chore: add configuration recipes

.github/workflows/docker.yml

@@ -2,7 +2,8 @@ name: Docker image
 
 on:
   push:
-    branches: [ master ]
+    branches:
+      - master
     tags:
       - '*'
       - '!*rc*'

.github/workflows/setup.yml

@@ -2,9 +2,11 @@ name: Setup
 
 on:
   push:
-    branches: [ master ]
+    branches:
+      - master
   pull_request:
-    branches: [ master ]
+    branches:
+      - master
 
 jobs:
   run-setup-minimal:

.github/workflows/tests.yml

@@ -2,9 +2,11 @@ name: Tests
 
 on:
   push:
-    branches: [ master ]
+    branches:
+      - master
   pull_request:
-    branches: [ master ]
+    branches:
+      - master
 
 jobs:
   run-tests:

docs/architecture.rst

@@ -319,7 +319,7 @@ There are several supported synchronization providers, currently they are ``rsyn
 
 ``rsync`` provider does not have any specific logic except for running external rsync application with configured arguments. The service does not handle SSH configuration, thus it has to be configured before running application manually.
 
-``s3`` provider uses ``boto3`` package and implements sync feature. The files are stored in architecture directory (e.g. if bucket is ``repository``, packages will be stored in ``repository/aur-clone/x86_64`` for the ``aur-clone`` repository ``x86_64`` architecture), bucket must be created before any action and API key must have permissions to write to the bucket. No external configuration required. In order to upload only changed files the service compares calculated hashes with the Amazon ETags, used realization is described `here <https://teppen.io/2018/10/23/aws_s3_verify_etags/>`_.
+``s3`` provider uses ``boto3`` package and implements sync feature. The files are stored in architecture directory (e.g. if bucket is ``repository``, packages will be stored in ``repository/aur-clone/x86_64`` for the ``aur-clone`` repository ``x86_64`` architecture), bucket must be created before any action and API key must have permissions to write to the bucket. No external configuration required. In order to upload only changed files the service compares calculated hashes with the Amazon ETags, used realization is described `here <https://teppen.io/2018/10/23/aws_s3_verify_etags/>`__.
 
 ``github`` provider authenticates through basic auth, API key with repository write permissions is required. There will be created a release with the name of the architecture in case if it does not exist; files will be uploaded to the release assets. It also stores array of files and their MD5 checksums in release body in order to upload only changed ones. According to the Github API in case if there is already uploaded asset with the same name (e.g. database files), asset will be removed first.
 

docs/configuration.rst

@@ -66,7 +66,7 @@ Base authorization settings. ``OAuth`` provider requires ``aioauth-client`` libr
 * ``client_secret`` - OAuth2 application client secret key, string, required in case if ``oauth`` is used.
 * ``cookie_secret_key`` - secret key which will be used for cookies encryption, string, optional. It must be 32 url-safe base64-encoded bytes and can be generated as following ``base64.urlsafe_b64encode(os.urandom(32)).decode("utf8")``. If not set, it will be generated automatically; note, however, that in this case, all sessions will be automatically expired during restart.
 * ``max_age`` - parameter which controls both cookie expiration and token expiration inside the service, integer, optional, default is 7 days.
-* ``oauth_icon`` - OAuth2 login button icon, string, optional, default is ``google``. Must be valid `Bootstrap icon <https://icons.getbootstrap.com/>`_ name.
+* ``oauth_icon`` - OAuth2 login button icon, string, optional, default is ``google``. Must be valid `Bootstrap icon <https://icons.getbootstrap.com/>`__ name.
 * ``oauth_provider`` - OAuth2 provider class name as is in ``aioauth-client`` (e.g. ``GoogleClient``, ``GithubClient`` etc), string, required in case if ``oauth`` is used.
 * ``oauth_scopes`` - scopes list for OAuth2 provider, which will allow retrieving user email (which is used for checking user permissions), e.g. ``https://www.googleapis.com/auth/userinfo.email`` for ``GoogleClient`` or ``user:email`` for ``GithubClient``, space separated list of strings, required in case if ``oauth`` is used.
 * ``salt`` - additional password hash salt, string, optional.
@@ -181,7 +181,7 @@ Remote git source synchronization settings. Unlike ``Upload`` triggers those tri
 It supports authorization; to do so you'd need to prefix the url with authorization part, e.g. ``https://key:token@github.com/arcan1s/ahriman.git``. It is highly recommended to use application tokens instead of your user authorization details. Alternatively, you can use any other option supported by git, e.g.:
 
 * by SSH key: generate SSH key as ``ahriman`` user and put public part of it to the repository keys.
-* by git credentials helper: consult with the `related man page <https://git-scm.com/docs/gitcredentials>`_.
+* by git credentials helper: consult with the `related man page <https://git-scm.com/docs/gitcredentials>`__.
 
 Available options are:
 
@@ -201,7 +201,7 @@ Remote git source synchronization settings. Same as remote pull triggers those t
 It supports authorization; to do so you'd need to prefix the url with authorization part, e.g. ``https://key:token@github.com/arcan1s/ahriman.git``. It is highly recommended to use application tokens instead of your user authorization details. Alternatively, you can use any other option supported by git, e.g.:
 
 * by SSH key: generate SSH key as ``ahriman`` user and put public part of it to the repository keys.
-* by git credentials helper: consult with the `related man page <https://git-scm.com/docs/gitcredentials>`_.
+* by git credentials helper: consult with the `related man page <https://git-scm.com/docs/gitcredentials>`__.
 
 Available options are:
 
@@ -316,9 +316,9 @@ This feature requires GitHub key creation (see below). Section name must be eith
 * ``owner`` - GitHub repository owner, string, required.
 * ``password`` - created GitHub API key. In order to create it do the following:
 
-  #. Go to `settings page <https://github.com/settings/profile>`_.
+  #. Go to `settings page <https://github.com/settings/profile>`__.
-  #. Switch to `developers settings <https://github.com/settings/apps>`_.
+  #. Switch to `developers settings <https://github.com/settings/apps>`__.
-  #. Switch to `personal access tokens <https://github.com/settings/tokens>`_.
+  #. Switch to `personal access tokens <https://github.com/settings/tokens>`__.
   #. Generate new token. Required scope is ``public_repo`` (or ``repo`` for private repository support).
 
