create smb/sftp accounts for ldaptest

remove php-smbclient for now as it's broken
fix ldap
2026-06-03 09:04:12 +02:00 · 2026-05-28 18:48:40 +02:00 · 2026-05-28 18:48:19 +02:00 · 2026-05-28 18:40:21 +02:00 · 2026-05-26 20:49:19 +02:00 · 2026-05-09 16:45:55 +02:00
21 changed files with 356 additions and 139 deletions
--- a/README.md
+++ b/README.md
@ -81,6 +81,8 @@ Additionally, you can use the following options when starting an instance:
 - `smb`: set up a samba server for external storage use.
 - `dav`: set up a WebDAV server for external storage use.
 - `sftp`: set up a SFTP server for external storage use.
+- `sftp-key`: set up a SFTP server for external storage use with public key
+  authentication.
 - `kaspersky`: set up a kaspersky scan engine server in http mode. ( Requires
  [manually setting up the image](https://github.com/icewind1991/kaspersky-docker))
 - `kaspersky-icap`: setup a kaspersky scan engine server in ICAP mode.
--- a/certificates/sftp/id_rsa
+++ b/certificates/sftp/id_rsa
@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA323aWqH6YwRLbCBO94UKOkfnJ2m6Zsic0dMt3TmDnjLU0JzpOt7w
+t5+mMZrEKQTpefozyUHo3z+HkmllLAGOupNy3A+jG2O955UUgw0dGfu6j6OOb66Du9jpqt
+8BQ6gr3cEYASplPI7B889/cVpJ5l1HiBUgyR7Z16v15qCDtmpFVIECAdICEmPosfmZutt3
+YYl9xLay5WCmUztWS/amPcGs0DOEGrWeCtdxGKWT3TywdBKyQ0PbdYMamgDIT7JV1ZSzZP
+aly4sB7E+dpS5AgBFVXmZ61151KN1TJ8gyoUjFhY7ctYEIpncZmyT4PYvyIvxRsbJtvERi
+eNH8DoX5DwtqcxbgHK0OwYtdl4ydRXToYo3l+qIidf+g8ADVea/mbkfTPegdToo3LOuThX
+OwExDlukpM8obFDpz1Yl1L6rRJAVNO1KmHWhn6to23jtYjBhczA2nkemQXQbVSjc/hItjQ
+DIFNMOsLW33P+Y2k9LkpI0TL09ogOxOFZzGZp2tNAAAFgIgMIZ+IDCGfAAAAB3NzaC1yc2
+EAAAGBAN9t2lqh+mMES2wgTveFCjpH5ydpumbInNHTLd05g54y1NCc6Tre8LefpjGaxCkE
+6Xn6M8lB6N8/h5JpZSwBjrqTctwPoxtjveeVFIMNHRn7uo+jjm+ug7vY6arfAUOoK93BGA
+EqZTyOwfPPf3FaSeZdR4gVIMke2der9eagg7ZqRVSBAgHSAhJj6LH5mbrbd2GJfcS2suVg
+plM7Vkv2pj3BrNAzhBq1ngrXcRilk908sHQSskND23WDGpoAyE+yVdWUs2T2pcuLAexPna
+UuQIARVV5metdedSjdUyfIMqFIxYWO3LWBCKZ3GZsk+D2L8iL8UbGybbxEYnjR/A6F+Q8L
+anMW4BytDsGLXZeMnUV06GKN5fqiInX/oPAA1Xmv5m5H0z3oHU6KNyzrk4VzsBMQ5bpKTP
+KGxQ6c9WJdS+q0SQFTTtSph1oZ+raNt47WIwYXMwNp5HpkF0G1Uo3P4SLY0AyBTTDrC1t9
+z/mNpPS5KSNEy9PaIDsThWcxmadrTQAAAAMBAAEAAAGAWCkM/TEnztU9e3M+JX253OhNRe
+h6lB75ffOxh7avgAc3oP8hKkkYu6PDnJQgbb0R8T7wGywmGp0DPhrXQGd27ZjLvBhxeBfB
+sbTJ7LIKdxu0cAQN6nR2Z3M+NF2dLpiXgn80HRWg76W20yDffRcuzLamyIPptWI2e9rPAw
+r4HczOAXuMErLOfXotsbg22BvL/dEWLr4WVdruli32LbArxXd73IVPTYi3TTjYV+zRrPzK
+9WoBK/iFClfKcdT4NTY82llQesuUNu640lEJtT2G3Iba8UZnohyzm/S+UbeU65z8DKD5co
+P7+QehxQSV+kj2BZnTi0WEwsD+GTznJYR5rvUsJCCAzoISsWrncSSgOQhF2XeW/T4ewvH+
+njLZViEhdG8R3kkdDjJG91OrSgrEqlk6Qhz1xEsv1rCOR69En7EJP3TNNrymPXPASrAnuE
+HQkrVgGUfGqyD1sw1e6nBfNWisuw+g99CieIB8EI9WwpxQdKqWNU9Hjx+SAdC3NrPjAAAA
+wQCo0hUGjSf6xhcgeaNa0gWSKEVuFhxR/FaCPTKadV7Md0APW4toeQZDujzDFlCZbQTZjC
+0723B4lKugDzXfsOgvOTKp4vEjZOu0YGruS00LFWM7Sutdzx68b/ZMFALzITt/myKVMdpv
+WpaO+3+PyEYIQH44QrSWw7cKLzNiZ8kt2drPkPktub4o2h5TdIBluEQLJDPMejy8IqQEU8
+aOyJOMvYxAbGAWY7Ck9DGlcJgaFdORROW8d8ZGrHQkyRl41JQAAADBAPeUMsrbI17wPP/s
+Tsrkms5ws5yTz0xle2Wn6HwDSzQRSdn5abnIDYb3QSy0nRBvczef6ssH65dl50+2V4BV2L
+MwHcmKD6/UoFsWwP/RMf1EoacPFiEAWJGxFbOthNX+rx5BpbUHNoQd8xby+88saDI0e8W6
+36HPBZrAZhQljkMa4OJqZDDCpOJvSndXwkZ789E96uprKopJZGwlLmfMtikQpNXT9R+I0b
+SQCJj4yNakcdOE/7UifkOR02u+pgux3wAAAMEA5wdelKwGQ0EdkIF2TM844uLPszo3ZSH+
+Heff/Lbxs1Y+oL0NTJQicwMF0d9WEwBoTZJpuzsQEA1zkfmW0gi2womIRmiY0ZhpxbBuhO
+6XePMIhUfQmWWjaUbAkrNB0eJkSTuUGzwxVkMXehrMuj4gYe8GMC8GgULbP0A8FjH01fKk
+jFwgg4WAg6zUTpck12bh49NZRFyXIbXNk/jjxJtb0p//5TRTUQ6mR5IloaNTM23EiF6tle
+Y6CAchnyhHO0BTAAAACWhhemVAaGF6ZQE=
+-----END OPENSSH PRIVATE KEY-----
--- a/certificates/sftp/id_rsa.pub
+++ b/certificates/sftp/id_rsa.pub
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfbdpaofpjBEtsIE73hQo6R+cnabpmyJzR0y3dOYOeMtTQnOk63vC3n6YxmsQpBOl5+jPJQejfP4eSaWUsAY66k3LcD6MbY73nlRSDDR0Z+7qPo45vroO72Omq3wFDqCvdwRgBKmU8jsHzz39xWknmXUeIFSDJHtnXq/XmoIO2akVUgQIB0gISY+ix+Zm623dhiX3EtrLlYKZTO1ZL9qY9wazQM4QatZ4K13EYpZPdPLB0ErJDQ9t1gxqaAMhPslXVlLNk9qXLiwHsT52lLkCAEVVeZnrXXnUo3VMnyDKhSMWFjty1gQimdxmbJPg9i/Ii/FGxsm28RGJ40fwOhfkPC2pzFuAcrQ7Bi12XjJ1FdOhijeX6oiJ1/6DwANV5r+ZuR9M96B1Oijcs65OFc7ATEOW6SkzyhsUOnPViXUvqtEkBU07UqYdaGfq2jbeO1iMGFzMDaeR6ZBdBtVKNz+Ei2NAMgU0w6wtbfc/5jaT0uSkjRMvT2iA7E4VnMZmna00= haze@haze
--- a/nix/image/php-ext.nix
+++ b/nix/image/php-ext.nix
@ -38,7 +38,7 @@ in
        imagick
      ]
      ++ optionals (!debug) [
-        smbclient # this breaks the build for no apparent reason
+        # smbclient # this breaks the build for no apparent reason
      ]
      ++ optionals withBlackfire [
        blackfire
