Files
57_Wolve c00ca055f2 feat(copyparty): add file-server deployment with SFTP/FTPS + security-notices updater
New deployments/copyparty/: copyparty (copyparty/ac) behind Caddy/LE for the
web UI/WebDAV, plus its own SFTP (password auth) and FTPS listeners published
directly. Ships update.sh, which drives container updates off copyparty's
security-advisories API (api.copyparty.eu/advisories) -- policies latest|security|off.

- Real client IP end-to-end: Caddy XFF/X-Real-IP + copyparty xff-src: lan.
- SFTP host key + self-signed FTPS cert generated/persisted in /cfg; admin
  password generated on first deploy; conf auto-included via the image's % /cfg.
- Firewall opens 80/443 + SFTP/FTPS + passive range (colon form for ports.d).
- Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 15:56:24 -05:00

63 lines
2.5 KiB
Plaintext

# copyparty configuration (TEMPLATE).
#
# deploy.sh copies this to cfg/copyparty.conf on first deploy, replacing
# __ADMIN_PW__ with a generated password (and uncommenting ftp-nat if FTP_NAT is
# set). The image auto-includes every *.conf in /cfg (its baked-in config ends
# with `% /cfg`), so this file is loaded automatically -- no -c flag needed.
#
# Reload after editing, no restart: docker compose exec copyparty kill -s USR1 1
# Permission letters: r=read w=write/upload m=move/rename d=delete a=admin g=get-only
[global]
# -- Behind Caddy (real client IP) --
# Trust the reverse proxy's X-Forwarded-For. Only Caddy can reach :3923 (it is
# not published), so `lan` (trust private nets) is safe and robust; narrow it
# to the exact docker subnet copyparty names in a startup warning if you like.
xff-src: lan
# -- Security notices (copyparty's built-in vulnerability check) --
# Periodically checks whether THIS version has a known advisory and warns in
# the log / control panel. The companion update.sh acts on the same feed.
vc-url: https://api.copyparty.eu/advisories
vc-age: 3
# vc-exit # opt-in: shut down if running a vulnerable version -- only
# enable together with the security updater, or it will loop.
# -- Indexing / media --
e2dsa # up2k database + filesystem scan (dedup, search)
e2ts # parse media tags for the indexer
# -- SFTP + FTPS (direct listeners; NOT proxied by Caddy) --
sftp: 3922 # SFTP server
sftp-pw # allow password auth (not just ssh keys)
ftps: 3990 # explicit-TLS FTPS (plaintext `ftp` intentionally omitted)
ftp-pr: 12000-12099 # passive TCP port range (also published in docker-compose.yml)
cert: /cfg/ftps.pem # self-signed by deploy.sh; swap in Caddy's LE cert to taste
# ftp-nat: 203.0.113.10 # set to the server's public IP for passive FTPS via NAT
[accounts]
# deploy.sh replaces __ADMIN_PW__ with a generated password on first run.
admin: __ADMIN_PW__
# Default volume: the whole data root, private to admin. Open it up below.
[/]
/w
accs:
rwmda: admin
# --- examples (uncomment + adjust) -----------------------------------------
# Public read-only share of /w/pub for anyone (no login):
# [/pub]
# /w/pub
# accs:
# r: *
#
# Anonymous write-only dropbox (uploads, no listing or download):
# [/inbox]
# /w/inbox
# accs:
# w: *
#
# Add another account: put `bob: s3cret` under [accounts] above, then grant it
# access in a volume, e.g. `rw: bob` inside that volume's accs: block.