Bump

Signed-off-by: dubo-dubon-duponey <dubodubonduponey+github@pm.me>
dubo-dubon-duponey · Aug 31, 2020 · c820ed6 · c820ed6
1 parent d3d69b5
commit c820ed6
Show file tree

Hide file tree

Showing 12 changed files with 148 additions and 99 deletions.
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -2,10 +2,6 @@ name: CI
 
 on: [push, pull_request]
 
-env:
-  DEBOOTSTRAP_SUITE: buster
-  DEBOOTSTRAP_DATE: 2020-08-01
-
 jobs:
   test:
     # The type of runner that the job will run on
@@ -15,6 +11,8 @@ jobs:
     steps:
       - name: Checks-out repository
         uses: actions/checkout@v2
+        with:
+          submodules: true
 
       - name: Enable cache
         uses: actions/cache@v2.1.1
@@ -31,7 +29,7 @@ jobs:
         run: |
           mkdir -p "$GITHUB_WORKSPACE/cache/apt"
           chmod a+rwx "$GITHUB_WORKSPACE/cache/apt"
-          docker run -d --name aptcache --read-only --cap-drop=ALL --volume $GITHUB_WORKSPACE/cache/apt:/data --expose 3142 dubodubonduponey/aptutil
+          docker run -d --name aptcache --read-only --cap-drop=ALL --volume $GITHUB_WORKSPACE/cache/apt:/data --expose 3142 dubodubonduponey/aptutil:buster-2020-08-01
 
       - name: Install multi-arch buildx environment
         run: |

diff --git a/.travis.yml b/.travis.yml
@@ -27,7 +27,7 @@ before_install:
   - docker run --rm --privileged docker/binfmt:a7996909642ee92942dcd6cff44b9b95f08dad64
 
 install:
-  - curl -sL -o hadolint "https://github.com/hadolint/hadolint/releases/download/v1.16.0/hadolint-$(uname -s)-$(uname -m)"
+  - curl -sL -o hadolint "https://github.com/hadolint/hadolint/releases/download/v1.18.0/hadolint-$(uname -s)-$(uname -m)"
     && chmod 700 ./hadolint
 
 script:
@@ -36,8 +36,4 @@ script:
 matrix:
   include:
     - os: linux
-      dist: bionic
-      env:
-        - DEBOOTSTRAP_SUITE=buster
-        - DEBOOTSTRAP_DATE=2020-08-01
-        - TEST_DOES_NOT_BUILD=
+      dist: focal
diff --git a/Dockerfile b/Dockerfile
@@ -39,16 +39,14 @@ RUN           env GOOS=linux GOARCH="$(printf "%s" "$TARGETPLATFORM" | sed -E 's
 # hadolint ignore=DL3006
 FROM          --platform=$BUILDPLATFORM $BUILDER_BASE                                                                   AS builder-caddy
 
-# This is 1.0.5
+# This is 2.1.1+ with golang 1.15 support (08/21/2020)
 ARG           GIT_REPO=github.com/caddyserver/caddy
-ARG           GIT_VERSION=11ae1aa6b88e45b077dd97cb816fe06cd91cca67
+ARG           GIT_VERSION=0279a57ac465b2920abf71d86203d9feac2015b5
 
 WORKDIR       $GOPATH/src/$GIT_REPO
 RUN           git clone https://$GIT_REPO .
 RUN           git checkout $GIT_VERSION
 
-COPY          builder/main.go cmd/caddy/main.go
-
 # hadolint ignore=DL4006
 RUN           env GOOS=linux GOARCH="$(printf "%s" "$TARGETPLATFORM" | sed -E 's/^[^/]+\/([^/]+).*/\1/')" go build -v -ldflags "-s -w" \
                 -o /dist/boot/bin/caddy ./cmd/caddy
@@ -94,14 +92,19 @@ COPY          --from=builder --chown=$BUILD_UID:root /dist .
 EXPOSE        8080/tcp
 
 VOLUME        /data
+VOLUME        /tmp
+
+ENV           ARCHITECTURES=armel,armhf,arm64,amd64,i386,s390x,ppc64el
 
 ENV           USERNAME=dubo-dubon-duponey
-ENV           PASSWORD=l00t
-ENV           ARCHITECTURES=amd64,arm64,armel,armhf
+ENV           PASSWORD=base64_bcrypt_encoded_use_caddy_hash_password_to_generate
+ENV           REALM="My precious"
+ENV           LOG_LEVEL=info
+ENV           PORT=8080
+
 
