* Presentation
This charm allows you to host an SFTP server (over SSH) with its own user
database. Users can be authenticated with a password or with an SSH key.
You choose exactly which data is accessible to them by bind mounting each
directory you want to share from the host into their home directory in
the container (see the examples).
Permissions should be managed through group permissions, directly from
the host and in the shared directory.
Each user in the container is a member of several groups (configurable
via the options of the charm in your service definition in the
=compose.yml=), and the GID of each group is the same on the host and in
the container.
* Example configuration
#+begin_src yaml
sftp:
  docker-compose:
    ports:
      - "10622:22"
    volumes:
      ## Here we allow access to specific directories only by binding
      ## them in their home directory:
      - /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient1/www.myclientwebsite.com:rw
      - /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient2/www.myclientwebsite.com:rw
  options:
    users:
      myclient1:
        ## These groups are created on the container with the given GID.
        ## Note that UID/GID are the same for the container and the host,
        ## so don't forget to give the appropriate rights from the host on
        ## the shared directory to ensure that access is effectively granted
        ## as you want to the customer.
        groups:
          - sftpaccess-rw:3000
        password: FaKePaSSw0rdT0Ch4Ng3
        keys:
          - "ssh-rsa AAAAB3NzaC2yc2Z..."
      myclient2:
        ## These groups are created on the container with the given GID.
        ## Note that UID/GID are the same for the container and the host,
        ## so don't forget to give the appropriate rights from the host on
        ## the shared directory to ensure that access is effectively granted
        ## as you want to the customer.
        groups:
          - sftpaccess-rw:3000
        password: FaKePaSSw0rdT0Ch4Ng3
        keys:
          - "ssh-rsa AAAAB3NzBC1yc2X..."
#+end_src
In this case, you also need to make sure the directories you shared are
set up correctly. In this example only
=/srv/datastore/data/www/var/www/www.myclientwebsite.com= is shared, and
you are expected to set the permissions for the group identified by the
id =3000= on it.
Using getfacl/setfacl is the right tool most of the time. If you don't
have them:
#+begin_src sh
apt-get install acl
#+end_src
Then, you could:
#+begin_src sh
## Grant group 3000 access to everything already in the tree (-R sets the
## access ACL on existing files and directories) and make the same grant
## the default ACL (d:) so files created later through SFTP inherit it.
## rwX gives execute only to directories and already-executable files, so
## plain data files do not become executable.
setfacl -R -m g:3000:rwX,d:g:3000:rwx \
    /srv/datastore/data/www/var/www/www.myclientwebsite.com
#+end_src
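As an added example (not part of the charm), a small Python pre-flight check over the =options= and =volumes= fragments shown above: it reads the users/groups/volumes fragment (embedded as a constructed dict rather than parsed from =compose.yml=) and flags the mistakes that would silently break access on the host side, such as one group name declared with two GIDs, a bind mount outside a declared user's home, or a user with neither a password nor a key. The =PLACEHOLDER_PASSWORD= constant, =HOME_RE= and =KEY_TYPES= are the example's own assumptions.

```python
import re
HOME_RE = re.compile(r"^/home/([^/]+)/.+")
KEY_TYPES = ("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-nistp256 ")
PLACEHOLDER_PASSWORD = "FaKePaSSw0rdT0Ch4Ng3"  # the README's example value
# Constructed sample mirroring the README (options.users + volumes), with
# four deliberate mistakes so the checker has something to report.
SAMPLE = {
    "volumes": [
        "/srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient1/www.myclientwebsite.com:rw",
        "/srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient2/www.myclientwebsite.com:rw",
        "/srv/datastore/data/other:/data/other:ro",  # not under a user's home
    ],
    "users": {
        "myclient1": {"groups": ["sftpaccess-rw:3000"], "password": PLACEHOLDER_PASSWORD,
                      "keys": ["ssh-rsa AAAAB3NzaC2yc2Z..."]},
        "myclient2": {"groups": ["sftpaccess-rw:3001"],  # same group, other GID
                      "keys": ["ssh-rsa AAAAB3NzBC1yc2X..."]},
        "myclient3": {"groups": ["sftpaccess-rw:3000"]},  # no credential at all
    },
}

def check_config(cfg):
    """Return a list of findings; an empty list means the options look consistent."""
    findings = []
    users = cfg.get("users", {})
    gid_by_group = {}
    for name, user in users.items():
        if not user.get("password") and not user.get("keys"):
            findings.append(f"{name}: no password and no SSH key, cannot log in")
        if user.get("password") == PLACEHOLDER_PASSWORD:
            findings.append(f"{name}: still uses the README placeholder password")
        for key in user.get("keys", []):
            if not key.startswith(KEY_TYPES):
                findings.append(f"{name}: unrecognised key format {key[:24]!r}")
        for entry in user.get("groups", []):
            group, _, gid = entry.partition(":")
            if not gid.isdigit():
                findings.append(f"{name}: group entry {entry!r} has no numeric GID")
                continue
            # The GID is what the host kernel sees on the bind mount, so a
            # group name must map to exactly one GID across all users.
            if gid_by_group.setdefault(group, gid) != gid:
                findings.append(f"group {group}: GID {gid_by_group[group]} vs {gid}")
    for volume in cfg.get("volumes", []):
        parts = volume.split(":")
        target = parts[1] if len(parts) > 1 else ""
        match = HOME_RE.match(target)
        if not match or match.group(1) not in users:
            findings.append(f"volume target {target!r} is not inside a declared user's home")
    return findings
```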