michael_dileo/Keybard-Vagabond-Demo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

redaction (#1)

Browse Source 
Add the redacted source file for demo purposes

Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1
Co-authored-by: Michael DiLeo <michael_dileo@proton.me>
Co-committed-by: Michael DiLeo <michael_dileo@proton.me>
This commit was merged in pull request #1.
This commit is contained in:
Michael DiLeo
2025-12-24 13:40:47 +00:00
committed by michael_dileo
parent 612235d52b
commit 7327d77dcd
333 changed files with 39286 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
build/pixelfed/pixelfed-web/Dockerfile Normal file
View File

@@ -0,0 +1,46 @@
FROM pixelfed-base AS pixelfed-web
# Install Nginx and supervisor for the web container
RUN apk add --no-cache nginx supervisor
# Configure PHP-FPM for web workload
RUN sed -i 's/user = www-data/user = pixelfed/' /usr/local/etc/php-fpm.d/www.conf \
&& sed -i 's/group = www-data/group = pixelfed/' /usr/local/etc/php-fpm.d/www.conf \
&& sed -i 's/listen = 127.0.0.1:9000/listen = 9000/' /usr/local/etc/php-fpm.d/www.conf \
&& sed -i 's/;listen.allowed_clients = 127.0.0.1/listen.allowed_clients = 127.0.0.1/' /usr/local/etc/php-fpm.d/www.conf
# Web-specific PHP configuration for better performance
RUN echo "pm = dynamic" >> /usr/local/etc/php-fpm.d/www.conf \
&& echo "pm.max_children = 50" >> /usr/local/etc/php-fpm.d/www.conf \
&& echo "pm.start_servers = 5" >> /usr/local/etc/php-fpm.d/www.conf \
&& echo "pm.min_spare_servers = 5" >> /usr/local/etc/php-fpm.d/www.conf \
&& echo "pm.max_spare_servers = 35" >> /usr/local/etc/php-fpm.d/www.conf \
&& echo "pm.max_requests = 500" >> /usr/local/etc/php-fpm.d/www.conf
# Copy web-specific configuration files
COPY nginx.conf /etc/nginx/nginx.conf
COPY supervisord-web.conf /etc/supervisor/conf.d/supervisord.conf
COPY entrypoint-web.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
# Create nginx directories and set permissions
RUN mkdir -p /var/log/nginx \
&& mkdir -p /var/log/supervisor \
&& chown -R nginx:nginx /var/log/nginx
# Create SSL directories for cert-manager mounted certificates
RUN mkdir -p /etc/ssl/certs /etc/ssl/private \
&& chown -R nginx:nginx /etc/ssl
# Health check optimized for web container (check both HTTP and HTTPS)
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
CMD curl -f http://localhost:80/api/v1/instance || curl -k -f https://localhost:443/api/v1/instance || exit 1
# Expose HTTP and HTTPS ports
EXPOSE 80 443
# Run as root to manage nginx and php-fpm
USER root
ENTRYPOINT ["/entrypoint.sh"]
CMD ["supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

36
build/pixelfed/pixelfed-web/entrypoint-web.sh Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/sh
set -e
# Source common functions
. /usr/local/bin/entrypoint-common.sh
echo "Starting Pixelfed Web Container..."
# Create web-specific directories
mkdir -p /var/log/nginx
mkdir -p /var/log/supervisor
mkdir -p /var/www/pixelfed/storage/nginx_temp/client_body
mkdir -p /var/www/pixelfed/storage/nginx_temp/proxy
mkdir -p /var/www/pixelfed/storage/nginx_temp/fastcgi
mkdir -p /var/www/pixelfed/storage/nginx_temp/uwsgi
mkdir -p /var/www/pixelfed/storage/nginx_temp/scgi
# Skip database initialization - handled by init-job
# Just set up basic directory structure and cache
echo "Setting up web container..."
setup_directories
# Cache configuration (Laravel needs this to run)
echo "Loading configuration cache..."
cd /var/www/pixelfed
php artisan config:cache || echo "Config cache failed, continuing..."
# Create storage symlink (needs to happen after every restart)
echo "Creating storage symlink..."
php artisan storage:link || echo "Storage link already exists or failed, continuing..."
echo "Web container initialization complete!"
echo "Starting Nginx and PHP-FPM..."
# Execute the main command (supervisord)
exec "$@"

