backports/signal-desktop: upgrade to 7.22.2

README.md

@@ -18,14 +18,14 @@ Affixed to each repository description is the appropriate link for use in
 
 #### Backports
 ```
-https://ayakael.net/api/packages/forge/alpine/edge/backports
+https://ayakael.net/api/packages/forge/alpine/v3.20/backports
 ```
 
 Aports from the official Alpine repositories backported from edge.
 
 #### User
 ```
-https://ayakael.net/api/packages/forge/alpine/edge/user
+https://ayakael.net/api/packages/forge/alpine/v3.20/backports
 ```
 
 Aports that have yet to be (or may never be) upstreamed to the official
@@ -37,7 +37,7 @@ Add security key of the apk repository to your /etc/apk/keys:
 
 ```shell
 cd /etc/apk/keys
-curl -JO https://ayakael.net/api/packages/forge/alpine/key
+wget https://ayakael.net/pkgs/apk/raw/branch/v3.20/antoine.martin@protonmail.com-5b3109ad.rsa.pub
 ```
 Add repositories that you want to use (see above) to `/etc/apk/repositories`.
 

backports/forgejo-runner/APKBUILD

@@ -0,0 +1,47 @@
+# Contributor: Patrycja Rosa <alpine@ptrcnull.me>
+# Maintainer: Patrycja Rosa <alpine@ptrcnull.me>
+pkgname=forgejo-runner
+pkgver=3.5.0
+pkgrel=2
+pkgdesc="CI/CD job runner for Forgejo"
+url="https://code.forgejo.org/forgejo/runner"
+arch="all"
+license="MIT"
+makedepends="go"
+install="$pkgname.pre-install $pkgname.pre-upgrade"
+subpackages="$pkgname-openrc"
+source="$pkgname-$pkgver.tar.gz::https://code.forgejo.org/forgejo/runner/archive/v$pkgver.tar.gz
+
+	forgejo-runner.logrotate
+	forgejo-runner.initd
+	forgejo-runner.confd
+	"
+builddir="$srcdir/runner"
+options="!check" # tests require running forgejo
+
+build() {
+	go build \
+		-o forgejo-runner \
+		-ldflags "-X gitea.com/gitea/act_runner/internal/pkg/ver.version=$pkgver"
+	./forgejo-runner generate-config > config.example.yaml
+}
+
+check() {
+	go test ./...
+}
+
+package() {
+	install -Dm755 forgejo-runner -t "$pkgdir"/usr/bin/
+	install -Dm644 config.example.yaml -t "$pkgdir"/etc/forgejo-runner/
+
+	install -Dm755 "$srcdir"/forgejo-runner.initd "$pkgdir"/etc/init.d/forgejo-runner
+	install -Dm644 "$srcdir"/forgejo-runner.confd "$pkgdir"/etc/conf.d/forgejo-runner
+	install -Dm644 "$srcdir"/forgejo-runner.logrotate "$pkgdir"/etc/logrotate.d/forgejo-runner
+}
+
+sha512sums="
+e78968a5f9b6e797fb759a5c8cbf46a5c2fef2083dabc88599c9017729faface963576c63a948b0add424cb267902e864fb1a1b619202660296976d93e670713  forgejo-runner-3.5.0.tar.gz
+a3c7238b0c63053325d31e09277edd88690ef5260854517f82d9042d6173fb5d24ebfe36e1d7363673dd8801972638a6e69b6af8ad43debb6057515c73655236  forgejo-runner.logrotate
+bb0c6fbe90109c77f9ef9cb0d35d20b8033be0e4b7a60839b596aa5528dfa24309ec894d8c04066bf8fb30143e63a5fd8cc6fc89aac364422b583e0f840e2da6  forgejo-runner.initd
+e11eab27f88f1181112389befa7de3aa0bac7c26841861918707ede53335535425c805e6682e25704e9c8a6aecba3dc13e20900a99df1183762b012b62f26d5f  forgejo-runner.confd
+"

backports/forgejo-runner/forgejo-runner.confd

@@ -0,0 +1,17 @@
+# Configuration for /etc/init.d/forgejo-runner
+
+# Path to the config file (--config).
+#cfgfile="/etc/forgejo-runner/config.yaml"
+
+# Path to the working directory (--working-directory).
+#datadir="/var/lib/forgejo-runner"
+
+# Path to the log file where stdout/stderr will be redirected.
+# Leave empty/commented out to use syslog instead.
+#output_log="/var/log/forgejo-runner.log"
+
+# You may change this to root, e.g. to run jobs in LXC
+#command_user="forgejo-runner"
+
+# Comment out to run without process supervisor.
+supervisor=supervise-daemon

backports/forgejo-runner/forgejo-runner.initd

@@ -0,0 +1,38 @@
+#!/sbin/openrc-run
+
+description="Forgejo CI Runner"
+name="Forgejo Runner"
+
+: ${cfgfile:="/etc/forgejo-runner/config.yaml"}
+: ${datadir:="/var/lib/forgejo-runner"}
+: ${command_user:="forgejo-runner"}
+
+command="/usr/bin/forgejo-runner"
+command_args="daemon --config $cfgfile"
+command_background="yes"
+directory="$datadir"
+pidfile="/run/$RC_SVCNAME.pid"
+
+depend() {
+	need net
+	use dns logger
+}
+
+start_pre() {
+	checkpath -d -o "$command_user" /etc/forgejo-runner
+	checkpath -d -o "$command_user" "$datadir"
+
+	if ! [ -e "$cfgfile" ]; then
+		eerror "Config file $cfgfile doesn't exist."
+		eerror "You can generate it with: forgejo-runner generate-config,"
+		eerror "or use the auto-generated one in /etc/forgejo-runner/config.example.yaml"
+		return 1
+	fi
+
+	if [ "$error_log" ]; then
+		output_log="$error_log"
+	else
+		output_logger="logger -t '${RC_SVCNAME}' -p daemon.info"
+		error_logger="logger -t '${RC_SVCNAME}' -p daemon.error"
+	fi
+}

backports/forgejo-runner/forgejo-runner.logrotate

@@ -0,0 +1,5 @@
+/var/log/forgejo-runner.log {
+	copytruncate
+	missingok
+	notifempty
+}

backports/forgejo-runner/forgejo-runner.pre-install

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+addgroup -S forgejo-runner 2>/dev/null
+adduser -S -D -H -h /var/lib/forgejo-runner -s /sbin/nologin -G forgejo-runner -g forgejo-runner forgejo-runner 2>/dev/null
+
+cat >&2 <<EOF
+* In order to setup the runner, create a config file
+* in /etc/forgejo-runner/config.yaml (either from .example.yaml,
+* or generating your own with 'forgejo-runner generate-config'),
+* then register it with 'doas -u forgejo-runner forgejo-runner register'
+* ran in the /var/lib/forgejo-runner directory.
+EOF
+
+exit 0

backports/forgejo-runner/forgejo-runner.pre-upgrade

@@ -0,0 +1 @@
+forgejo-runner.pre-install

backports/py3-pyqt6-sip/APKBUILD

@@ -1,36 +0,0 @@
-# Contributor: Rosie K Languet <rkl@rosiesworkshop.net>
-# Maintainer: Rosie K Languet <rkl@rosiesworkshop.net>
-pkgname=py3-pyqt6-sip
-pkgver=13.8.0
-pkgrel=0
-pkgdesc="The sip module support for PyQt6"
-url="https://riverbankcomputing.com/software/sip"
-arch="all"
-license="custom:sip"
-depends="python3"
-makedepends="
-	py3-gpep517
-	py3-setuptools
-	py3-wheel
-	python3-dev
-	"
-source="https://pypi.python.org/packages/source/P/PyQt6-sip/PyQt6_sip-$pkgver.tar.gz"
-options="!check" # No tests
-builddir="$srcdir/PyQt6_sip-$pkgver"
-
-build() {
-	export CFLAGS="$CFLAGS -O2 -flto=auto"
-	export CXXFLAGS="$CXXFLAGS -O2 -flto=auto"
-	gpep517 build-wheel \
-		--wheel-dir .dist \
-		--output-fd 3 3>&1 >&2
-}
-
-package() {
-	python3 -m installer -d "$pkgdir" \
-		.dist/*.whl
-}
-
-sha512sums="
-6947690e61fe65a21f61d034ae9de7b7adb001c59a4a362933c5441648fe27140b43666efa73f981b138cfc73fac72777bb7318b98accc3c7f808687e3fc5d81  PyQt6_sip-13.8.0.tar.gz
-"

backports/py3-qt6/APKBUILD

@@ -1,59 +0,0 @@
-# Contributor: Rosie K Languet <rkl@rosiesworkshop.net>
-# Maintainer: Rosie K Languet <rkl@rosiesworkshop.net>
-pkgname=py3-qt6
-pkgver=6.7.1
-pkgrel=0
-pkgdesc="Python 3 bindings for the Qt toolkit"
-url="https://www.riverbankcomputing.com/software/pyqt/"
-arch="all"
-license="GPL-3.0-only"
-depends="
-	py3-pyqt6-sip
-	python3
-	"
-makedepends="
-	libx11-dev
-	py3-dbus-dev
-	py3-opengl
-	py3-pyqt-builder
-	py3-sip
-	python3-dev
-	qt6-qtbase-dev
-	qt6-qtconnectivity-dev
-	qt6-qtdeclarative-dev
-	qt6-qtmultimedia-dev
-	qt6-qtserialport-dev
-	qt6-qtsvg-dev
-	qt6-qttools-dev
-	qt6-qtwebchannel-dev
-	qt6-qtwebsockets-dev
-	"
-
-subpackages="$pkgname-pyc"
-source="https://pypi.python.org/packages/source/P/PyQt6/PyQt6-$pkgver.tar.gz"
-builddir="$srcdir/PyQt6-$pkgver"
-
-build() {
-	export CFLAGS="$CFLAGS -O2 -flto=auto"
-	export CXXFLAGS="$CXXFLAGS -O2 -flto=auto"
-	sip-build \
-		--confirm-license \
-		--qmake /usr/lib/qt6/bin/qmake \
-		--api-dir /usr/share/qt6/qsci/api/python \
-		--pep484-pyi \
-		--no-make
-	make -C build
-}
-
-check() {
-	make -C build check
-}
-
-package() {
-	make DESTDIR="$pkgdir" INSTALL_ROOT="$pkgdir" -C build install -j1
-	python3 -m compileall -j 0 "$pkgdir"/usr/lib/python3*
-}
-
-sha512sums="
-1e0fec009e1823b06460fd96eddc00ed31388c20f6d832aa0ebaa130baf06d83514df43af7961c3cb2872570d27e539d6db7bf6143ccdfd61a19da7521be2c7e  PyQt6-6.7.1.tar.gz
-"

backports/py3-sip/APKBUILD

@@ -1,38 +0,0 @@
-# Contributor: Francesco Colista <fcolista@alpinelinux.org>
-# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
-pkgname=py3-sip
-pkgver=6.8.6
-pkgrel=0
-pkgdesc="A tool that makes it easy to create Python bindings for C and C++ libraries"
-options="!check" # No testsuite
-url="https://www.riverbankcomputing.com/software/sip/"
-arch="all"
-license="custom:sip"
-depends="
-	py3-packaging
-	py3-ply
-	py3-setuptools
-	py3-toml
-	"
-makedepends="python3-dev py3-gpep517 py3-wheel"
-subpackages="$pkgname-pyc"
-source="https://pypi.python.org/packages/source/s/sip/sip-$pkgver.tar.gz"
-builddir="$srcdir/sip-$pkgver"
-
-replaces="py-sip" # Backwards comptibility
-provides="py-sip=$pkgver-r$pkgrel" # Backwards comptibility
-
-build() {
-	gpep517 build-wheel \
-		--wheel-dir .dist \
-		--output-fd 3 3>&1 >&2
-}
-
-package() {
-	python3 -m installer -d "$pkgdir" \
-		.dist/sip-*.whl
-}
-
-sha512sums="
-c884c58fc51708e2dd247453f2214e6b01d7e1a9a0166b4228feb5d996310ace2665238dde26af34907e596a0a1c710fc130ae79297f430f73f639a3eb781a50  sip-6.8.6.tar.gz
-"

backports/signal-desktop/APKBUILD

@@ -1,7 +1,7 @@
 # Contributor: lauren n. liberda <lauren@selfisekai.rocks>
 # Maintainer: lauren n. liberda <lauren@selfisekai.rocks>
 pkgname=signal-desktop
-pkgver=7.25.0
+pkgver=7.22.2
 pkgrel=0
 pkgdesc="A messaging app for simple private communication with friends"
 url="https://github.com/signalapp/Signal-Desktop/"
@@ -64,17 +64,17 @@ makedepends="
 options="net !check"
 
 # follow signal-desktop package.json -> @signalapp/libsignal-client
-_libsignalver=0.56.1
+_libsignalver=0.55.1
 
 # follow signal-desktop package.json -> @signalapp/ringrtc
-_ringrtcver=2.47.0
+_ringrtcver=2.46.1
 
 # follow ringrtc (on version above) -> config/version.properties -> webrtc.version
 # downloading tarball generated with abuild snapshot (with gclient dependencies fetched)
-_webrtcver=6613a
+_webrtcver=6478j
 
