chore: add files from base_repo template

.devfiles/hooks/commit-msg.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+cog verify --file "$1"

.devfiles/hooks/pre-commit.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+cd "$root"
+
+export PATH=$PATH:.devfiles/bin
+
+gitleaks git
+
+# Only validate encrypted files if we are tracking any
+if [[ -e .ageboxreg.yml ]]; then
+  agebox validate --no-decrypt
+fi

.devfiles/justfile

@@ -1,14 +1,22 @@
 set dotenv-load := true
 
+export PATH := source_dir() + "/bin:" + source_dir() + "/scripts:" + env("PATH")
 export AGEBOX_DEBUG := "0"
 export AGEBOX_PUBLIC_KEYS := source_dir() + "/public_keys.txt"
 
-fetch-deps:
-  .devfiles/scripts/fetch_gh_release.sh "slok/agebox" "agebox-linux-amd64" "agebox"
+# Install agebox from the latest github realse
+install-agebox:
+  curl -sSL "https://github.com/slok/agebox/releases/latest/download/agebox-linux-amd64" -o .devfiles/bin/agebox
+  chmod + x .devfiles/bin/agebox
+
+[no-cd]
+install-hooks:
+  cog install-hook --all
 
 # Easy and simple file repository encryption tool based on Age.
+[working-directory('..')]
 agebox +ARGS="--help":
-  @.devfiles/bin/agebox  {{ ARGS }}
+  @agebox  {{ ARGS }}
 
 # Encrypt the provided files, relative to project root.
 encrypt +FILES: (agebox "encrypt " + FILES)
@@ -26,7 +34,11 @@ decrypt-all: (agebox "decrypt --all --force")
 reencrypt: (agebox "reencrypt")
 
 # Show the content of an encrypted file to stdout.
-peek +FILES: (agebox "cat " + FILES)
+crypt-peek +FILES: (agebox "cat " + FILES)
 
 # Validate that all tracked files are encrypted.
-check:(agebox "validate --no-decrypt ")
+crypt-check:(agebox "validate --no-decrypt ")
+
+# Validate no credentials are pushed to git
+leaks:
+  @gitleaks git --verbose --redact

.devfiles/scripts/dependecy-check.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+export PATH=$root/.devfiles/bin:$root/.devfiles/scripts:$PATH
+
+devtools=(
+  age
+  agebox
+  cog
+  gitleaks
+)
+
+missing_tools=()
+
+for cmd in "${devtools[@]}"; do
+  if ! command -v "$cmd" &>/dev/null; then
+    missing_tools+=("$cmd")
+  fi
+done
+
+if [[ ${#missing_tools[@]} != 0 ]]; then
+  echo "The following tools where not found:"
+  printf "%s\n" "${missing_tools[@]}"
+  exit 1
+else
+  echo -e "All tools are installed!"
+fi

.devfiles/scripts/gitignore.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+root="$(git rev-parse --show-toplevel)"
+
+base_url="https://git.alecodes.page/api/v1/gitignore/templates"
+
+query="$*"
+
+list_available() {
+  curl -Ssl $base_url | jq -r '.[]'
+}
+
+if [[ -z $query ]]; then
+  list_available
+  exit 0
+fi
+
+tmp_file="$(mktemp)"
+
+for template in $query; do
+  # Capitalize the string
+  template=${template,,}
+  template=${template^}
+
+  response="$(curl -Ssl "$base_url/$template")"
+  name="$(echo "$response" | jq -r '.name')"
+  content="$(echo "$response" | jq -r '.source')"
+
+  if [[ "$content" == "null" ]]; then
+    echo "Template not found, available options:"
+    list_available
+    exit 1
+  fi
+
+  printf "\n### %s\n\n%s\n\n" "$name" "$content" >>"$tmp_file"
+done
+
+sed -i -ne "/#### -- TEMPLATES BEGIN -- ####/ {p; r $tmp_file" -e ':a; n; /#### -- TEMPLATES END -- ####/ {p; b}; ba}; p' "$root/.gitignore"
+
+rm "$tmp_file"

.gitleaksignore

@@ -0,0 +1,3 @@
+467de171837c165cd412332584d54201f93b0d41:files/docker/lemmy/lemmy.hjson:generic-api-key:12
+467de171837c165cd412332584d54201f93b0d41:files/docker/lemmy/lemmy.hjson:generic-api-key:8
+467de171837c165cd412332584d54201f93b0d41:files/docker/lemmy/pictrs.toml:generic-api-key:2

