- Secure
- Efficient on mobile devices with regard to data consumption and processing power
- Low Latency
- Low Resource usage on the server
# Vendor the locked dependency set into ./registry for offline / reproducible builds.
cargo local-registry --sync Cargo.lock registry
# Bundle and minify the frontend CSS, emitting a source map alongside the output file.
cargo lightningcss --bundle --minify --sourcemap --output-file frontend/bundle.css frontend/index.css
`http_body::Body` bounds should always carry a `+ 'static`
annotation to avoid errors occurring at the wrong place.
Using Forgejo Actions
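# Enable the user-level podman service so the API socket under $XDG_RUNTIME_DIR/podman/ exists
# (the socket-activated unit is usually podman.socket — verify which unit is intended here).
systemctl --user enable --now podman
# you need to enable actions on the repository and then add it to the repository itself
# The runner gets the host user's podman socket bind-mounted in: anything that controls the
# runner (including every job it executes) can start arbitrary containers as this user, so the
# repository's Actions settings are a trust boundary. The registration token (XXX below) is on
# argv and therefore ends up in shell history and `podman inspect` output; rotate it after
# registering. Socket paths are quoted so a runtime dir containing spaces does not split.
podman run --userns=keep-id \
  --env DOCKER_HOST="unix://$XDG_RUNTIME_DIR/podman/podman.sock" \
  -v "$XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock" \
  --name forgejo --rm code.forgejo.org/forgejo/runner:3.3.0 \
  bash -c "forgejo-runner register --no-interactive --token XXX --name runner --instance https://codeberg.org && forgejo-runner daemon"
# Start the cache server inside the already running runner container.
podman exec forgejo forgejo-runner cache-server
# broken
# Local execution of a workflow with the current directory mounted at /data (still broken, as noted).
podman run --userns=keep-id \
  --env DOCKER_HOST="unix://$XDG_RUNTIME_DIR/podman/podman.sock" \
  -v "$XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock" \
  -v .:/data --rm code.forgejo.org/forgejo/runner:3.3.0 forgejo-runner exec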
# cargo-edit provides `cargo upgrade`; --locked builds the tool from its own Cargo.lock.
cargo install --locked cargo-edit
# Bump every dependency, including semver-incompatible and pinned ones. Review the resulting
# Cargo.toml/Cargo.lock diff and run the tests afterwards, since this can pull in breaking changes.
cargo upgrade --verbose --incompatible allow --pinned allow
https://www.keycloak.org/docs/latest/server_admin/index.html#admin-cli
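# Keycloak bootstrap via the admin CLI. The original notes had all of this on one line; it is
# one interactive step (the podman exec) followed by commands typed inside the container.
podman exec -it perfect-group-allocation_keycloak_1 bash
# --- everything below runs inside the keycloak container ---
cd /tmp
export PATH="$PATH:/opt/keycloak/bin"
#kc.sh export --dir test
# Admin password on argv: visible in the container's shell history and `ps`. Fine for the
# default dev credentials; for anything real, omit --password so kcadm prompts for it instead
# (kcadm prompts when the option is absent — verify with the Keycloak version in use).
kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
#kcadm.sh delete realms/pga
kcadm.sh create realms -s realm=pga -s enabled=true
# The email below is a redacted placeholder from the notes; quoted so the brackets are not globbed.
kcadm.sh create users -r pga -s username=test -s 'email=[email protected]' -s enabled=true
# Test account with a trivial password — dev realm only.
kcadm.sh set-password -r pga --username test --new-password test
# Create the OIDC client. The trailing /* makes the redirect URI a wildcard, so any path under
# the host is accepted as a redirect target; for production register the exact callback URL.
# -i prints the id of the created client.
CID=$(kcadm.sh create clients -r pga -s clientId=pga -s 'redirectUris=["https://h3.selfmade4u.de/*"]' -i)
# Alternative lookup of the same id when the client already exists (overrides CID from above).
CID=$(kcadm.sh get clients -r pga --fields id -q clientId=pga --format csv --noquotes)
CLIENT_SECRET=$(kcadm.sh get "clients/$CID/client-secret" -r pga --fields value --format csv --noquotes)
# Prints the client secret to the terminal (and thus possibly into terminal logs/scrollback);
# copy it straight into the app's secret store rather than leaving it on screen.
printf '%s\n' "$CLIENT_SECRET"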
http://localhost:8080/admin/master/console/ admin admin
https://www.keycloak.org/docs/23.0.4/server_admin/#configuring-realms
Create realm "pga": import the file deployment/pga.json
http://localhost:8080/admin/master/console/#/pga/realm-settings/localization
Internationalization -> Deutsch
Create test user, add password
Impersonate user for testing
https://www.keycloak.org/docs/23.0.4/server_admin/#_identity_broker
https://www.keycloak.org/docs/23.0.4/server_admin/#_client_suggested_idp
https://www.keycloak.org/docs/23.0.4/securing_apps/#_java_adapter_logout
https://www.keycloak.org/docs/23.0.4/server_admin/#sso-protocols
https://www.keycloak.org/docs/23.0.4/server_admin/#_oidc-logout
Create an OpenID client
Clients -> Create Client -> ...
Client Authentication On
Only enable Standard Flow
Valid redirect URLs: https://h3.selfmade4u.de
https://www.keycloak.org/docs/23.0.4/server_admin/#configuring-auditing-to-track-events
https://www.keycloak.org/docs/23.0.4/server_admin/#auditing-admin-events
CRITICAL SECURITY NOTES:
https://www.keycloak.org/docs/23.0.4/server_admin/#host
https://www.keycloak.org/docs/23.0.4/server_admin/#admin-cli
http://localhost:8080/realms/pga/account/
/realms/{realm-name}/.well-known/openid-configuration
Add GitHub as identity provider for demo
Identity Providers -> Manage display order
cargo test
# cargo-hack (per-feature / feature-powerset checks), installed with the stable toolchain.
cargo +stable install cargo-hack --locked
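# Install the mkcert development CA into this machine's system and browser trust stores.
mkcert -install
# Copy the CA *certificate* (rootCA.pem — never rootCA-key.pem) next to the project so clients
# can trust the dev certificates. Quoted so a CAROOT path containing spaces does not split.
cp "$(mkcert -CAROOT)/rootCA.pem" .
# Issue a leaf certificate for the dev hostname; mkcert writes the cert and key into the cwd.
mkcert h3.selfmade4u.de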
# diesel CLI with only the postgres backend compiled in.
cargo install diesel_cli --no-default-features --features postgres
# Password-less, TLS-less connection string: local development only.
export DATABASE_URL="postgres://postgres@localhost/pga?sslmode=disable"
cd perfect-group-allocation-database/
# Drops and recreates the database, then runs all migrations — destructive.
diesel database reset
# for chrome and h3 you need to listen on a port < 1024 AND you need a certificate with a public root
# Publicly trusted certificate via DNS-01 (lego + Hetzner DNS). The API key is a command-scoped
# environment variable, so it is not on lego's argv, but the whole line lands in shell history;
# in bash a leading space with HISTCONTROL=ignorespace keeps it out.
HETZNER_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx lego --email [email protected] --dns hetzner --domains h3.selfmade4u.de run
export PGA_DATABASE_URL="postgres://postgres@localhost/pga?sslmode=disable"
# System-wide: lets every unprivileged process bind any port. The setcap on the next line is the
# narrower alternative (only the server binary gains cap_net_bind_service); one of the two suffices.
sudo sysctl net.ipv4.ip_unprivileged_port_start=0
# Build, grant the binary the bind capability, run it. The capability is attached to the file, so
# it is typically gone after the next rebuild replaces the binary — hence the chained steps.
cargo build --bin server && sudo setcap 'cap_net_bind_service=+ep' target/debug/server && ./target/debug/server
# Have Firefox write TLS session keys to this file so a packet capture can be decrypted (e.g. in
# Wireshark). Every session captured while the file exists is decryptable with it: prefer a private
# path over a fixed name in /tmp, and delete the file when done.
SSLKEYLOGFILE=/tmp/sslkeylogfile.txt firefox
# Raise the mmap count limit persistently (presumably needed by the opensearch container — verify):
# edit /etc/sysctl.conf, add the line below, then reload the settings.
sudo nano /etc/sysctl.conf
# NOTE: this is the line to add to /etc/sysctl.conf, not a shell command.
vm.max_map_count=262144
sudo sysctl -p
#pipx install https://github.com/containers/podman-compose/archive/devel.tar.gz # profile support not yet in 1.0.6
# install docker-compose as that is a much better implementation. podman compose will then automatically use it.
# Restart the whole dev stack from scratch (down first so stale containers do not linger).
clear && podman compose down && podman compose up
# clear && podman compose --profile opensearch up
# jaeger http://localhost:16686
# opensearch http://localhost:5601
# prometheus http://localhost:9090
# grafana http://localhost:3001
# add prometheus source to grafana: http://prometheus:9090, SET INTERVAL TO THE SAME AS OTEL_METRIC_EXPORT_INTERVAL in seconds
# https://github.com/google/re2/wiki/Syntax
# {__name__=~"tokio_runtime_metrics_.*",__name__!~"tokio_runtime_metrics_.*_nanoseconds"}
# {__name__=~"tokio_runtime_metrics_.*_nanoseconds"}
# {__name__=~"tokio_task_metrics_.*_nanoseconds"}
# {__name__=~"tokio_task_metrics_.*",__name__!~"tokio_task_metrics_.*_nanoseconds"}
# Grafana: Export for sharing externally
# otel-v1-apm-span-*
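# Credentials in the URL end up in shell history and are visible in `ps` for the lifetime of the
# process, so only use this against a throwaway local database. The URL is quoted so the '?' is
# not treated as a glob character.
psql 'postgres://postgres:password@localhost/pga?sslmode=disable'
# Same connection string handed to the server as a command-scoped environment variable.
DATABASE_URL="postgres://postgres:password@localhost/pga?sslmode=disable" cargo run --release --bin server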
https://valgrind.org/docs/manual/cl-manual.html Callgrind
DO NOT USE TRUST AUTHENTICATION IN PRODUCTION! For profiling we don't want to measure the sha2 password-hashing overhead.
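# POSTGRES_HOST_AUTH_METHOD=trust means anyone who can reach the port is a postgres superuser
# without a password. Publishing on 127.0.0.1 keeps that off the LAN; the profiling run connects
# via localhost anyway, so nothing else changes.
podman run --rm --detach --name postgres-profiling --env POSTGRES_HOST_AUTH_METHOD=trust --publish 127.0.0.1:5432:5432 docker.io/postgres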
https://nnethercote.github.io/perf-book/profiling.html
# Profiling build: the release-with-debug profile with the standard library rebuilt from source
# (-Z build-std needs a nightly toolchain), presumably so std frames carry debug info in callgrind.
cargo build --features profiling --target=x86_64-unknown-linux-gnu -Z build-std --profile=release-with-debug --bin server
WARNING: Only connect without SSL over localhost. This makes the profile cleaner, as it is not cluttered with countless SSL frames.
# Run the server under callgrind with cache/branch simulation, talking to the trust-auth postgres
# above over a password-less, TLS-less localhost connection. NOTE(review): the build above uses
# --profile=release-with-debug, whose artifacts cargo normally places under
# target/x86_64-unknown-linux-gnu/release-with-debug/, so the .../debug/server path here probably
# points at a different (plain debug) build — confirm which binary is meant.
DATABASE_URL="postgres://postgres@localhost/pga?sslmode=disable" valgrind --trace-symtab=yes --tool=callgrind --cache-sim=yes --simulate-wb=yes --simulate-hwpref=yes --branch-sim=yes --dump-instr=yes --collect-jumps=yes --collect-bus=yes --collect-systime=nsec ./target/x86_64-unknown-linux-gnu/debug/server
use zed attack proxy to create some requests
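# Let kcachegrind fetch debug symbols from the distro's debuginfod server (Arch shown).
# Two separate statements: on one line, `export` would treat `kcachegrind` and the callgrind
# file name as further names to export, and the latter is not a valid identifier.
export DEBUGINFOD_URLS="https://debuginfod.archlinux.org"
# callgrind.out.<PID> is written by the valgrind run; 110536 is the PID from one particular run.
kcachegrind callgrind.out.110536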
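# Show the image metadata of the podman-in-podman base image.
podman inspect quay.io/podman/stable
# Nested run: a privileged outer container starts an inner container from the same image.
# The split of the original single line into these two commands is inferred from the similar
# nested invocations further down — verify before relying on it. --privileged hands the outer
# container all capabilities and device access the invoking user has.
podman run -it --rm --privileged quay.io/podman/stable podman run -it --rm quay.io/podman/stable # this creates a warning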
So I can reproduce this with our test image and sudo, which is interesting.
# Rootless podman-in-podman smoke tests. `--security-opt label=disable` turns off SELinux labeling
# for the container and `--device /dev/fuse` exposes /dev/fuse (needed for fuse-overlayfs storage
# inside); both widen what the inner podman can touch on the host, so keep this to dev machines.
podman run --security-opt label=disable --user podman --device /dev/fuse -it ghcr.io/projektwahl/perfect-group-allocation:1 podman run -it --rm debian:sid
podman run --security-opt label=disable --user podman --device /dev/fuse quay.io/podman/stable podman run alpine echo hello
IMPORTANT: podman in podman needs more than 2*65k UIDs because the build needs 65k and the container itself needs another 65k
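# Give the current user the sub-UID/GID range 1000000-2000000 so nested (rootless-in-rootless)
# podman can map one 65k range for the build and another for the container. "$USER" is quoted.
sudo usermod --add-subuids 1000000-2000000 --add-subgids 1000000-2000000 "$USER"
# --privileged plus the host cwd bind-mounted read/write: the CI image can modify everything under
# $PWD. Paths quoted so a directory with spaces does not split the -v argument.
podman run -it --privileged --userns=keep-id -v "$PWD:$PWD" --workdir="$PWD" ghcr.io/projektwahl/perfect-group-allocation:1 bash ./github/run.sh
# Rootful (sudo) variant of the nested-podman smoke test; prefer the rootless forms where they work.
sudo podman run -v "$PWD:$PWD" --workdir="$PWD" --userns=keep-id -it ghcr.io/projektwahl/perfect-group-allocation:1 podman run -it --rm debian:sid
# Nested podman as the unprivileged `podman` user inside a privileged outer container.
podman run --rm --privileged -u podman:podman quay.io/podman/stable podman run --rm -it quay.io/podman/stable bash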
# Remote desktop into a weston session over RDP. This appears to be several commands collapsed onto
# one line in the notes: winpr-makecert generates the RDP key pair, weston is started with the RDP
# backend, and xfreerdp connects. `--rdp4-key` selects the legacy RDP4 security layer, which is no
# substitute for TLS — keep the listener reachable only on localhost, as the xfreerdp target here is.
# Where `/run/user/1000/wayland-1` belongs is not clear from the line; verify before splitting it.
winpr-makecert -rdp -n rdp-security -path rdp-security weston --backend=rdp-backend.so --rdp4-key rdp-security/rdp-security.key /run/user/1000/wayland-1 xfreerdp localhost:3389
If it has no external connectivity, does it avoid breaking on network changes? (My Wi-Fi is flaky, and external connectivity is not needed.)
# Internal network: containers attached to it get no route to the outside, so host network changes
# should not affect them (the question above), and it is isolated from external access as well.
podman network create --internal pga