Add SFTP deploy hook #6353
Add SFTP deploy hook #6353
Conversation
| _debug _cfullchain "$_cfullchain" | ||
|
|
||
| # HOSTS is required to login by sftp to remote host. | ||
| _migratedeployconf Le_Deploy_sftp_hosts DEPLOY_SFTP_HOSTS |
There was a problem hiding this comment.
why do you need to migrate Le_Deploy_sftp_hosts ?
There was a problem hiding this comment.
The script needs to save configuration for future runs so they don't have to be passed as environment variables to be useful (i.e. when using --renew-all it needs to use a different the destination location for every certificate, it the location where passed as environment variable, one certificate might overwrite another or simply be stored in the wrong place).
To do that I copied what the ssh.sh hook did assuming it to be the proper way. It also used that _migradedeployconf function.
There was a problem hiding this comment.
Pull Request Overview
Adds a new SFTP-based deploy hook script as an alternative to the SSH deploy hook, reducing required user privileges by using ForceCommand internal-sftp and /sbin/nologin.
- Introduces
deploy/sftp.shimplementingsftp_deploy()with support for multiple hosts - Allows optional customization of key, cert, CA, and fullchain file paths via environment variables
- Uses a heredoc to batch/send SFTP commands per host
Comments suppressed due to low confidence (1)
deploy/sftp.sh:23
- Consider adding unit or integration tests for
sftp_deploy()to cover multiple hosts, missing optional variables, and error scenarios.
sftp_deploy() {
| sftp "$_sftp_host"\ | ||
| <<EOF |
There was a problem hiding this comment.
The script expects host:port syntax (e.g., 192.168.0.1:22), but sftp doesn’t accept that form. Parse $_sftp_host into host and port, then invoke sftp with -P <port> or -oPort=<port>.
| sftp "$_sftp_host"\ | |
| <<EOF | |
| # Extract host and port from _sftp_host | |
| _host=$(echo "$_sftp_host" | cut -d':' -f1) | |
| _port=$(echo "$_sftp_host" | cut -d':' -f2) | |
| # Check if a port is specified | |
| if [ -n "$_port" ]; then | |
| sftp -P "$_port" "$_host" <<EOF | |
| else | |
| sftp "$_host" <<EOF | |
| fi |
Copilot uses AI. Check for mistakes.
| # export DEPLOY_SFTP_KEYFILE="/etc/stunnel/stunnel.pem" # defaults to ~/acme_sftp_deploy/<domain>/<domain>.key | ||
| # export DEPLOY_SFTP_CERTFILE="/etc/stunnel/stunnel.pem" ~/acme_sftp_deploy/<domain>/<domain>.cer | ||
| # export DEPLOY_SFTP_CAFILE="/etc/stunnel/uca.pem" ~/acme_sftp_deploy/<domain>/ca.cer | ||
| # export DEPLOY_SFTP_FULLCHAIN="" ~/acme_sftp_deploy/<domain>/fullchain.cer |
There was a problem hiding this comment.
The default-path hint is merged into the export line. Separate it into its own comment (prefix with #) so it's clear what’s the default vs. what’s the example export.
| # export DEPLOY_SFTP_KEYFILE="/etc/stunnel/stunnel.pem" # defaults to ~/acme_sftp_deploy/<domain>/<domain>.key | |
| # export DEPLOY_SFTP_CERTFILE="/etc/stunnel/stunnel.pem" ~/acme_sftp_deploy/<domain>/<domain>.cer | |
| # export DEPLOY_SFTP_CAFILE="/etc/stunnel/uca.pem" ~/acme_sftp_deploy/<domain>/ca.cer | |
| # export DEPLOY_SFTP_FULLCHAIN="" ~/acme_sftp_deploy/<domain>/fullchain.cer | |
| # export DEPLOY_SFTP_KEYFILE="/etc/stunnel/stunnel.pem" | |
| # Default: ~/acme_sftp_deploy/<domain>/<domain>.key | |
| # export DEPLOY_SFTP_CERTFILE="/etc/stunnel/stunnel.pem" | |
| # Default: ~/acme_sftp_deploy/<domain>/<domain>.cer | |
| # export DEPLOY_SFTP_CAFILE="/etc/stunnel/uca.pem" | |
| # Default: ~/acme_sftp_deploy/<domain>/ca.cer | |
| # export DEPLOY_SFTP_FULLCHAIN="" | |
| # Default: ~/acme_sftp_deploy/<domain>/fullchain.cer |
Copilot uses AI. Check for mistakes.
| put $_ckey $_ckey_path | ||
| put $_ccert $_ccert_path | ||
| put $_cca $_cca_path | ||
| put $_cfullchain $_cfullchain_path |
There was a problem hiding this comment.
Wrap file paths in quotes in the heredoc to handle spaces, e.g., put "$_ckey" "$_ckey_path".
| put $_ckey $_ckey_path | |
| put $_ccert $_ccert_path | |
| put $_cca $_cca_path | |
| put $_cfullchain $_cfullchain_path | |
| put "$_ckey" "$_ckey_path" | |
| put "$_ccert" "$_ccert_path" | |
| put "$_cca" "$_cca_path" | |
| put "$_cfullchain" "$_cfullchain_path" |
Copilot uses AI. Check for mistakes.
This pull request adds an sftp based deploy hook, it is meant as an alternative to the ssh deploy when there is no need to run command on the server, so that the privileges of the deployment user can further reduced.
Specifically, using sftp instead of ssh allows one to set the
ForceCommand internal-sftpsshd option and the/sbin/nologinshell on the deployment user, reducing the attack surface.The hook is loosely inspired by the ssh hook, although it lacks the more advanced options. It supports deploying on many servers, possibly with different ports and users (unlike the ssh hook which requires all servers to have the same user). Like the ssh hook it requires the local deployment user to be able to login without entering a password. It allows specifying custom paths for the certificate files. The environment variables usage is described in a comment at the beginning of the file.
To send the commands to the sftp server I used an HEREDOC, I don't really like it, but I'm not aware better way to do it.