--- a/nix/package.nix
+++ b/nix/package.nix
@ -1,6 +1,5 @@
 {
  rustPlatform,
-  pkg-config,
  lib,
  git,
 }: let
@ -10,7 +9,7 @@
  src = sourceByRegex ../. ["Cargo.*" "(src|certificates)(/.*)?"];
  version = (fromTOML (readFile ../Cargo.toml)).package.version;
 in
-  rustPlatform.buildRustPackage rec {
+  rustPlatform.buildRustPackage {
    pname = "haze";

    inherit src version;
--- a/src/main.rs
+++ b/src/main.rs
@ -633,12 +633,7 @@ async fn setup(docker: &Docker, options: CloudOptions, config: &HazeConfig) -> R
        for service in cloud.services() {
            for cmd in service.post_setup(docker, &cloud.id, config).await? {
                cloud
-                    .exec(
-                        docker,
-                        shell_words::split(&cmd).into_diagnostic()?,
-                        false,
-                        Vec::<String>::default(),
-                    )
+                    .exec(docker, cmd, false, Vec::<String>::default())
                    .await?;
            }
        }
--- a/src/service.rs
+++ b/src/service.rs
@ -30,7 +30,7 @@ pub use crate::service::office::Office;
 pub use crate::service::onlyoffice::OnlyOffice;
 pub use crate::service::push::NotifyPush;
 use crate::service::redis::Redis;
-use crate::service::sftp::Sftp;
+use crate::service::sftp::{Sftp, SftpKey};
 use crate::service::sharded::{Sharding, ShardingMigrate, ShardingMigrateUnset, SingleShard};
 use crate::service::smb::Smb;
 use crate::service::webhook::Webhook;
@ -116,7 +116,7 @@ pub trait ServiceTrait {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(Vec::new())
    }

@ -267,6 +267,8 @@ pub enum ServiceType {
    Dav,
    /// Sftp external storage
    Sftp,
+    /// Sftp external storage with public key authentication
+    SftpKey,
    /// ownCloud instance for migration
    Oc,
    /// Imaginary for preview generation
@ -318,6 +320,7 @@ pub enum Service {
    ShardingMigrate(ShardingMigrate),
    ShardingMigrateUnset(ShardingMigrateUnset),
    Sftp(Sftp),
+    SftpKey(SftpKey),
    Kaspersky(Kaspersky),
    KasperskyIcap(KasperskyIcap),
    Clam(Clam),
@ -361,6 +364,7 @@ impl Service {
                }
                ServiceType::Dav => Some(vec![Service::Dav(Dav)]),
                ServiceType::Sftp => Some(vec![Service::Sftp(Sftp)]),
+                ServiceType::SftpKey => Some(vec![Service::SftpKey(SftpKey)]),
                ServiceType::Oc => Some(vec![Service::Oc(Oc)]),
                ServiceType::Imaginary => Some(vec![Service::Imaginary(Imaginary)]),
                ServiceType::Kaspersky => Some(vec![Service::Kaspersky(Kaspersky)]),
@ -437,15 +441,29 @@ impl ServiceTrait for PresetService {
        _docker: &Docker,
        _cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let preset =
            get_preset(&config.preset, &self.0).ok_or_else(|| Report::msg("invalid preset"))?;
        let mut commands: Vec<_> = preset
            .apps
            .iter()
-            .map(|app| format!("occ app:enable {app} --force"))
+            .map(|app| {
+                vec![
+                    "occ".into(),
+                    "app:enable".into(),
+                    app.clone(),
+                    "--force".into(),
+                ]
+            })
            .collect();
-        commands.extend_from_slice(&preset.commands);
+        for cmnd in &preset.commands {
+            commands.push(shell_words::split(cmnd).into_diagnostic()?);
+        }
+
        Ok(commands)
    }
 }
+
+fn split_cmnd(s: &str) -> Vec<String> {
+    s.split(' ').map(String::from).collect()
+}
--- a/src/service/clam.rs
+++ b/src/service/clam.rs
@ -2,7 +2,7 @@ use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::exec::exec;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -85,14 +85,13 @@ impl ServiceTrait for ClamIcap {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=icap".into(),
-            "occ config:app:set files_antivirus av_host --value=clamav-icap".into(),
-            "occ config:app:set files_antivirus av_port --value=1344".into(),
-            "occ config:app:set files_antivirus av_icap_request_service --value=avscan".into(),
-            "occ config:app:set files_antivirus av_icap_response_header --value=X-Infection-Found"
-                .into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=icap"),
+            split_cmnd("occ config:app:set files_antivirus av_host --value=clamav-icap"),
