initial commit

.gitignore

@@ -0,0 +1,2 @@
+/.mypy_cache/
+/.vscode/

Dockerfile

@@ -0,0 +1,198 @@
+ARG IMAGE_VERSION
+FROM docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-deps AS deps
+
+## ---
+
+FROM deps AS pycache
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*        /usr/local/sbin/
+COPY /scripts-extra/*  /usr/local/sbin/
+
+COPY /j2cfg/ /usr/local/lib/j2cfg/
+
+ENV PYTHONDONTWRITEBYTECODE=''
+
+## Python cache preseed
+
+RUN python3 -m compileall -q -j 2 /usr/local/lib/j2cfg/
+
+RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+    find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+    | sed -zEn \
+      -e '/^(collections|concurrent|encodings|importlib|json|logging|multiprocessing|re|urllib)$/p' \
+    | sort -zV \
+    | env -C "${libpython}" xargs -0r \
+      python3 -m compileall -q -j 2 ; \
+    find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+    | sed -zE \
+      -e '/\.(dist-info|pth|txt)$/d' \
+      -e '/^pip$/d' \
+    | sort -zV \
+    | env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
+      python3 -m compileall -q -j 2
+
+## Python cache warmup
+RUN j2cfg-single /usr/local/lib/j2cfg/j2cfg/test.j2 /tmp/test ; \
+    cat /tmp/test ; echo ; echo ; \
+    rm -f /tmp/test
+
+WORKDIR /pycache
+RUN find /usr/local/ -type f -name '*.py[co]' -printf '%P\0' \
+    | sort -zV \
+    | tar -C /usr/local --null -T - -cf - \
+    | tar -xf -
+
+## Python cache adjustments
+RUN d="@$(date '+%s')" ; \
+    find /pycache/ -mindepth 1 -exec touch -m -d "$d" {} +
+
+## ---
+
+FROM deps
+SHELL [ "/bin/sh", "-ec" ]
+
+## NB: NGX_DEBUG is set via build script
+
+COPY /Dockerfile /usr/local/share/
+
+COPY /j2cfg/ /usr/local/lib/j2cfg/
+
+## RFC: Python cache
+COPY --from=pycache /pycache/  /usr/local/
+
+ENV ANGIE_MODULES_DIR=/usr/lib/angie/modules
+
+COPY /scripts/* /usr/local/bin/
+## fixup
+RUN mv /usr/local/bin/angie /usr/local/sbin/
+
+RUN _UID=333 _GID=333 ; \
+    echo "angie:x:${_UID}:${_GID}:Angie:/etc/angie:/bin/false" >> /etc/passwd ; \
+    echo "angie:x:${_GID}:" >> /etc/group ; \
+    echo 'angie:!:::::::' >> /etc/shadow
+
+COPY /apt/sources.angie  /etc/apt/sources.list.d/angie.sources
+
+RUN apt-install.sh \
+      angie \
+      angie-console-light \
+    ; \
+    apt-mark hold angie angie-console-light ; \
+    apt-clean.sh ; \
+    ## verify Angie layout
+    [ -d "${ANGIE_MODULES_DIR}" ] ; \
+    n='/usr/sbin/angie' ; \
+    [ -h "$n" ] ; \
+    [ -x "$n-debug" ] ; \
+    [ -x "$n-nodebug" ] ; \
+    ## adjust Angie binaries
+    rm -fv "$n" ; \
+    if [ "${NGX_DEBUG}" = 0 ] ; then \
+        rm -fv "$n-debug" ; \
+        mv -fv "$n-nodebug" "$n" ; \
+    else \
+        rm -fv "$n-nodebug" ; \
+        mv -fv "$n-debug" "$n" ; \
+    fi
+
+## copy directory structure
+COPY /angie/ /etc/angie.dist/
+RUN ln -sv "${ANGIE_MODULES_DIR}" /etc/angie.dist/modules
+
+## preserve snippets from Angie config directory
+## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.9.1/conf
+RUN d=/etc/angie ; \
+    tar -C "$d" -cf - \
+      fastcgi_params \
+      fastcgi.conf \
+      mime.types \
+      prometheus_all.conf \
+      scgi_params \
+      uwsgi_params \
+    | tar -C "$d.dist/snip" -xf -
+
+## flush default directory
+RUN rm -rf /etc/angie ; \
+    mkdir /etc/angie
+
+## /angie/ is persistence store (if any)
+## /run/ngx/ is runtime volume
+RUN install -d -o angie -g angie -m 03777 /angie /run/ngx
+VOLUME [ "/run/ngx" ]
+
+## adjust paths across filesystem
+RUN for d in cache lib log ; do \
+        rm -rfv "/var/$d/angie" ; \
+        ln -sv "/run/ngx/$d" "/var/$d/angie" ; \
+    done
+
+## special empty directory
+RUN d='/var/lib/empty' ; \
+    rm -rf "$d" ; \
+    if [ -d "$d" ] ; then ls -ld "$d" ; exit 1 ; fi ; \
+    install -d -m 0555 "$d"
+
+## prepare DH params for TLS
+## NB: disabled in pipeline for now
+## reason: too slow (and too much effort)
+# RUN cd /etc/angie.dist/tls || exit 1 ; \
+#     openssl-generate-dh-bundle.sh
+
+## future quirk for angie-module-modsecurity >:)
+## a bit better config is here:
+##   /etc/angie.dist/modsecurity/rules.conf
+RUN x='/etc/angie/modsecurity/rules.conf' ; \
+    dpkg-divert --divert "$x.dist" --rename "$x"
+
+## preseed builtin modules list
+RUN x='angie-builtin-modules.sh' ; \
+    "$x" ; \
+    rm -fv "$(which "$x")"
+
+## install relatively lightweight modules
+RUN mkdir -p /etc/angie/mod ; \
+    apt-install-angie-mod.sh \
+      brotli \
+      cache-purge \
+      echo \
+      geoip2 \
+      headers-more \
+      njs-light \
+      subs \
+      upload \
+      zip \
+      zstd \
+    ; \
+    apt-clean.sh ; \
+    ## move fresh configs to appropriate location
+    find /etc/angie/mod/ -mindepth 1 -exec mv -nvt /etc/angie.dist/mod {} + ; \
+    rm -rfv /etc/angie/mod
+
+## adjust permissions/ownership
+RUN chown -hR 0:0 /etc/angie.dist /etc/angie ; \
+    find /etc/angie.dist/ /etc/angie/ -name .gitkeep -type f -delete ; \
+    find /etc/angie.dist/ /etc/angie/ -type d -exec chmod 0755 {} + ; \
+    find /etc/angie.dist/ /etc/angie/ -type f -exec chmod 0644 {} +
+
+## image-entry.sh is placed into /usr/local/bin/ to allow custom entrypoint/chaining:
+## - there's no need to change ENTRYPOINT/CMD
+## - custom entrypoint should be placed in /usr/local/sbin/
+## - custom entrypoint should "exec" /usr/local/bin/image-entry.sh
+## hovewer, this is discouraged (and this trick may be removed in future)
+COPY /image-entry.sh  /usr/local/bin/
+COPY /image-entry.d/  /image-entry.dist/
+
+## further customization
+RUN install -d /image-entry
+
+## must be bind-mounted only for local customization/overrides!
+# RUN install -d /image-entry.local
+
+## misc defaults
+ENV MALLOC_ARENA_MAX=4
+
+STOPSIGNAL SIGQUIT
+
+ENTRYPOINT [ "image-entry.sh" ]
+CMD [ "angie" ]