 # System constants, unlikely to ever require modifications in normal use
 ENV           HEALTHCHECK_URL=http://127.0.0.1:10042/healthcheck
-ENV           PORT=8080
 
 HEALTHCHECK   --interval=30s --timeout=30s --start-period=10s --retries=1 CMD http-health || exit 1
 

diff --git a/README.md b/README.md
@@ -0,0 +1,25 @@
+# Docker Aptly
+
+```bash
+
+# Start the way you want
+docker run -d \
+    --cap-drop ALL \
+    --read-only \
+    dubodubonduponey/aptly
+
+# Trust Debian keys
+docker exec -ti apt-mirror /boot/entrypoint.sh trust keys.gnupg.net 04EE7237B7D453EC 648ACFD622F3D138 EF0F382A1A7B6500 DCC9EFBF77E11517 AA8E81B4331F7F50 112695A0E562B32A
+
+# Generate your signing key
+docker exec -ti apt-mirror /boot/entrypoint.sh init "Dubo Dubon Duponey" dubodubonduponey@jsboot.space
+
+# Create new mirrors
+docker exec -ti apt-mirror /boot/entrypoint.sh aptly mirror create my-buster-mirror http://deb.debian.org/debian buster main contrib non-free
+docker exec -ti apt-mirror /boot/entrypoint.sh aptly mirror create my-buster-updates-mirror http://deb.debian.org/debian buster-updates main contrib non-free
+docker exec -ti apt-mirror /boot/entrypoint.sh aptly mirror create my-buster-security-mirror http://security.debian.org/debian-security buster/updates main contrib non-free
+
+# Force a first refresh of all mirrors
+docker exec -ti apt-mirror /boot/entrypoint.sh refresh
+```
+
diff --git a/build.sh b/build.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 
-export DEBOOTSTRAP_DATE="${DEBOOTSTRAP_DATE:-2020-08-01}"
+export DEBOOTSTRAP_DATE="${DEBOOTSTRAP_DATE:-2020-08-15}"
 
 # For good info on qemu / multi-arch and buildx:
 # https://medium.com/@artur.klauser/building-multi-architecture-docker-images-with-buildx-27d80f7e2408

diff --git a/context/builder/main.go b/context/builder/main.go
diff --git a/context/runtime/boot/entrypoint.sh b/context/runtime/boot/entrypoint.sh
@@ -19,9 +19,12 @@ readonly SUITE=buster
 readonly DATE="$(date +%Y-%m-%d)"
 readonly LONG_DATE="$(date +%Y%m%dT000000Z)"
 
-readonly GPG_ARGS=(--no-default-keyring --homedir "$GPG_HOME/home" --keyring "$KEYRING_LOCATION")
+readonly GPG_ARGS=(--no-default-keyring --keyring "$KEYRING_LOCATION")
+
+mkdir -p "$GPG_HOME/home"
+chmod go-rwx "$GPG_HOME/home"
+export GNUPGHOME="$GPG_HOME/home"
 
-mkdir -p "$GPG_HOME"
 
 gpg::trust(){
   local server="$1"
@@ -34,62 +37,22 @@ gpg::initialize(){
   local mail="$2"
   shift
   shift
-  {
-  cat <<EOF
-     %echo Generating a gpg signing key
-     %no-protection
-     Key-Type: default
-     Subkey-Type: default
-     Name-Real: $name
-     Name-Comment: Snapshot signing key
-     Name-Email: $mail
-     Expire-Date: 0
-     $@
-     %commit
-     %echo done
-EOF
-  } | gpg "${GPG_ARGS[@]}" --batch --generate-key /dev/stdin >/dev/null 2>&1
+  echo "%echo Generating a gpg signing key
+%no-protection
+Key-Type: default
+Subkey-Type: default
+Name-Real: $name
+Name-Comment: Snapshot signing key
+Name-Email: $mail
+Expire-Date: 0
+$*
+%commit
+%echo done" | gpg "${GPG_ARGS[@]}" --batch --generate-key /dev/stdin >/dev/null 2>&1
   gpg "${GPG_ARGS[@]}" --output "$GPG_HOME"/snapshot-signing-public-key.pgp --armor --export "$mail"
-  gpg --no-default-keyring --homedir "$GPG_HOME/home" --keyring "$GPG_HOME"/trusted.gpg --import "$GPG_HOME"/snapshot-signing-public-key.pgp
-  >&2 printf "You need to gpg import %s to consume this repo - alternatively, copy over %s as /etc/apt/trusted.gpg\n" "$GPG_HOME/snapshot-signing-public-key.pgp" "$GPG_HOME/trusted.gpg"
+  gpg --no-default-keyring --keyring "$GPG_HOME"/trusted-export.gpg --import "$GPG_HOME"/snapshot-signing-public-key.pgp
+  >&2 printf "You need to gpg import %s to consume this repo - alternatively, copy over %s as /etc/apt/trusted.gpg\n" "$GPG_HOME/snapshot-signing-public-key.pgp" "$GPG_HOME/trusted-export.gpg"
 }
 
