From fe46d748b6290411d1878311cda721400459fe4a Mon Sep 17 00:00:00 2001
From: Dominic Ricottone
Date: Wed, 31 Aug 2022 08:04:15 -0500
Subject: [PATCH] Fixes to configuration

metasrht now runs and is accessible. The /register path is broken though, and I'll need to play with NGINX proxying to fix it. The container-internal web port (8080) is being appended to the URL. The simplest solution is probably to switch the web port back to 80. Need to setup SSL/TLS certificate as well, so that I only have to migrate this once. A minor issue: the web page reads "Welcome to localhost:5000!". It seems the `origin` key in the config files needs to be the public address, not the internal address. Also, now ready for persistent git repos.
---
 Makefile | 6 ++-
 README.md | 10 ++---
 sr/Dockerfile | 3 +-
 sr/etc/sr.ht/config.ini | 52 +----------------------
 sr/etc/sr.ht/lists.config.ini | 48 +++++++++++++++++++++
 sr/etc/supervisor/conf.d/supervisord.conf | 2 +
 6 files changed, 63 insertions(+), 58 deletions(-)
 create mode 100644 sr/etc/sr.ht/lists.config.ini

diff --git a/Makefile b/Makefile
index cc3a1d0..c933072 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,9 @@ POSTGRES_LOCALNAME=my-postgres
 POSTGRES_DATADIR=/home/al_dente/dev/huttese/postgres
 POSTGRES_CONF=/home/al_dente/dev/huttese/etc/postgresql/postgresql.conf
 
+# configure git
+GIT_DATADIR=/home/al_dente/dev/huttese/git/datadir
+
 # set image tag data
 SRHT_LOCALNAME=srht
 SRHT_LOCALVERSION=1
@@ -97,6 +100,7 @@ start: image
 	$(CONMAN) run --detach --name $(HUTTESE_SRHT) --restart always \
 		--hostname tatooine -p 80:8080 \
+		--mount type=bind,src=$(GIT_DATADIR),dst=/var/lib/git \
 		$(SRHT_LOCALNAME)
 	$(CONMAN) network connect --alias $(HUTTESE_SRHT) \
 		$(HUTTESE_NETWORK) $(HUTTESE_SRHT)
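Review bot: The new `--mount type=bind,src=$(GIT_DATADIR),dst=/var/lib/git` line makes `start` depend on the host directory already existing: with Docker (and, as far as I know, Podman) `--mount type=bind` refuses to start the container when `src` is missing, unlike `-v`, which silently creates it, so a fresh checkout fails at `make start` with no hint that `GIT_DATADIR` is the cause. Create the directory in the `setup` target the README already tells users to run, or as the first recipe line of `start`: `mkdir -p $(GIT_DATADIR)`. Since this is a writable bind mount, files written to `/var/lib/git` by whichever uid the git service runs as inside the container land on the host under `$(GIT_DATADIR)` with that uid, which is worth a comment next to the `GIT_DATADIR` definition in the earlier hunk. Any further recipe lines of `start` are outside the hunk.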
@@ -112,6 +116,6 @@ restart:
 	$(CONMAN) restart $(SRHT_LOCALNAME)
 
 clean:
-	$(CONMAN) rm --force $(SRHT_LOCALNAME) >/dev/null 2>&1 || true
+	$(CONMAN) rm --force $(HUTTESE_SRHT) >/dev/null 2>&1 || true
 	$(CONMAN) image rm --force $(SRHT_LOCALNAME):latest >/dev/null 2>&1 || true
 
diff --git a/README.md b/README.md
index 5c4057c..f5ab01a 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Makefile is in the top-level directory.
 
 ## To-Do
 
-nginx proxying is not working.
+nginx proxying is working sometimes.
 
 need metasrht service to become accessible so that i can register oauth for git, lists, todo services.
 
@@ -17,14 +17,12 @@ should also setup the metasrht-webhook process (`celery -A metasrht.webhooks wor
 
 maybe should run migration (`metasrht-migrate -a upgrade head`) every time?
 
-probably should not be running most of these services as `root`.
-[apkbuilds repo](https://git.sr.ht/~sircmpwn/sr.ht-apkbuilds/tree) indicates that metasrht (and friends) run as `meta`.
-Probably have `git`, `lists`, `todo`, and `build` users.
-
 most importantly, need to figure out how to secure pgp keys, worker private key, network private key, and webhook private key.
 
 cleanup the postgres files, probably to a `pg` directory.
 
+for now, not targeting listssrht. may add later.
+
 
 ## Installation
 
@@ -33,7 +31,7 @@ Disable the haproxy docker container.
 Paste the following into the hosts file:
 
 ```
-127.0.0.1 git.intra.dominic-ricottone.com lists.intra.dominic-ricottone.com meta.intra.dominic-ricottone.com todo.intra.dominic-ricottone.com
+127.0.0.1 git.intra.dominic-ricottone.com meta.intra.dominic-ricottone.com todo.intra.dominic-ricottone.com test.intra.dominic-ricottone.com
 ```
 
 Run `make setup && make image && make dbinit && make start`.
diff --git a/sr/Dockerfile b/sr/Dockerfile
index 289b4a1..85e5984 100644
--- a/sr/Dockerfile
+++ b/sr/Dockerfile
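Review bot: `clean` now removes the container by the name `start` actually gives it, `$(HUTTESE_SRHT)`, but the unchanged `restart` recipe at the top of this hunk still runs `$(CONMAN) restart $(SRHT_LOCALNAME)`, which is the image name, so `make restart` fails the same way `make clean` used to unless the two variables happen to hold the same value. Fix it in the same commit: `$(CONMAN) restart $(HUTTESE_SRHT)`. The `>/dev/null 2>&1 || true` on both `clean` lines also hides every failure, not just the "no such container" case it is meant to tolerate; a short comment stating that this is deliberate best-effort cleanup would help the next reader.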
@@ -19,7 +19,7 @@ COPY --chown=nginx:nginx usr/share/nginx/html/test.cgi /usr/share/nginx/html/tes
 COPY --chown=nginx:nginx usr/share/nginx/html/test.php /usr/share/nginx/html/test.php
 COPY etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf
 COPY etc/nginx/http.d/git.conf /etc/nginx/http.d/git.conf
-COPY etc/nginx/http.d/lists.conf /etc/nginx/http.d/lists.conf
+#COPY etc/nginx/http.d/lists.conf /etc/nginx/http.d/lists.conf
 COPY etc/nginx/http.d/meta.conf /etc/nginx/http.d/meta.conf
 COPY etc/nginx/http.d/todo.conf /etc/nginx/http.d/todo.conf
 
@@ -34,6 +34,7 @@ COPY etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd
 RUN postmap /etc/postfix/sasl/sasl_passwd
 
 # setup sourcehut
+VOLUME /var/lib/git
 COPY etc/sr.ht/config.ini /etc/sr.ht/config.ini
 COPY etc/sr.ht/pgp.key /etc/sr.ht/pgp.key
 COPY etc/sr.ht/pgp.pubkey /etc/sr.ht/pgp.pubkey
diff --git a/sr/etc/sr.ht/config.ini b/sr/etc/sr.ht/config.ini
index bc33e6a..c8b6fc3 100644
--- a/sr/etc/sr.ht/config.ini
+++ b/sr/etc/sr.ht/config.ini
@@ -4,6 +4,7 @@ site-info=https://dominic-ricottone.com
 site-blurb=hutt
 owner-name=Dominic Ricottone
 owner-email=me@dominic-ricottone.com
+global-domain=http://intra.dominic-ricottone.com
 
 #environment=production
 environment=development
@@ -38,7 +39,7 @@ smtp-user=
 smtp-password=
 
 # Email address to dump exceptions at?
-error-to=me@dominic-ricottone.com
+error-to=REDACTED
 error-from=hutt@tatooine
 
 pgp-privkey=/etc/sr.ht/pgp.key
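Review bot: The `COPY` for `lists.conf` is commented out rather than deleted, leaving a dead instruction in the Dockerfile that will drift from the file it names. Git history already preserves the old line; remove it, and if the intent is to re-enable lists later, a one-line note such as `# lists.sr.ht nginx config intentionally not installed; see README To-Do` says that more clearly than a commented-out command.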
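Review bot: `VOLUME /var/lib/git` is declared before anything creates or chowns that path, so when the container is started without the Makefile's bind mount the runtime creates an anonymous, root-owned volume, and any later build step that touches `/var/lib/git` has its changes discarded by Docker's VOLUME semantics. If the git services are meant to run as an unprivileged account, as this commit starts doing for metasrht in supervisord.conf, create and own the directory first, e.g. `RUN mkdir -p /var/lib/git && chown <GIT_SERVICE_USER> /var/lib/git` placed above `VOLUME /var/lib/git` (user name is a placeholder; the page does not show which account the git service uses). The same uid requirement applies to the host directory behind `GIT_DATADIR` in the Makefile, which is worth a comment here.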
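Review bot: `global-domain=http://intra.dominic-ricottone.com` carries a URL scheme, but as far as I recall sr.ht's example config documents `global-domain` as a bare domain (`global-domain=example.org`) that is used for session cookies, so a value starting with `http://` would likely yield an invalid cookie domain and break logins across the subdomains. Please confirm against the srht core config and, if so, change it to `global-domain=intra.dominic-ricottone.com`. A short comment above the line stating what the key is used for would stop the next edit from re-introducing a scheme.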
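Review bot: `error-to=REDACTED` is not a redaction for the reader only: the Dockerfile hunk in this same patch copies `etc/sr.ht/config.ini` into the image unchanged, so the running metasrht will try to mail exception reports to the literal recipient `REDACTED`, and the scrub is also inconsistent with `owner-email=me@dominic-ricottone.com` left in the first hunk of this file. If the goal is to keep personal data and secrets (`smtp-password=`, `pgp-privkey` material) out of git, the durable fix is a checked-in template with placeholders that is filled in at build or start time, rather than hand-editing one key. At minimum, add a comment such as `# set to a real mailbox before building the image` so the value is not deployed as-is.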
@@ -87,55 +88,6 @@ internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
 #/usr/bin/buildsrht-keys=builds:builds
 
 
-[lists.sr.ht]
-origin=http://localhost:5006
-# try: meta.localhost/oauth
-oauth-client-id=
-oauth-client-secret=
-api-origin=http://localhost:5106
-posting-domain=lists.tatooine
-allow-new-lists=no
-
-# debug host
-debug-host=0.0.0.0
-debug-port=5006
-
-# SQLAlchemy connection string
-#connection-string=postgresql://postgres@huttpg:5432/lists.sr.ht
-connection-string=postgresql://postgres@huttpg:5432/lists.sr.ht?sslmode=disable
-migrate-on-upgrade=yes
-
-# Webhooks connection string
-webhooks=redis://huttredis:6379/1
-
-# Celery connection string
-redis=redis://huttredis:6379/0
-
-# Trusted upstream SMTP server generating Authentication-Results header fields
-msgauth-server=tatooine
-
-
-[lists.sr.ht::worker]
-protocol=lmtp
-sock=/tmp/lists.sr.ht-lmtp.sock
-sock-group=postfix
-
-# Content types to reject?
-reject-mimetypes=text/html
-
-# URL for rejection notice?
-reject-url=https://man.sr.ht/lists.sr.ht/etiquette.md
-
-
-[lists.sr.ht::api]
-max-complexity=200
-max-duration=90s
-internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
-
-
-[lists.sr.ht::redirects]
-
-
 [meta.sr.ht]
 origin=http://localhost:5000
 welcome-emails=no
diff --git a/sr/etc/sr.ht/lists.config.ini b/sr/etc/sr.ht/lists.config.ini
new file mode 100644
index 0000000..28d61ac
--- /dev/null
+++ b/sr/etc/sr.ht/lists.config.ini
@@ -0,0 +1,48 @@
+[lists.sr.ht]
+origin=http://localhost:5006
+# try: meta.localhost/oauth
+oauth-client-id=
+oauth-client-secret=
+api-origin=http://localhost:5106
+posting-domain=lists.tatooine
+allow-new-lists=no
+
+# debug host
+debug-host=0.0.0.0
+debug-port=5006
+
+# SQLAlchemy connection string
+#connection-string=postgresql://postgres@huttpg:5432/lists.sr.ht
+connection-string=postgresql://postgres@huttpg:5432/lists.sr.ht?sslmode=disable
+migrate-on-upgrade=yes
+
+# Webhooks connection string
+webhooks=redis://huttredis:6379/1
+
+# Celery connection string
+redis=redis://huttredis:6379/0
+
+# Trusted upstream SMTP server generating Authentication-Results header fields
+msgauth-server=tatooine
+
+
+[lists.sr.ht::worker]
+protocol=lmtp
+sock=/tmp/lists.sr.ht-lmtp.sock
+sock-group=postfix
+
+# Content types to reject?
+reject-mimetypes=text/html
+
+# URL for rejection notice?
+reject-url=https://man.sr.ht/lists.sr.ht/etiquette.md
+
+
+[lists.sr.ht::api]
+max-complexity=200
+max-duration=90s
+internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
+
+
+[lists.sr.ht::redirects]
+
diff --git a/sr/etc/supervisor/conf.d/supervisord.conf b/sr/etc/supervisor/conf.d/supervisord.conf
index a139a9c..fe9f916 100644
--- a/sr/etc/supervisor/conf.d/supervisord.conf
+++ b/sr/etc/supervisor/conf.d/supervisord.conf
@@ -25,11 +25,13 @@ redirect_stderr=true
 autorestart=true
 command=gunicorn metasrht.app:app -b 127.0.0.1:5000 -c /etc/sr.ht/meta.sr.ht.gunicorn.conf.py
 redirect_stderr=true
+user=meta
 
 [program:metasrht-api]
 autorestart=true
 command=metasrht-api
 redirect_stderr=true
+user=meta
 
 [program:nginx]
 autostart=true
-- 
2.45.2
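Review bot: Nothing in this patch consumes `sr/etc/sr.ht/lists.config.ini`: as far as the Dockerfile hunks show only `etc/sr.ht/config.ini` is copied into the image, and the README now states listssrht is not targeted, so this is parked configuration that will silently drift from `config.ini` (the `huttpg`/`huttredis` hosts, `sslmode=disable`) until someone reinstates it. A comment at the top, `# not installed by the Dockerfile; merge back into config.ini when lists.sr.ht is enabled`, makes that status explicit. When it is reinstated, note that `oauth-client-secret=` would then be a secret committed to git, and that `debug-host=0.0.0.0`, if it is the debug server's bind address, listens on every interface rather than loopback like the gunicorn `-b 127.0.0.1:5000` used for meta in supervisord.conf.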
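Review bot: `user=meta` on both metasrht programs requires a `meta` account to exist in the image and the files these processes read, `/etc/sr.ht/meta.sr.ht.gunicorn.conf.py`, `/etc/sr.ht/config.ini` and the `pgp-privkey=/etc/sr.ht/pgp.key` it points at, to be readable by that account; the Dockerfile hunk in this patch copies `config.ini` and `pgp.key` without `--chown`, so they are root-owned. Either they are world-readable, in which case the PGP private key and the `smtp-password` line in `config.ini` are readable by every uid in the container including `nginx`, or they are not and both programs now fail at startup; neither is intended, so add something like `RUN chown meta:meta /etc/sr.ht/config.ini /etc/sr.ht/pgp.key && chmod 600 /etc/sr.ht/pgp.key` to the Dockerfile and verify `id meta` succeeds in the image. Supervisor also only honours `user=` when supervisord itself runs as root, which is worth stating in a comment above the first `user=meta`. `[program:nginx]` and the remaining programs are outside this hunk and still run as root as far as the page shows.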