conduwuit source builds

servers/containers/conduwuit-limited-federation.container

@@ -0,0 +1,92 @@
+
+
+[Unit]
+Description=Conduwuit limited federation (matrix)
+Wants=network-online.target
+Wants=traefik.service
+After=network-online.target
+Documentation=https://conduwuit.puppyirl.gay/
+
+[Container]
+ContainerName=conduwuit-limited-federation
+NoNewPrivileges=true
+Image=ghcr.io/jadedblueeyes/conduwuit:federation-allow-list
+ReadOnly=true
+Volume=/var/opt/conduwuit-limited-federation:/var/lib/conduwuit:z,U
+AutoUpdate=registry
+
+# conduwuit uses quite a few file descriptors, and on some systems it defaults to 1024
+Ulimit=nofile=1048567:1048567
+
+Label="traefik.enable=true"
+Label="traefik.http.routers.conduwuit-limited-federation.rule=(Host(`matrix-limited-federation.pissing.dev`))"
+
+Label="traefik.http.services.conduwuit-limited-federation.loadbalancer.server.port=6168"
+Environment="CONDUWUIT_PORT=6168"
+
+Network=web.network:ip=10.89.0.246,ip6=fd76:6f6d:f45e:ea1a::f10
+Label="traefik.docker.network=systemd-web"
+Environment="CONDUWUIT_ADDRESS=[\"10.89.0.246\", \"fd76:6f6d:f45e:ea1a::f10\"]"
+
+Label="traefik.http.routers.conduwuit-limited-federation.entrypoints=https,matrix"
+
+Label="traefik.http.routers.conduwuit-limited-federation.middlewares=default@file"
+
+Label="homepage.group=Public"
+Label="homepage.name=Conduwuit (limited federation)"
+# https://github.com/girlbossceo/conduwuit/blob/032b199129f8648a77bde285f755a78e9ec349a7/src/api/client/unversioned.rs#L142
+# Endpoint provided by sliding sync proxy used by some clients such as Element Web as a non-standard health check.
+Label="homepage.siteMonitor=https://matrix-limited-federation.pissing.dev/client/server.json" 
+Label="homepage.description=Matrix homeserver (matrix-limited-federation.pissing.dev)"
+Label=kuma.__monitor=''
+Environment='CONDUWUIT_ALLOWED_REMOTE_SERVER_NAMES=["pissing.dev"]'
+
+Environment="CONDUWUIT_SERVER_NAME=matrix-limited-federation.pissing.dev"
+
+Environment="CONDUWUIT_DATABASE_PATH=/var/lib/conduwuit"
+Environment="CONDUWUIT_DATABASE_BACKEND=rocksdb"
+# in bytes, ~20 MB
+Environment="CONDUWUIT_MAX_REQUEST_SIZE=20000000"
+
+Environment="CONDUWUIT_ALLOW_REGISTRATION=true"
+Environment="CONDUWUIT_REGISTRATION_TOKEN=pissing-atlantic-proclaim-canine-drivable"
+Environment='CONDUWUIT_AUTO_JOIN_ROOMS=["!UgUxfVZAEj2pcBRRdv:ellis.link", "!C8jPKMPkMsnd1wmm5j:ellis.link"]'
+Environment="CONDUWUIT_ALLOW_FEDERATION=true"
+Environment="CONDUWUIT_ALLOW_PUBLIC_ROOM_DIRECTORY_OVER_FEDERATION=true"
+
+Environment="CONDUWUIT_ALLOW_LEGACY_MEDIA=false"
+
+Environment="CONDUWUIT_TRUSTED_SERVERS=[\"matrix.org\", \"matrix.pissing.dev\", \"matrix.ellis.link\", "tchncs.de", "envs.net"]"
+Environment="CONDUWUIT_LOG=info,hickory_proto::xfer::dns_exchange=error"
+Environment="CONDUWUIT_WELL_KNOWN={ \
+client=https://matrix-limited-federation.pissing.dev, \
+server=matrix-limited-federation.pissing.dev:443 \
+}"
+
+Environment="CONDUWUIT_TURN_URIS=[\"turns:coturn.ellis.link?transport=udp\",\"turns:coturn.ellis.link?transport=tcp\",\"turn:coturn.ellis.link?transport=udp\",\"turn:coturn.ellis.link?transport=tcp\"]"
+Environment="CONDUWUIT_TURN_SECRET=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx"
+
+Network=conduwuit-url.network:interface_name=pub
+Environment="CONDUWUIT_URL_PREVIEW_DOMAIN_EXPLICIT_ALLOWLIST=[\"*\"]"
+Environment="CONDUWUIT_URL_PREVIEW_BOUND_INTERFACE=pub"
+
+# Environment="CONDUWUIT_SENTRY=true"
+# Environment="CONDUWUIT_SENTRY_ENDPOINT=https://c885d1475cef5c54bbd32b1512e0ae20@o4507835405369344.ingest.de.sentry.io/4508059491696720"
+
+# Environment="CONDUWUIT_EMERGENCY_PASSWORD="
+
+StopTimeout=100
+
+[Service]
+
+Restart=on-failure
+RestartSec=5
+
+TimeoutStopSec=2m
+TimeoutStartSec=2m
+
+# StartLimitInterval=1m
+StartLimitBurst=5
+
+[Install]
+WantedBy=default.target