+            split_cmnd("occ config:app:set files_antivirus av_port --value=1344"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_request_service --value=avscan"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_response_header --value=X-Infection-Found"),
        ])
    }
 }
@ -171,7 +170,7 @@ impl ServiceTrait for ClamIcapTls {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let mut cert = Vec::new();
        exec(
            docker,
@ -191,14 +190,13 @@ impl ServiceTrait for ClamIcapTls {
            .wrap_err("Failed to write icap certificate")?;

        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=icap".into(),
-            "occ config:app:set files_antivirus av_icap_tls --value=1".into(),
-            "occ config:app:set files_antivirus av_host --value=clamav-icap-tls".into(),
-            "occ config:app:set files_antivirus av_port --value=1345".into(),
-            "occ config:app:set files_antivirus av_icap_request_service --value=avscan".into(),
-            "occ config:app:set files_antivirus av_icap_response_header --value=X-Infection-Found"
-                .into(),
-            "occ security:certificates:import data/icap-cert.pem".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=icap"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_tls --value=1"),
+            split_cmnd("occ config:app:set files_antivirus av_host --value=clamav-icap-tls"),
+            split_cmnd("occ config:app:set files_antivirus av_port --value=1345"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_request_service --value=avscan"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_response_header --value=X-Infection-Found"),
+            split_cmnd("occ security:certificates:import data/icap-cert.pem"),
        ])
    }
 }
@ -221,10 +219,10 @@ impl ServiceTrait for Clam {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=executable".into(),
-            "occ config:app:set files_antivirus av_path --value=/bin/clamscan".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=executable"),
+            split_cmnd("occ config:app:set files_antivirus av_path --value=/bin/clamscan"),
        ])
    }
 }
@ -294,10 +292,12 @@ impl ServiceTrait for ClamSocket {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=socket".into(),
-            "occ config:app:set files_antivirus av_socket --value=tcp://clamav-socket:3310".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=socket"),
+            split_cmnd(
+                "occ config:app:set files_antivirus av_socket --value=tcp://clamav-socket:3310",
+            ),
        ])
    }
 }
--- a/src/service/dav.rs
+++ b/src/service/dav.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::config::ContainerCreateBody;
 use bollard::models::{EndpointSettings, HostConfig, NetworkingConfig};
@ -76,12 +76,12 @@ impl ServiceTrait for Dav {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ files_external:create dav dav password::password".into(),
-            "occ files_external:config 1 host dav".into(),
-            "occ files_external:config 1 user test".into(),
-            "occ files_external:config 1 password test".into(),
+            split_cmnd("occ files_external:create dav dav password::password"),
+            split_cmnd("occ files_external:config 1 host dav"),
+            split_cmnd("occ files_external:config 1 user test"),
+            split_cmnd("occ files_external:config 1 password test"),
        ])
    }
 }
--- a/src/service/imaginary.rs
+++ b/src/service/imaginary.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::config::NetworkingConfig;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig};
@ -71,11 +71,14 @@ impl ServiceTrait for Imaginary {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:system:set enabledPreviewProviders 0 --value='OC\\Preview\\Imaginary'"
-                .into(),
-            "occ config:system:set preview_imaginary_url --value='http://imaginary:9000'".into(),
+            split_cmnd(
+                "occ config:system:set enabledPreviewProviders 0 --value='OC\\Preview\\Imaginary'",
+            ),
+            split_cmnd(
+                "occ config:system:set preview_imaginary_url --value='http://imaginary:9000'",
+            ),
        ])
    }
 }
--- a/src/service/kaspersky.rs
+++ b/src/service/kaspersky.rs
@ -2,7 +2,7 @@ use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::exec::exec;
 use crate::image::{image_exists, pull_image};
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -101,11 +101,11 @@ impl ServiceTrait for Kaspersky {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=kaspersky".into(),
-            "occ config:app:set files_antivirus av_host --value=kaspersky".into(),
