Update CHANGELOG.md

If wings is restarted while a container is already running, the server will be missing it's
configuration, specifically it's stop configuration.  This will cause the stop power action
to terminate the server due to no stop command being set.

.github/workflows/build-test.yml

@@ -60,7 +60,7 @@ jobs:
         run: go test ./...
       - name: Upload Artifact
         uses: actions/upload-artifact@v2
-        if: ${{ matrix.go == '^1.16' && (github.ref == 'refs/heads/develop' || github.event_name == 'pull_request') }}
+        if: ${{ github.ref == 'refs/heads/develop' || github.event_name == 'pull_request' }}
         with:
           name: wings_${{ matrix.goos }}_${{ matrix.goarch }}
           path: build/wings_${{ matrix.goos }}_${{ matrix.goarch }}

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## v1.5.2
+### Fixed
+* Fixes servers not properly re-syncing with the Panel if they are already running causing them to be hard-stopped when terminated, rather than stopped with the configured action.
+
+### Changed
+* Changes SFTP server implementation to use ED25519 server keys rather than deprecated SHA1 RSA keys.
+
+### Added
+* Adds server uptime output in the stats event emitted to the websocket.
+
+## v1.5.1
+### Added
+* Global configuration option for toggling server crash detection (`system.crash_detection.enabled`)
+* RPM specfile
+
 ## v1.5.0
 ### Fixed
 * Fixes a race condition when setting the application name in the console output for a server.

README.md

@@ -30,7 +30,7 @@ I would like to extend my sincere thanks to the following sponsors for helping f
 | [**Spill Hosting**](https://spillhosting.no/) | Spill Hosting is a Norwegian hosting service, which aims for inexpensive services on quality servers. Premium i9-9900K processors will run your game like a dream. |
 | [**DeinServerHost**](https://deinserverhost.de/) | DeinServerHost offers Dedicated, vps and Gameservers for many popular Games like Minecraft and Rust in Germany since 2013. |
 | [**HostBend**](https://hostbend.com/) | HostBend offers a variety of solutions for developers, students, and others who have a tight budget but don't want to compromise quality and support. |
-| [**Capitol Hosting Solutions**](https://capitolsolutions.cloud/) | CHS is *the* budget friendly hosting company for Australian and American gamers, offering a variety of plans from Web Hosting to Game Servers; Custom Solutions too! |
+| [**Capitol Hosting Solutions**](https://chs.gg/) | CHS is *the* budget friendly hosting company for Australian and American gamers, offering a variety of plans from Web Hosting to Game Servers; Custom Solutions too! |
 | [**ByteAnia**](https://byteania.com/?utm_source=pterodactyl) | ByteAnia offers the best performing and most affordable **Ryzen 5000 Series hosting** on the market for *unbeatable prices*! |
 | [**Aussie Server Hosts**](https://aussieserverhosts.com/) | No frills Australian Owned and operated High Performance Server hosting for some of the most demanding games serving Australia and New Zealand. |
 | [**VibeGAMES**](https://vibegames.net/) | VibeGAMES is a game server provider that specializes in DDOS protection for the games we offer. We have multiple locations in the US, Brazil, France, Germany, Singapore, Australia and South Africa.|

cmd/root.go

@@ -214,7 +214,7 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 			//
 			// @see https://github.com/pterodactyl/panel/issues/2475
 			// @see https://github.com/pterodactyl/panel/issues/3358
-			ctx, cancel := context.WithTimeout(cmd.Context(), time.Second * 30)
+			ctx, cancel := context.WithTimeout(cmd.Context(), time.Second*30)
 			defer cancel()
 
 			r, err := s.Environment.IsRunning(ctx)
@@ -255,6 +255,13 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 				// state being tracked.
 				s.Environment.SetState(environment.ProcessOfflineState)
 			}
+
+			if state := s.Environment.State(); state == environment.ProcessStartingState || state == environment.ProcessRunningState {
+				s.Log().Debug("re-syncing server configuration for already running server")
+				if err := s.Sync(); err != nil {
+					s.Log().WithError(err).Error("failed to re-sync server configuration")
+				}
+			}
 		})
 	}
 
