH_USERS}" ]; then
+
+    IFS=","
+    for USER in ${SSH_USERS}; do
+
+        log "    '${USER}'"
+
+        USER_NAME="$(echo "${USER}" | cut -d ':' -f 1)"
+        USER_UID="$(echo "${USER}" | cut -d ':' -f 2)"
+        USER_GID="$(echo "${USER}" | cut -d ':' -f 3)"
+
+        if [ -z "${USER_NAME}" ] || [ -z "${USER_UID}" ] || [ -z "${USER_GID}" ]; then
+            log "error" "        skipping invalid data '${USER_NAME}' - UID: '${USER_UID}' GID: '${USER_GID}'"
+            continue
+        fi
+    
+        getent group "${USER_GID}" >/dev/null 2>&1 || addgroup -g "${USER_GID}" "${USER_NAME}"
+        getent passwd "${USER_NAME}" >/dev/null 2>&1 || adduser -s "${USER_LOGIN_SHELL}" -D -u "${USER_UID}" -G "${USER_NAME}" "${USER_NAME}"
+        passwd -u "${USER_NAME}" >/dev/null 2>&1
+        mkdir -p "/home/${USER_NAME}/.ssh"
+
+        log "        user '${USER_NAME}' created - UID: '${USER_UID}' GID: '${USER_GID}'"
+
+        MOUNTED_AUTHORIZED_KEYS="${AUTHORIZED_KEYS_VOLUME}/${USER_NAME}"
+        LOCAL_AUTHORIZED_KEYS="/home/${USER_NAME}/.ssh/authorized_keys"
+
+        if [ ! -e "${MOUNTED_AUTHORIZED_KEYS}" ]; then
+            log "warning" "        no SSH authorized_keys found for user '${USER_NAME}'"
+        else
+            cp "${MOUNTED_AUTHORIZED_KEYS}" "${LOCAL_AUTHORIZED_KEYS}"
+            log "        copied ${MOUNTED_AUTHORIZED_KEYS} to ${LOCAL_AUTHORIZED_KEYS}"
+            ensure_mod "${LOCAL_AUTHORIZED_KEYS}" "0600" "${USER_NAME}" "${USER_GID}"
+            log "        set mod 0600 on ${LOCAL_AUTHORIZED_KEYS}"
+        fi
+
+        printf "\n" ""
+
+    done
+    unset IFS
+
+else
+
+    log "    no additional SSH-users set"
+
+fi
+
+echo ""
+
 # do not detach (-D), log to stderr (-e), passthrough other arguments
-exec /usr/sbin/sshd -D -e "$@"
+exec /usr/sbin/sshd -D -e "$@"