initial import

rootfs/app/entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+USERNAME=${USERNAME:-borgstore}
+PUID=${PUID:-1000}
+GROUPNAME=${GROUPNAME:-borgstore}
+PGID=${PGID:-1000}
+DATADIR=/data
+SSH_PUBKEY=${SSH_PUBKEY:-}
+
+addgroup -g "${PGID}" "${GROUPNAME}"
+adduser -DH -h "${DATADIR}" -G "${GROUPNAME}" -u "${PUID}" "${USERNAME}"
+
+RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
+printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
+
+chown "${PUID}:${GROUPNAME}" "${DATADIR}" -R
+find "${DATADIR}" -type d -exec chmod 0755 {} \;
+find "${DATADIR}" -type f -exec chmod 0644 {} \;
+
+echo "AllowUsers ${USERNAME}" > /etc/ssh/sshd_config.d/user.conf
+
+mkdir -p /ssh "${DATADIR}"
+for keytype in ecdsa rsa ed25519 ; do
+  if [ ! -r "/ssh/ssh_host_${keytype}_key" ] ; then
+    /usr/bin/ssh-keygen -t "${keytype}" -f "/ssh/ssh_host_${keytype}_key" -N ""
+  fi
+  chmod 0600 "/ssh/ssh_host_${keytype}_key"
+  chmod 0644 "/ssh/ssh_host_${keytype}_key.pub"
+done
+
+if [ ! -r /ssh/authorized_keys ]; then
+  echo "${SSH_PUBKEY}" > /ssh/authorized_keys
+fi
+
+/usr/sbin/sshd -eD

rootfs/app/restricted-ssh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ "$1" = "borg" ] && [ "$2" = "serve" ] ; then
+    # shellcheck disable=SC2068
+    $@ --restrict-to-path /data
+else
+    exit 1
+fi

rootfs/etc/ssh/sshd_config.d/port.conf

@@ -0,0 +1 @@
+Port 22

rootfs/etc/ssh/sshd_config.d/sshd.conf

@@ -0,0 +1,31 @@
+HostKey /ssh/ssh_host_rsa_key
+HostKey /ssh/ssh_host_ecdsa_key
+HostKey /ssh/ssh_host_ed25519_key
+
+#SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 1m
+PermitRootLogin no
+PubkeyAuthentication yes
+MaxAuthTries 3
+PrintMotd no
+PermitUserEnvironment no
+
+ClientAliveInterval 10
+ClientAliveCountMax 3
+
+UseDNS no
+  
+AuthorizedKeysFile      /ssh/authorized_keys
+PasswordAuthentication no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
+Subsystem       sftp    internal-sftp
+
+# ChrootDirectory /data
+
+ForceCommand /app/restricted-ssh ${SSH_ORIGINAL_COMMAND}