Merge branch 'develop' into v2

Update lockfile
2022-04-01 09:48:24 -06:00 · 2022-02-13 13:17:26 -05:00 · 2022-02-13 13:10:36 -05:00 · 2022-01-18 13:12:09 -07:00 · 2021-11-15 10:13:31 -07:00 · 2021-11-15 10:13:19 -07:00
34 changed files with 544 additions and 694 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,28 +1,5 @@
 # Changelog

-## v1.6.4
-### Fixed
-* Fixes a bug causing CPU limiting to not be properly applied to servers.
-* Fixes a bug causing zip archives to decompress without taking into account nested folder structures.
-
-## v1.6.3
-### Fixed
-* Fixes SFTP authentication failing for administrative users due to a permissions adjustment on the Panel.
-
-## v1.6.2
-### Fixed
-* Fixes file upload size not being properly enforced.
-* Fixes a bug that prevented listing a directory when it contained a named pipe. Also added a check to prevent attempting to read a named pipe directly.
-* Fixes a bug with the archiver logic that would include folders that had the same name prefix. (for example, requesting only `map` would also include `map2` and `map3`)
-* Requests to the Panel that return a client error (4xx response code) no longer trigger an exponential backoff, they immediately stop the request.
-
-### Changed
-* CPU limit fields are only set on the Docker container if they have been specified for the server — otherwise they are left empty.
-
-### Added
-* Added the ability to define the location of the temporary folder used by Wings — defaults to `/tmp/pterodactyl`.
-* Adds the ability to authenticate for SFTP using public keys (requires `Panel@1.8.0`).
-
 ## v1.6.1
 ### Fixed
 * Fixes error that would sometimes occur when starting a server that would cause the temporary power action lock to never be released due to a blocked channel.
--- a/7
+++ b/7
@@ -1,18 +1,19 @@
 # Stage 1 (Build)
-FROM golang:1.17-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.17-alpine AS builder

 ARG VERSION
-RUN apk add --update --no-cache git make
+RUN apk add --update --no-cache git make upx
 WORKDIR /app/
 COPY go.mod go.sum /app/
 RUN go mod download
 COPY . /app/
-RUN CGO_ENABLED=0 go build \
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
    -ldflags="-s -w -X github.com/pterodactyl/wings/system.Version=$VERSION" \
    -v \
    -trimpath \
    -o wings \
    wings.go
+RUN upx wings
 RUN echo "ID=\"distroless\"" > /etc/os-release

 # Stage 2 (Final)
--- a/README.md
+++ b/README.md
@@ -19,16 +19,22 @@ I would like to extend my sincere thanks to the following sponsors for helping f
 | Company | About |
 | ------- | ----- |
 | [**WISP**](https://wisp.gg) | Extra features. |
+| [**MixmlHosting**](https://mixmlhosting.com) | MixmlHosting provides high quality Virtual Private Servers along with game servers, all at a affordable price. |
 | [**BisectHosting**](https://www.bisecthosting.com/) | BisectHosting provides Minecraft, Valheim and other server hosting services with the highest reliability and lightning fast support since 2012. |
-| [**Tempest**](https://tempest.net/) | Tempest Hosting is a subsidiary of Path Network, Inc. offering unmetered DDoS protected 10Gbps dedicated servers, starting at just $80/month. Full anycast, tons of filters. |
 | [**Bloom.host**](https://bloom.host) | Bloom.host offers dedicated core VPS and Minecraft hosting with Ryzen 9 processors. With owned-hardware, we offer truly unbeatable prices on high-performance hosting. |
-| [**MineStrator**](https://minestrator.com/) | Looking for the most highend French hosting company for your minecraft server? More than 24,000 members on our discord trust us. Give us a try! |
+| [**MineStrator**](https://minestrator.com/) | Looking for a French highend hosting company for you minecraft server? More than 14,000 members on our discord, trust us. |
+| [**DedicatedMC**](https://dedicatedmc.io/) | DedicatedMC provides Raw Power hosting at affordable pricing, making sure to never compromise on your performance and giving you the best performance money can buy. |
 | [**Skynode**](https://www.skynode.pro/) | Skynode provides blazing fast game servers along with a top-notch user experience. Whatever our clients are looking for, we're able to provide it! |
+| [**XCORE**](https://xcore-server.de/) | XCORE offers High-End Servers for hosting and gaming since 2012. Fast, excellent and well-known for eSports Gaming. |
+| [**RoyaleHosting**](https://royalehosting.net/) | Build your dreams and deploy them with RoyaleHosting’s reliable servers and network. Easy to use, provisioned in a couple of minutes. |
+| [**Spill Hosting**](https://spillhosting.no/) | Spill Hosting is a Norwegian hosting service, which aims for inexpensive services on quality servers. Premium i9-9900K processors will run your game like a dream. |
 | [**DeinServerHost**](https://deinserverhost.de/) | DeinServerHost offers Dedicated, vps and Gameservers for many popular Games like Minecraft and Rust in Germany since 2013. |
+| [**HostBend**](https://hostbend.com/) | HostBend offers a variety of solutions for developers, students, and others who have a tight budget but don't want to compromise quality and support. |
+| [**Capitol Hosting Solutions**](https://chs.gg/) | CHS is *the* budget friendly hosting company for Australian and American gamers, offering a variety of plans from Web Hosting to Game Servers; Custom Solutions too! |
+| [**ByteAnia**](https://byteania.com/?utm_source=pterodactyl) | ByteAnia offers the best performing and most affordable **Ryzen 5000 Series hosting** on the market for *unbeatable prices*! |
 | [**Aussie Server Hosts**](https://aussieserverhosts.com/) | No frills Australian Owned and operated High Performance Server hosting for some of the most demanding games serving Australia and New Zealand. |
-| [**HostEZ**](https://hostez.io) | Providing North America Valheim, Minecraft and other popular games with low latency, high uptime and maximum availability. EZ! |
 | [**VibeGAMES**](https://vibegames.net/) | VibeGAMES is a game server provider that specializes in DDOS protection for the games we offer. We have multiple locations in the US, Brazil, France, Germany, Singapore, Australia and South Africa.|
-| [**Gamenodes**](https://gamenodes.nl) | Gamenodes love quality. For Minecraft, Discord Bots and other services, among others. With our own programmers, we provide just that little bit of extra service! |
+| [**RocketNode**](https://rocketnode.net) | RocketNode is a VPS and Game Server provider that offers the best performing VPS and Game hosting Solutions at affordable prices! |

 ## Documentation
 * [Panel Documentation](https://pterodactyl.io/panel/1.0/getting_started.html)
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -5,16 +5,17 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	"github.com/pterodactyl/wings/internal/cron"
 	log2 "log"
 	"net/http"
 	_ "net/http/pprof"
 	"os"
+	"os/signal"
 	"path"
 	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
+	"syscall"
 	"time"

 	"github.com/NYTimes/logrotate"
@@ -29,6 +30,7 @@ import (

 	"github.com/pterodactyl/wings/config"
 	"github.com/pterodactyl/wings/environment"
+	"github.com/pterodactyl/wings/internal/notify"
 	"github.com/pterodactyl/wings/loggers/cli"
 	"github.com/pterodactyl/wings/remote"
 	"github.com/pterodactyl/wings/router"
@@ -260,13 +262,6 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 		}
 	}()

-	if s, err := cron.Scheduler(manager); err != nil {
-		log.WithField("error", err).Fatal("failed to initialize cron system")
-	} else {
-		log.WithField("subsystem", "cron").Info("starting cron processes")
-		s.StartAsync()
-	}
-
 	go func() {
 		// Run the SFTP server.
 		if err := sftp.New(manager).Run(); err != nil {
@@ -332,43 +327,57 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 	}

