hyperbola-mirror/entrypoint.bash

#!/bin/bash
#
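# Generate the sync script /root/mirror.bash on first start only; an existing
# file is left untouched, so later changes to BWLIMIT, SOURCE_URL or
# RSYNC_OPTIONS do not reach an already-generated script.
#
# The heredoc delimiter is unquoted, so every unescaped ${...} below is expanded
# NOW, by this entrypoint, and the result is written into a script that is later
# run as root. Only \$-escaped references survive into mirror.bash.
if [ ! -f /root/mirror.bash ]; then
  # bwlimit ends up inside an arithmetic test, (( bwlimit > 0 )), in the
  # generated script. Bash evaluates arbitrary expressions there, so accept
  # plain digits only and fall back to "no limit" for anything else.
  mirror_bwlimit="${BWLIMIT:-0}"
  if [[ ! "${mirror_bwlimit}" =~ ^[0-9]+$ ]]; then
    printf 'entrypoint: BWLIMIT=%q is not a non-negative integer; using 0 (no limit)\n' \
      "${mirror_bwlimit}" >&2
    mirror_bwlimit=0
  fi

  # Shell-quote the URL before embedding it: a value containing a quote or
  # other shell metacharacter would otherwise break out of the assignment in
  # the generated script.
  printf -v mirror_source_url '%q' \
    "${SOURCE_URL:-rsync://mirror.fsf.org/hyperbola/gnu-plus-linux-libre}"

  # NOTE(review): RSYNC_OPTIONS is pasted verbatim, as raw shell words, into the
  # rsync command line of the generated script (this is what lets it carry
  # several options). Treat it as trusted operator configuration only.
  # NOTE(review): lastupdate_url is written empty, so the "skip when nothing
  # changed" comparison presumably never matches and every run without a tty
  # falls through to a full sync -- confirm whether that is intended.
  cat > /root/mirror.bash <<-EOF
#!/bin/bash
# Directory where the repo is stored locally. Example: /srv/repo
target="/srv/repo"
# Lockfile path
lock="/var/lock/syncrepo.lck"
# If you want to limit the bandwidth used by rsync set this.
# Use 0 to disable the limit.
# The default unit is KiB (see man rsync /--bwlimit for more)
bwlimit="${mirror_bwlimit}"
# The source URL of the mirror you want to sync from.
# If you choose a tier 1 mirror from this list and use its rsync URL:
# https://www.hyperbola.info/mirrors/
source_url=${mirror_source_url}
# An HTTP(S) URL pointing to the 'lastupdate' file on your chosen mirror.
# If you are a tier 1 mirror use: https://rsync.hyperbola.info/lastupdate
# Otherwise use the HTTP(S) URL from your chosen mirror.
lastupdate_url=''
[ ! -d "\${target}" ] && install -d -m755 "\${target}"
# Set permission owner
chown -R http:http "\${target}"
exec 9>"\${lock}"
/usr/bin/flock -n 9 || exit
# Cleanup any temporary files from old run that might remain.
# Note: You can skip this if you have rsync newer than 3.2.3
# not affected by https://github.com/WayneD/rsync/issues/192
find "\${target}" -name '.~tmp~' -exec rm -r {} +
rsync_cmd() {
local -a cmd=(rsync -rlptH --safe-links --delete-delay --delay-updates --timeout=600 --no-motd)
if stty &>/dev/null; then
cmd+=(-h -v --progress)
else
cmd+=(--quiet)
fi
if ((bwlimit>0)); then
cmd+=("--bwlimit=\$bwlimit")
fi
"\${cmd[@]}" "\$@"
}
# if we are called without a tty (cronjob) only run when there are changes
if ! tty -s && [[ -f "\$target/lastupdate" ]] && diff -b <(curl -Ls "\$lastupdate_url") "\$target/lastupdate" >/dev/null; then
# keep lastsync file in sync for statistics generated by Hyperbola GNU/Linux-libre website
rsync_cmd "\$source_url/lastsync" "\$target/lastsync"
exit 0
fi
rsync_cmd \
${RSYNC_OPTIONS:---exclude='*.links.tar.gz*'} \
"\${source_url}" \
"\${target}"
# Re-check permission
chown -R http:http "\${target}"
# Cleanup
/bin/rm -f "\$lock"
exit 0
EOF
fi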
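# (Re)generate the nginx configuration for serving /srv/repo as a browsable
# directory index on port 80.
#
# The shipped nginx.conf is removed first; the config is then written only if
# no file is left at that path. A failed removal is tolerated (|| true), in
# which case the existing file is kept -- presumably so that a config the
# operator has mounted in place survives; confirm against the image's usage.
#
# NOTE(review): access_log and error_log both go to /dev/null, so the server
# keeps no record of requests or of its own errors. If the container's output
# is collected, pointing them at /dev/stdout and /dev/stderr would give
# operations and incident response something to work with.
# NOTE(review): symlinks under the document root are followed
# (disable_symlinks off); the sync script's rsync --safe-links is what keeps
# links pointing outside the tree from being mirrored into it.
/bin/rm -f /etc/nginx/nginx.conf || true
if [ ! -f /etc/nginx/nginx.conf ]; then
  # Unquoted heredoc: nginx variables are \$-escaped so they reach the file
  # literally instead of being expanded by this shell.
  cat > /etc/nginx/nginx.conf <<- EOF
#user http;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
# '\$status \$body_bytes_sent "\$http_referer" '
# '"\$http_user_agent" "\$http_x_forwarded_for"';
# hidden version
server_tokens off;
disable_symlinks off;
server {
listen 80 default_server;
server_name localhost;
# Logs
#access_log logs/access.log main;
access_log /dev/null;
error_log /dev/null;
root /srv/repo;
location / {
autoindex on;
autoindex_exact_size off;
}
location ~ /\.ht {
deny all;
}
location ~ /\.well-known {
allow all;
}
# Enable compression for JS/CSS/HTML, for improved client load times.
# It might be nice to compress JSON/XML as returned by the API, but
# leaving that out to protect against potential BREACH attack.
gzip on;
gzip_vary on;
gzip_types # text/html is always compressed by HttpGzipModule
text/css
application/javascript
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
gzip_min_length 1000; # default is 20 bytes
gzip_buffers 16 8k;
gzip_comp_level 2; # default is 1
client_body_timeout 30s; # default is 60
client_header_timeout 10s; # default is 60
send_timeout 10s; # default is 60
keepalive_timeout 10s; # default is 75
resolver_timeout 10s; # default is 30
reset_timedout_connection on;
proxy_ignore_client_abort on;
tcp_nopush on; # send headers in one piece
tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
# Enabling the sendfile directive eliminates the step of copying the data into the buffer
# and enables direct copying data from one file descriptor to another.
sendfile on;
sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
aio threads;
}
}
EOF
fi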
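# Cron schedule for the periodic sync; CRONTAB overrides the default of
# "every six hours". The value is written verbatim into root's crontab file,
# so it must come from trusted operator configuration only.
SET_CRON="${CRONTAB:-0 */6 * * *}"

# Write the crontab file once; an existing file is kept, so changing CRONTAB
# later has no effect until /root/repo-task.sh is removed.
# The job runs the sync script with /bin/bash, matching the initial run at
# start-up: mirror.bash uses arrays, [[ ]], (( )) and process substitution,
# which /bin/sh is not guaranteed to support, and with output sent to
# /dev/null such a failure would go unnoticed.
if [ ! -f /root/repo-task.sh ]; then
  cat > /root/repo-task.sh <<- EOF
$SET_CRON /bin/bash /root/mirror.bash >/dev/null 2>&1
EOF
fi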
# Kick off a first sync in the background so the web server can come up
# without waiting for it; its exit status is never collected.
/bin/bash /root/mirror.bash &

# Install the generated file as the invoking user's crontab.
# NOTE(review): nothing in this part of the script starts a cron daemon; unless
# one is launched elsewhere, the schedule is installed but never fires -- confirm.
/usr/bin/crontab /root/repo-task.sh

# Replace this shell with nginx, kept in the foreground.
exec nginx -g 'daemon off;'