@@ -287,12 +294,12 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 
 	sys := config.Get().System
 	// Ensure the archive directory exists.
-	if err := os.MkdirAll(sys.ArchiveDirectory, 0755); err != nil {
+	if err := os.MkdirAll(sys.ArchiveDirectory, 0o755); err != nil {
 		log.WithField("error", err).Error("failed to create archive directory")
 	}
 
 	// Ensure the backup directory exists.
-	if err := os.MkdirAll(sys.BackupDirectory, 0755); err != nil {
+	if err := os.MkdirAll(sys.BackupDirectory, 0o755); err != nil {
 		log.WithField("error", err).Error("failed to create backup directory")
 	}
 
@@ -385,7 +392,7 @@ func initConfig() {
 // in the code without having to pass around a logger instance.
 func initLogging() {
 	dir := config.Get().System.LogDirectory
-	if err := os.MkdirAll(path.Join(dir, "/install"), 0700); err != nil {
+	if err := os.MkdirAll(path.Join(dir, "/install"), 0o700); err != nil {
 		log2.Fatalf("cmd/root: failed to create install directory path: %s", err)
 	}
 	p := filepath.Join(dir, "/wings.log")

config/config.go

@@ -48,10 +48,12 @@ var DefaultTLSConfig = &tls.Config{
 	CurvePreferences:         []tls.CurveID{tls.X25519, tls.CurveP256},
 }
 
-var mu sync.RWMutex
+var (
-var _config *Configuration
+	mu            sync.RWMutex
-var _jwtAlgo *jwt.HMACSHA
+	_config       *Configuration
-var _debugViaFlag bool
+	_jwtAlgo      *jwt.HMACSHA
+	_debugViaFlag bool
+)
 
 // Locker specific to writing the configuration to the disk, this happens
 // in areas that might already be locked, so we don't want to crash the process.
@@ -181,6 +183,9 @@ type SystemConfiguration struct {
 }
 
 type CrashDetection struct {
+	// CrashDetectionEnabled sets if crash detection is enabled globally for all servers on this node.
+	CrashDetectionEnabled bool `default:"true" yaml:"enabled"`
+
 	// Determines if Wings should detect a server that stops with a normal exit code of
 	// "0" as being crashed if the process stopped without any Wings interaction. E.g.
 	// the user did not press the stop button, but the process stopped cleanly.
@@ -375,7 +380,7 @@ func WriteToDisk(c *Configuration) error {
 	if err != nil {
 		return err
 	}
-	if err := ioutil.WriteFile(c.path, b, 0600); err != nil {
+	if err := ioutil.WriteFile(c.path, b, 0o600); err != nil {
 		return err
 	}
 	return nil
@@ -470,7 +475,7 @@ func FromFile(path string) error {
 func ConfigureDirectories() error {
 	root := _config.System.RootDirectory
 	log.WithField("path", root).Debug("ensuring root data directory exists")
-	if err := os.MkdirAll(root, 0700); err != nil {
+	if err := os.MkdirAll(root, 0o700); err != nil {
 		return err
 	}
 
@@ -491,17 +496,17 @@ func ConfigureDirectories() error {
 	}
 
 	log.WithField("path", _config.System.Data).Debug("ensuring server data directory exists")
-	if err := os.MkdirAll(_config.System.Data, 0700); err != nil {
+	if err := os.MkdirAll(_config.System.Data, 0o700); err != nil {
 		return err
 	}
 
 	log.WithField("path", _config.System.ArchiveDirectory).Debug("ensuring archive data directory exists")
-	if err := os.MkdirAll(_config.System.ArchiveDirectory, 0700); err != nil {
+	if err := os.MkdirAll(_config.System.ArchiveDirectory, 0o700); err != nil {
 		return err
 	}
 
 	log.WithField("path", _config.System.BackupDirectory).Debug("ensuring backup data directory exists")
-	if err := os.MkdirAll(_config.System.BackupDirectory, 0700); err != nil {
+	if err := os.MkdirAll(_config.System.BackupDirectory, 0o700); err != nil {
 		return err
 	}
 

environment/docker/stats.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"io"
 	"math"
+	"time"
 
