
pico services - prose.sh, pastes.sh, imgs.sh, feeds.sh, pgs.sh

commit
2453d48
parent
dd502cd
author
Antonio Mika
date
2023-10-05 14:44:37 +0000 UTC
Work on adding bouncer and auth services to deployments
9 files changed,  +197, -98
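--- a/.env.example
+++ b/.env.example
@@ -2,6 +2,7 @@ DATABASE_URL=postgresql://postgres:secret@postgres:5432/pico?sslmode=disable
 POSTGRES_PASSWORD=secret
 CF_API_TOKEN=secret
 
+MINIO_CADDYFIL=./caddy/Caddyfile.minio
 MINIO_DOMAIN=minio.dev.pico.sh
 MINIO_EMAIL=hello@pico.sh
 MINIO_URL=http://minio:9000
@@ -12,6 +13,7 @@ MINIO_PROMETHEUS_AUTH_TYPE=public
 MINIO_PROMETHEUS_URL=
 MINIO_PROMETHEUS_JOB_ID=minio
 
+LISTS_CADDYFILE=./caddy/Caddyfile
 LISTS_V4=
 LISTS_V6=
 LISTS_HTTP_V4=$LISTS_V4:80
@@ -32,6 +34,7 @@ LISTS_PROTOCOL=http
 LISTS_ALLOW_REGISTER=1
 LISTS_DEBUG=1
 
+PASTES_CADDYFILE=./caddy/Caddyfile
 PASTES_V4=
 PASTES_V6=
 PASTES_HTTP_V4=$PASTES_V4:80
@@ -52,6 +55,7 @@ PASTES_PROTOCOL=http
 PASTES_ALLOW_REGISTER=1
 PASTES_DEBUG=1
 
+PROSE_CADDYFILE=./caddy/Caddyfile
 PROSE_V4=
 PROSE_V6=
 PROSE_HTTP_V4=$PROSE_V4:80
@@ -72,6 +76,7 @@ PROSE_PROTOCOL=http
 PROSE_ALLOW_REGISTER=1
 PROSE_DEBUG=1
 
+IMGS_CADDYFILE=./caddy/Caddyfile
 IMGS_V4=
 IMGS_V6=
 IMGS_HTTP_V4=$IMGS_V4:80
@@ -94,6 +99,7 @@ IMGS_STORAGE_DIR=.storage
 IMGS_DEBUG=1
 
 SENDGRID_API_KEY=
+FEEDS_CADDYFILE=./caddy/Caddyfile
 FEEDS_V4=
 FEEDS_V6=
 FEEDS_HTTP_V4=$FEEDS_V4:80
@@ -114,6 +120,7 @@ FEEDS_PROTOCOL=http
 FEEDS_ALLOW_REGISTER=1
 FEEDS_DEBUG=1
 
+PGS_CADDYFILE=./caddy/Caddyfile
 PGS_V4=
 PGS_V6=
 PGS_HTTP_V4=$PGS_V4:80
@@ -137,10 +144,10 @@ PGS_DEBUG=1
 
 AUTH_V4=
 AUTH_V6=
-AUTH_HTTP_V4=$AUTH_V4:80
-AUTH_HTTP_V6=[$AUTH_V6]:80
-AUTH_HTTPS_V4=$AUTH_V4:443
-AUTH_HTTPS_V6=[$AUTH_V6]:443
+AUTH_IRCS_V4=$AUTH_V4:6697
+AUTH_IRCS_V6=[$AUTH_V6]:6697
+AUTH_NETWORK=
+AUTH_REAL_CERT_MOUNT=
 AUTH_DOMAIN=http://auth.dev.pico.sh:3006
 AUTH_ISSUER=pico.sh
 AUTH_WEB_PORT=3000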
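Review bot: `MINIO_CADDYFIL=./caddy/Caddyfile.minio` in the first hunk is misspelled: docker-compose.prod.yml in this same commit interpolates `${MINIO_CADDYFILE}`, so anyone who copies this example gets an empty variable and a `:/etc/caddy/Caddyfile` volume spec for the minio proxy. Rename it to `MINIO_CADDYFILE=./caddy/Caddyfile.minio`. In the last hunk `AUTH_NETWORK=` and `AUTH_REAL_CERT_MOUNT=` are left blank although docker-compose.prod-irc.yml expands them into a `networks:` entry and a `volumes:` entry, where an empty value is not a usable spec; a comment above them naming what is expected (an existing network name, and a `host_path:container_path` bind mount) would save the next deployer a failed `docker compose up`.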
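--- a/Dockerfile
+++ b/Dockerfile
@@ -14,7 +14,7 @@ COPY go.* ./
 
 RUN go mod download
 
-FROM builder-deps as builder
+FROM builder-deps as builder-web
 
 COPY . .
 
@@ -28,29 +28,32 @@ ENV CC=/app/scripts/gccwrap.sh
 
 ENV GOOS=${TARGETOS} GOARCH=${TARGETARCH}
 
-RUN go build -ldflags "$LDFLAGS" -tags "netgo osusergo" -o /go/bin/${APP}-ssh ./cmd/${APP}/ssh
 RUN go build -ldflags "$LDFLAGS" -tags "netgo osusergo" -o /go/bin/${APP}-web ./cmd/${APP}/web
 
-FROM scratch as release-ssh
+FROM builder-web as builder-ssh
+
+RUN go build -ldflags "$LDFLAGS" -tags "netgo osusergo" -o /go/bin/${APP}-ssh ./cmd/${APP}/ssh
+
+FROM scratch as release-web
 
 WORKDIR /app
 
 ARG APP=lists
 
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /go/bin/${APP}-ssh ./ssh
+COPY --from=builder-web /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder-web /go/bin/${APP}-web ./web
+COPY --from=builder-web /app/${APP}/html ./${APP}/html
+COPY --from=builder-web /app/${APP}/public ./${APP}/public
 
-ENTRYPOINT ["/app/ssh"]
+ENTRYPOINT ["/app/web"]
 
-FROM scratch as release-web
+FROM scratch as release-ssh
 
 WORKDIR /app
 
 ARG APP=lists
 
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /go/bin/${APP}-web ./web
-COPY --from=builder /app/${APP}/html ./${APP}/html
-COPY --from=builder /app/${APP}/public ./${APP}/public
+COPY --from=builder-ssh /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder-ssh /go/bin/${APP}-ssh ./ssh
 
-ENTRYPOINT ["/app/web"]
+ENTRYPOINT ["/app/ssh"]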
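Review bot: The new `builder-ssh` stage runs `go build ... -o /go/bin/${APP}-ssh ./cmd/${APP}/ssh` without declaring `APP`: a Dockerfile `ARG` goes out of scope at the end of the stage that declares it and is not inherited through `FROM builder-web`, so unless `APP` is exported with `ENV` somewhere above this hunk (the `builder-web` stage begins outside it) the command resolves to `./cmd//ssh`. Add `ARG APP=lists` directly after `FROM builder-web as builder-ssh`, mirroring what both release stages already do. Separately, the deleted `auth/Dockerfile` built `./cmd/auth` directly, while docker-compose.override.yml now builds `APP: auth` against `target: release-web`, which needs `./cmd/auth/web`, `auth/html` and `auth/public` to exist; the diffstat lists no Go sources, so confirm that layout is already in the tree. Neither scratch release stage sets `USER`, so `/app/web` and `/app/ssh` run as root — preexisting, but worth fixing while these stages are being reshuffled.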
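--- a/auth/Dockerfile
+++ /dev/null
@@ -1,41 +0,0 @@
-FROM --platform=$BUILDPLATFORM golang:1.21 as builder-deps
-LABEL maintainer="Pico Maintainers <hello@pico.sh>"
-
-WORKDIR /app
-
-RUN dpkg --add-architecture arm64 && dpkg --add-architecture amd64
-RUN apt-get update
-RUN apt-get install -y git ca-certificates \
-    libwebp-dev:amd64 libwebp-dev:arm64 \
-    crossbuild-essential-amd64 crossbuild-essential-arm64 \
-    libc-dev:amd64 libc-dev:arm64
-
-COPY go.* ./
-
-RUN go mod download
-
-FROM builder-deps as builder
-
-COPY . .
-
-ARG TARGETOS
-ARG TARGETARCH
-
-ENV CGO_ENABLED=1
-ENV LDFLAGS="-s -w -linkmode external -extldflags '-static -lm -pthread'"
-ENV CC=/app/scripts/gccwrap.sh
-
-ENV GOOS=${TARGETOS} GOARCH=${TARGETARCH}
-
-RUN go build -ldflags "$LDFLAGS" -tags "netgo osusergo" -o /go/bin/auth ./cmd/auth
-
-FROM scratch as release-web
-
-WORKDIR /app
-
-ARG APP=lists
-
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /go/bin/auth ./web
-
-ENTRYPOINT ["/app/web"]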
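--- /dev/null
+++ b/caddy/Caddyfile.auth
@@ -0,0 +1,111 @@
+{
+	on_demand_tls {
+		ask http://web:3000/check
+		interval 1m
+		burst 10
+	}
+}
+
+*.{$APP_DOMAIN}, {$APP_DOMAIN} {
+	reverse_proxy web:3000
+	tls {$APP_EMAIL} {
+		dns cloudflare {$CF_API_TOKEN}
+		resolvers 1.1.1.1
+	}
+	encode zstd gzip
+
+	header {
+		# disable FLoC tracking
+		Permissions-Policy interest-cohort=()
+
+		# enable HSTS
+		Strict-Transport-Security max-age=31536000;
+
+		# disable clients from sniffing the media type
+		X-Content-Type-Options nosniff
+
+		# clickjacking protection
+		X-Frame-Options DENY
+
+		# keep referrer data off of HTTP connections
+		Referrer-Policy no-referrer-when-downgrade
+
+		Content-Security-Policy "default-src 'self'; img-src * 'unsafe-inline'; style-src * 'unsafe-inline'"
+
+		X-XSS-Protection "1; mode=block"
+	}
+
+	@caddymetrics {
+		host {$APP_DOMAIN}
+		path /_caddy/metrics
+	}
+
+	metrics @caddymetrics {
+		disable_openmetrics
+	}
+
+	@appmetrics {
+		host {$APP_DOMAIN}
+		path /_app/metrics
+	}
+
+	handle @appmetrics {
+		rewrite * /metrics
+		reverse_proxy ssh:9222
+	}
+}
+
+*.pico.sh, pico.sh {
+       @auth {
+               host auth.pico.sh
+       }
+
+       @irc {
+               host irc.pico.sh
+       }
+
+       reverse_proxy @auth auth-web:3000
+
+       reverse_proxy @irc https://bouncer:8080 {
+               transport http {
+                       tls_insecure_skip_verify
+               }
+       }
+
+       tls {$APP_EMAIL} {
+               dns cloudflare {$CF_API_TOKEN}
+               resolvers 1.1.1.1
+       }
+       encode zstd gzip
+
+       header {
+               # disable FLoC tracking
+               Permissions-Policy interest-cohort=()
+
+               # enable HSTS
+               Strict-Transport-Security max-age=31536000;
+
+               # disable clients from sniffing the media type
+               X-Content-Type-Options nosniff
+
+               # clickjacking protection
+               X-Frame-Options DENY
+
+               # keep referrer data off of HTTP connections
+               Referrer-Policy no-referrer-when-downgrade
+
+               Content-Security-Policy "default-src 'self'; img-src * 'unsafe-inline'; style-src * 'unsafe-inline'"
+
+               X-XSS-Protection "1; mode=block"
+
+			   Access-Control-Allow-Origin "https://chat.pico.sh"
+       }
+}
+
+:443 {
+	reverse_proxy web:3000
+	tls {$APP_EMAIL} {
+		on_demand
+	}
+	encode zstd gzip
+}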
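Review bot: `reverse_proxy @irc https://bouncer:8080` sets `tls_insecure_skip_verify`, which turns off certificate verification on the hop that carries irc.pico.sh traffic to the bouncer; on the compose network any container that answers to the `bouncer` name is then accepted as the backend, so the TLS on that leg gives no authentication. The bouncer's certificate material already lives under `./data/certs` per the compose files, so it could be mounted into the proxy and trusted explicitly (`tls_trusted_ca_certs` and `tls_server_name` inside `transport http`), or the hop could stay plain HTTP on the internal network; at minimum add a comment above the `transport http` block recording why verification is skipped and what makes that acceptable. `Access-Control-Allow-Origin "https://chat.pico.sh"` is set for the whole `*.pico.sh, pico.sh` site and so is also emitted on the auth.pico.sh route; scope it with the `@irc` matcher if only the bouncer needs it. The second site block is indented with spaces and the `Access-Control-Allow-Origin` line with mixed tabs and spaces while the rest of the file uses tabs; `caddy fmt` would normalise it.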
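--- a/docker-compose.irc.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-version "3.8"
-services:
-  auth-caddy:
-    image: ghcr.io/picosh/pico/caddy:latest
-    restart: always
-    env_file:
-      - .env.prod
-    volumes:
-      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
-      - ./data/auth-caddy/data:/data
-      - ./data/auth-caddy/config:/config
-    ports:
-      - "${AUTH_HTTPS_V4:-443}:443"
-      - "${AUTH_HTTP_V4:-80}:80"
-      - "${AUTH_HTTPS_V6:-[::1]:443}:443"
-      - "${AUTH_HTTP_V6:-[::1]:80}:80"
-  auth:
-    image: ghcr.io/picosh/pico/auth:latest
-    restart: always
-    env_file:
-      - .env.prod
-  soju:
-    image: ghcr.io/picosh/pico/bouncer:latest
-    restart: always
-    env_file:
-      - .env.prod
-    volumes:
-      - soju_data:/app/db
-      - certs:/certs
-    ports:
-      - "6697:6697"
-volumes:
-  soju_data:
-  certs: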
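--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -137,3 +137,23 @@ services:
       - ./data/feeds-ssh/data:/app/ssh_data
     ports:
       - "2224:2222"
+  auth-web:
+    build:
+      args:
+        APP: auth
+      target: release-web
+    env_file:
+      - .env.example
+    ports:
+      - "3006:3000"
+  bouncer:
+    build:
+      context: bouncer/
+    env_file:
+      - .env.example
+    volumes:
+      - ./data/bouncer:/app/db
+      - ./data/certs:/certs
+    ports:
+      - "6697:6697"
+      - "8080:8080"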
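--- /dev/null
+++ b/docker-compose.prod-irc.yml
@@ -0,0 +1,19 @@
+version: "3.8"
+services:
+  auth-web:
+    networks:
+      - ${AUTH_NETWORK}
+    env_file:
+      - .env.prod
+  bouncer:
+    networks:
+      - ${AUTH_NETWORK}
+    env_file:
+      - .env.prod
+    ports:
+      - "${AUTH_IRCS_V4:-6697}:6697"
+      - "${AUTH_IRCS_V6:-[::1]:6697}:6697"
+    volumes:
+      - ./data/bouncer:/app/db
+      - ./data/certs:/certs
+      - ${AUTH_REAL_CERT_MOUNT}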
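Review bot: Both services list `- ${AUTH_NETWORK}` under `networks:` but this new file declares no top-level `networks:` key, so unless the base compose file declares that network, compose rejects the reference to an undefined network; if it is created outside compose it needs a top-level entry marked `external: true`. Because `.env.example` ships `AUTH_NETWORK=` and `AUTH_REAL_CERT_MOUNT=` empty, an unset value produces a null network item and a bare `- ` volume entry instead of a clear error; use the required-variable form, `- ${AUTH_NETWORK:?AUTH_NETWORK must name the shared network}` and `- ${AUTH_REAL_CERT_MOUNT:?AUTH_REAL_CERT_MOUNT must be host_path:container_path}`, so a missing value fails at parse time. The `./data/bouncer:/app/db` and `./data/certs:/certs` mounts duplicate the override file; keeping them in one place avoids the two drifting.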
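--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -17,7 +17,7 @@ services:
       APP_DOMAIN: ${MINIO_DOMAIN:-minio.pico.sh}
       APP_EMAIL: ${MINIO_EMAIL:-hello@pico.sh}
     volumes:
-      - ./caddy/Caddyfile.minio:/etc/caddy/Caddyfile
+      - ${MINIO_CADDYFILE}:/etc/caddy/Caddyfile
       - ./data/minio-caddy/data:/data
       - ./data/minio-caddy/config:/config
     ports:
@@ -45,7 +45,7 @@ services:
       APP_DOMAIN: ${LISTS_DOMAIN:-lists.sh}
       APP_EMAIL: ${LISTS_EMAIL:-hello@pico.sh}
     volumes:
-      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ${LISTS_CADDYFILE}:/etc/caddy/Caddyfile
       - ./data/lists-caddy/data:/data
       - ./data/lists-caddy/config:/config
     ports:
@@ -87,7 +87,7 @@ services:
       APP_DOMAIN: ${PASTES_DOMAIN:-pastes.sh}
       APP_EMAIL: ${PASTES_EMAIL:-hello@pico.sh}
     volumes:
-      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ${PASTES_CADDYFILE}:/etc/caddy/Caddyfile
       - ./data/pastes-caddy/data:/data
       - ./data/pastes-caddy/config:/config
     ports:
@@ -129,7 +129,7 @@ services:
       APP_DOMAIN: ${PROSE_DOMAIN:-prose.sh}
       APP_EMAIL: ${PROSE_EMAIL:-hello@pico.sh}
     volumes:
-      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ${PROSE_CADDYFILE}:/etc/caddy/Caddyfile
       - ./data/prose-caddy/data:/data
       - ./data/prose-caddy/config:/config
     ports:
@@ -171,7 +171,7 @@ services:
       APP_DOMAIN: ${IMGS_DOMAIN:-imgs.sh}
       APP_EMAIL: ${IMGS_EMAIL:-hello@pico.sh}
     volumes:
-      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ${IMGS_CADDYFILE}:/etc/caddy/Caddyfile
       - ./data/imgs-caddy/data:/data
       - ./data/imgs-caddy/config:/config
     ports:
@@ -216,7 +216,7 @@ services:
       APP_DOMAIN: ${PGS_DOMAIN:-pgs.sh}
       APP_EMAIL: ${PGS_EMAIL:-hello@pico.sh}
     volumes:
-      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ${PGS_CADDYFILE}:/etc/caddy/Caddyfile
       - ./data/pgs-caddy/data:/data
       - ./data/pgs-caddy/config:/config
     ports:
@@ -261,7 +261,7 @@ services:
       APP_DOMAIN: ${FEEDS_DOMAIN:-feeds.sh}
       APP_EMAIL: ${FEEDS_EMAIL:-hello@pico.sh}
     volumes:
-      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ${FEEDS_CADDYFILE}:/etc/caddy/Caddyfile
       - ./data/feeds-caddy/data:/data
       - ./data/feeds-caddy/config:/config
     ports: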
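Review bot: Every `${X_CADDYFILE}:/etc/caddy/Caddyfile` mount in these seven hunks replaces a hard-coded path with a variable that has no fallback, so a `.env.prod` that predates this commit expands to `:/etc/caddy/Caddyfile`, which compose does not accept as a bind mount, and the surrounding `APP_DOMAIN`/`APP_EMAIL` lines show the file otherwise supplies defaults. Keep the previous behaviour as the default, `- ${MINIO_CADDYFILE:-./caddy/Caddyfile.minio}:/etc/caddy/Caddyfile` in the first hunk and `- ${LISTS_CADDYFILE:-./caddy/Caddyfile}:/etc/caddy/Caddyfile` in the second (likewise for pastes, prose, imgs, pgs and feeds), or use the `${LISTS_CADDYFILE:?...}` form if a missing value should fail loudly rather than silently mount nothing.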
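--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -97,3 +97,17 @@ services:
       - feeds
       - services
       - all
+  auth-web:
+    image: ghcr.io/picosh/pico/auth:latest
+    restart: always
+    profiles:
+      - auth
+      - services
+      - all
+  bouncer:
+    image: ghcr.io/picosh/pico/bouncer:latest
+    restart: always
+    profiles:
+      - bouncer
+      - services
+      - all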
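Review bot: `auth-web` and `bouncer` reference `ghcr.io/picosh/pico/auth:latest` and `ghcr.io/picosh/pico/bouncer:latest`, so which build of the bouncer listens on the published 6697 port is decided at pull time rather than by this file; that matches the existing services, but for the two new network-facing images a version tag or digest would make a rollout reproducible and a rollback possible. A short comment on the `bouncer` service noting that its certificates and database are supplied by docker-compose.prod-irc.yml / docker-compose.override.yml would also help, since the base definition here gives no hint that the service needs `/certs` and `/app/db` mounted to work.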