A => .gitignore +4 -0
@@ 1,4 @@
+etc/sr.ht/pgp.key
+etc/sr.ht/pgp.pubkey
+postgresql-data
+redis-data
A => Dockerfile +56 -0
@@ 1,56 @@
+FROM alpine:3.15
+COPY etc/apk/repositories /etc/apk/repositories
+RUN wget --quiet --output-document=/etc/apk/keys/alpine@sr.ht.rsa.pub https://mirror.sr.ht/alpine/alpine@sr.ht.rsa.pub
+RUN apk update
+RUN apk add redis postgresql14 postfix meta.sr.ht git.sr.ht todo.sr.ht supervisor nginx fcgiwrap spawn-fcgi py3-gunicorn celery
+
+# setup directories
+RUN mkdir /etc/postfix/sasl && chmod 700 /etc/postfix/sasl
+RUN mkdir /data
+RUN mkdir /var/lib/postgresql/data && chown postgres:postgres /var/lib/postgresql/data && chmod 750 /var/lib/postgresql/data
+RUN mkdir /run/postgresql && chown postgres:postgres /run/postgresql
+RUN mkdir /var/log/supervisord
+
+# setup nginx
+COPY etc/nginx/nginx.conf /etc/nginx/nginx.conf
+COPY etc/nginx/graphql.conf /etc/nginx/graphql.conf
+COPY etc/nginx/headers.conf /etc/nginx/headers.conf
+COPY etc/nginx/web.conf /etc/nginx/web.conf
+COPY etc/nginx/http.d/test.conf /etc/nginx/http.d/test.conf
+COPY --chown=nginx:nginx usr/share/nginx/html/index.html /usr/share/nginx/html/index.html
+COPY --chown=nginx:nginx usr/share/nginx/html/test.cgi /usr/share/nginx/html/test.cgi
+COPY --chown=nginx:nginx usr/share/nginx/html/test.php /usr/share/nginx/html/test.php
+COPY etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf
+COPY etc/nginx/http.d/git.conf /etc/nginx/http.d/git.conf
+COPY etc/nginx/http.d/lists.conf /etc/nginx/http.d/lists.conf
+COPY etc/nginx/http.d/meta.conf /etc/nginx/http.d/meta.conf
+COPY etc/nginx/http.d/todo.conf /etc/nginx/http.d/todo.conf
+
+# setup postfix
+COPY etc/postfix/main.cf /etc/postfix/main.cf
+COPY etc/postfix/master.cf /etc/postfix/master.cf
+COPY etc/postfix/transport /etc/postfix/transport
+RUN postmap /etc/postfix/transport
+COPY etc/postfix/generic /etc/postfix/generic
+RUN postmap /etc/postfix/generic
+COPY etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd
+RUN postmap /etc/postfix/sasl/sasl_passwd
+
+# setup redis
+VOLUME /data
+
+# setup postgresql
+VOLUME /var/lib/postgresql/data
+COPY --chown=postgres:postgres etc/postgresql/postgresql.conf /etc/postgresql/postgresql.conf
+
+# setup sourcehut
+COPY etc/sr.ht/config.ini /etc/sr.ht/config.ini
+COPY etc/sr.ht/pgp.key /etc/sr.ht/pgp.key
+COPY etc/sr.ht/pgp.pubkey /etc/sr.ht/pgp.pubkey
+
+# setup supervisor
+USER root
+EXPOSE 8080
+COPY etc/supervisor/conf.d/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+CMD ["/usr/bin/supervisord","-c","/etc/supervisor/conf.d/supervisord.conf"]
+
A => Makefile +20 -0
@@ 1,20 @@
+image:
+ docker build . --tag tatooine
+
+clean:
+ docker rm --force tatooine-dev
+
+run:
+ docker run -it --name tatooine-dev \
+ --hostname tatooine -p 80:8080 \
+ --mount type=bind,src=/home/al_dente/dev/huttese/redis-data,dst=/data \
+ --mount type=bind,src=/home/al_dente/dev/huttese/postgresql-data,dst=/var/lib/postgresql/data \
+ tatooine
+
+start:
+ docker run --detach --name tatooine-dev \
+ --hostname tatooine -p 80:8080 \
+ --mount type=bind,src=/home/al_dente/dev/huttese/redis-data,dst=/data \
+ --mount type=bind,src=/home/al_dente/dev/huttese/postgresql-data,dst=/var/lib/postgresql/data \
+ tatooine
+
A => README.md +39 -0
@@ 1,39 @@
+## Usage
+
+Disable the haproxy docker container.
+
+Paste the following into the hosts file:
+
+```
+127.0.0.1 git.intra.dominic-ricottone.com lists.intra.dominic-ricottone.com meta.intra.dominic-ricottone.com todo.intra.dominic-ricottone.com
+```
+
+Run `make clean && make run`.
+
+
+## To-Do
+
+nginx proxying is not working
+
+need metasrht service to become accessible so that i can register oauth for git, lists, todo services
+
+should also setup the metasrht-webhook process (celery -A metasrht.webhooks worker --loglevel=info)
+
+maybe should run migration (metasrht-migrate -a upgrade head) every time?
+
+most importantly, need to figure out how to secure pgp keys, worker private key, network private key, and webhook private key
+
+
+## Installation
+
+Run `make image && make start`.
+
+On first run, these need to be done manually. Or at least after the postgres database is running.
