Initial working version

Adds the initial version of libravatar-nginx an container image, that provides a libravatar implementation using nginx config files. The minimal setup should allow secure and static avatar shipping.

Initial working version
Adds the initial version of libravatar-nginx an container image, that provides a libravatar implementation using nginx config files. The minimal setup should allow secure and static avatar shipping.
6085ff65 · Sheogorath · 6085ff65 · 6085ff65 · 6085ff65 · 6085ff65
Verified Commit 6085ff65 authored Feb 19, 2020 by Sheogorath 🛫
8 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+image: quay.io/sheogorath/build-ah-engine
+
+before_script:
+  - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+
+build-master:
+  stage: build
+  script:
+    - podman build --pull -t "CI_REGISTRY_IMAGE" .
+    - podman push "$CI_REGISTRY_IMAGE"
+  only:
+    - master
+
+build:
+  stage: build
+  script:
+    - podman build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
+    - podman push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
+  except:
+    - master
+
--- a/Dockerfile
+++ b/Dockerfile
+FROM nginx:alpine
+
+RUN true \
+    && apk add --no-cache imagemagick \
+    && mkdir /var/libravatar.d/ \
+    && true
+
+COPY ./default.conf /etc/nginx/conf.d/
+
+COPY ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
+CMD ["nginx", "-g", "daemon off;"]
--- a/LICENSE
+++ b/LICENSE
--- a/README.md
+++ b/README.md
+Libravatar-nginx
+===
+
+Libravatar-nginx is a project that aims to provide an easy and static way to provide your avatars using not more than nginx. This provides a massively reduced attack surface and maxium performance since all images are pre-genrated and no further code has to run on the server-side.
+
+To achive this the image uses a shell script, imagemagick's `convert` command and an extended nginx config.
+
+Supported features:
+
+|Feature                |Support                         |
+|-----------------------|--------------------------------|
+|size parameter         | ✔                              |
+|default parameter      | ✔                              |
+|forcedefault parameter | ✖                              |
+|SHA256 hash            | ✔                              |
+|MD5 hash               | ✔                              |
+|Gravatar fallback      | ✔ (implicit through libravatar)|
+|Libravatar fallback    | ✔                              |
+|Generated default icons| ✔ (implicit through libravatar)|
+|XMLRPC API             | ✖                              |
+|WebFrontend            | ✖                              |
+|OpenID                 | ✖                              |
+
+How to use
+---
+
+Here is a minimal `docker-compose.yml` to run the container:
+
+```yaml
+---
+version: '2'
+services:
+  libravatar:
+    image: quay.io/shivering-isles/libravatar-nginx:latest
+    mem_limit: 50mb
+    memswap_limit: 100mb
+    volumes:
+      - ./avatars:/var/libravatar.d/
+    ports:
+      - 80:80
+    restart: always
+```
+
+Before starting the image using `docker-compose up -d`, drop your avatar into the ./avatars directory. The avatars should have your email address as image name followed by their file extension (currently only JPG is supported). Example: `me@example.com.jpg`
+
+Finally you have to setup SRV records for your domain (`example.com`), so that libravatar libraries are able to find you. Those should have the following format:
+
+```
+_avatars._tcp.example.com.     IN SRV 0 0 80  avatars.example.com
+_avatars-sec._tcp.example.com. IN SRV 0 0 443 avatars.example.com
+```
+
+`avatars.example.com` should be DNS name where the libravatar-nginx is available on. For `_avatars-sec._tcp.example.com` it's required to add a reverse-proxy in front of libravatar-nginx that does the HTTPS handling.
+
+Further details can be found in the [libravatar wiki](https://wiki.libravatar.org/running_your_own/).
--- a/avatar/me@example.com.jpg
+++ b/avatar/me@example.com.jpg
--- a/avatar/me@example.org.jpg
+++ b/avatar/me@example.org.jpg
--- a/default.conf
+++ b/default.conf
+# Expires map
+map $sent_http_content_type $expires {
+    default                    off;
+    text/html                  epoch;
+    text/css                   max;
+    application/javascript     max;
+    ~image/                    max;
+    ~font/                     max;
+}
+
+proxy_cache_path  /tmp/nginx-cache  levels=1:2 keys_zone=STATIC:10m inactive=24h  max_size=1g;
+
+server {
+
+    root /usr/share/nginx/html;
+    listen       80;
+    server_name  shivering-isles.com;
+
+    expires $expires;
+    charset UTF-8;
+
+    set_real_ip_from  172.16.0.0/12;
+    add_header Allow "GET, HEAD" always;
+
+    if ( $request_method !~ ^(GET|HEAD)$ ) {
+      return 405;
+    }
+
+    location /avatar/ {
+        root   /usr/share/nginx/html;
+        autoindex off;
+        expires 30d;
+        add_header Pragma public;
+        add_header Cache-Control "public";
+        #if ($arg_s) {
+        #    set $size $arg_s;
+        #}
+        #if ($arg_size) {
+        #    set $size $arg_size;
+        #}
+        #if ($arg_d) {
+        #    set $default_image $arg_d;
+        #}
+        #if ($arg_default) {
+        #    set $default_image $arg_default;
+        #}
+        #if ($arg_default) {}
+        try_files $uri/$arg_size.jpg $uri/$arg_s.jpg $uri/$arg_size.png $uri/$arg_s.png $uri/80.jpg $uri/80.png @defaultimage;
+    }
+
+    location @defaultimage {
+        if ($arg_default = 404) {
+            return 404;
+        }
+        if ($arg_default) {
+            return 302 $arg_default;
+        }
+        if ($arg_default = 404) {
+            return 404;
+        }
+        if ($arg_d) {
+            return 302 $arg_d;
+        }
+        return 302 https://seccdn.libravatar.org$request_uri;
+    }
+
+    location / {
+      root   /usr/share/nginx/html;
+      index  index.html index.htm;
+      try_files  $uri $uri/index.html $uri.html =404;
+    }
+
+    error_page  404              /404.html;
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
+#!/bin/sh
+
+set -e
+
+SCALE_START=${SCALE_START:-10}
+SCALE_STEP=${SCALE_STEP:-2}
+SCALE_STOP=${SCALE_STOP:-512}
+
+IMAGE_TYPE=${IMAGE_TYPE:-jpg}
+
+WWW_BASE=/usr/share/nginx/html
+
+for picture in /var/libravatar.d/*."${IMAGE_TYPE}"; do
+    HASH_MD5=$(echo -n "$(basename "$picture" .${IMAGE_TYPE})"  | md5sum | awk '{print $1}')
+    HASH_SHA256=$(echo -n "$(basename "$picture" .${IMAGE_TYPE})"  | sha256sum | awk '{print $1}')
+    HASH_MD5_PATH="$WWW_BASE/avatar/$HASH_MD5"
+    HASH_SHA256_PATH="$WWW_BASE/avatar/$HASH_SHA256"
+    mkdir -p "$HASH_MD5_PATH" "$HASH_SHA256_PATH"
+    for s in $(seq $SCALE_START $SCALE_STEP $SCALE_STOP); do
+        convert  -resize "${s}x${s}" $picture "$HASH_MD5_PATH/${s}.${IMAGE_TYPE}"
+        ln "$HASH_MD5_PATH/${s}.${IMAGE_TYPE}" "$HASH_SHA256_PATH/${s}.${IMAGE_TYPE}"
+    done
+done
+
+exec "$@"