wn/minimal-setups
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'main' of gitea.hottis.de:wn/minimal-setups
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source
This commit is contained in:
Wolfgang Hottgenroth
2025-09-14 18:46:54 +02:00
parent 7a932996ba 5bd8d05103
commit fa33f12a76
7 changed files with 61 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.woodpecker.yml
View File

@@ -5,7 +5,7 @@ steps:
repo: ${FORGE_NAME}/${CI_REPO} repo: ${FORGE_NAME}/${CI_REPO}
registry: registry:
from_secret: container_registry from_secret: container_registry
tags: latest,${CI_COMMIT_SHA},${CI_COMMIT_TAG} tags: latest,${CI_COMMIT_SHA}
username: username:
from_secret: container_registry_username from_secret: container_registry_username
password: password:
@@ -30,7 +30,7 @@ steps:
commands: commands:
- export GOPATH=/woodpecker/go # the export is required, otherwise trivy will not consider the variable - export GOPATH=/woodpecker/go # the export is required, otherwise trivy will not consider the variable
- HOME=/home/`id -nu` - HOME=/home/`id -nu`
- TAG="${CI_COMMIT_TAG:-$CI_COMMIT_SHA}" - TAG=${CI_COMMIT_SHA}
- | - |
trivy image \ trivy image \
--server $TRIVY_URL \ --server $TRIVY_URL \

3
Dockerfile
View File

@@ -8,7 +8,8 @@ RUN \
chown -R nobody:nobody /var/cache/nginx /var/log/nginx && \ chown -R nobody:nobody /var/cache/nginx /var/log/nginx && \
sed -i 's/listen\s\+80;/listen 8080;/' /etc/nginx/conf.d/default.conf && \ sed -i 's/listen\s\+80;/listen 8080;/' /etc/nginx/conf.d/default.conf && \
sed -i 's/index index.html index.htm;/index mdwiki.html;/' /etc/nginx/conf.d/default.conf && \ sed -i 's/index index.html index.htm;/index mdwiki.html;/' /etc/nginx/conf.d/default.conf && \
sed -i 's,pid\s\+/run/nginx.pid;,pid /tmp/nginx.pid;,' /etc/nginx/nginx.conf sed -i 's,pid\s\+/run/nginx.pid;,pid /tmp/nginx.pid;,' /etc/nginx/nginx.conf && \
dd if=/dev/random of=/usr/share/nginx/html/numbers bs=1024 count=1000000
USER nobody USER nobody
# ------------ # ------------
EXPOSE 8080 EXPOSE 8080

2
content/index.md
View File

@@ -1,4 +1,4 @@
# Minimal Setups # Minimal Setups
![](/static/IMG_3019.png) ![](/static/IMG_3019.jpg)

17
content/keys.md
View File

@@ -1,21 +1,6 @@
## My Public GPG and SSH Keys ## My Public GPG and SSH Keys
### SSH Keys
* [My SSH Keys](/static/mysshkeys.txt) The overview on keys is at [static.hottis.de](https://static.hottis.de)
### Public SSH Keys for Signing Purposes
* [`0ca69636d28c45bc99e4ac5b40785e8c`](/static/0ca69636d28c45bc99e4ac5b40785e8c.txt)
* [`8bf09b3cc425c12c482b03fb45dbee57`](/static/8bf09b3cc425c12c482b03fb45dbee57.txt)
### GPG Keys
* [`2306AA47A6D7A534B1B7446C836E9E1192A6B132`](/static/2306AA47A6D7A534B1B7446C836E9E1192A6B132.txt)
* [`082071E0415E0A2D87A2385B5159E88B93B67538`](/static/082071E0415E0A2D87A2385B5159E88B93B67538.txt)
* [`7B5C0BB6AFCADDC8E3435746B76E53073EE19643`](/static/7B5C0BB6AFCADDC8E3435746B76E53073EE19643.txt)
* [`90E1D1E935FC6AB94444B15B18FDFA577A8871AD`](/static/90E1D1E935FC6AB94444B15B18FDFA577A8871AD.txt)
* [`BDB9F424842252FB4D8EEDDCE49AF3B9EF6DD469`](/static/BDB9F424842252FB4D8EEDDCE49AF3B9EF6DD469.txt) (Dell Laptop, USB-A nano)
* [`F53691B26F457823DF3E954BB3E461281CF3CE5D`](/static/F53691B26F457823DF3E954BB3E461281CF3CE5D.txt) (Keychain, USB-C)

2
content/snippets/0270-docker-on-apple-silicon.md
View File

@@ -42,7 +42,7 @@ Here also
``` ```
finch vm init finch vm init
finch vm stop finch vm start
``` ```
is required and afterwards containers can be executed: is required and afterwards containers can be executed:

54
content/snippets/0290-secrets-in-repos.md Normal file
View File

@@ -0,0 +1,54 @@
<!--
title: Secrets in Repos
date: 2025-05-22
-->
# Secrets in Repos
Storing secrets in cleartext in a repo is forbidden, obviously.
I use this approach to store secrets in ciphertext in a repo.
The secrets shall be in a file, for instance `secrets.txt`. To encrypt this file I use
```
gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
```
The passphrase for the encryption must be entered on the prompt from gpg.
To decrypt the file, in a CI script I use
```
gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output secrets.txt secrets.asc
```
The passphrase must be set in the environment variable `GPG_PASSPHRASE`.
To decrypt interactively the commandline
```
gpg --decrypt --output secrets.txt secrets.asc
```
can be used.
Make sure to store the passphrase safely and securely in a password manager or so, otherwise you can not get to your data any longer or everyone can do so.
## Remark: Problems with passphrase input
Sometimes, gpg tries to ask for the passphrase via the configured pinentry app, which sometimes fails. In those cases add
```
--pinentry-mode loopback
```
to the commandline:
```
gpg --pinentry-mode=loopback --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
gpg --pinentry-mode=loopback --decrypt --output secrets.txt secrets.asc
```

BIN
content/static/IMG_3019.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB