Add OpenSSH client installation and SSH key handling in Dockerfile

Dockerfile

@@ -4,7 +4,21 @@ FROM alpine:3.20
 # Install minimal tooling
 RUN apk add --no-cache \
 	--repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing wol \
-	&& apk add --no-cache bash curl ca-certificates docker-cli lua5.4 lua5.4-socket
+	&& apk add --no-cache bash curl ca-certificates docker-cli lua5.4 lua5.4-socket openssh-client
+
+# Create the ssh directory
+RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh
+
+# ssh-add ssh key from env var but do not keep env var around
+ARG SSH_PRIVATE_KEY
+ARG SSH_PUBLIC_KEY
+RUN echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_rsa && \
+	echo "$SSH_PUBLIC_KEY" > /root/.ssh/id_rsa.pub && \
+	chmod 600 /root/.ssh/id_rsa && \
+	chmod 644 /root/.ssh/id_rsa.pub && \
+	unset SSH_PRIVATE_KEY && unset SSH_PUBLIC_KEY
+RUN ssh-keyscan -H $OLLAMA_HOST >> /root/.ssh/known_hosts
+RUN chmod 600 /root/.ssh/known_hosts
 
 # Copy script
 WORKDIR /app

scripts/auto-boot-ollama-host.lua

@@ -76,45 +76,45 @@ end
 --   return false
 -- end
 
-local function createSSHKeyFilesFromEnv()
+--local function createSSHKeyFilesFromEnv()
-  if SSH_PRIVATE_KEY == "" or SSH_PUBLIC_KEY == "" then
+--  if SSH_PRIVATE_KEY == "" or SSH_PUBLIC_KEY == "" then
-    log("SSH_PRIVATE_KEY or SSH_PUBLIC_KEY env var is empty, skipping SSH key file creation.")
+--    log("SSH_PRIVATE_KEY or SSH_PUBLIC_KEY env var is empty, skipping SSH key file creation.")
-    return
+--    return
-  end
+--  end
-
+--
-  -- Ensure .ssh directory exists
+--  -- Ensure .ssh directory exists
-  local ssh_dir = SSH_IDENTITY_FILE:match("^(.*)/[^/]+$")
+--  local ssh_dir = SSH_IDENTITY_FILE:match("^(.*)/[^/]+$")
-  if ssh_dir then
+--  if ssh_dir then
-    os.execute(("mkdir -p %q && chmod 700 %q"):format(ssh_dir, ssh_dir))
+--    os.execute(("mkdir -p %q && chmod 700 %q"):format(ssh_dir, ssh_dir))
-  end
+--  end
-
+--
-  local priv_fh = io.open(SSH_IDENTITY_FILE, "w")
+--  local priv_fh = io.open(SSH_IDENTITY_FILE, "w")
-  if not priv_fh then
+--  if not priv_fh then
-    log("Failed to open SSH identity file for writing: " .. SSH_IDENTITY_FILE)
+--    log("Failed to open SSH identity file for writing: " .. SSH_IDENTITY_FILE)
-    return
+--    return
-  end
+--  end
-  priv_fh:write(SSH_PRIVATE_KEY)
+--  priv_fh:write(SSH_PRIVATE_KEY)
-  priv_fh:close()
+--  priv_fh:close()
-  os.execute(("chmod 600 %q"):format(SSH_IDENTITY_FILE))
+--  os.execute(("chmod 600 %q"):format(SSH_IDENTITY_FILE))
-  log("Wrote SSH private key to " .. SSH_IDENTITY_FILE)
+--  log("Wrote SSH private key to " .. SSH_IDENTITY_FILE)
-
+--
-  local pub_fh = io.open(SSH_IDENTITY_FILE .. ".pub", "w")
+--  local pub_fh = io.open(SSH_IDENTITY_FILE .. ".pub", "w")
-  if not pub_fh then
+--  if not pub_fh then
-    log("Failed to open SSH public key file for writing: " .. SSH_IDENTITY_FILE .. ".pub")
+--    log("Failed to open SSH public key file for writing: " .. SSH_IDENTITY_FILE .. ".pub")
-    return
+--    return
-  end
+--  end
-  pub_fh:write(SSH_PUBLIC_KEY)
+--  pub_fh:write(SSH_PUBLIC_KEY)
-  pub_fh:close()
+--  pub_fh:close()
-  os.execute(("chmod 644 %q"):format(SSH_IDENTITY_FILE .. ".pub"))
+--  os.execute(("chmod 644 %q"):format(SSH_IDENTITY_FILE .. ".pub"))
-  log("Wrote SSH public key to " .. SSH_IDENTITY_FILE .. ".pub")
+--  log("Wrote SSH public key to " .. SSH_IDENTITY_FILE .. ".pub")
-
+--
-  -- Unset the env vars for security
+--  -- Unset the env vars for security
-  os.setenv("SSH_PRIVATE_KEY", "")
+--  os.setenv("SSH_PRIVATE_KEY", "")
-  os.setenv("SSH_PUBLIC_KEY", "")
+--  os.setenv("SSH_PUBLIC_KEY", "")
-end
+--end
 
 local function main()
-  createSSHKeyFilesFromEnv()
+  -- createSSHKeyFilesFromEnv()
 
   log(("Watching container='%s' since='%s'"):format(CONTAINER_NAME, SINCE))
   log(("Looking for pattern: %q"):format(ERROR_PATTERN))