embedded cert.sh

rootfs/app/acme-cert-init.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+
+MASQUERADE=${MASQUERADE:-127.0.0.1}
+ACME_SERVER=${ACME_SERVER:-letsencrypt}
+ACME_DNS=${ACME_DNS:-myapi}
+
+if [ ! -d /acme/cert ] ; then
+    mkdir -p /acme/cert
+fi
+
+if [ -n "${ACME_EMAIL}" ] ; then
+    ACME_EMAIL="--accountemail ${ACME_EMAIL}"
+fi
+
+if [ ! -f "/acme/cert/cert.pem" ] ; then
+    echo "Initializing certificate with acme.sh"
+    # shellcheck disable=SC2086
+    acme.sh --issue -d "${MASQUERADE}" \
+        --home /acme \
+        --dns "${ACME_DNS}" \
+        --server "${ACME_SERVER}" \
+        --cert-file /acme/cert/cert.pem \
+        --key-file /acme/cert/privkey.pem \
+        --fullchain-file /acme/cert/chain.pem \
+        --reloadcmd /app/acme-refresh-cert.sh ${ACME_EMAIL}
+else
+    echo "Certificate ready"
+fi

rootfs/app/acme-cron.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+if [ "$ENABLE_ACME" = "1" ] ; then
+  /usr/bin/acme.sh --cron --home /acme
+fi

rootfs/app/acme-refresh-cert.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+############ FILES
+
+TLS_CERT=/acme/cert/cert.pem
+TLS_KEY=/acme/cert/privkey.pem
+TLS_CHAIN=/acme/cert/chain.pem
+
+[ ! -f "$TLS_CERT" ] && exit 1
+[ ! -f "$TLS_KEY" ] && exit 1
+[ ! -f "$TLS_CHAIN" ] && exit 1
+
+############ CHECK CERT KEY ALGO
+ALGO=$(openssl x509 -in "$TLS_CERT"-text | sed -n 's/\ *Public Key Algorithm: //p' | tr '\n')
+
+############ UPDATE cert config if needed
+if [ "$ALGO" = "id-ecPublicKey" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <<EOF
+<IfModule mod_tls.c>
+  TLSECCertificateFile                    "$TLS_CERT"
+  TLSECCertificateKeyFile                 "$TLS_KEY"
+  TLSCertificateChainFile                 "$TLS_CHAIN"
+</IfModule>
+EOF
+fi
+
+if [ "$ALGO" = "rsaEncryption" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <<EOF
+<IfModule mod_tls.c>
+  TLSRSACertificateFile                    "$TLS_CERT"
+  TLSRSACertificateKeyFile                 "$TLS_KEY"
+  TLSCertificateChainFile                  "$TLS_CHAIN"
+</IfModule>
+EOF
+fi
+
+############ RELOAD PROFTPD IF RUNNING
+pidof proftpd >/dev/null && killall -HUP proftpd

rootfs/app/cert-init.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+############ TLS
+TLS_CERT=${TLS_CERT:-/certs/cert.pem}
+TLS_KEY=${TLS_KEY:-/certs/privkey.pem}
+TLS_CHAIN=${TLS_CHAIN:-/certs/chain.pem}
+
+cat "$TLS_CERT" > /etc/proftpd/cert.pem
+cat "$TLS_KEY" > /etc/proftpd/privkey.pem
+cat "$TLS_CHAIN "> /etc/proftpd/chain.pem
+
+############ CHECK CERT KEY ALGO
+ALGO=$(openssl x509 -in /etc/proftpd/cert.pem -text | sed -n 's/\ *Public Key Algorithm: //p' | tr '\n')
+
+############ UPDATE cert config if needed
+if [ "$ALGO" = "id-ecPublicKey" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <<EOF
+<IfModule mod_tls.c>
+  TLSECCertificateFile                    /etc/proftpd/cert.pem
+  TLSECCertificateKeyFile                 /etc/proftpd/privkey.pem
+  TLSCertificateChainFile                 /etc/proftpd/chain.pem
+</IfModule>
+EOF
+fi
+
+if [ "$ALGO" = "rsaEncryption" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <<EOF
+<IfModule mod_tls.c>
+  TLSRSACertificateFile                    /etc/proftpd/cert.pem
+  TLSRSACertificateKeyFile                 /etc/proftpd/privkey.pem
+  TLSCertificateChainFile                  /etc/proftpd/chain.pem
+</IfModule>
+EOF
+fi
+
+md5sum "$TLS_CERT" > /app/sums
+echo "Certificate ready"

