0k
/
0k-charms
6
3
Fork 2
Code Issues 11 Pull Requests 6 Releases Wiki Activity
Browse Source

new: [sftp] compose ready charm

framadate
Valentin Lab 5 years ago
parent
0070661495
commit
c770f2c170
5 changed files with 141 additions and 46 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      sftp/build/Dockerfile
  2. 8
      sftp/build/src/etc/ssh/sshd_config
  3. 51
      sftp/hooks/init
  4. 114
      sftp/lib/common
  5. 4
      sftp/metadata.yml

10
sftp/build/Dockerfile
View File

@ -0,0 +1,10 @@
FROM alpine:3.7
RUN apk add --no-cache openssh openssh-sftp-server
RUN ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' && \
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
COPY src/ .
CMD /usr/sbin/sshd -D -e

8
sftp/build/src/etc/ssh/sshd_config
View File

@ -0,0 +1,8 @@
UseDNS no
PermitRootLogin no
Subsystem sftp internal-sftp
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

51
sftp/hooks/init
View File

@ -11,53 +11,18 @@
## - SERVICE_CONFIGSTORE Location on host of the CONFIGSTORE of this service
. lib/common
set -e
service_def=$(get_compose_service_def "$SERVICE_NAME")
users_def=$(echo "$service_def" | shyaml get-value options.users 2>/dev/null) || true
users_file="$SERVICE_CONFIGSTORE/etc/sftp-users.conf"
echo | file_put "$users_file"
rm -f "$SERVICE_DATASTORE/home/"*"/.ssh/authorized_keys"
[ "$users_def" ] || exit 0
rm -f "$users_file"
volume_keys=()
while read-0 login user_def; do
key_nb=0
local_path_key="/home/$login/.ssh/keys"
host_path_key="$SERVICE_CONFIGSTORE${local_path_key}"
while read-0 key; do
debug "Creating login key ${key_nb} for '$login'" || true
echo "$key" | file_put "$host_path_key/key_${key_nb}.pub"
((key_nb++)) || true
done < <(echo "$user_def" | shyaml get-values-0 keys)
volume_keys+=("$host_path_key:$local_path_key:ro")
gids=()
while read-0 group; do
if ! group_ent=$(getent group "$group"); then
debug groupadd -K GID_MIN=3000 -K GID_MAX=4000 "$group"
groupadd -K GID_MIN=3000 -K GID_MAX=4000 "$group"
group_ent=$(getent group "$group")
fi
gids+=("$(echo "$group_ent" | cut -f3 -d:)")
done < <(echo "$user_def" | shyaml get-values-0 groups 2>/dev/null)
password=$(echo "$user_def" | shyaml get-value password 2>/dev/null) ||
password=$(gen_password 14)
line="$login:$password::$(echo "${gids[@]}" | tr " " ",")"
debug "Adding line: $line"
echo "$line" >> "$users_file"
done < <(echo "$users_def" | shyaml key-values-0)
init-config-add "\
$SERVICE_NAME:
volumes:
$(for volume in "${volume_keys[@]}"; do
echo " - $volume"
done)
"
build_script="$(make_build_script "$users_def")" || exit 1
echo "build-script:" >&2
echo "$build_script" | prefix " $GRAY|$NORMAL " >&2
docker_update "$SERVICE_NAME" "$build_script" -v "$SERVICE_DATASTORE/home":"/home" || exit 1

114
sftp/lib/common
View File

@ -0,0 +1,114 @@
# -*- mode: shell-script -*-
make_build_script() {
local users_def="$1" cache_file="$CACHEDIR/$FUNCNAME.cache.$(p0 "$@" | md5_compat)"
if [ -e "$cache_file" ]; then
#debug "$FUNCNAME: STATIC cache hit"
cat "$cache_file" &&
touch "$cache_file" || return 1
return 0
fi
local users_def="$1" \
code fixed_groups_code groups_code volume_keys \
created_groups first_group
if [ -z "$users_def" ]; then
return 0
fi
e "set -eux"$'\n'
code=""
fixed_groups_code=""
groups_code=""
volume_keys=()
declare -A created_groups
while read-0 user user_def; do
code+="mkdir -p \"/home/$user\""$'\n'
##
## Group management
##
first_group=
groups=()
first=1
while read-0 group; do
[ "${created_groups[$group]}" ] && continue
if [[ "$group" == *":"* ]]; then
gid=${group##*:}
group=${group%%:*}
fixed_groups_code+="addgroup -g \"$gid\" \"$group\""$'\n'
else
groups_code+="addgroup \"$group\""$'\n'
fi
created_groups[$group]=1
if [ "$first" ]; then
first_group="$group"
first=
else
remaining_groups+=("$group")
fi
groups+=("$group")
done < <(echo "$user_def" | shyaml get-values-0 groups 2>/dev/null)
##
## User create commands
##
uid=$(echo "$user_def" | shyaml get-value uid 2>/dev/null)
useradd_options=(
"-D" ## don't assign a password
"-s" "/bin/false" ## default shell
)
if [ "$uid" ]; then
useradd_options+=("-u" "$uid") ## force uid
fi
if [ "$first_group" ]; then
useradd_options+=("-G" "$first_group") ## force main group
fi
code+="adduser ${useradd_options[*]} \"$user\""$'\n'
if [ "$allow_writeable_chroot" ]; then
code+="chown $user \"/home/$user\""$'\n' ## sanitize
else
code+="chown root:root \"/home/$user\""$'\n' ## sanitize
fi
code+="chmod 755 \"/home/$user\""$'\n' ## sanitize
password=$(echo "$user_def" | shyaml get-value password 2>/dev/null) ||
password=$(gen_password 14)
code+="echo '$user:$password' | chpasswd"$'\n'
for group in "${remaining_groups[@]}"; do
code+="adduser \"$user\" \"$group\""$'\n'
done
##
## Key managements
##
while read-0 key; do
keys+="$key"$'\n'
done < <(echo "$user_def" | shyaml get-values-0 -q keys)
if [ "$keys" ]; then
code+="mkdir -p \"/home/$user/.ssh\""$'\n'
code+="cat <<EOF > /home/$user/.ssh/authorized_keys"$'\n'
code+="$keys"
code+="EOF"$'\n'
# code+="chown $user /home/$user/.ssh/authorized_keys"$'\n'
code+="chmod 644 /home/$user/.ssh/authorized_keys"$'\n'
code+="chmod 755 /home/$user/.ssh"$'\n'
fi
done < <(echo "$users_def" | shyaml key-values-0)
{
echo -n "$fixed_groups_code"
echo -n "$groups_code"
echo -n "$code"
} | tee "$cache_file"
}

4
sftp/metadata.yml
View File

@ -1,8 +1,6 @@
docker-image: docker.0k.io/sftp:carif
config-resources:
- /etc/sftp-users.conf
data-resources:
- /home
provides:
sftp-access:
tech-dep: False
Write Preview
Loading…
Cancel
Save