Quote from https://www.freedesktop.org/software/systemd/man/systemd.exec.html
> DynamicUser= takes a boolean parameter. If set, a UNIX user and group
> pair is allocated dynamically when the unit is started, and released as
> soon as it is stopped. The user and group will not be added to
> /etc/passwd or /etc/group, but are managed transiently during runtime.

`DynamicUser` dynamically creates a new user `whoogle` with limited
privileges which are handled by systemd every time whoogle.service is
started. I think this is more secure and easier than letting the
admin deal with the user and its privileges under which whoogle should
run. It's certainly a big security improvement compared to the root user
which was used to run whoogle not that long ago.
I changed my `whoogle.service` file accordingly and running `ps u -U
whoogle` shows me that systemd automatically runs whoogle with the user
`whoogle` which systemd created automatically because I never created
the user myself.
```
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
whoogle 6299 0.0 0.7 363884 58808 ? Ssl 20:14 0:01 /opt/whoogle-search/venv/bin/python3 -um app --host 0.0.0.0 --port 5000
```
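
An added example, not part of the commit above or of the whoogle-search repository: a small audit that checks whether a unit file really ends up with a transient account. It also covers the case, documented in the same systemd.exec man page, where an account of the configured name already exists in /etc/passwd and systemd uses that static account instead of allocating one. The unit text and passwd lines are constructed samples (only the `ExecStart=` command line is taken from the `ps` output above), and the function names are hypothetical.

```python
import configparser

# Spellings systemd accepts for a true boolean value.
TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed sample unit; ExecStart mirrors the ps output quoted above.
SAMPLE_UNIT = """\
[Unit]
Description=Whoogle

[Service]
DynamicUser=yes
User=whoogle
ExecStart=/opt/whoogle-search/venv/bin/python3 -um app --host 0.0.0.0 --port 5000
"""

# Constructed sample of /etc/passwd content (no 'whoogle' entry).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "nobody:x:65534:65534:nobody:/:/usr/sbin/nologin\n"
)


def service_section(unit_text):
    """Return the [Service] keys of a unit file as a dict (last value wins)."""
    cp = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",)
    )
    cp.optionxform = str  # unit file keys are case-sensitive
    cp.read_string(unit_text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}


def audit(unit_text, passwd_text):
    """List reasons the service would not run under a transient account."""
    svc = service_section(unit_text)
    dynamic = svc.get("DynamicUser", "no").strip().lower() in TRUE_VALUES
    user = svc.get("User", "").strip()
    static_users = {
        line.split(":", 1)[0]
        for line in passwd_text.splitlines()
        if line and not line.startswith("#")
    }
    findings = []
    if not dynamic:
        findings.append("DynamicUser= is not enabled")
        if user in ("", "root", "0"):  # system services default to root
            findings.append("service runs as root")
    elif user in static_users:
        findings.append(
            f"User '{user}' exists in /etc/passwd, so systemd uses that static account"
        )
    return findings
```

An empty list from `audit(SAMPLE_UNIT, SAMPLE_PASSWD)` means the unit requests a dynamic user and no static account shadows it.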
Used in header templates for navigating back to the home page when
behind a reverse proxy config where the app is running from a subpath of
a domain (i.e. "https://something/whoogle/")
Fixes #403
Buildx workflow now waits for tests to pass before building/uploading
new images.
There's also a separate step for building a properly formatted tag image
if triggered by a new tag.
There doesn't really need to be a 'develop' branch anymore, since all
work is committed directly to 'main', with tags to indicate
production-ready builds.
As a result, the buildx-dev workflow is pretty pointless.
There are a few conventional choices but this one should be friendly
and generally accepted by local readers.
The previous version is still comprehensible but has fewer users (perhaps
used in Japanese documents) and may give local users pause.
Regular commits are all built and published to TestPyPI, tagged commits
are published to PyPI.
This should finish the process of moving away from Travis CI, now that
both testing and PyPI deployments are handled in GitHub Actions.
Restricting form-action to 'self' in the content security policy
prevented Chrome (and likely other browsers) from using !bangs on the
home page.
Fixes #408
The Travis CI folks are updating stuff and broke my tests, so I'm moving
over to GitHub Actions instead since that is (hopefully) less likely to
change moving forward.
Will need to move PyPI deployment to GitHub Actions as well.
Since Docker Hub no longer allows automated builds for free tier users,
the build process for new images needs to be moved to GitHub Actions.
The existing buildx workflow has worked pretty well for the most part,
but was only enabled for the develop branch and only pushed the
buildx-experimental tag. This addition allows pushes to the main branch
to build updates for the "latest" tag as well, which is more commonly
used I think.
* Make replit install all requirements first
This should install all requirements from requirements.txt. It makes this a one click experience, without the user having to run `pip install -r requirements.txt` and then tap the run button. I myself had to first run that command in my repl, so I have made this change so others don't have to do the same.
repl.it also runs on Linux-based systems, so `&&` is the correct bash syntax.
* Running in Bash
I applied the same change I made on onBoot to the run variable, and made the language bash as the syntax `./` and `&&` belong to bash.
Previously if a result element marked for collapsing didn't have a valid
"parent" element, the collapsing was skipped altogether. This loops
through child elements until a valid parent is found (or if one isn't
found, the element will not be collapsed).