Remove Woodpecker configuration.

Signed-off-by: Kellen Renshaw <kellen@bluequartz.xyz>

.gitea/workflows/docker.yaml

@@ -0,0 +1,33 @@
+name: Docker Image Creation
+run-name: ${{ gitea.actor }} building Docker image
+on: [push]
+
+jobs:
+  build-docker:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v4
+
+      - name: Login to Gitea Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.bluequartz.xyz
+          username: ${{ gitea.actor }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: git.bluequartz.xyz/kellen/bin
+
+      - name: Build and Push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+

.github/workflows/docker-publish.yml

@@ -0,0 +1,93 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  schedule:
+    - cron: '45 20 * * *'
+  push:
+    branches: [ master ]
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+  pull_request:
+    branches: [ master ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422
+        with:
+          cosign-release: 'v1.4.0'
+
+
+      # Workaround: https://github.com/docker/build-push-action/issues/461
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

.gitignore

@@ -7,3 +7,4 @@
 
 # These are backup files generated by rustfmt
 **/*.rs.bk
+result

Cargo.lock

@@ -510,9 +510,9 @@ checksum = "0e851ca7c24871e7336801608a4797d7376545b6928a10d32d75685687141ead"
 
 [[package]]
 name = "bytes"
-version = "1.1.0"
+version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
+checksum = "ec8a7b6a70fde80372154c65702f00a0f56f3e1c36abbc6c440484be248856db"
 dependencies = [
  "serde",
 ]
@@ -1272,9 +1272,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.14"
+version = "0.4.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51b9bbe6c47d51fc3e1a9b945965946b4c44142ab8792c50835a980d362c2710"
+checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
 dependencies = [
  "cfg-if",
 ]
@@ -1428,9 +1428,9 @@ dependencies = [
 
 [[package]]
 name = "once_cell"
-version = "1.10.0"
+version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87f3e037eac156d1775da914196f0f37741a274155e34a0b7e427c35d2a2ecb9"
+checksum = "2f7254b99e31cad77da24b08ebf628882739a608578bb1bcdfc1f9c21260d7c0"
 
 [[package]]
 name = "onig"
@@ -1456,9 +1456,9 @@ dependencies = [
 
 [[package]]
 name = "parking_lot"
-version = "0.12.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87f5ec2493a61ac0506c0f4199f99070cbe83857b0337006a30f3e6719b8ef58"
+checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
 dependencies = [
  "lock_api",
  "parking_lot_core",
@@ -1991,10 +1991,11 @@ checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
 
 [[package]]
 name = "tokio"
-version = "1.17.0"
+version = "1.20.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2af73ac49756f3f7c01172e34a23e5d0216f6c32333757c2c61feb2bbff5a5ee"
+checksum = "7a8325f63a7d4774dd041e363b2409ed1c5cbbd0f867795e661df066b2b0a581"
 dependencies = [
+ "autocfg",
  "bytes",
  "libc",
  "memchr",

Cargo.toml

@@ -12,9 +12,9 @@ argh = "0.1"
 log = "0.4"
 pretty_env_logger = "0.4"
 linked-hash-map = "0.5"
-once_cell = "1.10"
+once_cell = "1.14"
 parking_lot = "0.12"
-bytes = { version = "1.1", features = ["serde"] }
+bytes = { version = "1.2", features = ["serde"] }
 serde = { version = "1.0", features = ["derive"] }
 rand = { version = "0.8" }
 gpw = "0.1"
@@ -24,7 +24,7 @@ htmlescape = "0.3"
 askama = "0.11"
 bat = "0.20"
 syntect = "4.6"
-tokio = { version = "1.17", features = ["sync"] }
+tokio = { version = "1.20", features = ["sync"] }
 futures = "0.3"
 
 [profile.release]

Dockerfile

@@ -1,4 +1,4 @@
-FROM rust:1-slim AS builder
+FROM rust:1-slim-bookworm AS builder
 
 RUN apt update && apt install -y libclang-dev
 
@@ -7,8 +7,7 @@ WORKDIR /sources
 RUN cargo build --release
 RUN chown nobody:nogroup /sources/target/release/bin
 
-
-FROM debian:bullseye-slim
+FROM gcr.io/distroless/cc-debian12
 COPY --from=builder /sources/target/release/bin /pastebin
 