 * ``repository`` - GitHub repository name, string, required. Repository must be created before any action and must have active branch (e.g. with readme).

docs/faq.rst

@@ -34,7 +34,7 @@ There is special command which can be used in order to validate current configur
 
    ahriman service-config-validate --exit-code
 
-This command will print found errors, based on `cerberus <https://docs.python-cerberus.org/>`_, e.g.:
+This command will print found errors, based on `cerberus <https://docs.python-cerberus.org/>`__, e.g.:
 
 .. code-block:: shell
 
@@ -155,6 +155,8 @@ For that purpose you could use ``RemotePullTrigger`` trigger. To do so you will
 
 During the next application run it will fetch repository from the specified url and will try to find packages there which can be used as local sources.
 
+This feature can be also used to build packages which are not listed in AUR, the example of feature use can be found `here <https://github.com/arcan1s/ahriman/tree/master/recipes/pull>`__.
+
 How to push updated PKGBUILDs to remote repository
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -168,7 +170,7 @@ For that purpose you'd need to use another trigger called ``RemotePushTrigger``.
    [gitremote]
    push_url = https://github.com/username/repository
 
-Unlike ``RemotePullTrigger`` trigger, the ``RemotePushTrigger`` more likely will require authorization. It is highly recommended to use application tokens for that instead of using your password (e.g. for Github you can generate tokens `here <https://github.com/settings/tokens>`_ with scope ``public_repo``). Authorization can be supplied by using authorization part of the url, e.g. ``https://key:token@github.com/username/repository``.
+Unlike ``RemotePullTrigger`` trigger, the ``RemotePushTrigger`` more likely will require authorization. It is highly recommended to use application tokens for that instead of using your password (e.g. for Github you can generate tokens `here <https://github.com/settings/tokens>`__ with scope ``public_repo``). Authorization can be supplied by using authorization part of the url, e.g. ``https://key:token@github.com/username/repository``.
 
 How to change PKGBUILDs before build
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -502,10 +504,12 @@ Non-x86_64 architecture setup
 
 The following section describes how to setup ahriman with architecture different from x86_64, as example i686. For most cases you have base repository available, e.g. archlinux32 repositories for i686 architecture; in case if base repository is not available, steps are a bit different, however, idea remains the same.
 
+The example of setup with docker compose can be found `here <https://github.com/arcan1s/ahriman/tree/master/recipes/i686>`__.
+
 Physical server setup
 ^^^^^^^^^^^^^^^^^^^^^
 
-In this example we are going to use files and packages which are provided by official repositories of the used architecture. Note, that versions might be different, thus you need to find correct versions on the distribution web site, e.g. `archlinux32 packages <https://www.archlinux32.org/packages/>`_.
+In this example we are going to use files and packages which are provided by official repositories of the used architecture. Note, that versions might be different, thus you need to find correct versions on the distribution web site, e.g. `archlinux32 packages <https://www.archlinux32.org/packages/>`__.
 
 #.
    First, considering having base Arch Linux system, we need to install keyring for the specified repositories, e.g.:
@@ -710,7 +714,7 @@ How to sync to Github releases
 #. 
    Create a repository.
 #. 
-   `Create API key <https://github.com/settings/tokens>`_ with scope ``public_repo``.
+   `Create API key <https://github.com/settings/tokens>`__ with scope ``public_repo``.
 #. 
    Configure the service as following:
 
@@ -790,7 +794,7 @@ How to post build report to telegram
       yay -S --asdeps python-jinja
 
 #. 
-   Register bot in telegram. You can do it by talking with `@BotFather <https://t.me/botfather>`_. For more details please refer to `official documentation <https://core.telegram.org/bots>`_.
+   Register bot in telegram. You can do it by talking with `@BotFather <https://t.me/botfather>`__. For more details please refer to `official documentation <https://core.telegram.org/bots>`__.
 
 #. 
    Optionally (if you want to post message in chat):
@@ -800,7 +804,7 @@ How to post build report to telegram
    #. Make your channel public
 
 #. 
-   Get chat id if you want to use by numerical id or just use id prefixed with ``@`` (e.g. ``@ahriman``). If you are not using chat the chat id is your user id. If you don't want to make channel public you can use `this guide <https://stackoverflow.com/a/33862907>`_.
+   Get chat id if you want to use by numerical id or just use id prefixed with ``@`` (e.g. ``@ahriman``). If you are not using chat the chat id is your user id. If you don't want to make channel public you can use `this guide <https://stackoverflow.com/a/33862907>`__.
 
 #. 
    Configure the service:
@@ -815,7 +819,7 @@ How to post build report to telegram
       chat_id = @ahriman
       link_path = http://example.com/aur-clone/x86_64
 
-   ``api_key`` is the one sent by `@BotFather <https://t.me/botfather>`_, ``chat_id`` is the value retrieved from previous step.
+   ``api_key`` is the one sent by `@BotFather <https://t.me/botfather>`__, ``chat_id`` is the value retrieved from previous step.
 
 If you did everything fine you should receive the message with the next update. Quick credentials check can be done by using the following command:
 
@@ -1009,6 +1013,8 @@ Command to run worker node:
 
 The command above will successfully build ``ahriman`` package, upload it on master node and, finally, will update master node repository.
 
+Check proof-of-concept setup `here <https://github.com/arcan1s/ahriman/tree/master/recipes/distributed-manual>`__.
+
 Addition of new package and repository update
 """""""""""""""""""""""""""""""""""""""""""""
 
@@ -1122,6 +1128,8 @@ Command to run worker nodes (considering there will be two workers, one is on ``
 
 Unlike the previous setup, it doesn't require to mount repository root for ``worker`` nodes, because ``worker`` nodes don't use it anyway.
 
+Check proof-of-concept setup `here <https://github.com/arcan1s/ahriman/tree/master/recipes/distributed>`__.
+
 Addition of new package, package removal, repository update
 """""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 
@@ -1171,7 +1179,7 @@ The application provides special plugin which generates keyring package. This pl
 
    where ``aur-clone`` is your repository name.
 
-This plugin might have some issues, in case of any of them, kindly create `new issue <https://github.com/arcan1s/ahriman/issues/new/choose>`_.
+This plugin might have some issues, in case of any of them, kindly create `new issue <https://github.com/arcan1s/ahriman/issues/new/choose>`__.
 
 Generate mirrorlist package
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -1377,21 +1385,34 @@ The service provides several commands aim to do easy repository backup and resto
 
       sudo -u ahriman ahriman repo-rebuild --from-database
 
+Use cases
+---------
+
+There is collection of some specific recipes which can be found in `the repository <https://github.com/arcan1s/ahriman/tree/master/recipes>`__.
+
+Most of them can be run (``AHRIMAN_PASSWORD`` environment variable is required in the most setups) as simple as:
+
+.. code-block:: shell
+
+   AHRIMAN_PASSWORD=demo docker compose up
+
+Note, however, they are just an examples of specific configuration for specific cases and they are never intended to be used as is in real environment.
+
 Other topics
 ------------
 
 How does it differ from %another-manager%?
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Short answer - I do not know. Also for some references credits to `Alad <https://github.com/AladW>`_, he `did <https://wiki.archlinux.org/title/User:Alad/Local_repo_tools>`_ really good investigation of existing alternatives.
+Short answer - I do not know. Also for some references credits to `Alad <https://github.com/AladW>`__, he `did <https://wiki.archlinux.org/title/User:Alad/Local_repo_tools>`__ really good investigation of existing alternatives.
 
