authorSystem administrator2017-05-29 13:26:10 +0200
committerSystem administrator2017-05-29 13:26:10 +0200
commitbc5c44dd049bad3b007be48b3f8d90886d63c105 (patch)
treea381d989db2295f228f9bc95a774f0cc9aef4c40
downloadserver-bc5c44dd049bad3b007be48b3f8d90886d63c105.tar.gz
server-bc5c44dd049bad3b007be48b3f8d90886d63c105.tar.xz
server-bc5c44dd049bad3b007be48b3f8d90886d63c105.zip
Initial commit
-rwxr-xr-xbin/attach2
-rwxr-xr-xbin/dca13
-rwxr-xr-xbin/mount2
-rwxr-xr-xbin/ngreload3
-rw-r--r--images/git/Dockerfile35
-rwxr-xr-ximages/git/cgit/about-formatting.sh3
-rw-r--r--images/git/cgit/cgit.sass663
-rw-r--r--images/git/cgit/cgitrc46
-rwxr-xr-ximages/git/cgit/syntax-highlighting3.sh121
-rw-r--r--images/git/gitolite/admin.pub1
-rw-r--r--images/git/gitolite/generate_certs.sh7
-rw-r--r--images/git/gitolite/gitolite.rc204
-rw-r--r--images/git/gitolite/sshd_config55
-rw-r--r--images/git/nginx/nginx.conf51
-rw-r--r--images/git/service/daemon/run2
-rw-r--r--images/git/service/fcgiwrap/run2
-rw-r--r--images/git/service/nginx/run2
-rw-r--r--images/git/service/sshd/run4
-rw-r--r--images/matrix/.gitignore3
-rw-r--r--images/matrix/Dockerfile15
-rw-r--r--images/matrix/synapse/homeserver.yaml480
-rw-r--r--images/matrix/synapse/tx0.co.log.config37
-rw-r--r--images/paste/Dockerfile24
-rw-r--r--images/paste/pb/config.yaml7
-rw-r--r--images/paste/service/mongo/run3
-rw-r--r--images/paste/service/uwsgi/run4
-rw-r--r--images/paste/uwsgi/pb.ini7
-rw-r--r--images/router/.gitignore1
-rw-r--r--images/router/Dockerfile11
-rw-r--r--images/router/dhparams.pem13
-rw-r--r--images/router/letsencrypt/config95
-rw-r--r--images/router/letsencrypt/domains.txt1
-rw-r--r--images/router/nginx/fastcgi.conf26
-rw-r--r--images/router/nginx/http.off/matrix14
-rw-r--r--images/router/nginx/http.off/pad15
-rw-r--r--images/router/nginx/http.off/redirect10
-rw-r--r--images/router/nginx/http/git13
-rw-r--r--images/router/nginx/http/paste26
-rw-r--r--images/router/nginx/http/znc13
-rw-r--r--images/router/nginx/koi-utf109
-rw-r--r--images/router/nginx/koi-win103
-rw-r--r--images/router/nginx/mime.types89
-rw-r--r--images/router/nginx/modules/stream.conf1
-rw-r--r--images/router/nginx/nginx.conf67
-rw-r--r--images/router/nginx/snippets/fastcgi_params25
-rw-r--r--images/router/nginx/snippets/scgi_params17
-rw-r--r--images/router/nginx/snippets/ssl_ciphers4
-rw-r--r--images/router/nginx/snippets/ssl_http6
-rw-r--r--images/router/nginx/snippets/ssl_tcp4
-rw-r--r--images/router/nginx/snippets/uwsgi_params17
-rw-r--r--images/router/nginx/snippets/wellknown5
-rw-r--r--images/router/nginx/stream/znc8
-rw-r--r--images/router/nginx/win-utf126
-rw-r--r--images/router/service/letsencrypt/run19
-rw-r--r--images/router/service/nginx/run16
-rw-r--r--images/runit-edge/Dockerfile14
-rw-r--r--images/runit-edge/runit/run17
-rw-r--r--images/runit/Dockerfile14
-rw-r--r--images/runit/runit/run17
-rw-r--r--images/taskwarrior/Dockerfile5
-rw-r--r--images/znc/Dockerfile25
-rw-r--r--images/znc/privmsg.cpp40
-rw-r--r--images/znc/service/znc/run5
-rw-r--r--services.off/matrix.yml16
-rw-r--r--services/git.yml15
-rw-r--r--services/paste.yml12
-rw-r--r--services/router.yml21
-rw-r--r--services/runit-edge.yml6
-rw-r--r--services/runit.yml6
-rw-r--r--services/taskwarrior.yml10
-rw-r--r--services/znc.yml10
71 files changed, 2883 insertions, 0 deletions
diff --git a/bin/attach b/bin/attach
new file mode 100755
index 0000000..81a00ad
--- /dev/null
+++ b/bin/attach
@@ -0,0 +1,2 @@
+#!/bin/sh
+docker exec -it $1 /bin/sh
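Review bot: `$1` is expanded unquoted on the `docker exec` line, so a container name containing whitespace or glob characters is split or expanded by the shell, and with no argument docker is handed `/bin/sh` as the container name. Quote it and fail early when it is missing: `docker exec -it "${1:?usage: attach CONTAINER}" /bin/sh`.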
diff --git a/bin/dca b/bin/dca
new file mode 100755
index 0000000..2289ac1
--- /dev/null
+++ b/bin/dca
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+shopt -s nullglob
+
+echo Using ./services/*.yml
+COMPOSE_OPTIONS=""
+for file in ./services/*.yml; do
+ COMPOSE_OPTIONS="${COMPOSE_OPTIONS} -f $file"
+done
+
+export COMPOSE_PROJECT_NAME=server
+export IMAGES=$PWD/images
+
+docker-compose $COMPOSE_OPTIONS "$@"
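Review bot: `COMPOSE_OPTIONS` is built as a single string and expanded unquoted on the last line, so the script depends on word splitting and breaks on any service file name containing spaces or glob characters. The script is already bash, so an array is the direct fix: `COMPOSE_OPTIONS=()`, `COMPOSE_OPTIONS+=(-f "$file")` inside the loop, and `docker-compose "${COMPOSE_OPTIONS[@]}" "$@"`. Because `nullglob` is set, an empty `./services` produces no `-f` at all and docker-compose falls back to whatever compose file it finds in the current directory; an explicit check with an error message before the final call would make that case visible. `IMAGES=$PWD/images` and the relative glob both tie the result to the caller's working directory, which deserves a header comment.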
diff --git a/bin/mount b/bin/mount
new file mode 100755
index 0000000..8e77608
--- /dev/null
+++ b/bin/mount
@@ -0,0 +1,2 @@
+#!/bin/sh
+docker run -it --rm -v "$1:/mnt" alpine:3.5 /bin/ash -sc 'cd /mnt'
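Review bot: The `-v "$1:/mnt"` argument mounts whatever is passed read-write into a root shell, and Docker treats a value that is not an absolute path as a named volume, creating it if it does not exist, so a typo silently creates an empty volume. A header comment should say which use is intended, e.g. `# Open a shell with volume (or absolute host path) $1 mounted at /mnt`, and `"${1:?usage: mount VOLUME}:/mnt"` avoids handing docker an empty source. If the helper is only used for inspection, appending `:ro` to the mount would prevent accidental writes to service data.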
diff --git a/bin/ngreload b/bin/ngreload
new file mode 100755
index 0000000..f8943a1
--- /dev/null
+++ b/bin/ngreload
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+docker exec server_router_1 nginx -s reload
diff --git a/images/git/Dockerfile b/images/git/Dockerfile
new file mode 100644
index 0000000..bd8589e
--- /dev/null
+++ b/images/git/Dockerfile
@@ -0,0 +1,35 @@
+FROM alpine:3.5 AS builder
+
+RUN apk add --no-cache sassc
+
+ADD cgit/cgit.sass /app/
+RUN sassc -t compressed /app/cgit.sass /app/cgit.css
+
+FROM server_runit AS final
+
+RUN apk add --no-cache sudo shadow \
+ git gitolite git-daemon \
+ openssh openssh-client \
+ cgit highlight markdown \
+ nginx spawn-fcgi fcgiwrap
+
+# gitolite
+RUN mkdir -p /data /data/log
+RUN echo 'git:*' | chpasswd
+RUN usermod --home /data/git --move-home git
+
+ADD gitolite/ /app/
+RUN ln -s /app/gitolite.rc /data/git/.gitolite.rc
+RUN chown -R git:git /app/gitolite.rc /data/log /data/git
+RUN sudo -u git GL_LOGFILE=/data/log/gitolite gitolite setup -pk /app/admin.pub
+
+ADD gitolite/sshd_config /etc/ssh/
+ADD gitolite/generate_certs.sh /app/
+
+# cgit
+ADD cgit/cgitrc /etc/
+ADD cgit/syntax-highlighting3.sh /app/
+ADD cgit/about-formatting.sh /app/
+COPY --from=builder /app/cgit.css /usr/share/webapps/cgit/cgit.css
+
+ADD nginx/nginx.conf /etc/nginx/nginx.conf
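Review bot: `RUN echo 'git:*' | chpasswd` gives the `git` account the literal password `*`, because chpasswd treats its input as cleartext and hashes it unless told otherwise; presumably the intent was to put `*` into the hash field so the account is unlocked for key-based SSH but has no usable password. `RUN usermod -p '*' git` (the `shadow` package is installed by the preceding `apk add`) or `chpasswd -e` does that. `PasswordAuthentication no` in sshd_config keeps the password off the network, but `su` inside the container would still accept it. Separately, every `ADD` in this file copies plain local files and could be `COPY`, and `FROM server_runit` is an untagged, locally built image, so this Dockerfile only builds after the runit image has been built under that exact name.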
diff --git a/images/git/cgit/about-formatting.sh b/images/git/cgit/about-formatting.sh
new file mode 100755
index 0000000..2b55866
--- /dev/null
+++ b/images/git/cgit/about-formatting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec markdown
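Review bot: cgit inserts the about-filter output into the page as HTML, and this filter pipes the README straight through `markdown`, which, like most Markdown converters, is likely to pass embedded raw HTML through unchanged. Anyone who can push a README to a repository served here could therefore place arbitrary markup or script on the cgit origin. If all writers are trusted, record that in a comment such as `# README content is trusted: markdown output is not sanitised`; otherwise the filter should escape or strip raw HTML before handing the result back to cgit.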
diff --git a/images/git/cgit/cgit.sass b/images/git/cgit/cgit.sass
new file mode 100644
index 0000000..02337b5
--- /dev/null
+++ b/images/git/cgit/cgit.sass
@@ -0,0 +1,663 @@
+$base03: #002b36;
+$base02: #073642;
+$base01: #586e75;
+$base00: #657b83;
+$base0: #839496;
+$base1: #93a1a1;
+$base2: #eee8d5;
+$base3: #fdf6e3;
+$yellow: #b58900;
+$orange: #cb4b16;
+$red: #dc322f;
+$magenta: #d33682;
+$violet: #6c71c4;
+$blue: #268bd2;
+$cyan: #2aa198;
+$green: #859900;
+
+// highlighting
+
+//div
+// &.highlight
+// background-color: $base03
+// span
+// &.k
+// color: $green
+// &.nf
+// color: $blue
+// &.p
+// color: $base1
+// &.s
+// color: $red
+// background-color: $base03
+
+
+div
+ &.highlight
+ background-color: #002b36
+ color: #93a1a1
+ .c
+ color: #586e75
+ .err, .g
+ color: #93a1a1
+ .k
+ color: #859900
+ .l, .n
+ color: #93a1a1
+ .o
+ color: #859900
+ .x
+ color: #cb4b16
+ .p
+ color: #93a1a1
+ .cm
+ color: #586e75
+ .cp
+ color: #859900
+ .c1
+ color: #586e75
+ .cs
+ color: #859900
+ .gd
+ color: #2aa198
+ .ge
+ color: #93a1a1
+ font-style: italic
+ .gr
+ color: #dc322f
+ .gh
+ color: #cb4b16
+ .gi
+ color: #859900
+ .go, .gp
+ color: #93a1a1
+ .gs
+ color: #93a1a1
+ font-weight: bold
+ .gu
+ color: #cb4b16
+ .gt
+ color: #93a1a1
+ .kc
+ color: #cb4b16
+ .kd
+ color: #268bd2
+ .kn, .kp
+ color: #859900
+ .kr
+ color: #268bd2
+ .kt
+ color: #dc322f
+ .ld
+ color: #93a1a1
+ .m, .s
+ color: #2aa198
+ background-color: $base03
+ .na
+ color: #93a1a1
+ .nb
+ color: #B58900
+ .nc
+ color: #268bd2
+ .no
+ color: #cb4b16
+ .nd
+ color: #268bd2
+ .ni, .ne
+ color: #cb4b16
+ .nf
+ color: #268bd2
+ .nl, .nn, .nx, .py
+ color: #93a1a1
+ .nt, .nv
+ color: #268bd2
+ .ow
+ color: #859900
+ .w
+ color: #93a1a1
+ .mf, .mh, .mi, .mo
+ color: #2aa198
+ .sb
+ color: #586e75
+ .sc
+ color: #2aa198
+ .sd
+ color: #93a1a1
+ .s2
+ color: #2aa198
+ .se
+ color: #cb4b16
+ .sh
+ color: #93a1a1
+ .si, .sx
+ color: #2aa198
+ .sr
+ color: #dc322f
+ .s1, .ss
+ color: #2aa198
+ .bp, .vc, .vg, .vi
+ color: #268bd2
+ .il
+ color: #2aa198
+
+// end highlighting
+
+body
+ background-color: $base03
+
+div
+ &#cgit
+ padding: 0em
+ margin: 0em
+ font-family: sans-serif
+ font-size: 10pt
+ color: $base0
+ background: $base03
+ padding: 4px
+ a
+ color: lightblue
+ text-decoration: none
+ &:hover
+ text-decoration: underline
+ table
+ border-collapse: collapse
+ &#header
+ width: 100%
+ margin-bottom: 1em
+ td
+ &.logo
+ width: 96px
+ vertical-align: top
+ &.main
+ font-size: 250%
+ padding-left: 10px
+ white-space: nowrap
+ a
+ color: $base1
+ &.form
+ text-align: right
+ vertical-align: bottom
+ padding-right: 1em
+ padding-bottom: 2px
+ white-space: nowrap
+ form, input, select
+ font-size: 90%
+ &.sub
+ color: #777
+ border-top: solid 1px $base02
+ padding-left: 10px
+ &.tabs
+ border-bottom: solid 3px $base02
+ border-collapse: collapse
+ margin-top: 2em
+ margin-bottom: 0px
+ width: 100%
+ td
+ padding: 0px 1em
+ vertical-align: bottom
+ a
+ padding: 2px 0.75em
+ color: #d3d3d3
+ font-size: 110%
+ &.active
+ color: #d3d3d3
+ background-color: $base02
+ &.form
+ text-align: right
+ form
+ padding-bottom: 2px
+ font-size: 90%
+ white-space: nowrap
+ input, select
+ font-size: 90%
+ div
+ &.path
+ margin: 0px
+ padding: 5px 2em 2px 2em
+ color: $base1
+ background-color: $base03
+ &.content
+ margin: 0px
+ padding: 2em
+ border-bottom: solid 3px $base02
+ table.list
+ width: 100%
+ border: none
+ border-collapse: collapse
+ tr
+ background: $base03
+ &.logheader
+ background: $base03
+ &:hover, &.nohover:hover
+ background: $base02
+ th
+ font-weight: bold
+ /* color: #888;
+ *border-top: dashed 1px #888;
+ *border-bottom: dashed 1px #888;
+ padding: 0.1em 0.5em 0.05em 0.5em
+ vertical-align: baseline
+ td
+ border: none
+ padding: 0.1em 0.5em 0.1em 0.5em
+ &.commitgraph
+ font-family: monospace
+ white-space: pre
+ .column1
+ color: #a00
+ .column2
+ color: #0a0
+ .column3
+ color: #aa0
+ .column4
+ color: #00a
+ .column5
+ color: #a0a
+ .column6
+ color: #0aa
+ &.logsubject
+ font-family: monospace
+ font-weight: bold
+ &.logmsg
+ font-family: monospace
+ white-space: pre
+ padding: 0 0.5em
+ a
+ color: #d3d3d3
+ &.ls-dir
+ font-weight: bold
+ color: #00f
+ &:hover
+ color: lightblue
+ img
+ border: none
+ input#switch-btn
+ margin: 2px 0px 0px 0px
+ td#sidebar input.txt
+ width: 100%
+ margin: 2px 0px 0px 0px
+ table#grid
+ margin: 0px
+ td#content
+ vertical-align: top
+ padding: 1em 2em 1em 1em
+ border: none
+ div#summary
+ vertical-align: top
+ margin-bottom: 1em
+ table#downloads
+ float: right
+ border-collapse: collapse
+ border: solid 1px #777
+ margin-left: 0.5em
+ margin-bottom: 0.5em
+ th
+ background-color: #ccc
+ div
+ &#blob
+ border: solid 1px black
+ &.error
+ color: red
+ font-weight: bold
+ margin: 1em 2em
+ a
+ &.ls-blob, &.ls-dir, &.ls-mod
+ font-family: monospace
+ td
+ &.ls-size
+ text-align: right
+ font-family: monospace
+ width: 10em
+ &.ls-mode
+ font-family: monospace
+ width: 10em
+ table
+ &.blob
+ margin-top: 0.5em
+ td
+ &.lines
+ margin: 0
+ padding: 0 0 0 0.5em
+ vertical-align: top
+ color: $base1
+ &.linenumbers
+ margin: 0
+ padding: 0 0.5em 0 0.5em
+ vertical-align: top
+ text-align: right
+ border-right: 1px solid $base01
+ pre
+ padding: 0
+ margin: 0
+ td.linenumbers a
+ color: gray
+ text-align: right
+ text-decoration: none
+ &.ssdiff td.lineno a
+ color: gray
+ text-align: right
+ text-decoration: none
+ &.blob td.linenumbers a:hover, &.ssdiff td.lineno a:hover
+ color: black
+ &.bin-blob
+ margin-top: 0.5em
+ border: solid 1px black
+ th
+ font-family: monospace
+ white-space: pre
+ border: solid 1px #777
+ padding: 0.5em 1em
+ td
+ font-family: monospace
+ white-space: pre
+ border-left: solid 1px #777
+ padding: 0em 1em
+ &.nowrap td
+ white-space: nowrap
+ &.commit-info
+ border-collapse: collapse
+ margin-top: 1.5em
+ div.cgit-panel
+ float: right
+ margin-top: 1.5em
+ table
+ border-collapse: collapse
+ background-color: $base02
+ th
+ text-align: center
+ td
+ padding: 0.25em 0.5em
+ &.label
+ padding-right: 0.5em
+ &.ctrl
+ padding-left: 0.5em
+ table.commit-info
+ th
+ text-align: left
+ font-weight: normal
+ padding: 0.1em 1em 0.1em 0.1em
+ vertical-align: top
+ td
+ font-weight: normal
+ padding: 0.1em 1em 0.1em 0.1em
+ div
+ &.commit-subject
+ font-weight: bold
+ font-size: 125%
+ margin: 1.5em 0em 0.5em 0em
+ padding: 0em
+ &.commit-msg
+ white-space: pre
+ font-family: monospace
+ &.notes-header
+ font-weight: bold
+ padding-top: 1.5em
+ &.notes
+ white-space: pre
+ font-family: monospace
+ border: solid 1px #ee9
+ background-color: #ffd
+ padding: 0.3em 2em 0.3em 1em
+ float: left
+ &.notes-footer
+ clear: left
+ &.diffstat-header
+ font-weight: bold
+ padding-top: 1.5em
+ table.diffstat
+ border-collapse: collapse
+ background-color: $base02
+ th
+ font-weight: normal
+ text-align: left
+ text-decoration: underline
+ padding: 0.1em 1em 0.1em 0.1em
+ font-size: 100%
+ td
+ padding: 0.2em 0.2em 0.1em 0.1em
+ font-size: 100%
+ border: none
+ &.mode
+ white-space: nowrap
+ span.modechange
+ padding-left: 1em
+ color: $red
+ &.add a
+ color: $green
+ &.del a
+ color: $red
+ &.upd a
+ color: $blue
+ &.graph
+ width: 500px
+ vertical-align: middle
+ table
+ border: none
+ td
+ padding: 0px
+ border: 0px
+ height: 7pt
+ &.add
+ background-color: $green
+ &.rem
+ background-color: $red
+ div.diffstat-summary
+ color: $base0
+ padding-top: 0.5em
+ table.diff
+ width: 100%
+ td
+ font-family: monospace
+ white-space: pre
+ div
+ &.head
+ font-weight: bold
+ margin-top: 1em
+ color: $base0
+ &.hunk
+ color: $base0
+ &.add
+ color: $green
+ &.del
+ color: $red
+ .sha1
+ font-family: monospace
+ font-size: 90%
+ .left
+ text-align: left
+ .right
+ text-align: right
+ table.list td.reposection
+ font-style: italic
+ color: #888
+ a
+ &.button
+ font-size: 80%
+ padding: 0em 0.5em
+ &.primary
+ font-size: 100%
+ &.secondary
+ font-size: 90%
+ td.toplevel-repo
+ table.list td.sublevel-repo
+ padding-left: 1.5em
+ ul.pager
+ list-style-type: none
+ text-align: center
+ margin: 1em 0em 0em 0em
+ padding: 0
+ li
+ display: inline-block
+ margin: 0.25em 0.5em
+ a
+ color: #777
+ .current
+ font-weight: bold
+ span
+ &.age-mins
+ font-weight: bold
+ color: $green
+ &.age-hours
+ color: $green
+ &.age-days
+ color: $green
+ &.age-weeks
+ color: $base0
+ &.age-months
+ color: $base0
+ &.age-years
+ color: $base00
+ div.footer
+ margin-top: 0.5em
+ text-align: center
+ font-size: 80%
+ color: $base01
+ a
+ &.branch-deco
+ color: $green !important
+ margin: 0px 0.5em
+ padding: 0px 0.25em
+ background-color: $base02
+ // border: solid 1px #007700
+ &.tag-deco
+ // color: #000 !important
+ margin: 0px 0.5em
+ padding: 0px 0.25em
+ background-color: $base02
+ // border: solid 1px #777700
+ &.remote-deco
+ color: #000 !important
+ margin: 0px 0.5em
+ padding: 0px 0.25em
+ background-color: #ccccff
+ border: solid 1px #000077
+ &.deco
+ color: $red !important
+ margin: 0px 0.5em
+ padding: 0px 0.25em
+ background-color: $base02
+ // border: solid 1px #770000
+ div.commit-subject a
+ &.branch-deco, &.tag-deco, &.remote-deco, &.deco
+ margin-left: 1em
+ font-size: 75%
+ table
+ &.stats
+ border: solid 1px black
+ border-collapse: collapse
+ th
+ text-align: left
+ padding: 1px 0.5em
+ background-color: #eee
+ border: solid 1px black
+ td
+ text-align: right
+ padding: 1px 0.5em
+ border: solid 1px black
+ &.total
+ font-weight: bold
+ text-align: left
+ &.sum
+ color: #c00
+ font-weight: bold
+ /* background-color: #eee;
+ &.left
+ text-align: left
+ &.vgraph
+ border-collapse: separate
+ border: solid 1px black
+ height: 200px
+ th
+ background-color: #eee
+ font-weight: bold
+ border: solid 1px white
+ padding: 1px 0.5em
+ td
+ vertical-align: bottom
+ padding: 0px 10px
+ div.bar
+ background-color: #eee
+ &.hgraph
+ border: solid 1px black
+ width: 800px
+ th
+ background-color: #eee
+ font-weight: bold
+ border: solid 1px black
+ padding: 1px 0.5em
+ td
+ vertical-align: middle
+ padding: 2px 2px
+ div.bar
+ background-color: #eee
+ height: 1em
+ &.ssdiff
+ width: 100%
+ td
+ font-size: 75%
+ font-family: monospace
+ white-space: pre
+ padding: 1px 4px 1px 4px
+ border-left: solid 1px #aaa
+ border-right: solid 1px #aaa
+ &.add
+ color: black
+ background: #cfc
+ min-width: 50%
+ &.add_dark
+ color: black
+ background: #aca
+ min-width: 50%
+ span.add
+ background: #cfc
+ font-weight: bold
+ td
+ &.del
+ color: black
+ background: #fcc
+ min-width: 50%
+ &.del_dark
+ color: black
+ background: #caa
+ min-width: 50%
+ span.del
+ background: #fcc
+ font-weight: bold
+ td
+ &.changed
+ color: black
+ background: #ffc
+ min-width: 50%
+ &.changed_dark
+ color: black
+ background: #cca
+ min-width: 50%
+ &.lineno
+ color: black
+ background: #eee
+ text-align: right
+ width: 3em
+ min-width: 3em
+ &.hunk
+ color: black
+ background: #ccf
+ border-top: solid 1px #aaa
+ border-bottom: solid 1px #aaa
+ &.head
+ border-top: solid 1px #aaa
+ border-bottom: solid 1px #aaa
+ div.head
+ font-weight: bold
+ color: black
+ &.foot
+ border-top: solid 1px #aaa
+ border-left: none
+ border-right: none
+ border-bottom: none
+ &.space
+ border: none
+ div
+ min-height: 3em
+ &.linenodiv
+ background-color: inherit !important
+ color: lightgray
diff --git a/images/git/cgit/cgitrc b/images/git/cgit/cgitrc
new file mode 100644
index 0000000..0afc48d
--- /dev/null
+++ b/images/git/cgit/cgitrc
@@ -0,0 +1,46 @@
+css=/cgit.css
+logo=/cgit.png
+
+root-title=tx0.co
+clone-prefix=git://tx0.co https://g.tx0.co/git git@tx0.co:
+snapshots=tar.gz tar.xz tar.bz2 zip
+readme=master:README.md
+about-filter=/app/about-formatting.sh
+#/usr/lib/cgit/filters/about-formatting.sh
+source-filter=/app/syntax-highlighting3.sh
+enable-http-clone=0
+strict-export=git-daemon-export-ok
+
+noplainemail=1
+
+enable-index-owner=0
+enable-index-links=0
+enable-commit-graph=1
+enable-log-filecount=1
+enable-log-linecount=1
+
+# if you do not want that webcrawler (like google) index your site
+robots=noindex, nofollow
+
+# if cgit messes up links, use a virtual-root. For example has cgit.example.org/ this value:
+virtual-root=/
+root-desc=Foo.
+
+enable-git-config=1
+section-from-path=1
+remove-suffix=1
+
+project-list=/data/git/projects.list
+scan-path=/data/git/repositories
+
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpg
+mimetype.jpeg=image/jpg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+
+readme=:README.md
+readme=:README.txt
+readme=:README
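Review bot: `mimetype.html=text/html` and `mimetype.svg=image/svg+xml` make cgit's plain view serve repository files as active content, so any HTML or SVG a writer pushes is rendered, scripts included, in the same origin as the cgit UI. Dropping those two mappings (cgit should then fall back to a non-rendering default type, which is worth confirming) or serving plain blobs from a separate hostname removes that. The three `readme=` lines at the end come after `scan-path`; as far as I know cgit applies defaults to scanned repositories at the point `scan-path` is read, so these fallbacks probably never take effect and belong above it, next to `readme=master:README.md`. `mimetype.jpg` and `mimetype.jpeg` should be `image/jpeg`.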
diff --git a/images/git/cgit/syntax-highlighting3.sh b/images/git/cgit/syntax-highlighting3.sh
new file mode 100755
index 0000000..c22337b
--- /dev/null
+++ b/images/git/cgit/syntax-highlighting3.sh
@@ -0,0 +1,121 @@
+#!/bin/sh
+# This script can be used to implement syntax highlighting in the cgit
+# tree-view by refering to this file with the source-filter or repo.source-
+# filter options in cgitrc.
+#
+# This script requires a shell supporting the ${var##pattern} syntax.
+# It is supported by at least dash and bash, however busybox environments
+# might have to use an external call to sed instead.
+#
+# Note: the highlight command (http://www.andre-simon.de/) uses css for syntax
+# highlighting, so you'll probably want something like the following included
+# in your css file:
+#
+# Style definition file generated by highlight 2.4.8, http://www.andre-simon.de/
+#
+# table.blob .num { color:#2928ff; }
+# table.blob .esc { color:#ff00ff; }
+# table.blob .str { color:#ff0000; }
+# table.blob .dstr { color:#818100; }
+# table.blob .slc { color:#838183; font-style:italic; }
+# table.blob .com { color:#838183; font-style:italic; }
+# table.blob .dir { color:#008200; }
+# table.blob .sym { color:#000000; }
+# table.blob .kwa { color:#000000; font-weight:bold; }
+# table.blob .kwb { color:#830000; }
+# table.blob .kwc { color:#000000; font-weight:bold; }
+# table.blob .kwd { color:#010181; }
+#
+#
+# Style definition file generated by highlight 2.6.14, http://www.andre-simon.de/
+#
+# body.hl { background-color:#ffffff; }
+# pre.hl { color:#000000; background-color:#ffffff; font-size:10pt; font-family:'Courier New';}
+# .hl.num { color:#2928ff; }
+# .hl.esc { color:#ff00ff; }
+# .hl.str { color:#ff0000; }
+# .hl.dstr { color:#818100; }
+# .hl.slc { color:#838183; font-style:italic; }
+# .hl.com { color:#838183; font-style:italic; }
+# .hl.dir { color:#008200; }
+# .hl.sym { color:#000000; }
+# .hl.line { color:#555555; }
+# .hl.mark { background-color:#ffffbb;}
+# .hl.kwa { color:#000000; font-weight:bold; }
+# .hl.kwb { color:#830000; }
+# .hl.kwc { color:#000000; font-weight:bold; }
+# .hl.kwd { color:#010181; }
+#
+#
+# Style definition file generated by highlight 3.8, http://www.andre-simon.de/
+#
+# body.hl { background-color:#e0eaee; }
+# pre.hl { color:#000000; background-color:#e0eaee; font-size:10pt; font-family:'Courier New';}
+# .hl.num { color:#b07e00; }
+# .hl.esc { color:#ff00ff; }
+# .hl.str { color:#bf0303; }
+# .hl.pps { color:#818100; }
+# .hl.slc { color:#838183; font-style:italic; }
+# .hl.com { color:#838183; font-style:italic; }
+# .hl.ppc { color:#008200; }
+# .hl.opt { color:#000000; }
+# .hl.lin { color:#555555; }
+# .hl.kwa { color:#000000; font-weight:bold; }
+# .hl.kwb { color:#0057ae; }
+# .hl.kwc { color:#000000; font-weight:bold; }
+# .hl.kwd { color:#010181; }
+#
+#
+# Style definition file generated by highlight 3.13, http://www.andre-simon.de/
+#
+# body.hl { background-color:#e0eaee; }
+# pre.hl { color:#000000; background-color:#e0eaee; font-size:10pt; font-family:'Courier New',monospace;}
+# .hl.num { color:#b07e00; }
+# .hl.esc { color:#ff00ff; }
+# .hl.str { color:#bf0303; }
+# .hl.pps { color:#818100; }
+# .hl.slc { color:#838183; font-style:italic; }
+# .hl.com { color:#838183; font-style:italic; }
+# .hl.ppc { color:#008200; }
+# .hl.opt { color:#000000; }
+# .hl.ipl { color:#0057ae; }
+# .hl.lin { color:#555555; }
+# .hl.kwa { color:#000000; font-weight:bold; }
+# .hl.kwb { color:#0057ae; }
+# .hl.kwc { color:#000000; font-weight:bold; }
+# .hl.kwd { color:#010181; }
+#
+#
+# The following environment variables can be used to retrieve the configuration
+# of the repository for which this script is called:
+# CGIT_REPO_URL ( = repo.url setting )
+# CGIT_REPO_NAME ( = repo.name setting )
+# CGIT_REPO_PATH ( = repo.path setting )
+# CGIT_REPO_OWNER ( = repo.owner setting )
+# CGIT_REPO_DEFBRANCH ( = repo.defbranch setting )
+# CGIT_REPO_SECTION ( = section setting )
+# CGIT_REPO_CLONE_URL ( = repo.clone-url setting )
+#
+
+# store filename and extension in local vars
+BASENAME="$1"
+EXTENSION="${BASENAME##*.}"
+
+[ "${BASENAME}" = "${EXTENSION}" ] && EXTENSION=txt
+[ -z "${EXTENSION}" ] && EXTENSION=txt
+
+# map Makefile and Makefile.* to .mk
+[ "${BASENAME%%.*}" = "Makefile" ] && EXTENSION=mk
+
+# highlight versions 2 and 3 have different commandline options. Specifically,
+# the -X option that is used for version 2 is replaced by the -O xhtml option
+# for version 3.
+#
+# Version 2 can be found (for example) on EPEL 5, while version 3 can be
+# found (for example) on EPEL 6.
+#
+# This is for version 2
+#exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
+
+# This is for version 3
+exec highlight --force --inline-css --style=solarized-dark -f -I -O xhtml -S "$EXTENSION" 2>/dev/null
diff --git a/images/git/gitolite/admin.pub b/images/git/gitolite/admin.pub
new file mode 100644
index 0000000..cd1e155
--- /dev/null
+++ b/images/git/gitolite/admin.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDuNResYJNUNlReRIxPMMnI3hAaW5dNs3E2qoeqHsU/nwnL+czVKOkHnG8gQaKSN7q0wVP3o3ozSsGHdYBJ0YrAYMccOPGkPJ6Aua/7LBkxTc1bVbGrPAEVDYfvNKTU0KjbOfUt6bAbtx1KzbzttBHRR14AxHSUH3ELja6a1foATQWyArLmykmo8aFp75n9+b8XVkmtVtSB0VFibMGwLekNgTD1zOZfzqjxD2EQop279Y8s9kfadpxznONLBNgNUZEzkk++MTh2a6OXW4WA2+dH8WaG2hwjghYbqSDlYe9yjyxhRS0ZtUuVlxlMlTsn0MIt/fYlYNSJts4I11ehBQFkzWUv/i/BgKFKX2M1A5fZTI9emlKJ/Iz3EyXNg1VNc/8iCVaWMpKUbT8Hao8qvwihoZegyVZRmCbUDyxVpjy2Qyl3/dl8mjsYbzYK6CyLo198rCeSrYlF7c81KikPmNuibzSL0UHvA94HK7hVWfu+iZKPZOYVdIle25+hZcL+s7GROy5iGWA9qwgaqXShbqhyyg/lXCY8MdyDBdomWrdk9SvQ0hbNLwSrNlcHAoO3H8/HRcoW4/faiFsm8SFF4RnsIYfVNKCUYlf4kspbHUxUWuEMtOxpo/uu3Zs7hI+TQL9FKwrLRgnu72sx0Y1o4PIGHUldSgzoYAxL+EaF3qgYhoOyiVFa5IRioaG9FRFJ1hboq+0XxQXYzJ8z9CrRa/Gxrp/Etqdevm8IjuOWelDAR4UPgeQsvjHvZVxLOGay8wBtA0/My9meouPDn7jzPjfFUcmdB99PM/PfrqJBC+WdldEfURrAeax6b2LidFl3bN4BLGwK0BlPybjgj7jm1THMnnM4F7BmhzA8MN1tmcEIiZSbW3lRjMxTikGkhvq1NbMp/k6ZmMkwJcwORSJRVdji3wYOuQxl2/u+Ey2NtBXyA5TomPvkWR/h9us+2/8WOxVlpjs6PtYEguehLbuqPWANM1FG9ngAMc1yGMp9YXPKQn+xVvOssOK6VoAu57q9zHJ5GQe8Pm6+2Qpq7hWRDkxIfnDGAeLDIlHa4JunX+okSCH14fx2PpwRfQ1UUhp5wnDtcAfkWGmq82HQknAigNWih5LqPthfjMuhUUcgYsciWYFKZbum4/yecfXUUx9SlcAwVrEZ+kwvNw1UsjrRtITsCBaBlSDpioyXYmJ6ldxUOKZiqAvAKeB0zRF3xpALWZuADh22BzWaNeLL8Gw5uR9TV7PGQ9wpd07SRsdabqLtYqg2P0/t+zPlKHNkL80vZjmuYJeHZ6Zmv3K4PsKEsHG3nXcA8PUI09IfvBbUnzlUb46V5K2O6E3iiSeQBRv7jWEkwGZy9/lBMUM7Qxw3a9Hv till@hoeppner.ws
diff --git a/images/git/gitolite/generate_certs.sh b/images/git/gitolite/generate_certs.sh
new file mode 100644
index 0000000..3b75a9d
--- /dev/null
+++ b/images/git/gitolite/generate_certs.sh
@@ -0,0 +1,7 @@
+if [ ! -e /data/ssh/host_rsa_key ]; then
+ echo "Generating host keys"
+ ssh-keygen -t rsa -f /data/ssh/host_rsa_key
+ ssh-keygen -t dsa -f /data/ssh/host_dsa_key
+ ssh-keygen -t ecdsa -f /data/ssh/host_ecdsa_key
+ ssh-keygen -t ed25519 -f /data/ssh/host_ed25519_key
+fi
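Review bot: None of the `ssh-keygen` calls pass `-N ''`, so each one prompts for a passphrase; when this is run from a service script without a terminal (sshd/run is not visible here) key generation will presumably block or fail and sshd will come up without host keys. Add `-q -N ''` to each call, e.g. `ssh-keygen -q -N '' -t ed25519 -f /data/ssh/host_ed25519_key`, and create the directory first with `mkdir -p /data/ssh && chmod 700 /data/ssh`, since the Dockerfile only creates `/data` and `/data/log`. The DSA key is fixed at 1024 bits and current OpenSSH releases disable ssh-dss by default, so that line and its `HostKey` entry in sshd_config can be dropped. The guard tests only the RSA key, so a partially generated set is never repaired; checking each key file before generating it would be more robust.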
diff --git a/images/git/gitolite/gitolite.rc b/images/git/gitolite/gitolite.rc
new file mode 100644
index 0000000..2ab1369
--- /dev/null
+++ b/images/git/gitolite/gitolite.rc
@@ -0,0 +1,204 @@
+# configuration variables for gitolite
+
+# This file is in perl syntax. But you do NOT need to know perl to edit it --
+# just mind the commas, use single quotes unless you know what you're doing,
+# and make sure the brackets and braces stay matched up!
+
+# (Tip: perl allows a comma after the last item in a list also!)
+
+# HELP for commands can be had by running the command with "-h".
+
+# HELP for all the other FEATURES can be found in the documentation (look for
+# "list of non-core programs shipped with gitolite" in the master index) or
+# directly in the corresponding source file.
+
+%RC = (
+ #GL_REPO_BASE => '/data/projects/',
+ #GL_ADMIN_BASE => '/data/',
+
+ # ------------------------------------------------------------------
+
+ # default umask gives you perms of '0700'; see the rc file docs for
+ # how/why you might change this
+ UMASK => 0002,
+
+ # look for "git-config" in the documentation
+ GIT_CONFIG_KEYS => 'hooks\.readme url.*insteadOf',
+
+ WRITER_CAN_UPDATE_DESC => 1,
+
+ # comment out if you don't need all the extra detail in the logfile
+ LOG_EXTRA => 1,
+ # logging options
+ # 1. leave this section as is for 'normal' gitolite logging (default)
+ # 2. uncomment this line to log ONLY to syslog:
+ # LOG_DEST => 'syslog',
+ # 3. uncomment this line to log to syslog and the normal gitolite log:
+ # LOG_DEST => 'syslog,normal',
+ # 4. prefixing "repo-log," to any of the above will **also** log just the
+ # update records to "gl-log" in the bare repo directory:
+ # LOG_DEST => 'repo-log,normal',
+ # LOG_DEST => 'repo-log,syslog',
+ # LOG_DEST => 'repo-log,syslog,normal',
+
+ # roles. add more roles (like MANAGER, TESTER, ...) here.
+ # WARNING: if you make changes to this hash, you MUST run 'gitolite
+ # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
+ ROLES => {
+ READERS => 1,
+ WRITERS => 1,
+ },
+
+ # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
+ # CACHE => 'Redis',
+
+ # ------------------------------------------------------------------
+
+ # rc variables used by various features
+
+ # the 'info' command prints this as additional info, if it is set
+ # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
+
+ # the CpuTime feature uses these
+ # display user, system, and elapsed times to user after each git operation
+ # DISPLAY_CPU_TIME => 1,
+ # display a warning if total CPU times (u, s, cu, cs) crosses this limit
+ # CPU_TIME_WARN_LIMIT => 0.1,
+
+ # the Mirroring feature needs this
+ # HOSTNAME => "foo",
+
+ # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
+ # CACHE_TTL => 600,
+
+ # ------------------------------------------------------------------
+
+ # suggested locations for site-local gitolite code (see cust.html)
+
+ # this one is managed directly on the server
+ # LOCAL_CODE => "$ENV{HOME}/local",
+
+ # or you can use this, which lets you put everything in a subdirectory
+ # called "local" in your gitolite-admin repo. For a SECURITY WARNING
+ # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
+ # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
+
+ # ------------------------------------------------------------------
+
+ # List of commands and features to enable
+
+ ENABLE => [
+
+ # COMMANDS
+
+ # These are the commands enabled by default
+ 'help',
+ 'desc',
+ 'info',
+ 'perms',
+ 'writable',
+
+ # Uncomment or add new commands here.
+ 'create',
+ # 'fork',
+ # 'mirror',
+ # 'readme',
+ # 'sskm',
+ 'D',
+
+ # These FEATURES are enabled by default.
+
+ # essential (unless you're using smart-http mode)
+ 'ssh-authkeys',
+
+ # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
+ 'git-config',
+
+ # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
+ 'daemon',
+
+ # creates projects.list file; if you don't use gitweb, comment this out
+ 'gitweb',
+
+ # These FEATURES are disabled by default; uncomment to enable. If you
+ # need to add new ones, ask on the mailing list :-)
+
+ # user-visible behaviour
+
+ # prevent wild repos auto-create on fetch/clone
+ # 'no-create-on-read',
+ # no auto-create at all (don't forget to enable the 'create' command!)
+ # 'no-auto-create',
+
+ # access a repo by another (possibly legacy) name
+ # 'Alias',
+
+ # give some users direct shell access. See documentation in
+ # sts.html for details on the following two choices.
+ # "Shell $ENV{HOME}/.gitolite.shell-users",
+ # 'Shell alice bob',
+
+ # set default roles from lines like 'option default.roles-1 = ...', etc.
+ # 'set-default-roles',
+
+ # show more detailed messages on deny
+ # 'expand-deny-messages',
+
+ # show a message of the day
+ # 'Motd',
+
+ # system admin stuff
+
+ # enable mirroring (don't forget to set the HOSTNAME too!)
+ # 'Mirroring',
+
+ # allow people to submit pub files with more than one key in them
+ # 'ssh-authkeys-split',
+
+ # selective read control hack
+ # 'partial-copy',
+
+ # manage local, gitolite-controlled, copies of read-only upstream repos
+ 'upstream',
+
+ # updates 'description' file instead of 'gitweb.description' config item
+ 'cgit',
+
+ # allow repo-specific hooks to be added
+ # 'repo-specific-hooks',
+
+ # performance, logging, monitoring...
+
+ # be nice
+ # 'renice 10',
+
+ # log CPU times (user, system, cumulative user, cumulative system)
+ # 'CpuTime',
+
+ # syntactic_sugar for gitolite.conf and included files
+
+ # allow backslash-escaped continuation lines in gitolite.conf
+ # 'continuation-lines',
+
+ # create implicit user groups from directory names in keydir/
+ # 'keysubdirs-as-groups',
+
+ # allow simple line-oriented macros
+ # 'macros',
+
+ # Kindergarten mode
+
+ # disallow various things that sensible people shouldn't be doing anyway
+ # 'Kindergarten',
+ ],
+
+);
+
+# ------------------------------------------------------------------------------
+# per perl rules, this should be the last line in such a file:
+1;
+
+# Local variables:
+# mode: perl
+# End:
+# vim: set syn=perl:
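Review bot: `UMASK => 0002` makes every repository gitolite creates, including gitolite-admin, group-writable and world-readable, so any other account or process in the container can read all repositories regardless of gitolite's ACLs. The comment above it still describes the 0700 default, and the gitolite documentation suggests `0027` with the web user in the `git` group when gitweb or cgit needs read access; since nginx in this image is configured with `user root`, even the default may be sufficient, which I have not verified. `UMASK => 0027,` with a comment naming who needs group read would be the least-privilege choice. The `create` and `D` commands enabled further down let users create and delete wild repositories, which is worth a one-line comment on why they are on.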
diff --git a/images/git/gitolite/sshd_config b/images/git/gitolite/sshd_config
new file mode 100644
index 0000000..15b448f
--- /dev/null
+++ b/images/git/gitolite/sshd_config
@@ -0,0 +1,55 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /data/ssh/host_rsa_key
+HostKey /data/ssh/host_dsa_key
+HostKey /data/ssh/host_ecdsa_key
+HostKey /data/ssh/host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+PubkeyAuthentication yes
+AuthorizedKeysFile /data/git/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+X11Forwarding no
+PrintMotd no
+TCPKeepAlive yes
+#UseLogin no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# Subsystem sftp /usr/lib/openssh/sftp-server
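Review bot: `HostKey /data/ssh/host_dsa_key` still offers a DSA host key, which is limited to 1024 bits and has been disabled by default in OpenSSH since 7.0; drop that line and keep the RSA, ECDSA and Ed25519 keys. `AuthorizedKeysFile /data/git/.ssh/authorized_keys` is an absolute path with no `%u`/`%h` token, so the same key file is consulted whatever account name the client asks for. This daemon appears to serve only the gitolite account, so adding `AllowUsers git` (account name inferred from the `chpst -ugit` service script) would make that restriction explicit. `LoginGraceTime 120` is generous for key-only logins; a value such as `LoginGraceTime 30` holds unauthenticated connections open for less time.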
diff --git a/images/git/nginx/nginx.conf b/images/git/nginx/nginx.conf
new file mode 100644
index 0000000..9528692
--- /dev/null
+++ b/images/git/nginx/nginx.conf
@@ -0,0 +1,51 @@
+worker_processes 1;
+user root;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+
+ access_log /dev/stdout;
+ error_log /dev/stderr;
+
+ # Cgit
+ server {
+ listen 80;
+ root /usr/share/webapps/cgit;
+ server_name tx0.co;
+ try_files $uri @cgit;
+
+ location ~ /git(/.*) {
+ # Set chunks to unlimited, as the body's can be huge
+ client_max_body_size 0;
+
+ # Forward REMOTE_USER as we want to know when we are authenticated
+ fastcgi_param REMOTE_USER $remote_user;
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+ # fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /data/git/repositories;
+ fastcgi_param PATH_INFO $1;
+ }
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+ }
+ }
+}
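Review bot: `user root;` runs the nginx workers as root. In addition, `images/git/service/fcgiwrap/run` starts fcgiwrap through spawn-fcgi without `-u`/`-g`, so `cgit.cgi` and `git-http-backend` also parse untrusted requests as root. The repositories look to be owned by the `git` account (the daemon service uses `chpst -ugit`), so the CGI side could run as that account, e.g. `exec spawn-fcgi -n -u git -g git -s /run/fcgiwrap.sock /usr/bin/fcgiwrap 2>&1`. The socket owner would then be set with `-U`/`-G` so that an unprivileged nginx `user` can still connect. Separately, `location ~ /git(/.*)` is unanchored and matches `/git/` anywhere in the URI; `location ~ ^/git(/.*)$` states the intent.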
diff --git a/images/git/service/daemon/run b/images/git/service/daemon/run
new file mode 100644
index 0000000..485e706
--- /dev/null
+++ b/images/git/service/daemon/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec chpst -ugit git daemon --base-path=/data/git/repositories
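Review bot: `git daemon` is started with `--base-path` but no directory allow-list, so the only export control is the per-repository `git-daemon-export-ok` marker (presumably written by gitolite for repos readable by `daemon`). Passing the tree as the allowed directory makes the confinement explicit: `exec chpst -ugit git daemon --base-path=/data/git/repositories /data/git/repositories 2>&1`. The `2>&1` also matches the other run scripts, so errors reach the service log. git:// is unauthenticated and unencrypted, so anything exported here should be treated as public.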
diff --git a/images/git/service/fcgiwrap/run b/images/git/service/fcgiwrap/run
new file mode 100644
index 0000000..4c7efcb
--- /dev/null
+++ b/images/git/service/fcgiwrap/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec spawn-fcgi -n -s /run/fcgiwrap.sock /usr/bin/fcgiwrap 2>&1
diff --git a/images/git/service/nginx/run b/images/git/service/nginx/run
new file mode 100644
index 0000000..ef7f976
--- /dev/null
+++ b/images/git/service/nginx/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec nginx -g 'daemon off;' 2>&1
diff --git a/images/git/service/sshd/run b/images/git/service/sshd/run
new file mode 100644
index 0000000..91abb22
--- /dev/null
+++ b/images/git/service/sshd/run
@@ -0,0 +1,4 @@
+#!/bin/sh
+mkdir -p /data/ssh
+chmod +x /app/generate_certs.sh
+/app/generate_certs.sh && exec /usr/sbin/sshd -D 2>&1
diff --git a/images/matrix/.gitignore b/images/matrix/.gitignore
new file mode 100644
index 0000000..fb801ef
--- /dev/null
+++ b/images/matrix/.gitignore
@@ -0,0 +1,3 @@
+synapse/*signing*
+synapse/*key*
+synapse/*tls*
diff --git a/images/matrix/Dockerfile b/images/matrix/Dockerfile
new file mode 100644
index 0000000..5569475
--- /dev/null
+++ b/images/matrix/Dockerfile
@@ -0,0 +1,15 @@
+FROM alpine:3.5 AS builder
+
+RUN apk add --no-cache build-base ca-certificates python2-dev py2-pip su-exec \
+ py2-psycopg2 py2-msgpack py2-psutil py2-openssl py2-yaml py-twisted py2-netaddr \
+ py2-cffi py2-asn1 py2-asn1-modules py2-cryptography py2-pillow py2-decorator py2-jinja2 \
+ py2-requests py2-simplejson py2-tz py2-crypto py2-dateutil py2-service_identity
+
+RUN pip install https://github.com/kdltr/synapse/tarball/master
+
+ADD synapse /app/synapse
+
+ENTRYPOINT python -m synapse.app.homeserver \
+ --server-name tx0.co \
+ --config-path /app/synapse/homeserver.yaml \
+ --report-stats=no
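Review bot: `pip install https://github.com/kdltr/synapse/tarball/master` installs whatever the fork's master branch holds at build time, so two builds can ship different homeserver code and nothing verifies what was fetched; pin it, e.g. `RUN pip install https://github.com/kdltr/synapse/tarball/<commit-sha>` (placeholder). The same unpinned fetch appears in `images/paste/Dockerfile` (`git clone --depth=1` of ptpb/pb plus `npm install`) and in `images/router/Dockerfile` (`git clone` of dehydrated, which handles the ACME account and certificate keys). `ADD synapse /app/synapse` also copies any local `synapse/*signing*`, `*key*` and `*tls*` files into an image layer, although `.gitignore` keeps them out of git, so the image itself has to be handled as a secret. The shell-form `ENTRYPOINT` runs Synapse under `/bin/sh -c` as root; an exec-form array and a `USER` line would restore signal delivery and drop privileges.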
diff --git a/images/matrix/synapse/homeserver.yaml b/images/matrix/synapse/homeserver.yaml
new file mode 100644
index 0000000..69ffa8e
--- /dev/null
+++ b/images/matrix/synapse/homeserver.yaml
@@ -0,0 +1,480 @@
+# vim:ft=yaml
+# PEM encoded X509 certificate for TLS.
+# You can replace the self-signed certificate that synapse
+# autogenerates on launch with your own SSL certificate + key pair
+# if you like. Any required intermediary certificates can be
+# appended after the primary certificate in hierarchical order.
+tls_certificate_path: "/app/synapse/tx0.co.tls.crt"
+
+# PEM encoded private key for TLS
+tls_private_key_path: "/app/synapse/tx0.co.tls.key"
+
+# PEM dh parameters for ephemeral keys
+tls_dh_params_path: "/app/synapse/tx0.co.tls.dh"
+
+# Don't bind to the https port
+no_tls: False
+
+# List of allowed TLS fingerprints for this server to publish along
+# with the signing keys for this server. Other matrix servers that
+# make HTTPS requests to this server will check that the TLS
+# certificates returned by this server match one of the fingerprints.
+#
+# Synapse automatically adds the fingerprint of its own certificate
+# to the list. So if federation traffic is handle directly by synapse
+# then no modification to the list is required.
+#
+# If synapse is run behind a load balancer that handles the TLS then it
+# will be necessary to add the fingerprints of the certificates used by
+# the loadbalancers to this list if they are different to the one
+# synapse is using.
+#
+# Homeservers are permitted to cache the list of TLS fingerprints
+# returned in the key responses up to the "valid_until_ts" returned in
+# key. It may be necessary to publish the fingerprints of a new
+# certificate and wait until the "valid_until_ts" of the previous key
+# responses have passed before deploying it.
+tls_fingerprints: []
+# tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
+
+
+## Server ##
+
+# The domain name of the server, with optional explicit port.
+# This is used by remote servers to connect to this server,
+# e.g. matrix.org, localhost:8080, etc.
+# This is also the last part of your UserID.
+server_name: "tx0.co"
+
+# When running as a daemon, the file to store the pid in
+pid_file: /app/synapse/homeserver.pid
+
+# Whether to serve a web client from the HTTP/HTTPS root resource.
+web_client: True
+
+# The public-facing base URL for the client API (not including _matrix/...)
+# public_baseurl: https://example.com:8448/
+
+# Set the soft limit on the number of file descriptors synapse can use
+# Zero is used to indicate synapse should set the soft limit to the
+# hard limit.
+soft_file_limit: 0
+
+# The GC threshold parameters to pass to `gc.set_threshold`, if defined
+# gc_thresholds: [700, 10, 10]
+
+# List of ports that Synapse should listen on, their purpose and their
+# configuration.
+listeners:
+ # Main HTTPS listener
+ # For when matrix traffic is sent directly to synapse.
+ -
+ # The port to listen for HTTPS requests on.
+ port: 8448
+
+ # Local addresses to listen on.
+ # This will listen on all IPv4 addresses by default.
+ bind_addresses:
+ - '0.0.0.0'
+ # Uncomment to listen on all IPv6 interfaces
+ # N.B: On at least Linux this will also listen on all IPv4
+ # addresses, so you will need to comment out the line above.
+ # - '::'
+
+ # This is a 'http' listener, allows us to specify 'resources'.
+ type: http
+
+ tls: true
+
+ # Use the X-Forwarded-For (XFF) header as the client IP and not the
+ # actual client IP.
+ x_forwarded: false
+
+ # List of HTTP resources to serve on this listener.
+ resources:
+ -
+ # List of resources to host on this listener.
+ names:
+ - client # The client-server APIs, both v1 and v2
+ - webclient # The bundled webclient.
+
+ # Should synapse compress HTTP responses to clients that support it?
+ # This should be disabled if running synapse behind a load balancer
+ # that can do automatic compression.
+ compress: true
+
+ - names: [federation] # Federation APIs
+ compress: false
+
+ # Unsecure HTTP listener,
+ # For when matrix traffic passes through loadbalancer that unwraps TLS.
+ - port: 8008
+ tls: false
+ bind_addresses: ['0.0.0.0']
+ type: http
+
+ x_forwarded: true
+
+ resources:
+ - names: [client, webclient]
+ compress: true
+ - names: [federation]
+ compress: false
+
+ # Turn on the twisted ssh manhole service on localhost on the given
+ # port.
+ # - port: 9000
+ # bind_address: 127.0.0.1
+ # type: manhole
+
+
+# Database configuration
+database:
+ # The database engine name
+ name: "sqlite3"
+ # Arguments to pass to the engine
+ args:
+ # Path to the database
+ database: "/app/synapse/homeserver.db"
+
+# Number of events to cache in memory.
+event_cache_size: "10K"
+
+
+
+# Logging verbosity level. Ignored if log_config is specified.
+verbose: 0
+
+# File to write logging to. Ignored if log_config is specified.
+log_file: "/app/synapse/homeserver.log"
+
+# A yaml python logging config file
+log_config: "/app/synapse/tx0.co.log.config"
+
+
+## Ratelimiting ##
+
+# Number of messages a client can send per second
+rc_messages_per_second: 0.2
+
+# Number of message a client can send before being throttled
+rc_message_burst_count: 10.0
+
+# The federation window size in milliseconds
+federation_rc_window_size: 1000
+
+# The number of federation requests from a single server in a window
+# before the server will delay processing the request.
+federation_rc_sleep_limit: 10
+
+# The duration in milliseconds to delay processing events from
+# remote servers by if they go over the sleep limit.
+federation_rc_sleep_delay: 500
+
+# The maximum number of concurrent federation requests allowed
+# from a single server
+federation_rc_reject_limit: 50
+
+# The number of federation requests to concurrently process from a
+# single server
+federation_rc_concurrent: 3
+
+
+
+# Directory where uploaded images and attachments are stored.
+media_store_path: "/app/synapse/media_store"
+
+# Directory where in-progress uploads are stored.
+uploads_path: "/app/synapse/uploads"
+
+# The largest allowed upload size in bytes
+max_upload_size: "10M"
+
+# Maximum number of pixels that will be thumbnailed
+max_image_pixels: "32M"
+
+# Whether to generate new thumbnails on the fly to precisely match
+# the resolution requested by the client. If true then whenever
+# a new resolution is requested by the client the server will
+# generate a new thumbnail. If false the server will pick a thumbnail
+# from a precalculated list.
+dynamic_thumbnails: false
+
+# List of thumbnail to precalculate when an image is uploaded.
+thumbnail_sizes:
+- width: 32
+ height: 32
+ method: crop
+- width: 96
+ height: 96
+ method: crop
+- width: 320
+ height: 240
+ method: scale
+- width: 640
+ height: 480
+ method: scale
+- width: 800
+ height: 600
+ method: scale
+
+# Is the preview URL API enabled? If enabled, you *must* specify
+# an explicit url_preview_ip_range_blacklist of IPs that the spider is
+# denied from accessing.
+url_preview_enabled: False
+
+# List of IP address CIDR ranges that the URL preview spider is denied
+# from accessing. There are no defaults: you must explicitly
+# specify a list for URL previewing to work. You should specify any
+# internal services in your network that you do not want synapse to try
+# to connect to, otherwise anyone in any Matrix room could cause your
+# synapse to issue arbitrary GET requests to your internal services,
+# causing serious security issues.
+#
+# url_preview_ip_range_blacklist:
+# - '127.0.0.0/8'
+# - '10.0.0.0/8'
+# - '172.16.0.0/12'
+# - '192.168.0.0/16'
+# - '100.64.0.0/10'
+# - '169.254.0.0/16'
+#
+# List of IP address CIDR ranges that the URL preview spider is allowed
+# to access even if they are specified in url_preview_ip_range_blacklist.
+# This is useful for specifying exceptions to wide-ranging blacklisted
+# target IP ranges - e.g. for enabling URL previews for a specific private
+# website only visible in your network.
+#
+# url_preview_ip_range_whitelist:
+# - '192.168.1.1'
+
+# Optional list of URL matches that the URL preview spider is
+# denied from accessing. You should use url_preview_ip_range_blacklist
+# in preference to this, otherwise someone could define a public DNS
+# entry that points to a private IP address and circumvent the blacklist.
+# This is more useful if you know there is an entire shape of URL that
+# you know that will never want synapse to try to spider.
+#
+# Each list entry is a dictionary of url component attributes as returned
+# by urlparse.urlsplit as applied to the absolute form of the URL. See
+# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit
+# The values of the dictionary are treated as an filename match pattern
+# applied to that component of URLs, unless they start with a ^ in which
+# case they are treated as a regular expression match. If all the
+# specified component matches for a given list item succeed, the URL is
+# blacklisted.
+#
+# url_preview_url_blacklist:
+# # blacklist any URL with a username in its URI
+# - username: '*'
+#
+# # blacklist all *.google.com URLs
+# - netloc: 'google.com'
+# - netloc: '*.google.com'
+#
+# # blacklist all plain HTTP URLs
+# - scheme: 'http'
+#
+# # blacklist http(s)://www.acme.com/foo
+# - netloc: 'www.acme.com'
+# path: '/foo'
+#
+# # blacklist any URL with a literal IPv4 address
+# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
+
+# The largest allowed URL preview spidering size in bytes
+max_spider_size: "10M"
+
+
+
+
+## Captcha ##
+# See docs/CAPTCHA_SETUP for full details of configuring this.
+
+# This Home Server's ReCAPTCHA public key.
+recaptcha_public_key: "YOUR_PUBLIC_KEY"
+
+# This Home Server's ReCAPTCHA private key.
+recaptcha_private_key: "YOUR_PRIVATE_KEY"
+
+# Enables ReCaptcha checks when registering, preventing signup
+# unless a captcha is answered. Requires a valid ReCaptcha
+# public/private key.
+enable_registration_captcha: False
+
+# A secret key used to bypass the captcha test entirely.
+#captcha_bypass_secret: "YOUR_SECRET_HERE"
+
+# The API endpoint to use for verifying m.login.recaptcha responses.
+recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+
+
+## Turn ##
+
+# The public URIs of the TURN server to give to clients
+turn_uris: []
+
+# The shared secret used to compute passwords for the TURN server
+turn_shared_secret: "YOUR_SHARED_SECRET"
+
+# The Username and password if the TURN server needs them and
+# does not use a token
+#turn_username: "TURNSERVER_USERNAME"
+#turn_password: "TURNSERVER_PASSWORD"
+
+# How long generated TURN credentials last
+turn_user_lifetime: "1h"
+
+
+## Registration ##
+
+# Enable registration for new users.
+enable_registration: False
+
+# If set, allows registration by anyone who also has the shared
+# secret, even if registration is otherwise disabled.
+registration_shared_secret: "vb8CLE^i;WW@g7KDdhcIJqUdFTNVp&7.w4l1xWeICoOz~;cYv="
+
+# Set the number of bcrypt rounds used to generate password hash.
+# Larger numbers increase the work factor needed to generate the hash.
+# The default number of rounds is 12.
+bcrypt_rounds: 12
+
+# Allows users to register as guests without a password/email/etc, and
+# participate in rooms hosted on this server which have been made
+# accessible to anonymous users.
+allow_guest_access: False
+
+# The list of identity servers trusted to verify third party
+# identifiers by this server.
+trusted_third_party_id_servers:
+ - matrix.org
+ - vector.im
+
+
+## Metrics ###
+
+# Enable collection and rendering of performance metrics
+enable_metrics: False
+report_stats: False
+
+
+## API Configuration ##
+
+# A list of event types that will be included in the room_invite_state
+room_invite_state_types:
+ - "m.room.join_rules"
+ - "m.room.canonical_alias"
+ - "m.room.avatar"
+ - "m.room.name"
+
+
+# A list of application service config file to use
+app_service_config_files: []
+
+
+macaroon_secret_key: "HO.JIQfbn_&lUMdP:28LO13i62M~T&VcuabW,I3PBCYGPA+fSk"
+
+# Used to enable access token expiration.
+expire_access_token: False
+
+## Signing Keys ##
+
+# Path to the signing key to sign messages with
+signing_key_path: "/app/synapse/tx0.co.signing.key"
+
+# The keys that the server used to sign messages with but won't use
+# to sign new messages. E.g. it has lost its private key
+old_signing_keys: {}
+# "ed25519:auto":
+# # Base64 encoded public key
+# key: "The public part of your old signing key."
+# # Millisecond POSIX timestamp when the key expired.
+# expired_ts: 123456789123
+
+# How long key response published by this server is valid for.
+# Used to set the valid_until_ts in /key/v2 APIs.
+# Determines how quickly servers will query to check which keys
+# are still valid.
+key_refresh_interval: "1d" # 1 Day.
+
+# The trusted servers to download signing keys from.
+perspectives:
+ servers:
+ "matrix.org":
+ verify_keys:
+ "ed25519:auto":
+ key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+
+
+
+# Enable SAML2 for registration and login. Uses pysaml2
+# config_path: Path to the sp_conf.py configuration file
+# idp_redirect_url: Identity provider URL which will redirect
+# the user back to /login/saml2 with proper info.
+# See pysaml2 docs for format of config.
+#saml2_config:
+# enabled: true
+# config_path: "/app/synapse/sp_conf.py"
+# idp_redirect_url: "http://tx0.co/idp"
+
+
+
+# Enable CAS for registration and login.
+#cas_config:
+# enabled: true
+# server_url: "https://cas-server.com"
+# service_url: "https://homesever.domain.com:8448"
+# #required_attributes:
+# # name: value
+
+
+# The JWT needs to contain a globally unique "sub" (subject) claim.
+#
+# jwt_config:
+# enabled: true
+# secret: "a secret"
+# algorithm: "HS256"
+
+
+
+# Enable password for login.
+password_config:
+ enabled: true
+ # Uncomment and change to a secret random string for extra security.
+ # DO NOT CHANGE THIS AFTER INITIAL SETUP!
+ #pepper: ""
+
+
+
+# Enable sending emails for notification events
+# Defining a custom URL for Riot is only needed if email notifications
+# should contain links to a self-hosted installation of Riot; when set
+# the "app_name" setting is ignored.
+#email:
+# enable_notifs: false
+# smtp_host: "localhost"
+# smtp_port: 25
+# notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>"
+# app_name: Matrix
+# template_dir: res/templates
+# notif_template_html: notif_mail.html
+# notif_template_text: notif_mail.txt
+# notif_for_new_users: True
+# riot_base_url: "http://localhost/riot"
+
+
+# password_providers:
+# - module: "ldap_auth_provider.LdapAuthProvider"
+# config:
+# enabled: true
+# uri: "ldap://ldap.example.com:389"
+# start_tls: true
+# base: "ou=users,dc=example,dc=com"
+# attributes:
+# uid: "cn"
+# mail: "email"
+# name: "givenName"
+# #bind_dn:
+# #bind_password:
+# #filter: "(objectClass=posixAccount)"
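Review bot: `registration_shared_secret` and `macaroon_secret_key` are committed with what look like live values, while `images/matrix/.gitignore` only keeps the signing and TLS key files out of the repository. Anyone who can read the repository or the built image can use the first to register accounts despite `enable_registration: False`, and the second protects the server's access tokens, so both should be regenerated and the committed values treated as compromised. Keep placeholders here, e.g. `registration_shared_secret: "<set in untracked secrets file>"`, and supply the real values from a file covered by the ignore rules, if this Synapse version accepts more than one `--config-path`. The port 8008 listener binds `0.0.0.0` with `x_forwarded: true`, so it must be reachable only from the router container; otherwise a client can supply its own source address.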
diff --git a/images/matrix/synapse/tx0.co.log.config b/images/matrix/synapse/tx0.co.log.config
new file mode 100644
index 0000000..5c86bcc
--- /dev/null
+++ b/images/matrix/synapse/tx0.co.log.config
@@ -0,0 +1,37 @@
+
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+
+filters:
+ context:
+ (): synapse.util.logcontext.LoggingContextFilter
+ request: ""
+
+handlers:
+ file:
+ class: logging.handlers.RotatingFileHandler
+ formatter: precise
+ filename: /app/synapse/homeserver.log
+ maxBytes: 104857600
+ backupCount: 10
+ filters: [context]
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+ filters: [context]
+
+loggers:
+ synapse:
+ level: INFO
+
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+
+root:
+ level: INFO
+ handlers: [file, console]
diff --git a/images/paste/Dockerfile b/images/paste/Dockerfile
new file mode 100644
index 0000000..9eedd40
--- /dev/null
+++ b/images/paste/Dockerfile
@@ -0,0 +1,24 @@
+# Currently uses edge instead of 3.5 because it needs
+# the mongodb package only available on edge
+
+FROM alpine:edge AS builder
+
+RUN apk add --no-cache git python3 py3-pip nodejs nodejs-npm graphicsmagick
+RUN git clone --single-branch --depth=1 --recursive https://github.com/ptpb/pb /app/pb
+
+RUN cd /app/pb \
+ && npm install -g grunt-cli \
+ && npm install && (cd node_modules/pbs; npm install) \
+ && grunt
+
+RUN cd /app/pb \
+ && pip3 install --user -r requirements.txt
+
+FROM server_runit-edge
+
+RUN apk add --no-cache python3 uwsgi-python3 mongodb
+COPY --from=builder /app/pb /app/pb
+COPY --from=builder /root/.local /root/.local
+
+ADD pb/config.yaml /root/.config/pb/config.yaml
+ADD uwsgi/pb.ini /app/pb.ini
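Review bot: the final stage never sets `USER`, and `pip3 install --user` places the Python dependencies under `/root/.local`, which ties uwsgi to running as root alongside mongod. Installing into a path outside root's home (for example a virtualenv under `/app`) and creating a dedicated account would let `pb.ini` drop privileges with `uid`/`gid`. `FROM alpine:edge` is a rolling tag, so the builder's packages change between builds; the header comment explains why it is needed, but a digest pin would keep builds repeatable. The two `ADD` lines copy plain local files, for which `COPY` is the explicit form.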
diff --git a/images/paste/pb/config.yaml b/images/paste/pb/config.yaml
new file mode 100644
index 0000000..ebf8837
--- /dev/null
+++ b/images/paste/pb/config.yaml
@@ -0,0 +1,7 @@
+DEBUG: false
+
+MONGO:
+ host: localhost
+ port: 27017
+
+MONGO_DATABASE: pb
diff --git a/images/paste/service/mongo/run b/images/paste/service/mongo/run
new file mode 100644
index 0000000..996df8b
--- /dev/null
+++ b/images/paste/service/mongo/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+mkdir -p /data/db
+mongod
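Review bot: `mongod` is started without `exec` and without a bind address. Without `exec` the shell remains the supervised process, so runit signals the wrapper rather than the database on stop. Depending on the packaged version, MongoDB releases before 3.6 listen on all interfaces by default with no authentication, which would expose the paste database to every container on the same network. `pb/config.yaml` connects to `localhost`, so `exec mongod --bind_ip 127.0.0.1 2>&1` is sufficient.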
diff --git a/images/paste/service/uwsgi/run b/images/paste/service/uwsgi/run
new file mode 100644
index 0000000..2900244
--- /dev/null
+++ b/images/paste/service/uwsgi/run
@@ -0,0 +1,4 @@
+#!/bin/sh
+export PYTHONPATH=/app/pb:$PYTHONPATH
+/app/pb/runonce.py
+exec uwsgi --ini /app/pb.ini
diff --git a/images/paste/uwsgi/pb.ini b/images/paste/uwsgi/pb.ini
new file mode 100644
index 0000000..b035e38
--- /dev/null
+++ b/images/paste/uwsgi/pb.ini
@@ -0,0 +1,7 @@
+[uwsgi]
+socket = [::]:10002
+mountpoint = /app/pb
+module = pb.run:app
+plugins = python3
+processes = 4
+threads = 4
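Review bot: `socket = [::]:10002` exposes the raw uwsgi protocol on every interface, and that protocol has no authentication of its own. Any peer that can reach the port talks to the application server directly, bypassing the `auth_basic` the router places on write methods. The port should never be published and should be reachable only from the router container, or be bound to the internal network address. No `uid`/`gid` is set either, so the workers run as whatever user the run script has, presumably root.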
diff --git a/images/router/.gitignore b/images/router/.gitignore
new file mode 100644
index 0000000..5224f03
--- /dev/null
+++ b/images/router/.gitignore
@@ -0,0 +1 @@
+auth/*
diff --git a/images/router/Dockerfile b/images/router/Dockerfile
new file mode 100644
index 0000000..f7717fe
--- /dev/null
+++ b/images/router/Dockerfile
@@ -0,0 +1,11 @@
+FROM server_runit
+
+RUN apk add --no-cache nginx nginx-mod-stream bash curl git openssl
+RUN git clone --single-branch --depth=1 \
+ https://github.com/lukas2511/dehydrated /app/dehydrated
+
+ADD letsencrypt /app/letsencrypt/
+RUN rm -rf /etc/nginx/conf.d
+ADD nginx /etc/nginx/
+ADD auth /app/auth
+ADD dhparams.pem /app/
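Review bot: `ADD auth /app/auth` copies the basic-auth password files into an image layer, although `images/router/.gitignore` (`auth/*`) deliberately keeps them out of git; anyone who can pull or export the image obtains the hashes. Mounting the directory read-only at `/app/auth` at run time keeps them out of the image. `FROM server_runit` carries no tag, so the base that gets built on depends on whatever was last built locally under that name. The remaining `ADD` lines copy plain local files, for which `COPY` is the explicit form.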
diff --git a/images/router/dhparams.pem b/images/router/dhparams.pem
new file mode 100644
index 0000000..3530d79
--- /dev/null
+++ b/images/router/dhparams.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAj8BEpaKdrasUzeqS1KaWlOBJTaLTHHpVzkjUdPgsgKyf3sI18b5X
+r6QF4KOu0oU4V23j3Zbc6qHdIAa+HnYvw/A+ShFTC6CkFlmHE5MDgbyABmtXXqCy
+HiiGUalmReOZUhWNXI2+VqZHRjFH58ivoMJvkoyAesNjUGM1qq8oVyhUsmWYmU1A
+dwC4hGYpRnf6bOHeI0l5/b2q8jSix2UxYWrqQlg0Yi/RovVlk3SEpKclOQ4zrrxi
+BUrOpZ3Oedl4tKeIA50dAnkjh05EnYMhG0SPXY9mPyxAQl0xAByh/15aAT+XZ+Zn
+gYqh+frTciPPk5LoRZ3Ym7yRbbY8A3Y9iYe1kySEUiN5KKt0wa1RIH3rp6VYlU0J
+nYbzNLuVe9HYb9v4hoWcy4p5qPAXzO9cJHJmo3Y7JpcUY/dQBSiarT12LoPlLCHP
+72uwxWA9FQZRpI2MPYOyG1SifojX2GIY03mGL3LTnbjdmAbCDx6FpcddCZPbmOXj
+y+NhzLGZCzKGprleoY8rI9wMBbyGjE43ikOr8JkUPXc7IhOE5KmYnI8YHgkAHKhn
+c9R2k2tAGYoxCfdhh6RdaRgcT/JqtyljEYVJWzYvfKfGHaGE7u+u4AudBCbjKgXs
+Ns2e3CRprxvvK8DhcRwVYNJax6ecJqn+5EESrSJ/8EhjEm056rS3PqMCAQI=
+-----END DH PARAMETERS-----
diff --git a/images/router/letsencrypt/config b/images/router/letsencrypt/config
new file mode 100644
index 0000000..e641f19
--- /dev/null
+++ b/images/router/letsencrypt/config
@@ -0,0 +1,95 @@
+########################################################
+# This is the main config file for dehydrated #
+# #
+# This file is looked for in the following locations: #
+# $SCRIPTDIR/config (next to this script) #
+# /usr/local/etc/dehydrated/config #
+# /etc/dehydrated/config #
+# ${PWD}/config (in current working-directory) #
+# #
+# Default values of this config are in comments #
+########################################################
+
+# Resolve names to addresses of IP version only. (curl)
+# supported values: 4, 6
+# default: <unset>
+#IP_VERSION=
+
+# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
+CA="https://acme-v01.api.letsencrypt.org/directory"
+
+# Path to certificate authority license terms redirect (default: https://acme-v01.api.letsencrypt.org/terms)
+CA_TERMS="https://acme-v01.api.letsencrypt.org/terms"
+
+#CA="https://acme-staging.api.letsencrypt.org/directory"
+#CA_TERMS="https://acme-staging.api.letsencrypt.org/terms"
+
+# Path to license agreement (default: <unset>)
+#LICENSE=""
+
+# Which challenge should be used? Currently http-01 and dns-01 are supported
+CHALLENGETYPE="http-01"
+
+# Path to a directory containing additional config files, allowing to override
+# the defaults found in the main configuration file. Additional config files
+# in this directory needs to be named with a '.sh' ending.
+# default: <unset>
+#CONFIG_D=
+
+# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
+#BASEDIR=$SCRIPTDIR
+
+# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
+DOMAINS_TXT="/app/letsencrypt/domains.txt"
+
+# Output directory for generated certificates
+CERTDIR="/data/certs"
+
+# Directory for account keys and registration information
+ACCOUNTDIR="/data/accounts"
+
+# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
+WELLKNOWN="/data/wellknown/acme-challenge"
+
+# Default keysize for private keys (default: 4096)
+KEYSIZE="4096"
+
+# Path to openssl config file (default: <unset> - tries to figure out system default)
+#OPENSSL_CNF=
+
+# Program or function called in certain situations
+#
+# After generating the challenge-response, or after failed challenge (in this case altname is empty)
+# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
+#
+# After successfully signing certificate
+# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
+#
+# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
+# default: <unset>
+#HOOK=
+
+# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
+#HOOK_CHAIN="no"
+
+# Minimum days before expiration to automatically renew certificate (default: 30)
+#RENEW_DAYS="30"
+
+# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
+#PRIVATE_KEY_RENEW="yes"
+
+# Create an extra private key for rollover (default: no)
+#PRIVATE_KEY_ROLLOVER="no"
+
+# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+#KEY_ALGO=rsa
+
+# E-mail to use during the registration (default: <unset>)
+CONTACT_EMAIL=till@hoeppner.ws
+
+# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
+LOCKFILE="/app/letsencrypt/lock"
+
+# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+#OCSP_MUST_STAPLE="no"
+
diff --git a/images/router/letsencrypt/domains.txt b/images/router/letsencrypt/domains.txt
new file mode 100644
index 0000000..d062476
--- /dev/null
+++ b/images/router/letsencrypt/domains.txt
@@ -0,0 +1 @@
+tx0.co m.tx0.co matrix.tx0.co g.tx0.co git.tx0.co z.tx0.co znc.tx0.co p.tx0.co paste.tx0.co
diff --git a/images/router/nginx/fastcgi.conf b/images/router/nginx/fastcgi.conf
new file mode 100644
index 0000000..091738c
--- /dev/null
+++ b/images/router/nginx/fastcgi.conf
@@ -0,0 +1,26 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/images/router/nginx/http.off/matrix b/images/router/nginx/http.off/matrix
new file mode 100644
index 0000000..cedd917
--- /dev/null
+++ b/images/router/nginx/http.off/matrix
@@ -0,0 +1,14 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name m.tx0.co;
+
+ include snippets/ssl;
+ include snippets/wellknown;
+
+ location /_matrix {
+ proxy_pass http://matrix:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+}
diff --git a/images/router/nginx/http.off/pad b/images/router/nginx/http.off/pad
new file mode 100644
index 0000000..4aa0e2e
--- /dev/null
+++ b/images/router/nginx/http.off/pad
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name pad.tx0.co;
+
+ include snippets/ssl;
+ include snippets/wellknown;
+
+ location / {
+ auth_basic "pad";
+ auth_basic_user_file pad/passwd;
+ proxy_pass http://etherpad;
+ }
+}
diff --git a/images/router/nginx/http.off/redirect b/images/router/nginx/http.off/redirect
new file mode 100644
index 0000000..8548646
--- /dev/null
+++ b/images/router/nginx/http.off/redirect
@@ -0,0 +1,10 @@
+server {
+ listen 80 default_server deferred;
+ listen [::]:80 default_server deferred;
+
+ server_name _;
+
+ include snippets/wellknown;
+
+ return 301 https://$server_name$request_uri;
+}
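Review bot: `return 301 https://$server_name$request_uri;` uses `$server_name`, which in this catch-all block is the literal `_`, so clients would be redirected to `https://_/...`; `$host` carries the name the client actually requested. A `return` at server level is also evaluated before any location is selected, so whatever `snippets/wellknown` defines (presumably the ACME challenge location; it is not part of this diff) would never be served on port 80. Wrapping the redirect as `location / { return 301 https://$host$request_uri; }` addresses both.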
diff --git a/images/router/nginx/http/git b/images/router/nginx/http/git
new file mode 100644
index 0000000..0b14c54
--- /dev/null
+++ b/images/router/nginx/http/git
@@ -0,0 +1,13 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name g.tx0.co git.tx0.co;
+
+ include snippets/ssl_http;
+ include snippets/wellknown;
+
+ location / {
+ proxy_pass http://git;
+ }
+}
diff --git a/images/router/nginx/http/paste b/images/router/nginx/http/paste
new file mode 100644
index 0000000..4e0c75b
--- /dev/null
+++ b/images/router/nginx/http/paste
@@ -0,0 +1,26 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tx0.co p.tx0.co paste.tx0.co;
+
+ include snippets/ssl_http;
+ include snippets/wellknown;
+
+ location / {
+ limit_except GET HEAD {
+ auth_basic 'Restricted';
+ auth_basic_user_file /app/auth/paste;
+ }
+
+ include snippets/uwsgi_params;
+
+ uwsgi_pass paste:10002;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Fowarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ }
+}
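Review bot: the four `proxy_set_header` lines and `proxy_redirect off` have no effect in this location, because the request is handed over with `uwsgi_pass` rather than `proxy_pass`; one of them is also misspelled as `X-Fowarded-For`. If the application needs the forwarded client address or host, pass it as a uwsgi variable, e.g. `uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;`, assuming `snippets/uwsgi_params` (not shown in this diff) does not already provide it. `limit_except GET HEAD` leaves reads public and authenticates only the other methods, which deserves a one-line comment such as `# reads are public; writes require basic auth` so it is not mistaken for an oversight.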
diff --git a/images/router/nginx/http/znc b/images/router/nginx/http/znc
new file mode 100644
index 0000000..6028ca9
--- /dev/null
+++ b/images/router/nginx/http/znc
@@ -0,0 +1,13 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name z.tx0.co znc.tx0.co;
+
+ include snippets/ssl_http;
+ include snippets/wellknown;
+
+ location / {
+ proxy_pass http://znc;
+ }
+}
diff --git a/images/router/nginx/koi-utf b/images/router/nginx/koi-utf
new file mode 100644
index 0000000..e7974ff
--- /dev/null
+++ b/images/router/nginx/koi-utf
@@ -0,0 +1,109 @@
+
+# This map is not a full koi8-r <> utf8 map: it does not contain
+# box-drawing and some other characters. Besides this map contains
+# several koi8-u and Byelorussian letters which are not in koi8-r.
+# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
+# map instead.
+
+charset_map koi8-r utf-8 {
+
+ 80 E282AC ; # euro
+
+ 95 E280A2 ; # bullet
+
+ 9A C2A0 ; # &nbsp;
+
+ 9E C2B7 ; # &middot;
+
+ A3 D191 ; # small yo
+ A4 D194 ; # small Ukrainian ye
+
+ A6 D196 ; # small Ukrainian i
+ A7 D197 ; # small Ukrainian yi
+
+ AD D291 ; # small Ukrainian soft g
+ AE D19E ; # small Byelorussian short u
+
+ B0 C2B0 ; # &deg;
+
+ B3 D081 ; # capital YO
+ B4 D084 ; # capital Ukrainian YE
+
+ B6 D086 ; # capital Ukrainian I
+ B7 D087 ; # capital Ukrainian YI
+
+ B9 E28496 ; # numero sign
+
+ BD D290 ; # capital Ukrainian soft G
+ BE D18E ; # capital Byelorussian short U
+
+ BF C2A9 ; # (C)
+
+ C0 D18E ; # small yu
+ C1 D0B0 ; # small a
+ C2 D0B1 ; # small b
+ C3 D186 ; # small ts
+ C4 D0B4 ; # small d
+ C5 D0B5 ; # small ye
+ C6 D184 ; # small f
+ C7 D0B3 ; # small g
+ C8 D185 ; # small kh
+ C9 D0B8 ; # small i
+ CA D0B9 ; # small j
+ CB D0BA ; # small k
+ CC D0BB ; # small l
+ CD D0BC ; # small m
+ CE D0BD ; # small n
+ CF D0BE ; # small o
+
+ D0 D0BF ; # small p
+ D1 D18F ; # small ya
+ D2 D180 ; # small r
+ D3 D181 ; # small s
+ D4 D182 ; # small t
+ D5 D183 ; # small u
+ D6 D0B6 ; # small zh
+ D7 D0B2 ; # small v
+ D8 D18C ; # small soft sign
+ D9 D18B ; # small y
+ DA D0B7 ; # small z
+ DB D188 ; # small sh
+ DC D18D ; # small e
+ DD D189 ; # small shch
+ DE D187 ; # small ch
+ DF D18A ; # small hard sign
+
+ E0 D0AE ; # capital YU
+ E1 D090 ; # capital A
+ E2 D091 ; # capital B
+ E3 D0A6 ; # capital TS
+ E4 D094 ; # capital D
+ E5 D095 ; # capital YE
+ E6 D0A4 ; # capital F
+ E7 D093 ; # capital G
+ E8 D0A5 ; # capital KH
+ E9 D098 ; # capital I
+ EA D099 ; # capital J
+ EB D09A ; # capital K
+ EC D09B ; # capital L
+ ED D09C ; # capital M
+ EE D09D ; # capital N
+ EF D09E ; # capital O
+
+ F0 D09F ; # capital P
+ F1 D0AF ; # capital YA
+ F2 D0A0 ; # capital R
+ F3 D0A1 ; # capital S
+ F4 D0A2 ; # capital T
+ F5 D0A3 ; # capital U
+ F6 D096 ; # capital ZH
+ F7 D092 ; # capital V
+ F8 D0AC ; # capital soft sign
+ F9 D0AB ; # capital Y
+ FA D097 ; # capital Z
+ FB D0A8 ; # capital SH
+ FC D0AD ; # capital E
+ FD D0A9 ; # capital SHCH
+ FE D0A7 ; # capital CH
+ FF D0AA ; # capital hard sign
+}
diff --git a/images/router/nginx/koi-win b/images/router/nginx/koi-win
new file mode 100644
index 0000000..72afabe
--- /dev/null
+++ b/images/router/nginx/koi-win
@@ -0,0 +1,103 @@
+
+charset_map koi8-r windows-1251 {
+
+ 80 88 ; # euro
+
+ 95 95 ; # bullet
+
+ 9A A0 ; # &nbsp;
+
+ 9E B7 ; # &middot;
+
+ A3 B8 ; # small yo
+ A4 BA ; # small Ukrainian ye
+
+ A6 B3 ; # small Ukrainian i
+ A7 BF ; # small Ukrainian yi
+
+ AD B4 ; # small Ukrainian soft g
+ AE A2 ; # small Byelorussian short u
+
+ B0 B0 ; # &deg;
+
+ B3 A8 ; # capital YO
+ B4 AA ; # capital Ukrainian YE
+
+ B6 B2 ; # capital Ukrainian I
+ B7 AF ; # capital Ukrainian YI
+
+ B9 B9 ; # numero sign
+
+ BD A5 ; # capital Ukrainian soft G
+ BE A1 ; # capital Byelorussian short U
+
+ BF A9 ; # (C)
+
+ C0 FE ; # small yu
+ C1 E0 ; # small a
+ C2 E1 ; # small b
+ C3 F6 ; # small ts
+ C4 E4 ; # small d
+ C5 E5 ; # small ye
+ C6 F4 ; # small f
+ C7 E3 ; # small g
+ C8 F5 ; # small kh
+ C9 E8 ; # small i
+ CA E9 ; # small j
+ CB EA ; # small k
+ CC EB ; # small l
+ CD EC ; # small m
+ CE ED ; # small n
+ CF EE ; # small o
+
+ D0 EF ; # small p
+ D1 FF ; # small ya
+ D2 F0 ; # small r
+ D3 F1 ; # small s
+ D4 F2 ; # small t
+ D5 F3 ; # small u
+ D6 E6 ; # small zh
+ D7 E2 ; # small v
+ D8 FC ; # small soft sign
+ D9 FB ; # small y
+ DA E7 ; # small z
+ DB F8 ; # small sh
+ DC FD ; # small e
+ DD F9 ; # small shch
+ DE F7 ; # small ch
+ DF FA ; # small hard sign
+
+ E0 DE ; # capital YU
+ E1 C0 ; # capital A
+ E2 C1 ; # capital B
+ E3 D6 ; # capital TS
+ E4 C4 ; # capital D
+ E5 C5 ; # capital YE
+ E6 D4 ; # capital F
+ E7 C3 ; # capital G
+ E8 D5 ; # capital KH
+ E9 C8 ; # capital I
+ EA C9 ; # capital J
+ EB CA ; # capital K
+ EC CB ; # capital L
+ ED CC ; # capital M
+ EE CD ; # capital N
+ EF CE ; # capital O
+
+ F0 CF ; # capital P
+ F1 DF ; # capital YA
+ F2 D0 ; # capital R
+ F3 D1 ; # capital S
+ F4 D2 ; # capital T
+ F5 D3 ; # capital U
+ F6 C6 ; # capital ZH
+ F7 C2 ; # capital V
+ F8 DC ; # capital soft sign
+ F9 DB ; # capital Y
+ FA C7 ; # capital Z
+ FB D8 ; # capital SH
+ FC DD ; # capital E
+ FD D9 ; # capital SHCH
+ FE D7 ; # capital CH
+ FF DA ; # capital hard sign
+}
diff --git a/images/router/nginx/mime.types b/images/router/nginx/mime.types
new file mode 100644
index 0000000..89be9a4
--- /dev/null
+++ b/images/router/nginx/mime.types
@@ -0,0 +1,89 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/images/router/nginx/modules/stream.conf b/images/router/nginx/modules/stream.conf
new file mode 100644
index 0000000..9b0cbc3
--- /dev/null
+++ b/images/router/nginx/modules/stream.conf
@@ -0,0 +1 @@
+load_module "modules/ngx_stream_module.so";
diff --git a/images/router/nginx/nginx.conf b/images/router/nginx/nginx.conf
new file mode 100644
index 0000000..cb9b8c8
--- /dev/null
+++ b/images/router/nginx/nginx.conf
@@ -0,0 +1,67 @@
+worker_processes auto;
+pid /run/nginx.pid;
+
+include modules/stream.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ #include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ include snippets/ssl_ciphers;
+ ssl_session_cache shared:SSL:25m;
+ ssl_session_timeout 10m;
+
+ # Gzip
+ gzip on;
+ gzip_disable "msie6";
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javasc$
+
+ # Logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _;
+ include snippets/ssl_http;
+ return 503;
+ }
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/http/*;
+}
+
+stream {
+ include snippets/ssl_ciphers;
+
+ ssl_session_cache shared:TCP:25m;
+ ssl_session_timeout 10m;
+
+ include /etc/nginx/stream/*;
+}
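Review bot: The `gzip_types` line ends in `text/javasc$` with no terminating `;`, which looks like a value cut off by a horizontally scrolling editor or pager. As committed, nginx would either reject the file or keep reading arguments up to the next `;`, which would swallow the `access_log` directive below it. Restore the full value and the semicolon, presumably ending `... application/xml+rss text/javascript;`. Separately, `#include /etc/nginx/mime.types;` is commented out, so files nginx serves from disk (the `.well-known` alias) are sent as `application/octet-stream`.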
diff --git a/images/router/nginx/snippets/fastcgi_params b/images/router/nginx/snippets/fastcgi_params
new file mode 100644
index 0000000..28decb9
--- /dev/null
+++ b/images/router/nginx/snippets/fastcgi_params
@@ -0,0 +1,25 @@
+
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/images/router/nginx/snippets/scgi_params b/images/router/nginx/snippets/scgi_params
new file mode 100644
index 0000000..6d4ce4f
--- /dev/null
+++ b/images/router/nginx/snippets/scgi_params
@@ -0,0 +1,17 @@
+
+scgi_param REQUEST_METHOD $request_method;
+scgi_param REQUEST_URI $request_uri;
+scgi_param QUERY_STRING $query_string;
+scgi_param CONTENT_TYPE $content_type;
+
+scgi_param DOCUMENT_URI $document_uri;
+scgi_param DOCUMENT_ROOT $document_root;
+scgi_param SCGI 1;
+scgi_param SERVER_PROTOCOL $server_protocol;
+scgi_param REQUEST_SCHEME $scheme;
+scgi_param HTTPS $https if_not_empty;
+
+scgi_param REMOTE_ADDR $remote_addr;
+scgi_param REMOTE_PORT $remote_port;
+scgi_param SERVER_PORT $server_port;
+scgi_param SERVER_NAME $server_name;
diff --git a/images/router/nginx/snippets/ssl_ciphers b/images/router/nginx/snippets/ssl_ciphers
new file mode 100644
index 0000000..6eefe74
--- /dev/null
+++ b/images/router/nginx/snippets/ssl_ciphers
@@ -0,0 +1,4 @@
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+
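Review bot: `ssl_protocols` still enables TLSv1 and TLSv1.1, and the cipher string ends by admitting `DES-CBC3-SHA`, bare `AES` and `CAMELLIA`, so 3DES and static-RSA CBC suites remain negotiable. The comment only accounts for SSLv3. Unless a known legacy client needs them, restrict this to `ssl_protocols TLSv1.2;` (adding TLSv1.3 where the nginx and TLS library build supports it) and trim the list to the ECDHE/DHE AEAD suites at its front. The snippet is included from both the `http` and `stream` blocks of nginx.conf, so the change also covers the IRC listener. A comment naming the profile or generator the string came from would make later updates easier.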
diff --git a/images/router/nginx/snippets/ssl_http b/images/router/nginx/snippets/ssl_http
new file mode 100644
index 0000000..78d171e
--- /dev/null
+++ b/images/router/nginx/snippets/ssl_http
@@ -0,0 +1,6 @@
+ssl_certificate /data/certs/tx0.co/fullchain.pem;
+ssl_certificate_key /data/certs/tx0.co/privkey.pem;
+
+ssl_dhparam /app/dhparams.pem;
+
+add_header Strict-Transport-Security "max-age=31536000" always;
diff --git a/images/router/nginx/snippets/ssl_tcp b/images/router/nginx/snippets/ssl_tcp
new file mode 100644
index 0000000..b59b7bf
--- /dev/null
+++ b/images/router/nginx/snippets/ssl_tcp
@@ -0,0 +1,4 @@
+ssl_certificate /data/certs/tx0.co/fullchain.pem;
+ssl_certificate_key /data/certs/tx0.co/privkey.pem;
+
+ssl_dhparam /app/dhparams.pem;
diff --git a/images/router/nginx/snippets/uwsgi_params b/images/router/nginx/snippets/uwsgi_params
new file mode 100644
index 0000000..09c732c
--- /dev/null
+++ b/images/router/nginx/snippets/uwsgi_params
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/images/router/nginx/snippets/wellknown b/images/router/nginx/snippets/wellknown
new file mode 100644
index 0000000..17aacf7
--- /dev/null
+++ b/images/router/nginx/snippets/wellknown
@@ -0,0 +1,5 @@
+location ^~ /.well-known/ {
+ alias /data/wellknown/;
+ try_files $uri $uri/ =404;
+ break;
+}
diff --git a/images/router/nginx/stream/znc b/images/router/nginx/stream/znc
new file mode 100644
index 0000000..e496af7
--- /dev/null
+++ b/images/router/nginx/stream/znc
@@ -0,0 +1,8 @@
+server {
+ listen 6667 ssl;
+ listen [::]:6667 ssl;
+
+ include snippets/ssl_tcp;
+
+ proxy_pass znc:6667;
+}
diff --git a/images/router/nginx/win-utf b/images/router/nginx/win-utf
new file mode 100644
index 0000000..ed8bc00
--- /dev/null
+++ b/images/router/nginx/win-utf
@@ -0,0 +1,126 @@
+
+# This map is not a full windows-1251 <> utf8 map: it does not
+# contain Serbian and Macedonian letters. If you need a full map,
+# use contrib/unicode2nginx/win-utf map instead.
+
+charset_map windows-1251 utf-8 {
+
+ 82 E2809A ; # single low-9 quotation mark
+
+ 84 E2809E ; # double low-9 quotation mark
+ 85 E280A6 ; # ellipsis
+ 86 E280A0 ; # dagger
+ 87 E280A1 ; # double dagger
+ 88 E282AC ; # euro
+ 89 E280B0 ; # per mille
+
+ 91 E28098 ; # left single quotation mark
+ 92 E28099 ; # right single quotation mark
+ 93 E2809C ; # left double quotation mark
+ 94 E2809D ; # right double quotation mark
+ 95 E280A2 ; # bullet
+ 96 E28093 ; # en dash
+ 97 E28094 ; # em dash
+
+ 99 E284A2 ; # trade mark sign
+
+ A0 C2A0 ; # &nbsp;
+ A1 D18E ; # capital Byelorussian short U
+ A2 D19E ; # small Byelorussian short u
+
+ A4 C2A4 ; # currency sign
+ A5 D290 ; # capital Ukrainian soft G
+ A6 C2A6 ; # borken bar
+ A7 C2A7 ; # section sign
+ A8 D081 ; # capital YO
+ A9 C2A9 ; # (C)
+ AA D084 ; # capital Ukrainian YE
+ AB C2AB ; # left-pointing double angle quotation mark
+ AC C2AC ; # not sign
+ AD C2AD ; # soft hypen
+ AE C2AE ; # (R)
+ AF D087 ; # capital Ukrainian YI
+
+ B0 C2B0 ; # &deg;
+ B1 C2B1 ; # plus-minus sign
+ B2 D086 ; # capital Ukrainian I
+ B3 D196 ; # small Ukrainian i
+ B4 D291 ; # small Ukrainian soft g
+ B5 C2B5 ; # micro sign
+ B6 C2B6 ; # pilcrow sign
+ B7 C2B7 ; # &middot;
+ B8 D191 ; # small yo
+ B9 E28496 ; # numero sign
+ BA D194 ; # small Ukrainian ye
+ BB C2BB ; # right-pointing double angle quotation mark
+
+ BF D197 ; # small Ukrainian yi
+
+ C0 D090 ; # capital A
+ C1 D091 ; # capital B
+ C2 D092 ; # capital V
+ C3 D093 ; # capital G
+ C4 D094 ; # capital D
+ C5 D095 ; # capital YE
+ C6 D096 ; # capital ZH
+ C7 D097 ; # capital Z
+ C8 D098 ; # capital I
+ C9 D099 ; # capital J
+ CA D09A ; # capital K
+ CB D09B ; # capital L
+ CC D09C ; # capital M
+ CD D09D ; # capital N
+ CE D09E ; # capital O
+ CF D09F ; # capital P
+
+ D0 D0A0 ; # capital R
+ D1 D0A1 ; # capital S
+ D2 D0A2 ; # capital T
+ D3 D0A3 ; # capital U
+ D4 D0A4 ; # capital F
+ D5 D0A5 ; # capital KH
+ D6 D0A6 ; # capital TS
+ D7 D0A7 ; # capital CH
+ D8 D0A8 ; # capital SH
+ D9 D0A9 ; # capital SHCH
+ DA D0AA ; # capital hard sign
+ DB D0AB ; # capital Y
+ DC D0AC ; # capital soft sign
+ DD D0AD ; # capital E
+ DE D0AE ; # capital YU
+ DF D0AF ; # capital YA
+
+ E0 D0B0 ; # small a
+ E1 D0B1 ; # small b
+ E2 D0B2 ; # small v
+ E3 D0B3 ; # small g
+ E4 D0B4 ; # small d
+ E5 D0B5 ; # small ye
+ E6 D0B6 ; # small zh
+ E7 D0B7 ; # small z
+ E8 D0B8 ; # small i
+ E9 D0B9 ; # small j
+ EA D0BA ; # small k
+ EB D0BB ; # small l
+ EC D0BC ; # small m
+ ED D0BD ; # small n
+ EE D0BE ; # small o
+ EF D0BF ; # small p
+
+ F0 D180 ; # small r
+ F1 D181 ; # small s
+ F2 D182 ; # small t
+ F3 D183 ; # small u
+ F4 D184 ; # small f
+ F5 D185 ; # small kh
+ F6 D186 ; # small ts
+ F7 D187 ; # small ch
+ F8 D188 ; # small sh
+ F9 D189 ; # small shch
+ FA D18A ; # small hard sign
+ FB D18B ; # small y
+ FC D18C ; # small soft sign
+ FD D18D ; # small e
+ FE D18E ; # small yu
+ FF D18F ; # small ya
+}
diff --git a/images/router/service/letsencrypt/run b/images/router/service/letsencrypt/run
new file mode 100644
index 0000000..7fcc76d
--- /dev/null
+++ b/images/router/service/letsencrypt/run
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# wait for nginx to startup, for http challenge
+sv start nginx || exit 1
+sleep 10
+
+# half a day, 60 * 60 * 12
+INTERVAL=43200
+
+mkdir -p /data/wellknown/acme-challenge
+
+/app/dehydrated/dehydrated --register --accept-terms --config /app/letsencrypt/config
+
+while true; do
+ echo "Updating certificates"
+ /app/dehydrated/dehydrated --cron --config /app/letsencrypt/config
+ nginx -s reload # certificates might have changed
+ sleep $INTERVAL
+done
diff --git a/images/router/service/nginx/run b/images/router/service/nginx/run
new file mode 100644
index 0000000..bfc6e24
--- /dev/null
+++ b/images/router/service/nginx/run
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+ln -sf /dev/stdout /var/log/nginx/access.log
+ln -sf /dev/stderr /var/log/nginx/error.log
+
+# nginx doesn't start without certificates,
+# so generate untrusted ones for startup
+if [ ! -d "/data/certs/tx0.co" ]; then
+ echo "Generating dummy certificates"
+ mkdir -p /data/certs/tx0.co
+ openssl req -x509 -nodes -batch -newkey rsa:512 -days 0 \
+ -keyout /data/certs/tx0.co/privkey.pem \
+ -out /data/certs/tx0.co/fullchain.pem
+fi
+
+exec nginx -g 'daemon off;'
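Review bot: The placeholder certificate is generated with `-newkey rsa:512`, and the guard tests only for the directory `/data/certs/tx0.co`, not for the two files nginx loads. Some TLS library builds refuse keys that small, and a directory left behind without `fullchain.pem` and `privkey.pem` skips generation and leaves nginx unable to start. Test the files instead, `if [ ! -s /data/certs/tx0.co/fullchain.pem ] || [ ! -s /data/certs/tx0.co/privkey.pem ]; then`, and use `rsa:2048`. Setting `umask 077` before the `openssl req` call keeps the unencrypted `privkey.pem` from being created readable by other users.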
diff --git a/images/runit-edge/Dockerfile b/images/runit-edge/Dockerfile
new file mode 100644
index 0000000..d0c2040
--- /dev/null
+++ b/images/runit-edge/Dockerfile
@@ -0,0 +1,14 @@
+FROM alpine:edge
+
+RUN apk add --no-cache sudo shadow runit
+
+# runit
+ADD runit/run /app/runit/run
+ONBUILD ADD service /etc/service
+# Make sure all service and log files are executable
+ONBUILD RUN find -L /etc/service \( -name run -or -name finish -or -name down \) -exec chmod +x {} \;
+
+# If supplied as "ENTRYPOINT foo" it will be wrapped in "/bin/sh -c",
+# but that will swallow signals and we rely on those
+ONBUILD RUN chmod +x /app/runit/run
+ONBUILD ENTRYPOINT ["/app/runit/run"]
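Review bot: `FROM alpine:edge` tracks a rolling branch, so every rebuild of this base, and of every image that inherits its `ONBUILD` triggers, can pull different package versions. If edge is needed for one package only, say which in a comment and consider pinning the base by digest. `ADD runit/run /app/runit/run` copies a plain local file and reads better as `COPY runit/run /app/runit/run`. `chmod +x /app/runit/run` acts on a file that already exists in this image, so it can be an ordinary `RUN` here instead of an `ONBUILD RUN` repeated in each child build. The `ADD` and `ONBUILD` points also apply to images/runit/Dockerfile, which differs only in `FROM alpine:3.5`.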
diff --git a/images/runit-edge/runit/run b/images/runit-edge/runit/run
new file mode 100644
index 0000000..c3861c2
--- /dev/null
+++ b/images/runit-edge/runit/run
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+echo "Found services:"
+find /etc/service -mindepth 1 -maxdepth 1
+
+/sbin/runsvdir /etc/service &
+runsvdir_pid=$!
+echo "Started runit as $runsvdir_pid"
+
+runit_stop() {
+ echo "Stopping runit"
+ # "If runsvdir receives HUP, it sends TERM to each runsv process"
+ kill -HUP $runsvdir_pid
+}
+
+trap "runit_stop" SIGTERM
+wait
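Review bot: After SIGTERM the script exits before the services have stopped: the trap interrupts `wait`, `runit_stop` sends HUP to runsvdir, and control then falls off the end of the file. Because this script is the container entrypoint, the remaining processes are likely to be killed when it exits instead of shutting down cleanly. Add `wait "$runsvdir_pid"` as the last line of `runit_stop`, and quote the variable in `kill -HUP "$runsvdir_pid"`. `trap runit_stop TERM` is the portable spelling of the signal name. images/runit/runit/run is the same file and needs the same change.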
diff --git a/images/runit/Dockerfile b/images/runit/Dockerfile
new file mode 100644
index 0000000..9ec17b7
--- /dev/null
+++ b/images/runit/Dockerfile
@@ -0,0 +1,14 @@
+FROM alpine:3.5
+
+RUN apk add --no-cache sudo shadow runit
+
+# runit
+ADD runit/run /app/runit/run
+ONBUILD ADD service /etc/service
+# Make sure all service and log files are executable
+ONBUILD RUN find -L /etc/service \( -name run -or -name finish -or -name down \) -exec chmod +x {} \;
+
+# If supplied as "ENTRYPOINT foo" it will be wrapped in "/bin/sh -c",
+# but that will swallow signals and we rely on those
+ONBUILD RUN chmod +x /app/runit/run
+ONBUILD ENTRYPOINT ["/app/runit/run"]
diff --git a/images/runit/runit/run b/images/runit/runit/run
new file mode 100644
index 0000000..c3861c2
--- /dev/null
+++ b/images/runit/runit/run
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+echo "Found services:"
+find /etc/service -mindepth 1 -maxdepth 1
+
+/sbin/runsvdir /etc/service &
+runsvdir_pid=$!
+echo "Started runit as $runsvdir_pid"
+
+runit_stop() {
+ echo "Stopping runit"
+ # "If runsvdir receives HUP, it sends TERM to each runsv process"
+ kill -HUP $runsvdir_pid
+}
+
+trap "runit_stop" SIGTERM
+wait
diff --git a/images/taskwarrior/Dockerfile b/images/taskwarrior/Dockerfile
new file mode 100644
index 0000000..b732c28
--- /dev/null
+++ b/images/taskwarrior/Dockerfile
@@ -0,0 +1,5 @@
+FROM alpine:3.5
+
+RUN apk add --no-cache taskd
+
+ENTRYPOINT exec taskd server --data /data/
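Review bot: No `USER` is set, so `taskd` runs as root inside the container, and the shell-form `ENTRYPOINT` means arguments given at `docker run` are ignored. Unless the package already provides an account, create one and switch to it, e.g. `RUN adduser -S -h /data taskd` followed by `USER taskd`. Use the exec form `ENTRYPOINT ["taskd", "server", "--data", "/data/"]`. The `/data` volume then has to be owned by that account.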
diff --git a/images/znc/Dockerfile b/images/znc/Dockerfile
new file mode 100644
index 0000000..6dfec6a
--- /dev/null
+++ b/images/znc/Dockerfile
@@ -0,0 +1,25 @@
+FROM alpine:3.5 AS builder
+
+RUN apk add --no-cache build-base git automake autoconf openssl-dev icu-dev
+
+RUN git clone --single-branch --depth=1 --recursive https://github.com/znc/znc.git /tmp/znc
+
+RUN mkdir -p /app /data
+RUN cd /tmp/znc \
+ && ./autogen.sh \
+ && ./configure --prefix="/app/znc" \
+ && make \
+ && make install
+
+ADD privmsg.cpp /tmp/
+RUN cd /tmp/ \
+ && /app/znc/bin/znc-buildmod /tmp/privmsg.cpp \
+ && mv privmsg.so /app/znc/lib/znc/
+
+FROM server_runit
+
+RUN apk add --no-cache sudo libcap openssl icu
+COPY --from=builder /app /app
+
+# -S: system, -h: home
+RUN adduser -S -h /data znc && chmod a+x /data
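Review bot: `git clone --single-branch --depth=1 --recursive https://github.com/znc/znc.git /tmp/znc` builds whatever is at the tip of the default branch at build time, so the image is not reproducible and an unreviewed upstream change goes straight into the running bouncer. Pin to a release, e.g. `git clone --branch <release-tag> --depth=1 --recursive ...`, or check out a recorded commit id after cloning, and note the version in a comment. `FROM server_runit` likewise carries no tag, and `ADD privmsg.cpp /tmp/` is a plain file copy that reads better as `COPY`. The two `RUN cd ... &&` steps could use `WORKDIR` instead.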
diff --git a/images/znc/privmsg.cpp b/images/znc/privmsg.cpp
new file mode 100644
index 0000000..0659f96
--- /dev/null
+++ b/images/znc/privmsg.cpp
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2004-2012 See the AUTHORS file for details.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ */
+
+#include <znc/IRCNetwork.h>
+#include <znc/Modules.h>
+
+class CPrivMsgMod : public CModule {
+public:
+ MODCONSTRUCTOR(CPrivMsgMod) {}
+
+ virtual EModRet OnUserMsg(CString& sTarget, CString& sMessage) {
+ if (m_pNetwork && m_pNetwork->GetIRCSock() && !m_pNetwork->IsChan(sTarget)) {
+ m_pNetwork->PutUser(":" + m_pNetwork->GetIRCNick().GetNickMask() + " PRIVMSG " + sTarget + " :" + sMessage, NULL, m_pClient);
+ }
+
+ return CONTINUE;
+ }
+
+ virtual EModRet OnUserAction(CString& sTarget, CString& sMessage) {
+ if (m_pNetwork && m_pNetwork->GetIRCSock() && !m_pNetwork->IsChan(sTarget)) {
+ m_pNetwork->PutUser(":" + m_pNetwork->GetIRCNick().GetNickMask() + " PRIVMSG " + sTarget + " :\x01" + "ACTION " + sMessage + "\x01", NULL, m_pClient);
+ }
+
+ return CONTINUE;
+ }
+};
+
+template<> void TModInfo<CPrivMsgMod>(CModInfo& Info) {
+ Info.SetWikiPage("privmsg");
+ Info.AddType(CModInfo::NetworkModule);
+ Info.AddType(CModInfo::GlobalModule);
+}
+
+USERMODULEDEFS(CPrivMsgMod, "Send outgoing PRIVMSGs and CTCP ACTIONs to other clients")
+
diff --git a/images/znc/service/znc/run b/images/znc/service/znc/run
new file mode 100644
index 0000000..14814ea
--- /dev/null
+++ b/images/znc/service/znc/run
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+chown -R znc /data
+setcap 'cap_net_bind_service=+ep' /app/znc/bin/znc
+exec sudo -u znc /app/znc/bin/znc --foreground --datadir /data
diff --git a/services.off/matrix.yml b/services.off/matrix.yml
new file mode 100644
index 0000000..0a8ce79
--- /dev/null
+++ b/services.off/matrix.yml
@@ -0,0 +1,16 @@
+version: '3'
+
+volumes:
+ synapse_data:
+
+services:
+ matrix:
+ image: silviof/docker-matrix
+ command: start
+ ports:
+ - "8448:8448" # matrix federation
+ volumes:
+ - synapse_data:/data/
+ environment:
+ - SERVER_NAME=m.tx0.co
+ - REPORT_STATS=no
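Review bot: `image: silviof/docker-matrix` has no tag, so it resolves to `latest` from a third-party repository and can change under the deployment on any pull. Pin a specific tag, or better a digest (`image: silviof/docker-matrix@sha256:<digest>`), and record the Synapse version it carries in a comment. The federation port is published directly with `"8448:8448"`, so it presumably bypasses the router's TLS settings and relies on the image's own certificate and cipher configuration. That is worth a comment next to the port mapping.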
diff --git a/services/git.yml b/services/git.yml
new file mode 100644
index 0000000..68129e3
--- /dev/null
+++ b/services/git.yml
@@ -0,0 +1,15 @@
+version: '3'
+
+volumes:
+ git_data:
+
+services:
+ git:
+ depends_on:
+ - runit
+ build: $IMAGES/git
+ ports:
+ - "22:22" # ssh
+ - "9418:9418" # git://
+ volumes:
+ - git_data:/data
diff --git a/services/paste.yml b/services/paste.yml
new file mode 100644
index 0000000..477301d
--- /dev/null
+++ b/services/paste.yml
@@ -0,0 +1,12 @@
+version: '3'
+
+volumes:
+ paste_data:
+
+services:
+ paste:
+ depends_on:
+ - runit-edge
+ build: $IMAGES/paste
+ volumes:
+ - paste_data:/data
diff --git a/services/router.yml b/services/router.yml
new file mode 100644
index 0000000..1c43a65
--- /dev/null
+++ b/services/router.yml
@@ -0,0 +1,21 @@
+version: '3'
+
+volumes:
+ router_data:
+
+services:
+ router:
+ build: $IMAGES/router
+ depends_on:
+ - runit
+ - git
+ - paste
+ - znc
+ - taskwarrior
+ ports:
+ - "80:80" # http
+ - "443:443" # https
+ - "6667:6667" # IRC (TLS terminated)
+ volumes:
+ - $IMAGES/router/nginx/:/etc/nginx:ro
+ - router_data:/data
diff --git a/services/runit-edge.yml b/services/runit-edge.yml
new file mode 100644
index 0000000..ed131ea
--- /dev/null
+++ b/services/runit-edge.yml
@@ -0,0 +1,6 @@
+version: '3'
+
+services:
+ runit-edge:
+ build: $IMAGES/runit-edge
+ entrypoint: /bin/true
diff --git a/services/runit.yml b/services/runit.yml
new file mode 100644
index 0000000..be5cc99
--- /dev/null
+++ b/services/runit.yml
@@ -0,0 +1,6 @@
+version: '3'
+
+services:
+ runit:
+ build: $IMAGES/runit
+ entrypoint: /bin/true
diff --git a/services/taskwarrior.yml b/services/taskwarrior.yml
new file mode 100644
index 0000000..41e015e
--- /dev/null
+++ b/services/taskwarrior.yml
@@ -0,0 +1,10 @@
+version: '3'
+
+volumes:
+ taskwarrior_data:
+
+services:
+ taskwarrior:
+ build: $IMAGES/taskwarrior
+ volumes:
+ - taskwarrior_data:/data
diff --git a/services/znc.yml b/services/znc.yml
new file mode 100644
index 0000000..624a252
--- /dev/null
+++ b/services/znc.yml
@@ -0,0 +1,10 @@
+version: '3'
+
+volumes:
+ znc_data:
+
+services:
+ znc:
+ build: $IMAGES/znc
+ volumes:
+ - znc_data:/data