Dockerfile.base

@@ -0,0 +1,365 @@
+# FROM docker.io/debian:bookworm-slim as base-upstream
+ARG PYTHONTAG=3.12.11-slim-bookworm
+FROM docker.io/python:${PYTHONTAG} AS base-upstream
+
+FROM base-upstream AS base-intermediate
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*        /usr/local/sbin/
+COPY /scripts-extra/*  /usr/local/sbin/
+
+## PATH: remove /sbin and /bin (/usr is merged for Debian 12 and newer)
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
+    TMPDIR=/tmp \
+    LANG=C.UTF-8 \
+    LC_ALL=C.UTF-8 \
+    TERM=linux \
+    TZ=Etc/UTC \
+    MALLOC_ARENA_MAX=2 \
+    PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1
+
+COPY /apt/prefs.backports  /etc/apt/preferences.d/backports
+COPY /apt/sources.debian   /etc/apt/sources.list.d/debian.sources
+
+## prevent services from auto-starting, part 1
+RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
+    rm -f "$s" "$b" ; \
+    echo '#!/bin/sh' > "$b" ; \
+    echo 'exit 101' >> "$b" ; \
+    chmod 0755 "$b" ; \
+    ln -s "$b" "$s"
+
+RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
+    ## prevent services from auto-starting, part 2
+    divert_true /sbin/start-stop-daemon ; \
+    ## always report that we're in chroot
+    divert_true /usr/bin/ischroot ; \
+    ## hide systemd helpers
+    divert_true /usr/bin/deb-systemd-helper ; \
+    divert_true /usr/bin/deb-systemd-invoke
+
+RUN apt-env.sh apt-get update ; \
+    apt-remove.sh \
+      ca-certificates \
+      e2fsprogs \
+    ; \
+    apt-env.sh apt-get upgrade -y ; \
+    apt-install.sh \
+      apt-utils \
+      brotli \
+      cron \
+      curl \
+      gettext-base \
+      jdupes \
+      jq \
+      libcap2-bin \
+      libjemalloc2 \
+      logrotate \
+      netbase \
+      netcat-openbsd \
+      openssl \
+      procps \
+      psmisc \
+      tzdata \
+      zstd \
+    ; \
+    apt-clean.sh ; \
+    ## remove broken symlinks
+    find /etc/ -xdev -follow -type l -ls -delete
+
+## perl-base: hardlink->symlink
+RUN set +e ; \
+    d=/usr/bin ; \
+    ls -li "$d/perl" ; \
+    find "$d/" -xdev -samefile "$d/perl" 2>/dev/null \
+    | grep -Fxv -e "$d/perl" \
+    | while read -r p ; do \
+        [ -n "$p" ] || continue ; \
+        [ -e "$p" ] || continue ; \
+        ls -li "$p" ; \
+        rm -fv "$p" ; \
+        ln -fsv perl "$p" ; \
+        ls -li "$p" ; \
+        echo ; \
+    done
+
+## remove unwanted binaries
+RUN set -f ; \
+    for i in \
+      addgroup \
+      addpart \
+      adduser \
+      apt-ftparchive \
+      agetty \
+      badblocks \
+      blkdiscard \
+      blkid \
+      blkzone \
+      blockdev \
+      bsd-write \
+      chage \
+      chcpu \
+      chfn \
+      chgpasswd \
+      chmem \
+      chpasswd \
+      chsh \
+      cpgr \
+      cppw \
+      crontab \
+      ctrlaltdel \
+      debugfs \
+      delgroup \
+      delpart \
+      deluser \
+      dmesg \
+      dumpe2fs \
+      e2freefrag \
+      e2fsck \
+      e2image \
+      e2label \
+      e2mmpstatus \
+      e2scrub \
+     'e2scrub*' \
+      e2undo \
+      e4crypt \
+      e4defrag \
+      expiry \
+      faillock \
+      fdformat \
+      fincore \
+      findfs \
+      fsck \
+     'fsck.*' \
+      fsfreeze \
+      fstrim \
+      getty \
+      gpasswd \
+      groupadd \
+      groupdel \
+      groupmems \
+      groupmod \
+      grpck \
+      grpconv \
+      grpunconv \
+      hwclock \
+      isosize \
+      last \
+      lastb \
+      ldattach \
+      losetup \
+      lsblk \
+      lsirq \
+      lslogins \
+      mcookie \
+      mesg \
+      mke2fs \
+      mkfs \
+     'mkfs.*' \
+      mkhomedir_helper \
+      mklost+found \
+      mkswap \
+      mount \
+      newgrp \
+      newusers \
+      pam-auth-update \
+      pam_getenv \
+      pam_namespace_helper \
+      pam_timestamp_check \
+      partx \
+      passwd \
+      pivot_root \
+      pwck \
+      pwconv \
+      pwhistory_helper \
+      pwunconv \
+      raw \
+      readprofile \
+      resize2fs \
+      resizepart \
+      rtcwake \
+      sg \
+      shadowconfig \
+      su \
+      sulogin \
+      swaplabel \
+      swapoff \
+      swapon \
+      switch_root \
+      tune2fs \
+      umount \
+      unix_chkpwd \
+      unix_update \
+      update-passwd \
+      useradd \
+      userdel \
+      usermod \
+      utmpdump \
+      vigr \
+      vipw \
+      wall \
+      wdctl \
+      wipefs \
+      write \
+     'write.*' \
+      zramctl \
+    ; do \
+        ## try dpkg-divert first
+        for d in /usr/sbin /usr/bin ; do \
+            find "$d/" ! -type d -wholename "$d/$i" ; \
+        done \
+        | while read -r p ; do \
+            [ -n "$p" ] || continue ; \
+            [ -e "$p" ] || continue ; \
+            dpkg-search.sh "$p" || continue ; \
+        done \
