stack

mosaic/stack

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jason Woltje	429cf85f87	fix(#363 ): rebuild gosu from source with Go 1.26 to fix CRITICAL CVEs The gosu 1.19 binary bundled in the postgres base image was compiled with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH severity Go stdlib vulnerabilities. Since upstream gosu has not released a version built with patched Go (1.24.13+ / 1.25.7+), this adds a multi-stage Docker build that recompiles gosu from source using Go 1.26. Changes: - Pin postgres base image to 17.7-alpine3.22 for reproducibility - Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19 - Replace bundled gosu binary with freshly built version - Pin all postgres:17-alpine references across compose files and CI CVEs fixed: - CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability - CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation - CVE-2025-61726 (HIGH): Go net/url memory exhaustion - CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion - CVE-2025-61729 (HIGH): Go crypto/x509 DoS - CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability Fixes #363 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 12:38:33 -06:00
Jason Woltje	6521cba735	feat: add flexible docker-compose architecture with profiles All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details - Add OpenBao services to docker-compose.yml with profiles (openbao, full) - Add docker-compose.build.yml for local builds vs registry pulls - Make PostgreSQL and Valkey optional via profiles (database, cache) - Create example compose files for common deployment scenarios: - docker/docker-compose.example.turnkey.yml (all bundled) - docker/docker-compose.example.external.yml (all external) - docker/docker.example.hybrid.yml (mixed deployment) - Update documentation: - Enhance .env.example with profiles and external service examples - Update README.md with deployment mode quick starts - Add deployment scenarios to docs/OPENBAO.md - Create docker/DOCKER-COMPOSE-GUIDE.md with comprehensive guide - Clean up repository structure: - Move shell scripts to scripts/ directory - Move documentation to docs/ directory - Move docker compose examples to docker/ directory - Configure for external Authentik with internal services: - Comment out Authentik services (using external OIDC) - Comment out unused volumes for disabled services - Keep postgres, valkey, openbao as internal services This provides a flexible deployment architecture supporting turnkey, production (all external), and hybrid configurations via Docker Compose profiles. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-08 16:55:33 -06:00

Author

SHA1

Message

Date

Jason Woltje

429cf85f87

fix(#363 ): rebuild gosu from source with Go 1.26 to fix CRITICAL CVEs

The gosu 1.19 binary bundled in the postgres base image was compiled
with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH
severity Go stdlib vulnerabilities. Since upstream gosu has not released
a version built with patched Go (1.24.13+ / 1.25.7+), this adds a
multi-stage Docker build that recompiles gosu from source using Go 1.26.

Changes:
- Pin postgres base image to 17.7-alpine3.22 for reproducibility
- Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19
- Replace bundled gosu binary with freshly built version
- Pin all postgres:17-alpine references across compose files and CI

CVEs fixed:
- CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability
- CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation
- CVE-2025-61726 (HIGH): Go net/url memory exhaustion
- CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion
- CVE-2025-61729 (HIGH): Go crypto/x509 DoS
- CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability

Fixes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-12 12:38:33 -06:00

Jason Woltje

6521cba735

feat: add flexible docker-compose architecture with profiles

ci/woodpecker/push/woodpecker Pipeline was successful

Details

- Add OpenBao services to docker-compose.yml with profiles (openbao, full)
- Add docker-compose.build.yml for local builds vs registry pulls
- Make PostgreSQL and Valkey optional via profiles (database, cache)
- Create example compose files for common deployment scenarios:
  - docker/docker-compose.example.turnkey.yml (all bundled)
  - docker/docker-compose.example.external.yml (all external)
  - docker/docker.example.hybrid.yml (mixed deployment)
- Update documentation:
  - Enhance .env.example with profiles and external service examples
  - Update README.md with deployment mode quick starts
  - Add deployment scenarios to docs/OPENBAO.md
  - Create docker/DOCKER-COMPOSE-GUIDE.md with comprehensive guide
- Clean up repository structure:
  - Move shell scripts to scripts/ directory
  - Move documentation to docs/ directory
  - Move docker compose examples to docker/ directory
- Configure for external Authentik with internal services:
  - Comment out Authentik services (using external OIDC)
  - Comment out unused volumes for disabled services
  - Keep postgres, valkey, openbao as internal services

This provides a flexible deployment architecture supporting turnkey,
production (all external), and hybrid configurations via Docker Compose
profiles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-08 16:55:33 -06:00

2 Commits