build

.gitignore

@@ -2,6 +2,7 @@
 .idea/
 node_modules/
 .sass-cache/
+.npm/
 
 /auth/certs/
 /auth/js/auth.js.map
@@ -33,4 +34,4 @@ node_modules/
 /webpack/*.js
 /webpack/*.js.map
 
-/files_*.pem
+/files_*.pem

.npmrc

@@ -0,0 +1,4 @@
+audit=false
+fund=false
+update-notifier=false
+package-lock=true

.woodpecker/base.yaml

@@ -0,0 +1,89 @@
+when:
+  event: [push, deployment, manual, cron]
+
+labels:
+  platform: linux/amd64
+
+variables:
+  - &node_image 'node:14-bullseye'
+  - &buildx_image 'woodpeckerci/plugin-docker-buildx:2.2.1'
+  - &platforms 'linux/amd64'
+  - &dockerfile 'docker/Dockerfile.ci'
+    
+
+steps:
+  prepare-npm:
+    image: *node_image
+    secrets:
+      - npmconf
+    commands:
+      - git config --add safe.directory '*'
+      - if [ "$${NPMCONF:-}" != "" ]; then echo "$${NPMCONF}" >> "$${HOME}/.npmrc"; fi
+      - npm ci
+      - npx browserslist@latest --update-db
+
+  build-npm:
+    image: *node_image
+    commands:
+      - bash ./scripts/build.sh web rel
+
+  build-docker-next:
+    image: *buildx_image
+    pull: true
+    settings:
+      platforms: *platforms
+      dockerfile: *dockerfile
+      context: .
+      registry:
+        from_secret: registry_domain
+      repo:
+        from_secret: target_image_name
+      password:
+        from_secret: registry_token
+      username:
+        from_secret: registry_user
+      auto_tag: true
+      tag: [next, "next-${CI_COMMIT_SHA:0:8}"]
+    when:
+      branch: ${CI_REPO_DEFAULT_BRANCH}
+      event: push
+  
+  build-docker-branch:
+    image: *buildx_image
+    pull: true
+    settings:
+      platforms: *platforms
+      dockerfile: *dockerfile
+      context: .
+      registry:
+        from_secret: registry_domain
+      repo:
+        from_secret: target_image_name
+      password:
+        from_secret: registry_token
+      username:
+        from_secret: registry_user
+      auto_tag: true
+      tag: ["${CI_COMMIT_BRANCH}", "${CI_COMMIT_BRANCH}-${CI_COMMIT_SHA:0:8}"]
+    when:
+      event: [push, manual]
+
+  build-docker-tag:
+    image: *buildx_image
+    pull: true
+    settings:
+      platforms: *platforms
+      dockerfile: *dockerfile
+      context: .
+      registry:
+        from_secret: registry_domain
+      repo:
+        from_secret: target_image_name
+      password:
+        from_secret: registry_token
+      username:
+        from_secret: registry_user
+      auto_tag: true
+      tag: [latest, "${CI_COMMIT_TAG}", "tag-${CI_COMMIT_SHA:0:8}"]
+    when:
+      event: [tag]

docker/Dockerfile.base

@@ -0,0 +1,17 @@
+FROM nginx:mainline-alpine
+
+COPY ./docker/default.conf /etc/nginx/conf.d/default.conf
+COPY ./docker/nginx.conf /etc/nginx/nginx.conf
+COPY ./docker/entrypoint.sh /
+
+RUN apk update --no-cache && apk upgrade --no-cache \
+    && apk add --no-cache openssl tzdata \
+    && mkdir -p /var/www/TeaWeb /etc/ssl/certs \
+    && chmod +x /entrypoint.sh
+
+ENV TZ="Europe/Berlin"
+
+EXPOSE 80 443
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["nginx", "-g", "daemon off;"]

docker/Dockerfile.ci

@@ -0,0 +1,19 @@
+FROM nginx:mainline-alpine
+
+COPY ./docker/default.conf /etc/nginx/conf.d/default.conf
+COPY ./docker/nginx.conf /etc/nginx/nginx.conf
+COPY ./docker/entrypoint.sh /
+
+RUN apk update --no-cache && apk upgrade --no-cache \
+    && apk add --no-cache openssl tzdata \
+    && mkdir -p /var/www/TeaWeb /etc/ssl/certs \
+    && chmod +x /entrypoint.sh
+
+ENV TZ="Europe/Berlin"
+
+EXPOSE 80 443
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["nginx", "-g", "daemon off;"]
+
+COPY ./dist/ /var/www/TeaWeb/

