# not actually YAML but let's pretend:
# -*- mode: yaml -*-
# vim: ft=yaml:


# example config for how copyparty can be used with an identity
# provider, replacing the built-in authentication/authorization
# mechanism, and instead expecting the reverse-proxy to provide
# the requester's username (and possibly a group-name, for
# optional group-based access control)
#
# the filesystem-path `/w` is used as the storage location
# because that is the data-volume in the docker containers,
# because a deployment like this (with an IdP) is more commonly
# seen in containerized environments -- but this is not required
#
# trust model: copyparty never sees a password here; it believes
# whatever username/group the reverse-proxy puts in the headers
# configured under [global] below, so everything hinges on the proxy
# being the only path to copyparty (see the xff-src note)


[accounts]
  # match the username to the authentik header value; the password
  # ("foo") is ignored because authentication is done by the IdP
  username: foo

[groups]
  su: username  # "su" is a special group-name in copyparty, members get admin rights


[global]
  e2dsa  # enable file indexing and filesystem scanning
  e2ts   # enable multimedia indexing
  ansi   # enable colors in log messages

  # if we are confident that we got the docker-network config correct
  # (meaning copyparty is only accessible through traefik, and
  # traefik makes sure that all requests go through the IdP --
  # authentik, judging by the header names below),
  # then accept X-Forwarded-For and IdP headers from any private IP:
  #
  # NOTE: "lan" trusts every private-range address, so any host on
  # those networks that can reach copyparty directly would be
  # believed when it presents these headers; keep the copyparty
  # port unexposed, or narrow xff-src to the proxy's own address/CIDR
  xff-src: lan

  # enable IdP support by expecting username/groupname in
  # http-headers provided by the reverse-proxy; the header named
  # "X-authentik-username" will contain the username and
  # "X-authentik-groups" the groupname (these must match exactly
  # what the proxy/IdP injects, otherwise requests arrive as anonymous)
  idp-h-usr: X-authentik-username
  idp-h-grp: X-authentik-groups


[/]  # create a volume at "/" (the webroot), which will
  /w  # share /w (the docker data volume, which is mapped to /srv/pub on the host in docker-compose.yml)
  accs:
    # "*" means everyone, which presumably includes requests that
    # arrive without an IdP username header -- so the proxy must
    # reject unauthenticated requests (NOTE(review): confirm)
    rw: *       # everyone gets read-access, but
    rwmda: @su  # the group "su" gets read-write-move-delete-admin


[/u/${u}]  # each user gets their own home-folder at /u/username
  /w/u/${u}  # which will be "u/username" in the docker data volume
  accs:
    r: *              # read-access for anyone, and
    rwmda: ${u}, @su  # read-write-move-delete-admin for that username + the "su" group


[/u/${u}/priv]  # each user also gets a private area at /u/username/priv
  /w/u/${u}/priv  # stored at DATAVOLUME/u/username/priv
  accs:
    rwmda: ${u}, @su  # read-write-move-delete-admin for that username + the "su" group


# and create some strategic volumes to prevent anyone from gaining
# unintended access to priv folders if the users/groups db is lost:
# without this, /w/u would only be covered by the "/" volume above,
# where everyone has rw, so it is pinned to the "su" group instead
[/u]
  /w/u
  accs:
    rwmda: @su