+
+```
+su - postgres
+initdb /var/lib/postgresql/data
+createdb -U postgres meta.sr.ht
+metasrht-initdb
+```
+
A => etc/apk/repositories +3 -0
@@ 1,3 @@
+https://mirror.sr.ht/alpine/v3.15/sr.ht
+https://dl-cdn.alpinelinux.org/alpine/v3.15/main
+https://dl-cdn.alpinelinux.org/alpine/v3.15/community
A => etc/nginx/graphql.conf +18 -0
@@ 1,18 @@
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+}
+add_header 'Access-Control-Allow-Origin' '*';
+add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
A => +3 -0
@@ 1,3 @@
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Permissions-Policy interest-cohort=();
A => etc/nginx/http.d/default.conf +0 -0
A => etc/nginx/http.d/git.conf +45 -0
@@ 1,45 @@
+server {
+ listen 8080;
+ gzip on;
+ gzip_types text/css text/html;
+ server_name git.intra.dominic-ricottone.com;
+
+ client_max_body_size 100M;
+
+ location / {
+ proxy_pass http://localhost:5001;
+ include headers.conf;
+ add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
+ include web.conf;
+ }
+
+ location /query {
+ proxy_pass http://localhost:5101;
+ include graphql.conf;
+ }
+
+ location /static {
+ root /usr/lib/python3.9/site-packages/gitsrht;
+ expires 30d;
+ }
+
+ location = /authorize {
+ proxy_pass http://localhost:5001;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Original-URI $request_uri;
+ }
+
+ location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
+ auth_request /authorize;
+ root /var/lib/git;
+ fastcgi_pass localhost:9000;
+ fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param GIT_PROJECT_ROOT $document_root;
+ fastcgi_read_timeout 500s;
+ include fastcgi_params;
+ gzip off;
+ }
+}
+
A => etc/nginx/http.d/lists.conf +25 -0
@@ 1,25 @@
+server {
+ listen 8080;
+ gzip on;
+ gzip_types text/css text/html;
+ server_name lists.intra.dominic-ricottone.com;
+ client_max_body_size 100M;
+
+ location / {
+ proxy_pass http://localhost:5006;
+ include headers.conf;
+ add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
+ include web.conf;
+ }
+
+ location /query {
+ proxy_pass http://localhost:5106;
+ include graphql.conf;
+ }
+
+ location /static {
+ root /usr/lib/python3.9/site-packages/listssrht;
+ expires 30d;
+ }
+}
+
A => etc/nginx/http.d/meta.conf +29 -0
@@ 1,29 @@
+server {
+ listen 8080;
+ gzip on;
+ gzip_types text/css text/html;
+ server_name meta.intra.dominic-ricottone.com;
+
+ location / {
+ proxy_pass http://localhost:5000;
+ include headers.conf;
+ add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
+ include web.conf;
+ }
+
+ location /register {
+ proxy_pass http://localhost:5000;
+ add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
+ }
+
+ location /query {
+ proxy_pass http://localhost:5100;
+ include graphql.conf;
+ }
+
+ location /static {
+ root /usr/lib/python3.9/site-packages/metasrht;
+ expires 30d;
+ }
+}
+
A => etc/nginx/http.d/test.conf +39 -0
@@ 1,39 @@
+server {
+ listen 8080 default_server;
+ server_name _;
+
+ root /usr/share/nginx/html;
+
+ location ~ [^/]\.cgi(/|$) {
+ fastcgi_split_path_info ^(.+?\.cgi)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass localhost:9000;
+ fastcgi_index index.php;
+
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+ location ~ [^/]\.php(/|$) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ fastcgi_param HTTP_PROXY "";
+
+ fastcgi_pass localhost:9000;
+ fastcgi_index index.php;
+
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+}
+
A => etc/nginx/http.d/todo.conf +26 -0
@@ 1,26 @@
+server {
+ listen 8080;
+ gzip on;
+ gzip_types text/css text/html;
+ server_name todo.intra.dominic-ricottone.com;
+
+ client_max_body_size 100M;
+
+ location / {
+ proxy_pass http://localhost:5003;
+ include headers.conf;
+ add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
+ include web.conf;
+ }
+
+ location /query {
+ proxy_pass http://localhost:5103;
+ include graphql.conf;
+ }
+
+ location /static {
+ root /usr/lib/python3.9/site-packages/todosrht;
+ expires 30d;
+ }
+}
+
A => etc/nginx/nginx.conf +35 -0
@@ 1,35 @@
+user nginx;
+worker_processes auto;
+pcre_jit on;
+error_log /var/log/nginx/error.log warn;
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ server_tokens off;
+ client_max_body_size 1m;
+ sendfile on;
+ tcp_nopush on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:2m;
+ ssl_session_timeout 1h;
+ ssl_session_tickets off;
+ gzip_vary on;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ include /etc/nginx/http.d/*.conf;
+}
+
+
A => etc/nginx/web.conf +5 -0
@@ 1,5 @@
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
A => etc/postfix/generic +2 -0
@@ 1,2 @@
+@tatooine.localdomain REDACTED
+@tatooine REDACTED
A => etc/postfix/main.cf +678 -0
@@ 1,678 @@
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+# For common configuration examples, see BASIC_CONFIGURATION_README
+# and STANDARD_CONFIGURATION_README. To find these documents, use
+# the command "postconf html_directory readme_directory", or go to
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
+#
+# For best results, change no more than 2-3 parameters at a time,
+# and test if Postfix still works after every change.
+
+# COMPATIBILITY
+#
+# The compatibility_level determines what default settings Postfix
+# will use for main.cf and master.cf settings. These defaults will
+# change over time.
+#
+# To avoid breaking things, Postfix will use backwards-compatible
+# default settings and log where it uses those old backwards-compatible
+# default settings, until the system administrator has determined
+# if any backwards-compatible default settings need to be made
+# permanent in main.cf or master.cf.
+#
+# When this review is complete, update the compatibility_level setting
+# below as recommended in the RELEASE_NOTES file.
+#
+# The level below is what should be used with new (not upgrade) installs.
+
+compatibility_level = 3.6
+
+# SOFT BOUNCE
+#
+# The soft_bounce parameter provides a limited safety net for
+# testing. When soft_bounce is enabled, mail will remain queued that
+# would otherwise bounce. This parameter disables locally-generated
+# bounces, and prevents the SMTP server from rejecting mail permanently
+# (by changing 5xx replies into 4xx replies). However, soft_bounce
+# is no cure for address rewriting mistakes or mail routing mistakes.
+#
+#soft_bounce = no
+
+# LOCAL PATHNAME INFORMATION
+#
+# The queue_directory specifies the location of the Postfix queue.
+# This is also the root directory of Postfix daemons that run chrooted.
+# See the files in examples/chroot-setup for setting up Postfix chroot
+# environments on different UNIX systems.
+
+queue_directory = /var/spool/postfix
+
+# The command_directory parameter specifies the location of all
+# postXXX commands.
+
+command_directory = /usr/sbin
+
+# The daemon_directory parameter specifies the location of all Postfix
+# daemon programs (i.e. programs listed in the master.cf file). This
+# directory must be owned by root.
+
+daemon_directory = /usr/libexec/postfix
+
+# The data_directory parameter specifies the location of Postfix-writable
+# data files (caches, random numbers). This directory must be owned
+# by the mail_owner account (see below).
+
+data_directory = /var/lib/postfix
+
+# QUEUE AND PROCESS OWNERSHIP
+#
+# The mail_owner parameter specifies the owner of the Postfix queue
+# and of most Postfix daemon processes. Specify the name of a user
+# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
+# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
+# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+# USER.
+
+mail_owner = postfix
+
+# The default_privs parameter specifies the default rights used by
+# the local delivery agent for delivery to external file or command.
+# These rights are used in the absence of a recipient user context.
+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+#
+#default_privs = nobody
+
+# INTERNET HOST AND DOMAIN NAMES
+#
+# The myhostname parameter specifies the internet hostname of this
+# mail system. The default is to use the fully-qualified domain name
+# from gethostname(). $myhostname is used as a default value for many
+# other configuration parameters.
+
+myhostname = tatooine
+
+# The mydomain parameter specifies the local internet domain name.
+# The default is to use $myhostname minus the first component.
+# $mydomain is used as a default value for many other configuration
+# parameters.
+
+mydomain = tatooine
+
+# SENDING MAIL
+#
+# The myorigin parameter specifies the domain that locally-posted
+# mail appears to come from. The default is to append $myhostname,
+# which is fine for small sites. If you run a domain with multiple
+# machines, you should (1) change this to $mydomain and (2) set up
+# a domain-wide alias database that aliases each user to
+# user@that.users.mailhost.