 	// Check if the server should run with TLS but using autocert.
-	if autotls {
-		m := autocert.Manager{
-			Prompt:     autocert.AcceptTOS,
-			Cache:      autocert.DirCache(path.Join(sys.RootDirectory, "/.tls-cache")),
-			HostPolicy: autocert.HostWhitelist(tlshostname),
-		}
-
-		log.WithField("hostname", tlshostname).Info("webserver is now listening with auto-TLS enabled; certificates will be automatically generated by Let's Encrypt")
-
-		// Hook autocert into the main http server.
-		s.TLSConfig.GetCertificate = m.GetCertificate
-		s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, acme.ALPNProto) // enable tls-alpn ACME challenges
-
-		// Start the autocert server.
-		go func() {
-			if err := http.ListenAndServe(":http", m.HTTPHandler(nil)); err != nil {
-				log.WithError(err).Error("failed to serve autocert http server")
+	go func(s *http.Server, api config.ApiConfiguration, sys config.SystemConfiguration, autotls bool, tlshostname string) {
+		if autotls {
+			m := autocert.Manager{
+				Prompt:     autocert.AcceptTOS,
+				Cache:      autocert.DirCache(path.Join(sys.RootDirectory, "/.tls-cache")),
+				HostPolicy: autocert.HostWhitelist(tlshostname),
 			}
-		}()
-		// Start the main http server with TLS using autocert.
-		if err := s.ListenAndServeTLS("", ""); err != nil {
-			log.WithFields(log.Fields{"auto_tls": true, "tls_hostname": tlshostname, "error": err}).Fatal("failed to configure HTTP server using auto-tls")
+
+			log.WithField("hostname", tlshostname).Info("webserver is now listening with auto-TLS enabled; certificates will be automatically generated by Let's Encrypt")
+
+			// Hook autocert into the main http server.
+			s.TLSConfig.GetCertificate = m.GetCertificate
+			s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, acme.ALPNProto) // enable tls-alpn ACME challenges
+
+			// Start the autocert server.
+			go func() {
+				if err := http.ListenAndServe(":http", m.HTTPHandler(nil)); err != nil {
+					log.WithError(err).Error("failed to serve autocert http server")
+				}
+			}()
+			// Start the main http server with TLS using autocert.
+			if err := s.ListenAndServeTLS("", ""); err != nil {
+				log.WithFields(log.Fields{"auto_tls": true, "tls_hostname": tlshostname, "error": err}).Fatal("failed to configure HTTP server using auto-tls")
+			}
+			return
 		}
-		return
+
+		// Check if main http server should run with TLS. Otherwise reset the TLS
+		// config on the server and then serve it over normal HTTP.
+		if api.Ssl.Enabled {
+			if err := s.ListenAndServeTLS(api.Ssl.CertificateFile, api.Ssl.KeyFile); err != nil {
+				log.WithFields(log.Fields{"auto_tls": false, "error": err}).Fatal("failed to configure HTTPS server")
+			}
+			return
+		}
+		s.TLSConfig = nil
+		if err := s.ListenAndServe(); err != nil {
+			log.WithField("error", err).Fatal("failed to configure HTTP server")
+		}
+	}(s, api, sys, autotls, tlshostname)
+
+	if err := notify.Readiness(); err != nil {
+		log.WithField("error", err).Error("failed to notify systemd of readiness state")
 	}

-	// Check if main http server should run with TLS. Otherwise reset the TLS
-	// config on the server and then serve it over normal HTTP.
-	if api.Ssl.Enabled {
-		if err := s.ListenAndServeTLS(api.Ssl.CertificateFile, api.Ssl.KeyFile); err != nil {
-			log.WithFields(log.Fields{"auto_tls": false, "error": err}).Fatal("failed to configure HTTPS server")
-		}
-		return
-	}
-	s.TLSConfig = nil
-	if err := s.ListenAndServe(); err != nil {
-		log.WithField("error", err).Fatal("failed to configure HTTP server")
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, syscall.SIGINT, syscall.SIGTERM)
+	<-c
+
+	if err := notify.Stopping(); err != nil {
+		log.WithField("error", err).Error("failed to notify systemd of stopping state")
 	}
 }

--- a/config/config.go
+++ b/config/config.go
@@ -163,15 +163,6 @@ type SystemConfiguration struct {
 	// disk usage is not a concern.
 	DiskCheckInterval int64 `default:"150" yaml:"disk_check_interval"`

-	// ActivitySendInterval is the amount of time that should ellapse between aggregated server activity
-	// being sent to the Panel. By default this will send activity collected over the last minute. Keep
-	// in mind that only a fixed number of activity log entries, defined by ActivitySendCount, will be sent
-	// in each run.
-	ActivitySendInterval int64 `default:"60" yaml:"activity_send_interval"`
-
-	// ActivitySendCount is the number of activity events to send per batch.
-	ActivitySendCount int64 `default:"100" yaml:"activity_send_count"`
-
 	// If set to true, file permissions for a server will be checked when the process is
 	// booted. This can cause boot delays if the server has a large amount of files. In most
 	// cases disabling this should not have any major impact unless external processes are
--- a/environment/docker/container.go
+++ b/environment/docker/container.go
@@ -480,3 +480,21 @@ func (e *Environment) convertMounts() []mount.Mount {

 	return out
 }
+
+func (e *Environment) resources() container.Resources {
+	l := e.Configuration.Limits()
+	pids := l.ProcessLimit()
+
+	return container.Resources{
+		Memory:            l.BoundedMemoryLimit(),
+		MemoryReservation: l.MemoryLimit * 1_000_000,
+		MemorySwap:        l.ConvertedSwap(),
+		CPUQuota:          l.ConvertedCpuLimit(),
+		CPUPeriod:         100_000,
+		CPUShares:         1024,
+		BlkioWeight:       l.IoWeight,
+		OomKillDisable:    &l.OOMDisabled,
+		CpusetCpus:        l.Threads,
+		PidsLimit:         &pids,
+	}
+}
--- a/environment/settings.go
+++ b/environment/settings.go
@@ -99,36 +99,21 @@ func (l Limits) ProcessLimit() int64 {
 	return config.Get().Docker.ContainerPidLimit
 }

-// AsContainerResources returns the available resources for a container in a format
-// that Docker understands.
 func (l Limits) AsContainerResources() container.Resources {
 	pids := l.ProcessLimit()
-	resources := container.Resources{
+
+	return container.Resources{
 		Memory:            l.BoundedMemoryLimit(),
 		MemoryReservation: l.MemoryLimit * 1_000_000,
 		MemorySwap:        l.ConvertedSwap(),
+		CPUQuota:          l.ConvertedCpuLimit(),
+		CPUPeriod:         100_000,
+		CPUShares:         1024,
 		BlkioWeight:       l.IoWeight,
 		OomKillDisable:    &l.OOMDisabled,
+		CpusetCpus:        l.Threads,
 		PidsLimit:         &pids,
 	}
-
-	// If the CPU Limit is not set, don't send any of these fields through. Providing
-	// them seems to break some Java services that try to read the available processors.
-	//
-	// @see https://github.com/pterodactyl/panel/issues/3988
-	if l.CpuLimit > 0 {
-		resources.CPUQuota = l.CpuLimit * 1_000
-		resources.CPUPeriod = 100_000
-		resources.CPUShares = 1024
-	}
-
-	// Similar to above, don't set the specific assigned CPUs if we didn't actually limit
-	// the server to any of them.
-	if l.Threads != "" {
-		resources.CpusetCpus = l.Threads
-	}
-
-	return resources
 }

 type Variables map[string]interface{}
--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
 	github.com/pkg/sftp v1.13.4
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06
 	github.com/spf13/cobra v1.4.0
-	github.com/stretchr/testify v1.7.5
+	github.com/stretchr/testify v1.7.0
 	golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	gopkg.in/ini.v1 v1.66.4
@@ -46,7 +46,7 @@ require (

 require github.com/goccy/go-json v0.9.6

-require golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e // indirect
+require golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8 // indirect