 	"emperror.dev/errors"
 	"github.com/docker/docker/api/types"
@@ -12,6 +13,23 @@ import (
 	"github.com/pterodactyl/wings/environment"
 )
 
+// Uptime returns the current uptime of the container in milliseconds. If the
+// container is not currently running this will return 0.
+func (e *Environment) Uptime(ctx context.Context) (int64, error) {
+	ins, err := e.client.ContainerInspect(ctx, e.Id)
+	if err != nil {
+		return 0, errors.Wrap(err, "environment: could not inspect container")
+	}
+	if !ins.State.Running {
+		return 0, nil
+	}
+	started, err := time.Parse(time.RFC3339, ins.State.StartedAt)
+	if err != nil {
+		return 0, errors.Wrap(err, "environment: failed to parse container start time")
+	}
+	return time.Since(started).Milliseconds(), nil
+}
+
 // Attach to the instance and then automatically emit an event whenever the resource usage for the
 // server process changes.
 func (e *Environment) pollResources(ctx context.Context) error {
@@ -28,6 +46,11 @@ func (e *Environment) pollResources(ctx context.Context) error {
 	}
 	defer stats.Body.Close()
 
+	uptime, err := e.Uptime(ctx)
+	if err != nil {
+		e.log().WithField("error", err).Warn("failed to calculate container uptime")
+	}
+
 	dec := json.NewDecoder(stats.Body)
 	for {
 		select {
@@ -50,7 +73,12 @@ func (e *Environment) pollResources(ctx context.Context) error {
 				return nil
 			}
 
+			if !v.PreRead.IsZero() {
+				uptime = uptime + v.Read.Sub(v.PreRead).Milliseconds()
+			}
+
 			st := environment.Stats{
+				Uptime:      uptime,
 				Memory:      calculateDockerMemory(v.MemoryStats),
 				MemoryLimit: v.MemoryStats.Limit,
 				CpuAbsolute: calculateDockerAbsoluteCpu(v.PreCPUStats, v.CPUStats),

environment/environment.go

@@ -104,4 +104,8 @@ type ProcessEnvironment interface {
 	// handle this itself, but there are some scenarios where it is helpful for the server
 	// to update the state externally (e.g. starting -> started).
 	SetState(string)
+
+	// Uptime returns the current environment uptime in milliseconds. This is
+	// the time that has passed since it was last started.
+	Uptime(ctx context.Context) (int64, error)
 }

environment/stats.go

@@ -1,8 +1,6 @@
 package environment
 
-// Defines the current resource usage for a given server instance. If a server is offline you
+// Stats defines the current resource usage for a given server instance.
-// should obviously expect memory and CPU usage to be 0. However, disk will always be returned
-// since that is not dependent on the server being running to collect that data.
 type Stats struct {
 	// The total amount of memory, in bytes, that this server instance is consuming. This is
 	// calculated slightly differently than just using the raw Memory field that the stats
@@ -19,12 +17,11 @@ type Stats struct {
 	// does not take into account any limits on the server process itself.
 	CpuAbsolute float64 `json:"cpu_absolute"`
 
