🔨: refactor some code

✨: add nginx
🐛: fix some bug

init.sh

@@ -16,9 +16,10 @@ _yellow() { echo -e "${yellow}$*${none}"; }
 _magenta() { echo -e "${magenta}$*${none}"; }
 _cyan() { echo -e "${cyan}$*${none}"; }
 
-domain_name="http://127.0.0.1"
+local_domain="localtest.me"
+domain_name="${local_domain}"
 modules=""
-meta_module="meta.sr.ht"
+#meta_module="meta.sr.ht"
 git_module="git.sr.ht"
 hg_module="hg.sr.ht"
 build_module="builds.sr.ht"
@@ -65,29 +66,10 @@ function build_base_image() {
   docker build -t sr.ht-base:dev ./base/ && echo
 }
 
-function generate_launch_shell() {
-  md="$(echo "$meta_module $1" | awk '{ gsub(/\./,""); print $0 }')"
-  md_count=$(echo "$md" | awk '{print NF}')
-  cp ./template/config.ini.template config.ini
-  echo "" >"start.sh"
-  for ((i = 1; i <= "$md_count"; i++)); do
-    m=$(echo "$md" | awk -v i="$i" '{print $i }')
-    mp="500$i"
-    echo "$m-initdb" >>"start.sh"
-    echo "/usr/bin/gunicorn $m.app:app -b 0.0.0.0:$mp -D" >>"start.sh"
-    m_domain="http://$m.$domain_name"
-
-    if [[ "$domain_name"  == "http://127.0.0.1" ]]; then
-         m_domain=$domain_name:$mp
-    fi
-
-    tp="{{"$m"_domain}}"
-    sed -i "s@$tp@$m_domain@" config.ini
-  done
-  sed "s/{{PORTS}}/5001-500$md_count:5001-500$md_count/" ./template/docker-compose.yml.template >docker-compose.yml
-  #  fix builds launch
-  sed -i "s/buildssrht/buildsrht/" start.sh
-  echo "tail -f /dev/null" >>start.sh
+
+function set_domain() {
+  sed "s@$local_domain@$domain_name@g" template/config.ini.template >config.ini
+  sed -i "s/$local_domain/srht/g" "grep -rl $local_domain nginx_conf"
 }
 
 function select_version_control() {
@@ -181,20 +163,30 @@ echo
 echo "domain_input :$domain_input"
 if [[ "$domain_input" == 's' || -z "$domain_input" ]]; then
   echo -e "$yellow skip${none}"
+  cp template/config.ini.template  config.ini
 else
   domain_name=$domain_input
+  set_domain
 fi
+
 echo "domain:  $domain_name"
 echo
 echo
-generate_launch_shell "$modules" &
-progress $! "🤖 Generate Launch Shell"
+#generate_launch_shell "$modules" &
+#progress $! "🤖 Generate Launch Shell"
+
 
 echo
 echo
 sed "s/{{MODULES}}/$modules/" ./template/Dockerfile.template >Dockerfile &
 progress $! "🐋 Generate Dockerfile"
 
+echo
+echo
+db_names=$(echo "$modules" | tr -d '.' | tr " " "," )
+sed "s/{{database_name}}/$db_names/" ./template/docker-compose.yml.template >docker-compose.yml &
+progress $! "🐋 Generate DockerCompose file"
+
 echo
 echo
 build_base_image &
@@ -218,5 +210,4 @@ progress $! "🔧 Generate Config"
 echo
 echo
 
-# TODO modules config
-# TODO Database secret
+

nginx_conf/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2020 Drew DeVault
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

nginx_conf/README.md

@@ -0,0 +1,16 @@
+# sr.ht-nginx
+
+This is the nginx configuration files used by sr.ht in production. They are
+designed to run on an Alpine Linux system using the official sourcehut Alpine
+packages. You may use them on your own servers, but your mileage may vary.
+Install the -nginx package (e.g. git.sr.ht-nginx) to pull in these files, then
+edit `/etc/nginx/domains.conf` (and `/etc/nginx/nginx.conf`, if necessary) to
+suit your particular installation.
+
+You should also write your own file, *-ssl.conf (e.g.
+`/etc/nginx/builds-ssl.conf`), which configures the SSL certificate, like so:
+
+    ssl_certificate /etc/ssl/uacme/builds.sr.ht/cert.pem;
+    ssl_certificate_key /etc/ssl/uacme/private/builds.sr.ht/key.pem;
+
+This is annoying. You can thank the nginx devs.