 require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -54,7 +54,6 @@ require (
 	github.com/Microsoft/hcsshim v0.9.2 // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bwmarrin/snowflake v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/containerd/containerd v1.6.2 // indirect
 	github.com/containerd/fifo v1.0.0 // indirect
@@ -66,7 +65,6 @@ require (
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/gammazero/deque v0.1.1 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
-	github.com/go-co-op/gocron v1.15.0 // indirect
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
 	github.com/go-playground/validator/v10 v10.10.1 // indirect
@@ -98,15 +96,11 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/ugorji/go/codec v1.2.7 // indirect
 	github.com/ulikunitz/xz v0.5.10 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
-	github.com/xujiajun/mmap-go v1.0.1 // indirect
-	github.com/xujiajun/nutsdb v0.9.0 // indirect
-	github.com/xujiajun/utils v0.0.0-20190123093513-8bf096c4f53b // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
@@ -117,5 +111,5 @@ require (
 	google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb // indirect
 	google.golang.org/grpc v1.45.0 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -151,8 +151,6 @@ github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx2
 github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
 github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
-github.com/bwmarrin/snowflake v0.3.0 h1:xm67bEhkKh6ij1790JB83OujPR5CzNe8QuQqAgISZN0=
-github.com/bwmarrin/snowflake v0.3.0/go.mod h1:NdZxfVWX+oR6y2K0o6qAYv6gIOP9rjG0/E9WsDpxqwE=
 github.com/cenkalti/backoff/v4 v4.1.1/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/cenkalti/backoff/v4 v4.1.2 h1:6Yo7N8UP2K6LWZnW94DLVSSrbobcWdVzAYOisuDPIFo=
 github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
@@ -402,8 +400,6 @@ github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.7.7 h1:3DoBmSbJbZAWqXJC3SLjAPfutPJJRN1U5pALB7EeTTs=
 github.com/gin-gonic/gin v1.7.7/go.mod h1:axIBovoeJpVj8S3BwE0uPMTeReE4+AfFtqpqaZ1qq1U=
-github.com/go-co-op/gocron v1.15.0 h1:XmiPazahD9aq0/QdK5toCVHfgTXfrZ/s83RpAgzr6SM=
-github.com/go-co-op/gocron v1.15.0/go.mod h1:On9zUZTv7FBeuj9D/cdYyAWcPUiLqqAx7nsPHd0EmKM=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -872,8 +868,6 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1
 github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
-github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
-github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
@@ -938,7 +932,6 @@ github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
@@ -947,10 +940,6 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.5 h1:s5PTfem8p8EbKQOctVV53k6jCJt3UX4IEJzwh+C324Q=
-github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
@@ -999,13 +988,6 @@ github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofm
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-github.com/xujiajun/gorouter v1.2.0/go.mod h1:yJrIta+bTNpBM/2UT8hLOaEAFckO+m/qmR3luMIQygM=
-github.com/xujiajun/mmap-go v1.0.1 h1:7Se7ss1fLPPRW+ePgqGpCkfGIZzJV6JPq9Wq9iv/WHc=
-github.com/xujiajun/mmap-go v1.0.1/go.mod h1:CNN6Sw4SL69Sui00p0zEzcZKbt+5HtEnYUsc6BKKRMg=
-github.com/xujiajun/nutsdb v0.9.0 h1:vy8rjDp0Sk/SnTAqg61i+G4NIN/3tBKSdZ6rIyKYVIo=
-github.com/xujiajun/nutsdb v0.9.0/go.mod h1:8ZdTTF0cEQO+wN940htfHYKswFql2iB6Osckx+GmOoU=
-github.com/xujiajun/utils v0.0.0-20190123093513-8bf096c4f53b h1:jKG9OiL4T4xQN3IUrhUpc1tG+HfDXppkgVcrAiiaI/0=
-github.com/xujiajun/utils v0.0.0-20190123093513-8bf096c4f53b/go.mod h1:AZd87GYJlUzl82Yab2kTjx1EyXSQCAfZDhpTo1SQC4k=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -1217,7 +1199,6 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181221143128-b4a75ba826a6/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1315,9 +1296,6 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8 h1:OH54vjqzRWmbJ62fjuhxy7AxFFgoHN0/DPc/UrL8cAs=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220405210540-1e041c57c461/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e h1:CsOuNlbOuf0mzxJIefr6Q4uAUetRUwZE4qt7VfzP+xo=
-golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1579,8 +1557,6 @@ gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
--- a/internal/cron/activity_cron.go
+++ b/internal/cron/activity_cron.go
@@ -1,98 +0,0 @@
-package cron
-
-import (
-	"context"
-	"emperror.dev/errors"
-	"github.com/apex/log"
-	"github.com/goccy/go-json"
-	"github.com/pterodactyl/wings/internal/database"
-	"github.com/pterodactyl/wings/server"
-	"github.com/pterodactyl/wings/system"
-	"github.com/xujiajun/nutsdb"
-)
-
-var key = []byte("events")
-var processing system.AtomicBool
-
-func processActivityLogs(m *server.Manager, c int64) error {
-	// Don't execute this cron if there is currently one running. Once this task is completed
-	// go ahead and mark it as no longer running.
-	if !processing.SwapIf(true) {
-		return nil
-	}
-	defer processing.Store(false)
-
-	var list [][]byte
-	err := database.DB().View(func(tx *nutsdb.Tx) error {
-		// Grab the oldest 100 activity events that have been logged and send them back to the
-		// Panel for processing. Once completed, delete those events from the database and then
-		// release the lock on this process.
-		end := int(c)
-		if s, err := tx.LSize(database.ServerActivityBucket, key); err != nil {
-			return errors.WithStackIf(err)
-		} else if s < end || s == 0 {
-			if s == 0 {
-				return nil
-			}
-			end = s
-		}
-		l, err := tx.LRange(database.ServerActivityBucket, key, 0, end)
-		if err != nil {
-			// This error is returned when the bucket doesn't exist, which is likely on the
-			// first invocations of Wings since we haven't yet logged any data. There is nothing
-			// that needs to be done if this error occurs.
-			if errors.Is(err, nutsdb.ErrBucket) {
-				return nil
-			}
-			return errors.WithStackIf(err)
-		}
-		list = l
-		return nil
-	})
-
-	if err != nil || len(list) == 0 {
-		return errors.WithStackIf(err)
-	}
-
-	var processed []json.RawMessage
-	for _, l := range list {
-		var v json.RawMessage
-		if err := json.Unmarshal(l, &v); err != nil {
-			log.WithField("error", errors.WithStack(err)).Warn("failed to parse activity event json, skipping entry")
-			continue
-		}
-		processed = append(processed, v)
-	}
-
-	if err := m.Client().SendActivityLogs(context.Background(), processed); err != nil {
-		return errors.WrapIf(err, "cron: failed to send activity events to Panel")
-	}
-
-	return database.DB().Update(func(tx *nutsdb.Tx) error {
-		if m, err := tx.LSize(database.ServerActivityBucket, key); err != nil {
-			return errors.WithStack(err)
-		} else if m > len(list) {
-			// As long as there are more elements than we have in the length of our list
-			// we can just use the existing `LTrim` functionality of nutsdb. This will remove
-			// all of the values we've already pulled and sent to the API.
-			return errors.WithStack(tx.LTrim(database.ServerActivityBucket, key, len(list), -1))
-		} else {
-			i := 0
-			// This is the only way I can figure out to actually empty the items out of the list
-			// because you cannot use `LTrim` (or I cannot for the life of me figure out how) to
-			// trim the slice down to 0 items without it triggering an internal logic error. Perhaps
-			// in a future release they'll have a function to do this (based on my skimming of issues
-			// on GitHub that I cannot read due to translation barriers).
-			for {
-				if i >= m {
-					break
-				}
-				if _, err := tx.LPop(database.ServerActivityBucket, key); err != nil {
-					return errors.WithStack(err)
-				}
-				i++
-			}
-		}
-		return nil
-	})
-}
--- a/internal/cron/cron.go
+++ b/internal/cron/cron.go
@@ -1,36 +0,0 @@
-package cron
-
-import (
-	"emperror.dev/errors"
-	"github.com/apex/log"
-	"github.com/go-co-op/gocron"
-	"github.com/pterodactyl/wings/config"
-	"github.com/pterodactyl/wings/server"
-	"github.com/pterodactyl/wings/system"
-	"time"
-)
-
-var o system.AtomicBool
-
-// Scheduler configures the internal cronjob system for Wings and returns the scheduler
-// instance to the caller. This should only be called once per application lifecycle, additional
-// calls will result in an error being returned.
-func Scheduler(m *server.Manager) (*gocron.Scheduler, error) {
-	if o.Load() {
-		return nil, errors.New("cron: cannot call scheduler more than once in application lifecycle")
-	}
-	o.Store(true)
-	l, err := time.LoadLocation(config.Get().System.Timezone)
-	if err != nil {
-		return nil, errors.Wrap(err, "cron: failed to parse configured system timezone")
-	}
-
-	s := gocron.NewScheduler(l)
-	_, _ = s.Tag("activity").Every(config.Get().System.ActivitySendInterval).Seconds().Do(func() {
-		if err := processActivityLogs(m, config.Get().System.ActivitySendCount); err != nil {
-			log.WithField("error", err).Error("cron: failed to process activity events")
-		}
-	})
-
-	return s, nil
-}
--- a/internal/database/database.go
+++ b/internal/database/database.go
@@ -1,38 +0,0 @@
-package database
-
-import (
-	"emperror.dev/errors"
-	"github.com/apex/log"
-	"github.com/pterodactyl/wings/config"
-	"github.com/xujiajun/nutsdb"
-	"path/filepath"
-	"sync"
-)
-
-var db *nutsdb.DB
-var syncer sync.Once
-
-const (
-	ServerActivityBucket = "server_activity"
-)
-
-func initialize() error {
-	opt := nutsdb.DefaultOptions
-	opt.Dir = filepath.Join(config.Get().System.RootDirectory, "db")
-
-	instance, err := nutsdb.Open(opt)
-	if err != nil {
-		return errors.WithStack(err)
-	}
-	db = instance
-	return nil
-}
-
-func DB() *nutsdb.DB {
-	syncer.Do(func() {
-		if err := initialize(); err != nil {
-			log.WithField("error", err).Fatal("database: failed to initialize instance, this is an unrecoverable error")
-		}
-	})
-	return db
-}
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@@ -0,0 +1,19 @@
+// Package notify handles notifying the operating system of the program's state.
+//
+// For linux based operating systems, this is done through the systemd socket
+// set by "NOTIFY_SOCKET" environment variable.
+//
+// Currently, no other operating systems are supported.
+package notify
+
+func Readiness() error {
+	return readiness()
+}
+
+func Reloading() error {
+	return reloading()
+}
+
+func Stopping() error {
+	return stopping()
+}
--- a/internal/notify/notify_linux.go
+++ b/internal/notify/notify_linux.go
@@ -0,0 +1,48 @@
+package notify
+
+import (
+	"io"
+	"net"
+	"os"
+	"strings"
+)
+
+func notify(path string, r io.Reader) error {
+	s := &net.UnixAddr{
+		Name: path,
+		Net:  "unixgram",
+	}
+	c, err := net.DialUnix(s.Net, nil, s)
+	if err != nil {
+		return err
+	}
+	defer c.Close()
+
+	if _, err := io.Copy(c, r); err != nil {
+		return err
+	}
+	return nil
+}
+
+func socketNotify(payload string) error {
+	v, ok := os.LookupEnv("NOTIFY_SOCKET")
+	if !ok || v == "" {
+		return nil
+	}
+	if err := notify(v, strings.NewReader(payload)); err != nil {
+		return err
+	}
+	return nil
+}
+
+func readiness() error {
+	return socketNotify("READY=1")
+}
+
+func reloading() error {
+	return socketNotify("RELOADING=1")
+}
+
+func stopping() error {
+	return socketNotify("STOPPING=1")
+}
--- a/internal/notify/notify_other.go
+++ b/internal/notify/notify_other.go
@@ -0,0 +1,16 @@
+//go:build !linux
+// +build !linux
+
+package notify
+
+func readiness() error {
+	return nil
+}
+
+func reloading() error {
+	return nil
+}
+
+func stopping() error {
+	return nil
+}
--- a/remote/http.go
+++ b/remote/http.go
@@ -30,7 +30,6 @@ type Client interface {
 	SetInstallationStatus(ctx context.Context, uuid string, successful bool) error
 	SetTransferStatus(ctx context.Context, uuid string, successful bool) error
 	ValidateSftpCredentials(ctx context.Context, request SftpAuthRequest) (SftpAuthResponse, error)
-	SendActivityLogs(ctx context.Context, activity []json.RawMessage) error
 }