-com="${1:-}"
-shift || true
-case "$com" in
-"aptly")
-  # Typically create a new mirror with:
-  # aptly mirror create "$nickname" "$url" "$suite" "$component"
-  aptly -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" "$@"
-  exit
-  ;;
-"trust")
-  # Typically "key server" "keys...": keys.gnupg.net 04EE7237B7D453EC 648ACFD622F3D138 EF0F382A1A7B6500 DCC9EFBF77E11517 AA8E81B4331F7F50 112695A0E562B32A
-  gpg::trust "$@"
-  exit
-  ;;
-"init")
-  # Typically "My name" "My email"
-  gpg::initialize "$@"
-  exit
-  ;;
-"refresh")
-  mirros="$(aptly -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" mirror list -raw)"
-  for mir in $mirros; do
-    aptly -keyring="$KEYRING_LOCATION" -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" mirror update "$mir" > /dev/null
-
-    ! aptly -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" publish show "$mir" :"archive/$mir/$LONG_DATE" > /dev/null || \
-      aptly -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" publish drop "$mir" :"archive/$mir/$LONG_DATE" > /dev/null
-
-    ! aptly -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" snapshot show "$mir-$DATE" > /dev/null || \
-      aptly -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" snapshot drop "$mir-$DATE" > /dev/null
-
-    aptly -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" snapshot create "$mir-$DATE" from mirror "$mir" > /dev/null
-    aptly -keyring="$KEYRING_LOCATION" -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" publish snapshot "$mir-$DATE" :"archive/$mir/$LONG_DATE" > /dev/null
-  done
-  ;;
-esac
-
 aptly::refresh(){
   local mirros
   local mir
@@ -111,13 +74,47 @@ aptly::refresh(){
 
       # And publish
       >&2 printf "And... publish it\n"
-      aptly -keyring="$KEYRING_LOCATION" -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" publish snapshot "$mir-$DATE" :"archive/$mir/$LONG_DATE" > /dev/null
+      aptly -keyring="$KEYRING_LOCATION" -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" publish snapshot "$mir-$DATE" :"archive/$mir/$LONG_DATE" # > /dev/null
     done
     >&2 printf "Going to sleep for a day now\n"
     sleep 86400
   done
 }
 
+com="${1:-}"
+shift || true
+case "$com" in
+"aptly")
+  # Typically create a new mirror with:
+  # aptly mirror create "$nickname" "$url" "$suite" "$component"
+  aptly -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" "$@"
+  exit
+  ;;
+"aptly-with-keyring")
+  # Typically create a new mirror with:
+  # aptly mirror create "$nickname" "$url" "$suite" "$component"
+  aptly -keyring="$KEYRING_LOCATION" -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" "$@"
+  exit
+  ;;
+"create")
+  # Example: my-buster-updates-mirror http://deb.debian.org/debian buster-updates main contrib non-free
+  aptly -keyring="$KEYRING_LOCATION" -config="$CONFIG_LOCATION" -architectures="$ARCHITECTURES" mirror create "$@"
+  ;;
+"trust")
+  # Typically "key server" "keys...": keys.gnupg.net 04EE7237B7D453EC 648ACFD622F3D138 EF0F382A1A7B6500 DCC9EFBF77E11517 AA8E81B4331F7F50 112695A0E562B32A
+  gpg::trust "$@"
+  exit
+  ;;
+"init")
+  # Typically "My name" "My email"
+  gpg::initialize "$@"
+  exit
+  ;;
+"refresh")
+  aptly::refresh
+  ;;
+esac
+
 dnssd::advertize() {
   local name="$1"
   local type="$2"
@@ -137,9 +134,7 @@ dnssd::advertize() {
 #aptly::refresh &
 #dnssd::advertize "apt" "_apt._tcp" "$PORT" &
 