nginx_conf/graphql.conf

@@ -0,0 +1,20 @@
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+if ($request_method = 'OPTIONS') {
+	add_header 'Access-Control-Allow-Origin' '*';
+	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+	add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+	add_header 'Access-Control-Max-Age' 1728000;
+	add_header 'Content-Type' 'text/plain; charset=utf-8';
+	add_header 'Content-Length' 0;
+	return 204;
+}
+
+add_header 'Access-Control-Allow-Origin' '*';
+add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';

nginx_conf/headers.conf

@@ -0,0 +1,4 @@
+add_header X-Clacks-Overhead "GNU Terry Pratchett";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+# Fuck you, Google, I don't spy on my users
+add_header Permissions-Policy interest-cohort=();

nginx_conf/http.d/builds.sr.ht.conf

@@ -0,0 +1,24 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name builds.localtest.me;
+
+	client_max_body_size 100M;
+
+	location / {
+		proxy_pass http://srhts:5002;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always;
+		include web.conf;
+	}
+
+	location /query {
+		proxy_pass http://srhts:5102;
+		include graphql.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/buildsrht;
+		expires 30d;
+	}
+}

nginx_conf/http.d/chat.sr.ht.conf

@@ -0,0 +1,46 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name chat.localtest.me;
+
+	client_max_body_size 100M;
+
+	location / {
+		# TODO: find a nicer way to do this
+		if ($http_cookie !~* "sr.ht.unified-login.v1") {
+			return 302 https://meta.sr.ht/login?return_to=$scheme://$host$request_uri;
+		}
+
+		root /usr/share/webapps/gamja;
+		include headers.conf;
+		# We have to use a weird connect-src because of a Safari bug
+		# https://bugs.webkit.org/show_bug.cgi?id=201591
+		add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; connect-src wss://chat.sr.ht https://chat.sr.ht" always;
+		# TODO: setup caching
+	}
+
+	# Manifests aren't requested with cookies by default,
+	# so it needs to be served in a location directive
+	# that doesn't perform the auth redirect.
+	location = /manifest.webmanifest {
+		root /usr/share/webapps/gamja;
+	}
+
+	location /socket {
+		proxy_pass http://srhts:8080;
+		proxy_read_timeout 600s;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "Upgrade";
+		include web.conf;
+	}
+
+	location /config.json {
+		proxy_pass http://srhts:8080;
+		include web.conf;
+	}
+
+	location /metrics {
+		proxy_pass http://srhts:6060;
+	}
+}

nginx_conf/http.d/dispatch.sr.ht.conf

@@ -0,0 +1,17 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name dispatch.localtest.me;
+
+	location / {
+		proxy_pass http://srhts:5005;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'" always;
+		include web.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/dispatchsrht;
+		expires 30d;
+	}
+}

nginx_conf/http.d/git.sr.ht.conf

@@ -0,0 +1,43 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name git.localtest.me;
+
+	client_max_body_size 100M;
+
+	location / {
+		proxy_pass http://srhts:5001;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
+		include web.conf;
+	}
+
+	location /query {
+		proxy_pass http://srhts:5101;
+		include graphql.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/gitsrht;
+		expires 30d;
+	}
+
+	location = /authorize {
+		proxy_pass http://srhts:5001;
+		proxy_pass_request_body off;
+		proxy_set_header Content-Length "";
+		proxy_set_header X-Original-URI $request_uri;
+	}
+
+	location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
+		auth_request /authorize;
+		root /var/lib/git;
+		fastcgi_pass unix:/run/fcgiwrap/fcgiwrap.sock;
+		fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+		fastcgi_param PATH_INFO $uri;
+		fastcgi_param GIT_PROJECT_ROOT $document_root;
+		fastcgi_read_timeout 500s;
+		include fastcgi_params;
+		gzip off;
+	}
+}

