{"id":15395474,"url":"https://github.com/stef/stash","last_synced_at":"2025-04-16T00:10:22.455Z","repository":{"id":7898877,"uuid":"9278840","full_name":"stef/stash","owner":"stef","description":"a private dropbox","archived":false,"fork":false,"pushed_at":"2013-07-28T15:30:53.000Z","size":230,"stargazers_count":17,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-16T00:09:42.426Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stef.png","metadata":{"files":{"readme":"README.org","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-04-07T15:44:35.000Z","updated_at":"2023-09-08T16:38:41.000Z","dependencies_parsed_at":"2022-08-20T05:11:14.017Z","dependency_job_id":null,"html_url":"https://github.com/stef/stash","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stef%2Fstash","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stef%2Fstash/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stef%2Fstash/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stef%2Fstash/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stef","download_url":"https://codeload.github.com/stef/stash/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249173086,"owners_count":21224483,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T1
1:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-01T15:28:28.179Z","updated_at":"2025-04-16T00:10:22.438Z","avatar_url":"https://github.com/stef.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"* stash\nstash is a private dropbox.\n\nIf you want someone to be able to upload files from their browser\ndirectly onto your computer at home, install stash once, and allow\ndedicated access to your friends to share files with you. Maybe your\ndad wants to send you the video from the family event, or a colleague\na huge database, stash might be the right thing. If you run stash on a\nserver on the internet, your uploads are encrypted and only accessible\nwith your secret PGP key. There's a short time when the file is\nunencrypted in memory (but not on disk!) on your server while\nuploading, but you can get around that uploading stuff that is already\nencrypted.\n\nwhere's the screenshots? here: [[screenshots/]]\n\nstash should be easy to use for uploaders, while providing the\nfollowing attributes:\n - Allow upload of huge files (I know, it's HTTP, still).\n - The only private information retained is the public PGP keys of the\n   stash owners. No passwords even. Just make an extra PGP key and\n   email for an added anon factor.\n - Uploaded files are automatically encrypted with the stash owners\n   key. This can be disabled, if you want to upload data that is\n   already encrypted.\n - Stash owners are automatically emailed to the email address listed\n   in their public key about new uploads. 
These emails are also PGP\n   encrypted.\n - User authentication is done using [[https://github.com/stef/tlsauth/][tlsauth]]: uploaders do not need a\n   cert, nor do new stash owners when registering, but all other parts\n   require valid certs.\n - Stash IDs are generated randomly and should be hard to guess; this is\n   the only protection - tlsauth does not protect these upload forms -\n   this is intentional to make it useful for \"mom\". However, you can\n   also specify your own human parseable stash ID if needed; tlsauth\n   should be mandatory then for uploads as well.\n - Even though stash uses certificates for authentication, the user\n   management is very simple and similar to normal user admin\n   workflows; the only difference is that users have to import their\n   cert into their browser after certification.\n\n* Installation\n  If you are of the adventurous type you might want to try out the\n  automatic and never-before tested install.sh, which does all of the\n  steps below automagically, except the last two: \"import\" and\n  \"done\".  Otherwise you'll be setting up an onion service,\n  nginx, a CA and related certificates, importing some of them into\n  browsers and also configuring the stash.\n** Depends\n   tlsauth, nginx\n** Setup a tor hidden service\nIf you don't need a hidden service (why not? 