 # follow @signalapp/better-sqlite3 (on version in package.json) -> deps/download.js -> TOKENIZER_VERSION
-# last bsqlite version: 8.8.0
+# last bsqlite version: 8.7.1
 _stokenizerver=0.2.1
 
 source="
@@ -93,6 +93,7 @@ source="
 	webrtc-shared-libs.patch
 	webrtc-compiler.patch
 	webrtc-gcc13.patch
+	webrtc-boringssl-c7019036-do-not-define-crypto_addc.patch
 
 	signal-desktop
 	"
@@ -237,7 +238,7 @@ prepare() {
 				\! -path "*third_party/$_lib/chromium/*" \
 				\! -path "*third_party/$_lib/google/*" \
 				\! -path './base/third_party/icu/*' \
-				\! -path './third_party/re2/*' \
+				\! -path './third_party/libxml/*' \
 				\! -path './third_party/pdfium/third_party/freetype/include/pstables.h' \
 				\! -path './third_party/harfbuzz-ng/utils/hb_scoped.h' \
 				\! -path './third_party/crashpad/crashpad/third_party/zlib/zlib_crashpad.h' \
@@ -463,10 +464,10 @@ package() {
 }
 
 sha512sums="
-ff7c2ad5aee387187e6f95e435f378f478c3b324d199b383677c8b1623af0eb0dec903769b14bce31cb47bbd70be23659ccc2168353bbf31076eb278d61855f4  Signal-Desktop-7.25.0.tar.gz
-d3bfab26254b52b0be12712a895b9bff6268cdb9a052eae0072c4fb2116af86de6e136e3678eb85ca0e0d0b9af8b8f6075f0e4a39bf66c84d16fd4c9cee22bda  libsignal-0.56.1.tar.gz
-7a4bde7723f96b81e87201b917872b0785aa874504d0056ba06ea0b0d693b0ded54774398b72b6027df499e85f54d862b4e11a190beb253810554e21115a4eae  ringrtc-2.47.0.tar.gz
-4d301d48181ef8b1aec5110e9efd0091626193be9e2f9f84169823687ecd443606188c1b95892e362764783f99951df32c02a245f9bb8570e0dd98eef1e04440  webrtc-6613a.tar.zst
+20d09f64ddb8e42f314aa1538df55e4fa18b1b1b647a1434bd38122fe26cbf18c699f81d415e751dbec1888d0eb5020fb366129bf293cd28e26eaacf456bcbfb  Signal-Desktop-7.22.2.tar.gz
+2179eb6862ceb9e3a1df04a4e9b9bb3d64ce84f017d3048f0aaafdd4960843230216443139ff1a8127b6901e9859a2f2ed59e12f2ba9ffc906f79107d7fc161f  libsignal-0.55.1.tar.gz
+c941e7016e96acbba615a9ba12d91882f83b64656b40b6de26e1dc21abf4aea29ed49459c5bd60e43df65a93103cb6878d3d7bb17c597fd88a807c3f6e71c41e  ringrtc-2.46.1.tar.gz
+0de4999800eea98bd38d785fcf6683a6f431f98483ca91dcf8ca721d5eecd197043db564bacd2dc583442fe3b43affda61c02230b044b4d4c05fbb6e11741ea5  webrtc-6478j.tar.zst
 84a1f2fc29262a12842e94698d124a85b823128e72a493b0be8ea92fbb72c5c268499f4a6827cdedaae06ec73cce4039a39fe5c5d536cbef330e59ba0183da28  stokenizer-0.2.1.tar.gz
 be5b4e823543b79175a12314f10c6326d9f0d59f470136962daed4665887006acc05b48b40dc1b67747396d8f6f7d23be298c1e110ccdd35ff9b09d5e6b80bab  bettersqlite-use-system-sqlcipher.patch
 2e5fadff725f1d62e7134c8929c672ec88cae602b065480f1b799d34160daa0cb1ad0f5511e60676f81464ae8752c3bec7b3d7bc5a432533be004b4d20ac32c2  libsignal-auditable.patch
@@ -474,8 +475,9 @@ be5b4e823543b79175a12314f10c6326d9f0d59f470136962daed4665887006acc05b48b40dc1b67
 d50eb5724502df9ea4d795db8cfc27af767c25168d7db2af512e615be7cc2ca290210a9ae78e1abb153c0198677e858ad3d74926c958099d0319295e7d9e7f1d  signal-update-links.patch
 bfc8acdd13aa48d29c7657311733cc9d33c4899782efbd1ef6d25ad1698be4de7cc67e829324bc0309715d69ae37ea9f782cf54887317e817213e110d73d68e7  signal-show-window-please.patch
 b11fdd930943ca327650e4738ed85cd6b5eea779455a5895bccebba98e449bafc6b0f09bcf4545f2b2e16644355664e9768dd6d4d62f87619207c430367f72c5  ringrtc-webrtc-renamed.patch
-0888673ba687747beda61cd50efbc25095f4a3d26f1dd58bf003e3a0bf1d302c3f2ebd1deecf630fbf04aedb7b8cd409e9efda4d1e6fda63234c9a9b9755bff4  webrtc-shared-libs.patch
+f4e80ed7e67b98d6988c69ab5025286be17db29dc90f90bf837133cd8ae737f46293e6a2432b02f98c300ed461653b5a66801ff957a418c6a7c33877e3fe0443  webrtc-shared-libs.patch
 e07ae8544988d402aaf0fbd95ea36a64c94c59566c561132578aa6dcf8ff11a34058530e64dc204e5cadc2482f1401e74b32384a144e5e08017c663d0cf7c2fc  webrtc-compiler.patch
 88515d8b8cc82355c9f9b0f44fac83b7ff149b13e9fb102fd46036ec5234cfb2385fa5ad58a0520ee604b93dc4ddd6ae18a7005978ef207841645724ef7a9749  webrtc-gcc13.patch
+2721dce75ed1b6cd8bff129cd90d05ea07ce61cafd9145913748cb1f4e58d4c042c3c43efc578ad84e15624937b7ed67b8d5fec3d764e7feb26ff28f86cacd77  webrtc-boringssl-c7019036-do-not-define-crypto_addc.patch
 87534e7b5ad7365509eab75629e6bd1a9ed61ee92f7e358405a0abaf0df57de14623fb3894eb082f8785422e5c087e1c50f9e2e5cafbb2529591fd7bf447f7f5  signal-desktop
 "

backports/signal-desktop/webrtc-boringssl-c7019036-do-not-define-crypto_addc.patch

@@ -0,0 +1,25 @@
+diff --git a/third_party/boringssl/src/crypto/internal.h b/third_party/boringssl/src/crypto/internal.h
+index a77102d76..a45f97bcc 100644
+--- a/third_party/boringssl/src/crypto/internal.h
++++ b/third_party/boringssl/src/crypto/internal.h
+@@ -1174,6 +1174,11 @@ static inline uint64_t CRYPTO_rotr_u64(uint64_t value, int shift) {
+ 
+ // Arithmetic functions.
+ 
++// The most efficient versions of these functions on GCC and Clang depend on C11
++// |_Generic|. If we ever need to call these from C++, we'll need to add a
++// variant that uses C++ overloads instead.
++#if !defined(__cplusplus)
++
+ // CRYPTO_addc_* returns |x + y + carry|, and sets |*out_carry| to the carry
+ // bit. |carry| must be zero or one.
+ #if OPENSSL_HAS_BUILTIN(__builtin_addc)
+@@ -1275,6 +1280,8 @@ static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,
+ #define CRYPTO_subc_w CRYPTO_subc_u32
+ #endif
+ 
++#endif  // !__cplusplus
++
+ 
+ // FIPS functions.
+ 

backports/signal-desktop/webrtc-shared-libs.patch

@@ -38,27 +38,3 @@ index 14089f0..b7dc621 100644
    ]
  }
  
-diff --git a/third_party/googletest/BUILD.gn.orig b/third_party/googletest/BUILD.gn
-index b7dc621..367f929 100644
---- a/third_party/googletest/BUILD.gn.orig
-+++ b/third_party/googletest/BUILD.gn
-@@ -133,7 +133,6 @@ source_set("gtest") {
- 
-   # googletest only needs `absl`, but this makes gn check happier.
-   deps = [ "//third_party/abseil-cpp:absl_full" ]
--  public_deps = [ "//third_party/re2" ]
-   if (is_nacl || !build_with_chromium) {
-     defines += [ "GTEST_DISABLE_PRINT_STACK_TRACE" ]
-     sources -= [
-diff --git a/third_party/fuzztest/BUILD.gn.orig b/third_party/fuzztest/BUILD.gn
-index 57ee790..ba1d297 100644
---- a/third_party/fuzztest/BUILD.gn.orig
-+++ b/third_party/fuzztest/BUILD.gn
-@@ -309,7 +309,6 @@ source_set("fuzztest_internal") {
-     # For RE2 mutators. It's questionable whether we want to pull this library
-     # into every fuzztest target, but this is the approach used in other
-     # fuzztest contexts so we'll do the same
--    "//third_party/re2",
- 
-     # For protobuf mutators
-     "$protobuf_target_prefix:protobuf_lite",

user/authentik/APKBUILD

@@ -0,0 +1,258 @@
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+pkgname=authentik
+pkgver=2024.4.3
+pkgrel=1
+pkgdesc="An open-source Identity Provider focused on flexibility and versatility"
+url="https://github.com/goauthentik/authentik"
+# s390x: missing py3-celery py3-flower and py3-kombu
+# armhf/armv7/x86: out of memory error when building goauthentik
+# ppc64le: not supported by Rollup build
+arch="aarch64 x86_64"
+license="MIT"
+depends="
+	libcap-setcap
+	nginx
+	postgresql
+	procps
+	pwgen
+	py3-aiohttp
+	py3-aiosignal
+	py3-amqp
+	py3-anyio
+	py3-asgiref
+	py3-asn1
+	py3-asn1crypto
+	py3-async-timeout
+	py3-attrs
+	py3-autobahn
+	py3-automat
+	py3-bcrypt
+	py3-billiard
+	py3-cachetools
+	py3-cbor2
+	py3-celery
+	py3-certifi
+	py3-cffi
+	py3-channels
+	py3-channels_redis
+	py3-charset-normalizer
+	py3-click
+	py3-click-didyoumean
+	py3-click-plugins
+	py3-click-repl
+	py3-codespell
+	py3-colorama
+	py3-constantly
+	py3-cparser
+	py3-cryptography
+	py3-dacite
+	py3-daphne
+	py3-dateutil
+	py3-deepmerge
+	py3-defusedxml
+	py3-deprecated
+	py3-dnspython
+	py3-django
+	py3-django-filter
+	py3-django-guardian
+	py3-django-model-utils
+	py3-django-otp
+	py3-django-prometheus
+	py3-django-redis
+	py3-django-rest-framework~=3.14.0
+	py3-django-rest-framework-guardian
+	py3-django-storages
+	py3-django-tenants
+	py3-docker-py
+	py3-dotenv
+	py3-dumb-init
+	py3-duo_client
+	py3-drf-spectacular
+	py3-email-validator
+	py3-facebook-sdk
+	py3-fido2
+	py3-flower
+	py3-frozenlist
+	py3-geoip2
+	py3-google-auth
+	py3-gunicorn
+	py3-h11
+	py3-httptools
+	py3-humanize
+	py3-hyperlink
+	py3-idna
+	py3-incremental
+	py3-inflection
+	py3-jsonschema
+	py3-jsonpatch
+	py3-jwt
+	py3-kombu
+	py3-kubernetes
+	py3-ldap3
+	py3-lxml
+	py3-maxminddb
+	py3-msgpack
+	py3-multidict
+	py3-oauthlib
+	py3-opencontainers
+	py3-openssl
+	py3-packaging
+	py3-paramiko
+	py3-parsing
+	py3-prometheus-client
+	py3-prompt_toolkit
+	py3-psycopg
+	py3-psycopg-c
+	py3-pydantic-scim
+	py3-pynacl
+	py3-pyrsistent
+	py3-python-jwt
+	py3-redis
+	py3-requests
+	py3-requests-oauthlib
+	py3-rsa
+	py3-scim2-filter-parser
+	py3-setproctitle
+	py3-sentry-sdk
+	py3-service_identity
+	py3-setuptools
+	py3-six
+	py3-sniffio
+	py3-sqlparse
+	py3-structlog
+	py3-swagger-spec-validator
+	py3-tornado
+	py3-twilio
+	py3-twisted
+	py3-txaio
+	py3-tenant-schemas-celery
+	py3-typing-extensions
+	py3-tz
+	py3-ua-parser
+	py3-uritemplate
+	py3-urllib3-secure-extra
+	py3-uvloop
+	py3-vine
+	py3-watchdog
+	py3-watchfiles
+	py3-wcwidth
+	py3-webauthn
+	py3-websocket-client
+	py3-websockets
+	py3-wrapt
+	py3-wsproto
+	py3-xmlsec
+	py3-yaml
+	py3-yarl
+	py3-zope-interface
+	py3-zxcvbn
+	redis
+	uvicorn
+	"
+makedepends="go npm"
+# checkdepends scooped up by poetry due to number
+checkdepends="poetry py3-coverage"
+# tests disabled for now
+options="!check"
+install="$pkgname.post-install $pkgname.post-upgrade $pkgname.pre-install"
+source="
+	$pkgname-$pkgver.tar.gz::https://github.com/goauthentik/authentik/archive/refs/tags/version/$pkgver.tar.gz
+	authentik.openrc
+	authentik-worker.openrc
+	authentik-ldap.openrc
+	authentik-ldap.conf
+	authentik-manage.sh
+	fix-ak-bash.patch
+	root-settings-csrf_trusted_origins.patch
+	"
+builddir="$srcdir/"authentik-version-$pkgver
+subpackages="$pkgname-openrc $pkgname-doc"
+pkgusers="authentik"
+pkggroups="authentik"
+
+export GOPATH=$srcdir/go
+export GOCACHE=$srcdir/go-build
+export GOTMPDIR=$srcdir
+
+build() {
+	msg "Building authentik-ldap"
+	go build -o ldap cmd/ldap/main.go
+	msg "Building authentik-proxy"
+	go build -o proxy cmd/proxy/main.go
+	msg "Building authentik-radius"
+	go build -o radius cmd/proxy/main.go
+	msg "Building authentik-server"
+	go build -o server cmd/server/*.go
+
+	msg "Building authentik-web"
+	cd web
+	npm ci --no-audit
+	npm run build
+	cd ..
+
+	msg "Building website"
+	cd website
+	npm ci --no-audit
+	npm run build
+}
+
+package() {
+	msg "Packaging $pkgname"
+	mkdir -p "$pkgdir"/usr/share/webapps/authentik/web
+	mkdir -p "$pkgdir"/usr/share/webapps/authentik/website
+	mkdir -p "$pkgdir"/var/lib/authentik
+	mkdir -p "$pkgdir"/usr/share/doc
+	mkdir -p "$pkgdir"/usr/bin
+	cp -dr "$builddir"/authentik "$pkgdir"/usr/share/webapps/authentik
+	cp -dr "$builddir"/web/dist "$pkgdir"/usr/share/webapps/authentik/web/dist
+	cp -dr "$builddir"/web/authentik "$pkgdir"/usr/share/webapps/authentik/web/authentik
+	cp -dr "$builddir"/website/build "$pkgdir"/usr/share/doc/authentik
+	cp -dr "$builddir"/tests "$pkgdir"/usr/share/webapps/authentik/tests
+	cp -dr "$builddir"/lifecycle "$pkgdir"/usr/share/webapps/authentik/lifecycle
+	cp -dr "$builddir"/locale "$pkgdir"/usr/share/webapps/authentik/locale
+	cp -dr "$builddir"/blueprints "$pkgdir"/var/lib/authentik/blueprints
+	install -Dm755 "$builddir"/manage.py "$pkgdir"/usr/share/webapps/authentik/manage.py
+	install -Dm755 "$builddir"/server "$pkgdir"/usr/share/webapps/authentik/server
+	ln -s "/etc/authentik/config.yml" "$pkgdir"/usr/share/webapps/authentik/local.env.yml
+
+	install -Dm755 "$builddir"/proxy "$pkgdir"/usr/bin/authentik-proxy
+	install -Dm755 "$builddir"/ldap "$pkgdir"/usr/bin/authentik-ldap
+	install -Dm755 "$builddir"/radius "$pkgdir"/usr/bin/authentik-radius
+
+	install -Dm755 "$srcdir"/$pkgname.openrc \
+		"$pkgdir"/etc/init.d/$pkgname
+	install -Dm755 "$srcdir"/$pkgname-worker.openrc \
+		"$pkgdir"/etc/init.d/$pkgname-worker
+	install -Dm755 "$srcdir"/$pkgname-ldap.openrc \
+		"$pkgdir"/etc/init.d/$pkgname-ldap
+	install -Dm640 "$srcdir"/$pkgname-ldap.conf \
+		"$pkgdir"/etc/conf.d/$pkgname-ldap
+	install -Dm640 "$builddir"/authentik/lib/default.yml \
+		"$pkgdir"/etc/authentik/config.yml
+	chown root:www-data "$pkgdir"/etc/authentik/config.yml
+
+	mv "$pkgdir"/usr/share/webapps/authentik/web/dist/custom.css "$pkgdir"/etc/authentik/custom.css
+	ln -s "/etc/authentik/custom.css" "$pkgdir"/usr/share/webapps/authentik/web/dist/custom.css
+	chown root:www-data "$pkgdir"/etc/authentik/custom.css
+
+	sed -i 's|cert_discovery_dir.*|cert_discovery_dir: /var/lib/authentik/certs|' "$pkgdir"/etc/authentik/config.yml
+	sed -i 's|blueprints_dir.*|blueprints_dir: /var/lib/authentik/blueprints|' "$pkgdir"/etc/authentik/config.yml
+	sed -i 's|template_dir.*|template_dir: /var/lib/authentik/templates|' "$pkgdir"/etc/authentik/config.yml
+	printf "\ncsrf:\n  trusted_origins: ['auth.example.com']" >> "$pkgdir"/etc/authentik/config.yml
+	printf "\nsecret_key: '@@SECRET_KEY@@'" >> "$pkgdir"/etc/authentik/config.yml
+
+	# Install wrapper script to /usr/bin.
+	install -m755 -D "$srcdir"/authentik-manage.sh "$pkgdir"/usr/bin/authentik-manage
+}
+
+sha512sums="
+121ed925d81a5cb2a14fed8ec8b324352e40b1fcbba83573bfdc1d1f66a91d9670cd64d7ef752c8a2df6c34fc3e19e8aec5c6752d33e87b487a462a590212ab0  authentik-2024.4.3.tar.gz
+4defb4fe3a4230f4aa517fbecd5e5b8bcef2a64e1b40615660ae9eec33597310a09df5e126f4d39ce7764bd1716c0a7040637699135c103cbc1879593c6c06f1  authentik.openrc
+6cb03b9b69df39bb4539fe05c966536314d766b2e9307a92d87070ba5f5b7e7ab70f1b5ee1ab3c0c50c23454f9c5a4caec29e63fdf411bbb7a124ad687569b89  authentik-worker.openrc
+351e6920d987861f8bf0d7ab2f942db716a8dbdad1f690ac662a6ef29ac0fd46cf817cf557de08f1c024703503d36bc8b46f0d9eb1ecaeb399dce4c3bb527d17  authentik-ldap.openrc
+89ee5f0ffdade1c153f3a56ff75b25a7104aa81d8c7a97802a8f4b0eab34850cee39f874dabe0f3c6da3f71d6a0f938f5e8904169e8cdd34d407c8984adee6b0  authentik-ldap.conf
+f1a3cb215b6210fa7d857a452a9f2bc4dc0520e49b9fa7027547cff093d740a7e2548f1bf1f8831f7d5ccb80c8e523ee0c8bafcc4dc42d2788725f2137d21bee  authentik-manage.sh
+3e47db684a3f353dcecdb7bab8836b9d5198766735d77f676a51d952141a0cf9903fcb92e6306c48d2522d7a1f3028b37247fdc1dc74d4d6e043da7eb4f36d49  fix-ak-bash.patch
+5c60e54b6a7829d611af66f5cb8184a002b5ae927efbd024c054a7c176fcb9efcfbe5685279ffcf0390b0f0abb3bb03e02782c6867c2b38d1ad2d508aae83fa0  root-settings-csrf_trusted_origins.patch
+"