.justfile

@@ -1,4 +1,5 @@
-import '.devfiles/justfile'
+# Repo management tasks
+mod repo '.devfiles/justfile'
 
 export ANSIBLE_VAULT_PASSWORD_FILE := justfile_directory() + "/.decrypt-pass.txt"
 export ANSIBLE_BECOME_PASSWORD_FILE := justfile_directory() + "/.become-pass.txt"

cog.toml

@@ -0,0 +1,31 @@
+from_latest_tag = false
+ignore_merge_commits = true
+disable_changelog = false
+disable_bump_commit = false
+generate_mono_repository_global_tag = true
+generate_mono_repository_package_tags = true
+branch_whitelist = []
+skip_ci = "[skip ci]"
+skip_untracked = false
+pre_bump_hooks = []
+post_bump_hooks = []
+pre_package_bump_hooks = []
+post_package_bump_hooks = []
+
+[git_hooks]
+
+[git_hooks.pre-commit]
+path = ".devfiles/hooks/pre-commit.sh"
+
+[git_hooks.commit-msg]
+path = ".devfiles/hooks/commit-msg.sh"
+
+[commit_types]
+
+[changelog]
+path = "CHANGELOG.md"
+authors = []
+
+[bump_profiles]
+
+[packages]

files/docker/lemmy/customPostgresql.sql

@@ -1,32 +0,0 @@
--- DB Version: 17
--- OS Type: linux
--- DB Type: web
--- Total Memory (RAM): 512 MB
--- Data Storage: hdd
-
-ALTER SYSTEM SET
- max_connections = '200';
-ALTER SYSTEM SET
- shared_buffers = '128MB';
-ALTER SYSTEM SET
- effective_cache_size = '384MB';
-ALTER SYSTEM SET
- maintenance_work_mem = '32MB';
-ALTER SYSTEM SET
- checkpoint_completion_target = '0.9';
-ALTER SYSTEM SET
- wal_buffers = '3932kB';
-ALTER SYSTEM SET
- default_statistics_target = '100';
-ALTER SYSTEM SET
- random_page_cost = '4';
-ALTER SYSTEM SET
- effective_io_concurrency = '2';
-ALTER SYSTEM SET
- work_mem = '327kB';
-ALTER SYSTEM SET
- huge_pages = 'off';
-ALTER SYSTEM SET
- min_wal_size = '1GB';
-ALTER SYSTEM SET
- max_wal_size = '4GB';

files/docker/lemmy/docker-stack.yaml

@@ -1,131 +0,0 @@
-networks:
-  reverse_proxy:
-    external: true
-
-configs:
-  lemmy_customPostgresql.sql:
-    external: true
-
-secrets:
-  lemmy_lemmy.hjson:
-    external: true
-  lemmy_postgres_pass.txt:
-    external: true
-  lemmy_pictrs.toml:
-    external: true
-
-volumes:
-  ui_themes:
-  pictrs:
-  db:
-
-services:
-  lemmy:
-    image: dessalines/lemmy:0.19.8
-    restart: always
-    networks:
-      - default
-      - reverse_proxy
-    environment:
-      - RUST_LOG="info"
-    secrets:
-      - source: lemmy_lemmy.hjson
-        target: /config/config.hjson
-    deploy:
-      rollback_config:
-        failure_action: continue
-      update_config:
-        delay: 2s
-        failure_action: rollback
-        order: start-first
-      placement:
-        constraints:
-          - node.labels.services_kind==${SERVICE_KIND:-common}
-      labels:
-        - traefik.enable=true
-        - traefik.http.routers.lemmy.rule=Host(`lemmy.alecodes.page`) && (PathRegexp(`^/(api|pictrs|feeds|nodeinfo|\\.well-known)`) || HeaderRegexp(`Accept`, `^application/.*`))
-        - traefik.http.services.lemmy.loadbalancer.server.port=8536
-        - traefik.http.middlewares.lemmy-max-bodysize.buffering.maxRequestBodyBytes=20971520 # 20M
-        - traefik.http.routers.lemmy.middlewares=lemmy-max-bodysize
-
-  lemmy_ui:
-    image: dessalines/lemmy-ui:0.19.8
-    restart: always
-    networks:
-      - default
-      - reverse_proxy
-    environment:
-      - LEMMY_UI_LEMMY_INTERNAL_HOST=tasks.lemmy:8536
-      - LEMMY_UI_LEMMY_EXTERNAL_HOST=lemmy.alecodes.page
-      - LEMMY_UI_HTTPS=true
-    volumes:
-      - ui_themes:/app/extra_themes
-    deploy:
-      rollback_config:
-        failure_action: continue
-      update_config:
-        delay: 2s
-        failure_action: rollback
-        order: start-first
-      placement:
-        constraints:
-          - node.labels.services_kind==${SERVICE_KIND:-common}
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.middlewares.lemmy-ui-client-max-bodysize.buffering.maxRequestBodyBytes=20971520" # 20M
-        - "traefik.http.routers.lemmy-ui.middlewares=lemmy-ui-client-max-bodysize"
-        - "traefik.http.routers.lemmy-ui.rule=Host(`lemmy.alecodes.page`)"
-        - "traefik.http.routers.lemmy-ui.service=lemmy-ui"
-        - "traefik.http.services.lemmy-ui.loadbalancer.server.port=1234"
-
-        - "traefik.http.routers.lemmy-security-txt.rule=Host(`lemmy.alecodes.page`) && Path(`/.well-known/security.txt`)"
-        - "traefik.http.routers.lemmy-security-txt.service=lemmy-security-txt"
-        - "traefik.http.services.lemmy-security-txt.loadbalancer.server.port=1234"
-
-  pictrs:
-    image: asonix/pictrs:0.5.16
-    restart: always
-    # this needs to match the pictrs url in lemmy_lemmy.hjson
-    entrypoint: /sbin/tini -- /usr/local/bin/pict-rs -c /run/secrets/lemmy_pictrs.toml run
-    secrets:
-      - lemmy_pictrs.toml
-    environment:
-      - RUST_BACKTRACE=full
-    user: 991:991
-    volumes:
-      - pictrs:/mnt:Z
-    deploy:
-      rollback_config:
-        failure_action: continue
-      update_config:
-        delay: 2s
-        failure_action: rollback
-        order: start-first
-      placement:
-        constraints:
-          - node.labels.services_kind==${SERVICE_KIND:-common}
-
-  lemmy_db:
-    image: pgautoupgrade/pgautoupgrade:17-bookworm
-    restart: always
-    secrets:
-      - lemmy_postgres_pass.txt
-    configs:
-      - source: lemmy_customPostgresql.sql
-        target: /docker-entrypoint-initdb.d/config.sql
-    environment:
-      - POSTGRES_USER=lemmy
-      - POSTGRES_PASSWORD_FILE=/run/secrets/lemmy_postgres_pass.txt
-      - POSTGRES_DB=lemmy
-    volumes:
-      - db:/var/lib/postgresql/data:Z
-    deploy:
-      rollback_config:
-        failure_action: continue
-      update_config:
-        delay: 2s
-        failure_action: rollback
-        order: start-first
-      placement:
-        constraints:
-          - node.labels.services_kind==${SERVICE_KIND:-common}