- it's nice to go behind\nNAT), then you can skip this, but the install script does it anyway.\n\nCreate this hidden service in your /etc/tor/torrc file:\n#+BEGIN_SRC sh\nsudo cat \u003e\u003e/etc/tor/torrc \u003c\u003cEOT\nHiddenServiceDir /var/lib/tor/stash/\nHiddenServicePort 443 127.0.0.1:23443\nHiddenServicePort 80 127.0.0.1:23080\nEOT\n#+END_SRC\nthen restart tor and get the hostname:\n#+BEGIN_SRC sh\nsudo /etc/init.d/tor restart\nsudo cat /var/lib/tor/stash/hostname\n#+END_SRC\nremember this hostname and use it in all later steps.\n** Get stash and dependencies\n#+BEGIN_SRC sh\n   git clone https://github.com/stef/stash\n   cd stash\n   pip install -r requirements.txt\n#+END_SRC\n   After also installing the necessary dependencies, we can\n** Create the CAs\n*** create a Root CA\n    ...for signing the https server certificate and the subCA.\n    #+BEGIN_SRC sh\n./tlsauth.py CA createca http://\u003chostname\u003e/crl.pem \"\u003chostname\u003e CA\" email1@\u003chostname\u003e\n    #+END_SRC\n*** create a subCA\n    ...for the client auth keys\n    #+BEGIN_SRC sh\n./tlsauth.py subCA createca http://\u003chostname\u003e/client-crl.pem \"\u003chostname\u003e client CA\" email@\u003chostname\u003e CA\n    #+END_SRC\n*** create https server certificate\n    #+BEGIN_SRC sh\n./tlsauth.py CA newcsr \u003chostname\u003e root@\u003chostname\u003e \u003eCA/server.key\n    #+END_SRC\n*** Sign server cert with Root CA\n    #+BEGIN_SRC sh\n./tlsauth.py CA sign \u003cCA/server.key \u003eCA/public/server.pem\n    #+END_SRC\n*** Remove Root CA private key\nIt is important to remove and store the root CA private key in a safe\noffline location, as it can be used to mount a MITM attack against all\nusers, who trust this key. 
You will need this key again in 1 year, when you need\nto renew your client CA certificate (by default it's only valid for\none year!)\n    #+BEGIN_SRC sh\nmv root-ca/private/root.key \u003cprivate and safe location\u003e\n    #+END_SRC\n** Setup nginx\nAdapt the path \"/var/run/stash\" and the hostname in stash.nginx.conf, then\n#+BEGIN_SRC sh\ncp stash.nginx.conf /etc/nginx/sites-available/stash\nln -s /etc/nginx/sites-available/stash /etc/nginx/sites-enabled/\n/etc/init.d/nginx restart\n#+END_SRC\n** Create your own client certificate\nThis step is like setting up the admin account on other systems:\n#+BEGIN_SRC sh\n./tlsauth.py subCA newcsr joe joe@localhost \u003ejoe.key\n./tlsauth.py subCA sign \u003cjoe.key \u003ejoe.cert\n./tlsauth.py root-ca p12 joe.key \u003cjoe.cert \u003ejoe.p12\n#+END_SRC\nStore the files ending in .key and .cert in some safe offline storage.\n** Configure stash\nEdit cfg.py and set:\n - 'sender' to some email address for the origin of mails sent by stash\n - 'admins' to a list of emails; a user presenting a certificate with\n   an email in this list will have admin privileges.\n - 'secret' to some long random string\n - 'root' to some path which will serve as root for all file operations.\n - 'ca' to the directory containing your CA files under 'root'\n - 'notify' to False if you don't want any notifications being sent out after uploads.\n** Start stash wsgi daemon\n#+BEGIN_SRC sh\nuwsgi --socket 127.0.0.1:23023 --chdir $PWD --pp $PWD/.. 
-w stash -p 1 --py-auto-reload 1\n#+END_SRC\n** Importing certificates\nOpen the following URL in your favorite browser:\nhttp://\u003chostname\u003e/cert.pem\n\nThis should offer to automatically import the CA root certificate\ninto your browser, and it also asks what you want to trust it for:\nallow your browser to trust this CA for servers and users, but not\nsoftware.\n\nAlso download and import the .p12 certificate generated in \"Create your own\nclient certificate\" into your browser.\n** Done\nVisit:\n - to create a new stash: https://\u003chostname\u003e/settings/newstash\n - to list stashes: https://\u003chostname\u003e/settings/stashes\n - to list user access requests: https://\u003chostname\u003e/settings/requests\n\nYour friends can now request access to your stash by going to:\nhttps://\u003chostname\u003e/settings/register\n\nHowever, this generates the certificate in your browser, and if you -\nas I - do not trust your browser, you might want to generate your keys\nand certs offline in a more controlled environment and upload your CSR\nhere: https://\u003chostname\u003e/settings/request\n\nAlso my Firefox did not store the generated key in the keystore, so I\nhad to use a proper CSR anyway.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstef%2Fstash","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstef%2Fstash","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstef%2Fstash/lists"}