provision/upload/README.md from QutBioacoustics/baw-server

provision/upload/README.md
Summary

Maintainability

Test Coverage

Issues
See: https://hub.docker.com/repository/docker/qutecoacoustics/sftpgo/general

Taken from: https://github.com/drakkan/sftpgo/tree/master/docker/sftpgo/alpine

# SFTPGo with Docker and Alpine

This DockerFile is made to build image to host multiple instances of SFTPGo started with different users.

## Example

It is recommend you use a dedicated linux user to do uploading.
For dev purposes we use the standard ubuntu user (1000:1000).

See our docker-compose file for an example container invocation.

We have set the entrypoint script to always check if the database is initiated.
This does a `sftpgo initprovider` check on every boot. If not needed, sftpgo does
nothing, returns 0, and continues to run `CMD` (for which the default is `serve`)

Here is an example boot command using most of the available options.

```bash
# Start the image
sudo docker rm sftpgo && sudo docker run --name sftpgo \
  -e SFTPGO_LOG_FILE_PATH= \
  -e SFTPGO_CONFIG_DIR=/srv/sftpgo/config \
  -e SFTPGO_HTTPD__TEMPLATES_PATH=/srv/sftpgo/web/templates \
  -e SFTPGO_HTTPD__STATIC_FILES_PATH=/srv/sftpgo/web/static \
  -e SFTPGO_HTTPD__BACKUPS_PATH=/srv/sftpgo/backups \
  -p 8080:8080 \
  -p 2022:2022 \
  -e PUID=1003 \
  -e GUID=1003 \
  -v /home/sftpuser/conf/:/srv/sftpgo/config \
  -v /home/sftpuser/data:/data \
  -v /home/sftpuser/backups:/srv/sftpgo/backups \
  sftpgo
```

If you want to enable FTP/S you also need the publish the FTP port and the FTP passive port range, defined in your `Dockerfile`, by adding, for example, the following options to the `docker run` command `-p 2121:2121 -p 50000-50100:50000-50100`. The same goes for WebDAV, you need to publish the configured port.

The script `entrypoint.sh` makes sure to correct the permissions of directories and start the process with the right user.

Several images can be run with different parameters.


# Dev authentication

Password for dev authentication is:

- username: upload_admin
- password: password

Stored in `config/httpd_auth`, generated with `htpasswd`.

DO NOT USE THIS CONFIGURATION FOR PRODUCTION!

# Production setup
In production ensure:

- docker binds the 8080 port to an internal subnet
- that certificates are setup and used for the connection
- that the admin password is long, strong, and random!

Also add a dedicated user for uploads, ensure they do not have a login shell:

```
RUN mkdir -p ${DATA_DIR} ${CONFIG_DIR} ${WEB_DIR} ${BACKUPS_DIR}
RUN groupadd --system -g ${GID} ${GROUPNAME}
RUN useradd --system --create-home --no-log-init --home-dir ${HOME_DIR} --comment "SFTPGo user" --shell /bin/false --gid ${GID} --uid ${UID} ${USERNAME}
```

# Binding home directory

In our use case for this uploader service, we wish to expose the `harvester_to_do` directory.

So mount `<persistent_storage_base_dir>/harvester_to_do` to `/data`