
fe46d748b6290411d1878311cda721400459fe4a — Dominic Ricottone 2 years ago 6476da7
Fixes to configuration

metasrht now runs and is accessible. The /register path is broken
though, and I'll need to play with NGINX proxying to fix it.
The container-internal web port (8080) is being appended to the URL. The
simplest solution is probably to switch the web port back to 80.
Need to set up a TLS certificate as well, so that I only have to
migrate this once.

A minor issue: the web page reads "Welcome to localhost:5000!". It seems
the `origin` key in the config files needs to be the public address, not
the internal address.

Also, now ready for persistent git repos.
M Makefile => Makefile +5 -1
@@ 18,6 18,9 @@ POSTGRES_LOCALNAME=my-postgres
POSTGRES_DATADIR=/home/al_dente/dev/huttese/postgres
POSTGRES_CONF=/home/al_dente/dev/huttese/etc/postgresql/postgresql.conf

# configure git
GIT_DATADIR=/home/al_dente/dev/huttese/git/datadir

# set image tag data
SRHT_LOCALNAME=srht
SRHT_LOCALVERSION=1


@@ 97,6 100,7 @@ start: image

	$(CONMAN) run --detach --name $(HUTTESE_SRHT) --restart always \
		--hostname tatooine -p 80:8080 \
		--mount type=bind,src=$(GIT_DATADIR),dst=/var/lib/git \
		$(SRHT_LOCALNAME)
	$(CONMAN) network connect --alias $(HUTTESE_SRHT) \
		$(HUTTESE_NETWORK) $(HUTTESE_SRHT)


@@ 112,6 116,6 @@ restart:
	$(CONMAN) restart $(SRHT_LOCALNAME)

clean:
	$(CONMAN) rm --force $(SRHT_LOCALNAME) >/dev/null 2>&1 || true
	$(CONMAN) rm --force $(HUTTESE_SRHT) >/dev/null 2>&1 || true
	$(CONMAN) image rm --force $(SRHT_LOCALNAME):latest >/dev/null 2>&1 || true

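Review bot: The `start` recipe publishes the container on every host interface with `-p 80:8080` while the commit message says /register, cookie scoping and TLS are all still unsettled, so a cleartext development instance is reachable from anything that can reach the host. Until the certificate is in place, binding to loopback keeps it local: `--hostname tatooine -p 127.0.0.1:80:8080 \`. The new `--mount type=bind,src=$(GIT_DATADIR)` line hard-codes a path under one user's home and, with `type=bind`, the engine either refuses to start or (depending on what `$(CONMAN)` is) creates a root-owned directory when that path does not exist yet, so unless the `setup` target already creates it, an `mkdir -p $(GIT_DATADIR)` line before the `run` makes `make start` self-contained. The `start` target's header is outside the hunk.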

M README.md => README.md +4 -6
@@ 9,7 9,7 @@ Makefile is in the top-level directory.

## To-Do

nginx proxying is not working.
nginx proxying is working sometimes.

need metasrht service to become accessible so that i can register oauth for git, lists, todo services.



@@ 17,14 17,12 @@ should also setup the metasrht-webhook process (`celery -A metasrht.webhooks wor

maybe should run migration (`metasrht-migrate -a upgrade head`) every time?

probably should not be running most of these services as `root`.
[apkbuilds repo](https://git.sr.ht/~sircmpwn/sr.ht-apkbuilds/tree) indicates that metasrht (and friends) run as `meta`.
Probably have `git`, `lists`, `todo`, and `build` users.

most importantly, need to figure out how to secure pgp keys, worker private key, network private key, and webhook private key.

cleanup the postgres files, probably to a `pg` directory.

for now, not targeting listssrht. may add later.


## Installation



@@ 33,7 31,7 @@ Disable the haproxy docker container.
Paste the following into the hosts file:

```
127.0.0.1       git.intra.dominic-ricottone.com lists.intra.dominic-ricottone.com meta.intra.dominic-ricottone.com todo.intra.dominic-ricottone.com
127.0.0.1       git.intra.dominic-ricottone.com meta.intra.dominic-ricottone.com todo.intra.dominic-ricottone.com test.intra.dominic-ricottone.com
```

Run `make setup && make image && make dbinit && make start`.

M sr/Dockerfile => sr/Dockerfile +2 -1
@@ 19,7 19,7 @@ COPY --chown=nginx:nginx usr/share/nginx/html/test.cgi /usr/share/nginx/html/tes
COPY --chown=nginx:nginx usr/share/nginx/html/test.php /usr/share/nginx/html/test.php
COPY etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf
COPY etc/nginx/http.d/git.conf /etc/nginx/http.d/git.conf
COPY etc/nginx/http.d/lists.conf /etc/nginx/http.d/lists.conf
#COPY etc/nginx/http.d/lists.conf /etc/nginx/http.d/lists.conf
COPY etc/nginx/http.d/meta.conf /etc/nginx/http.d/meta.conf
COPY etc/nginx/http.d/todo.conf /etc/nginx/http.d/todo.conf



@@ 34,6 34,7 @@ COPY etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd
RUN postmap /etc/postfix/sasl/sasl_passwd

# setup sourcehut
VOLUME /var/lib/git
COPY etc/sr.ht/config.ini /etc/sr.ht/config.ini
COPY etc/sr.ht/pgp.key /etc/sr.ht/pgp.key
COPY etc/sr.ht/pgp.pubkey /etc/sr.ht/pgp.pubkey
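Review bot: The new `VOLUME /var/lib/git` sits beside `COPY` lines that bake `/etc/sr.ht/pgp.key` (and, per the hunk header, `etc/postfix/sasl/sasl_passwd`) into an image layer, so every image export, registry push or `docker history` of `srht` carries the PGP private key and SMTP credentials. Since the commit already bind-mounts `/var/lib/git` from the host at run time, the same pattern keeps secrets out of the image: drop the `COPY etc/sr.ht/pgp.key` line and mount the key with `--mount type=bind,src=...,dst=/etc/sr.ht/pgp.key,ro` in the Makefile's `run`, or use the engine's secrets facility. The volume is declared without creating the directory or setting its owner; if the git services are later moved off root as the README plans, a `RUN mkdir -p /var/lib/git && chown git:git /var/lib/git` (once such a user exists in the image) before `VOLUME` avoids the mount coming up root-owned. Nothing in the hunk fixes the copied key's owner or mode, so whether the service user can read it depends on the source file's permissions in the build context — worth pinning with `COPY --chown=meta:meta --chmod=0400` if the build engine supports those flags.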

M sr/etc/sr.ht/config.ini => sr/etc/sr.ht/config.ini +2 -50
@@ 4,6 4,7 @@ site-info=https://dominic-ricottone.com
site-blurb=hutt
owner-name=Dominic Ricottone
owner-email=me@dominic-ricottone.com
global-domain=http://intra.dominic-ricottone.com

#environment=production
environment=development


@@ 38,7 39,7 @@ smtp-user=
smtp-password=

# Email address to dump exceptions at?
error-to=me@dominic-ricottone.com
error-to=REDACTED
error-from=hutt@tatooine

pgp-privkey=/etc/sr.ht/pgp.key


@@ 87,55 88,6 @@ internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
#/usr/bin/buildsrht-keys=builds:builds


[lists.sr.ht]
origin=http://localhost:5006
# try: meta.localhost/oauth
oauth-client-id=
oauth-client-secret=
api-origin=http://localhost:5106
posting-domain=lists.tatooine
allow-new-lists=no

# debug host
debug-host=0.0.0.0
debug-port=5006

# SQLAlchemy connection string
#connection-string=postgresql://postgres@huttpg:5432/lists.sr.ht
connection-string=postgresql://postgres@huttpg:5432/lists.sr.ht?sslmode=disable
migrate-on-upgrade=yes

# Webhooks connection string
webhooks=redis://huttredis:6379/1

# Celery connection string
redis=redis://huttredis:6379/0

# Trusted upstream SMTP server generating Authentication-Results header fields
msgauth-server=tatooine


[lists.sr.ht::worker]
protocol=lmtp
sock=/tmp/lists.sr.ht-lmtp.sock
sock-group=postfix

# Content types to reject?
reject-mimetypes=text/html

# URL for rejection notice?
reject-url=https://man.sr.ht/lists.sr.ht/etiquette.md


[lists.sr.ht::api]
max-complexity=200
max-duration=90s
internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8


[lists.sr.ht::redirects]


[meta.sr.ht]
origin=http://localhost:5000
welcome-emails=no
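Review bot: The added `global-domain=http://intra.dominic-ricottone.com` in the first hunk is a URL, whereas upstream's example config treats `global-domain` as a bare cookie domain (`global-domain=.example.org`) used to share the session cookie across the service subdomains; with a scheme in the value the cookie's `Domain` attribute is invalid and browsers will drop or mis-scope it, which could be part of the /register trouble the commit message describes. If that is the setting's meaning here, `global-domain=.intra.dominic-ricottone.com` is the form to use, and a comment such as `# cookie domain shared by git./meta./todo. - bare domain, no scheme` would stop the next edit from re-adding one. That inference comes from the upstream example config rather than from anything visible in this file, so confirm it against the running meta.sr.ht before changing it. The `[sr.ht]` section header is above the hunk.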

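--- /dev/null
+++ b/sr/etc/sr.ht/lists.config.ini
@@ -0,0 +1,48 @@
+[lists.sr.ht]
+origin=http://localhost:5006
+# try: meta.localhost/oauth
+oauth-client-id=
+oauth-client-secret=
+api-origin=http://localhost:5106
+posting-domain=lists.tatooine
+allow-new-lists=no
+
+# debug host
+debug-host=0.0.0.0
+debug-port=5006
+
+# SQLAlchemy connection string
+#connection-string=postgresql://postgres@huttpg:5432/lists.sr.ht
+connection-string=postgresql://postgres@huttpg:5432/lists.sr.ht?sslmode=disable
+migrate-on-upgrade=yes
+
+# Webhooks connection string
+webhooks=redis://huttredis:6379/1
+
+# Celery connection string
+redis=redis://huttredis:6379/0
+
+# Trusted upstream SMTP server generating Authentication-Results header fields
+msgauth-server=tatooine
+
+
+[lists.sr.ht::worker]
+protocol=lmtp
+sock=/tmp/lists.sr.ht-lmtp.sock
+sock-group=postfix
+
+# Content types to reject?
+reject-mimetypes=text/html
+
+# URL for rejection notice?
+reject-url=https://man.sr.ht/lists.sr.ht/etiquette.md
+
+
+[lists.sr.ht::api]
+max-complexity=200
+max-duration=90s
+internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
+
+
+[lists.sr.ht::redirects]
+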
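Review bot: `debug-host=0.0.0.0` makes the debug listener bind every interface of the container while `connection-string` carries `?sslmode=disable` and `oauth-client-secret=` is an empty placeholder in a file kept under version control; nothing visible in this commit loads this file (the Dockerfile copies only `config.ini`), so this is a hazard for whenever lists.sr.ht is wired in rather than a live exposure. Binding the debug listener to loopback, `debug-host=127.0.0.1`, matches the `-b 127.0.0.1:5000` already used for gunicorn in supervisord.conf and leaves nginx as the only entry point. `internal-ipnet` granting internal status to all of `192.168.0.0/16` and `10.0.0.0/8` means any container on the same bridge network is trusted by the API; restricting it to the `$(HUTTESE_NETWORK)` subnet once that is known would be tighter. When real values for `oauth-client-id`/`oauth-client-secret` are obtained, keeping them out of the committed file (an env-substituted template or a mounted secret) avoids a second copy of credentials living next to the PGP key in the repository.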
M sr/etc/supervisor/conf.d/supervisord.conf => sr/etc/supervisor/conf.d/supervisord.conf +2 -0
@@ 25,11 25,13 @@ redirect_stderr=true
autorestart=true
command=gunicorn metasrht.app:app -b 127.0.0.1:5000 -c /etc/sr.ht/meta.sr.ht.gunicorn.conf.py
redirect_stderr=true
user=meta

[program:metasrht-api]
autorestart=true
command=metasrht-api
redirect_stderr=true
user=meta

[program:nginx]
autostart=true
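Review bot: The new `user=meta` lines drop metasrht and metasrht-api to an unprivileged user, but nothing in the commit adjusts what that user can read: `/etc/sr.ht/config.ini` and `/etc/sr.ht/pgp.key` are copied into the image without `--chown`, so they arrive root-owned with whatever mode the source files had in the build context — either world-readable, in which case every other service user can read the PGP private key and `smtp-password`, or unreadable, in which case gunicorn fails at startup and `autorestart=true` turns that into a crash loop. Worth pinning in the Dockerfile, e.g. `COPY --chown=meta:meta --chmod=0400 etc/sr.ht/pgp.key /etc/sr.ht/pgp.key`, or creating a shared `srht` group for the per-service users and installing the config as `0640 root:srht`. Whether a `meta` user already exists in the image is not visible here; supervisord will not launch a program whose `user` cannot be resolved. The `[program:metasrht]` header is above the hunk.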