#!/bin/bash
#
# Generate the sync script /root/mirror.bash, but only if it does not exist yet.
# An existing file is left untouched, so later changes to BWLIMIT, SOURCE_URL or
# RSYNC_OPTIONS have no effect until the file is removed.
#
# The heredoc delimiter is unquoted: ${BWLIMIT}, ${SOURCE_URL} and
# ${RSYNC_OPTIONS} are expanded now and written into the file as literal text,
# while every \$-escaped reference is left for the generated script to expand
# when it runs.
# NOTE(review): the baked-in values are not escaped. A SOURCE_URL containing a
# single quote, or a BWLIMIT containing a double quote or $(...), changes the
# syntax of the generated script, which later runs as root. They come from the
# container environment; confirm that environment is trusted.
# NOTE(review): lastupdate_url is written empty, so the curl/diff "nothing
# changed" shortcut in the generated script will normally not match and every
# run without a tty does a full rsync. Presumably the operator is expected to
# edit the value; confirm.
# NOTE(review): the default source is an rsync:// URL, a transport with no
# encryption or server authentication. Integrity of the mirrored packages then
# depends on clients verifying package signatures; confirm.
#
# What the generated script does when it runs:
#   - creates ${target} if missing and chowns it recursively to http:http
#   - takes a non-blocking flock on fd 9 and exits if another run holds it
#   - removes leftover '.~tmp~' directories, then runs rsync with --safe-links
#   - chowns again and deletes the lock file
# NOTE(review): deleting the lock file at the end means a run that opened the
# old path just before deletion and a later run that recreates the path would
# lock different inodes; leaving the file in place avoids that. Confirm.
if [ ! -f /root/mirror.bash ]; then
cat > /root/mirror.bash <<-EOF
#!/bin/bash
# Directory where the repo is stored locally. Example: /srv/repo
target="/srv/repo"
# Lockfile path
lock="/var/lock/syncrepo.lck"
# If you want to limit the bandwidth used by rsync set this.
# Use 0 to disable the limit.
# The default unit is KiB (see man rsync /--bwlimit for more)
bwlimit="${BWLIMIT:-0}"
# The source URL of the mirror you want to sync from.
# If you choose a tier 1 mirror from this list and use its rsync URL:
# https://www.hyperbola.info/mirrors/
source_url='${SOURCE_URL:-rsync://mirror.fsf.org/hyperbola/gnu-plus-linux-libre}'
# An HTTP(S) URL pointing to the 'lastupdate' file on your chosen mirror.
# If you are a tier 1 mirror use: https://rsync.hyperbola.info/lastupdate
# Otherwise use the HTTP(S) URL from your chosen mirror.
lastupdate_url=''
[ ! -d "\${target}" ] && install -d -m755 "\${target}"
# Set permission owner
chown -R http:http "\${target}"
exec 9>"\${lock}"
/usr/bin/flock -n 9 || exit
# Cleanup any temporary files from old run that might remain.
# Note: You can skip this if you have rsync newer than 3.2.3
# not affected by https://github.com/WayneD/rsync/issues/192
find "\${target}" -name '.~tmp~' -exec rm -r {} +
rsync_cmd() {
local -a cmd=(rsync -rlptH --safe-links --delete-delay --delay-updates --timeout=600 --no-motd)
if stty &>/dev/null; then
cmd+=(-h -v --progress)
else
cmd+=(--quiet)
fi
if ((bwlimit>0)); then
cmd+=("--bwlimit=\$bwlimit")
fi
"\${cmd[@]}" "\$@"
}
# if we are called without a tty (cronjob) only run when there are changes
if ! tty -s && [[ -f "\$target/lastupdate" ]] && diff -b <(curl -Ls "\$lastupdate_url") "\$target/lastupdate" >/dev/null; then
# keep lastsync file in sync for statistics generated by Hyperbola GNU/Linux-libre website
rsync_cmd "\$source_url/lastsync" "\$target/lastsync"
exit 0
fi
rsync_cmd \
${RSYNC_OPTIONS:---exclude='*.links.tar.gz*'} \
"\${source_url}" \
"\${target}"
# Re-check permission
chown -R http:http "\${target}"
# Cleanup
/bin/rm -f "\$lock"
exit 0
EOF
fi
# Regenerate the nginx configuration on every start. The existing file is
# deleted first, so the -f test below is normally always true and manual edits
# to /etc/nginx/nginx.conf do not survive a restart.
/bin/rm -f /etc/nginx/nginx.conf || true
# \$-escaped names inside the heredoc are nginx variables and are written to the
# file literally; nothing in this heredoc is taken from the environment.
#
# Security-relevant settings in the generated config:
#   - server_tokens off: the nginx version is not disclosed in responses.
#   - access_log and error_log both point at /dev/null, so the server keeps no
#     record of requests or errors.
#     NOTE(review): consider logging to the container's stdout/stderr so there
#     is something to investigate after an incident.
#   - autoindex on: directory listings of /srv/repo are served to everyone
#     (expected for a public package mirror).
#   - disable_symlinks off: symlinks under the root are followed when serving;
#     the sync script passes --safe-links to rsync.
#   - listen 80 only, no TLS in this file.
#     NOTE(review): presumably TLS is terminated elsewhere or clients rely on
#     package signatures; confirm.
#   - "location ~ /.well-known" has an unescaped dot and no anchor, so it
#     matches more URIs than the literal directory; with "allow all" this only
#     restates the default.
#   - gzip is limited to static asset types.
#   - short client/send/keepalive timeouts and reset_timedout_connection free
#     resources held by slow or stalled clients.
if [ ! -f /etc/nginx/nginx.conf ]; then
cat > /etc/nginx/nginx.conf <<- EOF
#user http;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
# '\$status \$body_bytes_sent "\$http_referer" '
# '"\$http_user_agent" "\$http_x_forwarded_for"';
# hidden version
server_tokens off;
disable_symlinks off;
server {
listen 80 default_server;
server_name localhost;
# Logs
#access_log logs/access.log main;
access_log /dev/null;
error_log /dev/null;
root /srv/repo;
location / {
autoindex on;
autoindex_exact_size off;
}
location ~ /\.ht {
deny all;
}
location ~ /.well-known {
allow all;
}
# Enable compression for JS/CSS/HTML, for improved client load times.
# It might be nice to compress JSON/XML as returned by the API, but
# leaving that out to protect against potential BREACH attack.
gzip on;
gzip_vary on;
gzip_types # text/html is always compressed by HttpGzipModule
text/css
application/javascript
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
gzip_min_length 1000; # default is 20 bytes
gzip_buffers 16 8k;
gzip_comp_level 2; # default is 1
client_body_timeout 30s; # default is 60
client_header_timeout 10s; # default is 60
send_timeout 10s; # default is 60
keepalive_timeout 10s; # default is 75
resolver_timeout 10s; # default is 30
reset_timedout_connection on;
proxy_ignore_client_abort on;
tcp_nopush on; # send headers in one piece
tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
# Enabling the sendfile directive eliminates the step of copying the data into the buffer
# and enables direct copying data from one file descriptor to another.
sendfile on;
sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
aio threads;
}
}
EOF
fi
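# Cron schedule for the periodic sync. CRONTAB overrides the default of
# "every six hours".
SET_CRON="${CRONTAB:-0 */6 * * *}"

# Crontab entry for the sync job.
# The job is run with /bin/bash, not /bin/sh: the generated /root/mirror.bash
# starts with #!/bin/bash and uses arrays, [[ ]], (( )) and process
# substitution, and the first run at container start also uses /bin/bash.
# Under a non-bash sh the job would fail on every tick, and because its output
# is discarded nobody would notice the mirror serving stale packages.
# NOTE(review): ">/dev/null 2>&1" still hides real sync failures; consider
# sending the output somewhere that is monitored.
CRON_LINE="$SET_CRON /bin/bash /root/mirror.bash >/dev/null 2>&1"

# Write the crontab source only once; an existing /root/repo-task.sh is kept,
# so a changed CRONTAB value takes effect only after that file is removed.
if [ ! -f /root/repo-task.sh ]; then
  printf '%s\n' "$CRON_LINE" > /root/repo-task.sh
fi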
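# Start mirror: the first sync runs in the background so nginx can come up
# without waiting for it; its exit status is not collected.
/bin/bash /root/mirror.bash &

# Set cronie: install /root/repo-task.sh as the calling user's crontab.
# A failure here means the mirror is never refreshed after the first sync, so
# report it on stderr instead of ignoring it. Startup still continues.
# NOTE(review): nothing visible in this script starts a cron daemon; confirm
# one is running, otherwise the installed schedule never fires.
if ! /usr/bin/crontab /root/repo-task.sh; then
  printf '%s\n' 'warning: could not install /root/repo-task.sh as crontab; periodic sync is not scheduled' >&2
fi

# Start nginx in the foreground, replacing this shell so nginx receives the
# container's signals directly.
exec nginx -g "daemon off;"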