new: add doc to ``sftp`` charm

Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
3 years ago · 7981ed7dec
1 changed files with 75 additions and 0 deletions
--- a/sftp/README.org
+++ b/sftp/README.org
@ -0,0 +1,75 @@
+* Presentation
+
+This charm allows you to host a SFTP (using ssh) with it's own user
+database. They can be authenticated with a password or with a SSH key.
+
+You can choose exactly what data will be accessible to them by mount
+binding each directory you want to share from the host in their own
+home directory in the container. (see the examples).
+
+The permissions should be managed through group permissions, directly
+from the host and in the shared directory.
+
+Each user in the container will be part of multiple groups
+(configurable via the options of the charm in your service definition
+of the =compose.yml=), and the GID of the groups will be the same on
+the host and on the container.
+
+* Example configuration
+
+#+begin_src yaml
+  sftp:
+    docker-compose:
+      ports:
+        - "10622:22"
+      volumes:
+        ## Here we allow access to specific directories only by binding
+        ## them in their home directory:
+        - /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient1/www.myclientwebsite.com:rw
+        - /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient2/www.myclientwebsite.com:rw
+    options:
+      users:
+        myclient1:
+          ## These groups are created on the container with the given GID
+          ## Note that UID/GID are the same for the container and the host,
+          ## So don't forget to give the appropriate rights from the host on
+          ## the shared directory to ensure that access is effectively granted
+          ## as you want to the customer
+          groups:
+            - sftpaccess-rw:3000
+          password: FaKePaSSw0rdT0Ch4Ng3
+          keys:
+            - "ssh-rsa AAAAB3NzaC2yc2Z..."
+        myclient2:
+          ## These groups are created on the container with the given GID
+          ## Note that UID/GID are the same for the container and the host,
+          ## So don't forget to give the appropriate rights from the host on
+          ## the shared directory to ensure that access is effectively granted
+          ## as you want to the customer
+          groups:
+            - sftpaccess-rw:3000
+          password: FaKePaSSw0rdT0Ch4Ng3
+          keys:
+            - "ssh-rsa AAAAB3NzBC1yc2X..."
+#+end_src
+
+
+In this case, you'll need also to make sure to set up correctly the
+directories you shared, in this example, only
+=/srv/datastore/data/www/var/www/www.myclientwebsite.com= is shared :
+you are expected to set the permissions of the group identified by the
+id `3000`.
+
+Using getfacl/setfacl is the right tool most of the time. If you don't
+have it:
+
+#+begin_src sh
+apt-get install acl
+#+end_src
+
+Then, you could:
+
+#+begin_src sh
+find /srv/datastore/data/www/var/www/www.myclientwebsite.com -type d \
+    -exec getfacl -mR d:g:3000:rwx,d:g:3000:rwx
+#+end_src