315
build/pixelfed/pixelfed-web/nginx.conf Normal file
View File

@@ -0,0 +1,315 @@
worker_processes auto;
error_log /dev/stderr warn;
pid /var/www/pixelfed/storage/nginx.pid;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Configure temp paths that pixelfed user can write to
client_body_temp_path /var/www/pixelfed/storage/nginx_temp/client_body;
proxy_temp_path /var/www/pixelfed/storage/nginx_temp/proxy;
fastcgi_temp_path /var/www/pixelfed/storage/nginx_temp/fastcgi;
uwsgi_temp_path /var/www/pixelfed/storage/nginx_temp/uwsgi;
scgi_temp_path /var/www/pixelfed/storage/nginx_temp/scgi;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /dev/stdout main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 20M;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/json
application/javascript
application/xml+rss
application/atom+xml
application/activity+json
application/ld+json
image/svg+xml;
# HTTP server block (port 80)
server {
listen 80;
server_name _;
root /var/www/pixelfed/public;
index index.php;
charset utf-8;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.hcaptcha.com https://hcaptcha.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com; img-src 'self' data: blob: https: http: https://imgs.hcaptcha.com; media-src 'self' https: http:; connect-src 'self' https://hcaptcha.com; font-src 'self' data:; frame-src https://hcaptcha.com https://*.hcaptcha.com; frame-ancestors 'none';" always;
# Hide nginx version
server_tokens off;
# Main location block
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# Error handling - pass 404s to Laravel/Pixelfed (CRITICAL for routing)
error_page 404 /index.php;
# Favicon and robots
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
# PHP-FPM processing - simplified like official Pixelfed
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Let nginx ingress and Laravel config handle HTTPS detection
# Optimized for web workload
fastcgi_buffering on;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_read_timeout 300;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 300;
}
# CSS and JS files - shorter cache for updates
location ~* \.(css|js) {
expires 7d;
add_header Cache-Control "public, max-age=604800";
access_log off;
try_files $uri $uri/ /index.php?$query_string;
}
# Font files - medium cache
location ~* \.(woff|woff2|ttf|eot) {
expires 30d;
add_header Cache-Control "public, max-age=2592000";
access_log off;
try_files $uri $uri/ /index.php?$query_string;
}
# Media files - long cache (user uploads don't change)
location ~* \.(jpg|jpeg|png|gif|webp|avif|heic|mp4|webm|mov)$ {
expires 1y;
add_header Cache-Control "public, max-age=31536000";
access_log off;
# Try local first, fallback to S3 CDN for media
try_files $uri @media_fallback;
}
# Icons and SVG - medium cache
location ~* \.(ico|svg) {
expires 30d;
add_header Cache-Control "public, max-age=2592000";
access_log off;
try_files $uri $uri/ /index.php?$query_string;
}
# ActivityPub and federation endpoints
location ~* ^/(\.well-known|api|oauth|outbox|following|followers) {
try_files $uri $uri/ /index.php?$query_string;
}
# Health check endpoint
location = /api/v1/instance {
try_files $uri $uri/ /index.php?$query_string;
}
# Pixelfed mobile app endpoints
location ~* ^/api/v1/(accounts|statuses|timelines|notifications) {
try_files $uri $uri/ /index.php?$query_string;
}
# Pixelfed discover and search
location ~* ^/(discover|search) {
try_files $uri $uri/ /index.php?$query_string;
}
# Media fallback to CDN (if using S3)
location @media_fallback {
return 302 https://pm.keyboardvagabond.com$uri;
}
# Deny access to hidden files
location ~ /\.(?!well-known).* {
deny all;
}
# Block common bot/scanner requests
location ~* (wp-admin|wp-login|phpMyAdmin|phpmyadmin) {
return 444;
}
}
# HTTPS server block (port 443) - for Cloudflare tunnel internal TLS
server {