+#
+# For the sake of consistency between sender and recipient addresses,
+# myorigin also specifies the default domain name that is appended
+# to recipient addresses that have no @domain part.
+#
+#myorigin = $myhostname
+#myorigin = $mydomain
+
+# RECEIVING MAIL
+
+# The inet_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on. By default,
+# the software claims all active interfaces on the machine. The
+# parameter also controls delivery of mail to user@[ip.address].
+#
+# See also the proxy_interfaces parameter, for network addresses that
+# are forwarded to us via a proxy or network address translator.
+#
+# Note: you need to stop/start Postfix when this parameter changes.
+#
+#inet_interfaces = all
+#inet_interfaces = $myhostname
+#inet_interfaces = $myhostname, localhost
+
+# The proxy_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on by way of a
+# proxy or network address translation unit. This setting extends
+# the address list specified with the inet_interfaces parameter.
+#
+# You must specify your proxy/NAT addresses when your system is a
+# backup MX host for other domains, otherwise mail delivery loops
+# will happen when the primary MX host is down.
+#
+#proxy_interfaces =
+#proxy_interfaces = 1.2.3.4
+
+# The mydestination parameter specifies the list of domains that this
+# machine considers itself the final destination for.
+#
+# These domains are routed to the delivery agent specified with the
+# local_transport parameter setting. By default, that is the UNIX
+# compatible delivery agent that lookups all recipients in /etc/passwd
+# and /etc/aliases or their equivalent.
+#
+# The default is $myhostname + localhost.$mydomain + localhost. On
+# a mail domain gateway, you should also include $mydomain.
+#
+# Do not specify the names of virtual domains - those domains are
+# specified elsewhere (see VIRTUAL_README).
+#
+# Do not specify the names of domains that this machine is backup MX
+# host for. Specify those names via the relay_domains settings for
+# the SMTP server, or use permit_mx_backup if you are lazy (see
+# STANDARD_CONFIGURATION_README).
+#
+# The local machine is always the final destination for mail addressed
+# to user@[the.net.work.address] of an interface that the mail system
+# receives mail on (see the inet_interfaces parameter).
+#
+# Specify a list of host or domain names, /file/name or type:table
+# patterns, separated by commas and/or whitespace. A /file/name
+# pattern is replaced by its contents; a type:table is matched when
+# a name matches a lookup key (the right-hand side is ignored).
+# Continue long lines by starting the next line with whitespace.
+#
+# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
+
+mydestination = $myhostname, localhost.$mydomain, localhost
+
+# REJECTING MAIL FOR UNKNOWN LOCAL USERS
+#
+# The local_recipient_maps parameter specifies optional lookup tables
+# with all names or addresses of users that are local with respect
+# to $mydestination, $inet_interfaces or $proxy_interfaces.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown local users. This parameter is defined by default.
+#
+# To turn off local recipient checking in the SMTP server, specify
+# local_recipient_maps = (i.e. empty).
+#
+# The default setting assumes that you use the default Postfix local
+# delivery agent for local delivery. You need to update the
+# local_recipient_maps setting if:
+#
+# - You define $mydestination domain recipients in files other than
+# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
+# For example, you define $mydestination domain recipients in
+# the $virtual_mailbox_maps files.
+#
+# - You redefine the local delivery agent in master.cf.
+#
+# - You redefine the "local_transport" setting in main.cf.
+#
+# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
+# feature of the Postfix local delivery agent (see local(8)).
+#
+# Details are described in the LOCAL_RECIPIENT_README file.
+#
+# Beware: if the Postfix SMTP server runs chrooted, you probably have
+# to access the passwd file via the proxymap service, in order to
+# overcome chroot restrictions. The alternative, having a copy of
+# the system passwd file in the chroot jail is just not practical.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify a bare username, an @domain.tld
+# wild-card, or specify a user@domain.tld address.
+#
+#local_recipient_maps = unix:passwd.byname $alias_maps
+#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
+#local_recipient_maps =
+
+# The unknown_local_recipient_reject_code specifies the SMTP server
+# response code when a recipient domain matches $mydestination or
+# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
+# and the recipient address or address local-part is not found.
+#
+# The default setting is 550 (reject mail) but it is safer to start
+# with 450 (try again later) until you are certain that your
+# local_recipient_maps settings are OK.
+
+unknown_local_recipient_reject_code = 550
+
+# TRUST AND RELAY CONTROL
+
+# The mynetworks parameter specifies the list of "trusted" SMTP
+# clients that have more privileges than "strangers".
+#
+# In particular, "trusted" SMTP clients are allowed to relay mail
+# through Postfix. See the smtpd_recipient_restrictions parameter
+# in postconf(5).
+#
+# You can specify the list of "trusted" network addresses by hand
+# or you can let Postfix do it for you (which is the default).
+#
+# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
+# clients in the same IP subnetworks as the local machine.
+# On Linux, this works correctly only with interfaces specified
+# with the "ifconfig" command.
+#
+# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
+# clients in the same IP class A/B/C networks as the local machine.
+# Don't do this with a dialup site - it would cause Postfix to "trust"
+# your entire provider's network. Instead, specify an explicit
+# mynetworks list by hand, as described below.
+#
+# Specify "mynetworks_style = host" when Postfix should "trust"
+# only the local machine.
+#
+#mynetworks_style = class
+#mynetworks_style = subnet
+#mynetworks_style = host
+
+# Alternatively, you can specify the mynetworks list by hand, in
+# which case Postfix ignores the mynetworks_style setting.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+
+mynetworks = 127.0.0.0/8
+
+# The relay_domains parameter restricts what destinations this system will
+# relay mail to. See the smtpd_recipient_restrictions description in
+# postconf(5) for detailed information.
+#
+# By default, Postfix relays mail
+# - from "trusted" clients (IP address matches $mynetworks) to any destination,
+# - from "untrusted" clients to destinations that match $relay_domains or
+# subdomains thereof, except addresses with sender-specified routing.
+# The default relay_domains value is $mydestination.
+#
+# In addition to the above, the Postfix SMTP server by default accepts mail
+# that Postfix is final destination for:
+# - destinations that match $inet_interfaces or $proxy_interfaces,
+# - destinations that match $mydestination
+# - destinations that match $virtual_alias_domains,
+# - destinations that match $virtual_mailbox_domains.
+# These destinations do not need to be listed in $relay_domains.
+#
+# Specify a list of hosts or domains, /file/name patterns or type:name
+# lookup tables, separated by commas and/or whitespace. Continue
+# long lines by starting the next line with whitespace. A file name
+# is replaced by its contents; a type:name table is matched when a
+# (parent) domain appears as lookup key.
+#
+# NOTE: Postfix will not automatically forward mail for domains that
+# list this system as their primary or backup MX host. See the
+# permit_mx_backup restriction description in postconf(5).
