From 7452617aa7edef13c6723badcccf98b8b62ff4f3 Mon Sep 17 00:00:00 2001
From: Thomas Miceli
Date: Mon, 10 Apr 2023 22:52:52 +0200
Subject: [PATCH] Improve Dockerfile, docker build CI, Readme
---
.github/workflows/docker.yml | 52 +++++++++++
Dockerfile | 46 ++++-----
README.md | 175 +++++++++++++++++++++++++++++++++++
3 files changed, 251 insertions(+), 22 deletions(-)
create mode 100644 .github/workflows/docker.yml
create mode 100644 README.md
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 0000000..e568d11
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,52 @@
+name: Docker
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: |
+ ghcr.io/thomiceli/opengist
+ tags: |
+ type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+ type=semver,pattern={{major}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{version}}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
index 2e6dc44..eba90a2 100644
--- a/Dockerfile
+++ b/Dockerfile
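Review bot: Every `uses:` step in this job is pinned to a mutable major tag (`actions/checkout@v3`, `docker/metadata-action@v4`, `docker/setup-qemu-action@v2`, `docker/setup-buildx-action@v2`, `docker/login-action@v2`, `docker/build-push-action@v4`) while the job holds `packages: write` and logs in to ghcr.io with `GITHUB_TOKEN`. If one of those tags were moved to different code, that code would run with the token and could publish an altered image under the project's name. Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: docker/build-push-action@<full-commit-sha>  # v4`. Separately, the `latest` rule is enabled only when `github.ref` is the default branch, so a run triggered by `release: published` (where the ref is normally the release tag) would probably not move `latest`; confirm that is intended.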
@@ -1,6 +1,28 @@ +FROM alpine:3.17 AS build + +RUN apk update && \ + apk add --no-cache \ + make \ + gcc \ + musl-dev \ + libstdc++ + +COPY --from=golang:1.19-alpine /usr/local/go/ /usr/local/go/ +ENV PATH="/usr/local/go/bin:${PATH}" + +COPY --from=node:18-alpine /usr/local/ /usr/local/ +ENV NODE_PATH="/usr/local/lib/node_modules" +ENV PATH="/usr/local/bin:${PATH}" + +WORKDIR /opengist + +COPY . . + +RUN make + + FROM alpine:3.17 -# Install required dependencies RUN apk update && \ apk add --no-cache \ openssl \ @@ -9,35 +31,15 @@ RUN apk update && \ wget \ git \ gnupg \ - make \ xz \ gcc \ musl-dev \ libstdc++ -# Install Golang -COPY --from=golang:1.19-alpine /usr/local/go/ /usr/local/go/ -ENV PATH="/usr/local/go/bin:${PATH}" - -# Install Node.js -COPY --from=node:18-alpine /usr/local/ /usr/local/ -ENV NODE_PATH="/usr/local/lib/node_modules" -ENV PATH="/usr/local/bin:${PATH}" - -# Set the working directory WORKDIR /opengist -# Copy all source files -COPY . . +COPY --from=build /opengist/opengist . -# Build the application -RUN make - -# Expose the ports EXPOSE 6157 2222 - -# Mount the .opengist volume VOLUME /root/.opengist - -# Run the webserver CMD ["./opengist"] diff --git a/README.md b/README.md new file mode 100644 index 0000000..148218d --- /dev/null +++ b/README.md 
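Review bot: The new build stage takes its toolchains from mutable tags (`FROM alpine:3.17 AS build`, `COPY --from=golang:1.19-alpine`, `COPY --from=node:18-alpine`), so two builds of the same release can embed different compilers and base layers. Pinning each reference by digest, e.g. `FROM alpine:3.17@sha256:<digest> AS build` and `COPY --from=golang:1.19-alpine@sha256:<digest> /usr/local/go/ /usr/local/go/`, makes the published image reproducible and auditable. `COPY . .` sends the whole build context into the stage; no `.dockerignore` is visible in this patch, so it is worth confirming that `.git`, local configuration and any credentials are excluded. `apk update` is also redundant next to `apk add --no-cache`.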
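Review bot: The runtime stage in the second hunk still installs `gcc` and `musl-dev` even though compilation now happens in the `build` stage; only `make` was dropped from the list. A compiler and development headers in the shipped image are unused attack surface; if the binary needs only the shared runtime libraries, keep `libstdc++` and remove those two (to be verified against how `make` links the binary, which is not shown here). The stage also has no `USER` instruction, so the web server and the SSH listener on 2222 run as root with data under `/root/.opengist`; consider `RUN adduser -D opengist` followed by `USER opengist` and a volume under that user's home, with the README's compose example updated to match. The lines between the two hunks are not visible, so the remaining packages in the `apk add` list are not reviewed.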
@@ -0,0 +1,175 @@
+# Opengist
+
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/thomiceli/opengist?sort=semver)
+![License](https://img.shields.io/github/license/thomiceli/opengist?color=blue)
+
+A self-hosted pastebin **powered by Git**. [Try it here](https://opengist.thomice.li).
+
+* [Features](#features)
+* [Install](#install)
+ * [With Docker](#with-docker)
+ * [From source](#from-source)
+* [Configuration](#configuration)
+* [Administration](#administration)
+ * [Use Nginx as a reverse proxy](#use-nginx-as-a-reverse-proxy)
+ * [Use Fail2ban](#use-fail2ban)
+* [License](#license)
+
+## Features
+
+* Create public or unlisted snippets
+* Clone / Pull / Push snippets **via Git** over HTTP or SSH
+* Revisions history
+* Syntax highlighting ; markdown & CSV support
+* Like / Fork snippets
+* Search for all snippets or for certain users snippets
+* Editor with indentation mode & size ; drag and drop files
+* Download raw files or as a ZIP archive
+* Avatars
+* Responsive UI
+* Enable or disable signups
+* Admin panel : delete users/gists; clean database/filesystem by syncing gists
+* SQLite database
+* Logging
+* Docker support
+
+#### Todo
+
+- [ ] Light mode
+- [ ] Tests
+- [ ] Search for snippets
+- [ ] Embed snippets
+- [ ] Filesystem/Redis support for user sessions
+- [ ] Have a cool logo
+
+## Install
+
+### With Docker
+
+A Docker [image](https://github.com/users/thomiceli/packages/container/package/opengist), available for each release, can be pulled
+
+```
+docker pull ghcr.io/thomiceli/opengist:1
+```
+
+It can be used in a `docker-compose.yml` file :
+
+1. Create a `docker-compose.yml` file with the following content
+2. Run `docker-compose up -d`
+3. 
Opengist is now running on port 6157, you can browse http://localhost:6157
+
+```yml
+version: "3"
+
+services:
+ opengist:
+ image: ghcr.io/thomiceli/opengist:1
+ container_name: opengist
+ restart: unless-stopped
+ ports:
+ - "6157:6157" # HTTP port
+ - "2222:2222" # SSH port, can be removed if you don't use SSH
+ volumes:
+ - "$HOME/.opengist:/root/.opengist"
+ environment:
+ CONFIG: |
+ log-level: info
+```
+
+### From source
+
+Requirements : [Git](https://git-scm.com/downloads) (2.20+), [Go](https://go.dev/doc/install) (1.19+), [Node.js](https://nodejs.org/en/download/) (16+)
+
+```shell
+git clone https://github.com/thomiceli/opengist
+cd opengist
+make
+./opengist
+```
+
+Opengist is now running on port 6157, you can browse http://localhost:6157
+
+## Configuration
+
+Opengist can be configured using YAML. The full configuration file is [config.yml](config.yml), each default key/value
+pair can be overridden.
+
+### With docker
+
+Add a `CONFIG` environment variable in the `docker-compose.yml` file to the `opengist` service :
+
+```diff
+environment:
+ CONFIG: |
+ log-level: info
+ ssh.git-enabled: false
+ disable-signup: true
+ # ...
+```
+
+### With binary
+
+Create a `config.yml` file (you can reuse this [one](config.yml)) and run Opengist binary with the `--config` flag :
+
+```shell
+./opengist --config /path/to/config.yml
+```
+
+
+## Administration
+
+### Use Nginx as a reverse proxy
+
+Configure Nginx to proxy requests to Opengist. Here is an example configuration file :
+```
+server {
+ listen 80;
+ server_name opengist.example.com;
+
+ location / {
+ proxy_pass http://127.0.0.1:6157;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+```
+
+Then run :
+```shell
+service nginx restart
+```
+
+### Use Fail2ban
+
+Fail2ban can be used to ban IPs that try to bruteforce the login page.
+Log level must be set at least to `warn`.
+
+Add this filter in `etc/fail2ban/filter.d/opengist.conf` :
+```ini
+[Definition]
+failregex = Invalid .* authentication attempt from
+ignoreregex =
+```
+
+Add this jail in `etc/fail2ban/jail.d/opengist.conf` :
+```ini
+[opengist]
+enabled = true
+filter = opengist
+logpath = /home/*/.opengist/log/opengist.log
+maxretry = 10
+findtime = 3600
+bantime = 600
+banaction = iptables-allports
+port = anyport
+```
+
+Then run
+```shell
+service fail2ban restart
+```
+## License
+
+Opengist is licensed under the [AGPL-3.0 license](LICENSE).