-	// The current disk space being used by the server. This is cached to prevent slow lookup
-	// issues on frequent refreshes.
-	// Disk int64 `json:"disk_bytes"`
-
 	// Current network transmit in & out for a container.
 	Network NetworkStats `json:"network"`
+
+	// The current uptime of the container, in milliseconds.
+	Uptime int64 `json:"uptime"`
 }
 
 type NetworkStats struct {

go.mod

@@ -33,7 +33,6 @@ require (
 	github.com/gorilla/websocket v1.4.2
 	github.com/iancoleman/strcase v0.2.0
 	github.com/icza/dyno v0.0.0-20210726202311-f1bafe5d9996
-	github.com/imdario/mergo v0.3.12
 	github.com/juju/ratelimit v1.0.1
 	github.com/karrick/godirwalk v1.16.1
 	github.com/klauspost/compress v1.13.2 // indirect

go.sum

@@ -513,8 +513,6 @@ github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
-github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=

rpm/ptero-wings.spec

@@ -0,0 +1,114 @@
+Name:       ptero-wings
+Version:    1.5.0
+Release:    1%{?dist}
+Summary:    The server control plane for Pterodactyl Panel. Written from the ground-up with security, speed, and stability in mind.
+BuildArch:  x86_64
+License:    MIT
+URL:        https://github.com/pterodactyl/wings
+Source0:    https://github.com/pterodactyl/wings/releases/download/v%{version}/wings_linux_amd64
+
+%if 0%{?rhel} && 0%{?rhel} <= 8
+BuildRequires:  systemd
+%else
+BuildRequires:  systemd-rpm-macros
+%endif
+
+
+%description
+Wings is Pterodactyl's server control plane, built for the rapidly
+changing gaming industry and designed to be highly performant and
+secure. Wings provides an HTTP API allowing you to interface directly
+with running server instances, fetch server logs, generate backups,
+and control all aspects of the server lifecycle.
+
+In addition, Wings ships with a built-in SFTP server allowing your
+system to remain free of Pterodactyl specific dependencies, and
+allowing users to authenticate with the same credentials they would
+normally use to access the Panel.
+
+%prep
+
+%build
+#nothing required
+
+%install
+mkdir -p %{buildroot}%{_bindir}
+mkdir -p %{buildroot}%{_unitdir}
+cp %{_sourcedir}/wings_linux_amd64 %{buildroot}%{_bindir}/wings
+
+cat > %{buildroot}%{_unitdir}/wings.service << EOF
+[Unit]
+Description=Pterodactyl Wings Daemon
+After=docker.service
+Requires=docker.service
+PartOf=docker.service
+StartLimitIntervalSec=600
+
+[Service]
+WorkingDirectory=/etc/pterodactyl
+ExecStart=/usr/bin/wings
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+StartLimitInterval=180
+StartLimitBurst=30
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+%files
+%attr(0755, root, root) %{_prefix}/bin/wings
+%attr(0644, root, root) %{_unitdir}/wings.service
+
+%post
+
+# Reload systemd
+systemctl daemon-reload
+
+# Create the required directory structure
+mkdir -p /etc/pterodactyl
+mkdir -p /var/lib/pterodactyl/{archives,backups,volumes}
+mkdir -p /var/log/pterodactyl/install
+
+%preun
+
+systemctl is-active %{name} >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+    systemctl stop %{name}
+fi
+
+systemctl is-enabled %{name} >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+    systemctl disable %{name}
+fi
+
+%postun
+rm -rf /var/log/pterodactyl
+
+%verifyscript
+
+wings --version
+
+%changelog
+* Sun Sep 12 2021 Capitol Hosting Solutions Systems Engineering <syseng@chs.gg> - 1.5.0-1
+- specfile by Capitol Hosting Solutions, Upstream by Pterodactyl
+- Rebased for https://github.com/pterodactyl/wings/releases/tag/v1.5.0
+- Fixes a race condition when setting the application name in the console output for a server.
+- Fixes a server being reinstalled causing the file_denylist parameter for an Egg to be ignored until Wings is restarted.
+- Fixes YAML file parser not correctly setting boolean values.
+- Fixes potential issue where the underlying websocket connection is closed but the parent request context is not yet canceled causing a write over a closed connection.
+- Fixes race condition when closing all active websocket connections when a server is deleted.
+- Fixes logic to determine if a server's context is closed out and send a websocket close message to connected clients. Previously this fired off whenever the request itself was closed, and not when the server context was closed.
+- Exposes 8080 in the wings Dockerfile to better support reverse proxy tools.
+- Releases are now built using Go 1.17 — the minimum version required to build Wings remains Go 1.16.
+- Simplifed the logic powering server updates to only pull information from the Panel rather than trying to accept updated values. All parts of Wings needing the most up-to-date server details should call Server#Sync() to fetch the latest stored build information.
+- Installer#New() no longer requires passing all of the server data as a byte slice, rather a new Installer#ServerDetails struct is exposed which can be passed and accepts a UUID and if the server should be started after the installer finishes.
+- Removes complicated (and unused) logic during the server installation process that was a hold-over from legacy Wings architectures.
+- Removes the PATCH /api/servers/:server endpoint — if you were previously using this API call it should be replaced with POST /api/servers/:server/sync.
+
+* Wed Aug 25 2021 Capitol Hosting Solutions Systems Engineering <syseng@chs.gg> - 1.4.7-1
+- specfile by Capitol Hosting Solutions, Upstream by Pterodactyl
+- Rebased for https://github.com/pterodactyl/wings/releases/tag/v1.4.7
+- SFTP access is now properly denied if a server is suspended.
+- Correctly uses start_on_completion and crash_detection_enabled for servers.

