Increase security and reformat

2026-03-07 20:52:13 +00:00
parent 10588a18b9
commit bca4d6898f
144 changed files with 6735 additions and 3960 deletions
--- a/scripts/quadlet/render_units.py
+++ b/scripts/quadlet/render_units.py
@@ -1,10 +1,10 @@
 #!/usr/bin/env python3
 from __future__ import annotations

-from pathlib import Path
 import argparse
 import os
 import shutil
+from pathlib import Path


 def parse_env(path: Path) -> dict[str, str]:
@@ -39,14 +39,18 @@ def write_unit(path: Path, content: str) -> None:
 def main() -> int:
    parser = argparse.ArgumentParser()
    parser.add_argument("--stack-env", default="stack.env")
-    parser.add_argument("--output-dir", default=str(Path.home() / ".config/containers/systemd"))
+    parser.add_argument(
+        "--output-dir", default=str(Path.home() / ".config/containers/systemd")
+    )
    args = parser.parse_args()

    repo_root = Path(__file__).resolve().parents[2]
    stack_env_path = abs_from(repo_root, args.stack_env, "stack.env")
    env = parse_env(stack_env_path)
    stack_id = str(env.get("GIA_STACK_ID") or env.get("STACK_ID") or "").strip()
-    stack_id = "".join(ch if (ch.isalnum() or ch in "._-") else "-" for ch in stack_id).strip("-")
+    stack_id = "".join(
+        ch if (ch.isalnum() or ch in "._-") else "-" for ch in stack_id
+    ).strip("-")

    def with_stack(base: str) -> str:
        return f"{base}_{stack_id}" if stack_id else base
@@ -65,12 +69,16 @@ def main() -> int:
    else:
        stack_port_offset = 0
    app_port = int(env.get("APP_PORT") or (5006 + stack_port_offset))
-    signal_public_port = int(env.get("SIGNAL_PUBLIC_PORT") or (8080 + stack_port_offset))
+    signal_public_port = int(
+        env.get("SIGNAL_PUBLIC_PORT") or (8080 + stack_port_offset)
+    )

    repo_dir = abs_from(repo_root, env.get("REPO_DIR", "."), ".")
    host_uid = int(os.getuid())
    host_gid = int(os.getgid())
-    app_db_file = abs_from(repo_root, env.get("APP_DATABASE_FILE", "./db.sqlite3"), "./db.sqlite3")
+    app_db_file = abs_from(
+        repo_root, env.get("APP_DATABASE_FILE", "./db.sqlite3"), "./db.sqlite3"
+    )
    app_db_basename = app_db_file.name
    sqlite_data_dir = abs_from(
        repo_root,
@@ -80,18 +88,36 @@ def main() -> int:
    host_db_file = (sqlite_data_dir / app_db_basename).resolve()
    app_db_path_in_container = f"/conf/{app_db_basename}"

-    redis_data_dir = abs_from(repo_root, env.get("QUADLET_REDIS_DATA_DIR", "./.podman/gia_redis_data"), "./.podman/gia_redis_data")
-    whatsapp_data_dir = abs_from(repo_root, env.get("QUADLET_WHATSAPP_DATA_DIR", "./.podman/gia_whatsapp_data"), "./.podman/gia_whatsapp_data")
+    redis_data_dir = abs_from(
+        repo_root,
+        env.get("QUADLET_REDIS_DATA_DIR", "./.podman/gia_redis_data"),
+        "./.podman/gia_redis_data",
+    )
+    whatsapp_data_dir = abs_from(
+        repo_root,
+        env.get("QUADLET_WHATSAPP_DATA_DIR", "./.podman/gia_whatsapp_data"),
+        "./.podman/gia_whatsapp_data",
+    )

    vrun_dir = Path("/code/vrun") / stack_id if stack_id else Path("/code/vrun")
    signal_cli_dir = (repo_dir / "signal-cli-config").resolve()
    uwsgi_ini = (repo_dir / "docker" / "uwsgi.ini").resolve()
    redis_conf = (repo_dir / "docker" / "redis.conf").resolve()

