S3FSFTP

Docker container providing SFTP using an S3 bucket for the users' home directories.

Using Docker Hub

docker pull ryanwinchester/s3fsftp:latest

Using the repository

• For local dev, set the required environment variables in the .env file.
• For production, set the ENV variables for the container runtime.
• Programs in ./scripts/sftp.d will automatically run when the container starts.
• Build docker container with docker compose build (or ./scripts/docker/build.sh).
• Run docker container with docker compose up (or ./scripts/docker/run.sh).

ENV vars

• AWS_S3_AUTHFILE - The name of the auth file used by s3fs (defaults to /etc/passwd-s3fs).
• AWS_S3_BUCKET* - The name of the bucket in S3 to mount.
• AWS_S3_CREDENTIALS* - AWS S3 credentials (key and ID).
• AWS_S3_MOUNT - The path to mount the bucket (defaults to /opt/s3fs/bucket)
• AWS_S3_REGION* - The region of the S3 bucket (e.g. ca-central-1).
• AWS_S3_URL* - The S3 url (e.g. https://s3.ca-central-1.amazonaws.com).
• SSH_HOST_DSA_KEY (base64-encoded)
• SSH_HOST_DSA_PUBLIC_KEY (base64-encoded)
• SSH_HOST_ECDSA_KEY (base64-encoded)
• SSH_HOST_ECDSA_PUBLIC_KEY (base64-encoded)
• SSH_HOST_ED25519_KEY (base64-encoded)
• SSH_HOST_ED25519_PUBLIC_KEY (base64-encoded)
• SSH_HOST_RSA_KEY (base64-encoded)
• SSH_HOST_RSA_PUBLIC_KEY (base64-encoded)
• USER_CONFIG* (base64-encoded)

*required

Secret format

AWS_S3_CREDENTIALS

${AWS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}

USER_CONFIG (base64-encoded):

{
  "users": [
    {
      "username": "foo",
      "uid": 1004,
      "gid": 1000,
      "folders": [
        {"path": "outgoing", "umask": "0770"}
      ],
      "publicKeys": [
        "ssh-rsa AAAAB3NzaC1yc2EAAAH+PqrlQ83wwpayFqTITgqZWL+UE8= foobar@example.com"
      ]
    }
  ]
}

Acknowledgements

• Built on atmoz/sftp
• Relies on s3fs-fuse
• Used part of the mounting script from efrecon/docker-s3fs-client's entrypoint file.