-`arch-repo-manager <https://github.com/Martchus/arch-repo-manager>`_
+`arch-repo-manager <https://github.com/Martchus/arch-repo-manager>`__
-""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 
 Looks actually pretty good, in case if I would find it, I would probably didn't start this project, most of features (like web interface or additional helpers) are already implemented or planned to be. However, this project seems to be at early alpha stage (as for Nov 2022), written in C++ (not pro or con) and misses code documentation.
 
-`archrepo2 <https://github.com/lilydjwg/archrepo2>`_
+`archrepo2 <https://github.com/lilydjwg/archrepo2>`__
-""""""""""""""""""""""""""""""""""""""""""""""""""""
+"""""""""""""""""""""""""""""""""""""""""""""""""""""
 
 Don't know, haven't tried it. But it lacks of documentation at least.
 
@@ -1400,8 +1421,8 @@ Don't know, haven't tried it. But it lacks of documentation at least.
 * ``archrepo2`` actively uses direct shell calls and ``yaourt`` components.
 * ``archrepo2`` has constantly running process instead of timer process (it is not pro or con).
 
-`repoctl <https://github.com/cassava/repoctl>`_
+`repoctl <https://github.com/cassava/repoctl>`__
-"""""""""""""""""""""""""""""""""""""""""""""""
+""""""""""""""""""""""""""""""""""""""""""""""""
 
 * ``ahriman`` has web interface.
 * ``repoctl`` does not have reporting feature.
@@ -1412,13 +1433,13 @@ Don't know, haven't tried it. But it lacks of documentation at least.
 * ``repoctl`` is able to store old packages.
 * Ability to host repository from same command in ``repoctl`` vs external services (e.g. nginx) in ``ahriman``.
 
-`repod <https://gitlab.archlinux.org/archlinux/repod>`_
+`repod <https://gitlab.archlinux.org/archlinux/repod>`__
-"""""""""""""""""""""""""""""""""""""""""""""""""""""""
+""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 
 Official tool provided by distribution, has clean logic, but it is just a helper for ``repo-add``, e.g. it doesn't work with AUR and all packages builds have to be handled separately.
 
-`repo-scripts <https://github.com/arcan1s/repo-scripts>`_
+`repo-scripts <https://github.com/arcan1s/repo-scripts>`__
-"""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
 
 Though originally I've created ahriman by trying to improve the project, it still lacks a lot of features:
 
@@ -1430,8 +1451,8 @@ Though originally I've created ahriman by trying to improve the project, it stil
 
 ...and so on. ``repo-scripts`` also has bad architecture and bad quality code and uses out-of-dated ``yaourt`` and ``package-query``.
 
-`toolbox <https://github.com/chaotic-aur/toolbox>`_
+`toolbox <https://github.com/chaotic-aur/toolbox>`__
-"""""""""""""""""""""""""""""""""""""""""""""""""""
+""""""""""""""""""""""""""""""""""""""""""""""""""""
 
 It is automation tools for ``repoctl`` mentioned above. Except for using shell it looks pretty cool and also offers some additional features like patches, remote synchronization (isn't it?) and reporting.
 
@@ -1450,7 +1471,7 @@ You can also ask to forward logs to ``stderr``, just set ``--log-handler`` flag,
 
    ahriman --log-handler console ...
 
-You can even configure logging as you wish, but kindly refer to python ``logging`` module `configuration <https://docs.python.org/3/library/logging.config.html>`_.
+You can even configure logging as you wish, but kindly refer to python ``logging`` module `configuration <https://docs.python.org/3/library/logging.config.html>`__.
 
 The application uses java concept to log messages, e.g. class ``Application`` imported from ``ahriman.application.application`` package will have logger called ``ahriman.application.application.Application``. In order to e.g. change logger name for whole application package it is possible to change values for ``ahriman.application`` package; thus editing ``ahriman`` logger configuration will change logging for whole application (unless there are overrides for another logger).
 
@@ -1471,9 +1492,9 @@ The application loads web views dynamically, so it is possible relatively easy e
 #. Put file into ``ahriman.web.views`` package.
 #. Restart application.
 
-For more details about implementation and possibilities, kindly refer to module documentation and source code and `aiohttp documentation <https://docs.aiohttp.org/en/stable/>`_.
+For more details about implementation and possibilities, kindly refer to module documentation and source code and `aiohttp documentation <https://docs.aiohttp.org/en/stable/>`__.
 
 I did not find my question
 ^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-`Create an issue <https://github.com/arcan1s/ahriman/issues>`_ with type **Question**.
+`Create an issue <https://github.com/arcan1s/ahriman/issues>`__ with type **Question**.

docs/index.rst

@@ -1,7 +1,7 @@
 Welcome to ahriman's documentation!
 ===================================
 
-Wrapper for managing custom repository inspired by `repo-scripts <https://github.com/arcan1s/repo-scripts>`_.
+Wrapper for managing custom repository inspired by `repo-scripts <https://github.com/arcan1s/repo-scripts>`__.
 
 Features
 --------
@@ -20,9 +20,9 @@ Features
 Live demos
 ----------
 
-* `Build status page <https://ahriman-demo.arcanis.me>`_. You can login as ``demo`` user by using ``demo`` password. Note, however, you will not be able to run tasks. `HTTP API documentation <https://ahriman-demo.arcanis.me/api-docs>`_ is also available.
+* `Build status page <https://ahriman-demo.arcanis.me>`__. You can login as ``demo`` user by using ``demo`` password. Note, however, you will not be able to run tasks. `HTTP API documentation <https://ahriman-demo.arcanis.me/api-docs>`__ is also available.
-* `Repository index <https://repo.arcanis.me/x86_64/index.html>`_.
+* `Repository index <https://repo.arcanis.me/x86_64/index.html>`__.
-* `Telegram feed <https://t.me/arcanisrepo>`_.
+* `Telegram feed <https://t.me/arcanisrepo>`__.
 