files/docker/lemmy/lemmy.hjson

@@ -1,21 +0,0 @@
-{
-  # for more info about the config, check out the documentation
-  # https://join-lemmy.org/docs/en/administration/configuration.html
-  hostname: "lemmy.alecodes.page"
-  tls_enabled: true
-  database: {
-    host: "tasks.lemmy_db"
-    password: "529a6b836665075b535f8cc56d8f30cde7b7c9b01062feaa1b0da817fd7af2f8"
-  }
-  pictrs: {
-    url: "http://tasks.pictrs:8080/"
-    api_key: "529a6b836665075b535f8cc56d8f30cde7b7c9b01062feaa1b0da817fd7af2f8"
-  }
-  email: {
-    smtp_server: "smtp.gmail.com:587"
-    smtp_login: "ale.navarro.parra@gmail.com"
-    smtp_password: "steuuamhzngjgfwn"
-    smtp_from_address: "ale.navarro.parra@gmail.com"
-    tls_type: "starttls"
-  }
-}

files/docker/lemmy/pictrs.toml

@@ -1,10 +0,0 @@
-[server]
-api_key = '529a6b836665075b535f8cc56d8f30cde7b7c9b01062feaa1b0da817fd7af2f8'
-
-[media.animation]
-max_width = 256
-max_height = 256
-max_frame_count = 400
-
-[media.video]
-video_codec = 'vp9'

files/docker/lemmy/postgres_pass.txt

@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-65343339376264393533303231656562316534643432643737653132646561316266386363376331
-6137323165303633633535653537336436333834363564660a303934353533643965323636346536
-38613331623336303130383261623162333437363830326434393463333564623032383434316130
-6564646161353937320a666531326338663433326431346539346335346430653032643530386231
-64636263343437333066323163336637386639643836336438663730623633633666383737353461
-62656262626537303838613764366565393863393961373564343230363433343737303834353037
-31653136323563333164303766636539313362363434336430303962653633316661623932396137
-39353136643865303636

