c00ca055f2
New deployments/copyparty/: copyparty (copyparty/ac) behind Caddy/LE for the web UI/WebDAV, plus its own SFTP (password auth) and FTPS listeners published directly. Ships update.sh, which drives container updates off copyparty's security-advisories API (api.copyparty.eu/advisories) -- policies latest|security|off.

- Real client IP end-to-end: Caddy XFF/X-Real-IP + copyparty xff-src: lan.
- SFTP host key + self-signed FTPS cert generated/persisted in /cfg; admin password generated on first deploy; conf auto-included via the image's % /cfg.
- Firewall opens 80/443 + SFTP/FTPS + passive range (colon form for ports.d).
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
42 lines
1.5 KiB
YAML
#cloud-config
#
# copyparty (file server) — harden SSH, then deploy, on a fresh host.
#
# Fill in REPO_URL and the values in the runcmd block, then paste this as the
# instance user-data. DNS for COPYPARTY_DOMAIN must point at this host and ports
# 80/443 must be reachable before boot, or the Let's Encrypt cert request fails.
# SFTP/FTPS (3922/3990 + the passive range) are opened too.

packages:
  - git

runcmd:
  - hostnamectl set-hostname copyparty || true
  - |
    set -e
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    REPO_BRANCH=main
    HARDEN_SSH=1   # harden SSH on this fresh VM (set 0 to skip)
    SSH_PORT=22
    ALLOWED_IP=    # optional: whitelist your client IP in sshguard
    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
    cd /opt/automations

    # Harden SSH first (PQ KEX, key-only auth, sshguard + deny-by-default
    # firewall). The firewall it installs is what deploy.sh registers the
    # copyparty ports with.
    if [ "$HARDEN_SSH" = 1 ]; then
      SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" SKIP_PROMPTS=1 FORCE=1 \
        bash scripts/harden-ssh.sh
    fi

    # Deploy copyparty. DATA_DIR is the shared folder (point it at a data disk);
    # FTP_NAT should be this host's public IP if you want passive FTPS via NAT.
    COPYPARTY_DOMAIN=files.example.com \
    ACME_EMAIL=admin@example.com \
    DATA_DIR=/srv/copyparty/data \
    UPDATE_POLICY=latest \
    FTP_NAT= \
    SKIP_PROMPTS=1 \
    bash deployments/copyparty/deploy.sh
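The header comment makes the deploy conditional on two things the file cannot check for itself: the example.com placeholders being replaced, and COPYPARTY_DOMAIN already resolving to this host when the Let's Encrypt request goes out. The pre-flight below is an added example, not part of the automations repository; it reads the same COPYPARTY_DOMAIN, ACME_EMAIL and FTP_NAT variables the runcmd block sets and assumes getent and hostname -I are available on the host.

```shell
#!/bin/sh
# Pre-flight for the cloud-init above (added example, not repository code).
# Run on the target host with the runcmd variables exported, before deploy.sh.

# Return 0 when DOMAIN is set and is not an example.com placeholder.
domain_is_real() {
    case "$1" in
        ""|example.com|*.example.com) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 when any address in $1 (space-separated, what DNS returned for the
# domain) also appears in $2 (space-separated, the addresses this host claims).
dns_points_here() {
    _resolved=$1; _hosts=$2
    for _r in $_resolved; do
        for _h in $_hosts; do
            [ "$_r" = "$_h" ] && return 0
        done
    done
    return 1
}

# A records for a name, one per line from getent, flattened to one line.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' '
}

preflight() {
    _domain=${COPYPARTY_DOMAIN:-}
    if ! domain_is_real "$_domain"; then
        echo "COPYPARTY_DOMAIN unset or still a placeholder: '$_domain'" >&2
        return 1
    fi
    case "${ACME_EMAIL:-}" in
        ""|*@example.com) echo "ACME_EMAIL unset or still a placeholder" >&2; return 1 ;;
    esac
    # Behind NAT the public address is what DNS must carry; the cloud-init
    # already puts it in FTP_NAT, so prefer that over the interface addresses.
    _mine=${FTP_NAT:-$(hostname -I 2>/dev/null)}
    _dns=$(resolve_v4 "$_domain")
    if ! dns_points_here "$_dns" "$_mine"; then
        echo "$_domain resolves to [$_dns], not to this host [$_mine]; the LE request would fail" >&2
        return 1
    fi
    echo "pre-flight OK: $_domain -> $_dns"
}
```

Call `preflight` from the `- |` block before `bash deployments/copyparty/deploy.sh`; with `set -e` in effect a failed check stops the deploy instead of burning a rate-limited ACME attempt.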