 Contents
 --------

docs/triggers.rst

@@ -83,7 +83,7 @@ The ``context`` also implements collection methods such as ``__iter__`` and ``__
 Trigger example
 ---------------
 
-Lets consider example of reporting trigger (e.g. `slack <https://slack.com/>`_, which provides easy HTTP API for integration triggers).
+Lets consider example of reporting trigger (e.g. `slack <https://slack.com/>`__, which provides easy HTTP API for integration triggers).
 
 In order to post message to slack we will need a specific trigger url (something like ``https://hooks.slack.com/services/company_id/trigger_id``), channel (e.g. ``#archrepo``) and username (``repo-bot``).
 
@@ -139,4 +139,4 @@ After that run application as usual and receive notification in your slack chann
 Trigger configuration schema
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Triggers can expose their configuration schema. It can be achieved by implementing ``CONFIGURATION_SCHEMA`` class variable according to `cerberus <https://docs.python-cerberus.org/>`_ documentation. For more details and examples, please refer to built-in triggers implementations.
+Triggers can expose their configuration schema. It can be achieved by implementing ``CONFIGURATION_SCHEMA`` class variable according to `cerberus <https://docs.python-cerberus.org/>`__ documentation. For more details and examples, please refer to built-in triggers implementations.

recipes/README.md

@@ -0,0 +1,15 @@
+# Recipes
+
+Collection of the examples of docker compose configuration files, which covers some specific cases. Not for production use.
+
+## Configurations
+
+* [Check](check): double process service; one with periodic checks (automatic build disabled) and other one is with the web service.
+* [Daemon](daemon): service with periodic repository checks.
+* [Distributed](distributed): cluster of three nodes, one with web interface and two workers which are responsible for build process.
+* [Distrubuted manual](distributed-manual): same as [distributed](distributed), but two nodes and update process must be run on worker node manually.
+* [i686](i686): non-x86_64 architecture setup.
+* [Multi repo](multirepo): run web service with two separated repositories.
+* [Pull](pull): normal service, but in addition with pulling packages from another source (e.g. GitHub repository).
+* [Sign](sign): create repository with database signing.
+* [Web](web): simple web service with authentication enabled.

recipes/check/README.md

@@ -0,0 +1,7 @@
+# Check
+
+1. Create user `demo` with password from `AHRIMAN_PASSWORD` environment variable.
+2. Setup repository named `ahriman-demo` with architecture `x86_64`.
+3. Start web server at port `8080`.
+4. Start periodic updates check as separated container without building.
+5. Repository is available at `http://localhost:8080/repo`.

recipes/check/compose.yml

@@ -0,0 +1,79 @@
+services:
+  backend:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_PASSWORD: ${AHRIMAN_PASSWORD}
+      AHRIMAN_PORT: 8080
+      AHRIMAN_PRESETUP_COMMAND: (cat /run/secrets/password; echo; cat /run/secrets/password) | sudo -u ahriman ahriman user-add demo -R full
+      AHRIMAN_REPOSITORY: ahriman-demo
+      AHRIMAN_UNIX_SOCKET: /var/lib/ahriman/ahriman/ahriman.sock
+
+    configs:
+      - source: service
+        target: /etc/ahriman.ini.d/99-settings.ini
+    secrets:
+      - password
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+    command: web
+
+  frontend:
+    image: nginx
+    ports:
+      - 8080:80
+
+    configs:
+      - source: nginx
+        target: /etc/nginx/conf.d/default.conf
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /srv
+        read_only: true
+        volume:
+          nocopy: true
+
+  worker:
+    image: arcan1s/ahriman:edge
+    depends_on:
+      - backend
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_REPOSITORY: ahriman-demo
+      AHRIMAN_UNIX_SOCKET: /var/lib/ahriman/ahriman/ahriman.sock
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+    command: repo-daemon --dry-run
+
+configs:
+  nginx:
+    file: nginx.conf
+  service:
+    file: service.ini
+
+secrets:
+  password:
+    environment: AHRIMAN_PASSWORD
+
+volumes:
+  repository:

recipes/check/nginx.conf

@@ -0,0 +1,18 @@
+server {
+    listen 80;
+
+    location /repo {
+        rewrite ^/repo/(.*) /$1 break;
+        autoindex on;
+        root /srv/ahriman/repository;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarder-Proto $scheme;
+
+        proxy_pass http://backend:8080;
+    }
+}

recipes/check/service.ini

@@ -0,0 +1,2 @@
+[auth]
+target = configuration

recipes/daemon/README.md

@@ -0,0 +1,5 @@
+# Daemon
+
+1. Setup repository named `ahriman-demo` with architecture `x86_64`.
+2. Start service in daemon mode with periodic (once per day) repository update.
+3. Repository is available at `http://localhost:8080/repo`.

recipes/daemon/compose.yml

@@ -0,0 +1,42 @@
+services:
+  backend:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_REPOSITORY: ahriman-demo
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+    command: repo-daemon
+
+  frontend:
+    image: nginx
+    ports:
+      - 8080:80
+
+    configs:
+      - source: nginx
+        target: /etc/nginx/conf.d/default.conf
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /srv
+        read_only: true
+        volume:
+          nocopy: true
+
+configs:
+  nginx:
+    file: nginx.conf
+
+volumes:
+  repository:

recipes/daemon/nginx.conf

@@ -0,0 +1,9 @@
+server {
+    listen 80;
+
+    location /repo {
+        rewrite ^/repo/(.*) /$1 break;
+        autoindex on;
+        root /srv/ahriman/repository;
+    }
+}

recipes/distributed-manual/README.md

@@ -0,0 +1,8 @@
+# Distributed manual
+
+1. Create user `demo` with password from `AHRIMAN_PASSWORD` environment variable.
+2. Setup repository named `ahriman-demo` with architecture `x86_64`.
+3. Start web server at port `8080`.
+4. Start service in daemon mode with periodic (once per day) repository update.
+5. All updates from worker daemon instance are uploaded to the web service.
+6. Repository is available at `http://localhost:8080/repo`.