+        | sed -E '/^diversion by/d' \
+        | sort -uV \
+        | while read -r pkg path ; do \
+            [ -n "${pkg}" ] || continue ; \
+            [ -e "${path}" ] || continue ; \
+            divert-rm.sh "${path}" ; \
+        done ; \
+        ## remove if still exists
+        for d in /usr/sbin /usr/bin ; do \
+            find "$d/" ! -type d -wholename "$d/$i" ; \
+        done \
+        | while read -r p ; do \
+            [ -n "$p" ] || continue ; \
+            [ -e "$p" ] || continue ; \
+            rm -fv "$p" ; \
+        done ; \
+    done ; \
+    ## remove broken symlinks
+    find /bin/ /sbin/ -xdev -follow -type l -ls -delete
+
+## remove excessive privileges from binaries: setuid/setgid
+RUN find / -xdev -type f -perm /7000 \
+    | sort -V \
+    | while read -r p ; do \
+        [ -n "$p" ] || continue ; \
+        ## clear setuid/setgid bit
+        m=$(env stat -c '0%a' "$p") ; \
+        m=$(printf '0%o\n' $((m & 00777)) ) ; \
+        ## try to lookup in dpkg database
+        n=$(set +e ; dpkg-search.sh "$p" | sed -E '/^diversion by/d' | cut -d ' ' -f2-) ; \
+        if [ "$p" = "$n" ] ; then \
+            o=$(env stat -c '%U' "$n") ; \
+            g=$(env stat -c '%G' "$n") ; \
+            dpkg-statoverride --force --update --add "$o" "$g" "$m" "$n" ; \
+        else \
+            env printf 'unable to find in dpkg database: %q\n' "$n" ; \
+            chmod "$m" "$p" ; \
+        fi ; \
+        ls -l "$p" ; \
+    done
+
+## remove excessive privileges from binaries: setcap
+RUN find / -xdev -type f -executable -exec getcap {} + \
+    | sort -V \
+    | while read -r path caps ; do \
+        [ -n "${path}" ] || continue ; \
+        getcap -v "${path}" ; \
+        setcap -r "${path}" "${caps}" 2>/dev/null || : ; \
+        getcap -v "${path}" ; \
+    done
+
+## "docker.io/python"-specific cleanup
+RUN env -C /root rm -f .bash_history .python_history .wget-hsts
+
+## ---
+
+FROM base-intermediate AS certs
+SHELL [ "/bin/sh", "-ec" ]
+
+## "2025.04.26"
+ENV CERTIFI_COMMIT=275c9eb55733a464589c15fb4566fddd4598e5b2
+
+# ARG CERTIFI_BASE_URI='https://raw.githubusercontent.com/certifi/python-certifi'
+
+ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'
+ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
+
+# hadolint ignore=DL3020
+ADD "${CERTIFI_URI}"  /tmp/certifi.crt
+
+RUN apt-install.sh ca-certificates ; \
+    apt-clean.sh ; \
+    ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
+    ls -l "${ca_file}" ; \
+    ## process certifi
+    certifi-extras.sh /tmp/certifi.crt ; \
+    openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
+    mv -f "${ca_file}.new" "${ca_file}" ; \
+    chmod 0444 "${ca_file}" "${ca_file}.fp" ; \
+    ls -l "${ca_file}" "${ca_file}.fp"
+
+## ---
+
+FROM base-intermediate AS apt-gpg
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY --from=certs  /etc/ssl/certs/ca-certificates.*  /etc/ssl/certs/
+
+ADD https://angie.software/keys/angie-signing.gpg  /tmp/angie.gpg.bin
+
+COPY /apt/sources.angie  /etc/apt/angie.sources
+
+RUN pkg='gnupg' ; \
+    apt-install.sh ${pkg} ; \
+    ## process Angie GPG keyring / APT sources
+    gpg-export.sh /tmp/angie.gpg.bin /etc/apt/keyrings/angie.gpg.asc ; \
+    rm -f /tmp/angie.gpg.bin ; \
+    env -C /etc/apt mv angie.sources sources.list.d/ ; \
+    ## verify sources!
+    apt-env.sh apt-get update ; \
+    apt-remove.sh ${pkg} ; \
+    apt-clean.sh
+
+## ---
+
+FROM base-intermediate AS base
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /Dockerfile.base  /usr/local/share/
+
+COPY --from=certs    /etc/ssl/certs/ca-certificates.*  /etc/ssl/certs/
+COPY --from=apt-gpg  /etc/apt/keyrings/                /etc/apt/keyrings/
+
+RUN python-rm-cache.sh /usr/local
+
+RUN pip-env.sh pip list --format freeze \
+    | grep -F '==' | mawk -F= '{print $1}' \
+    | xargs -r pip-env.sh pip install -U ; \
+    python-rm-cache.sh /usr/local
+
+RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+    rm -rfv \
+      /usr/local/bin/idle* \
+      /usr/local/bin/pydoc* \
+      "${libpython}/ensurepip/_bundled" \
+      "${libpython}/idlelib" \
+      "${libpython}/pydoc.py" \
+      "${libpython}/pydoc_data" \
+      "${libpython}/tkinter" \
+      "${libpython}/turtle.py" \
+      "${libpython}/turtledemo" \
+    ; \
+    find "${PYTHON_SITE_PACKAGES}/" -iname '*.exe' -ls -delete
+
+## adjust pip/certifi
+RUN certifi_pem="${PYTHON_SITE_PACKAGES}/pip/_vendor/certifi/cacert.pem" ; \
+    [ -d "${certifi_pem%/*}" ] || exit 0 ; \
+    rm -f "${certifi_pem}" ; \
+    ln -sv /etc/ssl/certs/ca-certificates.crt "${certifi_pem}"
+
+RUN apt-clean.sh
+
+RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
+    find /run/ -mindepth 1 -ls -delete || : ; \
+    install -d -m 01777 /run/lock ; \
+    jdupes -1LSpr /usr/
+
+ENTRYPOINT [ ]
+CMD [ "bash" ]

