@woudsma
Last active January 26, 2019 15:35

Dokku ACL plugin

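# Dokku host: install the ACL plugin, then limit the "guest" deploy key to one app.
dokku plugin:install https://github.com/dokku-community/dokku-acl.git acl

# Register the guest's public key under the name "guest", then list the
# registered key names (the admin name used below comes from this listing).
dokku ssh-keys:add guest guest-key.pub
dokku ssh-keys:list

# -p keeps this step repeatable when the directory already exists.
mkdir -p ~dokku/.dokkurc
# NOTE(review): this setting is understood to exempt local command-line use of
# dokku from the ACL checks; confirm against the plugin README and leave it out
# if every local shell account should stay subject to the ACL.
echo "export DOKKU_ACL_ALLOW_COMMAND_LINE=1" >> ~dokku/.dokkurc/acl
echo "export DOKKU_SUPER_USER=<username>" >> ~dokku/.dokkurc/acl # Determine admin username from output of `dokku ssh-keys:list`
# Exported like the two settings above: a plain assignment stays in the shell
# that sources this file and is not inherited by child processes.
echo "export DOKKU_ACL_USER_COMMANDS='help version'" >> ~dokku/.dokkurc/acl

# Create the app and grant the guest key access to it only.
dokku apps:create my-app
dokku domains:add my-app my-app.com
dokku acl:add my-app guest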

Create guest user with restricted SSH access (optional)

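# Create guest account with SSH access.
# -s /bin/bash: bash is the only shell copied into the chroot below, so the
# account's login shell has to be a path that exists inside it.
useradd -d /home/guest -s /bin/bash guest

# Chroot skeleton. .ssh is created here so the key append below has a
# directory to write into; home/guest becomes the guest's home once sshd has
# chrooted into /home/guest.
mkdir -p /home/guest/{bin,lib,etc,home/guest,.ssh}
cat guest-key.pub >> /home/guest/.ssh/authorized_keys

# sshd rejects a ChrootDirectory that is not root-owned or that is writable by
# group/other, so the chroot root is root:root with mode 755 (chmod, not chown:
# "chown 755" would hand the directory to UID 755 and leave the mode unset).
chown root:root /home/guest
chmod 755 /home/guest
chown -R guest:guest /home/guest/home/guest
chmod -R 0700 /home/guest/home/guest

# sshd reads authorized_keys with the guest's privileges, so the directory must
# be traversable by guest. Keeping it root-owned and read-only means the guest
# can authenticate with the installed key but cannot add or replace keys.
chown -R root:root /home/guest/.ssh
chmod 755 /home/guest/.ssh
chmod 644 /home/guest/.ssh/authorized_keys

# Shared libraries for the copied binaries. The lists below come from ldd on
# the author's host; re-run `ldd /bin/bash`, `ldd /bin/ls` and
# `ldd /usr/bin/git-receive-pack` on the target and copy what they report.
# NOTE(review): ldd usually reports the loader as /lib64/ld-linux-x86-64.so.2;
# if it does here, the loader must also exist at that path inside the chroot.
cp -v /lib/x86_64-linux-gnu/{libselinux.so.1,libc.so.6,libpcre.so.3,libdl.so.2,libpthread.so.0} /home/guest/lib/
cp -v /lib/x86_64-linux-gnu/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /home/guest/lib/

# Copy allowed binaries to guest user /bin directory
# Find binary using the 'whereis' command, like so:
# whereis git-receive-pack
# cp -v /usr/bin/git-receive-pack /home/guest/bin/

# The full host passwd/group files expose every local account name to the
# guest; trimming the copies to the entries the guest needs is an option.
cp -vf /etc/{passwd,group} /home/guest/etc/
cp -v /bin/bash /home/guest/bin/
cp -v /bin/ls /home/guest/bin/
cp -v /bin/pwd /home/guest/bin/
cp -v /bin/whoami /home/guest/bin/
cp -v /usr/bin/git-receive-pack /home/guest/bin/

# Binaries stay root-owned (copied as root) and are only read/executable for guest.
sudo chmod -R 755 /home/guest/bin

# Set up SSH access
nano /etc/ssh/sshd_config

# Copy-paste without '#'. Put the block at the end of the file: a Match block
# applies to every line after it until the next Match or the end of the file.
# The three forwarding lines keep the chrooted account from being used as a
# tunnel into the host's network.

# Match user guest
#     ChrootDirectory /home/guest
#     PubkeyAuthentication yes
#     AuthorizedKeysFile /home/guest/.ssh/authorized_keys
#     AllowTcpForwarding no
#     AllowAgentForwarding no
#     X11Forwarding no

# Validate the configuration before restarting so a typo cannot lock out SSH.
sshd -t
sudo service ssh restart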