 USER nobody

docker-compose.yml

@@ -0,0 +1,8 @@
+version: '3'
+services:
+  bin:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    ports:
+      - "8000:8000"

flake.lock

@@ -0,0 +1,77 @@
+{
+  "nodes": {
+    "naersk": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1662220400,
+        "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "master",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1670118144,
+        "narHash": "sha256-tdh9H4oomljZaKpCkZox8jmwt8p78oGLpK9cjFBy3Qk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "95f1ec721652d91a2993311d6cf537d3724690be",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1670118144,
+        "narHash": "sha256-tdh9H4oomljZaKpCkZox8jmwt8p78oGLpK9cjFBy3Qk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "95f1ec721652d91a2993311d6cf537d3724690be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs_2",
+        "utils": "utils"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,83 @@
+{
+  inputs = {
+    naersk.url = "github:nix-community/naersk/master";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, utils, naersk }:
+    utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        naersk-lib = pkgs.callPackage naersk { };
+      in
+      {
+        defaultPackage = naersk-lib.buildPackage ./.;
+        devShell = with pkgs; mkShell {
+          buildInputs = [ cargo rustc rustfmt pre-commit rustPackages.clippy ];
+          RUST_SRC_PATH = rustPlatform.rustLibSrc;
+        };
+
+        nixosModules.default = { config, lib, pkgs, ... }:
+          with lib;
+          let
+            cfg = config.services.paste-bin;
+          in
+          {
+            options.services.paste-bin = {
+              enable = mkEnableOption "paste-bin";
+              bindAddress = mkOption {
+                default = "[::]:8000";
+                description = "Address and port to listen on";
+                type = types.str;
+              };
+              maxPasteSize = mkOption {
+                default = 32768;
+                description = "Max allowed size of an individual paste";
+                type = types.int;
+              };
+              bufferSize = mkOption {
+                default = 1000;
+                description = "Maximum amount of pastes to store at a time";
+                type = types.int;
+              };
+            };
+
+            config = mkIf cfg.enable {
+              systemd.services.bin = {
+                enable = true;
+                wantedBy = [ "multi-user.target" ];
+                after = [ "network-online.target" ];
+                serviceConfig = {
+                  Type = "exec";
+                  ExecStart = "${self.defaultPackage."${system}"}/bin/bin --buffer-size ${toString cfg.bufferSize} --max-paste-size ${toString cfg.maxPasteSize} ${cfg.bindAddress}";
+                  Restart = "on-failure";
+
+                  CapabilityBoundingSet = "";
+                  NoNewPrivileges = true;
+                  PrivateDevices = true;
+                  PrivateTmp = true;
+                  PrivateUsers = true;
+                  PrivateMounts = true;
+                  ProtectHome = true;
+                  ProtectClock = true;
+                  ProtectProc = "noaccess";
+                  ProcSubset = "pid";
+                  ProtectKernelLogs = true;
+                  ProtectKernelModules = true;
+                  ProtectKernelTunables = true;
+                  ProtectControlGroups = true;
+                  ProtectHostname = true;
+                  RestrictSUIDSGID = true;
+                  RestrictRealtime = true;
+                  RestrictNamespaces = true;
+                  LockPersonality = true;
+                  RemoveIPC = true;
+                  RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+                  SystemCallFilter = [ "@system-service" "~@privileged" ];
+                };
+              };
+            };
+          };
+      });
+}

templates/base.html

@@ -3,7 +3,6 @@
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1">
-    
     <title>bin.</title>
     <link rel="help" href="https://github.com/w4/bin">
     <style>
@@ -14,10 +13,13 @@
             padding: 2rem;
             background: #263238;
             color: #B0BEC5;
-            font-family: 'Courier New', Courier, monospace;
             line-height: 1.1;
             display: flex;
         }
+        body, code, textarea { font-family: Monaco, Menlo, Courier, Courier New, Andale Mono, monospace; }
+        code {
+          display: block;
+        }
         {% block styles %}{% endblock styles %}
     </style>
     {% block head %}{% endblock head %}

templates/index.html

@@ -9,6 +9,7 @@
 
         background: none;
         border: none;
+        outline: 0;
 
         resize: none;
         overflow: auto;