theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ubuntu 26.04 Release
build-and-publish / build (debian:13, NEXUS_PASS_TRIXIE, NEXUS_REPO_TRIXIE, NEXUS_USER_TRIXIE, trixie) (push) Successful in 3m10s
Details
build-and-publish / build (ubuntu:26.04, NEXUS_PASS_RACCOON, NEXUS_REPO_RACCOON, NEXUS_USER_RACCOON, raccoon) (push) Successful in 3m26s
Details

Browse Source
This commit is contained in:
root
2026-04-26 05:26:09 +00:00
parent be3fb4a68f
commit 8a14911502
4 changed files with 0 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/build-publish.yml
-9
View File
@@ -72,21 +72,12 @@ jobs:
cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true cp -R /hostdata/default "${PKG_DIR}/hostdata/" || true
cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true cp -R /usr/nginx_lua "${PKG_DIR}/usr/" || true
# Preserve compile-time rpath paths so the dynamic loader resolves
# AWS-LC, LuaJIT, libinjection, and libmodsecurity correctly on the
# target host. Flattening these into /usr/lib (the old behaviour)
# made the loader fall back to the host's system libssl/libcrypto
# which have a different ABI from AWS-LC -> "undefined symbol"
# crashes at runtime.
for d in /usr/local/aws-lc /usr/local/LuaJIT /usr/local/modsecurity; do for d in /usr/local/aws-lc /usr/local/LuaJIT /usr/local/modsecurity; do
[ -d "$d" ] && cp -R "$d" "${PKG_DIR}/usr/local/" || true [ -d "$d" ] && cp -R "$d" "${PKG_DIR}/usr/local/" || true
done done
mkdir -p "${PKG_DIR}/usr/local/lib" mkdir -p "${PKG_DIR}/usr/local/lib"
cp -R /usr/local/lib/. "${PKG_DIR}/usr/local/lib/" 2>/dev/null || true cp -R /usr/local/lib/. "${PKG_DIR}/usr/local/lib/" 2>/dev/null || true
# Other libs nginx links against (system glibc deps, libpcre2, etc.)
# go to /usr/lib. Skip anything under /usr/local — it's already
# shipped at its original path above.
for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do for lib in $(ldd /usr/sbin/nginx | grep '=> /' | awk '{print $3}'); do
case "$lib" in case "$lib" in
/usr/local/*) continue ;; /usr/local/*) continue ;;
static/Raccoon/nginx.service
-40
View File
@@ -6,52 +6,12 @@ Wants=network-online.target
[Service] [Service]
Type=forking Type=forking
PIDFile=/run/nginx.pid PIDFile=/run/nginx.pid
# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
# guaranteed present. Removing this line falls back to glibc malloc cleanly.
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2 Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# Self-heal: nginx was compiled without --http-*-temp-path so it expects
# these dirs under /usr/local/nginx; install -d is idempotent and fixes any
# missing/wrong ownership on every restart.
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
ExecStartPre=/usr/sbin/nginx -t ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID ExecStop=/bin/kill -s QUIT $MAINPID
# ---- systemd hardening (systemd 257+ on Debian 13 / Ubuntu 26.04) ----
# Each line shrinks the worker's blast radius without affecting throughput.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
PrivateDevices=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
SystemCallErrorNumber=EPERM
# Paths nginx legitimately writes to. ProtectSystem=strict makes everything
# else read-only; these carve out the exceptions.
ReadWritePaths=/var/log/nginx /usr/local/nginx /run /nginx /hostdata
# NOTE on MemoryDenyWriteExecute: LuaJIT does runtime JIT compilation and
# therefore needs writable+executable pages — enabling MDWE breaks Lua. Left
# off intentionally.
LimitNOFILE=65535 LimitNOFILE=65535
[Install] [Install]
static/Trixie/nginx.service
-40
View File
@@ -6,52 +6,12 @@ Wants=network-online.target
[Service] [Service]
Type=forking Type=forking
PIDFile=/run/nginx.pid PIDFile=/run/nginx.pid
# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
# guaranteed present. Removing this line falls back to glibc malloc cleanly.
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2 Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
# Self-heal: nginx was compiled without --http-*-temp-path so it expects
# these dirs under /usr/local/nginx; install -d is idempotent and fixes any
# missing/wrong ownership on every restart.
ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
ExecStartPre=/usr/sbin/nginx -t ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID ExecStop=/bin/kill -s QUIT $MAINPID
# ---- systemd hardening (systemd 257+ on Debian 13 / Ubuntu 26.04) ----
# Each line shrinks the worker's blast radius without affecting throughput.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
PrivateDevices=true
PrivateTmp=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
SystemCallErrorNumber=EPERM
# Paths nginx legitimately writes to. ProtectSystem=strict makes everything
# else read-only; these carve out the exceptions.
ReadWritePaths=/var/log/nginx /usr/local/nginx /run /nginx /hostdata
# NOTE on MemoryDenyWriteExecute: LuaJIT does runtime JIT compilation and
# therefore needs writable+executable pages — enabling MDWE breaks Lua. Left
# off intentionally.
LimitNOFILE=65535 LimitNOFILE=65535
[Install] [Install]
static/nginx/nginx.conf
-7
View File
@@ -1,10 +1,3 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
#
# Tuned for shared hosting at 5,000+ vhost scale.
# Per-vhost listen/ssl_certificate directives live in /nginx/live/* — this
# file only contains the global event/http settings.
user nginx; user nginx;
pid /var/run/nginx.pid; pid /var/run/nginx.pid;
worker_processes auto; worker_processes auto;