Automated update: 2026-06-06 13:00:48

apps/authentik/postgres/postmaster.opts

@@ -0,0 +1 @@
+/usr/local/bin/postgres

apps/bookstack/bookstack/nginx/nginx.conf

@@ -0,0 +1,98 @@
+## Version 2025/12/26 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/nginx.conf.sample
+
+### Based on alpine defaults
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.23-stable
+
+user abc;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events {
+    # The maximum number of simultaneous connections that can be opened by
+    # a worker process.
+    worker_connections 1024;
+}
+
+http {
+    # Includes mapping of file name extensions to MIME types of responses
+    # and defines the default type.
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Name servers used to resolve names of upstream servers into addresses.
+    # It's also needed when using tcpsocket and udpsocket in Lua modules.
+    #resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
+    include /config/nginx/resolver.conf;
+
+    # Don't tell nginx version to the clients. Default is 'on'.
+    server_tokens off;
+
+    # Specifies the maximum accepted body size of a client request, as
+    # indicated by the request header Content-Length. If the stated content
+    # length is greater than this size, then the client receives the HTTP
+    # error code 413. Set to 0 to disable. Default is '1m'.
+    client_max_body_size 0;
+
+    # Sendfile copies data between one FD and other from within the kernel,
+    # which is more efficient than read() + write(). Default is off.
+    sendfile on;
+
+    # Causes nginx to attempt to send its HTTP response head in one packet,
+    # instead of using partial frames. Default is 'off'.
+    tcp_nopush on;
+
+    # all ssl related config moved to ssl.conf
+    # included in server blocks where listen 443 is defined
+
+    # Enable gzipping of responses.
+    #gzip on;
+
+    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+    gzip_vary on;
+
+    # Helper variable for proxying websockets.
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    # Enable http2 by default for all servers
+    http2 on;
+
+    http3 on;
+    quic_retry on;
+
+    # Sets the path, format, and configuration for a buffered log write.
+    access_log /config/log/nginx/access.log;
+
+    client_body_temp_path /tmp/nginx 1 2;
+    proxy_temp_path /tmp/nginx-proxy;
+    fastcgi_temp_path /tmp/nginx-fastcgi;
+    uwsgi_temp_path /tmp/nginx-uwsgi;
+    scgi_temp_path /tmp/nginx-scgi;
+
+    proxy_cache_path /tmp/nginx-proxy-cache keys_zone=lsio-proxy:10m;
+    fastcgi_cache_path /tmp/nginx-fcgi-cache keys_zone=lsio-fcgi:10m;
+    scgi_cache_path /tmp/nginx-scgi-cache keys_zone=lsio-scgi:10m;
+    uwsgi_cache_path /tmp/nginx-uwsgi-cache keys_zone=lsio-uwsgi:10m;
+
+    # Includes virtual hosts configs.
+    include /etc/nginx/http.d/*.conf;
+    include /config/nginx/site-confs/*.conf;
+}
+
+daemon off;
+pid /run/nginx.pid;

