#!/bin/sh

if [ ${DISABLE_SFTP} -eq 1 ] ; then
  exit 0
fi

echo "# Configuring ssh"

# make sure directory exists
mkdir -p "${PATH_SSH_HOST}"

for keytype in ecdsa rsa ed25519 ; do
  if [ ! -r "${PATH_SSH_HOST}/ssh_host_${keytype}_key" ] ; then
    /usr/bin/ssh-keygen -t "${keytype}" -f "${PATH_SSH_HOST}/ssh_host_${keytype}_key" -N ""
  fi
  chmod 0600 "${PATH_SSH_HOST}/ssh_host_${keytype}_key"
  chmod 0644 "${PATH_SSH_HOST}/ssh_host_${keytype}_key.pub"
done

# set authorized_keys permissions
if [ -f "${PATH_SSH_HOST}/authorized_keys" ] ; then
  chmod 0600 "${PATH_SSH_HOST}/authorized_keys"
  chown "${USERNAME}:${GROUPNAME}" "${PATH_SSH_HOST}/authorized_keys"
fi

if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
  chmod 0700 "${PATH_WEBROOT}/.ssh"
fi

# configure sshd
cat >/etc/ssh/sshd_config.d/sshd.conf <<EOF
HostKey ${PATH_SSH_HOST}/ssh_host_rsa_key
HostKey ${PATH_SSH_HOST}/ssh_host_ecdsa_key
HostKey ${PATH_SSH_HOST}/ssh_host_ed25519_key

#SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
PubkeyAuthentication yes
MaxAuthTries 3
PrintMotd no

AuthorizedKeysFile      ${PATH_SSH_HOST}/authorized_keys
PasswordAuthentication no

AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no

Subsystem       sftp    internal-sftp

ChrootDirectory ${PATH_BASE}
ForceCommand internal-sftp -d ${PATH_WEBROOT}
EOF