Optionnal sftp

conf/ssh_regenconf_hook

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+force=${2:-0}  # 0/1 --force argument
+dryrun=${3:-0}  # 0/1 --dry-run argument
+pending_conf=$4 # Path of the pending conf file
+
+# https://github.com/YunoHost/yunohost/blob/c7eaeca6486e6240c832b8863791f8b03520a0f0/data/hooks/conf_regen/43-dnsmasq
+
+do_pre_regen() {
+    if [ $dryrun -eq 0 ]
+    then
+        # Remove added lines into the sshd config
+        sed -i "/##-> __APP__/,/##<- __APP__/d" /etc/ssh/sshd_config
+    fi
+}
+
+do_post_regen() {
+    # Harden SSH connection for the user
+    if ! grep --quiet "^##-> __APP__$" /etc/ssh/sshd_config
+    then
+        echo "##-> __APP__
+    # Hardening user connection
+    Match User __USER__
+    ChrootDirectory %h
+    ForceCommand internal-sftp
+    AllowTcpForwarding no
+    PermitTunnel no
+    X11Forwarding no
+    PasswordAuthentication yes
+##<- __APP__" | tee -a "/etc/ssh/sshd_config" >/dev/null
+
+        # Reload sshd
+        systemctl reload ssh
+   fi
+}
+
+case "$1" in
+    pre)
+        do_pre_regen
+        ;;
+    post)
+        do_post_regen
+        ;;
+    *)
+        echo "Hook called with unknown argument \`$1'" >&2
+        exit 1
+        ;;
+esac
+
+exit 0

manifest.json

@@ -42,9 +42,19 @@
                 "example": "/site",
                 "default": "/site"
             },
+            {
+                "name": "with_sftp",
+                "type": "boolean",
+                "ask": {
+                    "en": "Do you need a SFTP access?",
+                    "fr": "Avez-vous besoin d'un accès SFTP ?"
+                },
+                "default": true
+            },
             {
                 "name": "password",
                 "type": "password",
+                "optional": true,
                 "ask": {
                     "en": "Set the password for the SFTP access. ≥ 5 character",
                     "fr": "Définissez le mot de passe pour l'accès SFTP. ≥ cinq charactères"

scripts/backup

@@ -27,6 +27,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql)
+with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp)
 
 #=================================================
 # STANDARD BACKUP STEPS
@@ -60,6 +61,17 @@ if [ $with_mysql -eq 1 ]; then
     ynh_mysql_dump_db --database="$db_name" > db.sql
 fi
 
+#=================================================
+# BACKUP SPECIFIC FILES
+#=================================================
+
+if [ $with_sftp -eq 1 ]
+then
+    ynh_script_progression --message="Backup specific files..."
+
+    ynh_backup "/usr/share/yunohost/hooks/conf_regen/90-ssh_$app"
+fi
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/install

@@ -24,6 +24,7 @@ ynh_abort_if_errors
 domain=$YNH_APP_ARG_DOMAIN
 path_url=$YNH_APP_ARG_PATH
 password=$YNH_APP_ARG_PASSWORD
+with_sftp=$YNH_APP_ARG_WITH_SFTP
 is_public=$YNH_APP_ARG_IS_PUBLIC
 
 with_mysql=$YNH_APP_ARG_WITH_MYSQL
@@ -39,10 +40,13 @@ ynh_script_progression --message="Validating installation parameters..." --weigh
 final_path=/var/www/$app
 test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
 
-# Check password strength
-if [ ${#password} -le 5 ]
+if [ $with_sftp -eq 1 ]
 then
-    ynh_die --message="The password is too weak, it must be longer than 5 characters"
+    # Check password strength
+    if [ ${#password} -le 5 ]
+    then
+        ynh_die --message="The password is too weak, it must be longer than 5 characters"
+    fi
 fi
 