-            "occ config:app:set files_antivirus av_port --value=80".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=kaspersky"),
+            split_cmnd("occ config:app:set files_antivirus av_host --value=kaspersky"),
+            split_cmnd("occ config:app:set files_antivirus av_port --value=80"),
        ])
    }
 }
@ -187,13 +187,15 @@ impl ServiceTrait for KasperskyIcap {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=icap".into(),
-            "occ config:app:set files_antivirus av_host --value=kaspersky-icap".into(),
-            "occ config:app:set files_antivirus av_port --value=1344".into(),
-            "occ config:app:set files_antivirus av_icap_request_service --value=req".into(),
-            "occ config:app:set files_antivirus av_icap_response_header --value=X-Virus-ID".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=icap"),
+            split_cmnd("occ config:app:set files_antivirus av_host --value=kaspersky-icap"),
+            split_cmnd("occ config:app:set files_antivirus av_port --value=1344"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_request_service --value=req"),
+            split_cmnd(
+                "occ config:app:set files_antivirus av_icap_response_header --value=X-Virus-ID",
+            ),
        ])
    }
 }
--- a/src/service/ldap.rs
+++ b/src/service/ldap.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::{HazeConfig, ProxyConfig};
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::config::NetworkingConfig;
 use bollard::models::{ContainerCreateBody, ContainerState, EndpointSettings, HostConfig};
@ -92,30 +92,29 @@ impl ServiceTrait for Ldap {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ ldap:create-empty-config".into(),
-            "occ ldap:set-config s01 ldapHost 'ldap://ldap'".into(),
-            "occ ldap:set-config s01 ldapPort '389'".into(),
-            "occ ldap:set-config s01 ldapAgentName 'cn=admin,dc=example,dc=org'".into(),
-            "occ ldap:set-config s01 ldapAgentPassword 'haze'".into(),
-            "occ ldap:set-config s01 ldapBase 'dc=example,dc=org'".into(),
-            "occ ldap:set-config s01 ldapBaseUsers 'dc=example,dc=org'".into(),
-            "occ ldap:set-config s01 ldapBaseGroups 'dc=example,dc=org'".into(),
-            "occ ldap:set-config s01 ldapLoginFilter '(&(&(objectclass=inetOrgPerson))(uid=%uid))'"
-                .into(),
-            "occ ldap:set-config s01 ldapUserFilter '((objectclass=inetOrgPerson))'".into(),
-            "occ ldap:set-config s01 ldapUserFilterMode '0'".into(),
-            "occ ldap:set-config s01 ldapUserDisplayName 'sn'".into(),
-            "occ ldap:set-config s01 ldapUserFilterObjectclass 'inetOrgPerson'".into(),
-            "occ ldap:set-config s01 ldapGroupFilter '(&(|(objectclass=posixGroup)))'".into(),
-            "occ ldap:set-config s01 ldapGroupFilterObjectclass 'posixGroup'".into(),
-            "occ ldap:set-config s01 ldapEmailAttribute 'email'".into(),
-            "occ ldap:set-config s01 ldapUuidUserAttribute 'email'".into(),
-            "occ ldap:set-config s01 ldapUuidUserAttribute 'auto'".into(),
-            "occ ldap:set-config s01 ldapUuidGroupAttribute 'auto'".into(),
-            "occ ldap:set-config s01 ldapLoginFilterUsername '1'".into(),
-            "occ ldap:set-config s01 ldapConfigurationActive '1'".into(),
+            split_cmnd("occ ldap:create-empty-config"),
+            split_cmnd("occ ldap:set-config s01 ldapHost ldap://ldap"),
+            split_cmnd("occ ldap:set-config s01 ldapPort 389"),
+            split_cmnd("occ ldap:set-config s01 ldapAgentName cn=admin,dc=example,dc=org"),
+            split_cmnd("occ ldap:set-config s01 ldapAgentPassword haze"),
+            split_cmnd("occ ldap:set-config s01 ldapBase dc=example,dc=org"),
+            split_cmnd("occ ldap:set-config s01 ldapBaseUsers dc=example,dc=org"),
+            split_cmnd("occ ldap:set-config s01 ldapBaseGroups dc=example,dc=org"),
+            split_cmnd("occ ldap:set-config s01 ldapLoginFilter (&(&(objectclass=inetOrgPerson))(uid=%uid))"),
+            split_cmnd("occ ldap:set-config s01 ldapUserFilter ((objectclass=inetOrgPerson))"),
+            split_cmnd("occ ldap:set-config s01 ldapUserFilterMode 0"),
+            split_cmnd("occ ldap:set-config s01 ldapUserDisplayName sn"),
+            split_cmnd("occ ldap:set-config s01 ldapUserFilterObjectclass inetOrgPerson"),
+            split_cmnd("occ ldap:set-config s01 ldapGroupFilter (&(|(objectclass=posixGroup)))"),
