authorThomas Vanbesien <tvanbesi@proton.me>2026-02-12 21:24:22 +0100
committerThomas Vanbesien <tvanbesi@proton.me>2026-02-13 01:57:39 +0100
commit3561b6d86c329272b1825adaf3ca49c9aff76119 (patch)
treefb8bd4148a7ddca115878b96326a6d6c96c6776f
parent6c22a6e48e8ff49a69434eca7a7b78158576cb7b (diff)
Refactor
- Remove cgit files; pull cgit image from Docker Hub instead of building locally - Tidy up file hierarchy - Minor fixes and edits
-rw-r--r--.gitignore4
-rwxr-xr-xbuild.command5
-rw-r--r--compose.yaml16
-rwxr-xr-xcreate_radicale_user.command4
-rw-r--r--example.env19
-rwxr-xr-xgenerate_self_signed_cert.bash7
-rw-r--r--readme.md37
-rw-r--r--services/cgit/Dockerfile40
-rw-r--r--services/cgit/cgit.conf1
-rw-r--r--services/cgit/httpd.conf63
-rw-r--r--services/cgit/readme.md73
-rw-r--r--services/nginx/Dockerfile3
-rw-r--r--services/nginx/etc/nginx/templates/default.conf.template (renamed from services/nginx/fs/etc/nginx/templates/default.conf.template)0
-rw-r--r--services/nginx/etc/nginx/templates/services/cgit.conf.template (renamed from services/nginx/fs/etc/nginx/templates/services/cgit.conf.template)0
-rw-r--r--services/nginx/etc/nginx/templates/services/radicale.conf.template (renamed from services/nginx/fs/etc/nginx/templates/services/radicale.conf.template)0
-rwxr-xr-xservices/nginx/sbin/cmd.bash (renamed from services/nginx/fs/sbin/cmd.bash)0
-rw-r--r--services/radicale/Dockerfile3
-rw-r--r--services/radicale/etc/radicale/conf.ini (renamed from services/radicale/fs/etc/radicale/conf.ini)0
-rwxr-xr-xservices/radicale/sbin/cmd.sh (renamed from services/radicale/fs/sbin/cmd.sh)0
-rwxr-xr-xtools/build5
-rwxr-xr-xtools/generate_self_signed_cert12
21 files changed, 58 insertions, 234 deletions
diff --git a/.gitignore b/.gitignore
index 41a9d3b..483a513 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-/.env
-**/fs.tar.gz
+.env
+fs.tar.gz
diff --git a/build.command b/build.command
deleted file mode 100755
index d307f88..0000000
--- a/build.command
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/bash
-
-for srv in nginx radicale; do
- tar -czf services/"$srv"/fs.tar.gz -C services/"$srv"/fs .
-done
diff --git a/compose.yaml b/compose.yaml
index 9b148eb..3149e8c 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -2,9 +2,12 @@ name: net_services
services:
nginx:
- image: nginx:${COMPOSE_PROJECT_NAME}
build:
context: services/nginx
+ dockerfile_inline: |
+ FROM nginx:1.29.4-trixie
+ ADD fs.tar.gz /
+ CMD ["/sbin/cmd.bash"]
environment:
- NGINX__HOST=${NGINX__HOST}
networks:
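Review bot: The inline `FROM nginx:1.29.4-trixie` pins the base image by tag only, and a registry tag can be re-pointed, so a later rebuild may pick up different content without any change in this repository. Pinning by digest, `FROM nginx:1.29.4-trixie@sha256:<digest-of-the-image-you-verified>`, keeps the build reproducible and makes a base-image change show up in a diff. The same applies to `FROM tvanbesi/cgit:v1.0` and `FROM tomsquest/docker-radicale:3.5.10.0` in the two later hunks of this file. `ADD fs.tar.gz /` also depends on `tools/build` having been run first, which deserves a comment above `dockerfile_inline`, for example `# fs.tar.gz is produced by tools/build`.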
@@ -16,15 +19,15 @@ services:
tmpfs:
- /run/secrets:mode=400
volumes:
- - ${HOST__CERT_DIR:?}:/run/host_secrets:ro
+ - ${HOST__SECRET_DIR:?}:/run/host_secrets:ro
depends_on:
- cgit
- radicale
cgit:
- image: cgit:${COMPOSE_PROJECT_NAME}
build:
- context: services/cgit
+ dockerfile_inline: |
+ FROM tvanbesi/cgit:v1.0
networks:
- cgit
volumes:
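Review bot: The cgit service keeps a `build:` stanza whose whole Dockerfile is a single `FROM tvanbesi/cgit:v1.0`, so nothing is built and the stanza only hides the fact that the service now runs a prebuilt Docker Hub image. Writing `image: tvanbesi/cgit:v1.0` instead states that directly. It also avoids a build step with no `context:`, which, as far as I know, Compose defaults to the project directory. The removed `services/cgit/Dockerfile` pinned the cgit commit and the `httpd` version in this repository, and that provenance now lives entirely in the published image. A comment naming the source the image is built from would help whoever audits this file later. The service body continues past the end of this hunk.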
@@ -34,9 +37,12 @@ services:
- ${HOST__GIT_REPO_DIR:?}:/srv/git:ro
radicale:
- image: tomsquest/docker-radicale:tvcloud
build:
context: services/radicale
+ dockerfile_inline: |
+ FROM tomsquest/docker-radicale:3.5.10.0
+ ADD fs.tar.gz /
+ CMD ["su-exec", "radicale", "/sbin/cmd.sh"]
environment:
- TAKE_FILE_OWNERSHIP=false
init: true
diff --git a/create_radicale_user.command b/create_radicale_user.command
deleted file mode 100755
index 0b072e6..0000000
--- a/create_radicale_user.command
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/bash
-
-username=${1:?missing argument username}
-htpasswd -nBC 12 "$username"
diff --git a/example.env b/example.env
index 6bf613f..0ce131f 100644
--- a/example.env
+++ b/example.env
@@ -1,10 +1,23 @@
+# Hostname to access the device; e.g. localhost, tvcloud.fr
+NGINX__HOST=localhost
+# HTTP port published by the host
HOST__HTTP_PORT=80
+# HTTPS port published by the host
HOST__HTTPS_PORT=443
-HOST__CERT_DIR=/home/USER/.local/net_services/certs
+
+# Directory containing the TLS certificate/key pair named
+# `server.crt`/`server.key` as well as a `.htpasswd` file with the encrypted
+# credentials to access logseq
+HOST__SECRET_DIR=/home/USER/.local/net_services/certs
+
+# Directory containing Git repositories
HOST__GIT_REPO_DIR=/home/USER/.local/net_services/git
+
+# https://git.tvcloud.fr/cgit/tree/readme.md
HOST__CGITRC_DIR=/home/USER/.local/net_services/cgit/cgitrc
HOST__CGIT_FILTER_DIR=/home/USER/.local/net_services/cgit/filter
HOST__CGIT_ABOUT_DIR=/home/USER/.local/net_services/cgit/about
-HOST__RADICALE_USERS_DIR=/home/USER/.local/net_services/radicale
-NGINX__HOST=localhost
+# Directory containing the `.htpasswd` file with the encrypted credentials of the
+# Radicale users.
+HOST__RADICALE_USERS_DIR=/home/USER/.local/net_services/radicale
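Review bot: The comment on `HOST__RADICALE_USERS_DIR` calls the `.htpasswd` contents "encrypted credentials", but it does not say which hash scheme is expected, and this commit removes the helper that enforced one (`htpasswd -nBC 12` in `create_radicale_user.command`). The replacement command in `readme.md`, `htpasswd ${HOST__RADICALE_USERS_DIR}/.htpasswd username`, omits `-B`. On Apache 2.4 builds `htpasswd` then falls back to the much weaker apr1/MD5 scheme. I would word the comment as `# Directory containing the .htpasswd file with the bcrypt-hashed (htpasswd -B -C 12) credentials of the Radicale users.` and carry the same flags into the readme. Two smaller points in this hunk: the `HOST__SECRET_DIR` comment mentions credentials "to access logseq", which does not match any service visible in `compose.yaml`, and its example path still ends in `/certs` although the directory now holds more than certificates.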
diff --git a/generate_self_signed_cert.bash b/generate_self_signed_cert.bash
deleted file mode 100755
index 379ea13..0000000
--- a/generate_self_signed_cert.bash
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/bash
-
-host=${1:?missing host argument}
-subdomains=(www git dav)
-
-mkcert -install
-mkcert "${subdomains[@]/%/.$host}" "$host"
diff --git a/readme.md b/readme.md
index 0e199b6..345e719 100644
--- a/readme.md
+++ b/readme.md
@@ -1,39 +1,26 @@
# net_services
-This is personal project about services on the network I provide for myself.
+A stack of services exposed over the network.
-I want to handle as much of my data myself. For privacy and for the challenge. I also want to serve apps for my friends.
+The services run in Docker containers and are routed through Nginx.
-I set this up on a VPS with a static IP. I also bought a domain name `tvcloud.fr` to point to the VPS. Some services run on the VPS itself. Some others are run with Docker. Nginx is used as endpoint.
+Sensitive data is not stored on the disk when containers start. It is copied into a tmpfs within the container.
## How-to
-1. Create a `.env`. See `example.env`.
+1. Create a `.env`; see `example.env`
+
+1. Build and run the services
-1. Build and run the services.
-
```
- ./build.command
+ ./tools/build
docker compose up
```
-## Handling data
-
-Data of various types has to be handled in different ways.
-
-* **Passwords**: A KeePassXC database shared with Syncthing.
-
-* **Git repositories**: A remote server accesible over SSH for push. And also a web front-end (cgit).
-
-* **Calendars, to-dos, journals, and contacts**: A Radicale server.
- I could just synchronize the `.ics`/`.vcf` files, but a CalDAV/CarDAV server is compatible with mobile applications.
+1. Add Radicale user
-* **Remote storage**: SFTP for large files. Syncthing for moderately large data that is better synchronized than downloaded manually.
+ You can add as many as you want.
-## Security
-
-TODO (sensitive data in tmpfs)
-
-### Firewalls
-
-TODO (OVH, iptables, docker+iptables+reboot bug)
+ ```
+ htpasswd ${HOST__RADICALE_USERS_DIR}/.htpasswd username
+ ```
diff --git a/services/cgit/Dockerfile b/services/cgit/Dockerfile
deleted file mode 100644
index 4c23eb2..0000000
--- a/services/cgit/Dockerfile
+++ /dev/null
@@ -1,40 +0,0 @@
-FROM debian:13.3-slim AS build
-
-ARG CGIT_COMMIT=09d24d7cd0b7e85633f2f43808b12871bb209d69
-
-# Install build dependencies
-RUN apt-get update \
- && apt-get install --assume-yes --no-install-recommends \
- make gcc pkg-config curl xz-utils ca-certificates libzip-dev libssl-dev liblua5.2-dev \
- && rm -rf /var/lib/apt/lists/*
-
-# Build cgit
-ADD --unpack=true https://git.zx2c4.com/cgit/snapshot/cgit-${CGIT_COMMIT}.tar.xz /usr/src
-WORKDIR /usr/src/cgit-${CGIT_COMMIT}
-COPY cgit.conf .
-RUN make get-git && make LUA_PKGCONFIG=lua5.2 && make install && rm -rf $(pwd)
-
-FROM httpd:2.4.66 AS final
-
-ARG UID=1000 GID=1000
-
-# Create cgit user (used by Apache)
-RUN groupadd --gid ${GID} cgit && useradd --uid ${UID} --groups cgit --no-user-group cgit
-
-# Copy cgit built in previous stage
-COPY --from=build /var/www/htdocs/cgit /var/www/htdocs
-COPY --from=build /usr/local/lib/cgit/filters /usr/local/lib/cgit/filters
-RUN mkdir /var/cache/cgit && chown cgit:cgit /var/cache/cgit
-
-# Install runtime dependencies
-RUN apt-get update \
- && apt-get install --assume-yes --no-install-recommends \
- python3 python3-pygments python3-markdown \
- && rm -rf /var/lib/apt/lists/*
-
-# HTTP server configuration
-COPY httpd.conf /usr/local/apache2/conf/
-
-WORKDIR /var/www/htdocs
-EXPOSE 80
-VOLUME /srv/git /etc/cgit /usr/local/lib/cgit/filters/commit /srv/cgit
diff --git a/services/cgit/cgit.conf b/services/cgit/cgit.conf
deleted file mode 100644
index 446a846..0000000
--- a/services/cgit/cgit.conf
+++ /dev/null
@@ -1 +0,0 @@
-CGIT_CONFIG = /etc/cgit/cgitrc
diff --git a/services/cgit/httpd.conf b/services/cgit/httpd.conf
deleted file mode 100644
index 451603c..0000000
--- a/services/cgit/httpd.conf
+++ /dev/null
@@ -1,63 +0,0 @@
-#
-# Apache HTTP server configuration
-#
-
-LoadModule rewrite_module modules/mod_rewrite.so
-LoadModule mpm_event_module modules/mod_mpm_event.so
-LoadModule authn_file_module modules/mod_authn_file.so
-LoadModule authn_core_module modules/mod_authn_core.so
-LoadModule authz_host_module modules/mod_authz_host.so
-LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
-LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule authz_core_module modules/mod_authz_core.so
-LoadModule access_compat_module modules/mod_access_compat.so
-LoadModule auth_basic_module modules/mod_auth_basic.so
-LoadModule reqtimeout_module modules/mod_reqtimeout.so
-LoadModule filter_module modules/mod_filter.so
-LoadModule mime_module modules/mod_mime.so
-LoadModule log_config_module modules/mod_log_config.so
-LoadModule env_module modules/mod_env.so
-LoadModule headers_module modules/mod_headers.so
-LoadModule setenvif_module modules/mod_setenvif.so
-LoadModule version_module modules/mod_version.so
-LoadModule unixd_module modules/mod_unixd.so
-LoadModule status_module modules/mod_status.so
-LoadModule autoindex_module modules/mod_autoindex.so
-<IfModule !mpm_prefork_module>
- LoadModule cgid_module modules/mod_cgid.so
-</IfModule>
-<IfModule mpm_prefork_module>
- LoadModule cgi_module modules/mod_cgi.so
-</IfModule>
-LoadModule dir_module modules/mod_dir.so
-LoadModule alias_module modules/mod_alias.so
-
-ServerName localhost
-ServerRoot "/usr/local/apache2"
-Listen 80
-User cgit
-Group cgit
-
-DocumentRoot "/var/www/htdocs"
-<Directory "/var/www/htdocs">
- Options +ExecCGI
- AddHandler cgi-script .cgi
- RewriteEngine on
- # Serve regular files
- RewriteCond %{REQUEST_FILENAME} -f
- RewriteRule ^ - [L]
- # URLs not starting with "cgit.cgi" are internally prefixed with it
- RewriteRule "^(?!cgit\.cgi)(.*)" "/cgit.cgi/$1" [L]
-</Directory>
-
-<Files ".ht*">
- Require all denied
-</Files>
-
-ErrorLog /proc/self/fd/2
-LogLevel warn
-# Uncomment to see rewrite module trace
-# LogLevel info rewrite_module:trace1
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
-LogFormat "%h %l %u %t \"%r\" %>s %b" common
-CustomLog /proc/self/fd/1 common
diff --git a/services/cgit/readme.md b/services/cgit/readme.md
deleted file mode 100644
index bef4b9b..0000000
--- a/services/cgit/readme.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# cgit
-
-This project is a [cgit](https://git.zx2c4.com/cgit/about/) docker image.
-
-It aims to be as simple as possible. No authentication, no SSH, just browsing repositories on a web page. The container doesn't write to the repositories so they can be read-only.
-
-# Build
-
-```
-docker build --tag cgit .
-```
-
-# Run
-
-## cgit configuration and runtime
-
-Examples are provided in the `examples` directory.
-
-* `CGITRC`: Host directory containing a `cgitrc` configuration, see [cgitrc manual](https://manpages.debian.org/trixie/cgit/cgitrc.5.en.html).
-* `COMMIT_FILTER`: Host directory containing an executable `commit-filter.sh` script to format Git commit messages. See the `commit-filter` section of the [cgitrc manual](https://manpages.debian.org/trixie/cgit/cgitrc.5.en.html).
-* `ABOUT`: Host directory containing `about.md` for the front page "about" section.
-* `REPOSITORIES`: Host directory containing your Git repositories.
-
-## Run with `docker`
-
-```
-docker run \
- --rm \
- --name cgit \
- --publish 8080:80 \
- --mount type=bind,src=CGITRC,dst=/etc/cgit,ro \
- --mount type=bind,src=COMMIT_FILTER,dst=/usr/local/lib/cgit/filters/commit \
- --mount type=bind,src=ABOUT,dst=/srv/cgit,ro \
- --mount type=bind,src=REPOSITORIES,dst=/srv/git,ro \
- cgit
-```
-
-Browse the website [here](http://localhost:8080).
-
-## Run with `docker compose`
-
-*Example `compose.yaml`:*
-
-```
-services:
- cgit:
- build: .
- image: cgit
- container_name: cgit
- ports:
- - 8080:80
- volumes:
- - CGITRC:/etc/cgit:ro
- - COMMIT_FILTER:/usr/local/lib/cgit/filters/commit
- - ABOUT:/srv/cgit:ro
- - REPOSITORIES:/srv/git:ro
-```
-
-Browse the website [here](http://localhost:8080).
-
-# Configuration
-
-## Repository specific `cgitrc`
-
-Add a `cgitrc` file at the root of a repository to configure it for cgit. Note that this only works with the `scan-path` setting.
-
-*Example `cgitrc`:*
-
-```
-desc=Repository description
-owner=Repository owner
-section=Repository section
-```
diff --git a/services/nginx/Dockerfile b/services/nginx/Dockerfile
deleted file mode 100644
index bb8e645..0000000
--- a/services/nginx/Dockerfile
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM nginx:1.29.4-trixie
-ADD fs.tar.gz /
-CMD ["/sbin/cmd.bash"]
diff --git a/services/nginx/fs/etc/nginx/templates/default.conf.template b/services/nginx/etc/nginx/templates/default.conf.template
index 306a074..306a074 100644
--- a/services/nginx/fs/etc/nginx/templates/default.conf.template
+++ b/services/nginx/etc/nginx/templates/default.conf.template
diff --git a/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template b/services/nginx/etc/nginx/templates/services/cgit.conf.template
index c0fa070..c0fa070 100644
--- a/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template
+++ b/services/nginx/etc/nginx/templates/services/cgit.conf.template
diff --git a/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template b/services/nginx/etc/nginx/templates/services/radicale.conf.template
index d6e4617..d6e4617 100644
--- a/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template
+++ b/services/nginx/etc/nginx/templates/services/radicale.conf.template
diff --git a/services/nginx/fs/sbin/cmd.bash b/services/nginx/sbin/cmd.bash
index e024b4f..e024b4f 100755
--- a/services/nginx/fs/sbin/cmd.bash
+++ b/services/nginx/sbin/cmd.bash
diff --git a/services/radicale/Dockerfile b/services/radicale/Dockerfile
deleted file mode 100644
index d6e850b..0000000
--- a/services/radicale/Dockerfile
+++ /dev/null
@@ -1,3 +0,0 @@
-FROM tomsquest/docker-radicale:3.5.10.0
-ADD fs.tar.gz /
-CMD su-exec radicale /sbin/cmd.sh
diff --git a/services/radicale/fs/etc/radicale/conf.ini b/services/radicale/etc/radicale/conf.ini
index 2af4af9..2af4af9 100644
--- a/services/radicale/fs/etc/radicale/conf.ini
+++ b/services/radicale/etc/radicale/conf.ini
diff --git a/services/radicale/fs/sbin/cmd.sh b/services/radicale/sbin/cmd.sh
index 4d09e75..4d09e75 100755
--- a/services/radicale/fs/sbin/cmd.sh
+++ b/services/radicale/sbin/cmd.sh
diff --git a/tools/build b/tools/build
new file mode 100755
index 0000000..09d7734
--- /dev/null
+++ b/tools/build
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+for srv in nginx radicale; do
+ tar -czf services/"$srv"/fs.tar.gz -C services/"$srv" .
+done
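Review bot: With the `fs/` level gone, `tar -czf services/"$srv"/fs.tar.gz -C services/"$srv" .` archives the whole service directory, including the location it is writing the archive to. GNU tar is expected to skip the archive it is writing, but any other file later placed in `services/<srv>/` will be unpacked into the image root by `ADD fs.tar.gz /`. Listing the intended trees keeps the image contents explicit: `tar -czf services/"$srv"/fs.tar.gz -C services/"$srv" etc sbin`. The paths are relative to the repository root while the script now lives in `tools/`, so a leading `cd "$(dirname "$0")/.." || exit 1` would make it safe to run from anywhere. A `set -e` would stop the loop on the first failed archive.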
diff --git a/tools/generate_self_signed_cert b/tools/generate_self_signed_cert
new file mode 100755
index 0000000..b25cdb3
--- /dev/null
+++ b/tools/generate_self_signed_cert
@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+
+# Creates a self-signed key/certificate pair for a domain and subdomain(s)
+# Usage:
+# build <domain> [<subdomains>...]
+
+domain=${1:?missing domain argument}
+shift
+subdomains=("$@")
+
+mkcert -install
+mkcert "${subdomains[@]/%/.$domain}" "$domain"
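Review bot: The header comment documents the wrong command name: `# build <domain> [<subdomains>...]` should read `# generate_self_signed_cert <domain> [<subdomains>...]`. It also describes the result as self-signed, whereas `mkcert -install` creates a local CA and adds it to the machine's trust stores, and the certificate is then signed by that CA. The comment should say so, because the CA key that mkcert keeps on this host can issue certificates this machine will trust for any name. `example.env` expects the pair to be named `server.crt`/`server.key`, while mkcert's default output names are derived from the host list, so I would pass the names explicitly: `mkcert -cert-file server.crt -key-file server.key "${subdomains[@]/%/.$domain}" "$domain"`.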