Dockerfile.deps

@@ -0,0 +1,196 @@
+ARG IMAGE_VERSION
+FROM docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-base AS base
+
+## ---
+
+FROM base AS tools
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*        /usr/local/sbin/
+COPY /scripts-extra/*  /usr/local/sbin/
+
+## current HEAD: "main: don't use secure_getenv", December 14, 2024
+ENV CATATONIT_COMMIT=56579adbb42c0c7ad94fc12d844b38fc5b37b3ce
+
+# ARG CATATONIT_BASE_URI='https://codeload.github.com/openSUSE/catatonit/tar.gz'
+# ARG CATATONIT_URI="${CATATONIT_BASE_URI}/${CATATONIT_COMMIT}"
+
+ARG CATATONIT_BASE_URI='https://github.com/openSUSE/catatonit/archive'
+ARG CATATONIT_URI="${CATATONIT_BASE_URI}/${CATATONIT_COMMIT}.tar.gz"
+
+## current HEAD: "initial commit ", May 27, 2025
+ENV OVERLAYDIRS_COMMIT=4ba42acfea72bbb378808bbf033396cd6a0e3d22
+
+ARG OVERLAYDIRS_BASE_URI='https://git.krd.sh/krd/overlaydirs/archive'
+ARG OVERLAYDIRS_URI="${OVERLAYDIRS_BASE_URI}/${OVERLAYDIRS_COMMIT}.tar.gz"
+
+# hadolint ignore=DL3020
+ADD "${CATATONIT_URI}"    /tmp/catatonit.tar.gz
+# hadolint ignore=DL3020
+ADD "${OVERLAYDIRS_URI}"  /tmp/overlaydirs.tar.gz
+
+RUN pkg='build-essential debhelper musl-dev autoconf autoconf-archive libxxhash-dev' ; \
+    apt-install.sh ${pkg} ; \
+    DEB_HOST_GNU_TYPE=$(dpkg-architecture -q DEB_HOST_GNU_TYPE) ; \
+    export HOSTCC="${DEB_HOST_GNU_TYPE}-gcc" ; \
+    DEB_TARGET_GNU_TYPE=$(dpkg-architecture -q DEB_TARGET_GNU_TYPE) ; \
+    DEB_TARGET_MUSL_TYPE=$(printf '%s' "${DEB_TARGET_GNU_TYPE}" | sed -E 's/-gnu$/-musl/') ; \
+    CFLAGS_LTO="-flto=2 -fuse-linker-plugin -ffat-lto-objects -flto-partition=none" ; \
+    CFLAGS_COMMON="-O2 -g -pipe -fPIE -fstack-protector-strong -fstack-clash-protection -fcf-protection" ; \
+    CPPFLAGS="-Wall -Wextra -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2" ; \
+    ## build catatonit
+    d=/tmp/catatonit ; \
+    rm -rf "$d" ; \
+    mkdir -p "$d" ; \
+    ( \
+        cd "$d" ; \
+        tar --strip-components=1 -xf /tmp/catatonit.tar.gz ; \
+        commit_abbrev=$(printf '%s' "${CATATONIT_COMMIT}" | cut -c1-8) ; \
+        sed -i "s/+dev/+git.${commit_abbrev}/" configure.ac ; \
+        export CC="${DEB_TARGET_MUSL_TYPE}-gcc" ; \
+        export CFLAGS="${CFLAGS_LTO} ${CFLAGS_COMMON} ${CPPFLAGS}" ; \
+        export LDFLAGS="-static-pie -Wl,-z,relro -Wl,-z,now" ; \
+        autoreconf -fiv ; \
+        ./configure ; \
+        make -j1 ; \
+        ls -l catatonit ; \
+        # "${DEB_TARGET_GNU_TYPE}-strip" --strip-debug --strip-unneeded catatonit ; \
+        strip --strip-debug --strip-unneeded catatonit ; \
+        ls -l catatonit ; \
+        cp catatonit /usr/local/bin/ ; \
+    ) ; \
+    rm -rf "$d" ; \
+    ## build overlaydirs
+    d=/tmp/overlaydirs ; \
+    rm -rf "$d" ; \
+    mkdir -p "$d" ; \
+    ( \
+        cd "$d" ; \
+        tar --strip-components=1 -xf /tmp/overlaydirs.tar.gz ; \
+        export CROSS="${DEB_TARGET_GNU_TYPE}-" ; \
+        export CFLAGS_COMMON CPPFLAGS ; \
+        make -j1 clean build RELMODE=1 ; \
+        ls -l overlaydirs ; \
+        cp overlaydirs /usr/local/bin/ ; \
+    ) ; \
+    rm -rf "$d" ; \
+    ## cleanup
+    apt-remove.sh ${pkg} ; \
+    apt-clean.sh
+
+## ---
+
+## not actually used; only for reference
+
+FROM base AS python-ext-no-binary
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*        /usr/local/sbin/
+COPY /scripts-extra/*  /usr/local/sbin/
+
+COPY /requirements.txt  /tmp/
+
+ENV DEV_PACKAGES='libyaml-dev'
+# markupsafe, psutil
+ENV CIBUILDWHEEL=1
+# pyyaml
+ENV PYYAML_FORCE_CYTHON=1
+
+RUN w=$(mktemp -d) ; : "${w:?}" ; \
+    { apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t0" ; \
+    printf '%s\n' ${DEV_PACKAGES} | sort -uV > "$w/t1" ; \
+    apt-install.sh ${DEV_PACKAGES} ; \
+    { apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t2" ; \
+    set +e ; \
+    grep -Fxv -f "$w/t0" "$w/t2" > "$w/t3" ; \
+    grep -Fxv -f "$w/t1" "$w/t3" > "$w/t4" ; \
+    grep -Ev -e '-(dev|doc)$' "$w/t4" > "${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
+    set -e ; \
+    rm -rf "$w/" ; unset w ; \
+    apt-install.sh build-essential ; \
+    pip-env.sh pip install 'cython~=3.0.12' ; \
+    pip-env.sh pip install --no-binary :all: -r /tmp/requirements.txt ; \
+    pip-env.sh pip uninstall -y 'cython' ; \
+    python-rm-cache.sh "${PYTHON_SITE_PACKAGES}" ; \
+    rm -rf \
+      "${PYTHON_SITE_PACKAGES}/psutil/tests" \
+    ; \
+    find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
+    echo ; \
+    find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -printf '%p\0' \
+    | sed -zE '/rust/d' \
+    | xargs -0r strip --strip-debug --strip-unneeded ; \
+    echo ; \
+    find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
+    apt-remove.sh build-essential ; \
+    apt-clean.sh
+
+## avoid changing already present packages
+RUN rm -rfv \
+      /usr/local/bin/pip \
+      /usr/local/bin/pip3* \
+    ; \
+    find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+    | sed -zEn \
+      -e '/^pip(|-.+\.dist-info)$/p' \
+    | env -C "${PYTHON_SITE_PACKAGES}" xargs -0r rm -rf
+
+## ---
+
+FROM base AS python-ext
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*        /usr/local/sbin/
+COPY /scripts-extra/*  /usr/local/sbin/
+
+COPY /requirements.txt  /tmp/
+
+RUN apt-install.sh binutils ; \
+    pip-env.sh pip install -r /tmp/requirements.txt ; \
+    python-rm-cache.sh "${PYTHON_SITE_PACKAGES}" ; \
+    rm -rf \
+      "${PYTHON_SITE_PACKAGES}/psutil/tests" \
+    ; \
+    find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
+    echo ; \
+    find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -printf '%p\0' \
+    | sed -zE '/rust/d' \
+    | xargs -0r strip --strip-debug --strip-unneeded ; \
+    echo ; \
+    find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
+    apt-remove.sh binutils ; \
+    apt-clean.sh
+
+## avoid changing already present packages
+RUN rm -rfv \
+      /usr/local/bin/pip \
+      /usr/local/bin/pip3* \
+    ; \
+    find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+    | sed -zEn \
+      -e '/^pip(|-.+\.dist-info)$/p' \
+    | env -C "${PYTHON_SITE_PACKAGES}" xargs -0r rm -rf
+
+## ---
+
+FROM base AS deps
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /Dockerfile.deps  /usr/local/share/
+
+COPY --from=tools  /usr/local/bin/catatonit    /usr/local/bin/
+COPY --from=tools  /usr/local/bin/overlaydirs  /usr/local/bin/
+
+## Python: site-packages
+COPY --from=python-ext  /usr/local/bin/            /usr/local/bin/
+COPY --from=python-ext  /${PYTHON_SITE_PACKAGES}/  /${PYTHON_SITE_PACKAGES}/
+
+COPY /scripts/* /usr/local/sbin/
+
+## install missing dependencies for Python site-packages
+RUN f="${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
+    [ -s "$f" ] || exit 0 ; \
+    xargs -a "$f" apt-install.sh ; \
+    apt-clean.sh
+
+RUN find /usr/local/sbin/ ! -type d -ls -delete

