From e7a2e9d7f4504f7da6640e7a84a6b970ec951589 Mon Sep 17 00:00:00 2001
From: Rob Ballantyne
Date: Fri, 19 Jan 2024 13:05:17 +0000
Subject: [PATCH] Add user groups and disable SSH pasword login
---
 build/COPY_ROOT/etc/ssh/sshd_config.d/no-password.conf | 2 ++
 build/COPY_ROOT/opt/ai-dock/bin/init.sh | 3 ++-
 build/Dockerfile | 3 ++-
 3 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 build/COPY_ROOT/etc/ssh/sshd_config.d/no-password.conf
diff --git a/build/COPY_ROOT/etc/ssh/sshd_config.d/no-password.conf b/build/COPY_ROOT/etc/ssh/sshd_config.d/no-password.conf
new file mode 100644
index 0000000..0ef4e21
--- /dev/null
+++ b/build/COPY_ROOT/etc/ssh/sshd_config.d/no-password.conf
@@ -0,0 +1,2 @@
+PasswordAuthentication no
+
diff --git a/build/COPY_ROOT/opt/ai-dock/bin/init.sh b/build/COPY_ROOT/opt/ai-dock/bin/init.sh
index 3f31ace..1e9c0d9 100755
--- a/build/COPY_ROOT/opt/ai-dock/bin/init.sh
+++ b/build/COPY_ROOT/opt/ai-dock/bin/init.sh
@@ -192,13 +192,14 @@ function init_create_user() {
 mkdir -p ${home_dir}
 groupadd -g $WORKSPACE_GID $USER_NAME
 useradd -ms /bin/bash $USER_NAME -d $home_dir -u $WORKSPACE_UID -g $WORKSPACE_GID
+ printf "user:%s" "$USER_PASSWORD" | chpasswd
 usermod -a -G $USER_GROUPS $USER_NAME
 # May not exist - todo check device ownership
 usermod -a -G render $USER_NAME
 usermod -a -G sgx $USER_NAME
 ln -s $home_dir /home/${USER_NAME}
 # See the README (in)security notice
- echo "${USER_NAME} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+ printf "%s ALL=(ALL) NOPASSWD: ALL\n" ${USER_NAME} >> /etc/sudoers
 if [[ ! -e ${home_dir}/.bashrc ]]; then
 cp -f /root/.bashrc ${home_dir}
 chown ${WORKSPACE_UID}:${WORKSPACE_GID} ${home_dir}/.bashrc
diff --git a/build/Dockerfile b/build/Dockerfile
index b268a26..1c35b94 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
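Review bot: `PasswordAuthentication no` on its own does not fully disable password logins on Debian/Ubuntu-style sshd builds: with `UsePAM yes` (the distro default) and `KbdInteractiveAuthentication` left at its default of yes, a client can still be prompted for the account password through PAM keyboard-interactive. Add `KbdInteractiveAuthentication no` (and `ChallengeResponseAuthentication no` for OpenSSH older than 8.7) to this drop-in so the effective policy matches the commit's intent. The drop-in also only takes effect if the base image's `/etc/ssh/sshd_config` has an `Include /etc/ssh/sshd_config.d/*.conf` line placed before any competing directive, since sshd keeps the first value it reads; that cannot be confirmed from this diff, so a build-time `sshd -T | grep -i passwordauthentication` check would pin it down.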
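Review bot: The new `chpasswd` line hard-codes the literal account name `user` instead of `$USER_NAME`, so when `USER_NAME` is overridden the password is applied to a different or nonexistent account and the account this function just created is left with whatever `useradd` gave it; use `printf "%s:%s" "$USER_NAME" "$USER_PASSWORD" | chpasswd`. The replacement sudoers line leaves `${USER_NAME}` unquoted while the line above quotes `"$USER_PASSWORD"`; quote it as `"${USER_NAME}"` for consistency and to keep a value with spaces or globs from being split. Because the same account receives `NOPASSWD: ALL` two lines later, this password is root-equivalent, so it is worth refusing to continue (or generating a random value) when `USER_PASSWORD` is empty or still at the image default instead of accepting it silently. `init_create_user` starts and ends outside this hunk.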
@@ -19,7 +19,8 @@ ENV LC_ALL=C.UTF-8
 ENV TZ=UTC
 ENV SHELL="/bin/bash"
 ENV USER_NAME=user
-ENV USER_GROUPS=users,ai-dock,adm,sudo,audio,video,tty
+ENV USER_PASSWORD=password
+ENV USER_GROUPS=users,ai-dock,adm,sudo,audio,video,tty,cdrom,dialout,dip,fax,floppy,lp,plugdev,ssl-cert,sudo,tape,voice
 ENV DEBIAN_FRONTEND=noninteractive
 ENV PATH=/opt/ai-dock/bin:/opt/micromamba/bin:/opt/caddy/bin:$PATH
 ENV OPT_SYNC=
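Review bot: `ENV USER_PASSWORD=password` bakes a well-known default credential into the image configuration, where it is visible to anyone who can `docker inspect` the image, inherited by every process in the container, and protects an account that init.sh grants `NOPASSWD` sudo. Prefer leaving it empty here (`ENV USER_PASSWORD=`) and having init.sh fail or generate a random value when it is unset, so a forgotten override cannot yield a root-equivalent default; the SSH password-auth change in this commit does not cover other login paths such as a web terminal or `su`. In the new `USER_GROUPS` value `sudo` is listed twice, and `ssl-cert` is not in the Debian/Ubuntu base `/etc/group` unless a package creates it; since `usermod -a -G` rejects the whole list when any named group is missing, the list should be deduplicated and limited to groups the image is known to create, or each optional group added with its own guarded `usermod` as init.sh already does for `render` and `sgx`.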