add missing files and updated README

.github/workflows/container-creation-tests.yml

@@ -4,11 +4,11 @@ on:
   push:
     branches: [ main, develop ]
     paths:
-      - 'container-creation/js/**'
+      - 'container-creation/container-creation/root-bin/js/**'
   pull_request:
     branches: [ main, develop ]
     paths:
-      - 'container-creation/js/**'
+      - 'container-creation/container-creation/root-bin/js/**'
 
 jobs:
   test:
@@ -27,25 +27,25 @@ jobs:
       with:
         node-version: ${{ matrix.node-version }}
         cache: 'npm'
-        cache-dependency-path: 'container-creation/js/package-lock.json'
+        cache-dependency-path: 'container-creation/container-creation/root-bin/js/package-lock.json'
 
     - name: Install dependencies
-      working-directory: ./container-creation/js
+      working-directory: ./container-creation/container-creation/root-bin/js
       run: npm ci
 
     - name: Run tests
-      working-directory: ./container-creation/js
+      working-directory: ./container-creation/container-creation/root-bin/js
       run: npm test
 
     - name: Run tests with coverage
-      working-directory: ./container-creation/js
+      working-directory: ./container-creation/container-creation/root-bin/js
       run: npm run test:coverage
 
     - name: Upload coverage reports
       if: matrix.node-version == '20'
       uses: codecov/codecov-action@v3
       with:
-        file: ./container-creation/js/coverage/lcov.info
+        file: ./container-creation/container-creation/root-bin/js/coverage/lcov.info
         flags: container-creation-js
         name: container-creation-js-coverage
         fail_ci_if_error: false

.gitignore

@@ -1,6 +1,2 @@
-Wazuh/node_modules/
-Wazuh/package-lock.json
-Wazuh/package.json
-Wazuh/.env
-Wazuh/.gitignore
-
+node_modules
+.env