nginx_conf/http.d/hg.sr.ht.conf

@@ -0,0 +1,31 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name hg.localtest.me;
+
+	client_max_body_size 100M;
+
+	location / {
+		proxy_pass http://srhts:5010;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
+		include web.conf;
+	}
+
+	location /query {
+		proxy_pass http://srhts:5110;
+		include graphql.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/hgsrht;
+		expires 30d;
+	}
+
+	# Let clients reach pull bundles. We don't really need to lock this down even for
+	# private repos because the bundles are named after the revision hashes... so someone 
+	# would need to guess a SHA value to download anything.
+	location ~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\.hg/bundles/.*$ {
+		root /var/lib/mercurial;
+	}
+}

nginx_conf/http.d/lists.sr.ht.conf

@@ -0,0 +1,23 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name lists.localtest.me;
+	client_max_body_size 100M;
+
+	location / {
+		proxy_pass http://srhts:5006;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
+		include web.conf;
+	}
+
+	location /query {
+		proxy_pass http://srhts:5106;
+		include graphql.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/listssrht;
+		expires 30d;
+	}
+}

nginx_conf/http.d/man.sr.ht.conf

@@ -0,0 +1,19 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name man.localtest.me;
+
+	client_max_body_size 100M;
+
+	location / {
+		proxy_pass http://srhts:5004;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
+		include web.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/mansrht;
+		expires 30d;
+	}
+}

nginx_conf/http.d/meta.sr.ht.conf

@@ -0,0 +1,27 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name meta.localtest.me;
+
+	location / {
+		proxy_pass http://srhts:5000;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
+		include web.conf;
+	}
+
+	location /register {
+		proxy_pass http://srhts:5000;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
+	}
+
+	location /query {
+		proxy_pass http://srhts:5100;
+		include graphql.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/metasrht;
+		expires 30d;
+	}
+}

nginx_conf/http.d/paste.sr.ht.conf

@@ -0,0 +1,24 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name paste.sr.ht pasta.localtest.me;
+
+	client_max_body_size 10M;
+
+	location / {
+		proxy_pass http://srhts:5011;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
+		include web.conf;
+	}
+
+	location /query {
+		proxy_pass http://srhts:5111;
+		include graphql.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/pastesrht;
+		expires 30d;
+	}
+}

nginx_conf/http.d/todo.sr.ht.conf

@@ -0,0 +1,24 @@
+server {
+	include sourcehut.conf;
+	include port80.conf;
+	server_name todo.localtest.me;
+
+	client_max_body_size 100M;
+
+	location / {
+		proxy_pass http://srhts:5003;
+		include headers.conf;
+		add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
+		include web.conf;
+	}
+
+	location /query {
+		proxy_pass http://srhts:5103;
+		include graphql.conf;
+	}
+
+	location /static {
+		root /usr/lib/$python/site-packages/todosrht;
+		expires 30d;
+	}
+}

nginx_conf/nginx.conf

@@ -0,0 +1,32 @@
+user nginx;
+worker_processes auto;
+pcre_jit on;
+error_log /var/log/nginx/error.log warn;
+include /etc/nginx/modules/*.conf;
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	default_type application/octet-stream;
+
+	server_tokens off;
+	client_max_body_size 1m;
+	sendfile on;
+	tcp_nopush on;
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers on;
+	ssl_session_cache shared:SSL:2m;
+	ssl_session_timeout 1h;
+	ssl_session_tickets off;
+	gzip_vary on;
+
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+		'$status $body_bytes_sent "$http_referer" '
+		'"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log main;
+
+	include /etc/nginx/http.d/*.conf;
+}

nginx_conf/port443.conf

@@ -0,0 +1,13 @@
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+gzip on;
+gzip_types text/css text/html;
+
+location ^~ /.well-known {
+	root /var/www;
+}
+
+location = /robots.txt {
+	root /var/www;
+}

nginx_conf/port80.conf

@@ -0,0 +1,10 @@
+listen 80;
+listen [::]:80;
+
+location ^~ /.well-known {
+	root /var/www;
+}
+
+location = /robots.txt {
+	root /var/www;
+}

