- commit
- 2453d48
- parent
- dd502cd
- author
- Antonio Mika
- date
- 2023-10-05 14:44:37 +0000 UTC
Work on adding bouncer and auth services to deployments
9 files changed,
+197,
-98
+11,
-4
1@@ -2,6 +2,7 @@ DATABASE_URL=postgresql://postgres:secret@postgres:5432/pico?sslmode=disable
2 POSTGRES_PASSWORD=secret
3 CF_API_TOKEN=secret
4
5+MINIO_CADDYFIL=./caddy/Caddyfile.minio
6 MINIO_DOMAIN=minio.dev.pico.sh
7 MINIO_EMAIL=hello@pico.sh
8 MINIO_URL=http://minio:9000
9@@ -12,6 +13,7 @@ MINIO_PROMETHEUS_AUTH_TYPE=public
10 MINIO_PROMETHEUS_URL=
11 MINIO_PROMETHEUS_JOB_ID=minio
12
13+LISTS_CADDYFILE=./caddy/Caddyfile
14 LISTS_V4=
15 LISTS_V6=
16 LISTS_HTTP_V4=$LISTS_V4:80
17@@ -32,6 +34,7 @@ LISTS_PROTOCOL=http
18 LISTS_ALLOW_REGISTER=1
19 LISTS_DEBUG=1
20
21+PASTES_CADDYFILE=./caddy/Caddyfile
22 PASTES_V4=
23 PASTES_V6=
24 PASTES_HTTP_V4=$PASTES_V4:80
25@@ -52,6 +55,7 @@ PASTES_PROTOCOL=http
26 PASTES_ALLOW_REGISTER=1
27 PASTES_DEBUG=1
28
29+PROSE_CADDYFILE=./caddy/Caddyfile
30 PROSE_V4=
31 PROSE_V6=
32 PROSE_HTTP_V4=$PROSE_V4:80
33@@ -72,6 +76,7 @@ PROSE_PROTOCOL=http
34 PROSE_ALLOW_REGISTER=1
35 PROSE_DEBUG=1
36
37+IMGS_CADDYFILE=./caddy/Caddyfile
38 IMGS_V4=
39 IMGS_V6=
40 IMGS_HTTP_V4=$IMGS_V4:80
41@@ -94,6 +99,7 @@ IMGS_STORAGE_DIR=.storage
42 IMGS_DEBUG=1
43
44 SENDGRID_API_KEY=
45+FEEDS_CADDYFILE=./caddy/Caddyfile
46 FEEDS_V4=
47 FEEDS_V6=
48 FEEDS_HTTP_V4=$FEEDS_V4:80
49@@ -114,6 +120,7 @@ FEEDS_PROTOCOL=http
50 FEEDS_ALLOW_REGISTER=1
51 FEEDS_DEBUG=1
52
53+PGS_CADDYFILE=./caddy/Caddyfile
54 PGS_V4=
55 PGS_V6=
56 PGS_HTTP_V4=$PGS_V4:80
57@@ -137,10 +144,10 @@ PGS_DEBUG=1
58
59 AUTH_V4=
60 AUTH_V6=
61-AUTH_HTTP_V4=$AUTH_V4:80
62-AUTH_HTTP_V6=[$AUTH_V6]:80
63-AUTH_HTTPS_V4=$AUTH_V4:443
64-AUTH_HTTPS_V6=[$AUTH_V6]:443
65+AUTH_IRCS_V4=$AUTH_V4:6697
66+AUTH_IRCS_V6=[$AUTH_V6]:6697
67+AUTH_NETWORK=
68+AUTH_REAL_CERT_MOUNT=
69 AUTH_DOMAIN=http://auth.dev.pico.sh:3006
70 AUTH_ISSUER=pico.sh
71 AUTH_WEB_PORT=3000
+15,
-12
1@@ -14,7 +14,7 @@ COPY go.* ./
2
3 RUN go mod download
4
5-FROM builder-deps as builder
6+FROM builder-deps as builder-web
7
8 COPY . .
9
10@@ -28,29 +28,32 @@ ENV CC=/app/scripts/gccwrap.sh
11
12 ENV GOOS=${TARGETOS} GOARCH=${TARGETARCH}
13
14-RUN go build -ldflags "$LDFLAGS" -tags "netgo osusergo" -o /go/bin/${APP}-ssh ./cmd/${APP}/ssh
15 RUN go build -ldflags "$LDFLAGS" -tags "netgo osusergo" -o /go/bin/${APP}-web ./cmd/${APP}/web
16
17-FROM scratch as release-ssh
18+FROM builder-web as builder-ssh
19+
20+RUN go build -ldflags "$LDFLAGS" -tags "netgo osusergo" -o /go/bin/${APP}-ssh ./cmd/${APP}/ssh
21+
22+FROM scratch as release-web
23
24 WORKDIR /app
25
26 ARG APP=lists
27
28-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
29-COPY --from=builder /go/bin/${APP}-ssh ./ssh
