✨ Add SFTP

Author: kevinkupski

README.md

@@ -9,7 +9,9 @@
 
 * [SSH-Proxy](ssh-proxy/README.md)
 
+## Data Transfer Applications
+* [SFTP](sftp/README.md)
+
 ## 3rd-party Tools
 
 * [Graylog](graylog/README.md)
-

sftp/.gitignore

@@ -0,0 +1,3 @@
+key
+key.pub
+authorized_keys

sftp/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:3.14
+RUN apk add --update openssh bash shadow && \
+    rm -rf /var/cache/apk/* && \
+    adduser -u 1000 -g 1000 -D -s /sbin/nologin data && \
+    usermod -p '*' data && \
+    mkdir /app
+WORKDIR /app
+COPY docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

sftp/README.md

@@ -0,0 +1,67 @@
+# SFTP
+
+This is an example of deploying an SFTP service on SetOps using [OpenSSH](https://www.openssh.com/). It is helpful if you want transfer files between an app and a SFTP client. This solution utilizes the SetOps volume service to share files between the SFTP app and another app.
+
+## Setup
+
+1. Create the app and make it public available via tcp. Only do a changeset commit after you set the protocol. Otherwise the protocol is set to `http` and cannot be changed anymore.
+
+    ```shell
+    setops -p <PROJECT> -s <STAGE> app:create sftp
+
+    setops -p <PROJECT> -s <STAGE> --app sftp network:set protocol tcp
+    setops -p <PROJECT> -s <STAGE> --app sftp network:set public true
+    setops -p <PROJECT> -s <STAGE> --app sftp network:set port 12345
+    ```
+
+1. Mount the existing volume to the SFTP app to `/data`:
+
+    ```shell
+    setops -p <PROJECT> -s <STAGE> --app sftp link:create volume --path /data [--read-only]
+    ```
+
+1. Set the environment variables:
+
+    ```text
+    # one of
+    SSH_ECDSA_HOST_KEY: <see hint>
+    SSH_ED25519_HOST_KEY: <see hint>
+    SSH_RSA_HOST_KEY: <see hint>
+
+    (optional) SSH_PASSWORD: <see hint>
+    (optional) SSH_AUTHORIZED_KEYS: <see hint>
+    ```
+
+    > Hint:
+    >
+    > `SSH_ECDSA_HOST_KEY`: SSH server host key (generate with `ssh-keygen -t ecdsa -b 521 -f key` without passphrase), encode to base64 with `base64 --break=0 < key`
+    > `SSH_ED25519_HOST_KEY`: SSH server host key (generate with `ssh-keygen -t ed25519 -f key` without passphrase), encode to base64 with `base64 --break=0 < key`
+    > `SSH_RSA_HOST_KEY`: SSH server host key (generate with `ssh-keygen -t rsa -b 4096 -f key` without passphrase), encode to base64 with `base64 --break=0 < key`
+    >
+    > `SSH_PASSWORD`: random (e.g. 16 character) password (generate with `pwgen 16 1`)
+    >
+    > `SSH_AUTHORIZED_KEYS`: SSH public keys files, encode to base64 with `base64 --break=0 < authorized_keys`
+
+    Use the `setops -p <PROJECT> -s <STAGE> --app sftp env:set <var>:<value>` to set the values. The port of the SFTP server is gathered by using the `$PORT` environment variables.
+
+1. Commit your changes with `setops -p <PROJECT> -s <STAGE> changeset:commit`.
+
+1. Build & Deploy the SFTP app using:
+
+    ```shell
+    docker build -t <CLIENT>.setops.net/<PROJECT>/<STAGE>/sftp .
+    docker push <CLIENT>.setops.net/<PROJECT>/<STAGE>/sftp
+
+    setops -p <PROJECT> -s <STAGE> --app sftp release:create sha256:<sha>
+    setops -p <PROJECT> -s <STAGE> --app sftp release:activate 1
+    setops -p <PROJECT> -s <STAGE> changeset:commit
+    ```
+
+## Connection
+
+To connect to the SFTP server, use the following settings:
+
+- Server: run `setops -p <PROJECT> -s <STAGE> --app sftp domain` to get the domain
+- User: `data`
+- Auth: either use the password you provided (via the `SSH_PASSWORD` env variable) or a client with the your SSH private key
+- Port: see App Network Port (`app:info sftp`, default `5000`)

