Bump

.gitignore

@@ -2,3 +2,5 @@
 /.idea
 */cache/*
 cache
+*trace.json
+xxx-*

Dockerfile

@@ -1,10 +1,10 @@
 ARG           FROM_REGISTRY=docker.io/dubodubonduponey
 
-ARG           FROM_IMAGE_FETCHER=base:golang-bookworm-2023-09-01
-ARG           FROM_IMAGE_BUILDER=base:builder-bookworm-2023-09-01
-ARG           FROM_IMAGE_AUDITOR=base:auditor-bookworm-2023-09-01
-ARG           FROM_IMAGE_TOOLS=tools:linux-bookworm-2023-09-01
-ARG           FROM_IMAGE_RUNTIME=base:runtime-bookworm-2023-09-01
+ARG           FROM_IMAGE_FETCHER=base:golang-bookworm-2023-09-05
+ARG           FROM_IMAGE_BUILDER=base:builder-bookworm-2023-09-05
+ARG           FROM_IMAGE_AUDITOR=base:auditor-bookworm-2023-09-05
+ARG           FROM_IMAGE_TOOLS=tools:linux-bookworm-2023-09-05
+ARG           FROM_IMAGE_RUNTIME=base:runtime-bookworm-2023-09-05
 
 FROM          $FROM_REGISTRY/$FROM_IMAGE_TOOLS                                                                          AS builder-tools
 
@@ -257,63 +257,95 @@ ENV           _SERVICE_TYPE="http"
 