recipes/distributed-manual/compose.yml

@@ -0,0 +1,77 @@
+services:
+  backend:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_PASSWORD: ${AHRIMAN_PASSWORD}
+      AHRIMAN_PORT: 8080
+      AHRIMAN_PRESETUP_COMMAND: (cat /run/secrets/password; echo; cat /run/secrets/password) | sudo -u ahriman ahriman user-add demo -R full
+      AHRIMAN_REPOSITORY: ahriman-demo
+      AHRIMAN_UNIX_SOCKET: /var/lib/ahriman/ahriman/ahriman.sock
+
+    configs:
+      - source: service
+        target: /etc/ahriman.ini.d/99-settings.ini
+    secrets:
+      - password
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+    command: web
+
+  frontend:
+    image: nginx
+    ports:
+      - 8080:80
+
+    configs:
+      - source: nginx
+        target: /etc/nginx/conf.d/default.conf
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /srv
+        read_only: true
+        volume:
+          nocopy: true
+
+  worker:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_PASSWORD: ${AHRIMAN_PASSWORD}
+      AHRIMAN_REPOSITORY: ahriman-demo
+      AHRIMAN_REPOSITORY_SERVER: http://frontend/repo/$$repo/$$arch
+
+    configs:
+      - source: worker
+        target: /etc/ahriman.ini.d/99-settings.ini
+
+    command: daemon
+
+configs:
+  nginx:
+    file: nginx.conf
+  service:
+    file: service.ini
+  worker:
+    file: worker.ini
+
+secrets:
+  password:
+    environment: AHRIMAN_PASSWORD
+
+volumes:
+  repository:

recipes/distributed-manual/nginx.conf

@@ -0,0 +1,18 @@
+server {
+    listen 80;
+
+    location /repo {
+        rewrite ^/repo/(.*) /$1 break;
+        autoindex on;
+        root /srv/ahriman/repository;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarder-Proto $scheme;
+
+        proxy_pass http://backend:8080;
+    }
+}

recipes/distributed-manual/service.ini

@@ -0,0 +1,6 @@
+[auth]
+target = mapping
+
+[web]
+enable_archive_upload = yes
+wait_timeout = 0

recipes/distributed-manual/worker.ini

@@ -0,0 +1,19 @@
+[build]
+triggers = ahriman.core.gitremote.RemotePullTrigger ahriman.core.upload.UploadTrigger ahriman.core.report.ReportTrigger ahriman.core.gitremote.RemotePushTrigger
+
+[status]
+address = http://backend:8080
+username = demo
+password = $AHRIMAN_PASSWORD
+
+[report]
+target = remote-call
+
+[remote-call]
+manual = yes
+wait_timeout = 0
+
+[upload]
+target = remote-service
+
+[remote-service]

recipes/distributed/README.md

@@ -0,0 +1,11 @@
+# Distributed
+
+1. Create user `demo` with password from `AHRIMAN_PASSWORD` environment variable.
+2. Setup repository named `ahriman-demo` with architecture `x86_64`.
+3. Start web server at port `8080`.
+4. Start two workers.
+5. All updates triggered by the web server will be passed to workers.
+6. All updates from worker instances are uploaded to the web service.
+7. Repository is available at `http://localhost:8080/repo`.
+
+Note, in this configuration, workers are spawned in replicated mode, thus the backend accesses them in round-robin-like manner.

recipes/distributed/compose.yml

@@ -0,0 +1,85 @@
+services:
+  backend:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_PASSWORD: ${AHRIMAN_PASSWORD}
+      AHRIMAN_PORT: 8080
+      AHRIMAN_PRESETUP_COMMAND: (cat /run/secrets/password; echo; cat /run/secrets/password) | sudo -u ahriman ahriman user-add demo -R full
+      AHRIMAN_REPOSITORY: ahriman-demo
+      AHRIMAN_UNIX_SOCKET: /var/lib/ahriman/ahriman/ahriman.sock
+
+    configs:
+      - source: service
+        target: /etc/ahriman.ini.d/99-settings.ini
+    secrets:
+      - password
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+    command: web
+
+  frontend:
+    image: nginx
+    ports:
+      - 8080:80
+
+    configs:
+      - source: nginx
+        target: /etc/nginx/conf.d/default.conf
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /srv
+        read_only: true
+        volume:
+          nocopy: true
+
+  worker:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    deploy:
+      mode: replicated
+      replicas: 2
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_PASSWORD: ${AHRIMAN_PASSWORD}
+      AHRIMAN_PORT: 8080
+      AHRIMAN_PRESETUP_COMMAND: (cat /run/secrets/password; echo; cat /run/secrets/password) | sudo -u ahriman ahriman user-add demo -R full
+      AHRIMAN_REPOSITORY: ahriman-demo
+      AHRIMAN_REPOSITORY_SERVER: http://frontend/repo/$$repo/$$arch
+
+    configs:
+      - source: worker
+        target: /etc/ahriman.ini.d/99-settings.ini
+    secrets:
+      - password
+
+    command: web
+
+configs:
+  nginx:
+    file: nginx.conf
+  service:
+    file: service.ini
+  worker:
+    file: worker.ini
+
+secrets:
+  password:
+    environment: AHRIMAN_PASSWORD
+
+volumes:
+  repository:

recipes/distributed/nginx.conf

@@ -0,0 +1,18 @@
+server {
+    listen 80;
+
+    location /repo {
+        rewrite ^/repo/(.*) /$1 break;
+        autoindex on;
+        root /srv/ahriman/repository;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarder-Proto $scheme;
+
+        proxy_pass http://backend:8080;
+    }
+}

recipes/distributed/service.ini

@@ -0,0 +1,13 @@
+[auth]
+target = mapping
+
+[build]
+workers = http://worker:8080 http://worker:8080
+
+[status]
+username = demo
+password = $AHRIMAN_PASSWORD
+
+[web]
+enable_archive_upload = yes
+wait_timeout = 0

recipes/distributed/worker.ini

@@ -0,0 +1,22 @@
+[auth]
+target = mapping
+
+[build]
+triggers = ahriman.core.upload.UploadTrigger ahriman.core.report.ReportTrigger
+
+[status]
+address = http://backend:8080
+username = demo
+password = $AHRIMAN_PASSWORD
+
+[report]
+target = remote-call
+
+[remote-call]
+manual = yes
+wait_timeout = 0
+
+[upload]
+target = remote-service
+
+[remote-service]

recipes/i686/Dockerfile

@@ -0,0 +1,9 @@
+FROM arcan1s/ahriman:edge
+
+ENV ARCH32_KEYRING_VERSION="20231126-1.0"
+
+RUN pacman-key --init
+
+RUN pacman -Sy --noconfirm wget && \
+    wget -nv http://pool.mirror.archlinux32.org/i686/core/archlinux32-keyring-${ARCH32_KEYRING_VERSION}-any.pkg.tar.zst && \
+    pacman -U --noconfirm archlinux32-keyring-${ARCH32_KEYRING_VERSION}-any.pkg.tar.zst

recipes/i686/README.md

@@ -0,0 +1,9 @@
+# i686
+
+This example uses hybrid setup from FAQ, because archlinux32 has outdated devtools package. So it distributes custom `makepkg.conf` and `pacman.conf` (which are copied from archlinux32 package) and builds custom image with archlinux32 keyring.
+
+1. Create user `demo` with password from `AHRIMAN_PASSWORD` environment variable.
+2. Build image from distributed `Dockerfile`.
+3. Setup repository named `ahriman-demo` with architecture `i686`.
+4. Start web server at port `8080`.
+5. Repository is available at `http://localhost:8080/repo`.