user/authentik/authentik-ldap.conf

@@ -0,0 +1,3 @@
+AUTHENTIK_HOST=https://example.com
+AUTHENTIK_TOKEN=your-authentik-token
+AUTHENTIK_INSECURE=true

user/authentik/authentik-ldap.openrc

@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+  
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/authentik"
+command="/usr/bin/authentik-ldap"
+command_user="authentik"
+command_group="authentik"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/authentik/$RC_SVCNAME.log"
+error_log="/var/log/authentik/$RC_SVCNAME.err"
+
+depend() {
+        need authentik
+}
+
+start_pre() {
+	cd "$working_directory"
+        checkpath --directory --owner $command_user:$command_group --mode 0775 \
+                /var/log/authentik
+	export AUTHENTIK_HOST AUTHENTIK_TOKEN AUTHENTIK_INSECURE AUTHENTIK_DEBUG
+}

user/authentik/authentik-manage.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+BUNDLE_DIR='/usr/share/webapps/authentik'
+
+cd $BUNDLE_DIR
+
+if [ "$(id -un)" != 'authentik' ]; then
+	exec su authentik -c '"$0" "$@"' -- ./manage.py "$@"
+else
+	exec ./manage.py "$@"
+fi

user/authentik/authentik-worker.openrc

@@ -0,0 +1,32 @@
+#!/sbin/openrc-run
+  
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME.conf"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/authentik"
+command="/usr/bin/authentik-manage"
+command_args="worker"
+command_user="authentik"
+command_group="authentik"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/authentik/$RC_SVCNAME.log"
+error_log="/var/log/authentik/$RC_SVCNAME.err"
+
+depend() {
+        need redis
+        need postgresql
+}
+
+start_pre() {
+	cd "$working_directory"
+        checkpath --directory --owner $command_user:$command_group --mode 0775 \
+                /var/log/authentik \
+                /var/lib/authentik/certs \
+                /var/lib/authentik/blueprints
+}
+
+stop_pre() {
+	ebegin "Killing child processes"
+	kill $(ps -o pid= --ppid $(cat $pidfile)) || true
+}

user/authentik/authentik.openrc

@@ -0,0 +1,30 @@
+#!/sbin/openrc-run
+  
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME.conf"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/authentik"
+command="/usr/share/webapps/authentik/server"
+command_user="authentik"
+command_group="authentik"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/authentik/$RC_SVCNAME.log"
+error_log="/var/log/authentik/$RC_SVCNAME.err"
+
+depend() {
+        need redis
+        need postgresql
+}
+
+start_pre() {
+	cd "$working_directory"
+        checkpath --directory --owner $command_user:$command_group --mode 0775 \
+                /var/log/authentik \
+                /var/lib/authentik/certs
+}
+
+stop_pre() {
+	ebegin "Killing child processes"
+	kill $(ps -o pid= --ppid $(cat $pidfile)) || true
+}

user/authentik/authentik.post-install

@@ -0,0 +1,39 @@
+#!/bin/sh
+set -eu
+
+group=authentik
+config_file='/etc/authentik/config.yml'
+
+setcap 'cap_net_bind_service=+ep' /usr/share/webapps/authentik/server
+
+if [ $(grep '@@SECRET_KEY@@' "$config_file") ]; then
+	echo "* Generating random secret in $config_file" >&2
+
+	secret_key="$(pwgen -s 50 1)"
+	sed -i "s|@@SECRET_KEY@@|$secret_key|" "$config_file"
+	chown root:$group "$config_file"
+fi
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* To finish Authentik upgrade run:
+	*
+	*     authentik-manage migrate
+	*
+	EOF
+else
+	cat >&2 <<-EOF
+	*
+	* 1. Adjust settings in /etc/authentik/config.yml.
+	*
+	* 2. Create database for Authentik:
+	*
+	*     psql -c "CREATE ROLE authentik PASSWORD 'top-secret' INHERIT LOGIN;"
+	*     psql -c "CREATE DATABASE authentik OWNER authentik ENCODING 'UTF-8';"
+	*
+	* 3. Run "authentik-manage migrate"
+	* 4. Setup admin user at https://<your server>/if/flow/initial-setup/
+	*
+	EOF
+fi

user/authentik/authentik.post-upgrade

@@ -0,0 +1 @@
+authentik.post-install

user/authentik/authentik.pre-install

@@ -0,0 +1,26 @@
+#!/bin/sh
+# It's very important to set user/group correctly.
+
+authentik_dir='/var/lib/authentik'
+
+if ! getent group authentik 1>/dev/null; then
+	echo '* Creating group authentik' 1>&2
+
+	addgroup -S authentik
+fi
+
+if ! id authentik 2>/dev/null 1>&2; then
+	echo '* Creating user authentik' 1>&2
+
+	adduser -DHS -G authentik -h "$authentik_dir" -s /bin/sh  \
+		-g "added by apk for authentik" authentik
+	passwd -u authentik 1>/dev/null  # unlock
+fi
+
+if ! id -Gn authentik | grep -Fq redis; then
+	echo '* Adding user authentik to group redis' 1>&2
+
+	addgroup authentik redis
+fi
+
+exit 0

user/authentik/fix-ak-bash.patch

@@ -0,0 +1,10 @@
+diff --git a/lifecycle/ak.orig b/lifecycle/ak
+index 615bfe9..1646274 100755
+--- a/lifecycle/ak.orig
++++ b/lifecycle/ak
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env -S bash -e
++#!/usr/bin/env bash
+ MODE_FILE="${TMPDIR}/authentik-mode"
+ 
+ function log {

user/authentik/root-settings-csrf_trusted_origins.patch

@@ -0,0 +1,12 @@
+diff --git a/authentik/root/settings.py b/authentik/root/settings.py
+index 15e689b06..8b0c1d744 100644
+--- a/authentik/root/settings.py
++++ b/authentik/root/settings.py
+@@ -33,6 +33,7 @@ AUTH_USER_MODEL = "authentik_core.User"
+ 
+ CSRF_COOKIE_NAME = "authentik_csrf"
+ CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
++CSRF_TRUSTED_ORIGINS = CONFIG.get("csrf.trusted_origins")
+ LANGUAGE_COOKIE_NAME = "authentik_language"
+ SESSION_COOKIE_NAME = "authentik_session"
+ SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)

user/forgejo-aneksajo/APKBUILD

@@ -4,7 +4,7 @@
 # Contributor: Patrycja Rosa <alpine@ptrcnull.me>
 # Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
 pkgname=forgejo-aneksajo
-pkgver=8.0.1
+pkgver=8.0.0
 _gittag=v$pkgver-git-annex0
 pkgrel=0
 pkgdesc="Self-hosted Git service written in Go with git-annex support"
@@ -106,7 +106,7 @@ package() {
 }
 
 sha512sums="
-d8e273d369c934eec7ff84795cd0d896cda53bc1a2d17f610dd8476ff92dc50c4a24c4598366ef8aac3be52ddef6630489043183085334376c30bc5d4d5f15c2  forgejo-aneksajo-v8.0.1-git-annex0.tar.gz
+6836da3996a4bc51c88d82afcffbcd30965111a41d2cdf91d9539b0f0a4832496ed071b52e6eedf2eeaec7623a32aec3a3fdd1dedefedf5c2323690bd1f60937  forgejo-aneksajo-v8.0.0-git-annex0.tar.gz
 eb93a9f6c8f204de5c813f58727015f53f9feaab546589e016c60743131559f04fc1518f487b6d2a0e7fa8fab6d4a67cd0cd9713a7ccd9dec767a8c1ddebe129  forgejo-aneksajo.initd
 b537b41b6b3a945274a6028800f39787b48c318425a37cf5d40ace0d1b305444fd07f17b4acafcd31a629bedd7d008b0bb3e30f82ffeb3d7e7e947bdbe0ff4f3  forgejo-aneksajo.ini
 "

user/freescout/APKBUILD

@@ -0,0 +1,82 @@
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+pkgname=freescout
+pkgver=1.8.139
+pkgrel=0
+pkgdesc="Free self-hosted help desk & shared mailbox"
+arch="noarch"
+url="freescout.net"
+license="AGPL-3.0"
+_php=php83
+_php_mods="-fpm -mbstring -xml -imap -zip -gd -curl -intl -tokenizer -pdo_pgsql -openssl -session -iconv -fileinfo -dom -pcntl"
+depends="$_php ${_php_mods//-/$_php-} nginx postgresql pwgen"
+makedepends="composer pcre"
+install="$pkgname.post-install $pkgname.post-upgrade $pkgname.pre-install"
+source="
+	$pkgname-$pkgver.tar.gz::https://github.com/freescout-helpdesk/freescout/archive/refs/tags/$pkgver.tar.gz
+	freescout.nginx
+	freescout-manage.sh
+	rename-client-to-membre-fr-en.patch
+	"
+pkgusers="freescout"
+pkggroups="freescout"
+
+build() {
+	composer install --ignore-platform-reqs
+}
+
+package() {
+	local logdir="/var/log/$pkgname"
+	local datadir="/var/lib/$pkgname"
+	local wwwdir="/usr/share/webapps/$pkgname"
+	local confdir="/etc/$pkgname"
+
+	# Make directories
+	install -dm 755 \
+		"$pkgdir"/$wwwdir \
+		"$pkgdir"/$confdir \
+		"$pkgdir"/$logdir \
+		"$pkgdir"/$datadir
+
+	# Copy and ln operations
+	cp $builddir/* -R "$pkgdir"/$wwwdir/.
+	for i in storage/app storage/framework bootstrap/cache \
+		public/css/builds public/js/builds public/modules Modules; do
+
+		if [ -d "$pkgdir"$wwwdir/$i ]; then
+			if [ ! -d "$pkgdir"/$datadir/${i%/*} ]; then
+				mkdir -p "$pkgdir"/$datadir/${i%/*}
+			fi
+			mv "$pkgdir"$wwwdir/$i "$pkgdir"/$datadir/$i
+		else
+			mkdir -p "$pkgdir"/$datadir/$i
+		fi
+		ln -s $datadir/$i "$pkgdir"/$wwwdir/$i
+	done
+	ln -s /etc/freescout/freescout.conf "$pkgdir"/usr/share/webapps/freescout/.env
+	ln -s $wwwdir/storage/app/public "$pkgdir"/$wwwdir/public/storage
+
+	# log dir
+	rm -R "$pkgdir"/$wwwdir/storage/logs
+	ln -s "$logdir" "$pkgdir"/$wwwdir/storage/logs
+
+	# Permission settings
+	chown -R freescout:www-data "$pkgdir"/$datadir "$pkgdir"/$logdir
+
+	# config files
+	install -Dm644 "$srcdir"/freescout.nginx \
+		"$pkgdir"/etc/nginx/http.d/freescout.conf
+	install -Dm640 "$builddir"/.env.example \
+		"$pkgdir"/etc/freescout/freescout.conf
+	sed -i 's|APP_KEY.*|APP_KEY=@@SECRET_KEY@@|' "$pkgdir"/etc/freescout/freescout.conf
+	chown root:www-data "$pkgdir"/etc/freescout/freescout.conf
+
+	# Install wrapper script to /usr/bin.
+	install -m755 -D "$srcdir"/freescout-manage.sh "$pkgdir"/usr/bin/freescout-manage
+}
+sha512sums="
+11d81fa670bd67a7db9f5bff3a067a1d1cf3c812a34c805a3fc83edc978ded3accc8334581eca1e73cf0ad95f8e289278add57de096528728e2989135b3057a3  freescout-1.8.139.tar.gz
+e4af6c85dc12f694bef2a02e4664e31ed50b2c109914d7ffad5001c2bbd764ef25b17ecaa59ff55ef41bccf17169bf910d1a08888364bdedd0ecc54d310e661f  freescout.nginx
+7ce9b3ee3a979db44f5e6d7daa69431e04a5281f364ae7be23e5a0a0547f96abc858d2a8010346be2fb99bd2355fb529e7030ed20d54f310249e61ed5db4d0ba  freescout-manage.sh
+3416da98d71aea5a7093913ea34e783e21ff05dca90bdc5ff3d00c548db5889f6d0ec98441cd65ab9f590be5cd59fdd0d7f1c98b5deef7bb3adbc8db435ec9bf  rename-client-to-membre-fr-en.patch
+"

