From 8d3acfbd5d075d5ab5ac672f461adf8adcc2f9a8 Mon Sep 17 00:00:00 2001
From: marlon
Date: Wed, 22 Jan 2025 21:59:44 -0500
Subject: [PATCH 1/3] add optional feature for sftp webroot access, wip

---
 .env.sample      |  7 ++++++-
 compose.sftp.yml | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 compose.sftp.yml

diff --git a/.env.sample b/.env.sample
index 3992a83..6b27e7b 100644
--- a/.env.sample
+++ b/.env.sample
@@ -25,4 +25,9 @@ COMPOSE_FILE="compose.yml"
 #REDIRECT_TYPE=permanent
 
 # Optionally handle all URL requests using a single file (commonly index.html)
-#SINGLE_PAGE_SITE_HANDLER=/index.html
\ No newline at end of file
+#SINGLE_PAGE_SITE_HANDLER=/index.html
+
+# Enable an SSH server to allow SFTP uploads to the web root
+#COMPOSE_FILE="$COMPOSE_FILE:compose.sftp.yml"
+#SECRET_SSH_PASSWORD_VERSION=v1
+#SSH_PORT="2222" # this doesn't work yet, maybe an abra bug?
\ No newline at end of file
diff --git a/compose.sftp.yml b/compose.sftp.yml
new file mode 100644
index 0000000..10b1a12
--- /dev/null
+++ b/compose.sftp.yml
@@ -0,0 +1,34 @@
+version: "3.8"
+services:
+  ssh:
+    image: lscr.io/linuxserver/openssh-server:latest
+    networks:
+      - proxy
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      - PASSWORD_ACCESS=true
+      - USER_PASSWORD_FILE=/run/secrets/ssh_password
+      - USER_NAME=sftp
+    secrets:
+      - ssh_password
+    volumes:
+      - content:/content
+    ports:
+      - 2220:2222
+    deploy:
+      restart_policy:
+        condition: on-failure
+
+secrets:
+  ssh_password:
+    external: true
+    name: ${STACK_NAME}_ssh_password_${SECRET_SSH_PASSWORD_VERSION}
+
+volumes:
+  content:
+
+networks:
+  proxy:
+    external: true
From 29c403000908b66438c5e66de869bce793e5a288 Mon Sep 17 00:00:00 2001
From: maximumultraist
Date: Sat, 25 Jan 2025 00:13:24 -0500
Subject: [PATCH 2/3] Fix owner on /content

---
 compose.sftp.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
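Review bot: The `ssh` service in the new compose.sftp.yml joins the external `proxy` network (`networks: - proxy`) although clients reach it through the published `ports: - 2220:2222`, not through the reverse proxy; if nothing on that overlay needs to talk to sshd, dropping the two `networks` lines under the service (and the `networks:` declaration at the bottom) keeps the SSH container off the network that every other proxied stack shares. The image is pulled as `lscr.io/linuxserver/openssh-server:latest`, so each deploy may run a different sshd build; pinning a version tag or digest makes the deployment reproducible and reviewable. Quoting the port mapping, `- "2220:2222"`, is also the conventional defensive form for Compose files.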
diff --git a/compose.sftp.yml b/compose.sftp.yml
index 10b1a12..7a8fca7 100644
--- a/compose.sftp.yml
+++ b/compose.sftp.yml
@@ -14,12 +14,27 @@ services:
     secrets:
       - ssh_password
     volumes:
-      - content:/content
+      - content:/content:rw
     ports:
       - 2220:2222
     deploy:
       restart_policy:
         condition: on-failure
+  # The following is an admittedly hacky way of setting the owner
+  # of the `content` volume to the unprivileged `sftp` user, so
+  # that content can be transferred through the unprivileged sshd process
+  # using `scp` etc.
+  sshstart:
+    image: lscr.io/linuxserver/openssh-server:latest
+    user: root
+    depends_on:
+      - ssh
+    deploy:
+      restart_policy:
+        condition: none
+    volumes:
+      - content:/content:rw
+    entrypoint: [ "bash", "-c", "sleep 10 && chown -R 1000:1000 /content"]
 
 secrets:
   ssh_password:
From ba1c22690b75835206e5da552ebd81bbb26e8aab Mon Sep 17 00:00:00 2001
From: marlon
Date: Sat, 25 Jan 2025 18:51:02 -0500
Subject: [PATCH 3/3] switched to key-based auth for SSH, added docs

---
 .env.sample      |  3 +--
 README.md        | 15 +++++++++++++++
 compose.sftp.yml | 10 +---------
 3 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/.env.sample b/.env.sample
index 6b27e7b..98d1b56 100644
--- a/.env.sample
+++ b/.env.sample
@@ -29,5 +29,4 @@ COMPOSE_FILE="compose.yml"
 
 # Enable an SSH server to allow SFTP uploads to the web root
 #COMPOSE_FILE="$COMPOSE_FILE:compose.sftp.yml"
-#SECRET_SSH_PASSWORD_VERSION=v1
-#SSH_PORT="2222" # this doesn't work yet, maybe an abra bug?
\ No newline at end of file
+#PUBLIC_KEY="ssh-ed25519 AAAAC3NzaJ1lZDI1NTE5AAAAIXqf4nxUxuGmLOaxXXXXXXXXoM/GwhcrAgmtbgXToaYmCJ user@host" # Replace with a public key you generate
\ No newline at end of file
diff --git a/README.md b/README.md
index 51d2480..c375358 100644
--- a/README.md
+++ b/README.md
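Review bot: The `sshstart` helper relies on timing rather than ordering: `depends_on` is not honoured when a stack is deployed in swarm mode (which the `deploy:` keys and `${STACK_NAME}` suggest is the case here), so `sleep 10 && chown -R 1000:1000 /content` simply races the `ssh` service, and with `restart_policy: condition: none` a run that fails or fires too early is never retried and leaves no visible error. Since this is a `user: root` container with the web root mounted read-write, the comment block above `sshstart:` should at least state the assumption, e.g. `# NOTE: depends_on is ignored by swarm; the sleep is a best-effort delay, not an ordering guarantee`. The helper also pulls the unpinned `:latest` tag, so the same pinning as for the `ssh` service applies.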
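Review bot: The new `PUBLIC_KEY` line carries a shell-style comment after the closing quote (`... user@host" # Replace with a public key you generate`); whether an env-file loader strips that trailing comment or keeps it as part of the value varies between parsers, so what reaches the container's `PUBLIC_KEY` is parser-dependent. Putting the instruction on its own line above the assignment, `# Replace with a public key you generate`, removes the ambiguity; the README hunk in this commit quotes the same line and would need the same change. The sample key itself looks like an intentional placeholder (`NzaJ…`, `XXXXXXXX`), which is the right choice for a checked-in sample.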
@@ -28,5 +28,20 @@ Custom HTML website, served using Nginx.
 abra app cp YOURAPPDOMAIN index.html app:/usr/share/nginx/html
 ```
 
+## Allowing upload via SSH/SFTP
+To allow management of your site's files using scp, rsync or other SSH-based tools:
+1. If you don't already have one, generate an SSH keypair using `ssh-keygen`
+1. `abra app config YOURAPPDOMAIN`
+2. Uncomment these lines and add your public key:
+```
+#COMPOSE_FILE="$COMPOSE_FILE:compose.sftp.yml"
+#PUBLIC_KEY="ssh-ed25519 AAAAC3NzaJ1lZDI1NTE5AAAAIXqf4nxUxuGmLOaxXXXXXXXXoM/GwhcrAgmtbgXToaYmCJ user@host" # Replace with a public key you generate
+```
+3. `abra app undeploy YOURAPPDOMAIN`
+3. `abra app deploy YOURAPPDOMAIN`
+4. Test the SSH connection: `ssh -p 2220 sftp@YOURAPPDOMAIN`
+5. You can copy local files into the server's web root with a command like: `scp -r -P 2220 * sftp@YOURAPPDOMAIN:/content`
+
+
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
diff --git a/compose.sftp.yml b/compose.sftp.yml
index 7a8fca7..399f305 100644
--- a/compose.sftp.yml
+++ b/compose.sftp.yml
@@ -8,11 +8,8 @@ services:
       - PUID=1000
       - PGID=1000
       - TZ=Etc/UTC
-      - PASSWORD_ACCESS=true
-      - USER_PASSWORD_FILE=/run/secrets/ssh_password
       - USER_NAME=sftp
-    secrets:
-      - ssh_password
+      - PUBLIC_KEY
     volumes:
       - content:/content:rw
     ports:
@@ -36,11 +33,6 @@ services:
       - content:/content:rw
     entrypoint: [ "bash", "-c", "sleep 10 && chown -R 1000:1000 /content"]
 
-secrets:
-  ssh_password:
-    external: true
-    name: ${STACK_NAME}_ssh_password_${SECRET_SSH_PASSWORD_VERSION}
-
 volumes:
   content: