.env

@@ -1,4 +1,4 @@
-PLAKKEN_LISTEN=:5000
+PLAKKEN_LISTEN=:3000
 PLAKKEN_REDIS_ADDRESS=localhost:6379
 PLAKKEN_REDIS_USER=
 PLAKKEN_REDIS_PASSWORD=

.gitignore

@@ -22,3 +22,5 @@ plakken
 # Go workspace file
 go.work
 .idea/discord.xml
+
+dist/

.goreleaser.yaml

@@ -0,0 +1,69 @@
+gitea_urls:
+  api: https://git.gnous.eu/api/v1
+  download: https://git.gnous.eu
+  skip_tls_verify: false
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+
+builds:
+  -
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    binary: plakken
+    id: plakken
+
+archives:
+  - format: tar.gz
+    format_overrides:
+      -
+        goos: windows
+        format: zip
+
+nfpms:
+  -
+    id: plakken
+    package_name: plakken
+    file_name_template: "{{ .ConventionalFileName }}"
+    vendor: GnousEU
+    homepage: https://git.gnous.eu/plakken/
+    maintainer: GnousEU <contact@gnous.eu>
+    description: A light paste server
+    license: AGPLv3
+    formats:
+      - deb
+      - rpm
+      - archlinux
+    umask: 0o002
+    provides:
+      - plakken
+    suggests:
+      - redis
+    contents:
+      - src: .env
+        dst: /etc/plakken/env
+      - src: plakken.service
+        dst: /usr/lib/systemd/system/plakken.service
+    scripts:
+      preinstall: "deployment/goreleaser/preinstall.sh"
+      preremove: "deployment/goreleaser/preremove.sh"
+      postremove: "deployment/goreleaser/postremove.sh"
+
+checksum:
+  algorithm: sha256
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"

.woodpecker/build.yaml

@@ -4,9 +4,9 @@ steps:
     settings:
       repo: git.gnous.eu/${CI_REPO_OWNER}/plakken
       dockerfile: deployment/docker/Dockerfile
-      platforms: linux/amd64,linux/arm64/v8,linux/arm
+      platforms: linux/amd64,linux/arm64/v8
       registry: https://git.gnous.eu
-      tag: ${CI_COMMIT}
+      tag: ${CI_COMMIT_SHA}
       username:
           from_secret: docker_username
       password:
@@ -14,19 +14,4 @@ steps:
     when:
       branch: ${CI_REPO_DEFAULT_BRANCH}
       event: push
-  - name: publish_image_tag
+      repo: gnouseu/plakken
-    image: woodpeckerci/plugin-docker-buildx
-    settings:
-      repo: git.gnous.eu/${CI_REPO_OWNER}/plakken
-      dockerfile: deployment/docker/Dockerfile
-      platforms: linux/amd64,linux/arm64/v8,linux/arm
-      registry: https://git.gnous.eu
-      tags:
-        - ${CI_COMMIT_TAG##v} # Remove v from tag
-        - stable
-      username:
-        from_secret: docker_username
-      password:
-        from_secret: docker_password
-    when:
-      event: tag

.woodpecker/lint.yml

@@ -8,4 +8,4 @@ steps:
       - event: pull_request
         repo: gnouseu/plakken
       - event: push
-        branch: main
+        branch: ${CI_REPO_DEFAULT_BRANCH}

