2.3.0 + updates

allow exec'ing service containers
fix mysql 8, again
2026-06-03 17:14:08 +02:00 · 2026-06-03 15:44:38 +02:00 · 2026-06-03 15:32:37 +02:00 · 2026-06-03 15:01:19 +02:00 · 2026-05-28 18:48:40 +02:00 · 2026-05-28 18:48:19 +02:00
26 changed files with 493 additions and 211 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -25,7 +25,7 @@ checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
 dependencies = [
 "cfg-if",
 "cipher",
- "cpufeatures",
+ "cpufeatures 0.2.17",
 ]

 [[package]]
@ -266,9 +266,9 @@ dependencies = [

 [[package]]
 name = "bollard"
-version = "0.20.1"
+version = "0.21.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "227aa051deec8d16bd9c34605e7aaf153f240e35483dd42f6f78903847934738"
+checksum = "c9d0a013e3d3ee4edd61e779adf117944c08902d375f18630a0c5b8f95659734"
 dependencies = [
 "base64",
 "bollard-stubs",
@ -298,9 +298,9 @@ dependencies = [

 [[package]]
 name = "bollard-stubs"
-version = "1.52.1-rc.29.1.3"
+version = "1.53.1-rc.29.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f0a8ca8799131c1837d1282c3f81f31e76ceb0ce426e04a7fe1ccee3287c066"
+checksum = "ce412eb6f7096743011dc3cb5c674caeb24ced61d8c498fe07cf7998a4fea889"
 dependencies = [
 "serde",
 "serde_json",
@ -384,6 +384,17 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"

+[[package]]
+name = "chacha20"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601"
+dependencies = [
+ "cfg-if",
+ "cpufeatures 0.3.0",
+ "rand_core 0.10.1",
+]
+
 [[package]]
 name = "cipher"
 version = "0.4.4"
@ -509,6 +520,15 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "cpufeatures"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "crc32fast"
 version = "1.5.0"
@ -897,6 +917,7 @@ dependencies = [
 "js-sys",
 "libc",
 "r-efi",
+ "rand_core 0.10.1",
 "wasip2",
 "wasip3",
 "wasm-bindgen",
@ -922,15 +943,14 @@ checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"

 [[package]]
 name = "git2"
-version = "0.20.4"
+version = "0.21.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b88256088d75a56f8ecfa070513a775dd9107f6530ef14919dac831af9cfe2b"
+checksum = "ddddbf932745a6be37109b6112d3ee09696106f848449069d3a57bba937ab82e"
 dependencies = [
 "bitflags",
 "libc",
 "libgit2-sys",
 "log",
- "url",
 ]

 [[package]]
@ -950,7 +970,7 @@ checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"

 [[package]]
 name = "haze"
-version = "2.2.2"
+version = "2.3.0"
 dependencies = [
 "async-trait",
 "atty",
@ -1491,9 +1511,9 @@ checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"

 [[package]]
 name = "libgit2-sys"
-version = "0.18.3+1.9.2"
+version = "0.18.5+1.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c9b3acc4b91781bb0b3386669d325163746af5f6e4f73e6d2d630e09a35f3487"
+checksum = "005d6ae6eac1912906073e069f7db60b1fa98e052a68227824afe3e3a1c59ca2"
 dependencies = [
 "cc",
 "libc",
@ -1794,16 +1814,24 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"

 [[package]]
 name = "petname"
-version = "2.0.2"
+version = "3.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9cd31dcfdbbd7431a807ef4df6edd6473228e94d5c805e8cf671227a21bad068"
+checksum = "2ce610bff48dd7b6a127e45631795fbb0b302b99a39bef7e6da3d297e8eb2b6b"
 dependencies = [
- "anyhow",
 "clap",
- "itertools",
+ "petname-macros",
+ "rand 0.10.1",
+]
+
+[[package]]
+name = "petname-macros"
+version = "3.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "324239bd00dcf61f1a0e301d4d8f6f8c080a755248fc3fdc817ee1fdbbc27b8b"
+dependencies = [
 "proc-macro2",
 "quote",
- "rand 0.8.5",
+ "syn",
 ]

 [[package]]
@ -1963,35 +1991,25 @@ version = "5.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"

-[[package]]
-name = "rand"
-version = "0.8.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
-dependencies = [
- "libc",
- "rand_chacha 0.3.1",
- "rand_core 0.6.4",
-]
-
 [[package]]
 name = "rand"
 version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
 dependencies = [
- "rand_chacha 0.9.0",
+ "rand_chacha",
 "rand_core 0.9.5",
 ]

 [[package]]
-name = "rand_chacha"
-version = "0.3.1"
+name = "rand"
+version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+checksum = "d2e8e8bcc7961af1fdac401278c6a831614941f6164ee3bf4ce61b7edb162207"
 dependencies = [
- "ppv-lite86",
- "rand_core 0.6.4",
+ "chacha20",
+ "getrandom 0.4.1",
+ "rand_core 0.10.1",
 ]

 [[package]]
@ -2004,15 +2022,6 @@ dependencies = [
 "rand_core 0.9.5",
 ]

-[[package]]
-name = "rand_core"
-version = "0.6.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
-dependencies = [
- "getrandom 0.2.15",
-]
-
 [[package]]
 name = "rand_core"
 version = "0.9.5"
@ -2022,6 +2031,12 @@ dependencies = [
 "getrandom 0.3.4",
 ]

+[[package]]
+name = "rand_core"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63b8176103e19a2643978565ca18b50549f6101881c443590420e4dc998a3c69"
+
 [[package]]
 name = "rayon"
 version = "1.12.0"
@ -2374,7 +2389,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
 dependencies = [
 "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
 "digest 0.10.7",
 ]

@ -2385,7 +2400,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
 dependencies = [
 "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
 "digest 0.10.7",
 ]

@ -2396,7 +2411,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c5f3b1e2dc8aad28310d8410bd4d7e180eca65fca176c52ab00d364475d0024"
 dependencies = [
 "cfg-if",
- "cpufeatures",
+ "cpufeatures 0.2.17",
 "digest 0.11.1",
 ]

--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "haze"
-version = "2.2.2"
+version = "2.3.0"
 authors = ["Robin Appelman <robin@icewind.nl>"]
 edition = "2021"
 repository = "https://codeberg.org/icewind/haze"
@ -8,7 +8,7 @@ license = "MIT"
 description = "Easy setup and management of Nextcloud test instances using docker"

