Merge branch 'master' into antifascista

.woodpecker.yml

@@ -2,13 +2,18 @@ pipeline:
   publish:
     image: plugins/docker
     registry: registry.nulo.in
-    repo: registry.nulo.in/sutty/CHANGEME
+    repo: registry.nulo.in/sutty/geminabox
     tags:
-    - ${ALPINE_VERSION}
+    - ${ALPINE_VERSION}-${RUBY_VERSION}.${RUBY_PATCH}
     - latest
     build_args:
+    - RUBY_VERSION=${RUBY_VERSION}
+    - RUBY_PATCH=${RUBY_PATCH}
+    - NIO4R_VERSION=${NIO4R_VERSION}
+    - PUMA_VERSION=${PUMA_VERSION}
+    - HIREDIS_VERSION=${HIREDIS_VERSION}
     - ALPINE_VERSION=${ALPINE_VERSION}
-    - BASE_IMAGE=registry.nulo.in/sutty/monit
+    - BASE_IMAGE=registry.nulo.in/sutty/ruby
     username: sutty
     secrets:
     - docker_password
@@ -16,7 +21,19 @@ pipeline:
       branch: antifascista
       event: push
 matrix:
-  ALPINE_VERSION:
+  NIO4R_VERSION: 2.5.8
-  - 3.13.7
+  PUMA_VERSION: 5.6.2
-  - 3.14.3
+  HIREDIS_VERSION: 0.6.3
-  - 3.15.0
+  include:
+  - ALPINE_VERSION: 3.13.6
+    RUBY_VERSION: 2.7
+    RUBY_PATCH: 5
+  - ALPINE_VERSION: 3.13.7
+    RUBY_VERSION: 2.7
+    RUBY_PATCH: 5
+  - ALPINE_VERSION: 3.14.3
+    RUBY_VERSION: 2.7
+    RUBY_PATCH: 5
+  - ALPINE_VERSION: 3.15.0
+    RUBY_VERSION: 3.0
+    RUBY_PATCH: 3

Dockerfile

@@ -1,4 +1,43 @@
 ARG ALPINE_VERSION=3.13.6
-ARG BASE_IMAGE=sutty/monit
+ARG RUBY_VERSION=2.7
-FROM ${BASE_IMAGE}:${ALPINE_VERSION}
+ARG RUBY_PATCH=5
+ARG BASE_IMAGE=registry.nulo.in/sutty/ruby
+FROM ${BASE_IMAGE}:${ALPINE_VERSION}-${RUBY_VERSION}.${RUBY_PATCH}
+
+ARG ALPINE_VERSION
+ARG NIO4R_VERSION=2.5.8
+ARG PUMA_VERSION=5.6.2
+ARG HIREDIS_VERSION=0.6.3
+
 MAINTAINER "f <f@sutty.nl>"
+
+ENV RACK_ENV=production
+ENV REDIS_SERVER=redis://redis:6379/2
+
+RUN getent group 82 || addgroup -g 82 -S www-data
+RUN adduser -s /bin/sh -G www-data -h /srv -D ruby
+RUN install -dm 2750 -o ruby -g www-data /srv/gems
+
+RUN apk add --no-cache daemonize
+
+USER ruby
+WORKDIR /srv
+COPY --chown=ruby:www-data ./Gemfile .
+COPY --chown=ruby:www-data ./config.ru .
+COPY --chown=ruby:www-data ./${ALPINE_VERSION}/nio4r-${NIO4R_VERSION}-x86_64-linux-musl.gem .
+COPY --chown=ruby:www-data ./${ALPINE_VERSION}/puma-${PUMA_VERSION}-x86_64-linux-musl.gem .
+COPY --chown=ruby:www-data ./${ALPINE_VERSION}/hiredis-${HIREDIS_VERSION}-x86_64-linux-musl.gem .
+
+# Bootstrap
+RUN gem install --no-document --user-install \
+      ./nio4r-${NIO4R_VERSION}-x86_64-linux-musl.gem \
+      ./puma-${PUMA_VERSION}-x86_64-linux-musl.gem \
+      ./hiredis-${HIREDIS_VERSION}-x86_64-linux-musl.gem
+RUN bundle install --no-cache --clean --path ~/.gem
+
+COPY ./monit.conf /etc/monit.d/geminabox.conf
+COPY ./geminabox.sh /usr/local/bin/geminabox
+
+USER root
+EXPOSE 9292
+VOLUME /srv/gems

Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+gem 'redis-rack'
+gem 'hiredis'
+gem 'redis', require: %w[redis redis/connection/hiredis]
+gem 'geminabox'
+gem 'puma'

config.ru

@@ -0,0 +1,45 @@
+require 'geminabox'
+require 'rack/session/redis'
+require 'securerandom'
+
+Geminabox.data = '/srv/gems'
+Geminabox.rubygems_proxy = true
+Geminabox.allow_remote_failure = true
+
+# https://github.com/geminabox/geminabox/wiki/Http-Basic-Auth
+Geminabox::Server.helpers do
+  def protected!
+    unless authorized?
+      response['WWW-Authenticate'] = %(Basic realm="Geminabox")
+      halt 401, "No pushing or deleting without auth.\n"
+    end
+  end
+
+  def authorized?
+    @auth ||=  Rack::Auth::Basic::Request.new(request.env)
+    @auth.provided? &&
+      @auth.basic? &&
+      @auth.credentials &&
+      @auth.credentials == [ENV.fetch('HTTP_BASIC_USER', SecureRandom.hex),
+                            ENV.fetch('HTTP_BASIC_PASSWORD', SecureRandom.hex)]
+  end
+end
+
+Geminabox::Server.before '/upload' do
+  protected!
+end
+
+Geminabox::Server.before do
+  protected! if request.delete?
+end
+
+Geminabox::Server.before '/api/v1/gems' do
+  unless ENV['HTTP_AUTHORIZATION'] == 'API_KEY'
+    halt 401, "Access Denied. Api_key invalid or missing.\n"
+  end
+end
+
+use Rack::Session::Redis, redis_server: ENV['REDIS_SERVER']
+use Rack::Protection
+
+run Geminabox::Server

geminabox.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+
+dir=/srv/gems
+pid=/tmp/geminabox.pid
+
+cd ${dir}
+
+for link in Gemfile Gemfile.lock .bundle config.ru; do
+  test -e ${link} || ln -s ../${link} .
+done
+
+chown -R ruby:www-data ${dir}
+
+case $1 in
+  start)
+    rm -f ${pid}
+    daemonize -p ${pid} -l ${pid} -c ${dir} -u ruby /usr/bin/bundle exec rackup
+    ;;
+  start)
+    test ! -f ${pid} || cat ${pid} | xargs -r kill
+    rm -f ${pid}
+    ;;
+esac

monit.conf

@@ -0,0 +1,4 @@
+check process geminabox with pidfile /tmp/geminabox.pid
+  start program = "/usr/local/bin/geminabox start"
+  stop program = "/usr/local/bin/geminabox stop"
+  if failed port 9292 protocol http for 3 times within 5 cycles then restart