30+COPY --from=builder-web /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
31+COPY --from=builder-web /go/bin/${APP}-web ./web
32+COPY --from=builder-web /app/${APP}/html ./${APP}/html
33+COPY --from=builder-web /app/${APP}/public ./${APP}/public
34
35-ENTRYPOINT ["/app/ssh"]
36+ENTRYPOINT ["/app/web"]
37
38-FROM scratch as release-web
39+FROM scratch as release-ssh
40
41 WORKDIR /app
42
43 ARG APP=lists
44
45-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
46-COPY --from=builder /go/bin/${APP}-web ./web
47-COPY --from=builder /app/${APP}/html ./${APP}/html
48-COPY --from=builder /app/${APP}/public ./${APP}/public
49+COPY --from=builder-ssh /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
50+COPY --from=builder-ssh /go/bin/${APP}-ssh ./ssh
51
52-ENTRYPOINT ["/app/web"]
53+ENTRYPOINT ["/app/ssh"]
+0,
-41
1@@ -1,41 +0,0 @@
2-FROM --platform=$BUILDPLATFORM golang:1.21 as builder-deps
3-LABEL maintainer="Pico Maintainers <hello@pico.sh>"
4-
5-WORKDIR /app
6-
7-RUN dpkg --add-architecture arm64 && dpkg --add-architecture amd64
8-RUN apt-get update
9-RUN apt-get install -y git ca-certificates \
10- libwebp-dev:amd64 libwebp-dev:arm64 \
11- crossbuild-essential-amd64 crossbuild-essential-arm64 \
12- libc-dev:amd64 libc-dev:arm64
13-
14-COPY go.* ./
15-
16-RUN go mod download
17-
18-FROM builder-deps as builder
19-
20-COPY . .
21-
22-ARG TARGETOS
23-ARG TARGETARCH
24-
25-ENV CGO_ENABLED=1
26-ENV LDFLAGS="-s -w -linkmode external -extldflags '-static -lm -pthread'"
27-ENV CC=/app/scripts/gccwrap.sh
28-
29-ENV GOOS=${TARGETOS} GOARCH=${TARGETARCH}
30-
31-RUN go build -ldflags "$LDFLAGS" -tags "netgo osusergo" -o /go/bin/auth ./cmd/auth
32-
33-FROM scratch as release-web
34-
35-WORKDIR /app
36-
37-ARG APP=lists
38-
39-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
40-COPY --from=builder /go/bin/auth ./web
41-
42-ENTRYPOINT ["/app/web"]
+111,
-0
1@@ -0,0 +1,111 @@
2+{
3+ on_demand_tls {
4+ ask http://web:3000/check
5+ interval 1m
6+ burst 10
7+ }
8+}
9+
10+*.{$APP_DOMAIN}, {$APP_DOMAIN} {
11+ reverse_proxy web:3000
12+ tls {$APP_EMAIL} {
13+ dns cloudflare {$CF_API_TOKEN}
14+ resolvers 1.1.1.1
15+ }
16+ encode zstd gzip
17+
18+ header {
19+ # disable FLoC tracking
20+ Permissions-Policy interest-cohort=()
21+
22+ # enable HSTS
23+ Strict-Transport-Security max-age=31536000;
24+
25+ # disable clients from sniffing the media type
26+ X-Content-Type-Options nosniff
27+
28+ # clickjacking protection
29+ X-Frame-Options DENY
30+
31+ # keep referrer data off of HTTP connections
32+ Referrer-Policy no-referrer-when-downgrade
33+
34+ Content-Security-Policy "default-src 'self'; img-src * 'unsafe-inline'; style-src * 'unsafe-inline'"
35+
36+ X-XSS-Protection "1; mode=block"
