Add and document rootful configuration

README.md

@@ -205,7 +205,7 @@ you may also want these, especially on servers:
 
 * [contrib/systemd/copyparty.service](contrib/systemd/copyparty.service) to run copyparty as a systemd service (see guide inside)
 * [contrib/systemd/prisonparty.service](contrib/systemd/prisonparty.service) to run it in a chroot (for extra security)
-* [contrib/podman-systemd/copyparty.container](contrib/podman-systemd/copyparty.container) to run copyparty in a Podman container as a systemd service (see guide inside)
+* [contrib/podman-systemd/](contrib/podman-systemd/) to run copyparty in a Podman container as a systemd service (see guide inside)
 * [contrib/openrc/copyparty](contrib/openrc/copyparty) to run copyparty on Alpine / Gentoo
 * [contrib/rc/copyparty](contrib/rc/copyparty) to run copyparty on FreeBSD
 * [nixos module](#nixos-module) to run copyparty on NixOS hosts

contrib/podman-systemd/README.md

@@ -0,0 +1,52 @@
+# copyparty with Podman and Systemd
+
+Use this configuration is if you want to run copyparty in a Podman container, with the reliability of running the container under a systemd service.
+
+Documentation for `.container` files can be found in the [Container unit](https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#container-units-container) docs. Systemd cannot does not understand `.container` files natively, so Podman converts these to `.service` files with a [systemd-generator](https://www.freedesktop.org/software/systemd/man/latest/systemd.generator.html). This process is transparent, but sometimes needs to be debugged in case your `.container` file is malformed. There are instructions to debug the systemd generator below.
+
+To run copyparty in this way, you must already have podman installed. To install Podman, see: https://podman.io/docs/installation
+
+There is a sample configuration file in the same directory as this file (`copyparty.conf`).
+
+## Run the container as root
+
+It's simplest, but less secure to run the container as the root user. I'd recommend trying to get it to run this way before trying to run it as non-root.
+
+First, change this line in the `copyparty-root.container` to reflect the directory you want to share. By default, it shares `/mnt/` but you'll probably want to change this.
+
+```
+Volume=/mnt:/w:z
+```
+
+Note that you can change the owner and group of this share by changing the `uid:` and `gid:` of the volume in `copyparty.conf`, but for simplicity let's assume you want it to be owned by `root:root`.
+
+To install and start copyparty with Podman and systemd as the root user, run the following:
+
+```shell
+sudo mkdir -pv /etc/systemd/container/ /etc/copyparty/
+sudo cp -v copyparty-root.container /etc/systemd/containers/copyparty.container
+sudo cp -v copyparty.conf /etc/copyparty/
+sudo systemctl daemon-reload
+sudo systemctl enable --now copyparty
+```
+
+You can see the status of the service with:
+
+```shell
+sudo systemctl status copyparty
+```
+
+You can see (and follow) the logs with either of these commands:
+
+```shell
+sudo podman logs -f copyparty
+
+# -a is required or else you'll get output like: copyparty[549025]: [649B blob data]
+sudo journalctl -a -f -u copyparty
+```
+
+If the container fails to start, and you've modified the `.container` service, it's likely that your `.container` file failed to be translated into a `.service` file. You can debug the podman service generator with this command:
+
+```shell
+sudo /usr/lib/systemd/system-generators/podman-system-generator --dryrun
+```

contrib/podman-systemd/copyparty-root.container

@@ -0,0 +1,39 @@
+[Container]
+Image=docker.io/copyparty/ac:latest  # It's recommended to replace :latest with a specific version
+ContainerName=copyparty
+
+# Environment variables
+# enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram)
+Environment=LD_PRELOAD=/usr/lib/libmimalloc-secure.so.NOPE
+# ensures log-messages are not delayed (but can reduce speed a tiny bit)
+Environment=PYTHONUNBUFFERED=1
+
+# Ports
+PublishPort=3923:3923
+
+# Volumes
+Volume=/etc/copyparty:/cfg:z
+# Change /mnt to the directory you want to share!
+Volume=/mnt:/w:z
+
+# Give the container time to stop in case the thumbnailer is still running.
+# It's allowed to continue finishing up for 10s after the shutdown signal, give it a 5s buffer
+StopTimeout=15
+
+# hide it from logs with "/._" so it matches the default --lf-url filter
+HealthCmd="wget --spider -q 127.0.0.1:3923/?reset=/._"
+HealthInterval=1m
+HealthTimeout=2s
+HealthRetries=5
+HealthStartPeriod=15s
+
+[Unit]
+After=default.target
+
+[Install]
+# Start by default on boot
+WantedBy=default.target
+
+[Service]
+# Give the container time to start in case it needs to pull the image
+TimeoutStartSec=600

contrib/podman-systemd/copyparty.conf

@@ -0,0 +1,36 @@
+[global]
+  e2dsa  # enable file indexing and filesystem scanning
+  e2ts   # and enable multimedia indexing
+  ansi   # and colors in log messages
+
+  # uncomment the line starting with q, lo: to log to a file instead of stdout/journalctl;
+  # $LOGS_DIRECTORY is usually /var/log/copyparty (comes from systemd)
+  # and copyparty replaces %Y-%m%d with Year-MonthDay, so the
+  # full path will be something like /var/log/copyparty/2023-1130.txt
+  # (note: enable compression by adding .xz at the end)
+  # q, lo: $LOGS_DIRECTORY/%Y-%m%d.log
+
+  # p: 80,443,3923   # listen on 80/443 as well (requires CAP_NET_BIND_SERVICE)
+  # i: 127.0.0.1     # only allow connections from localhost (reverse-proxies)
+  # ftp: 3921        # enable ftp server on port 3921
+  # p: 3939          # listen on another port
+  # df: 16           # stop accepting uploads if less than 16 GB free disk space
+  # ver              # show copyparty version in the controlpanel
+  # grid             # show thumbnails/grid-view by default
+  # theme: 2         # monokai
+  # name: datasaver  # change the server-name that's displayed in the browser
+  # stats, nos-dup   # enable the prometheus endpoint, but disable the dupes counter (too slow)
+  # no-robots, force-js  # make it harder for search engines to read your server
+
+
+[accounts]
+  ed: wark  # username: password
+
+
+[/]            # create a volume at "/" (the webroot), which will
+  /mnt         # share the contents of the "/mnt" folder
+  accs:
+    rw: *      # everyone gets read-write access, but
+    rwmda: ed  # the user "ed" gets read-write-move-delete-admin
+    # uid: 1000  # If you're running as root, you can change the owner of this volume here
+    # gid: 1000  # If you're running as root, you can change the group of this volume here