LICENSE

@@ -0,0 +1,175 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.

TODO

@@ -0,0 +1,6 @@
+- documentation
+- examples
+- convenient response headers:
+  - CORS / CORP / COOP / COEP
+  - Content-Security-Policy
+  - Permissions-Policy

angie/angie.conf

@@ -0,0 +1,15 @@
+daemon off;
+pid /run/ngx/angie.pid;
+
+include mod-core.conf;
+# mod-http.conf
+# mod-mail.conf
+# mod-stream.conf
+include /run/ngx/conf.ctx/mod-*.conf;
+
+include ctx-core_ev.conf;
+include ctx-core.conf;
+# ctx-http.conf
+# ctx-mail.conf
+# ctx-stream.conf
+include /run/ngx/conf.ctx/ctx-*.conf;

angie/autoconf/core-error-log.conf.j2

@@ -0,0 +1,4 @@
+{%- import 'snip/log.j2mod' as ngx_log -%}
+
+{# {{ ngx_log.error_log(dest='error.log', level=env.NGX_LOGLEVEL) }} #}
+{{ ngx_log.error_log(level=env.NGX_LOGLEVEL) }}

angie/autoconf/core-lock-file.conf

@@ -0,0 +1,2 @@
+## not a real file but prefix for filenames
+lock_file  /run/ngx/lock/a;

angie/autoconf/core-pcre-jit.conf

@@ -0,0 +1 @@
+pcre_jit on;

angie/autoconf/core-user.conf.in

@@ -0,0 +1,3 @@
+## if container is running in non-privileged mode,
+## then this file is going to be removed by /image-entry/75-adjust-core-user.sh
+user ${NGX_USER} ${NGX_GROUP};

angie/autoconf/core-worker-env.conf.j2

@@ -0,0 +1,31 @@
+{# TODO: investigate error with "include" #}
+{# {%- include 'core-worker-env.j2inc' -%} #}
+{%- set w_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
+{#- NB: "TZ" is always provided by Angie itself -#}
+{%- set w_vars_passthrough = w_env | dict_empty_keys | list_diff(env_vars_preserve + ['TZ']) -%}
+{%- set vars_passthrough = (env_vars_passthrough + w_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
+
+## NB: "TZ" is always provided by Angie itself
+
+## preserve
+{%- for k in env_vars_preserve %}
+env {{ k | ngx_esc }};
+{%- endfor %}
+
+## passthrough
+{%- for k in vars_passthrough %}
+env {{ k | ngx_esc }};
+{%- endfor %}
+
+{%- set w_vars_override = w_env | dict_non_empty_keys -%}
+{% if w_vars_override %}
+## WARNING!
+## explicit environment variables are NOT implemented
+## reason: envs are supported only for http_perl but not for http_js/stream_js
+## solution: provide environment variables explicitly
+##   and then list them in "core_worker_env" key in config
+##
+  {%- for k in w_vars_override %}
+## env {{ "{}={}".format(k, w_env[k]) | ngx_esc }}
+  {%- endfor %}
+{%- endif %}

angie/autoconf/core-worker-env.j2inc

@@ -0,0 +1,4 @@
+{%- set w_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
+{#- NB: "TZ" is always provided by Angie itself -#}
+{%- set w_vars_passthrough = w_env | dict_empty_keys | list_diff(env_vars_preserve + ['TZ']) -%}
+{%- set vars_passthrough = (env_vars_passthrough + w_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}

angie/autoconf/core-worker-env.txt.j2

@@ -0,0 +1,12 @@
+{# TODO: investigate error with "include" #}
+{# {%- include 'core-worker-env.j2inc' -%} #}
+{%- set w_env = ( j2cfg.core_worker_env or [] ) | any_to_env_dict -%}
+{#- NB: "TZ" is always provided by Angie itself -#}
+{%- set w_vars_passthrough = w_env | dict_empty_keys | list_diff(env_vars_preserve + ['TZ']) -%}
+{%- set vars_passthrough = (env_vars_passthrough + w_vars_passthrough) | uniq | list_intersect(env | dict_keys) -%}
+
+{#- NB: "TZ" is always provided by Angie itself -#}
+{%- set all_vars = (env_vars_preserve + vars_passthrough + ['TZ']) | uniq -%}
+{%- for k in all_vars %}
+{{ k | ngx_esc }}
+{%- endfor %}