 type client struct {
@@ -129,19 +128,10 @@ func (c *client) requestOnce(ctx context.Context, method, path string, body io.R
 // and adds the required authentication headers to the request that is being
 // created. Errors returned will be of the RequestError type if there was some
 // type of response from the API that can be parsed.
-func (c *client) request(ctx context.Context, method, path string, body *bytes.Buffer, opts ...func(r *http.Request)) (*Response, error) {
+func (c *client) request(ctx context.Context, method, path string, body io.Reader, opts ...func(r *http.Request)) (*Response, error) {
 	var res *Response
 	err := backoff.Retry(func() error {
-		var b bytes.Buffer
-		if body != nil {
-			// We have to create a copy of the body, otherwise attempting this request again will
-			// send no data if there was initially a body since the "requestOnce" method will read
-			// the whole buffer, thus leaving it empty at the end.
-			if _, err := b.Write(body.Bytes()); err != nil {
-				return backoff.Permanent(errors.Wrap(err, "http: failed to copy body buffer"))
-			}
-		}
-		r, err := c.requestOnce(ctx, method, path, &b, opts...)
+		r, err := c.requestOnce(ctx, method, path, body, opts...)
 		if err != nil {
 			if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
 				return backoff.Permanent(err)
@@ -152,10 +142,12 @@ func (c *client) request(ctx context.Context, method, path string, body *bytes.B
 		if r.HasError() {
 			// Close the request body after returning the error to free up resources.
 			defer r.Body.Close()
-			// Don't keep attempting to access this endpoint if the response is a 4XX
-			// level error which indicates a client mistake. Only retry when the error
-			// is due to a server issue (5XX error).
-			if r.StatusCode >= 400 && r.StatusCode < 500 {
+			// Don't keep spamming the endpoint if we've already made too many requests or
+			// if we're not even authenticated correctly. Retrying generally won't fix either
+			// of these issues.
+			if r.StatusCode == http.StatusForbidden ||
+				r.StatusCode == http.StatusTooManyRequests ||
+				r.StatusCode == http.StatusUnauthorized {
 				return backoff.Permanent(r.Error())
 			}
 			return r.Error()
--- a/remote/servers.go
+++ b/remote/servers.go
@@ -3,7 +3,6 @@ package remote
 import (
 	"context"
 	"fmt"
-	"github.com/goccy/go-json"
 	"strconv"
 	"sync"

@@ -179,16 +178,6 @@ func (c *client) SendRestorationStatus(ctx context.Context, backup string, succe
 	return nil
 }

-// SendActivityLogs sends activity logs back to the Panel for processing.
-func (c *client) SendActivityLogs(ctx context.Context, activity []json.RawMessage) error {
-	resp, err := c.Post(ctx, "/activity", d{"data": activity})
-	if err != nil {
-		return errors.WithStackIf(err)
-	}
-	_ = resp.Body.Close()
-	return nil
-}
-
 // getServersPaged returns a subset of servers from the Panel API using the
 // pagination query parameters.
 func (c *client) getServersPaged(ctx context.Context, page, limit int) ([]RawServerData, Pagination, error) {
--- a/remote/types.go
+++ b/remote/types.go
@@ -2,17 +2,13 @@ package remote

 import (
 	"bytes"
-	"github.com/apex/log"
-	"github.com/goccy/go-json"
 	"regexp"
 	"strings"

-	"github.com/pterodactyl/wings/parser"
-)
+	"github.com/apex/log"
+	"github.com/goccy/go-json"

-const (
-	SftpAuthPassword  = SftpAuthRequestType("password")
-	SftpAuthPublicKey = SftpAuthRequestType("public_key")
+	"github.com/pterodactyl/wings/parser"
 )

 // A generic type allowing for easy binding use when making requests to API
@@ -67,17 +63,15 @@ type RawServerData struct {
 	ProcessConfiguration json.RawMessage `json:"process_configuration"`
 }

-type SftpAuthRequestType string
-
 // SftpAuthRequest defines the request details that are passed along to the Panel
 // when determining if the credentials provided to Wings are valid.
 type SftpAuthRequest struct {
-	Type          SftpAuthRequestType `json:"type"`
-	User          string              `json:"username"`
-	Pass          string              `json:"password"`
-	IP            string              `json:"ip"`
-	SessionID     []byte              `json:"session_id"`
-	ClientVersion []byte              `json:"client_version"`
+	User          string `json:"username"`
+	Pass          string `json:"password"`
+	IP            string `json:"ip"`
+	SessionID     []byte `json:"session_id"`
+	ClientVersion []byte `json:"client_version"`
+	Type          string `json:"type"`
 }

 // SftpAuthResponse is returned by the Panel when a pair of SFTP credentials
@@ -85,6 +79,7 @@ type SftpAuthRequest struct {
 // matched as well as the permissions that are assigned to the authenticated
 // user for the SFTP subsystem.
 type SftpAuthResponse struct {
+	SSHKeys     []string `json:"ssh_keys"`
 	Server      string   `json:"server"`
 	Permissions []string `json:"permissions"`
 }
--- a/router/router.go
+++ b/router/router.go
@@ -66,7 +66,6 @@ func Configure(m *wserver.Manager, client remote.Client) *gin.Engine {
 		server.DELETE("", deleteServer)

 		server.GET("/logs", getServerLogs)
-		server.GET("/activity", getServerActivityLogs)
 		server.POST("/power", postServerPower)
 		server.POST("/commands", postServerCommands)
 		server.POST("/install", postServerInstall)
--- a/router/router_server.go
+++ b/router/router_server.go
@@ -2,9 +2,6 @@ package router

 import (
 	"context"
-	"github.com/goccy/go-json"
-	"github.com/pterodactyl/wings/internal/database"
-	"github.com/xujiajun/nutsdb"
 	"net/http"
 	"os"
 	"strconv"
@@ -43,44 +40,6 @@ func getServerLogs(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"data": out})
 }

-// Returns the activity logs tracked internally for the server instance. Note that these
-// logs are routinely cleared out as Wings communicates directly with the Panel to pass
-// along all of the logs for servers it monitors. As activities are passed to the panel
-// they are deleted from Wings.
-//
-// As a result, this endpoint may or may not return data, and the data returned can change
-// between requests.
-func getServerActivityLogs(c *gin.Context) {
-	s := ExtractServer(c)
-
-	var out [][]byte
-	err := database.DB().View(func(tx *nutsdb.Tx) error {
-		items, err := tx.LRange(database.ServerActivityBucket, []byte(s.ID()), 0, 10)
-		if err != nil {
-			return err
-		}
-		out = items
-		return nil
-	})
-
-	if err != nil {
-		middleware.CaptureAndAbort(c, err)
-		return
-	}
-
-	var activity []*server.Activity
-	for _, b := range out {
-		var a server.Activity
-		if err := json.Unmarshal(b, &a); err != nil {
-			middleware.CaptureAndAbort(c, err)
-			return
-		}
-		activity = append(activity, &a)
-	}
-
-	c.JSON(http.StatusOK, gin.H{"data": activity})
-}
-
 // Handles a request to control the power state of a server. If the action being passed
 // through is invalid a 404 is returned. Otherwise, a HTTP/202 Accepted response is returned
 // and the actual power action is run asynchronously so that we don't have to block the
--- a/router/router_server_files.go
+++ b/router/router_server_files.go
@@ -37,15 +37,6 @@ func getServerFileContents(c *gin.Context) {
 		return
 	}
 	defer f.Close()
-	// Don't allow a named pipe to be opened.
-	//
-	// @see https://github.com/pterodactyl/panel/issues/4059
-	if st.Mode()&os.ModeNamedPipe != 0 {
-		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
-			"error": "Cannot open files of this type.",
-		})
-		return
-	}

 	c.Header("X-Mime-Type", st.Mimetype)
 	c.Header("Content-Length", strconv.Itoa(int(st.Size())))
@@ -131,10 +122,6 @@ func putServerRenameFiles(c *gin.Context) {
 					// Return nil if the error is an is not exists.
 					// NOTE: os.IsNotExist() does not work if the error is wrapped.
 					if errors.Is(err, os.ErrNotExist) {
-						s.Log().WithField("error", err).
-							WithField("from_path", pf).
-							WithField("to_path", pt).
-							Warn("failed to rename: source or target does not exist")
 						return nil
 					}
 					return err
--- a/router/tokens/websocket.go
+++ b/router/tokens/websocket.go
@@ -7,6 +7,7 @@ import (

