use ssh certificates

.gitignore

@@ -1,3 +1,4 @@
 gitolite/.env
 ansible/.env
 ansible/known_hosts
+*/out/image-id

Makefile

@@ -1,7 +1,7 @@
 REGISTRY=registry.monotremata.xyz
 PLATFORMS=linux/amd64,linux/arm64
 
-IMAGES=agate buildx-qemu mpd pleroma rainloop tor transmission webdav
+IMAGES=agate buildx-qemu mpd pleroma rainloop rsync xmpp-ci static-page-builder tor transmission webdav
 
 .PHONY: all $(IMAGES)
 
@@ -24,6 +24,15 @@ pleroma:
 rainloop:
 	$(BUILDX)
 
+rsync:
+	$(BUILDX)
+
+xmpp-ci:
+	$(BUILDX)
+
+static-page-builder:
+	$(BUILDX)
+
 tor:
 	$(BUILDX)
 

agate/Makefile

@@ -3,12 +3,14 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/amd64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
-build: Dockerfile
+out/image-id: Dockerfile
+	mkdir -p $(@D)
 	docker build -t $(IMG) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile
@@ -17,3 +19,6 @@ buildx: Dockerfile
 		--tag $(IMG) \
 		--push \
 		.
+
+clean:
+	rm -rf out

buildx-qemu/Makefile

@@ -3,7 +3,7 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/amd64,linux/arm64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
 ARCH=$(shell uname -m)
 
@@ -15,10 +15,12 @@ else
   TARGETARCH=amd64
 endif
 
-build: Dockerfile entrypoint.sh
+out/image-id: Dockerfile entrypoint.sh
+	mkdir -p $(@D)
 	docker build -t $(IMG) --build-arg TARGETARCH=$(TARGETARCH) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile entrypoint.sh
@@ -27,3 +29,6 @@ buildx: Dockerfile entrypoint.sh
 	    --tag $(IMG) \
 	    --push \
 	    .
+
+clean:
+	rm -rf out

gitleaks/Dockerfile

@@ -0,0 +1,8 @@
+# Kind of sad that I need to make this trivial image. But the gitleaks docker
+# image by default uses a user named `gitleaks` with uid 1000, and it doesn't
+# work correctly unless the gitleaks is run with the user that owns the files
+# in the repo. And in my CI (woodpecker) the files in the repo are owned by
+# root and I can't configure the user running the container in its yaml config.
+# So yeah...
+FROM zricethezav/gitleaks
+USER root

gitleaks/Makefile

@@ -0,0 +1,24 @@
+IMG_NAME=gitleaks
+REGISTRY=registry.monotremata.xyz
+IMG=$(REGISTRY)/$(IMG_NAME)
+PLATFORMS=linux/amd64,linux/arm64
+
+.PHONY: push buildx clean
+
+out/image-id: Dockerfile
+	mkdir -p $(@D)
+	docker build -t $(IMG) .
+	echo $(IMG) > $@
+
+push: out/image-id
+	docker image push $(IMG)
+
+buildx: Dockerfile
+	docker buildx build \
+		--platform $(PLATFORMS) \
+		--tag $(IMG) \
+		--push \
+		.
+
+clean:
+	rm -rf out

mpd/Makefile

@@ -3,12 +3,14 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/arm64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
-build: Dockerfile
+out/image-id: Dockerfile
+	mkdir -p $(@D)
 	docker build -t $(IMG) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile
@@ -17,3 +19,6 @@ buildx: Dockerfile
 	    --tag $(IMG) \
 	    --push \
 	    .
+
+clean:
+	rm -rf out

pleroma/Dockerfile

@@ -15,8 +15,9 @@ RUN apk add \
         https://git.pleroma.social/pleroma/pleroma.git \
         /pleroma
 
+WORKDIR /pleroma
+
 RUN echo "import Mix.Config" > /pleroma/config/prod.secret.exs && \
-    cd /pleroma && \
     mix local.hex --force && \
     mix local.rebar --force && \
     mix deps.get --only prod && \

pleroma/Makefile

@@ -3,12 +3,14 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/amd64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
-build: Dockerfile entrypoint.sh
+out/image-id: Dockerfile entrypoint.sh
+	mkdir -p $(@D)
 	docker build -t $(IMG) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile entrypoint.sh
@@ -17,3 +19,6 @@ buildx: Dockerfile entrypoint.sh
 		--tag $(IMG) \
 		--push \
 		.
+
+clean:
+	rm -rf out

rainloop/Dockerfile

@@ -13,9 +13,12 @@ RUN addgroup \
         --shell /sbin/nologin \
         rainloop
 