angie/autoconf/core-worker.conf.j2

@@ -0,0 +1,10 @@
+worker_processes {{ env.NGX_WORKER_PROCESSES }};
+{%- if env.NGX_WORKER_CPU_AFFINITY %}
+worker_cpu_affinity {{ env.NGX_WORKER_CPU_AFFINITY }};
+{%- endif %}
+{%- if env.NGX_WORKER_PRIORITY %}
+worker_priority {{ env.NGX_WORKER_PRIORITY }};
+{%- endif %}
+{%- if env.NGX_WORKER_RLIMIT_NOFILE %}
+worker_rlimit_nofile {{ env.NGX_WORKER_RLIMIT_NOFILE }};
+{%- endif %}

angie/autoconf/core_ev-worker.conf.j2

@@ -0,0 +1,7 @@
+worker_connections {{ env.NGX_WORKER_CONNECTIONS }};
+{%- if env.NGX_WORKER_AIO_REQUESTS %}
+worker_aio_requests {{ env.NGX_WORKER_AIO_REQUESTS }};
+{%- endif %}
+{%- if env.NGX_WORKER_PRIORITY %}
+worker_priority {{ env.NGX_WORKER_PRIORITY }};
+{%- endif %}

angie/autoconf/http-access-log.conf

@@ -0,0 +1,2 @@
+include autoconf/http-access-log/format/*.conf;
+include autoconf/http-access-log/*.conf;

angie/autoconf/http-access-log/default.conf.j2

@@ -0,0 +1,4 @@
+{%- import 'snip/log.j2mod' as ngx_log -%}
+
+{# {{ ngx_log.access_log(dest='access.log', format='main') }} #}
+{{ ngx_log.access_log(format='main') }}

angie/autoconf/http-access-log/format/extended.conf

@@ -0,0 +1,7 @@
+log_format  extended
+    '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status $body_bytes_sent "$http_referer" rt="$request_time" '
+    '"$http_user_agent" "$http_x_forwarded_for" '
+    'h="$host" sn="$server_name" ru="$request_uri" u="$uri" '
+    'ucs="$upstream_cache_status" ua="$upstream_addr" us="$upstream_status" '
+    'uct="$upstream_connect_time" urt="$upstream_response_time"';

angie/autoconf/http-access-log/format/main.conf

@@ -0,0 +1,4 @@
+log_format  main
+    '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';

angie/autoconf/http-alt-svc.conf

@@ -0,0 +1 @@
+include snip/http-alt-svc;

angie/autoconf/http-buffers.conf

@@ -0,0 +1,4 @@
+subrequest_output_buffer_size     16k;
+client_body_buffer_size           16k;
+client_header_buffer_size          4k;
+large_client_header_buffers    8  16k;

angie/autoconf/http-client-body-temp.conf

@@ -0,0 +1 @@
+client_body_temp_path /run/ngx/cache/temp_client_body 2 2;

angie/autoconf/http-max-ranges.conf.j2

@@ -0,0 +1,3 @@
+{%- if env.NGX_HTTP_MAX_RANGES %}
+max_ranges {{ env.NGX_HTTP_MAX_RANGES }};
+{%- endif %}

angie/autoconf/http-mime-types.conf

@@ -0,0 +1,8 @@
+include snip/mime.types;
+
+types {
+    font/ttf               ttf;
+    application/font-sfnt  otf;
+}
+
+default_type  application/octet-stream;

angie/autoconf/http-request-headers-basic.conf.j2

@@ -0,0 +1,26 @@
+map $http_upgrade
+    $req_connection
+{
+    default  upgrade;
+    ""       "";
+}
+
+map $http_user_agent
+    $req_user_agent
+{
+    default  $http_user_agent;
+{%- if env.NGX_HTTP_FAKE_UA %}
+    ## merely fake
+    ""  {{ env.NGX_HTTP_FAKE_UA | ngx_esc }};
+{%- else %}
+    ""  "Angie/$angie_version";
+{%- endif %}
+}
+
+map $http_accept
+    $req_accept
+{
+    volatile;
+    default  $http_accept;
+    ""       "*/*";
+}

angie/autoconf/http-request-headers-forwarded.conf

@@ -0,0 +1,27 @@
+## ref:
+## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
+map $remote_addr
+    $proxy_forwarded_elem
+{
+    ## IPv4 addresses can be sent as-is
+    ~^[0-9.]+$         "for=$remote_addr";
+    ## IPv6 addresses need to be bracketed and quoted
+    ~^[0-9A-Fa-f:.]+$  "for=\"[$remote_addr]\"";
+    ## Unix domain socket names cannot be represented in RFC 7239 syntax
+    default            "for=unknown";
+}
+
+## ref:
+## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
+## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+map $http_forwarded
+    $proxy_add_forwarded
+{
+    volatile;
+
+    ## if the incoming Forwarded header is syntactically valid, append to it
+    "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+    ## otherwise, replace it
+    default  "$proxy_forwarded_elem";
+}

angie/autoconf/http-resolver.conf.j2

@@ -0,0 +1,2 @@
+{%- set resolver_status_zone = 'http_resolver' -%}
+{% include 'snip/resolver.j2inc' %}

angie/autoconf/http-response-headers.conf

@@ -0,0 +1 @@
+include snip/http-response-headers;

angie/autoconf/http-v2.conf.j2

@@ -0,0 +1,3 @@
+{%- if env.NGX_HTTP_V2 == '0' %}
+http2 off;
+{%- endif %}

angie/autoconf/http-v3.conf.j2

@@ -0,0 +1,3 @@
+{%- if env.NGX_HTTP_V3 == '0' %}
+http3 off;
+{%- endif %}

angie/autoconf/http-webroot.conf

@@ -0,0 +1 @@
+root static;

angie/autoconf/mail-resolver.conf.j2

@@ -0,0 +1,2 @@
+{%- set resolver_status_zone = 'mail_resolver' -%}
+{% include 'snip/resolver.j2inc' %}

angie/autoconf/stream-resolver.conf.j2

@@ -0,0 +1,2 @@
+{%- set resolver_status_zone = 'stream_resolver' -%}
+{% include 'snip/resolver.j2inc' %}

angie/conf/acme/path.conf

@@ -0,0 +1 @@
+acme_client_path /run/ngx/lib/acme;

angie/conf/brotli/buffers.conf

@@ -0,0 +1,5 @@
+brotli_comp_level  5; # default: 6
+brotli_window      128k; # default: 512k
+
+brotli_min_length  1024;
+brotli_buffers     32  16k;

angie/conf/brotli/types.conf.j2

@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+brotli_types
+{%- for t in mime_types %}
+    {{ t }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf/core-quic-bpf.conf