 [dependencies]
-bollard = "0.20.1"
+bollard = "0.21.0"
 maplit = "1.0.2"
 camino = { version = "1.2.2", features = ["serde1"] }
 tokio = { version = "1.49.0", features = ["fs", "macros", "signal", "rt-multi-thread"] }
@ -20,7 +20,7 @@ toml = "1.0.3"
 directories-next = "2.0.0"
 serde = "1.0.228"
 serde_json = "1.0.149"
-petname = "2.0.2"
+petname = "3.0.0"
 reqwest = { version = "0.13.2", default-features = false, features = ["rustls"] }
 tar = "0.4.44"
 flate2 = "1.1.9"
@ -31,7 +31,7 @@ shell-words = "1.1.1"
 tracing = "0.1.44"
 tracing-subscriber = "0.3.22"
 atty = "0.2.14"
-git2 = { version = "0.20.4", default-features = false }
+git2 = { version = "0.21.0", default-features = false }
 itertools = { version = "0.14.0", features = ["use_alloc"] }
 local-ip-address = "0.6.10"
 strum = { version = "0.28.0", features = ["derive"] }
--- a/README.md
+++ b/README.md
@ -81,6 +81,8 @@ Additionally, you can use the following options when starting an instance:
 - `smb`: set up a samba server for external storage use.
 - `dav`: set up a WebDAV server for external storage use.
 - `sftp`: set up a SFTP server for external storage use.
+- `sftp-key`: set up a SFTP server for external storage use with public key
+  authentication.
 - `kaspersky`: set up a kaspersky scan engine server in http mode. ( Requires
  [manually setting up the image](https://github.com/icewind1991/kaspersky-docker))
 - `kaspersky-icap`: setup a kaspersky scan engine server in ICAP mode.
@ -149,11 +151,14 @@ haze [match] db
 #### Execute a command on an instance

 ```bash
-haze [match] exec [cmd]
+haze [match] [service] [cmd]
 ```