servers/containers/conduwuit-source.build

@@ -0,0 +1,19 @@
+
+
+[Unit]
+Description=Conduwuit image build
+Wants=network-online.target
+After=network-online.target
+
+
+[Build]
+
+ImageTag=localhost/conduwuit:git
+
+# File=https://gist.githubusercontent.com/JadedBlueEyes/01848fc7388ab5bc0b0fbd552e075a67/raw/Containerfile
+File=/etc/containers/systemd/conduwuit.Containerfile
+
+SetWorkingDirectory=https://github.com/girlbossceo/conduwuit.git
+PodmanArgs=--build-arg TARGET_CPU=native
+        #    --build-arg COMMIT_SHA=
+Annotation=org.opencontainers.image.title=Conduwuit (custom build)

servers/containers/conduwuit-testing.container

@@ -10,7 +10,8 @@ Documentation=https://conduwuit.puppyirl.gay/
 [Container]
 ContainerName=conduwuit-testing
 NoNewPrivileges=true
-Image=ghcr.io/girlbossceo/conduwuit:main
+# Image=ghcr.io/girlbossceo/conduwuit:main
+Image=conduwuit-source.build
 ReadOnly=true
 Volume=/var/opt/conduwuit-testing:/var/lib/conduwuit:z,U
 AutoUpdate=registry