@@ -0,0 +1 @@
+quic_bpf on;

angie/conf/core_ev-accept-mutex-delay.conf

@@ -0,0 +1 @@
+accept_mutex_delay 200ms;

angie/conf/core_ev-accept-mutex.conf

@@ -0,0 +1 @@
+accept_mutex on;

angie/conf/core_ev-multi-accept.conf

@@ -0,0 +1 @@
+multi_accept on;

angie/conf/fastcgi/buffers.conf

@@ -0,0 +1,4 @@
+fastcgi_buffers           16  16k;
+fastcgi_buffer_size           16k;
+fastcgi_busy_buffers_size     32k;
+fastcgi_temp_file_write_size  32k;

angie/conf/fastcgi/cache-bypass.conf.j2

@@ -0,0 +1,14 @@
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+fastcgi_cache_bypass
+{%- for v in cache_bypass %}
+    {{ v | ngx_esc }}
+{%- endfor %}
+;
+fastcgi_no_cache
+{%- for v in cache_bypass %}
+    {{ v | ngx_esc }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf/fastcgi/headers.conf

@@ -0,0 +1,2 @@
+include snip/fastcgi-request-headers;
+include snip/fastcgi-response-headers;

angie/conf/fastcgi/param.conf

@@ -0,0 +1,7 @@
+include snip/fastcgi.conf;
+
+fastcgi_param  PATH_INFO    $path_info;
+
+fastcgi_param  AUTH_USER    $remote_user;
+fastcgi_param  REMOTE_USER  $remote_user;
+fastcgi_param  HTTP_HOST    $host;

angie/conf/fastcgi/temp.conf

@@ -0,0 +1 @@
+fastcgi_temp_path /run/ngx/cache/temp_fastcgi 2 2;

angie/conf/grpc/buffers.conf

@@ -0,0 +1 @@
+grpc_buffer_size  16k;

angie/conf/grpc/headers.conf

@@ -0,0 +1,2 @@
+include snip/grpc-request-headers;
+include snip/grpc-response-headers;

angie/conf/grpc/ssl.conf.j2

@@ -0,0 +1,7 @@
+{%- for k, v in j2cfg.tls.conf_cmd|dictsort %}
+grpc_ssl_conf_command  {{ k }}  {{ v | ngx_esc }};
+{%- endfor %}
+
+grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
+grpc_ssl_verify on;
+grpc_ssl_server_name on;

angie/conf/gzip/buffers.conf

@@ -0,0 +1,4 @@
+gzip_comp_level  2; # default: 1
+
+gzip_min_length  1024;
+gzip_buffers     32  16k;

angie/conf/gzip/proxied.conf

@@ -0,0 +1 @@
+gzip_proxied any;

angie/conf/gzip/types.conf.j2

@@ -0,0 +1,9 @@
+{%- set mime_types = j2cfg.compress_types or [] -%}
+{%- set mime_types = mime_types | any_to_str_list | uniq_str_list -%}
+{%- if mime_types -%}
+gzip_types
+{%- for t in mime_types %}
+    {{ t }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf/gzip/vary.conf

@@ -0,0 +1 @@
+gzip_vary on;

angie/conf/http-acme.conf

@@ -0,0 +1 @@
+include conf/acme/*.conf;

angie/conf/http-brotli-static.conf

@@ -0,0 +1 @@
+brotli_static on;

angie/conf/http-brotli.conf

@@ -0,0 +1,2 @@
+include conf/brotli/*.conf;
+brotli on;

angie/conf/http-fastcgi.conf

@@ -0,0 +1 @@
+include conf/fastcgi/*.conf;

angie/conf/http-grpc.conf

@@ -0,0 +1 @@
+include conf/grpc/*.conf;

angie/conf/http-gunzip.conf

@@ -0,0 +1,2 @@
+gunzip_buffers  16  16k;
+gunzip on;

angie/conf/http-gzip-static.conf

@@ -0,0 +1 @@
+gzip_static on;

angie/conf/http-gzip.conf

@@ -0,0 +1,2 @@
+include conf/gzip/*.conf;
+gzip on;

angie/conf/http-modsecurity.conf

@@ -0,0 +1,4 @@
+modsecurity_rules_file modsecurity/rules.conf;
+
+## NOT enabling ModSecurity by default!
+# modsecurity on;

angie/conf/http-njs.conf

@@ -0,0 +1 @@
+include conf/njs/*.conf;

angie/conf/http-perl.conf

@@ -0,0 +1 @@
+include conf/perl/*.conf;

angie/conf/http-proxy.conf

@@ -0,0 +1,2 @@
+include conf/proxy/*.conf;
+include conf/proxy-http/*.conf;

angie/conf/http-quic-gso.conf.j2

@@ -0,0 +1,5 @@
+quic_gso on;
+
+{%- if env.NGX_HTTP_PROXY == '1' %}
+proxy_quic_gso on;
+{%- endif %}

angie/conf/http-scgi.conf

@@ -0,0 +1 @@
+include conf/scgi/*.conf;

angie/conf/http-ssl.conf.j2

@@ -0,0 +1,25 @@
+include conf/ssl/*.conf;
+
+## lowering from 16k to 4k to improve time-to-first-byte
+ssl_buffer_size  4k;
+
+{%- if env.NGX_HTTP_SSL_PROFILE %}
+include snip/ssl-{{ env.NGX_HTTP_SSL_PROFILE }};
+{%- endif %}
+
+{%- if j2cfg.tls.stapling.enable %}
+ssl_stapling on;
+  {%- if j2cfg.tls.stapling.verify %}
+ssl_stapling_verify on;
+  {%- else %}
+ssl_stapling_verify off;
+  {%- endif %}
+  {%- if j2cfg.tls.stapling.file %}
+ssl_stapling_file {{ j2cfg.tls.stapling.file | ngx_esc }};
+  {%- endif %}
+  {%- if j2cfg.tls.stapling.responder %}
+ssl_stapling_responder {{ j2cfg.tls.stapling.responder | ngx_esc }};
+  {%- endif %}
+{%- else %}
+ssl_stapling off;
+{%- endif %}

angie/conf/http-uwsgi.conf

@@ -0,0 +1 @@
+include conf/uwsgi/*.conf;

angie/conf/http-v2.conf

@@ -0,0 +1,2 @@
+include conf/http2/*.conf;
+http2 on;

angie/conf/http-v3.conf

@@ -0,0 +1,2 @@
+include conf/http3/*.conf;
+http3 on;

angie/conf/http-zstd-static.conf

@@ -0,0 +1 @@
+zstd_static on;

angie/conf/http-zstd.conf

@@ -0,0 +1,2 @@
+include conf/zstd/*.conf;
+zstd on;