user/freescout/freescout-manage.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+BUNDLE_DIR='/usr/share/webapps/freescout'
+
+cd $BUNDLE_DIR
+
+if [ "$(id -un)" != 'freescout' ]; then
+	exec su freescout -c '"$0" "$@"' -- php artisan "$@"
+else
+	exec php artisan "$@"
+fi

user/freescout/freescout.nginx

@@ -0,0 +1,56 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name example.com www.example.com;
+
+    root /usr/share/webapps/freescout/public;
+
+    index index.php index.html index.htm;
+
+    error_log /var/www/html/storage/logs/web-server.log;
+
+    # Max. attachment size.
+    # It must be also set in PHP.ini via "upload_max_filesize" and "post_max_size" directives.
+    client_max_body_size 20M;
+
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+    location ~ \.php$ {
+	fastcgi_split_path_info ^(.+\.php)(/.+)$;
+	fastcgi_pass unix:/run/php/php8.0-fpm.sock;
+	fastcgi_index index.php;
+	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+	include fastcgi_params;
+    }
+    # Uncomment this location if you want to improve attachments downloading speed.
+    # Also make sure to set APP_DOWNLOAD_ATTACHMENTS_VIA=nginx in the .env file.
+    #location ^~ /storage/app/attachment/ {
+    #    internal;
+    #    alias /var/www/html/storage/app/attachment/;
+    #}
+    location ~* ^/storage/attachment/ {
+        expires 1M;
+        access_log off;
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+    location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
+        expires 2d;
+        access_log off;
+        add_header Cache-Control "public, must-revalidate";
+    }
+    # The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
+    location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
+        add_header Content-disposition "attachment; filename=$2";
+        default_type application/octet-stream;
+    }	
+    location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\]+\..*)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+    }
+    location ~ /\. {
+        deny  all;
+    }
+}

user/freescout/freescout.post-install

@@ -0,0 +1,48 @@
+#!/bin/sh
+set -eu
+
+group=www-data
+config_file='/etc/freescout/freescout.conf'
+
+if [ $(grep '@@SECRET_KEY@@' "$config_file") ]; then
+	echo "* Generating random secret in $config_file" >&2
+
+	secret_key="$(freescout-manage key:generate --show)"
+	sed -i "s|@@SECRET_KEY@@|$secret_key|" "$config_file"
+fi
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* To finish Freescout upgrade run:
+	*
+	*     freescout-manage freescout:after-app-update
+	*
+	EOF
+else
+	cat >&2 <<-EOF
+	*
+	* 1. Adjust settings in /etc/freescout/freescout.conf
+	*
+	* 2. Make sure cgi.fix_pathinfo=0 is set in /etc/php8x/php.ini is set
+	*
+	* 3. Create database for Freescout:
+	*
+	*     psql -c "CREATE ROLE freescout PASSWORD 'top-secret' INHERIT LOGIN;"
+	*     psql -c "CREATE DATABASE freescout OWNER freescout ENCODING 'UTF-8';"
+	*
+	* 4. Clear application cache and apply .env file changes:
+	*    
+	*     freescout-manage freescout:clear-cache
+	* 
+	* 5. Create tables:
+	*
+	*     freescout-manage migrate
+	*
+	* 6. Create admin user
+	*
+	*     freescout-manage freescout:create-user
+	*
+	EOF
+fi
+

user/freescout/freescout.post-upgrade

@@ -0,0 +1 @@
+freescout.post-install

user/freescout/freescout.pre-install

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+freescout_dir='/var/lib/freescout'
+
+if ! getent group freescout 1>/dev/null; then
+	echo '* Creating group freescout' 1>&2
+
+	addgroup -S freescout
+fi
+
+if ! id freescout 2>/dev/null 1>&2; then
+	echo '* Creating user freescout' 1>&2
+
+	adduser -DHS -G freescout -h "$freescout_dir" -s /bin/sh  \
+		-g "added by apk for freescout" freescout
+	passwd -u freescout 1>/dev/null  # unlock
+fi
+
+if ! id -Gn freescout | grep -Fq www-data; then
+	echo '* Adding user freescout to group www-data' 1>&2
+
+	addgroup freescout www-data
+fi
+
+exit 0

user/freescout/rename-client-to-membre-fr-en.patch

@@ -0,0 +1,220 @@
+diff --git a/resources/lang/en.json b/resources/lang/en.json
+new file mode 100644
+index 00000000..82d26052
+--- /dev/null
++++ b/resources/lang/en.json
+@@ -0,0 +1,32 @@
++{
++    ":person changed the customer to :customer": ":person changed the member to :customer",
++    ":person changed the customer to :customer in conversation #:conversation_number": ":person changed the member to :customer in conversation #:conversation_number",
++    "Auto reply to customer": "Auto reply to member",
++    "Change Customer": "Change Member",
++    "Change the customer to :customer_email?": "Change the member to :customer_email?",
++    "Create a new customer": "Create a new member",
++    "Customer": "Member",
++    "Customer Name": "Member Name",
++    "Customer Profile": "Member Profile",
++    "Customer changed": "Member changed",
++    "Customer saved successfully.": "Member saved successfully",
++    "Customer viewed :when": "Member viewed :when",
++    "Customers": "Members",
++    "Customers email this address for help (e.g. support@domain.com)": "Members email this address for help (e.g. support@domain.com)",
++    "Email :tag_email_begin:email:tag_email_end has been moved from another customer:  :a_begin:customer:a_end.": "Email :tag_email_begin:email:tag_email_end has been moved from another member: :a_begin:customer:a_end.",
++    "Email to customer": "Email to member",
++    "Emails to Customers": "Emails to Members",
++    "Error sending email to customer": "Error sending email to member",
++    "Message not sent to customer": "Message not sent to member",
++    "Name that will appear in the <strong>From<\/strong> field when a customer views your email.": "Name that will appear in the <strong>From<\/strong> field when a member views your email.",
++    "No customers found": "No members found",
++    "No customers found. Would you like to create one?": "No members found. Would you like to create one?",
++    "Notify :person when a customer replies…": "Notify :person when a member replies…",
++    "Notify me when a customer replies…": "Notify me when a member replies…",
++    "Search for a customer by name or email": "Search for a member by name or email",
++    "Sending emails need to be configured for the mailbox in order to send emails to customers and support agents": "Sending emails need to be configured for the mailbox in order to send emails to members and support agents",
++    "This number is not visible to customers. It is only used to track conversations within :app_name": "This number is not visible to members. It is only used to track conversations within :app_name",
++    "This reply will go to the customer. :%switch_start%Switch to a note:switch_end if you are replying to :user_name.": "This reply will go to the member. :%switch_start%Switch to a note:switch_end if you are replying to :user_name.",
++    "This text will be added to the beginning of each email reply sent to a customer.": "This text will be added to the beginning of each email reply sent to a member.",
++    "When a customer emails this mailbox, application can send an auto reply to the customer immediately.<br\/><br\/>Only one auto reply is sent per new conversation.": "When a member emails this mailbox, application can send an auto reply to the member immediately.<br\/><br\/>Only one auto reply is sent per new conversation."
++}
+\ No newline at end of file
+diff --git a/resources/lang/fr.json.orig b/resources/lang/fr.json
+index ff8d9d4..98d158f 100644
+--- a/resources/lang/fr.json.orig
++++ b/resources/lang/fr.json
+@@ -26,8 +26,8 @@
+     ":person added a note to conversation #:conversation_number": ":person a ajouté une note à la conversation #:conversation_number",
+     ":person assigned :assignee conversation #:conversation_number": ":person a assigné :assignee à la conversation #:conversation_number",
+     ":person assigned to :assignee": ":person a assigné :assignee",
+-    ":person changed the customer to :customer": ":person a changé le client en :customer",
+-    ":person changed the customer to :customer in conversation #:conversation_number": ":person a changé le client en :customer dans la conversation #:conversation_number",
++    ":person changed the customer to :customer": ":person a changé le membre en :customer",
++    ":person changed the customer to :customer in conversation #:conversation_number": ":person a changé le membre en :customer dans la conversation #:conversation_number",
+     ":person created a draft": ":person a créé un brouillon",
+     ":person deleted": ":person supprimée",
+     ":person edited :creator's draft": ":person a modifié brouillon de :creator",
+@@ -112,7 +112,7 @@
+     "Auto Reply": "Réponse Automatique",
+     "Auto Reply status saved": "Statut de réponse automatique enregistré",
+     "Auto replies don't include your mailbox signature, so be sure to add your contact information if necessary.": "Les réponses automatiques n'incluent pas la signature de votre boîte aux lettres, assurez-vous d'ajouter vos coordonnées si nécessaire.",
+-    "Auto reply to customer": "Réponse automatique au client",
++    "Auto reply to customer": "Réponse automatique au membre",
+     "Back": "Retour",
+     "Back to folder": "Retour au dossier",
+     "Background Jobs": "Emplois d'arrière-plan",
+@@ -123,10 +123,10 @@
+     "Cancel": "Annuler",
+     "Cc": "Cc",
+     "Change": "Modifier",
+-    "Change Customer": "Changer de client",
++    "Change Customer": "Changer de membre",
+     "Change address in mailbox settings": "Modifier l'adresse dans les paramètres de la boîte aux lettres",
+     "Change default redirect": "Modifier la redirection par défaut",
+-    "Change the customer to :customer_email?": "Changer le client en :customer_email ?",
++    "Change the customer to :customer_email?": "Changer le membre en :customer_email ?",
+     "Change your password": "Changer votre mot de passe",
+     "Chat": "Tchat",
+     "Check Connection": "Vérifier la connexion",
+@@ -182,7 +182,7 @@
+     "Create a New User": "Créer un nouvel utilisateur",
+     "Create a Password": "Créer un mot de passe",
+     "Create a mailbox": "Créer une boîte de réception",
+-    "Create a new customer": "Créer un nouveau client",
++    "Create a new customer": "Créer un nouveau membre",
+     "Create symlink manually": "Créer un lien symbolique manuellement",
+     "Created At": "Créé à",
+     "Created by :person": "Créé par :person",
+@@ -190,14 +190,14 @@
+     "Current Password": "Mot de passe actuel",
+     "Custom From Name": "Nom de l'expéditeur personnalisé",
+     "Custom Name": "Nom personnalisé",
+-    "Customer": "Client",
+-    "Customer Name": "Nom du client",
+-    "Customer Profile": "Profil client",
+-    "Customer changed": "Client changé",
+-    "Customer saved successfully.": "Client enregistré avec succès.",
+-    "Customer viewed :when": "Client vu :when",
+-    "Customers": "Clients",
+-    "Customers email this address for help (e.g. support@domain.com)": "Les clients utilisent cette adresse par e-mail pour obtenir de l'aide (par exemple, support@domain.com)",
++    "Customer": "Membre",
++    "Customer Name": "Nom du membre",
++    "Customer Profile": "Profil membre",
++    "Customer changed": "Membre changé",
++    "Customer saved successfully.": "Membre enregistré avec succès.",
++    "Customer viewed :when": "Membre vu :when",
++    "Customers": "Membres",
++    "Customers email this address for help (e.g. support@domain.com)": "Les membres utilisent cette adresse par e-mail pour obtenir de l'aide (par exemple, support@domain.com)",
+     "Daily": "Quotidien",
+     "Dashboard": "Tableau de bord",
+     "Date": "Date",
+@@ -247,15 +247,15 @@
+     "Edit User": "Modifier l'utilisateur",
+     "Edited by :whom :when": "Édité par :whom :when",
+     "Email": "Email",
+-    "Email :tag_email_begin:email:tag_email_end has been moved from another customer:  :a_begin:customer:a_end.": "Email :tag_email_begin:email:tag_email_end a été déplacé depuis un autre client : :a_begin:customer:a_end.",
++    "Email :tag_email_begin:email:tag_email_end has been moved from another customer:  :a_begin:customer:a_end.": "Email :tag_email_begin:email:tag_email_end a été déplacé depuis un autre membre : :a_begin:customer:a_end.",
+     "Email Address": "Adresse e-mail",
+     "Email Alerts For Administrators": "Envoyez des alertes par e-mail aux administrateurs",
+     "Email Header": "En-tête de l'e-mail",
+     "Email Signature": "Signature e-mail",
+     "Email Template": "Modèle d'e-mail",
+     "Email passed for delivery. If you don't receive a test email, check your mail server logs.": "E-mail transmis pour livraison. Si vous ne recevez pas d'e-mail de test, consultez les journaux de votre serveur de messagerie.",
+-    "Email to customer": "Courriel au client",
+-    "Emails to Customers": "Emails aux clients",
++    "Email to customer": "Courriel au membre",
++    "Emails to Customers": "Emails aux membres",
+     "Empty Trash": "Vider la corbeille",
+     "Empty license key": "Clé de licence vide",
+     "Enable Auto Reply": "Activer la réponse automatique",
+@@ -276,7 +276,7 @@
+     "Error occurred. Please try again later.": "Erreur est survenue. Veuillez réessayer plus tard.",
+     "Error occurred. Please try again or try another :%a_start%update method:%a_end%": "Erreur est survenue. Veuillez réessayer ou en essayer une autre :%a_start% méthode de mise à jour:%a_end%",
+     "Error sending alert": "Erreur lors de l'envoi de l'alerte",
+-    "Error sending email to customer": "Erreur lors de l'envoi d'un e-mail au client",
++    "Error sending email to customer": "Erreur lors de l'envoi d'un e-mail au membre",
+     "Error sending email to the user who replied to notification from wrong email": "Erreur lors de l'envoi d'un e-mail à l'utilisateur qui a répondu à la notification d'un mauvais e-mail",
+     "Error sending email to user": "Erreur lors de l'envoi d'un e-mail à l'utilisateur",
+     "Error sending invitation email to user": "Erreur lors de l'envoi d'un e-mail d'invitation à l'utilisateur",
+@@ -419,7 +419,7 @@
+     "Message bounced (:link)": "Message renvoyé (:link)",
+     "Message cannot be empty": "Le message ne peut pas être vide",
+     "Message has been already sent. Please discard this draft.": "Le message a déjà été envoyé. Veuillez effacer ce brouillon.",
+-    "Message not sent to customer": "Message non envoyé au client",
++    "Message not sent to customer": "Message non envoyé au membre",
+     "Method": "Méthode",
+     "Migrate DB": "Migrer la base de données",
+     "Mine": "Mes conversations",
+@@ -439,7 +439,7 @@
+     "My Apps": "Mes Applications",
+     "My open conversations": "Mes conversations ouvertes",
+     "Name": "Nom",
+-    "Name that will appear in the <strong>From<\/strong> field when a customer views your email.": "Nom qui apparaîtra dans le champ <strong>De<\/strong> lorsqu'un client consulte votre e-mail.",
++    "Name that will appear in the <strong>From<\/strong> field when a customer views your email.": "Nom qui apparaîtra dans le champ <strong>De<\/strong> lorsqu'un membre consulte votre e-mail.",
+     "New Conversation": "Nouvelle conversation",
+     "New Mailbox": "Nouvelle boîte de réception",
+     "New Password": "Nouveau mot de passe",
+@@ -451,8 +451,8 @@
+     "Next active conversation": "Conversation active suivante",
+     "No": "Non",
+     "No activations left for this license key": "Il ne reste aucune activation pour cette clé de licence",
+-    "No customers found": "Aucun client trouvé",
+-    "No customers found. Would you like to create one?": "Aucun client trouvé. Souhaitez-vous en créer un?",
++    "No customers found": "Aucun membre trouvé",
++    "No customers found. Would you like to create one?": "Aucun membre trouvé. Souhaitez-vous en créer un?",
+     "No invite was found. Please contact your administrator to have a new invite email sent.": "Aucune invitation trouvée. Veuillez contacter votre administrateur pour qu'il envoie une nouvelle invitation par email.",
+     "Non-writable files found": "Fichiers non-inscriptibles trouvés",
+     "None": "Aucun",
+@@ -471,10 +471,10 @@
+     "Notifications": "Notifications",
+     "Notifications saved successfully": "Notifications enregistrées",
+     "Notifications will start showing up here soon": "Les notifications commenceront bientôt à apparaître ici",
+-    "Notify :person when a customer replies…": "Avertir :person lorsqu'un client répond…",
++    "Notify :person when a customer replies…": "Avertir :person lorsqu'un membre répond…",
+     "Notify :person when another :app_name user replies or adds a note…": "Notifier :person quand un autre utilisateur :app_name répond ou ajoute une note…",
+     "Notify :person when…": "Avertir :person lorsque…",
+-    "Notify me when a customer replies…": "M'avertir lorsqu'un client répond…",
++    "Notify me when a customer replies…": "M'avertir lorsqu'un membre répond…",
+     "Notify me when another :app_name user replies or adds a note…": "M'avertir lorsqu'un autre utilisateur :app_name répond ou ajoute une note…",
+     "Notify me when…": "Prévenez-moi quand…",
+     "Number": "Numéro",
+@@ -587,7 +587,7 @@
+     "Search": "Recherche",
+     "Search Conversation by Number": "Rechercher une conversation par identifiant",
+     "Search Users": "Rechercher des utilisateurs",
+-    "Search for a customer by name or email": "Rechercher un client par nom ou par e-mail",
++    "Search for a customer by name or email": "Rechercher un membre par nom ou par e-mail",
+     "See logs": "Voir les journaux",
+     "Select Mailbox": "Sélectionnez une boîte aux lettres",
+     "Selected Users have access to this mailbox:": "Les utilisateurs sélectionnés ont accès à cette boîte aux lettres:",
+@@ -613,7 +613,7 @@
+     "Sending": "Envoi en cours",
+     "Sending Emails": "Sending Emails",
+     "Sending can not be undone": "L'envoie ne peut être annulé",
+-    "Sending emails need to be configured for the mailbox in order to send emails to customers and support agents": "L'envoi d'e-mails doit être configuré pour la boîte aux lettres afin d'envoyer des e-mails aux clients et aux agents de support",
++    "Sending emails need to be configured for the mailbox in order to send emails to customers and support agents": "L'envoi d'e-mails doit être configuré pour la boîte aux lettres afin d'envoyer des e-mails aux membre et aux agents de support",
+     "Sendmail": "Exécutable Sendmail",
+     "Separate each email with a comma.": "Séparez chaque e-mail par une virgule",
+     "Server": "Serveur",
+@@ -670,11 +670,11 @@
+     "This is a test mail sent by :app_name. It means that outgoing email settings of your :mailbox mailbox are fine.": "Il s'agit d'un mail de test envoyé par :app_name. Cela signifie que les paramètres de courrier électronique sortant de votre boîte aux lettres :mailbox sont corrects.",
+     "This is a test system mail sent by :app_name. It means that mail settings are fine.": "Il s'agit d'un e-mail du système de test envoyé par :app_name. Cela signifie que les paramètres de messagerie sont corrects.",
+     "This may take several minutes": "Cela peut prendre plusieurs minutes",
+-    "This number is not visible to customers. It is only used to track conversations within :app_name": "Ce numéro n'est pas visible pour les clients. Il est uniquement utilisé pour suivre les conversations dans :app_name",
++    "This number is not visible to customers. It is only used to track conversations within :app_name": "Ce numéro n'est pas visible pour les membres. Il est uniquement utilisé pour suivre les conversations dans :app_name",
+     "This password is incorrect.": "Ce mot de passe est incorrect.",
+-    "This reply will go to the customer. :%switch_start%Switch to a note:switch_end if you are replying to :user_name.": "Cette réponse ira au client. :%switch_start%Passez à une note:switch_end si vous répondez à :user_name.",
++    "This reply will go to the customer. :%switch_start%Switch to a note:switch_end if you are replying to :user_name.": "Cette réponse ira au membre. :%switch_start%Passez à une note:switch_end si vous répondez à :user_name.",
+     "This setting gives you control over what page loads after you perform an action (send a reply, add a note, change conversation status or assignee).": "Ce paramètre vous permet de contrôler la page qui se charge après avoir effectué une action (envoyer une réponse, ajouter une note, etc.).",
+-    "This text will be added to the beginning of each email reply sent to a customer.": "Ce texte sera ajouté au début de chaque réponse par e-mail envoyée à un client.",
++    "This text will be added to the beginning of each email reply sent to a customer.": "Ce texte sera ajouté au début de chaque réponse par e-mail envoyée à un membre.",
+     "Thread is not in a draft state": "Le fil n'est pas à l'état de brouillon",
+     "Thread not found": "Fil non trouvé",
+     "Time Format": "Format de l'heure",
+@@ -751,7 +751,7 @@
+     "Welcome to :company_name!": "Bienvenue chez :company_name !",
+     "Welcome to :company_name, :first_name!": "Bienvenue chez :company_name, :first_name!",
+     "Welcome to the team!": "Bienvenue dans l'équipe !",
+-    "When a customer emails this mailbox, application can send an auto reply to the customer immediately.<br\/><br\/>Only one auto reply is sent per new conversation.": "Lorsqu'un client envoie un e-mail à cette boîte aux lettres, l'application peut envoyer immédiatement une réponse automatique au client. <br\/> <br\/> Une seule réponse automatique est envoyée par nouvelle conversation.",
++    "When a customer emails this mailbox, application can send an auto reply to the customer immediately.<br\/><br\/>Only one auto reply is sent per new conversation.": "Lorsqu'un membre envoie un e-mail à cette boîte aux lettres, l'application peut envoyer immédiatement une réponse automatique au membre. <br\/> <br\/> Une seule réponse automatique est envoyée par nouvelle conversation.",
+     "Which mailboxes will user use?": "Quelles boîtes aux lettres l'utilisateur utilisera-t-il?",
+     "Who Else Will Use This Mailbox": "Qui d'autre utilisera cette boîte aux lettres",
+     "Work": "Professionnel",

