M README.md => README.md +15 -1
@@ 8,4 8,18 @@
|[nginx](/~dricottone/container-images/tree/dev/item/nginx/README.md)|latest|`registry.intra.dominic-ricottone.com/nginx:latest`|
|[nitter](/~dricottone/container-images/tree/dev/item/nitter/README.md)|amd64,arm64|`registry.intra.dominic-ricottone.com/nitter:amd64`|
|[php](/~dricottone/container-images/tree/dev/item/php/README.md)|latest,readwrite,fpm,development,fpm-development|`registry.intra.dominic-ricottone.com/php:latest`|
-
+|[postfix](/~dricottone/container-images/tree/dev/item/postfix/README.md)|latest|`registry.intra.dominic-ricottone.com/postfix:latest`|
+|[srht-core](/~dricottone/container-images/tree/dev/item/srht-core/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-core:latest`|
+|[srht-git-api](/~dricottone/container-images/tree/dev/item/srht-git-api/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-api:latest`|
+|[srht-git-core](/~dricottone/container-images/tree/dev/item/srht-git-core/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-core:latest`|
+|[srht-git-fcgi](/~dricottone/container-images/tree/dev/item/srht-git-fcgi/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-fcgi:latest`|
+|[srht-git-ssh](/~dricottone/container-images/tree/dev/item/srht-git-ssh/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-ssh:latest`|
+|[srht-git-webhooks](/~dricottone/container-images/tree/dev/item/srht-git-webhooks/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-webhooks:latest`|
+|[srht-meta-api](/~dricottone/container-images/tree/dev/item/srht-meta-api/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-meta-api:latest`|
+|[srht-meta-core](/~dricottone/container-images/tree/dev/item/srht-meta-core/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-meta-core:latest`|
+|[srht-meta-webhooks](/~dricottone/container-images/tree/dev/item/srht-meta-webhooks/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-meta-webhooks:latest`|
+|[srht-nginx](/~dricottone/container-images/tree/dev/item/srht-nginx/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-nginx:latest`|
+|[srht-todo-api](/~dricottone/container-images/tree/dev/item/srht-todo-api/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-todo-api:latest`|
+|[srht-todo-core](/~dricottone/container-images/tree/dev/item/srht-todo-core/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-todo-core:latest`|
+|[srht-todo-lmtp](/~dricottone/container-images/tree/dev/item/srht-todo-lmtp/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-todo-lmtp:latest`|
+|[srht-todo-webhooks](/~dricottone/container-images/tree/dev/item/srht-todo-webhooks/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-todo-webhooks:latest`|
A postfix/Dockerfile => postfix/Dockerfile +23 -0
@@ 0,0 1,23 @@
+FROM docker.io/library/alpine:latest
+
+COPY aliases /etc/postfix/aliases
+COPY *.cf /etc/postfix/
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+RUN mkdir /etc/postfix/sasl && chmod 700 /etc/postfix/sasl
+
+RUN addgroup -S mailer
+RUN adduser -SD -s /bin/sh -G mailer -g mailer mailer
+
+RUN apk add --no-cache postfix
+
+EXPOSE 25
+EXPOSE 465
+EXPOSE 587
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["postfix", "start-fg"]
+
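Review bot: The base image on the first line is `docker.io/library/alpine:latest`, an unpinned floating tag, while `srht-core` in the same commit pins `alpine:3.17`; every `make image` run can silently pick up a different Alpine and Postfix release, which defeats reproducible, auditable builds for an MTA that holds relay credentials. Pin it to a release (`FROM docker.io/library/alpine:3.17`) or a digest and bump it deliberately. The `COPY *.cf /etc/postfix/` also lands before `apk add --no-cache postfix`, so the image relies on apk's handling of pre-existing files under `/etc` to keep these configs; installing the package first and copying the configuration afterward makes the intent explicit and removes that dependency.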
A postfix/Makefile => postfix/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=postfix
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A postfix/README.md => postfix/README.md +66 -0
@@ 0,0 1,66 @@
+# postfix
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Can be used with any container manager toolchain.
+
+Create a `generic(5)` file in `$genericfile`.
+Mail with recipient addresses matching the patterns will be rewritten.
+It must also be owned (on the host system) by the user that will create the
+container (i.e. `root` for conventional `docker(1)` deployments).
+It should like like:
+
+```
+root@localhost example@gmail.com
+@localhost example@gmail.com
+```
+
+Create a `transport(5)` file in `$transportfile`.
+Mail is routed based on which pattern the recipient address matches.
+It must also be owned (on the host system) by the user that will create the
+container (i.e. `root` for conventional `docker(1)` deployments).
+It should look like:
+
+```
+example.com local
+.example.com local
+* relay:[smtp.gmail.com]:587
+```
+
+Create an authentication file in `$saslfile`.
+This is required for relaying mail to major email providers, including GMail.
+It must also be owned (on the host system) by the user that will create the
+container (i.e. `root` for conventional `docker(1)` deployments).
+It should look like:
+
+```
+[smtp.gmail.com]:587 example@gmail.com:wwwwxxxxyyyyzzzz
+```
+
+Create a configuration file in `$conffile`.
+
+Try:
+
+```
+$conman run --detach --name postfix --restart always \
+ --mount type=bind,src=$genericfile,dst=/etc/postfix/generic,readonly \
+ --mount type=bind,src=$transportfile,dst=/etc/postfix/transport,readonly \
+ --mount type=bind,src=$saslfile,dst=/etc/postfix/sasl/sasl_passwd,readonly \
+ --mount type=bind,src=$conffile,dst=/etc/postfix/main.cf,readonly \
+ registry.intra.dominic-ricottone.com/postfix:latest
+```
+
A postfix/aliases => postfix/aliases +16 -0
@@ 0,0 1,16 @@
+root: mailer
+MAILER-DAEMON: mailer
+postmaster: mailer
+bin: mailer
+daemon: mailer
+named: mailer
+nobody: mailer
+uucp: mailer
+www: mailer
+ftp-bugs: mailer
+postfix: mailer
+manager: mailer
+dumper: mailer
+operator: mailer
+abuse: mailer
+decode: mailer
A postfix/entrypoint.sh => postfix/entrypoint.sh +8 -0
@@ 0,0 1,8 @@
+#!/bin/sh
+newaliases
+postmap /etc/postfix/transport
+postmap /etc/postfix/generic
+postmap /etc/postfix/sasl/sasl_passwd
+
+exec "$@"
+
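Review bot: The script has no `set -e`, so if any `postmap` call fails (for example because a mounted file is missing or unreadable) the error is only printed and `exec "$@"` still starts Postfix against stale or absent `.lmdb` maps; for `sasl_passwd` that means relay attempts go out without credentials. Add `set -eu` after the shebang so a broken map build aborts the container instead of starting a misconfigured MTA. The generated `/etc/postfix/sasl/sasl_passwd.lmdb` holds the relay password in clear; the directory is `chmod 700` in the Dockerfile, but `chmod 600 /etc/postfix/sasl/sasl_passwd.lmdb` after the postmap call keeps the file itself locked down if that directory mode is ever relaxed.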
A postfix/main.cf => postfix/main.cf +58 -0
@@ 0,0 1,58 @@
+# postfix main configuration file
+# see `postconf(5)` or https://www.postfix.org/BASIC_CONFIGURATION_README.html
+
+compatibility_level = 3.6
+
+# Allowed interfaces and addresses
+inet_protocols = ipv4
+mynetworks = 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
+
+# Values for default settings
+mydomain = dominic-ricottone.com
+myhostname = fedora3.$mydomain
+mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
+myorigin = $mydomain
+
+# Advertise host name after SMTP 200
+smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+
+# Address rewriting
+smtp_generic_maps = lmdb:/etc/postfix/generic
+
+# Transport map
+transport_maps = lmdb:/etc/postfix/transport
+
+# Authentication
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
+smtp_sasl_security_options = noanonymous
+
+# Encryption
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_tls_security_level = encrypt
+
+# If set, mail destined for any member of `$mydestination` would be rejected if user lookup failed
+local_recipient_maps =
+
+# Local management
+mail_owner = postfix
+setgid_group = postdrop
+
+home_mailbox = Maildir/
+
+sendmail_path = /usr/sbin/sendmail
+newaliases_path = /usr/bin/newaliases
+mailq_path = /usr/bin/mailq
+
+command_directory = /usr/sbin
+daemon_directory = /usr/libexec/postfix
+data_directory = /var/lib/postfix
+html_directory = no
+manpage_directory = /usr/share/man
+mail_spool_directory = /var/spool/mail
+meta_directory = /etc/postfix
+queue_directory = /var/spool/postfix
+readme_directory = /usr/share/doc/postfix/readme
+sample_directory = /etc/postfix
+shlib_directory = /usr/lib/postfix
+
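Review bot: `smtp_tls_security_level = encrypt` under the Encryption heading enforces TLS but does not verify the relay's certificate, so the `smtp_tls_CAfile` set just above it is unused and the SASL credentials from `sasl_passwd` would be sent to any server that answers at `[smtp.gmail.com]:587` with a self-signed certificate. For a fixed, credentialed relay use `smtp_tls_security_level = secure` (or `verify`) so the CA file actually gates the handshake. Separately, `mynetworks` grants relay rights to all of 10/8, 172.16/12 and 192.168/16, i.e. every container network and LAN the host can see, which is likely broader than intended; narrow it to the subnets that should inject mail, or state `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject` explicitly so the relay policy is visible in this file.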
A postfix/master.cf => postfix/master.cf +88 -0
@@ 0,0 1,88 @@
+# postfix master configuration file
+# see `master(5)` or https://www.postfix.org/master.5.html
+#
+# A line beginning with `#` is ignored.
+# A line beginning with non-whitespace is a logical line.
+# A line beginning with whitespace is a continuation of a logical line.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+#smtp inet n - n - 1 postscreen
+#smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
+#tlsproxy unix - - n - 0 tlsproxy
+submission inet n - n - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+ -o smtpd_relay_restrictions=permit
+# -o milter_macro_daemon_name=ORIGINATING
+smtps inet n - n - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - n - - qmqpd
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+# ====================================================================
+# non-Postfix software
+# ====================================================================
+#maildrop unix - n n - - pipe
+# flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#cyrus unix - n n - - pipe
+# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#uucp unix - n n - - pipe
+# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#ifmail unix - n n - - pipe
+# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#bsmtp unix - n n - - pipe
+# flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient
+#scalemail-backend unix - n n - 2 pipe
+# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+# ${nexthop} ${user} ${extension}
+#mailman unix - n n - - pipe
+# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+# ${nexthop} ${user}
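Review bot: The `submission` service on port 587 is started with `-o smtpd_relay_restrictions=permit` as its only active override, while the `smtpd_sasl_auth_enable=yes` and `smtpd_tls_security_level=encrypt` lines for it remain commented out; any client that can reach that port may relay arbitrary mail through the configured upstream account with no authentication, i.e. an open relay wherever 587 is published (the Dockerfile also `EXPOSE`s it). Either drop the override so the main.cf defaults (`permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`) apply, or restrict it to `-o smtpd_relay_restrictions=permit_mynetworks,reject` if this is only meant as an internal submission point. Note also that `smtps` on 465 runs as a plain `smtpd` with `smtpd_tls_wrappermode=yes` commented out, so nothing on that port is actually TLS-wrapped; either enable wrapper mode with a server certificate or remove the service and its `EXPOSE 465`.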
A srht-core/.gitignore => srht-core/.gitignore +1 -0
A srht-core/Dockerfile => srht-core/Dockerfile +24 -0
@@ 0,0 1,24 @@
+FROM alpine:3.17
+
+RUN apk add --no-cache wget
+
+RUN mv /etc/apk/repositories /etc/apk/repositories.bak
+RUN arch="$(apk --print-arch)"; \
+ case "$arch" in \
+ x86_64) \
+ repouri="https://mirror.sr.ht/alpine/v3.17/sr.ht"; \
+ keyuri="https://mirror.sr.ht/alpine"; \
+ keyfile="alpine@sr.ht.rsa.pub"; \
+ ;; \
+ aarch64) \
+ repouri="https://pkg.intra.dominic-ricottone.com/alpine/v3.17"; \
+ keyuri="https://pkg.intra.dominic-ricottone.com/alpine"; \
+ keyfile="me@dominic-ricottone.com.rsa.pub"; \
+ ;; \
+ *) exit 1; ;; \
+ esac; \
+ wget --quiet --output-document=/etc/apk/keys/$keyfile $keyuri/$keyfile; \
+ echo "$repouri" | cat - /etc/apk/repositories.bak >/etc/apk/repositories
+
+COPY pgp.* /etc/sr.ht/
+
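Review bot: `COPY pgp.* /etc/sr.ht/` at the end bakes what the README describes as a passwordless PGP key pair (presumably including the secret key) into an image layer that `make image` pushes to the registry; anyone who can pull `srht-core:latest`, or any of the `srht-*` images derived from it in this commit, can extract the private key with `docker save`. Mount the key at run time instead (`--mount type=bind,src=$pgpkey,dst=/etc/sr.ht/pgp.key,readonly` on the service containers) or, if it must exist at build time, use a BuildKit secret (`RUN --mount=type=secret,id=pgp ...`) so it never lands in a layer. The repository signing key fetched with `wget` is trusted on first use; pinning its expected digest with `echo "<sha256>  /etc/apk/keys/$keyfile" | sha256sum -c` before writing the repositories file would close that gap if either mirror is compromised.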
A srht-core/Makefile => srht-core/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-core
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-core/README.md => srht-core/README.md +26 -0
@@ 0,0 1,26 @@
+# srht-core
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+A base image that sorts out the installation of architecture-dependent
+package repositories.
+
+Requires a pair of passwordless PGP keys.
+Try `gpg --edit-key KEYID` to remove the password,
+then export with `gpg --armor --export-options export-minimal --export KEYID`
+and `gpg --armor --export-secret-key KEYID`.
+
A srht-git-api/Dockerfile => srht-git-api/Dockerfile +4 -0
@@ 0,0 1,4 @@
+FROM registry.intra.dominic-ricottone.com/srht-git-core:latest
+
+CMD ["gitsrht-api", "-b", ":5101"]
+
A srht-git-api/Makefile => srht-git-api/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-git-api
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-git-api/README.md => srht-git-api/README.md +40 -0
@@ 0,0 1,40 @@
+# srht-git-api
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the API server for a sr.ht system's git service.
+
+Used by proxying from `nginx(8)`.
+The below location should be added to the server configuration for
+`git.example.com`.
+
+```
+location /query {
+ proxy_pass http://localhost:5101;
+}
+```
+
+The container needs to be reachable from `nginx(8)` on port 5101.
+Consider either using a pod or creating a bridge network.
+It also needs to have the git repositories mounted to `/var/lib/git`.
+
+```
+$conman run --detach --name srht-git-api --restart always \
+ --mount type=bind,src=/host/path/to/git/repos,dst=/var/lib/git,z \
+ registry.intra.dominic-ricottone.com/srht-git-api:latest
+```
+
A srht-git-core/Dockerfile => srht-git-core/Dockerfile +17 -0
@@ 0,0 1,17 @@
+FROM registry.intra.dominic-ricottone.com/srht-core:latest
+
+# user `git` should be created with PID=100:GID=101
+RUN addgroup -S git
+RUN adduser -SD -h /var/lib/git -s /bin/sh -G git -g git git
+
+VOLUME /var/lib/git
+RUN chown git:git /var/lib/git
+
+RUN apk add --no-cache git.sr.ht py3-srht py3-gunicorn
+
+USER git
+
+ENV HOME=/var/lib/git
+
+CMD ["gunicorn", "gitsrht.app:app", "-b", "127.0.0.1:5001", "-c", "/etc/sr.ht/git.sr.ht.gunicorn.conf.py"]
+
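Review bot: The comment says the `git` user should be `100:101`, but `addgroup -S git` / `adduser -SD ... git` let BusyBox pick the next free system IDs, so nothing guarantees those numbers and they can differ between this image, `srht-git-fcgi` and `srht-git-ssh`, all of which bind-mount the same host repository tree; a mismatch shows up as permission errors or as repositories owned by an unrelated host account. Pin them explicitly with `RUN addgroup -S -g 101 git` and `RUN adduser -S -D -u 100 -h /var/lib/git -s /bin/sh -G git -g git git` (and `PID` in the comment should read `UID`). The `chown git:git /var/lib/git` after the `VOLUME` declaration may be discarded by the classic builder, so move it before `VOLUME`; and since the README suggests a bridge network, note that gunicorn bound to `127.0.0.1:5001` is only reachable from a shared network namespace, not across a bridge.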
A srht-git-core/Makefile => srht-git-core/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-git-core
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-git-core/README.md => srht-git-core/README.md +44 -0
@@ 0,0 1,44 @@
+# srht-git-core
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the web server for a sr.ht system's git service.
+
+Used by proxying from `nginx(8)`.
+The below location should be added to the server configuration for
+`git.example.com`.
+
+```
+location / {
+ proxy_pass http://localhost:5001;
+}
+
+location = /authorize {
+ proxy_pass http://localhost:5001;
+}
+```
+
+The container needs to be reachable from `nginx(8)` on port 5001.
+Consider either using a pod or creating a bridge network.
+It also needs to have the git repositories mounted to `/var/lib/git`.
+
+```
+$conman run --detach --name srht-git-core --restart always \
+ --mount type=bind,src=/host/path/to/git/repos,dst=/var/lib/git,z \
+ registry.intra.dominic-ricottone.com/srht-git-core:latest
+```
+
A srht-git-fcgi/Dockerfile => srht-git-fcgi/Dockerfile +12 -0
@@ 0,0 1,12 @@
+FROM registry.intra.dominic-ricottone.com/fcgi:latest
+
+VOLUME /var/lib/git
+
+# user `git` should be created with PID=100:GID=101
+RUN addgroup -S git
+RUN adduser -SD -h /var/lib/git -s /bin/sh -G git -g git git
+
+RUN apk add --no-cache git-daemon
+
+USER git
+
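Review bot: As in `srht-git-core`, the `git` user here is created with `addgroup -S` / `adduser -SD`, which do not pin the `100:101` the comment asks for, yet this container must read the same bind-mounted `/var/lib/git` as the core and ssh images; give all of them the same explicit IDs (`addgroup -S -g 101 git`, `adduser -S -D -u 100 ...`). `VOLUME /var/lib/git` is declared before the user exists, so the directory is created root-owned, and if the builder discards later changes to a declared volume a `chown` cannot repair it; declare `VOLUME` last. Since this image serves repositories over HTTP and never needs an interactive shell, `-s /sbin/nologin` instead of `/bin/sh` would also remove one escalation convenience.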
A srht-git-fcgi/Makefile => srht-git-fcgi/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-git-fcgi
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-git-fcgi/README.md => srht-git-fcgi/README.md +45 -0
@@ 0,0 1,45 @@
+# srht-git-fcgi
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the FastCGI server for a sr.ht system's git service.
+
+Used by proxying from `nginx(8)`.
+The below location should be added to the server configuration for
+`git.example.com`.
+
+```
+location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
+ auth_request /authorize;
+ root /var/lib/git;
+ fastcgi_pass localhost:9000;
+ fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param GIT_PROJECT_ROOT $document_root;
+}
+```
+
+The container needs to be reachable from `nginx(8)` on port 9000.
+Consider either using a pod or creating a bridge network.
+It also needs to have the git repositories mounted to `/var/lib/git`.
+
+```
+$conman run --detach --name srht-git-fcgi --restart always \
+ --mount type=bind,src=/host/path/to/git/repos,dst=/var/lib/git,z \
+ registry.intra.dominic-ricottone.com/srht-git-fcgi:latest
+```
+
A srht-git-ssh/.gitignore => srht-git-ssh/.gitignore +3 -0
@@ 0,0 1,3 @@
+*_key
+*_key.pub
+
A srht-git-ssh/Dockerfile => srht-git-ssh/Dockerfile +20 -0
@@ 0,0 1,20 @@
+FROM registry.intra.dominic-ricottone.com/srht-git-core:latest
+
+USER root
+
+RUN apk add --no-cache openssh
+
+COPY ssh* /etc/ssh/
+RUN chmod 600 /etc/ssh/*_key
+RUN chmod 644 /etc/ssh/*_key.pub
+
+RUN touch /var/log/gitsrht-shell
+RUN chmod 666 /var/log/gitsrht-shell
+
+RUN touch /var/log/gitsrht-update-hook
+RUN chmod 666 /var/log/gitsrht-update-hook
+
+EXPOSE 22
+
+CMD ["/usr/sbin/sshd", "-D", "-e"]
+
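Review bot: `COPY ssh* /etc/ssh/` copies the generated `ssh_host_*_key` private keys into an image layer that is pushed to the registry, so every principal with pull access holds the host's identity and can impersonate the git SSH endpoint to clients that have already pinned it; `.gitignore` keeps the keys out of git but not out of the image. Generate or mount the host keys at run time instead, e.g. a bind mount of a host directory onto `/etc/ssh`, or `ssh-keygen -A` in an entrypoint with the keys on a volume. The `chmod 666` on the two log files makes them world-writable for any process in the container; the writer is presumably the `git` user from the base image, so `chown git:git` with `0644` is sufficient and keeps other accounts from forging or truncating the audit trail.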
A srht-git-ssh/Makefile => srht-git-ssh/Makefile +18 -0
@@ 0,0 1,18 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-git-ssh
+TAG=latest
+
+KEYS=ssh_host_dsa_key.pub ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub ssh_host_dsa_key ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
+
+image: $(KEYS)
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+$(KEYS):
+ ssh-keygen -A -f ./
+
+.PHONY: image
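Review bot: `ssh-keygen -A -f ./` treats `-f` as a prefix to the default host-key path, so per ssh-keygen(1) it writes to `./etc/ssh/ssh_host_*_key` rather than the `$(KEYS)` listed at the build-context root, and make will not notice because it never checks that a recipe produced its target; recent OpenSSH releases also no longer emit a DSA key from `-A`, and DSA host keys have been disabled by default since OpenSSH 7.0, so `ssh_host_dsa_key` should not be requested at all. Replace the rule with an explicit pattern that generates each key with an empty passphrase, `ssh_host_%_key ssh_host_%_key.pub:` followed by `ssh-keygen -t $* -N '' -f ssh_host_$*_key`, and reduce `KEYS` to the ed25519 and rsa (optionally ecdsa) pairs. Keep in mind these files are then copied into the image by the Dockerfile, which is the larger concern raised there.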
A srht-git-ssh/README.md => srht-git-ssh/README.md +33 -0
@@ 0,0 1,33 @@
+# srht-git-ssh
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the SSH server for a sr.ht system's git service.
+
+The container needs to have the git repositories mounted to `/var/lib/git`.
+
+```
+$conman run --detach --name srht-git-ssh --restart always \
+ --mount type=bind,src=/host/path/to/git/repos,dst=/var/lib/git,z \
+ registry.intra.dominic-ricottone.com/srht-git-ssh:latest
+```
+
+The server will listen on port 22.
+
+After starting the container, log in and set the password for the git user.
+This needs to be done interactively.
+
A srht-git-ssh/sshd_config => srht-git-ssh/sshd_config +118 -0
@@ 0,0 1,118 @@
+# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+AuthorizedKeysCommand /usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
+AuthorizedKeysCommandUser root
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+# Feel free to re-enable these if your use case requires them.
+AllowTcpForwarding yes
+GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+PermitUserEnvironment SRHT_*
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
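Review bot: Password and keyboard-interactive authentication are left at their defaults (`#PasswordAuthentication yes`, `#KbdInteractiveAuthentication yes`), and the README tells the operator to set a password on the `git` account after start-up, so port 22 accepts password guessing against a known username; for a git service, authentication should come only from the keys `gitsrht-dispatch` returns. Set `PasswordAuthentication no`, `KbdInteractiveAuthentication no` and `PermitRootLogin no`, and unlock the account without giving it a password (`passwd -u git`, or an `*` shadow entry), since Alpine's `adduser -D` presumably leaves the account locked, which is why the README step exists. `AllowTcpForwarding yes` (its comment says "re-enable ... if your use case requires them" but it is already on) lets any authenticated git user open TCP tunnels into the container network, including the `.intra` services; set `AllowTcpForwarding no`, `AllowAgentForwarding no` and `PermitTunnel no` unless something needs them. `AuthorizedKeysCommandUser root` follows the sr.ht install notes but runs the dispatcher fully privileged; if it does not actually require root, a dedicated low-privilege user limits the blast radius of a bug in it.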
A srht-git-webhooks/Dockerfile => srht-git-webhooks/Dockerfile +4 -0
@@ 0,0 1,4 @@
+FROM registry.intra.dominic-ricottone.com/srht-git-core:latest
+
+CMD ["celery", "-A", "gitsrht.webhooks", "worker", "--loglevel=info"]
+
A srht-git-webhooks/Makefile => srht-git-webhooks/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-git-webhooks
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-git-webhooks/README.md => srht-git-webhooks/README.md +25 -0
@@ 0,0 1,25 @@
+# srht-git-webhooks
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the web workers for a sr.ht system's git service.
+
+```
+$conman run --detach --name srht-git-webhooks --restart always \
+ registry.intra.dominic-ricottone.com/srht-git-webhooks:latest
+```
+
A srht-meta-api/Dockerfile => srht-meta-api/Dockerfile +4 -0
@@ 0,0 1,4 @@
+FROM registry.intra.dominic-ricottone.com/srht-meta-core:latest
+
+CMD ["metasrht-api", "-b", ":5100"]
+
A srht-meta-api/Makefile => srht-meta-api/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-meta-api
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-meta-api/README.md => srht-meta-api/README.md +38 -0
@@ 0,0 1,38 @@
+# srht-meta-api
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the API server for a sr.ht system's user account service.
+
+Used by proxying from `nginx(8)`.
+The below location should be added to the server configuration for
+`meta.example.com`.
+
+```
+location /query {
+ proxy_pass http://localhost:5100;
+}
+```
+
+The container needs to be reachable from `nginx(8)` on port 5100.
+Consider either using a pod or creating a bridge network.
+
+```
+$conman run --detach --name srht-meta-api --restart always \
+ registry.intra.dominic-ricottone.com/srht-meta-api:latest
+```
+
A srht-meta-core/Dockerfile => srht-meta-core/Dockerfile +10 -0
@@ 0,0 1,10 @@
+FROM registry.intra.dominic-ricottone.com/srht-core:latest
+
+RUN apk add --no-cache meta.sr.ht py3-srht py3-gunicorn
+
+# user `meta` is created by a post-installation hook in `meta.sr.ht`
+# the UID/GID do not matter, so allow the hook to manage it
+USER meta
+
+CMD ["gunicorn", "metasrht.app:app", "-b", "127.0.0.1:5000", "-c", "/etc/sr.ht/meta.sr.ht.gunicorn.conf.py"]
+
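Review bot: `gunicorn ... -b 127.0.0.1:5000` binds the loopback interface only, while the README for this image says nginx must reach it on port 5000 and suggests "a pod or ... a bridge network"; on a bridge network this container's loopback is unreachable from the nginx container, so only the shared-namespace deployment can work, whereas the `-api` images in this commit bind `:5100` on all interfaces. Either bind to `0.0.0.0:5000` and rely on the container network for isolation (never publishing the port to the host), or state in the README that a shared network namespace is required. The same applies to `srht-git-core` (`127.0.0.1:5001`) and `srht-todo-core` (`127.0.0.1:5003`).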
A srht-meta-core/Makefile => srht-meta-core/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-meta-core
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-meta-core/README.md => srht-meta-core/README.md +47 -0
@@ 0,0 1,47 @@
+# srht-meta-core
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the web server for a sr.ht system's user account service.
+
+Used by proxying from `nginx(8)`.
+The below location should be added to the server configuration for
+`meta.example.com`.
+
+```
+location / {
+ proxy_pass http://localhost:5000;
+}
+
+location = /register {
+ proxy_pass http://localhost:5000;
+}
+
+location /.well-known/oauth-authorization-server {
+ proxy_pass http://localhost:5000;
+}
+
+```
+
+The container needs to be reachable from `nginx(8)` on port 5000.
+Consider either using a pod or creating a bridge network.
+
+```
+$conman run --detach --name srht-meta-core --restart always \
+ registry.intra.dominic-ricottone.com/srht-meta-core:latest
+```
+
A srht-meta-webhooks/Dockerfile => srht-meta-webhooks/Dockerfile +4 -0
@@ 0,0 1,4 @@
+FROM registry.intra.dominic-ricottone.com/srht-meta-core:latest
+
+CMD ["celery", "-A", "metasrht.webhooks", "worker", "--loglevel=info"]
+
A srht-meta-webhooks/Makefile => srht-meta-webhooks/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-meta-webhooks
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-meta-webhooks/README.md => srht-meta-webhooks/README.md +25 -0
@@ 0,0 1,25 @@
+# srht-meta-webhooks
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the web workers for a sr.ht system's user account service.
+
+```
+$conman run --detach --name srht-meta-webhooks --restart always \
+ registry.intra.dominic-ricottone.com/srht-meta-webhooks:latest
+```
+
A srht-nginx/Dockerfile => srht-nginx/Dockerfile +10 -0
@@ 0,0 1,10 @@
+FROM registry.intra.dominic-ricottone.com/srht-core:latest AS builder
+
+RUN apk add --no-cache git.sr.ht meta.sr.ht todo.sr.ht
+
+FROM registry.intra.dominic-ricottone.com/nginx:latest
+
+COPY --from=builder /usr/lib/python3.10/site-packages/gitsrht /var/www/gitsrht/
+COPY --from=builder /usr/lib/python3.10/site-packages/metasrht /var/www/metasrht/
+COPY --from=builder /usr/lib/python3.10/site-packages/todosrht /var/www/todosrht/
+
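Review bot: The three `COPY --from=builder` lines copy whole Python packages (`gitsrht`, `metasrht`, `todosrht`, including `.py` sources and templates) into `/var/www/`, where the nginx base image will serve them as static files if any `root` or `alias` points there; the asset nginx needs is presumably only the `static/` subdirectory, so copy that alone (`COPY --from=builder /usr/lib/python3.10/site-packages/gitsrht/static /var/www/gitsrht/static/`) and keep application code out of the document root. The `python3.10` path is also hard-coded, so bumping `srht-core` to an Alpine with a newer Python silently breaks the build, or with `latest` tags the next rebuild. Use a glob (`/usr/lib/python3.*/site-packages/gitsrht/static`) or stage the assets into a fixed directory in the builder stage and copy from there.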
A srht-nginx/Makefile => srht-nginx/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-nginx
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-nginx/README.md => srht-nginx/README.md +20 -0
@@ 0,0 1,20 @@
+# srht-nginx
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the static content server and caching reverse proxy for a sr.ht system.
+
A srht-todo-api/Dockerfile => srht-todo-api/Dockerfile +4 -0
@@ 0,0 1,4 @@
+FROM registry.intra.dominic-ricottone.com/srht-todo-core:latest
+
+CMD ["todosrht-api", "-b", ":5103"]
+
A srht-todo-api/Makefile => srht-todo-api/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-todo-api
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-todo-api/README.md => srht-todo-api/README.md +38 -0
@@ 0,0 1,38 @@
+# srht-todo-api
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the API server for a sr.ht system's issue tracker service.
+
+Used by proxying from `nginx(8)`.
+The below location should be added to the server configuration for
+`todo.example.com`.
+
+```
+location /query {
+ proxy_pass http://localhost:5103;
+}
+```
+
+The container needs to be reachable from `nginx(8)` on port 5103.
+Consider either using a pod or creating a bridge network.
+
+```
+$conman run --detach --name srht-todo-api --restart always \
+ registry.intra.dominic-ricottone.com/srht-todo-api:latest
+```
+
A srht-todo-core/Dockerfile => srht-todo-core/Dockerfile +10 -0
@@ 0,0 1,10 @@
+FROM registry.intra.dominic-ricottone.com/srht-core:latest
+
+RUN apk add --no-cache todo.sr.ht py3-srht py3-gunicorn
+
+# user `todo` is created by a post-installation hook in `todo.sr.ht`
+# the UID/GID do not matter, so allow the hook to manage it
+USER todo
+
+CMD ["gunicorn", "todosrht.app:app", "-b", "127.0.0.1:5003", "-c", "/etc/sr.ht/todo.sr.ht.gunicorn.conf.py"]
+
A srht-todo-core/Makefile => srht-todo-core/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-todo-core
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-todo-core/README.md => srht-todo-core/README.md +38 -0
@@ 0,0 1,38 @@
+# srht-todo-core
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the web server for a sr.ht system's issue tracker service.
+
+Used by proxying from `nginx(8)`.
+The below location should be added to the server configuration for
+`todo.example.com`.
+
+```
+location / {
+ proxy_pass http://localhost:5003;
+}
+```
+
+The container needs to be reachable from `nginx(8)` on port 5003.
+Consider either using a pod or creating a bridge network.
+
+```
+$conman run --detach --name srht-todo-core --restart always \
+ registry.intra.dominic-ricottone.com/srht-todo-core:latest
+```
+
A srht-todo-lmtp/Dockerfile => srht-todo-lmtp/Dockerfile +10 -0
@@ 0,0 1,10 @@
+FROM registry.intra.dominic-ricottone.com/srht-todo-core:latest
+
+USER root
+
+RUN apk add --no-cache postfix
+
+USER postfix
+
+CMD ["todosrht-lmtp"]
+
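Review bot: `USER postfix` relies on the account created by installing the entire `postfix` package, whose UID is whatever apk assigns inside this image, yet the socket `todosrht-lmtp` creates under the bind-mounted `/var/socks` must be opened by the host's Postfix running as the host's `postfix` UID; unless the two happen to coincide, the host MTA either cannot connect or the operator loosens the socket mode to world-accessible. Create the account with an explicit ID that matches the host (`RUN addgroup -S -g <host gid> postfix && adduser -S -D -u <host uid> -G postfix postfix`) instead of pulling a full MTA into the image just for its user, and document the required host UID/GID in the README. If the full package is kept on purpose, say so in a comment, since the image otherwise carries an unused `smtpd` and `sendmail` attack surface.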
A srht-todo-lmtp/Makefile => srht-todo-lmtp/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-todo-lmtp
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-todo-lmtp/README.md => srht-todo-lmtp/README.md +28 -0
@@ 0,0 1,28 @@
+# srht-todo-lmtp
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the LMTP server for a sr.ht system's issue tracker service.
+
+The container needs to be have a sockets directory mounted.
+
+```
+$conman run --detach --name srht-todo-lmtp --restart always \
+ --mount type=bind,src=$socksdir,dst=/var/socks \
+ registry.intra.dominic-ricottone.com/srht-todo-lmtp:latest
+```
+
A srht-todo-webhooks/Dockerfile => srht-todo-webhooks/Dockerfile +4 -0
@@ 0,0 1,4 @@
+FROM registry.intra.dominic-ricottone.com/srht-todo-core:latest
+
+CMD ["celery", "-A", "todosrht.webhooks", "worker", "--loglevel=info"]
+
A srht-todo-webhooks/Makefile => srht-todo-webhooks/Makefile +13 -0
@@ 0,0 1,13 @@
+CONMAN=sudo docker
+
+REGISTRY=registry.intra.dominic-ricottone.com
+IMAGE=srht-todo-webhooks
+TAG=latest
+
+image:
+ $(CONMAN) buildx build --push \
+ --platform linux/arm64,linux/amd64 \
+ --tag $(REGISTRY)/$(IMAGE):$(TAG) \
+ .
+
+.PHONY: image
A srht-todo-webhooks/README.md => srht-todo-webhooks/README.md +25 -0
@@ 0,0 1,25 @@
+# srht-todo-webhooks
+
+
+## Build and Deploy
+
+```
+make image
+```
+
+
+### Tags
+
+ + `latest`
+
+----
+
+## Use
+
+Deploy the web workers for a sr.ht system's issue tracker service.
+
+```
+$conman run --detach --name srht-todo-webhooks --restart always \
+ registry.intra.dominic-ricottone.com/srht-todo-webhooks:latest
+```
+