j2cfg: update requirements

NB: Angie repository for Debian 13 is coming soon.

Dockerfile.base

@@ -1,5 +1,5 @@
-# FROM docker.io/debian:bookworm-slim as base-upstream
-ARG PYTHONTAG=3.12.11-slim-bookworm
+# FROM docker.io/debian:trixie-slim as base-upstream
+ARG PYTHONTAG=3.12.11-slim-trixie
 FROM docker.io/python:${PYTHONTAG} AS base-upstream
 
 FROM base-upstream AS base-intermediate
@@ -19,7 +19,6 @@ ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
     PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1
 
-COPY /apt/prefs.backports  /etc/apt/preferences.d/backports
 COPY /apt/sources.debian   /etc/apt/sources.list.d/debian.sources
 
 ## prevent services from auto-starting, part 1
@@ -60,6 +59,7 @@ RUN apt-env.sh apt-get update ; \
       openssl \
       procps \
       psmisc \
+      systemd-standalone-sysusers \
       tzdata \
       zstd \
     ; \
@@ -272,8 +272,8 @@ RUN env -C /root rm -f .bash_history .python_history .wget-hsts
 FROM base-intermediate AS certs
 SHELL [ "/bin/sh", "-ec" ]
 
-## "2025.04.26"
-ENV CERTIFI_COMMIT=275c9eb55733a464589c15fb4566fddd4598e5b2
+## "2025.08.03"
+ENV CERTIFI_COMMIT=a97d9ad8f87c382378dddc0b0b33b9770932404e
 
 # ARG CERTIFI_BASE_URI='https://raw.githubusercontent.com/certifi/python-certifi'
 

angie/autoconf/http-buffers.conf

@@ -1,4 +1,6 @@
 subrequest_output_buffer_size     16k;
 client_body_buffer_size           16k;
+client_max_body_size              64k;
+
 client_header_buffer_size          4k;
 large_client_header_buffers    8  16k;

angie/autoconf/http-realip.conf.j2

@@ -0,0 +1,5 @@
+{%- set hdr = j2cfg.headers.real_ip_from or 'off' -%}
+{%- if hdr != 'off' %}
+real_ip_header {{ hdr | http_header }};
+{% include 'realip-set-from.j2inc' %}
+{%- endif %}

angie/autoconf/http-request-headers-forwarded.conf

@@ -17,8 +17,6 @@ map $remote_addr
 map $http_forwarded
     $proxy_add_forwarded
 {
-    volatile;
-
     ## if the incoming Forwarded header is syntactically valid, append to it
     "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
 

angie/autoconf/http-server-tokens.conf

@@ -0,0 +1 @@
+server_tokens off;

angie/autoconf/mail-realip.conf.j2

@@ -0,0 +1 @@
+{% include 'realip-set-from.j2inc' %}

angie/autoconf/realip-set-from.j2inc

@@ -0,0 +1,8 @@
+{%- set src = (j2cfg.trusted_sources or []) | any_to_str_list | uniq_str_list | ngx_esc -%}
+{%- if src %}
+  {%- for s in src %}
+set_real_ip_from {{ s }};
+  {%- endfor %}
+{%- else %}
+set_real_ip_from unix: ;
+{%- endif %}

angie/autoconf/stream-realip.conf.j2

@@ -0,0 +1 @@
+{% include 'realip-set-from.j2inc' %}

angie/j2cfg.yml

@@ -58,3 +58,15 @@ tls:
       dhparam: tls/dh1024.pem
       session_tickets: off
       session_timeout: 1d
+
+## well-known values are:
+## - 'off'             - don't use "realip" module
+## - 'proxy_protocol'  - get information from PROXY protocol if listen directive has "proxy_protocol" option
+## - 'X-Forwarded-For' - get information from 'X-Forwarded-For' header
+## - 'X-Real-IP'       - get information from 'X-Real-IP' header
+## any other value will be treated as uncommon (but valid?) header
+real_ip_from: off
+## list of trusted sources to be used in "realip" module
+## ref: https://en.angie.software/angie/docs/configuration/modules/http/http_realip/
+## if empty, defaults to "unix:"
+trusted_sources: []

apt/prefs.backports

@@ -1,27 +0,0 @@
-Package: src:curl
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:debhelper
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:elfutils
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:iproute2
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:libbpf
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:systemd
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:sysvinit
-Pin: release n=bookworm-backports
-Pin-Priority: 600

apt/sources.debian

@@ -1,11 +1,11 @@
 Types: deb
 URIs: http://deb.debian.org/debian
-Suites: bookworm bookworm-updates bookworm-proposed-updates bookworm-backports
+Suites: trixie trixie-updates trixie-proposed-updates trixie-backports
 Components: main
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 
 Types: deb
 URIs: http://deb.debian.org/debian-security
-Suites: bookworm-security
+Suites: trixie-security
 Components: main
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

build-scripts/image-base.sh

@@ -10,7 +10,7 @@ BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
 BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}"
 set +a
 
-PYTHONTAG="${PYTHONTAG:-3.12.11-slim-bookworm}"
+PYTHONTAG="${PYTHONTAG:-3.12.11-slim-trixie}"
 
 grab_site_packages() {
 	podman run \

requirements.txt

@@ -1,4 +1,4 @@
 jinja2==3.1.6
 psutil==7.0.0
 pyyaml==6.0.2
-wcmatch==10.0
+wcmatch==10.1