Revert "feat: pass private key as env variable SSH_KEY"

This reverts commit 73f25ab8d2.

access.yml

@@ -1,13 +0,0 @@
-pallav:
-  fixedArgsCommands:
-    build:
-      - base
-      - workspace
-      - all
-    clean:
-    status:
-  multiArgsCommands:
-    remove:
-      - palak
-      - param
-      - darshan

gitops_router.sh

@@ -149,9 +149,9 @@ validate_command "$PERSON" "$cmd" "${args[@]}"
 case "$cmd" in
 build)
   case "${args[0]}" in
-  base) podman build --target base -t analytics-backend-base . ;;
+  base) podman build --target base -t workspaces-base . ;;
-  workspace) podman build --target base -t analytics-backend-base . ;;
+  workspace) podman build --target workspace -t workspaces . ;;
-  all) podman build -t analytics-backend-workspace . ;;
+  all) podman build -t workspaces . ;;
   *) log ERROR "build: invalid arg '${args[0]}'" ;;
   esac
   ;;
@@ -159,12 +159,21 @@ update)
   case "${args[0]}" in
   containerfile) update 0 Containerfile . 500 ;;
   access) update 2 access.yml . 400 ;;
-  authorized_keys) update 2 access.yml . 400 ;;
+  authorized_keys) update 2 authorized_keys .ssh 400 ;;
+  secret_key) update 2 keys/"${args[1]}"/id_ed25519 secrets/"${args[1]}" 400 ;;
+  podman_access)
+    update 2 podman_access.keys . 400
+    scp podman_access.keys mypodmanuser@alps:~/.ssh/authorized_keys
+    ;;
   ssh_router) update 1 ssh_router.sh .local/bin 500 ;;
   gitops_router) update 1 gitops_router.sh .local/bin 500 ;;
   validate_command) update 1 validate_command_access.sh .local/bin 500 ;;
-  home_tar) update 0 home.tar.gz . 500 media ;;
+  home_tar)
+    podman cp "$PERSON":/app/private/workspaces/home.tar.gz "$HOME"/
+    chmod 600 "$HOME"/home.tar.gz
+    ;;
   gitconfig) update 0 gitconfig.template . 500 ;;
+  start.sh) update 0 start.sh . 500 ;;
   *) log ERROR "update: invalid arg '${args[0]}'" ;;
   esac
   ;;

setgid-watcher.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Ensure setgid bit on all new directories in /mnt/private/workspaces-data/public
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/setgid-watcher.sh
+User=root
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

setgid-watcher.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+WATCH_DIR="/mnt/private/workspaces-data/public"
+
+inotifywait -m -r -e create --format '%w%f' "$WATCH_DIR" | while read -r newdir; do
+  chmod g+s "$newdir"
+done

ssh_router.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 
 PERSON="${1:?Usage: $0 <person>}"
 WORKSPACE="${SSH_ORIGINAL_COMMAND:-}"
-IMAGE="localhost/analytics-backend-workspace:latest"
+IMAGE="localhost/workspaces:latest"
 DEV_USER="devuser"
 XDG_RUNTIME_DIR="/run/user/$(id -u)"
 LOG_FILE="/tmp/.ssh-router-${PERSON}.log"
@@ -45,7 +45,7 @@ if [[ -z "$WORKSPACE" ]]; then
   WORKSPACE="$PERSON"
   log INFO "Defaulted WORKSPACE → $WORKSPACE"
 fi
-TMUX_SESSION="${WORKSPACE}|analytics-backend"
+TMUX_SESSION="${WORKSPACE}|workspace"
 
 # ─────────────────────────────────────────────
 # Ensure Podman socket is up
@@ -92,16 +92,17 @@ esac
 # ─────────────────────────────────────────────
 # Generate per-user gitconfig
 generate_gitconfig() {
+  local ws="$1"
   local access="$HOME/access.yml"
   local template="$HOME/gitconfig.template"
-  local userdir="$HOME/secrets/$PERSON"
+  local userdir="$HOME/secrets/$ws"
   local name email
 
-  name=$(yq -r ".\"$PERSON\".name" "$access" 2>/dev/null || echo)
+  name=$(yq -r ".\"$ws\".name" "$access" 2>/dev/null || echo)
-  email=$(yq -r ".\"$PERSON\".email" "$access" 2>/dev/null || echo)
+  email=$(yq -r ".\"$ws\".email" "$access" 2>/dev/null || echo)
 
   if [[ -z "$name" || -z "$email" ]]; then
-    log ERROR "Missing name/email for '$PERSON' in $access"
+    log ERROR "Missing name/email for '$ws' in $access"
     exit 1
   fi
 
@@ -116,14 +117,16 @@ generate_gitconfig() {
 start_container_if_needed() {
   if ! podman container exists "$WORKSPACE"; then
     log INFO "Creating container '$WORKSPACE'"
-    generate_gitconfig
+    generate_gitconfig "$PERSON"
     podman run -dit \
       --name "$WORKSPACE" \
-      --userns=keep-id \
+      --userns=keep-id:uid=1000,gid=1000 \
+      --group-add keep-groups \
       --user "$DEV_USER" \
       --hostname "$WORKSPACE" \
       --label auto-cleanup=true \
-      -v "$HOME/data/$WORKSPACE:/app:Z" \
+      -v "/mnt/private/workspaces-data/public/$WORKSPACE:/app/public" \
+      -v "/mnt/private/workspaces-data/private/$WORKSPACE:/app/private" \
       -v "$HOME/secrets/$WORKSPACE/gitconfig:/home/$DEV_USER/.gitconfig:ro,Z" \
       -v "$HOME/secrets/$WORKSPACE/id_ed25519:/home/$DEV_USER/.ssh/id_ed25519:ro,Z" \
       -v "$HOME/secrets/$WORKSPACE/id_ed25519.pub:/home/$DEV_USER/.ssh/id_ed25519.pub:ro,Z" \
@@ -177,16 +180,21 @@ case "$MODE" in
 rw)
   start_container_if_needed
 
-  # Ensure tmux session exists
-  if ! podman exec -it --user "$DEV_USER" "$WORKSPACE" tmux has-session -t "$TMUX_SESSION" 2>/dev/null; then
-    podman exec -it --user "$DEV_USER" "$WORKSPACE" \
-      tmux new-session -d -s "$TMUX_SESSION"
-  fi
-
   log INFO "$PERSON attaching to workspace '$WORKSPACE'"
+
+  # Try to attach to session; if it fails, create and attach
+  if ! podman exec -it -e TERM="$TERM" --user "$DEV_USER" "$WORKSPACE" \
+    tmux attach -t "$TMUX_SESSION"; then
+    log WARN "tmux session not found, creating new session"
+    podman exec -it --user "$DEV_USER" "$WORKSPACE" \
+      tmux new-session -d -s "$TMUX_SESSION" 2>/dev/null || true
     podman exec -it -e TERM="$TERM" --user "$DEV_USER" "$WORKSPACE" \
       tmux attach -t "$TMUX_SESSION"
+
+  fi
+
   log INFO "$PERSON detached from '$WORKSPACE'"
+
   check_devuser_attached
   ;;
 ro)