Add alpine minimal sftp container

Containerfile

@@ -36,4 +36,4 @@ LABEL org.nethserver.images="${REPOBASE}/nethvoice-mariadb:${IMAGETAG} \
     docker.io/library/redis:7.0.10-alpine \
     ${REPOBASE}/nethvoice-reports-ui:${IMAGETAG} \
     ${REPOBASE}/nethvoice-reports-api:${IMAGETAG} \
-    docker.io/drakkan/sftpgo:v2"
+    ${REPOBASE}/nethvoice-sftp:${IMAGETAG}"

build-images.sh

@@ -141,6 +141,19 @@ buildah build --force-rm --layers --jobs "$(nproc)" --target ui-production \
 images+=("${repobase}/${reponame}")
 popd
 
+#########################
+##   sftp recordings   ##
+#########################
+echo "[*] Build SFTP Recordings container"
+reponame="nethvoice-sftp"
+pushd janus
+buildah build --force-rm --layers --jobs "$(nproc)" \
+	--tag "${repobase}/${reponame}" \
+	--tag "${repobase}/${reponame}:${IMAGETAG:-latest}"
+popd
+
+# Append the image URL to the images array
+images+=("${repobase}/${reponame}")
 
 # Setup CI when pushing to Github.
 # Warning! docker::// protocol expects lowercase letters (,,)

imageroot/systemd/user/sftp.service

@@ -0,0 +1,32 @@
+[Unit]
+Description=Podman sftp.service
+After=nginx.service
+
+[Service]
+Environment=PODMAN_SYSTEMD_UNIT=%n
+EnvironmentFile=%S/state/environment
+WorkingDirectory=%S/state
+Restart=always
+TimeoutStopSec=70
+ExecStartPre=/bin/rm -f %t/sftp.pid %t/sftp.ctr-id
+ExecStart=/usr/bin/podman run --conmon-pidfile %t/sftp.pid \
+    --cidfile %t/sftp.ctr-id --cgroups=no-conmon \
+    --replace \
+    --detach \
+    --name sftp \
+    --volume moh:/home/asterisk/data/moh:z \
+    --volume sftp_ssh:/etc/ssh:Z \
+	--env=ASTERISK_RECORDING_SFTP_PORT \
+	--env=AMPMGRUSER \
+	--env=AMPDBUSER \
+	--env=AMPDBHOST \
+	--env=AMPDBNAME \
+	--env-file=%S/state/passwords.env \
+    ${NETHVOICE_SFTP_IMAGE}
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/sftp.ctr-id -t 10
+ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/sftp.ctr-id
+PIDFile=%t/sftp.pid
+Type=forking
+
+[Install]
+WantedBy=default.target

sftp/Containerfile

@@ -0,0 +1,27 @@
+# Use Alpine Linux as the base image
+FROM alpine:latest
+
+# Install necessary packages
+RUN apk add --no-cache \
+    openssh-server \
+    openssh-sftp-server \
+    mariadb-connector-c \
+    linux-pam \
+	bash
+
+# Create a user for SFTP access
+RUN addgroup -g 991 asterisk && \
+	adduser -D -u 990 -h /var/sftp -s /sbin/nologin -G asterisk asterisk && \
+	mkdir -p /var/sftp/files && \
+	chown asterisk:asterisk /var/sftp/files && \
+	chown root:root /var/sftp && \
+    chmod 755 /var/sftp
+
+# Copy configuration files
+COPY sshd_config /etc/ssh/sshd_config
+COPY pam_config /etc/pam.d/sshd
+COPY check_mysql_password.sh /usr/local/bin/check_mysql_password.sh
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["/usr/sbin/sshd", "-D", "-e"]

sftp/check_mysql_password.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Source MySQL credentials
+source /etc/mysql-auth.conf
+
+# Read password from stdin
+read -r PASSWORD
+
+# Calculate SHA1 of input password
+INPUT_SHA1=$(echo -n "${PASSWORD}" | sha1sum | awk '{print $1}')
+
+# Get stored SHA1 from database
+STORED_SHA1=$(mysql -h "${AMP_DB_HOST}" -u "${AMP_DB_USER}" -p"${AMP_DB_PASS}" --database "${AMP_DB_NAME}" -sN -e "SELECT password_sha1 FROM ampusers WHERE username = 'admin';" 2>/dev/null)
+
+# Compare hashes
+if [ "${INPUT_SHA1}" = "${STORED_SHA1}" ]; then
+    exit 0
+else
+    exit 1
+fi

sftp/entrypoint.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# change sshd port with env variable ASTERISK_RECORDING_SFTP_PORT
+sed -i "s/Port .*/Port ${ASTERISK_RECORDING_SFTP_PORT}/" /etc/ssh/sshd_config
+
+# Check if host keys exist; if not, generate them
+if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+    echo "SSH host keys not found, generating..."
+    ssh-keygen -A
+fi
+
+# Create MySQL credentials file
+cat > /etc/mysql-auth.conf <<EOF
+AMP_DB_USER="${AMPDBUSER:-freepbxuser}"
+AMP_DB_PASS="${AMPDBPASS}"
+AMP_DB_HOST="${AMPDBHOST:-127.0.0.1}"
+AMP_DB_NAME="${AMPDBNAME:-asterisk}"
+EOF
+
+# Set proper permissions
+chmod 600 /etc/mysql-auth.conf
+
+/usr/sbin/sshd -D -e

sftp/pam_config

@@ -0,0 +1 @@
+auth requisite pam_exec.so debug expose_authtok /usr/local/bin/check_mysql_password.sh

sftp/sshd_config

@@ -0,0 +1,43 @@
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# Include configuration snippets before processing this file to allow the
+# snippets to override directives set in this file.
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+MaxAuthTries 3
+MaxSessions 10
+
+PubkeyAuthentication yes
+AuthorizedKeysFile	/etc/ssh/authorized_keys
+
+PasswordAuthentication yes
+#PermitEmptyPasswords no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
+Subsystem	sftp	internal-sftp
+
+Subsystem sftp internal-sftp
+Match User asterisk
+    ChrootDirectory /var/sftp
+    ForceCommand internal-sftp
+    PasswordAuthentication yes