servers/containers/conduwuit.Containerfile

@@ -0,0 +1,169 @@
+ARG RUST_VERSION=1.84
+
+FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS base
+FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS builder
+
+# Prevent deletion of apt cache
+RUN rm -f /etc/apt/apt.conf.d/docker-clean
+
+# Match Rustc version as close as possible
+# rustc -vV
+ARG LLVM_VERSION=19
+ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}
+
+# Install repo tools
+# Line one: compiler tools
+# Line two: curl, for downloading binaries
+# Line three: for xx-verify
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked <<EOF
+apt-get update && apt-get install -y \
+    clang-${LLVM_VERSION} lld-${LLVM_VERSION} pkg-config make \
+    curl git \
+    file
+EOF
+
+# Create symlinks for LLVM tools
+RUN <<EOF
+    ln -s /usr/bin/clang-${LLVM_VERSION} /usr/bin/clang
+    ln -s "/usr/bin/clang-${LLVM_VERSION}++" "/usr/bin/clang++"
+    ln -s /usr/bin/lld-${LLVM_VERSION} /usr/bin/lld
+EOF
+
+# Developer tool versions
+# renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
+ENV BINSTALL_VERSION=1.10.21
+# renovate: datasource=github-releases depName=psastras/sbom-rs
+ENV CARGO_SBOM_VERSION=0.9.1
+# renovate: datasource=crate depName=lddtree
+ENV LDDTREE_VERSION=0.3.7
+
+# Install unpackaged tools
+RUN <<EOF
+    curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
+    cargo binstall --no-confirm cargo-sbom --version $CARGO_SBOM_VERSION
+    cargo binstall --no-confirm lddtree --version $LDDTREE_VERSION
+EOF
+
+# Set up xx (cross-compilation scripts)
+COPY --from=xx / /
+ARG TARGETPLATFORM
+
+# Install libraries linked by the binary
+# xx-* are xx-specific meta-packages
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked <<EOF
+xx-apt-get install -y \
+    xx-c-essentials xx-cxx-essentials \
+    liburing-dev
+EOF
+
+# Set up Rust toolchain
+WORKDIR /app
+COPY ./rust-toolchain.toml .
+RUN rustc --version \
+    && rustup target add $(xx-cargo --print-target-triple)
+
+# Get source
+COPY . .
+
+# Build binary
+# We disable incremental compilation to save disk space, as it only produces a minimal speedup for this case.
+ENV CARGO_INCREMENTAL=0
+
+# Configure pkg-config
+RUN <<EOF
+    echo "PKG_CONFIG_LIBDIR=/usr/lib/$(xx-info)/pkgconfig" >> /etc/environment
+    echo "PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config"
+    echo "PKG_CONFIG_ALLOW_CROSS=true" >> /etc/environment
+EOF
+
+# Configure cc to use clang version
+RUN <<EOF
+    echo "CC=clang" >> /etc/environment
+    echo "CXX=clang++" >> /etc/environment    
+EOF
+
+# Cross-language LTO
+RUN <<EOF
+    echo "CFLAGS=-flto" >> /etc/environment
+    echo "CXXFLAGS=-flto" >> /etc/environment
+    echo "RUSTFLAGS='-Clinker-plugin-lto -Clinker=clang -Clink-arg=-fuse-ld=lld'" >> /etc/environment
+EOF
+
+# Apply CPU-specific optimizations if TARGET_CPU is provided
+ARG TARGET_CPU=
+ARG TARGET_CPU
+RUN <<EOF
+  set -o allexport
+  . /etc/environment
+  if [ -n "${TARGET_CPU}" ]; then
+    echo "CFLAGS='${CFLAGS} -march=${TARGET_CPU}'" >> /etc/environment
+    echo "CXXFLAGS='${CXXFLAGS} -march=${TARGET_CPU}'" >> /etc/environment
+    echo "RUSTFLAGS='${RUSTFLAGS} -C target-cpu=${TARGET_CPU}'" >> /etc/environment
+  fi
+EOF
+
+# Conduwuit version info
+ARG COMMIT_SHA=
+ARG CONDUWUIT_VERSION_EXTRA=
+ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
+RUN <<EOF
+if [ -z "${CONDUWUIT_VERSION_EXTRA}" ]; then
+    echo "CONDUWUIT_VERSION_EXTRA='$(set -e; git rev-parse --short ${COMMIT_SHA:-HEAD} || echo unknown) Jade Build'" >> /etc/environment
+fi
+EOF
+
+# Verify environment configuration
+RUN cat /etc/environment
+
+# Prepare output directories
+RUN mkdir /out
+
+# Build the binary
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git/db \
+    --mount=type=cache,target=/app/target \
+    bash <<EOF
+  set -o allexport
+  . /etc/environment
+  xx-cargo build --locked --release
+  xx-verify ./target/$(xx-cargo --print-target-triple)/release/conduwuit
+  cp ./target/$(xx-cargo --print-target-triple)/release/conduwuit /out/app
+EOF
+
+# Generate Software Bill of Materials (SBOM)
+RUN cargo sbom > /out/sbom.spdx.json
+
+# Extract dynamically linked dependencies
+# RUN lddtree /out/app
+RUN lddtree /out/app | awk '{print $(NF-0) " " $1}' | sort -u -k 1,1 | awk '{print "install", "-D", $1, (($2 ~ /^\//) ? "/out/libs-root" $2 : "/out/libs/" $2)}'
+RUN <<EOF
+    mkdir /out/libs
+    mkdir /out/libs-root
+    lddtree /out/app | awk '{print $(NF-0) " " $1}' | sort -u -k 1,1 | awk '{print "install", "-D", $1, (($2 ~ /^\//) ? "/out/libs-root" $2 : "/out/libs/" $2)}' | xargs -I {} sh -c {}
+EOF
+
+FROM scratch
+
+WORKDIR /
+
+# Copy root certs for tls into image
+# You can also mount the certs from the host
+# --volume /etc/ssl/certs:/etc/ssl/certs:ro
+COPY --from=base /etc/ssl/certs /etc/ssl/certs
+
+# Copy our build
+COPY --from=builder /out/app ./app
+# Copy SBOM
+COPY --from=builder /out/sbom.spdx.json ./sbom.spdx.json
+
+# Copy dynamic libraries to root
+COPY --from=builder /out/libs-root/ /
+COPY --from=builder /out/libs/ /usr/lib/
+
+# Inform linker where to find libraries
+ENV LD_LIBRARY_PATH=/usr/lib
+
+CMD ["/app"]

servers/containers/conduwuit.container

@@ -10,7 +10,8 @@ Documentation=https://conduwuit.puppyirl.gay/
 [Container]
 ContainerName=conduwuit
 NoNewPrivileges=true
-Image=ghcr.io/girlbossceo/conduwuit:main
+# Image=ghcr.io/girlbossceo/conduwuit:main
+Image=conduwuit-source.build
 ReadOnly=true
 Volume=/var/opt/conduwuit:/var/lib/conduwuit:z,U
 AutoUpdate=registry