-args=(caddy -conf /config/caddy/main.conf -agree -http-port "$PORT")
-
-exec "${args[@]}" "$@"
+exec caddy run -config /config/caddy/main.conf --adapter caddyfile "$@"
 
 #############################
 # Key generation part
@@ -177,7 +172,7 @@ exec "${args[@]}" "$@"
 # Publish snaps
 # gpg --no-default-keyring --keyring /data/aptly/gpg/trustedkeys.gpg --import /data/aptly/gpg/private.pgp
 # Just force gpg to preconfig
-# gpg --no-default-keyring --keyring /data/aptly/gpg/trustedkeys.gpg --list-keys
+# gpg --no-default-keyring --keyring /data/gpg/trustedkeys.gpg --list-keys
 
 # aptly -keyring=/data/aptly/gpg/trustedkeys.gpg -config /config/aptly.conf publish snapshot $SUITE-$DATE :archive/debian/$LONG_DATE
 # aptly -keyring=/data/aptly/gpg/trustedkeys.gpg -config /config/aptly.conf publish snapshot $SUITE-updates-$DATE :archive/debian/$LONG_DATE

diff --git a/context/runtime/config/caddy/healthcheck/healthcheck b/context/runtime/config/caddy/healthcheck/healthcheck
diff --git a/context/runtime/config/caddy/main.conf b/context/runtime/config/caddy/main.conf
@@ -1,6 +1,9 @@
-# Healthcheck
-http://127.0.0.1:10042 {
-  root /config/healthcheck
+{
+#	{$debug}
+#	default_sni {$SNI}
+	admin   off
+#	local_certs
+	auto_https off
 }
 
 # Import all sites config

diff --git a/context/runtime/config/caddy/sites.d/aptly.conf b/context/runtime/config/caddy/sites.d/aptly.conf
@@ -1,16 +1,40 @@
 http://:{$PORT} {
-  basicauth / {$USERNAME} {$PASSWORD}
+  @proxy {
+    header Proxy-Authorization Basic*
+  }
+
+  @noproxy {
+    not {
+      header Proxy-Authorization Basic*
+    }
+  }
 
-  log / /dev/stdout "{hostonly} {combined}"
-  errors /dev/stderr
+  request_header @proxy Authorization {http.request.header.Proxy-Authorization}
+  request_header @proxy -Proxy-Authorization
+
+  log {
+    output stdout
+    format json
+    level {$LOG_LEVEL}
+  }
 
-  header / {
+  header {
     X-Xss-Protection "1; mode=block"
     X-Content-Type-Options "nosniff"
     X-Frame-Options "DENY"
     Referrer-Policy "strict-origin-when-cross-origin"
   }
 
-  root /data/aptly/public
-  browse
+  reverse_proxy @proxy http://127.0.0.1:{$PORT}
+
+  basicauth @noproxy bcrypt "{$REALM}" {
+    {$USERNAME} {$PASSWORD}
+  }
+
+  file_server @noproxy browse {
+    root   /data/aptly/public
+  #  hide   <files...>
+  #  index  <filenames...>
+  #  browse [<template_file>]
+  }
 }
diff --git a/context/runtime/config/caddy/sites.d/healthcheck.conf b/context/runtime/config/caddy/sites.d/healthcheck.conf
@@ -0,0 +1,7 @@
+# Healthcheck
+http://127.0.0.1:10042 {
+  respond 200 {
+    body {}
+    close
+  }
+}
diff --git a/docker-bake.override.hcl b/docker-bake.override.hcl
@@ -7,4 +7,13 @@ target "default" {
   tags = [
     "dubodubonduponey/aptly",
   ]
+  platforms = [
+    "linux/amd64",
+    "linux/arm64",
+    "linux/arm/v7",
+    "linux/arm/v6",
+    "linux/386",
+    "linux/s390x",
+    "linux/ppc64el",
+  ]
 }