-    for p in (redis_data_dir, whatsapp_data_dir, sqlite_data_dir, vrun_dir, signal_cli_dir):
+    for p in (
+        redis_data_dir,
+        whatsapp_data_dir,
+        sqlite_data_dir,
+        vrun_dir,
+        signal_cli_dir,
+    ):
        p.mkdir(parents=True, exist_ok=True)
    sqlite_data_dir.chmod(0o777)
-    if app_db_file.resolve() != host_db_file and app_db_file.exists() and not host_db_file.exists():
+    if (
+        app_db_file.resolve() != host_db_file
+        and app_db_file.exists()
+        and not host_db_file.exists()
+    ):
        shutil.copy2(app_db_file, host_db_file)
    host_db_file.touch(exist_ok=True)
    host_db_file.chmod(0o666)
@@ -170,7 +196,16 @@ RestartSec=2
 WantedBy={target_ref}
 """

-    def gia_container(name: str, container_name: str, command: str, include_uwsgi: bool, include_whatsapp: bool, after: str, requires: str, one_shot: bool = False) -> str:
+    def gia_container(
+        name: str,
+        container_name: str,
+        command: str,
+        include_uwsgi: bool,
+        include_whatsapp: bool,
+        after: str,
+        requires: str,
+        one_shot: bool = False,
+    ) -> str:
        lines = [
            "[Unit]",
            f"Description={name}",
@@ -193,21 +228,27 @@ WantedBy={target_ref}
        if include_uwsgi:
            lines.append(f"Volume={uwsgi_ini}:/conf/uwsgi.ini")
        if include_whatsapp:
-            lines.append(f"Volume={whatsapp_data_dir}:{env.get('WHATSAPP_DB_DIR', '/var/tmp/whatsapp')}")
+            lines.append(
+                f"Volume={whatsapp_data_dir}:{env.get('WHATSAPP_DB_DIR', '/var/tmp/whatsapp')}"
+            )
        lines.append(f"Exec={command}")
        lines.extend(["", "[Service]"])
        if one_shot:
-            lines.extend([
-                "Type=oneshot",
-                "RemainAfterExit=yes",
-                "TimeoutStartSec=0",
-                f"ExecStartPre=/bin/sh -c 'for i in $(seq 1 60); do [ -S {vrun_dir}/gia-redis.sock ] && exit 0; sleep 1; done; exit 1'",
-            ])
+            lines.extend(
+                [
+                    "Type=oneshot",
+                    "RemainAfterExit=yes",
+                    "TimeoutStartSec=0",
+                    f"ExecStartPre=/bin/sh -c 'for i in $(seq 1 60); do [ -S {vrun_dir}/gia-redis.sock ] && exit 0; sleep 1; done; exit 1'",
+                ]
+            )
        else:
-            lines.extend([
-                "Restart=always",
-                "RestartSec=2",
-            ])
+            lines.extend(
+                [
+                    "Restart=always",
+                    "RestartSec=2",
+                ]
+            )
        lines.extend(["", "[Install]", "WantedBy=gia.target"])
        lines[-1] = f"WantedBy={target_ref}"
        return "\n".join(lines)
@@ -237,7 +278,7 @@ WantedBy={target_ref}
    app_unit = gia_container(
        "GIA App",
        with_stack("gia"),
-        "sh -c 'if [ \\\"$OPERATION\\\" = \\\"uwsgi\\\" ] ; then . /venv/bin/activate && uwsgi --ini /conf/uwsgi.ini ; else . /venv/bin/activate && exec python manage.py runserver 0.0.0.0:8000; fi'",
+        'sh -c \'if [ \\"$OPERATION\\" = \\"uwsgi\\" ] ; then . /venv/bin/activate && uwsgi --ini /conf/uwsgi.ini ; else . /venv/bin/activate && exec python manage.py runserver 0.0.0.0:8000; fi\'',
        include_uwsgi=True,
        include_whatsapp=True,
        after=f"{unit_prefix}-collectstatic.service {unit_prefix}-redis.service {unit_prefix}-signal.service",