 If no `cmd` is specified it will launch `bash`

+If a service name or `db` is provided, the command will be in the container of
+the service or database.
+
 #### Create a new instance and run a command

 ```bash
--- a/certificates/sftp/id_rsa
+++ b/certificates/sftp/id_rsa
@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA323aWqH6YwRLbCBO94UKOkfnJ2m6Zsic0dMt3TmDnjLU0JzpOt7w
+t5+mMZrEKQTpefozyUHo3z+HkmllLAGOupNy3A+jG2O955UUgw0dGfu6j6OOb66Du9jpqt
+8BQ6gr3cEYASplPI7B889/cVpJ5l1HiBUgyR7Z16v15qCDtmpFVIECAdICEmPosfmZutt3
+YYl9xLay5WCmUztWS/amPcGs0DOEGrWeCtdxGKWT3TywdBKyQ0PbdYMamgDIT7JV1ZSzZP
+aly4sB7E+dpS5AgBFVXmZ61151KN1TJ8gyoUjFhY7ctYEIpncZmyT4PYvyIvxRsbJtvERi
+eNH8DoX5DwtqcxbgHK0OwYtdl4ydRXToYo3l+qIidf+g8ADVea/mbkfTPegdToo3LOuThX
+OwExDlukpM8obFDpz1Yl1L6rRJAVNO1KmHWhn6to23jtYjBhczA2nkemQXQbVSjc/hItjQ
+DIFNMOsLW33P+Y2k9LkpI0TL09ogOxOFZzGZp2tNAAAFgIgMIZ+IDCGfAAAAB3NzaC1yc2
+EAAAGBAN9t2lqh+mMES2wgTveFCjpH5ydpumbInNHTLd05g54y1NCc6Tre8LefpjGaxCkE
+6Xn6M8lB6N8/h5JpZSwBjrqTctwPoxtjveeVFIMNHRn7uo+jjm+ug7vY6arfAUOoK93BGA
+EqZTyOwfPPf3FaSeZdR4gVIMke2der9eagg7ZqRVSBAgHSAhJj6LH5mbrbd2GJfcS2suVg
+plM7Vkv2pj3BrNAzhBq1ngrXcRilk908sHQSskND23WDGpoAyE+yVdWUs2T2pcuLAexPna
+UuQIARVV5metdedSjdUyfIMqFIxYWO3LWBCKZ3GZsk+D2L8iL8UbGybbxEYnjR/A6F+Q8L
+anMW4BytDsGLXZeMnUV06GKN5fqiInX/oPAA1Xmv5m5H0z3oHU6KNyzrk4VzsBMQ5bpKTP
+KGxQ6c9WJdS+q0SQFTTtSph1oZ+raNt47WIwYXMwNp5HpkF0G1Uo3P4SLY0AyBTTDrC1t9
+z/mNpPS5KSNEy9PaIDsThWcxmadrTQAAAAMBAAEAAAGAWCkM/TEnztU9e3M+JX253OhNRe
+h6lB75ffOxh7avgAc3oP8hKkkYu6PDnJQgbb0R8T7wGywmGp0DPhrXQGd27ZjLvBhxeBfB
+sbTJ7LIKdxu0cAQN6nR2Z3M+NF2dLpiXgn80HRWg76W20yDffRcuzLamyIPptWI2e9rPAw
+r4HczOAXuMErLOfXotsbg22BvL/dEWLr4WVdruli32LbArxXd73IVPTYi3TTjYV+zRrPzK
+9WoBK/iFClfKcdT4NTY82llQesuUNu640lEJtT2G3Iba8UZnohyzm/S+UbeU65z8DKD5co
+P7+QehxQSV+kj2BZnTi0WEwsD+GTznJYR5rvUsJCCAzoISsWrncSSgOQhF2XeW/T4ewvH+
+njLZViEhdG8R3kkdDjJG91OrSgrEqlk6Qhz1xEsv1rCOR69En7EJP3TNNrymPXPASrAnuE
+HQkrVgGUfGqyD1sw1e6nBfNWisuw+g99CieIB8EI9WwpxQdKqWNU9Hjx+SAdC3NrPjAAAA
+wQCo0hUGjSf6xhcgeaNa0gWSKEVuFhxR/FaCPTKadV7Md0APW4toeQZDujzDFlCZbQTZjC
+0723B4lKugDzXfsOgvOTKp4vEjZOu0YGruS00LFWM7Sutdzx68b/ZMFALzITt/myKVMdpv
+WpaO+3+PyEYIQH44QrSWw7cKLzNiZ8kt2drPkPktub4o2h5TdIBluEQLJDPMejy8IqQEU8
+aOyJOMvYxAbGAWY7Ck9DGlcJgaFdORROW8d8ZGrHQkyRl41JQAAADBAPeUMsrbI17wPP/s
+Tsrkms5ws5yTz0xle2Wn6HwDSzQRSdn5abnIDYb3QSy0nRBvczef6ssH65dl50+2V4BV2L
+MwHcmKD6/UoFsWwP/RMf1EoacPFiEAWJGxFbOthNX+rx5BpbUHNoQd8xby+88saDI0e8W6
+36HPBZrAZhQljkMa4OJqZDDCpOJvSndXwkZ789E96uprKopJZGwlLmfMtikQpNXT9R+I0b
+SQCJj4yNakcdOE/7UifkOR02u+pgux3wAAAMEA5wdelKwGQ0EdkIF2TM844uLPszo3ZSH+
+Heff/Lbxs1Y+oL0NTJQicwMF0d9WEwBoTZJpuzsQEA1zkfmW0gi2womIRmiY0ZhpxbBuhO
+6XePMIhUfQmWWjaUbAkrNB0eJkSTuUGzwxVkMXehrMuj4gYe8GMC8GgULbP0A8FjH01fKk
+jFwgg4WAg6zUTpck12bh49NZRFyXIbXNk/jjxJtb0p//5TRTUQ6mR5IloaNTM23EiF6tle
+Y6CAchnyhHO0BTAAAACWhhemVAaGF6ZQE=
+-----END OPENSSH PRIVATE KEY-----
--- a/certificates/sftp/id_rsa.pub
+++ b/certificates/sftp/id_rsa.pub
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfbdpaofpjBEtsIE73hQo6R+cnabpmyJzR0y3dOYOeMtTQnOk63vC3n6YxmsQpBOl5+jPJQejfP4eSaWUsAY66k3LcD6MbY73nlRSDDR0Z+7qPo45vroO72Omq3wFDqCvdwRgBKmU8jsHzz39xWknmXUeIFSDJHtnXq/XmoIO2akVUgQIB0gISY+ix+Zm623dhiX3EtrLlYKZTO1ZL9qY9wazQM4QatZ4K13EYpZPdPLB0ErJDQ9t1gxqaAMhPslXVlLNk9qXLiwHsT52lLkCAEVVeZnrXXnUo3VMnyDKhSMWFjty1gQimdxmbJPg9i/Ii/FGxsm28RGJ40fwOhfkPC2pzFuAcrQ7Bi12XjJ1FdOhijeX6oiJ1/6DwANV5r+ZuR9M96B1Oijcs65OFc7ATEOW6SkzyhsUOnPViXUvqtEkBU07UqYdaGfq2jbeO1iMGFzMDaeR6ZBdBtVKNz+Ei2NAMgU0w6wtbfc/5jaT0uSkjRMvT2iA7E4VnMZmna00= haze@haze
--- a/nix/image/php-ext.nix
+++ b/nix/image/php-ext.nix
@ -38,7 +38,7 @@ in
        imagick
      ]
      ++ optionals (!debug) [
-        smbclient # this breaks the build for no apparent reason
+        # smbclient # this breaks the build for no apparent reason
      ]
      ++ optionals withBlackfire [
        blackfire
--- a/nix/package.nix
+++ b/nix/package.nix
@ -1,6 +1,5 @@
 {
  rustPlatform,
-  pkg-config,
  lib,
  git,
 }: let
@ -10,7 +9,7 @@
  src = sourceByRegex ../. ["Cargo.*" "(src|certificates)(/.*)?"];
  version = (fromTOML (readFile ../Cargo.toml)).package.version;
 in
-  rustPlatform.buildRustPackage rec {
+  rustPlatform.buildRustPackage {
    pname = "haze";

    inherit src version;
--- a/src/args.rs
+++ b/src/args.rs
@ -165,6 +165,7 @@ impl LogService {
 #[derive(Debug, Clone, Eq, PartialEq)]
 pub enum ExecService {
    Db,
+    Service(Service),
 }

 impl HazeArgs {
@ -232,6 +233,14 @@ impl HazeArgs {
                        args.next();
                        Some(ExecService::Db)
                    }
+                    Some(arg) => Service::from_type(&[], arg.as_ref())
+                        .into_iter()
+                        .filter_map(|services| services.into_iter().next())
+                        .next()
+                        .map(|service| {
+                            args.next();
+                            ExecService::Service(service)
+                        }),
                    _ => None,
                };

--- a/src/database.rs
+++ b/src/database.rs
@ -219,14 +219,6 @@ impl Database {
                    }
                }),
            }),
-            cmd: if self.image() == "mysql:8" {
-                Some(vec![
-                    "--default-authentication-plugin".into(),
-                    "mysql_native_password".into(),
-                ])
-            } else {
-                None
-            },
            ..Default::default()
        };
        let id = docker
--- a/src/main.rs
+++ b/src/main.rs
@ -148,6 +148,9 @@ async fn main() -> Result<ExitCode> {
            root,
        } => {
            let cloud = Cloud::get_by_filter(&docker, filter, &config).await?;
+            let env = get_forward_env();
+            let tty = atty::is(atty::Stream::Stdout);
+
            match service {
                None => {
                    let command = if command.is_empty() {
@ -155,8 +158,7 @@ async fn main() -> Result<ExitCode> {
                    } else {
                        command
                    };
-                    let env = get_forward_env();
-                    let tty = atty::is(atty::Stream::Stdout);
+
                    let user = if root { "root" } else { "haze" };
                    if tty {
                        exec_tty(&docker, &cloud.id, user, command, env).await?;
@ -165,19 +167,42 @@ async fn main() -> Result<ExitCode> {
                    }
                }
                Some(ExecService::Db) => {
-                    cloud
-                        .db()
-                        .exec_sh(
-                            &docker,
-                            &cloud.id,
-                            if command.is_empty() {
+                    let command = if command.is_empty() {
                        vec!["bash".to_string()]
