
create & start docker container running fphammerle/sftpd:0.1.0-openssh8.4p1r3-armv7; fetch ssh host keys

Fabian Peter Hammerle 2 years ago
commit
ae1af8bc27
3 changed files with 77 additions and 0 deletions
  1. 26 0
      README.md
  2. 4 0
      defaults/main.yml
  3. 47 0
      tasks/main.yml

+ 26 - 0
README.md

@@ -0,0 +1,26 @@
+# Ansible Role: sftpd 💾 🐳 🐙
+
+Single-user [OpenSSH server](https://www.openssh.com/) restricted to SFTP access
+
+## Required Variables
+
+```yaml
+sftpd_container_name: sftpd
+sftpd_published_port: 2200
+sftpd_client_public_keys: |
+  ssh-rsa ...
+  ssh-rsa ...
+sftpd_data_volume_name: sftpd_data
+```
+
+## Optional Variables
+
+```yaml
+sftpd_container_image: docker.io/fphammerle/sftpd@sha256:2280b68c09554e2f521640566b0580590d006c4592ebd6899d3d72c8620cbbb8
+```
+
+## Returned Variables
+
+```yaml
+sftpd_host_keys
+```

+ 4 - 0
defaults/main.yml

@@ -0,0 +1,4 @@
+# https://github.com/fphammerle/docker-sftpd/tags
+# object f13f2a68f908649eacf33f35078baf8658950403
+# tag docker/0.1.0-openssh8.4p1r3-armv7
+sftpd_container_image: docker.io/fphammerle/sftpd@sha256:2280b68c09554e2f521640566b0580590d006c4592ebd6899d3d72c8620cbbb8
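Review bot: The digest-pinned default image is, per the comment right above it, the `docker/0.1.0-openssh8.4p1r3-armv7` tag, so the pin resolves to a single-architecture manifest and the role will fail to start the container on any non-armv7 host unless `sftpd_container_image` is overridden. That constraint is not stated anywhere a user of the role would look, and the README's "Optional Variables" section only shows the same digest. A one-line comment next to the default would make it explicit: `# armv7-only build; override sftpd_container_image on other architectures`. Pinning by digest rather than tag is the right call here and should stay, since an override by mutable tag would lose the supply-chain guarantee the default provides.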

+ 47 - 0
tasks/main.yml

@@ -0,0 +1,47 @@
+- docker_container:
+    name: '{{ sftpd_container_name }}'
+    image: '{{ sftpd_container_image }}'
+    env:
+      SSH_CLIENT_PUBLIC_KEYS: "{{ sftpd_client_public_keys }}"
+    read_only: yes
+    mounts:
+    - type: volume
+      source: '{{ sftpd_container_name }}_host_keys'
+      target: /etc/ssh/host_keys
+      read_only: no
+    - type: volume
+      source: '{{ sftpd_data_volume_name }}'
+      target: /data
+      read_only: yes
+    - type: tmpfs
+      target: /home/nonroot/.ssh # authorized_keys
+      tmpfs_size: 16k
+      tmpfs_mode: '1777'
+    published_ports: ['0.0.0.0:{{ sftpd_published_port }}:2200']
+    cap_drop: [ALL]
+    # ChrootDirectory
+    capabilities: [SETUID, SETGID, SYS_CHROOT]
+    security_opts: [no-new-privileges]
+    cpus: 0.8
+    memory: 64M
+    restart_policy: unless-stopped
+    state: started
+  register:  _container
+- name: wait for host keys
+  wait_for:
+    path: >-
+      {{ (_container.container.Mounts
+          | items2dict(key_name='Destination', value_name='Source'))
+         ['/etc/ssh/host_keys'] }}/{{ item }}.pub
+  loop: [rsa, ed25519]
+  register: _host_keys_files
+- name: read host keys
+  slurp:
+    src: '{{ item }}'
+  loop: "{{ _host_keys_files.results | map(attribute='path') | list }}"
+  register: _host_keys_base64
+- name: decode host keys
+  set_fact:
+    sftpd_host_keys: >-
+      {{ _host_keys_base64.results | map(attribute='content')
+         | map('b64decode') | map('trim') | list }}
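Review bot: `tmpfs_mode: '1777'` on the `/home/nonroot/.ssh` tmpfs (which the inline comment says holds `authorized_keys`) makes the directory world-writable; with OpenSSH's default `StrictModes yes` a world-writable `.ssh` directory causes public-key authentication to be refused, and if the image instead turns StrictModes off, any process inside the container could replace the key file. I cannot see the image's entrypoint or `sshd_config` from this role, so if the wide mode is needed because the entrypoint writes the file as a non-root uid into a root-owned tmpfs, a comment stating that and the StrictModes setting it relies on would save the next reader from guessing, e.g. `# 1777: entrypoint writes authorized_keys as nonroot into a root-owned tmpfs; sshd StrictModes is disabled in the image — confirm`. Separately, `published_ports: ['0.0.0.0:{{ sftpd_published_port }}:2200']` exposes the service on every IPv4 interface, and Docker's NAT rules bypass host INPUT/ufw filtering, so a `sftpd_published_address` variable (defaulting to `0.0.0.0` for compatibility) would let operators bind to a specific interface. As a point of style, `read_only: no`/`yes` should be `false`/`true` per Ansible convention, the first task should carry a `name:`, and `register:  _container` has a stray double space.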