37+ }
38+
39+ @caddymetrics {
40+ host {$APP_DOMAIN}
41+ path /_caddy/metrics
42+ }
43+
44+ metrics @caddymetrics {
45+ disable_openmetrics
46+ }
47+
48+ @appmetrics {
49+ host {$APP_DOMAIN}
50+ path /_app/metrics
51+ }
52+
53+ handle @appmetrics {
54+ rewrite * /metrics
55+ reverse_proxy ssh:9222
56+ }
57+}
58+
59+*.pico.sh, pico.sh {
60+ @auth {
61+ host auth.pico.sh
62+ }
63+
64+ @irc {
65+ host irc.pico.sh
66+ }
67+
68+ reverse_proxy @auth auth-web:3000
69+
70+ reverse_proxy @irc https://bouncer:8080 {
71+ transport http {
72+ tls_insecure_skip_verify
73+ }
74+ }
75+
76+ tls {$APP_EMAIL} {
77+ dns cloudflare {$CF_API_TOKEN}
78+ resolvers 1.1.1.1
79+ }
80+ encode zstd gzip
81+
82+ header {
83+ # disable FLoC tracking
84+ Permissions-Policy interest-cohort=()
85+
86+ # enable HSTS
87+ Strict-Transport-Security max-age=31536000;
88+
89+ # disable clients from sniffing the media type
90+ X-Content-Type-Options nosniff
91+
92+ # clickjacking protection
93+ X-Frame-Options DENY
94+
95+ # keep referrer data off of HTTP connections
96+ Referrer-Policy no-referrer-when-downgrade
97+
98+ Content-Security-Policy "default-src 'self'; img-src * 'unsafe-inline'; style-src * 'unsafe-inline'"
99+
100+ X-XSS-Protection "1; mode=block"
101+
102+ Access-Control-Allow-Origin "https://chat.pico.sh"
103+ }
104+}
105+
106+:443 {
107+ reverse_proxy web:3000
108+ tls {$APP_EMAIL} {
109+ on_demand
110+ }
111+ encode zstd gzip
112+}
+0,
-34
1@@ -1,34 +0,0 @@
2-version "3.8"
3-services:
4- auth-caddy:
5- image: ghcr.io/picosh/pico/caddy:latest
6- restart: always
7- env_file:
8- - .env.prod
9- volumes:
10- - ./caddy/Caddyfile:/etc/caddy/Caddyfile
11- - ./data/auth-caddy/data:/data
12- - ./data/auth-caddy/config:/config
13- ports:
14- - "${AUTH_HTTPS_V4:-443}:443"
15- - "${AUTH_HTTP_V4:-80}:80"
16- - "${AUTH_HTTPS_V6:-[::1]:443}:443"
17- - "${AUTH_HTTP_V6:-[::1]:80}:80"
18- auth:
19- image: ghcr.io/picosh/pico/auth:latest
20- restart: always
21- env_file:
22- - .env.prod
23- soju:
24- image: ghcr.io/picosh/pico/bouncer:latest
25- restart: always
26- env_file:
27- - .env.prod
28- volumes:
29- - soju_data:/app/db
30- - certs:/certs
31- ports:
32- - "6697:6697"
33-volumes:
34- soju_data:
35- certs:
+20,
-0
1@@ -137,3 +137,23 @@ services:
2 - ./data/feeds-ssh/data:/app/ssh_data
3 ports:
4 - "2224:2222"
5+ auth-web:
6+ build:
7+ args:
8+ APP: auth
9+ target: release-web
10+ env_file:
11+ - .env.example
12+ ports:
13+ - "3006:3000"
14+ bouncer:
15+ build:
16+ context: bouncer/
17+ env_file:
18+ - .env.example
19+ volumes:
20+ - ./data/bouncer:/app/db
21+ - ./data/certs:/certs
22+ ports:
23+ - "6697:6697"
24+ - "8080:8080"
+19,
-0
1@@ -0,0 +1,19 @@
2+version: "3.8"
3+services:
4+ auth-web:
5+ networks:
6+ - ${AUTH_NETWORK}