user/gitaly/APKBUILD

@@ -0,0 +1,86 @@
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+pkgname=gitaly
+pkgver=17.0.4
+pkgrel=0
+pkgdesc="A Git RPC service for handling all the git calls made by GitLab"
+url="https://gitlab.com/gitlab-org/gitaly/"
+arch="all"
+# GPL-2.0-only WITH GCC-exception-2.0: bundled libgit2
+license="MIT AND GPL-2.0-only WITH GCC-exception-2.0"
+depends="
+	git>=2.42
+	"
+makedepends="
+	bash
+	cmake
+	go
+	icu-dev
+	libssh2-dev
+	libxml2-dev
+	libxslt-dev
+	"
+subpackages="
+	$pkgname-backup
+	$pkgname-blackbox
+	$pkgname-praefect
+	$pkgname-openrc
+	"
+source="https://gitlab.com/gitlab-org/gitaly/-/archive/v$pkgver/gitaly-v$pkgver.tar.gz
+	config.patch
+	$pkgname.initd
+	"
+builddir="$srcdir/$pkgname-v$pkgver"
+options="!check"
+
+build() {
+	make V=1 BUILD_TAGS="tracer_static tracer_static_jaeger"
+}
+
+package() {
+	## Go part
+
+	make install DESTDIR="$pkgdir" PREFIX=/usr
+
+	# Not very useful for us.
+	rm "$pkgdir"/usr/bin/gitaly-debug
+	rm "$pkgdir"/usr/bin/gitaly-wrapper
+
+	install -m644 -D config.toml.example "$pkgdir"/etc/gitlab/gitaly.toml
+	install -m644 -D config.praefect.toml.example "$pkgdir"/etc/gitlab/praefect.toml
+	install -m644 -D cmd/gitaly-blackbox/config.toml.example "$pkgdir"/etc/gitlab/gitaly-blackbox.toml
+
+	install -m755 -D "$srcdir"/gitaly.initd "$pkgdir"/etc/init.d/gitlab.gitaly
+}
+
+backup() {
+	pkgdesc="Utility used by the backup Rake task to create/restore repository backups from Gitaly"
+	depends=""
+
+	amove usr/bin/gitaly-backup
+}
+
+# TODO: Add init script.
+blackbox() {
+	pkgdesc="Prometheus exporter that measures GitLab server performance by performing a Git HTTP clone"
+	depends=""
+
+	amove etc/gitlab/gitaly-blackbox.toml
+	amove usr/bin/gitaly-blackbox
+}
+
+# TODO: Add init script.
+praefect() {
+	pkgdesc="A reverse-proxy for Gitaly to manage a cluster of Gitaly nodes for HA"
+	depends=""
+
+	amove etc/gitlab/praefect.toml
+	amove usr/bin/praefect
+}
+
+sha512sums="
+2d06498c519c20804dd592cac3214cf8124ece1dda0d15342f8ccc6d9c9d2715dad24f9940e4d87b824320483c9882004bcef3747a8de347c1d48ec983a9f5cb  gitaly-v17.0.4.tar.gz
+7685330e637c3a34db941c9e6b8776d0611ec16297e8be998a3eb4716c455d9f015d433a4d27720c24e520d489dd56bdab7c0e4264f2852b4b0bfd6ecaa7f773  config.patch
+c32105d921be16eaf559cf21d6840bc346cd92b5e37974cedecdb5a2d2ca1eb5e8fbb144f5fc8a1289bf9415102b313cf2d61ee510c80f08ab33a799f5ac7122  gitaly.initd
+"

user/gitaly/config.patch

@@ -0,0 +1,91 @@
+diff --git a/config.toml.example.orig b/config.toml.example
+index 82b8502..9982087 100644
+--- a/config.toml.example.orig
++++ b/config.toml.example
+@@ -2,19 +2,24 @@
+ # For Gitaly documentation, see https://docs.gitlab.com/ee/administration/gitaly/.
+ 
+ # A path which Gitaly should open a Unix socket.
+-socket_path = "/home/git/gitlab/tmp/sockets/private/gitaly.socket"
++socket_path = "/run/gitlab/gitaly.socket"
+ 
+ # Directory containing Gitaly executables.
+-bin_dir = "/home/git/gitaly/_build/bin"
++bin_dir = "/usr/bin"
+ 
+ # # Optional. The directory where Gitaly can create all files required to
+ # # properly operate at runtime. If not set, Gitaly will create a directory in
+ # # the global temporary directory. This directory must exist.
+-# runtime_dir = "/home/git/gitaly/run"
++runtime_dir = "/run/gitaly"
+ 
+ # # Optional if socket_path is set. TCP address for Gitaly to listen on. This is insecure (unencrypted connection).
+ # listen_addr = "localhost:9999"
+ 
++# # Optional: configure where the Gitaly creates the sockets for internal connections. If unset, Gitaly will create a randomly
++# # named temp directory each time it boots.
++# # Non Gitaly clients should never connect to these sockets.
++internal_socket_dir = "/run/gitaly/internal"
++
+ # # Optional. TCP over TLS address for Gitaly to listen on.
+ # tls_listen_addr = "localhost:8888"
+ 
+@@ -35,9 +40,9 @@ bin_dir = "/home/git/gitaly/_build/bin"
+ # # Gitaly supports TLS encryption. You must bring your own certificates because this isn’t provided automatically.
+ # [tls]
+ # # Path to the certificate.
+-# certificate_path = '/home/git/cert.cert'
++# certificate_path = '/etc/gitlab/ssl/gitaly.crt'
+ # # Path to the key.
+-# key_path = '/home/git/key.pem'
++# key_path = '/etc/gitlab/ssl/gitaly.key'
+ 
+ # # Git settings
+ # [git]
+@@ -58,7 +63,7 @@ bin_dir = "/home/git/gitaly/_build/bin"
+ # # The name of the storage
+ name = "default"
+ # # The path to the storage.
+-path = "/home/git/repositories"
++path = "/var/lib/gitlab/repositories"
+ 
+ # # You can optionally configure more storages for this Gitaly instance to serve up
+ #
+@@ -70,12 +75,12 @@ path = "/home/git/repositories"
+ # # Optional. Configure Gitaly to output JSON-formatted log messages to stdout.
+ # [logging]
+ # # Directory where Gitaly stores extra log files.
+-dir = "/home/git/gitlab/log"
++dir = "/vat/log/gitlab"
+ # # Log format. Either 'text' or 'json'.
+-# format = "json"
++format = "text"
+ # # Optional. Set log level to only log entries with that severity or above.
+ # # Valid values are, in order, 'debug', 'info', 'warn', 'error', 'fatal', and 'panic'. Defaults to 'info'.
+-# level = "warn"
++level = "warn"
+ # # Additionally, exceptions from the Go server can be reported to Sentry. Sentry DSN (Data Source Name)
+ # # for exception monitoring.
+ # sentry_dsn = "https://<key>:<secret>@sentry.io/<project>"
+@@ -91,18 +96,18 @@ sentry_environment = ""
+ # # Custom Git hooks that are used to perform tasks based on changes performed in any repository.
+ [hooks]
+ # # Directory where custom Git hooks are installed. If left unset, no custom hooks are used.
+-custom_hooks_dir = "/home/git/custom_hooks"
++custom_hooks_dir = "/etc/gitlab/custom_hooks"
+ 
+ # # Gitaly must connect to the GitLab application to perform access checks when a user performs a change.
+ [gitlab]
+ # # URL of the GitLab server.
+-url = "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket"
++url = "http+unix://%2Frun%2Fgitlab%2Fworkhorse.socket"
+ # # 'relative_url_root' is only needed if a UNIX socket is used in 'url' and GitLab is configured to
+ # # use a relative path. For example, '/gitlab'.
+ # relative_url_root = '/'
+ # # Path of the file containing the secret token used to authenticate with GitLab. Use either 'secret_token' or 'secret'
+ # # but not both.
+-secret_file = "/home/git/gitlab-shell/.gitlab_shell_secret"
++secret_file = "/etc/gitlab/gitlab_shell_secret"
+ # # Secret token used to authenticate with GitLab.
+ # secret = ""
+ 