+            split_cmnd("occ ldap:set-config s01 ldapGroupFilterObjectclass posixGroup"),
+            split_cmnd("occ ldap:set-config s01 ldapEmailAttribute email"),
+            split_cmnd("occ ldap:set-config s01 ldapUuidUserAttribute email"),
+            split_cmnd("occ ldap:set-config s01 ldapUuidUserAttribute auto"),
+            split_cmnd("occ ldap:set-config s01 ldapUuidGroupAttribute auto"),
+            split_cmnd("occ ldap:set-config s01 ldapLoginFilterUsername 1"),
+            split_cmnd("occ ldap:set-config s01 ldapConfigurationActive 1"),
        ])
    }

--- a/src/service/mail.rs
+++ b/src/service/mail.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -70,14 +70,14 @@ impl ServiceTrait for Mail {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:system:set mail_smtpmode --value smtp".into(),
-            "occ config:system:set mail_sendmailmode --value smtp".into(),
-            "occ config:system:set mail_domain --value haze".into(),
-            "occ config:system:set mail_smtphost --value mail".into(),
-            "occ config:system:set mail_smtpport --value 25".into(),
-            "occ user:setting admin settings email admin@haze".into(),
+            split_cmnd("occ config:system:set mail_smtpmode --value smtp"),
+            split_cmnd("occ config:system:set mail_sendmailmode --value smtp"),
+            split_cmnd("occ config:system:set mail_domain --value haze"),
+            split_cmnd("occ config:system:set mail_smtphost --value mail"),
+            split_cmnd("occ config:system:set mail_smtpport --value 25"),
+            split_cmnd("occ user:setting admin settings email admin@haze"),
        ])
    }
 }
--- a/src/service/objectstore.rs
+++ b/src/service/objectstore.rs
@ -2,7 +2,7 @@ use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::exec::exec;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{
    ContainerCreateBody, ContainerState, EndpointSettings, HostConfig, NetworkingConfig,
@ -247,18 +247,18 @@ impl ServiceTrait for ObjectStore {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        match self {
            ObjectStore::S3 => Ok(vec![
-                "occ files_external:create s3 amazons3 amazons3::accesskey".into(),
-                "occ files_external:config 1 bucket ext".into(),
-                "occ files_external:config 1 hostname s3".into(),
-                "occ files_external:config 1 port 9000".into(),
-                "occ files_external:config 1 use_ssl false".into(),
-                "occ files_external:config 1 use_path_style true".into(),
-                "occ files_external:config 1 key minio".into(),
-                "occ files_external:config 1 secret minio123".into(),
-                "mc alias set s3 http://s3:9000 minio minio123".into(),
+                split_cmnd("occ files_external:create s3 amazons3 amazons3::accesskey"),
+                split_cmnd("occ files_external:config 1 bucket ext"),
+                split_cmnd("occ files_external:config 1 hostname s3"),
+                split_cmnd("occ files_external:config 1 port 9000"),
+                split_cmnd("occ files_external:config 1 use_ssl false"),
+                split_cmnd("occ files_external:config 1 use_path_style true"),
+                split_cmnd("occ files_external:config 1 key minio"),
+                split_cmnd("occ files_external:config 1 secret minio123"),
+                split_cmnd("mc alias set s3 http://s3:9000 minio minio123"),
            ]),
            // ObjectStore::S3s => Ok(vec![
            //     "occ files_external:create s3 amazons3 amazons3::accesskey".into(),
--- a/src/service/oc.rs
+++ b/src/service/oc.rs
@ -83,7 +83,7 @@ impl ServiceTrait for Oc {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        if let Some(ip) = self.get_ips(docker, cloud_id).await?.next() {
            let container = self.container_name(cloud_id).unwrap();
            let addr = config.proxy.addr(&container, ip);
--- a/src/service/office.rs
+++ b/src/service/office.rs
@ -119,7 +119,7 @@ impl ServiceTrait for Office {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let container = &self.container_name(cloud_id).unwrap();
        let info = docker
            .inspect_container(container, None)
@ -152,8 +152,22 @@ impl ServiceTrait for Office {
            .addr_with_port(container, ip, self.proxy_port());

        Ok(vec![
-            format!(r#"occ config:app:set richdocuments public_wopi_url --value="{public}""#),
-            r#"occ richdocuments:setup --wopi-url "http://office:9980" --callback-url "http://cloud""#.into(),
