feat: webdav provided by sftpgo

flake.lock

@@ -628,10 +628,10 @@
     "mysecrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1708252756,
-        "narHash": "sha256-X88eosccBrDxn7BIVf8zmjhBjIDXs9PFJsVkanzSUKw=",
+        "lastModified": 1708352242,
+        "narHash": "sha256-Fb5jPRNXSd+DWURvl2XG/nFNuVh3OXjFkagncZp6n6A=",
         "ref": "refs/heads/main",
-        "rev": "241dc94cf90b8d4ab8dec31eec0b07c35af42ba8",
+        "rev": "bc863eaccbe62dc240f879f7fc12e7855c5192cc",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"

hosts/idols_kana/caddy.nix

@@ -31,6 +31,14 @@
       encode zstd gzip
       reverse_proxy http://localhost:3001
     '';
+    virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:5010
+    '';
+    virtualHosts."http://webdav.writefor.fun".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy http://localhost:5005
+    '';
   };
   networking.firewall.allowedTCPPorts = [80 443];
 }

hosts/idols_kana/oci-containers/dashy/dashy_conf.yml

@@ -173,7 +173,7 @@ sections:
   - name: System Monitoring & Control
     icon: fas fa-monitor-heart-rate
     items:
-      - &ref_9
+      - &ref_8
         title: Grafana
         description: Data visualised on dashboards
         icon: hl-grafana
@@ -181,23 +181,23 @@ sections:
         target: newtab
         statusCheck: true
         statusCheckAllowInsecure: true
-        id: 1_2578_grafana
-      - &ref_10
+        id: 0_2578_grafana
+      - &ref_9
         title: Prometheus Dashboard
         description: Monitoring - Prometheus
         icon: si-prometheus
         url: http://prometheus.writefor.fun
         target: newtab
         statusCheck: true
-        id: 2_2578_prometheus
-      - &ref_11
+        id: 1_2578_prometheusdashboard
+      - &ref_10
         title: Uptime Kuma
         description: Uptime Checking
         icon: hl-uptime-kuma
         url: http://uptime-kuma.writefor.fun
         target: newtab
         statusCheck: true
-        id: 3_2578_uptimekuma
+        id: 2_2578_uptimekuma
     displayData:
       sortBy: default
       rows: 1
@@ -205,13 +205,13 @@ sections:
       collapsed: false
       hideForGuests: false
     filteredItems:
+      - *ref_8
       - *ref_9
       - *ref_10
-      - *ref_11
   - name: Productivity
     icon: fas fa-bookmark
     items:
-      - &ref_12
+      - &ref_11
         title: Cloud IDE
         description: Eclipse Che - Cloud IDE
         icon: hl-code
@@ -220,11 +220,11 @@ sections:
         statusCheck: true
         id: 0_1302_cloudide
     filteredItems:
-      - *ref_12
+      - *ref_11
   - name: Media & Entertainment
     icon: fas fa-photo-video
     items:
-      - &ref_13
+      - &ref_12
         title: Home Assistant
         description: Smart home control
         icon: hl-home-assistant
@@ -232,6 +232,14 @@ sections:
         target: newtab
         statusCheck: true
         id: 0_1956_homeassistant
+      - &ref_13
+        title: SFTPGO Web Admin Console
+        description: WebDAV & SFTP server
+        icon: http://sftpgo.writefor.fun/static/img/logo.png
+        url: http://sftpgo.writefor.fun/web/admin/folders
+        target: newtab
+        statusCheck: true
+        id: 1_1956_sftpgowebadminconsole
     displayData:
       sortBy: default
       rows: 1
@@ -239,4 +247,5 @@ sections:
       collapsed: false
       hideForGuests: false
     filteredItems:
+      - *ref_12
       - *ref_13