.woodpecker/release.yaml

@@ -1,24 +1,29 @@
 steps:
-  - name: Build
+  - name: Release
     image: golang:1.22
     commands:
-      - go mod download
+      - go install github.com/goreleaser/goreleaser@latest
-      - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-w -s" -o plakken-linux-amd64 # Enable static binary, target Linux, remove debug information and strip binary
+      - goreleaser release
-      - CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "-w -s" -o plakken-linux-arm64
+    secrets: [ gitea_token ]
-      - CGO_ENABLED=0 GOOS=linux GOARCH=arm go build -ldflags "-w -s" -o plakken-linux-arm
-      - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-w -s" -o plakken-windows-amd64.exe
-      - CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "-w -s" -o plakken-windows-arm64.exe
-      - CGO_ENABLED=0 GOOS=linux GOARCH=arm go build -ldflags "-w -s" -o plakken-windows-arm.exe
     when:
       event: tag
-  - name: Release
+      repo: gnouseu/plakken
-    image: woodpeckerci/plugin-gitea-release
+    depends_on: []
+  - name: publish_image_tag
+    image: woodpeckerci/plugin-docker-buildx
     settings:
-      base_url: https://git.gnous.eu
+      repo: git.gnous.eu/${CI_REPO_OWNER}/plakken
-      files:
+      dockerfile: deployment/docker/Dockerfile
-        - "plakken*"
+      platforms: linux/amd64,linux/arm64/v8
-      api_key:
+      registry: https://git.gnous.eu
-        from_secret: release_token
+      tags:
-      target: main
+        - ${CI_COMMIT_TAG##v} # Remove v from tag
+        - stable
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
     when:
-      event: tag
+      event: tag
+      repo: gnouseu/plakken
+    depends_on: []

deployment/docker/docker-compose.dev.yaml

@@ -1,5 +1,3 @@
-version: "3"
-
 networks:
   plakken:
     external: false
@@ -7,8 +5,8 @@ networks:
 services:
   server:
     build:
-      context: ../
+      context: ../../
-      dockerfile: docker/Dockerfile
+      dockerfile: deployment/docker/Dockerfile
     restart: always
     container_name: plakken
     networks:

deployment/docker/docker-compose.yaml

@@ -1,5 +1,3 @@
-version: "3"
-
 networks:
   plakken:
     external: false
@@ -20,7 +18,6 @@ services:
       - "3000:3000"
     environment:
       - PLAKKEN_REDIS_ADDRESS=redis:6379
-      - POSTGRES_PASSWORD=gitea
       - PLAKKEN_REDIS_DB=0
       - PLAKKEN_URL_LENGTH=5
     depends_on:

deployment/goreleaser/postremove.sh

@@ -0,0 +1,7 @@
+if getent passwd plakken > /dev/null; then
+  userdel -r plakken
+fi
+
+if getent group plakken > /dev/null; then
+  groupdel plakken
+fi

deployment/goreleaser/preinstall.sh

@@ -0,0 +1,12 @@
+if ! getent group plakken > /dev/null; then
+  groupadd -r plakken
+fi
+
+if ! getent passwd plakken > /dev/null; then
+    useradd -r -d /var/lib/plakken -s /sbin/nologin -g plakken -c "Plakken server" plakken
+fi
+if ! test -d /var/lib/plakken; then
+    mkdir -p /var/lib/plakken
+    chmod 0750 /var/lib/plakken
+    chown -R plakken:plakken /var/lib/plakken
+fi

deployment/goreleaser/preremove.sh

@@ -0,0 +1 @@
+systemctl stop plakken

plakken.service

@@ -0,0 +1,54 @@
+# /usr/lib/systemd/system/plakken.service
+[Unit]
+Description=A paste server
+After=network.target
+
+[Service]
+Type=simple
+User=plakken
+
+ExecStart=/usr/bin/plakken
+
+
+EnvironmentFile=/etc/plakken/env
+
+ProtectSystem=strict
+ProtectHome=true
+NoNewPrivileges=yes
+RestrictNamespaces=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+LockPersonality=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+UMask=177 
+ProtectProc=invisible
+CapabilityBoundingSet=
+ProtectHostname=true
+RestrictAddressFamilies=~AF_(INET|INET6)
+RestrictAddressFamilies=~…
+RestrictAddressFamilies=~AF_UNIX
+RestrictAddressFamilies=~AF_NETLINK
+RestrictAddressFamilies=~AF_PACKET
+SystemCallFilter=~@reboot
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@mount
+SystemCallFilter=~@module
+SystemCallFilter=~@debug
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@clock
+SystemCallFilter=~@swap
+SystemCallFilter=~@privileged
+ProcSubset=pid
+
+[Install]
+WantedBy=multi-user.target