+            vec![
+                "occ".into(),
+                "config:app:set".into(),
+                "richdocuments".into(),
+                "public_wopi_url".into(),
+                "--value".into(),
+                public,
+            ],
+            vec![
+                "occ".into(),
+                "richdocuments:setup".into(),
+                "--wopi-url".into(),
+                "http://office:9980".into(),
+                "--callback-url".into(),
+                "http://cloud".into(),
+            ],
        ])
    }

--- a/src/service/onlyoffice.rs
+++ b/src/service/onlyoffice.rs
@ -2,7 +2,7 @@ use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::exec::exec;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{
    ContainerCreateBody, ContainerState, EndpointSettings, HostConfig, NetworkingConfig,
@ -82,7 +82,7 @@ impl ServiceTrait for OnlyOffice {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let info = docker
            .inspect_container(&self.container_name(cloud_id).unwrap(), None)
            .await
@ -137,16 +137,44 @@ impl ServiceTrait for OnlyOffice {
            );

            Ok(vec![
-                format!("occ config:app:set onlyoffice DocumentServerUrl --value {addr}/"),
-                format!("occ config:app:set onlyoffice jwt_secret --value {secret}"),
-                "occ onlyoffice:documentserver --check".into(),
+                vec![
+                    "occ".into(),
+                    "config:app:set".into(),
+                    "onlyoffice".into(),
+                    "DocumentServerUrl".into(),
+                    "--value".into(),
+                    addr,
+                ],
+                vec![
+                    "occ".into(),
+                    "config:app:set".into(),
+                    "onlyoffice".into(),
+                    "jwt_secret".into(),
+                    "--value".into(),
+                    secret.into(),
+                ],
+                split_cmnd("occ onlyoffice:documentserver --check"),
            ])
        } else {
            Ok(vec![
-                format!("occ config:app:set onlyoffice DocumentServerUrl --value https://{ip}/"),
-                "occ config:app:set onlyoffice verify_peer_off --value true".into(),
-                format!("occ config:app:set onlyoffice jwt_secret --value {secret}"),
-                "occ onlyoffice:documentserver --check".into(),
+                vec![
+                    "occ".into(),
+                    "config:app:set".into(),
+                    "onlyoffice".into(),
+                    "DocumentServerUrl".into(),
+                    "--value".into(),
+                    format!("https://{ip}/"),
+                ],
+                split_cmnd("occ config:app:set onlyoffice verify_peer_off --value true"),
+                vec![
+                    "occ".into(),
+                    "config:app:set".into(),
+                    "onlyoffice".into(),
+                    "jwt_secret".into(),
+                    "--value".into(),
+                    secret.into(),
+                ],
+                split_cmnd("occ onlyoffice:documentserver --check"),
            ])
        }
    }
--- a/src/service/push.rs
+++ b/src/service/push.rs
@ -87,7 +87,7 @@ impl ServiceTrait for NotifyPush {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let mut ips: Vec<_> = self.get_ips(docker, cloud_id).await?.collect();
        if let Ok(local_interfaces) = list_afinet_netifas() {
            ips.extend(local_interfaces.into_iter().map(|(_, ip)| ip));
@ -97,10 +97,14 @@ impl ServiceTrait for NotifyPush {
            .iter()
            .enumerate()
            .map(|(i, ip)| {
-                format!(
-                    "occ config:system:set trusted_proxies {} --value {ip}",
-                    i + 1
-                )
+                vec![
+                    "occ".into(),
+                    "config:system:set".into(),
+                    "trusted_proxies".into(),
+                    (i + 1).to_string(),
+                    "--value".into(),
+                    ip.to_string(),
+                ]
            })
            .collect();

@ -108,7 +112,7 @@ impl ServiceTrait for NotifyPush {
            config
                .proxy
                .addr_with_port(&self.container_name(cloud_id).unwrap(), ips[0], 7867);
-        commands.push(format!("occ notify_push:setup {}", addr));
+        commands.push(vec!["occ".into(), "notify_push:setup".into(), addr]);
        Ok(commands)