apps/bookstack/bookstack/nginx/nginx.conf.sample

@@ -0,0 +1,98 @@
+## Version 2025/12/26 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/nginx.conf.sample
+
+### Based on alpine defaults
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.23-stable
+
+user abc;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events {
+    # The maximum number of simultaneous connections that can be opened by
+    # a worker process.
+    worker_connections 1024;
+}
+
+http {
+    # Includes mapping of file name extensions to MIME types of responses
+    # and defines the default type.
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Name servers used to resolve names of upstream servers into addresses.
+    # It's also needed when using tcpsocket and udpsocket in Lua modules.
+    #resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
+    include /config/nginx/resolver.conf;
+
+    # Don't tell nginx version to the clients. Default is 'on'.
+    server_tokens off;
+
+    # Specifies the maximum accepted body size of a client request, as
+    # indicated by the request header Content-Length. If the stated content
+    # length is greater than this size, then the client receives the HTTP
+    # error code 413. Set to 0 to disable. Default is '1m'.
+    client_max_body_size 0;
+
+    # Sendfile copies data between one FD and other from within the kernel,
+    # which is more efficient than read() + write(). Default is off.
+    sendfile on;
+
+    # Causes nginx to attempt to send its HTTP response head in one packet,
+    # instead of using partial frames. Default is 'off'.
+    tcp_nopush on;
+
+    # all ssl related config moved to ssl.conf
+    # included in server blocks where listen 443 is defined
+
+    # Enable gzipping of responses.
+    #gzip on;
+
+    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+    gzip_vary on;
+
+    # Helper variable for proxying websockets.
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    # Enable http2 by default for all servers
+    http2 on;
+
+    http3 on;
+    quic_retry on;
+
+    # Sets the path, format, and configuration for a buffered log write.
+    access_log /config/log/nginx/access.log;
+
+    client_body_temp_path /tmp/nginx 1 2;
+    proxy_temp_path /tmp/nginx-proxy;
+    fastcgi_temp_path /tmp/nginx-fastcgi;
+    uwsgi_temp_path /tmp/nginx-uwsgi;
+    scgi_temp_path /tmp/nginx-scgi;
+
+    proxy_cache_path /tmp/nginx-proxy-cache keys_zone=lsio-proxy:10m;
+    fastcgi_cache_path /tmp/nginx-fcgi-cache keys_zone=lsio-fcgi:10m;
+    scgi_cache_path /tmp/nginx-scgi-cache keys_zone=lsio-scgi:10m;
+    uwsgi_cache_path /tmp/nginx-uwsgi-cache keys_zone=lsio-uwsgi:10m;
+
+    # Includes virtual hosts configs.
+    include /etc/nginx/http.d/*.conf;
+    include /config/nginx/site-confs/*.conf;
+}
+
+daemon off;
+pid /run/nginx.pid;

apps/bookstack/bookstack/nginx/site-confs/default.conf.sample

@@ -0,0 +1,46 @@
+## Version 2025/12/26 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/site-confs/default.conf.sample
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    listen 443 quic reuseport default_server;
+    listen [::]:443 quic reuseport default_server;
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+    set $root /app/www/public;
+    if (!-d /app/www/public) {
+        set $root /config/www;
+    }
+    root $root;
+    index index.html index.htm index.php;
+
+    location / {
+        # enable for basic auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+    }
+
+    location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht {
+        deny all;
+    }
+}

apps/bookstack/bookstack/nginx/ssl.conf.sample

@@ -0,0 +1,36 @@
+## Version 2026/05/04 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/3.23/root/defaults/nginx/ssl.conf.sample
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+### Mozilla SSL Configuration Generator
+# generated 2026-05-04, Mozilla Guideline v6.0, nginx 1.28.3, OpenSSL 3.5.6, intermediate config, HSTS
+# https://ssl-config.mozilla.org/#server=nginx&version=1.28.3&config=intermediate&openssl=3.5.6&hsts&guideline=6.0
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+# see also ssl_session_ticket_key alternative to stateful session cache
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+
+### Mozilla Practical security implementation
+# https://developer.mozilla.org/en-US/docs/Web/Security
+#add_header Access-Control-Allow-Origin $http_origin always;
+#add_header Content-Security-Policy "upgrade-insecure-requests; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
+#add_header Cross-Origin-Resource-Policy "same-origin" always;
+#add_header Referrer-Policy "same-origin" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-Frame-Options "SAMEORIGIN" always;
+
+### Optional additional headers
+#add_header Alt-Svc 'h3=":443"' always;
+#add_header Cache-Control "no-transform" always;
+#add_header Permissions-Policy "interest-cohort=()" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header X-XSS-Protection "1; mode=block" always;