+#
+#relay_domains = $mydestination
+
+# INTERNET OR INTRANET
+
+# The relayhost parameter specifies the default host to send mail to
+# when no entry is matched in the optional transport(5) table. When
+# no relayhost is given, mail is routed directly to the destination.
+#
+# On an intranet, specify the organizational domain name. If your
+# internal DNS uses no MX records, specify the name of the intranet
+# gateway host instead.
+#
+# In the case of SMTP, specify a domain, host, host:port, [host]:port,
+# [address] or [address]:port; the form [host] turns off MX lookups.
+#
+# If you're connected via UUCP, see also the default_transport parameter.
+
+relayhost = [smtp.gmail.com]:587
+smtp_sasl_auth_enable = yes
+smtp_sasl_security_options = noanonymous
+smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
+smtp_tls_security_level = encrypt
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+# REJECTING UNKNOWN RELAY USERS
+#
+# The relay_recipient_maps parameter specifies optional lookup tables
+# with all addresses in the domains that match $relay_domains.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown relay users. This feature is off by default.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify an @domain.tld wild-card, or specify
+# a user@domain.tld address.
+#
+#relay_recipient_maps = hash:/etc/postfix/relay_recipients
+
+# INPUT RATE CONTROL
+#
+# The in_flow_delay configuration parameter implements mail input
+# flow control. This feature is turned on by default, although it
+# still needs further development (it's disabled on SCO UNIX due
+# to an SCO bug).
+#
+# A Postfix process will pause for $in_flow_delay seconds before
+# accepting a new message, when the message arrival rate exceeds the
+# message delivery rate. With the default 100 SMTP server process
+# limit, this limits the mail inflow to 100 messages a second more
+# than the number of messages delivered per second.
+#
+# Specify 0 to disable the feature. Valid delays are 0..10.
+#
+#in_flow_delay = 1s
+
+# ADDRESS REWRITING
+#
+# The ADDRESS_REWRITING_README document gives information about
+# address masquerading or other forms of address rewriting including
+# username->Firstname.Lastname mapping.
+
+smtp_generic_maps = lmdb:/etc/postfix/generic
+
+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+#
+# The VIRTUAL_README document gives information about the many forms
+# of domain hosting that Postfix supports.
+
+# "USER HAS MOVED" BOUNCE MESSAGES
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# TRANSPORT MAP
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+local_transport = local:$myhostname
+transport_maps = lmdb:/etc/postfix/transport
+
+# ALIAS DATABASE
+#
+# The alias_maps parameter specifies the list of alias databases used
+# by the local delivery agent. The default list is system dependent.
+#
+# On systems with NIS, the default is to search the local alias
+# database, then the NIS alias database. See aliases(5) for syntax
+# details.
+#
+# If you change the alias database, run "postalias /etc/aliases" (or
+# wherever your system stores the mail alias file), or simply run
+# "newaliases" to build the necessary DBM or DB file.
+#
+# It will take a minute or so before changes become visible. Use
+# "postfix reload" to eliminate the delay.
+#
+#alias_maps = dbm:/etc/aliases
+#alias_maps = hash:/etc/aliases
+#alias_maps = hash:/etc/aliases, nis:mail.aliases
+#alias_maps = netinfo:/aliases
+
+# The alias_database parameter specifies the alias database(s) that
+# are built with "newaliases" or "sendmail -bi". This is a separate
+# configuration parameter, because alias_maps (see above) may specify
+# tables that are not necessarily all under control by Postfix.
+#
+#alias_database = dbm:/etc/aliases
+#alias_database = dbm:/etc/mail/aliases
+#alias_database = hash:/etc/aliases
+#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
+
+# ADDRESS EXTENSIONS (e.g., user+foo)
+#
+# The recipient_delimiter parameter specifies the separator between
+# user names and address extensions (user+foo). See canonical(5),
+# local(8), relocated(5) and virtual(5) for the effects this has on
+# aliases, canonical, virtual, relocated and .forward file lookups.
+# Basically, the software tries user+foo and .forward+foo before
+# trying user and .forward.
+#
+#recipient_delimiter = +
+
+# DELIVERY TO MAILBOX
+#
+# The home_mailbox parameter specifies the optional pathname of a
+# mailbox file relative to a user's home directory. The default
+# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
+# "Maildir/" for qmail-style delivery (the / is required).
+
+home_mailbox = Maildir/
+
+# The mail_spool_directory parameter specifies the directory where
+# UNIX-style mailboxes are kept. The default setting depends on the
+# system type.
+#
+#mail_spool_directory = /var/mail
+#mail_spool_directory = /var/spool/mail
+
+# The mailbox_command parameter specifies the optional external
+# command to use instead of mailbox delivery. The command is run as
+# the recipient with proper HOME, SHELL and LOGNAME environment settings.
+# Exception: delivery for root is done as $default_user.
+#
+# Other environment variables of interest: USER (recipient username),
+# EXTENSION (address extension), DOMAIN (domain part of address),
+# and LOCAL (the address localpart).
+#
+# Unlike other Postfix configuration parameters, the mailbox_command
+# parameter is not subjected to $parameter substitutions. This is to
+# make it easier to specify shell syntax (see example below).
+#
+# Avoid shell meta characters because they will force Postfix to run
+# an expensive shell process. Procmail alone is expensive enough.
+#
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
+#mailbox_command = /some/where/procmail
+#mailbox_command = /some/where/procmail -a "$EXTENSION"
+
+# The mailbox_transport specifies the optional transport in master.cf
+# to use after processing aliases and .forward files. This parameter
+# has precedence over the mailbox_command, fallback_transport and
+# luser_relay parameters.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf. The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
+# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
+#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
+#
+# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
+# subsequent line in master.cf.
+#mailbox_transport = cyrus
+
+# The fallback_transport specifies the optional transport in master.cf
+# to use for recipients that are not found in the UNIX passwd database.
+# This parameter has precedence over the luser_relay parameter.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf. The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#fallback_transport = lmtp:unix:/file/name
+#fallback_transport = cyrus
+#fallback_transport =
+
+# The luser_relay parameter specifies an optional destination address
+# for unknown recipients. By default, mail for unknown@$mydestination,
+# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
+# as undeliverable.
+#
+# The following expansions are done on luser_relay: $user (recipient
+# username), $shell (recipient shell), $home (recipient home directory),
+# $recipient (full recipient address), $extension (recipient address
+# extension), $domain (recipient domain), $local (entire recipient
+# localpart), $recipient_delimiter. Specify ${name?value} or
+# ${name:value} to expand value only when $name does (does not) exist.
+#
+# luser_relay works only for the default Postfix local delivery agent.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
+# the main.cf file, otherwise the SMTP server will reject mail for
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#luser_relay = $user@other.host
+#luser_relay = $local@other.host
+#luser_relay = admin+$local
+
+# JUNK MAIL CONTROLS
+#
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+#header_checks = regexp:/etc/postfix/header_checks
+
+# FAST ETRN SERVICE
+#
+# Postfix maintains per-destination logfiles with information about
+# deferred mail, so that mail can be flushed quickly with the SMTP
+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
+# See the ETRN_README document for a detailed description.
