Browse Source

new: [sftp] compose ready charm

framadate
Valentin Lab 6 years ago
parent
commit
c770f2c170
  1. 10
      sftp/build/Dockerfile
  2. 8
      sftp/build/src/etc/ssh/sshd_config
  3. 51
      sftp/hooks/init
  4. 114
      sftp/lib/common
  5. 4
      sftp/metadata.yml

10
sftp/build/Dockerfile

@ -0,0 +1,10 @@
FROM alpine:3.7
RUN apk add --no-cache openssh openssh-sftp-server
RUN ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' && \
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
COPY src/ .
CMD /usr/sbin/sshd -D -e

8
sftp/build/src/etc/ssh/sshd_config

@ -0,0 +1,8 @@
UseDNS no
PermitRootLogin no
Subsystem sftp internal-sftp
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

51
sftp/hooks/init

@ -11,53 +11,18 @@
## - SERVICE_CONFIGSTORE Location on host of the CONFIGSTORE of this service
. lib/common
set -e
service_def=$(get_compose_service_def "$SERVICE_NAME")
users_def=$(echo "$service_def" | shyaml get-value options.users 2>/dev/null) || true
users_file="$SERVICE_CONFIGSTORE/etc/sftp-users.conf"
echo | file_put "$users_file"
rm -f "$SERVICE_DATASTORE/home/"*"/.ssh/authorized_keys"
[ "$users_def" ] || exit 0
rm -f "$users_file"
volume_keys=()
while read-0 login user_def; do
key_nb=0
local_path_key="/home/$login/.ssh/keys"
host_path_key="$SERVICE_CONFIGSTORE${local_path_key}"
while read-0 key; do
debug "Creating login key ${key_nb} for '$login'" || true
echo "$key" | file_put "$host_path_key/key_${key_nb}.pub"
((key_nb++)) || true
done < <(echo "$user_def" | shyaml get-values-0 keys)
volume_keys+=("$host_path_key:$local_path_key:ro")
gids=()
while read-0 group; do
if ! group_ent=$(getent group "$group"); then
debug groupadd -K GID_MIN=3000 -K GID_MAX=4000 "$group"
groupadd -K GID_MIN=3000 -K GID_MAX=4000 "$group"
group_ent=$(getent group "$group")
fi
gids+=("$(echo "$group_ent" | cut -f3 -d:)")
done < <(echo "$user_def" | shyaml get-values-0 groups 2>/dev/null)
password=$(echo "$user_def" | shyaml get-value password 2>/dev/null) ||
password=$(gen_password 14)
line="$login:$password::$(echo "${gids[@]}" | tr " " ",")"
debug "Adding line: $line"
echo "$line" >> "$users_file"
done < <(echo "$users_def" | shyaml key-values-0)
init-config-add "\
$SERVICE_NAME:
volumes:
$(for volume in "${volume_keys[@]}"; do
echo " - $volume"
done)
"
build_script="$(make_build_script "$users_def")" || exit 1
echo "build-script:" >&2
echo "$build_script" | prefix " $GRAY|$NORMAL " >&2
docker_update "$SERVICE_NAME" "$build_script" -v "$SERVICE_DATASTORE/home":"/home" || exit 1

114
sftp/lib/common

@ -0,0 +1,114 @@
# -*- mode: shell-script -*-
make_build_script() {
local users_def="$1" cache_file="$CACHEDIR/$FUNCNAME.cache.$(p0 "$@" | md5_compat)"
if [ -e "$cache_file" ]; then
#debug "$FUNCNAME: STATIC cache hit"
cat "$cache_file" &&
touch "$cache_file" || return 1
return 0
fi
local users_def="$1" \
code fixed_groups_code groups_code volume_keys \
created_groups first_group
if [ -z "$users_def" ]; then
return 0
fi
e "set -eux"$'\n'
code=""
fixed_groups_code=""
groups_code=""
volume_keys=()
declare -A created_groups
while read-0 user user_def; do
code+="mkdir -p \"/home/$user\""$'\n'
##
## Group management
##
first_group=
groups=()
first=1
while read-0 group; do
[ "${created_groups[$group]}" ] && continue
if [[ "$group" == *":"* ]]; then
gid=${group##*:}
group=${group%%:*}
fixed_groups_code+="addgroup -g \"$gid\" \"$group\""$'\n'
else
groups_code+="addgroup \"$group\""$'\n'
fi
created_groups[$group]=1
if [ "$first" ]; then
first_group="$group"
first=
else
remaining_groups+=("$group")
fi
groups+=("$group")
done < <(echo "$user_def" | shyaml get-values-0 groups 2>/dev/null)
##
## User create commands
##
uid=$(echo "$user_def" | shyaml get-value uid 2>/dev/null)
useradd_options=(
"-D" ## don't assign a password
"-s" "/bin/false" ## default shell
)
if [ "$uid" ]; then
useradd_options+=("-u" "$uid") ## force uid
fi
if [ "$first_group" ]; then
useradd_options+=("-G" "$first_group") ## force main group
fi
code+="adduser ${useradd_options[*]} \"$user\""$'\n'
if [ "$allow_writeable_chroot" ]; then
code+="chown $user \"/home/$user\""$'\n' ## sanitize
else
code+="chown root:root \"/home/$user\""$'\n' ## sanitize
fi
code+="chmod 755 \"/home/$user\""$'\n' ## sanitize
password=$(echo "$user_def" | shyaml get-value password 2>/dev/null) ||
password=$(gen_password 14)
code+="echo '$user:$password' | chpasswd"$'\n'
for group in "${remaining_groups[@]}"; do
code+="adduser \"$user\" \"$group\""$'\n'
done
##
## Key managements
##
while read-0 key; do
keys+="$key"$'\n'
done < <(echo "$user_def" | shyaml get-values-0 -q keys)
if [ "$keys" ]; then
code+="mkdir -p \"/home/$user/.ssh\""$'\n'
code+="cat <<EOF > /home/$user/.ssh/authorized_keys"$'\n'
code+="$keys"
code+="EOF"$'\n'
# code+="chown $user /home/$user/.ssh/authorized_keys"$'\n'
code+="chmod 644 /home/$user/.ssh/authorized_keys"$'\n'
code+="chmod 755 /home/$user/.ssh"$'\n'
fi
done < <(echo "$users_def" | shyaml key-values-0)
{
echo -n "$fixed_groups_code"
echo -n "$groups_code"
echo -n "$code"
} | tee "$cache_file"
}

4
sftp/metadata.yml

@ -1,8 +1,6 @@
docker-image: docker.0k.io/sftp:carif
config-resources:
- /etc/sftp-users.conf
data-resources:
- /home
provides:
sftp-access:
tech-dep: False
Loading…
Cancel
Save