                    } else {
                        command
-                            },
-                            atty::is(atty::Stream::Stdout),
-                        )
-                        .await?;
+                    };
+
+                    cloud.db().exec_sh(&docker, &cloud.id, command, tty).await?;
+                }
+                Some(ExecService::Service(service)) => {
+                    let Some(container) = service.container_name(&cloud.id) else {
+                        eprintln!(
+                            "Service {} can't be exec'ed as it has no associated container",
+                            service.name()
+                        );
+                        return Ok(ExitCode::FAILURE);
+                    };
+                    if service.exec_shell() == "" && command.is_empty() {
+                        eprintln!(
+                            "Service {} can't be exec'ed as it has no shell",
+                            service.name()
+                        );
+                        return Ok(ExitCode::FAILURE);
+                    }
+
+                    let command = if command.is_empty() {
+                        vec![service.exec_shell().to_string()]
+                    } else {
+                        command
+                    };
+
+                    let user = if root { "root" } else { service.exec_user() };
+                    if tty {
+                        exec_tty(&docker, &container, user, command, env).await?;
+                    } else {
+                        exec(&docker, &container, user, command, env, Some(stdout())).await?;
+                    }
                }
            }
        }
@ -633,12 +658,7 @@ async fn setup(docker: &Docker, options: CloudOptions, config: &HazeConfig) -> R
        for service in cloud.services() {
            for cmd in service.post_setup(docker, &cloud.id, config).await? {
                cloud
-                    .exec(
-                        docker,
-                        shell_words::split(&cmd).into_diagnostic()?,
-                        false,
-                        Vec::<String>::default(),
-                    )
+                    .exec(docker, cmd, false, Vec::<String>::default())
                    .await?;
            }
        }
--- a/src/service.rs
+++ b/src/service.rs
@ -30,7 +30,7 @@ pub use crate::service::office::Office;
 pub use crate::service::onlyoffice::OnlyOffice;
 pub use crate::service::push::NotifyPush;
 use crate::service::redis::Redis;
-use crate::service::sftp::Sftp;
+use crate::service::sftp::{Sftp, SftpKey};
 use crate::service::sharded::{Sharding, ShardingMigrate, ShardingMigrateUnset, SingleShard};
 use crate::service::smb::Smb;
 use crate::service::webhook::Webhook;
@ -116,7 +116,7 @@ pub trait ServiceTrait {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(Vec::new())
    }

@ -194,6 +194,14 @@ pub trait ServiceTrait {
    fn proxy_port(&self) -> u16 {
        80
    }
+
+    fn exec_user(&self) -> &'static str {
+        "root"
+    }
+
+    fn exec_shell(&self) -> &'static str {
+        "bash"
+    }
 }

 #[derive(Clone, Eq, PartialEq, Debug)]
@ -242,6 +250,7 @@ pub enum ServiceType {
    /// Ldap admin interface
    LdapAdmin,
    /// OnlyOffice
+    #[strum(serialize = "onlyoffice", serialize = "only-office")]
    OnlyOffice,
    /// Libre office online
    Office,
@ -267,6 +276,8 @@ pub enum ServiceType {
    Dav,
    /// Sftp external storage
    Sftp,
+    /// Sftp external storage with public key authentication
+    SftpKey,
    /// ownCloud instance for migration
    Oc,
    /// Imaginary for preview generation
@ -318,6 +329,7 @@ pub enum Service {
    ShardingMigrate(ShardingMigrate),
    ShardingMigrateUnset(ShardingMigrateUnset),
    Sftp(Sftp),
+    SftpKey(SftpKey),
    Kaspersky(Kaspersky),
    KasperskyIcap(KasperskyIcap),
    Clam(Clam),
@ -361,6 +373,7 @@ impl Service {
                }
                ServiceType::Dav => Some(vec![Service::Dav(Dav)]),
                ServiceType::Sftp => Some(vec![Service::Sftp(Sftp)]),
+                ServiceType::SftpKey => Some(vec![Service::SftpKey(SftpKey)]),
                ServiceType::Oc => Some(vec![Service::Oc(Oc)]),
                ServiceType::Imaginary => Some(vec![Service::Imaginary(Imaginary)]),
                ServiceType::Kaspersky => Some(vec![Service::Kaspersky(Kaspersky)]),
@ -437,15 +450,29 @@ impl ServiceTrait for PresetService {
        _docker: &Docker,
        _cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let preset =
            get_preset(&config.preset, &self.0).ok_or_else(|| Report::msg("invalid preset"))?;
        let mut commands: Vec<_> = preset
            .apps
            .iter()
-            .map(|app| format!("occ app:enable {app} --force"))
+            .map(|app| {
+                vec![
+                    "occ".into(),
+                    "app:enable".into(),
+                    app.clone(),
+                    "--force".into(),
+                ]
+            })
            .collect();
-        commands.extend_from_slice(&preset.commands);
+        for cmnd in &preset.commands {
+            commands.push(shell_words::split(cmnd).into_diagnostic()?);
+        }
+
        Ok(commands)
    }
 }
+
+fn split_cmnd(s: &str) -> Vec<String> {
+    s.split(' ').map(String::from).collect()
+}
--- a/src/service/clam.rs
+++ b/src/service/clam.rs
@ -2,7 +2,7 @@ use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::exec::exec;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -85,14 +85,13 @@ impl ServiceTrait for ClamIcap {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=icap".into(),
-            "occ config:app:set files_antivirus av_host --value=clamav-icap".into(),
-            "occ config:app:set files_antivirus av_port --value=1344".into(),
-            "occ config:app:set files_antivirus av_icap_request_service --value=avscan".into(),
-            "occ config:app:set files_antivirus av_icap_response_header --value=X-Infection-Found"
-                .into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=icap"),
+            split_cmnd("occ config:app:set files_antivirus av_host --value=clamav-icap"),
+            split_cmnd("occ config:app:set files_antivirus av_port --value=1344"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_request_service --value=avscan"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_response_header --value=X-Infection-Found"),
        ])
    }
 }
@ -171,7 +170,7 @@ impl ServiceTrait for ClamIcapTls {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let mut cert = Vec::new();
        exec(
            docker,
@ -191,14 +190,13 @@ impl ServiceTrait for ClamIcapTls {
            .wrap_err("Failed to write icap certificate")?;

