From 7a229f6e7999443e81f4eb62dac4515680c131af Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Mon, 19 Feb 2024 14:22:27 +0800
Subject: [PATCH] feat: webdav provided by sftpgo
---
 flake.lock | 6 +-
 hosts/idols_kana/caddy.nix | 8 ++
 .../oci-containers/dashy/dashy_conf.yml | 29 ++++--
 hosts/idols_kana/sftpgo.nix | 97 +++++++++++++++++++
 hosts/idols_ruby/prometheus/default.nix | 13 +++
 secrets/nixos.nix | 6 ++
 6 files changed, 146 insertions(+), 13 deletions(-)
 create mode 100644 hosts/idols_kana/sftpgo.nix
diff --git a/flake.lock b/flake.lock
index fffe22ff..3edd4353 100644
--- a/flake.lock
+++ b/flake.lock
@@ -628,10 +628,10 @@
 "mysecrets": {
 "flake": false,
 "locked": {
- "lastModified": 1708252756,
- "narHash": "sha256-X88eosccBrDxn7BIVf8zmjhBjIDXs9PFJsVkanzSUKw=",
+ "lastModified": 1708352242,
+ "narHash": "sha256-Fb5jPRNXSd+DWURvl2XG/nFNuVh3OXjFkagncZp6n6A=",
 "ref": "refs/heads/main",
- "rev": "241dc94cf90b8d4ab8dec31eec0b07c35af42ba8",
+ "rev": "bc863eaccbe62dc240f879f7fc12e7855c5192cc",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
diff --git a/hosts/idols_kana/caddy.nix b/hosts/idols_kana/caddy.nix
index 33ef7d4a..24db2d57 100644
--- a/hosts/idols_kana/caddy.nix
+++ b/hosts/idols_kana/caddy.nix
@@ -31,6 +31,14 @@
 encode zstd gzip
 reverse_proxy http://localhost:3001
 '';
+ virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:5010
+ '';
+ virtualHosts."http://webdav.writefor.fun".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:5005
+ '';
 };
 networking.firewall.allowedTCPPorts = [80 443];
 }
diff --git a/hosts/idols_kana/oci-containers/dashy/dashy_conf.yml b/hosts/idols_kana/oci-containers/dashy/dashy_conf.yml
index 3dfa751b..3602d842 100644
--- a/hosts/idols_kana/oci-containers/dashy/dashy_conf.yml
+++ b/hosts/idols_kana/oci-containers/dashy/dashy_conf.yml
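Review bot: Both new virtual hosts carry an explicit `http://` scheme, which in a Caddyfile turns off automatic HTTPS for that site, so the SFTPGo admin console (proxied to 5010) and the WebDAV endpoint (proxied to 5005) are served in cleartext and the admin login and WebDAV credentials travel unencrypted on every request. That contradicts the new sftpgo.nix, whose comment justifies WebDAV as safe `over HTTPS` and whose httpd binding sets `enable_https = false` on the assumption that TLS is terminated here. Unless a TLS-terminating front end that the patch does not show sits in front of Caddy, the site addresses should be `virtualHosts."sftpgo.writefor.fun"` and `virtualHosts."webdav.writefor.fun"` so Caddy provisions certificates, with the new dashy entry in dashy_conf.yml (its `url:` and `icon:` lines) switched to `https://` to match. If the existing http-only hosts are deliberate, a one-line comment on the block saying why would spare the next reader the same question.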
@@ -173,7 +173,7 @@ sections:
 - name: System Monitoring & Control
 icon: fas fa-monitor-heart-rate
 items:
- - &ref_9
+ - &ref_8
 title: Grafana
 description: Data visualised on dashboards
 icon: hl-grafana
@@ -181,23 +181,23 @@ sections:
 target: newtab
 statusCheck: true
 statusCheckAllowInsecure: true
- id: 1_2578_grafana
- - &ref_10
+ id: 0_2578_grafana
+ - &ref_9
 title: Prometheus Dashboard
 description: Monitoring - Prometheus
 icon: si-prometheus
 url: http://prometheus.writefor.fun
 target: newtab
 statusCheck: true
- id: 2_2578_prometheus
- - &ref_11
+ id: 1_2578_prometheusdashboard
+ - &ref_10
 title: Uptime Kuma
 description: Uptime Checking
 icon: hl-uptime-kuma
 url: http://uptime-kuma.writefor.fun
 target: newtab
 statusCheck: true
- id: 3_2578_uptimekuma
+ id: 2_2578_uptimekuma
 displayData:
 sortBy: default
 rows: 1
@@ -205,13 +205,13 @@ sections:
 collapsed: false
 hideForGuests: false
 filteredItems:
+ - *ref_8
 - *ref_9
 - *ref_10
- - *ref_11
 - name: Productivity
 icon: fas fa-bookmark
 items:
- - &ref_12
+ - &ref_11
 title: Cloud IDE
 description: Eclipse Che - Cloud IDE
 icon: hl-code
@@ -220,11 +220,11 @@ sections:
 statusCheck: true
 id: 0_1302_cloudide
 filteredItems:
- - *ref_12
+ - *ref_11
 - name: Media & Entertainment
 icon: fas fa-photo-video
 items:
- - &ref_13
+ - &ref_12
 title: Home Assistant
 description: Smart home control
 icon: hl-home-assistant
@@ -232,6 +232,14 @@ sections:
 target: newtab
 statusCheck: true
 id: 0_1956_homeassistant
+ - &ref_13
+ title: SFTPGO Web Admin Console
+ description: WebDAV & SFTP server
+ icon: http://sftpgo.writefor.fun/static/img/logo.png
+ url: http://sftpgo.writefor.fun/web/admin/folders
+ target: newtab
+ statusCheck: true
+ id: 1_1956_sftpgowebadminconsole
 displayData:
 sortBy: default
 rows: 1
@@ -239,4 +247,5 @@ sections:
 collapsed: false
 hideForGuests: false
 filteredItems:
+ - *ref_12
 - *ref_13
diff --git a/hosts/idols_kana/sftpgo.nix b/hosts/idols_kana/sftpgo.nix
new file mode 100644
index 00000000..b5330529
--- /dev/null
+++ b/hosts/idols_kana/sftpgo.nix 
@@ -0,0 +1,97 @@
+{config, ...}: {
+ # Read SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD from a file
+ systemd.services.sftpgo.serviceConfig.EnvironmentFile = config.age.secrets."sftpgo.env".path;
+
+ services.sftpgo = {
+ enable = true;
+ user = "sftpgo";
+ dataDir = "/var/lib/sftpgo";
+ extraArgs = [
+ "--log-level"
+ "info"
+ ];
+ # https://github.com/drakkan/sftpgo/blob/2.5.x/docs/full-configuration.md
+ settings = {
+ common = {
+ # Auto-blocking policy for SFTPGo and thus helps to prevent DoS (Denial of Service) and brute force password guessing.
+ defender = {
+ enable = true;
+ };
+ };
+ # Where to store stfpgo's data
+ data_provider = {
+ driver = "sqlite";
+ name = "sftpgo.db";
+ password_hashing = {
+ algo = "argon2id";
+ # options for argon2id hashing algorithm.
+ # The memory and iterations parameters control the computational cost of hashing the password.
+ argon2_options = {
+ memory = 65536; # KiB
+ iterations = 2; # The number of iterations over the memory.
+ parallelism = 2; # The number of threads (or lanes) used by the algorithm.
+ };
+ };
+ password_validation = {
+ # What Entropy Value Should I Use?
+ # somewhere in the 50-70 range seems "reasonable".
+ # https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
+ admins.min_entropy = 60;
+ users.min_entropy = 60;
+ };
+ # Cache passwords in memory to avoid hashing the same password multiple times(it costs).
+ password_caching = true;
+ # create the default admin user via environment variables
+ # SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD
+ create_default_admin = true;
+ };
+
+ # WebDAV is a popular protocol for file sharing, better than CIFS/SMB, NFS, etc.
+ # it's save to use WebDAV over HTTPS on public networks.
+ webdavd.bindings = [
+ {
+ address = "127.0.0.1";
+ port = 5005;
+ }
+ ];
+ # HTTP Server provides a simple web interface to manage the server.
+ httpd.bindings = [
+ {
+ address = "127.0.0.1";
+ enable_https = false;
+ port = 5010;
+ client_ip_proxy_header = "X-Forwarded-For";
+ # a basic built-in web interface that allows you to manage users,
+ # virtual folders, admins and connections.
+ # url: http://127.0.0.1:8080/web/admin
+ enable_web_admin = true;
+ # A basic front-end web interface for your users.
+ # It allows end-users to browse and manage their files and change their credentials.
+ enable_web_client = true;
+ enable_rest_api = true;
+ }
+ ];
+ # prometheus metrics
+ telemetry = {
+ bind_port = 10000;
+ bind_address = "0.0.0.0";
+ # auth_user_file = "";
+ };
+ # multi-factor authentication settings
+ mfa.totp = [
+ {
+ # Unique configuration name, not visible to the authentication apps.
+ # Should not to be changed after the first user has been created.
+ name = "SFTPGo";
+ # Name of the issuing Organization/Company
+ issuer = "SFTPGo";
+ # Algorithm to use for HMAC
+ # Currently Google Authenticator app on iPhone seems to only support sha1
+ algo = "sha1";
+ }
+ ];
+ # SMTP configuration enables SFTPGo email sending capabilities
+ # smtp = {};
+ };
+ };
+}
diff --git a/hosts/idols_ruby/prometheus/default.nix b/hosts/idols_ruby/prometheus/default.nix
index 0046ac7c..ad141257 100644
--- a/hosts/idols_ruby/prometheus/default.nix
+++ b/hosts/idols_ruby/prometheus/default.nix
@@ -89,6 +89,19 @@
 }
 ];
 }
+
+ {
+ job_name = "sftpgo-embedded-exporter";
+ scrape_interval = "30s";
+ metrics_path = "/metrics";
+ static_configs = [
+ {
+ targets = ["${vars_networking.hostAddress.kana.address}:10000"];
+ labels.type = "app";
+ labels.app = "v2ray";
+ }
+ ];
+ }
 ];
 # specifies Alertmanager instances the Prometheus server sends alerts to
diff --git a/secrets/nixos.nix b/secrets/nixos.nix
index 751c0809..14609a66 100644
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
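Review bot: The telemetry listener is bound to `bind_address = "0.0.0.0"` on port 10000 with `auth_user_file` left commented out, so the metrics endpoint answers on every interface of the host without authentication; nothing in this patch opens 10000 in the NixOS firewall (caddy.nix still allows only 80 and 443), so either the Prometheus scrape added in idols_ruby cannot reach it or the port is opened elsewhere, in which case it is exposed unauthenticated. Binding it to the address the Prometheus host actually scrapes, or setting `auth_user_file`, would close that, and a comment recording which interface the port is meant to be reachable on would document the intent. Separately, `client_ip_proxy_header = "X-Forwarded-For"` means the defender keys its bans on a header value; that is only sound if Caddy overwrites rather than passes through a client-supplied header, which is worth confirming in caddy.nix. The comments also have a few slips worth fixing (`stfpgo's`, `it's save to use`, `Should not to be changed`).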
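Review bot: The new scrape job is named `sftpgo-embedded-exporter` but tags its target with `labels.app = "v2ray";`, which reads like a copy-paste from a neighbouring job and files SFTPGo's metrics under the wrong app in every dashboard or alert that filters on that label; it should be `labels.app = "sftpgo";`. The enclosing scrape config list begins before the hunk.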
@@ -198,6 +198,12 @@ in {
 file = "${mysecrets}/server/transmission-credentials.json.age";
 }
 // high_security;
+
+ "sftpgo.env" = {
+ file = "${mysecrets}/server/sftpgo.env.age";
+ mode = "0400";
+ owner = "sftpgo";
+ };
 };
 })