 	"github.com/apex/log"
 	"github.com/gbrlsnchs/jwt/v3"
+	"github.com/goccy/go-json"
 )

 // The time at which Wings was booted. No JWT's created before this time are allowed to
@@ -34,15 +35,15 @@ func DenyJTI(jti string) {
 	denylist.Store(jti, time.Now())
 }

-// WebsocketPayload defines the JWT payload for a websocket connection. This JWT is passed along to
-// the websocket after it has been connected to by sending an "auth" event.
+// A JWT payload for Websocket connections. This JWT is passed along to the Websocket after
+// it has been connected to by sending an "auth" event.
 type WebsocketPayload struct {
 	jwt.Payload
 	sync.RWMutex

-	UserUUID    string   `json:"user_uuid"`
-	ServerUUID  string   `json:"server_uuid"`
-	Permissions []string `json:"permissions"`
+	UserID      json.Number `json:"user_id"`
+	ServerUUID  string      `json:"server_uuid"`
+	Permissions []string    `json:"permissions"`
 }

 // Returns the JWT payload.
--- a/router/websocket/listeners.go
+++ b/router/websocket/listeners.go
@@ -164,6 +164,5 @@ func (h *Handler) listenForServerEvents(ctx context.Context) error {
 	if err != nil {
 		return errors.WithStack(err)
 	}
-
 	return nil
 }
--- a/router/websocket/websocket.go
+++ b/router/websocket/websocket.go
@@ -40,7 +40,6 @@ type Handler struct {
 	Connection   *websocket.Conn `json:"-"`
 	jwt          *tokens.WebsocketPayload
 	server       *server.Server
-	ra           server.RequestActivity
 	uuid         uuid.UUID
 }

@@ -110,7 +109,6 @@ func GetHandler(s *server.Server, w http.ResponseWriter, r *http.Request) (*Hand
 		Connection: conn,
 		jwt:        nil,
 		server:     s,
-		ra:         s.NewRequestActivity("", r.RemoteAddr),
 		uuid:       u,
 	}, nil
 }
@@ -266,7 +264,6 @@ func (h *Handler) GetJwt() *tokens.WebsocketPayload {
 // setJwt sets the JWT for the websocket in a race-safe manner.
 func (h *Handler) setJwt(token *tokens.WebsocketPayload) {
 	h.Lock()
-	h.ra = h.ra.SetUser(token.UserUUID)
 	h.jwt = token
 	h.Unlock()
 }
@@ -368,10 +365,6 @@ func (h *Handler) HandleInbound(ctx context.Context, m Message) error {
 				return nil
 			}

-			if err == nil {
-				_ = h.ra.Save(h.server, server.Event(server.ActivityPowerPrefix+action), nil)
-			}
-
 			return err
 		}
 	case SendServerLogsEvent:
@@ -428,10 +421,6 @@ func (h *Handler) HandleInbound(ctx context.Context, m Message) error {
 				}
 			}

-			_ = h.ra.Save(h.server, server.ActivityConsoleCommand, server.ActivityMeta{
-				"command": strings.Join(m.Args, ""),
-			})
-
 			return h.server.Environment.SendCommand(strings.Join(m.Args, ""))
 		}
 	}
--- a/server/activity.go
+++ b/server/activity.go
@@ -1,130 +0,0 @@
-package server
-
-import (
-	"emperror.dev/errors"
-	"github.com/apex/log"
-	"github.com/goccy/go-json"
-	"github.com/pterodactyl/wings/internal/database"
-	"github.com/xujiajun/nutsdb"
-	"regexp"
-	"time"
-)
-
-type Event string
-type ActivityMeta map[string]interface{}
-
-const ActivityPowerPrefix = "power_"
-
-const (
-	ActivityConsoleCommand = Event("console_command")
-)
-
-var ipTrimRegex = regexp.MustCompile(`(:\d*)?$`)
-
-type Activity struct {
-	// User is UUID of the user that triggered this event, or an empty string if the event
-	// cannot be tied to a specific user, in which case we will assume it was the system
-	// user.
-	User string `json:"user"`
-	// Server is the UUID of the server this event is associated with.
-	Server string `json:"server"`
-	// Event is a string that describes what occurred, and is used by the Panel instance to
-	// properly associate this event in the activity logs.
-	Event Event `json:"event"`
-	// Metadata is either a null value, string, or a JSON blob with additional event specific
-	// metadata that can be provided.
-	Metadata ActivityMeta `json:"metadata"`
-	// IP is the IP address that triggered this event, or an empty string if it cannot be
-	// determined properly.
-	IP        string    `json:"ip"`
-	Timestamp time.Time `json:"timestamp"`
-}
-
-// RequestActivity is a wrapper around a LoggedEvent that is able to track additional request
-// specific metadata including the specific user and IP address associated with all subsequent
-// events. The internal logged event structure can be extracted by calling RequestEvent.Event().
-type RequestActivity struct {
-	server string
-	user   string
-	ip     string
-}
-
-// Event returns the underlying logged event from the RequestEvent instance and sets the
-// specific event and metadata on it.
-func (ra RequestActivity) Event(event Event, metadata ActivityMeta) Activity {
-	return Activity{
-		User:     ra.user,
-		Server:   ra.server,
-		IP:       ra.ip,
-		Event:    event,
-		Metadata: metadata,
-	}
-}
-
-// Save creates a new event instance and saves it. If an error is encountered it is automatically
-// logged to the provided server's error logging output. The error is also returned to the caller
-// but can be ignored.
-func (ra RequestActivity) Save(s *Server, event Event, metadata ActivityMeta) error {
-	if err := ra.Event(event, metadata).Save(); err != nil {
-		s.Log().WithField("error", err).WithField("event", event).Error("activity: failed to save event")
-		return errors.WithStack(err)
-	}
-	return nil
-}
-
-// IP returns the IP address associated with this entry.
-func (ra RequestActivity) IP() string {
-	return ra.ip
-}
-
-// SetUser clones the RequestActivity struct and sets a new user value on the copy
-// before returning it.
-func (ra RequestActivity) SetUser(u string) RequestActivity {
-	c := ra
-	c.user = u
-	return c
-}
-
-// Save logs the provided event using Wings' internal K/V store so that we can then
-// pass it along to the Panel at set intervals. In addition, this will ensure that the events
-// are persisted to the disk, even between instance restarts.
-func (a Activity) Save() error {
-	if a.Timestamp.IsZero() {
-		a.Timestamp = time.Now().UTC()
-	}
-
-	// Since the "RemoteAddr" field can often include a port on the end we need to
-	// trim that off, otherwise it'll fail validation when sent to the Panel.
-	a.IP = ipTrimRegex.ReplaceAllString(a.IP, "")
-
-	value, err := json.Marshal(a)
-	if err != nil {
-		return errors.Wrap(err, "database: failed to marshal activity into json bytes")
-	}
-
-	return database.DB().Update(func(tx *nutsdb.Tx) error {
-		log.WithField("subsystem", "activity").
-			WithFields(log.Fields{"server": a.Server, "user": a.User, "event": a.Event, "ip": a.IP}).
-			Debug("saving activity to database")
-
-		if err := tx.RPush(database.ServerActivityBucket, []byte("events"), value); err != nil {
-			return errors.WithStack(err)
-		}
-		return nil
-	})
-}
-
-func (s *Server) NewRequestActivity(user string, ip string) RequestActivity {
-	return RequestActivity{server: s.ID(), user: user, ip: ip}
-}
-
-// NewActivity creates a new event instance for the server in question.
-func (s *Server) NewActivity(user string, event Event, metadata ActivityMeta, ip string) Activity {
-	return Activity{
-		User:     user,
-		Server:   s.ID(),
-		Event:    event,
-		Metadata: metadata,
-		IP:       ip,
-	}
-}
--- a/server/filesystem/archive.go
+++ b/server/filesystem/archive.go
@@ -130,7 +130,7 @@ func (a *Archive) withFilesCallback(tw *tar.Writer) func(path string, de *godirw
 		for _, f := range a.Files {
 			// If the given doesn't match, or doesn't have the same prefix continue
 			// to the next item in the loop.
-			if p != f && !strings.HasPrefix(strings.TrimSuffix(p, "/")+"/", f) {
+			if p != f && !strings.HasPrefix(p, f) {
 				continue
 			}