nginx_conf/robots.txt

@@ -0,0 +1,77 @@
+# Our policy
+#
+# Allowed:
+# - Search engine indexers
+# - Archival services (e.g. IA)
+#
+# Disallowed:
+# - Marketing or SEO crawlers
+# - Bots which are too agressive by default. This is subjective, if you annoy
+#   our sysadmins you'll be blocked.
+#
+# Reach out to sir@cmpwn.com if you have questions.
+
+# It doesn't make sense to index these and/or it's expensive:
+User-agent: *
+Disallow: /*?*
+Disallow: /*.tar.gz$
+Disallow: /metrics
+Disallow: /*/*/blame/*
+Disallow: /*/*/log/*
+Disallow: /*/*/tree/*
+Disallow: /*/*/item/*
+
+# Too aggressive, marketing/SEO
+User-agent: SemrushBot
+Disallow: /
+
+# Too aggressive, marketing/SEO
+User-agent: SemrushBot-SA
+Disallow: /
+
+# Marketing/SEO
+User-agent: AhrefsBot
+Disallow: /
+
+# Marketing/SEO
+User-agent: dotbot
+Disallow: /
+
+# Marketing/SEO
+User-agent: rogerbot
+Disallow: /
+
+User-agent: BLEXBot
+Disallow: /
+
+# Huwei something or another, badly behaved
+User-agent: AspiegelBot
+Disallow: /
+
+# Marketing/SEO
+User-agent: ZoominfoBot
+Disallow: /
+
+# YandexBot is a dickhead, too aggressive
+User-agent: Yandex
+Disallow: /
+
+# Marketing/SEO
+User-agent: MJ12bot
+Disallow: /
+
+# Marketing/SEO
+User-agent: DataForSeoBot
+Disallow: /
+
+# Used for Alexa, I guess, who cares
+User-agent: Amazonbot
+Disallow: /
+
+# No
+User-agent: turnitinbot
+Disallow: /
+
+# Does not respect * directives
+User-agent: Seekport Crawler
+Disallow: /

nginx_conf/sourcehut.conf

@@ -0,0 +1,3 @@
+set $python "python3.9";
+set_real_ip_from 127.0.0.0/16;
+set_real_ip_from 173.195.146.128/25;

nginx_conf/web.conf

@@ -0,0 +1,5 @@
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

postgres_sh/create-multiple-postgresql-databases.sh

@@ -0,0 +1,21 @@
+
+set -e
+set -u
+
+function create_user_and_database() {
+	local database=$1
+	echo "  Creating user and database '$database'"
+	psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+	    CREATE USER $database;
+	    CREATE DATABASE $database;
+	    GRANT ALL PRIVILEGES ON DATABASE $database TO $database;
+EOSQL
+}
+
+if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
+	echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
+	for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
+		create_user_and_database $db
+	done
+	echo "Multiple databases created"
+fi

