diff --git a/build.sh b/build.sh
index 054c59f..a70ce85 100755
--- a/build.sh
+++ b/build.sh
@@ -85,7 +85,6 @@ GATEWAY_PUBLIC_DOMAIN=
 # for certbot
 CERTBOT_ENABLED=false
 CF_API_TOKEN=
-CF_ZONE_ID=
 ACME_URL=https://acme-staging-v02.api.letsencrypt.org/directory
 EOF
 if [ -f $CONFIG_FILE ]; then
@@ -113,7 +112,10 @@ EOF
 build_host() {
 echo "Building binaries"
 (cd $DSTACK_DIR && cargo build --release --target-dir ${RUST_BUILD_DIR})
- cp ${RUST_BUILD_DIR}/release/{dstack-gateway,dstack-kms,dstack-vmm,supervisor} .
+ for bin in dstack-gateway dstack-kms dstack-vmm supervisor; do
+ cp "${RUST_BUILD_DIR}/release/${bin}" ".${bin}.new"
+ mv -f ".${bin}.new" "./${bin}"
+ done
 }
 
 # Step 2: build guest images
@@ -221,8 +223,6 @@ workdir = "$CERBOT_WORKDIR"
 acme_url = "$ACME_URL"
 # Cloudflare API token
 cf_api_token = "$CF_API_TOKEN"
-# Cloudflare zone ID
-cf_zone_id = "$CF_ZONE_ID"
 # Auto set CAA record
 auto_set_caa = true
 # Domain to issue certificates for
diff --git a/dstack b/dstack
index 7bf1843..3917376 160000
--- a/dstack
+++ b/dstack
@@ -1 +1 @@
-Subproject commit 7bf1843a8ddf877fbaebb9898a7f27a19a49ab73
+Subproject commit 3917376cbef1919041809088c3f587e2380a8673
diff --git a/meta-dstack/recipes-connectivity/openssh/files/disable-password-auth.conf b/meta-dstack/recipes-connectivity/openssh/files/disable-password-auth.conf
new file mode 100644
index 0000000..47963f2
--- /dev/null
+++ b/meta-dstack/recipes-connectivity/openssh/files/disable-password-auth.conf
@@ -0,0 +1,8 @@
+# Disable all password-based authentication
+PasswordAuthentication no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
+
+# Only allow public key authentication
+PubkeyAuthentication yes
+PermitRootLogin prohibit-password
diff --git a/meta-dstack/recipes-connectivity/openssh/openssh_%.bbappend b/meta-dstack/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..81a2e54
--- /dev/null
+++ b/meta-dstack/recipes-connectivity/openssh/openssh_%.bbappend
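Review bot: In the new loop in `build_host`, `mv -f` runs even when the preceding `cp` failed, so unless the script runs under `set -e` (not visible in this hunk) a half-written `.${bin}.new`, including one left behind by an earlier interrupted run, can be moved into place as the live binary. Stop on the first error in each step: `cp -- "${RUST_BUILD_DIR}/release/${bin}" ".${bin}.new" || return 1` followed by `mv -f -- ".${bin}.new" "./${bin}" || return 1`. The `cargo build` subshell on the context line above has the same gap: if its status is not checked, the loop would install whatever older artifacts already sit in the target directory.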
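Review bot: The comments in `disable-password-auth.conf` leave out two facts that decide whether the file does what its header says. sshd keeps the first value it obtains for each keyword, so these directives only win if the main `sshd_config` reads `sshd_config.d/*.conf` before any conflicting `PasswordAuthentication` or `PermitRootLogin` line. `PermitRootLogin prohibit-password` also leaves root login by public key enabled, which should be stated as intentional. I would add `# Must be read before any conflicting directive: sshd keeps the first value per keyword` at the top and `# root may still log in with a public key` above the last line.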
@@ -0,0 +1,10 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://disable-password-auth.conf"
+
+do_install:append() {
+ install -d ${D}${sysconfdir}/ssh/sshd_config.d
+ install -m 0644 ${UNPACKDIR}/disable-password-auth.conf ${D}${sysconfdir}/ssh/sshd_config.d/
+}
+
+FILES:${PN}-sshd += "${sysconfdir}/ssh/sshd_config.d/"
diff --git a/meta-dstack/recipes-core/images/dstack-rootfs-base.inc b/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
index 4f4acc1..1acf99a 100644
--- a/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
+++ b/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
@@ -142,11 +142,4 @@ mkdirs() {
 mkdir -p ${IMAGE_ROOTFS}/etc/wireguard
 mkdir -p ${IMAGE_ROOTFS}/var/lib/docker
 ln -sf dstack ${IMAGE_ROOTFS}/tapp
-
- # Aliases passwd files to a subdirectory
- mkdir -p ${IMAGE_ROOTFS}/etc/users
- mv ${IMAGE_ROOTFS}/etc/passwd ${IMAGE_ROOTFS}/etc/users/
- mv ${IMAGE_ROOTFS}/etc/shadow ${IMAGE_ROOTFS}/etc/users/
- ln -s users/passwd ${IMAGE_ROOTFS}/etc/passwd
- ln -s users/shadow ${IMAGE_ROOTFS}/etc/shadow
 }
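Review bot: `do_install:append` in `openssh_%.bbappend` ships the drop-in without checking that the installed `sshd_config` actually includes `sshd_config.d`. If the base recipe's config ever loses that `Include` line, the image would silently fall back to sshd's defaults for password authentication. A build-time guard in the same function would turn that into a failed build, for example `grep -q '^Include.*sshd_config\.d' ${D}${sysconfdir}/ssh/sshd_config || bbfatal "sshd_config does not include sshd_config.d"`. Whether the base openssh recipe already guarantees the line, and that its config lands at that path, cannot be seen from this diff.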