 COPY          --from=assembly --chown=$BUILD_UID:root /dist /
 
-### Front server configuration
-## Advanced settings that usually should not be changed
-# Ports for http and https - recent changes in docker make it no longer necessary to have caps, plus we have our NET_BIND_SERVICE cap set anyhow - it's 2021, there is no reason to keep on venerating privileged ports
-ENV           ADVANCED_PORT_HTTPS=443
-ENV           ADVANCED_PORT_HTTP=80
-EXPOSE        443
-EXPOSE        80
-# By default, tls should be restricted to 1.3 - you may downgrade to 1.2+ for compatibility with older clients (webdav client on macos, older browsers)
-ENV           ADVANCED_TLS_MIN=1.3
-# Name advertised by Caddy in the server http header
-ENV           ADVANCED_SERVER_NAME="DuboDubonDuponey/1.0 (Caddy/2) [$_SERVICE_NICK]"
-# Root certificate to trust for mTLS - this is not used if MTLS is disabled
-ENV           ADVANCED_MTLS_TRUST="/certs/mtls_ca.crt"
-# Log verbosity for
+#####
+# Global
+#####
+# Log verbosity (debug, info, warn, error, fatal)
 ENV           LOG_LEVEL="warn"
-# Whether to start caddy at all or not
-ENV           PROXY_HTTPS_ENABLED=true
+
+#####
+# Mod mDNS
+#####
+# Whether to disable mDNS broadcasting or not
+ENV           MOD_MDNS_ENABLED=true
+# Name is used as a short description for the service
+ENV           MOD_MDNS_NAME="$_SERVICE_NICK display name"
+# The service will be annonced and reachable at MOD_MDNS_HOST.local
+ENV           MOD_MDNS_HOST="$_SERVICE_NICK"
+
+#####
+# Mod mTLS
+#####
+# Whether to enable client certificate validation or not
+ENV           MOD_MTLS_ENABLED=false
+# Either require_and_verify or verify_if_given
+ENV           MOD_MTLS_MODE="verify_if_given"
+
+#####
+# Mod Basic Auth
+#####
+# Whether to enable basic auth
+ENV           MOD_BASICAUTH_ENABLED=false
+# Realm displayed for auth
+ENV           MOD_BASICAUTH_REALM="My Precious Realm"
+# Provide username and password here (call the container with the "hash" command to generate a properly encrypted password, otherwise, a random one will be generated)
+ENV           MOD_BASICAUTH_USERNAME="dubo-dubon-duponey"
+ENV           MOD_BASICAUTH_PASSWORD="cmVwbGFjZV9tZV93aXRoX3NvbWV0aGluZwo="
+
+#####
+# Mod HTTP
+#####
+# Whether to disable the HTTP mod altogether
+ENV           MOD_HTTP_ENABLED=true
 # Domain name to serve
 ENV           DOMAIN="$_SERVICE_NICK.local"
-ENV           ADDITIONAL_DOMAINS="https://*.debian.org"
-# Control wether tls is going to be "internal" (eg: self-signed), or alternatively an email address to enable letsencrypt - use "" to disable TLS entirely
-ENV           TLS="internal"
-# Issuer name to appear in certificates
-#ENV           TLS_ISSUER="Dubo Dubon Duponey"
-# Either disable_redirects or ignore_loaded_certs if one wants the redirects
-ENV           TLS_AUTO=disable_redirects
+# Control wether tls is going to be "internal" (eg: self-signed), or alternatively an email address to enable letsencrypt
+ENV           MOD_HTTP_TLS_MODE="internal"
+
+#####
+# Advanced settings
+#####
+# Service type
+ENV           ADVANCED_MOD_MDNS_TYPE="_$_SERVICE_TYPE._tcp"
+# Also announce the service as a workstation (for example for the benefit of coreDNS mDNS)
+ENV           ADVANCED_MOD_MDNS_STATION=true
+# Root certificate to trust for client cert verification
+ENV           ADVANCED_MOD_MTLS_TRUST="/certs/pki/authorities/local/root.crt"
+# Ports for http and https - recent changes in docker make it no longer necessary to have caps, plus we have our NET_BIND_SERVICE cap set anyhow - it's 2021, there is no reason to keep on venerating privileged ports
+ENV           ADVANCED_MOD_HTTP_PORT=443
+ENV           ADVANCED_MOD_HTTP_PORT_INSECURE=80
+# By default, tls should be restricted to 1.3 - you may downgrade to 1.2+ for compatibility with older clients (webdav client on macos, older browsers)
+ENV           ADVANCED_MOD_HTTP_TLS_MIN=1.3
+# Name advertised by Caddy in the server http header
+ENV           ADVANCED_MOD_HTTP_SERVER_NAME="DuboDubonDuponey/1.0 (Caddy/2)"
+# ACME server to use (for testing)
 # Staging
 # https://acme-staging-v02.api.letsencrypt.org/directory
 # Plain
 # https://acme-v02.api.letsencrypt.org/directory
 # PKI
 # https://pki.local
-ENV           TLS_SERVER="https://acme-v02.api.letsencrypt.org/directory"
-# Either require_and_verify or verify_if_given, or "" to disable mTLS altogether
-ENV           MTLS="require_and_verify"
-# Realm for authentication - set to "" to disable authentication entirely
-ENV           AUTH="My Precious Realm"
-# Provide username and password here (call the container with the "hash" command to generate a properly encrypted password, otherwise, a random one will be generated)
-ENV           AUTH_USERNAME="dubo-dubon-duponey"
-ENV           AUTH_PASSWORD="cmVwbGFjZV9tZV93aXRoX3NvbWV0aGluZwo="
-### mDNS broadcasting
-# Whether to enable MDNS broadcasting or not
-ENV           MDNS_ENABLED=true
-# Type to advertise
-ENV           MDNS_TYPE="_$_SERVICE_TYPE._tcp"
-# Name is used as a short description for the service
-ENV           MDNS_NAME="$_SERVICE_NICK mDNS display name"
-# The service will be annonced and reachable at $MDNS_HOST.local (set to empty string to disable mDNS announces entirely)
-ENV           MDNS_HOST="$_SERVICE_NICK"
-# Also announce the service as a workstation (for example for the benefit of coreDNS mDNS)
-ENV           MDNS_STATION=true
+ENV           ADVANCED_MOD_HTTP_TLS_SERVER="https://acme-v02.api.letsencrypt.org/directory"
+# Either disable_redirects or ignore_loaded_certs if one wants the redirects
+ENV           ADVANCED_MOD_HTTP_TLS_AUTO=disable_redirects
+# Whether to disable TLS and serve only plain old http
+ENV           ADVANCED_MOD_HTTP_TLS_ENABLED=true
+# Additional domains aliases
+ENV           ADVANCED_MOD_HTTP_ADDITIONAL_DOMAINS=""
+
+#####
+# Wrap-up
+#####
+EXPOSE        443
+EXPOSE        80
+
 # Caddy certs will be stored here
 VOLUME        /certs
 # Caddy uses this
 VOLUME        /tmp
 # Used by the backend service
 VOLUME        /data
+
 ENV           HEALTHCHECK_URL="http://127.0.0.1:10000/?healthcheck"
 