user/gitaly/gitaly.initd

@@ -0,0 +1,39 @@
+#!/sbin/openrc-run
+
+name="Gitaly"
+description="A Git RPC service for handling all the git calls made by GitLab"
+
+: ${gitaly_config:="/etc/gitlab/gitaly.toml"}
+: ${gitaly_logfile:="/var/log/gitlab/gitaly.log"}
+
+command="/usr/bin/gitaly"
+command_args="$gitaly_config"
+command_background="yes"
+command_user="git"
+
+output_log="$gitaly_logfile"
+error_log="$gitaly_logfile"
+pidfile="/run/gitaly.pid"
+supervise_daemon_args="--env TZ=:/etc/localtime"
+start_stop_daemon_args="$supervise_daemon_args"
+
+rc_ulimit="-n 15000"
+
+required_files="$gitaly_config"
+
+depend() {
+	use net
+}
+
+start_pre() {
+	local socket_path=$(sed -En "s/^\s*socket_path\s*=\s*[\"']([^\"']+)[\"']/\1/p" "$gitaly_config")
+	local runtime_dir=$(sed -En "s/^\s*runtime_dir\s*=\s*[\"']([^\"']+)[\"']/\1/p" "$gitaly_config")
+
+	if [ "$socket_path" ]; then
+		checkpath -q -d -m 755 -o $command_user "${socket_path%/*}" || return 1
+	fi
+	if [ "$runtime_dir" ]; then
+		checkpath -q -d -m 750 -o $command_user "$runtime_dir" || return 1
+	fi
+	checkpath -f -m 640 -o $command_user "$gitaly_logfile"
+}

user/gitlab-foss/APKBUILD

@@ -0,0 +1,375 @@
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+pkgname=gitlab-foss
+_pkgname=${pkgname%-foss}
+pkgver=17.0.4
+_gittag=v$pkgver
+pkgrel=0
+pkgdesc="A version control for your server"
+url="https://gitlab.com/gitlab-org/gitlab-foss"
+arch="x86_64 aarch64"
+license="MIT"
+# ruby-irb is needed only for Rails console (gitlab-rails console)
+depends="
+	$pkgname-assets=$pkgver-r$pkgrel
+	ca-certificates
+	cmd:dpkg-deb
+	exiftool
+	git>=2.42.0
+	gitaly~=17.0
+	gitlab-shell>=14.35
+	graphicsmagick
+	http-parser
+	procps
+	py-docutils
+	python3
+	redis>=2.8
+	ruby3.2
+	ruby3.2-bigdecimal
+	ruby3.2-bundler
+	ruby3.2-fiddle
+	ruby3.2-io-console
+	ruby3.2-irb
+	ruby3.2-json
+	ruby3.2-rake
+	ruby3.2-rdoc
+	ruby3.2-webrick
+	shared-mime-info
+	tzdata
+	"
+makedepends="
+	cargo
+	clang-dev
+	cmd:chrpath
+	cmake
+	file-dev
+	go
+	gpgme-dev
+	icu-dev
+	libffi-dev
+	libgcrypt-dev
+	libpq-dev
+	libxml2-dev
+	libxslt-dev
+	linux-headers
+	llvm
+	nodejs
+	openssl-dev
+	protobuf-dev
+	re2-dev
+	ruby3.2-dev
+	rust
+	yarn>=1.2.0
+	"
+pkgusers="git"
+pkggroups="git www-data"
+install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade"
+subpackages="$pkgname-assets::noarch $pkgname-openrc"
+source="https://gitlab.com/gitlab-org/gitlab-foss/-/archive/$_gittag/gitlab-foss-$_gittag.tar.gz
+	database-config.patch
+	$_pkgname.initd
+	$_pkgname.mailroom.initd
+	$_pkgname.rails.initd
+	$_pkgname.sidekiq.initd
+	$_pkgname.workhorse.initd
+	$_pkgname.confd
+	$_pkgname.logrotate
+	bin-wrapper.in
+	upgrade-sys-filesystem-depend.patch
+	"
+builddir="$srcdir/gitlab-foss-$_gittag"
+
+_prefix="usr/lib/bundles/$_pkgname"
+
+export BUNDLE_DEPLOYMENT=true
+export BUNDLE_FORCE_RUBY_PLATFORM=true
+export BUNDLE_FROZEN=true
+# Should be tied to $JOBS, but rust native code fails to build
+export BUNDLE_JOBS=1
+
+prepare() {
+	default_prepare
+
+	# The default log level is very chatty.
+	sed -i 's/^\(\s*config.log_level\s*=\).*$/\1 :warn/' \
+		config/environments/production.rb
+
+	# This is not needed, the secret_token is generated by the
+	# gitlab-shell package. It also makes problems in the build phase.
+	rm config/initializers/gitlab_shell_secret_token.rb
+
+	# Remove all locale files except en.
+	find locale -type d -mindepth 1 ! -name en -exec rm -rf {} +
+
+	# Allow use of any bundler
+	sed -i -e '/BUNDLED/,+1d' Gemfile.lock
+}
+
+build() {
+	local bundle_without='exclude development kerberos mysql test'
+
+	cd "$builddir"/workhorse
+
+	make
+
+	cd "$builddir"
+
+	msg "Installing Ruby gems..."
+	bundle config --local without "$bundle_without"
+	bundle config --local build.ffi --enable-system-libffi
+	bundle config --local build.gpgme --use-system-libraries
+	bundle config --local build.re2 --enable-system-libraries
+	bundle config --local build.nokogiri --use-system-libraries \
+		--with-xml2-include=/usr/include/libxml2 \
+		--with-xslt-include=/usr/include/libxslt
+	bundle config --local build.ruby-magic --enable-system-libraries
+	bundle config --local build.google-protobuf '-- --with-cflags=-D__va_copy=va_copy'
+	bundle config --local path "vendor/bundle"
+
+	bundle install --no-cache
+
+	# Replace bundled CA bundle with symlink.
+	(
+		cd vendor/bundle/ruby/*/gems/aws-sdk-core-*/
+		rm ca-bundle.crt
+		ln -s /etc/ssl/certs/ca-certificates.crt ca-bundle.crt
+	)
+
+	# Remove faulty RPATH.
+	chrpath -d vendor/bundle/ruby/*/extensions/*/*/ruby-magic-*/magic/magic.so
+
+	# Patch installed gem gitlab-markup to use python3.
+	# Option "-S" causes that Python cannot find docutils module.
+	sed -i 's/python2 -S/python3/g' \
+		vendor/bundle/ruby/*/gems/gitlab-markup-*/lib/github/markups.rb
+
+	# Remove non-sense require of code for tests from top-level module
+	# (we're gonna delete tests from the package).
+	sed -i '/require .carrierwave\/test\/matchers./d' \
+		vendor/bundle/ruby/*/gems/carrierwave-*/lib/carrierwave.rb
+
+	msg "Installing npm modules..."
+	yarn install --production --frozen-lockfile
+
+	# Since we have moved assets gems into a group, they are not implicitly
+	# loaded by default. This will be reverted after compiling assets.
+	sed -i.bak '/Bundler.require(\*Rails.groups/s/)/, :assets)/' \
+		config/application.rb
+
+	# assets:precompile and gettext:compile bootstraps the app,
+	# so they needs configs.
+	cp config/gitlab.yml.example config/gitlab.yml
+	cp config/database.yml.postgresql config/database.yml
+	cp config/secrets.yml.example config/secrets.yml
+
+	# The configured path is not readable for the user building
+	# the package, so we must remove it; GitLab will use the default path.
+	sed -i '/^\s*secret_file:.*/d' config/gitlab.yml
+
+	(
+		export NODE_ENV=production
+		export RAILS_ENV=production
+		export SKIP_STORAGE_VALIDATION=true
+		export USE_DB=false
+		export NO_SOURCEMAPS=true
+		export NODE_OPTIONS="--max_old_space_size=3584"
+
+		msg "Compiling GetText PO files..."
+		bundle exec rake gettext:compile
+
+		msg "Compiling assets (this will take few minutes)..."
+		bundle exec rake gitlab:assets:compile
+	)
+
+	# Revert changes.
+	mv config/application.rb.bak config/application.rb
+
+	msg "Cleaning assets gems..."
+	bundle config --local without 'exclude development kerberos mysql test assets'
+	bundle clean
+
+	# Create executables in bin/*.
+	# See also https://github.com/bundler/bundler/issues/6149.
+	bundle binstubs --force bundler gitlab-mail_room puma sidekiq
+
+	# Cleanup
+	rm config/database.yml config/gitlab.yml config/secrets.yml
+}
+
+package() {
+	local destdir="$pkgdir/$_prefix"
+	local datadir="$pkgdir/var/lib/gitlab"
+	local file dest
+
+	install -d -m755 "$destdir" "$destdir"/bin
+
+	install -d -m755 -o git -g git \
+		"$datadir" \
+		"$pkgdir"/etc/gitlab \
+		"$pkgdir"/var/log/gitlab \
+		"$datadir"/pages
+
+	install -d -m700 -o git -g git \
+		"$datadir"/artifacts \
+		"$datadir"/builds \
+		"$datadir"/ci_secure_files \
+		"$datadir"/dependency_proxy \
+		"$datadir"/encrypted_settings \
+		"$datadir"/external-diffs \
+		"$datadir"/lfs-objects \
+		"$datadir"/packages \
+		"$datadir"/pages \
+		"$datadir"/terraform_state \
+		"$datadir"/uploads
+
+	install -d -m0750 -o git -g www-data \
+		"$datadir"/pages
+
+	install -d -m02770 -o git -g git \
+		"$datadir"/repositories
+
+	# Install application files.
+	# Note: *VERSION files and doc directory are required (Help in GitLab
+	# menu refers to the doc directory).
+	cp -rl .bundle config.ru Gemfile* INSTALLATION_TYPE Rakefile ./*VERSION \
+		app data db doc fixtures config lib locale metrics_server public sidekiq_cluster vendor gems \
+		"$destdir"/
+
+	install -m755 -t "$destdir"/bin/ \
+		bin/bundle \
+		bin/mail_room \
+		bin/metrics-server \
+		bin/rails \
+		bin/rake \
+		bin/sidekiq \
+		bin/sidekiq-cluster \
+		bin/sidekiqmon \
+		bin/puma
+
+	cd "$destdir"
+
+	# Not needed in runtime since we have already compiled all assets.
+	rm -r app/assets
+	rm -r vendor/assets
+	find public/assets -name '*.vue' -delete
+	find public/assets -type d -exec rmdir --ignore-fail-on-non-empty '{}' \;
+	# These load gems in the assets group.
+	rm config/initializers/sprockets.rb
+
+	# Remove more stuff not neeeded in production.
+	rm -r lib/support
+	rm -r db/fixtures/development
+	find lib/tasks -maxdepth 1 -type f ! -name cache.rake ! -name setup.rake -delete
+	find lib/tasks/gitlab \( -name 'generate_docs.*' \
+	                      -o -name 'shell.*' \
+	                      -o -name 'test.*' \) -delete
+
+
+	cd "$destdir"/vendor/bundle/ruby/*/
+
+	# Remove tests, documentations and other useless files.
+	find gems/ \( -name 'doc' \
+	           -o -name 'spec' \
+	           -o -name 'test' \) \
+		-type d -maxdepth 2 -exec rm -fr "{}" +
+	find gems/ \( -name 'README*' \
+	           -o -name 'CHANGELOG*' \
+	           -o -name 'CONTRIBUT*' \
+	           -o -name '*LICENSE*' \
+	           -o -name 'Rakefile' \
+	           -o -name '.*' \) \
+		-type f -delete
+
+	# Remove bundled libgit2 sources.
+	rm -r gems/rugged-*/vendor/libgit2
+
+	# Remove assets, they are already compiled.
+	rm -r gems/tanuki_emoji-*/app/assets
+
+	# Remove build logs and cache.
+	rm -rf build_info/ cache/
+	find extensions/ \( -name gem_make.out -o -name mkmf.log \) -delete
+
+
+	cd "$destdir"
+
+	# Install and symlink config files.
+	for file in cable.yml.example \
+			database.yml.postgresql \
+			gitlab.yml.example \
+			puma.rb.example \
+			resque.yml.example \
+			sidekiq.yml.example \
+			initializers/smtp_settings.rb.sample
+	do
+		dest="$(basename "${file%.*}")"
+		install -m640 -g git -D config/$file "$pkgdir"/etc/gitlab/$dest
+		ln -sf /etc/gitlab/$dest "$pkgdir"/$_prefix/config/${file%.*}
+	done
+
+	# This file will be generated by the post-install script, just prepare symlink.
+	ln -sf /etc/gitlab/secrets.yml config/secrets.yml
+	# These shouldn't be necessary, they are all configurable, but OmniBus
+	# creates them too, so just to be sure...
+	ln -sf /etc/gitlab/gitlab_kas_secret .gitlab_kas_secret
+	ln -sf /etc/gitlab/gitlab_pages_secret .gitlab_pages_secret
+	ln -sf /etc/gitlab/gitlab_shell_secret .gitlab_shell_secret
+	ln -sf /etc/gitlab/gitlab_workhorse_secret .gitlab_workhorse_secret
+
+	# Some paths are hard-coded in GitLab, so we must make symlinks. :(
+	ln -sf /var/lib/gitlab/uploads public/uploads
+	ln -sf /var/log/gitlab log
+	ln -sf /var/tmp/gitlab tmp
+
+	cat > "$datadir"/.profile <<-EOF
+		export RAILS_ENV=production
+		export NODE_ENV=production
+		export EXECJS_RUNTIME=Disabled
+	EOF
+
+	# Install wrapper scripts to /usr/bin.
+	local name; for name in rake rails; do
+		sed "s/__COMMAND__/$name/g" "$srcdir"/bin-wrapper.in \
+			> "$builddir"/gitlab-$name
+		install -m755 -D "$builddir"/gitlab-$name "$pkgdir"/usr/bin/gitlab-$name
+	done
+
+
+	cd "$builddir"/workhorse
+
+	# Install workhorse.
+	make install DESTDIR="$pkgdir" PREFIX=/usr
+	install -m644 config.toml.example "$pkgdir"/etc/gitlab/workhorse.toml
+
+
+	for file in $_pkgname $_pkgname.rails $_pkgname.sidekiq $_pkgname.mailroom $_pkgname.workhorse; do
+		install -m755 -D "$srcdir"/$file.initd "$pkgdir"/etc/init.d/$file
+	done
+
+	install -m644 -D "$srcdir"/$_pkgname.confd \
+		"$pkgdir"/etc/conf.d/$_pkgname
+
+	install -m644 -D "$srcdir"/$_pkgname.logrotate \
+		"$pkgdir"/etc/logrotate.d/$_pkgname
+}
+
+assets() {
+	depends=""
+
+	amove $_prefix/public/assets
+}
+
+sha512sums="
+e09cfbbe4237f42bd8509c551031fd3526b75762beae7dac5164ecc4056ae07890a3ddb8500f1573f0ca9d697150654d1fcab3b3d0a3b93e5382addcee298c5b  gitlab-foss-v17.0.4.tar.gz
+daa496f3d9146f9dbddff62477bf49d5c7bd2f2a4cdbadc70ee51c8230f3ef01dc950ef157154b31c7e7bef0beecc5cbac50fbac65a79d6d9099b27bcba8b2ab  database-config.patch
+80d9bf2d064c1d4310566e087e14220e075430c46d9a6c4641c1141fbdc05381ae14a3ae7dfcb7dcb75dbf7af17a136f81764c7a4d109f248a81033782dce23b  gitlab.initd
+1f451b67a5d5e58650b0fe862a2b65cfb8bff5502b37d94ae90619c1ff9affbecf24428303a2849bebce5f94bef37078f0e5710e344bbab616134e910938384a  gitlab.mailroom.initd
+d8cdeb54c46f8204936bf5750833649e4586d3dd1942eed45955ed1661ae5f5080f59184fcb59a8f73c1405faccbf02b3db3d2c12fc2a4a81424cd35ce390768  gitlab.rails.initd
+cb4ec100f0ea7ffcbb37aead8423e636629e2f4848b2974a7b2468e96cb1081ca732ac336417b08dd943afb961df888c73af1334dcbe054dfd361e74f492fd86  gitlab.sidekiq.initd
+85c4e257a030832bd70ad1e257ae7cb568b31e01201fc845abac02d00f02492ca694be1fa2bf743dd8c8623e6a79d36adee3f4de02040134c11158a6001c064b  gitlab.workhorse.initd
+4dc00b16462f30591297fcb535fc364185d3ed76e9956597f0423a8dfd8a9a351f6ac29d9f0c73052c11324fba4768eb89a21c6bef4da99f15baaea8c9ab8407  gitlab.confd
+57f258246925fbef0780caebdf005983c72fe3db1ab3242a1e00137bd322f5ec6c0fd958db7178b8fc22103d071f550d6f71f08422bcd9e859d2a734b2ecef00  gitlab.logrotate
+a944c3886388ba1574bf8c96b6de4d9f24ef4a83f553c31a224e17a3b01f2a5c65b60c59b7ed7ca4b25670c60ea8dd41b96a8a623d909d2bb09bdf2520ed7f23  bin-wrapper.in
+0eaa7de9a906ddb0fe84b7afbaec893a134bbbdb9e71da75cf4095ef40404643e51447aee88d3cad6e565bc709b34ffd8901cc93061e4a2a410838aed42d3644  upgrade-sys-filesystem-depend.patch
+"