--- a/server/filesystem/compress.go
+++ b/server/filesystem/compress.go
@@ -5,12 +5,9 @@ import (
 	"archive/zip"
 	"compress/gzip"
 	"fmt"
-	gzip2 "github.com/klauspost/compress/gzip"
-	zip2 "github.com/klauspost/compress/zip"
 	"os"
 	"path"
 	"path/filepath"
-	"reflect"
 	"strings"
 	"sync/atomic"
 	"time"
@@ -175,26 +172,13 @@ func ExtractNameFromArchive(f archiver.File) string {
 		return f.Name()
 	}
 	switch s := sys.(type) {
-	case *zip.FileHeader:
-		return s.Name
-	case *zip2.FileHeader:
-		return s.Name
 	case *tar.Header:
 		return s.Name
 	case *gzip.Header:
 		return s.Name
-	case *gzip2.Header:
+	case *zip.FileHeader:
 		return s.Name
 	default:
-		// At this point we cannot figure out what type of archive this might be so
-		// just try to find the name field in the struct. If it is found return it.
-		field := reflect.Indirect(reflect.ValueOf(sys)).FieldByName("Name")
-		if field.IsValid() {
-			return field.String()
-		}
-		// Fallback to the basename of the file at this point. There is nothing we can really
-		// do to try and figure out what the underlying directory of the file is supposed to
-		// be since it didn't implement a name field.
 		return f.Name()
 	}
 }
--- a/server/filesystem/filesystem.go
+++ b/server/filesystem/filesystem.go
@@ -115,6 +115,19 @@ func (fs *Filesystem) Touch(p string, flag int) (*os.File, error) {
 	return f, nil
 }

+// Reads a file on the system and returns it as a byte representation in a file
+// reader. This is not the most memory efficient usage since it will be reading the
+// entirety of the file into memory.
+func (fs *Filesystem) Readfile(p string, w io.Writer) error {
+	file, _, err := fs.File(p)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	_, err = bufio.NewReader(file).WriteTo(w)
+	return err
+}
+
 // Writefile writes a file to the system. If the file does not already exist one
 // will be created. This will also properly recalculate the disk space used by
 // the server when writing new files or modifying existing ones.
@@ -171,16 +184,16 @@ func (fs *Filesystem) CreateDirectory(name string, p string) error {
 	return os.MkdirAll(cleaned, 0o755)
 }

-// Rename moves (or renames) a file or directory.
+// Moves (or renames) a file or directory.
 func (fs *Filesystem) Rename(from string, to string) error {
 	cleanedFrom, err := fs.SafePath(from)
 	if err != nil {
-		return errors.WithStack(err)
+		return err
 	}

 	cleanedTo, err := fs.SafePath(to)
 	if err != nil {
-		return errors.WithStack(err)
+		return err
 	}

 	// If the target file or directory already exists the rename function will fail, so just
@@ -202,10 +215,7 @@ func (fs *Filesystem) Rename(from string, to string) error {
 		}
 	}

-	if err := os.Rename(cleanedFrom, cleanedTo); err != nil {
-		return errors.WithStack(err)
-	}
-	return nil
+	return os.Rename(cleanedFrom, cleanedTo)
 }

 // Recursively iterates over a file or directory and sets the permissions on all of the
@@ -482,11 +492,7 @@ func (fs *Filesystem) ListDirectory(p string) ([]Stat, error) {
 					cleanedp, _ = fs.SafePath(filepath.Join(cleaned, f.Name()))
 				}

-				// Don't try to detect the type on a pipe — this will just hang the application and
-				// you'll never get a response back.
-				//
-				// @see https://github.com/pterodactyl/panel/issues/4059
-				if cleanedp != "" && f.Mode()&os.ModeNamedPipe == 0 {
+				if cleanedp != "" {
 					m, _ = mimetype.DetectFile(filepath.Join(cleaned, f.Name()))
 				} else {
 					// Just pass this for an unknown type because the file could not safely be resolved within
--- a/server/filesystem/filesystem_test.go
+++ b/server/filesystem/filesystem_test.go
@@ -1,7 +1,6 @@
 package filesystem

 import (
-	"bufio"
 	"bytes"
 	"errors"
 	"math/rand"
@@ -45,14 +44,6 @@ type rootFs struct {
 	root string
 }

-func getFileContent(file *os.File) string {
-	var w bytes.Buffer
-	if _, err := bufio.NewReader(file).WriteTo(&w); err != nil {
-		panic(err)
-	}
-	return w.String()
-}
-
 func (rfs *rootFs) CreateServerFile(p string, c []byte) error {
 	f, err := os.Create(filepath.Join(rfs.root, "/server", p))

@@ -84,6 +75,54 @@ func (rfs *rootFs) reset() {
 	}
 }

+func TestFilesystem_Readfile(t *testing.T) {
+	g := Goblin(t)
+	fs, rfs := NewFs()
+
+	g.Describe("Readfile", func() {
+		buf := &bytes.Buffer{}
+
+		g.It("opens a file if it exists on the system", func() {
+			err := rfs.CreateServerFileFromString("test.txt", "testing")
+			g.Assert(err).IsNil()
+
+			err = fs.Readfile("test.txt", buf)
+			g.Assert(err).IsNil()
+			g.Assert(buf.String()).Equal("testing")
+		})
+
+		g.It("returns an error if the file does not exist", func() {
+			err := fs.Readfile("test.txt", buf)
+			g.Assert(err).IsNotNil()
+			g.Assert(errors.Is(err, os.ErrNotExist)).IsTrue()
+		})
+
+		g.It("returns an error if the \"file\" is a directory", func() {
+			err := os.Mkdir(filepath.Join(rfs.root, "/server/test.txt"), 0o755)
+			g.Assert(err).IsNil()
+
+			err = fs.Readfile("test.txt", buf)
+			g.Assert(err).IsNotNil()
+			g.Assert(IsErrorCode(err, ErrCodeIsDirectory)).IsTrue()
+		})
+
+		g.It("cannot open a file outside the root directory", func() {
+			err := rfs.CreateServerFileFromString("/../test.txt", "testing")
+			g.Assert(err).IsNil()
+
+			err = fs.Readfile("/../test.txt", buf)
+			g.Assert(err).IsNotNil()
+			g.Assert(IsErrorCode(err, ErrCodePathResolution)).IsTrue()
+		})
+
+		g.AfterEach(func() {
+			buf.Truncate(0)
+			atomic.StoreInt64(&fs.diskUsed, 0)
+			rfs.reset()
+		})
+	})
+}
+
 func TestFilesystem_Writefile(t *testing.T) {
 	g := Goblin(t)
 	fs, rfs := NewFs()
@@ -101,10 +140,9 @@ func TestFilesystem_Writefile(t *testing.T) {
 			err := fs.Writefile("test.txt", r)
 			g.Assert(err).IsNil()

-			f, _, err := fs.File("test.txt")
+			err = fs.Readfile("test.txt", buf)
 			g.Assert(err).IsNil()
-			defer f.Close()
-			g.Assert(getFileContent(f)).Equal("test file content")
+			g.Assert(buf.String()).Equal("test file content")
 			g.Assert(atomic.LoadInt64(&fs.diskUsed)).Equal(r.Size())
 		})

@@ -114,10 +152,9 @@ func TestFilesystem_Writefile(t *testing.T) {
 			err := fs.Writefile("/some/nested/test.txt", r)
 			g.Assert(err).IsNil()

-			f, _, err := fs.File("/some/nested/test.txt")
+			err = fs.Readfile("/some/nested/test.txt", buf)
 			g.Assert(err).IsNil()
-			defer f.Close()
-			g.Assert(getFileContent(f)).Equal("test file content")
+			g.Assert(buf.String()).Equal("test file content")
 		})

 		g.It("can create a new file inside a nested directory without a trailing slash", func() {
@@ -126,10 +163,9 @@ func TestFilesystem_Writefile(t *testing.T) {
 			err := fs.Writefile("some/../foo/bar/test.txt", r)
 			g.Assert(err).IsNil()

-			f, _, err := fs.File("foo/bar/test.txt")
+			err = fs.Readfile("foo/bar/test.txt", buf)
 			g.Assert(err).IsNil()
-			defer f.Close()
-			g.Assert(getFileContent(f)).Equal("test file content")
+			g.Assert(buf.String()).Equal("test file content")
 		})

 		g.It("cannot create a file outside the root directory", func() {
@@ -154,6 +190,28 @@ func TestFilesystem_Writefile(t *testing.T) {
 			g.Assert(IsErrorCode(err, ErrCodeDiskSpace)).IsTrue()
 		})

+		/*g.It("updates the total space used when a file is appended to", func() {
+			atomic.StoreInt64(&fs.diskUsed, 100)
+
+			b := make([]byte, 100)
+			_, _ = rand.Read(b)
+
+			r := bytes.NewReader(b)
+			err := fs.Writefile("test.txt", r)
+			g.Assert(err).IsNil()
+			g.Assert(atomic.LoadInt64(&fs.diskUsed)).Equal(int64(200))
+
+			// If we write less data than already exists, we should expect the total
+			// disk used to be decremented.
+			b = make([]byte, 50)
+			_, _ = rand.Read(b)
+
+			r = bytes.NewReader(b)
+			err = fs.Writefile("test.txt", r)
+			g.Assert(err).IsNil()
+			g.Assert(atomic.LoadInt64(&fs.diskUsed)).Equal(int64(150))
+		})*/
+
 		g.It("truncates the file when writing new contents", func() {
 			r := bytes.NewReader([]byte("original data"))
 			err := fs.Writefile("test.txt", r)
@@ -163,10 +221,9 @@ func TestFilesystem_Writefile(t *testing.T) {
 			err = fs.Writefile("test.txt", r)
 			g.Assert(err).IsNil()