listen 443 ssl;
server_name _;
root /var/www/pixelfed/public;
index index.php;
charset utf-8;
# cert-manager generated SSL certificate for internal communication
ssl_certificate /etc/ssl/certs/tls.crt;
ssl_certificate_key /etc/ssl/private/tls.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Security headers (same as HTTP block)
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.hcaptcha.com https://hcaptcha.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com; img-src 'self' data: blob: https: http: https://imgs.hcaptcha.com; media-src 'self' https: http:; connect-src 'self' https://hcaptcha.com; font-src 'self' data:; frame-src https://hcaptcha.com https://*.hcaptcha.com; frame-ancestors 'none';" always;
# Hide nginx version
server_tokens off;
# Main location block
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# Error handling - pass 404s to Laravel/Pixelfed (CRITICAL for routing)
error_page 404 /index.php;
# Favicon and robots
location = /favicon.ico {
access_log off;
log_not_found off;
}
location = /robots.txt {
access_log off;
log_not_found off;
}
# PHP-FPM processing - same as HTTP block
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Set HTTPS environment for Laravel
fastcgi_param HTTPS on;
fastcgi_param SERVER_PORT 443;
# Optimized for web workload
fastcgi_buffering on;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_read_timeout 300;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 300;
}
# Static file handling (same as HTTP block)
location ~* \.(css|js) {
expires 7d;
add_header Cache-Control "public, max-age=604800";
access_log off;
try_files $uri $uri/ /index.php?$query_string;
}
location ~* \.(woff|woff2|ttf|eot) {
expires 30d;
add_header Cache-Control "public, max-age=2592000";
access_log off;
try_files $uri $uri/ /index.php?$query_string;
}
location ~* \.(jpg|jpeg|png|gif|webp|avif|heic|mp4|webm|mov)$ {
expires 1y;
add_header Cache-Control "public, max-age=31536000";
access_log off;
try_files $uri @media_fallback;
}
location ~* \.(ico|svg) {
expires 30d;
add_header Cache-Control "public, max-age=2592000";
access_log off;
try_files $uri $uri/ /index.php?$query_string;
}
# ActivityPub and federation endpoints
location ~* ^/(\.well-known|api|oauth|outbox|following|followers) {
try_files $uri $uri/ /index.php?$query_string;
}
# Health check endpoint
location = /api/v1/instance {
try_files $uri $uri/ /index.php?$query_string;
}
# Pixelfed mobile app endpoints
location ~* ^/api/v1/(accounts|statuses|timelines|notifications) {
try_files $uri $uri/ /index.php?$query_string;
}
# Pixelfed discover and search
location ~* ^/(discover|search) {
try_files $uri $uri/ /index.php?$query_string;
}
# Media fallback to CDN (if using S3)
location @media_fallback {
return 302 https://pm.keyboardvagabond.com$uri;
}
# Deny access to hidden files
location ~ /\.(?!well-known).* {
deny all;
}
# Block common bot/scanner requests
location ~* (wp-admin|wp-login|phpMyAdmin|phpmyadmin) {
return 444;
}
}
}

43
build/pixelfed/pixelfed-web/supervisord-web.conf Normal file
View File

@@ -0,0 +1,43 @@
[supervisord]
nodaemon=true
logfile=/dev/stdout
logfile_maxbytes=0
pidfile=/tmp/supervisord.pid
[unix_http_server]
file=/tmp/supervisor.sock
chmod=0700
[supervisorctl]
serverurl=unix:///tmp/supervisor.sock
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[program:nginx]
command=nginx -g "daemon off;"
autostart=true
autorestart=true
startretries=5
numprocs=1
startsecs=0
process_name=%(program_name)s_%(process_num)02d
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
priority=100
[program:php-fpm]
command=php-fpm --nodaemonize
autostart=true
autorestart=true
startretries=5
numprocs=1
startsecs=0
process_name=%(program_name)s_%(process_num)02d
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
priority=200