feat: ssh-agent instead of filesystem based ssh keys

app/Actions/CoolifyTask/RunRemoteProcess.php

@@ -73,7 +73,7 @@ public function __invoke(): ProcessResult
         $this->time_start = hrtime(true);
 
         $status = ProcessStatus::IN_PROGRESS;
-        $processResult = Process::forever()->run($this->getCommand(), $this->handleOutput(...));
+        $processResult = processWithEnv()->forever()->run($this->getCommand(), $this->handleOutput(...));
 
         if ($this->activity->properties->get('status') === ProcessStatus::ERROR->value) {
             $status = ProcessStatus::ERROR;
@@ -104,11 +104,10 @@ protected function getCommand(): string
     {
         $user = $this->activity->getExtraProperty('user');
         $server_ip = $this->activity->getExtraProperty('server_ip');
-        $private_key_location = $this->activity->getExtraProperty('private_key_location');
         $port = $this->activity->getExtraProperty('port');
         $command = $this->activity->getExtraProperty('command');
 
-        return generate_ssh_command($private_key_location, $server_ip, $user, $port, $command);
+        return generateSshCommand($server_ip, $user, $port, $command);
     }
 
     protected function handleOutput(string $type, string $output)

app/Data/CoolifyTaskArgs.php

@@ -13,7 +13,6 @@ class CoolifyTaskArgs extends Data
 {
     public function __construct(
         public string  $server_ip,
-        public string  $private_key_location,
         public string  $command,
         public int     $port,
         public string  $user,

app/Http/Livewire/Server/ShowPrivateKey.php

@@ -14,6 +14,7 @@ class ShowPrivateKey extends Component
     public function setPrivateKey($newPrivateKeyId)
     {
         try {
+            refresh_server_connection($this->server->privateKey);
             $oldPrivateKeyId = $this->server->private_key_id;
             $this->server->update([
                 'private_key_id' => $newPrivateKeyId
@@ -26,7 +27,7 @@ public function setPrivateKey($newPrivateKeyId)
                 'private_key_id' => $oldPrivateKeyId
             ]);
             $this->server->refresh();
-             refresh_server_connection($this->server->privateKey);
+            refresh_server_connection($this->server->privateKey);
             return general_error_handler($e, that: $this);
         }
     }

app/Traits/ExecuteRemoteCommand.php

@@ -28,9 +28,8 @@ public function execute_remote_command(...$commands)
         $ip = data_get($this->server, 'ip');
         $user = data_get($this->server, 'user');
         $port = data_get($this->server, 'port');
-        $private_key_location = get_private_key_for_server($this->server);
 
-        $commandsText->each(function ($single_command) use ($private_key_location, $ip, $user, $port) {
+        $commandsText->each(function ($single_command) use ($ip, $user, $port) {
             $command = data_get($single_command, 'command') ?? $single_command[0] ?? null;
             if ($command === null) {
                 throw new \RuntimeException('Command is not set');
@@ -39,8 +38,8 @@ public function execute_remote_command(...$commands)
             $ignore_errors = data_get($single_command, 'ignore_errors', false);
             $this->save = data_get($single_command, 'save');
 
-            $remote_command = generate_ssh_command($private_key_location, $ip, $user, $port, $command);
-            $process = Process::timeout(3600)->idleTimeout(3600)->start($remote_command, function (string $type, string $output) use ($command, $hidden) {
+            $remote_command = generateSshCommand( $ip, $user, $port, $command);
+            $process =  processWithEnv()->timeout(3600)->idleTimeout(3600)->start($remote_command, function (string $type, string $output) use ($command, $hidden) {
                 $output = Str::of($output)->trim();
                 $new_log_entry = [
                     'command' => $command,

bootstrap/helpers/remoteProcess.php

@@ -33,12 +33,9 @@ function remote_process(
         }
     }
 
-    $private_key_location = save_private_key_for_server($server);
-
     return resolve(PrepareCoolifyTask::class, [
         'remoteProcessArgs' => new CoolifyTaskArgs(
             server_ip: $server->ip,
-            private_key_location: $private_key_location,
             command: <<<EOT
                 {$command_string}
                 EOT,
@@ -52,25 +49,29 @@ function remote_process(
     ])();
 }
 
