Diffstat (limited to 'ci')
-rw-r--r-- | ci/config/SessionProvider.json | 6 | ||||
-rw-r--r-- | ci/config/config.json | 2 | ||||
-rw-r--r-- | ci/container/Dockerfile | 9 | ||||
-rw-r--r-- | ci/container/Taskfile.yaml | 6 | ||||
-rw-r--r-- | ci/container/docker-compose.yaml | 11 | ||||
-rw-r--r-- | ci/container/run.sh | 7 | ||||
-rw-r--r-- | ci/install.ps1 | 4 | ||||
-rw-r--r-- | ci/install.taskfile.yaml | 5 | ||||
-rw-r--r-- | ci/plugins.taskfile.yaml | 17 | ||||
-rw-r--r-- | ci/taskfile.yaml | 111 |
10 files changed, 122 insertions, 56 deletions
diff --git a/ci/config/SessionProvider.json b/ci/config/SessionProvider.json
index e281edf..6828114 100644
--- a/ci/config/SessionProvider.json
+++ b/ci/config/SessionProvider.json
@@ -16,6 +16,10 @@
 //time (in seconds) a session is valid for
 "valid_for_sec": 3600,
 //The maxium number of connections waiting for the cache server responses
- "max_waiting_connections": 100
+ "max_waiting_connections": 100,
+ //Enforce strict cross-origin session checks
+ "strict_cors": true,
+ ///Enforces strict TLS to help prevent tls downgrades based on stored session variables (privacy note: this can be leaked through brute-forced if session id is stolen)
+ "strict_tls_protocol": true
 }
 }
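Review bot: The comment added above `strict_tls_protocol` does not explain what the option does or what the privacy note refers to — "this can be leaked through brute-forced if session id is stolen" names neither the value that leaks nor who could read it — and it uses `///` where every other comment in this file uses `//`. If the intent is that the negotiated TLS version is stored with the session and later requests on that session must not use a lower one, say so plainly, e.g. `//Reject requests whose TLS version is lower than the one recorded when the session was created (the recorded value is readable by anyone holding the session id)`. Read together with `strict_cors`, a one-line note on what a rejected request sees (error vs. session reset) would also help operators who flip these flags.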
\ No newline at end of file
diff --git a/ci/config/config.json b/ci/config/config.json
index 37b952a..f6b55e9 100644
--- a/ci/config/config.json
+++ b/ci/config/config.json
@@ -177,6 +177,6 @@
 //Global secrets object, used by the host and pluings for a specialized secrets
 "secrets": {
 //"db_password": ""
- "passwords": "yourbase64passwordsecret"
+ "passwords": "_yourbase64passwordsecret_"
 }
 }
diff --git a/ci/container/Dockerfile b/ci/container/Dockerfile
index a6d35d4..8787fa3 100644
--- a/ci/container/Dockerfile
+++ b/ci/container/Dockerfile
@@ -5,7 +5,7 @@ FROM alpine:3.19 as native-cont
 #install public libs and build tools
-RUN apk update && apk add --no-cache build-base cmake npm git
+RUN apk update && apk add --no-cache build-base cmake npm git openssl
 #most universal way to use Task is from NPM
 RUN npm install -g @go-task/cli
@@ -20,7 +20,7 @@ RUN task build-libs
 #APP CONTAINER
 #move into a clean dotnet apline lean image
-FROM mcr.microsoft.com/dotnet/runtime:8.0.2-alpine3.19-amd64 as app-cont
+FROM mcr.microsoft.com/dotnet/runtime:8.0.3-alpine3.19-amd64 as app-cont
 LABEL name="vnuge/simple-bookmark"
 LABEL maintainer="Vaughn Nugent <vnpublic@proton.me>"
@@ -31,6 +31,8 @@ COPY app/ /app
 #pull compiled libs from build container
 COPY --from=native-cont /build/out /app/lib
+#copy self signed ssl certs for first startup
+COPY --from=native-cont /build/ssl /app/ssl
 RUN apk update && apk add --no-cache gettext icu-libs dumb-init curl
@@ -83,8 +85,9 @@ ENV VNCACHE_CACHE_PUBLIC_KEY=""
 #HTTP/PROXY Config
 ENV HTTP_DOWNSTREAM_SERVERS=[]
-ENV SSL_JSON="{}"
 ENV HTTP_TRACE_ON=false
+#set default certificate files to the self signed ones created in the build container
+ENV SSL_JSON='{"cert": "ssl/cert.pem", "privkey":"ssl/key.pem"}'
 #run the init script within dumb-init
 ENTRYPOINT ["dumb-init", "--"]
diff --git a/ci/container/Taskfile.yaml b/ci/container/Taskfile.yaml
index 69dff71..9f486ef 100644
--- a/ci/container/Taskfile.yaml
+++ b/ci/container/Taskfile.yaml
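Review bot: `"passwords": "_yourbase64passwordsecret_"` is still a committed placeholder for a secret, and nothing in this hunk makes the server refuse it; a deployment that ships `ci/config/config.json` unchanged would run with a well-known value. Unless the consumer is known to reject the underscore-wrapped form (not visible here), an empty string that fails startup loudly, or a reference resolved at runtime the way the container's templated configs are, is the safer default. At minimum the comment above the key should say that the placeholder must be replaced before the service is exposed.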
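Review bot: `COPY --from=native-cont /build/ssl /app/ssl` together with the new `ENV SSL_JSON` default bakes a private key into a layer of the published image, so every container started from it shares one key that anyone who can pull the image can read; the build-time echo in the Taskfile warns about this but does not prevent it. Since the key is only a first-start convenience, generating it in `run.sh` on first boot when `/app/ssl/key.pem` is absent would keep it per-deployment (that would need `openssl` on the app-cont `apk add` line rather than, or in addition to, native-cont). If the build-time key is kept, the `ENV SSL_JSON` comment should state that the default certificate is shared across all images and must be replaced, e.g. `#default cert/key are generated at image build time and identical in every copy of this image; mount your own before exposing the service`.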
@@ -8,6 +8,7 @@ version: "3"
 vars:
 INCLUDE_FILES: "Dockerfile, docker-compose.yaml"
+ CERT_KEY_PARAMS: "ec -pkeyopt ec_paramgen_curve:secp384r1"
 includes:
 install:
@@ -19,6 +20,7 @@ tasks:
 build-libs:
 vars:
 OUT_DIR: "{{.USER_WORKING_DIR}}/out"
+ SSL_DIR: "{{.USER_WORKING_DIR}}/ssl"
 #build stage generates the following libraries
 generates:
@@ -36,6 +38,10 @@ tasks:
 #build native compression lib and put in lib dir
 - cd lib/vnlib_compress && cmake -B./build && cmake --build build/ --config Release && cp build/libvn_compress.so {{.OUT_DIR}}/libvn_compress.so
+ #create a fresh self-signed cert for the container during build
+ - openssl req -new -x509 -days 365 -keyout {{.SSL_DIR}}/key.pem -out {{.SSL_DIR}}/cert.pem -newkey {{.CERT_KEY_PARAMS}} --nodes
+ - echo "WARNING Self signed certificate created during build stage, DO NOT COPY THIS IMAGE"
+
 #called from ci pipline to build the package
 build:
 cmds:
diff --git a/ci/container/docker-compose.yaml b/ci/container/docker-compose.yaml
index 465615d..63de647 100644
--- a/ci/container/docker-compose.yaml
+++ b/ci/container/docker-compose.yaml
@@ -11,7 +11,9 @@ services:
 volumes:
 - ./data:/app/data
 - ./assets:/app/usr/assets:ro
- - ./ssl:/app/ssl:ro
+ #uncomment to use your own ssl certs, otherwise a build-time cert will be used
+ #- ./ssl/cert.pem:/app/ssl/cert.pem:ro
+ #- ./ssl/key.pem:/app/ssl/key.pem:ro
 ports:
 - 8080:8080
 environment:
@@ -34,7 +36,7 @@ services:
 MAX_LOGIN_ATTEMPS: "10"
 #SECRETS
- PASSWORD_PEPPER: ""
+ PASSWORD_PEPPER: "" #A base64 encoded secret is required. raw string, vault://, file:// allowed
 DATABASE_PASSWORD: ""
 REDIS_PASSWORD: ""
 #if MEMCACHE_ONLY is false, then the following keys are required to connect to a VNCACHE cluster
@@ -44,7 +46,6 @@ services:
 #HTTP
 HTTP_DOWNSTREAM_SERVERS: '[]'
 HTTP_TRACE_ON: "false"
- #SSL_JSON: '{"cert": "ssl/cert.pem", "privkey":"ssl/priv.pem"}'
-
- SERVER_ARGS: ""
+
+ SERVER_ARGS: "--setup" #remove the setup flag after you are done setting up the server
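Review bot: The new `openssl req -new -x509 ...` line in `build-libs` passes no `-subj` (or `-batch`), so in a non-interactive container build it will prompt for the subject fields on a closed stdin and either fail or emit a certificate with an empty subject; adding `-subj "/CN=localhost"` (constructed example) makes the step deterministic. Nothing in this hunk creates `{{.SSL_DIR}}` and `-keyout` does not create directories, so a `- mkdir -p {{.SSL_DIR}}` before the openssl line is needed unless the directory is made outside the hunk (the `generates:` list that follows is cut off here). `--nodes` with two dashes is accepted by OpenSSL's option parser, but `-nodes` is the documented spelling and reads less like a GNU long option.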
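Review bot: `SERVER_ARGS: "--setup"` in the last docker-compose hunk makes setup mode the default for every `docker compose up` and relies on a trailing comment to get it removed; if `--setup` enables first-run registration or administrative endpoints (not visible here), a deployment that misses the comment stays in that state indefinitely. The safer shape is the previous default with the instruction moved into the comment: `SERVER_ARGS: "" #set to "--setup" for the very first start only, then clear it and restart`. The `PASSWORD_PEPPER` comment in the previous hunk is a good model; the same one-line note on what happens when the value is left empty would help for `DATABASE_PASSWORD` and `REDIS_PASSWORD` too.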
diff --git a/ci/container/run.sh b/ci/container/run.sh
index c780929..b452f2a 100644
--- a/ci/container/run.sh
+++ b/ci/container/run.sh
@@ -2,6 +2,8 @@
 #this script will be invoked by dumb-init in the container on statup and is located at /app
+echo "Generating configuration files"
+
 rm -rf config && mkdir config
 #substitude all -template files in the config-templates dir and write them to the config dir
@@ -9,7 +11,12 @@ for file in config-templates/*-template.json; do
 envsubst < $file > config/$(basename $file -template.json).json
 done
+echo "Complete"
+
+echo "Merging your asset files"
 cp usr/assets/* plugins/assets/ -rf
+echo "Complete"
 #start the server
+echo "Starting the server"
 dotnet webserver/VNLib.WebServer.dll --config config/config.json --input-off $SERVER_ARGS
\ No newline at end of file
diff --git a/ci/install.ps1 b/ci/install.ps1
index 7a5c455..b15dfc2 100644
--- a/ci/install.ps1
+++ b/ci/install.ps1
@@ -1,5 +1,9 @@
 param([String] $BaseUrl, [String] $ModuleName, [String] $ProjectName, [String]$FileName, [String]$Version)
+#random delays to space out the downloads
+$randomDelay = Get-Random -Minimum 300 -Maximum 1000
+Start-Sleep -Milliseconds $randomDelay
+
 $_src = "$BaseUrl/$ModuleName/$Version/$ProjectName/$FileName"
 #download the latest version
diff --git a/ci/install.taskfile.yaml b/ci/install.taskfile.yaml
index 898958b..587ac86 100644
--- a/ci/install.taskfile.yaml
+++ b/ci/install.taskfile.yaml
@@ -16,4 +16,7 @@ tasks:
 - cd {{.DIR}} && powershell "{{ .PROJECT_DIR }}/install.ps1" -BaseUrl {{.BUILDS_URL}} -ModuleName {{.MODULE_NAME}} -ProjectName {{.PROJECT_NAME}} -FileName {{.FILE_NAME}} -Version {{.VERSION}}
 - cd {{.DIR}} && tar -xzf {{.FILE_NAME}}
 #remove the archive file
- - cd {{.DIR}} && powershell -Command "rm {{.FILE_NAME}}"
\ No newline at end of file
+ - cd {{.DIR}} && powershell -Command "rm {{.FILE_NAME}}"
+ #remove all pckage.json files that could cause build issues
+ - cmd: cd {{.DIR}} && powershell 'Get-ChildItem -Path . -Recurse -File -Filter "package.json" | Remove-Item -Force'
+ ignore_error: true
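Review bot: The new package.json sweep is a recursive `Remove-Item -Force` rooted at `{{.DIR}}`, and `ignore_error: true` on that command also silences a failed `cd`; if `DIR` is ever empty, Task's built-in shell treats a bare `cd` as "go to the home directory" and the delete would run there instead of the extracted module. Declaring `DIR` under `requires: vars:` (if the Task version in use supports it) or guarding with `test -n "{{.DIR}}" &&` keeps the sweep inside the intended tree. The comment also has a typo: `#remove all package.json files that could cause build issues`.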
\ No newline at end of file
diff --git a/ci/plugins.taskfile.yaml b/ci/plugins.taskfile.yaml
index df930db..7cb508c 100644
--- a/ci/plugins.taskfile.yaml
+++ b/ci/plugins.taskfile.yaml
@@ -26,13 +26,14 @@ tasks:
 - install-argon2-lib
 - install-compression
 - install-sqlite
+ - install-router
+ - install-accounts
+ - install-sessions
+ - install-vncache
+ - install-vncache-sessions
+ - install-users
 cmds:
- - task: install-accounts
- - task: install-router
- - task: install-sessions
- - task: install-vncache
- - task: install-vncache-sessions
- - task: install-users
+ - echo "Installing and configuring plugins and UI"
 - task: build-bookmarks
@@ -157,8 +158,6 @@ tasks:
 DIR: './lib/vnlib_compress'
 VERSION: '{{.CORE_VERSION}}'
- - cd 'lib/vnlib_compress' && powershell rm package.json
-
 install-argon2-lib:
 cmds:
 #install the argon2 binary for Windows
@@ -180,7 +179,7 @@ tasks:
 VERSION: '{{.CORE_VERSION}}'
 #remove unneeded files
- - for: [ man, latex, kats, argon2-specs.pdf, package.json ]
+ - for: [ man, latex, kats, argon2-specs.pdf ]
 cmd: powershell -Command "rm ./lib/argon2/{{.ITEM}} -Recurse"
 ignore_error: true
diff --git a/ci/taskfile.yaml b/ci/taskfile.yaml
index c35b226..e808d39 100644
--- a/ci/taskfile.yaml
+++ b/ci/taskfile.yaml
@@ -36,7 +36,11 @@ tasks:
 ignore_error: true
 - task: plugins:all
+ #remove runtime-shared libs before they are copied
+ - task: prune-plugin-libs
 - task: install-webserver
+
+ #runtimes must be pruned for specific targets
 - task: prune-runtimes
 #run container build last
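Review bot: Moving the six `install-*` tasks from `cmds` into `deps` makes them run concurrently with no ordering between them, and the same commit adds a random 300–1000 ms sleep to `install.ps1` "to space out the downloads", which reads as a workaround for the resulting burst rather than a fix. If the builds host rate-limits or the downloads collide, a retry on failure inside `install.ps1` or Task's `--concurrency` limit is deterministic where jitter is not. It is also worth a comment on the `deps:` list stating that each install must write only to its own directory, since any two that share an output path now race; the enclosing task's header is outside this hunk.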
@@ -59,20 +63,38 @@ tasks:
 #remove the executable since its not needed
 - cmd: cd webserver/ && powershell -Command "rm VNlib.WebServer"
- - for: [ windows-x86_64, linux-x86_64, osx-x86_64, windows-arm, linux-arm, osx-arm ]
- task: create-env
- vars:
- TARGET_OS: '{{.ITEM}}'
+ - task: parallel-envs
+
+ parallel-envs:
+ deps:
+ - task: create-env
+ vars: { TARGET_OS: 'windows-x86_64' }
+ - task: create-env
+ vars: { TARGET_OS: 'linux-x86_64' }
+ - task: create-env
+ vars: { TARGET_OS: 'osx-x86_64' }
+ - task: create-env
+ vars: { TARGET_OS: 'windows-arm' }
+ - task: create-env
+ vars: { TARGET_OS: 'linux-arm' }
+ - task: create-env
+ vars: { TARGET_OS: 'osx-arm' }
 postbuild_success:
+ deps:
+ - task: pack
+ vars: { TARGET_OS: 'windows-x86_64' }
+ - task: pack
+ vars: { TARGET_OS: 'linux-x86_64' }
+ - task: pack
+ vars: { TARGET_OS: 'osx-x86_64' }
+ - task: pack
+ vars: { TARGET_OS: 'windows-arm' }
+ - task: pack
+ vars: { TARGET_OS: 'linux-arm' }
+ - task: pack
+ vars: { TARGET_OS: 'osx-arm' }
 cmds:
- #make bin dir
- - cmd: powershell -Command "mkdir bin -Force"
- ignore_error: true
- - for: [ windows-x86_64, linux-x86_64, osx-x86_64, windows-arm, linux-arm, osx-arm ]
- task: pack
- vars:
- TARGET_OS: '{{.ITEM}}'
 #cleanup unnecessary build files that clog up the pipeline
 - for: [ build, plugins, dist, lib, webserver ]
@@ -80,11 +102,7 @@ tasks:
 ignore_error: true
 - task: container:postbuild_success
-
- build-container:
- cmds:
- - task: container:build
-
+
 create-env:
 vars:
 BUILD_DIR: './build/{{.TARGET_OS}}'
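Review bot: The `postbuild_success` rewrite drops the `mkdir bin -Force` step, but `pack` still writes `../../bin/{{.TARGET_OS}}-release.tgz` (visible at the top of the next hunk; the rest of `pack` is outside this one), so on a clean checkout the six parallel `pack` deps will fail unless `bin/` is created somewhere else. Re-adding the mkdir under `cmds:` would not help because `deps` run before `cmds`; it belongs inside `pack` itself, e.g. `- cmd: powershell -Command "mkdir bin -Force"` with `ignore_error: true` as the first command there, or in a small task that `pack` depends on. The same six-target list is now spelled out twice, in `parallel-envs` and `postbuild_success`; a comment on each `deps:` naming the other keeps them from drifting when a target is added.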
@@ -107,38 +125,59 @@ tasks:
 ignore_error: true
 - cd build/{{.TARGET_OS}} && tar -czf ../../bin/{{.TARGET_OS}}-release.tgz .
- prune-runtimes:
+ prune-plugin-libs:
 cmds:
+ - for: ['vnlib.utils.dll' , 'vnlib.net.http.dll', 'VNLib.Hashing.Portable.dll', 'VNLib.Plugins.Essentials.dll', 'VNLib.Plugins.dll', 'Serilog.dll', 'Serilog.Sinks.Console.dll', 'Serilog.Sinks.File.dll']
+ cmd: cd plugins && powershell 'Get-ChildItem -Path . -Recurse -File -Filter "{{.ITEM}}" | Remove-Item -Force'
+
+ prune-runtimes:
+ deps:
 #prune sqlite runtime native libraries that Im not targeting
 #windows
- - for: ['browser-wasm', 'linux-arm', 'linux-arm64', 'linux-armel', 'linux-mips64', 'linux-musl-arm', 'linux-musl-arm64', 'linux-musl-x64', 'linux-ppc64le', 'linux-s390x', 'linux-x64', 'linux-x86', 'maccatalyst-arm64', 'maccatalyst-x64', 'osx-arm64', 'osx-x64', 'win-arm', 'win-arm64' ]
- cmd: cd build/windows-x86_64/{{.SQLITE_OUT_DIR}}/runtimes && powershell -Command "rm {{.ITEM}} -Recurse -Force"
- ignore_error: true
-
+ - task: prune-files
+ vars:
+ ITEMS: 'browser-wasm,linux-arm,linux-arm64,linux-armel,linux-mips64,linux-musl-arm,linux-musl-arm64,linux-musl-x64,linux-ppc64le,linux-s390x,linux-x64,linux-x86,maccatalyst-arm64,maccatalyst-x64,osx-arm64,osx-x64,win-arm,win-arm64'
+ DIR: 'windows-x86_64'
+
 #windows arm
- - for: ['browser-wasm', 'linux-arm', 'linux-arm64', 'linux-armel', 'linux-mips64', 'linux-musl-arm', 'linux-musl-arm64', 'linux-musl-x64', 'linux-ppc64le', 'linux-s390x', 'linux-x64', 'linux-x86', 'maccatalyst-arm64', 'maccatalyst-x64', 'osx-arm64', 'osx-x64', 'win-x86', 'win-x64' ]
- cmd: cd build/windows-arm/{{.SQLITE_OUT_DIR}}/runtimes && powershell -Command "rm {{.ITEM}} -Recurse -Force"
- ignore_error: true
+ - task: prune-files
+ vars:
+ ITEMS: 'browser-wasm,linux-arm,linux-arm64,linux-armel,linux-mips64,linux-musl-arm,linux-musl-arm64,linux-musl-x64,linux-ppc64le,linux-s390x,linux-x64,linux-x86,maccatalyst-arm64,maccatalyst-x64,osx-arm64,osx-x64,win-x86,win-x64'
+ DIR: 
'windows-arm'
 #linux x64
- - for: ['browser-wasm', 'linux-arm', 'linux-arm64', 'linux-armel', 'linux-musl-arm', 'linux-musl-arm64', 'maccatalyst-arm64', 'maccatalyst-x64', 'osx-arm64', 'osx-x64', 'win-arm', 'win-arm64', 'win-x86', 'win-x64' ]
- cmd: cd build/linux-x86_64/{{.SQLITE_OUT_DIR}}/runtimes && powershell -Command "rm {{.ITEM}} -Recurse -Force"
- ignore_error: true
+ - task: prune-files
+ vars:
+ ITEMS: 'browser-wasm,linux-arm,linux-arm64,linux-armel,linux-musl-arm,linux-musl-arm64,maccatalyst-arm64,maccatalyst-x64,osx-arm64,osx-x64,win-arm,win-arm64,win-x86,win-x64'
+ DIR: 'linux-x86_64'
 #linux arm
- - for: ['browser-wasm', 'linux-mips64', 'linux-musl-x64', 'linux-ppc64le', 'linux-s390x', 'linux-x64', 'linux-x86', 'maccatalyst-arm64', 'maccatalyst-x64', 'osx-arm64', 'osx-x64', 'win-arm', 'win-arm64', 'win-x86', 'win-x64' ]
- cmd: cd build/linux-arm/{{.SQLITE_OUT_DIR}}/runtimes && powershell -Command "rm {{.ITEM}} -Recurse -Force"
- ignore_error: true
+ - task: prune-files
+ vars:
+ ITEMS: 'browser-wasm,linux-mips64,linux-musl-x64,linux-ppc64le,linux-s390x,linux-x64,linux-x86,maccatalyst-arm64,maccatalyst-x64,osx-arm64,osx-x64,win-arm,win-arm64,win-x86,win-x64'
+ DIR: 'linux-arm'
 #osx x64
- - for: ['browser-wasm', 'linux-arm', 'linux-arm64', 'linux-armel', 'linux-mips64', 'linux-musl-arm', 'linux-musl-arm64', 'linux-musl-x64', 'linux-ppc64le', 'linux-s390x', 'linux-x64', 'linux-x86', 'maccatalyst-arm64', 'win-arm', 'win-arm64', 'win-x86', 'win-x64' ]
- cmd: cd build/osx-x86_64/{{.SQLITE_OUT_DIR}}/runtimes && powershell -Command "rm {{.ITEM}} -Recurse -Force"
- ignore_error: true
+ - task: prune-files
+ vars:
+ ITEMS: 'browser-wasm,linux-arm,linux-arm64,linux-armel,linux-mips64,linux-musl-arm,linux-musl-arm64,linux-musl-x64,linux-ppc64le,linux-s390x,linux-x64,linux-x86,maccatalyst-arm64,win-arm,win-arm64,win-x86,win-x64'
+ DIR: 'osx-x86_64'
 #osx arm
- - for: ['browser-wasm', 'linux-arm', 'linux-arm64', 'linux-armel', 'linux-mips64', 'linux-musl-arm', 
'linux-musl-arm64', 'linux-musl-x64', 'linux-ppc64le', 'linux-s390x', 'linux-x64', 'linux-x86', 'maccatalyst-x64', 'osx-x64', 'win-arm', 'win-arm64', 'win-x86', 'win-x64' ]
- cmd: cd build/osx-arm/{{.SQLITE_OUT_DIR}}/runtimes && powershell -Command "rm {{.ITEM}} -Recurse -Force"
- ignore_error: true
+ - task: prune-files
+ vars:
+ ITEMS: 'browser-wasm,linux-arm,linux-arm64,linux-armel,linux-mips64,linux-musl-arm,linux-musl-arm64,linux-musl-x64,linux-ppc64le,linux-s390x,linux-x64,linux-x86,maccatalyst-x64,osx-x64,win-arm,win-arm64,win-x86,win-x64'
+ DIR: 'osx-arm'
+
+ cmds:
+ - echo "Pruning runtime files"
+
+ prune-files:
+ internal: true
+ cmds:
+ - for: { var: ITEMS, split: ','}
+ cmd: cd build/{{.DIR}}/{{.SQLITE_OUT_DIR}}/runtimes && powershell -Command "rm {{.ITEM}} -Recurse -Force"
+ ignore_error: true
 clean:
 ignore_error: true |
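Review bot: In `prune-plugin-libs` the `for:` list mixes `'vnlib.utils.dll'` and `'vnlib.net.http.dll'` with `'VNLib.Hashing.Portable.dll'`; `Get-ChildItem -Filter` is case-insensitive on Windows but case-sensitive on Linux, so if this task is ever run under PowerShell on Linux the lower-case entries would match nothing and, with no error from an empty pipeline, the shared libs would silently be shipped alongside the plugins. Spelling every entry with the assemblies' real on-disk casing (presumably `'VNLib.Utils.dll'` and `'VNLib.Net.Http.dll'` — confirm against the build output) removes the dependence on the host filesystem; the stray space in `'vnlib.utils.dll' ,` should go at the same time. `prune-files` keeps `ignore_error: true` on the remove, so a mistyped ITEMS entry is likewise never reported; a short comment on that line saying the ignore is only meant to tolerate runtimes that were never downloaded would tell the next reader that it is deliberate. `clean:` continues outside the hunk.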