first commit

sftp-share.yml

@@ -0,0 +1,194 @@
+---
+- name: sftp-share
+  hosts: jarvis.olmusic.de tor-nas.dedyn.io
+  tasks:
+
+  - name: Allow all access to tcp port 28
+    community.general.ufw:
+      rule: allow
+      port: '28'
+      proto: tcp
+
+  - name: Create /home/docker/sftp-share dir
+    ansible.builtin.file:
+      path: /home/docker/sftp-share
+      owner: root
+      group: docker
+      state: directory
+      mode: '0550'
+
+  - name: Create Data-Directory /home/docker/sftp-share/data
+    ansible.builtin.file:
+      path: /home/docker/sftp-share/data
+      owner: root
+      group: 28
+      state: directory
+      mode: '0755'
+
+  - name: Gen sshd ed25519 host-keys
+    ansible.builtin.shell: ssh-keygen -q -N "" -t ed25519 -f ssh_host_ed25519_key
+    args:
+      chdir: /home/docker/sftp-share
+      creates: /home/docker/sftp-share/ssh_host_ed25519_key
+
+  - name: /home/docker/sftp-share/docker-compose.yml
+    blockinfile:
+      path: /home/docker/sftp-share/docker-compose.yml
+      mode: "0440"
+      owner: root
+      group: root
+      create: yes
+      marker: "# {mark} ANSIBLE MANAGED BLOCK"
+      block: |
+        version: '3.6'
+        services:
+          sftp-share:
+            build:
+              context: .
+              dockerfile: Dockerfile
+            restart: unless-stopped
+            env_file: env
+            ports: 
+              - "28:28"
+            volumes:
+              - /etc/localtime:/etc/localtime:ro
+              - ./ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
+              - ./ssh_host_ed25519_key.pub:/etc/ssh/ssh_host_ed25519_key.pub
+              - ./sftp-share.conf:/etc/sftp-share.conf:ro
+              - ./sftp-share-user.conf:/etc/sftp-share-user.conf
+              - ./data:/sftp-share:rw
+            networks:
+              - sftp-share--network
+        
+        networks:
+          sftp-share--network:
+            driver: bridge
+            driver_opts:
+              com.docker.network.bridge.name: br-sftp-share
+      backup: yes
+    notify:
+    - Restart sftp-share
+
+  - name: /home/docker/sftp-share/Dockerfile
+    blockinfile:
+      path: /home/docker/sftp-share/Dockerfile
+      mode: "0440"
+      owner: root
+      group: root
+      create: yes
+      marker: "# {mark} ANSIBLE MANAGED BLOCK"
+      block: |
+        FROM debian:latest
+        RUN apt-get update \
+            && apt-get install -y openssh-server strace \
+            && groupadd -g 28 sftp-share \
+            && mkdir -p -m0755 /run/sshd
+        ENV LANG en_US.utf8
+        COPY ./docker-entrypoint.sh /
+        ENTRYPOINT ["/docker-entrypoint.sh"]
+      backup: yes
+    notify:
+    - Restart sftp-share
+
+  - name: Create env file
+    copy:
+      content: ""
+      dest: /home/docker/sftp-share/env
+      force: no
+      group: root
+      owner: root
+      mode: 0600
+
+  - name: Create additional Config sftp-share-user.conf
+    copy:
+      content: ""
+      dest: /home/docker/sftp-share/sftp-share-user.conf
+      force: no
+      group: root
+      owner: root
+      mode: 0600
+
+  - name: /home/docker/sftp-share/docker-entrypoint.sh
+    blockinfile:
+      path: /home/docker/sftp-share/docker-entrypoint.sh
+      mode: "0555"
+      owner: root
+      group: root
+      create: yes
+      marker: "# {mark} ANSIBLE MANAGED BLOCK"
+      block: |
+        ### create Users by ENV
+        # ToDo: LDAP-Integration
+        for SFTPUSERPW in $SFTPUSERS
+        do
+          SFTPUSER=$(echo ${SFTPUSERPW} | cut -d ":" -f1)
+          useradd -g sftp-share -G 33,101 -m -s /usr/sbin/nologin $SFTPUSER
+          echo ${SFTPUSERPW} | chpasswd
+          unset $SFTPUSERPW
+        done
+        unset $SFTPUSERS
+        ### Start SSHD/SFTP-Server
+        /usr/sbin/sshd -f /etc/sftp-share.conf -d
+      backup: yes
+      validate: /bin/bash -n %s
+    notify:
+    - Restart sftp-share
+
+  - name: /home/docker/sftp-share/docker-entrypoint.sh shebang
+    lineinfile:
+      path: /home/docker/sftp-share/docker-entrypoint.sh
+      insertbefore: BOF
+      line: "#!/bin/bash"
+
+  - name: /home/docker/sftp-share/sftp-share.conf
+    blockinfile:
+      path: /home/docker/sftp-share/sftp-share.conf
+      mode: "0500"
+      owner: root
+      group: root
+      create: yes
+      marker: "# {mark} ANSIBLE MANAGED BLOCK"
+      block: |
+        Port 28
+        Protocol 2
+        PasswordAuthentication no
+        PubkeyAuthentication yes
+        UsePAM yes
+        PrintMotd no
+        PrintLastLog no
+        AcceptEnv LANG LC_*
+        AllowTcpForwarding no
+        AllowAgentForwarding no
+        AllowGroups sftp-share
+        IgnoreRhosts yes
+        PermitRootLogin no
+        PermitTunnel no
+        X11Forwarding no
+        Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
+        ForceCommand internal-sftp -f AUTH -l INFO -u 0007
+        LogLevel VERBOSE
+        TCPKeepAlive no
+        ClientAliveCountMax 30
+        ClientAliveInterval 60
+        ## Ciphers Check https://sshcheck.com/server/gabosh.net/28
+        KexAlgorithms curve25519-sha256@libssh.org
+        HostKeyAlgorithms ssh-ed25519
+        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+        #AuthenticationMethods publickey,keyboard-interactive
+        ChrootDirectory /sftp-share
+
+        Include /etc/sftp-share-user.conf
+      backup: yes
+      validate: /usr/sbin/sshd -T -f %s
+    notify:
+    - Restart sftp-share
+
+  
+  handlers:
+
+  - name: Restart sftp-share
+    ansible.builtin.shell: docker-compose build --pull --no-cache --force-rm && docker-compose up -d
+    args:
+      chdir: /home/docker/sftp-share
+