-function get_private_key_for_server(Server $server)
-{
-    $temp_file = "id.root@{$server->ip}";
-    return '/var/www/html/storage/app/ssh/keys/' . $temp_file;
-}
-
-function save_private_key_for_server(Server $server)
+function removePrivateKeyFromSshAgent(Server $server)
 {
     if (data_get($server, 'privateKey.private_key') === null) {
         throw new \Exception("Server {$server->name} does not have a private key");
     }
-    $temp_file = "id.root@{$server->ip}";
-    Storage::disk('ssh-keys')->put($temp_file, $server->privateKey->private_key);
-    Storage::disk('ssh-mux')->makeDirectory('.');
-    return '/var/www/html/storage/app/ssh/keys/' . $temp_file;
+    Process::run("echo '{$server->privateKey->private_key}' | ssh-add -d -");
+}
+function addPrivateKeyToSshAgent(Server $server, bool $onlyRemove = false)
+{
+    if (data_get($server, 'privateKey.private_key') === null) {
+        throw new \Exception("Server {$server->name} does not have a private key");
+    }
+    // ray('adding key', $server->privateKey->private_key);
+    Process::run("echo '{$server->privateKey->private_key}' | ssh-add -q -");
 }
 
-function generate_ssh_command(string $private_key_location, string $server_ip, string $user, string $port, string $command, bool $isMux = true)
+function generateSshCommand(string $server_ip, string $user, string $port, string $command, bool $isMux = true)
 {
+    $server = Server::where('ip', $server_ip)->first();
+    if (!$server) {
+        throw new \Exception("Server with ip {$server_ip} not found");
+    }
+    addPrivateKeyToSshAgent($server);
     $timeout = config('constants.ssh.command_timeout');
     $connectionTimeout = config('constants.ssh.connection_timeout');
     $serverInterval = config('constants.ssh.server_interval');
@@ -82,8 +83,7 @@ function generate_ssh_command(string $private_key_location, string $server_ip, s
         $ssh_command .= '-o ControlMaster=auto -o ControlPersist=1m -o ControlPath=/var/www/html/storage/app/ssh/mux/%h_%p_%r ';
     }
     $command = "PATH=\$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/host/usr/local/sbin:/host/usr/local/bin:/host/usr/sbin:/host/usr/bin:/host/sbin:/host/bin && $command";
-    $ssh_command .= "-i {$private_key_location} "
-        . '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null '
+    $ssh_command .= '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null '
         . '-o PasswordAuthentication=no '
         . "-o ConnectTimeout=$connectionTimeout "
         . "-o ServerAliveInterval=$serverInterval "
@@ -94,11 +94,16 @@ function generate_ssh_command(string $private_key_location, string $server_ip, s
         . " 'bash -se' << \\$delimiter" . PHP_EOL
         . $command . PHP_EOL
         . $delimiter;
-    ray($ssh_command);
+    // ray($ssh_command);
     return $ssh_command;
 }
-function instantCommand(string $command, $throwError = true) {
-    $process = Process::run($command);
+function processWithEnv()
+{
+    return Process::env(['SSH_AUTH_SOCK' => config('coolify.ssh_auth_sock')]);
+}
+function instantCommand(string $command, $throwError = true)
+{
+    $process = processWithEnv()->run($command);
     $output = trim($process->output());
     $exitCode = $process->exitCode();
     if ($exitCode !== 0) {
@@ -112,9 +117,8 @@ function instantCommand(string $command, $throwError = true) {
 function instant_remote_process(array $command, Server $server, $throwError = true, $repeat = 1)
 {
     $command_string = implode("\n", $command);
-    $private_key_location = save_private_key_for_server($server);
-    $ssh_command = generate_ssh_command($private_key_location, $server->ip, $server->user, $server->port, $command_string);
-    $process = Process::run($ssh_command);
+    $ssh_command = generateSshCommand($server->ip, $server->user, $server->port, $command_string);
+    $process =  processWithEnv()->run($ssh_command);
     $output = trim($process->output());
     $exitCode = $process->exitCode();
     if ($exitCode !== 0) {
@@ -172,6 +176,7 @@ function refresh_server_connection(PrivateKey $private_key)
         //     currentTeam()->privateKeys = PrivateKey::where('team_id', currentTeam()->id)->get();
         // }
     }
+    removePrivateKeyFromSshAgent($server);
 }
 