        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=icap".into(),
-            "occ config:app:set files_antivirus av_icap_tls --value=1".into(),
-            "occ config:app:set files_antivirus av_host --value=clamav-icap-tls".into(),
-            "occ config:app:set files_antivirus av_port --value=1345".into(),
-            "occ config:app:set files_antivirus av_icap_request_service --value=avscan".into(),
-            "occ config:app:set files_antivirus av_icap_response_header --value=X-Infection-Found"
-                .into(),
-            "occ security:certificates:import data/icap-cert.pem".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=icap"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_tls --value=1"),
+            split_cmnd("occ config:app:set files_antivirus av_host --value=clamav-icap-tls"),
+            split_cmnd("occ config:app:set files_antivirus av_port --value=1345"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_request_service --value=avscan"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_response_header --value=X-Infection-Found"),
+            split_cmnd("occ security:certificates:import data/icap-cert.pem"),
        ])
    }
 }
@ -221,10 +219,10 @@ impl ServiceTrait for Clam {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=executable".into(),
-            "occ config:app:set files_antivirus av_path --value=/bin/clamscan".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=executable"),
+            split_cmnd("occ config:app:set files_antivirus av_path --value=/bin/clamscan"),
        ])
    }
 }
@ -294,10 +292,12 @@ impl ServiceTrait for ClamSocket {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=socket".into(),
-            "occ config:app:set files_antivirus av_socket --value=tcp://clamav-socket:3310".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=socket"),
+            split_cmnd(
+                "occ config:app:set files_antivirus av_socket --value=tcp://clamav-socket:3310",
+            ),
        ])
    }
 }
--- a/src/service/dav.rs
+++ b/src/service/dav.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::config::ContainerCreateBody;
 use bollard::models::{EndpointSettings, HostConfig, NetworkingConfig};
@ -76,12 +76,12 @@ impl ServiceTrait for Dav {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ files_external:create dav dav password::password".into(),
-            "occ files_external:config 1 host dav".into(),
-            "occ files_external:config 1 user test".into(),
-            "occ files_external:config 1 password test".into(),
+            split_cmnd("occ files_external:create dav dav password::password"),
+            split_cmnd("occ files_external:config 1 host dav"),
+            split_cmnd("occ files_external:config 1 user test"),
+            split_cmnd("occ files_external:config 1 password test"),
        ])
    }
 }
--- a/src/service/imaginary.rs
+++ b/src/service/imaginary.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::config::NetworkingConfig;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig};
@ -71,11 +71,14 @@ impl ServiceTrait for Imaginary {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:system:set enabledPreviewProviders 0 --value='OC\\Preview\\Imaginary'"
-                .into(),
-            "occ config:system:set preview_imaginary_url --value='http://imaginary:9000'".into(),
+            split_cmnd(
+                "occ config:system:set enabledPreviewProviders 0 --value='OC\\Preview\\Imaginary'",
+            ),
+            split_cmnd(
+                "occ config:system:set preview_imaginary_url --value='http://imaginary:9000'",
+            ),
        ])
    }
 }
--- a/src/service/kaspersky.rs
+++ b/src/service/kaspersky.rs
@ -2,7 +2,7 @@ use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::exec::exec;
 use crate::image::{image_exists, pull_image};
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -101,11 +101,11 @@ impl ServiceTrait for Kaspersky {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=kaspersky".into(),
-            "occ config:app:set files_antivirus av_host --value=kaspersky".into(),
-            "occ config:app:set files_antivirus av_port --value=80".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=kaspersky"),
+            split_cmnd("occ config:app:set files_antivirus av_host --value=kaspersky"),
+            split_cmnd("occ config:app:set files_antivirus av_port --value=80"),
        ])
    }
 }
@ -187,13 +187,15 @@ impl ServiceTrait for KasperskyIcap {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:app:set files_antivirus av_mode --value=icap".into(),
-            "occ config:app:set files_antivirus av_host --value=kaspersky-icap".into(),
-            "occ config:app:set files_antivirus av_port --value=1344".into(),
-            "occ config:app:set files_antivirus av_icap_request_service --value=req".into(),
-            "occ config:app:set files_antivirus av_icap_response_header --value=X-Virus-ID".into(),
+            split_cmnd("occ config:app:set files_antivirus av_mode --value=icap"),
+            split_cmnd("occ config:app:set files_antivirus av_host --value=kaspersky-icap"),
+            split_cmnd("occ config:app:set files_antivirus av_port --value=1344"),
+            split_cmnd("occ config:app:set files_antivirus av_icap_request_service --value=req"),
+            split_cmnd(
+                "occ config:app:set files_antivirus av_icap_response_header --value=X-Virus-ID",
+            ),
        ])
    }
 }
--- a/src/service/ldap.rs
+++ b/src/service/ldap.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::{HazeConfig, ProxyConfig};
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::config::NetworkingConfig;
 use bollard::models::{ContainerCreateBody, ContainerState, EndpointSettings, HostConfig};
@ -92,30 +92,29 @@ impl ServiceTrait for Ldap {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ ldap:create-empty-config".into(),
-            "occ ldap:set-config s01 ldapHost 'ldap://ldap'".into(),
-            "occ ldap:set-config s01 ldapPort '389'".into(),
-            "occ ldap:set-config s01 ldapAgentName 'cn=admin,dc=example,dc=org'".into(),
-            "occ ldap:set-config s01 ldapAgentPassword 'haze'".into(),
-            "occ ldap:set-config s01 ldapBase 'dc=example,dc=org'".into(),
-            "occ ldap:set-config s01 ldapBaseUsers 'dc=example,dc=org'".into(),
-            "occ ldap:set-config s01 ldapBaseGroups 'dc=example,dc=org'".into(),
-            "occ ldap:set-config s01 ldapLoginFilter '(&(&(objectclass=inetOrgPerson))(uid=%uid))'"
-                .into(),
-            "occ ldap:set-config s01 ldapUserFilter '((objectclass=inetOrgPerson))'".into(),
-            "occ ldap:set-config s01 ldapUserFilterMode '0'".into(),
