~dricottone/container-images

bea5baf47cb3d3cbac3ddffe32e35d334650a101 — Dominic Ricottone 1 year, 6 months ago 8435da1
sr.ht

Adding a postfix server image.

Adding images for the sr.ht system (meta+todo+git).
M README.md => README.md +15 -1
@@ 8,4 8,18 @@
|[nginx](/~dricottone/container-images/tree/dev/item/nginx/README.md)|latest|`registry.intra.dominic-ricottone.com/nginx:latest`|
|[nitter](/~dricottone/container-images/tree/dev/item/nitter/README.md)|amd64,arm64|`registry.intra.dominic-ricottone.com/nitter:amd64`|
|[php](/~dricottone/container-images/tree/dev/item/php/README.md)|latest,readwrite,fpm,development,fpm-development|`registry.intra.dominic-ricottone.com/php:latest`|

|[postfix](/~dricottone/container-images/tree/dev/item/postfix/README.md)|latest|`registry.intra.dominic-ricottone.com/postfix:latest`|
|[srht-core](/~dricottone/container-images/tree/dev/item/srht-core/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-core:latest`|
|[srht-git-api](/~dricottone/container-images/tree/dev/item/srht-git-api/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-api:latest`|
|[srht-git-core](/~dricottone/container-images/tree/dev/item/srht-git-core/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-core:latest`|
|[srht-git-fcgi](/~dricottone/container-images/tree/dev/item/srht-git-fcgi/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-fcgi:latest`|
|[srht-git-ssh](/~dricottone/container-images/tree/dev/item/srht-git-ssh/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-ssh:latest`|
|[srht-git-webhooks](/~dricottone/container-images/tree/dev/item/srht-git-webhooks/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-git-webhooks:latest`|
|[srht-meta-api](/~dricottone/container-images/tree/dev/item/srht-meta-api/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-meta-api:latest`|
|[srht-meta-core](/~dricottone/container-images/tree/dev/item/srht-meta-core/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-meta-core:latest`|
|[srht-meta-webhooks](/~dricottone/container-images/tree/dev/item/srht-meta-webhooks/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-meta-webhooks:latest`|
|[srht-nginx](/~dricottone/container-images/tree/dev/item/srht-nginx/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-nginx:latest`|
|[srht-todo-api](/~dricottone/container-images/tree/dev/item/srht-todo-api/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-todo-api:latest`|
|[srht-todo-core](/~dricottone/container-images/tree/dev/item/srht-todo-core/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-todo-core:latest`|
|[srht-todo-lmtp](/~dricottone/container-images/tree/dev/item/srht-todo-lmtp/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-todo-lmtp:latest`|
|[srht-todo-webhooks](/~dricottone/container-images/tree/dev/item/srht-todo-webhooks/README.md)|latest|`registry.intra.dominic-ricottone.com/srht-todo-webhooks:latest`|

A postfix/Dockerfile => postfix/Dockerfile +23 -0
@@ 0,0 1,23 @@
FROM docker.io/library/alpine:latest

COPY aliases /etc/postfix/aliases
COPY *.cf /etc/postfix/

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

RUN mkdir /etc/postfix/sasl && chmod 700 /etc/postfix/sasl

RUN addgroup -S mailer
RUN adduser -SD -s /bin/sh -G mailer -g mailer mailer

RUN apk add --no-cache postfix

EXPOSE 25
EXPOSE 465
EXPOSE 587

ENTRYPOINT ["/entrypoint.sh"]

CMD ["postfix", "start-fg"]
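Review bot: `FROM docker.io/library/alpine:latest` is unpinned while srht-core in this same commit pins `alpine:3.17`; pin the release here too so a rebuild of `postfix:latest` cannot silently pick up a new Alpine and postfix major. Also `COPY *.cf /etc/postfix/` runs before `RUN apk add --no-cache postfix`, so the package's own main.cf and master.cf are installed on top of files that already exist; move the COPY after the apk step, or at least check the built image to confirm `/etc/postfix/main.cf` is the repository copy and not the package default or a `main.cf.apk-new` left beside it.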


A postfix/Makefile => postfix/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=postfix
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A postfix/README.md => postfix/README.md +66 -0
@@ 0,0 1,66 @@
# postfix


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Can be used with any container manager toolchain.

Create a `generic(5)` file in `$genericfile`.
Mail with recipient addresses matching the patterns will be rewritten.
It must also be owned (on the host system) by the user that will create the
container (i.e. `root` for conventional `docker(1)` deployments).
It should like like:

```
root@localhost example@gmail.com
@localhost     example@gmail.com
```

Create a `transport(5)` file in `$transportfile`.
Mail is routed based on which pattern the recipient address matches.
It must also be owned (on the host system) by the user that will create the
container (i.e. `root` for conventional `docker(1)` deployments).
It should look like:

```
example.com  local
.example.com local
*            relay:[smtp.gmail.com]:587
```

Create an authentication file in `$saslfile`.
This is required for relaying mail to major email providers, including GMail.
It must also be owned (on the host system) by the user that will create the
container (i.e. `root` for conventional `docker(1)` deployments).
It should look like:

```
[smtp.gmail.com]:587 example@gmail.com:wwwwxxxxyyyyzzzz
```

Create a configuration file in `$conffile`.

Try:

```
$conman run --detach --name postfix --restart always \
  --mount type=bind,src=$genericfile,dst=/etc/postfix/generic,readonly \
  --mount type=bind,src=$transportfile,dst=/etc/postfix/transport,readonly \
  --mount type=bind,src=$saslfile,dst=/etc/postfix/sasl/sasl_passwd,readonly \
  --mount type=bind,src=$conffile,dst=/etc/postfix/main.cf,readonly \
  registry.intra.dominic-ricottone.com/postfix:latest
```
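Review bot: the `$saslfile` section only says the file must be owned by the container creator, but it holds a plaintext relay password; say that it must also be mode 0600 on the host, since the host copy is what is at risk (inside the container it sits in the 0700 `/etc/postfix/sasl` directory). Smaller points: "It should like like:" under the generic(5) step is a typo for "look like"; the `$conffile` step gives no guidance although the image already ships a main.cf, so state that the mount replaces the baked-in file and point at it as the template; and generic(5) via `smtp_generic_maps` rewrites sender addresses on outbound mail as well, not only recipients as the text says.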


A postfix/aliases => postfix/aliases +16 -0
@@ 0,0 1,16 @@
root: mailer
MAILER-DAEMON: mailer
postmaster: mailer
bin: mailer
daemon: mailer
named: mailer
nobody: mailer
uucp: mailer
www: mailer
ftp-bugs: mailer
postfix: mailer
manager: mailer
dumper: mailer
operator: mailer
abuse: mailer
decode: mailer
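Review bot: every alias here resolves to the local `mailer` account, and with `home_mailbox = Maildir/` in main.cf the root, postmaster and abuse mail lands in that user's Maildir inside the container's writable layer; the run command in the README mounts no mailbox volume, so that mail is lost whenever the container is recreated and nobody reads it in the meantime. Point `mailer` (or `root` and `postmaster` directly) at an external address that is actually monitored, or mount the mailbox directory.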

A postfix/entrypoint.sh => postfix/entrypoint.sh +8 -0
@@ 0,0 1,8 @@
#!/bin/sh
newaliases
postmap /etc/postfix/transport
postmap /etc/postfix/generic
postmap /etc/postfix/sasl/sasl_passwd

exec "$@"
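Review bot: there is no `set -e`, so if a bind mount is missing and a `postmap` call fails the script still `exec`s postfix with whatever stale or absent `.lmdb` files are present; add `set -eu` so a broken map aborts startup visibly. `postmap /etc/postfix/sasl/sasl_passwd` also writes `sasl_passwd.lmdb` with the default umask; the Postfix SASL documentation asks for 0600 on both the source and the compiled map, and the 0700 directory only partly covers that, so chmod the generated file after postmap.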


A postfix/main.cf => postfix/main.cf +58 -0
@@ 0,0 1,58 @@
# postfix main configuration file
# see `postconf(5)` or https://www.postfix.org/BASIC_CONFIGURATION_README.html

compatibility_level = 3.6

# Allowed interfaces and addresses
inet_protocols = ipv4
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

# Values for default settings
mydomain = dominic-ricottone.com
myhostname = fedora3.$mydomain
mydestination = $myhostname, todo.$mydomain, lists.$mydomain, localhost, localhost.localdomain
myorigin = $mydomain

# Advertise host name after SMTP 200
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

# Address rewriting
smtp_generic_maps = lmdb:/etc/postfix/generic

# Transport map
transport_maps = lmdb:/etc/postfix/transport

# Authentication
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous

# Encryption
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_security_level = encrypt

# If set, mail destined for any member of `$mydestination` would be rejected if user lookup failed
local_recipient_maps =

# Local management
mail_owner = postfix
setgid_group = postdrop

home_mailbox = Maildir/

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
html_directory = no
manpage_directory = /usr/share/man
mail_spool_directory = /var/spool/mail
meta_directory = /etc/postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/readme
sample_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
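Review bot: `mynetworks` spans all of 10/8, 172.16/12 and 192.168/16, and with `smtpd_relay_restrictions` left at its default (`permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`) every host on any private range that can reach port 25 may relay through the Gmail credentials in sasl_passwd; narrow it to the container network and the specific hosts that need to send. `local_recipient_maps =` (empty) disables recipient validation for `$mydestination`, so postfix accepts mail for nonexistent local users and bounces it afterwards, which is backscatter; leave it at the default unless there is a reason not to. `smtp_tls_security_level = encrypt` enforces TLS but does not verify the relay's certificate, so `smtp_tls_CAfile` has no effect at this level; use `secure` (or `verify`) for the relay, given that the credentials travel over that connection.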


A postfix/master.cf => postfix/master.cf +88 -0
@@ 0,0 1,88 @@
# postfix master configuration file
# see `master(5)` or https://www.postfix.org/master.5.html
#
# A line beginning with `#` is ignored.
# A line beginning with non-whitespace is a logical line.
# A line beginning with whitespace is a continuation of a logical line.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
# ====================================================================
# non-Postfix software
# ====================================================================
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#mailman   unix  -       n       n       -       -       pipe
#  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}
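Review bot: the `submission` service keeps only `-o smtpd_relay_restrictions=permit` active while the TLS (`smtpd_tls_security_level=encrypt`) and SASL (`smtpd_sasl_auth_enable=yes`) overrides above it stay commented out, so port 587 is an unauthenticated, unencrypted open relay for any client that can reach it, and the Dockerfile exposes it. Either enable SASL and TLS on that service and set `smtpd_relay_restrictions=permit_sasl_authenticated,reject`, or, if only in-network senders are intended, use `permit_mynetworks,reject` and do not publish the port. The same applies to `smtps`: without `smtpd_tls_wrappermode=yes` it is just a second plain-SMTP listener on 465.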

A srht-core/.gitignore => srht-core/.gitignore +1 -0
@@ 0,0 1,1 @@
pgp.*

A srht-core/Dockerfile => srht-core/Dockerfile +24 -0
@@ 0,0 1,24 @@
FROM alpine:3.17

RUN apk add --no-cache wget

RUN mv /etc/apk/repositories /etc/apk/repositories.bak
RUN arch="$(apk --print-arch)"; \
	case "$arch" in \
		x86_64) \
			repouri="https://mirror.sr.ht/alpine/v3.17/sr.ht"; \
			keyuri="https://mirror.sr.ht/alpine"; \
			keyfile="alpine@sr.ht.rsa.pub"; \
			;; \
		aarch64) \
			repouri="https://pkg.intra.dominic-ricottone.com/alpine/v3.17"; \
			keyuri="https://pkg.intra.dominic-ricottone.com/alpine"; \
			keyfile="me@dominic-ricottone.com.rsa.pub"; \
			;; \
		*) exit 1; ;; \
	esac; \
	wget --quiet --output-document=/etc/apk/keys/$keyfile $keyuri/$keyfile; \
	echo "$repouri" | cat - /etc/apk/repositories.bak >/etc/apk/repositories

COPY pgp.* /etc/sr.ht/
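Review bot: `COPY pgp.* /etc/sr.ht/` bakes the passwordless PGP secret key into an image layer, and the Makefile pushes that image to the registry, so anyone who can pull `srht-core` (and every derived `srht-*` image) holds the signing key. Supply the secret key at run time instead (a bind mount or a secret mount) and keep only the public half in the image. The apk signing keys are likewise fetched with `wget` and trusted as-is; for the aarch64 branch the key and the packages come from the same host, so a compromised mirror can serve both. Commit the two `.rsa.pub` files to the repository and `COPY` them into `/etc/apk/keys/` so the trust decision is made once and reviewed in git.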


A srht-core/Makefile => srht-core/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-core
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-core/README.md => srht-core/README.md +26 -0
@@ 0,0 1,26 @@
# srht-core


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

A base image that sorts out the installation of architecture-dependent
package repositories.

Requires a pair of passwordless PGP keys.
Try `gpg --edit-key KEYID` to remove the password,
then export with `gpg --armor --export-options export-minimal --export KEYID`
and `gpg --armor --export-secret-key KEYID`.
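Review bot: the README never says what the exported key files must be called or where they go; the Dockerfile's `COPY pgp.*` glob and the `.gitignore` entry assume a `pgp.` prefix, so name the expected files here. It should also warn that anything matching that glob is copied into the pushed image, and since nothing in this image or the derived ones mounts the sr.ht configuration (`config.ini`) into `/etc/sr.ht`, document how that file reaches the containers.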


A srht-git-api/Dockerfile => srht-git-api/Dockerfile +4 -0
@@ 0,0 1,4 @@
FROM registry.intra.dominic-ricottone.com/srht-git-core:latest

CMD ["gitsrht-api", "-b", ":5101"]


A srht-git-api/Makefile => srht-git-api/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-git-api
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-git-api/README.md => srht-git-api/README.md +40 -0
@@ 0,0 1,40 @@
# srht-git-api


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the API server for a sr.ht system's git service.

Used by proxying from `nginx(8)`.
The below location should be added to the server configuration for
`git.example.com`.

```
location /query {
    proxy_pass http://localhost:5101;
}
```

The container needs to be reachable from `nginx(8)` on port 5101.
Consider either using a pod or creating a bridge network.
It also needs to have the git repositories mounted to `/var/lib/git`.

```
$conman run --detach --name srht-git-api --restart always \
    --mount type=bind,src=/host/path/to/git/repos,dst=/var/lib/git,z \
    registry.intra.dominic-ricottone.com/srht-git-api:latest
```


A srht-git-core/Dockerfile => srht-git-core/Dockerfile +17 -0
@@ 0,0 1,17 @@
FROM registry.intra.dominic-ricottone.com/srht-core:latest

# user `git` should be created with PID=100:GID=101
RUN addgroup -S git
RUN adduser -SD -h /var/lib/git -s /bin/sh -G git -g git git

VOLUME /var/lib/git
RUN chown git:git /var/lib/git

RUN apk add --no-cache git.sr.ht py3-srht py3-gunicorn

USER git

ENV HOME=/var/lib/git

CMD ["gunicorn", "gitsrht.app:app", "-b", "127.0.0.1:5001", "-c", "/etc/sr.ht/git.sr.ht.gunicorn.conf.py"]
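Review bot: the comment asks for `git` to be UID 100 / GID 101 ("PID" should read "UID"), but `addgroup -S git` and `adduser -S ... git` take the next free system ids rather than fixed ones; pass `-g 101` and `-u 100` explicitly, because the repositories are bind-mounted from the host and this image and srht-git-fcgi must agree on that id for file ownership to work. `RUN chown git:git /var/lib/git` after `VOLUME /var/lib/git` is unreliable: the legacy builder discards changes made under a declared volume path, so put the chown before the VOLUME line. Finally gunicorn binds `127.0.0.1:5001`, which is only reachable from a container sharing this network namespace (a pod), whereas the README also offers a bridge network; bind `0.0.0.0:5001` (the `-api` image already listens on `:5101`) or drop the bridge option.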


A srht-git-core/Makefile => srht-git-core/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-git-core
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-git-core/README.md => srht-git-core/README.md +44 -0
@@ 0,0 1,44 @@
# srht-git-core


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the web server for a sr.ht system's git service.

Used by proxying from `nginx(8)`.
The below location should be added to the server configuration for
`git.example.com`.

```
location / {
    proxy_pass http://localhost:5001;
}

location = /authorize {
    proxy_pass http://localhost:5001;
}
```

The container needs to be reachable from `nginx(8)` on port 5001.
Consider either using a pod or creating a bridge network.
It also needs to have the git repositories mounted to `/var/lib/git`.

```
$conman run --detach --name srht-git-core --restart always \
    --mount type=bind,src=/host/path/to/git/repos,dst=/var/lib/git,z \
    registry.intra.dominic-ricottone.com/srht-git-core:latest
```
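Review bot: `location = /authorize` is the `auth_request` target used by the srht-git-fcgi location, and as written it only proxies the request; an auth subrequest needs `proxy_pass_request_body off;`, `proxy_set_header Content-Length "";` and a header carrying the original URI (for example `proxy_set_header X-Original-URI $request_uri;`) so the backend knows which repository it is authorizing, and it should be marked `internal;` so clients cannot request it directly.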


A srht-git-fcgi/Dockerfile => srht-git-fcgi/Dockerfile +12 -0
@@ 0,0 1,12 @@
FROM registry.intra.dominic-ricottone.com/fcgi:latest

VOLUME /var/lib/git

# user `git` should be created with PID=100:GID=101
RUN addgroup -S git
RUN adduser -SD -h /var/lib/git -s /bin/sh -G git -g git git

RUN apk add --no-cache git-daemon

USER git
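Review bot: this image creates the `git` user independently of srht-git-core with the same unpinned `addgroup -S` / `adduser -S` calls, on a different base (`fcgi`) that may already carry other system accounts, so the two images can end up with different ids for `git` while sharing the same bind-mounted repositories; pin the uid and gid in both (the comment itself asks for 100:101). `VOLUME /var/lib/git` is declared before the user exists and nothing sets its ownership, and there is no CMD, so the image relies entirely on whatever the `fcgi` base runs.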


A srht-git-fcgi/Makefile => srht-git-fcgi/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-git-fcgi
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-git-fcgi/README.md => srht-git-fcgi/README.md +45 -0
@@ 0,0 1,45 @@
# srht-git-fcgi


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the FastCGI server for a sr.ht system's git service.

Used by proxying from `nginx(8)`.
The below location should be added to the server configuration for
`git.example.com`.

```
location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
    auth_request /authorize;
    root /var/lib/git;
    fastcgi_pass localhost:9000;
    fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
    fastcgi_param PATH_INFO $uri;
    fastcgi_param GIT_PROJECT_ROOT $document_root;
}
```

The container needs to be reachable from `nginx(8)` on port 9000.
Consider either using a pod or creating a bridge network.
It also needs to have the git repositories mounted to `/var/lib/git`.

```
$conman run --detach --name srht-git-fcgi --restart always \
    --mount type=bind,src=/host/path/to/git/repos,dst=/var/lib/git,z \
    registry.intra.dominic-ricottone.com/srht-git-fcgi:latest
```
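Review bot: the location block sets four `fastcgi_param`s and never does `include fastcgi_params;`, so `git-http-backend` receives no REQUEST_METHOD, QUERY_STRING, CONTENT_TYPE or CONTENT_LENGTH; nginx passes only the parameters you list, and without QUERY_STRING the `info/refs?service=git-upload-pack` handshake cannot work. Add the include, and consider `gzip off;` and a longer `fastcgi_read_timeout` for large clones. The regex admits `git-upload-pack` only, so pushes over HTTP are impossible by design; worth stating in the text.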


A srht-git-ssh/.gitignore => srht-git-ssh/.gitignore +3 -0
@@ 0,0 1,3 @@
*_key
*_key.pub


A srht-git-ssh/Dockerfile => srht-git-ssh/Dockerfile +20 -0
@@ 0,0 1,20 @@
FROM registry.intra.dominic-ricottone.com/srht-git-core:latest

USER root

RUN apk add --no-cache openssh

COPY ssh* /etc/ssh/
RUN chmod 600 /etc/ssh/*_key
RUN chmod 644 /etc/ssh/*_key.pub

RUN touch /var/log/gitsrht-shell
RUN chmod 666 /var/log/gitsrht-shell

RUN touch /var/log/gitsrht-update-hook
RUN chmod 666 /var/log/gitsrht-update-hook

EXPOSE 22

CMD ["/usr/sbin/sshd", "-D", "-e"]
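Review bot: `COPY ssh* /etc/ssh/` copies the generated host private keys into an image layer that the Makefile pushes to the registry, so every deployment of this image shares one host identity and anyone with pull access can impersonate the git SSH endpoint. Generate the host keys at first start into a mounted directory (or mount them) and keep only `sshd_config` in the image. `chmod 666` on the two log files makes them world-writable; they are written by the `git` account the sessions run as, so `chown git:git` is enough.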


A srht-git-ssh/Makefile => srht-git-ssh/Makefile +18 -0
@@ 0,0 1,18 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-git-ssh
TAG=latest

KEYS=ssh_host_dsa_key.pub ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub ssh_host_dsa_key ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key

image: $(KEYS)
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

$(KEYS):
	ssh-keygen -A -f ./

.PHONY: image
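Review bot: `ssh-keygen -A -f ./` does not produce the files `$(KEYS)` names: with `-A`, ssh-keygen(1) treats the `-f` argument as a prefix to the default host-key path, so the keys land under `./etc/ssh/`, and make then proceeds to the build anyway because it does not verify that a recipe created its target. Generate each key explicitly instead, e.g. `ssh-keygen -t ed25519 -N '' -f ssh_host_ed25519_key`. The list also includes DSA keys, which sshd_config never references (its HostKey lines list rsa, ecdsa and ed25519) and which newer OpenSSH releases no longer generate with `-A`; drop them.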

A srht-git-ssh/README.md => srht-git-ssh/README.md +33 -0
@@ 0,0 1,33 @@
# srht-git-ssh


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the SSH server for a sr.ht system's git service.

The container needs to have the git repositories mounted to `/var/lib/git`.

```
$conman run --detach --name srht-git-ssh --restart always \
    --mount type=bind,src=/host/path/to/git/repos,dst=/var/lib/git,z \
    registry.intra.dominic-ricottone.com/srht-git-ssh:latest
```

The server will listen on port 22.

After starting the container, log in and set the password for the git user.
This needs to be done interactively.
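Review bot: "set the password for the git user" enables password logins as `git` on the exposed port 22, because sshd_config leaves `PasswordAuthentication` at its default of yes and sets no ForceCommand; a guessed password then yields an interactive shell over the bind-mounted repositories instead of a `gitsrht-shell` session. If the intent is only to unlock the account so key logins are accepted (BusyBox `adduser -D` leaves the shadow entry locked with `!`, which sshd refuses), replace that field with `*` instead, and document it together with `PasswordAuthentication no`.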


A srht-git-ssh/sshd_config => srht-git-ssh/sshd_config +118 -0
@@ 0,0 1,118 @@
#       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

AuthorizedKeysCommand /usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser root

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
# Feel free to re-enable these if your use case requires them.
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
PermitUserEnvironment SRHT_*
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
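Review bot: `AllowTcpForwarding yes` on a service whose only purpose is running `gitsrht-shell` lets anyone who can authenticate (every account with a key registered through `gitsrht-dispatch`) open tunnels from inside the container to whatever it can reach, including the database and the other srht containers; set it to `no`, which is what the comment just above ("re-enable these if your use case requires them") suggests was intended. For the same reason set `PasswordAuthentication no`, `KbdInteractiveAuthentication no` and `PermitRootLogin no` explicitly rather than relying on defaults, and drop the `Subsystem sftp` line, since SFTP is not needed for git and would give file access to anyone who obtains a password for `git`. Consider `AuthorizedKeysFile none` as well: `.ssh/authorized_keys` under the git user's home resolves to `/var/lib/git/.ssh/authorized_keys` on the host bind mount.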


A srht-git-webhooks/Dockerfile => srht-git-webhooks/Dockerfile +4 -0
@@ 0,0 1,4 @@
FROM registry.intra.dominic-ricottone.com/srht-git-core:latest

CMD ["celery", "-A", "gitsrht.webhooks", "worker", "--loglevel=info"]


A srht-git-webhooks/Makefile => srht-git-webhooks/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-git-webhooks
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-git-webhooks/README.md => srht-git-webhooks/README.md +25 -0
@@ 0,0 1,25 @@
# srht-git-webhooks


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the web workers for a sr.ht system's git service.

```
$conman run --detach --name srht-git-webhooks --restart always \
    registry.intra.dominic-ricottone.com/srht-git-webhooks:latest
```


A srht-meta-api/Dockerfile => srht-meta-api/Dockerfile +4 -0
@@ 0,0 1,4 @@
FROM registry.intra.dominic-ricottone.com/srht-meta-core:latest

CMD ["metasrht-api", "-b", ":5100"]


A srht-meta-api/Makefile => srht-meta-api/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-meta-api
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-meta-api/README.md => srht-meta-api/README.md +38 -0
@@ 0,0 1,38 @@
# srht-meta-api


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the API server for a sr.ht system's user account service.

Used by proxying from `nginx(8)`.
The below location should be added to the server configuration for
`meta.example.com`.

```
location /query {
    proxy_pass http://localhost:5100;
}
```

The container needs to be reachable from `nginx(8)` on port 5100.
Consider either using a pod or creating a bridge network.

```
$conman run --detach --name srht-meta-api --restart always \
    registry.intra.dominic-ricottone.com/srht-meta-api:latest
```


A srht-meta-core/Dockerfile => srht-meta-core/Dockerfile +10 -0
@@ 0,0 1,10 @@
FROM registry.intra.dominic-ricottone.com/srht-core:latest

RUN apk add --no-cache meta.sr.ht py3-srht py3-gunicorn

# user `meta` is created by a post-installation hook in `meta.sr.ht`
# the UID/GID do not matter, so allow the hook to manage it
USER meta

CMD ["gunicorn", "metasrht.app:app", "-b", "127.0.0.1:5000", "-c", "/etc/sr.ht/meta.sr.ht.gunicorn.conf.py"]
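Review bot: gunicorn binds `127.0.0.1:5000`, so the README's "pod or bridge network" advice holds only for the pod case; on a bridge network a loopback bind is unreachable from the nginx container. Bind `0.0.0.0:5000` (the `-api` image already listens on `:5100`) or document that a shared network namespace is required.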


A srht-meta-core/Makefile => srht-meta-core/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-meta-core
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-meta-core/README.md => srht-meta-core/README.md +47 -0
@@ 0,0 1,47 @@
# srht-meta-core


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the web server for a sr.ht system's user account service.

Used by proxying from `nginx(8)`.
The below location should be added to the server configuration for
`meta.example.com`.

```
location / {
    proxy_pass http://localhost:5000;
}

location = /register {
    proxy_pass http://localhost:5000;
}

location /.well-known/oauth-authorization-server {
    proxy_pass http://localhost:5000;
}

```

The container needs to be reachable from `nginx(8)` on port 5000.
Consider either using a pod or creating a bridge network.

```
$conman run --detach --name srht-meta-core --restart always \
    registry.intra.dominic-ricottone.com/srht-meta-core:latest
```


A srht-meta-webhooks/Dockerfile => srht-meta-webhooks/Dockerfile +4 -0
@@ 0,0 1,4 @@
FROM registry.intra.dominic-ricottone.com/srht-meta-core:latest

CMD ["celery", "-A", "metasrht.webhooks", "worker", "--loglevel=info"]


A srht-meta-webhooks/Makefile => srht-meta-webhooks/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-meta-webhooks
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-meta-webhooks/README.md => srht-meta-webhooks/README.md +25 -0
@@ 0,0 1,25 @@
# srht-meta-webhooks


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the web workers for a sr.ht system's user account service.

```
$conman run --detach --name srht-meta-webhooks --restart always \
    registry.intra.dominic-ricottone.com/srht-meta-webhooks:latest
```


A srht-nginx/Dockerfile => srht-nginx/Dockerfile +10 -0
@@ 0,0 1,10 @@
FROM registry.intra.dominic-ricottone.com/srht-core:latest AS builder

RUN apk add --no-cache git.sr.ht meta.sr.ht todo.sr.ht

FROM registry.intra.dominic-ricottone.com/nginx:latest

COPY --from=builder /usr/lib/python3.10/site-packages/gitsrht /var/www/gitsrht/
COPY --from=builder /usr/lib/python3.10/site-packages/metasrht /var/www/metasrht/
COPY --from=builder /usr/lib/python3.10/site-packages/todosrht /var/www/todosrht/
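Review bot: the `COPY --from=builder` lines copy the entire Python packages (source, templates, everything) from a hard-coded `/usr/lib/python3.10/site-packages` into `/var/www/*`; if those directories are served as web roots the `.py` files and templates become downloadable, so copy only the `static/` subdirectory of each package. The `python3.10` path is also coupled to srht-core's `alpine:3.17`; a wildcard such as `python3.*` keeps a base bump from breaking the build. Note that no nginx configuration is added by this image at all.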


A srht-nginx/Makefile => srht-nginx/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-nginx
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-nginx/README.md => srht-nginx/README.md +20 -0
@@ 0,0 1,20 @@
# srht-nginx


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the static content server and caching reverse proxy for a sr.ht system.
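Review bot: the Use section is a single sentence; it needs the run command and, more importantly, where the nginx server blocks and the `location` snippets scattered across the other `srht-*` READMEs are supposed to live, plus how the `/var/www/{git,meta,todo}srht` directories copied by the Dockerfile map onto the static paths nginx serves. As it stands a reader cannot deploy the image from this page.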


A srht-todo-api/Dockerfile => srht-todo-api/Dockerfile +4 -0
@@ 0,0 1,4 @@
FROM registry.intra.dominic-ricottone.com/srht-todo-core:latest

CMD ["todosrht-api", "-b", ":5103"]


A srht-todo-api/Makefile => srht-todo-api/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-todo-api
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-todo-api/README.md => srht-todo-api/README.md +38 -0
@@ 0,0 1,38 @@
# srht-todo-api


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the API server for a sr.ht system's issue tracker service.

Used by proxying from `nginx(8)`.
The below location should be added to the server configuration for
`todo.example.com`.

```
location /query {
    proxy_pass http://localhost:5103;
}
```

The container needs to be reachable from `nginx(8)` on port 5103.
Consider either using a pod or creating a bridge network.

```
$conman run --detach --name srht-todo-api --restart always \
    registry.intra.dominic-ricottone.com/srht-todo-api:latest
```


A srht-todo-core/Dockerfile => srht-todo-core/Dockerfile +10 -0
@@ 0,0 1,10 @@
FROM registry.intra.dominic-ricottone.com/srht-core:latest

RUN apk add --no-cache todo.sr.ht py3-srht py3-gunicorn

# user `todo` is created by a post-installation hook in `todo.sr.ht`
# the UID/GID do not matter, so allow the hook to manage it
USER todo

CMD ["gunicorn", "todosrht.app:app", "-b", "127.0.0.1:5003", "-c", "/etc/sr.ht/todo.sr.ht.gunicorn.conf.py"]
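Review bot: `-b 127.0.0.1:5003` is reachable only from a container that shares this network namespace, while the README offers a bridge network as an alternative to a pod; bind `0.0.0.0:5003` (as the `-api` image does with `:5103`) or remove the bridge option from the README.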


A srht-todo-core/Makefile => srht-todo-core/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-todo-core
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-todo-core/README.md => srht-todo-core/README.md +38 -0
@@ 0,0 1,38 @@
# srht-todo-core


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the web server for a sr.ht system's issue tracker service.

Used by proxying from `nginx(8)`.
The below location should be added to the server configuration for
`todo.example.com`.

```
location / {
    proxy_pass http://localhost:5003;
}
```

The container needs to be reachable from `nginx(8)` on port 5003.
Consider either using a pod or creating a bridge network.

```
$conman run --detach --name srht-todo-core --restart always \
    registry.intra.dominic-ricottone.com/srht-todo-core:latest
```


A srht-todo-lmtp/Dockerfile => srht-todo-lmtp/Dockerfile +10 -0
@@ 0,0 1,10 @@
FROM registry.intra.dominic-ricottone.com/srht-todo-core:latest

USER root

RUN apk add --no-cache postfix

USER postfix

CMD ["todosrht-lmtp"]
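Review bot: `apk add --no-cache postfix` installs a complete MTA into the LMTP image only so that `USER postfix` resolves; create the account with `addgroup`/`adduser` and an explicit uid and gid instead, which also lets you keep that id in step with the uid the postfix container connects as, since the two exchange a Unix socket through the bind-mounted `/var/socks` directory and socket permissions depend on it. Nothing here shows how `todosrht-lmtp` is told to put its socket under `/var/socks`; that belongs in the README or an added config.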


A srht-todo-lmtp/Makefile => srht-todo-lmtp/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-todo-lmtp
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-todo-lmtp/README.md => srht-todo-lmtp/README.md +28 -0
@@ 0,0 1,28 @@
# srht-todo-lmtp


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the LMTP server for a sr.ht system's issue tracker service.

The container needs to be have a sockets directory mounted.

```
$conman run --detach --name srht-todo-lmtp --restart always \
    --mount type=bind,src=$socksdir,dst=/var/socks \
    registry.intra.dominic-ricottone.com/srht-todo-lmtp:latest
```
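Review bot: "The container needs to be have a sockets directory mounted" should read "needs to have". The mount is also the only one in this set without the `z` option, and the text does not say who must own `$socksdir` or that the postfix container has to mount the same directory to reach the LMTP socket; spell out the ownership (the daemon runs as `postfix`) and the matching mount on the MTA side.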


A srht-todo-webhooks/Dockerfile => srht-todo-webhooks/Dockerfile +4 -0
@@ 0,0 1,4 @@
FROM registry.intra.dominic-ricottone.com/srht-todo-core:latest

CMD ["celery", "-A", "todosrht.webhooks", "worker", "--loglevel=info"]


A srht-todo-webhooks/Makefile => srht-todo-webhooks/Makefile +13 -0
@@ 0,0 1,13 @@
CONMAN=sudo docker

REGISTRY=registry.intra.dominic-ricottone.com
IMAGE=srht-todo-webhooks
TAG=latest

image:
	$(CONMAN) buildx build --push \
		--platform linux/arm64,linux/amd64 \
		--tag $(REGISTRY)/$(IMAGE):$(TAG) \
		.

.PHONY: image

A srht-todo-webhooks/README.md => srht-todo-webhooks/README.md +25 -0
@@ 0,0 1,25 @@
# srht-todo-webhooks


## Build and Deploy

```
make image
```


### Tags

 + `latest`

----

## Use

Deploy the web workers for a sr.ht system's issue tracker service.

```
$conman run --detach --name srht-todo-webhooks --restart always \
    registry.intra.dominic-ricottone.com/srht-todo-webhooks:latest
```