-RUN mkdir -p /var/www/rainloop && \
-    cd /var/www/rainloop && \
-    curl -sL https://repository.rainloop.net/installer.php | php && \
+
+RUN mkdir -p /var/www/rainloop
+
+WORKDIR /var/www/rainloop
+
+RUN curl -sL https://repository.rainloop.net/installer.php | php && \
     mkdir -p /run/nginx /var/run && \
     touch /var/run/nginx.pid && \
     chown -R rainloop:rainloop /var/www/rainloop
@@ -28,6 +31,4 @@ COPY nginx.conf /etc/nginx/nginx.conf
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
-WORKDIR /var/www/rainloop
-
 ENTRYPOINT ["/entrypoint.sh"]

rainloop/Makefile

@@ -3,12 +3,14 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/arm64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
-build: Dockerfile entrypoint.sh nginx.conf
+out/image-id: Dockerfile entrypoint.sh nginx.conf
+	mkdir -p $(@D)
 	docker build -t $(IMG) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile entrypoint.sh nginx.conf
@@ -17,3 +19,6 @@ buildx: Dockerfile entrypoint.sh nginx.conf
 		--tag $(IMG) \
 		--push \
 		.
+
+clean:
+	rm -rf out

rsync/Makefile

@@ -3,12 +3,14 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/amd64,linux/arm64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
-build: Dockerfile entrypoint.sh
+out/image-id: Dockerfile entrypoint.sh
+	mkdir -p $(@D)
 	docker build -t $(IMG) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile entrypoint.sh
@@ -17,3 +19,6 @@ buildx: Dockerfile entrypoint.sh
 		--tag $(IMG) \
 		--push \
 		.
+
+clean:
+	rm -rf out

rsync/entrypoint.sh

@@ -18,11 +18,14 @@ if [ -z "$SSH_KEY" ]; then
     exit 1
 fi
 
+SSH_KEY_CERT="${SSH_KEY_CERT:-${PLUGIN_KEY_CERT}}"
+
 KNOWN_HOSTS="${KNOWN_HOSTS:=${PLUGIN_KNOWN_HOSTS}}"
 
-SOURCE="${SOURCE:-${PLUGIN_SOURCE}}"
-if [ -z "$SOURCE" ]; then
-    echo "'source' must be specified"
+SOURCES="${SOURCES:-${PLUGIN_SOURCES}}"
+SOURCES=$(echo "$SOURCES" | tr ',' ' ')
+if [ -z "$SOURCES" ]; then
+    echo "specify at least one source"
     exit 1
 fi
 
@@ -37,10 +40,19 @@ ARGS=${ARGS:-${PLUGIN_ARGS}}
 # prepare SSH
 
 mkdir -p "$HOME/.ssh"
-keyfile="$HOME/.ssh/id_rsa"
+keyfile="$HOME/.ssh/user_key"
 echo "$SSH_KEY" > "$keyfile"
 chmod 0600 "$keyfile"
 
+echo 'Host *' > "$HOME/.ssh/config"
+echo "  IdentityFile $keyfile" >> "$HOME/.ssh/config"
+
+if [ -n "${SSH_KEY_CERT}" ]; then
+    certfile="$HOME/.ssh/user_key-cert.pub"
+    echo "${SSH_KEY_CERT}" > "$certfile"
+    echo "  CertificateFile $certfile" >> "$HOME/.ssh/config"
+fi
+
 known_hosts_file="${HOME}/.ssh/known_hosts"
 [ -n "${KNOWN_HOSTS}" ] && echo "${KNOWN_HOSTS}" >> "$known_hosts_file"
 [ -f "${known_hosts_file}" ] && chmod 0600 "$known_hosts_file"
@@ -48,4 +60,7 @@ known_hosts_file="${HOME}/.ssh/known_hosts"
 # run rsync
 