 HEALTHCHECK   --interval=120s --timeout=30s --start-period=10s --retries=1 CMD http-health || exit 1

context/build/main.go

@@ -2,10 +2,7 @@ package main
 
 import (
 	caddycmd "github.com/caddyserver/caddy/v2/cmd"
-
-	// plug in Caddy modules here
 	_ "github.com/caddyserver/caddy/v2/modules/standard"
-
 	_ "github.com/caddyserver/replace-response"
 )
 

context/runtime/boot/entrypoint.sh

@@ -7,9 +7,14 @@ readonly root
 source "$root/helpers.sh"
 # shellcheck source=/dev/null
 source "$root/mdns.sh"
+# shellcheck source=/dev/null
+source "$root/http.sh"
 
 helpers::dir::writable "/tmp"
-helpers::dir::writable "/data"
+
+helpers::dir::writable "$XDG_DATA_HOME" create
+helpers::dir::writable "$XDG_DATA_DIRS" create
+
 helpers::dir::writable "$ROON_ID_DIR" create
 helpers::dir::writable "$ROON_DATAROOT" create
 
@@ -43,16 +48,17 @@ helpers::dir::writable "$XDG_RUNTIME_DIR" create
 helpers::dir::writable "$XDG_STATE_HOME" create
 helpers::dir::writable "$XDG_CACHE_HOME" create
 
-# mDNS blast if asked to
-[ "${MDNS_ENABLED:-}" != true ] || {
-  _mdns_port="$([ "$TLS" != "" ] && printf "%s" "${ADVANCED_PORT_HTTPS:-443}" || printf "%s" "${ADVANCED_PORT_HTTP:-80}")"
-  [ ! "${MDNS_STATION:-}" ] || mdns::records::add "_workstation._tcp" "$MDNS_HOST" "${MDNS_NAME:-}" "$_mdns_port"
-  mdns::records::add "${MDNS_TYPE:-_http._tcp}" "$MDNS_HOST" "${MDNS_NAME:-}" "$_mdns_port"
-  mdns::records::broadcast &
+# mDNS
+[ "${MOD_MDNS_ENABLED:-}" != true ] || {
+  _mdns_type="${ADVANCED_MOD_MDNS_TYPE:-_http._tcp}"
+  _mdns_port="$([ "${MOD_HTTP_TLS_ENABLED:-}" == true ] && printf "%s" "${ADVANCED_MOD_HTTP_PORT:-443}" || printf "%s" "${ADVANCED_MOD_HTTP_PORT_INSECURE:-80}")"
+  [ "${ADVANCED_MOD_MDNS_STATION:-}" != true ] || mdns::records::add "_workstation._tcp" "${MOD_MDNS_HOST}" "${MOD_MDNS_NAME:-}" "$_mdns_port"
+  mdns::records::add "$_mdns_type" "${MOD_MDNS_HOST:-}" "${MOD_MDNS_NAME:-}" "$_mdns_port"
+  mdns::start::broadcaster &
 }
 
-# Start the sidecar
-[ "${PROXY_HTTPS_ENABLED:-}" != true ] || start::sidecar &
+# TLS and HTTP
+[ "${MOD_HTTP_ENABLED:-}" != true ] || http::start &
 
