Dockerfile

@@ -1,4 +1,3 @@
-# syntax=docker/dockerfile:1.7
 FROM python:3.14.3-slim
 
 ENV PYTHONDONTWRITEBYTECODE=1 \
@@ -6,7 +5,6 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 
 WORKDIR /app
 
-# Install build deps for any wheels that need compilation, then clean up
 RUN apt-get update \ 
     && apt-get install -y --no-install-recommends build-essential \ 
     && rm -rf /var/lib/apt/lists/*
@@ -16,10 +14,8 @@ RUN pip install --no-cache-dir -r requirements.txt
 
 COPY . .
 
-# Make entrypoint executable
 RUN chmod +x docker-entrypoint.sh
 
-# Create data directory and set permissions
 RUN mkdir -p /app/data \
     && useradd -m -u 1000 myfsio \ 
     && chown -R myfsio:myfsio /app

scripts/install.sh

@@ -192,31 +192,86 @@ cat > "$INSTALL_DIR/myfsio.env" << EOF
 # Generated by install.sh on $(date)
 # Documentation: https://go.jzwsite.com/myfsio
 
-# Storage paths
+# =============================================================================
+# STORAGE PATHS
+# =============================================================================
 STORAGE_ROOT=$DATA_DIR
 LOG_DIR=$LOG_DIR
 
-# Network
+# =============================================================================
+# NETWORK
+# =============================================================================
 APP_HOST=0.0.0.0
 APP_PORT=$API_PORT
 
-# Security - CHANGE IN PRODUCTION
-SECRET_KEY=$SECRET_KEY
-CORS_ORIGINS=*
-
-# Public URL (set this if behind a reverse proxy)
+# Public URL (set this if behind a reverse proxy for presigned URLs)
 $(if [[ -n "$API_URL" ]]; then echo "API_BASE_URL=$API_URL"; else echo "# API_BASE_URL=https://s3.example.com"; fi)
 
-# Logging
+# =============================================================================
+# SECURITY
+# =============================================================================
+# Secret key for session signing (auto-generated if not set)
+SECRET_KEY=$SECRET_KEY
+
+# CORS settings - restrict in production
+CORS_ORIGINS=*
+
+# Brute-force protection
+AUTH_MAX_ATTEMPTS=5
+AUTH_LOCKOUT_MINUTES=15
+
+# Reverse proxy settings (set to number of trusted proxies in front)
+# NUM_TRUSTED_PROXIES=1
+
+# Allow internal admin endpoints (only enable on trusted networks)
+# ALLOW_INTERNAL_ENDPOINTS=false
+
+# Allowed hosts for redirects (comma-separated, empty = restrict all)
+# ALLOWED_REDIRECT_HOSTS=
+
+# =============================================================================
+# LOGGING
+# =============================================================================
 LOG_LEVEL=INFO
 LOG_TO_FILE=true
 
-# Rate limiting
+# =============================================================================
+# RATE LIMITING
+# =============================================================================
 RATE_LIMIT_DEFAULT=200 per minute
+# RATE_LIMIT_LIST_BUCKETS=60 per minute
+# RATE_LIMIT_BUCKET_OPS=120 per minute
+# RATE_LIMIT_OBJECT_OPS=240 per minute
+# RATE_LIMIT_ADMIN=60 per minute
 