sftp/docker-entrypoint.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+main() {
+  echo "Prepare server config"
+  cat << EOF > /etc/ssh/sshd_config
+Protocol 2
+UseDNS no
+MaxAuthTries 5
+LoginGraceTime 60
+MaxSessions 5
+MaxStartups 10:30:60
+LogLevel INFO
+Subsystem sftp internal-sftp
+ChrootDirectory /data
+EOF
+
+  echo "Setting port"
+  echo "Port $PORT" >> /etc/ssh/sshd_config
+
+  echo "Setting host keys"
+  if [ -z "${SSH_ECDSA_HOST_KEY=}" ] && [ -z "${SSH_ED25519_HOST_KEY=}" ] && [ -z "${SSH_RSA_HOST_KEY=}" ]; then
+    echo "> No host key was set. Expecting at least one of SSH_ECDSA_HOST_KEY, SSH_ED25519_HOST_KEY, SSH_RSA_HOST_KEY."
+    exit 1
+  fi
+  if [ ! -z "${SSH_ECDSA_HOST_KEY=}" ]; then
+    base64 -d <<< "$SSH_ECDSA_HOST_KEY" > /etc/ssh/ssh_host_ecdsa_key
+    chmod 600 /etc/ssh/ssh_host_ecdsa_key
+    echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> /etc/ssh/sshd_config
+  fi
+  if [ ! -z "${SSH_ED25519_HOST_KEY=}" ]; then
+    base64 -d <<< "$SSH_ED25519_HOST_KEY" > /etc/ssh/ssh_host_ed25519_key
+    chmod 600 /etc/ssh/ssh_host_ed25519_key
+    echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config
+  fi
+  if [ ! -z "${SSH_RSA_HOST_KEY=}" ]; then
+    base64 -d <<< "$SSH_RSA_HOST_KEY" > /etc/ssh/ssh_host_rsa_key
+    chmod 600 /etc/ssh/ssh_host_rsa_key
+    echo "HostKey /etc/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config
+  fi
+
+  echo "Setting authorized_keys for user data"
+  touch /etc/ssh/authorized_keys
+  if [ ! -z "${SSH_AUTHORIZED_KEYS=}" ]; then
+    base64 -d <<< "$SSH_AUTHORIZED_KEYS" > /etc/ssh/authorized_keys
+  else
+    echo "> Skipping because SSH_AUTHORIZED_KEYS is unset"
+  fi
+  chown data:root /etc/ssh/authorized_keys
+  chmod 600 /etc/ssh/authorized_keys
+
+  echo "Setting password for user data"
+  if [ ! -z "${SSH_PASSWORD=}" ]; then
+    echo "data:$SSH_PASSWORD" | chpasswd
+    echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
+    echo "ChallengeResponseAuthentication yes" >> /etc/ssh/sshd_config
+  else
+    echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+    echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
+    echo "> Password auth deactivated since no password was provided"
+  fi
+
+  echo "Setting user config"
+  cat << EOF >> /etc/ssh/sshd_config
+AllowUsers data
+Match User data
+  ForceCommand internal-sftp -l INFO
+  AllowTcpForwarding no
+  PermitTunnel no
+  X11Forwarding no
+  AuthorizedKeysFile /etc/ssh/authorized_keys
+EOF
+
+  printf "\n------------ Generated config ------------\n"
+  cat /etc/ssh/sshd_config
+  printf "\n------------------------------------------\n\n"
+
+  echo "Starting sshd..."
+  exec /usr/sbin/sshd -D
+}
+
+main "$@"