recipes/i686/compose.yml

@@ -0,0 +1,70 @@
+services:
+  backend:
+    image: ahriman-i686
+    build: .
+    privileged: true
+
+    environment:
+      AHRIMAN_ARCHITECTURE: i686
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_MULTILIB:
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_PACMAN_MIRROR: https://de.mirror.archlinux32.org/$$arch/$$repo
+      AHRIMAN_PASSWORD: ${AHRIMAN_PASSWORD}
+      AHRIMAN_PORT: 8080
+      AHRIMAN_PRESETUP_COMMAND: (cat /run/secrets/password; echo; cat /run/secrets/password) | sudo -u ahriman ahriman user-add demo -R full
+      AHRIMAN_REPOSITORY: ahriman-demo
+      AHRIMAN_UNIX_SOCKET: /var/lib/ahriman/ahriman/ahriman.sock
+
+    configs:
+      - source: makepkg
+        target: /usr/share/devtools/makepkg.conf.d/i686.conf
+      - source: pacman
+        target: /usr/share/devtools/pacman.conf.d/extra-i686.conf
+      - source: service
+        target: /etc/ahriman.ini.d/99-settings.ini
+    secrets:
+      - password
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+    command: web
+
+  frontend:
+    image: nginx
+    ports:
+      - 8080:80
+
+    configs:
+      - source: nginx
+        target: /etc/nginx/conf.d/default.conf
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /srv
+        read_only: true
+        volume:
+          nocopy: true
+
+configs:
+  makepkg:
+    file: makepkg.conf
+  nginx:
+    file: nginx.conf
+  pacman:
+    file: pacman.conf
+  service:
+    file: service.ini
+
+secrets:
+  password:
+    environment: AHRIMAN_PASSWORD
+
+volumes:
+  repository:

recipes/i686/makepkg.conf

@@ -0,0 +1,162 @@
+#!/hint/bash
+# shellcheck disable=2034
+
+#
+# /etc/makepkg.conf
+#
+
+#########################################################################
+# SOURCE ACQUISITION
+#########################################################################
+#
+#-- The download utilities that makepkg should use to acquire sources
+#  Format: 'protocol::agent'
+DLAGENTS=('file::/usr/bin/curl -qgC - -o %o %u'
+          'ftp::/usr/bin/curl -qgfC - --ftp-pasv --retry 3 --retry-delay 3 -o %o %u'
+          'http::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+          'https::/usr/bin/curl -qgb "" -fLC - --retry 3 --retry-delay 3 -o %o %u'
+          'rsync::/usr/bin/rsync --no-motd -z %u %o'
+          'scp::/usr/bin/scp -C %u %o')
+
+# Other common tools:
+# /usr/bin/snarf
+# /usr/bin/lftpget -c
+# /usr/bin/wget
+
+#-- The package required by makepkg to download VCS sources
+#  Format: 'protocol::package'
+VCSCLIENTS=('bzr::bzr'
+            'fossil::fossil'
+            'git::git'
+            'hg::mercurial'
+            'svn::subversion')
+
+#########################################################################
+# ARCHITECTURE, COMPILE FLAGS
+#########################################################################
+#
+CARCH="i686"
+CHOST="i686-pc-linux-gnu"
+
+#-- Compiler and Linker Flags
+#CPPFLAGS=""
+CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
+        -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security \
+        -fstack-clash-protection "
+CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
+LTOFLAGS="-flto=auto"
+#RUSTFLAGS="-C opt-level=2"
+#-- Make Flags: change this for DistCC/SMP systems
+#MAKEFLAGS="-j2"
+#-- Debugging flags
+DEBUG_CFLAGS="-g"
+DEBUG_CXXFLAGS="$DEBUG_CFLAGS"
+#DEBUG_RUSTFLAGS="-C debuginfo=2"
+
+#########################################################################
+# BUILD ENVIRONMENT
+#########################################################################
+#
+# Makepkg defaults: BUILDENV=(!distcc !color !ccache check !sign)
+#  A negated environment option will do the opposite of the comments below.
+#
+#-- distcc:   Use the Distributed C/C++/ObjC compiler
+#-- color:    Colorize output messages
+#-- ccache:   Use ccache to cache compilation
+#-- check:    Run the check() function if present in the PKGBUILD
+#-- sign:     Generate PGP signature file
+#
+BUILDENV=(!distcc color !ccache check !sign)
+#
+#-- If using DistCC, your MAKEFLAGS will also need modification. In addition,
+#-- specify a space-delimited list of hosts running in the DistCC cluster.
+#DISTCC_HOSTS=""
+#
+#-- Specify a directory for package building.
+#BUILDDIR=/tmp/makepkg
+
+#########################################################################
+# GLOBAL PACKAGE OPTIONS
+#   These are default values for the options=() settings
+#########################################################################
+#
+# Makepkg defaults: OPTIONS=(!strip docs libtool staticlibs emptydirs !zipman !purge !debug !lto)
+#  A negated option will do the opposite of the comments below.
+#
+#-- strip:      Strip symbols from binaries/libraries
+#-- docs:       Save doc directories specified by DOC_DIRS
+#-- libtool:    Leave libtool (.la) files in packages
+#-- staticlibs: Leave static library (.a) files in packages
+#-- emptydirs:  Leave empty directories in packages
+#-- zipman:     Compress manual (man and info) pages in MAN_DIRS with gzip
+#-- purge:      Remove files specified by PURGE_TARGETS
+#-- debug:      Add debugging flags as specified in DEBUG_* variables
+#-- lto:        Add compile flags for building with link time optimization
+#
+OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge debug lto)
+
+#-- File integrity checks to use. Valid: md5, sha1, sha224, sha256, sha384, sha512, b2
+INTEGRITY_CHECK=(sha256)
+#-- Options to be used when stripping binaries. See `man strip' for details.
+STRIP_BINARIES="--strip-all"
+#-- Options to be used when stripping shared libraries. See `man strip' for details.
+STRIP_SHARED="--strip-unneeded"
+#-- Options to be used when stripping static libraries. See `man strip' for details.
+STRIP_STATIC="--strip-debug"
+#-- Manual (man and info) directories to compress (if zipman is specified)
+MAN_DIRS=({usr{,/local}{,/share},opt/*}/{man,info})
+#-- Doc directories to remove (if !docs is specified)
+DOC_DIRS=(usr/{,local/}{,share/}{doc,gtk-doc} opt/*/{doc,gtk-doc})
+#-- Files to be removed from all packages (if purge is specified)
+PURGE_TARGETS=(usr/{,share}/info/dir .packlist *.pod)
+#-- Directory to store source code in for debug packages
+DBGSRCDIR="/usr/src/debug"
+
+#########################################################################
+# PACKAGE OUTPUT
+#########################################################################
+#
+# Default: put built package and cached source in build directory
+#
+#-- Destination: specify a fixed directory where all packages will be placed
+#PKGDEST=/home/packages
+#-- Source cache: specify a fixed directory where source files will be cached
+#SRCDEST=/home/sources
+#-- Source packages: specify a fixed directory where all src packages will be placed
+#SRCPKGDEST=/home/srcpackages
+#-- Log files: specify a fixed directory where all log files will be placed
+#LOGDEST=/home/makepkglogs
+#-- Packager: name/email of the person or organization building packages
+#PACKAGER="John Doe <john@doe.com>"
+#-- Specify a key to use for package signing
+#GPGKEY=""
+
+#########################################################################
+# COMPRESSION DEFAULTS
+#########################################################################
+#
+COMPRESSGZ=(gzip -c -f -n)
+COMPRESSBZ2=(bzip2 -c -f)
+COMPRESSXZ=(xz -c -z -)
+COMPRESSZST=(zstd -c -T0 --ultra -20 -)
+COMPRESSLRZ=(lrzip -q)
+COMPRESSLZO=(lzop -q)
+COMPRESSZ=(compress -c -f)
+COMPRESSLZ4=(lz4 -q)
+COMPRESSLZ=(lzip -c -f)
+
+#########################################################################
+# EXTENSION DEFAULTS
+#########################################################################
+#
+PKGEXT='.pkg.tar.zst'
+SRCEXT='.src.tar.gz'
+
+#########################################################################
+# OTHER
+#########################################################################
+#
+#-- Command used to run pacman as root, instead of trying sudo and su
+#PACMAN_AUTH=()
+# vim: set ft=sh ts=2 sw=2 et:

