From 435f2ca6a2acea6d36a2532b65c3d4d325d0ec55 Mon Sep 17 00:00:00 2001
From: paspo
Date: Fri, 13 Dec 2024 11:34:16 +0100
Subject: [PATCH] sftp access
---
.gitignore | 3 +++
Dockerfile | 2 +-
rootfs/app/entrypoint.sh | 19 +++++++++++++++++--
rootfs/app/nginx.conf.tpl | 2 +-
rootfs/{ => data}/www/index.html | 0
rootfs/etc/ssh/sshd_config.d/port.conf | 1 +
rootfs/etc/ssh/sshd_config.d/sshd.conf | 24 ++++++++++++++++++++++++
7 files changed, 47 insertions(+), 4 deletions(-)
create mode 100644 .gitignore
rename rootfs/{ => data}/www/index.html (100%)
create mode 100644 rootfs/etc/ssh/sshd_config.d/port.conf
create mode 100644 rootfs/etc/ssh/sshd_config.d/sshd.conf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..87ce121
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/www
+/ssh
+docker-compose.yaml
diff --git a/Dockerfile b/Dockerfile
index fe9c8ee..44d61a9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ RUN \
COPY rootfs /
-VOLUME [ "/www", "/ssh" ]
+VOLUME [ "/data/www", "/ssh" ]
ENV \
USERNAME=theuser \
diff --git a/rootfs/app/entrypoint.sh b/rootfs/app/entrypoint.sh
index 607d1de..e8cc20e 100755
--- a/rootfs/app/entrypoint.sh
+++ b/rootfs/app/entrypoint.sh
@@ -1,10 +1,12 @@
#!/bin/sh
-WEBROOT=/www
+WEBROOT=/data/www
PHP=${PHP:-none}
USERNAME=${USERNAME:-theuser}
RANDOMPWD=$(tr -dc A-Za-z0-9 /etc/nginx/http.d/default.conf
+# start php
case "${PHP}" in
"php84") /usr/sbin/php-fpm84 -D ;;
"php83") /usr/sbin/php-fpm83 -D ;;
@@ -19,4 +22,16 @@ case "${PHP}" in
*) ;;
esac
+# start ssh
+for keytype in ecdsa rsa ed25519 ; do
+ if [ ! -r "/ssh/ssh_host_${keytype}_key" ] ; then
+ /usr/bin/ssh-keygen -t "${keytype}" -f "/ssh/ssh_host_${keytype}_key" -N ""
+ fi
+ chmod 0600 "/ssh/ssh_host_${keytype}_key"
+ chmod 0644 "/ssh/ssh_host_${keytype}_key.pub"
+done
+chmod 0700 "${WEBROOT}/.ssh"
+/usr/sbin/sshd -e
+
+# start nginx
nginx
diff --git a/rootfs/app/nginx.conf.tpl b/rootfs/app/nginx.conf.tpl
index 629969e..d1f2ee4 100644
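Review bot: `chmod 0700 "${WEBROOT}/.ssh"` in the second entrypoint.sh hunk targets a directory nothing in this patch creates, and the new sshd.conf reads keys from `AuthorizedKeysFile /ssh/authorized_keys`, so the chmod either fails on a missing path or protects a `.ssh` that sshd never consults while it sits inside the nginx document root (`root /data/www`); if it is vestigial, drop it, otherwise keep key material out of the served tree. The ssh startup also has no failure handling: the script is `#!/bin/sh` and no `set -e` is visible in the first hunk, so a failed `ssh-keygen` or a non-starting `sshd` is silently followed by `nginx`, leaving a container that looks healthy without sftp; `/usr/sbin/sshd -e || exit 1` (and `|| exit 1` on the keygen) would surface that. `ChrootDirectory /data` in the new sshd.conf requires `/data` to be root-owned and not group/world-writable, which this entrypoint does not check; presumably `/data` comes from the image via `COPY rootfs /`, but a one-line comment stating that requirement next to `# start ssh` would save the next person a confusing "bad ownership or modes" login failure.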
--- a/rootfs/app/nginx.conf.tpl
+++ b/rootfs/app/nginx.conf.tpl
@@ -4,7 +4,7 @@ access_log /dev/stdout;
server {
listen 80 default_server;
listen [::]:80 default_server;
- root /www;
+ root /data/www;
# server_name localhost;
#access_log /var/log/nginx/host.access.log main;
diff --git a/rootfs/www/index.html b/rootfs/data/www/index.html
similarity index 100%
rename from rootfs/www/index.html
rename to rootfs/data/www/index.html
diff --git a/rootfs/etc/ssh/sshd_config.d/port.conf b/rootfs/etc/ssh/sshd_config.d/port.conf
new file mode 100644
index 0000000..541d4c1
--- /dev/null
+++ b/rootfs/etc/ssh/sshd_config.d/port.conf
@@ -0,0 +1 @@
+Port 22
diff --git a/rootfs/etc/ssh/sshd_config.d/sshd.conf b/rootfs/etc/ssh/sshd_config.d/sshd.conf
new file mode 100644
index 0000000..6e573f4
--- /dev/null
+++ b/rootfs/etc/ssh/sshd_config.d/sshd.conf
@@ -0,0 +1,24 @@
+HostKey /ssh/ssh_host_rsa_key
+HostKey /ssh/ssh_host_ecdsa_key
+HostKey /ssh/ssh_host_ed25519_key
+
+#SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 1m
+PermitRootLogin no
+PubkeyAuthentication yes
+MaxAuthTries 3
+PrintMotd no
+
+AuthorizedKeysFile /ssh/authorized_keys
+PasswordAuthentication no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
+Subsystem sftp internal-sftp
+
+ChrootDirectory /data
+ForceCommand internal-sftp -d /data/www
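Review bot: `ForceCommand internal-sftp -d /data/www` on the last line of sshd.conf is resolved after the chroot to `/data`, so inside the jail that path would be `/data/data/www`, which does not exist; the in-chroot spelling is `ForceCommand internal-sftp -d /www`. As far as I recall internal-sftp only logs the failed chdir and leaves the user at the chroot root, so the mistake is easy to miss in a quick test. `PasswordAuthentication no` alone does not rule out password-style prompts where keyboard-interactive authentication is enabled; adding `KbdInteractiveAuthentication no` beside it makes the key-only intent explicit regardless of the build's PAM settings. `AuthorizedKeysFile /ssh/authorized_keys` is one shared file for every account (no `%u`) and the chroot applies globally rather than in a `Match` block, which is fine for a single-user container but deserves a comment so nobody later adds a second account expecting per-user keys.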