    }

--- a/src/service/redis.rs
+++ b/src/service/redis.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -70,7 +70,9 @@ impl ServiceTrait for Redis {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
-        Ok(vec!["occ config:system:set redis host --value redis".into()])
+    ) -> Result<Vec<Vec<String>>> {
+        Ok(vec![split_cmnd(
+            "occ config:system:set redis host --value redis",
+        )])
    }
 }
--- a/src/service/sftp.rs
+++ b/src/service/sftp.rs
@ -1,13 +1,14 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
 use bollard::Docker;
 use maplit::hashmap;
-use miette::IntoDiagnostic;
+use miette::{Context, IntoDiagnostic};
+use std::fs::{create_dir_all, write};

 #[derive(Debug, Clone, Eq, PartialEq)]
 pub struct Sftp;
@ -50,7 +51,10 @@ impl ServiceTrait for Sftp {
                    }
                }),
            }),
-            cmd: Some(vec!["test:test:::data".into()]),
+            cmd: Some(vec![
+                "test:test:::data".into(),
+                "ldaptest:test:::data".into(),
+            ]),
            ..Default::default()
        };
        let id = docker
@ -75,13 +79,119 @@ impl ServiceTrait for Sftp {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ files_external:create sftp sftp password::password".into(),
-            "occ files_external:config 1 host sftp".into(),
-            "occ files_external:config 1 user test".into(),
-            "occ files_external:config 1 root data".into(),
-            "occ files_external:config 1 password test".into(),
+            split_cmnd("occ files_external:create sftp sftp password::password"),
+            split_cmnd("occ files_external:config 1 host sftp"),
+            split_cmnd("occ files_external:config 1 user test"),
+            split_cmnd("occ files_external:config 1 root data"),
+            split_cmnd("occ files_external:config 1 password test"),
+        ])
+    }
+}
+
+#[derive(Debug, Clone, Eq, PartialEq)]
+pub struct SftpKey;
+
+#[async_trait::async_trait]
+impl ServiceTrait for SftpKey {
+    fn name(&self) -> &str {
+        "sftp-key"
+    }
+
+    async fn spawn(
+        &self,
+        docker: &Docker,
+        cloud_id: &str,
+        network: &str,
+        config: &HazeConfig,
+        _options: &CloudOptions,
+    ) -> Result<Vec<String>> {
+        let image = "atmoz/sftp:alpine";
+        pull_image(docker, image).await?;
+        let options = Some(CreateContainerOptions {
+            name: self.container_name(cloud_id),
+            ..CreateContainerOptions::default()
+        });
+        let key_dir = config.work_dir.join("certificates/sftp");
+        create_dir_all(&key_dir)
+            .into_diagnostic()
+            .wrap_err("Failed to create sftp certificate directory")?;
+        let private_path = key_dir.join("id_rsa");
+        let public_path = key_dir.join("id_rsa.pub");
+        let private_key = include_str!("../../certificates/sftp/id_rsa");
+        let public_key = include_str!("../../certificates/sftp/id_rsa.pub");
+        if !private_path.exists() {
+            write(&private_path, private_key)
+                .into_diagnostic()
+                .wrap_err("Failed to write sftp client certificate")?;
+        }
+        if !public_path.exists() {
+            write(&public_path, public_key)
+                .into_diagnostic()
+                .wrap_err("Failed to write sftp client key")?;
+        }
+
+        let volumes = vec![format!("{public_path}:/home/test/.ssh/keys/id_rsa:ro")];
+
+        let config = ContainerCreateBody {
+            image: Some(image.into()),
+            host_config: Some(HostConfig {
+                network_mode: Some(network.to_string()),
+                binds: Some(volumes),
+                ..Default::default()
+            }),
+            labels: Some(hashmap! {
+                "haze-type".into() => self.name().into(),
+                "haze-cloud-id".into() => cloud_id.into(),
+            }),
+            networking_config: Some(NetworkingConfig {
+                endpoints_config: Some(hashmap! {
+                    network.into() => EndpointSettings {
+                        aliases: Some(vec![self.name().to_string()]),
+                        ..Default::default()
+                    }
+                }),
+            }),
+            cmd: Some(vec!["test::::data".into()]),
+            ..Default::default()
+        };
+        let id = docker
+            .create_container(options, config)
+            .await
+            .into_diagnostic()?