docker/default.conf

@@ -0,0 +1,36 @@
+server {
+    listen       80;
+    server_name  _;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen       443 default_server ssl http2;
+    server_name  _;
+
+    ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_dhparam         /etc/ssl/certs/dhparam.pem;
+    ssl_ecdh_curve      secp384r1;
+    ssl_certificate     /etc/ssl/certs/tea_bundle.crt;
+    ssl_certificate_key /etc/ssl/certs/tea.key;
+    ssl_session_cache   shared:MozSSL:10m;
+    ssl_session_timeout 1d;
+    ssl_prefer_server_ciphers on;
+
+    location / {
+        root   /var/www/TeaWeb;
+        index  index.html;
+    }
+
+    #error_page  404              /404.html;
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+    gzip          off;
+}

docker/entrypoint.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+set -e
+
+gen_self_signed() {
+  echo "[WRN] No certificates found, generating self signed cert with key"
+  openssl req -x509 -nodes -days 1780 -newkey rsa:4096 \
+    -keyout /etc/ssl/certs/tea.key \
+    -out /etc/ssl/certs/tea_bundle.crt \
+    -subj "/C=DE/ST=Berlin/L=Germany/O=TeaSpeak/OU=TeaWeb/CN=localhost/emailAddress=noreply@teaspeak.de"
+}
+
+gen_diffie_hellman() {
+  echo "[INF] No Diffie-Hellman pem found, generating new with 2048 byte"
+  openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
+}
+
+if [ "$1" = "nginx" ]; then
+  if [ ! -f /etc/ssl/certs/tea.key ] && [ ! -f /etc/ssl/certs/tea_bundle.crt ]; then
+    gen_self_signed
+  elif [ ! -f /etc/ssl/certs/tea.key ] || [ ! -f /etc/ssl/certs/tea_bundle.crt ]; then
+    echo "[ERR] Only found a key or crt-bundle file but both files are REQUIRED!"
+    exit 1
+  fi
+  if [ ! -f /etc/ssl/certs/dhparam.pem ]; then
+    gen_diffie_hellman
+  fi
+fi
+
+exec "$@"

docker/nginx.conf

@@ -0,0 +1,32 @@
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    server_tokens      off;
+    keepalive_timeout  75;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}

scripts/build_in_docker.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+SCRIPT=$(realpath "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+BASEPATH="$(realpath "${SCRIPTPATH}/../")"
+
+NPM_DIR="${BASEPATH}/.npm"
+
+if [[ ! -d "${NPM_DIR}" ]]; then
+    mkdir "${NPM_DIR}" || exit 1
+fi
+
+if [[ "${BUILDINDOCKER:-}" != "yes" ]]; then
+    docker run --rm --workdir "/work" -v "${NPM_DIR}:/home/" -v "${BASEPATH}:/work" -e BUILDINDOCKER=yes node:14-bullseye /bin/bash -c 'chmod +x /work/scripts/build_in_docker.sh && /work/scripts/build_in_docker.sh'
+    exit
+fi
+
+## in docker
+
+echo "adding npmrc"
+cat >>"${HOME}/.npmrc" <<'EOF'
+cache=/work/.npm
+fund=false
+EOF
+
+echo "adding secure git dir"
+git config --global --add safe.directory /work
+
+echo "running chmods"
+find "${BASEPATH}" -iname "*.sh" -exec chmod +x {} +
+
+echo "Cleaning up old files"
+"${BASEPATH}/scripts/cleanup.sh" full >/dev/null 2>&1 || exit 1
+
+echo "Installing npm packages"
+npm i || exit 1
+
+echo "Updating browser list"
+npx browserslist@latest --update-db || exit 1
+
+echo "running build"
+"${BASEPATH}/scripts/build.sh" web rel
+
+echo "fixing perms"
+chown -R 1000:1000 /work