user/gitlab-foss/bin-wrapper.in

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+BUNDLE_DIR='/usr/lib/bundles/gitlab'
+export RAILS_ENV='production'
+export NODE_ENV='production'
+export EXECJS_RUNTIME='Disabled'
+
+cd $BUNDLE_DIR
+install -m 700 -o git -g git -d "$(readlink ./tmp)"
+
+if [ "$(id -un)" != 'git' ]; then
+	exec su git -c '"$0" "$@"' -- bin/__COMMAND__ "$@"
+else
+	exec bin/__COMMAND__ "$@"
+fi

user/gitlab-foss/database-config.patch

@@ -0,0 +1,66 @@
+diff --git a/config/database.yml.postgresql.orig b/config/database.yml.postgresql
+index da9f458..2d6d44e 100644
+--- a/config/database.yml.postgresql.orig
++++ b/config/database.yml.postgresql
+@@ -26,13 +26,6 @@ production:
+     username: git
+     password: "secure password"
+     host: localhost
+-  geo:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_geo_production
+-    username: git
+-    password: "secure password"
+-    host: localhost
+ 
+ #
+ # Development specific
+@@ -57,13 +50,6 @@ development:
+     host: localhost
+     variables:
+       statement_timeout: 15s
+-  geo:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_geo_development
+-    username: postgres
+-    password: "secure password"
+-    host: localhost
+ 
+ #
+ # Staging specific
+@@ -84,13 +70,6 @@ staging:
+     username: git
+     password: "secure password"
+     host: localhost
+-  geo:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_geo_staging
+-    username: git
+-    password: "secure password"
+-    host: localhost
+ 
+ # Warning: The database defined as "test" will be erased and
+ # re-generated from your development database when you run "rake".
+@@ -119,19 +98,3 @@ test: &test
+     reaping_frequency: nil
+     variables:
+       statement_timeout: 15s
+-  geo:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_geo_test
+-    username: postgres
+-    password:
+-    host: localhost
+-    reaping_frequency: nil
+-  embedding:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_embedding_test
+-    username: postgres
+-    password:
+-    host: localhost
+-    reaping_frequency: nil

user/gitlab-foss/gitlab-foss.post-install

@@ -0,0 +1,108 @@
+#!/bin/sh
+set -eu
+
+group='git'
+data_dir='/var/lib/gitlab'
+secrets_file='/etc/gitlab/secrets.yml'
+shell_secret_file='/etc/gitlab/gitlab_shell_secret'
+workhorse_secret_file='/etc/gitlab/gitlab_workhorse_secret'
+kas_secret_file='/etc/gitlab/gitlab_kas_secret'
+
+gen_random_b64() {
+	local bits="$1"
+	ruby <<-EOF
+		require 'securerandom'
+		require 'base64'
+		puts Base64.strict_encode64(SecureRandom.random_bytes($bits))
+	EOF
+}
+
+
+echo "* Checking $secrets_file" >&2
+
+ruby <<-EOF
+	require 'openssl'
+	require 'securerandom'
+	require 'yaml'
+
+	secrets_file = '$secrets_file'
+	changed = false
+
+	secrets = YAML.load_file(secrets_file) if File.exist?(secrets_file)
+	secrets ||= {}
+	prod = secrets['production'] ||= {}
+	prod['db_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
+	prod['secret_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
+	prod['otp_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
+	prod['encrypted_settings_key_base'] ||= ( changed = true; SecureRandom.hex(64) )
+	prod['openid_connect_signing_key'] ||= begin
+	  changed = true
+	  prod.delete('jws_private_key') || OpenSSL::PKey::RSA.new(2048).to_pem
+	end
+	# db/fixtures/production/010_settings.rb
+	prod['ci_jwt_signing_key'] ||= ( changed = true; OpenSSL::PKey::RSA.new(2048).to_pem )
+
+	if changed
+	  STDERR.puts "* Generating random secrets into #{secrets_file}"
+	  File.write(secrets_file, YAML.dump(secrets), mode: 'w', perm: 0640)
+	end
+EOF
+chown root:$group "$secrets_file"
+
+if [ ! -f "$shell_secret_file" ]; then
+	echo "* Generating random secret in $shell_secret_file" >&2
+
+	head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64 > "$shell_secret_file"
+	chown root:$group "$shell_secret_file"
+	chmod 0640 "$shell_secret_file"
+fi
+
+if [ ! -f "$workhorse_secret_file" ]; then
+	echo "* Generating random secret in $workhorse_secret_file" >&2
+
+	# Sync with lib/gitlab/workhorse.rb.
+	gen_random_b64 32 > "$workhorse_secret_file"
+	chown root:$group "$workhorse_secret_file"
+	chmod 0640 "$workhorse_secret_file"
+fi
+
+if [ ! -f "$kas_secret_file" ]; then
+	echo "* Generating random secret in $kas_secret_file" >&2
+
+	# Sync with lib/gitlab/workhorse.rb.
+	gen_random_b64 32 > "$kas_secret_file"
+	chown root:$group "$kas_secret_file"
+	chmod 0640 "$kas_secret_file"
+fi
+
+# NOTE: We create this symlink in post-install script instead of APKBULD,
+# so user can decide to have tmp dir inside $data_dir (e.g. it's on bigger disk).
+if [ ! -e "$data_dir"/tmp ]; then
+	ln -s /var/tmp/gitlab "$data_dir"/tmp
+fi
+
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* To finish GitLab upgrade run:
+	*
+	*     gitlab-rake gitlab:db:configure
+	*
+	EOF
+else
+	cat >&2 <<-EOF
+	*
+	* 1. Adjust settings in /etc/gitlab/database.yml and gitlab.yml.
+	*
+	* 2. Create database for GitLab:
+	*
+	*     psql -c "CREATE ROLE gitlab PASSWORD 'top-secret' INHERIT LOGIN;"
+	*     psql -c "CREATE DATABASE gitlab OWNER gitlab ENCODING 'UTF-8';"
+	*     psql -d gitlab -c "CREATE EXTENSION pg_trgm; CREATE EXTENSION btree_gist;"
+	*
+	* 3. Run "gitlab-rake gitlab:setup", or "gitlab-rake gitlab:db:configure" if
+	*    you are updating existing database.
+	*
+	EOF
+fi

user/gitlab-foss/gitlab-foss.post-upgrade

@@ -0,0 +1 @@
+gitlab-foss.post-install

user/gitlab-foss/gitlab-foss.pre-install

@@ -0,0 +1,53 @@
+#!/bin/sh
+# It's very important to set user/group correctly.
+
+git_dir='/var/lib/gitlab'
+
+if ! getent group git 1>/dev/null; then
+	echo '* Creating group git' 1>&2
+
+	addgroup -S git
+fi
+
+if ! id git 2>/dev/null 1>&2; then
+	echo '* Creating user git' 1>&2
+
+	adduser -DHS -G git -h "$git_dir" -s /bin/sh  \
+		-g "added by apk for gitlab-foss" git
+	passwd -u git 1>/dev/null  # unlock
+fi
+
+if ! id -Gn git | grep -Fq redis; then
+	echo '* Adding user git to group redis' 1>&2
+
+	addgroup git redis
+fi
+
+if [ "$(id -gn git)" != 'git' ]; then
+	cat >&2 <<-EOF
+	!!
+	!! User git has primary group $(id -gn git). We strongly recommend to change
+	!! git's primary group to git, otherwise GitLab may not work correctly.
+	!!
+	EOF
+
+	# Add it at least as a supplementary group.
+	adduser git git
+fi
+
+user_home="$(getent passwd git | cut -d: -f6)"
+
+if [ "$user_home" != "$git_dir" ]; then
+	cat >&2 <<-EOF
+	!!
+	!! User git has home directory in $user_home, but this package assumes
+	!! $git_dir. Although it's possible to use a different directory,
+	!! it's really not easy.
+	!!
+	!! Please change git's home directory to $git_dir, or adjust settings
+	!! and move files yourself. Otherwise GitLab will not work!
+	!!
+	EOF
+fi
+
+exit 0

user/gitlab-foss/gitlab-rails.confd

@@ -0,0 +1,20 @@
+# Configuration for /etc/init.d/gitlab.rails
+
+# Path to the Puma configuration file.
+#puma_config="/etc/gitlab/puma.rb"
+
+# IP address and port for Puma server to listen on.
+#puma_listen_tcp="127.0.0.1:8080"
+
+# Absolute path of unix socket for Puma server to listen on.
+#puma_listen_unix="/run/gitlab/gitlab.socket"
+
+# Path to the file to redirect stdout from Puma server to.
+#puma_stdout_file="/var/log/gitlab/puma_stdout.log"
+
+# Path to the file to redirect stderr from Puma server to.
+#puma_stderr_file="/var/log/gitlab/puma_stderr.log"
+
+# Action Cable uses a separate thread pool per Puma worker. This configures
+# number of threads in the pool.
+#action_cable_worker_pool_size=4

user/gitlab-foss/gitlab.confd

@@ -0,0 +1,85 @@
+# Configuration file for /etc/init.d/gitlab and
+# /etc/init.d/gitlab.{mailroom,rails,sidekiq,workhorse}
+
+
+# Path to the base directory for the Prometheus metrics used by Puma and
+# Sidekiq.
+#metrics_dir=/dev/shm/gitlab
+
+
+# How many Puma worker processes to create (0 to disable cluster mode).
+#puma_workers=3
+
+# IP address and port for Puma server to listen on.
+#puma_listen_tcp="127.0.0.1:8080"
+
+# Absolute path of unix socket for Puma server to listen on.
+#puma_listen_unix="/run/gitlab/gitlab.socket"
+
+# Action Cable uses a separate thread pool per Puma worker. This configures
+# number of threads in the pool.
+#action_cable_worker_pool_size=4
+
+
+# IP address and port, or absolute path of the unix socket, where should
+# Workhorse listen on for connections from a web server.
+#workhorse_listen="/run/gitlab/workhorse.socket"
+
+# How long to wait for response headers when proxying the request.
+#workhorse_proxy_header_timeout="1m0s"
+
+# Number of API requests allowed at single time.
+#workhorse_api_limit=
+
+# Maximum queueing duration of requests (default 30s).
+#workhorse_api_queue_duration=
+
+# Number of API requests allowed to be queued.
+#workhorse_api_queue_limit=
+
+# Long polling duration for job requesting for runners (default 0s - disabled)
+#workhorse_ci_long_polling_duration=
+
+# Log format to use: text, json, structured, none. Defaults to "text".
+#workhorse_log_format=
+
+# Prometheus listening address.
+#workhorse_prometheus_listen=
+
+# Sentry DSN for Workhorse.
+#workhorse_sentry_dsn=
+
+
+# Specify how many processes to create using sidekiq-cluster and which queue
+# they should handle. Each whitespace-separated item equates to one additional
+# Sidekiq process, and comma-separated values in each item determine the queues
+# it works on. The special queue name "*" means all queues.
+# Example: "* gitlab_shell process_commit,post_receive"
+# See https://docs.gitlab.com/ee/administration/sidekiq/extra_sidekiq_processes.html.
+#sidekiq_queue_groups="*"
+
+# Maximum threads to use with Sidekiq (default: 50, 0 to disable).
+#sidekiq_max_concurrency=
+
+# Minimum threads to use with Sidekiq (default: 0).
+#sidekiq_min_concurrency=
+
+# The number of seconds to wait between worker checks.
+#sidekiq_interval=
+
+# Graceful timeout for all running processes.
+#sidekiq_shutdown_timeout=
+
+# Run workers for all queues in sidekiq_queues.yml except the given ones.
+#sidekiq_negate=no
+
+# Run workers based on the provided selector.
+#sidekiq_queue_selector=no
+
+# Memory limit (in MiB) for the Sidekiq process. If the RSS (Resident Set Size)
+# of the Sidekiq process exceeds this limit, a delayed shutdown is triggered.
+#sidekiq_memkiller_max_rss=2000
+
+
+# Enable mail_room to handle incoming mails?
+#mailroom_enabled="no"

user/gitlab-foss/gitlab.initd

@@ -0,0 +1,50 @@
+#!/sbin/openrc-run
+
+name="GitLab"
+description="Meta script for starting/stopping all the GitLab components"
+
+: ${mailroom_enabled:="no"}
+: ${pages_enabled:="yes"}
+
+subservices="gitlab.rails gitlab.gitaly gitlab.sidekiq gitlab.workhorse"
+if yesno "$mailroom_enabled"; then
+	subservices="$subservices gitlab.mailroom"
+fi
+if yesno "$pages_enabled" && [ -e /etc/init.d/gitlab.pages ]; then
+	subservices="$subservices gitlab.pages"
+fi
+
+depend() {
+	need redis postgresql
+	use net
+}
+
+start() {
+	local ret=0
+
+	ebegin "Starting all GitLab components"
+	local svc; for svc in $subservices; do
+		service $svc start || ret=1
+	done
+	eend $ret
+}
+
+stop() {
+	local ret=0
+
+	ebegin "Stopping all GitLab components"
+	local svc; for svc in $subservices; do
+		service $svc stop || ret=1
+	done
+	eend $ret
+}
+
+status() {
+	local ret=0
+
+	local svc; for svc in $subservices; do
+		echo "$svc:"
+		service $svc status || ret=1
+	done
+	eend $ret
+}