-# Optional: Encryption (uncomment to enable)
+# =============================================================================
+# SERVER TUNING (0 = auto-detect based on system resources)
+# =============================================================================
+# SERVER_THREADS=0
+# SERVER_CONNECTION_LIMIT=0
+# SERVER_BACKLOG=0
+# SERVER_CHANNEL_TIMEOUT=120
+
+# =============================================================================
+# ENCRYPTION (uncomment to enable)
+# =============================================================================
 # ENCRYPTION_ENABLED=true
 # KMS_ENABLED=true
+
+# =============================================================================
+# SITE SYNC / REPLICATION (for multi-site deployments)
+# =============================================================================
+# SITE_ID=site-1
+# SITE_ENDPOINT=https://s3-site1.example.com
+# SITE_REGION=us-east-1
+# SITE_SYNC_ENABLED=false
+
+# =============================================================================
+# OPTIONAL FEATURES
+# =============================================================================
+# LIFECYCLE_ENABLED=false
+# METRICS_HISTORY_ENABLED=false
+# OPERATION_METRICS_ENABLED=false
 EOF
 chmod 600 "$INSTALL_DIR/myfsio.env"
 echo "  [OK] Created $INSTALL_DIR/myfsio.env"
@@ -308,7 +363,7 @@ if [[ "$SKIP_SYSTEMD" != true ]]; then
         systemctl start myfsio
         echo "  [OK] Service started"
         echo ""
-        
+
         read -p "Would you like to enable MyFSIO to start on boot? [Y/n] " -n 1 -r
         echo
         if [[ ! $REPLY =~ ^[Nn]$ ]]; then
@@ -316,12 +371,37 @@ if [[ "$SKIP_SYSTEMD" != true ]]; then
             echo "  [OK] Service enabled on boot"
         fi
         echo ""
-        
-        sleep 2
+
+        echo "  Waiting for service initialization..."
+        sleep 3
+
         echo "  Service Status:"
         echo "  ---------------"
         if systemctl is-active --quiet myfsio; then
             echo "  [OK] MyFSIO is running"
+
+            IAM_FILE="$DATA_DIR/.myfsio.sys/config/iam.json"
+            if [[ -f "$IAM_FILE" ]]; then
+                echo ""
+                echo "  ============================================"
+                echo "  ADMIN CREDENTIALS (save these securely!)"
+                echo "  ============================================"
+                if command -v jq &>/dev/null; then
+                    ACCESS_KEY=$(jq -r '.users[0].access_key' "$IAM_FILE" 2>/dev/null)
+                    SECRET_KEY=$(jq -r '.users[0].secret_key' "$IAM_FILE" 2>/dev/null)
+                else
+                    ACCESS_KEY=$(grep -o '"access_key"[[:space:]]*:[[:space:]]*"[^"]*"' "$IAM_FILE" | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+                    SECRET_KEY=$(grep -o '"secret_key"[[:space:]]*:[[:space:]]*"[^"]*"' "$IAM_FILE" | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+                fi
+                if [[ -n "$ACCESS_KEY" && -n "$SECRET_KEY" ]]; then
+                    echo "  Access Key: $ACCESS_KEY"
+                    echo "  Secret Key: $SECRET_KEY"
+                else
+                    echo "  [!] Could not parse credentials from $IAM_FILE"
+                    echo "      Check the file manually or view service logs."
+                fi
+                echo "  ============================================"
+            fi
         else
             echo "  [WARNING] MyFSIO may not have started correctly"
             echo "            Check logs with: journalctl -u myfsio -f"
@@ -346,19 +426,26 @@ echo "Access Points:"
 echo "  API:  http://$(hostname -I 2>/dev/null | awk '{print $1}' || echo "localhost"):$API_PORT"
 echo "  UI:   http://$(hostname -I 2>/dev/null | awk '{print $1}' || echo "localhost"):$UI_PORT/ui"
 echo ""
-echo "Default Credentials:"
-echo "  Username: localadmin"
-echo "  Password: localadmin"
-echo "  [!] WARNING: Change these immediately after first login!"
+echo "Credentials:"
+echo "  Admin credentials were shown above (if service was started)."
+echo "  You can also find them in: $DATA_DIR/.myfsio.sys/config/iam.json"
 echo ""
 echo "Configuration Files:"
 echo "  Environment:     $INSTALL_DIR/myfsio.env"
 echo "  IAM Users:       $DATA_DIR/.myfsio.sys/config/iam.json"
 echo "  Bucket Policies: $DATA_DIR/.myfsio.sys/config/bucket_policies.json"
+echo "  Secret Key:      $DATA_DIR/.myfsio.sys/config/.secret (auto-generated)"
+echo ""
+echo "Security Notes:"
+echo "  - Rate limiting is enabled by default (200 req/min)"
+echo "  - Brute-force protection: 5 attempts, 15 min lockout"
+echo "  - Set CORS_ORIGINS to specific domains in production"
+echo "  - Set NUM_TRUSTED_PROXIES if behind a reverse proxy"
 echo ""
 echo "Useful Commands:"
 echo "  Check status:    sudo systemctl status myfsio"
 echo "  View logs:       sudo journalctl -u myfsio -f"
+echo "  Validate config: $INSTALL_DIR/myfsio --check-config"
 echo "  Restart:         sudo systemctl restart myfsio"
 echo "  Stop:            sudo systemctl stop myfsio"
 echo ""

scripts/uninstall.sh

@@ -88,7 +88,8 @@ echo "The following items will be removed:"
 echo ""
 echo "  Install directory: $INSTALL_DIR"
 if [[ "$KEEP_DATA" != true ]]; then
-    echo "  Data directory:    $DATA_DIR (ALL YOUR DATA WILL BE DELETED!)"
+    echo "  Data directory:    $DATA_DIR"
+    echo "                     [!] ALL DATA, IAM USERS, AND ENCRYPTION KEYS WILL BE DELETED!"
 else
     echo "  Data directory:    $DATA_DIR (WILL BE KEPT)"
 fi
@@ -227,8 +228,15 @@ echo ""
 if [[ "$KEEP_DATA" == true ]]; then
     echo "Your data has been preserved at: $DATA_DIR"
     echo ""
-    echo "To reinstall MyFSIO with existing data, run:"
-    echo "  curl -fsSL https://go.jzwsite.com/myfsio-install | sudo bash"
+    echo "Preserved files include:"
+    echo "  - All buckets and objects"
+    echo "  - IAM configuration: $DATA_DIR/.myfsio.sys/config/iam.json"
+    echo "  - Bucket policies:   $DATA_DIR/.myfsio.sys/config/bucket_policies.json"
+    echo "  - Secret key:        $DATA_DIR/.myfsio.sys/config/.secret"
+    echo "  - Encryption keys:   $DATA_DIR/.myfsio.sys/keys/ (if encryption was enabled)"
+    echo ""
+    echo "To reinstall MyFSIO with existing data:"
+    echo "  ./install.sh --data-dir $DATA_DIR"
     echo ""
 fi