start.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+set -e
+
+service_list="$*"
+echo "service list: $service_list"
+
+metasrht-initdb
+#metasrht-manageuser  -p  -e admin@test.com  -t admin admin
+/usr/bin/gunicorn metasrht.app:app -c /etc/sr.ht/meta.sr.ht.gunicorn.conf.py -b 0.0.0.0:5000 -D
+#/usr/bin/metasrht-api -b 0.0.0.0:5100 &
+/usr/bin/celery -A metasrht.webhooks worker --loglevel=info &
+echo "0	2	*	*	*  /usr/bin/metasrht-daily" >>/etc/crontab
+
+if [[ "$service_list" == *"git"* ]]; then
+  gitsrht-initdb
+  /usr/bin/gunicorn gitsrht.app:app -b 0.0.0.0:5001 -c /etc/sr.ht/git.sr.ht.gunicorn.conf.py -D
+  #  /usr/bin/gitsrht-api -b 0.0.0.0:5101
+  /usr/bin/celery -A gitsrht.webhooks worker --loglevel=info &
+  echo "*/20 * * * *  /usr/bin/gitsrht-periodic" >>/etc/crontab
+fi
+
+if [[ "$service_list" == *"hg"* ]]; then
+  hgsrht-initdb
+  /usr/bin/gunicorn hgsrht.app:app -b 0.0.0.0:5010 -c /etc/sr.ht/git.sr.ht.gunicorn.conf.py -D
+#  /usr/bin/hgsrht-api -b 0.0.0.0:5110 &
+  /usr/bin/celery -A hgsrht.webhooks worker --loglevel=info &
+  echo "*/20 * * * *  /usr/bin/hgsrht-periodic" >>/etc/crontab
+fi
+
+if [[ "$service_list" == *"builds"* ]]; then
+  buildsrht-initdb
+  /usr/bin/gunicorn buildsrht.app:app -b 0.0.0.0:5002 -c /etc/sr.ht/builds.sr.ht.gunicorn.conf.py -D
+
+fi
+
+#if [[ "$service_list" == *"lists"* ]]; then
+#  listssrht-initdb
+#  /usr/bin/gunicorn listsrht.app:app -b 0.0.0.0:5006 -c /etc/sr.ht/lists.sr.ht.gunicorn.conf.py -D
+#  /usr/bin/listssrht-api -b 0.0.0.0:5106 &
+#  /usr/bin/listssrht-lmtp &
+#  /usr/bin/celery -A listssrht.webhooks worker --loglevel=info &
+#
+#fi
+
+if [[ "$service_list" == *"man"* ]]; then
+  mansrht-initdb
+  /usr/bin/gunicorn mansrht.app:app -b 0.0.0.0:5004 -c /etc/sr.ht/man.sr.ht.gunicorn.conf.py -D
+fi
+
+if [[ "$service_list" == *"todo"* ]]; then
+  todosrht-initdb
+  /usr/bin/gunicorn todosrht.app:app -b 0.0.0.0:5003 -c /etc/sr.ht/todo.sr.ht.gunicorn.conf.py -D
+#  /usr/bin/todosrht-api -b 0.0.0.0:5103
+  #  /usr/bin/todosrht-lmtp &
+  /usr/bin/celery -A todosrht.webhooks worker --loglevel=info &
+fi
+
+if [[ "$service_list" == *"paste"* ]]; then
+  pastesrht-initdb
+  /usr/bin/gunicorn pastesrht.app:app -b 0.0.0.0:5011 -c /etc/sr.ht/paste.sr.ht.gunicorn.conf.py -D
+fi
+
+tail -f /dev/null

template/Dockerfile.template

@@ -2,7 +2,7 @@ FROM sr.ht-base:dev
 COPY ./start.sh /
 RUN chmod +x /start.sh
 RUN apk add  {{MODULES}}
-CMD ["/bin/sh", "start.sh"]
+CMD ["/bin/sh", "start.sh","{{MODULES}}"]
 
 
 

template/config.ini.template

@@ -94,14 +94,14 @@ private-key={{WEBHOOK_KEY}}
 [git.sr.ht]
 #
 # URL git.sr.ht is being served at (protocol://domain)
-origin={{gitsrht_domain}}
+origin=http://gitsrht.localtest.me
 #
 # Address and port to bind the debug server to
 debug-host=0.0.0.0
 debug-port=5001
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://sourcehut:sourcehut@database/sourcehut
+connection-string=postgresql://sourcehut:sourcehut@database/gitsrht?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
@@ -169,14 +169,14 @@ internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
 #/usr/bin/buildsrht-keys=builds:builds
 