7+ env_file:
8+ - .env.prod
9+ bouncer:
10+ networks:
11+ - ${AUTH_NETWORK}
12+ env_file:
13+ - .env.prod
14+ ports:
15+ - "${AUTH_IRCS_V4:-6697}:6697"
16+ - "${AUTH_IRCS_V6:-[::1]:6697}:6697"
17+ volumes:
18+ - ./data/bouncer:/app/db
19+ - ./data/certs:/certs
20+ - ${AUTH_REAL_CERT_MOUNT}
+7,
-7
1@@ -17,7 +17,7 @@ services:
2 APP_DOMAIN: ${MINIO_DOMAIN:-minio.pico.sh}
3 APP_EMAIL: ${MINIO_EMAIL:-hello@pico.sh}
4 volumes:
5- - ./caddy/Caddyfile.minio:/etc/caddy/Caddyfile
6+ - ${MINIO_CADDYFILE}:/etc/caddy/Caddyfile
7 - ./data/minio-caddy/data:/data
8 - ./data/minio-caddy/config:/config
9 ports:
10@@ -45,7 +45,7 @@ services:
11 APP_DOMAIN: ${LISTS_DOMAIN:-lists.sh}
12 APP_EMAIL: ${LISTS_EMAIL:-hello@pico.sh}
13 volumes:
14- - ./caddy/Caddyfile:/etc/caddy/Caddyfile
15+ - ${LISTS_CADDYFILE}:/etc/caddy/Caddyfile
16 - ./data/lists-caddy/data:/data
17 - ./data/lists-caddy/config:/config
18 ports:
19@@ -87,7 +87,7 @@ services:
20 APP_DOMAIN: ${PASTES_DOMAIN:-pastes.sh}
21 APP_EMAIL: ${PASTES_EMAIL:-hello@pico.sh}
22 volumes:
23- - ./caddy/Caddyfile:/etc/caddy/Caddyfile
24+ - ${PASTES_CADDYFILE}:/etc/caddy/Caddyfile
25 - ./data/pastes-caddy/data:/data
26 - ./data/pastes-caddy/config:/config
27 ports:
28@@ -129,7 +129,7 @@ services:
29 APP_DOMAIN: ${PROSE_DOMAIN:-prose.sh}
30 APP_EMAIL: ${PROSE_EMAIL:-hello@pico.sh}
31 volumes:
32- - ./caddy/Caddyfile:/etc/caddy/Caddyfile
33+ - ${PROSE_CADDYFILE}:/etc/caddy/Caddyfile
34 - ./data/prose-caddy/data:/data
35 - ./data/prose-caddy/config:/config
36 ports:
37@@ -171,7 +171,7 @@ services:
38 APP_DOMAIN: ${IMGS_DOMAIN:-imgs.sh}
39 APP_EMAIL: ${IMGS_EMAIL:-hello@pico.sh}
40 volumes:
41- - ./caddy/Caddyfile:/etc/caddy/Caddyfile
42+ - ${IMGS_CADDYFILE}:/etc/caddy/Caddyfile
43 - ./data/imgs-caddy/data:/data
44 - ./data/imgs-caddy/config:/config
45 ports:
46@@ -216,7 +216,7 @@ services:
47 APP_DOMAIN: ${PGS_DOMAIN:-pgs.sh}
48 APP_EMAIL: ${PGS_EMAIL:-hello@pico.sh}
49 volumes:
50- - ./caddy/Caddyfile:/etc/caddy/Caddyfile
51+ - ${PGS_CADDYFILE}:/etc/caddy/Caddyfile
52 - ./data/pgs-caddy/data:/data
53 - ./data/pgs-caddy/config:/config
54 ports:
55@@ -261,7 +261,7 @@ services:
56 APP_DOMAIN: ${FEEDS_DOMAIN:-feeds.sh}
57 APP_EMAIL: ${FEEDS_EMAIL:-hello@pico.sh}
58 volumes:
59- - ./caddy/Caddyfile:/etc/caddy/Caddyfile
60+ - ${FEEDS_CADDYFILE}:/etc/caddy/Caddyfile
61 - ./data/feeds-caddy/data:/data
62 - ./data/feeds-caddy/config:/config
63 ports:
+14,
-0
1@@ -97,3 +97,17 @@ services:
2 - feeds
3 - services
4 - all
5+ auth-web:
6+ image: ghcr.io/picosh/pico/auth:latest
7+ restart: always
8+ profiles:
9+ - auth
10+ - services
11+ - all
12+ bouncer:
13+ image: ghcr.io/picosh/pico/bouncer:latest
14+ restart: always
15+ profiles:
16+ - bouncer
17+ - services
18+ - all