switched to key-based auth for SSH, added docs

Fix owner on /content
2025-01-25 18:51:02 -05:00 · 2025-01-25 00:13:24 -05:00
3 changed files with 33 additions and 12 deletions
--- a/.env.sample
+++ b/.env.sample
@ -29,5 +29,4 @@ COMPOSE_FILE="compose.yml"

 # Enable an SSH server to allow SFTP uploads to the web root
 #COMPOSE_FILE="$COMPOSE_FILE:compose.sftp.yml"
-#SECRET_SSH_PASSWORD_VERSION=v1
-#SSH_PORT="2222" # this doesn't work yet, maybe an abra bug?
+#PUBLIC_KEY="ssh-ed25519 AAAAC3NzaJ1lZDI1NTE5AAAAIXqf4nxUxuGmLOaxXXXXXXXXoM/GwhcrAgmtbgXToaYmCJ user@host" # Replace with a public key you generate
--- a/README.md
+++ b/README.md
@ -28,5 +28,20 @@ Custom HTML website, served using Nginx.
 abra app cp YOURAPPDOMAIN index.html app:/usr/share/nginx/html
 ```

+## Allowing upload via SSH/SFTP
+To allow management of your site's files using scp, rsync or other SSH-based tools:
+1. If you don't already have one, generate an SSH keypair using `ssh-keygen`
+1. `abra app config YOURAPPDOMAIN`
+2. Uncomment these lines and add your public key:
+```
+#COMPOSE_FILE="$COMPOSE_FILE:compose.sftp.yml"
+#PUBLIC_KEY="ssh-ed25519 AAAAC3NzaJ1lZDI1NTE5AAAAIXqf4nxUxuGmLOaxXXXXXXXXoM/GwhcrAgmtbgXToaYmCJ user@host" # Replace with a public key you generate
+```
+3. `abra app undeploy YOURAPPDOMAIN`
+3. `abra app deploy YOURAPPDOMAIN`
+4. Test the SSH connection: `ssh -p 2220 sftp@YOURAPPDOMAIN`
+5. You can copy local files into the server's web root with a command like: `scp -r -P 2220 * sftp@YOURAPPDOMAIN:/content`
+
+
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
--- a/compose.sftp.yml
+++ b/compose.sftp.yml
@ -8,23 +8,30 @@ services:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
-      - PASSWORD_ACCESS=true
-      - USER_PASSWORD_FILE=/run/secrets/ssh_password
      - USER_NAME=sftp
-    secrets:
-      - ssh_password
+      - PUBLIC_KEY
    volumes:
-      - content:/content
+      - content:/content:rw
    ports:
      - 2220:2222
    deploy:
      restart_policy:
        condition: on-failure
-
-secrets:
-  ssh_password:
-    external: true
-    name: ${STACK_NAME}_ssh_password_${SECRET_SSH_PASSWORD_VERSION}
+  # The following is an admittedly hacky way of setting the owner
+  # of the `content` volume to the unprivileged `sftp` user, so
+  # that content can be transferred through the unprivileged sshd process
+  # using `scp` etc.
+  sshstart:
+    image: lscr.io/linuxserver/openssh-server:latest
+    user: root
+    depends_on:
+      - ssh
+    deploy:
+      restart_policy:
+        condition: none
+    volumes:
+      - content:/content:rw
+    entrypoint: [ "bash", "-c", "sleep 10 && chown -R 1000:1000 /content"]

 volumes:
  content:
Author	SHA1	Message	Date
marlon	ba1c22690b	switched to key-based auth for SSH, added docs Some checks failed continuous-integration/drone/pr Build is failing Details	2025-01-25 18:51:02 -05:00
maximumultraist	29c4030009	Fix owner on /content	2025-01-25 00:13:24 -05:00