Compare commits
16 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 0bc8c67e92 | |||
| 39e1037020 | |||
| 1f566cf8bf | |||
| 2046dd0983 | |||
| f788c3a132 | |||
| 9c20ba929a | |||
| 4b2c9268d9 | |||
| e1e84909f9 | |||
| 784cef2c74 | |||
| 568dd00554 | |||
| f5480a12dc | |||
| 3363c3725d | |||
| 69d5b8aeae | |||
| 26c809f746 | |||
| eb1cefe72e | |||
| f3c441db2b |
24
.gitea/workflows/cd.yaml
Normal file
24
.gitea/workflows/cd.yaml
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
name: Continuous Integration
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
tags:
|
||||||
|
- "v[0-9]+.[0-9]+.[0-9]+"
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
runs-on: linux
|
||||||
|
steps:
|
||||||
|
- name: Git checkout
|
||||||
|
uses: actions/checkout@v6
|
||||||
|
with:
|
||||||
|
fetch-tags: true
|
||||||
|
- name: Build tarball
|
||||||
|
run: make tarball
|
||||||
|
- name: Build rpm package
|
||||||
|
run: rpmbuild -ba "$(make name).spec"
|
||||||
|
- name: Upload rpm package
|
||||||
|
run: make upload
|
||||||
|
env:
|
||||||
|
PACKAGES_USERNAME: ${{ vars.PACKAGES_USERNAME }}
|
||||||
|
PACKAGES_TOKEN: ${{ secrets.PACKAGES_TOKEN }}
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
name: Continuous Integration
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
env:
|
|
||||||
runs-on: linux
|
|
||||||
steps:
|
|
||||||
- name: Show env
|
|
||||||
run: env | sort
|
|
||||||
34
Makefile
34
Makefile
@@ -1,12 +1,16 @@
|
|||||||
NAME = $(shell basename $(PWD))
|
NAME = netoik-rp
|
||||||
VERSION = $(shell git describe | sed 's/-/./g')
|
VERSION = $(shell git describe --always --tags --abbrev=0)
|
||||||
|
RELEASE = $(shell git rev-parse --short HEAD)
|
||||||
BRANCH = $(shell git branch --show-current)
|
BRANCH = $(shell git branch --show-current)
|
||||||
|
BUILD_ARCH = noarch
|
||||||
|
|
||||||
|
RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
|
||||||
RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
|
RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
|
||||||
RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
|
RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
|
||||||
RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
|
RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
|
||||||
RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
|
RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
|
||||||
RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
|
RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
|
||||||
|
RPM_BUILD_PATH = $(RPM_RPMDIR)/$(BUILD_ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(BUILD_ARCH).rpm
|
||||||
|
|
||||||
.PHONY: name
|
.PHONY: name
|
||||||
name:
|
name:
|
||||||
@@ -16,6 +20,22 @@ name:
|
|||||||
version:
|
version:
|
||||||
@echo "$(VERSION)"
|
@echo "$(VERSION)"
|
||||||
|
|
||||||
|
.PHONY: release
|
||||||
|
release:
|
||||||
|
@echo "$(RELEASE)"
|
||||||
|
|
||||||
|
.PHONY: build_arch
|
||||||
|
build_arch:
|
||||||
|
@echo "$(BUILD_ARCH)"
|
||||||
|
|
||||||
|
.PHONY: install
|
||||||
|
install:
|
||||||
|
install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
|
||||||
|
install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
|
||||||
|
install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
|
||||||
|
install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
|
||||||
|
install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
|
||||||
|
|
||||||
$(RPM_TARBALL_PATH): *
|
$(RPM_TARBALL_PATH): *
|
||||||
git archive --format=tar.gz \
|
git archive --format=tar.gz \
|
||||||
--output="$@" \
|
--output="$@" \
|
||||||
@@ -26,10 +46,6 @@ $(RPM_TARBALL_PATH): *
|
|||||||
.PHONY: tarball
|
.PHONY: tarball
|
||||||
tarball: $(RPM_TARBALL_PATH)
|
tarball: $(RPM_TARBALL_PATH)
|
||||||
|
|
||||||
.PHONY: install
|
.PHONY: upload
|
||||||
install:
|
upload:
|
||||||
install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
|
curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(PACKAGES_USERNAME):$(PACKAGES_TOKEN)" https://git.netoik.io/api/packages/samuel/rpm/upload
|
||||||
install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/default.conf
|
|
||||||
install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
|
|
||||||
install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
|
|
||||||
install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
|
|
||||||
|
|||||||
@@ -14,14 +14,17 @@ resolver 127.0.0.1;
|
|||||||
|
|
||||||
# Add some basic security headers from OWASP
|
# Add some basic security headers from OWASP
|
||||||
# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
|
# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
|
||||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
|
# And Nextcloud doc
|
||||||
add_header X-Frame-Options "DENY" always;
|
# see: https://docs.nextcloud.com/server/31/admin_manual/installation/harden_server.html
|
||||||
add_header X-XSS-Protection "0" always;
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
add_header X-Frame-Options "sameorigin" always;
|
||||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
add_header X-XSS-Protection "1;mode=block" always;
|
||||||
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||||
add_header Cross-Origin-Resource-Policy "same-site" always;
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||||
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
|
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self';" always;
|
||||||
add_header Server "webserver" always;
|
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
||||||
add_header X-Robots-Tag "noindex, nofollow" always;
|
add_header Cross-Origin-Resource-Policy "same-site" always;
|
||||||
|
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
|
||||||
|
add_header Server "webserver" always;
|
||||||
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
||||||
|
|||||||
@@ -2,13 +2,13 @@
|
|||||||
|
|
||||||
Name: %(make name)
|
Name: %(make name)
|
||||||
Version: %(make version)
|
Version: %(make version)
|
||||||
Release: 1%{?dist}
|
Release: %(make release)
|
||||||
Summary: Netoik Reverse Proxy
|
Summary: Netoik Reverse Proxy
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: https://git.netoik.io/samuel/netoik-rp
|
URL: https://git.netoik.io/samuel/netoik-rp
|
||||||
|
|
||||||
Source0: %{name}-%{version}.tar.gz
|
Source0: %{name}-%{version}.tar.gz
|
||||||
Buildarch: noarch
|
Buildarch: %(make build_arch)
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
Requires: nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl
|
Requires: nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user