 # error”, “critical”, “warning”, “message”, “info”, and “debug”
 # Looks like ROON ignore these

context/runtime/boot/helpers.sh

@@ -10,85 +10,3 @@ helpers::dir::writable(){
     exit 1
   }
 }
-
-run::hash(){
-  printf >&2 "Generating password hash\n"
-  caddy hash-password -algorithm bcrypt "$@"
-}
-
-run::certificate(){
-  local tls_mode="$1"
-  printf >&2 "Displaying root certificate to trust\n"
-  if [ "$tls_mode" == "" ]; then
-    printf >&2 "Your container is not configured for TLS termination - there is no local CA in that case."
-    exit 1
-  fi
-  if [ "$tls_mode" != "internal" ]; then
-    printf >&2 "Your container uses letsencrypt - there is no local CA in that case."
-    exit 1
-  fi
-  if [ ! -e /certs/pki/authorities/local/root.crt ]; then
-    printf >&2 "No root certificate installed or generated. Run the container so that a cert is generated, or provide one at runtime."
-    exit 1
-  fi
-  cat /certs/pki/authorities/local/root.crt
-}
-
-start::sidecar(){
-  local disable_tls=""
-  local disable_mtls=""
-  local disable_auth=""
-
-  AUTH="${AUTH:-}"
-  TLS="${TLS:-}"
-  MTLS="${MTLS:-}"
-
-  local secure=s
-
-  [ "$MTLS" != "" ] || disable_mtls=true;
-  [ "$AUTH" != "" ] || disable_auth=true;
-  [ "$TLS" != "" ] || {
-    disable_tls=true
-    secure=
-  }
-
-  XDG_CONFIG_HOME=/tmp/config \
-  CDY_SERVER_NAME=${ADVANCED_SERVER_NAME:-DuboDubonDuponey/1.0} \
-  CDY_LOG_LEVEL=${LOG_LEVEL:-error} \
-  CDY_SCHEME="http${secure:-}" \
-  CDY_DOMAIN="${DOMAIN:-}" \
-  CDY_ADDITIONAL_DOMAINS="${ADDITIONAL_DOMAINS:-}" \
-  CDY_AUTH_DISABLE="$disable_auth" \
-  CDY_AUTH_REALM="$AUTH" \
-  CDY_AUTH_USERNAME="${AUTH_USERNAME:-}" \
-  CDY_AUTH_PASSWORD="${AUTH_PASSWORD:-}" \
-  CDY_TLS_DISABLE="$disable_tls" \
-  CDY_TLS_MODE="$TLS" \
-  CDY_TLS_MIN="${ADVANCED_TLS_MIN:-1.3}" \
-  CDY_TLS_AUTO="${TLS_AUTO:-disable_redirects}" \
-  CDY_MTLS_DISABLE="$disable_mtls" \
-  CDY_MTLS_MODE="$MTLS" \
-  CDY_MTLS_TRUST="${ADVANCED_MTLS_TRUST:-}" \
-  CDY_HEALTHCHECK_URL="$HEALTHCHECK_URL" \
-  CDY_PORT_HTTP="${ADVANCED_PORT_HTTP:-80}" \
-  CDY_PORT_HTTPS="${ADVANCED_PORT_HTTPS:-443}" \
-  CDY_ACME_CA="$TLS_SERVER" \
-    caddy run --config /config/caddy/main.conf --adapter caddyfile "$@"
-}
-
-# Helpers
-case "${1:-}" in
-  # Short hand helper to generate password hash
-  "hash")
-    shift
-    run::hash "$@"
-    exit
-  ;;
-  # Helper to get the ca.crt out (once initialized)
-  "cert")
-    shift
-    run::certificate "${TLS:-}" "$@"
-    exit
-  ;;
-esac
-

