From e4f689ff8d10764d807f334fc59e54c244d88e54 Mon Sep 17 00:00:00 2001 From: clsr Date: Sun, 24 Nov 2019 03:14:32 +0100 Subject: Initial commit --- COPYING | 3 + docker-compose.yaml | 26 +++++++ gomf-modpanel.conf | 26 +++++++ gomf-modpanel/Dockerfile | 31 +++++++++ gomf-modpanel/run-gomf-modpanel.bash | 64 +++++++++++++++++ gomf.conf | 131 +++++++++++++++++++++++++++++++++++ gomf/Dockerfile | 31 +++++++++ gomf/run-gomf.bash | 90 ++++++++++++++++++++++++ 8 files changed, 402 insertions(+) create mode 100644 COPYING create mode 100644 docker-compose.yaml create mode 100644 gomf-modpanel.conf create mode 100644 gomf-modpanel/Dockerfile create mode 100644 gomf-modpanel/run-gomf-modpanel.bash create mode 100644 gomf.conf create mode 100644 gomf/Dockerfile create mode 100644 gomf/run-gomf.bash
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..fd08ffe
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,3 @@
+This software is released into the public domain.
+It is provided "as is", without warranties or conditions of any kind.
+Anyone is free to use, modify, redistribute and do anything with this software.
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..4bb1536
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,26 @@
+version: '3.7'
+
+services:
+ gomf:
+ container_name: gomf
+ restart: always
+ build:
+ context: ./gomf
+ volumes:
+ - ./gomf.conf:/gomf.conf:ro
+ - gomf-storage:/gomf/upload:rw
+ - gomf-log:/gomf/log:rw
+
+ gomf-modpanel:
+ container_name: gomf-modpanel
+ restart: always
+ build:
+ context: ./gomf-modpanel
+ volumes:
+ - ./gomf-modpanel.conf:/gomf-modpanel.conf:ro
+ - gomf-storage:/gomf/upload:rw
+ - gomf-log:/gomf/log:rw
+
+volumes:
+ gomf-storage:
+ gomf-log:
diff --git a/gomf-modpanel.conf b/gomf-modpanel.conf
new file mode 100644
index 0000000..57b5827
--- /dev/null
+++ b/gomf-modpanel.conf
@@ -0,0 +1,26 @@
+# vim: set ft=sh:
+
+#shellcheck disable=SC2034
+
+# Simple startup/configuration script for gomf-modpanel
+# Leave options blank ("OPTION=", "OPTION=''") or comment them out to use
+# gomf-modpanel defaults (see `gomf-modpanel --help`)
+
+#
+# URL path prefix to serve modpanel under
+#URL_PREFIX=/mod/
+
+# URL path to deletion log
+#DELETION_LOG=/deleted
+
+# The URL that Gomf serves uploaded files on
+#
+# Defaults to /u/
+#UPLOAD_URL=https://u.example.com/
+
+# List of usernames and passwords that can access the mod panel
+#
+# Entries should be in the form "user:password"
+ACCESS=(
+ test:test
+)
diff --git a/gomf-modpanel/Dockerfile b/gomf-modpanel/Dockerfile
new file mode 100644
index 0000000..8601629
--- /dev/null
+++ b/gomf-modpanel/Dockerfile
@@ -0,0 +1,31 @@
+FROM golang:alpine AS builder
+
+RUN set -x \
+ && apk add --no-cache git build-base file-dev \
+ && git clone https://git.clsr.net/gomf/gomf-modpanel-web /gomf-modpanel-web \
+ && rm -rf /gomf-modpanel-web/.git \
+ && go get -v git.clsr.net/gomf/gomf-modpanel
+
+
+FROM alpine
+
+RUN set -x \
+ && apk add --no-cache libmagic bash
+
+COPY --from=builder /go/bin/gomf-modpanel /app/
+COPY --from=builder /gomf-modpanel-web /gomf-modpanel
+
+COPY run-gomf-modpanel.bash /app/
+
+ARG UID=1000
+RUN set -x \
+ && adduser -S -u $UID gomf \
+ && mkdir -p /gomf/upload/ids /gomf/log \
+ && chown -R gomf /gomf
+
+USER gomf
+WORKDIR /gomf-modpanel
+VOLUME /gomf/upload
+VOLUME /gomf/log
+EXPOSE 9001
+ENTRYPOINT ["bash", "/app/run-gomf-modpanel.bash"]
diff --git a/gomf-modpanel/run-gomf-modpanel.bash b/gomf-modpanel/run-gomf-modpanel.bash
new file mode 100644
index 0000000..bfa4385
--- /dev/null
+++ b/gomf-modpanel/run-gomf-modpanel.bash
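Review bot: The shipped gomf-modpanel.conf enables a working login, `ACCESS=( test:test )`, so any deployment that leaves this file unedited puts the moderation panel behind a publicly known username and password. docker-compose.yaml mounts the file into the container as-is and run-gomf-modpanel.bash passes the array straight to `--access`, so nothing stands between this default and a running service. Ship the entry commented out, e.g. `#ACCESS=( user:password )`, and have the start script exit with an error when ACCESS is empty or still holds the sample pair.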
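Review bot: Nothing that goes into the gomf-modpanel image is pinned: `FROM golang:alpine` and `FROM alpine` float with the registry tags, and `git clone https://git.clsr.net/gomf/gomf-modpanel-web` together with `go get -v git.clsr.net/gomf/gomf-modpanel` build whatever the default branch holds at build time. Two builds of this same commit can therefore produce different binaries, and an upstream change reaches the image without review. Pin the base images to a version tag or digest and fetch a fixed revision, e.g. `git clone --branch <TAG> --depth 1 …` and `go get git.clsr.net/gomf/gomf-modpanel@<VERSION>` (placeholders; the `@version` form needs module mode). gomf/Dockerfile has the same pattern for gomf-web and gomf.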
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+set -eu
+
+###############################################################################
+
+# The gomf-modpanel binary
+GOMF_MODPANEL_BIN=/app/gomf-modpanel
+
+# Root folder for Gomf containing gomf-modpanel-web files
+#
+# Defaults to current directory if not set.
+GOMF_MODPANEL_ROOT=/gomf-modpanel
+
+# Root folder for Gomf containing gomf-web files
+#
+# Defaults to current directory if not set.
+GOMF_ROOT=/gomf
+
+# The host to listen on for HTTP and/or HTTPS
+#
+# Use 'localhost' if using local reverse proxy, 0.0.0.0 to listen to any host
+# or a specific hostname to only allow connections to that address.
+LISTEN_HOST=0.0.0.0
+
+# The port to listen on for HTTP
+#
+# 80 for a standard HTTP server, probably a higher port (e.g. 9000) if
+# reverse-proxied.
+HTTP_PORT=9001
+
+# The port to listen on for HTTPS
+#
+# 443 for a standard HTTPS server. Requires TLS_CERT and TLS_KEY
+#HTTPS_PORT=8443
+
+# SSL certificate for HTTPS
+#TLS_CERT=cert.pem
+
+# SSL certificate key for HTTPS
+#TLS_KEY=key.pem
+
+source /gomf-modpanel.conf
+
+###############################################################################
+
+flags=()
+[ -n "${GOMF_MODPANEL_ROOT:-}" ] && cd "$GOMF_MODPANEL_ROOT"
+[ -n "${GOMF_ROOT:-}" ] && flags+=(--gomf-root "$GOMF_ROOT")
+[ -n "${URL_PREFIX:-}" ] && flags+=(--prefix "$URL_PREFIX")
+[ -n "${DELETION_LOG:-}" ] && flags+=(--deletion-log "$DELETION_LOG")
+[ -n "${UPLOAD_URL:-}" ] && flags+=(--upload-url "$UPLOAD_URL")
+[ -n "${HTTP_PORT:-}" ] && flags+=(--http "${LISTEN_HOST:-localhost}:$HTTP_PORT")
+[ -n "${HTTPS_PORT:-}" ] && [ -n "${TLS_CERT:-}" ] && [ -n "${TLS_KEY:-}" ] && flags+=(
+ --https "${LISTEN_HOST:-localhost}:$HTTPS_PORT"
+ --cert "$TLS_CERT" --key "$TLS_KEY")
+oldifs="$IFS" IFS=,
+[ -n "${ACCESS[*]:-}" ] && flags+=(--access "${ACCESS[*]}")
+IFS="$oldifs"
+
+printf "%s" "${GOMF_MODPANEL_BIN:-gomf-modpanel}"
+[ "${#flags}" -gt 0 ] && printf " \"%s\"" "${flags[@]}"
+printf "\n"
+exec 
"${GOMF_MODPANEL_BIN:-gomf-modpanel}" "${flags[@]}"
diff --git a/gomf.conf b/gomf.conf
new file mode 100644
index 0000000..9a0dc47
--- /dev/null
+++ b/gomf.conf
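Review bot: The start-up echo in run-gomf-modpanel.bash writes the moderator credentials to the container log: `printf " \"%s\"" "${flags[@]}"` prints every flag, including the `--access` value built from ACCESS, so each `user:password` pair ends up in `docker logs` and in whatever collects them. Mask the argument that follows `--access` when printing, or drop the echo. Passing the pairs on argv also leaves them readable in the process list; if gomf-modpanel can take them from a file or the environment (not visible in this commit), prefer that. Separately, `"${#flags}"` is the length of the first element rather than the element count, so the guard should read `[ "${#flags[@]}" -gt 0 ]`. run-gomf.bash repeats both the echo, where it exposes the `--log-hash-salt` value, and the `${#flags}` guard.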
@@ -0,0 +1,131 @@
+# vim: set ft=sh:
+
+#shellcheck disable=SC2034
+
+# Simple startup/configuration script for Gomf
+# Leave options blank ("OPTION=", "OPTION=''") or comment them out to use Gomf
+# defaults (see `gomf --help`)
+
+
+# The website name, appearing on web pages
+#NAME='Gomf'
+
+# The hostname to serve uploaded files on
+#
+# By default, any connection can serve files on path /u/$file, but, if enabled,
+# this host will serve them directly on /$file.
+#UPLOAD_HOST=u.example.com
+
+# The URL to serve uploaded files on
+#
+# Generated URLs will be $UPLOAD_URL/$file.$ext.
+# If not specified, it is generated depending on which variables are set:
+# - $UPLOAD_HOST and $LISTEN_HTTPS: https://$UPLOAD_HOST/
+# - $UPLOAD_HOST and $LISTEN_HTTP: http://$UPLOAD_HOST/
+# - $LISTEN_HTTPS: https://$LISTEN_HTTPS/u/
+# - $LISTEN_HTTP: http://$LISTEN_HTTP/u/
+#UPLOAD_URL=https://u.example.com/
+
+# The contact email address, appearing on web pages
+#CONTACT_EMAIL=contact@example.com
+
+# The abuse contact email address, appearing on web pages
+#ABUSE_EMAIL=abuse@example.com
+
+# Adds the HSTS header to responses
+#HSTS=0
+
+# Sets the Content-Security-Policy header
+#
+# Useful for disallowing script execution in XML-based formats (e.g. SVG).
+# Gomf default is "default-src 'none'; media-src 'self'", which blocks all
+# scripts but allows inline video playback.
+# Set to "0" to disable the CSP header.
+#CSP="default-src 'none'; media-src 'self'"
+
+# Allows serving HTML/XHTML files with their actual MIME types
+#
+# If disabled, text/html and application/xhtml+xml will be served as types
+# text/plain to prevent rendering thme in browser and to keep services such as
+# CloudFlare from modifying them to insert its tracking JavaScript.
+#ALLOW_HTML=0
+
+# Sets Access-Control-Allow-Origin header to "*"
+#
+# This enables CORS and allows other sites' JavaScript applications to upload
+# files using XMLHttpRequest.
+#CORS=1
+
+# Enables grills
+#
+# With this enabled, the path /grill.php will serve a redirect to a random file
+# from the static/grill/ directory. This is used as a background-image in the
+# bottom right corner in the default gomf-web style.
+#GRILL=1
+
+# The charset used to generate file IDs
+#
+# Should only contain URL-safe characters. Must not contain / and _.
+#ID_CHARSET='abcdefghijklmnopqrstuvwxyz'
+
+# The length of generated file IDs
+#ID_LENGTH=6
+
+# Maximum allowed size in MiB
+#
+# When blank/commented, no maximum upload size is enforced.
+#MAX_SIZE_MIB=50
+
+# Enable whitelist mode instead of blacklist for filters
+#
+# When enabled, only the file extensions/types specified in filters are allowed
+# and all others are blocked. When disabled, the extensions/types in filters
+# are blocked and all others are allowed.
+#WHITELIST=0
+
+# The file extensions (without leading dot) to filter
+#
+# Set to an empty array to disable.
+#FILTER_EXT=(exe dll msi scr com pif)
+
+# The file MIME types to filter
+#
+# Set to an empty array to disable.
+#FILTER_MIME=(
+# application/x-dosexec
+# application/x-msdos-program
+#)
+
+# Enable logging
+#
+# When set to 1, all uploads are logged to $GOMF_ROOT/log/.
+LOG=1
+
+# Enable logging of IP addresses
+#LOG_IP=0
+
+# Enable logging of hashed IP addresses
+#LOG_IP_HASH=0
+
+# Enable logging of User-Agent headers
+#LOG_UA=0
+
+# Enable logging of hashed User-Agent headers
+#LOG_UA_HASH=0
+
+# Enable logging of Referer headers
+#LOG_REFERER=0
+
+# Enable logging of hashed Referer headers
+#LOG_REFERER_HASH=0
+
+# Salt for hashed log entries
+#
+# Used to obfuscate entries when LOG_*_HASH option is enabled for privacy.
+#LOG_HASH_SALT='put some unique string here'
+
+# Count of trusted reverse proxies
+#
+# Used to determine which, if any, X-Forwarded-For or X-Real-IP to trust when
+# logging or hashing the uploaders' IP addresses
+PROXY_COUNT=1
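Review bot: `PROXY_COUNT=1` at the end of gomf.conf is enabled by default, but its comment does not say what happens when the number is wrong, and this commit's docker-compose.yaml defines no reverse proxy in front of the container. If the value is higher than the real number of proxies, a client-supplied X-Forwarded-For or X-Real-IP header is presumably accepted as the uploader address once LOG_IP or LOG_IP_HASH is turned on, which makes the abuse log forgeable. Add a line to the comment such as `# Must equal the number of proxies actually in front of Gomf; use 0 when clients connect directly, otherwise the logged address can be forged.`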
diff --git a/gomf/Dockerfile b/gomf/Dockerfile
new file mode 100644
index 0000000..4775fea
--- /dev/null
+++ b/gomf/Dockerfile
@@ -0,0 +1,31 @@
+FROM golang:alpine AS builder
+
+RUN set -x \
+ && apk add --no-cache git build-base file-dev \
+ && git clone https://git.clsr.net/gomf/gomf-web /gomf-web \
+ && rm -rf /gomf-web/.git \
+ && go get -v git.clsr.net/gomf/gomf
+
+
+FROM alpine
+
+RUN set -x \
+ && apk add --no-cache libmagic bash
+
+COPY --from=builder /go/bin/gomf /app/
+COPY --from=builder /gomf-web /gomf
+
+COPY run-gomf.bash /app/
+
+ARG UID=1000
+RUN set -x \
+ && adduser -S -u $UID gomf \
+ && mkdir -p /gomf/upload/ids /gomf/log \
+ && chown -R gomf /gomf
+
+USER gomf
+WORKDIR /gomf
+VOLUME /gomf/upload
+VOLUME /gomf/log
+EXPOSE 9000
+ENTRYPOINT ["bash", "/app/run-gomf.bash"]
diff --git a/gomf/run-gomf.bash b/gomf/run-gomf.bash
new file mode 100644
index 0000000..b4acd88
--- /dev/null
+++ b/gomf/run-gomf.bash
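Review bot: `chown -R gomf /gomf` in gomf/Dockerfile hands the whole web root to the service account, because `COPY --from=builder /gomf-web /gomf` placed the site's own files in the same tree as the upload and log directories. A process that only needs to write uploads and logs can then also rewrite the pages it serves, which widens what a flaw in the upload handler could reach. Limit ownership to the writable directories with `&& chown -R gomf /gomf/upload /gomf/log`, unless gomf writes elsewhere under its root (not visible in this commit). The modpanel image does not have this overlap, since its web files go to /gomf-modpanel.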
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+set -eu
+
+###############################################################################
+
+# The Gomf binary
+GOMF_BIN=/app/gomf
+
+# Root folder for Gomf containing gomf-web files
+#
+# All paths in other options are relative to this.
+# Defaults to current directory if not set.
+GOMF_ROOT=/gomf
+
+# The host to listen on for HTTP and/or HTTPS
+#
+# Use 'localhost' if using local reverse proxy, 0.0.0.0 to listen to any host
+# or a specific hostname to only allow connections to that address.
+LISTEN_HOST=0.0.0.0
+
+# The port to listen on for HTTP
+#
+# 80 for a standard HTTP server, probably a higher port (e.g. 9000) if
+# reverse-proxied.
+HTTP_PORT=9000
+
+# The port to listen on for HTTPS
+#
+# 443 for a standard HTTPS server. Requires TLS_CERT and TLS_KEY
+#HTTPS_PORT=443
+
+# SSL certificate for HTTPS
+#TLS_CERT=cert.pem
+
+# SSL certificate key for HTTPS
+#TLS_KEY=key.pem
+
+# Redirect traffic accepted with the HTTP handler to HTTOS
+#
+# Uses the same host, path and query as the incomming request, just rewrites
+# the scheme to https://.
+# Only works when serving directly. If a reverse proxy is used, it should be
+# also used to set up this redirect instead.
+#REDIRECT_HTTPS=0
+
+source /gomf.conf
+
+###############################################################################
+
+flags=()
+[ -n "${GOMF_ROOT:-}" ] && cd "$GOMF_ROOT"
+[ -n "${NAME:-}" ] && flags+=(--name "$NAME")
+[ -n "${UPLOAD_HOST:-}" ] && flags+=(--upload-host "$UPLOAD_HOST")
+[ -n "${UPLOAD_URL:-}" ] && flags+=(--upload-url "$UPLOAD_URL")
+[ -n "${CONTACT_EMAIL:-}" ] && flags+=(--contact "$CONTACT_EMAIL")
+[ -n "${ABUSE_EMAIL:-}" ] && flags+=(--abuse "$ABUSE_EMAIL")
+[ -n "${HTTP_PORT:-}" ] && flags+=(--http "${LISTEN_HOST:-localhost}:$HTTP_PORT")
+[ -n "${HTTPS_PORT:-}" ] && [ -n "${TLS_CERT:-}" ] && [ -n "${TLS_KEY:-}" ] && flags+=(
+ --https "${LISTEN_HOST:-localhost}:$HTTPS_PORT"
+ --cert "$TLS_CERT" --key "$TLS_KEY")
+[ "${REDIRECT_HTTPS:-0}" -ne 0 ] && flags+=(--redirect-https)
+[ "${HSTS:-0}" -ne 0 ] && flags+=(--hsts)
+[ -n "${ID_CHARSET:-}" ] && flags+=(--id-charset "$ID_CHARSET")
+[ -n "${ID_LENGTH:-}" ] && flags+=(--id-length "$ID_LENGTH")
+[ -n "${MAX_SIZE_MIB:-}" ] && flags+=(--max-size "$((MAX_SIZE_MIB*1024*1024))")
+[ "${WHITELIST:-0}" -ne 0 ] && flags+=(--whitelist)
+oldifs="$IFS" IFS=,
+[ -n "$(declare -p FILTER_EXT 2>/dev/null)" ] && flags+=(--filter-ext "${FILTER_EXT[*]}")
+[ -n "$(declare -p FILTER_MIME 2>/dev/null)" ] && flags+=(--filter-mime "${FILTER_MIME[*]}")
+IFS="$oldifs"
+[ "${ALLOW_HTML:-0}" -ne 0 ] && flags+=(--allow-html)
+[ "${CORS:-0}" -ne 0 ] && flags+=(--cors)
+[ "${GRILL:-0}" -ne 0 ] && flags+=(--grill)
+[ -n "${CSP:-}" ] && [ "$CSP" = 0 ] && flags+=(--csp '')
+[ -n "${CSP:-}" ] && ! 
[ "$CSP" = 0 ] && flags+=(--csp "$CSP")
+[ "${LOG:-0}" -ne 0 ] && flags+=(--log)
+[ "${LOG_IP:-0}" -ne 0 ] && flags+=(--log-ip)
+[ "${LOG_IP_HASH:-0}" -ne 0 ] && flags+=(--log-ip-hash)
+[ "${LOG_UA:-0}" -ne 0 ] && flags+=(--log-ua)
+[ "${LOG_UA_HASH:-0}" -ne 0 ] && flags+=(--log-ua-hash)
+[ "${LOG_REFERER:-0}" -ne 0 ] && flags+=(--log-referer)
+[ "${LOG_REFERER_HASH:-0}" -ne 0 ] && flags+=(--log-referer-hash)
+[ -n "${LOG_HASH_SALT:-}" ] && flags+=(--log-hash-salt "$LOG_HASH_SALT")
+[ -n "${PROXY_COUNT:-}" ] && flags+=(--proxy-count "$PROXY_COUNT")
+
+printf "%s" "${GOMF_BIN:-gomf}"
+[ "${#flags}" -gt 0 ] && printf " \"%s\"" "${flags[@]}"
+printf "\n"
+exec "${GOMF_BIN:-gomf}" "${flags[@]}"
-- cgit
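Review bot: The on/off toggles in run-gomf.bash fail open on a non-numeric value: with `HSTS=yes` in gomf.conf, `[ "${HSTS:-0}" -ne 0 ]` prints an error and returns non-zero, and because it is the left side of `&&` the script carries on under `set -e` without `--hsts`. The same holds for `REDIRECT_HTTPS` and `WHITELIST`, so a typo in the config silently turns a protection off while the service still starts. Validate each toggle in one helper that aborts start-up on anything that is not an integer, and use it for all the `-ne 0` tests.

```bash
# True when the named toggle is a non-zero integer; aborts start-up on any other value.
enabled() {
    local value="${!1:-0}"
    if ! [[ "$value" =~ ^[0-9]+$ ]]; then
        printf '%s must be 0 or 1, got "%s"\n' "$1" "$value" >&2
        exit 1
    fi
    [ "$value" -ne 0 ]
}

# … unchanged: defaults, source /gomf.conf, string-valued flags …
enabled REDIRECT_HTTPS && flags+=(--redirect-https)
enabled HSTS && flags+=(--hsts)
enabled WHITELIST && flags+=(--whitelist)
# … unchanged: remaining toggles, converted the same way …
```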