57_Wolve c00ca055f2 feat(copyparty): add file-server deployment with SFTP/FTPS + security-notices updater
New deployments/copyparty/: copyparty (copyparty/ac) behind Caddy/LE for the
web UI/WebDAV, plus its own SFTP (password auth) and FTPS listeners published
directly. Ships update.sh, which drives container updates off copyparty's
security-advisories API (api.copyparty.eu/advisories) -- policies latest|security|off.

- Real client IP end-to-end: Caddy XFF/X-Real-IP + copyparty xff-src: lan.
- SFTP host key + self-signed FTPS cert generated/persisted in /cfg; admin
  password generated on first deploy; conf auto-included via the image's % /cfg.
- Firewall opens 80/443 + SFTP/FTPS + passive range (colon form for ports.d).
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 15:56:24 -05:00


#cloud-config
#
# copyparty (file server) — harden SSH, then deploy, on a fresh host.
#
# Fill in REPO_URL and the values in the runcmd block, then paste this as the
# instance user-data. DNS for COPYPARTY_DOMAIN must point at this host and ports
# 80/443 must be reachable before boot, or the Let's Encrypt cert request fails.
# SFTP/FTPS (3922/3990 + the passive range) are opened too.
packages:
  - git
runcmd:
  - hostnamectl set-hostname copyparty || true
  - |
    set -e
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    REPO_BRANCH=main
    HARDEN_SSH=1   # harden SSH on this fresh VM (set 0 to skip)
    SSH_PORT=22
    ALLOWED_IP=    # optional: whitelist your client IP in sshguard

    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
    cd /opt/automations

    # Harden SSH first (PQ KEX, key-only auth, sshguard + deny-by-default
    # firewall). The firewall it installs is what deploy.sh registers the
    # copyparty ports with.
    if [ "$HARDEN_SSH" = 1 ]; then
      SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" SKIP_PROMPTS=1 FORCE=1 \
        bash scripts/harden-ssh.sh
    fi

    # Deploy copyparty. DATA_DIR is the shared folder (point it at a data disk);
    # FTP_NAT should be this host's public IP if you want passive FTPS via NAT.
    COPYPARTY_DOMAIN=files.example.com \
    ACME_EMAIL=admin@example.com \
    DATA_DIR=/srv/copyparty/data \
    UPDATE_POLICY=latest \
    FTP_NAT= \
    SKIP_PROMPTS=1 \
      bash deployments/copyparty/deploy.sh
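A preflight check for the values pasted into the runcmd block above, added here as an example and not part of the automations repo or the cloud-config: the variable names are the cloud-config's, the validation rules are this script's own assumptions (pure string checks, no DNS or port probing). It catches the typos that would otherwise only show up as a failed Let's Encrypt request, a rejected UPDATE_POLICY, or an sshguard whitelist that never matches.

```shell
#!/bin/sh
# Validate copyparty cloud-init user-data values before pasting them.
# Added example; assumed rules, not the deploy scripts' own checks.

# Hostname: lowercase dotted labels, no leading/trailing hyphen, at least
# one dot (a bare label cannot get a public Let's Encrypt certificate).
valid_domain() {
  printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# Dotted-quad IPv4 literal with every octet in 0-255 (FTP_NAT, ALLOWED_IP).
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  for o in $1; do
    [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
}

# TCP port in 1-65535 (SSH_PORT).
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# Checks the whole set; prints one line per problem and returns the count.
# Args: domain email data_dir update_policy ftp_nat ssh_port allowed_ip
check_userdata() {
  errs=0
  valid_domain "$1" || { echo "COPYPARTY_DOMAIN: bad hostname '$1'"; errs=$((errs+1)); }
  printf '%s' "$2" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$' \
    || { echo "ACME_EMAIL: not an address '$2'"; errs=$((errs+1)); }
  case $3 in /*) ;; *) echo "DATA_DIR: must be absolute '$3'"; errs=$((errs+1)) ;; esac
  case $4 in latest|security|off) ;;
    *) echo "UPDATE_POLICY: must be latest|security|off, got '$4'"; errs=$((errs+1)) ;;
  esac
  # FTP_NAT and ALLOWED_IP may be empty; if set they must be IPv4 literals.
  [ -z "$5" ] || valid_ipv4 "$5" || { echo "FTP_NAT: bad IPv4 '$5'"; errs=$((errs+1)); }
  valid_port "$6" || { echo "SSH_PORT: bad port '$6'"; errs=$((errs+1)); }
  [ -z "$7" ] || valid_ipv4 "$7" || { echo "ALLOWED_IP: bad IPv4 '$7'"; errs=$((errs+1)); }
  return $errs
}
```

Run it as `check_userdata files.example.com admin@example.com /srv/copyparty/data latest "" 22 ""` with your own values; a zero exit status means every variable is well-formed.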