Sharing is caring
I share quite a few files with my friends and family, but have experienced some bumps along the way to my current optimal setup. At first, I setup an Apache HTTP file server secured by Authentik. This worked great for users already registered to my authentication, but not so great for those without an account. The file management aspect also became unwieldy, as I’d have to manually hardlink files, zip folders, and prune unused media. This solution left much to be desired, so I went searching for another.
Of course, I didn’t get rid of the Apache file server altogether. I just needed to supplement it with another service capable of checking the following boxes:
- Download link obfuscation
- Automated file expiry by days or download count
- Secure admin dashboard to upload files or folders
- API for CLI usage
- OAuth2/OIDC support
Enter: Gokapi
Okay, you caught me. Gokapi didn’t just magically check every box. The criteria evolved as I got to know this formidable piece of software. It was love at first deploy and got even better with the release of their CLI tool. But before we get into that, I’ll share my compose file and detail my setup.
Configuration with Traefik
---
services:
gokapi:
image: f0rc3/gokapi:v2.1.0
container_name: gokapi
restart: unless-stopped
networks:
- frontend-external
environment:
- GOKAPI_MAX_FILESIZE=10240 # Sets the maximum allowed file size in MB to 10GB
- DOCKER_NONROOT=true # Runs the binary in the container as a non-root user
- GOKAPI_LENGTH_ID=30 # Sets the obfuscation length of the download link
volumes:
- ./data:/app/data
- ./config:/app/config
labels:
- traefik.enable=true
- traefik.docker.network=frontend-external
- traefik.http.services.gokapi.loadbalancer.server.port=53842
- traefik.http.routers.gokapi-external.entrypoints=web-external
- traefik.http.routers.gokapi-external.rule=Host(`gokapi.domain.tld`) && (PathPrefix(`/d`) || PathPrefix(`/assets`) || PathPrefix(`/js`) || PathPrefix(`/css`))
- traefik.http.routers.gokapi.entrypoints=websecure
- traefik.http.routers.gokapi.rule=Host(`gokapi.domain.tld`)
- traefik.http.routers.gokapi.middlewares=ip-whitelist@file
networks:
frontend-external:
external: true
As you might have noticed, the Traefik labels for Gokapi are a bit involved. To further secure the webpage, I’ve split it to two routers; gokapi and gokapi-external. The external router, which is publicly resolvable, only exposes the download path and its accompanying webpage dependencies. This was done by trial-and-error while inspecting the Web Debugger until the page looked fully loaded.
The internal router, which is not publicly resolvable, exposes the entire Gokapi service to a select few whitelisted IP addresses. On top of that, I’ve configured Gokapi to only allow admin users from Authentik to access the admin dashboard through SSO. Let’s get into that next!
OAuth2/OIDC
Following Gokapi’s OAuth2 setup guide, it’s relatively straightforward if you’ve enrolled other services to OIDC before. Here’s an example below.
Be sure to change the placeholders and correct the OAuthGroups value to match your Authentik admin group name.
{
"Authentication": {
"Method": 1,
"SaltAdmin": "your-random-string",
"SaltFiles": "your-other-random-string",
"Username": "admin@domain.tld",
"HeaderKey": "",
"OauthProvider": "https://authentik.domain.tld/application/o/gokapi/",
"OAuthClientId": "your-client-id",
"OAuthClientSecret": "your-client-secret",
"OauthGroupScope": "groups",
"OAuthRecheckInterval": 24,
"OAuthGroups": ["admin"], # Make sure this matches your Group name!
"OnlyRegisteredUsers": true
},
...
}
Powerful CLI
Now that we’ve got the deployment and configuration out of the way, it’s time to shift into overdrive with Gokapi’s CLI tool! It has streamlined my file sharing, making it easy to get a shareable download link from any workstation.
The binaries are listed under Assets on Gokapi’s GitHub Releases. Below are some steps to download it via command line. Pick the latest version and correct architecture for your system. Personally, I place my scripts and binaries in ~/bin, and add it to my PATH to execute it in my shell.
wget https://github.com/Forceu/Gokapi/releases/download/v2.1.0/gokapi-cli-linux_amd64.zip
unzip gokapi-cli-linux_amd64.zip
mv gokapi-cli-linux_amd64 ~/bin/gokapi-cli
chmod +x ~/bin/gokapi-cli
echo "export PATH=$PATH:$HOME/bin" >> ~/.bashrc
source ~/.bashrc
To authenticate the CLI tool with your instance, complete the following steps:
gokapi-cli login -c ~/.config/gokapi.conf-cstores your plaintext credentials in a desirable location. Totally optional!
- Input your Gokapi URL
- Input your device’s API key (created in the admin dashboard)
Now you’re ready to share a file!
gokapi-cli upload --file path/to/file- use
-cif it can’t find your credentials
- use
But it doesn’t end there. The CLI tool is powerful and with that comes the burden of options and flags. I want to share files at lightning speed! Below are a couple Bash aliases that are stored in my ~/.bashrc file. Making any changes to your this file requires you to source ~/.bashrc to activate them.
alias share='gokapi-cli upload -c $HOME/.config/gokapi.conf --expiry-days 1 --expiry-downloads 1 --file'
alias shared='gokapi-cli upload-dir -c $HOME/.config/gokapi.conf --expiry-days 1 --expiry-downloads 1 --directory'
Now, all I have to do is share file.txt, copy the outputted link, and share it with whomever!
Afterword
By now, you should have a working Gokapi instance with an OIDC-secured internal admin dashboard, publicly accessible download links, and a blazing-fast workflow to share files from the CLI. Thanks so much for reading, and happy sharing!