From 29a983d559d51410d6d83a492e8ce653b57f4c0c Mon Sep 17 00:00:00 2001
From: Stefan Ostermann
Date: Wed, 21 Jan 2026 21:28:12 +0000
Subject: [PATCH] copyparty
---
copyparty/cpp/copyparty.conf | 82 ++++++++++++++++++++++++++++++++++++
copyparty/docker-compose.yml | 25 +++++++++++
2 files changed, 107 insertions(+)
create mode 100644 copyparty/cpp/copyparty.conf
create mode 100644 copyparty/docker-compose.yml
diff --git a/copyparty/cpp/copyparty.conf b/copyparty/cpp/copyparty.conf
new file mode 100644
index 0000000..6a0d6e4
--- /dev/null
+++ b/copyparty/cpp/copyparty.conf
@@ -0,0 +1,82 @@
+# not actually YAML but lets pretend:
+# -*- mode: yaml -*-
+# vim: ft=yaml:
+
+
+# example config for how authelia can be used to replace
+# copyparty's built-in authentication/authorization mechanism,
+# providing copyparty with HTTP headers through traefik to
+# signify who the user is, and what groups they belong to
+#
+# the filesystem-path that will be shared with copyparty is
+# specified in the docker-compose in the parent folder, where
+# a real filesystem-path is mapped onto this container's path `/w`,
+# meaning `/w` in this config-file is actually `/srv/pub` in the
+# outside world (assuming you didn't modify that value)
+
+
+[global]
+ e2dsa # enable file indexing and filesystem scanning
+ e2ts # enable multimedia indexing
+ ansi # enable colors in log messages
+ #q # disable logging for more performance
+
+ # if we are confident that we got the docker-network config correct
+ # (meaning copyparty is only accessible through traefik, and
+ # traefik makes sure that all requests go through authelia),
+ # then accept X-Forwarded-For and IdP headers from any private IP:
+ xff-src: lan
+
+ # enable IdP support by expecting username/groupname in
+ # http-headers provided by the reverse-proxy; header "X-IdP-User"
+ # will contain the username, "X-IdP-Group" the groupname
+ idp-h-usr: remote-user
+ idp-h-grp: remote-groups
+
+ # DEBUG: show all incoming request headers from traefik/authelia
+ #ihead: *
+
+
+[/] # create a volume at "/" (the webroot), which will
+ /w # share /w (the docker data volume, which is mapped to /srv/pub on the host in docker-compose.yml)
+ accs:
+ rw: * # everyone gets read-access, but
+ rwmda: @su # the group "su" gets read-write-move-delete-admin
+
+
+[/u/${u}] # each user gets their own home-folder at /u/username
+ /w/u/${u} # which will be "u/username" in the docker data volume
+ accs:
+ r: * # read-access for anyone, and
+ rwmda: ${u}, @su # read-write-move-delete-admin for that username + the "su" group
+
+
+[/u/${u}/priv] # each user also gets a private area at /u/username/priv
+ /w/u/${u}/priv # stored at DATAVOLUME/u/username/priv
+ accs:
+ rwmda: ${u}, @su # read-write-move-delete-admin for that username + the "su" group
+
+
+[/lounge/${g}] # each group gets their own shared volume
+ /w/lounge/${g} # stored at DATAVOLUME/lounge/groupname
+ accs:
+ r: * # read-access for anyone, and
+ rwmda: @${g}, @su # read-write-move-delete-admin for that group + the "su" group
+
+
+[/lounge/${g}/priv] # and a private area for each group too
+ /w/lounge/${g}/priv # stored at DATAVOLUME/lounge/groupname/priv
+ accs:
+ rwmda: @${g}, @su # read-write-move-delete-admin for that group + the "su" group
+
+
+# and create some strategic volumes to prevent anyone from gaining
+# unintended access to priv folders if the users/groups db is lost
+[/u]
+ /w/u
+ accs:
+ rwmda: @su
+[/lounge]
+ /w/lounge
+ accs:
+ rwmda: @su
diff --git a/copyparty/docker-compose.yml b/copyparty/docker-compose.yml
new file mode 100644
index 0000000..ae097a3
--- /dev/null
+++ b/copyparty/docker-compose.yml
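Review bot: The trust boundary this file depends on is only stated in the [global] comment, not enforced: `xff-src: lan` makes copyparty accept the `idp-h-usr`/`idp-h-grp` headers (`remote-user`/`remote-groups`) from any private address, so any client that reaches copyparty without passing through traefik and authelia can choose its own username and groups, including `@su`, which holds `rwmda` on every volume declared here. The docker-compose.yml in this same commit publishes `3923:3923` on the host, so the "only accessible through traefik" precondition does not hold as written; narrow the setting to the proxy's address or network, e.g. `xff-src: <traefik-subnet-cidr>` (placeholder), and keep the port unpublished. Two comment/value mismatches should also be fixed: the [global] comment names the headers `X-IdP-User`/`X-IdP-Group` while the configured values are `remote-user`/`remote-groups`, and `[/]` grants `rw: *` while its comment says `everyone gets read-access`; the `[/u/${u}]` volume uses `r: *` for the same wording, so either the permission or the comment on the `[/]` line is wrong.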
@@ -0,0 +1,25 @@
+---
+
+services:
+ copyparty:
+ image: copyparty/ac:latest
+ container_name: idp_copyparty
+ user: "1000:1000" # should match the user/group of your fileshare volumes
+ volumes:
+ - ./cpp/:/cfg:z # the copyparty config folder
+ - /media:/w:z # this is where we declare that "/srv/pub" is the filesystem-path on the server that shall be shared online
+ ports:
+ - "3923:3923"
+ labels:
+ - 'traefik.enable=true'
+ - 'traefik.http.routers.copyparty.rule=Host(`fs.example.com`)'
+ - 'traefik.http.routers.copyparty.entrypoints=websecure'
+ - 'traefik.http.routers.copyparty.tls=true'
+ - 'traefik.http.routers.copyparty.tls.certresolver=letsencrypt' # ← THIS IS CRUCIAL
+ - 'traefik.http.routers.copyparty.middlewares=authelia@docker'
+ stop_grace_period: 15s # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal
+ environment:
+ LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE
+ # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram)
+ PYTHONUNBUFFERED: 1
+ # ensures log-messages are not delayed (but can reduce speed a tiny bit)
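Review bot: `ports: - "3923:3923"` publishes copyparty on every host interface, which lets clients reach it without the traefik router and the `authelia@docker` middleware declared in the labels; together with `xff-src: lan` in cpp/copyparty.conf, any such client arriving from a private address can supply the `remote-user`/`remote-groups` identity headers itself. Traefik reaches the container over the shared docker network, so the `ports:` block should be removed, or at most bound to loopback while debugging: `- "127.0.0.1:3923:3923"`. The comment on the `/media:/w:z` volume (and copyparty.conf) says `/srv/pub` is the shared host path, but the mount is `/media`; align the line with the comment (`- /srv/pub:/w:z`) or update both comments. Two smaller nits: the `stop_grace_period: 15s` comment says 10s, and `LD_PRELOAD` pointing at the deliberately non-existent `.so.NOPE` file makes the dynamic loader emit a "cannot be preloaded" warning on every exec, so leaving `LD_PRELOAD` unset until mimalloc is actually wanted is cleaner.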