container-creation/README.md

@@ -1 +1,21 @@
-# Container Creation
+# Container Creation
+
+## Scripts
+
+- [`extract-fingerprint.sh`](./intern-phxdc-pve1/home-create-container-bin/extract-fingerprint.sh) - Executed via the [`sshd_config`](./intern-phxdc-pve1/etc-ssh/sshd_config) `ForceCommand` for the "create-container" user on intern-phxdc-pve1. Derives user's SSH pubkey fingerprint from the sshd journal, then forwards the `SSH_KEY_FP`, `PUBLIC_KEY`, `PROXMOX_USERNAME`, `PROXMOX_PASSWORD`, `CONTAINER_NAME`, `HTTP_PORT`, `DEPLOY_ON_START`, `PROJECT_REPOSITORY`, `PROJECT_BRANCH`, `PROJECT_ROOT`, `REQUIRE_ENV_VARS`, `CONTAINER_ENV_VARS`, `INSTALL_COMMAND`, `BUILD_COMMAND`, `START_COMMAND`, `RUNTIME_LANGUAGE`, `SERVICES`, `REQUIRE_SERVICES`, `CUSTOM_SERVICES`, `LINUX_DISTRIBUTION`, `MULTI_COMPONENT`, `ROOT_START_COMMAND`, `GH_ACTION`, `GITHUB_PAT` and `SELF_HOSTED_RUNNER` environment variables to the ssh as "create-container" on the container-creation server.
+- [`create-lxc-container.sh`](./container-creation/root-bin/create-lxc-container.sh) - Executed via the [`sshd_config`](./container-creation/etc-ssh/sshd_config) `ForceCommand` for the "create-container" user on container-creation. Queries for `PROXMOX_USERNAME`, `PROXMOX_PASSWORD` if unset in the environment, then verifies them with the [`runner.js`](./container-creation/root-bin/js/runner.js) subcommand `authenticateUser`. If authentication fails, the user is re-prompted unless the `GH_ACTION` environment variable is set, in which case the script fails fast. The script then prompts for `CONTAINER_NAME` if unset in the environment, then checks if that name is available with the [`checkHostnameRunner.js`](../nginx-reverse-proxy/checkHostnameRunner.js) script on the NGINX server. Again, the script re-prompts until a valid hostname is given unles `GH_ACTION` is set in the environment. The script then attempts to detect an SSH Public Key using the [`detectPublicKey.sh`](./container-creation/root-bin/ssh/detectPublicKey.sh) script and if it is not found, check if `PUBLIC_KEY` is unset, and otherwise prompt or fail depending on `GH_ACTION`. Once a public key is identified, it is handled with the [`publicKeyAppendJumpHost.sh`](./container-creation/root-bin/ssh/publicKeyAppendJumpHost.sh) script. Likewise, `HTTP_PORT` is prompted based on it's value and `GH_ACTION`. Then the user is prompted for additional protocols to be forwarded to the container cross-referenced with [`master_protocol_list.txt`](./container-creation/root-bin/protocols/master_protocol_list.txt). `DEPLOY_ON_START` is then prompted based on the value of `GH_ACTION`. If it is set, the [`deploy-application.sh`](./container-creation/root-bin/deploy-application.sh) script is invoked before continuing. Several files are then copied to intern-phxdc-pve1 before [`create-container.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/create-container.sh) is invoked as root on intern-phxdc-pve1.
+- [`deploy-application.sh`](./container-creation/root-bin/deploy-application.sh) - This script prompts for the `PROJECT_REPOSITORY`, `PROJECT_BRANCH`, `PROJECT_ROOT`, `RUNTIME_LANGUAGE`, `MULTI_COMPONENT`, and `COMPONENT_PATH` variables if they are unset, failing early if `GH_ACTION` is defined. Each stage verfies the existence with the `authenticateRepo` subcommand of [`runner.js`](./container-creation/root-bin/js/runner.js). Several more variables are set using the [`gatherSetupCommands.sh`](./container-creation/root-bin/deployment-scripts/gatherSetupCommands.sh), [`gatherEnvVars.sh`](./container-creation/root-bin/deployment-scripts/gatherEnvVars.sh), [`gatherRuntimeLangs.sh`](./container-creation/root-bin/deployment-scripts/gatherRuntimeLangs.sh) and [`gatherServices.sh`](./container-creation/root-bin/deployment-scripts/gatherRuntimeLangs.sh) scripts.
+- [`gatherSetupCommands.sh`](./container-creation/root-bin/deployment-scripts/gatherSetupCommands.sh) - used to prompt for the `BUILD_COMMAND`, `INSTALL_COMMAND`, `START_COMMAND`, and `ROOT_START_COMMAND` (if `MUTLI_COMPONENT`) variables if they are unset.
+- [`gatherEnvVars.sh`](./container-creation/root-bin/deployment-scripts/gatherEnvVars.sh) - used to prompt for the `REQUIRE_ENV_VARS` and `CONTAINER_ENV_VARS` then prompts for environment variables and their values to store in `/root/bin/env/env_{100000-999999}/{component_path}.txt`
+- [`gatherRuntimeLangs.sh`](./container-creation/root-bin/deployment-scripts/gatherRuntimeLangs.sh) - Prompts for the `RUNTIME_LANGUAGE` variable for each component. Support values include `nodejs` and `python` with a version number for both.
+- [`gatherServices.sh`](./container-creation/root-bin/deployment-scripts/gatherRuntimeLangs.sh) - sets the `REQUIRE_SERVICES` variable, and, if true, appends services to the `/root/bin/services/services_{100000-999999}.txt` file which is a list of commands to run to start the services.
+- [`create-container.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/create-container.sh) - Clones the container template for the `LINUX_DISTRO`, sets the `PROXMOX_USERNAME` tag, starts the container, adds `PROXMOX_USERNAME` as a user on the container, stores the `CONTAINER_ID`, adds the user's ssh public key, to root's authorized_keys, sets a random root password, stores `CONTAINER_IP` (allocated from DHCP but obtained from `hostname -I`), runs [`configureLDAP.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/helper-scripts/configureLDAP.sh), runs [`register-agent.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/helper-scripts/register-agent.sh), runs [`deployOnStart.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/helper-scripts/deployOnStart.sh), runs [`register-container.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh), displays the container's details, then runs [`start_services.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/start_services.sh) in a TMUX.
+- [`configureLDAP.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/helper-scripts/configureLDAP.sh) - Runs https://raw.githubusercontent.com/anishapant21/pown.sh/main/pown.sh on thhe server, then makes a few additional changes the sssd.
+- [`register-agent.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/helper-scripts/register-agent.sh) - Installs wazuh-agent from it's repos then registers it with the manager.
+- [`deployOnStart.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/helper-scripts/deployOnStart.sh) - clones `PROJECT_REPOSITORY` to /root on the container, then copies each set of env vars from `gatherEnvVars.sh` to the appropriate component directories, then calls the appropriate [`node_runtime_install`](./intern-phxdc-pve1/var-lib-vz-snippets/helper-scripts/node_runtime_install.sh) or [`python_runtime_install`](./intern-phxdc-pve1/var-lib-vz-snippets/helper-scripts/python_runtime_install.sh) scripts for component runtimes, then runs `INSTALL_CMD` and executes the file created in `gatherServices.sh`
+- [`register-container.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/register-container.sh) - interogates for `container_ip`, `hostname`, `os_release`, and `mac`, then checks if an SSH port forwards has already been allocated via IPTables on intern-phxdc-pve1 and allocates one if not. Similarly checks then allocates additional port-forwards also via IPTables on intern-phxdc-pve1. Then `port_map.json`is updated via an ssh connection to the NGINX container using `jq` to perform the update.
+- [`start_services.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/start_services.sh) - Stops `CONTAINER_ID`, sources [`create-template.sh`](./intern-phxdc-pve1/var-lib-vz-snippets/helper-scripts/create-template.sh), starts `CONTAINER_ID`, starts `github-runner.service` in the container if `GH_ACTION`, runs `BUILD_COMMAND`, then `START_COMMAND` for each component and `ROOT_START_COMMAND` when `MULTI_COMPONENT`.
+
+## Deployment
+
+This folder is structured to indicate deployment. Essentially, on any changes, copy all changed files to the server indicated by the "intern-phxdc-pve1" and "container-creation" subfolders, then to the correct directory on those servers. I.e. "intern-phxdc-pve1/var-lib-vz-snippets/create-container.sh" would be RSYNCed or otherwise copied to "intern-pxdc-pve1:/var/lib/vz/snippets/create-container.sh".