 # Register (book) web path
@@ -58,7 +62,7 @@ ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=is_public --value=$is_public
 ynh_app_setting_set --app=$app --key=with_mysql --value=$with_mysql
-ynh_app_setting_set --app=$app --key=password --value="$password"
+ynh_app_setting_set --app=$app --key=with_sftp --value=$with_sftp
 ynh_app_setting_set --app=$app --key=user --value=$user
 ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 
@@ -94,35 +98,47 @@ ynh_script_progression --message="Configuring system user..."
 # Create a standard user (not a system user for sftp)
 ynh_system_user_exists --username=$user || \
     useradd -d "$final_path" -M --user-group "$user"
-# Add the password to this user
-chpasswd <<< "${user}:${password}"
+if [ $with_sftp -eq 1 ]
+then
+    # Add the password to this user
+    ynh_print_OFF; chpasswd <<< "${user}:${password}"; ynh_print_ON
+    ynh_print_OFF; ynh_app_setting_set --app=$app --key=password --value="$password"; ynh_print_ON
+fi
 
 #=================================================
 # SPECIFIC SETUP
 #=================================================
 # CONFIGURE SSH
 #=================================================
-ynh_script_progression --message="Configuring ssh..."
+if [ $with_sftp -eq 1 ]
+then
+    ynh_script_progression --message="Configuring ssh..."
 
-# Harden SSH connection for the user
-echo "##-> ${app}
-# Hardening user connection
-Match User ${user}
-  ChrootDirectory %h
-  ForceCommand internal-sftp
-  AllowTcpForwarding no
-  PermitTunnel no
-  X11Forwarding no
-##<- ${app}" | tee -a /etc/ssh/sshd_config >/dev/null
+    cp -R ../conf/ssh_regenconf_hook /usr/share/yunohost/hooks/conf_regen/90-ssh_$app
 
-ynh_systemd_action --service_name=ssh --action=reload
+    ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app
+    ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app
+
+    yunohost tools regen-conf ssh
+fi
 
 #=================================================
 # MODIFY A CONFIG FILE
 #=================================================
 
-ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file=../sources/www/index.html
-ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=../sources/www/index.html
+mkdir -p "$final_path/www"
+
+if [ $with_sftp -eq 1 ]
+then
+    ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file=../sources/www/index.html
+    ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=../sources/www/index.html
+
+    # Copy files to the right place
+    cp "../sources/www/index.html" "$final_path/www/index.html"
+else
+    # Copy files to the right place
+    cp "../sources/www/index_no_sftp.html" "$final_path/www/index.html"
+fi
 
 if [ $with_mysql -eq 1 ]; then
     # Store the database access

scripts/remove

@@ -18,6 +18,7 @@ app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql)
+with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp)
 user=$(ynh_app_setting_get --app=$app --key=user)
 
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
@@ -66,10 +67,16 @@ ynh_remove_fpm_config
 #=================================================
 # REMOVE THE CUSTOM SSH CONFIG
 #=================================================
-ynh_script_progression --message="Removing the custom ssh config"
 
-sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config
-ynh_systemd_action --service_name=ssh --action=reload
+if [ $with_sftp -eq 1 ]
+then
+    ynh_script_progression --message="Removing the custom ssh config..."
+
+    sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config
+    ynh_systemd_action --service_name=ssh --action=reload
+    # Remove regen-conf hook
+    ynh_secure_remove --file="/usr/share/yunohost/hooks/conf_regen/90-ssh_$app"
+fi
 
 #=================================================
 # GENERIC FINALIZATION

scripts/restore

@@ -29,6 +29,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql)
 password=$(ynh_app_setting_get --app=$app --key=password)
+with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp)
 user=$(ynh_app_setting_get --app=$app --key=user)
 
 #=================================================
@@ -76,8 +77,14 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei
 # Create a standard user (not a system user for sftp)
 ynh_system_user_exists --username=$user || \
     useradd -d "$final_path" -M --user-group "$user"
-# Add the password to this user
-chpasswd <<< "${user}:${password}"
+
+ynh_print_OFF
+if [ -n "$password" ]
+then
+    # Add the password to this user
+    chpasswd <<< "${user}:${password}"
+fi
+ynh_print_ON
 
 #=================================================
 # RESTORE USER RIGHTS
@@ -100,20 +107,15 @@ ynh_restore_file --origin_path="/etc/php/7.0/fpm/pool.d/$app.conf"
 #=================================================
 # CONFIGURE SSH
 #=================================================
-ynh_script_progression --message="Configuring ssh..."
 