server/resources.go

@@ -46,6 +46,7 @@ func (ru *ResourceUsage) Reset() {
 
 	ru.Memory = 0
 	ru.CpuAbsolute = 0
+	ru.Uptime = 0
 	ru.Network.TxBytes = 0
 	ru.Network.RxBytes = 0
 }

server/server.go

@@ -188,7 +188,9 @@ func (s *Server) Sync() error {
 // can be called from scoped where the server may not be fully initialized,
 // therefore other things like the filesystem and environment may not exist yet.
 func (s *Server) SyncWithConfiguration(cfg remote.ServerConfigurationResponse) error {
-	c := Configuration{}
+	c := Configuration{
+		CrashDetectionEnabled: config.Get().System.CrashDetection.CrashDetectionEnabled,
+	}
 	if err := json.Unmarshal(cfg.Settings, &c); err != nil {
 		return errors.WithStackIf(err)
 	}
@@ -196,9 +198,9 @@ func (s *Server) SyncWithConfiguration(cfg remote.ServerConfigurationResponse) e
 	s.cfg.mu.Lock()
 	defer s.cfg.mu.Unlock()
 
-	// Lock the new configuration. Since we have the defered Unlock above we need
+	// Lock the new configuration. Since we have the deferred Unlock above we need
 	// to make sure that the NEW configuration object is already locked since that
-	// defer is running on the memory address for "s.cfg.mu" which we're explcitly
+	// defer is running on the memory address for "s.cfg.mu" which we're explicitly
 	// changing on the next line.
 	c.mu.Lock()
 
@@ -259,7 +261,7 @@ func (s *Server) EnsureDataDirectoryExists() error {
 	if _, err := os.Lstat(s.fs.Path()); err != nil {
 		if os.IsNotExist(err) {
 			s.Log().Debug("server: creating root directory and setting permissions")
-			if err := os.MkdirAll(s.fs.Path(), 0700); err != nil {
+			if err := os.MkdirAll(s.fs.Path(), 0o700); err != nil {
 				return errors.WithStack(err)
 			}
 			if err := s.fs.Chown("/"); err != nil {

sftp/server.go

@@ -3,7 +3,6 @@ package sftp
 import (
 	"context"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"io"
@@ -18,6 +17,7 @@ import (
 	"emperror.dev/errors"
 	"github.com/apex/log"
 	"github.com/pkg/sftp"
+	"golang.org/x/crypto/ed25519"
 	"golang.org/x/crypto/ssh"
 
 	"github.com/pterodactyl/wings/config"
@@ -48,18 +48,20 @@ func New(m *server.Manager) *SFTPServer {
 	}
 }
 
