From 01beb230aa6773a0896909a092f5c2c5dd1611a4 Mon Sep 17 00:00:00 2001 From: dubo-dubon-duponey Date: Mon, 18 Sep 2023 19:47:02 -0700 Subject: [PATCH] Bump --- .gitignore | 2 + Dockerfile | 126 +++++++++++------- context/build/main.go | 3 - context/runtime/boot/entrypoint.sh | 24 ++-- context/runtime/boot/helpers.sh | 82 ------------ context/runtime/boot/http.sh | 74 ++++++++++ context/runtime/boot/mdns.sh | 92 +++++++++++-- context/runtime/config/caddy/conf.d/auth.conf | 4 +- .../runtime/config/caddy/conf.d/headers.conf | 2 +- context/runtime/config/caddy/conf.d/log.conf | 2 +- context/runtime/config/caddy/conf.d/mtls.conf | 6 +- context/runtime/config/caddy/conf.d/tls.conf | 4 +- hack/recipe.cue | 1 - 13 files changed, 262 insertions(+), 160 deletions(-) mode change 100755 => 100644 context/runtime/boot/helpers.sh create mode 100755 context/runtime/boot/http.sh mode change 100644 => 100755 context/runtime/boot/mdns.sh diff --git a/.gitignore b/.gitignore index 10b083a..507266e 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ /.idea */cache/* cache +*trace.json +xxx-* diff --git a/Dockerfile b/Dockerfile index fd1a0a4..0fd6150 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,10 @@ ARG FROM_REGISTRY=docker.io/dubodubonduponey -ARG FROM_IMAGE_FETCHER=base:golang-bookworm-2023-09-01 -ARG FROM_IMAGE_BUILDER=base:builder-bookworm-2023-09-01 -ARG FROM_IMAGE_AUDITOR=base:auditor-bookworm-2023-09-01 -ARG FROM_IMAGE_TOOLS=tools:linux-bookworm-2023-09-01 -ARG FROM_IMAGE_RUNTIME=base:runtime-bookworm-2023-09-01 +ARG FROM_IMAGE_FETCHER=base:golang-bookworm-2023-09-05 +ARG FROM_IMAGE_BUILDER=base:builder-bookworm-2023-09-05 +ARG FROM_IMAGE_AUDITOR=base:auditor-bookworm-2023-09-05 +ARG FROM_IMAGE_TOOLS=tools:linux-bookworm-2023-09-05 +ARG FROM_IMAGE_RUNTIME=base:runtime-bookworm-2023-09-05 FROM $FROM_REGISTRY/$FROM_IMAGE_TOOLS AS builder-tools 
@@ -257,63 +257,95 @@ ENV _SERVICE_TYPE="http" COPY --from=assembly --chown=$BUILD_UID:root /dist / -### Front server configuration -## Advanced settings that usually should not be changed -# Ports for http and https - recent changes in docker make it no longer necessary to have caps, plus we have our NET_BIND_SERVICE cap set anyhow - it's 2021, there is no reason to keep on venerating privileged ports -ENV ADVANCED_PORT_HTTPS=443 -ENV ADVANCED_PORT_HTTP=80 -EXPOSE 443 -EXPOSE 80 -# By default, tls should be restricted to 1.3 - you may downgrade to 1.2+ for compatibility with older clients (webdav client on macos, older browsers) -ENV ADVANCED_TLS_MIN=1.3 -# Name advertised by Caddy in the server http header -ENV ADVANCED_SERVER_NAME="DuboDubonDuponey/1.0 (Caddy/2) [$_SERVICE_NICK]" -# Root certificate to trust for mTLS - this is not used if MTLS is disabled -ENV ADVANCED_MTLS_TRUST="/certs/mtls_ca.crt" -# Log verbosity for +##### +# Global +##### +# Log verbosity (debug, info, warn, error, fatal) ENV LOG_LEVEL="warn" -# Whether to start caddy at all or not -ENV PROXY_HTTPS_ENABLED=true + +##### +# Mod mDNS +##### +# Whether to disable mDNS broadcasting or not +ENV MOD_MDNS_ENABLED=true +# Name is used as a short description for the service +ENV MOD_MDNS_NAME="$_SERVICE_NICK display name" +# The service will be annonced and reachable at MOD_MDNS_HOST.local +ENV MOD_MDNS_HOST="$_SERVICE_NICK" + +##### +# Mod mTLS +##### +# Whether to enable client certificate validation or not +ENV MOD_MTLS_ENABLED=false +# Either require_and_verify or verify_if_given +ENV MOD_MTLS_MODE="verify_if_given" + +##### +# Mod Basic Auth +##### +# Whether to enable basic auth +ENV MOD_BASICAUTH_ENABLED=false +# Realm displayed for auth +ENV MOD_BASICAUTH_REALM="My Precious Realm" +# Provide username and password here (call the container with the "hash" command to generate a properly encrypted password, otherwise, a random one will be generated) +ENV 
MOD_BASICAUTH_USERNAME="dubo-dubon-duponey" +ENV MOD_BASICAUTH_PASSWORD="cmVwbGFjZV9tZV93aXRoX3NvbWV0aGluZwo=" + +##### +# Mod HTTP +##### +# Whether to disable the HTTP mod altogether +ENV MOD_HTTP_ENABLED=true # Domain name to serve ENV DOMAIN="$_SERVICE_NICK.local" -ENV ADDITIONAL_DOMAINS="https://*.debian.org" -# Control wether tls is going to be "internal" (eg: self-signed), or alternatively an email address to enable letsencrypt - use "" to disable TLS entirely -ENV TLS="internal" -# Issuer name to appear in certificates -#ENV TLS_ISSUER="Dubo Dubon Duponey" -# Either disable_redirects or ignore_loaded_certs if one wants the redirects -ENV TLS_AUTO=disable_redirects +# Control wether tls is going to be "internal" (eg: self-signed), or alternatively an email address to enable letsencrypt +ENV MOD_HTTP_TLS_MODE="internal" + +##### +# Advanced settings +##### +# Service type +ENV ADVANCED_MOD_MDNS_TYPE="_$_SERVICE_TYPE._tcp" +# Also announce the service as a workstation (for example for the benefit of coreDNS mDNS) +ENV ADVANCED_MOD_MDNS_STATION=true +# Root certificate to trust for client cert verification +ENV ADVANCED_MOD_MTLS_TRUST="/certs/pki/authorities/local/root.crt" +# Ports for http and https - recent changes in docker make it no longer necessary to have caps, plus we have our NET_BIND_SERVICE cap set anyhow - it's 2021, there is no reason to keep on venerating privileged ports +ENV ADVANCED_MOD_HTTP_PORT=443 +ENV ADVANCED_MOD_HTTP_PORT_INSECURE=80 +# By default, tls should be restricted to 1.3 - you may downgrade to 1.2+ for compatibility with older clients (webdav client on macos, older browsers) +ENV ADVANCED_MOD_HTTP_TLS_MIN=1.3 +# Name advertised by Caddy in the server http header +ENV ADVANCED_MOD_HTTP_SERVER_NAME="DuboDubonDuponey/1.0 (Caddy/2)" +# ACME server to use (for testing) # Staging # https://acme-staging-v02.api.letsencrypt.org/directory # Plain # https://acme-v02.api.letsencrypt.org/directory # PKI # https://pki.local -ENV 
TLS_SERVER="https://acme-v02.api.letsencrypt.org/directory" -# Either require_and_verify or verify_if_given, or "" to disable mTLS altogether -ENV MTLS="require_and_verify" -# Realm for authentication - set to "" to disable authentication entirely -ENV AUTH="My Precious Realm" -# Provide username and password here (call the container with the "hash" command to generate a properly encrypted password, otherwise, a random one will be generated) -ENV AUTH_USERNAME="dubo-dubon-duponey" -ENV AUTH_PASSWORD="cmVwbGFjZV9tZV93aXRoX3NvbWV0aGluZwo=" -### mDNS broadcasting -# Whether to enable MDNS broadcasting or not -ENV MDNS_ENABLED=true -# Type to advertise -ENV MDNS_TYPE="_$_SERVICE_TYPE._tcp" -# Name is used as a short description for the service -ENV MDNS_NAME="$_SERVICE_NICK mDNS display name" -# The service will be annonced and reachable at $MDNS_HOST.local (set to empty string to disable mDNS announces entirely) -ENV MDNS_HOST="$_SERVICE_NICK" -# Also announce the service as a workstation (for example for the benefit of coreDNS mDNS) -ENV MDNS_STATION=true +ENV ADVANCED_MOD_HTTP_TLS_SERVER="https://acme-v02.api.letsencrypt.org/directory" +# Either disable_redirects or ignore_loaded_certs if one wants the redirects +ENV ADVANCED_MOD_HTTP_TLS_AUTO=disable_redirects +# Whether to disable TLS and serve only plain old http +ENV ADVANCED_MOD_HTTP_TLS_ENABLED=true +# Additional domains aliases +ENV ADVANCED_MOD_HTTP_ADDITIONAL_DOMAINS="" + +##### +# Wrap-up +##### +EXPOSE 443 +EXPOSE 80 + # Caddy certs will be stored here VOLUME /certs # Caddy uses this VOLUME /tmp # Used by the backend service VOLUME /data + ENV HEALTHCHECK_URL="http://127.0.0.1:10000/?healthcheck" HEALTHCHECK --interval=120s --timeout=30s --start-period=10s --retries=1 CMD http-health || exit 1 diff --git a/context/build/main.go b/context/build/main.go index 8d8d6b2..b50cf6c 100644 --- a/context/build/main.go +++ b/context/build/main.go 
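Review bot: The new defaults relax the previous posture without the commit message saying so: `MOD_MTLS_ENABLED=false` replaces `MTLS="require_and_verify"`, `MOD_MTLS_MODE` defaults to `verify_if_given`, and `MOD_BASICAUTH_ENABLED=false` replaces an always-on `AUTH` realm, so an image built from this Dockerfile answers unauthenticated requests unless the operator opts back in. A comment at the top of the mod blocks should state that, e.g. `# Client authentication is off by default: set MOD_MTLS_ENABLED=true and/or MOD_BASICAUTH_ENABLED=true to require it`. The comment on `MOD_BASICAUTH_PASSWORD` still tells users to call the container with the "hash" command, but the `hash`/`cert` dispatcher this patch deletes from helpers.sh is not re-added in http.sh, so that advice only holds if entrypoint.sh handles it outside the shown hunks. `ADVANCED_MOD_MTLS_TRUST` now points at the internally generated CA root rather than a dedicated client CA; a note that operators issuing client certificates from their own CA must override it would help.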
@@ -2,10 +2,7 @@ package main import ( caddycmd "github.com/caddyserver/caddy/v2/cmd" - - // plug in Caddy modules here _ "github.com/caddyserver/caddy/v2/modules/standard" - _ "github.com/caddyserver/replace-response" ) diff --git a/context/runtime/boot/entrypoint.sh b/context/runtime/boot/entrypoint.sh index 4cb3a9c..ca9f780 100755 --- a/context/runtime/boot/entrypoint.sh +++ b/context/runtime/boot/entrypoint.sh @@ -7,9 +7,14 @@ readonly root source "$root/helpers.sh" # shellcheck source=/dev/null source "$root/mdns.sh" +# shellcheck source=/dev/null +source "$root/http.sh" helpers::dir::writable "/tmp" -helpers::dir::writable "/data" + +helpers::dir::writable "$XDG_DATA_HOME" create +helpers::dir::writable "$XDG_DATA_DIRS" create + helpers::dir::writable "$ROON_ID_DIR" create helpers::dir::writable "$ROON_DATAROOT" create 
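Review bot: `helpers::dir::writable "$XDG_DATA_DIRS" create` treats `XDG_DATA_DIRS` as one directory, while the basedir spec defines it as a colon-separated search list; if the value set elsewhere in the image holds more than one entry, the helper will create or fail on a path that contains the colons. If the image always sets it to a single path, a comment such as `# XDG_DATA_DIRS is set to a single directory in this image` would document the assumption; otherwise iterate over the entries. The enclosing script continues past this hunk.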
@@ -43,16 +48,17 @@ helpers::dir::writable "$XDG_RUNTIME_DIR" create helpers::dir::writable "$XDG_STATE_HOME" create helpers::dir::writable "$XDG_CACHE_HOME" create -# mDNS blast if asked to -[ "${MDNS_ENABLED:-}" != true ] || { - _mdns_port="$([ "$TLS" != "" ] && printf "%s" "${ADVANCED_PORT_HTTPS:-443}" || printf "%s" "${ADVANCED_PORT_HTTP:-80}")" - [ ! "${MDNS_STATION:-}" ] || mdns::records::add "_workstation._tcp" "$MDNS_HOST" "${MDNS_NAME:-}" "$_mdns_port" - mdns::records::add "${MDNS_TYPE:-_http._tcp}" "$MDNS_HOST" "${MDNS_NAME:-}" "$_mdns_port" - mdns::records::broadcast & +# mDNS +[ "${MOD_MDNS_ENABLED:-}" != true ] || { + _mdns_type="${ADVANCED_MOD_MDNS_TYPE:-_http._tcp}" + _mdns_port="$([ "${MOD_HTTP_TLS_ENABLED:-}" == true ] && printf "%s" "${ADVANCED_MOD_HTTP_PORT:-443}" || printf "%s" "${ADVANCED_MOD_HTTP_PORT_INSECURE:-80}")" + [ "${ADVANCED_MOD_MDNS_STATION:-}" != true ] || mdns::records::add "_workstation._tcp" "${MOD_MDNS_HOST}" "${MOD_MDNS_NAME:-}" "$_mdns_port" + mdns::records::add "$_mdns_type" "${MOD_MDNS_HOST:-}" "${MOD_MDNS_NAME:-}" "$_mdns_port" + mdns::start::broadcaster & } -# Start the sidecar -[ "${PROXY_HTTPS_ENABLED:-}" != true ] || start::sidecar & +# TLS and HTTP +[ "${MOD_HTTP_ENABLED:-}" != true ] || http::start & # error”, “critical”, “warning”, “message”, “info”, and “debug” # Looks like ROON ignore these diff --git a/context/runtime/boot/helpers.sh b/context/runtime/boot/helpers.sh old mode 100755 new mode 100644 index dfa9f90..ceb987e --- a/context/runtime/boot/helpers.sh +++ b/context/runtime/boot/helpers.sh 
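Review bot: `_mdns_port` is derived from `MOD_HTTP_TLS_ENABLED`, but the Dockerfile in this patch defines `ADVANCED_MOD_HTTP_TLS_ENABLED` and http.sh reads that name, so the variable tested here is unset, the `:-` default makes the test false, and the mDNS record always advertises the insecure port even when Caddy listens with TLS on 443. Change the test to `[ "${ADVANCED_MOD_HTTP_TLS_ENABLED:-}" == true ]`. The two `mdns::records::add` calls also disagree on `"${MOD_MDNS_HOST}"` versus `"${MOD_MDNS_HOST:-}"`; under `nounset` the first form aborts the whole entrypoint when the variable is absent, so use one form consistently. The rest of entrypoint.sh lies outside the hunk.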
@@ -10,85 +10,3 @@ helpers::dir::writable(){ exit 1 } } - -run::hash(){ - printf >&2 "Generating password hash\n" - caddy hash-password -algorithm bcrypt "$@" -} - -run::certificate(){ - local tls_mode="$1" - printf >&2 "Displaying root certificate to trust\n" - if [ "$tls_mode" == "" ]; then - printf >&2 "Your container is not configured for TLS termination - there is no local CA in that case." - exit 1 - fi - if [ "$tls_mode" != "internal" ]; then - printf >&2 "Your container uses letsencrypt - there is no local CA in that case." - exit 1 - fi - if [ ! -e /certs/pki/authorities/local/root.crt ]; then - printf >&2 "No root certificate installed or generated. Run the container so that a cert is generated, or provide one at runtime." - exit 1 - fi - cat /certs/pki/authorities/local/root.crt -} - -start::sidecar(){ - local disable_tls="" - local disable_mtls="" - local disable_auth="" - - AUTH="${AUTH:-}" - TLS="${TLS:-}" - MTLS="${MTLS:-}" - - local secure=s - - [ "$MTLS" != "" ] || disable_mtls=true; - [ "$AUTH" != "" ] || disable_auth=true; - [ "$TLS" != "" ] || { - disable_tls=true - secure= - } - - XDG_CONFIG_HOME=/tmp/config \ - CDY_SERVER_NAME=${ADVANCED_SERVER_NAME:-DuboDubonDuponey/1.0} \ - CDY_LOG_LEVEL=${LOG_LEVEL:-error} \ - CDY_SCHEME="http${secure:-}" \ - CDY_DOMAIN="${DOMAIN:-}" \ - CDY_ADDITIONAL_DOMAINS="${ADDITIONAL_DOMAINS:-}" \ - CDY_AUTH_DISABLE="$disable_auth" \ - CDY_AUTH_REALM="$AUTH" \ - CDY_AUTH_USERNAME="${AUTH_USERNAME:-}" \ - CDY_AUTH_PASSWORD="${AUTH_PASSWORD:-}" \ - CDY_TLS_DISABLE="$disable_tls" \ - CDY_TLS_MODE="$TLS" \ - CDY_TLS_MIN="${ADVANCED_TLS_MIN:-1.3}" \ - CDY_TLS_AUTO="${TLS_AUTO:-disable_redirects}" \ - CDY_MTLS_DISABLE="$disable_mtls" \ - CDY_MTLS_MODE="$MTLS" \ - CDY_MTLS_TRUST="${ADVANCED_MTLS_TRUST:-}" \ - CDY_HEALTHCHECK_URL="$HEALTHCHECK_URL" \ - CDY_PORT_HTTP="${ADVANCED_PORT_HTTP:-80}" \ - CDY_PORT_HTTPS="${ADVANCED_PORT_HTTPS:-443}" \ - CDY_ACME_CA="$TLS_SERVER" \ - caddy run --config /config/caddy/main.conf 
--adapter caddyfile "$@" -} - -# Helpers -case "${1:-}" in - # Short hand helper to generate password hash - "hash") - shift - run::hash "$@" - exit - ;; - # Helper to get the ca.crt out (once initialized) - "cert") - shift - run::certificate "${TLS:-}" "$@" - exit - ;; -esac - diff --git a/context/runtime/boot/http.sh b/context/runtime/boot/http.sh new file mode 100755 index 0000000..dd309de --- /dev/null +++ b/context/runtime/boot/http.sh 
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+set -o errexit -o errtrace -o functrace -o nounset -o pipefail
+
+readonly _default_mod_mtls_trust="/certs/pki/authorities/local/root.crt"
+readonly _default_mod_mtls_mode="verify_if_given"
+
+readonly _default_realm="My Precious Realm"
+readonly _default_http_port=80
+readonly _default_https_port=443
+readonly _default_tls_min="1.3"
+readonly _default_server_name="DuboDubonDuponey/1.0 (Caddy/2)"
+readonly _default_acme_server="https://acme-v02.api.letsencrypt.org/directory"
+
+http::hash(){
+ printf >&2 "Generating password hash\n"
+ caddy hash-password -algorithm bcrypt "$@"
+}
+
+http::certificate(){
+ local tls_mode="$1"
+ printf >&2 "Displaying root certificate to trust\n"
+ if [ "$tls_mode" == "" ]; then
+ printf >&2 "Your container is not configured for TLS termination - there is no local CA in that case."
+ exit 1
+ fi
+ if [ "$tls_mode" != "internal" ]; then
+ printf >&2 "Your container uses letsencrypt - there is no local CA in that case."
+ exit 1
+ fi
+ if [ ! -e /certs/pki/authorities/local/root.crt ]; then
+ printf >&2 "No root certificate installed or generated. Run the container so that a cert is generated, or provide one at runtime."
+ exit 1
+ fi
+ cat /certs/pki/authorities/local/root.crt
+}
+
+http::start(){
+ local disable_tls=""
+ local disable_mtls=""
+ local disable_auth=""
+
+ [ "${MOD_MTLS_ENABLED:-}" == true ] || disable_mtls=true;
+ [ "${MOD_BASICAUTH_ENABLED:-}" == true ] || disable_auth=true;
+
+ local secure=s
+
+ [ "$ADVANCED_MOD_HTTP_TLS_ENABLED" != true ] || {
+ disable_tls=true
+ secure=
+ }
+
+ CDY_LOG_LEVEL=${LOG_LEVEL:-warn} \
+ CDY_MTLS_DISABLE="$disable_mtls" \
+ CDY_MTLS_MODE="${MOD_MTLS_MODE:-$_default_mod_mtls_mode}" \
+ CDY_MTLS_TRUST="${ADVANCED_MOD_MTLS_TRUST:-$_default_mod_mtls_trust}" \
+ CDY_AUTH_DISABLE="$disable_auth" \
+ CDY_AUTH_REALM="${MOD_BASICAUTH_REALM:-$_default_realm}" \
+ CDY_AUTH_USERNAME="${MOD_BASICAUTH_USERNAME:-}" \
+ CDY_AUTH_PASSWORD="${MOD_BASICAUTH_PASSWORD:-}" \
+ CDY_SCHEME="http${secure:-}" \
+ CDY_DOMAIN="${DOMAIN:-}" \
+ CDY_ADDITIONAL_DOMAINS="${ADVANCED_MOD_HTTP_ADDITIONAL_DOMAINS:-}" \
+ CDY_TLS_DISABLE="$disable_tls" \
+ CDY_TLS_MODE="${MOD_HTTP_TLS_MODE:-internal}" \
+ CDY_TLS_AUTO="${ADVANCED_MOD_HTTP_TLS_AUTO:-disable_redirects}" \
+ CDY_HEALTHCHECK_URL="$HEALTHCHECK_URL" \
+ CDY_ACME_CA="${ADVANCED_MOD_HTTP_TLS_SERVER:-$_default_acme_server}" \
+ CDY_PORT_HTTP="${ADVANCED_MOD_HTTP_PORT_INSECURE:-$_default_http_port}" \
+ CDY_PORT_HTTPS="${ADVANCED_MOD_HTTP_PORT:-$_default_https_port}" \
+ CDY_TLS_MIN="${ADVANCED_MOD_HTTP_TLS_MIN:-$_default_tls_min}" \
+ CDY_SERVER_NAME="${ADVANCED_MOD_HTTP_SERVER_NAME:-$_default_server_name}" \
+ caddy run --config /config/caddy/main.conf --adapter caddyfile "$@"
+}
+
diff --git a/context/runtime/boot/mdns.sh b/context/runtime/boot/mdns.sh
old mode 100644
new mode 100755
index 4d60fba..6f1b027
--- a/context/runtime/boot/mdns.sh
+++ b/context/runtime/boot/mdns.sh
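Review bot: The TLS guard in `http::start` is inverted: `[ "$ADVANCED_MOD_HTTP_TLS_ENABLED" != true ] || { disable_tls=true; secure=; }` runs the block precisely when the variable is `true`, so the Dockerfile default yields `CDY_TLS_DISABLE=true` and `CDY_SCHEME=http`, and only a value other than `true` keeps TLS on; the deleted helper used `[ "$TLS" != "" ] ||` to disable, and the sense was flipped during the rename. It should read `[ "${ADVANCED_MOD_HTTP_TLS_ENABLED:-}" == true ] || {`, which also avoids the `nounset` abort the unguarded expansion causes when the variable is absent. `http::hash` and `http::certificate` are defined here but nothing in this file or in the entrypoint hunks calls them, while the `case "${1:-}" in "hash"|"cert"` dispatcher they replace is removed from helpers.sh; either restore the dispatcher or drop the functions. `http::certificate` also hard-codes the root path that `_default_mod_mtls_trust` already holds, so the two can drift apart.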
@@ -1,7 +1,8 @@ #!/usr/bin/env bash set -o errexit -o errtrace -o functrace -o nounset -o pipefail -_mdns_records=() +readonly _default_mod_mdns_configuration_path="$XDG_CONFIG_DIRS/goello/main.json" +_internal_mod_mdns_records=() mdns::records::add(){ local type="$1" @@ -9,12 +10,18 @@ mdns::records::add(){ local name="${3:-$host}" local port="${4:-9}" local text="${5:-[]}" - _mdns_records+=("$(printf '{"Type": "%s", "Host": "%s", "Name": "%s", "Port": %s, "Text": %s}' "$type" "$host" "$name" "$port" "$text")") + _internal_mod_mdns_records+=("$(printf '{"Type": "%s", "Host": "%s", "Name": "%s", "Port": %s, "Text": %s}' "$type" "$host" "$name" "$port" "$text")") } -mdns::records::broadcast(){ - local IFS="," - goello-server-ng -json "[${_mdns_records[*]}]" +mdns::records::load(){ + local file="$1" + local records="" + while read line -r; do + records+="$line" + done < "$file" + records="${records%]*}" + records="${records#*[}" + _internal_mod_mdns_records+=("$records") } mdns::records::resolve(){ 
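Review bot: `while read line -r; do` in `mdns::records::load` passes `-r` as a second variable name instead of an option; bash refuses it as an identifier, `read` returns non-zero, and the loop exits before consuming anything, so `_internal_mod_mdns_records` never receives the file content and the `%]*`/`#*[` trims run on an empty string. Use `while IFS= read -r line || [ -n "$line" ]; do`, which also preserves backslashes and picks up a final line that lacks a newline. The loaded text is later spliced verbatim into the `-json` argument in `mdns::start::broadcaster`, so a comment that `$XDG_CONFIG_DIRS/goello/main.json` must be a well-formed JSON array under the operator's control would make that trust boundary explicit. `mdns::records::resolve` begins in this hunk and continues past it.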
@@ -28,8 +35,75 @@ mdns::records::resolve(){ printf "%s %s" "$server" "$port" } -mdns::resolver::start(){ - helpers::dir::writable "$XDG_STATE_HOME/avahi-daemon" create - rm -f /run/avahi-daemon/pid - avahi-daemon -f /config/avahi/main.conf --daemonize --no-drop-root --no-chroot --debug +mdns::start::broadcaster(){ + [ ! -e "$_default_mod_mdns_configuration_path" ] || mdns::records::load "$_default_mod_mdns_configuration_path" + local IFS="," + goello-server-ng -json "[${_internal_mod_mdns_records[*]}]" +} + +mdns::start::avahi(){ + # Current issues with Avahi: + # - no way to change /run/avahi-daemon to another location - symlink works though + # - daemonization writing to syslog is a problem + # - avahi insists that /run/avahi-daemon must belong to avahi:avahi + # which is absolutely ridiculous - https://github.com/lathiat/avahi/blob/778fadb71cb923eee74f3f1967db88b8c2586830/avahi-daemon/main.c#L1434 + # Some variant of it: https://github.com/lathiat/avahi/issues/349 + # - project is half-dead: https://github.com/lathiat/avahi/issues/388 + + local args=() + local avahisocket="$XDG_STATE_HOME/avahi-daemon/socket" + + # Make sure we can write it + helpers::dir::writable "$(dirname "$avahisocket")" + + # Cleanup leftovers on container restart + rm -f "$(dirname "$avahisocket")/pid" + + [ "$(printf "%s" "$LOG_LEVEL" | tr '[:upper:]' '[:lower:]')" != "debug" ] || args+=(--debug) + + # -D/--daemonize implies -s/--syslog that we do not want, so, just background it + avahi-daemon -f /config/avahi/main.conf --no-drop-root --no-chroot "${args[@]}" & + + local tries=1 + # Wait until the socket is there + until [ -e "$avahisocket" ]; do + sleep 1s + tries=$(( tries + 1)) + [ $tries -lt 10 ] || { + printf >&2 "Failed starting avahi in a reasonable time. 
Something is quite wrong\n" + return 1 + } + done +} + +mdns::start::dbus(){ + # https://linux.die.net/man/1/dbus-daemon-1 + # https://man7.org/linux/man-pages/man3/sd_bus_default.3.html + # https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html + + # $XDG_STATE_HOME=/tmp/state + # Configuration file also has that ^ hardcoded, so, cannot use the variable... + + local dbussocket=/tmp/state/dbus/system_bus_socket + + # Ensure directory exists + helpers::dir::writable "$(dirname "$dbussocket")" create + + # Point it there for other systems + export DBUS_SYSTEM_BUS_ADDRESS=unix:path="$dbussocket" + export DBUS_SESSION_BUS_ADDRESS=unix:path="$dbussocket" + + # Start it, without a PID file + dbus-daemon --nopidfile --config-file /config/dbus/main.conf + + local tries=1 + # Wait until the socket is there + until [ -e "$dbussocket" ]; do + sleep 1s + tries=$(( tries + 1)) + [ $tries -lt 10 ] || { + printf >&2 "Failed starting dbus in a reasonable time. Something is quite wrong\n" + return 1 + } + done } diff --git a/context/runtime/config/caddy/conf.d/auth.conf b/context/runtime/config/caddy/conf.d/auth.conf index 4af1ca5..b3b1e63 100644 --- a/context/runtime/config/caddy/conf.d/auth.conf +++ b/context/runtime/config/caddy/conf.d/auth.conf @@ -1,4 +1,4 @@ # XXX to be replaced by SSO / something better than this garbage -basicauth bcrypt "{args.0}" { - "{args.1}" "{args.2}" +basicauth bcrypt "{args[0]}" { + "{args[1]}" "{args[2]}" } diff --git a/context/runtime/config/caddy/conf.d/headers.conf b/context/runtime/config/caddy/conf.d/headers.conf index ef08ac2..10a6648 100644 --- a/context/runtime/config/caddy/conf.d/headers.conf +++ b/context/runtime/config/caddy/conf.d/headers.conf @@ -21,4 +21,4 @@ header ?Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Signature -header Server "{args.0}" +header Server "{args[0]}" 
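Review bot: `mdns::start::avahi` calls `helpers::dir::writable "$(dirname "$avahisocket")"` without the `create` argument that the removed `mdns::resolver::start` passed, so on a fresh state volume the helper's failure branch (the `exit 1` visible at the top of the helpers.sh hunk) fires instead of creating `$XDG_STATE_HOME/avahi-daemon`; add `create` as `mdns::start::dbus` does below. In `mdns::start::dbus`, `dbus-daemon` is started in the foreground rather than backgrounded like `avahi-daemon`, so unless `/config/dbus/main.conf` tells it to fork the `until [ -e "$dbussocket" ]` wait is never reached; either append `&` or record the fork setting in the comment. Both daemons keep the pre-existing `--no-drop-root --no-chroot` flags and `DBUS_SESSION_BUS_ADDRESS` is pointed at the system bus socket, each of which deserves a one-line why-comment for the next maintainer. The Caddyfile hunks sharing this line only migrate `{args.N}` to `{args[N]}`.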
diff --git a/context/runtime/config/caddy/conf.d/log.conf b/context/runtime/config/caddy/conf.d/log.conf index 67b7993..0400371 100644 --- a/context/runtime/config/caddy/conf.d/log.conf +++ b/context/runtime/config/caddy/conf.d/log.conf @@ -1,5 +1,5 @@ log { output stdout format json - level "{args.0}" + level "{args[0]}" } diff --git a/context/runtime/config/caddy/conf.d/mtls.conf b/context/runtime/config/caddy/conf.d/mtls.conf index fe68e39..a987863 100644 --- a/context/runtime/config/caddy/conf.d/mtls.conf +++ b/context/runtime/config/caddy/conf.d/mtls.conf @@ -1,6 +1,6 @@ -tls "{args.0}" { +tls "{args[0]}" { client_auth { - mode "{args.1}" - trusted_ca_cert_file "{args.2}" + mode "{args[1]}" + trusted_ca_cert_file "{args[2]}" } } diff --git a/context/runtime/config/caddy/conf.d/tls.conf b/context/runtime/config/caddy/conf.d/tls.conf index 29197da..527ce16 100644 --- a/context/runtime/config/caddy/conf.d/tls.conf +++ b/context/runtime/config/caddy/conf.d/tls.conf @@ -1,3 +1,3 @@ -tls "{args.0}" { - protocols "tls{args.1}" +tls "{args[0]}" { + protocols "tls{args[1]}" } diff --git a/hack/recipe.cue b/hack/recipe.cue index 6f415b1..d868546 100644 --- a/hack/recipe.cue +++ b/hack/recipe.cue @@ -20,7 +20,6 @@ cakes: { platforms: [ types.#Platforms.#AMD64, types.#Platforms.#ARM64, - // types.#Platforms.#V7, ] }