recipes/i686/nginx.conf

@@ -0,0 +1,18 @@
+server {
+    listen 80;
+
+    location /repo {
+        rewrite ^/repo/(.*) /$1 break;
+        autoindex on;
+        root /srv/ahriman/repository;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarder-Proto $scheme;
+
+        proxy_pass http://backend:8080;
+    }
+}

recipes/i686/pacman.conf

@@ -0,0 +1,92 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir     = /
+#DBPath      = /var/lib/pacman/
+#CacheDir    = /var/cache/pacman/pkg/
+#LogFile     = /var/log/pacman.log
+#GPGDir      = /etc/pacman.d/gnupg/
+#HookDir     = /etc/pacman.d/hooks/
+HoldPkg     = pacman glibc
+#XferCommand = /usr/bin/curl -L -C - -f -o %o %u
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+Architecture = i686
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg   =
+#IgnoreGroup =
+
+#NoUpgrade   =
+#NoExtract   =
+
+# Misc options
+#UseSyslog
+#Color
+NoProgressBar
+# We cannot check disk space from within a chroot environment
+#CheckSpace
+VerbosePkgLists
+ParallelDownloads = 5
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel    = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+#   - can be defined here or included from another file
+#   - pacman will search repositories in the order defined here
+#   - local/custom mirrors can be added here or in separate files
+#   - repositories listed first will take precedence when packages
+#     have identical names, regardless of version number
+#   - URLs will have $repo replaced by the name of the current repo
+#   - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+#       [repo-name]
+#       Server = ServerName
+#       Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository.  See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs

recipes/i686/service.ini

@@ -0,0 +1,2 @@
+[auth]
+target = mapping

recipes/multirepo/README.md

@@ -0,0 +1,7 @@
+# Multirepo
+
+1. Create user `demo` with password from `AHRIMAN_PASSWORD` environment variable.
+2. Setup repository named `ahriman-demo` with architecture `x86_64`.
+3. Setup additional repository named `another-demo` with architecture `x86_64`.
+4. Start web server at port `8080`.
+5. Repository is available at `http://localhost:8080/repo`.

recipes/multirepo/compose.yml

@@ -0,0 +1,59 @@
+services:
+  backend:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_PASSWORD: ${AHRIMAN_PASSWORD}
+      AHRIMAN_PORT: 8080
+      AHRIMAN_POSTSETUP_COMMAND: ahriman --architecture x86_64 --repository another-demo service-setup --build-as-user ahriman --packager 'ahriman bot <ahriman@example.com>'
+      AHRIMAN_PRESETUP_COMMAND: (cat /run/secrets/password; echo; cat /run/secrets/password) | sudo -u ahriman ahriman user-add demo -R full
+      AHRIMAN_REPOSITORY: ahriman-demo
+      AHRIMAN_UNIX_SOCKET: /var/lib/ahriman/ahriman/ahriman.sock
+
+    configs:
+      - source: service
+        target: /etc/ahriman.ini.d/99-settings.ini
+    secrets:
+      - password
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+    command: web
+
+  frontend:
+    image: nginx
+    ports:
+      - 8080:80
+
+    configs:
+      - source: nginx
+        target: /etc/nginx/conf.d/default.conf
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /srv
+        read_only: true
+        volume:
+          nocopy: true
+
+configs:
+  nginx:
+    file: nginx.conf
+  service:
+    file: service.ini
+
+secrets:
+  password:
+    environment: AHRIMAN_PASSWORD
+
+volumes:
+  repository:

recipes/multirepo/nginx.conf

@@ -0,0 +1,18 @@
+server {
+    listen 80;
+
+    location /repo {
+        rewrite ^/repo/(.*) /$1 break;
+        autoindex on;
+        root /srv/ahriman/repository;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarder-Proto $scheme;
+
+        proxy_pass http://backend:8080;
+    }
+}

recipes/multirepo/service.ini

@@ -0,0 +1,2 @@
+[auth]
+target = mapping

recipes/pull/README.md

@@ -0,0 +1,6 @@
+# Pull
+
+1. Setup repository named `ahriman-demo` with architecture `x86_64`.
+2. Pull repository with custom packages.
+3. Run update process.
+4. Repository is available at `http://localhost:8080/repo`.

