Remove xattr config and alpine tools dependency

* Remove the old way of handling configuration via xattrs
	* this seemed clever at the time and it worked fine, but it was
		finicky and there really aren't great tools for copying that around
		(despite what some utils say, they just didn't work as expected)
	* move to a new way of keeping config in separate directory structure
	* static files are still separate, so they can still be served via
		any web server
* Remove alpine tools dependency
	* we now use the alpine go package to handle generating apkindexes
	* no longer requires having apk and abuild-sign binaries available
* Reorganize the directory and URL structure
	* the above changes requires some minor changes to the dir/url
		structure
	* you know me, while I was there...

.github/workflows/lint.yaml

@@ -45,10 +45,10 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DISABLE_LINTERS: SPELL_CSPELL
           DISABLE_ERRORS_LINTERS: SPELL_LYCHEE
-          # GO_GOLANGCI_LINT_CLI_LINT_MODE: project
-          # GO_REVIVE_CLI_LINT_MODE: project
+          GO_GOLANGCI_LINT_CLI_LINT_MODE: project
+          GO_REVIVE_CLI_LINT_MODE: project
           REPOSITORY_GRYPE_DISABLE_ERRORS: true
-          # GO_GOLANGCI_LINT_ARGUMENTS: "--verbose --timeout 5m"
+          GO_GOLANGCI_LINT_ARGUMENTS: "--verbose --timeout 5m ./..."
 
       # Upload MegaLinter artifacts
       - name: Archive production artifacts

Dockerfile

@@ -10,13 +10,14 @@ COPY ./go.* /app/
 RUN ["go", "mod", "download"]
 
 COPY ./ /app/
-RUN ["go", "build", "./cmd/api"]
+ENV CGO_ENABLED=0
+RUN ["go", "build", "-ldflags='-extldflags=-static'", "./cmd/api/"]
 # RUN ["find", "."]
 
 # we need edge because we built packages for edge
 FROM alpine:edge
 
-LABEL maintainer="iggy@atlascloud.xyz"
+LABEL maintainer="packages@atlascloud.xyz"
 LABEL org.opencontainers.image.source=https://github.com/atlascloud/packages
 LABEL org.opencontainers.image.description="API for managing packages service"
 

README.md

@@ -4,23 +4,22 @@
 
 host packages for distributions
 
-## Notes
-
-Currently we call out to apk, so you either need to run this in an alpine container/host or have a
-standalone apk binary in your path
-
 ## Functionality
+
 ### Implemented
 
+* organizations
+  * support for multiple orgs per server
+  * organization level tokens
 * distributions
   * get info
   * get versions
   * NOTE: only alpine is currently supported
-* organizations
-  * support for multiple orgs per server
-  * organization level tokens
-* repos
-  * support for multiple repos per org
+* repository versions
+* repositories
+  * support for multiple repos per distribution/version
+* architectures
+* packages
 
 
 ### Planned
@@ -34,5 +33,72 @@ standalone apk binary in your path
 * aliases
   * version aliases
     * 10.0 -> buster
-    * 20.04 -> bionic
-  *
+    * 20.04 -> focal
+
+## directory layout
+
+### conceptual
+* root
+  * static
+    * orgs
+      * distros - public keys
+        * distroversion
+          * repos
+            * packages (.apk/.deb/.rpm/etc)
+  * config
+    * orgs - pkg/repo signing private keys / tokens
+      * tokens - org level tokens
+      * distros - pkg/repo signing private keys / tokens
+        * distroversion - pkg/repo signing private keys / tokens
+          * repos - pkg/repo signing private keys / tokens
+
+### examples
+* /srv/packages
+  * /static
+    * /atlascloud
+      * /alpine
+        * /somekey.pub
+        * /edge
+          * /key.pub
+          * /main
+          * /community
+        * /3.19
+          * /main
+      * /ubuntu
+        * /repokey.pub
+        * /dists
+          * /24.04 -> noble
+            * /main
+            * /universe
+            * /multiverse
+            * /restricted
+        * /pool
+          * /main
+            * /a,/b,/c... - debs
+          * /multiverse
+            * /a,/b,/c...
+      * /fedora
+        * /linux
+          * /releases
+            * /39
+              * /Server
+                * x86_64
+                  * /os
+                    * /Packages
+                      * /a,/b,/c - rpms
+  * /config
+    * /atlascloud
+      * /tokens
+      * /alpine
+        * /privkey.key
+        * /tokens
+          * /name
+          * /2
+        * /edge
+          * /privkey.key
+          * /main
+            * /priv.key
+
+### TODO
+* server wide tokens for doing things like creating orgs, etc
+

Taskfile.yml

@@ -20,6 +20,8 @@ tasks:
       # -o /local/gen/packages
 
   build:
+    env:
+      CGO_ENABLED: 0
     cmds:
       - go build ./cmd/api
 

cmd/api/main.go

@@ -1,3 +1,4 @@
+// package main is this really necessary
 package main
 
 import (
@@ -17,7 +18,7 @@ import (
 )
 
 func main() {
-	var port = flag.Int("port", 8888, "Port for test HTTP server")
+	var port = flag.Int("port", 8888, "Port for HTTP server")
 	flag.Parse()
 
 	swagger, err := repoApi.GetSwagger()
@@ -36,7 +37,7 @@ func main() {
 	// This is how you set up a basic Echo router
 	e := echo.New()
 	// Enable metrics middleware
-	p := prometheus.NewPrometheus("echo", nil)
+	p := prometheus.NewPrometheus("packages", nil)
 	p.Use(e)
 