 # shellcheck disable=SC2086
-exec rsync $ARGS "${SOURCE}" "${USER}"@"${HOST}":"${TARGET}"
+for SOURCE in $SOURCES; do
+    echo "copying '$SOURCE' to '$TARGET'"
+    rsync $ARGS "${SOURCE}" "${USER}"@"${HOST}":"${TARGET}"
+done

ssh-ci/Dockerfile

@@ -0,0 +1,8 @@
+FROM alpine:3.16
+
+COPY entrypoint.sh /entrypoint
+
+RUN chmod +x /entrypoint && \
+    apk add --no-cache openssh-client
+
+ENTRYPOINT ["/entrypoint"]

ssh-ci/Makefile

@@ -0,0 +1,24 @@
+IMG_NAME=ssh-ci
+REGISTRY=registry.monotremata.xyz
+IMG=$(REGISTRY)/$(IMG_NAME)
+PLATFORMS=linux/amd64,linux/arm64
+
+.PHONY: push buildx clean
+
+out/image-id: Dockerfile entrypoint.sh
+	mkdir -p $(@D)
+	docker build -t $(IMG) .
+	echo $(IMG) > $@
+
+push: out/image-id
+	docker image push $(IMG)
+
+buildx: Dockerfile entrypoint.sh
+	docker buildx build \
+		--platform $(PLATFORMS) \
+		--tag $(IMG) \
+		--push \
+		.
+
+clean:
+	rm -rf out

ssh-ci/entrypoint.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+
+set -e
+
+# check settings
+
+HOST="${HOST:-${PLUGIN_HOST}}"
+if [ -z "$HOST" ]; then
+    echo "'host' must be specified"
+    exit 1
+fi
+
+USER="${USER:-${PLUGIN_USER:-root}}"
+PORT="${PORT:-${PLUGIN_PORT:-22}}"
+
+SSH_KEY="${SSH_KEY:-${PLUGIN_KEY}}"
+if [ -z "$SSH_KEY" ]; then
+    echo "ssh_key must be specified"
+    exit 1
+fi
+
+KNOWN_HOSTS="${KNOWN_HOSTS:=${PLUGIN_KNOWN_HOSTS}}"
+
+COMMANDS="${COMMANDS:-${PLUGIN_COMMANDS}}"
+if [ -z "$COMMANDS" ]; then
+    echo "specify at least one command to run"
+    exit 1
+fi
+
+ARGS=${ARGS:-${PLUGIN_ARGS}}
+
+# prepare SSH
+
+mkdir -p "$HOME/.ssh"
+keyfile="$HOME/.ssh/id_rsa"
+echo "$SSH_KEY" > "$keyfile"
+chmod 0600 "$keyfile"
+
+known_hosts_file="${HOME}/.ssh/known_hosts"
+[ -n "${KNOWN_HOSTS}" ] && echo "${KNOWN_HOSTS}" >> "$known_hosts_file"
+[ -f "${known_hosts_file}" ] && chmod 0600 "$known_hosts_file"
+
+# run commands
+
+IFS=","
+for COMMAND in $COMMANDS; do
+    echo "running '$COMMAND' remotely"
+    # shellcheck disable=SC2086,SC2029
+    ssh -p "${PORT}" $ARGS "$USER"@"${HOST}" "$COMMAND"
+done

static-page-builder/Makefile

@@ -3,12 +3,14 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/amd64,linux/arm64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
-build: Dockerfile
+out/image-id: Dockerfile
+	mkdir -p $(@D)
 	docker build -t $(IMG) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile
@@ -17,3 +19,6 @@ buildx: Dockerfile
 		--tag $(IMG) \
 		--push \
 		.
+
+clean:
+	rm -rf out

terraform/Dockerfile

@@ -0,0 +1,5 @@
+FROM alpine:3.16
+
+RUN apk add --no-cache terraform
+
+ENTRYPOINT ["terraform"]

terraform/Makefile

@@ -0,0 +1,24 @@
+IMG_NAME=terraform
+REGISTRY=registry.monotremata.xyz
+IMG=$(REGISTRY)/$(IMG_NAME)
+PLATFORMS=linux/amd64,linux/arm64
+
+.PHONY: push buildx clean
+
+out/image-id: Dockerfile
+	mkdir -p $(@D)
+	docker build -t $(IMG) .
+	echo $(IMG) > $@
+
+push: out/image-id
+	docker image push $(IMG)
+
+buildx: Dockerfile
+	docker buildx build \
+		--platform $(PLATFORMS) \
+		--tag $(IMG) \
+		--push \
+		.
+
+clean:
+	rm -rf out