-# Harden SSH connection for the user
-echo "##-> ${app}
-# Hardening user connection
-Match User ${user}
-  ChrootDirectory %h
-  ForceCommand internal-sftp
-  AllowTcpForwarding no
-  PermitTunnel no
-  X11Forwarding no
-##<- ${app}" | tee -a /etc/ssh/sshd_config >/dev/null
+if [ $with_sftp -eq 1 ]
+then
+    ynh_script_progression --message="Configuring ssh..."
 
-ynh_systemd_action --service_name=ssh --action=reload
+    ynh_restore_file "/usr/share/yunohost/hooks/conf_regen/90-ssh_$app"
+
+    yunohost tools regen-conf ssh
+fi
 
 #=================================================
 # GENERIC FINALIZATION

scripts/upgrade

@@ -24,6 +24,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql)
 password=$(ynh_app_setting_get --app=$app --key=password)
+with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp)
 user=$(ynh_app_setting_get --app=$app --key=user)
 
 admin_mail_html=$(ynh_app_setting_get --app=$app --key=admin_mail_html)
@@ -69,6 +70,13 @@ if [ -z "$fpm_usage" ]; then
 	fpm_usage=low
 	ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage
 fi
+
+# If with_sftp doesn't exist, create it
+if [ -z "$with_sftp" ]; then
+	with_sftp=1
+	ynh_app_setting_set --app=$app --key=with_sftp --value=$with_sftp
+fi
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
@@ -114,8 +122,11 @@ ynh_script_progression --message="Making sure dedicated system user exists..." -
 # Create a standard user (not a system user for sftp)
 ynh_system_user_exists --username=$user || \
     useradd -d "$final_path" -M --user-group "$user"
-# Add the password to this user
-chpasswd <<< "${user}:${password}"
+if [ $with_sftp -eq 1 ]
+then
+    # Add the password to this user
+    ynh_print_OFF; chpasswd <<< "${user}:${password}"; ynh_print_ON
+fi
 
 # Change the user group for previous my_webapp install script
 groupadd -f "$user"
@@ -148,22 +159,18 @@ fi
 #=================================================
 # CONFIGURE SSH
 #=================================================
-ynh_script_progression --message="Configuring ssh..." --time --weight=1
 
-# Remove the previous config for upgrading it
-sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config
-# Harden SSH connection for the user
-echo "##-> ${app}
-# Hardening user connection
-Match User ${user}
-  ChrootDirectory %h
-  ForceCommand internal-sftp
-  AllowTcpForwarding no
-  PermitTunnel no
-  X11Forwarding no
-##<- ${app}" | tee -a /etc/ssh/sshd_config >/dev/null
+if [ $with_sftp -eq 1 ]
+then
+    ynh_script_progression --message="Configuring ssh..." --weight=1
 
-ynh_systemd_action --service_name=ssh --action=reload
+    cp -R ../conf/ssh_regenconf_hook /usr/share/yunohost/hooks/conf_regen/90-ssh_$app
+
+    ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app
+    ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app
+
+    yunohost tools regen-conf ssh
+fi
 
 #=================================================
 # GENERIC FINALIZATION

sources/www/index_no_sftp.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Custom Web App</title>
+  </head>
+  <body>
+    <h1>It works!</h1>
+    <p>Congratulation, you have just installed your custom web app.</p>
+
+    <p>As a reward, here is a random cat picture:</p>
+    <img src="https://thecatapi.com/api/images/get?format=src&type=gif">
+  </body>
+</html>