-			f, _, err := fs.File("test.txt")
+			err = fs.Readfile("test.txt", buf)
 			g.Assert(err).IsNil()
-			defer f.Close()
-			g.Assert(getFileContent(f)).Equal("new data")
+			g.Assert(buf.String()).Equal("new data")
 		})

 		g.AfterEach(func() {
--- a/server/filesystem/path_test.go
+++ b/server/filesystem/path_test.go
@@ -119,6 +119,16 @@ func TestFilesystem_Blocks_Symlinks(t *testing.T) {
 		panic(err)
 	}

+	g.Describe("Readfile", func() {
+		g.It("cannot read a file symlinked outside the root", func() {
+			b := bytes.Buffer{}
+
+			err := fs.Readfile("symlinked.txt", &b)
+			g.Assert(err).IsNotNil()
+			g.Assert(IsErrorCode(err, ErrCodePathResolution)).IsTrue()
+		})
+	})
+
 	g.Describe("Writefile", func() {
 		g.It("cannot write to a file symlinked outside the root", func() {
 			r := bytes.NewReader([]byte("testing"))
--- a/sftp/handler.go
+++ b/sftp/handler.go
@@ -125,7 +125,7 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
 	return f, nil
 }

-// Filecmd hander for basic SFTP system calls related to files, but not anything to do with reading
+// Filecmd handler for basic SFTP system calls related to files, but not anything to do with reading
 // or writing to those files.
 func (h *Handler) Filecmd(request *sftp.Request) error {
 	if h.ro {
@@ -288,10 +288,14 @@ func (h *Handler) can(permission string) bool {
 		return false
 	}

+	// SFTPServer owners and super admins have their permissions returned as '[*]' via the Panel
+	// API, so for the sake of speed do an initial check for that before iterating over the
+	// entire array of permissions.
+	if len(h.permissions) == 1 && h.permissions[0] == "*" {
+		return true
+	}
 	for _, p := range h.permissions {
-		// If we match the permission specifically, or the user has been granted the "*"
-		// permission because they're an admin, let them through.
-		if p == permission || p == "*" {
+		if p == permission {
 			return true
 		}
 	}
--- a/sftp/server.go
+++ b/sftp/server.go
@@ -1,11 +1,17 @@
 package sftp

 import (
+	"bytes"
 	"context"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"io"
+	"io/ioutil"
 	"net"
 	"os"
 	"path"
@@ -16,7 +22,6 @@ import (
 	"emperror.dev/errors"
 	"github.com/apex/log"
 	"github.com/pkg/sftp"
-	"golang.org/x/crypto/ed25519"
 	"golang.org/x/crypto/ssh"

 	"github.com/pterodactyl/wings/config"
@@ -51,42 +56,28 @@ func New(m *server.Manager) *SFTPServer {
 // SFTP connections. This will automatically generate an ED25519 key if one does
 // not already exist on the system for host key verification purposes.
 func (c *SFTPServer) Run() error {
-	if _, err := os.Stat(c.PrivateKeyPath()); os.IsNotExist(err) {
-		if err := c.generateED25519PrivateKey(); err != nil {
-			return err
-		}
-	} else if err != nil {
-		return errors.Wrap(err, "sftp: could not stat private key file")
-	}
-	pb, err := os.ReadFile(c.PrivateKeyPath())
-	if err != nil {
-		return errors.Wrap(err, "sftp: could not read private key file")
-	}
-	private, err := ssh.ParsePrivateKey(pb)
+	keys, err := c.loadPrivateKeys()
 	if err != nil {
 		return err
 	}

 	conf := &ssh.ServerConfig{
-		NoClientAuth: false,
-		MaxAuthTries: 6,
-		PasswordCallback: func(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) {
-			return c.makeCredentialsRequest(conn, remote.SftpAuthPassword, string(password))
-		},
-		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
-			return c.makeCredentialsRequest(conn, remote.SftpAuthPublicKey, string(ssh.MarshalAuthorizedKey(key)))
-		},
+		NoClientAuth:      false,
+		MaxAuthTries:      6,
+		PasswordCallback:  c.passwordCallback,
+		PublicKeyCallback: c.publicKeyCallback,
+	}
+
+	for _, k := range keys {
+		conf.AddHostKey(k)
 	}
-	conf.AddHostKey(private)

 	listener, err := net.Listen("tcp", c.Listen)
 	if err != nil {
 		return err
 	}

-	public := string(ssh.MarshalAuthorizedKey(private.PublicKey()))
-	log.WithField("listen", c.Listen).WithField("public_key", strings.Trim(public, "\n")).Info("sftp server listening for connections")
-
+	log.WithField("listen", c.Listen).Info("sftp server listening for connections")
 	for {
 		if conn, _ := listener.Accept(); conn != nil {
 			go func(conn net.Conn) {
@@ -112,7 +103,7 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
 		// If its not a session channel we just move on because its not something we
 		// know how to handle at this point.
 		if ch.ChannelType() != "session" {
-			ch.Reject(ssh.UnknownChannelType, "unknown channel type")
+			_ = ch.Reject(ssh.UnknownChannelType, "unknown channel type")
 			continue
 		}

@@ -126,7 +117,7 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
 				// Channels have a type that is dependent on the protocol. For SFTP
 				// this is "subsystem" with a payload that (should) be "sftp". Discard
 				// anything else we receive ("pty", "shell", etc)
-				req.Reply(req.Type == "subsystem" && string(req.Payload[4:]) == "sftp", nil)
+				_ = req.Reply(req.Type == "subsystem" && string(req.Payload[4:]) == "sftp", nil)
 			}
 		}(requests)

@@ -144,6 +135,7 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
 			return s.ID() == uuid
 		})
 		if srv == nil {
+			_ = conn.Close()
 			continue
 		}

@@ -151,48 +143,172 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
 		// them access to the underlying filesystem.
 		handler := sftp.NewRequestServer(channel, NewHandler(sconn, srv).Handlers())
 		if err := handler.Serve(); err == io.EOF {
-			handler.Close()
+			_ = handler.Close()
 		}
 	}
 }

-// Generates a new ED25519 private key that is used for host authentication when
-// a user connects to the SFTP server.
-func (c *SFTPServer) generateED25519PrivateKey() error {
-	_, priv, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return errors.Wrap(err, "sftp: failed to generate ED25519 private key")
+func (c *SFTPServer) loadPrivateKeys() ([]ssh.Signer, error) {
+	if _, err := os.Stat(path.Join(c.BasePath, ".sftp/id_rsa")); err != nil {
+		if !os.IsNotExist(err) {
+			return nil, err
+		}
+
+		if err := c.generateRSAPrivateKey(); err != nil {
+			return nil, err
+		}
 	}
-	if err := os.MkdirAll(path.Dir(c.PrivateKeyPath()), 0o755); err != nil {
-		return errors.Wrap(err, "sftp: could not create internal sftp data directory")
-	}
-	o, err := os.OpenFile(c.PrivateKeyPath(), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
+	rsaBytes, err := ioutil.ReadFile(path.Join(c.BasePath, ".sftp/id_rsa"))
 	if err != nil {
-		return errors.WithStack(err)
+		return nil, errors.Wrap(err, "sftp/server: could not read private key file")
+	}
+	rsaPrivateKey, err := ssh.ParsePrivateKey(rsaBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err := os.Stat(path.Join(c.BasePath, ".sftp/id_ecdsa")); err != nil {
+		if !os.IsNotExist(err) {
+			return nil, err
+		}
+
+		if err := c.generateECDSAPrivateKey(); err != nil {
+			return nil, err
+		}
+	}
+	ecdsaBytes, err := ioutil.ReadFile(path.Join(c.BasePath, ".sftp/id_ecdsa"))
+	if err != nil {
+		return nil, errors.Wrap(err, "sftp/server: could not read private key file")
+	}
+	ecdsaPrivateKey, err := ssh.ParsePrivateKey(ecdsaBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err := os.Stat(path.Join(c.BasePath, ".sftp/id_ed25519")); err != nil {
+		if !os.IsNotExist(err) {
+			return nil, err
+		}
+
+		if err := c.generateEd25519PrivateKey(); err != nil {
+			return nil, err
+		}
+	}
+	ed25519Bytes, err := ioutil.ReadFile(path.Join(c.BasePath, ".sftp/id_ed25519"))
+	if err != nil {
+		return nil, errors.Wrap(err, "sftp/server: could not read private key file")
+	}
+	ed25519PrivateKey, err := ssh.ParsePrivateKey(ed25519Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return []ssh.Signer{
+		rsaPrivateKey,
+		ecdsaPrivateKey,
+		ed25519PrivateKey,
+	}, nil
+}
+
+// generateRSAPrivateKey generates a RSA-4096 private key that will be used by the SFTP server.
+func (c *SFTPServer) generateRSAPrivateKey() error {
+	key, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(path.Dir(c.PrivateKeyPath("rsa")), 0o755); err != nil {
+		return errors.Wrap(err, "sftp/server: could not create .sftp directory")
+	}
+	o, err := os.OpenFile(c.PrivateKeyPath("rsa"), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
+	if err != nil {
+		return err
 	}
 	defer o.Close()