playbooks/docker/services.yaml

@@ -20,38 +20,3 @@
     #       name: "{{ project_name }}"
     #       compose:
     #         - "{{ lookup('file', '../../files/docker/rss/docker-stack.yaml') | from_yaml }}"
-
-    - name: Deploy Lemmy Services
-      vars:
-        project_name: lemmy
-      block:
-      - name: Create config
-        loop:
-          - customPostgresql.sql
-        community.docker.docker_config:
-          name: '{{ project_name + "_" + item }}'
-          data: "{{ lookup('file', '../../files/docker/lemmy/{{ item }}') | b64encode }}"
-          data_is_b64: true
-          state: present
-          labels:
-            com.docker.stack.namespace: "{{ project_name }}"
-      - name: Create secrets
-        loop:
-          - lemmy.hjson
-          - postgres_pass.txt
-          - pictrs.toml
-        community.docker.docker_secret:
-          name: '{{ project_name + "_" + item }}'
-          data: "{{ lookup('file', '../../files/docker/lemmy/{{ item }}') | b64encode }}"
-          data_is_b64: true
-          state: present
-          labels:
-            com.docker.stack.namespace: "{{ project_name }}"
-      - name: Deploy lemmy stack
-        # environment: "{{ lookup('ini', '../../files/docker/lemmy/.env') }}"
-        community.docker.docker_stack:
-          state: present
-          prune: true
-          name: "{{ project_name }}"
-          compose:
-            - "{{ lookup('file', '../../files/docker/lemmy/docker-stack.yaml') | from_yaml }}"

roles/common/files/robo_key

@@ -1,25 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-34326137303139636664306330643433353766383839373262633531633336336434326136633331
-6266336136633662366234303339343435633935653835330a313337386531346535633164363732
-33333162663564343032323038353737663532616133353538626265646665393131336132393863
-3335613064643365380a366633363531363332663939343030373265343438633365633264376236
-30313862373337343961363164666166633137636232646365666333333261356264313235643365
-36663336636132376366396338346164303066343234613236633561393063313636616630303838
-33636231373465333830613630393366653363643561396465363765383764326538633464366530
-66626363336565343832373631363237653333653265616331623938356266343235656239656134
-66306565646333656337336632636162356531666337613766396439623135633430623132643335
-32373965613962336338633933346437396139393539656437326666363661653231653230313634
-61633032316436646663616437343161363534383365656364303131646636643232366361653231
-30643839343961366665653265666662386537623738356537393364336365396136346361656538
-38653936613261306632386665336162666539646564666232353064646564643036343437396566
-64656261633534316166656564326563323732316436316161303633373564653834356433366561
-39643164373866346531353037613563623038626536616434316266323130643534303736653263
-63643632316562616462333835343437613865363763323464646231343066393264653833383662
-30326332373432326665306338383963333137376538373839626631356236353838376332636132
-64636632336139396437356336326331343832346166386136356239323966376532346130613833
-36316633633536653163313166396238373139383763306532346334343466366136636339646235
-66326162323666306566616339353930353732336538303835366132363139336462373736366538
-39636138383536363332326534356366313362353739373666303133326364643832616431316363
-35393364386536393761303733336230633832646531623264616463323862313565316566666137
-30306433313563313363643034356265316564393166336361663431633930663361356432313861
-38393732626237353131

roles/common/files/robo_key.agebox

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> X25519 gYcsPablv8DX5YR2YElCe9IYxd4jACU30GaL97JfETM
+PSYUSaAkiHBtprz6qUKqP8RFPkgHCwwnFCACzKlsGU0
+--- giGOMUX2iMWaixyGM7ZxyCPMz10xFxNIJA9vpsJEW+4
+Jïö™µ–vÝtôüpŸT(~AnfL¦™¿“3Â$PÈyU	î<>“²ü!˜…]ìoޘב/×<>£LµÓ¦S:…bÔå-fÓÂrÿ¢Åql¢=@Ùwrq6{±eÛƒ€lg¸ø<C2B8>ö‘ué”Ã×{<7B>›b·L_®“º>cÆb4?eŠ®}¡)Pp|ÚD,üØo²¢Ië’X•_×c´ì‰êƒpGÖø¡¿%y¾ÿG)`<60>žãŒsR7PR<50>æKu%¼	ÁØz0a›Ô®˜XKìrÍ>'ðßSáÖLwÁp¬pIo/MåšçÎ	è/2:€@.n9þcXùåÔÃÙG_¤-ŽObš†½O<C2BD>PÆTDÆ™`p:F˜¬{,ŠxUµûLa• 1•ãšerÓÙB»½‹‡\ÅJ
Bë˜q¬e…sB‘ѽ=ˆíù"è‹X7õ0<C3B5>=vyWÆÇ<C386>
Îÿ¿æ}U¦'ÒÅõ!å:Ö ;p·‡nÌÂr2ªD¨*²n¤äQv4™É%ª|Kx¯ó®ŸîÃH“\“Ç1¬¤:D40r«ì†{†”