One shared login (htpasswd) for all players, writable. Config is rendered from a template and mounted read-only, so git stays authoritative — the admin console loads but cannot save, by design. Filestash's OIDC/SAML middlewares are enterprise-only, so Keycloak SSO is out; FILES_AUTH keeps htpasswd/passthrough switchable for later. Auth-off (passthrough) is only valid once the host is off the public internet — render-config.sh warns loudly when rendering it. Three traps, all found by testing against the pinned image: - the `local` backend is admin-gated: without LOCAL_BACKEND_SECRET in the connection params every login fails with "backend error - Not Allowed" - the htpasswd plugin only accepts $2a$ bcrypt, so a $2y$ hash from `htpasswd -B` fails every login silently — use `openssl passwd -6`. render-config.sh rejects the wrong format rather than shipping it - APPLICATION_URL/ADMIN_PASSWORD env make filestash rewrite config.json at boot, which fails on the :ro mount — both live in the rendered config Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
31 lines
805 B
Cheetah
31 lines
805 B
Cheetah
{
|
|
"general": {
|
|
"name": "Ulicraft Files",
|
|
"host": "https://files.${BASE_DOMAIN}",
|
|
"secret_key": "${FILES_SECRET_KEY}",
|
|
"editor": "base",
|
|
"display_hidden": false,
|
|
"upload_button": true,
|
|
"fork_button": false
|
|
},
|
|
"auth": {
|
|
"admin": "${FILES_ADMIN_PASSWORD_HASH}"
|
|
},
|
|
"middleware": {
|
|
"identity_provider": {
|
|
"type": "${FILES_IDP_TYPE}",
|
|
"params": "${FILES_IDP_PARAMS}"
|
|
},
|
|
"attribute_mapping": {
|
|
"related_backend": "files",
|
|
"params": "{\"files\":{\"type\":\"local\",\"path\":\"/data/files/\",\"password\":\"${FILES_LOCAL_SECRET}\"}}"
|
|
}
|
|
},
|
|
"connections": [
|
|
{
|
|
"label": "files",
|
|
"type": "local"
|
|
}
|
|
]
|
|
}
|