angie/conf/http2/param.conf

@@ -0,0 +1,2 @@
+http2_chunk_size 16k;
+http2_body_preread_size 64k;

angie/conf/http3/param.conf.j2

@@ -0,0 +1,9 @@
+http3_max_concurrent_streams 128; #default
+http3_stream_buffer_size 64k; #default
+quic_active_connection_id_limit 3;
+
+{%- if env.NGX_HTTP_PROXY == '1' %}
+proxy_http3_max_concurrent_streams 128; #default
+proxy_http3_stream_buffer_size 64k; #default
+proxy_quic_active_connection_id_limit 3;
+{%- endif %}

angie/conf/mail-ssl.conf.j2

@@ -0,0 +1,5 @@
+include conf/ssl/*.conf;
+
+{%- if env.NGX_MAIL_SSL_PROFILE %}
+include snip/ssl-{{ env.NGX_MAIL_SSL_PROFILE }};
+{%- endif %}

angie/conf/njs/path.conf

@@ -0,0 +1 @@
+js_path site;

angie/conf/njs/tls-ca-file.conf.in

@@ -0,0 +1 @@
+js_fetch_trusted_certificate ${NGX_SSL_CERT_FILE};

angie/conf/perl/path.conf

@@ -0,0 +1 @@
+perl_modules site;

angie/conf/proxy-http/buffers.conf

@@ -0,0 +1,4 @@
+proxy_buffers           16  16k;
+proxy_buffer_size           16k;
+proxy_busy_buffers_size     32k;
+proxy_temp_file_write_size  32k;

angie/conf/proxy-http/cache-bypass.conf.j2

@@ -0,0 +1,14 @@
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+proxy_cache_bypass
+{%- for v in cache_bypass %}
+    {{ v | ngx_esc }}
+{%- endfor %}
+;
+proxy_no_cache
+{%- for v in cache_bypass %}
+    {{ v | ngx_esc }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf/proxy-http/headers.conf

@@ -0,0 +1,2 @@
+include snip/proxy-request-headers;
+include snip/proxy-response-headers;

angie/conf/proxy-http/temp.conf

@@ -0,0 +1 @@
+proxy_temp_path /run/ngx/cache/temp_proxy 2 2;

angie/conf/proxy-http/version.conf

@@ -0,0 +1 @@
+proxy_http_version 1.1;

angie/conf/proxy/ssl.conf.j2

@@ -0,0 +1,7 @@
+{%- for k, v in j2cfg.tls.conf_cmd|dictsort %}
+proxy_ssl_conf_command  {{ k }}  {{ v | ngx_esc }};
+{%- endfor %}
+
+proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
+proxy_ssl_verify on;
+proxy_ssl_server_name on;

angie/conf/scgi/buffers.conf

@@ -0,0 +1,4 @@
+scgi_buffers           16  16k;
+scgi_buffer_size           16k;
+scgi_busy_buffers_size     32k;
+scgi_temp_file_write_size  32k;

angie/conf/scgi/cache-bypass.conf.j2

@@ -0,0 +1,14 @@
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+scgi_cache_bypass
+{%- for v in cache_bypass %}
+    {{ v | ngx_esc }}
+{%- endfor %}
+;
+scgi_no_cache
+{%- for v in cache_bypass %}
+    {{ v | ngx_esc }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf/scgi/headers.conf

@@ -0,0 +1,2 @@
+include snip/scgi-request-headers;
+include snip/scgi-response-headers;

angie/conf/scgi/param.conf

@@ -0,0 +1,7 @@
+include snip/scgi_params;
+
+scgi_param  PATH_INFO    $path_info;
+
+scgi_param  AUTH_USER    $remote_user;
+scgi_param  REMOTE_USER  $remote_user;
+scgi_param  HTTP_HOST    $host;

angie/conf/scgi/temp.conf

@@ -0,0 +1 @@
+scgi_temp_path /run/ngx/cache/temp_scgi 2 2;

angie/conf/ssl/cmd.conf.j2

@@ -0,0 +1,3 @@
+{%- for k, v in j2cfg.tls.conf_cmd|dictsort %}
+ssl_conf_command  {{ k }}  {{ v | ngx_esc }};
+{%- endfor %}

angie/conf/stream-njs.conf

@@ -0,0 +1 @@
+include conf/njs/*.conf;

angie/conf/stream-proxy.conf

@@ -0,0 +1,2 @@
+include conf/proxy/*.conf;
+include conf/proxy-stream/*.conf;

angie/conf/stream-ssl.conf.j2

@@ -0,0 +1,5 @@
+include conf/ssl/*.conf;
+
+{%- if env.NGX_STREAM_SSL_PROFILE %}
+include snip/ssl-{{ env.NGX_STREAM_SSL_PROFILE }};
+{%- endif %}

angie/conf/uwsgi/buffers.conf

@@ -0,0 +1,4 @@
+uwsgi_buffers           16  16k;
+uwsgi_buffer_size           16k;
+uwsgi_busy_buffers_size     32k;
+uwsgi_temp_file_write_size  32k;

angie/conf/uwsgi/cache-bypass.conf.j2

@@ -0,0 +1,14 @@
+{%- set cache_bypass = j2cfg.cache_bypass or [] -%}
+{%- if cache_bypass -%}
+## disable (response) cache under following conditions
+uwsgi_cache_bypass
+{%- for v in cache_bypass %}
+    {{ v | ngx_esc }}
+{%- endfor %}
+;
+uwsgi_no_cache
+{%- for v in cache_bypass %}
+    {{ v | ngx_esc }}
+{%- endfor %}
+;
+{%- endif -%}

angie/conf/uwsgi/headers.conf

@@ -0,0 +1,2 @@
+include snip/uwsgi-request-headers;
+include snip/uwsgi-response-headers;

angie/conf/uwsgi/param.conf

@@ -0,0 +1,7 @@
+include snip/uwsgi_params;
+
+uwsgi_param  PATH_INFO    $path_info;
+
+uwsgi_param  AUTH_USER    $remote_user;
+uwsgi_param  REMOTE_USER  $remote_user;
+uwsgi_param  HTTP_HOST    $host;

angie/conf/uwsgi/ssl.conf.j2

@@ -0,0 +1,7 @@
+{%- for k, v in j2cfg.tls.conf_cmd|dictsort %}
+uwsgi_ssl_conf_command  {{ k }}  {{ v | ngx_esc }};
+{%- endfor %}
+
+uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
+uwsgi_ssl_verify on;
+uwsgi_ssl_server_name on;