+            .id;
+        docker.start_container(&id, None).await.into_diagnostic()?;
+        Ok(vec![id])
+    }
+
+    fn container_name(&self, cloud_id: &str) -> Option<String> {
+        Some(format!("{}-sftp-key", cloud_id))
+    }
+
+    fn apps(&self) -> &'static [&'static str] {
+        &["files_external"]
+    }
+
+    async fn post_setup(
+        &self,
+        _docker: &Docker,
+        _cloud_id: &str,
+        _config: &HazeConfig,
+    ) -> Result<Vec<Vec<String>>> {
+        Ok(vec![
+            split_cmnd("occ files_external:create sftp sftp publickey::rsa_private"),
+            split_cmnd("occ files_external:config 1 host sftp-key"),
+            split_cmnd("occ files_external:config 1 user test"),
+            split_cmnd("occ files_external:config 1 root data"),
+            vec![
+                "occ".into(),
+                "files_external:config".into(),
+                "--value-from-file".into(),
+                "1".into(),
+                "private_key".into(),
+                "/certificates/sftp/id_rsa".into(),
+            ],
        ])
    }
 }
--- a/src/service/smb.rs
+++ b/src/service/smb.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -40,8 +40,10 @@ impl ServiceTrait for Smb {
            }),
            env: Some(vec![
                "ACCOUNT_test=test".into(),
+                "ACCOUNT_ldaptest=test".into(),
                "UID_test=1000".into(),
                "SAMBA_VOLUME_CONFIG_test=[test]; path=/tmp; valid users = test; guest ok = no; read only = no; browseable = yes".into(),
+                "SAMBA_VOLUME_CONFIG_ldaptest=[ldaptest]; path=/tmp; valid users = ldaptest; guest ok = no; read only = no; browseable = yes".into(),
            ]),
            labels: Some(hashmap! {
                "haze-type".into() => self.name().into(),
@ -79,13 +81,13 @@ impl ServiceTrait for Smb {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ files_external:create smb smb password::password".into(),
-            "occ files_external:config 1 host smb".into(),
-            "occ files_external:config 1 user test".into(),
-            "occ files_external:config 1 password test".into(),
-            "occ files_external:config 1 share test".into(),
+            split_cmnd("occ files_external:create smb smb password::password"),
+            split_cmnd("occ files_external:config 1 host smb"),
+            split_cmnd("occ files_external:config 1 user test"),
+            split_cmnd("occ files_external:config 1 password test"),
+            split_cmnd("occ files_external:config 1 share test"),
        ])
    }
 }
Author	SHA1	Message	Date
Robin Appelman	a3f2355dea	create smb/sftp accounts for ldaptest	2026-05-28 18:48:40 +02:00
Robin Appelman	d852f9db4f	remove php-smbclient for now as it's broken	2026-05-28 18:48:19 +02:00
Robin Appelman	92fbc74a5b	fix ldap	2026-05-28 18:40:21 +02:00
Robin Appelman	204fb676d6	add sftp with key authentication service	2026-05-26 20:49:19 +02:00
Robin Appelman	f99238121b	nix cleanup	2026-05-09 16:45:55 +02:00
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfbdpaofpjBEtsIE73hQo6R+cnabpmyJzR0y3dOYOeMtTQnOk63vC3n6YxmsQpBOl5+jPJQejfP4eSaWUsAY66k3LcD6MbY73nlRSDDR0Z+7qPo45vroO72Omq3wFDqCvdwRgBKmU8jsHzz39xWknmXUeIFSDJHtnXq/XmoIO2akVUgQIB0gISY+ix+Zm623dhiX3EtrLlYKZTO1ZL9qY9wazQM4QatZ4K13EYpZPdPLB0ErJDQ9t1gxqaAMhPslXVlLNk9qXLiwHsT52lLkCAEVVeZnrXXnUo3VMnyDKhSMWFjty1gQimdxmbJPg9i/Ii/FGxsm28RGJ40fwOhfkPC2pzFuAcrQ7Bi12XjJ1FdOhijeX6oiJ1/6DwANV5r+ZuR9M96B1Oijcs65OFc7ATEOW6SkzyhsUOnPViXUvqtEkBU07UqYdaGfq2jbeO1iMGFzMDaeR6ZBdBtVKNz+Ei2NAMgU0w6wtbfc/5jaT0uSkjRMvT2iA7E4VnMZmna00= haze@haze