-            "occ ldap:set-config s01 ldapUserDisplayName 'sn'".into(),
-            "occ ldap:set-config s01 ldapUserFilterObjectclass 'inetOrgPerson'".into(),
-            "occ ldap:set-config s01 ldapGroupFilter '(&(|(objectclass=posixGroup)))'".into(),
-            "occ ldap:set-config s01 ldapGroupFilterObjectclass 'posixGroup'".into(),
-            "occ ldap:set-config s01 ldapEmailAttribute 'email'".into(),
-            "occ ldap:set-config s01 ldapUuidUserAttribute 'email'".into(),
-            "occ ldap:set-config s01 ldapUuidUserAttribute 'auto'".into(),
-            "occ ldap:set-config s01 ldapUuidGroupAttribute 'auto'".into(),
-            "occ ldap:set-config s01 ldapLoginFilterUsername '1'".into(),
-            "occ ldap:set-config s01 ldapConfigurationActive '1'".into(),
+            split_cmnd("occ ldap:create-empty-config"),
+            split_cmnd("occ ldap:set-config s01 ldapHost ldap://ldap"),
+            split_cmnd("occ ldap:set-config s01 ldapPort 389"),
+            split_cmnd("occ ldap:set-config s01 ldapAgentName cn=admin,dc=example,dc=org"),
+            split_cmnd("occ ldap:set-config s01 ldapAgentPassword haze"),
+            split_cmnd("occ ldap:set-config s01 ldapBase dc=example,dc=org"),
+            split_cmnd("occ ldap:set-config s01 ldapBaseUsers dc=example,dc=org"),
+            split_cmnd("occ ldap:set-config s01 ldapBaseGroups dc=example,dc=org"),
+            split_cmnd("occ ldap:set-config s01 ldapLoginFilter (&(&(objectclass=inetOrgPerson))(uid=%uid))"),
+            split_cmnd("occ ldap:set-config s01 ldapUserFilter ((objectclass=inetOrgPerson))"),
+            split_cmnd("occ ldap:set-config s01 ldapUserFilterMode 0"),
+            split_cmnd("occ ldap:set-config s01 ldapUserDisplayName sn"),
+            split_cmnd("occ ldap:set-config s01 ldapUserFilterObjectclass inetOrgPerson"),
+            split_cmnd("occ ldap:set-config s01 ldapGroupFilter (&(|(objectclass=posixGroup)))"),
+            split_cmnd("occ ldap:set-config s01 ldapGroupFilterObjectclass posixGroup"),
+            split_cmnd("occ ldap:set-config s01 ldapEmailAttribute email"),
+            split_cmnd("occ ldap:set-config s01 ldapUuidUserAttribute email"),
+            split_cmnd("occ ldap:set-config s01 ldapUuidUserAttribute auto"),
+            split_cmnd("occ ldap:set-config s01 ldapUuidGroupAttribute auto"),
+            split_cmnd("occ ldap:set-config s01 ldapLoginFilterUsername 1"),
+            split_cmnd("occ ldap:set-config s01 ldapConfigurationActive 1"),
        ])
    }

--- a/src/service/mail.rs
+++ b/src/service/mail.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -70,14 +70,14 @@ impl ServiceTrait for Mail {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ config:system:set mail_smtpmode --value smtp".into(),
-            "occ config:system:set mail_sendmailmode --value smtp".into(),
-            "occ config:system:set mail_domain --value haze".into(),
-            "occ config:system:set mail_smtphost --value mail".into(),
-            "occ config:system:set mail_smtpport --value 25".into(),
-            "occ user:setting admin settings email admin@haze".into(),
+            split_cmnd("occ config:system:set mail_smtpmode --value smtp"),
+            split_cmnd("occ config:system:set mail_sendmailmode --value smtp"),
+            split_cmnd("occ config:system:set mail_domain --value haze"),
+            split_cmnd("occ config:system:set mail_smtphost --value mail"),
+            split_cmnd("occ config:system:set mail_smtpport --value 25"),
+            split_cmnd("occ user:setting admin settings email admin@haze"),
        ])
    }
 }
--- a/src/service/objectstore.rs
+++ b/src/service/objectstore.rs
@ -2,7 +2,7 @@ use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::exec::exec;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{
    ContainerCreateBody, ContainerState, EndpointSettings, HostConfig, NetworkingConfig,
@ -247,18 +247,18 @@ impl ServiceTrait for ObjectStore {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        match self {
            ObjectStore::S3 => Ok(vec![
-                "occ files_external:create s3 amazons3 amazons3::accesskey".into(),
-                "occ files_external:config 1 bucket ext".into(),
-                "occ files_external:config 1 hostname s3".into(),
-                "occ files_external:config 1 port 9000".into(),
-                "occ files_external:config 1 use_ssl false".into(),
-                "occ files_external:config 1 use_path_style true".into(),
-                "occ files_external:config 1 key minio".into(),
-                "occ files_external:config 1 secret minio123".into(),
-                "mc alias set s3 http://s3:9000 minio minio123".into(),
+                split_cmnd("occ files_external:create s3 amazons3 amazons3::accesskey"),
+                split_cmnd("occ files_external:config 1 bucket ext"),
+                split_cmnd("occ files_external:config 1 hostname s3"),
+                split_cmnd("occ files_external:config 1 port 9000"),
+                split_cmnd("occ files_external:config 1 use_ssl false"),
+                split_cmnd("occ files_external:config 1 use_path_style true"),
+                split_cmnd("occ files_external:config 1 key minio"),
+                split_cmnd("occ files_external:config 1 secret minio123"),
+                split_cmnd("mc alias set s3 http://s3:9000 minio minio123"),
            ]),
            // ObjectStore::S3s => Ok(vec![
            //     "occ files_external:create s3 amazons3 amazons3::accesskey".into(),
--- a/src/service/oc.rs
+++ b/src/service/oc.rs
@ -83,7 +83,7 @@ impl ServiceTrait for Oc {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        if let Some(ip) = self.get_ips(docker, cloud_id).await?.next() {
            let container = self.container_name(cloud_id).unwrap();
            let addr = config.proxy.addr(&container, ip);
--- a/src/service/office.rs
+++ b/src/service/office.rs
@ -119,7 +119,7 @@ impl ServiceTrait for Office {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let container = &self.container_name(cloud_id).unwrap();
        let info = docker
            .inspect_container(container, None)
@ -152,8 +152,22 @@ impl ServiceTrait for Office {
            .addr_with_port(container, ip, self.proxy_port());

        Ok(vec![
-            format!(r#"occ config:app:set richdocuments public_wopi_url --value="{public}""#),
-            r#"occ richdocuments:setup --wopi-url "http://office:9980" --callback-url "http://cloud""#.into(),
+            vec![
+                "occ".into(),
+                "config:app:set".into(),
+                "richdocuments".into(),
+                "public_wopi_url".into(),
+                "--value".into(),
+                public,