tor/Makefile

@@ -3,12 +3,14 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/amd64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
-build: Dockerfile entrypoint.sh
+out/image-id: Dockerfile entrypoint.sh
+	mkdir -p $(@D)
 	docker build -t $(IMG) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile entrypoint.sh
@@ -17,3 +19,6 @@ buildx: Dockerfile entrypoint.sh
 		--tag $(IMG) \
 		--push \
 		.
+
+clean:
+	rm -rf out

transmission/Makefile

@@ -3,12 +3,14 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/amd64,linux/arm64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
-build: Dockerfile
+out/image-id: Dockerfile
+	mkdir -p $(@D)
 	docker build -t $(IMG) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile
@@ -17,3 +19,6 @@ buildx: Dockerfile
 		--tag $(IMG) \
 		--push \
 		.
+
+clean:
+	rm -rf out

webdav/Makefile

@@ -3,12 +3,14 @@ REGISTRY=registry.monotremata.xyz
 IMG=$(REGISTRY)/$(IMG_NAME)
 PLATFORMS=linux/amd64,linux/arm64
 
-.PHONY: build push buildx
+.PHONY: push buildx clean
 
-build: Dockerfile nginx.conf
+out/image-id: Dockerfile nginx.conf
+	mkdir -p $(@D)
 	docker build -t $(IMG) .
+	echo $(IMG) > $@
 
-push: build
+push: out/image-id
 	docker image push $(IMG)
 
 buildx: Dockerfile nginx.conf
@@ -17,3 +19,6 @@ buildx: Dockerfile nginx.conf
 	    --tag $(IMG) \
 	    --push \
 	    .
+
+clean:
+	rm -rf out

xmpp-ci/Dockerfile

@@ -0,0 +1,18 @@
+FROM alpine:3.16
+
+COPY entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /entrypoint.sh && \
+    apk add --no-cache go-sendxmpp && \
+    addgroup \
+        --gid 10001 \
+        sendxmpp && \
+    adduser \
+        --uid 10000 \
+        --ingroup sendxmpp \
+        --disabled-password \
+        --shell /sbin/nologin \
+        sendxmpp
+
+USER sendxmpp
+ENTRYPOINT ["/entrypoint.sh"]

xmpp-ci/Makefile

@@ -0,0 +1,24 @@
+IMG_NAME=xmpp-ci
+REGISTRY=registry.monotremata.xyz
+IMG=$(REGISTRY)/$(IMG_NAME)
+PLATFORMS=linux/amd64,linux/arm64
+
+.PHONY: push buildx clean
+
+out/image-id: Dockerfile entrypoint.sh
+	mkdir -p $(@D)
+	docker build -t $(IMG) .
+	echo $(IMG) > $@
+
+push: out/image-id
+	docker image push $(IMG)
+
+buildx: Dockerfile entrypoint.sh
+	docker buildx build \
+		--platform $(PLATFORMS) \
+		--tag $(IMG) \
+		--push \
+		.
+
+clean:
+	rm -rf out

xmpp-ci/entrypoint.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+USERNAME="${USERNAME:-${PLUGIN_USERNAME}}"
+if [ -z "$USERNAME" ]; then
+    echo "'username' must specified"
+    exit 1
+fi
+
+PASSWORD="${PASSWORD:-${PLUGIN_PASSWORD}}"
+if [ -z "$PASSWORD" ]; then
+    echo "'password' must specified"
+    exit 1
+fi
+
+RECIPIENT="${RECIPIENT:-${PLUGIN_RECIPIENT}}"
+if [ -z "$RECIPIENT" ]; then
+    echo "'recipient' must specified"
+    exit 1
+fi
+
+em () {
+    echo "_${1}_"
+}
+
+monospace () {
+    echo '`'"${1}"'`'
+}
+
+strong () {
+    echo "*${1}*"
+}
+
+strike () {
+    echo "~${1}~"
+}
+
+build_line () {
+    echo "$1: $2"
+}
+
+message () {
+    echo status: "${CI_BUILD_STATUS}"
+    echo repo: "${CI_REPO_NAME}"
+    echo branch: "${CI_REPO_DEFAULT_BRANCH}"
+    echo ""
+    echo commit msg:
+    echo "${CI_COMMIT_MESSAGE}"
+}
+
+message
+message | \
+    go-sendxmpp \
+        --username="${USERNAME}"\
+        --password="${PASSWORD}" \
+        "${RECIPIENT}"