Add Docker Compose instructions and Docker build workflow

.github/workflows/docker.yml

@@ -0,0 +1,41 @@
+name: ci
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["v*.*.*"]
+
+jobs:
+  docker:
+    environment: Docker Build
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Collect Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ vars.DOCKERHUB_USERNAME }}/sandhole
+          tags: |
+            type=ref,event=branch
+            type=sha
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PUSH_TOKEN  }}
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          platforms: |
+            linux/amd64
+            linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

Cargo.toml

@@ -8,6 +8,12 @@ license = "MIT"
 authors = ["Eric Rodrigues Pires <[email protected]>"]
 readme = "README.md"
 categories = ["network-programming", "web-programming", "authentication"]
+exclude = [
+  ".github",
+  "book",
+  "docker-compose-example",
+  "tests",
+]
 
 [dependencies]
 anyhow = "1.0.93"

book/src/SUMMARY.md

@@ -3,6 +3,7 @@
 # Administrator guide
 
 - [Quick start](./quick_start.md)
+- [Using Docker Compose](./docker_compose.md)
 - [Configuration](./configuration.md)
 - [TLS support](./tls_support.md)
 - [Admin interface](./admin_interface.md)

book/src/advanced_uses.md

@@ -44,3 +44,15 @@ Then, add the following entries to your DNS (assuming that your domain is `my.do
 This instructs your DNS to redirect requests to Sandhole, and tells Sandhole to authorize your SSH key for the given domain, respectively.
 
 If you need to use multiple keys for the same domain, simply add a TXT record for each one.
+
+### HTTPS support
+
+If your administrator has configured [ACME support](./tls_support.md#acme-support), you don't need any extra steps. HTTPS will be automatically available for you.
+
+However, if you require DNS challenges for your domain's certification for any reason, and your administrator is running [dnsrobocert](./tls_support.md), you can simply set another DNS entry:
+
+| Type  | Domain                          | Data                                       |
+| ----- | ------------------------------- | ------------------------------------------ |
+| CNAME | `_acme-challenge.my.domain.net` | `_acme-challenge.my.domain.net.server.com` |
+
+This lets dnsrobocert manage the ACME challenge for you.

book/src/cli.md

@@ -81,7 +81,7 @@ Options:
           Contact e-mail to use with Let's Encrypt. If set, enables ACME for
           HTTPS certificates.
 
-          By providing your e-mail, you agree to Let's Encrypt Subscriber
+          By providing your e-mail, you agree to the Let's Encrypt Subscriber
           Agreement
 
       --acme-use-staging

book/src/docker_compose.md

@@ -0,0 +1,23 @@
+# Using Docker Compose
+
+The most straightforward way to have Sandhole up and running is with Docker Compose. Mainly, this takes care of running dnsrobocert for you, and daemonizes your application.
+
+An example is provided in [docker-compose-example](https://github.com/EpicEric/sandhole/tree/main/docker-compose-example), using `server.com` as the example domain and Hetzner as the DNS provider for DNS-01 challenges in `le-config.yml`.
+
+Adjust the fields and CLI flags as appropriate for your use-case. Then, simply run:
+
+```shell
+docker compose up -d
+```
+
+Then, if you need to restart the service:
+
+```shell
+docker compose restart
+```
+
+Or stop it entirely:
+
+```shell
+docker compose down
+```

book/src/quick_start.md

@@ -5,7 +5,7 @@ In order to run Sandhole, you'll need:
 - A server with public addresses.
 - A domain pointing to said server (in this example, `server.com`).
 
-Then, install the Sandhole binary in your server. Currently, the only way to do so is to compile it yourself.
+Then, install the Sandhole binary in your server. Currently, the only ways to do so are [through Docker Compose](./docker_compose.md) or to compile it yourself.
 
 If you're compiling from a separate workstation, grab the source files, build the binary, and copy it over:
 

book/src/tls_support.md

@@ -2,7 +2,7 @@
 
 Sandhole supports TLS signing out of the box, including ACME challenges via TLS-ALPN-01 for custom domains.
 
-However, especially for your main domain, it's recommended that you set up [dnsrobocert](https://github.com/adferrand/dnsrobocert) to handle the wildcard certification via DNS. Sandhole already matches this tool's output directly. Please see its documentation to set it up yourself.
+However, especially for your main domain, it's recommended that you set up a tool like [dnsrobocert](https://github.com/adferrand/dnsrobocert) to handle the wildcard certification via DNS. Sandhole already matches dnsrobocert's output directly. Please see its documentation to set it up yourself.
 
 Assuming that the output of dnsrobocert is `./letsencrypt`, Sandhole can then read the certificates via:
 

docker-compose-example/.gitignore

@@ -0,0 +1,2 @@
+deploy/
+letsencrypt/

docker-compose-example/compose.yml

@@ -0,0 +1,33 @@
+services:
+  letsencrypt:
+    image: docker.io/adferrand/dnsrobocert:3.25.0
+    container_name: sandhole_dnsrobocert
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./letsencrypt:/etc/letsencrypt
+      - ./le-config.yml:/etc/dnsrobocert/config.yml
+    restart: unless-stopped
+
+  sandhole:
+    image: docker.io/epiceric/sandhole:latest
+    container_name: sandhole
+    depends_on:
+      - letsencrypt
+    volumes:
+      - ./letsencrypt:/letsencrypt
+      - ./deploy:/deploy
+    # See https://epiceric.github.io/sandhole/cli.html
+    command: |
+      --domain=server.com
+      --user-keys-directory=/deploy/user_keys/
+      --admin-keys-directory=/deploy/admin_keys/
+      --certificates-directory=/letsencrypt/live/
+      --acme-cache-directory=/deploy/acme_cache/
+      --private-key-file=/deploy/server_keys/ssh
+      --ssh-port=2222
+      --http-port=80
+      --https-port=443
+      --force-https
+      [email protected]
+    network_mode: host
+    restart: unless-stopped

docker-compose-example/le-config.yml

@@ -0,0 +1,13 @@
+acme:
+  email_account: [email protected]
+certificates:
+  - domains:
+      - server.com
+      - "*.server.com"
+    name: server.com
+    profile: hetzner
+profiles:
+  - name: hetzner
+    provider: hetzner
+    provider_options:
+      auth_token: "" # Add PAT for Hetzner DNS

src/admin.rs

@@ -255,7 +255,7 @@ impl AdminInterface {
             buf: Vec::new(),
         });
         let options = TerminalOptions {
-            viewport: Viewport::Fullscreen,
+            viewport: Viewport::Fixed(Rect::new(0, 0, 120, 60)),
         };
         let (change_notifier, mut subscriber) = watch::channel(());
         let interface = Arc::new(Mutex::new(AdminTerminal {

src/main.rs

@@ -150,7 +150,7 @@ struct Args {
 
     /// Contact e-mail to use with Let's Encrypt. If set, enables ACME for HTTPS certificates.
     ///
-    /// By providing your e-mail, you agree to Let's Encrypt Subscriber Agreement.
+    /// By providing your e-mail, you agree to the Let's Encrypt Subscriber Agreement.
     #[arg(long)]
     acme_contact_email: Option<String>,