+            ],
+            vec![
+                "occ".into(),
+                "richdocuments:setup".into(),
+                "--wopi-url".into(),
+                "http://office:9980".into(),
+                "--callback-url".into(),
+                "http://cloud".into(),
+            ],
        ])
    }

--- a/src/service/onlyoffice.rs
+++ b/src/service/onlyoffice.rs
@ -2,7 +2,7 @@ use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::exec::exec;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{
    ContainerCreateBody, ContainerState, EndpointSettings, HostConfig, NetworkingConfig,
@ -82,7 +82,7 @@ impl ServiceTrait for OnlyOffice {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let info = docker
            .inspect_container(&self.container_name(cloud_id).unwrap(), None)
            .await
@ -137,16 +137,44 @@ impl ServiceTrait for OnlyOffice {
            );

            Ok(vec![
-                format!("occ config:app:set onlyoffice DocumentServerUrl --value {addr}/"),
-                format!("occ config:app:set onlyoffice jwt_secret --value {secret}"),
-                "occ onlyoffice:documentserver --check".into(),
+                vec![
+                    "occ".into(),
+                    "config:app:set".into(),
+                    "onlyoffice".into(),
+                    "DocumentServerUrl".into(),
+                    "--value".into(),
+                    addr,
+                ],
+                vec![
+                    "occ".into(),
+                    "config:app:set".into(),
+                    "onlyoffice".into(),
+                    "jwt_secret".into(),
+                    "--value".into(),
+                    secret.into(),
+                ],
+                split_cmnd("occ onlyoffice:documentserver --check"),
            ])
        } else {
            Ok(vec![
-                format!("occ config:app:set onlyoffice DocumentServerUrl --value https://{ip}/"),
-                "occ config:app:set onlyoffice verify_peer_off --value true".into(),
-                format!("occ config:app:set onlyoffice jwt_secret --value {secret}"),
-                "occ onlyoffice:documentserver --check".into(),
+                vec![
+                    "occ".into(),
+                    "config:app:set".into(),
+                    "onlyoffice".into(),
+                    "DocumentServerUrl".into(),
+                    "--value".into(),
+                    format!("https://{ip}/"),
+                ],
+                split_cmnd("occ config:app:set onlyoffice verify_peer_off --value true"),
+                vec![
+                    "occ".into(),
+                    "config:app:set".into(),
+                    "onlyoffice".into(),
+                    "jwt_secret".into(),
+                    "--value".into(),
+                    secret.into(),
+                ],
+                split_cmnd("occ onlyoffice:documentserver --check"),
            ])
        }
    }
--- a/src/service/push.rs
+++ b/src/service/push.rs
@ -87,7 +87,7 @@ impl ServiceTrait for NotifyPush {
        docker: &Docker,
        cloud_id: &str,
        config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        let mut ips: Vec<_> = self.get_ips(docker, cloud_id).await?.collect();
        if let Ok(local_interfaces) = list_afinet_netifas() {
            ips.extend(local_interfaces.into_iter().map(|(_, ip)| ip));
@ -97,10 +97,14 @@ impl ServiceTrait for NotifyPush {
            .iter()
            .enumerate()
            .map(|(i, ip)| {
-                format!(
-                    "occ config:system:set trusted_proxies {} --value {ip}",
-                    i + 1
-                )
+                vec![
+                    "occ".into(),
+                    "config:system:set".into(),
+                    "trusted_proxies".into(),
+                    (i + 1).to_string(),
+                    "--value".into(),
+                    ip.to_string(),
+                ]
            })
            .collect();

@ -108,7 +112,7 @@ impl ServiceTrait for NotifyPush {
            config
                .proxy
                .addr_with_port(&self.container_name(cloud_id).unwrap(), ips[0], 7867);
-        commands.push(format!("occ notify_push:setup {}", addr));
+        commands.push(vec!["occ".into(), "notify_push:setup".into(), addr]);
        Ok(commands)
    }

--- a/src/service/redis.rs
+++ b/src/service/redis.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -70,7 +70,13 @@ impl ServiceTrait for Redis {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
-        Ok(vec!["occ config:system:set redis host --value redis".into()])
+    ) -> Result<Vec<Vec<String>>> {
+        Ok(vec![split_cmnd(
+            "occ config:system:set redis host --value redis",
+        )])
+    }
+
+    fn exec_shell(&self) -> &'static str {
+        "sh"
    }
 }
--- a/src/service/sftp.rs
+++ b/src/service/sftp.rs
@ -1,13 +1,14 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
 use bollard::Docker;
 use maplit::hashmap;
-use miette::IntoDiagnostic;
+use miette::{Context, IntoDiagnostic};
+use std::fs::{create_dir_all, write};

 #[derive(Debug, Clone, Eq, PartialEq)]
 pub struct Sftp;
@ -50,7 +51,10 @@ impl ServiceTrait for Sftp {
                    }
                }),
            }),
-            cmd: Some(vec!["test:test:::data".into()]),
+            cmd: Some(vec![
+                "test:test:::data".into(),
+                "ldaptest:test:::data".into(),
+            ]),
            ..Default::default()
        };
        let id = docker
@ -75,13 +79,119 @@ impl ServiceTrait for Sftp {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ files_external:create sftp sftp password::password".into(),
-            "occ files_external:config 1 host sftp".into(),
-            "occ files_external:config 1 user test".into(),
-            "occ files_external:config 1 root data".into(),
-            "occ files_external:config 1 password test".into(),
+            split_cmnd("occ files_external:create sftp sftp password::password"),
+            split_cmnd("occ files_external:config 1 host sftp"),
+            split_cmnd("occ files_external:config 1 user test"),
+            split_cmnd("occ files_external:config 1 root data"),
+            split_cmnd("occ files_external:config 1 password test"),
+        ])
+    }
+}
+
+#[derive(Debug, Clone, Eq, PartialEq)]
+pub struct SftpKey;
+
+#[async_trait::async_trait]
+impl ServiceTrait for SftpKey {
+    fn name(&self) -> &str {
+        "sftp-key"
+    }
+
+    async fn spawn(
+        &self,
+        docker: &Docker,
+        cloud_id: &str,
+        network: &str,
+        config: &HazeConfig,
+        _options: &CloudOptions,
+    ) -> Result<Vec<String>> {
+        let image = "atmoz/sftp:alpine";