container-creation/container-creation/etc-ssh/sshd_config

@@ -0,0 +1,121 @@
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+PermitUserEnvironment yes
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_* LINUX_DISTRIBUTION SERVICES CUSTOM_SERVICES REQUIRE_SERVICES
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+Match User create-container
+	AcceptEnv SSH_KEY_FP PUBLIC_KEY PROXMOX_USERNAME PROXMOX_PASSWORD CONTAINER_NAME CONTAINER_PASSWORD HTTP_PORT DEPLOY_ON_START PROJECT_REPOSITORY PROJECT_BRANCH PROJECT_ROOT REQUIRE_ENV_VARS CONTAINER_ENV_VARS INSTALL_COMMAND BUILD_COMMAND START_COMMAND RUNTIME_LANGUAGE SERVICES REQUIRE_SERVICES CUSTOM_SERVICES LINUX_DISTRIBUTION MULTI_COMPONENT ROOT_START_COMMAND GH_ACTION GITHUB_PAT SELF_HOSTED_RUNNER 
+	ForceCommand sudo -E /root/bin/create-lxc-container.sh
+	PermitTTY yes

container-creation/container-creation/root-bin/cleanup/pruneTempFiles.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# Script to prune all temporary files (env vars, protocols, services, and public keys)
+# Last Updated July 28th 2025 Maxwell Klema
+
+LOG_FILE="/var/log/pruneTempFiles.log"
+
+writeLog() {
+    echo "[$(date +'%Y-%m-%d %H:%M:%S')]: $1" >> "$LOG_FILE"
+}
+
+# Function to remove temporary environment variable Folders
+removeTempEnvVars() {
+    TEMP_ENV_FOLDER="/root/bin/env"
+    while read -r line; do
+        if [[ "$line" == /root/bin/env/env_* ]]; then
+            rm -rf "$line" > /dev/null 2>&1
+            writeLog "Removed temporary environment variable folder: $line"
+        fi
+    done < <(find "$TEMP_ENV_FOLDER" -maxdepth 1 -type d -name "env_*")
+}
+
+# Function to remove temporary services file
+removeTempServices() {
+    TEMP_SERVICES_FOLDER="/root/bin/services"
+    while read -r line; do
+        if [[ "$line" == /root/bin/services/services_* ]]; then
+            rm -f "$line"
+            writeLog "Removed temporary services file: $line"
+        fi
+    done < <(find "$TEMP_SERVICES_FOLDER" -maxdepth 1 -type f -name "services_*")
+}
+
+# Function to remove temporary public key files
+removeTempPublicKeys() {
+    TEMP_PUB_FOLDER="/root/bin/ssh/temp_pubs"
+    while read -r line; do
+        if [[ "$line" == /root/bin/ssh/temp_pubs/key_* ]];
+        then
+            rm -f "$line"
+            writeLog "Removed temporary public key file: $line"
+        fi
+    done < <(find "$TEMP_PUB_FOLDER" -maxdepth 1 -type f -name "key_*")
+}
+
+# Function to remove temporary protocol files
+removeTempProtocols() {
+    TEMP_PROTOCOL_FOLDER="/root/bin/protocols"
+    while read -r line; do
+        if [[ "$line" == /root/bin/protocols/protocol_list* ]]; then
+            rm -f "$line"
+            writeLog "Removed temporary protocol file: $line"
+        fi
+    done < <(find "$TEMP_PROTOCOL_FOLDER" -maxdepth 1 -type f -name "protocol_list*")
+}
+
+# Main function to prune all temporary files
+pruneTempFiles() {
+    writeLog "Starting to prune temporary files..."
+    removeTempEnvVars
+    removeTempServices
+    removeTempPublicKeys
+    removeTempProtocols
+    writeLog "Finished pruning temporary files."
+}
+
+# Execute the main function
+pruneTempFiles
+exit 0