+#
+# The fast_flush_domains parameter controls what destinations are
+# eligible for this service. By default, they are all domains that
+# this server is willing to relay mail to.
+#
+#fast_flush_domains = $relay_domains
+
+# SHOW SOFTWARE VERSION OR NOT
+#
+# The smtpd_banner parameter specifies the text that follows the 220
+# code in the SMTP server's greeting banner. Some people like to see
+# the mail version advertised. By default, Postfix shows no version.
+#
+# You MUST specify $myhostname at the start of the text. That is an
+# RFC requirement. Postfix itself does not care.
+#
+#smtpd_banner = $myhostname ESMTP $mail_name
+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+
+# PARALLEL DELIVERY TO THE SAME DESTINATION
+#
+# How many parallel deliveries to the same user or domain? With local
+# delivery, it does not make sense to do massively parallel delivery
+# to the same user, because mailbox updates must happen sequentially,
+# and expensive pipelines in .forward files can cause disasters when
+# too many are run at the same time. With SMTP deliveries, 10
+# simultaneous connections to the same domain could be sufficient to
+# raise eyebrows.
+#
+# Each message delivery transport has its XXX_destination_concurrency_limit
+# parameter. The default is $default_destination_concurrency_limit for
+# most delivery transports. For the local delivery agent the default is 2.
+
+#local_destination_concurrency_limit = 2
+#default_destination_concurrency_limit = 20
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+
+debug_peer_level = 2
+
+# The debug_peer_list parameter specifies an optional list of domain
+# or network patterns, /file/name patterns or type:name tables. When
+# an SMTP client or server host name or address matches a pattern,
+# increase the verbose logging level by the amount specified in the
+# debug_peer_level parameter.
+#
+#debug_peer_list = 127.0.0.1
+#debug_peer_list = some.domain
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+
+debugger_command =
+ PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+ ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# If you can't use X, use this to capture the call stack when a
+# daemon crashes. The result is in a file in the configuration
+# directory, and is named after the process name and the process ID.
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
+# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
+# >$config_directory/$process_name.$process_id.log & sleep 5
+#
+# Another possibility is to run gdb under a detached screen session.
+# To attach to the screen session, su root and run "screen -r
+# <id_string>" where <id_string> uniquely matches one of the detached
+# sessions (from "screen -list").
+#
+# debugger_command =
+# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
+# -dmS $process_name gdb $daemon_directory/$process_name
+# $process_id & sleep 1
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+#
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+
+sendmail_path = /usr/sbin/sendmail
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+
+newaliases_path = /usr/bin/newaliases
+
+# mailq_path: The full pathname of the Postfix mailq command. This
+# is the Sendmail-compatible mail queue listing command.
+
+mailq_path = /usr/bin/mailq
+
+# setgid_group: The group for mail submission and queue management
+# commands. This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+
+html_directory = no
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+
+sample_directory = /etc/postfix
+
+# readme_directory: The location of the Postfix README files.
+
+readme_directory = /usr/share/doc/postfix/readme
+inet_protocols = ipv4
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib/postfix
+
A => etc/postfix/master.cf +137 -0
@@ 1,137 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+#smtp inet n - n - 1 postscreen
+#smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
+#tlsproxy unix - - n - 0 tlsproxy
+# Choose one: enable submission for loopback clients only, or for any client.
+127.0.0.1:submission inet n - n - - smtpd
+#submission inet n - n - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+ -o smtpd_relay_restrictions=permit
+# -o milter_macro_daemon_name=ORIGINATING
+# Choose one: enable smtps for loopback clients only, or for any client.
+#127.0.0.1:smtps inet n - n - - smtpd
+#smtps inet n - n - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - n - - qmqpd
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop unix - n n - - pipe
+# flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+#
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp unix - n n - - pipe
+# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# ====================================================================
+#
+# Other external delivery methods.
+#
+#ifmail unix - n n - - pipe
+# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#
+#bsmtp unix - n n - - pipe
+# flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient
+#
+#scalemail-backend unix - n n - 2 pipe
+# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+# ${nexthop} ${user} ${extension}
+#
+#mailman unix - n n - - pipe
+# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+# ${nexthop} ${user}
A => etc/postfix/sasl/sasl_passwd +1 -0
@@ 1,1 @@
+[smtp.gmail.com]:587 REDACTED
A => etc/postfix/transport +3 -0
@@ 1,3 @@
+lists.tatooine.localdomain lmtp:unix:/tmp/lists.sr.ht-lmtp.sock
+tatooine.localdomain local:tatooine
+tatooine local:tatooine
A => etc/postgresql/postgresql.conf +619 -0
@@ 1,619 @@
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+# name = value
+#
+# (The "=" is optional.) Whitespace may be used. Comments are introduced with
+# "#" anywhere on a line. The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal. If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()". Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on". Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units: B = bytes Time units: us = microseconds
+# kB = kilobytes ms = milliseconds
+# MB = megabytes s = seconds
+# GB = gigabytes min = minutes
+# TB = terabytes h = hours
+# d = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable
+
+data_directory = '/var/lib/postgresql/data' # use data in another directory
+hba_file = '/var/lib/postgresql/data/pg_hba.conf' # host-based authentication file
+ident_file = '/var/lib/postgresql/data/pg_ident.conf' # ident configuration file
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = '' # write an extra PID file
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+listen_addresses = 'localhost' # comma-separated list of addresses; defaults to 'localhost'; use '*' for all
+port = 5432
+#max_connections = 100
+#superuser_reserved_connections = 3
+unix_socket_directories = '/run/postgresql' # comma-separated list of directories
+#unix_socket_group = ''
+#unix_socket_permissions = 0777 # begin with 0 to use octal notation
+bonjour = off
+#bonjour_name = '' # defaults to the computer name
+
+# - TCP settings -
+# see "man tcp" for details
+
+tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; 0 selects the system default
+tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; 0 selects the system default
+tcp_keepalives_count = 0 # TCP_KEEPCNT; 0 selects the system default
+tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds; 0 selects the system default
+
+client_connection_check_interval = 0 # time between checks for client disconnection while running queries; 0 for never
+
+# - Authentication -
+
+#authentication_timeout = 1min # 1s-600s
+#password_encryption = scram-sha-256 # scram-sha-256 or md5
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_crl_dir = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1.2'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+#shared_buffers = 32MB # min 128kB
+#huge_pages = try # on, off, or try
+#huge_page_size = 0 # zero for system default
+#temp_buffers = 8MB # min 800kB
+#max_prepared_transactions = 0 # zero disables the feature; it is not advisable to set nonzero unless you actively intend to use prepared transactions
+#work_mem = 4MB # min 64kB
+#hash_mem_multiplier = 1.0 # 1-1000.0 multiplier on hash table work_mem
+#maintenance_work_mem = 64MB # min 1MB
+#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