recipes/pull/compose.yml

@@ -0,0 +1,46 @@
+services:
+  backend:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_REPOSITORY: ahriman-demo
+
+    configs:
+      - source: service
+        target: /etc/ahriman.ini.d/99-settings.ini
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+  frontend:
+    image: nginx
+    ports:
+      - 8080:80
+
+    configs:
+      - source: nginx
+        target: /etc/nginx/conf.d/default.conf
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /srv
+        read_only: true
+        volume:
+          nocopy: true
+
+configs:
+  nginx:
+    file: nginx.conf
+  service:
+    file: service.ini
+
+volumes:
+  repository:

recipes/pull/nginx.conf

@@ -0,0 +1,9 @@
+server {
+    listen 80;
+
+    location /repo {
+        rewrite ^/repo/(.*) /$1 break;
+        autoindex on;
+        root /srv/ahriman/repository;
+    }
+}

recipes/pull/service.ini

@@ -0,0 +1,5 @@
+[remote-pull]
+target = gitremote
+
+[gitremote]
+pull_url = https://git.arcanis.me/arcanis/ahriman-local-packages.git

recipes/sign/README.md

@@ -0,0 +1,13 @@
+# Sign
+
+This example uses generated key. It can be generated as:
+
+```shell
+gpg --full-generate-key
+gpg --export-secret-keys -a <...> > repository-sign.gpg
+```
+
+1. Setup repository named `ahriman-demo` with architecture `x86_64`.
+2. Sing repository database with the distributed key.
+3. Start service in daemon mode with periodic (once per day) repository update.
+4. Repository is available at `http://localhost:8080/repo`.

recipes/sign/compose.yml

@@ -0,0 +1,55 @@
+services:
+  backend:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_PRESETUP_COMMAND: sudo -u ahriman gpg --import /run/secrets/key
+      AHRIMAN_REPOSITORY: ahriman-demo
+
+    configs:
+      - source: service
+        target: /etc/ahriman.ini.d/99-settings.ini
+    secrets:
+      - key
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+    command: repo-daemon
+
+  frontend:
+    image: nginx
+    ports:
+      - 8080:80
+
+    configs:
+      - source: nginx
+        target: /etc/nginx/conf.d/default.conf
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /srv
+        read_only: true
+        volume:
+          nocopy: true
+
+configs:
+  nginx:
+    file: nginx.conf
+  service:
+    file: service.ini
+
+secrets:
+  key:
+    file: repository-sign.gpg
+
+volumes:
+  repository:

recipes/sign/nginx.conf

@@ -0,0 +1,9 @@
+server {
+    listen 80;
+
+    location /repo {
+        rewrite ^/repo/(.*) /$1 break;
+        autoindex on;
+        root /srv/ahriman/repository;
+    }
+}

recipes/sign/repository-sign.gpg

@@ -0,0 +1,14 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lFgEZYDhoBYJKwYBBAHaRw8BAQdAj6NB6KZNuIEtyAomhtSaBEHNBKL9j1Q/3pty
+Z7ILVLIAAP4sVdcqyyNHfxBiuBF6GH67TWyzJYSwfshjVFesqJ6gjQ9ytAxhaHJp
+bWFuIGRlbW+IkwQTFgoAOxYhBDaZYVtNEHBeJbQ7hUFQtEGM2DWPBQJlgOGgAhsD
+BQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEEFQtEGM2DWPo4oBAKbLc6Pa
+zB6iwg/BQ6VHYhCmUWIU5pGo0qukmCxfKCRvAP4hwyzdWJUTB5hiCcUSUdxgIvd7
+7+LArvBMDPru9gQ1B5xdBGWA4aASCisGAQQBl1UBBQEBB0C3lWSLfqGFD9H7Ln7W
+/aOz/pEA76jYGOKKtfCkHeUDAAMBCAcAAP9BpoFLN8lDiUW80SLJ/ooJZK6ddEqC
+78npLEPipG4B4BGgiHgEGBYKACAWIQQ2mWFbTRBwXiW0O4VBULRBjNg1jwUCZYDh
+oAIbDAAKCRBBULRBjNg1jz9sAP4hujMGjeKqCphAzQQ4EU3076e1fm6Gn9gBmDAh
+zIjTHAEA2/ErVTd0UDY5ApJE/IPXoxfVrOZnEsUvMsRDAEExPw4=
+=1cOP
+-----END PGP PRIVATE KEY BLOCK-----

recipes/sign/service.ini

@@ -0,0 +1,3 @@
+[sign]
+target = repository
+key = 3699615B4D10705E25B43B854150B4418CD8358F

recipes/web/README.md

@@ -0,0 +1,6 @@
+# Web
+
+1. Create user `demo` with password from `AHRIMAN_PASSWORD` environment variable.
+2. Setup repository named `ahriman-demo` with architecture `x86_64`.
+3. Start web server at port `8080`.
+4. Repository is available at `http://localhost:8080/repo`.

recipes/web/compose.yml

@@ -0,0 +1,58 @@
+services:
+  backend:
+    image: arcan1s/ahriman:edge
+    privileged: true
+
+    environment:
+      AHRIMAN_DEBUG: yes
+      AHRIMAN_OUTPUT: console
+      AHRIMAN_PASSWORD: ${AHRIMAN_PASSWORD}
+      AHRIMAN_PORT: 8080
+      AHRIMAN_PRESETUP_COMMAND: (cat /run/secrets/password; echo; cat /run/secrets/password) | sudo -u ahriman ahriman user-add demo -R full
+      AHRIMAN_REPOSITORY: ahriman-demo
+      AHRIMAN_UNIX_SOCKET: /var/lib/ahriman/ahriman/ahriman.sock
+
+    configs:
+      - source: service
+        target: /etc/ahriman.ini.d/99-settings.ini
+    secrets:
+      - password
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /var/lib/ahriman
+        volume:
+          nocopy: true
+
+    command: web
+
+  frontend:
+    image: nginx
+    ports:
+      - 8080:80
+
+    configs:
+      - source: nginx
+        target: /etc/nginx/conf.d/default.conf
+
+    volumes:
+      - type: volume
+        source: repository
+        target: /srv
+        read_only: true
+        volume:
+          nocopy: true
+
+configs:
+  nginx:
+    file: nginx.conf
+  service:
+    file: service.ini
+
+secrets:
+  password:
+    environment: AHRIMAN_PASSWORD
+
+volumes:
+  repository:

recipes/web/nginx.conf

@@ -0,0 +1,18 @@
+server {
+    listen 80;
+
+    location /repo {
+        rewrite ^/repo/(.*) /$1 break;
+        autoindex on;
+        root /srv/ahriman/repository;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarder-Proto $scheme;
+
+        proxy_pass http://backend:8080;
+    }
+}

recipes/web/service.ini

@@ -0,0 +1,2 @@
+[auth]
+target = mapping