 	// Log all requests
@@ -50,14 +51,11 @@ func main() {
 	validatorOptions := &echomiddleware.Options{}
 
 	validatorOptions.Options.AuthenticationFunc = func(ctx context.Context, input *openapi3filter.AuthenticationInput) error {
-		// log.Debug().
-		// 	Interface("ctx", ctx).
-		// 	Interface("input.PathParams", input.RequestValidationInput.PathParams).
-		// 	Interface("input.Route", input.RequestValidationInput.Route).
-		// 	Msg("authenticator input")
 		orgName := input.RequestValidationInput.PathParams["org"]
-		repoName := input.RequestValidationInput.PathParams["slug"]
-		validTokens := repoApi.GetValidTokens(orgName, repoName)
+		validTokens := repoApi.GetValidTokens(orgName)
+		if input.RequestValidationInput.Request.Header.Get("Authorization") == "" {
+			return errors.New("no auth token")
+		}
 		token := strings.Split(input.RequestValidationInput.Request.Header["Authorization"][0], " ")[1]
 		for _, t := range validTokens {
 			if token == t {

cmd/cli/main.go

@@ -1 +1,2 @@
+// package main is this really necessary
 package main

go.mod

@@ -2,98 +2,57 @@ module github.com/iggy/packages
 
 go 1.20
 
+// replace gitlab.alpinelinux.org/alpine/go => /home/iggy/projects/gitlab.alpinelinux.org/iggy/go
+
 require (
-	github.com/deepmap/oapi-codegen v1.16.2
 	github.com/getkin/kin-openapi v0.123.0
 	github.com/labstack/echo-contrib v0.15.0
 	github.com/labstack/echo/v4 v4.11.4
 	github.com/oapi-codegen/echo-middleware v1.0.1
-	github.com/pkg/xattr v0.4.9
-	github.com/rs/zerolog v1.31.0
+	github.com/oapi-codegen/runtime v1.1.1
+	github.com/rs/zerolog v1.32.0
 	github.com/steinfletcher/apitest v1.5.15
+	github.com/viant/afs v1.25.0
+	gitlab.alpinelinux.org/alpine/go v0.9.0
 )
 
 require (
-	github.com/BurntSushi/toml v1.3.2 // indirect
-	github.com/CloudyKit/fastprinter v0.0.0-20200109182630-33d98a066a53 // indirect
-	github.com/CloudyKit/jet/v6 v6.2.0 // indirect
-	github.com/Joker/jade v1.1.3 // indirect
-	github.com/Shopify/goreferrer v0.0.0-20220729165902-8cddb4f5de06 // indirect
-	github.com/andybalholm/brotli v1.0.6 // indirect
+	github.com/MakeNowJust/heredoc/v2 v2.0.1 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
-	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bytedance/sonic v1.10.2 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/chenzhuoyu/base64x v0.0.0-20230717121745-296ad89f973d // indirect
-	github.com/chenzhuoyu/iasm v0.9.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fatih/structs v1.1.0 // indirect
-	github.com/flosch/pongo2/v4 v4.0.2 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
-	github.com/gin-gonic/gin v1.9.1 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-openapi/jsonpointer v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.8 // indirect
-	github.com/go-playground/locales v0.14.1 // indirect
-	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.15.5 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/go-openapi/swag v0.22.9 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang/snappy v0.0.4 // indirect
-	github.com/gomarkdown/markdown v0.0.0-20230922112808-5421fefb8386 // indirect
-	github.com/google/uuid v1.4.0 // indirect
-	github.com/gorilla/css v1.0.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/invopop/yaml v0.2.0 // indirect
-	github.com/iris-contrib/schema v0.0.6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kataras/blocks v0.0.8 // indirect
-	github.com/kataras/golog v0.1.9 // indirect
-	github.com/kataras/iris/v12 v12.2.7 // indirect
-	github.com/kataras/pio v0.0.12 // indirect
-	github.com/kataras/sitemap v0.0.6 // indirect
-	github.com/kataras/tunnel v0.0.4 // indirect
-	github.com/klauspost/compress v1.17.2 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/labstack/gommon v0.4.2 // indirect
-	github.com/leodido/go-urn v1.2.4 // indirect
-	github.com/mailgun/raymond/v2 v2.0.48 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
-	github.com/microcosm-cc/bluemonday v1.0.26 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
-	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
-	github.com/prometheus/client_golang v1.17.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.18.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/common v0.46.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/schollz/closestmatch v2.1.0+incompatible // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/tdewolff/minify/v2 v2.19.10 // indirect
-	github.com/tdewolff/parse/v2 v2.6.8 // indirect
-	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
-	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
-	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
-	github.com/yosssi/ace v0.0.5 // indirect
-	golang.org/x/arch v0.5.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
-	golang.org/x/net v0.19.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/crypto v0.18.0 // indirect
+	golang.org/x/net v0.20.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.32.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+// replace gitlab.alpinelinux.org/alpine/go => gitlab.alpinelinux.org/abemedia/go v0.8.1-0.20231202003941-ea851dc19408