apps/forgejo/data/gitea/queues/common/CURRENT

@@ -0,0 +1 @@
+MANIFEST-000013

apps/forgejo/data/gitea/queues/common/LOG

@@ -0,0 +1,57 @@
+=============== Jun 4, 2026 (UTC) ===============
+17:30:25.434670 log@legend F·NumFile S·FileSize N·Entry C·BadEntry B·BadBlock Ke·KeyError D·DroppedEntry L·Level Q·SeqNum T·TimeElapsed
+17:30:25.448528 db@open opening
+17:30:25.448935 version@stat F·[] S·0B[] Sc·[]
+17:30:25.452069 db@janitor F·2 G·0
+17:30:25.452104 db@open done T·3.534849ms
+=============== Jun 4, 2026 (UTC) ===============
+17:36:09.641101 log@legend F·NumFile S·FileSize N·Entry C·BadEntry B·BadBlock Ke·KeyError D·DroppedEntry L·Level Q·SeqNum T·TimeElapsed
+17:36:09.641279 version@stat F·[] S·0B[] Sc·[]
+17:36:09.641289 db@open opening
+17:36:09.641343 journal@recovery F·1
+17:36:09.641653 journal@recovery recovering @1
+17:36:09.652421 memdb@flush created L0@2 N·26 S·542B "act..igh,v26":"web..low,v17"
+17:36:09.653247 version@stat F·[1] S·542B[542B] Sc·[0.25]
+17:36:09.663251 db@janitor F·3 G·0
+17:36:09.663284 db@open done T·21.982652ms
+=============== Jun 5, 2026 (UTC) ===============
+06:07:10.051042 log@legend F·NumFile S·FileSize N·Entry C·BadEntry B·BadBlock Ke·KeyError D·DroppedEntry L·Level Q·SeqNum T·TimeElapsed
+06:07:10.053360 version@stat F·[1] S·542B[542B] Sc·[0.25]
+06:07:10.053390 db@open opening
+06:07:10.053638 journal@recovery F·1
+06:07:10.074206 journal@recovery recovering @3
+06:07:10.086117 memdb@flush created L0@5 N·10 S·481B "pus..\x00\x00\x00,d31":"rep..e-1,v32"
+06:07:10.086458 version@stat F·[2] S·1023B[1023B] Sc·[0.50]
+06:07:10.101789 db@janitor F·4 G·0
+06:07:10.101835 db@open done T·48.431544ms
+06:08:02.871379 table@compaction L0·2 -> L1·0 S·1023B Q·38
+06:08:02.881473 table@build created L1@8 N·26 S·540B "act..igh,v26":"web..low,v17"
+06:08:02.881540 version@stat F·[0 1] S·540B[0B 540B] Sc·[0.00 0.00]
+06:08:02.884588 table@compaction committed F-1 S-483B Ke·0 D·10 T·6.475575ms
+06:08:02.884685 table@remove removed @5
+06:08:02.884742 table@remove removed @2
+=============== Jun 5, 2026 (UTC) ===============
+06:15:41.517608 log@legend F·NumFile S·FileSize N·Entry C·BadEntry B·BadBlock Ke·KeyError D·DroppedEntry L·Level Q·SeqNum T·TimeElapsed
+06:15:41.518329 version@stat F·[0 1] S·540B[0B 540B] Sc·[0.00 0.00]
+06:15:41.518347 db@open opening
+06:15:41.518566 journal@recovery F·1
+06:15:41.518698 journal@recovery recovering @6
+06:15:41.519169 version@stat F·[0 1] S·540B[0B 540B] Sc·[0.00 0.00]
+06:15:41.530709 db@janitor F·3 G·0
+06:15:41.530767 db@open done T·12.394865ms
+=============== Jun 6, 2026 (UTC) ===============
+17:59:29.033764 log@legend F·NumFile S·FileSize N·Entry C·BadEntry B·BadBlock Ke·KeyError D·DroppedEntry L·Level Q·SeqNum T·TimeElapsed
+17:59:29.039672 version@stat F·[0 1] S·540B[0B 540B] Sc·[0.00 0.00]
+17:59:29.039722 db@open opening
+17:59:29.039998 journal@recovery F·1
+17:59:29.047748 journal@recovery recovering @9
+17:59:29.135240 memdb@flush created L0@11 N·8192 S·161KiB "pus..\x00\x00\x00,d42":"tas..low,v127"
+17:59:29.135554 version@stat F·[1 1] S·162KiB[161KiB 540B] Sc·[0.25 0.00]
+17:59:29.145907 db@janitor F·4 G·0
+17:59:29.145957 db@open done T·106.219042ms
+17:59:59.040390 table@compaction L0·1 -> L1·1 S·162KiB Q·8231
+17:59:59.050857 table@build created L1@14 N·26 S·553B "act..igh,v26":"web..low,v17"
+17:59:59.051123 version@stat F·[0 1] S·553B[0B 553B] Sc·[0.00 0.00]
+17:59:59.061638 table@compaction committed F-1 S-161KiB Ke·0 D·8192 T·20.524711ms
+17:59:59.062513 table@remove removed @11
+17:59:59.062801 table@remove removed @8