 function validateServer(Server $server)
@@ -212,7 +217,7 @@ function validateServer(Server $server)
         $server->settings->is_usable = false;
         throw $e;
     } finally {
-        if(data_get($server,'settings')) $server->settings->save();
+        if (data_get($server, 'settings')) $server->settings->save();
     }
 }
 

config/coolify.php

@@ -8,4 +8,5 @@
     'dev_webhook' => env('SERVEO_URL'),
     'base_config_path' => env('BASE_CONFIG_PATH', '/data/coolify'),
     'helper_image' => env('HELPER_IMAGE', 'ghcr.io/coollabsio/coolify-helper:latest'),
+    'ssh_auth_sock' => env('SSH_AUTH_SOCK', '/tmp/coolify-ssh-agent.sock'),
 ];

docker-compose.dev.yml

@@ -21,6 +21,7 @@ services:
       SSL_MODE: "off"
       AUTORUN_LARAVEL_STORAGE_LINK: "false"
       AUTORUN_LARAVEL_MIGRATION: "false"
+      SSH_AUTH_SOCK: "/tmp/coolify-ssh-agent.sock"
     volumes:
       - .:/var/www/html/:cached
   postgres:

docker-compose.prod.yml

@@ -64,6 +64,7 @@ services:
       - LEMON_SQUEEZY_BASIC_PLAN_IDS
       - LEMON_SQUEEZY_PRO_PLAN_IDS
       - LEMON_SQUEEZY_ULTIMATE_PLAN_IDS
+      - SSH_AUTH_SOCK="/tmp/coolify-ssh-agent.sock"
     ports:
       - "${APP_PORT:-8000}:80"
     expose:

docker/dev-ssu/Dockerfile

@@ -24,4 +24,4 @@ RUN echo "alias mfs='php artisan migrate:fresh --seed'" >>/etc/bash.bashrc
 RUN echo "alias cda='composer dump-autoload'" >>/etc/bash.bashrc
 RUN echo "alias run='./scripts/run'" >>/etc/bash.bashrc
 
-# COPY --chmod=755 docker/dev-ssu/etc/s6-overlay/ /etc/s6-overlay/
+COPY --chmod=755  docker/dev-ssu/etc/s6-overlay/ /etc/s6-overlay/

docker/dev-ssu/etc/s6-overlay/s6-rc.d/horizon/run

@@ -0,0 +1,5 @@
+#!/command/execlineb -P
+foreground {
+  s6-sleep 5
+  su - webuser -c "php /var/www/html/artisan horizon"
+}

docker/dev-ssu/etc/s6-overlay/s6-rc.d/queue-worker/run

@@ -1,2 +0,0 @@
-#!/command/execlineb -P
-su - webuser -c "php /var/www/html/artisan queue:listen"

docker/dev-ssu/etc/s6-overlay/s6-rc.d/scheduler-worker/run

@@ -1,2 +1,5 @@
 #!/command/execlineb -P
-su - webuser -c "php /var/www/html/artisan schedule:work"
+foreground {
+  s6-sleep 5
+  su - webuser -c "php /var/www/html/artisan schedule:work"
+}

docker/dev-ssu/etc/s6-overlay/s6-rc.d/ssh-agent/type

@@ -0,0 +1 @@
+oneshot

docker/dev-ssu/etc/s6-overlay/s6-rc.d/ssh-agent/up

@@ -0,0 +1,5 @@
+#!/usr/bin/execlineb -P
+foreground {
+  s6-sleep 5
+  su - webuser -c "ssh-agent -a /tmp/coolify-ssh-agent.sock"
+}

docker/prod-ssu/etc/s6-overlay/s6-rc.d/ssh-agent/type

@@ -0,0 +1 @@
+oneshot

docker/prod-ssu/etc/s6-overlay/s6-rc.d/ssh-agent/up

@@ -0,0 +1,5 @@
+#!/usr/bin/execlineb -P
+foreground {
+  s6-sleep 5
+  su - webuser -c "ssh-agent -a /tmp/coolify-ssh-agent.sock"
+}