author | Mike Crute <mike@crute.us> | 2022-12-05 22:39:45 -0800 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2022-12-05 22:39:45 -0800 |
commit | 384e3dce5ff75d7a92455f9bd1a5f4e07a20ae67 (patch) | |
tree | 8b8959febca00ce6a975d1432a7724d56adc803b | |
parent | 2140cdadde6cb657441b8469ea03cc968047ee30 (diff) | |
download | dockerfiles-384e3dce5ff75d7a92455f9bd1a5f4e07a20ae67.tar.bz2 dockerfiles-384e3dce5ff75d7a92455f9bd1a5f4e07a20ae67.tar.xz dockerfiles-384e3dce5ff75d7a92455f9bd1a5f4e07a20ae67.zip |
code-host: migrate to simplevisor
-rw-r--r-- | code-host/Dockerfile | 30 | ||||
-rw-r--r-- | code-host/Makefile | 12 | ||||
-rw-r--r-- | code-host/code.crute.me | 100 | ||||
-rw-r--r-- | code-host/code.ini (renamed from code-host/etc/uwsgi/code.ini) | 0 | ||||
-rwxr-xr-x | code-host/etc/service/nginx/log/run | 3 | ||||
-rwxr-xr-x | code-host/etc/service/nginx/run | 23 | ||||
-rwxr-xr-x | code-host/etc/service/ssh/log/run | 3 | ||||
-rwxr-xr-x | code-host/etc/service/uwsgi/log/run | 3 | ||||
-rwxr-xr-x | code-host/etc/service/uwsgi/run | 23 | ||||
-rw-r--r-- | code-host/nginx.conf | 386 | ||||
-rw-r--r-- | code-host/simplevisor.json | 34 | ||||
-rwxr-xr-x | code-host/ssh-setup.sh (renamed from code-host/etc/service/ssh/run) | 3 | ||||
-rw-r--r-- | code-host/sshd_config (renamed from code-host/etc/ssh/sshd_config) | 0 |
13 files changed, 439 insertions, 181 deletions
diff --git a/code-host/Dockerfile b/code-host/Dockerfile index d7392fe..b867c36 100644 --- a/code-host/Dockerfile +++ b/code-host/Dockerfile | |||
@@ -1,37 +1,33 @@ | |||
1 | FROM alpine:edge | 1 | FROM alpine:edge |
2 | LABEL maintainer="Mike Crute <mike@crute.us>" | 2 | LABEL maintainer="Mike Crute <mike@crute.us>" |
3 | 3 | ||
4 | # locale-gen en_US.UTF-8 && \ | ||
5 | |||
6 | RUN set -euxo pipefail; \ | 4 | RUN set -euxo pipefail; \ |
7 | apk --no-cache add \ | 5 | apk --no-cache add \ |
8 | bash \ | 6 | bash \ |
9 | cgit \ | 7 | cgit \ |
10 | dumb-init \ | ||
11 | gitolite \ | 8 | gitolite \ |
12 | nginx \ | 9 | nginx \ |
13 | openssh \ | 10 | openssh \ |
14 | perl-json \ | 11 | perl-json \ |
15 | py3-pygments \ | 12 | py3-pygments \ |
16 | py3-docutils \ | 13 | py3-docutils \ |
17 | runit \ | ||
18 | su-exec \ | ||
19 | uwsgi \ | 14 | uwsgi \ |
20 | uwsgi-cgi \ | 15 | uwsgi-cgi \ |
21 | uwsgi-router_static \ | 16 | uwsgi-router_static \ |
17 | libcap \ | ||
22 | ; \ | 18 | ; \ |
23 | rm -rf /etc/nginx; \ | 19 | mkdir -p /logs; \ |
24 | mkdir -p /srv/nginx-conf /logs; \ | 20 | rm /etc/nginx/nginx.conf; \ |
25 | ln -s /usr/bin/rst2html /usr/bin/rst2html.py; \ | 21 | ln -sf /usr/bin/rst2html /usr/bin/rst2html.py; \ |
26 | addgroup -g 1005 -S code; \ | 22 | addgroup -g 1005 -S code; \ |
27 | adduser -u 1005 -s /bin/sh -S -h /srv/code -H -D -G code code; | 23 | adduser -u 1005 -s /bin/sh -S -h /srv/code -H -D -G code code; \ |
28 | 24 | setcap cap_net_bind_service=+ep /usr/sbin/sshd; | |
29 | ADD etc/ /etc/ | ||
30 | ADD code.crute.me /srv/nginx-conf/ | ||
31 | ADD nginx_bootstrap / | ||
32 | 25 | ||
33 | ENV ACTIVE_PROFILE INTERNAL | 26 | ADD nginx.conf /etc/nginx/nginx.conf |
34 | ENV NGINX_PP_DISABLE_SSL_DEFAULT true | 27 | ADD /simplevisor /simplevisor |
28 | ADD /simplevisor.json /simplevisor.json | ||
29 | ADD /ssh-setup.sh /ssh-setup.sh | ||
30 | ADD /code.ini /etc/uwsgi/code.ini | ||
31 | ADD /sshd_config /etc/ssh/sshd_config | ||
35 | 32 | ||
36 | STOPSIGNAL SIGHUP | 33 | CMD [ "/simplevisor", "--no-vault" ] |
37 | CMD [ "/usr/bin/dumb-init", "/sbin/runsvdir", "/etc/service" ] | ||
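Review bot: The new `ADD /simplevisor /simplevisor` through `ADD /sshd_config /etc/ssh/sshd_config` lines (and `ADD nginx.conf /etc/nginx/nginx.conf`) copy plain build-context files, for which `COPY` is the conventional form; `ADD` additionally auto-extracts recognised archives and accepts remote URLs, so a context file with an archive-like name would be unpacked rather than copied. Nothing in this diff produces the `/simplevisor` binary — the Makefile's `all` target only pulls and builds — so presumably it is staged into the build context by a step outside this commit, and a comment above that line saying where it comes from would help, e.g. `# simplevisor binary is staged into the build context by <external step>`. Separately, `libcap` is installed only so `setcap` can run during the build; `apk add --virtual .build-deps libcap` with `apk del .build-deps` at the end of the same RUN would keep it out of the final image.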
diff --git a/code-host/Makefile b/code-host/Makefile index 652bf8a..070ca73 100644 --- a/code-host/Makefile +++ b/code-host/Makefile | |||
@@ -1,13 +1,11 @@ | |||
1 | IMAGE=docker.crute.me/code-host:latest | 1 | VERSION=1.2.3-r3 |
2 | VERSION_TAG=$(VERSION) | ||
3 | IMAGE=docker.crute.me/code-host:$(VERSION_TAG) | ||
4 | LATEST=$(subst :$(VERSION_TAG),,$(IMAGE)):latest | ||
2 | 5 | ||
3 | all: | 6 | all: |
4 | @echo "Must update for new nginx minder"; exit 1 | ||
5 | cp ../nginx-common/main.go . | ||
6 | CGO_ENABLED=0 go build -o nginx_bootstrap main.go | ||
7 | rm -rf ./etc/nginx/ && cp -r ../nginx-common/conf ./etc/nginx/ | ||
8 | docker pull alpine:edge | 7 | docker pull alpine:edge |
9 | docker build -t $(IMAGE) . | 8 | docker build -t $(IMAGE) . |
10 | rm -rf ./etc/nginx/ main.go nginx_bootstrap | ||
11 | 9 | ||
12 | all-no-cache: | 10 | all-no-cache: |
13 | docker build --no-cache -t $(IMAGE) . | 11 | docker build --no-cache -t $(IMAGE) . |
@@ -21,3 +19,5 @@ run: | |||
21 | 19 | ||
22 | publish: | 20 | publish: |
23 | docker push $(IMAGE) | 21 | docker push $(IMAGE) |
22 | docker tag $(IMAGE) $(LATEST) | ||
23 | docker push $(LATEST) | ||
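Review bot: `VERSION=1.2.3-r3` now names the image tag, but nothing in this diff forwards it to the build — `docker build -t $(IMAGE) .` passes no `--build-arg`, and the Dockerfile installs `cgit`, `gitolite`, `uwsgi` and the rest from `alpine:edge` without a version pin — so the tag advertises a version the build does not enforce and two builds of the same tag can contain different packages. If the intent is to pin a package, pass it through with `docker build --build-arg VERSION=$(VERSION) -t $(IMAGE) .` and consume it in the Dockerfile via an `ARG`; otherwise a comment stating what the value tracks would prevent the misreading, e.g. `# VERSION tracks the <package> release the image is built against; not enforced by the build`. The `run:` target sits outside the hunk.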
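--- a/code-host/code.crute.me
+++ /dev/null
@@ -1,100 +0,0 @@
-# vi:ft=nginx
-# preprocess: link_for INTERNAL
-
-# TODO: Consolidate these into one, they differ only by hostname and SSL cert
-# This is like this because I'm not sure if redirects will work at all with
-# git pulls and pretty much all repositories use code.crute.me not .us
-
-include includes/internal_ip_cgit_acl.conf;
-
-server {
-listen *:443 ssl http2;
-listen [::]:443 ssl http2;
-
-server_name code.crute.me;
-access_log /logs/code.crute.me.log combined_host;
-
-include includes/hardened_ssl.conf;
-include includes/hardened_headers.conf;
-
-ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
-ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
-
-add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
-
-client_max_body_size 4G;
-
-# This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
-# repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
-# point it's just quick and easy to put it here.
-location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
-if ($arg_go-get = "1") {
-add_header Content-Type text/plain;
-return 200 '<html><head>
-<meta name="go-import" content="$host/$user/$repo git https://$host/$user/$repo">
-<meta name="go-source" content="$host/$user/$repo
-https://$host/$user/$repo
-https://$host/$user/$repo/tree{/dir}
-https://$host/$user/$repo/tree{/dir}/{file}#n{line}">
-</head></html>';
-}
-
-include uwsgi_params;
-uwsgi_modifier1 9;
-uwsgi_param CGIT_CONFIG $cgit_config;
-uwsgi_pass uwsgi://127.0.0.1:9000;
-}
-
-location / {
-include uwsgi_params;
-uwsgi_modifier1 9;
-uwsgi_param CGIT_CONFIG $cgit_config;
-uwsgi_pass uwsgi://127.0.0.1:9000;
-}
-}
-
-server {
-listen *:443 ssl http2;
-listen [::]:443 ssl http2;
-
-server_name code.crute.us;
-access_log /logs/code.crute.me.log combined_host;
-
-include includes/hardened_ssl.conf;
-include includes/hardened_headers.conf;
-
-ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_us.pem;
-ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_us_key.pem;
-
-add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
-
-client_max_body_size 4G;
-
-# This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
-# repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
-# point it's just quick and easy to put it here.
-location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
-if ($arg_go-get = "1") {
-add_header Content-Type text/plain;
-return 200 '<html><head>
-<meta name="go-import" content="$host/$user/$repo git https://$host/$user/$repo">
-<meta name="go-source" content="$host/$user/$repo
-https://$host/$user/$repo
-https://$host/$user/$repo/tree{/dir}
-https://$host/$user/$repo/tree{/dir}/{file}#n{line}">
-</head></html>';
-}
-
-include uwsgi_params;
-uwsgi_modifier1 9;
-uwsgi_param CGIT_CONFIG $cgit_config;
-uwsgi_pass uwsgi://127.0.0.1:9000;
-}
-
-location / {
-include uwsgi_params;
-uwsgi_modifier1 9;
-uwsgi_param CGIT_CONFIG $cgit_config;
-uwsgi_pass uwsgi://127.0.0.1:9000;
-}
-}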
diff --git a/code-host/etc/uwsgi/code.ini b/code-host/code.ini index 686fef8..686fef8 100644 --- a/code-host/etc/uwsgi/code.ini +++ b/code-host/code.ini | |||
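--- a/code-host/etc/service/nginx/log/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-cat -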
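--- a/code-host/etc/service/nginx/run
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-# runsv sends us a TERM but uwsgi will only shutdown cleanly
-# if it receives an INT so we need to translate the signal
-# properly for uwsgi
-trap 'kill -INT $PID' TERM
-
-/nginx_bootstrap /usr/sbin/nginx -g "daemon off;" &
-
-PID=$!
-
-# wait for uwsgi, will get cancelled when runsv TERMs us and
-# the trap will get executed next, unless something goes wrong
-# and uwsgi fails then this wait will run
-wait $PID
-
-# if something went wrong then unregister the trap because it
-# won't have a target
-trap - TERM
-
-# waiting on a dead process will return the return code of the
-# processes original exit
-wait $PID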
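--- a/code-host/etc/service/ssh/log/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-cat -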
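--- a/code-host/etc/service/uwsgi/log/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-cat -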
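--- a/code-host/etc/service/uwsgi/run
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-# runsv sends us a TERM but uwsgi will only shutdown cleanly
-# if it receives an INT so we need to translate the signal
-# properly for uwsgi
-trap 'kill -INT $PID' TERM
-
-/usr/sbin/uwsgi --ini /etc/uwsgi/code.ini &
-
-PID=$!
-
-# wait for uwsgi, will get cancelled when runsv TERMs us and
-# the trap will get executed next, unless something goes wrong
-# and uwsgi fails then this wait will run
-wait $PID
-
-# if something went wrong then unregister the trap because it
-# won't have a target
-trap - TERM
-
-# waiting on a dead process will return the return code of the
-# processes original exit
-wait $PID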
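--- /dev/null
+++ b/code-host/nginx.conf
@@ -0,0 +1,386 @@
+daemon off;
+user nginx;
+worker_processes 1;
+
+error_log /dev/stdout warn;
+pid /var/run/nginx.pid;
+
+events {
+worker_connections 1024;
+}
+
+http {
+types {
+text/html html htm shtml;
+text/css css;
+text/xml xml;
+image/gif gif;
+image/jpeg jpeg jpg;
+application/javascript js;
+application/atom+xml atom;
+application/rss+xml rss;
+
+text/mathml mml;
+text/plain txt;
+text/vnd.sun.j2me.app-descriptor jad;
+text/vnd.wap.wml wml;
+text/x-component htc;
+
+image/png png;
+image/svg+xml svg svgz;
+image/tiff tif tiff;
+image/vnd.wap.wbmp wbmp;
+image/webp webp;
+image/x-icon ico;
+image/x-jng jng;
+image/x-ms-bmp bmp;
+
+font/woff woff;
+font/woff2 woff2;
+
+application/java-archive jar war ear;
+application/json json;
+application/mac-binhex40 hqx;
+application/msword doc;
+application/pdf pdf;
+application/postscript ps eps ai;
+application/rtf rtf;
+application/vnd.apple.mpegurl m3u8;
+application/vnd.google-earth.kml+xml kml;
+application/vnd.google-earth.kmz kmz;
+application/vnd.ms-excel xls;
+application/vnd.ms-fontobject eot;
+application/vnd.ms-powerpoint ppt;
+application/vnd.oasis.opendocument.graphics odg;
+application/vnd.oasis.opendocument.presentation odp;
+application/vnd.oasis.opendocument.spreadsheet ods;
+application/vnd.oasis.opendocument.text odt;
+application/vnd.openxmlformats-officedocument.presentationml.presentation
+pptx;
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+xlsx;
+application/vnd.openxmlformats-officedocument.wordprocessingml.document
+docx;
+application/vnd.wap.wmlc wmlc;
+application/x-7z-compressed 7z;
+application/x-cocoa cco;
+application/x-java-archive-diff jardiff;
+application/x-java-jnlp-file jnlp;
+application/x-makeself run;
+application/x-perl pl pm;
+application/x-pilot prc pdb;
+application/x-rar-compressed rar;
+application/x-redhat-package-manager rpm;
+application/x-sea sea;
+application/x-shockwave-flash swf;
+application/x-stuffit sit;
+application/x-tcl tcl tk;
+application/x-x509-ca-cert der pem crt;
+application/x-xpinstall xpi;
+application/xhtml+xml xhtml;
+application/xspf+xml xspf;
+application/zip zip;
+
+application/octet-stream bin exe dll;
+application/octet-stream deb;
+application/octet-stream dmg;
+application/octet-stream iso img;
+application/octet-stream msi msp msm;
+
+audio/midi mid midi kar;
+audio/mpeg mp3;
+audio/ogg ogg;
+audio/x-m4a m4a;
+audio/x-realaudio ra;
+
+video/3gpp 3gpp 3gp;
+video/mp2t ts;
+video/mp4 mp4;
+video/mpeg mpeg mpg;
+video/quicktime mov;
+video/webm webm;
+video/x-flv flv;
+video/x-m4v m4v;
+video/x-mng mng;
+video/x-ms-asf asx asf;
+video/x-ms-wmv wmv;
+video/x-msvideo avi;
+}
+
+default_type application/octet-stream;
+
+log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';
+
+access_log /logs/default_server.log combined_host;
+
+sendfile on;
+tcp_nopush on;
+server_tokens off;
+
+keepalive_timeout 128;
+
+# Try to avoid buffering requests to disk
+client_body_buffer_size 1024k;
+
+gzip on;
+gzip_proxied any;
+gzip_disable "msie6";
+gzip_types application/javascript application/rss+xml application/x-javascript application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+
+map $http_host $can_redirect {
+hostnames;
+
+default 0;
+crute.me 1;
+*.crute.me 1;
+crute.us 1;
+*.crute.us 1;
+}
+
+server {
+listen *:80 default_server;
+listen [::]:80 default_server;
+
+access_log /logs/default_http_vhost.log combined_host;
+
+location / {
+if ($can_redirect) {
+rewrite (.*) https://$http_host$1 permanent;
+}
+
+default_type text/plain;
+return 404 "not found";
+}
+}
+
+# TODO: Consolidate these into one, they differ only by hostname and SSL cert
+# This is like this because I'm not sure if redirects will work at all with
+# git pulls and pretty much all repositories use code.crute.me not .us
+
+geo $cgit_config {
+default "/srv/code/etc/cgit-public.cfg";
+
+# Global V4 Internal Network
+172.16.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# FKL1 V4 Internal network
+172.18.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# SEA4 V4 Internal network
+172.19.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# ORD1 V4 Internal network
+172.20.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# Mobile V4 Internal network
+172.21.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# PDX1 V6 Network
+2600:1f14:f39:e000::/56 "/srv/code/etc/cgit-private.cfg";
+# CMH1 V6 Network
+2600:1f16:33:500::/56 "/srv/code/etc/cgit-private.cfg";
+# SEA1 Internal V6 Network
+2602:0803:4070::/48 "/srv/code/etc/cgit-private.cfg";
+# SEA4 Internal V6 Network
+2602:0803:4072::/48 "/srv/code/etc/cgit-private.cfg";
+# SEA4 Remote Access VPN V6 Network
+2602:0803:4075::/48 "/srv/code/etc/cgit-private.cfg";
+# ORD1 Internal V6 Network
+2602:0803:4073::/48 "/srv/code/etc/cgit-private.cfg";
+# FKL1 Internal V6 Network
+2602:0803:4074::/48 "/srv/code/etc/cgit-private.cfg";
+# Mobile V6 Internal Network
+2602:0803:4076::/48 "/srv/code/etc/cgit-private.cfg";
+}
+
+server {
+listen *:443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name code.crute.me;
+access_log /logs/code.crute.me.log combined_host;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.4.4 8.8.8.8 valid=300s;
+resolver_timeout 5s;
+
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Xss-Protection "1; mode=block" always;
+add_header Referrer-Policy "same-origin" always;
+
+ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
+ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
+
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+client_max_body_size 4G;
+
+# This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+# repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+# point it's just quick and easy to put it here.
+location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+if ($arg_go-get = "1") {
+add_header Content-Type text/plain;
+return 200 '<html><head>
+<meta name="go-import" content="$host/$user/$repo git https://$host/$user/$repo">
+<meta name="go-source" content="$host/$user/$repo
+https://$host/$user/$repo
+https://$host/$user/$repo/tree{/dir}
+https://$host/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+}
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+uwsgi_param HTTP_HOST $host;
+uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+
+location / {
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+uwsgi_param HTTP_HOST $host;
+uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+}
+
+server {
+listen *:443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name code.crute.us;
+access_log /logs/code.crute.me.log combined_host;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.4.4 8.8.8.8 valid=300s;
+resolver_timeout 5s;
+
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Xss-Protection "1; mode=block" always;
+add_header Referrer-Policy "same-origin" always;
+
+ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_us.pem;
+ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_us_key.pem;
+
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+client_max_body_size 4G;
+
+# This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+# repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+# point it's just quick and easy to put it here.
+location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+if ($arg_go-get = "1") {
+add_header Content-Type text/plain;
+return 200 '<html><head>
+<meta name="go-import" content="$host/$user/$repo git https://$host/$user/$repo">
+<meta name="go-source" content="$host/$user/$repo
+https://$host/$user/$repo
+https://$host/$user/$repo/tree{/dir}
+https://$host/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+}
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+uwsgi_param HTTP_HOST $host;
+uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+
+location / {
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+uwsgi_param HTTP_HOST $host;
+uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+}
+}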
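Review bot: `add_header Content-Type text/plain;` inside the `if ($arg_go-get = "1")` blocks (new-side lines 230 and 325) discards every server-level `add_header` for that response, because nginx inherits `add_header` from the enclosing level only when the current level defines none — so the go-import page goes out without Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options or the Content-Security-Policy. It also does not change the type nginx emits for `return 200 '...'`, which comes from `default_type` (application/octet-stream here), so the client likely sees two Content-Type headers. Replacing it with `default_type text/plain;`, the form the port-80 `location /` in this same file already uses, fixes both and keeps the inherited headers. Note also that `$host`, `$user` and `$repo` are interpolated into that HTML unescaped; `$user`/`$repo` are bounded only by `[^/]`, and with no `default_server` on 443 the first block also answers unmatched Host values, so tightening the captures to a repository-name character class and using `$server_name` instead of `$host` would keep request-controlled data out of the markup. The `ssl_stapling_verify on;` lines have no `ssl_trusted_certificate`, which nginx documents as required for the OCSP response to be verified — worth confirming stapling actually works in the error log.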
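--- /dev/null
+++ b/code-host/simplevisor.json
@@ -0,0 +1,34 @@
+{
+"env": {
+"pass": [
+"PATH",
+"HOSTNAME",
+"SHLVL",
+"HOME",
+"PWD"
+]
+},
+"jobs": {
+"init": [
+{
+"cmd": ["/ssh-setup.sh"],
+"run-as": "root"
+}
+],
+"main": [
+{
+"cmd": ["/usr/sbin/nginx"],
+"run-as": "root"
+},
+{
+"cmd": ["/usr/sbin/sshd", "-D", "-e"],
+"run-as": "code"
+},
+{
+"cmd": ["/usr/sbin/uwsgi", "--ini", "/etc/uwsgi/code.ini"],
+"kill-signal": "INT",
+"run-as": "root"
+}
+]
+}
+}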
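Review bot: The uwsgi job (new-side lines 27-31) is declared with `"run-as": "root"`, so the cgit CGI process — which parses repository content and handles request data forwarded by nginx — runs as root unless `/etc/uwsgi/code.ini` drops privileges itself (that file is renamed unchanged in this commit and not shown). The repositories presumably belong to the `code` user the Dockerfile creates with `-h /srv/code`, in which case `"run-as": "code"` would be sufficient, matching what the commit already does for sshd; if uwsgi genuinely needs root for its socket or pidfile, a short note in the commit or next to the job saying so would save the next reader the question. nginx as root is expected here since nginx.conf sets `user nginx;` and the master drops the workers itself.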
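--- a/code-host/etc/service/ssh/run
+++ b/code-host/ssh-setup.sh
@@ -20,6 +20,3 @@ if [ ! -f "$ED25519_KEY_FILE" ]; then
 ssh-keygen -f "$ED25519_KEY_FILE" -N '' -t ed25519
 chown code:code "$ED25519_KEY_FILE"
 fi
-
-setcap cap_net_bind_service=+ep /usr/sbin/sshd
-/sbin/su-exec code /usr/sbin/sshd -D -e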
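Review bot: With the `su-exec` exec line removed, this script only generates host keys and becomes the simplevisor `init` job, so the `if [ ! -f "$ED25519_KEY_FILE" ]` guard prevents key churn only when the key directory is on persistent storage; on an ephemeral container filesystem every fresh container presents a new host key, every client's known_hosts check fails, and users are trained to accept host-key changes. `ED25519_KEY_FILE` is defined above the hunk, so whether it points into a volume cannot be seen here; if it does not already, a comment such as `# host keys must live on a persistent volume: regenerating them per container breaks client host-key pinning` would state the requirement where the next maintainer will see it. The script's beginning lies outside the hunk.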
diff --git a/code-host/etc/ssh/sshd_config b/code-host/sshd_config index 9078d2e..9078d2e 100644 --- a/code-host/etc/ssh/sshd_config +++ b/code-host/sshd_config | |||