copyparty

2025-08-24 14:50:35 +02:00
parent 7978dc1987
commit 871a270a21
5 changed files with 120 additions and 31 deletions
--- a/system-modules/nx2site/copyparty.nix
+++ b/system-modules/nx2site/copyparty.nix
@@ -0,0 +1,44 @@
+{ config, pkgs, ... }@all: with all; {
+  imports = [ inputs.copyparty.nixosModules.default ];
+  config = {
+    sops.secrets."nx2site/copyparty/user-password/${hyper.user}".owner = "copyparty";
+    environment.systemPackages = with pkgs; [ copyparty ];
+    services.copyparty = {
+      enable = true;
+      package = pkgs.copyparty;
+      openFilesLimit = 8192;
+      settings = {
+        i = [ "0.0.0.0" "unix:770:copyparty:/dev/shm/party.sock" ];
+        p = [ 3210 3211 ];
+        no-reload = true;
+        ignored-flag = false;
+        shr = "/shares";
+        css-browser = "https://nx2.site/copyparty/extra-browser.css";
+        theme = 6;
+        xff-hdr = "X-Forwarded-For"; # so that cpp knows the real client ip behind nginx. Must match with nginx config
+        rproxy = 1;
+        no-robots = true;
+      };
+      accounts = {
+        "${hyper.user}" = {
+          passwordFile = config.sops.secrets."nx2site/copyparty/user-password/${hyper.user}".path;
+        };
+      };
+      volumes = {
+        "/" = {
+          path = "/srv/copyparty/root";
+          access = {
+            "A" = "${hyper.user}";
+          };
+          flags = {
+            fk = 4; # url password length
+            scan = 60; # scan interval in seconds 
+            e2d = true; # volflag "e2d" enables the uploads database
+            d2t = true; # "d2t" disables multimedia parsers (in case the uploads are malicious)
+            nohash = "\.iso$"; # skips hashing file contents if path matches *.iso
+          };
+        };
+      };
+    };
+  };
+}
--- a/system-modules/nx2site/proxy.nix
+++ b/system-modules/nx2site/proxy.nix
@@ -19,7 +19,7 @@
    };
  };
  users.users."nginx" = {
-    extraGroups = [ "nginx" "acme" ];
+    extraGroups = [ "nginx" "acme" "copyparty" ];
    useDefaultShell = false;
    linger = true;
    home = "/var/nginx/";
@@ -65,6 +65,14 @@
    statusPage = false;
    streamConfig = ""; # udp config
    validateConfigFile = true;
+    upstreams = {
+      "partysock" = {
+        servers."unix:/dev/shm/party.sock".fail_timeout = "1s";
+        extraConfig = /* nginx */ ''
+          keepalive 1;
+        '';
+      };
+    };
    virtualHosts = let
      vh = {
        kTLS = true;
@@ -186,10 +194,41 @@
      #     proxyWebsockets = true;
      #   }; }; 
      # };
+      "file.${hyper.domain}" = { # copyparty
+        listen = dl;
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/" = {
+            proxyPass = "http://partysock";
+            proxyWebsockets = true;
+            extraConfig = /* nginx */ ''
+          		proxy_redirect off;
+          		# disable buffering (next 4 lines)
+          		# proxy_http_version 1.1; # this is set by nixos
+          		client_max_body_size 0;
+          		proxy_buffering off;
+          		proxy_request_buffering off;
+          		# improve download speed from 600 to 1500 MiB/s
+          		proxy_buffers 32 8k;
+          		proxy_buffer_size 16k;
+          		proxy_busy_buffers_size 24k;
+
+          		proxy_set_header   Connection        "Keep-Alive";
+          		proxy_set_header   Host              $host;
+          		proxy_set_header   X-Real-IP         $remote_addr;
+          		proxy_set_header   X-Forwarded-Proto $scheme;
+          		proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+          		# NOTE: with cloudflare you want this X-Forwarded-For instead:
+          		#proxy_set_header   X-Forwarded-For   $http_cf_connecting_ip;
+            ''; 
+          };
+        };
+      };
      "~^(.*).${hyper.domain}$" = {
        listen = dl;
        root = "/var/nginx/webroot";
-        locations = { "~.*" = { return = "301 https://${hyper.domain}/502.html"; }; };
+        locations."~.*".return = "502";
      };
    };
  };