+        pull_image(docker, image).await?;
+        let options = Some(CreateContainerOptions {
+            name: self.container_name(cloud_id),
+            ..CreateContainerOptions::default()
+        });
+        let key_dir = config.work_dir.join("certificates/sftp");
+        create_dir_all(&key_dir)
+            .into_diagnostic()
+            .wrap_err("Failed to create sftp certificate directory")?;
+        let private_path = key_dir.join("id_rsa");
+        let public_path = key_dir.join("id_rsa.pub");
+        let private_key = include_str!("../../certificates/sftp/id_rsa");
+        let public_key = include_str!("../../certificates/sftp/id_rsa.pub");
+        if !private_path.exists() {
+            write(&private_path, private_key)
+                .into_diagnostic()
+                .wrap_err("Failed to write sftp client certificate")?;
+        }
+        if !public_path.exists() {
+            write(&public_path, public_key)
+                .into_diagnostic()
+                .wrap_err("Failed to write sftp client key")?;
+        }
+
+        let volumes = vec![format!("{public_path}:/home/test/.ssh/keys/id_rsa:ro")];
+
+        let config = ContainerCreateBody {
+            image: Some(image.into()),
+            host_config: Some(HostConfig {
+                network_mode: Some(network.to_string()),
+                binds: Some(volumes),
+                ..Default::default()
+            }),
+            labels: Some(hashmap! {
+                "haze-type".into() => self.name().into(),
+                "haze-cloud-id".into() => cloud_id.into(),
+            }),
+            networking_config: Some(NetworkingConfig {
+                endpoints_config: Some(hashmap! {
+                    network.into() => EndpointSettings {
+                        aliases: Some(vec![self.name().to_string()]),
+                        ..Default::default()
+                    }
+                }),
+            }),
+            cmd: Some(vec!["test::::data".into()]),
+            ..Default::default()
+        };
+        let id = docker
+            .create_container(options, config)
+            .await
+            .into_diagnostic()?
+            .id;
+        docker.start_container(&id, None).await.into_diagnostic()?;
+        Ok(vec![id])
+    }
+
+    fn container_name(&self, cloud_id: &str) -> Option<String> {
+        Some(format!("{}-sftp-key", cloud_id))
+    }
+
+    fn apps(&self) -> &'static [&'static str] {
+        &["files_external"]
+    }
+
+    async fn post_setup(
+        &self,
+        _docker: &Docker,
+        _cloud_id: &str,
+        _config: &HazeConfig,
+    ) -> Result<Vec<Vec<String>>> {
+        Ok(vec![
+            split_cmnd("occ files_external:create sftp sftp publickey::rsa_private"),
+            split_cmnd("occ files_external:config 1 host sftp-key"),
+            split_cmnd("occ files_external:config 1 user test"),
+            split_cmnd("occ files_external:config 1 root data"),
+            vec![
+                "occ".into(),
+                "files_external:config".into(),
+                "--value-from-file".into(),
+                "1".into(),
+                "private_key".into(),
+                "/certificates/sftp/id_rsa".into(),
+            ],
        ])
    }
 }
--- a/src/service/smb.rs
+++ b/src/service/smb.rs
@ -1,7 +1,7 @@
 use crate::cloud::CloudOptions;
 use crate::config::HazeConfig;
 use crate::image::pull_image;
-use crate::service::ServiceTrait;
+use crate::service::{split_cmnd, ServiceTrait};
 use crate::Result;
 use bollard::models::{ContainerCreateBody, EndpointSettings, HostConfig, NetworkingConfig};
 use bollard::query_parameters::CreateContainerOptions;
@ -40,8 +40,10 @@ impl ServiceTrait for Smb {
            }),
            env: Some(vec![
                "ACCOUNT_test=test".into(),
+                "ACCOUNT_ldaptest=test".into(),
                "UID_test=1000".into(),
                "SAMBA_VOLUME_CONFIG_test=[test]; path=/tmp; valid users = test; guest ok = no; read only = no; browseable = yes".into(),
+                "SAMBA_VOLUME_CONFIG_ldaptest=[ldaptest]; path=/tmp; valid users = ldaptest; guest ok = no; read only = no; browseable = yes".into(),
            ]),
            labels: Some(hashmap! {
                "haze-type".into() => self.name().into(),
@ -79,13 +81,17 @@ impl ServiceTrait for Smb {
        _docker: &Docker,
        _cloud_id: &str,
        _config: &HazeConfig,
-    ) -> Result<Vec<String>> {
+    ) -> Result<Vec<Vec<String>>> {
        Ok(vec![
-            "occ files_external:create smb smb password::password".into(),
-            "occ files_external:config 1 host smb".into(),
-            "occ files_external:config 1 user test".into(),
-            "occ files_external:config 1 password test".into(),
-            "occ files_external:config 1 share test".into(),
+            split_cmnd("occ files_external:create smb smb password::password"),
+            split_cmnd("occ files_external:config 1 host smb"),
+            split_cmnd("occ files_external:config 1 user test"),
+            split_cmnd("occ files_external:config 1 password test"),
+            split_cmnd("occ files_external:config 1 share test"),
        ])
    }
+
+    fn exec_shell(&self) -> &'static str {
+        "sh"
+    }
 }
--- a/src/service/webhook.rs
+++ b/src/service/webhook.rs
@ -68,4 +68,8 @@ impl ServiceTrait for Webhook {
    fn proxy_port(&self) -> u16 {
        8080
    }
+
+    fn exec_shell(&self) -> &'static str {
+        ""
+    }
 }
Author	SHA1	Message	Date
Robin Appelman	a38de3fdee	2.3.0 + updates	2026-06-03 15:44:38 +02:00
Robin Appelman	d138740bbd	allow exec'ing service containers	2026-06-03 15:32:37 +02:00
Robin Appelman	fc6cde4161	fix mysql 8, again fixes #25	2026-06-03 15:01:19 +02:00
Robin Appelman	a3f2355dea	create smb/sftp accounts for ldaptest	2026-05-28 18:48:40 +02:00
Robin Appelman	d852f9db4f	remove php-smbclient for now as it's broken	2026-05-28 18:48:19 +02:00
Robin Appelman	92fbc74a5b	fix ldap	2026-05-28 18:40:21 +02:00
Robin Appelman	204fb676d6	add sftp with key authentication service	2026-05-26 20:49:19 +02:00
Robin Appelman	f99238121b	nix cleanup	2026-05-09 16:45:55 +02:00
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfbdpaofpjBEtsIE73hQo6R+cnabpmyJzR0y3dOYOeMtTQnOk63vC3n6YxmsQpBOl5+jPJQejfP4eSaWUsAY66k3LcD6MbY73nlRSDDR0Z+7qPo45vroO72Omq3wFDqCvdwRgBKmU8jsHzz39xWknmXUeIFSDJHtnXq/XmoIO2akVUgQIB0gISY+ix+Zm623dhiX3EtrLlYKZTO1ZL9qY9wazQM4QatZ4K13EYpZPdPLB0ErJDQ9t1gxqaAMhPslXVlLNk9qXLiwHsT52lLkCAEVVeZnrXXnUo3VMnyDKhSMWFjty1gQimdxmbJPg9i/Ii/FGxsm28RGJ40fwOhfkPC2pzFuAcrQ7Bi12XjJ1FdOhijeX6oiJ1/6DwANV5r+ZuR9M96B1Oijcs65OFc7ATEOW6SkzyhsUOnPViXUvqtEkBU07UqYdaGfq2jbeO1iMGFzMDaeR6ZBdBtVKNz+Ei2NAMgU0w6wtbfc/5jaT0uSkjRMvT2iA7E4VnMZmna00= haze@haze