context/runtime/boot/http.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+set -o errexit -o errtrace -o functrace -o nounset -o pipefail
+
+readonly _default_mod_mtls_trust="/certs/pki/authorities/local/root.crt"
+readonly _default_mod_mtls_mode="verify_if_given"
+
+readonly _default_realm="My Precious Realm"
+readonly _default_http_port=80
+readonly _default_https_port=443
+readonly _default_tls_min="1.3"
+readonly _default_server_name="DuboDubonDuponey/1.0 (Caddy/2)"
+readonly _default_acme_server="https://acme-v02.api.letsencrypt.org/directory"
+
+http::hash(){
+  printf >&2 "Generating password hash\n"
+  caddy hash-password -algorithm bcrypt "$@"
+}
+
+http::certificate(){
+  local tls_mode="$1"
+  printf >&2 "Displaying root certificate to trust\n"
+  if [ "$tls_mode" == "" ]; then
+    printf >&2 "Your container is not configured for TLS termination - there is no local CA in that case."
+    exit 1
+  fi
+  if [ "$tls_mode" != "internal" ]; then
+    printf >&2 "Your container uses letsencrypt - there is no local CA in that case."
+    exit 1
+  fi
+  if [ ! -e /certs/pki/authorities/local/root.crt ]; then
+    printf >&2 "No root certificate installed or generated. Run the container so that a cert is generated, or provide one at runtime."
+    exit 1
+  fi
+  cat /certs/pki/authorities/local/root.crt
+}
+
+http::start(){
+  local disable_tls=""
+  local disable_mtls=""
+  local disable_auth=""
+
+  [ "${MOD_MTLS_ENABLED:-}" == true ] || disable_mtls=true;
+  [ "${MOD_BASICAUTH_ENABLED:-}" == true ] || disable_auth=true;
+
+  local secure=s
+
+  [ "$ADVANCED_MOD_HTTP_TLS_ENABLED" != true ] || {
+    disable_tls=true
+    secure=
+  }
+
+  CDY_LOG_LEVEL=${LOG_LEVEL:-warn} \
+  CDY_MTLS_DISABLE="$disable_mtls" \
+  CDY_MTLS_MODE="${MOD_MTLS_MODE:-$_default_mod_mtls_mode}" \
+  CDY_MTLS_TRUST="${ADVANCED_MOD_MTLS_TRUST:-$_default_mod_mtls_trust}" \
+  CDY_AUTH_DISABLE="$disable_auth" \
+  CDY_AUTH_REALM="${MOD_BASICAUTH_REALM:-$_default_realm}" \
+  CDY_AUTH_USERNAME="${MOD_BASICAUTH_USERNAME:-}" \
+  CDY_AUTH_PASSWORD="${MOD_BASICAUTH_PASSWORD:-}" \
+  CDY_SCHEME="http${secure:-}" \
+  CDY_DOMAIN="${DOMAIN:-}" \
+  CDY_ADDITIONAL_DOMAINS="${ADVANCED_MOD_HTTP_ADDITIONAL_DOMAINS:-}" \
+  CDY_TLS_DISABLE="$disable_tls" \
+  CDY_TLS_MODE="${MOD_HTTP_TLS_MODE:-internal}" \
+  CDY_TLS_AUTO="${ADVANCED_MOD_HTTP_TLS_AUTO:-disable_redirects}" \
+  CDY_HEALTHCHECK_URL="$HEALTHCHECK_URL" \
+  CDY_ACME_CA="${ADVANCED_MOD_HTTP_TLS_SERVER:-$_default_acme_server}" \
+  CDY_PORT_HTTP="${ADVANCED_MOD_HTTP_PORT_INSECURE:-$_default_http_port}" \
+  CDY_PORT_HTTPS="${ADVANCED_MOD_HTTP_PORT:-$_default_https_port}" \
+  CDY_TLS_MIN="${ADVANCED_MOD_HTTP_TLS_MIN:-$_default_tls_min}" \
+  CDY_SERVER_NAME="${ADVANCED_MOD_HTTP_SERVER_NAME:-$_default_server_name}" \
+    caddy run --config /config/caddy/main.conf --adapter caddyfile "$@"
+}
+