+#logical_decoding_work_mem = 64MB # min 64kB
+#max_stack_depth = 2MB # min 100kB
+#shared_memory_type = mmap # the default is the first option supported by the operating system: mmap, sysv, windows
+#dynamic_shared_memory_type = posix # the default is the first option supported by the operating system: posix, sysv, windows, mmap
+#min_dynamic_shared_memory = 0MB
+
+# - Disk -
+
+#temp_file_limit = -1 # limits per-process temp file space in kilobytes, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000 # min 64
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1 # 0-10000 credits
+#vacuum_cost_page_miss = 2 # 0-10000 credits
+#vacuum_cost_page_dirty = 20 # 0-10000 credits
+#vacuum_cost_limit = 200 # 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms # 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 0 # measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#backend_flush_after = 0 # measured in pages, 0 disables
+#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
+#maintenance_io_concurrency = 10 # 1-1000; 0 disables prefetching
+#max_worker_processes = 8 # (change requires restart)
+#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
+#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
+#max_parallel_workers = 8 # maximum number of max_worker_processes that can be used in parallel operations
+#parallel_leader_participation = on
+#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica # minimal, replica, or logical
+#fsync = on # flush data to disk for crash safety (turning this off can cause unrecoverable data corruption)
+#synchronous_commit = on # synchronization level; off, local, remote_write, remote_apply, on
+#wal_sync_method = fsync # the default is the first option supported by the operating system: open_datasync, fdatasync (default on Linux and FreeBSD), fsync, fsync_writethrough, open_sync
+#full_page_writes = on # recover from partial page writes
+#wal_log_hints = off # also do full page writes of non-critical updates
+#wal_compression = off # enable compression of full-page writes
+#wal_init_zero = on # zero-fill new WAL files
+#wal_recycle = on # recycle WAL files
+#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
+#wal_writer_delay = 200ms # 1-10000 milliseconds
+#wal_writer_flush_after = 1MB # measured in pages, 0 disables
+#wal_skip_threshold = 2MB
+
+#commit_delay = 0 # range 0-100000, in microseconds
+#commit_siblings = 5 # range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min # range 30s-1d
+#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 0 # measured in pages, 0 disables
+#checkpoint_warning = 30s # 0 disables
+#max_wal_size = 1GB
+#min_wal_size = 80MB
+
+# - Archiving -
+
+#archive_mode = off # enables archiving; off, on, or always
+#Placeholders for archive_command and restore_command:
+# %p = path of file to archive
+# %f = file name only
+#archive_command = '' # command to use to archive a logfile segment; placeholders: %p = path of file to archive, %f = file name only
+#archive_timeout = 0 # force a logfile segment switch after this number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = '' # command to use to restore an archived logfile segment
+#archive_cleanup_command = '' # command to execute at every restartpoint; see placeholders on line 198
+#recovery_end_command = '' # command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = '' # 'immediate' to end recovery as soon as a consistent state is reached
+#recovery_target_name = '' # the named restore point to which recovery will proceed
+#recovery_target_time = '' # the time stamp up to which recovery will proceed
+#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
+#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
+#recovery_target_inclusive = on # Specifies whether to stop: just after the specified recovery target (on), or just before the recovery target (off)
+#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
+#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the primary and on any standby that will send replication data.
+
+#max_wal_senders = 10 # max number of walsender processes
+#max_replication_slots = 10 # max number of replication slots
+#wal_keep_size = 0 # in megabytes; 0 disables
+#max_slot_wal_keep_size = -1 # in megabytes; -1 disables
+#wal_sender_timeout = 60s # in milliseconds; 0 disables
+#track_commit_timestamp = off # collect timestamp of transaction commit
+
+# - Primary Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = '' # standby servers that provide sync rep method to choose sync standbys, number of sync standbys, and comma-separated list of application_name from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a primary server.
+
+#primary_conninfo = '' # connection string to sending server
+#primary_slot_name = '' # replication slot on sending server
+#promote_trigger_file = '' # file name whose presence ends recovery
+#hot_standby = on # "off" disallows queries during recovery
+#max_standby_archive_delay = 30s # max delay before canceling queries when reading WAL from archive; -1 allows indefinite delay
+#max_standby_streaming_delay = 30s # max delay before canceling queries when reading streaming WAL; -1 allows indefinite delay
+#wal_receiver_create_temp_slot = off # create temp slot if primary_slot_name is not set
+#wal_receiver_status_interval = 10s # send replies at least this often; 0 disables
+#hot_standby_feedback = off # send info from standby to prevent query conflicts
+#wal_receiver_timeout = 60s # time that receiver waits for communication from primary in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s # time to wait before retrying to retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4 # taken from max_worker_processes
+#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_async_append = on
+#enable_bitmapscan = on
+#enable_gathermerge = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_incremental_sort = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_memoize = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_seqscan = on
+#enable_sort = on
+#enable_tidscan = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0 # measured on an arbitrary scale
+#random_page_cost = 4.0 # same scale as above
+#cpu_tuple_cost = 0.01 # same scale as above
+#cpu_index_tuple_cost = 0.005 # same scale as above
+#cpu_operator_cost = 0.0025 # same scale as above
+#parallel_setup_cost = 1000.0 # same scale as above
+#parallel_tuple_cost = 0.1 # same scale as above
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+
+#jit_above_cost = 100000 # perform JIT compilation if available and query more expensive than this; -1 disables
+#jit_inline_above_cost = 500000 # inline small functions if query is more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if query is more expensive than this; -1 disables
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5 # range 1-10
+#geqo_pool_size = 0 # selects default based on effort
+#geqo_generations = 0 # selects default based on effort
+#geqo_selection_bias = 2.0 # range 1.5-2.0
+#geqo_seed = 0.0 # range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100 # range 1-10000
+#constraint_exclusion = partition # on, off, or partition
+#cursor_tuple_fraction = 0.1 # range 0.0-1.0
+#from_collapse_limit = 8
+#jit = on # allow JIT compilation
+#join_collapse_limit = 8 # 1 disables collapsing of explicit JOIN clauses
+#plan_cache_mode = auto # auto, force_generic_plan or force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+log_destination = 'stderr' # Valid values are combinations of stderr, csvlog, syslog, and eventlog, depending on platform. csvlog requires logging_collector to be on.
+
+# This is used when logging to stderr:
+logging_collector = off # Enable capturing of stderr and csvlog into log files. Required to be on for csvlogs.
+
+# These are only used if logging_collector is on:
+#log_directory = 'log' # directory where log files are written, can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, can include strftime() escapes
+#log_file_mode = 0600 # creation mode for log files, begin with 0 to use octal notation
+#log_rotation_age = 1d # Automatic rotation of logfiles will happen after that time. 0 disables.
+#log_rotation_size = 10MB # Automatic rotation of logfiles will happen after that much log output. 0 disables.
