Add file upload portal with per-customer links and WebDAV admin access

- Customer upload via token link (no login), optional password + expiry,
  drag & drop for files and folders with preserved structure
- Admin portal with setup wizard, role-based users (admin/staff),
  per-customer WebDAV access rules (read/write), session auth
- WebDAV container (Debian apache2) with htpasswd + access.conf
  auto-generated from the SQLite DB and reloaded via inotifywait
- Configurable public base URL and janitor cron interval in admin UI;
  janitor reconciles the uploads table with the filesystem

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

webdav/Dockerfile

@@ -0,0 +1,28 @@
+FROM debian:bookworm-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      apache2 apache2-utils inotify-tools \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN a2enmod dav dav_fs auth_basic authn_file authz_user authz_core \
+             setenvif mime alias autoindex dir \
+  && a2dissite 000-default
+
+# Create a user with UID 1000 so file ownership matches the app container.
+RUN groupadd -g 1000 webdav \
+ && useradd -u 1000 -g 1000 -s /usr/sbin/nologin -M webdav \
+ && sed -i \
+    -e 's|^export APACHE_RUN_USER=.*|export APACHE_RUN_USER=webdav|' \
+    -e 's|^export APACHE_RUN_GROUP=.*|export APACHE_RUN_GROUP=webdav|' \
+    /etc/apache2/envvars
+
+COPY webdav.conf /etc/apache2/conf-enabled/webdav.conf
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 80
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["apachectl", "-D", "FOREGROUND"]

webdav/entrypoint.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+set -e
+
+CONFIG_DIR="${WEBDAV_CONFIG_DIR:-/webdav-config}"
+
+mkdir -p /var/lib/dav /data/uploads "$CONFIG_DIR"
+chown -R 1000:1000 /var/lib/dav /data/uploads "$CONFIG_DIR" 2>/dev/null || true
+
+# Ensure the referenced files exist so Apache starts even before first sync.
+[ -f "$CONFIG_DIR/htpasswd" ]    || : > "$CONFIG_DIR/htpasswd"
+[ -f "$CONFIG_DIR/access.conf" ] || : > "$CONFIG_DIR/access.conf"
+chown 1000:1000 "$CONFIG_DIR/htpasswd" "$CONFIG_DIR/access.conf" 2>/dev/null || true
+
+# Graceful-reload watcher: triggered when htpasswd / access.conf are rewritten.
+(
+  sleep 2
+  while :; do
+    if command -v inotifywait >/dev/null 2>&1; then
+      inotifywait -q -e close_write,moved_to,create,delete -- "$CONFIG_DIR" >/dev/null 2>&1 || sleep 2
+    else
+      sleep 5
+    fi
+    sleep 1
+    echo "[webdav] config changed -> apachectl graceful"
+    apachectl graceful 2>/dev/null || true
+  done
+) &
+
+# Apache2 needs these env vars when started via apachectl
+. /etc/apache2/envvars
+
+exec "$@"

webdav/webdav.conf

@@ -0,0 +1,32 @@
+DavLockDB "/var/lib/dav/DavLock"
+
+<VirtualHost *:80>
+    DocumentRoot "/data/uploads"
+
+    # Autoindex icons (explicit, no auth)
+    Alias /icons/ "/usr/share/apache2/icons/"
+    <Directory "/usr/share/apache2/icons">
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+
+    <Directory "/data/uploads">
+        DAV On
+        AllowOverride None
+        Options Indexes
+        AuthType Basic
+        AuthName "WebDAV"
+        AuthBasicProvider file
+        AuthUserFile /webdav-config/htpasswd
+        Require valid-user
+    </Directory>
+
+    LimitXMLRequestBody 0
+
+    # Per-customer ACLs (regenerated by the app container)
+    Include /webdav-config/access.conf
+
+    ErrorLog /dev/stderr
+    CustomLog /dev/stdout combined
+</VirtualHost>