authorElizabeth Hunt <me@liz.coffee>2025-08-11 18:39:55 -0700
committerElizabeth Hunt <me@liz.coffee>2025-08-11 18:39:55 -0700
commit08e92ca3b8ee6c38c3e19126378e51b46cf63b16 (patch)
tree6e9c0e0f394d645cea4208bcfab7e1d98d329e0e /playbooks/roles/bin
parent4f90a2fc5fd134b27c2f0e32a5f1192003d3f0cf (diff)
OAuth proxy and monitoring init
Diffstat (limited to 'playbooks/roles/bin')
-rw-r--r--playbooks/roles/bin/templates/stacks/docker-compose.yml25
-rw-r--r--playbooks/roles/bin/templates/volumes/conf/copyparty.conf34
-rw-r--r--playbooks/roles/bin/templates/volumes/share/.gitkeep (renamed from playbooks/roles/bin/templates/volumes/data/.gitkeep)0
3 files changed, 47 insertions, 12 deletions
diff --git a/playbooks/roles/bin/templates/stacks/docker-compose.yml b/playbooks/roles/bin/templates/stacks/docker-compose.yml
index 5f99f8b..f1a86c4 100644
--- a/playbooks/roles/bin/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/bin/templates/stacks/docker-compose.yml
@@ -1,21 +1,21 @@
services:
- bin:
- image: stonith404/pingvin-share
+ copyparty:
+ image: copyparty/ac:latest
+ user: "1000:1000"
volumes:
- - {{ bin_base }}/volumes/data:/data
+ - "{{ bin_base }}/volumes/share:/w:z"
+ - "{{ bin_base }}/volumes/conf:/cfg:z"
environment:
- TZ={{ timezone }}
- DEPLOYMENT_TIME={{ deployment_time }}
- - TRUST_PROXY=true
- - API_URL=https://{{ bin_domain }}
- - DATA_DIRECTORY=/data
- - DATABASE_URL=file:/data/pingvin-share.db?connection_limit=1
+ - LD_PRELOAD=/usr/lib/libmimalloc-secure.so.NOPE
+ - PYTHONUNBUFFERED=1
healthcheck:
- test: ["CMD", "curl", "--fail", "http://localhost:3000/api/configs"]
- timeout: 3s
+ test: ["CMD-SHELL", "wget --spider -q 127.0.0.1:3923/?reset=/._"]
interval: 1m
- retries: 2
- start_period: 10s
+ timeout: 2s
+ retries: 5
+ start_period: 15s
networks:
- proxy
deploy:
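Review bot: `LD_PRELOAD=/usr/lib/libmimalloc-secure.so.NOPE` names a path that presumably does not exist in the image (the `.NOPE` suffix reads like a deliberate off switch), so every process the container starts will get an ld.so "cannot be preloaded … ignored" warning on stderr instead of a silent no-op, which is noise in the very logs the "monitoring init" is meant to feed. If the hardened allocator is meant to stay off for now, leave the variable out or comment it rather than mangling the path: `# - LD_PRELOAD=/usr/lib/libmimalloc-secure.so  # hardened allocator; enable once verified in the image`. The `user: "1000:1000"` and the quoted, `:z`-labelled bind mounts are the right shape for an unprivileged container. The `services` block continues past the end of the hunk.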
@@ -34,7 +34,8 @@ services:
- traefik.http.routers.bin.tls.certResolver=letsencrypt
- traefik.http.routers.bin.rule=Host(`{{ bin_domain }}`)
- traefik.http.routers.bin.entrypoints=websecure
- - traefik.http.services.bin.loadbalancer.server.port=3000
+ - traefik.http.routers.bin.middlewares=oauth-verify
+ - traefik.http.services.bin.loadbalancer.server.port=3923
networks:
proxy:
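Review bot: The new `traefik.http.routers.bin.middlewares=oauth-verify` label references a middleware that is not defined anywhere in this commit, and the whole access model of the new copyparty.conf (it trusts `x-auth-request-*` identity headers from any LAN source via `xff-src: lan`) rests on that middleware being attached to every route into port 3923 and on it setting, not merely forwarding, those headers. A one-line comment above the label would make the dependency visible to the next person touching these labels: `# oauth-verify must inject x-auth-request-* (see volumes/conf/copyparty.conf); copyparty trusts them from any private IP`. Since the container is on the shared `proxy` network, it is also worth confirming that no other container on that network can reach 3923 directly, because copyparty has no way to tell a forged header from a real one beyond the `idp-h-key` secret.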
diff --git a/playbooks/roles/bin/templates/volumes/conf/copyparty.conf b/playbooks/roles/bin/templates/volumes/conf/copyparty.conf
new file mode 100644
index 0000000..eaea0a6
--- /dev/null
+++ b/playbooks/roles/bin/templates/volumes/conf/copyparty.conf
@@ -0,0 +1,34 @@
+[global]
+ e2dsa # enable file indexing and filesystem scanning
+ e2ts # enable multimedia indexing
+ ansi # enable colors in log messages
+ #q # disable logging for more performance
+
+ # if we are confident that we got the docker-network config correct
+ # (meaning copyparty is only accessible through traefik, and
+ # traefik makes sure that all requests go through authelia),
+ # then accept X-Forwarded-For and IdP headers from any private IP:
+ xff-src: lan
+
+ idp-h-usr: x-auth-request-user
+ idp-h-grp: x-auth-request-groups
+ idp-h-key: x-auth-request-{{ oauth_proxy_super_secret_header }}
+
+[/] # create a volume at "/" (the webroot), which will
+ /w
+ accs:
+ rw: * # everyone gets read-access, but
+ rwmda: @{{ admins }} # the group "su" gets read-write-move-delete-admin
+
+
+[/u/${u}] # each user gets their own home-folder at /u/username
+ /w/u/${u} # which will be "u/username" in the docker data volume
+ accs:
+ r: * # read-access for anyone, and
+ rwmda: ${u}, @{{ admins }} # read-write-move-delete-admin for that username + the "su" group
+
+
+[/u/${u}/priv] # each user also gets a private area at /u/username/priv
+ /w/u/${u}/priv # stored at DATAVOLUME/u/username/priv
+ accs:
+ rwmda: ${u}, @{{ admins }} # read-write-move-delete-admin for that username + the "su" group
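Review bot: Under `[/]` the permission `rw: *` grants everyone read and write (upload) at the webroot, but the trailing comment says "everyone gets read-access, but", and the sibling `[/u/${u}]` volume uses `r: *` for the same intent; either the comment or the permission is wrong, and the safer reading is that `r: *` was meant. The comments on the three `rwmda` lines still say "the group su" while the value is `@{{ admins }}`, and the `[/]` header comment is cut off mid-sentence ("which will"), so these are left over from the upstream example and should be rewritten to describe this deployment, e.g. `rwmda: @{{ admins }} # the {{ admins }} group gets read-write-move-delete-admin`. Whether `idp-h-key` is honoured as an additional secret depends on the proxy actually emitting the `x-auth-request-{{ oauth_proxy_super_secret_header }}` header; that wiring is outside this file and worth noting in the comment block above `xff-src`.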
diff --git a/playbooks/roles/bin/templates/volumes/data/.gitkeep b/playbooks/roles/bin/templates/volumes/share/.gitkeep
index e69de29..e69de29 100644
--- a/playbooks/roles/bin/templates/volumes/data/.gitkeep
+++ b/playbooks/roles/bin/templates/volumes/share/.gitkeep