c00ca055f2
New deployments/copyparty/: copyparty (copyparty/ac) behind Caddy/LE for the web UI/WebDAV, plus its own SFTP (password auth) and FTPS listeners published directly. Ships update.sh, which drives container updates off copyparty's security-advisories API (api.copyparty.eu/advisories) -- policies latest|security|off. - Real client IP end-to-end: Caddy XFF/X-Real-IP + copyparty xff-src: lan. - SFTP host key + self-signed FTPS cert generated/persisted in /cfg; admin password generated on first deploy; conf auto-included via the image's % /cfg. - Firewall opens 80/443 + SFTP/FTPS + passive range (colon form for ports.d). - Wired into automations.sh, README, .gitignore; cloud-init for fresh VMs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
63 lines
2.5 KiB
Plaintext
63 lines
2.5 KiB
Plaintext
# copyparty configuration (TEMPLATE).
|
|
#
|
|
# deploy.sh copies this to cfg/copyparty.conf on first deploy, replacing
|
|
# __ADMIN_PW__ with a generated password (and uncommenting ftp-nat if FTP_NAT is
|
|
# set). The image auto-includes every *.conf in /cfg (its baked-in config ends
|
|
# with `% /cfg`), so this file is loaded automatically -- no -c flag needed.
|
|
#
|
|
# Reload after editing, no restart: docker compose exec copyparty kill -s USR1 1
|
|
# Permission letters: r=read w=write/upload m=move/rename d=delete a=admin g=get-only
|
|
|
|
[global]
|
|
# -- Behind Caddy (real client IP) --
|
|
# Trust the reverse proxy's X-Forwarded-For. Only Caddy can reach :3923 (it is
|
|
# not published), so `lan` (trust private nets) is safe and robust; narrow it
|
|
# to the exact docker subnet copyparty names in a startup warning if you like.
|
|
xff-src: lan
|
|
|
|
# -- Security notices (copyparty's built-in vulnerability check) --
|
|
# Periodically checks whether THIS version has a known advisory and warns in
|
|
# the log / control panel. The companion update.sh acts on the same feed.
|
|
vc-url: https://api.copyparty.eu/advisories
|
|
vc-age: 3
|
|
# vc-exit # opt-in: shut down if running a vulnerable version -- only
|
|
# enable together with the security updater, or it will loop.
|
|
|
|
# -- Indexing / media --
|
|
e2dsa # up2k database + filesystem scan (dedup, search)
|
|
e2ts # parse media tags for the indexer
|
|
|
|
# -- SFTP + FTPS (direct listeners; NOT proxied by Caddy) --
|
|
sftp: 3922 # SFTP server
|
|
sftp-pw # allow password auth (not just ssh keys)
|
|
ftps: 3990 # explicit-TLS FTPS (plaintext `ftp` intentionally omitted)
|
|
ftp-pr: 12000-12099 # passive TCP port range (also published in docker-compose.yml)
|
|
cert: /cfg/ftps.pem # self-signed by deploy.sh; swap in Caddy's LE cert to taste
|
|
# ftp-nat: 203.0.113.10 # set to the server's public IP for passive FTPS via NAT
|
|
|
|
[accounts]
|
|
# deploy.sh replaces __ADMIN_PW__ with a generated password on first run.
|
|
admin: __ADMIN_PW__
|
|
|
|
# Default volume: the whole data root, private to admin. Open it up below.
|
|
[/]
|
|
/w
|
|
accs:
|
|
rwmda: admin
|
|
|
|
# --- examples (uncomment + adjust) -----------------------------------------
|
|
# Public read-only share of /w/pub for anyone (no login):
|
|
# [/pub]
|
|
# /w/pub
|
|
# accs:
|
|
# r: *
|
|
#
|
|
# Anonymous write-only dropbox (uploads, no listing or download):
|
|
# [/inbox]
|
|
# /w/inbox
|
|
# accs:
|
|
# w: *
|
|
#
|
|
# Add another account: put `bob: s3cret` under [accounts] above, then grant it
|
|
# access in a volume, e.g. `rw: bob` inside that volume's accs: block.
|