From 5e8a72a714fd396159b6e0be57bce1a35f72e14f Mon Sep 17 00:00:00 2001 From: aleidk Date: Mon, 10 Feb 2025 13:01:24 -0300 Subject: [PATCH 1/2] revert: remove lemmy service --- files/docker/lemmy/customPostgresql.sql | 32 ------ files/docker/lemmy/docker-stack.yaml | 131 ------------------------ files/docker/lemmy/lemmy.hjson | 21 ---- files/docker/lemmy/pictrs.toml | 10 -- files/docker/lemmy/postgres_pass.txt | 9 -- playbooks/docker/services.yaml | 35 ------- 6 files changed, 238 deletions(-) delete mode 100644 files/docker/lemmy/customPostgresql.sql delete mode 100644 files/docker/lemmy/docker-stack.yaml delete mode 100644 files/docker/lemmy/lemmy.hjson delete mode 100644 files/docker/lemmy/pictrs.toml delete mode 100644 files/docker/lemmy/postgres_pass.txt diff --git a/files/docker/lemmy/customPostgresql.sql b/files/docker/lemmy/customPostgresql.sql deleted file mode 100644 index 4cff0f6..0000000 --- a/files/docker/lemmy/customPostgresql.sql +++ /dev/null @@ -1,32 +0,0 @@ --- DB Version: 17 --- OS Type: linux --- DB Type: web --- Total Memory (RAM): 512 MB --- Data Storage: hdd - -ALTER SYSTEM SET - max_connections = '200'; -ALTER SYSTEM SET - shared_buffers = '128MB'; -ALTER SYSTEM SET - effective_cache_size = '384MB'; -ALTER SYSTEM SET - maintenance_work_mem = '32MB'; -ALTER SYSTEM SET - checkpoint_completion_target = '0.9'; -ALTER SYSTEM SET - wal_buffers = '3932kB'; -ALTER SYSTEM SET - default_statistics_target = '100'; -ALTER SYSTEM SET - random_page_cost = '4'; -ALTER SYSTEM SET - effective_io_concurrency = '2'; -ALTER SYSTEM SET - work_mem = '327kB'; -ALTER SYSTEM SET - huge_pages = 'off'; -ALTER SYSTEM SET - min_wal_size = '1GB'; -ALTER SYSTEM SET - max_wal_size = '4GB'; diff --git a/files/docker/lemmy/docker-stack.yaml b/files/docker/lemmy/docker-stack.yaml deleted file mode 100644 index 441787d..0000000 --- a/files/docker/lemmy/docker-stack.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ -networks: - reverse_proxy: - external: true - -configs: - lemmy_customPostgresql.sql: - external: true - -secrets: - lemmy_lemmy.hjson: - external: true - lemmy_postgres_pass.txt: - external: true - lemmy_pictrs.toml: - external: true - -volumes: - ui_themes: - pictrs: - db: - -services: - lemmy: - image: dessalines/lemmy:0.19.8 - restart: always - networks: - - default - - reverse_proxy - environment: - - RUST_LOG="info" - secrets: - - source: lemmy_lemmy.hjson - target: /config/config.hjson - deploy: - rollback_config: - failure_action: continue - update_config: - delay: 2s - failure_action: rollback - order: start-first - placement: - constraints: - - node.labels.services_kind==${SERVICE_KIND:-common} - labels: - - traefik.enable=true - - traefik.http.routers.lemmy.rule=Host(`lemmy.alecodes.page`) && (PathRegexp(`^/(api|pictrs|feeds|nodeinfo|\\.well-known)`) || HeaderRegexp(`Accept`, `^application/.*`)) - - traefik.http.services.lemmy.loadbalancer.server.port=8536 - - traefik.http.middlewares.lemmy-max-bodysize.buffering.maxRequestBodyBytes=20971520 # 20M - - traefik.http.routers.lemmy.middlewares=lemmy-max-bodysize - - lemmy_ui: - image: dessalines/lemmy-ui:0.19.8 - restart: always - networks: - - default - - reverse_proxy - environment: - - LEMMY_UI_LEMMY_INTERNAL_HOST=tasks.lemmy:8536 - - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.alecodes.page - - LEMMY_UI_HTTPS=true - volumes: - - ui_themes:/app/extra_themes - deploy: - rollback_config: - failure_action: continue - update_config: - delay: 2s - failure_action: rollback - order: start-first - placement: - constraints: - - node.labels.services_kind==${SERVICE_KIND:-common} - labels: - - "traefik.enable=true" - - "traefik.http.middlewares.lemmy-ui-client-max-bodysize.buffering.maxRequestBodyBytes=20971520" # 20M - - "traefik.http.routers.lemmy-ui.middlewares=lemmy-ui-client-max-bodysize" - - "traefik.http.routers.lemmy-ui.rule=Host(`lemmy.alecodes.page`)" - - 
"traefik.http.routers.lemmy-ui.service=lemmy-ui" - - "traefik.http.services.lemmy-ui.loadbalancer.server.port=1234" - - - "traefik.http.routers.lemmy-security-txt.rule=Host(`lemmy.alecodes.page`) && Path(`/.well-known/security.txt`)" - - "traefik.http.routers.lemmy-security-txt.service=lemmy-security-txt" - - "traefik.http.services.lemmy-security-txt.loadbalancer.server.port=1234" - - pictrs: - image: asonix/pictrs:0.5.16 - restart: always - # this needs to match the pictrs url in lemmy_lemmy.hjson - entrypoint: /sbin/tini -- /usr/local/bin/pict-rs -c /run/secrets/lemmy_pictrs.toml run - secrets: - - lemmy_pictrs.toml - environment: - - RUST_BACKTRACE=full - user: 991:991 - volumes: - - pictrs:/mnt:Z - deploy: - rollback_config: - failure_action: continue - update_config: - delay: 2s - failure_action: rollback - order: start-first - placement: - constraints: - - node.labels.services_kind==${SERVICE_KIND:-common} - - lemmy_db: - image: pgautoupgrade/pgautoupgrade:17-bookworm - restart: always - secrets: - - lemmy_postgres_pass.txt - configs: - - source: lemmy_customPostgresql.sql - target: /docker-entrypoint-initdb.d/config.sql - environment: - - POSTGRES_USER=lemmy - - POSTGRES_PASSWORD_FILE=/run/secrets/lemmy_postgres_pass.txt - - POSTGRES_DB=lemmy - volumes: - - db:/var/lib/postgresql/data:Z - deploy: - rollback_config: - failure_action: continue - update_config: - delay: 2s - failure_action: rollback - order: start-first - placement: - constraints: - - node.labels.services_kind==${SERVICE_KIND:-common} diff --git a/files/docker/lemmy/lemmy.hjson b/files/docker/lemmy/lemmy.hjson deleted file mode 100644 index 00222e4..0000000 --- a/files/docker/lemmy/lemmy.hjson +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - # for more info about the config, check out the documentation - # https://join-lemmy.org/docs/en/administration/configuration.html - hostname: "lemmy.alecodes.page" - tls_enabled: true - database: { - host: "tasks.lemmy_db" - password: "529a6b836665075b535f8cc56d8f30cde7b7c9b01062feaa1b0da817fd7af2f8" - } - pictrs: { - url: "http://tasks.pictrs:8080/" - api_key: "529a6b836665075b535f8cc56d8f30cde7b7c9b01062feaa1b0da817fd7af2f8" - } - email: { - smtp_server: "smtp.gmail.com:587" - smtp_login: "ale.navarro.parra@gmail.com" - smtp_password: "steuuamhzngjgfwn" - smtp_from_address: "ale.navarro.parra@gmail.com" - tls_type: "starttls" - } -} diff --git a/files/docker/lemmy/pictrs.toml b/files/docker/lemmy/pictrs.toml deleted file mode 100644 index 6d156d0..0000000 --- a/files/docker/lemmy/pictrs.toml +++ /dev/null @@ -1,10 +0,0 @@ -[server] -api_key = '529a6b836665075b535f8cc56d8f30cde7b7c9b01062feaa1b0da817fd7af2f8' - -[media.animation] -max_width = 256 -max_height = 256 -max_frame_count = 400 - -[media.video] -video_codec = 'vp9' diff --git a/files/docker/lemmy/postgres_pass.txt b/files/docker/lemmy/postgres_pass.txt deleted file mode 100644 index ac5ba52..0000000 --- a/files/docker/lemmy/postgres_pass.txt +++ /dev/null @@ -1,9 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -65343339376264393533303231656562316534643432643737653132646561316266386363376331 -6137323165303633633535653537336436333834363564660a303934353533643965323636346536 -38613331623336303130383261623162333437363830326434393463333564623032383434316130 -6564646161353937320a666531326338663433326431346539346335346430653032643530386231 -64636263343437333066323163336637386639643836336438663730623633633666383737353461 -62656262626537303838613764366565393863393961373564343230363433343737303834353037 -31653136323563333164303766636539313362363434336430303962653633316661623932396137 -39353136643865303636 
diff --git a/playbooks/docker/services.yaml b/playbooks/docker/services.yaml index dabe244..5e1c169 100644 --- a/playbooks/docker/services.yaml +++ b/playbooks/docker/services.yaml @@ -20,38 +20,3 @@ # name: "{{ project_name }}" # compose: # - "{{ lookup('file', '../../files/docker/rss/docker-stack.yaml') | from_yaml }}" - - - name: Deploy Lemmy Services - vars: - project_name: lemmy - block: - - name: Create config - loop: - - customPostgresql.sql - community.docker.docker_config: - name: '{{ project_name + "_" + item }}' - data: "{{ lookup('file', '../../files/docker/lemmy/{{ item }}') | b64encode }}" - data_is_b64: true - state: present - labels: - com.docker.stack.namespace: "{{ project_name }}" - - name: Create secrets - loop: - - lemmy.hjson - - postgres_pass.txt - - pictrs.toml - community.docker.docker_secret: - name: '{{ project_name + "_" + item }}' - data: "{{ lookup('file', '../../files/docker/lemmy/{{ item }}') | b64encode }}" - data_is_b64: true - state: present - labels: - com.docker.stack.namespace: "{{ project_name }}" - - name: Deploy lemmy stack - # environment: "{{ lookup('ini', '../../files/docker/lemmy/.env') }}" - community.docker.docker_stack: - state: present - prune: true - name: "{{ project_name }}" - compose: - - "{{ lookup('file', '../../files/docker/lemmy/docker-stack.yaml') | from_yaml }}" From fd44bd54a50a81ab79c1b6fb7ebe5839dacce479 Mon Sep 17 00:00:00 2001 
From: aleidk Date: Mon, 10 Feb 2025 13:16:28 -0300 Subject: [PATCH 2/2] chore: add files from base_repo template --- .devfiles/hooks/.gitkeep | 0 .devfiles/hooks/commit-msg.sh | 5 ++++ .devfiles/hooks/pre-commit.sh | 16 ++++++++++ .devfiles/justfile | 22 ++++++++++---- .devfiles/scripts/.gitkeep | 0 .devfiles/scripts/dependecy-check.sh | 30 +++++++++++++++++++ .devfiles/scripts/gitignore.sh | 42 +++++++++++++++++++++++++++ .env.agebox | Bin 0 -> 462 bytes .gitleaksignore | 3 ++ .justfile | 3 +- cog.toml | 31 ++++++++++++++++++++ roles/common/files/robo_key | 25 ---------------- roles/common/files/robo_key.agebox | 5 ++++ 13 files changed, 151 insertions(+), 31 deletions(-) create mode 100644 .devfiles/hooks/.gitkeep create mode 100644 .devfiles/hooks/commit-msg.sh create mode 100644 .devfiles/hooks/pre-commit.sh create mode 100644 .devfiles/scripts/.gitkeep create mode 100755 .devfiles/scripts/dependecy-check.sh create mode 100755 .devfiles/scripts/gitignore.sh create mode 100644 .env.agebox create mode 100644 .gitleaksignore create mode 100644 cog.toml delete mode 100644 roles/common/files/robo_key create mode 100644 roles/common/files/robo_key.agebox diff --git a/.devfiles/hooks/.gitkeep b/.devfiles/hooks/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/.devfiles/hooks/commit-msg.sh b/.devfiles/hooks/commit-msg.sh new file mode 100644 index 0000000..1c54b90 --- /dev/null +++ b/.devfiles/hooks/commit-msg.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash + +set -euxo pipefail + +cog verify --file "$1" diff --git a/.devfiles/hooks/pre-commit.sh b/.devfiles/hooks/pre-commit.sh new file mode 100644 index 0000000..c8d84f5 --- /dev/null +++ b/.devfiles/hooks/pre-commit.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +set -euxo pipefail + +root="$(git rev-parse --show-toplevel)" + +cd "$root" + +export PATH=$PATH:.devfiles/bin + +gitleaks git + +# Only validate encrypted files if we are tracking any +if [[ -e .ageboxreg.yml ]]; then + agebox validate --no-decrypt +fi 
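Review bot: `gitleaks git` with no staged/pre-commit mode scans the repository's commit history rather than the changes about to be committed, so the hook re-scans every past commit on each run and only sees the staged diff once it is already in history; recent gitleaks releases offer a pre-commit mode (`gitleaks git --pre-commit`) that scans the staged changes, which is what a commit-time hook should run (confirm the flag against the version the justfile downloads). A history scan also cannot undo what is already committed: the lemmy.hjson and pictrs.toml deleted in the first patch of this series carried a plaintext database password, pict-rs api_key and SMTP login, and those values remain in history after the deletion, so they need to be rotated independently of this hook. `export PATH=$PATH:.devfiles/bin` adds a relative entry that only resolves while the cwd is the repository root; `export PATH="$root/.devfiles/bin:$PATH"` keeps it valid if a later step changes directory and, by prepending, lets the repo-pinned binary take precedence over a system one, matching what dependecy-check.sh in the same series does.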
diff --git a/.devfiles/justfile b/.devfiles/justfile index 1833382..2d9a105 100644 --- a/.devfiles/justfile +++ b/.devfiles/justfile @@ -1,14 +1,22 @@ set dotenv-load := true +export PATH := source_dir() + "/bin:" + source_dir() + "/scripts:" + env("PATH") export AGEBOX_DEBUG := "0" export AGEBOX_PUBLIC_KEYS := source_dir() + "/public_keys.txt" -fetch-deps: - .devfiles/scripts/fetch_gh_release.sh "slok/agebox" "agebox-linux-amd64" "agebox" +# Install agebox from the latest github realse +install-agebox: + curl -sSL "https://github.com/slok/agebox/releases/latest/download/agebox-linux-amd64" -o .devfiles/bin/agebox + chmod + x .devfiles/bin/agebox + +[no-cd] +install-hooks: + cog install-hook --all # Easy and simple file repository encryption tool based on Age. +[working-directory('..')] agebox +ARGS="--help": - @.devfiles/bin/agebox {{ ARGS }} + @agebox {{ ARGS }} # Encrypt the provided files, relative to project root. encrypt +FILES: (agebox "encrypt " + FILES) @@ -26,7 +34,11 @@ decrypt-all: (agebox "decrypt --all --force") reencrypt: (agebox "reencrypt") # Show the content of an encrypted file to stdout. -peek +FILES: (agebox "cat " + FILES) +crypt-peek +FILES: (agebox "cat " + FILES) # Validate that all tracked files are encrypted. -check:(agebox "validate --no-decrypt ") +crypt-check:(agebox "validate --no-decrypt ") + +# Validate no credentials are pushed to git +leaks: + @gitleaks git --verbose --redact diff --git a/.devfiles/scripts/.gitkeep b/.devfiles/scripts/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/.devfiles/scripts/dependecy-check.sh b/.devfiles/scripts/dependecy-check.sh new file mode 100755 index 0000000..684a14b --- /dev/null +++ b/.devfiles/scripts/dependecy-check.sh 
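Review bot: `chmod + x .devfiles/bin/agebox` in install-agebox is split into two arguments, so chmod receives the empty mode `+` and treats `x` as a file name; it fails on the nonexistent `x` and the downloaded binary never becomes executable — `chmod +x .devfiles/bin/agebox`. The curl line lacks `--fail`, so a 404 or other HTTP error body is written into `.devfiles/bin/agebox` as if it were the binary; `curl -fsSL "https://github.com/slok/agebox/releases/latest/download/agebox-linux-amd64" -o .devfiles/bin/agebox` makes the recipe stop instead, and if `.devfiles/bin` is not tracked (this series adds `.gitkeep` only under hooks/ and scripts/) a `mkdir -p .devfiles/bin` is needed before the `-o`. Fetching `releases/latest` with no checksum or signature verification installs whatever that URL serves at the moment the recipe runs, and that binary is then executed inside every pre-commit via the hooks added here; pinning a release tag and comparing against a published checksum, if the project provides one, bounds that. The comment typo `realse` should read `release`.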
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash + +set -euo pipefail + +root="$(git rev-parse --show-toplevel)" + +export PATH=$root/.devfiles/bin:$root/.devfiles/scripts:$PATH + +devtools=( + age + agebox + cog + gitleaks +) + +missing_tools=() + +for cmd in "${devtools[@]}"; do + if ! command -v "$cmd" &>/dev/null; then + missing_tools+=("$cmd") + fi +done + +if [[ ${#missing_tools[@]} != 0 ]]; then + echo "The following tools where not found:" + printf "%s\n" "${missing_tools[@]}" + exit 1 +else + echo -e "All tools are installed!" +fi diff --git a/.devfiles/scripts/gitignore.sh b/.devfiles/scripts/gitignore.sh new file mode 100755 index 0000000..0b5100d --- /dev/null +++ b/.devfiles/scripts/gitignore.sh @@ -0,0 +1,42 @@ +#!/usr/bin/env bash + +set -euo pipefail + +root="$(git rev-parse --show-toplevel)" + +base_url="https://git.alecodes.page/api/v1/gitignore/templates" + +query="$*" + +list_available() { + curl -Ssl $base_url | jq -r '.[]' +} + +if [[ -z $query ]]; then + list_available + exit 0 +fi + +tmp_file="$(mktemp)" + +for template in $query; do + # Capitalize the string + template=${template,,} + template=${template^} + + response="$(curl -Ssl "$base_url/$template")" + name="$(echo "$response" | jq -r '.name')" + content="$(echo "$response" | jq -r '.source')" + + if [[ "$content" == "null" ]]; then + echo "Template not found, available options:" + list_available + exit 1 + fi + + printf "\n### %s\n\n%s\n\n" "$name" "$content" >>"$tmp_file" +done + +sed -i -ne "/#### -- TEMPLATES BEGIN -- ####/ {p; r $tmp_file" -e ':a; n; /#### -- TEMPLATES END -- ####/ {p; b}; ba}; p' "$root/.gitignore" + +rm "$tmp_file" 
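Review bot: `[[ ${#missing_tools[@]} != 0 ]]` compares the array length as a string; `(( ${#missing_tools[@]} ))` or `-ne 0` states the numeric intent, and `echo -e "All tools are installed!"` interprets no escapes, so plain `echo` suffices. The user-facing message `The following tools where not found:` should read `were`. The file name `dependecy-check.sh` is misspelled; renaming it to `dependency-check.sh` is cheaper now than after other recipes reference the path.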
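Review bot: `curl -Ssl` on both requests uses `-l`, curl's FTP list-only switch, which is ignored for HTTPS, so redirects are not followed; the intended flags are almost certainly `-sSL`. Neither call passes `--fail`, so an HTTP error body is handed to jq as though it were a template: list_available feeds the error JSON to `.[]`, and the per-template `"null"` check only catches the case where the server answers with a JSON document lacking `.source`. `curl -fsSL "$base_url"` (and the same on the per-template fetch) makes the script stop on HTTP errors under `set -e`, and quoting `$base_url` matches the second call. The `exit 1` inside the loop leaves the mktemp file behind; `trap 'rm -f "$tmp_file"' EXIT` right after `tmp_file="$(mktemp)"` covers both that path and the normal one, at which point the trailing `rm "$tmp_file"` can go.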
diff --git a/.env.agebox b/.env.agebox new file mode 100644 index 0000000000000000000000000000000000000000..ae7ac752cbbcba1333f0bfd9bb5a3fe26dbf7df0 GIT binary patch literal 462 zcmV;<0WtnzXJsvAZewzJaCB*JZZ2ymSura}OiFJ}Q%X-yFmYN`Z+T>JZFgojQcVg{S9wK4ZF)gyZESNgQfo9ZS3-9+ zQa5E;GHOeBbZc5#R7gU1NK9BWL`e!QEiE8YF+wypQ$=9dxFscG>A|Ti2hR9A+Nm$c~(ZM1n<^D X25519 gYcsPablv8DX5YR2YElCe9IYxd4jACU30GaL97JfETM +PSYUSaAkiHBtprz6qUKqP8RFPkgHCwwnFCACzKlsGU0 +--- giGOMUX2iMWaixyGM7ZxyCPMz10xFxNIJA9vpsJEW+4 +JvtpT(~AnfL3$PyU !]oޘב/׏L S:b-frql=@wrq6{eۃlg u{bL_>cb4?e})Pp|D,oIX_cpG%yG)`sR7PRKu% z0aԮXKr>'SLwppIo/M /2:@.n9 cXG_-ObOPTDƙ`p:F{,xULa1erB\J BqesBѽ="X70=vyWǁ }U'!: ;pnr2D*nQv4%|KxH\1:D40r{ \ No newline at end of file