-	b, err := x509.MarshalPKCS8PrivateKey(priv)
-	if err != nil {
-		return errors.Wrap(err, "sftp: failed to marshal private key into bytes")
-	}
-	if err := pem.Encode(o, &pem.Block{Type: "PRIVATE KEY", Bytes: b}); err != nil {
-		return errors.Wrap(err, "sftp: failed to write ED25519 private key to disk")
+	if err := pem.Encode(o, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	}); err != nil {
+		return err
 	}
 	return nil
 }

-func (c *SFTPServer) makeCredentialsRequest(conn ssh.ConnMetadata, t remote.SftpAuthRequestType, p string) (*ssh.Permissions, error) {
+// generateECDSAPrivateKey generates a ECDSA-P256 private key that will be used by the SFTP server.
+func (c *SFTPServer) generateECDSAPrivateKey() error {
+	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(path.Dir(c.PrivateKeyPath("ecdsa")), 0o755); err != nil {
+		return errors.Wrap(err, "sftp/server: could not create .sftp directory")
+	}
+	o, err := os.OpenFile(c.PrivateKeyPath("ecdsa"), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
+	if err != nil {
+		return err
+	}
+	defer o.Close()
+
+	privBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return err
+	}
+
+	if err := pem.Encode(o, &pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: privBytes,
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+// generateEd25519PrivateKey generates an ed25519 private key that will be used by the SFTP server.
+func (c *SFTPServer) generateEd25519PrivateKey() error {
+	_, key, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(path.Dir(c.PrivateKeyPath("ed25519")), 0o755); err != nil {
+		return errors.Wrap(err, "sftp/server: could not create .sftp directory")
+	}
+	o, err := os.OpenFile(c.PrivateKeyPath("ed25519"), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
+	if err != nil {
+		return err
+	}
+	defer o.Close()
+
+	privBytes, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return err
+	}
+
+	if err := pem.Encode(o, &pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: privBytes,
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+// PrivateKeyPath returns the path the host private key for this server instance.
+func (c *SFTPServer) PrivateKeyPath(name string) string {
+	return path.Join(c.BasePath, ".sftp", "id_"+name)
+}
+
+// A function capable of validating user credentials with the Panel API.
+func (c *SFTPServer) passwordCallback(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
 	request := remote.SftpAuthRequest{
-		Type:          t,
 		User:          conn.User(),
-		Pass:          p,
+		Pass:          string(pass),
 		IP:            conn.RemoteAddr().String(),
 		SessionID:     conn.SessionID(),
 		ClientVersion: conn.ClientVersion(),
+		Type:          "password",
 	}

-	logger := log.WithFields(log.Fields{"subsystem": "sftp", "method": request.Type, "username": request.User, "ip": request.IP})
+	logger := log.WithFields(log.Fields{"subsystem": "sftp", "username": conn.User(), "ip": conn.RemoteAddr().String()})
 	logger.Debug("validating credentials for SFTP connection")

 	if !validUsernameRegexp.MatchString(request.User) {
@@ -200,6 +316,51 @@ func (c *SFTPServer) makeCredentialsRequest(conn ssh.ConnMetadata, t remote.Sftp
 		return nil, &remote.SftpInvalidCredentialsError{}
 	}

+	if len(pass) < 1 {
+		logger.Warn("failed to validate user credentials (invalid format)")
+		return nil, &remote.SftpInvalidCredentialsError{}
+	}
+
+	resp, err := c.manager.Client().ValidateSftpCredentials(context.Background(), request)
+	if err != nil {
+		if _, ok := err.(*remote.SftpInvalidCredentialsError); ok {
+			logger.Warn("failed to validate user credentials (invalid username or password)")
+		} else {
+			logger.WithField("error", err).Error("encountered an error while trying to validate user credentials")
+		}
+		return nil, err
+	}
+
+	logger.WithField("server", resp.Server).Debug("credentials validated and matched to server instance")
+	sshPerm := &ssh.Permissions{
+		Extensions: map[string]string{
+			"uuid":        resp.Server,
+			"user":        conn.User(),
+			"permissions": strings.Join(resp.Permissions, ","),
+		},
+	}
+
+	return sshPerm, nil
+}
+
+func (c *SFTPServer) publicKeyCallback(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+	request := remote.SftpAuthRequest{
+		User:          conn.User(),
+		Pass:          "KEKW",
+		IP:            conn.RemoteAddr().String(),
+		SessionID:     conn.SessionID(),
+		ClientVersion: conn.ClientVersion(),
+		Type:          "publicKey",
+	}
+
+	logger := log.WithFields(log.Fields{"subsystem": "sftp", "username": conn.User(), "ip": conn.RemoteAddr().String()})
+	logger.Debug("validating public key for SFTP connection")
+
+	if !validUsernameRegexp.MatchString(request.User) {
+		logger.Warn("failed to validate user credentials (invalid format)")
+		return nil, &remote.SftpInvalidCredentialsError{}
+	}
+
 	resp, err := c.manager.Client().ValidateSftpCredentials(context.Background(), request)
 	if err != nil {
 		if _, ok := err.(*remote.SftpInvalidCredentialsError); ok {
@@ -210,19 +371,27 @@ func (c *SFTPServer) makeCredentialsRequest(conn ssh.ConnMetadata, t remote.Sftp
 		return nil, err
 	}

-	logger.WithField("server", resp.Server).Debug("credentials validated and matched to server instance")
-	permissions := ssh.Permissions{
-		Extensions: map[string]string{
-			"uuid":        resp.Server,
-			"user":        conn.User(),
-			"permissions": strings.Join(resp.Permissions, ","),
-		},
+	if len(resp.SSHKeys) < 1 {
+		return nil, &remote.SftpInvalidCredentialsError{}
 	}

-	return &permissions, nil
-}
+	for _, k := range resp.SSHKeys {
+		storedPublicKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(k))
+		if err != nil {
+			return nil, err
+		}

-// PrivateKeyPath returns the path the host private key for this server instance.
-func (c *SFTPServer) PrivateKeyPath() string {
-	return path.Join(c.BasePath, ".sftp/id_ed25519")
+		if !bytes.Equal(key.Marshal(), storedPublicKey.Marshal()) {
+			continue
+		}
+
+		return &ssh.Permissions{
+			Extensions: map[string]string{
+				"uuid":        resp.Server,
+				"user":        conn.User(),
+				"permissions": strings.Join(resp.Permissions, ","),
+			},
+		}, nil
+	}
+	return nil, &remote.SftpInvalidCredentialsError{}
 }
--- a/system/strings.go
+++ b/system/strings.go
@@ -1,20 +0,0 @@
-package system
-
-import (
-	"math/rand"
-	"strings"
-)
-
-const characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
-
-// RandomString generates a random string of alpha-numeric characters using a
-// pseudo-random number generator. The output of this function IS NOT cryptographically
-// secure, it is used solely for generating random strings outside a security context.
-func RandomString(n int) string {
-	var b strings.Builder
-	b.Grow(n)
-	for i := 0; i < n; i++ {
-		b.WriteByte(characters[rand.Intn(len(characters))])
-	}
-	return b.String()
-}
--- a/wings.go
+++ b/wings.go
@@ -2,16 +2,8 @@ package main

 import (
 	"github.com/pterodactyl/wings/cmd"
-	"math/rand"
-	"time"
 )

 func main() {
-	// Since we make use of the math/rand package in the code, especially for generating
-	// non-cryptographically secure random strings we need to seed the RNG. Just make use
-	// of the current time for this.
-	rand.Seed(time.Now().UnixNano())
-
-	// Execute the main binary code.
 	cmd.Execute()
 }
Author	SHA1	Message	Date
Matthew Penner	ee280f1deb	Merge branch 'develop' into v2	2022-04-01 09:48:24 -06:00
Dane Everitt	355c10c1e4	Update lockfile	2022-02-13 13:17:26 -05:00
Dane Everitt	04933c153b	Merge branch 'develop' into v2	2022-02-13 13:10:36 -05:00
Matthew Penner	f1344f1a82	Merge branch 'develop' into v2	2022-01-18 13:12:09 -07:00
Matthew Penner	d874af85db	tweaks to websocket event handling	2021-11-15 10:13:31 -07:00
Matthew Penner	54b6033392	update dependencies	2021-11-15 10:13:19 -07:00
Matthew Penner	10a2ffc0a7	Merge branch 'develop' into v2	2021-10-28 23:58:12 -06:00
Matthew Penner	ede1cdc76f	Merge branch 'develop' into v2	2021-10-05 19:01:34 -06:00
Dane Everitt	9e98287172	Merge branch 'develop' into v2	2021-09-19 11:17:05 -07:00
Matthew Penner	6653466ca8	Merge branch 'develop' into v2	2021-09-01 16:33:32 -06:00
Matthew Penner	f54a736353	add support for systemd notify	2021-08-02 15:17:22 -06:00
Matthew Penner	d3360f0fd9	sftp: add support for ssh keys	2021-08-02 15:17:22 -06:00