-// Starts the SFTP server and add a persistent listener to handle inbound SFTP connections.
+// Run starts the SFTP server and add a persistent listener to handle inbound
+// SFTP connections. This will automatically generate an ED25519 key if one does
+// not already exist on the system for host key verification purposes.
 func (c *SFTPServer) Run() error {
-	if _, err := os.Stat(path.Join(c.BasePath, ".sftp/id_rsa")); os.IsNotExist(err) {
+	if _, err := os.Stat(c.PrivateKeyPath()); os.IsNotExist(err) {
-		if err := c.generatePrivateKey(); err != nil {
+		if err := c.generateED25519PrivateKey(); err != nil {
 			return err
 		}
 	} else if err != nil {
-		return errors.Wrap(err, "sftp/server: could not stat private key file")
+		return errors.Wrap(err, "sftp: could not stat private key file")
 	}
-	pb, err := ioutil.ReadFile(path.Join(c.BasePath, ".sftp/id_rsa"))
+	pb, err := ioutil.ReadFile(c.PrivateKeyPath())
 	if err != nil {
-		return errors.Wrap(err, "sftp/server: could not read private key file")
+		return errors.Wrap(err, "sftp: could not read private key file")
 	}
 	private, err := ssh.ParsePrivateKey(pb)
 	if err != nil {
@@ -78,7 +80,9 @@ func (c *SFTPServer) Run() error {
 		return err
 	}
 
-	log.WithField("listen", c.Listen).Info("sftp server listening for connections")
+	public := string(ssh.MarshalAuthorizedKey(private.PublicKey()))
+	log.WithField("listen", c.Listen).WithField("public_key", strings.Trim(public, "\n")).Info("sftp server listening for connections")
+
 	for {
 		if conn, _ := listener.Accept(); conn != nil {
 			go func(conn net.Conn) {
@@ -148,26 +152,30 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
 	}
 }
 
-// Generates a private key that will be used by the SFTP server.
+// Generates a new ED25519 private key that is used for host authentication when
-func (c *SFTPServer) generatePrivateKey() error {
+// a user connects to the SFTP server.
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
+func (c *SFTPServer) generateED25519PrivateKey() error {
+	_, priv, err := ed25519.GenerateKey(rand.Reader)
 	if err != nil {
-		return errors.WithStack(err)
+		return errors.Wrap(err, "sftp: failed to generate ED25519 private key")
 	}
-	if err := os.MkdirAll(path.Join(c.BasePath, ".sftp"), 0755); err != nil {
+	if err := os.MkdirAll(path.Dir(c.PrivateKeyPath()), 0755); err != nil {
-		return errors.Wrap(err, "sftp/server: could not create .sftp directory")
+		return errors.Wrap(err, "sftp: could not create internal sftp data directory")
 	}
-	o, err := os.OpenFile(path.Join(c.BasePath, ".sftp/id_rsa"), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	o, err := os.OpenFile(c.PrivateKeyPath(), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return errors.WithStack(err)
 	}
 	defer o.Close()
 
-	err = pem.Encode(o, &pem.Block{
+	b, err := x509.MarshalPKCS8PrivateKey(priv)
-		Type:  "RSA PRIVATE KEY",
+	if err != nil {
-		Bytes: x509.MarshalPKCS1PrivateKey(key),
+		return errors.Wrap(err, "sftp: failed to marshal private key into bytes")
-	})
+	}
-	return errors.WithStack(err)
+	if err := pem.Encode(o, &pem.Block{Type: "PRIVATE KEY", Bytes: b}); err != nil {
+		return errors.Wrap(err, "sftp: failed to write ED25519 private key to disk")
+	}
+	return nil
 }
 
 // A function capable of validating user credentials with the Panel API.
@@ -209,3 +217,8 @@ func (c *SFTPServer) passwordCallback(conn ssh.ConnMetadata, pass []byte) (*ssh.
 
 	return sshPerm, nil
 }
+
+// PrivateKeyPath returns the path the host private key for this server instance.
+func (c *SFTPServer) PrivateKeyPath() string {
+	return path.Join(c.BasePath, ".sftp/id_ed25519")
+}