 [meta.sr.ht]
-origin={{metasrht_domain}}
+origin=http://metasrht.localtest.me
 #
 # Address and port to bind the debug server to
 debug-host=0.0.0.0
 debug-port=5000
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://sourcehut:sourcehut@database/sourcehut
+connection-string=postgresql://sourcehut:sourcehut@database/metasrht?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
@@ -222,7 +222,7 @@ internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
 registration=yes
 #
 # Where to redirect new users upon registration
-onboarding-redirect={{DOMAIN}}:5000
+onboarding-redirect=http://gitsrht.localtest.me/
 #
 # How many invites each user is issued upon registration (only applicable if
 # open registration is disabled)
@@ -249,14 +249,14 @@ stripe-secret-key=
 [paste.sr.ht]
 #
 # URL paste.sr.ht is being served at (protocol://domain)
-origin={{pastesrht_domain}}
+origin=http://pastesrht.localtest.me
 #
 # Address and port to bind the debug server to
 debug-host=0.0.0.0
 debug-port=5011
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://sourcehut:sourcehut@database/sourcehut
+connection-string=postgresql://sourcehut:sourcehut@database/pastesrht?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
@@ -274,14 +274,14 @@ oauth-client-secret=
 [lists.sr.ht]
 #
 # URL lists.sr.ht is being served at (protocol://domain)
-origin={{listssrht_domain}}
+origin=http://listssrht.localtest.me
 #
 # Address and port to bind the debug server to
 debug-host=0.0.0.0
 debug-port=5006
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://sourcehut:sourcehut@database/sourcehut
+connection-string=postgresql://sourcehut:sourcehut@database/listssrht?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
@@ -295,7 +295,7 @@ redis=redis://redis-kv:6379/0
 #
 # The domain that incoming email should be sent to. Forward mail sent here to
 # the LTMP socket.
-posting-domain={{listsrht_domain}}
+posting-domain=http://listssrht.localtest.me
 #
 # lists.sr.ht's OAuth client ID and secret for meta.sr.ht
 # Register your client at meta.example.org/oauth
@@ -369,14 +369,14 @@ internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
 [todo.sr.ht]
 #
 # URL todo.sr.ht is being served at (protocol://domain)
-origin={{todosrht_domain}}
+origin=http://todosrht.localtest.me
 #
 # Address and port to bind the debug server to
 debug-host=0.0.0.0
 debug-port=5003
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://sourcehut:sourcehut@database/sourcehut
+connection-string=postgresql://sourcehut:sourcehut@database/todosrht?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
@@ -414,14 +414,14 @@ posting-domain=
 [builds.sr.ht]
 #
 # URL builds.sr.ht is being served at (protocol://domain)
-origin={{buildssrht_domain}}
+origin=http://buildssrht.localtest.me
 #
 # Address and port to bind the debug server to
 debug-host=0.0.0.0
 debug-port=5002
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://sourcehut:sourcehut@database/sourcehut
+connection-string=postgresql://sourcehut:sourcehut@database/buildssrht?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes
@@ -495,14 +495,14 @@ s3-prefix=
 [hg.sr.ht]
 #
 # URL hg.sr.ht is being served at (protocol://domain)
-origin={{hgsrht_domain}}
+origin=http://hgsrht.localtest.me
 #
 # Address and port to bind the debug server to
 debug-host=0.0.0.0
 debug-port=5010
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://sourcehut:sourcehut@database/sourcehut
+connection-string=postgresql://sourcehut:sourcehut@database/hgsrht?sslmode=disable
 #
 # The redis connection used for the webhooks worker
 webhooks=redis://redis-kv:6379/1
@@ -564,14 +564,14 @@ internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
 [man.sr.ht]
 #
 # URL man.sr.ht is being served at (protocol://domain)
-origin={{mansrht_domain}}
+origin=http://mansrht.localtest.me
 #
 # Address and port to bind the debug server to
 debug-host=0.0.0.0
 debug-port=5004
 #
 # Configures the SQLAlchemy connection string for the database.
-connection-string=postgresql://sourcehut:sourcehut@database/sourcehut
+connection-string=postgresql://sourcehut:sourcehut@database/mansrht?sslmode=disable
 #
 # Set to "yes" to automatically run migrations on package upgrade.
 migrate-on-upgrade=yes

template/docker-compose.yml.template

@@ -3,25 +3,46 @@ version: '3.4'
 services:
   redis-kv:
     image: redis:latest
+    networks:
+      - srht-net
   database:
     image: postgres:latest
+    volumes:
+      - db-data:/var/lib/postgresql/data
+      - ./postgres_sh:/docker-entrypoint-initdb.d
     environment:
       POSTGRES_USER: sourcehut
-      POSTGRES_DB: sourcehut
       POSTGRES_PASSWORD: sourcehut
-    volumes:
-      - db-data:/var/lib/postgresql/data
+      POSTGRES_MULTIPLE_DATABASES: metasrht,{{database_name}}
+    networks:
+      - srht-net
   srhts:
     build: ./
-    ports:
-      - {{PORTS}}
     volumes:
       - git-data:/var/lib/git
       - ./config.ini:/etc/sr.ht/config.ini
-    links:
+    networks:
+      - srht-net
+    depends_on:
       - database
       - redis-kv
 
+  nginx:
+    image: nginx:alpine
+    ports:
+      - '80:80'
+    volumes:
+      - ./nginx_conf/:/etc/nginx/
+    networks:
+      - srht-net
+    depends_on:
+      - srhts
+
 volumes:
   db-data:
   git-data:
+
+
+networks:
+  srht-net:
+    driver: bridge