commit 3125470cfb575161c71235f817d2c079db59a4a9 Author: olli Date: Sun Jul 10 10:51:10 2022 +0200 first commit diff --git a/README.md b/README.md new file mode 100644 index 0000000..e69de29 diff --git a/sftp-share.yml b/sftp-share.yml new file mode 100644 index 0000000..6e29808 --- /dev/null +++ b/sftp-share.yml @@ -0,0 +1,194 @@ +--- +- name: sftp-share + hosts: jarvis.olmusic.de tor-nas.dedyn.io + tasks: + + - name: Allow all access to tcp port 28 + community.general.ufw: + rule: allow + port: '28' + proto: tcp + + - name: Create /home/docker/sftp-share dir + ansible.builtin.file: + path: /home/docker/sftp-share + owner: root + group: docker + state: directory + mode: '0550' + + - name: Create Data-Directory /home/docker/sftp-share/data + ansible.builtin.file: + path: /home/docker/sftp-share/data + owner: root + group: 28 + state: directory + mode: '0755' + + - name: Gen sshd ed25519 host-keys + ansible.builtin.shell: ssh-keygen -q -N "" -t ed25519 -f ssh_host_ed25519_key + args: + chdir: /home/docker/sftp-share + creates: /home/docker/sftp-share/ssh_host_ed25519_key + + - name: /home/docker/sftp-share/docker-compose.yml + blockinfile: + path: /home/docker/sftp-share/docker-compose.yml + mode: "0440" + owner: root + group: root + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + version: '3.6' + services: + sftp-share: + build: + context: . + dockerfile: Dockerfile + restart: unless-stopped + env_file: env + ports: + - "28:28" + volumes: + - /etc/localtime:/etc/localtime:ro + - ./ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key + - ./ssh_host_ed25519_key.pub:/etc/ssh/ssh_host_ed25519_key.pub + - ./sftp-share.conf:/etc/sftp-share.conf:ro + - ./sftp-share-user.conf:/etc/sftp-share-user.conf + - ./data:/sftp-share:rw + networks: + - sftp-share--network + + networks: + sftp-share--network: + driver: bridge + driver_opts: + com.docker.network.bridge.name: br-sftp-share + backup: yes + notify: + - Restart sftp-share + + - name: /home/docker/sftp-share/Dockerfile + blockinfile: + path: /home/docker/sftp-share/Dockerfile + mode: "0440" + owner: root + group: root + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + FROM debian:latest + RUN apt-get update \ + && apt-get install -y openssh-server strace \ + && groupadd -g 28 sftp-share \ + && mkdir -p -m0755 /run/sshd + ENV LANG en_US.utf8 + COPY ./docker-entrypoint.sh / + ENTRYPOINT ["/docker-entrypoint.sh"] + backup: yes + notify: + - Restart sftp-share + + - name: Create env file + copy: + content: "" + dest: /home/docker/sftp-share/env + force: no + group: root + owner: root + mode: 0600 + + - name: Create additional Config sftp-share-user.conf + copy: + content: "" + dest: /home/docker/sftp-share/sftp-share-user.conf + force: no + group: root + owner: root + mode: 0600 + + - name: /home/docker/sftp-share/docker-entrypoint.sh + blockinfile: + path: /home/docker/sftp-share/docker-entrypoint.sh + mode: "0555" + owner: root + group: root + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + ### create Users by ENV + # ToDo: LDAP-Integration + for SFTPUSERPW in $SFTPUSERS + do + SFTPUSER=$(echo ${SFTPUSERPW} | cut -d ":" -f1) + useradd -g sftp-share -G 33,101 -m -s /usr/sbin/nologin $SFTPUSER + echo ${SFTPUSERPW} | chpasswd + unset $SFTPUSERPW + done + unset $SFTPUSERS + ### Start SSHD/SFTP-Server + /usr/sbin/sshd -f /etc/sftp-share.conf -d + backup: yes + validate: /bin/bash -n %s + notify: + - Restart sftp-share + + - name: /home/docker/sftp-share/docker-entrypoint.sh shebang + lineinfile: + path: /home/docker/sftp-share/docker-entrypoint.sh + insertbefore: BOF + line: "#!/bin/bash" + + - name: /home/docker/sftp-share/sftp-share.conf + blockinfile: + path: /home/docker/sftp-share/sftp-share.conf + mode: "0500" + owner: root + group: root + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + Port 28 + Protocol 2 + PasswordAuthentication no + PubkeyAuthentication yes + UsePAM yes + PrintMotd no + PrintLastLog no + AcceptEnv LANG LC_* + AllowTcpForwarding no + AllowAgentForwarding no + AllowGroups sftp-share + IgnoreRhosts yes + PermitRootLogin no + PermitTunnel no + X11Forwarding no + Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007 + ForceCommand internal-sftp -f AUTH -l INFO -u 0007 + LogLevel VERBOSE + TCPKeepAlive no + ClientAliveCountMax 30 + ClientAliveInterval 60 + ## Ciphers Check https://sshcheck.com/server/gabosh.net/28 + KexAlgorithms curve25519-sha256@libssh.org + HostKeyAlgorithms ssh-ed25519 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com + #AuthenticationMethods publickey,keyboard-interactive + ChrootDirectory /sftp-share + + Include /etc/sftp-share-user.conf + backup: yes + validate: /usr/sbin/sshd -T -f %s + notify: + - Restart sftp-share + + + handlers: + + - name: Restart sftp-share + ansible.builtin.shell: docker-compose build --pull --no-cache --force-rm && docker-compose up -d + args: + chdir: /home/docker/sftp-share +