rootfs/app/cron.sh

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+############ IF ACME IS ENABLED, THIS IS THE WRONG SCRIPT
+if [ ! "$ENABLE_ACME" = "1" ] ; then
+  exit
+fi
+
+############ TLS
+TLS_CERT=${TLS_CERT:-/certs/cert.pem}
+TLS_KEY=${TLS_KEY:-/certs/privkey.pem}
+TLS_CHAIN=${TLS_CHAIN:-/certs/chain.pem}
+
+cat "$TLS_CERT" > /etc/proftpd/cert.pem
+cat "$TLS_KEY" > /etc/proftpd/privkey.pem
+cat "$TLS_CHAIN" > /etc/proftpd/chain.pem
+
+############ IF CERT IS THE SAME, THEN EXIT
+md5sum -c /app/sums >/dev/null 2>/dev/null && exit
+
+############ CHECK CERT KEY ALGO
+ALGO=$(openssl x509 -in /etc/proftpd/cert.pem -text | sed -n 's/\ *Public Key Algorithm: //p' | tr '\n')
+
+if [ "$ALGO" = "id-ecPublicKey" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <<EOF
+<IfModule mod_tls.c>
+  TLSECCertificateFile                    /etc/proftpd/cert.pem
+  TLSECCertificateKeyFile                 /etc/proftpd/privkey.pem
+  TLSCertificateChainFile                 /etc/proftpd/chain.pem
+</IfModule>
+EOF
+fi
+
+if [ "$ALGO" = "rsaEncryption" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <<EOF
+<IfModule mod_tls.c>
+  TLSRSACertificateFile                    /etc/proftpd/cert.pem
+  TLSRSACertificateKeyFile                 /etc/proftpd/privkey.pem
+  TLSCertificateChainFile                  /etc/proftpd/chain.pem
+</IfModule>
+EOF
+fi
+
+md5sum "$TLS_CERT" > /app/sums
+
+############ RELOAD
+killall -HUP proftpd

rootfs/app/entrypoint.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+############ MASQUERADE
+MASQUERADE=${MASQUERADE:-127.0.0.1}
+echo "MasqueradeAddress ${MASQUERADE}" > /etc/proftpd/conf.d/masquerade.conf
+
+############ AUTH
+[ ! -f /auth/passwd ] && touch /auth/passwd
+chmod 0600 /auth/passwd
+chmod 0700 /auth
+
+############ PASSIVE PORTS
+PASSIVEPORTS_START=${PASSIVEPORTS_START:-50000}
+PASSIVEPORTS_END=${PASSIVEPORTS_END:-50050}
+echo "PassivePorts ${PASSIVEPORTS_START} ${PASSIVEPORTS_END}" > /etc/proftpd/conf.d/passive_ports.conf
+
+############ MAX CLIENTS
+MAXCLIENTS=${MAXCLIENTS:-30}
+MAXCLIENTSPERHOST=${MAXCLIENTSPERHOST:-5}
+echo "Maxclients ${MAXCLIENTS}" > /etc/proftpd/conf.d/maxclients.conf
+echo "MaxClientsPerHost ${MAXCLIENTSPERHOST}" >> /etc/proftpd/conf.d/maxclients.conf
+
+############ CERT INIT
+ENABLE_ACME=${ENABLE_ACME:-no}
+
+if [ "$ENABLE_ACME" = "1" ] ; then
+  /app/acme-cert-init.sh
+else
+  /app/cert-init.sh
+fi
+
+############ START CRON
+crond -b
+
+############ START
+proftpd -n

rootfs/app/refresh-cert.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+############ FILES
+
+TLS_CERT=/acme/cert/cert.pem
+TLS_KEY=/acme/cert/privkey.pem
+TLS_CHAIN=/acme/cert/chain.pem
+
+[ ! -f "$TLS_CERT" ] && exit 1
+[ ! -f "$TLS_KEY" ] && exit 1
+[ ! -f "$TLS_CHAIN" ] && exit 1
+
+############ CHECK CERT KEY ALGO
+ALGO=$(openssl x509 -in "$TLS_CERT"-text | sed -n 's/\ *Public Key Algorithm: //p' | tr '\n')
+
+############ UPDATE cert config if needed
+if [ "$ALGO" = "id-ecPublicKey" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <<EOF
+<IfModule mod_tls.c>
+  TLSECCertificateFile                    "$TLS_CERT"
+  TLSECCertificateKeyFile                 "$TLS_KEY"
+  TLSCertificateChainFile                 "$TLS_CHAIN"
+</IfModule>
+EOF
+fi
+
+if [ "$ALGO" = "rsaEncryption" ] ; then
+cat > /etc/proftpd/conf.d/certificate.conf <<EOF
+<IfModule mod_tls.c>
+  TLSRSACertificateFile                    "$TLS_CERT"
+  TLSRSACertificateKeyFile                 "$TLS_KEY"
+  TLSCertificateChainFile                  "$TLS_CHAIN"
+</IfModule>
+EOF
+fi
+
+############ RELOAD PROFTPD IF RUNNING
+pidof proftpd >/dev/null && killall -HUP proftpd

rootfs/etc/periodic/daily/acme-cron.sh

@@ -0,0 +1 @@
+../../../app/acme-cron.sh

rootfs/etc/periodic/hourly/cron.sh

@@ -0,0 +1 @@
+../../../app/cron.sh

rootfs/etc/proftpd/conf.d/custom.conf

@@ -0,0 +1,26 @@
+AuthOrder mod_auth_file.c
+AuthUserFile /auth/passwd
+RequireValidShell off
+ScoreBoardFile /run/proftpd/scoreboard
+AllowOverwrite  on
+AllowStoreRestart On
+AllowRetrieveRestart On
+WtmpLog off
+UseReverseDNS off
+DefaultRoot ~
+
+<IfModule mod_tls.c>
+  TLSEngine                               on
+  TLSVerifyClient                         off
+  TLSRenegotiate                          none
+  TLSProtocol                             TLSv1.2 TLSv1.3
+  TLSOptions                              NoSessionReuseRequired AllowClientRenegotiations
+  TLSRequired                             on
+</IfModule>
+
+<IfModule mod_delay.c>
+  DelayOnEvent FailedLogin 5s
+  DelayTable /run/proftpd/proftpd.delay
+</IfModule>
+
+Include /etc/proftpd/custom.conf.d/