first commit
commit
3125470cfb
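--- /dev/null
+++ b/sftp-share.yml
@@ -0,0 +1,194 @@
+---
+- name: sftp-share
+hosts: jarvis.olmusic.de tor-nas.dedyn.io
+tasks:
+
+- name: Allow all access to tcp port 28
+community.general.ufw:
+rule: allow
+port: '28'
+proto: tcp
+
+- name: Create /home/docker/sftp-share dir
+ansible.builtin.file:
+path: /home/docker/sftp-share
+owner: root
+group: docker
+state: directory
+mode: '0550'
+
+- name: Create Data-Directory /home/docker/sftp-share/data
+ansible.builtin.file:
+path: /home/docker/sftp-share/data
+owner: root
+group: 28
+state: directory
+mode: '0755'
+
+- name: Gen sshd ed25519 host-keys
+ansible.builtin.shell: ssh-keygen -q -N "" -t ed25519 -f ssh_host_ed25519_key
+args:
+chdir: /home/docker/sftp-share
+creates: /home/docker/sftp-share/ssh_host_ed25519_key
+
+- name: /home/docker/sftp-share/docker-compose.yml
+blockinfile:
+path: /home/docker/sftp-share/docker-compose.yml
+mode: "0440"
+owner: root
+group: root
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK"
+block: |
+version: '3.6'
+services:
+sftp-share:
+build:
+context: .
+dockerfile: Dockerfile
+restart: unless-stopped
+env_file: env
+ports:
+- "28:28"
+volumes:
+- /etc/localtime:/etc/localtime:ro
+- ./ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
+- ./ssh_host_ed25519_key.pub:/etc/ssh/ssh_host_ed25519_key.pub
+- ./sftp-share.conf:/etc/sftp-share.conf:ro
+- ./sftp-share-user.conf:/etc/sftp-share-user.conf
+- ./data:/sftp-share:rw
+networks:
+- sftp-share--network
+
+networks:
+sftp-share--network:
+driver: bridge
+driver_opts:
+com.docker.network.bridge.name: br-sftp-share
+backup: yes
+notify:
+- Restart sftp-share
+
+- name: /home/docker/sftp-share/Dockerfile
+blockinfile:
+path: /home/docker/sftp-share/Dockerfile
+mode: "0440"
+owner: root
+group: root
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK"
+block: |
+FROM debian:latest
+RUN apt-get update \
+&& apt-get install -y openssh-server strace \
+&& groupadd -g 28 sftp-share \
+&& mkdir -p -m0755 /run/sshd
+ENV LANG en_US.utf8
+COPY ./docker-entrypoint.sh /
+ENTRYPOINT ["/docker-entrypoint.sh"]
+backup: yes
+notify:
+- Restart sftp-share
+
+- name: Create env file
+copy:
+content: ""
+dest: /home/docker/sftp-share/env
+force: no
+group: root
+owner: root
+mode: 0600
+
+- name: Create additional Config sftp-share-user.conf
+copy:
+content: ""
+dest: /home/docker/sftp-share/sftp-share-user.conf
+force: no
+group: root
+owner: root
+mode: 0600
+
+- name: /home/docker/sftp-share/docker-entrypoint.sh
+blockinfile:
+path: /home/docker/sftp-share/docker-entrypoint.sh
+mode: "0555"
+owner: root
+group: root
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK"
+block: |
+### create Users by ENV
+# ToDo: LDAP-Integration
+for SFTPUSERPW in $SFTPUSERS
+do
+SFTPUSER=$(echo ${SFTPUSERPW} | cut -d ":" -f1)
+useradd -g sftp-share -G 33,101 -m -s /usr/sbin/nologin $SFTPUSER
+echo ${SFTPUSERPW} | chpasswd
+unset $SFTPUSERPW
+done
+unset $SFTPUSERS
+### Start SSHD/SFTP-Server
+/usr/sbin/sshd -f /etc/sftp-share.conf -d
+backup: yes
+validate: /bin/bash -n %s
+notify:
+- Restart sftp-share
+
+- name: /home/docker/sftp-share/docker-entrypoint.sh shebang
+lineinfile:
+path: /home/docker/sftp-share/docker-entrypoint.sh
+insertbefore: BOF
+line: "#!/bin/bash"
+
+- name: /home/docker/sftp-share/sftp-share.conf
+blockinfile:
+path: /home/docker/sftp-share/sftp-share.conf
+mode: "0500"
+owner: root
+group: root
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK"
+block: |
+Port 28
+Protocol 2
+PasswordAuthentication no
+PubkeyAuthentication yes
+UsePAM yes
+PrintMotd no
+PrintLastLog no
+AcceptEnv LANG LC_*
+AllowTcpForwarding no
+AllowAgentForwarding no
+AllowGroups sftp-share
+IgnoreRhosts yes
+PermitRootLogin no
+PermitTunnel no
+X11Forwarding no
+Subsystem sftp internal-sftp -f AUTH -l INFO -u 0007
+ForceCommand internal-sftp -f AUTH -l INFO -u 0007
+LogLevel VERBOSE
+TCPKeepAlive no
+ClientAliveCountMax 30
+ClientAliveInterval 60
+## Ciphers Check https://sshcheck.com/server/gabosh.net/28
+KexAlgorithms curve25519-sha256@libssh.org
+HostKeyAlgorithms ssh-ed25519
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+#AuthenticationMethods publickey,keyboard-interactive
+ChrootDirectory /sftp-share
+
+Include /etc/sftp-share-user.conf
+backup: yes
+validate: /usr/sbin/sshd -T -f %s
+notify:
+- Restart sftp-share
+
+
+handlers:
+
+- name: Restart sftp-share
+ansible.builtin.shell: docker-compose build --pull --no-cache --force-rm && docker-compose up -d
+args:
+chdir: /home/docker/sftp-share
+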
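Review bot: In the docker-entrypoint.sh block, `unset $SFTPUSERPW` and `unset $SFTPUSERS` expand the variable first and so try to unset a variable named after the `user:password` value, leaving the cleartext credential list in the environment that the following `sshd` inherits; the intended lines are `unset SFTPUSERPW` and `unset SFTPUSERS`. The `/usr/sbin/sshd -f /etc/sftp-share.conf -d` on the next line is sshd's debug mode, which serves a single connection and then exits, so `restart: unless-stopped` would relaunch the container per session; a foreground daemon is `exec /usr/sbin/sshd -D -e -f /etc/sftp-share.conf`. In sftp-share.conf, `PasswordAuthentication no` together with `UsePAM yes` does not by itself disable password logins, because PAM keyboard-interactive authentication stays enabled by default — presumably that is how the chpasswd-set passwords are meant to be used, but it should be stated explicitly with a `KbdInteractiveAuthentication` line or by uncommenting the `AuthenticationMethods` line rather than left implicit. The Dockerfile block also builds from an unpinned `debian:latest` and installs `strace` into the image; pinning the base and dropping the debugging tool would shrink what ships in the SFTP container.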