feat(files): add Filestash player file share at files.${BASE_DOMAIN}
One shared login (htpasswd) for all players, writable. Config is rendered from a template and mounted read-only, so git stays authoritative — the admin console loads but cannot save, by design. Filestash's OIDC/SAML middlewares are enterprise-only, so Keycloak SSO is out; FILES_AUTH keeps htpasswd/passthrough switchable for later. Auth-off (passthrough) is only valid once the host is off the public internet — render-config.sh warns loudly when rendering it. Three traps, all found by testing against the pinned image: - the `local` backend is admin-gated: without LOCAL_BACKEND_SECRET in the connection params every login fails with "backend error - Not Allowed" - the htpasswd plugin only accepts $2a$ bcrypt, so a $2y$ hash from `htpasswd -B` fails every login silently — use `openssl passwd -6`. render-config.sh rejects the wrong format rather than shipping it - APPLICATION_URL/ADMIN_PASSWORD env make filestash rewrite config.json at boot, which fails on the :ro mount — both live in the rendered config Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
10
caddy/conf.d/60-files.caddy
Normal file
10
caddy/conf.d/60-files.caddy
Normal file
@@ -0,0 +1,10 @@
|
||||
# Files — Filestash player file share (filestash service). Shared login,
|
||||
# writable. See plan/20-files.md.
|
||||
#
|
||||
# Filestash blocks any request whose Host header doesn't match its configured
|
||||
# `general.host` (https://files.${BASE_DOMAIN}), with "only traffic from X is
|
||||
# allowed". The host nginx forwards the original Host, and caddy passes it
|
||||
# through untouched — do NOT rewrite it here or every request 403s.
|
||||
http://files.{$BASE_DOMAIN} {
|
||||
reverse_proxy filestash:8334
|
||||
}
|
||||
Reference in New Issue
Block a user