author | System administrator | 2017-05-29 13:26:10 +0200 |
---|---|---|
committer | System administrator | 2017-05-29 13:26:10 +0200 |
commit | bc5c44dd049bad3b007be48b3f8d90886d63c105 (patch) | |
tree | a381d989db2295f228f9bc95a774f0cc9aef4c40 | |
download | server-bc5c44dd049bad3b007be48b3f8d90886d63c105.tar.gz server-bc5c44dd049bad3b007be48b3f8d90886d63c105.tar.xz server-bc5c44dd049bad3b007be48b3f8d90886d63c105.zip |
Initial commit
71 files changed, 2883 insertions, 0 deletions
diff --git a/bin/attach b/bin/attach
new file mode 100755
index 0000000..81a00ad
--- /dev/null
+++ b/bin/attach
@@ -0,0 +1,2 @@
+#!/bin/sh
+docker exec -it $1 /bin/sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+shopt -s nullglob
+
+echo Using ./services/*.yml
+COMPOSE_OPTIONS=""
+for file in ./services/*.yml; do
+ COMPOSE_OPTIONS="${COMPOSE_OPTIONS} -f $file"
+done
+
+export COMPOSE_PROJECT_NAME=server
+export IMAGES=$PWD/images
+
+docker-compose $COMPOSE_OPTIONS "$@"
diff --git a/bin/mount b/bin/mount
new file mode 100755
index 0000000..8e77608
--- /dev/null
+++ b/bin/mount
@@ -0,0 +1,2 @@
+#!/bin/sh
+docker run -it --rm -v "$1:/mnt" alpine:3.5 /bin/ash -sc 'cd /mnt'
diff --git a/bin/ngreload b/bin/ngreload
new file mode 100755
index 0000000..f8943a1
--- /dev/null
+++ b/bin/ngreload
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+docker exec server_router_1 nginx -s reload
diff --git a/images/git/Dockerfile b/images/git/Dockerfile
new file mode 100644
index 0000000..bd8589e
--- /dev/null
+++ b/images/git/Dockerfile
@@ -0,0 +1,35 @@
+FROM alpine:3.5 AS builder
+
+RUN apk add --no-cache sassc
+
+ADD cgit/cgit.sass /app/
+RUN sassc -t compressed /app/cgit.sass /app/cgit.css
+
+FROM server_runit AS final
+
+RUN apk add --no-cache sudo shadow \
+ git gitolite git-daemon \
+ openssh openssh-client \
+ cgit highlight markdown \
+ nginx spawn-fcgi fcgiwrap
+
+# gitolite
+RUN mkdir -p /data /data/log
+RUN echo 'git:*' | chpasswd
+RUN usermod --home /data/git --move-home git
+
+ADD gitolite/ /app/
+RUN ln -s /app/gitolite.rc /data/git/.gitolite.rc
+RUN chown -R git:git /app/gitolite.rc /data/log /data/git
+RUN sudo -u git GL_LOGFILE=/data/log/gitolite gitolite setup -pk /app/admin.pub
+
+ADD gitolite/sshd_config /etc/ssh/
+ADD gitolite/generate_certs.sh /app/
+
+# cgit
+ADD cgit/cgitrc /etc/
+ADD cgit/syntax-highlighting3.sh /app/
+ADD cgit/about-formatting.sh /app/
+COPY --from=builder /app/cgit.css /usr/share/webapps/cgit/cgit.css
+
+ADD nginx/nginx.conf /etc/nginx/nginx.conf
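Review bot: `$1` is unquoted in bin/attach, so a container name containing whitespace or glob characters is split into extra `docker exec` arguments; `docker exec -it "$1" /bin/sh` keeps it a single argument. The hunk that follows (the compose wrapper, whose file header is missing from this page) relies on the same word splitting for `$COMPOSE_OPTIONS`, which is intentional there but breaks on a service file name with a space. A bash array built in the loop and expanded as `"${COMPOSE_OPTIONS[@]}"` would make that robust, or at least a comment should say the splitting is deliberate.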
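Review bot: `RUN echo 'git:*' | chpasswd` in images/git/Dockerfile hands `*` to chpasswd as a cleartext password, so the git account apparently ends up with the one-character password `*` rather than a hash field that matches nothing. If the aim is an account with no usable password that sshd still treats as unlocked for public-key logins, pass the value as a pre-encrypted field: `RUN echo 'git:*' | chpasswd -e`. The sshd_config added in this commit sets `PasswordAuthentication no`, which limits the exposure over SSH, but a local `su git` inside the container would still accept it. Separately, the plain-file `ADD` lines read more clearly as `COPY`, and the final stage sets no `USER`, so every service runs as root unless its run script drops privileges.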
diff --git a/images/git/cgit/about-formatting.sh b/images/git/cgit/about-formatting.sh
new file mode 100755
index 0000000..2b55866
--- /dev/null
+++ b/images/git/cgit/about-formatting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec markdown
diff --git a/images/git/cgit/cgit.sass b/images/git/cgit/cgit.sass
new file mode 100644
index 0000000..02337b5
--- /dev/null
+++ b/images/git/cgit/cgit.sass
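Review bot: about-formatting.sh pipes repository READMEs through `markdown` with no sanitising step, and Markdown converters normally pass embedded raw HTML through unchanged, so whoever can push a README can presumably put arbitrary markup, script included, on the cgit about page served from this origin. If every pusher is trusted that may be acceptable, but the script should say so, for example `# README content is rendered as-is, raw HTML included; only trusted users may push`. Otherwise an HTML sanitiser belongs after the converter.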
@@ -0,0 +1,663 @@ +$base03: #002b36; +$base02: #073642; +$base01: #586e75; +$base00: #657b83; +$base0: #839496; +$base1: #93a1a1; +$base2: #eee8d5; +$base3: #fdf6e3; +$yellow: #b58900; +$orange: #cb4b16; +$red: #dc322f; +$magenta: #d33682; +$violet: #6c71c4; +$blue: #268bd2; +$cyan: #2aa198; +$green: #859900; + +// highlighting + +//div +// &.highlight +// background-color: $base03 +// span +// &.k +// color: $green +// &.nf +// color: $blue +// &.p +// color: $base1 +// &.s +// color: $red +// background-color: $base03 + + +div + &.highlight + background-color: #002b36 + color: #93a1a1 + .c + color: #586e75 + .err, .g + color: #93a1a1 + .k + color: #859900 + .l, .n + color: #93a1a1 + .o + color: #859900 + .x + color: #cb4b16 + .p + color: #93a1a1 + .cm + color: #586e75 + .cp + color: #859900 + .c1 + color: #586e75 + .cs + color: #859900 + .gd + color: #2aa198 + .ge + color: #93a1a1 + font-style: italic + .gr + color: #dc322f + .gh + color: #cb4b16 + .gi + color: #859900 + .go, .gp + color: #93a1a1 + .gs + color: #93a1a1 + font-weight: bold + .gu + color: #cb4b16 + .gt + color: #93a1a1 + .kc + color: #cb4b16 + .kd + color: #268bd2 + .kn, .kp + color: #859900 + .kr + color: #268bd2 + .kt + color: #dc322f + .ld + color: #93a1a1 + .m, .s + color: #2aa198 + background-color: $base03 + .na + color: #93a1a1 + .nb + color: #B58900 + .nc + color: #268bd2 + .no + color: #cb4b16 + .nd + color: #268bd2 + .ni, .ne + color: #cb4b16 + .nf + color: #268bd2 + .nl, .nn, .nx, .py + color: #93a1a1 + .nt, .nv + color: #268bd2 + .ow + color: #859900 + .w + color: #93a1a1 + .mf, .mh, .mi, .mo + color: #2aa198 + .sb + color: #586e75 + .sc + color: #2aa198 + .sd + color: #93a1a1 + .s2 + color: #2aa198 + .se + color: #cb4b16 + .sh + color: #93a1a1 + .si, .sx + color: #2aa198 + .sr + color: #dc322f + .s1, .ss + color: #2aa198 + .bp, .vc, .vg, .vi + color: #268bd2 + .il + color: #2aa198 + +// end highlighting + +body + background-color: $base03 + +div + &#cgit + padding: 0em + margin: 0em + 
font-family: sans-serif + font-size: 10pt + color: $base0 + background: $base03 + padding: 4px + a + color: lightblue + text-decoration: none + &:hover + text-decoration: underline + table + border-collapse: collapse + &#header + width: 100% + margin-bottom: 1em + td + &.logo + width: 96px + vertical-align: top + &.main + font-size: 250% + padding-left: 10px + white-space: nowrap + a + color: $base1 + &.form + text-align: right + vertical-align: bottom + padding-right: 1em + padding-bottom: 2px + white-space: nowrap + form, input, select + font-size: 90% + &.sub + color: #777 + border-top: solid 1px $base02 + padding-left: 10px + &.tabs + border-bottom: solid 3px $base02 + border-collapse: collapse + margin-top: 2em + margin-bottom: 0px + width: 100% + td + padding: 0px 1em + vertical-align: bottom + a + padding: 2px 0.75em + color: #d3d3d3 + font-size: 110% + &.active + color: #d3d3d3 + background-color: $base02 + &.form + text-align: right + form + padding-bottom: 2px + font-size: 90% + white-space: nowrap + input, select + font-size: 90% + div + &.path + margin: 0px + padding: 5px 2em 2px 2em + color: $base1 + background-color: $base03 + &.content + margin: 0px + padding: 2em + border-bottom: solid 3px $base02 + table.list + width: 100% + border: none + border-collapse: collapse + tr + background: $base03 + &.logheader + background: $base03 + &:hover, &.nohover:hover + background: $base02 + th + font-weight: bold + /* color: #888; + *border-top: dashed 1px #888; + *border-bottom: dashed 1px #888; + padding: 0.1em 0.5em 0.05em 0.5em + vertical-align: baseline + td + border: none + padding: 0.1em 0.5em 0.1em 0.5em + &.commitgraph + font-family: monospace + white-space: pre + .column1 + color: #a00 + .column2 + color: #0a0 + .column3 + color: #aa0 + .column4 + color: #00a + .column5 + color: #a0a + .column6 + color: #0aa + &.logsubject + font-family: monospace + font-weight: bold + &.logmsg + font-family: monospace + white-space: pre + padding: 0 0.5em + a + color: 
#d3d3d3 + &.ls-dir + font-weight: bold + color: #00f + &:hover + color: lightblue + img + border: none + input#switch-btn + margin: 2px 0px 0px 0px + td#sidebar input.txt + width: 100% + margin: 2px 0px 0px 0px + table#grid + margin: 0px + td#content + vertical-align: top + padding: 1em 2em 1em 1em + border: none + div#summary + vertical-align: top + margin-bottom: 1em + table#downloads + float: right + border-collapse: collapse + border: solid 1px #777 + margin-left: 0.5em + margin-bottom: 0.5em + th + background-color: #ccc + div + &#blob + border: solid 1px black + &.error + color: red + font-weight: bold + margin: 1em 2em + a + &.ls-blob, &.ls-dir, &.ls-mod + font-family: monospace + td + &.ls-size + text-align: right + font-family: monospace + width: 10em + &.ls-mode + font-family: monospace + width: 10em + table + &.blob + margin-top: 0.5em + td + &.lines + margin: 0 + padding: 0 0 0 0.5em + vertical-align: top + color: $base1 + &.linenumbers + margin: 0 + padding: 0 0.5em 0 0.5em + vertical-align: top + text-align: right + border-right: 1px solid $base01 + pre + padding: 0 + margin: 0 + td.linenumbers a + color: gray + text-align: right + text-decoration: none + &.ssdiff td.lineno a + color: gray + text-align: right + text-decoration: none + &.blob td.linenumbers a:hover, &.ssdiff td.lineno a:hover + color: black + &.bin-blob + margin-top: 0.5em + border: solid 1px black + th + font-family: monospace + white-space: pre + border: solid 1px #777 + padding: 0.5em 1em + td + font-family: monospace + white-space: pre + border-left: solid 1px #777 + padding: 0em 1em + &.nowrap td + white-space: nowrap + &.commit-info + border-collapse: collapse + margin-top: 1.5em + div.cgit-panel + float: right + margin-top: 1.5em + table + border-collapse: collapse + background-color: $base02 + th + text-align: center + td + padding: 0.25em 0.5em + &.label + padding-right: 0.5em + &.ctrl + padding-left: 0.5em + table.commit-info + th + text-align: left + font-weight: normal + 
padding: 0.1em 1em 0.1em 0.1em + vertical-align: top + td + font-weight: normal + padding: 0.1em 1em 0.1em 0.1em + div + &.commit-subject + font-weight: bold + font-size: 125% + margin: 1.5em 0em 0.5em 0em + padding: 0em + &.commit-msg + white-space: pre + font-family: monospace + &.notes-header + font-weight: bold + padding-top: 1.5em + &.notes + white-space: pre + font-family: monospace + border: solid 1px #ee9 + background-color: #ffd + padding: 0.3em 2em 0.3em 1em + float: left + &.notes-footer + clear: left + &.diffstat-header + font-weight: bold + padding-top: 1.5em + table.diffstat + border-collapse: collapse + background-color: $base02 + th + font-weight: normal + text-align: left + text-decoration: underline + padding: 0.1em 1em 0.1em 0.1em + font-size: 100% + td + padding: 0.2em 0.2em 0.1em 0.1em + font-size: 100% + border: none + &.mode + white-space: nowrap + span.modechange + padding-left: 1em + color: $red + &.add a + color: $green + &.del a + color: $red + &.upd a + color: $blue + &.graph + width: 500px + vertical-align: middle + table + border: none + td + padding: 0px + border: 0px + height: 7pt + &.add + background-color: $green + &.rem + background-color: $red + div.diffstat-summary + color: $base0 + padding-top: 0.5em + table.diff + width: 100% + td + font-family: monospace + white-space: pre + div + &.head + font-weight: bold + margin-top: 1em + color: $base0 + &.hunk + color: $base0 + &.add + color: $green + &.del + color: $red + .sha1 + font-family: monospace + font-size: 90% + .left + text-align: left + .right + text-align: right + table.list td.reposection + font-style: italic + color: #888 + a + &.button + font-size: 80% + padding: 0em 0.5em + &.primary + font-size: 100% + &.secondary + font-size: 90% + td.toplevel-repo + table.list td.sublevel-repo + padding-left: 1.5em + ul.pager + list-style-type: none + text-align: center + margin: 1em 0em 0em 0em + padding: 0 + li + display: inline-block + margin: 0.25em 0.5em + a + color: #777 + 
.current + font-weight: bold + span + &.age-mins + font-weight: bold + color: $green + &.age-hours + color: $green + &.age-days + color: $green + &.age-weeks + color: $base0 + &.age-months + color: $base0 + &.age-years + color: $base00 + div.footer + margin-top: 0.5em + text-align: center + font-size: 80% + color: $base01 + a + &.branch-deco + color: $green !important + margin: 0px 0.5em + padding: 0px 0.25em + background-color: $base02 + // border: solid 1px #007700 + &.tag-deco + // color: #000 !important + margin: 0px 0.5em + padding: 0px 0.25em + background-color: $base02 + // border: solid 1px #777700 + &.remote-deco + color: #000 !important + margin: 0px 0.5em + padding: 0px 0.25em + background-color: #ccccff + border: solid 1px #000077 + &.deco + color: $red !important + margin: 0px 0.5em + padding: 0px 0.25em + background-color: $base02 + // border: solid 1px #770000 + div.commit-subject a + &.branch-deco, &.tag-deco, &.remote-deco, &.deco + margin-left: 1em + font-size: 75% + table + &.stats + border: solid 1px black + border-collapse: collapse + th + text-align: left + padding: 1px 0.5em + background-color: #eee + border: solid 1px black + td + text-align: right + padding: 1px 0.5em + border: solid 1px black + &.total + font-weight: bold + text-align: left + &.sum + color: #c00 + font-weight: bold + /* background-color: #eee; + &.left + text-align: left + &.vgraph + border-collapse: separate + border: solid 1px black + height: 200px + th + background-color: #eee + font-weight: bold + border: solid 1px white + padding: 1px 0.5em + td + vertical-align: bottom + padding: 0px 10px + div.bar + background-color: #eee + &.hgraph + border: solid 1px black + width: 800px + th + background-color: #eee + font-weight: bold + border: solid 1px black + padding: 1px 0.5em + td + vertical-align: middle + padding: 2px 2px + div.bar + background-color: #eee + height: 1em + &.ssdiff + width: 100% + td + font-size: 75% + font-family: monospace + white-space: pre + padding: 
1px 4px 1px 4px + border-left: solid 1px #aaa + border-right: solid 1px #aaa + &.add + color: black + background: #cfc + min-width: 50% + &.add_dark + color: black + background: #aca + min-width: 50% + span.add + background: #cfc + font-weight: bold + td + &.del + color: black + background: #fcc + min-width: 50% + &.del_dark + color: black + background: #caa + min-width: 50% + span.del + background: #fcc + font-weight: bold + td + &.changed + color: black + background: #ffc + min-width: 50% + &.changed_dark + color: black + background: #cca + min-width: 50% + &.lineno + color: black + background: #eee + text-align: right + width: 3em + min-width: 3em + &.hunk + color: black + background: #ccf + border-top: solid 1px #aaa + border-bottom: solid 1px #aaa + &.head + border-top: solid 1px #aaa + border-bottom: solid 1px #aaa + div.head + font-weight: bold + color: black + &.foot + border-top: solid 1px #aaa + border-left: none + border-right: none + border-bottom: none + &.space + border: none + div + min-height: 3em + &.linenodiv + background-color: inherit !important + color: lightgray diff --git a/images/git/cgit/cgitrc b/images/git/cgit/cgitrc new file mode 100644 index 0000000..0afc48d --- /dev/null +++ b/images/git/cgit/cgitrc 
@@ -0,0 +1,46 @@
+css=/cgit.css
+logo=/cgit.png
+
+root-title=tx0.co
+clone-prefix=git://tx0.co https://g.tx0.co/git git@tx0.co:
+snapshots=tar.gz tar.xz tar.bz2 zip
+readme=master:README.md
+about-filter=/app/about-formatting.sh
+#/usr/lib/cgit/filters/about-formatting.sh
+source-filter=/app/syntax-highlighting3.sh
+enable-http-clone=0
+strict-export=git-daemon-export-ok
+
+noplainemail=1
+
+enable-index-owner=0
+enable-index-links=0
+enable-commit-graph=1
+enable-log-filecount=1
+enable-log-linecount=1
+
+# if you do not want that webcrawler (like google) index your site
+robots=noindex, nofollow
+
+# if cgit messes up links, use a virtual-root. For example has cgit.example.org/ this value:
+virtual-root=/
+root-desc=Foo.
+
+enable-git-config=1
+section-from-path=1
+remove-suffix=1
+
+project-list=/data/git/projects.list
+scan-path=/data/git/repositories
+
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpg
+mimetype.jpeg=image/jpg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+
+readme=:README.md
+readme=:README.txt
+readme=:README
diff --git a/images/git/cgit/syntax-highlighting3.sh b/images/git/cgit/syntax-highlighting3.sh
new file mode 100755
index 0000000..c22337b
--- /dev/null
+++ b/images/git/cgit/syntax-highlighting3.sh
@@ -0,0 +1,121 @@ +#!/bin/sh +# This script can be used to implement syntax highlighting in the cgit +# tree-view by refering to this file with the source-filter or repo.source- +# filter options in cgitrc. +# +# This script requires a shell supporting the ${var##pattern} syntax. +# It is supported by at least dash and bash, however busybox environments +# might have to use an external call to sed instead. +# +# Note: the highlight command (http://www.andre-simon.de/) uses css for syntax +# highlighting, so you'll probably want something like the following included +# in your css file: +# +# Style definition file generated by highlight 2.4.8, http://www.andre-simon.de/ +# +# table.blob .num { color:#2928ff; } +# table.blob .esc { color:#ff00ff; } +# table.blob .str { color:#ff0000; } +# table.blob .dstr { color:#818100; } +# table.blob .slc { color:#838183; font-style:italic; } +# table.blob .com { color:#838183; font-style:italic; } +# table.blob .dir { color:#008200; } +# table.blob .sym { color:#000000; } +# table.blob .kwa { color:#000000; font-weight:bold; } +# table.blob .kwb { color:#830000; } +# table.blob .kwc { color:#000000; font-weight:bold; } +# table.blob .kwd { color:#010181; } +# +# +# Style definition file generated by highlight 2.6.14, http://www.andre-simon.de/ +# +# body.hl { background-color:#ffffff; } +# pre.hl { color:#000000; background-color:#ffffff; font-size:10pt; font-family:'Courier New';} +# .hl.num { color:#2928ff; } +# .hl.esc { color:#ff00ff; } +# .hl.str { color:#ff0000; } +# .hl.dstr { color:#818100; } +# .hl.slc { color:#838183; font-style:italic; } +# .hl.com { color:#838183; font-style:italic; } +# .hl.dir { color:#008200; } +# .hl.sym { color:#000000; } +# .hl.line { color:#555555; } +# .hl.mark { background-color:#ffffbb;} +# .hl.kwa { color:#000000; font-weight:bold; } +# .hl.kwb { color:#830000; } +# .hl.kwc { color:#000000; font-weight:bold; } +# .hl.kwd { color:#010181; } +# +# +# Style definition file generated by 
highlight 3.8, http://www.andre-simon.de/ +# +# body.hl { background-color:#e0eaee; } +# pre.hl { color:#000000; background-color:#e0eaee; font-size:10pt; font-family:'Courier New';} +# .hl.num { color:#b07e00; } +# .hl.esc { color:#ff00ff; } +# .hl.str { color:#bf0303; } +# .hl.pps { color:#818100; } +# .hl.slc { color:#838183; font-style:italic; } +# .hl.com { color:#838183; font-style:italic; } +# .hl.ppc { color:#008200; } +# .hl.opt { color:#000000; } +# .hl.lin { color:#555555; } +# .hl.kwa { color:#000000; font-weight:bold; } +# .hl.kwb { color:#0057ae; } +# .hl.kwc { color:#000000; font-weight:bold; } +# .hl.kwd { color:#010181; } +# +# +# Style definition file generated by highlight 3.13, http://www.andre-simon.de/ +# +# body.hl { background-color:#e0eaee; } +# pre.hl { color:#000000; background-color:#e0eaee; font-size:10pt; font-family:'Courier New',monospace;} +# .hl.num { color:#b07e00; } +# .hl.esc { color:#ff00ff; } +# .hl.str { color:#bf0303; } +# .hl.pps { color:#818100; } +# .hl.slc { color:#838183; font-style:italic; } +# .hl.com { color:#838183; font-style:italic; } +# .hl.ppc { color:#008200; } +# .hl.opt { color:#000000; } +# .hl.ipl { color:#0057ae; } +# .hl.lin { color:#555555; } +# .hl.kwa { color:#000000; font-weight:bold; } +# .hl.kwb { color:#0057ae; } +# .hl.kwc { color:#000000; font-weight:bold; } +# .hl.kwd { color:#010181; } +# +# +# The following environment variables can be used to retrieve the configuration +# of the repository for which this script is called: +# CGIT_REPO_URL ( = repo.url setting ) +# CGIT_REPO_NAME ( = repo.name setting ) +# CGIT_REPO_PATH ( = repo.path setting ) +# CGIT_REPO_OWNER ( = repo.owner setting ) +# CGIT_REPO_DEFBRANCH ( = repo.defbranch setting ) +# CGIT_REPO_SECTION ( = section setting ) +# CGIT_REPO_CLONE_URL ( = repo.clone-url setting ) +# + +# store filename and extension in local vars +BASENAME="$1" +EXTENSION="${BASENAME##*.}" + +[ "${BASENAME}" = "${EXTENSION}" ] && EXTENSION=txt +[ -z 
"${EXTENSION}" ] && EXTENSION=txt
+
+# map Makefile and Makefile.* to .mk
+[ "${BASENAME%%.*}" = "Makefile" ] && EXTENSION=mk
+
+# highlight versions 2 and 3 have different commandline options. Specifically,
+# the -X option that is used for version 2 is replaced by the -O xhtml option
+# for version 3.
+#
+# Version 2 can be found (for example) on EPEL 5, while version 3 can be
+# found (for example) on EPEL 6.
+#
+# This is for version 2
+#exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
+
+# This is for version 3
+exec highlight --force --inline-css --style=solarized-dark -f -I -O xhtml -S "$EXTENSION" 2>/dev/null
diff --git a/images/git/gitolite/admin.pub b/images/git/gitolite/admin.pub
new file mode 100644
index 0000000..cd1e155
--- /dev/null
+++ b/images/git/gitolite/admin.pub
@@ -0,0 +1 @@
+ssh-rsa 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 till@hoeppner.ws
diff --git a/images/git/gitolite/generate_certs.sh b/images/git/gitolite/generate_certs.sh
new file mode 100644
index 0000000..3b75a9d
--- /dev/null
+++ b/images/git/gitolite/generate_certs.sh
@@ -0,0 +1,7 @@
+if [ ! -e /data/ssh/host_rsa_key ]; then
+ echo "Generating host keys"
+ ssh-keygen -t rsa -f /data/ssh/host_rsa_key
+ ssh-keygen -t dsa -f /data/ssh/host_dsa_key
+ ssh-keygen -t ecdsa -f /data/ssh/host_ecdsa_key
+ ssh-keygen -t ed25519 -f /data/ssh/host_ed25519_key
+fi
diff --git a/images/git/gitolite/gitolite.rc b/images/git/gitolite/gitolite.rc
new file mode 100644
index 0000000..2ab1369
--- /dev/null
+++ b/images/git/gitolite/gitolite.rc
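Review bot: generate_certs.sh still creates a DSA host key (`ssh-keygen -t dsa -f /data/ssh/host_dsa_key`), and the sshd_config in this commit loads it with `HostKey /data/ssh/host_dsa_key`; DSA keys are fixed at 1024 bits and current OpenSSH disables them by default, so both lines are best dropped. None of the four `ssh-keygen` calls passes `-N ''`, so each one asks for a passphrase, which presumably stalls or fails when the supervised sshd service starts without a terminal; `ssh-keygen -t ed25519 -N '' -f /data/ssh/host_ed25519_key` avoids the prompt. The guard tests only for `host_rsa_key`, so a partly generated key set is never completed. The file also has no `#!/bin/sh` line although service/sshd/run executes it directly.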
@@ -0,0 +1,204 @@ +# configuration variables for gitolite + +# This file is in perl syntax. But you do NOT need to know perl to edit it -- +# just mind the commas, use single quotes unless you know what you're doing, +# and make sure the brackets and braces stay matched up! + +# (Tip: perl allows a comma after the last item in a list also!) + +# HELP for commands can be had by running the command with "-h". + +# HELP for all the other FEATURES can be found in the documentation (look for +# "list of non-core programs shipped with gitolite" in the master index) or +# directly in the corresponding source file. + +%RC = ( + #GL_REPO_BASE => '/data/projects/', + #GL_ADMIN_BASE => '/data/', + + # ------------------------------------------------------------------ + + # default umask gives you perms of '0700'; see the rc file docs for + # how/why you might change this + UMASK => 0002, + + # look for "git-config" in the documentation + GIT_CONFIG_KEYS => 'hooks\.readme url.*insteadOf', + + WRITER_CAN_UPDATE_DESC => 1, + + # comment out if you don't need all the extra detail in the logfile + LOG_EXTRA => 1, + # logging options + # 1. leave this section as is for 'normal' gitolite logging (default) + # 2. uncomment this line to log ONLY to syslog: + # LOG_DEST => 'syslog', + # 3. uncomment this line to log to syslog and the normal gitolite log: + # LOG_DEST => 'syslog,normal', + # 4. prefixing "repo-log," to any of the above will **also** log just the + # update records to "gl-log" in the bare repo directory: + # LOG_DEST => 'repo-log,normal', + # LOG_DEST => 'repo-log,syslog', + # LOG_DEST => 'repo-log,syslog,normal', + + # roles. add more roles (like MANAGER, TESTER, ...) here. + # WARNING: if you make changes to this hash, you MUST run 'gitolite + # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE' + ROLES => { + READERS => 1, + WRITERS => 1, + }, + + # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!! 
+ # CACHE => 'Redis', + + # ------------------------------------------------------------------ + + # rc variables used by various features + + # the 'info' command prints this as additional info, if it is set + # SITE_INFO => 'Please see http://blahblah/gitolite for more help', + + # the CpuTime feature uses these + # display user, system, and elapsed times to user after each git operation + # DISPLAY_CPU_TIME => 1, + # display a warning if total CPU times (u, s, cu, cs) crosses this limit + # CPU_TIME_WARN_LIMIT => 0.1, + + # the Mirroring feature needs this + # HOSTNAME => "foo", + + # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING! + # CACHE_TTL => 600, + + # ------------------------------------------------------------------ + + # suggested locations for site-local gitolite code (see cust.html) + + # this one is managed directly on the server + # LOCAL_CODE => "$ENV{HOME}/local", + + # or you can use this, which lets you put everything in a subdirectory + # called "local" in your gitolite-admin repo. For a SECURITY WARNING + # on this, see http://gitolite.com/gitolite/non-core.html#pushcode + # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local", + + # ------------------------------------------------------------------ + + # List of commands and features to enable + + ENABLE => [ + + # COMMANDS + + # These are the commands enabled by default + 'help', + 'desc', + 'info', + 'perms', + 'writable', + + # Uncomment or add new commands here. + 'create', + # 'fork', + # 'mirror', + # 'readme', + # 'sskm', + 'D', + + # These FEATURES are enabled by default. 
+ + # essential (unless you're using smart-http mode) + 'ssh-authkeys', + + # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz' + 'git-config', + + # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out + 'daemon', + + # creates projects.list file; if you don't use gitweb, comment this out + 'gitweb', + + # These FEATURES are disabled by default; uncomment to enable. If you + # need to add new ones, ask on the mailing list :-) + + # user-visible behaviour + + # prevent wild repos auto-create on fetch/clone + # 'no-create-on-read', + # no auto-create at all (don't forget to enable the 'create' command!) + # 'no-auto-create', + + # access a repo by another (possibly legacy) name + # 'Alias', + + # give some users direct shell access. See documentation in + # sts.html for details on the following two choices. + # "Shell $ENV{HOME}/.gitolite.shell-users", + # 'Shell alice bob', + + # set default roles from lines like 'option default.roles-1 = ...', etc. + # 'set-default-roles', + + # show more detailed messages on deny + # 'expand-deny-messages', + + # show a message of the day + # 'Motd', + + # system admin stuff + + # enable mirroring (don't forget to set the HOSTNAME too!) + # 'Mirroring', + + # allow people to submit pub files with more than one key in them + # 'ssh-authkeys-split', + + # selective read control hack + # 'partial-copy', + + # manage local, gitolite-controlled, copies of read-only upstream repos + 'upstream', + + # updates 'description' file instead of 'gitweb.description' config item + 'cgit', + + # allow repo-specific hooks to be added + # 'repo-specific-hooks', + + # performance, logging, monitoring... 
+ + # be nice + # 'renice 10', + + # log CPU times (user, system, cumulative user, cumulative system) + # 'CpuTime', + + # syntactic_sugar for gitolite.conf and included files + + # allow backslash-escaped continuation lines in gitolite.conf + # 'continuation-lines', + + # create implicit user groups from directory names in keydir/ + # 'keysubdirs-as-groups', + + # allow simple line-oriented macros + # 'macros', + + # Kindergarten mode + + # disallow various things that sensible people shouldn't be doing anyway + # 'Kindergarten', + ], + +); + +# ------------------------------------------------------------------------------ +# per perl rules, this should be the last line in such a file: +1; + +# Local variables: +# mode: perl +# End: +# vim: set syn=perl: diff --git a/images/git/gitolite/sshd_config b/images/git/gitolite/sshd_config new file mode 100644 index 0000000..15b448f --- /dev/null +++ b/images/git/gitolite/sshd_config 
@@ -0,0 +1,55 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /data/ssh/host_rsa_key
+HostKey /data/ssh/host_dsa_key
+HostKey /data/ssh/host_ecdsa_key
+HostKey /data/ssh/host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+PubkeyAuthentication yes
+AuthorizedKeysFile /data/git/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+X11Forwarding no
+PrintMotd no
+TCPKeepAlive yes
+#UseLogin no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/images/git/nginx/nginx.conf b/images/git/nginx/nginx.conf
new file mode 100644
index 0000000..9528692
--- /dev/null
+++ b/images/git/nginx/nginx.conf
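Review bot: `AuthorizedKeysFile /data/git/.ssh/authorized_keys` is an absolute path, so sshd consults that one file for every account rather than only for git, and nothing in this config limits which accounts may log in. Adding `AllowUsers git` makes the intent explicit and does not depend on `StrictModes` ownership checks to keep other accounts out. Since the daemon only carries git traffic, `AllowTcpForwarding no` and `AllowAgentForwarding no` would fit next to the existing `X11Forwarding no`; the key options gitolite writes may already restrict this per key, but that is not visible in this commit.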
@@ -0,0 +1,51 @@
+worker_processes 1;
+user root;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+
+ access_log /dev/stdout;
+ error_log /dev/stderr;
+
+ # Cgit
+ server {
+ listen 80;
+ root /usr/share/webapps/cgit;
+ server_name tx0.co;
+ try_files $uri @cgit;
+
+ location ~ /git(/.*) {
+ # Set chunks to unlimited, as the body's can be huge
+ client_max_body_size 0;
+
+ # Forward REMOTE_USER as we want to know when we are authenticated
+ fastcgi_param REMOTE_USER $remote_user;
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+ # fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /data/git/repositories;
+ fastcgi_param PATH_INFO $1;
+ }
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass unix:/run/fcgiwrap.sock;
+ }
+ }
+}
diff --git a/images/git/service/daemon/run b/images/git/service/daemon/run
new file mode 100644
index 0000000..485e706
--- /dev/null
+++ b/images/git/service/daemon/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec chpst -ugit git daemon --base-path=/data/git/repositories
diff --git a/images/git/service/fcgiwrap/run b/images/git/service/fcgiwrap/run
new file mode 100644
index 0000000..4c7efcb
--- /dev/null
+++ b/images/git/service/fcgiwrap/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec spawn-fcgi -n -s /run/fcgiwrap.sock /usr/bin/fcgiwrap 2>&1
diff --git a/images/git/service/nginx/run b/images/git/service/nginx/run
new file mode 100644
index 0000000..ef7f976
--- /dev/null
+++ b/images/git/service/nginx/run
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec nginx -g 'daemon off;' 2>&1
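Review bot: `user root;` in nginx.conf makes the worker processes run as root, and service/fcgiwrap/run in this commit starts `spawn-fcgi -n -s /run/fcgiwrap.sock /usr/bin/fcgiwrap` without dropping privileges either, so cgit.cgi, git-http-backend and the source/about filters all parse repository content as root. Only the master process needs root to bind port 80; I would set an unprivileged worker user and start fcgiwrap with spawn-fcgi's `-u`/`-g` options (plus `-U`/`-G` so the worker can reach the socket), the way service/daemon/run already uses `chpst -ugit`. `fastcgi_param REMOTE_USER $remote_user;` is forwarded although no `auth_basic` is configured in this server block, so the value is always empty; a comment stating that HTTP access is meant to be read-only would help the next reader. The regex `location ~ /git(/.*)` is unanchored and matches any URI that contains `/git/`, so `location ~ ^/git(/.*)$` is probably what was intended.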
diff --git a/images/git/service/sshd/run b/images/git/service/sshd/run
new file mode 100644
index 0000000..91abb22
--- /dev/null
+++ b/images/git/service/sshd/run
@@ -0,0 +1,4 @@
+#!/bin/sh
+mkdir -p /data/ssh
+chmod +x /app/generate_certs.sh
+/app/generate_certs.sh && exec /usr/sbin/sshd -D 2>&1
diff --git a/images/matrix/.gitignore b/images/matrix/.gitignore
new file mode 100644
index 0000000..fb801ef
--- /dev/null
+++ b/images/matrix/.gitignore
@@ -0,0 +1,3 @@
+synapse/*signing*
+synapse/*key*
+synapse/*tls*
diff --git a/images/matrix/Dockerfile b/images/matrix/Dockerfile
new file mode 100644
index 0000000..5569475
--- /dev/null
+++ b/images/matrix/Dockerfile
@@ -0,0 +1,15 @@
+FROM alpine:3.5 AS builder
+
+RUN apk add --no-cache build-base ca-certificates python2-dev py2-pip su-exec \
+ py2-psycopg2 py2-msgpack py2-psutil py2-openssl py2-yaml py-twisted py2-netaddr \
+ py2-cffi py2-asn1 py2-asn1-modules py2-cryptography py2-pillow py2-decorator py2-jinja2 \
+ py2-requests py2-simplejson py2-tz py2-crypto py2-dateutil py2-service_identity
+
+RUN pip install https://github.com/kdltr/synapse/tarball/master
+
+ADD synapse /app/synapse
+
+ENTRYPOINT python -m synapse.app.homeserver \
+ --server-name tx0.co \
+ --config-path /app/synapse/homeserver.yaml \
+ --report-stats=no
diff --git a/images/matrix/synapse/homeserver.yaml b/images/matrix/synapse/homeserver.yaml
new file mode 100644
index 0000000..69ffa8e
--- /dev/null
+++ b/images/matrix/synapse/homeserver.yaml
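Review bot: `RUN pip install https://github.com/kdltr/synapse/tarball/master` in images/matrix/Dockerfile installs whatever that fork's master branch holds at build time, with no commit pin or hash, so rebuilds are not reproducible and any upstream change lands straight in the homeserver. Pin it to a reviewed commit, e.g. `RUN pip install --no-cache-dir https://github.com/kdltr/synapse/tarball/<COMMIT_SHA_PLACEHOLDER>`. `ADD synapse /app/synapse` copies the whole directory, and the .gitignore added in this commit (`synapse/*signing*`, `synapse/*key*`, `synapse/*tls*`) suggests the signing and TLS private keys live there, so they would be baked into the image layers; mounting them at run time or excluding them with a .dockerignore avoids that. The stage is named `builder` but no later stage follows, so build-base stays in the runtime image and the process runs as root (su-exec is installed but unused). The shell-form `ENTRYPOINT` also leaves `sh -c` as PID 1, so the server does not receive SIGTERM directly.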
@@ -0,0 +1,480 @@ +# vim:ft=yaml +# PEM encoded X509 certificate for TLS. +# You can replace the self-signed certificate that synapse +# autogenerates on launch with your own SSL certificate + key pair +# if you like. Any required intermediary certificates can be +# appended after the primary certificate in hierarchical order. +tls_certificate_path: "/app/synapse/tx0.co.tls.crt" + +# PEM encoded private key for TLS +tls_private_key_path: "/app/synapse/tx0.co.tls.key" + +# PEM dh parameters for ephemeral keys +tls_dh_params_path: "/app/synapse/tx0.co.tls.dh" + +# Don't bind to the https port +no_tls: False + +# List of allowed TLS fingerprints for this server to publish along +# with the signing keys for this server. Other matrix servers that +# make HTTPS requests to this server will check that the TLS +# certificates returned by this server match one of the fingerprints. +# +# Synapse automatically adds the fingerprint of its own certificate +# to the list. So if federation traffic is handle directly by synapse +# then no modification to the list is required. +# +# If synapse is run behind a load balancer that handles the TLS then it +# will be necessary to add the fingerprints of the certificates used by +# the loadbalancers to this list if they are different to the one +# synapse is using. +# +# Homeservers are permitted to cache the list of TLS fingerprints +# returned in the key responses up to the "valid_until_ts" returned in +# key. It may be necessary to publish the fingerprints of a new +# certificate and wait until the "valid_until_ts" of the previous key +# responses have passed before deploying it. +tls_fingerprints: [] +# tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}] + + +## Server ## + +# The domain name of the server, with optional explicit port. +# This is used by remote servers to connect to this server, +# e.g. matrix.org, localhost:8080, etc. +# This is also the last part of your UserID. 
+server_name: "tx0.co" + +# When running as a daemon, the file to store the pid in +pid_file: /app/synapse/homeserver.pid + +# Whether to serve a web client from the HTTP/HTTPS root resource. +web_client: True + +# The public-facing base URL for the client API (not including _matrix/...) +# public_baseurl: https://example.com:8448/ + +# Set the soft limit on the number of file descriptors synapse can use +# Zero is used to indicate synapse should set the soft limit to the +# hard limit. +soft_file_limit: 0 + +# The GC threshold parameters to pass to `gc.set_threshold`, if defined +# gc_thresholds: [700, 10, 10] + +# List of ports that Synapse should listen on, their purpose and their +# configuration. +listeners: + # Main HTTPS listener + # For when matrix traffic is sent directly to synapse. + - + # The port to listen for HTTPS requests on. + port: 8448 + + # Local addresses to listen on. + # This will listen on all IPv4 addresses by default. + bind_addresses: + - '0.0.0.0' + # Uncomment to listen on all IPv6 interfaces + # N.B: On at least Linux this will also listen on all IPv4 + # addresses, so you will need to comment out the line above. + # - '::' + + # This is a 'http' listener, allows us to specify 'resources'. + type: http + + tls: true + + # Use the X-Forwarded-For (XFF) header as the client IP and not the + # actual client IP. + x_forwarded: false + + # List of HTTP resources to serve on this listener. + resources: + - + # List of resources to host on this listener. + names: + - client # The client-server APIs, both v1 and v2 + - webclient # The bundled webclient. + + # Should synapse compress HTTP responses to clients that support it? + # This should be disabled if running synapse behind a load balancer + # that can do automatic compression. + compress: true + + - names: [federation] # Federation APIs + compress: false + + # Unsecure HTTP listener, + # For when matrix traffic passes through loadbalancer that unwraps TLS. 
+ - port: 8008 + tls: false + bind_addresses: ['0.0.0.0'] + type: http + + x_forwarded: true + + resources: + - names: [client, webclient] + compress: true + - names: [federation] + compress: false + + # Turn on the twisted ssh manhole service on localhost on the given + # port. + # - port: 9000 + # bind_address: 127.0.0.1 + # type: manhole + + +# Database configuration +database: + # The database engine name + name: "sqlite3" + # Arguments to pass to the engine + args: + # Path to the database + database: "/app/synapse/homeserver.db" + +# Number of events to cache in memory. +event_cache_size: "10K" + + + +# Logging verbosity level. Ignored if log_config is specified. +verbose: 0 + +# File to write logging to. Ignored if log_config is specified. +log_file: "/app/synapse/homeserver.log" + +# A yaml python logging config file +log_config: "/app/synapse/tx0.co.log.config" + + +## Ratelimiting ## + +# Number of messages a client can send per second +rc_messages_per_second: 0.2 + +# Number of message a client can send before being throttled +rc_message_burst_count: 10.0 + +# The federation window size in milliseconds +federation_rc_window_size: 1000 + +# The number of federation requests from a single server in a window +# before the server will delay processing the request. +federation_rc_sleep_limit: 10 + +# The duration in milliseconds to delay processing events from +# remote servers by if they go over the sleep limit. +federation_rc_sleep_delay: 500 + +# The maximum number of concurrent federation requests allowed +# from a single server +federation_rc_reject_limit: 50 + +# The number of federation requests to concurrently process from a +# single server +federation_rc_concurrent: 3 + + + +# Directory where uploaded images and attachments are stored. +media_store_path: "/app/synapse/media_store" + +# Directory where in-progress uploads are stored. 
+uploads_path: "/app/synapse/uploads" + +# The largest allowed upload size in bytes +max_upload_size: "10M" + +# Maximum number of pixels that will be thumbnailed +max_image_pixels: "32M" + +# Whether to generate new thumbnails on the fly to precisely match +# the resolution requested by the client. If true then whenever +# a new resolution is requested by the client the server will +# generate a new thumbnail. If false the server will pick a thumbnail +# from a precalculated list. +dynamic_thumbnails: false + +# List of thumbnail to precalculate when an image is uploaded. +thumbnail_sizes: +- width: 32 + height: 32 + method: crop +- width: 96 + height: 96 + method: crop +- width: 320 + height: 240 + method: scale +- width: 640 + height: 480 + method: scale +- width: 800 + height: 600 + method: scale + +# Is the preview URL API enabled? If enabled, you *must* specify +# an explicit url_preview_ip_range_blacklist of IPs that the spider is +# denied from accessing. +url_preview_enabled: False + +# List of IP address CIDR ranges that the URL preview spider is denied +# from accessing. There are no defaults: you must explicitly +# specify a list for URL previewing to work. You should specify any +# internal services in your network that you do not want synapse to try +# to connect to, otherwise anyone in any Matrix room could cause your +# synapse to issue arbitrary GET requests to your internal services, +# causing serious security issues. +# +# url_preview_ip_range_blacklist: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' +# - '100.64.0.0/10' +# - '169.254.0.0/16' +# +# List of IP address CIDR ranges that the URL preview spider is allowed +# to access even if they are specified in url_preview_ip_range_blacklist. +# This is useful for specifying exceptions to wide-ranging blacklisted +# target IP ranges - e.g. for enabling URL previews for a specific private +# website only visible in your network. 
+# +# url_preview_ip_range_whitelist: +# - '192.168.1.1' + +# Optional list of URL matches that the URL preview spider is +# denied from accessing. You should use url_preview_ip_range_blacklist +# in preference to this, otherwise someone could define a public DNS +# entry that points to a private IP address and circumvent the blacklist. +# This is more useful if you know there is an entire shape of URL that +# you know that will never want synapse to try to spider. +# +# Each list entry is a dictionary of url component attributes as returned +# by urlparse.urlsplit as applied to the absolute form of the URL. See +# https://docs.python.org/2/library/urlparse.html#urlparse.urlsplit +# The values of the dictionary are treated as an filename match pattern +# applied to that component of URLs, unless they start with a ^ in which +# case they are treated as a regular expression match. If all the +# specified component matches for a given list item succeed, the URL is +# blacklisted. +# +# url_preview_url_blacklist: +# # blacklist any URL with a username in its URI +# - username: '*' +# +# # blacklist all *.google.com URLs +# - netloc: 'google.com' +# - netloc: '*.google.com' +# +# # blacklist all plain HTTP URLs +# - scheme: 'http' +# +# # blacklist http(s)://www.acme.com/foo +# - netloc: 'www.acme.com' +# path: '/foo' +# +# # blacklist any URL with a literal IPv4 address +# - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' + +# The largest allowed URL preview spidering size in bytes +max_spider_size: "10M" + + + + +## Captcha ## +# See docs/CAPTCHA_SETUP for full details of configuring this. + +# This Home Server's ReCAPTCHA public key. +recaptcha_public_key: "YOUR_PUBLIC_KEY" + +# This Home Server's ReCAPTCHA private key. +recaptcha_private_key: "YOUR_PRIVATE_KEY" + +# Enables ReCaptcha checks when registering, preventing signup +# unless a captcha is answered. Requires a valid ReCaptcha +# public/private key. 
+enable_registration_captcha: False + +# A secret key used to bypass the captcha test entirely. +#captcha_bypass_secret: "YOUR_SECRET_HERE" + +# The API endpoint to use for verifying m.login.recaptcha responses. +recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify" + + +## Turn ## + +# The public URIs of the TURN server to give to clients +turn_uris: [] + +# The shared secret used to compute passwords for the TURN server +turn_shared_secret: "YOUR_SHARED_SECRET" + +# The Username and password if the TURN server needs them and +# does not use a token +#turn_username: "TURNSERVER_USERNAME" +#turn_password: "TURNSERVER_PASSWORD" + +# How long generated TURN credentials last +turn_user_lifetime: "1h" + + +## Registration ## + +# Enable registration for new users. +enable_registration: False + +# If set, allows registration by anyone who also has the shared +# secret, even if registration is otherwise disabled. +registration_shared_secret: "vb8CLE^i;WW@g7KDdhcIJqUdFTNVp&7.w4l1xWeICoOz~;cYv=" + +# Set the number of bcrypt rounds used to generate password hash. +# Larger numbers increase the work factor needed to generate the hash. +# The default number of rounds is 12. +bcrypt_rounds: 12 + +# Allows users to register as guests without a password/email/etc, and +# participate in rooms hosted on this server which have been made +# accessible to anonymous users. +allow_guest_access: False + +# The list of identity servers trusted to verify third party +# identifiers by this server. 
+trusted_third_party_id_servers: + - matrix.org + - vector.im + + +## Metrics ### + +# Enable collection and rendering of performance metrics +enable_metrics: False +report_stats: False + + +## API Configuration ## + +# A list of event types that will be included in the room_invite_state +room_invite_state_types: + - "m.room.join_rules" + - "m.room.canonical_alias" + - "m.room.avatar" + - "m.room.name" + + +# A list of application service config file to use +app_service_config_files: [] + + +macaroon_secret_key: "HO.JIQfbn_&lUMdP:28LO13i62M~T&VcuabW,I3PBCYGPA+fSk" + +# Used to enable access token expiration. +expire_access_token: False + +## Signing Keys ## + +# Path to the signing key to sign messages with +signing_key_path: "/app/synapse/tx0.co.signing.key" + +# The keys that the server used to sign messages with but won't use +# to sign new messages. E.g. it has lost its private key +old_signing_keys: {} +# "ed25519:auto": +# # Base64 encoded public key +# key: "The public part of your old signing key." +# # Millisecond POSIX timestamp when the key expired. +# expired_ts: 123456789123 + +# How long key response published by this server is valid for. +# Used to set the valid_until_ts in /key/v2 APIs. +# Determines how quickly servers will query to check which keys +# are still valid. +key_refresh_interval: "1d" # 1 Day. + +# The trusted servers to download signing keys from. +perspectives: + servers: + "matrix.org": + verify_keys: + "ed25519:auto": + key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw" + + + +# Enable SAML2 for registration and login. Uses pysaml2 +# config_path: Path to the sp_conf.py configuration file +# idp_redirect_url: Identity provider URL which will redirect +# the user back to /login/saml2 with proper info. +# See pysaml2 docs for format of config. +#saml2_config: +# enabled: true +# config_path: "/app/synapse/sp_conf.py" +# idp_redirect_url: "http://tx0.co/idp" + + + +# Enable CAS for registration and login. 
+#cas_config: +# enabled: true +# server_url: "https://cas-server.com" +# service_url: "https://homesever.domain.com:8448" +# #required_attributes: +# # name: value + + +# The JWT needs to contain a globally unique "sub" (subject) claim. +# +# jwt_config: +# enabled: true +# secret: "a secret" +# algorithm: "HS256" + + + +# Enable password for login. +password_config: + enabled: true + # Uncomment and change to a secret random string for extra security. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + #pepper: "" + + + +# Enable sending emails for notification events +# Defining a custom URL for Riot is only needed if email notifications +# should contain links to a self-hosted installation of Riot; when set +# the "app_name" setting is ignored. +#email: +# enable_notifs: false +# smtp_host: "localhost" +# smtp_port: 25 +# notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>" +# app_name: Matrix +# template_dir: res/templates +# notif_template_html: notif_mail.html +# notif_template_text: notif_mail.txt +# notif_for_new_users: True +# riot_base_url: "http://localhost/riot" + + +# password_providers: +# - module: "ldap_auth_provider.LdapAuthProvider" +# config: +# enabled: true +# uri: "ldap://ldap.example.com:389" +# start_tls: true +# base: "ou=users,dc=example,dc=com" +# attributes: +# uid: "cn" +# mail: "email" +# name: "givenName" +# #bind_dn: +# #bind_password: +# #filter: "(objectClass=posixAccount)" diff --git a/images/matrix/synapse/tx0.co.log.config b/images/matrix/synapse/tx0.co.log.config new file mode 100644 index 0000000..5c86bcc --- /dev/null +++ b/images/matrix/synapse/tx0.co.log.config 
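Review bot: `registration_shared_secret` and `macaroon_secret_key` are committed in homeserver.yaml as literal values, and the Dockerfile's `ADD synapse /app/synapse` copies the file into the image. Per the file's own comment, anyone holding the shared secret can register accounts even though `enable_registration: False`, so read access to the repository or the image is enough. The neighbouring `.gitignore` keeps `*signing*`, `*key*` and `*tls*` files out of the tree but does not match this file. Treat both values as exposed and rotate them, commit only a template with placeholders such as `registration_shared_secret: "<SET_AT_DEPLOY>"`, and mount the real file from a volume or secret at run time. Also confirm that the port 8008 listener (`bind_addresses: ['0.0.0.0']`, `x_forwarded: true`) is reachable only from the router, because a client connecting to it directly chooses the address synapse records for it.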
@@ -0,0 +1,37 @@
+
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+
+filters:
+ context:
+ (): synapse.util.logcontext.LoggingContextFilter
+ request: ""
+
+handlers:
+ file:
+ class: logging.handlers.RotatingFileHandler
+ formatter: precise
+ filename: /app/synapse/homeserver.log
+ maxBytes: 104857600
+ backupCount: 10
+ filters: [context]
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+ filters: [context]
+
+loggers:
+ synapse:
+ level: INFO
+
+ synapse.storage.SQL:
+ # beware: increasing this to DEBUG will make synapse log sensitive
+ # information such as access tokens.
+ level: INFO
+
+root:
+ level: INFO
+ handlers: [file, console]
diff --git a/images/paste/Dockerfile b/images/paste/Dockerfile
new file mode 100644
index 0000000..9eedd40
--- /dev/null
+++ b/images/paste/Dockerfile
@@ -0,0 +1,24 @@
+# Currently uses edge instead of 3.5 because it needs
+# the mongodb package only available on edge
+
+FROM alpine:edge AS builder
+
+RUN apk add --no-cache git python3 py3-pip nodejs nodejs-npm graphicsmagick
+RUN git clone --single-branch --depth=1 --recursive https://github.com/ptpb/pb /app/pb
+
+RUN cd /app/pb \
+ && npm install -g grunt-cli \
+ && npm install && (cd node_modules/pbs; npm install) \
+ && grunt
+
+RUN cd /app/pb \
+ && pip3 install --user -r requirements.txt
+
+FROM server_runit-edge
+
+RUN apk add --no-cache python3 uwsgi-python3 mongodb
+COPY --from=builder /app/pb /app/pb
+COPY --from=builder /root/.local /root/.local
+
+ADD pb/config.yaml /root/.config/pb/config.yaml
+ADD uwsgi/pb.ini /app/pb.ini
diff --git a/images/paste/pb/config.yaml b/images/paste/pb/config.yaml
new file mode 100644
index 0000000..ebf8837
--- /dev/null
+++ b/images/paste/pb/config.yaml
@@ -0,0 +1,7 @@
+DEBUG: false
+
+MONGO:
+ host: localhost
+ port: 27017
+
+MONGO_DATABASE: pb
diff --git a/images/paste/service/mongo/run b/images/paste/service/mongo/run
new file mode 100644
index 0000000..996df8b
--- /dev/null
+++ b/images/paste/service/mongo/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+mkdir -p /data/db
+mongod
diff --git a/images/paste/service/uwsgi/run b/images/paste/service/uwsgi/run
new file mode 100644
index 0000000..2900244
--- /dev/null
+++ b/images/paste/service/uwsgi/run
@@ -0,0 +1,4 @@
+#!/bin/sh
+export PYTHONPATH=/app/pb:$PYTHONPATH
+/app/pb/runonce.py
+exec uwsgi --ini /app/pb.ini
diff --git a/images/paste/uwsgi/pb.ini b/images/paste/uwsgi/pb.ini
new file mode 100644
index 0000000..b035e38
--- /dev/null
+++ b/images/paste/uwsgi/pb.ini
@@ -0,0 +1,7 @@
+[uwsgi]
+socket = [::]:10002
+mountpoint = /app/pb
+module = pb.run:app
+plugins = python3
+processes = 4
+threads = 4
diff --git a/images/router/.gitignore b/images/router/.gitignore
new file mode 100644
index 0000000..5224f03
--- /dev/null
+++ b/images/router/.gitignore
@@ -0,0 +1 @@
+auth/*
diff --git a/images/router/Dockerfile b/images/router/Dockerfile
new file mode 100644
index 0000000..f7717fe
--- /dev/null
+++ b/images/router/Dockerfile
@@ -0,0 +1,11 @@
+FROM server_runit
+
+RUN apk add --no-cache nginx nginx-mod-stream bash curl git openssl
+RUN git clone --single-branch --depth=1 \
+ https://github.com/lukas2511/dehydrated /app/dehydrated
+
+ADD letsencrypt /app/letsencrypt/
+RUN rm -rf /etc/nginx/conf.d
+ADD nginx /etc/nginx/
+ADD auth /app/auth
+ADD dhparams.pem /app/
diff --git a/images/router/dhparams.pem b/images/router/dhparams.pem
new file mode 100644
index 0000000..3530d79
--- /dev/null
+++ b/images/router/dhparams.pem
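Review bot: `mongod` in images/paste/service/mongo/run is started without `exec` and without a bind address. Without `exec` the supervisor tracks the wrapper shell rather than mongod, so a stop signal may never reach the database; the other run scripts in this commit all use `exec`. Without `--bind_ip`, the packaged mongod may listen on every interface, depending on its version, and no authentication is configured in the visible files, while pb/config.yaml only connects to `localhost`. `exec mongod --bind_ip 127.0.0.1 --dbpath /data/db` addresses both.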
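Review bot: `socket = [::]:10002` in images/paste/uwsgi/pb.ini exposes the raw uwsgi protocol on every interface of the paste container, and that protocol has no authentication of its own. The basic-auth requirement for non-GET requests exists only in the router's nginx (`limit_except GET HEAD`), so anything that reaches port 10002 directly bypasses it, such as another container on the same network or the host if the port is ever published. The compose files are not visible here, so confirm that the port is not published and that only the router shares a network with this service. A comment above the `socket` line should record that assumption.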
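Review bot: `ADD auth /app/auth` in images/router/Dockerfile bakes the basic-auth password files into an image layer. `auth/*` is git-ignored, so the files stay out of the repository, but they travel with every copy of the image and remain in its layer history. Mounting the directory read-only at run time keeps the password hashes out of the image. For the other plain local copies in this file, `COPY` is the more explicit instruction than `ADD`.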
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEAj8BEpaKdrasUzeqS1KaWlOBJTaLTHHpVzkjUdPgsgKyf3sI18b5X +r6QF4KOu0oU4V23j3Zbc6qHdIAa+HnYvw/A+ShFTC6CkFlmHE5MDgbyABmtXXqCy +HiiGUalmReOZUhWNXI2+VqZHRjFH58ivoMJvkoyAesNjUGM1qq8oVyhUsmWYmU1A +dwC4hGYpRnf6bOHeI0l5/b2q8jSix2UxYWrqQlg0Yi/RovVlk3SEpKclOQ4zrrxi +BUrOpZ3Oedl4tKeIA50dAnkjh05EnYMhG0SPXY9mPyxAQl0xAByh/15aAT+XZ+Zn +gYqh+frTciPPk5LoRZ3Ym7yRbbY8A3Y9iYe1kySEUiN5KKt0wa1RIH3rp6VYlU0J +nYbzNLuVe9HYb9v4hoWcy4p5qPAXzO9cJHJmo3Y7JpcUY/dQBSiarT12LoPlLCHP +72uwxWA9FQZRpI2MPYOyG1SifojX2GIY03mGL3LTnbjdmAbCDx6FpcddCZPbmOXj +y+NhzLGZCzKGprleoY8rI9wMBbyGjE43ikOr8JkUPXc7IhOE5KmYnI8YHgkAHKhn +c9R2k2tAGYoxCfdhh6RdaRgcT/JqtyljEYVJWzYvfKfGHaGE7u+u4AudBCbjKgXs +Ns2e3CRprxvvK8DhcRwVYNJax6ecJqn+5EESrSJ/8EhjEm056rS3PqMCAQI= +-----END DH PARAMETERS----- diff --git a/images/router/letsencrypt/config b/images/router/letsencrypt/config new file mode 100644 index 0000000..e641f19 --- /dev/null +++ b/images/router/letsencrypt/config 
@@ -0,0 +1,95 @@ +######################################################## +# This is the main config file for dehydrated # +# # +# This file is looked for in the following locations: # +# $SCRIPTDIR/config (next to this script) # +# /usr/local/etc/dehydrated/config # +# /etc/dehydrated/config # +# ${PWD}/config (in current working-directory) # +# # +# Default values of this config are in comments # +######################################################## + +# Resolve names to addresses of IP version only. (curl) +# supported values: 4, 6 +# default: <unset> +#IP_VERSION= + +# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory) +CA="https://acme-v01.api.letsencrypt.org/directory" + +# Path to certificate authority license terms redirect (default: https://acme-v01.api.letsencrypt.org/terms) +CA_TERMS="https://acme-v01.api.letsencrypt.org/terms" + +#CA="https://acme-staging.api.letsencrypt.org/directory" +#CA_TERMS="https://acme-staging.api.letsencrypt.org/terms" + +# Path to license agreement (default: <unset>) +#LICENSE="" + +# Which challenge should be used? Currently http-01 and dns-01 are supported +CHALLENGETYPE="http-01" + +# Path to a directory containing additional config files, allowing to override +# the defaults found in the main configuration file. Additional config files +# in this directory needs to be named with a '.sh' ending. 
+# default: <unset> +#CONFIG_D= + +# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined) +#BASEDIR=$SCRIPTDIR + +# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt) +DOMAINS_TXT="/app/letsencrypt/domains.txt" + +# Output directory for generated certificates +CERTDIR="/data/certs" + +# Directory for account keys and registration information +ACCOUNTDIR="/data/accounts" + +# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated) +WELLKNOWN="/data/wellknown/acme-challenge" + +# Default keysize for private keys (default: 4096) +KEYSIZE="4096" + +# Path to openssl config file (default: <unset> - tries to figure out system default) +#OPENSSL_CNF= + +# Program or function called in certain situations +# +# After generating the challenge-response, or after failed challenge (in this case altname is empty) +# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content +# +# After successfully signing certificate +# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem +# +# BASEDIR and WELLKNOWN variables are exported and can be used in an external program +# default: <unset> +#HOOK= + +# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no) +#HOOK_CHAIN="no" + +# Minimum days before expiration to automatically renew certificate (default: 30) +#RENEW_DAYS="30" + +# Regenerate private keys instead of just signing new certificates on renewal (default: yes) +#PRIVATE_KEY_RENEW="yes" + +# Create an extra private key for rollover (default: no) +#PRIVATE_KEY_ROLLOVER="no" + +# Which public key algorithm should be used? 
Supported: rsa, prime256v1 and secp384r1 +#KEY_ALGO=rsa + +# E-mail to use during the registration (default: <unset>) +CONTACT_EMAIL=till@hoeppner.ws + +# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock) +LOCKFILE="/app/letsencrypt/lock" + +# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no) +#OCSP_MUST_STAPLE="no" + diff --git a/images/router/letsencrypt/domains.txt b/images/router/letsencrypt/domains.txt new file mode 100644 index 0000000..d062476 --- /dev/null +++ b/images/router/letsencrypt/domains.txt @@ -0,0 +1 @@ +tx0.co m.tx0.co matrix.tx0.co g.tx0.co git.tx0.co z.tx0.co znc.tx0.co p.tx0.co paste.tx0.co diff --git a/images/router/nginx/fastcgi.conf b/images/router/nginx/fastcgi.conf new file mode 100644 index 0000000..091738c --- /dev/null +++ b/images/router/nginx/fastcgi.conf @@ -0,0 +1,26 @@ + +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/images/router/nginx/http.off/matrix b/images/router/nginx/http.off/matrix new file mode 100644 index 0000000..cedd917 --- /dev/null 
+++ b/images/router/nginx/http.off/matrix
@@ -0,0 +1,14 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name m.tx0.co;
+
+ include snippets/ssl;
+ include snippets/wellknown;
+
+ location /_matrix {
+ proxy_pass http://matrix:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+}
diff --git a/images/router/nginx/http.off/pad b/images/router/nginx/http.off/pad
new file mode 100644
index 0000000..4aa0e2e
--- /dev/null
+++ b/images/router/nginx/http.off/pad
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name pad.tx0.co;
+
+ include snippets/ssl;
+ include snippets/wellknown;
+
+ location / {
+ auth_basic "pad";
+ auth_basic_user_file pad/passwd;
+ proxy_pass http://etherpad;
+ }
+}
diff --git a/images/router/nginx/http.off/redirect b/images/router/nginx/http.off/redirect
new file mode 100644
index 0000000..8548646
--- /dev/null
+++ b/images/router/nginx/http.off/redirect
@@ -0,0 +1,10 @@
+server {
+ listen 80 default_server deferred;
+ listen [::]:80 default_server deferred;
+
+ server_name _;
+
+ include snippets/wellknown;
+
+ return 301 https://$server_name$request_uri;
+}
diff --git a/images/router/nginx/http/git b/images/router/nginx/http/git
new file mode 100644
index 0000000..0b14c54
--- /dev/null
+++ b/images/router/nginx/http/git
@@ -0,0 +1,13 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name g.tx0.co git.tx0.co;
+
+ include snippets/ssl_http;
+ include snippets/wellknown;
+
+ location / {
+ proxy_pass http://git;
+ }
+}
diff --git a/images/router/nginx/http/paste b/images/router/nginx/http/paste
new file mode 100644
index 0000000..4e0c75b
--- /dev/null
+++ b/images/router/nginx/http/paste
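Review bot: The server-level `return 301 https://$server_name$request_uri;` in http.off/redirect has two problems. `$server_name` expands to the literal `_` declared in this block, so the redirect target becomes `https://_/…` instead of the requested host. A `return` at server level also runs before location matching, so the ACME challenge location pulled in by `include snippets/wellknown;` is presumably never served on port 80 (the snippet is not visible here), which would break http-01 renewal. Moving the redirect into a catch-all location fixes both: `location / { return 301 https://$host$request_uri; }`.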
@@ -0,0 +1,26 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tx0.co p.tx0.co paste.tx0.co;
+
+ include snippets/ssl_http;
+ include snippets/wellknown;
+
+ location / {
+ limit_except GET HEAD {
+ auth_basic 'Restricted';
+ auth_basic_user_file /app/auth/paste;
+ }
+
+ include snippets/uwsgi_params;
+
+ uwsgi_pass paste:10002;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Fowarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ }
+}
diff --git a/images/router/nginx/http/znc b/images/router/nginx/http/znc
new file mode 100644
index 0000000..6028ca9
--- /dev/null
+++ b/images/router/nginx/http/znc
@@ -0,0 +1,13 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name z.tx0.co znc.tx0.co;
+
+ include snippets/ssl_http;
+ include snippets/wellknown;
+
+ location / {
+ proxy_pass http://znc;
+ }
+}
diff --git a/images/router/nginx/koi-utf b/images/router/nginx/koi-utf
new file mode 100644
index 0000000..e7974ff
--- /dev/null
+++ b/images/router/nginx/koi-utf
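Review bot: In http/paste the `proxy_redirect` and four `proxy_set_header` lines have no effect, because the location hands requests to `uwsgi_pass` rather than `proxy_pass`; one header name is also misspelled (`X-Fowarded-For`). As a result the backend never gets a router-set forwarding header, and any `X-Forwarded-For` the client sends reaches the application unchanged, so the app must not trust it for logging or access decisions. If the application needs the client address, it should use the `REMOTE_ADDR` variable that a standard uwsgi_params file sets (`snippets/uwsgi_params` is not visible here, so confirm it does), or an explicit `uwsgi_param REMOTE_ADDR $remote_addr;`. Otherwise drop the five proxy lines so the file does not suggest a protection that is not in place.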
@@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; # + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE 
D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/images/router/nginx/koi-win b/images/router/nginx/koi-win new file mode 100644 index 0000000..72afabe --- /dev/null +++ b/images/router/nginx/koi-win 
@@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; # + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} 
diff --git a/images/router/nginx/mime.types b/images/router/nginx/mime.types new file mode 100644 index 0000000..89be9a4 --- /dev/null +++ b/images/router/nginx/mime.types 
@@ -0,0 +1,89 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + image/webp webp; + + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + 
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/images/router/nginx/modules/stream.conf b/images/router/nginx/modules/stream.conf new file mode 100644 index 0000000..9b0cbc3 --- /dev/null +++ b/images/router/nginx/modules/stream.conf @@ -0,0 +1 @@ +load_module "modules/ngx_stream_module.so"; diff --git a/images/router/nginx/nginx.conf b/images/router/nginx/nginx.conf new file mode 100644 index 0000000..cb9b8c8 --- /dev/null +++ b/images/router/nginx/nginx.conf 
@@ -0,0 +1,67 @@
+worker_processes auto;
+pid /run/nginx.pid;
+
+include modules/stream.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ #include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ include snippets/ssl_ciphers;
+ ssl_session_cache shared:SSL:25m;
+ ssl_session_timeout 10m;
+
+ # Gzip
+ gzip on;
+ gzip_disable "msie6";
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javasc$
+
+ # Logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _;
+ include snippets/ssl_http;
+ return 503;
+ }
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/http/*;
+}
+
+stream {
+ include snippets/ssl_ciphers;
+
+ ssl_session_cache shared:TCP:25m;
+ ssl_session_timeout 10m;
+
+ include /etc/nginx/stream/*;
+}
diff --git a/images/router/nginx/snippets/fastcgi_params b/images/router/nginx/snippets/fastcgi_params
new file mode 100644
index 0000000..28decb9
--- /dev/null
+++ b/images/router/nginx/snippets/fastcgi_params
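Review bot: The `gzip_types` line in nginx.conf ends in `text/javasc$` with no terminating `;`, which looks like an editor-truncated paste. nginx keeps reading arguments up to the next semicolon, so `access_log /var/log/nginx/access.log` is consumed as further MIME-type arguments and the explicit access-log directive never takes effect. Restore the list and its terminator, presumably `gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;`. With `#include /etc/nginx/mime.types;` left commented out, responses fall back to `default_type application/octet-stream` unless an included file sets types, so a one-line comment saying why it is disabled would help.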
@@ -0,0 +1,25 @@ + +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/images/router/nginx/snippets/scgi_params b/images/router/nginx/snippets/scgi_params new file mode 100644 index 0000000..6d4ce4f --- /dev/null +++ b/images/router/nginx/snippets/scgi_params @@ -0,0 +1,17 @@ + +scgi_param REQUEST_METHOD $request_method; +scgi_param REQUEST_URI $request_uri; +scgi_param QUERY_STRING $query_string; +scgi_param CONTENT_TYPE $content_type; + +scgi_param DOCUMENT_URI $document_uri; +scgi_param DOCUMENT_ROOT $document_root; +scgi_param SCGI 1; +scgi_param SERVER_PROTOCOL $server_protocol; +scgi_param REQUEST_SCHEME $scheme; +scgi_param HTTPS $https if_not_empty; + +scgi_param REMOTE_ADDR $remote_addr; +scgi_param REMOTE_PORT $remote_port; +scgi_param SERVER_PORT $server_port; +scgi_param SERVER_NAME $server_name; diff --git a/images/router/nginx/snippets/ssl_ciphers b/images/router/nginx/snippets/ssl_ciphers new file mode 100644 index 0000000..6eefe74 --- /dev/null +++ b/images/router/nginx/snippets/ssl_ciphers 
@@ -0,0 +1,4 @@
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+
diff --git a/images/router/nginx/snippets/ssl_http b/images/router/nginx/snippets/ssl_http
new file mode 100644
index 0000000..78d171e
--- /dev/null
+++ b/images/router/nginx/snippets/ssl_http
@@ -0,0 +1,6 @@
+ssl_certificate /data/certs/tx0.co/fullchain.pem;
+ssl_certificate_key /data/certs/tx0.co/privkey.pem;
+
+ssl_dhparam /app/dhparams.pem;
+
+add_header Strict-Transport-Security "max-age=31536000" always;
diff --git a/images/router/nginx/snippets/ssl_tcp b/images/router/nginx/snippets/ssl_tcp
new file mode 100644
index 0000000..b59b7bf
--- /dev/null
+++ b/images/router/nginx/snippets/ssl_tcp
@@ -0,0 +1,4 @@
+ssl_certificate /data/certs/tx0.co/fullchain.pem;
+ssl_certificate_key /data/certs/tx0.co/privkey.pem;
+
+ssl_dhparam /app/dhparams.pem;
diff --git a/images/router/nginx/snippets/uwsgi_params b/images/router/nginx/snippets/uwsgi_params
new file mode 100644
index 0000000..09c732c
--- /dev/null
+++ b/images/router/nginx/snippets/uwsgi_params
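Review bot: In snippets/ssl_ciphers, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, and the cipher string ends with the catch-alls `AES:CAMELLIA:DES-CBC3-SHA`. Those admit static-RSA CBC suites and 3DES, so a client can negotiate a session without forward secrecy or with a 64-bit block cipher. The snippet is included from both the `http` and `stream` blocks of nginx.conf, so tightening it here covers every TLS listener: `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the nginx/OpenSSL build supports it) and a list limited to the ECDHE/DHE AEAD suites already at the front of the string. A comment recording where the cipher list came from and when it was last reviewed would make later audits easier.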
@@ -0,0 +1,17 @@ + +uwsgi_param QUERY_STRING $query_string; +uwsgi_param REQUEST_METHOD $request_method; +uwsgi_param CONTENT_TYPE $content_type; +uwsgi_param CONTENT_LENGTH $content_length; + +uwsgi_param REQUEST_URI $request_uri; +uwsgi_param PATH_INFO $document_uri; +uwsgi_param DOCUMENT_ROOT $document_root; +uwsgi_param SERVER_PROTOCOL $server_protocol; +uwsgi_param REQUEST_SCHEME $scheme; +uwsgi_param HTTPS $https if_not_empty; + +uwsgi_param REMOTE_ADDR $remote_addr; +uwsgi_param REMOTE_PORT $remote_port; +uwsgi_param SERVER_PORT $server_port; +uwsgi_param SERVER_NAME $server_name; diff --git a/images/router/nginx/snippets/wellknown b/images/router/nginx/snippets/wellknown new file mode 100644 index 0000000..17aacf7 --- /dev/null +++ b/images/router/nginx/snippets/wellknown @@ -0,0 +1,5 @@ +location ^~ /.well-known/ { + alias /data/wellknown/; + try_files $uri $uri/ =404; + break; +} diff --git a/images/router/nginx/stream/znc b/images/router/nginx/stream/znc new file mode 100644 index 0000000..e496af7 --- /dev/null +++ b/images/router/nginx/stream/znc @@ -0,0 +1,8 @@ +server { + listen 6667 ssl; + listen [::]:6667 ssl; + + include snippets/ssl_tcp; + + proxy_pass znc:6667; +} diff --git a/images/router/nginx/win-utf b/images/router/nginx/win-utf new file mode 100644 index 0000000..ed8bc00 --- /dev/null +++ b/images/router/nginx/win-utf 
@@ -0,0 +1,126 @@ + +# This map is not a full windows-1251 <> utf8 map: it does not +# contain Serbian and Macedonian letters. If you need a full map, +# use contrib/unicode2nginx/win-utf map instead. + +charset_map windows-1251 utf-8 { + + 82 E2809A ; # single low-9 quotation mark + + 84 E2809E ; # double low-9 quotation mark + 85 E280A6 ; # ellipsis + 86 E280A0 ; # dagger + 87 E280A1 ; # double dagger + 88 E282AC ; # euro + 89 E280B0 ; # per mille + + 91 E28098 ; # left single quotation mark + 92 E28099 ; # right single quotation mark + 93 E2809C ; # left double quotation mark + 94 E2809D ; # right double quotation mark + 95 E280A2 ; # bullet + 96 E28093 ; # en dash + 97 E28094 ; # em dash + + 99 E284A2 ; # trade mark sign + + A0 C2A0 ; # + A1 D18E ; # capital Byelorussian short U + A2 D19E ; # small Byelorussian short u + + A4 C2A4 ; # currency sign + A5 D290 ; # capital Ukrainian soft G + A6 C2A6 ; # borken bar + A7 C2A7 ; # section sign + A8 D081 ; # capital YO + A9 C2A9 ; # (C) + AA D084 ; # capital Ukrainian YE + AB C2AB ; # left-pointing double angle quotation mark + AC C2AC ; # not sign + AD C2AD ; # soft hypen + AE C2AE ; # (R) + AF D087 ; # capital Ukrainian YI + + B0 C2B0 ; # ° + B1 C2B1 ; # plus-minus sign + B2 D086 ; # capital Ukrainian I + B3 D196 ; # small Ukrainian i + B4 D291 ; # small Ukrainian soft g + B5 C2B5 ; # micro sign + B6 C2B6 ; # pilcrow sign + B7 C2B7 ; # · + B8 D191 ; # small yo + B9 E28496 ; # numero sign + BA D194 ; # small Ukrainian ye + BB C2BB ; # right-pointing double angle quotation mark + + BF D197 ; # small Ukrainian yi + + C0 D090 ; # capital A + C1 D091 ; # capital B + C2 D092 ; # capital V + C3 D093 ; # capital G + C4 D094 ; # capital D + C5 D095 ; # capital YE + C6 D096 ; # capital ZH + C7 D097 ; # capital Z + C8 D098 ; # capital I + C9 D099 ; # capital J + CA D09A ; # capital K + CB D09B ; # capital L + CC D09C ; # capital M + CD D09D ; # capital N + CE D09E ; # capital O + CF D09F ; # capital P + + D0 D0A0 ; # capital R 
+ D1 D0A1 ; # capital S + D2 D0A2 ; # capital T + D3 D0A3 ; # capital U + D4 D0A4 ; # capital F + D5 D0A5 ; # capital KH + D6 D0A6 ; # capital TS + D7 D0A7 ; # capital CH + D8 D0A8 ; # capital SH + D9 D0A9 ; # capital SHCH + DA D0AA ; # capital hard sign + DB D0AB ; # capital Y + DC D0AC ; # capital soft sign + DD D0AD ; # capital E + DE D0AE ; # capital YU + DF D0AF ; # capital YA + + E0 D0B0 ; # small a + E1 D0B1 ; # small b + E2 D0B2 ; # small v + E3 D0B3 ; # small g + E4 D0B4 ; # small d + E5 D0B5 ; # small ye + E6 D0B6 ; # small zh + E7 D0B7 ; # small z + E8 D0B8 ; # small i + E9 D0B9 ; # small j + EA D0BA ; # small k + EB D0BB ; # small l + EC D0BC ; # small m + ED D0BD ; # small n + EE D0BE ; # small o + EF D0BF ; # small p + + F0 D180 ; # small r + F1 D181 ; # small s + F2 D182 ; # small t + F3 D183 ; # small u + F4 D184 ; # small f + F5 D185 ; # small kh + F6 D186 ; # small ts + F7 D187 ; # small ch + F8 D188 ; # small sh + F9 D189 ; # small shch + FA D18A ; # small hard sign + FB D18B ; # small y + FC D18C ; # small soft sign + FD D18D ; # small e + FE D18E ; # small yu + FF D18F ; # small ya +} diff --git a/images/router/service/letsencrypt/run b/images/router/service/letsencrypt/run new file mode 100644 index 0000000..7fcc76d --- /dev/null +++ b/images/router/service/letsencrypt/run @@ -0,0 +1,19 @@ +#!/bin/sh + +# wait for nginx to startup, for http challenge +sv start nginx || exit 1 +sleep 10 + +# half a day, 60 * 60 * 12 +INTERVAL=43200 + +mkdir -p /data/wellknown/acme-challenge + +/app/dehydrated/dehydrated --register --accept-terms --config /app/letsencrypt/config + +while true; do + echo "Updating certificates" + /app/dehydrated/dehydrated --cron --config /app/letsencrypt/config + nginx -s reload # certificates might have changed + sleep $INTERVAL +done diff --git a/images/router/service/nginx/run b/images/router/service/nginx/run new file mode 100644 index 0000000..bfc6e24 --- /dev/null +++ b/images/router/service/nginx/run 
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+ln -sf /dev/stdout /var/log/nginx/access.log
+ln -sf /dev/stderr /var/log/nginx/error.log
+
+# nginx doesn't start without certificates,
+# so generate untrusted ones for startup
+if [ ! -d "/data/certs/tx0.co" ]; then
+ echo "Generating dummy certificates"
+ mkdir -p /data/certs/tx0.co
+ openssl req -x509 -nodes -batch -newkey rsa:512 -days 0 \
+ -keyout /data/certs/tx0.co/privkey.pem \
+ -out /data/certs/tx0.co/fullchain.pem
+fi
+
+exec nginx -g 'daemon off;'
diff --git a/images/runit-edge/Dockerfile b/images/runit-edge/Dockerfile
new file mode 100644
index 0000000..d0c2040
--- /dev/null
+++ b/images/runit-edge/Dockerfile
@@ -0,0 +1,14 @@
+FROM alpine:edge
+
+RUN apk add --no-cache sudo shadow runit
+
+# runit
+ADD runit/run /app/runit/run
+ONBUILD ADD service /etc/service
+# Make sure all service and log files are executable
+ONBUILD RUN find -L /etc/service \( -name run -or -name finish -or -name down \) -exec chmod +x {} \;
+
+# If supplied as "ENTRYPOINT foo" it will be wrapped in "/bin/sh -c",
+# but that will swallow signals and we rely on those
+ONBUILD RUN chmod +x /app/runit/run
+ONBUILD ENTRYPOINT ["/app/runit/run"]
diff --git a/images/runit-edge/runit/run b/images/runit-edge/runit/run
new file mode 100644
index 0000000..c3861c2
--- /dev/null
+++ b/images/runit-edge/runit/run
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+echo "Found services:"
+find /etc/service -mindepth 1 -maxdepth 1
+
+/sbin/runsvdir /etc/service &
+runsvdir_pid=$!
+echo "Started runit as $runsvdir_pid"
+
+runit_stop() {
+ echo "Stopping runit"
+ # "If runsvdir receives HUP, it sends TERM to each runsv process"
+ kill -HUP $runsvdir_pid
+}
+
+trap "runit_stop" SIGTERM
+wait
diff --git a/images/runit/Dockerfile b/images/runit/Dockerfile
new file mode 100644
index 0000000..9ec17b7
--- /dev/null
+++ b/images/runit/Dockerfile
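Review bot: The placeholder certificate in service/nginx/run is created with `-newkey rsa:512 -days 0`, a key size that OpenSSL builds running at security level 1 or higher refuse to load. The fallback meant to let nginx start can therefore stop it from starting, and wherever it does load, the listener is protected by a key far below any accepted minimum until a real certificate replaces it. Use `-newkey rsa:2048 -days 1` instead. The guard only tests for the directory (`[ ! -d "/data/certs/tx0.co" ]`), so an existing but empty directory skips generation; `[ ! -s /data/certs/tx0.co/fullchain.pem ]` checks for the file nginx actually needs.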
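Review bot: `FROM alpine:edge` in images/runit-edge/Dockerfile tracks Alpine's rolling development branch, so each rebuild can pull a different base and package set, and every image built on top through the `ONBUILD` triggers inherits that drift. If edge is needed for a specific package, say so in a comment and pin the base by digest, `FROM alpine:edge@sha256:<DIGEST_PLACEHOLDER>`. `ADD runit/run /app/runit/run` copies a plain local file and should be `COPY`, and `sudo` and `shadow` are worth a comment naming the child image that needs them.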
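Review bot: In images/runit-edge/runit/run the single `wait` after `trap "runit_stop" SIGTERM` returns as soon as the trapped signal is delivered. The script, which is the container's entrypoint, then exits right after sending HUP, and the services are torn down with the container instead of being given time to stop. Wait for the supervisor inside the handler by adding `wait "$runsvdir_pid"` after `kill -HUP $runsvdir_pid`. `trap runit_stop TERM` without the `SIG` prefix is the portable POSIX spelling. The identical script added as images/runit/runit/run needs the same change.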
@@ -0,0 +1,14 @@
+FROM alpine:3.5
+
+RUN apk add --no-cache sudo shadow runit
+
+# runit
+ADD runit/run /app/runit/run
+ONBUILD ADD service /etc/service
+# Make sure all service and log files are executable
+ONBUILD RUN find -L /etc/service \( -name run -or -name finish -or -name down \) -exec chmod +x {} \;
+
+# If supplied as "ENTRYPOINT foo" it will be wrapped in "/bin/sh -c",
+# but that will swallow signals and we rely on those
+ONBUILD RUN chmod +x /app/runit/run
+ONBUILD ENTRYPOINT ["/app/runit/run"]
diff --git a/images/runit/runit/run b/images/runit/runit/run
new file mode 100644
index 0000000..c3861c2
--- /dev/null
+++ b/images/runit/runit/run
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+echo "Found services:"
+find /etc/service -mindepth 1 -maxdepth 1
+
+/sbin/runsvdir /etc/service &
+runsvdir_pid=$!
+echo "Started runit as $runsvdir_pid"
+
+runit_stop() {
+ echo "Stopping runit"
+ # "If runsvdir receives HUP, it sends TERM to each runsv process"
+ kill -HUP $runsvdir_pid
+}
+
+trap "runit_stop" SIGTERM
+wait
diff --git a/images/taskwarrior/Dockerfile b/images/taskwarrior/Dockerfile
new file mode 100644
index 0000000..b732c28
--- /dev/null
+++ b/images/taskwarrior/Dockerfile
@@ -0,0 +1,5 @@
+FROM alpine:3.5
+
+RUN apk add --no-cache taskd
+
+ENTRYPOINT exec taskd server --data /data/
diff --git a/images/znc/Dockerfile b/images/znc/Dockerfile
new file mode 100644
index 0000000..6dfec6a
--- /dev/null
+++ b/images/znc/Dockerfile
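Review bot: images/taskwarrior/Dockerfile has no `USER` instruction, so `taskd` runs as root in the container although it only needs its data directory and a listening socket. Add an unprivileged account and switch to it before the entrypoint, e.g. `RUN adduser -S -h /data taskd` and `USER taskd`; if the Alpine package already ships a service account, use that one, and make sure the `/data` volume is owned by it. The entrypoint is better in exec form, `ENTRYPOINT ["taskd", "server", "--data", "/data/"]`, so it does not depend on a shell wrapper to hand over PID 1.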
@@ -0,0 +1,25 @@
+FROM alpine:3.5 AS builder
+
+RUN apk add --no-cache build-base git automake autoconf openssl-dev icu-dev
+
+RUN git clone --single-branch --depth=1 --recursive https://github.com/znc/znc.git /tmp/znc
+
+RUN mkdir -p /app /data
+RUN cd /tmp/znc \
+ && ./autogen.sh \
+ && ./configure --prefix="/app/znc" \
+ && make \
+ && make install
+
+ADD privmsg.cpp /tmp/
+RUN cd /tmp/ \
+ && /app/znc/bin/znc-buildmod /tmp/privmsg.cpp \
+ && mv privmsg.so /app/znc/lib/znc/
+
+FROM server_runit
+
+RUN apk add --no-cache sudo libcap openssl icu
+COPY --from=builder /app /app
+
+# -S: system, -h: home
+RUN adduser -S -h /data znc && chmod a+x /data
diff --git a/images/znc/privmsg.cpp b/images/znc/privmsg.cpp
new file mode 100644
index 0000000..0659f96
--- /dev/null
+++ b/images/znc/privmsg.cpp
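Review bot: `RUN git clone --single-branch --depth=1 --recursive https://github.com/znc/znc.git /tmp/znc` builds whatever the default branch and its submodules point to at build time. The binary copied into the final stage is therefore not reproducible and not tied to a reviewed release. Pin the source with `git clone --branch <RELEASE_TAG> --depth=1 --recursive …` and compare `git rev-parse HEAD` against the expected commit, or fetch a release tarball and verify its checksum or signature before building. `ADD privmsg.cpp /tmp/` should be `COPY`, and the two `RUN cd … &&` steps read more clearly with `WORKDIR`.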
@@ -0,0 +1,40 @@ +/* + * Copyright (C) 2004-2012 See the AUTHORS file for details. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation. + */ + +#include <znc/IRCNetwork.h> +#include <znc/Modules.h> + +class CPrivMsgMod : public CModule { +public: + MODCONSTRUCTOR(CPrivMsgMod) {} + + virtual EModRet OnUserMsg(CString& sTarget, CString& sMessage) { + if (m_pNetwork && m_pNetwork->GetIRCSock() && !m_pNetwork->IsChan(sTarget)) { + m_pNetwork->PutUser(":" + m_pNetwork->GetIRCNick().GetNickMask() + " PRIVMSG " + sTarget + " :" + sMessage, NULL, m_pClient); + } + + return CONTINUE; + } + + virtual EModRet OnUserAction(CString& sTarget, CString& sMessage) { + if (m_pNetwork && m_pNetwork->GetIRCSock() && !m_pNetwork->IsChan(sTarget)) { + m_pNetwork->PutUser(":" + m_pNetwork->GetIRCNick().GetNickMask() + " PRIVMSG " + sTarget + " :\x01" + "ACTION " + sMessage + "\x01", NULL, m_pClient); + } + + return CONTINUE; + } +}; + +template<> void TModInfo<CPrivMsgMod>(CModInfo& Info) { + Info.SetWikiPage("privmsg"); + Info.AddType(CModInfo::NetworkModule); + Info.AddType(CModInfo::GlobalModule); +} + +USERMODULEDEFS(CPrivMsgMod, "Send outgoing PRIVMSGs and CTCP ACTIONs to other clients") + diff --git a/images/znc/service/znc/run b/images/znc/service/znc/run new file mode 100644 index 0000000..14814ea --- /dev/null +++ b/images/znc/service/znc/run @@ -0,0 +1,5 @@ +#!/bin/sh + +chown -R znc /data +setcap 'cap_net_bind_service=+ep' /app/znc/bin/znc +exec sudo -u znc /app/znc/bin/znc --foreground --datadir /data diff --git a/services.off/matrix.yml b/services.off/matrix.yml new file mode 100644 index 0000000..0a8ce79 --- /dev/null +++ b/services.off/matrix.yml 
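Review bot: images/znc/service/znc/run grants `cap_net_bind_service=+ep` to the znc binary on every start, but the router's stream block proxies to `znc:6667`, an unprivileged port, so the capability appears unnecessary. Dropping the `setcap` line, and `libcap` from the image, removes a file capability from a network-facing daemon; if a low port really is required, set it once at build time and say so in a comment. `chown -R znc /data` on each start walks the whole volume, and `chown znc /data` at startup is probably enough if ownership is set when the volume is first populated.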
@@ -0,0 +1,16 @@
+version: '3'
+
+volumes:
+ synapse_data:
+
+services:
+ matrix:
+ image: silviof/docker-matrix
+ command: start
+ ports:
+ - "8448:8448" # matrix federation
+ volumes:
+ - synapse_data:/data/
+ environment:
+ - SERVER_NAME=m.tx0.co
+ - REPORT_STATS=no
diff --git a/services/git.yml b/services/git.yml
new file mode 100644
index 0000000..68129e3
--- /dev/null
+++ b/services/git.yml
@@ -0,0 +1,15 @@
+version: '3'
+
+volumes:
+ git_data:
+
+services:
+ git:
+ depends_on:
+ - runit
+ build: $IMAGES/git
+ ports:
+ - "22:22" # ssh
+ - "9418:9418" # git://
+ volumes:
+ - git_data:/data
diff --git a/services/paste.yml b/services/paste.yml
new file mode 100644
index 0000000..477301d
--- /dev/null
+++ b/services/paste.yml
@@ -0,0 +1,12 @@
+version: '3'
+
+volumes:
+ paste_data:
+
+services:
+ paste:
+ depends_on:
+ - runit-edge
+ build: $IMAGES/paste
+ volumes:
+ - paste_data:/data
diff --git a/services/router.yml b/services/router.yml
new file mode 100644
index 0000000..1c43a65
--- /dev/null
+++ b/services/router.yml
@@ -0,0 +1,21 @@
+version: '3'
+
+volumes:
+ router_data:
+
+services:
+ router:
+ build: $IMAGES/router
+ depends_on:
+ - runit
+ - git
+ - paste
+ - znc
+ - taskwarrior
+ ports:
+ - "80:80" # http
+ - "443:443" # https
+ - "6667:6667" # IRC (TLS terminated)
+ volumes:
+ - $IMAGES/router/nginx/:/etc/nginx:ro
+ - router_data:/data
diff --git a/services/runit-edge.yml b/services/runit-edge.yml
new file mode 100644
index 0000000..ed131ea
--- /dev/null
+++ b/services/runit-edge.yml
@@ -0,0 +1,6 @@
+version: '3'
+
+services:
+ runit-edge:
+ build: $IMAGES/runit-edge
+ entrypoint: /bin/true
diff --git a/services/runit.yml b/services/runit.yml
new file mode 100644
index 0000000..be5cc99
--- /dev/null
+++ b/services/runit.yml
@@ -0,0 +1,6 @@
+version: '3'
+
+services:
+ runit:
+ build: $IMAGES/runit
+ entrypoint: /bin/true
diff --git a/services/taskwarrior.yml b/services/taskwarrior.yml
new file mode 100644
index 0000000..41e015e
--- /dev/null
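Review bot: `image: silviof/docker-matrix` in services.off/matrix.yml carries no tag, so enabling the service pulls whatever `latest` is at that moment from a third-party repository, with port 8448 published to the host. Pin a reviewed version by tag and digest, `image: silviof/docker-matrix:<TAG>@sha256:<DIGEST_PLACEHOLDER>`, before this file is moved into `services/`. A comment above `ports:` noting that 8448 is reachable directly rather than through the router would help, since every other service is fronted by nginx.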
+++ b/services/taskwarrior.yml @@ -0,0 +1,10 @@ +version: '3' + +volumes: + taskwarrior_data: + +services: + taskwarrior: + build: $IMAGES/taskwarrior + volumes: + - taskwarrior_data:/data diff --git a/services/znc.yml b/services/znc.yml new file mode 100644 index 0000000..624a252 --- /dev/null +++ b/services/znc.yml @@ -0,0 +1,10 @@ +version: '3' + +volumes: + znc_data: + +services: + znc: + build: $IMAGES/znc + volumes: + - znc_data:/data |