hosts/idols_kana/sftpgo.nix

@@ -0,0 +1,97 @@
+{config, ...}: {
+  # Read SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD from a file
+  systemd.services.sftpgo.serviceConfig.EnvironmentFile = config.age.secrets."sftpgo.env".path;
+
+  services.sftpgo = {
+    enable = true;
+    user = "sftpgo";
+    dataDir = "/var/lib/sftpgo";
+    extraArgs = [
+      "--log-level"
+      "info"
+    ];
+    # https://github.com/drakkan/sftpgo/blob/2.5.x/docs/full-configuration.md
+    settings = {
+      common = {
+        # Auto-blocking policy for SFTPGo and thus helps to prevent DoS (Denial of Service) and brute force password guessing.
+        defender = {
+          enable = true;
+        };
+      };
+      # Where to store stfpgo's data
+      data_provider = {
+        driver = "sqlite";
+        name = "sftpgo.db";
+        password_hashing = {
+          algo = "argon2id";
+          # options for argon2id hashing algorithm.
+          # The memory and iterations parameters control the computational cost of hashing the password.
+          argon2_options = {
+            memory = 65536; # KiB
+            iterations = 2; # The number of iterations over the memory.
+            parallelism = 2; # The number of threads (or lanes) used by the algorithm.
+          };
+        };
+        password_validation = {
+          # What Entropy Value Should I Use?
+          # somewhere in the 50-70 range seems "reasonable".
+          # https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
+          admins.min_entropy = 60;
+          users.min_entropy = 60;
+        };
+        # Cache passwords in memory to avoid hashing the same password multiple times(it costs).
+        password_caching = true;
+        # create the default admin user via environment variables
+        # SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD
+        create_default_admin = true;
+      };
+
+      # WebDAV is a popular protocol for file sharing, better than CIFS/SMB, NFS, etc.
+      # it's save to use WebDAV over HTTPS on public networks.
+      webdavd.bindings = [
+        {
+          address = "127.0.0.1";
+          port = 5005;
+        }
+      ];
+      # HTTP Server provides a simple web interface to manage the server.
+      httpd.bindings = [
+        {
+          address = "127.0.0.1";
+          enable_https = false;
+          port = 5010;
+          client_ip_proxy_header = "X-Forwarded-For";
+          # a basic built-in web interface that allows you to manage users,
+          # virtual folders, admins and connections.
+          # url: http://127.0.0.1:8080/web/admin
+          enable_web_admin = true;
+          # A basic front-end web interface for your users.
+          # It allows end-users to browse and manage their files and change their credentials.
+          enable_web_client = true;
+          enable_rest_api = true;
+        }
+      ];
+      # prometheus metrics
+      telemetry = {
+        bind_port = 10000;
+        bind_address = "0.0.0.0";
+        # auth_user_file = "";
+      };
+      # multi-factor authentication settings
+      mfa.totp = [
+        {
+          # Unique configuration name, not visible to the authentication apps.
+          # Should not to be changed after the first user has been created.
+          name = "SFTPGo";
+          # Name of the issuing Organization/Company
+          issuer = "SFTPGo";
+          # Algorithm to use for HMAC
+          # Currently Google Authenticator app on iPhone seems to only support sha1
+          algo = "sha1";
+        }
+      ];
+      # SMTP configuration enables SFTPGo email sending capabilities
+      # smtp = {};
+    };
+  };
+}

hosts/idols_ruby/prometheus/default.nix

@@ -89,6 +89,19 @@
           }
         ];
       }
+
+      {
+        job_name = "sftpgo-embedded-exporter";
+        scrape_interval = "30s";
+        metrics_path = "/metrics";
+        static_configs = [
+          {
+            targets = ["${vars_networking.hostAddress.kana.address}:10000"];
+            labels.type = "app";
+            labels.app = "v2ray";
+          }
+        ];
+      }
     ];
 
     # specifies Alertmanager instances the Prometheus server sends alerts to

secrets/nixos.nix

@@ -198,6 +198,12 @@ in {
               file = "${mysecrets}/server/transmission-credentials.json.age";
             }
             // high_security;
+
+          "sftpgo.env" = {
+            file = "${mysecrets}/server/sftpgo.env.age";
+            mode = "0400";
+            owner = "sftpgo";
+          };
         };
       })