+#log_truncate_on_rotation = off # If on, an existing log file with the same name as the new log file will be truncated rather than appended to. But such truncation only occurs on time-driven rotation, not on restarts or size-driven rotation. Default is off, meaning append to existing files in all cases.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (Windows):
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+# Values for log_min_messages and log_min_error_statement:
+# debug5
+# debug4
+# debug3
+# debug2
+# debug1
+# info
+# notice
+# warning
+# error
+# log
+# fatal
+# panic
+log_min_messages = info
+
+log_min_error_statement = info # see values on line 368; panic = effectively off
+
+#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements and their durations, > 0 logs only statements running at least this number of milliseconds
+
+#log_min_duration_sample = -1 # -1 is disabled, 0 logs a sample of statements and their durations, > 0 logs only a sample of statements running at least this number of milliseconds; sample fraction is determined by log_statement_sample_rate
+
+#log_statement_sample_rate = 1.0 # fraction of logged statements exceeding log_min_duration_sample to be logged; 1.0 logs all such statements, 0.0 never logs
+
+
+#log_transaction_sample_rate = 0.0 # fraction of transactions whose statements are logged regardless of their duration; 1.0 logs all statements from all transactions, 0.0 never logs
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_autovacuum_min_duration = -1 # log autovacuum activity; -1 disables, 0 logs all actions and their durations, > 0 logs only actions running at least this number of milliseconds.
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default # terse, default, or verbose messages
+#log_hostname = off
+# Placeholders for log_line_prefix:
+# %a = application name
+# %u = user name
+# %d = database name
+# %r = remote host and port
+# %h = remote host
+# %b = backend type
+# %p = process ID
+# %P = process ID of parallel group leader
+# %t = timestamp without milliseconds
+# %m = timestamp with milliseconds
+# %n = timestamp with milliseconds (as a Unix epoch)
+# %Q = query ID (0 if none or not computed)
+# %i = command tag
+# %e = SQL state
+# %c = session ID
+# %l = session line number
+# %s = session start timestamp
+# %v = virtual transaction ID
+# %x = transaction ID (0 if none)
+# %q = stop here in non-session processes
+# %% = '%'
+#log_line_prefix = '%m [%p] '
+#log_lock_waits = off # log lock waits >= deadlock_timeout
+#log_recovery_conflict_waits = off # log standby recovery conflict waits >= deadlock_timeout
+#log_parameter_max_length = -1 # when logging statements, limit logged bind-parameter values to N bytes; -1 means print in full, 0 disables
+#log_parameter_max_length_on_error = 0 # when logging an error, limit logged bind-parameter values to N bytes; -1 means print in full, 0 disables
+#log_statement = 'none' # none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1 # log temporary files equal or larger than the specified size in kilobytes; -1 disables, 0 logs all temp files
+#log_timezone = 'GMT'
+
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = '' # added to process titles if nonempty
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_activity_query_size = 1024
+#track_counts = on
+#track_io_timing = off
+#track_wal_io_timing = off
+#track_functions = none # none, pl, all
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#compute_query_id = auto
+#log_statement_stats = off
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on # Enable autovacuum subprocess? 'on' requires track_counts to also be on.
+#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
+#autovacuum_naptime = 1min # time between autovacuum runs
+#autovacuum_vacuum_threshold = 50 # min number of row updates before vacuum
+#autovacuum_vacuum_insert_threshold = 1000 # min number of row inserts before vacuum; -1 disables insert vacuums
+#autovacuum_analyze_threshold = 50 # min number of row updates before analyze
+#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
+#autovacuum_vacuum_insert_scale_factor = 0.2 # fraction of inserts over table size before insert vacuum
+#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
+#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age before forced vacuum
+#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for autovacuum, in milliseconds; -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for autovacuum, -1 means use vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+# Values for client_min_messages:
+# debug5
+# debug4
+# debug3
+# debug2
+# debug1
+# log
+# notice
+# warning
+# error
+#client_min_messages = notice
+#search_path = '"$user", public' # schema names
+#row_security = on
+#default_table_access_method = 'heap'
+#default_tablespace = '' # a tablespace name, '' uses the default
+#default_toast_compression = 'pglz' # 'pglz' or 'lz4'
+#temp_tablespaces = '' # a list of tablespace names, '' uses only default tablespace
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0 # in milliseconds, 0 is disabled
+#lock_timeout = 0 # in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
+#idle_session_timeout = 0 # in milliseconds, 0 is disabled
+#vacuum_freeze_table_age = 150000000
+#vacuum_freeze_min_age = 50000000
+#vacuum_failsafe_age = 1600000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_failsafe_age = 1600000000
+#bytea_output = 'hex' # hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+#datestyle = 'iso, mdy'
+#intervalstyle = 'postgres'
+#timezone = 'GMT'
+#timezone_abbreviations = 'Default' # Select the set of available time zone abbreviations; Default, Australia (historical usage), India; You can create your own file in share/timezonesets/.
+#extra_float_digits = 1 # min -15, max 3; any value >0 actually selects precise output mode
+#client_encoding = sql_ascii # actually, defaults to database encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#lc_messages = 'C' # locale for system error message strings
+#lc_monetary = 'C' # locale for monetary formatting
+#lc_numeric = 'C' # locale for number formatting
+#lc_time = 'C' # locale for time formatting
+
+# default configuration for text search
+#default_text_search_config = 'pg_catalog.simple'
+
+# - Shared Library Preloading -
+
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#shared_preload_libraries = '' # (change requires restart)
+#jit_provider = 'llvmjit' # JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+#gin_fuzzy_search_limit = 0
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64 # min 10
+#max_pred_locks_per_transaction = 64 # min 10
+#max_pred_locks_per_relation = -2 # negative values mean; (max_pred_locks_per_transaction / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2 # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding # on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off # terminate session on any error?
+#restart_after_crash = on # reinitialize after backend crash?
+#data_sync_retry = off # retry or panic on failure to fsync data?
+#recovery_init_sync_method = fsync # fsync, syncfs (Linux 5.8+)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf. Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...' # include files ending in '.conf' from a directory, e.g., 'conf.d'
+#include_if_exists = '...' # include file only if it exists
+#include = '...' # include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
A => etc/sr.ht/config.ini +210 -0
@@ 1,210 @@
+[sr.ht]
+site-name=tatooine
+site-info=https://dominic-ricottone.com
+site-blurb=hutt
+owner-name=Dominic Ricottone
+owner-email=me@dominic-ricottone.com
+
+#environment=production
+environment=development
+
+# URL for source code?
+source-url=https://git.sr.ht/~sircmpwn/srht
+# URL for privacy policy?
+privacy-policy=
+# Email address to contact regarding security?
+security-address=
+
+# try: `srht-keygen service`
+service-key=REDACTED
+# try: `srht-keygen network`
+network-key=REDACTED
+
+redis-host=redis://localhost
+
+
+[objects]
+s3-upstream=
+s3-access-key=
+s3-secret-key=
+
+[mail]
+smtp-host=tatooine
+smtp-port=25
+smtp-from=hutt@tatooine
+smtp-encryption=insecure
+smtp-auth=none
+smtp-user=
+smtp-password=
+
+# Email address to dump exceptions at?
+error-to=me@dominic-ricottone.com
+error-from=hutt@tatooine
+
+pgp-privkey=/etc/sr.ht/pgp.key
+pgp-pubkey=/etc/sr.ht/pgp.pubkey
+pgp-key-id=REDACTED
+
+
+[webhooks]
+# try: `srht-keygen webhook`
+private-key=REDACTED
+
+
+[git.sr.ht]
+origin=http://git.intra.dominic-ricottone.com
+debug-host=0.0.0.0
+debug-port=5001
+api-origin=http://localhost:5101
+# try: meta.localhost/oauth
+oauth-client-id=CHANGEME
+oauth-client-secret=CHANGEME
+repos=/rar/lib/git/
+post-update-script=/usr/bin/gitsrht-update-hook
+outgoing-domain=tatooine
+
+# SQLAlchemy connection string
+#connection-string=postgresql://postgres@localhost/git.sr.ht
+connection-string=postgresql://postgres@localhost/git.sr.ht?sslmode=disable
+migrate-on-upgrade=yes
+
+# Webhooks connection string
+webhooks=redis://localhost:6379/1
+
+s3-bucket=
+s3-prefix=
+
+
+
+[git.sr.ht::api]
+max-complexity=200
+max-duration=3s
+internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
+
+
+[git.sr.ht::dispatch]
+/usr/bin/gitsrht-keys=git:git
+#/usr/bin/buildsrht-keys=builds:builds
+
+
+[lists.sr.ht]
+origin=http://localhost:5006
+# try: meta.localhost/oauth
+oauth-client-id=
+oauth-client-secret=
+api-origin=http://localhost:5106
+posting-domain=lists.tatooine
+allow-new-lists=no
+
+# debug host
+debug-host=0.0.0.0
+debug-port=5006
+
+# SQLAlchemy connection string
+#connection-string=postgresql://postgres@localhost/lists.sr.ht
+connection-string=postgresql://postgres@localhost/lists.sr.ht?sslmode=disable
+migrate-on-upgrade=yes
+
+# Webhooks connection string
+webhooks=redis://localhost:6379/1
+
+# Celery connection string
+redis=redis://localhost:6379/0
+
+# Trusted upstream SMTP server generating Authentication-Results header fields
+msgauth-server=tatooine
+
+
+[lists.sr.ht::worker]
+protocol=lmtp
+sock=/tmp/lists.sr.ht-lmtp.sock
+sock-group=postfix
+
+# Content types to reject?
+reject-mimetypes=text/html
+
+# URL for rejection notice?
+reject-url=https://man.sr.ht/lists.sr.ht/etiquette.md
+
+
+[lists.sr.ht::api]
+max-complexity=200
+max-duration=90s
+internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
+
+
+[lists.sr.ht::redirects]
+
+
+[meta.sr.ht]
+origin=http://localhost:5000
+welcome-emails=no
+api-origin=http://localhost:5100
+
+# Debug host
+debug-host=0.0.0.0
+debug-port=5000
+
+# SQLAlchemy connection string
+#connection-string=postgresql://postgres@localhost/meta.sr.ht
+connection-string=postgresql://postgres@localhost/meta.sr.ht?sslmode=disable
+migrate-on-upgrade=yes
+
+# Webhooks connection string
+webhooks=redis://localhost:6379/1
+
+
+[meta.sr.ht::api]
+max-complexity=200
+max-duration=3s
+internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
+
+
+[meta.sr.ht::settings]
+registration=no
+onboarding-redirect=https://dominic-ricottone.com
+user-invites=0
+
+
+[meta.sr.ht::aliases]
+
+
+[meta.sr.ht::billing]
+enabled=no
+
+# Stripe API
+stripe-public-key=
+stripe-secret-key=
+
+
+[meta.sr.ht::auth]
+#auth-method=unix-pam
+auth-method=builtin
+
+
+[meta.sr.ht::auth::unix-pam]
+email-default-domain=dominic-ricottone.com
+service=sshd
+admin-group=wheel
+create-users=no
+user-group=srht
+
+
+[todo.sr.ht]
+origin=http://localhost:5003
+debug-host=0.0.0.0
+debug-port=5003
+# try: meta.localhost/oauth
+oauth-client-id=
+oauth-client-secret=
+notify-from=hutt@tatooine
+
+# SQLAlchemy connection string
+#connection-string=postgresql://postgres@localhost/todo.sr.ht
+connection-string=postgresql://postgres@localhost/todo.sr.ht?sslmode=disable
+migrate-on-upgrade=yes
+
+# Webhooks connection string
+webhooks=redis://localhost:6379/1
+
+
A => etc/supervisor/conf.d/supervisord.conf +50 -0
@@ 1,50 @@
+[supervisord]
+childlogdir=/var/log/supervisord
+logfile=/dev/stderr
+logfile_maxbytes=0
+nodaemon=true
+user=root
+
+[program:crond]
+autostart=true
+command=crond -f -l 2
+redirect_stderr=true
+
+[program:postfix]
+autorestart=false
+command=postfix start
+startsecs=0
+redirect_stderr=true
+
+[program:postgresql]
+autorestart=true
+command=postgres -c config_file=/etc/postgresql/postgresql.conf
+redirect_stderr=true
+user=postgres
+
+[program:redis]
+autorestart=true
+command=redis-server --save 60 1 --loglevel warning
+redirect_stderr=true
+
+[program:spawn-fcgi]
+autorestart=true
+command=spawn-fcgi -n -u nginx -p 9000 -- /usr/bin/fcgiwrap -f
+redirect_stderr=true
+
+[program:metasrht]
+autorestart=true
+command=gunicorn metasrht.app:app -b 127.0.0.1:5000 -c /etc/sr.ht/meta.sr.ht.gunicorn.conf.py
+redirect_stderr=true
+
+[program:metasrht-api]
+autorestart=true
+command=metasrht-api
+redirect_stderr=true
+
+[program:nginx]
+autostart=true
+command=nginx -g 'daemon off;'
+redirect_stderr=true
+
+
A => usr/share/nginx/html/index.html +12 -0
@@ 1,12 @@
+<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8" name="viewport" content="width=device-width, initial-scale=1">
+<title>Hello world</title>
+</head>
+<body>
+<h1>Hello world</h1>
+<p>This is a test page.</p>
+</body>
+</html>
+
A => usr/share/nginx/html/test.cgi +4 -0
@@ 1,4 @@
+#!/bin/sh
+echo "<h1>Hello world</h1>"
+echo "<p>This is a really dumb CGI script</p>"
+
A => usr/share/nginx/html/test.php +2 -0
@@ 1,2 @@
+<?php var_export($_SERVER)?>
+