user/gitlab-foss/gitlab.logrotate

@@ -0,0 +1,24 @@
+/var/log/gitlab/workhorse.log {
+	compress
+	maxsize 10M
+	minsize 1M
+	missingok
+	postrotate
+		/etc/init.d/gitlab.workhorse --quiet --ifstarted reopen
+	endscript
+	sharedscripts
+	rotate 5
+	weekly
+}
+
+/var/log/gitlab/*.log {
+	compress
+	copytruncate
+	delaycompress
+	maxsize 10M
+	minsize 1M
+	missingok
+	sharedscripts
+	rotate 10
+	weekly
+}

user/gitlab-foss/gitlab.mailroom.initd

@@ -0,0 +1,40 @@
+#!/sbin/openrc-run
+
+supervisor=supervise-daemon
+
+name="GitLab (mailroom)"
+description="GitLab service for processing incoming mails."
+
+: ${gitlab_base:="/usr/lib/bundles/gitlab"}
+: ${gitlab_config:="/etc/gitlab/gitlab.yml"}
+: ${mailroom_logfile:="/var/log/gitlab/mail_room.log"}
+: ${mailroom_config:="$gitlab_base/config/mail_room.yml"}
+
+command="$gitlab_base/bin/mail_room"
+command_args="-c $mailroom_config"
+command_background="yes"
+command_user="git"
+
+directory="$gitlab_base"
+error_log="$mailroom_logfile"
+output_log="$mailroom_logfile"
+
+supervise_daemon_args="
+	--env RAILS_ENV=production
+	--env TZ=:/etc/localtime
+	--env MAIL_ROOM_GITLAB_CONFIG_FILE=$gitlab_config
+	"
+start_stop_daemon_args="--interpreted $supervise_daemon_args"
+pidfile="/run/gitlab/mail_room.pid"
+
+required_files="$mailroom_config $gitlab_config"
+
+depend() {
+	need redis
+	use net
+}
+
+start_pre() {
+	checkpath -d -m 755 -o $command_user -q "${pidfile%/*}" || return 1
+	checkpath -f -m 640 -o $command_user "$mailroom_logfile"
+}

user/gitlab-foss/gitlab.rails.initd

@@ -0,0 +1,119 @@
+#!/sbin/openrc-run
+
+name="GitLab Rails"
+description="GitLab application"
+
+extra_started_commands="reload reopen"
+description_reload="Reload configuration"
+description_reopen="Reopen log files"
+
+: ${gitlab_base:="/usr/lib/bundles/gitlab"}
+: ${metrics_dir:="/dev/shm/gitlab"}
+
+: ${action_cable_worker_pool_size:=4}
+: ${gitlab_config:="/etc/gitlab/gitlab.yml"}
+: ${puma_workers:=3}
+: ${puma_listen_unix:="/run/gitlab/gitlab.socket"}
+: ${puma_listen_tcp:="127.0.0.1:8080"}
+: ${puma_stdout_file:="/var/log/gitlab/puma_stdout.log"}
+: ${puma_stderr_file:="/var/log/gitlab/puma_stderr.log"}
+: ${puma_config:="/etc/gitlab/puma.rb"}
+: ${puma_metrics_dir:="$metrics_dir/puma"}
+
+command="$gitlab_base/bin/puma"
+command_args="
+	--config $puma_config
+	--workers $puma_workers
+	--bind tcp://$puma_listen_tcp
+	--bind unix://$puma_listen_unix
+	--redirect-stdout $puma_stdout_file
+	--redirect-stderr $puma_stderr_file
+	--redirect-append
+	--state /run/gitlab/puma.state
+	"
+command_background="yes"
+command_user="git"
+directory="$gitlab_base"
+
+supervise_daemon_args="
+	--env ACTION_CABLE_WORKER_POOL_SIZE=$action_cable_worker_pool_size
+	--env RAILS_ENV=production
+	--env NODE_ENV=production
+	--env EXECJS_RUNTIME=Disabled
+	--env GITLAB_BASE=$gitlab_base
+	--env TZ=:/etc/localtime
+	--env prometheus_multiproc_dir=$puma_metrics_dir
+	${supervise_daemon_args:-}
+	"
+start_stop_daemon_args="
+	--interpreted
+	$supervise_daemon_args
+	$start_stop_daemon_args
+	"
+pidfile="/run/gitlab/puma.pid"
+
+required_files="$gitlab_config $puma_config"
+
+depend() {
+	need redis
+	want sshd postgresql docker-registry
+	use net
+}
+
+start_pre() {
+	checkpath -d -m 755 -o $command_user -q "${pidfile%/*}" || return 1
+	checkpath -d -m 700 -o $command_user -q "$(readlink -f "$gitlab_base"/tmp)" || return 1
+	checkpath -d -m 700 -o $command_user -q "$metrics_dir" || return 1
+	checkpath -d -m 700 -o $command_user --directory-truncate "$puma_metrics_dir" || return 1
+	checkpath -f -m 644 -o $command_user "$puma_stdout_file" || return 1
+	checkpath -f -m 644 -o $command_user "$puma_stderr_file" || return 1
+
+	# Ruby requires sticky bit on TMP directory.
+	checkpath -d -m 1777 /tmp
+
+	local downloads_path="$(_parse_yaml "$gitlab_config" \
+		production.gitlab.repository_downloads_path)"
+
+	if [ -n "$downloads_path" ]; then
+		checkpath -d -m 700 -o $command_user -q "$downloads_path"
+	fi
+
+	checkpath --directory --owner $command_user --mode 0775 \
+		/var/tmp/gitlab/downloads \
+		/var/tmp/gitlab/backups
+
+}
+
+reload() {
+	ebegin "Reloading $name"
+
+	if [ "$supervisor" ]; then
+		$supervisor "$RC_SVCNAME" --signal USR2
+	else
+		start-stop-daemon --pidfile "$pidfile" --signal USR2
+	fi
+	eend $?
+}
+
+reopen() {
+	ebegin "Telling $name to reopen log files"
+
+	if [ "$supervisor" ]; then
+		$supervisor "$RC_SVCNAME" --signal USR1
+	else
+		start-stop-daemon --pidfile "$pidfile" --signal USR1
+	fi
+	eend $?
+}
+
+_parse_yaml() {
+	local file="$1"
+	local key="$2"
+	local default="${3:-}"
+	local key_path="$(echo "[\"$key\"]" | sed 's/\./"]["/g')"
+
+	ruby <<-EOF
+	require "yaml"
+	puts YAML.load_file("$file")$key_path rescue puts "$default"
+	EOF
+}

user/gitlab-foss/gitlab.sidekiq.initd

@@ -0,0 +1,76 @@
+#!/sbin/openrc-run
+
+extra_started_commands="finish"
+
+name="GitLab Sidekiq"
+description="GitLab backgroud workers"
+description_finish="Stop fetching new jobs and finish current ones"
+
+: ${gitlab_base:="/usr/lib/bundles/gitlab"}
+: ${metrics_dir:="/dev/shm/gitlab"}
+
+: ${sidekiq_logfile:="/var/log/gitlab/sidekiq.log"}
+: ${sidekiq_memkiller_max_rss:="2000"}  # default per Omnibus
+: ${sidekiq_metrics_dir:="$metrics_dir/sidekiq"}
+: ${sidekiq_negate:="no"}
+: ${sidekiq_queue_groups:="*"}
+: ${sidekiq_queue_selector:="no"}
+
+command="$gitlab_base/bin/sidekiq-cluster"
+# Note: The rest of the options is set in start_pre().
+command_args="-r $gitlab_base -e production ${command_args:-}"
+command_background="yes"
+command_user="git"
+
+directory="$gitlab_base"
+error_log="$sidekiq_logfile"
+output_log="$sidekiq_logfile"
+
+supervise_daemon_args="
+	--env RAILS_ENV=production
+	--env NODE_ENV=production
+	--env EXECJS_RUNTIME=Disabled
+	--env TZ=:/etc/localtime
+	--env SIDEKIQ_MEMORY_KILLER_MAX_RSS=$(( sidekiq_memkiller_max_rss * 1024 ))
+	--env prometheus_multiproc_dir=$sidekiq_metrics_dir
+	"
+start_stop_daemon_args="--interpreted $supervise_daemon_args"
+pidfile="/run/gitlab/sidekiq.pid"
+
+depend() {
+	need redis
+	use net postgresql
+}
+
+start_pre() {
+	yesno "$sidekiq_queue_selector" && command_args="$command_args --queue-selector"
+
+	command_args="$command_args
+		$(optif --max-concurrency ${sidekiq_max_concurrency:-})
+		$(optif --min-concurrency ${sidekiq_min_concurrency:-})
+		$(optif --interval ${sidekiq_interval:-})
+		$(optif --timeout ${sidekiq_shutdown_timeout:-})
+		$(set -f; printf "'%s' " $sidekiq_queue_groups)
+		"
+	yesno "$sidekiq_negate" && command_args="$command_args --negate"
+
+	checkpath -d -m 755 -o $command_user -q "${pidfile%/*}" || return 1
+	checkpath -d -m 700 -o $command_user -q "$metrics_dir" || return 1
+	checkpath -d -m 700 -o $command_user --directory-truncate "$sidekiq_metrics_dir" || return 1
+	checkpath -f -m 644 -o $command_user "$sidekiq_logfile"
+}
+
+finish() {
+	ebegin "Telling $name to stop fetching new jobs"
+
+	if [ "$supervisor" ]; then
+		$supervisor "$RC_SVCNAME" --signal TSTP
+	else
+		start-stop-daemon --pidfile "$pidfile" --signal TSTP
+	fi
+	eend $?
+}
+
+optif() {
+	test -n "$2" && printf '%s/n' "$1=$2" || true
+}

user/gitlab-foss/gitlab.workhorse.initd

@@ -0,0 +1,75 @@
+#!/sbin/openrc-run
+
+extra_started_commands="reopen"
+
+name="GitLab Workhorse"
+description="A reverse proxy for GitLab."
+description_reopen="Reopen log files"
+
+: ${gitlab_base:="/usr/lib/bundles/gitlab"}
+: ${workhorse_logfile:="/var/log/gitlab/workhorse.log"}
+: ${workhorse_access_log:="no"}
+
+command="/usr/bin/gitlab-workhorse"
+# Note: The rest of the options is set in start_pre().
+command_args="
+	-authBackend=http://${puma_listen_tcp:="127.0.0.1:8080"}
+	-config=${workhorse_config:="/etc/gitlab/workhorse.toml"}
+	-documentRoot=${gitlab_public_dir:="$gitlab_base/public"}
+	-listenAddr=${workhorse_listen:="/run/gitlab/workhorse.socket"}
+	-listenUmask=${workhorse_listen_umask:="000"}
+	-logFile=$workhorse_logfile
+	-secretPath=${workhorse_secret_path:="/etc/gitlab/gitlab_workhorse_secret"}
+	"
+command_background="yes"
+command_user="git"
+directory="$gitlab_base"
+pidfile="/run/gitlab/workhorse.pid"
+
+depend() {
+	use net
+}
+
+start_pre() {
+	local listen_net="tcp"
+	[ "${workhorse_listen:0:1}" = '/' ] && listen_net="unix"
+
+	command_args="$command_args
+		-listenNetwork=$listen_net
+		$(optif -apiCiLongPollingDuration "$workhorse_ci_long_polling_duration")
+		$(optif -apiLimit "$workhorse_api_limit")
+		$(optif -apiQueueDuration "$workhorse_api_queue_duration")
+		$(optif -apiQueueLimit "$workhorse_api_queue_limit")
+		$(optif -authSocket "$puma_listen_unix")
+		$(optif -logFormat "$workhorse_log_format")
+		$(optif -prometheusListenAddr "$workhorse_prometheus_listen_addr")
+		$(optif -proxyHeadersTimeout "$workhorse_proxy_header_timeout")"
+	# FIXME: not implemented
+	#yesno "$workhorse_access_log" || command_args="$command_args -disableAccessLog"
+
+	start_stop_daemon_args="$start_stop_daemon_args
+		$(optif '--env GITLAB_WORKHORSE_SENTRY_DSN' "$workhorse_sentry_dns")"
+	supervise_daemon_args="$supervise_daemon_args
+		$(optif '--env GITLAB_WORKHORSE_SENTRY_DSN' "$workhorse_sentry_dns")"
+
+	checkpath -d -m 755 -o $command_user -q "${pidfile%/*}" || return 1
+	if [ "$listen_net" = "unix" ]; then
+		checkpath -d -m 755 -o $command_user -q "${workhorse_listen%/*}" || return 1
+	fi
+	checkpath -f -m 640 -o $command_user "$workhorse_logfile"
+}
+
+reopen() {
+	ebegin "Telling $name to reopen log files"
+
+	if [ "$supervisor" ]; then
+		$supervisor "$RC_SVCNAME" --signal HUP
+	else
+		start-stop-daemon --pidfile "$pidfile" --signal HUP
+	fi
+	eend $?
+}
+
+optif() {
+	test -n "$2" && printf '%s/n' "$1=$2" || true
+}

user/gitlab-foss/upgrade-sys-filesystem-depend.patch

@@ -0,0 +1,35 @@
+diff --git a/Gemfile.orig b/Gemfile
+index c1e9e34..a4448b7 100644
+--- a/Gemfile.orig
++++ b/Gemfile
+@@ -525,7 +525,7 @@ gem 'health_check', '~> 3.0' # rubocop:todo Gemfile/MissingFeatureCategory
+ 
+ # System information
+ gem 'vmstat', '~> 2.3.0' # rubocop:todo Gemfile/MissingFeatureCategory
+-gem 'sys-filesystem', '~> 1.4.3' # rubocop:todo Gemfile/MissingFeatureCategory
++gem 'sys-filesystem', '~> 1.4.5' # rubocop:todo Gemfile/MissingFeatureCategory
+ 
+ # NTP client
+ gem 'net-ntp' # rubocop:todo Gemfile/MissingFeatureCategory
+diff --git a/Gemfile.lock.orig b/Gemfile.lock
+index bb66169..a4da10b 100644
+--- a/Gemfile.lock.orig
++++ b/Gemfile.lock
+@@ -1657,7 +1657,7 @@ GEM
+       attr_required (>= 0.0.5)
+       httpclient (>= 2.4)
+     sync (0.5.0)
+-    sys-filesystem (1.4.3)
++    sys-filesystem (1.4.5)
+       ffi (~> 1.1)
+     sysexits (1.2.0)
+     table_print (1.5.7)
+@@ -2123,7 +2123,7 @@ DEPENDENCIES
+   stackprof (~> 0.2.25)
+   state_machines-activerecord (~> 0.8.0)
+   static_holmes (~> 0.7.7)
+-  sys-filesystem (~> 1.4.3)
++  sys-filesystem (~> 1.4.5)
+   tanuki_emoji (~> 0.9)
+   telesignenterprise (~> 2.2)
+   terser (= 1.0.2)

user/gitlab-pages/APKBUILD

@@ -0,0 +1,35 @@
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+pkgname=gitlab-pages
+pkgver=17.0.4
+_gittag="v$pkgver"
+pkgrel=0
+pkgdesc="A daemon used to serve static websites for GitLab users"
+url="https://gitlab.com/gitlab-org/gitlab-pages/"
+arch="all"
+license="MIT"
+makedepends="go>=1.5"
+source="
+	https://gitlab.com/gitlab-org/gitlab-pages/-/archive/$_gittag/gitlab-pages-$_gittag.tar.gz
+	ungit-makefile.patch
+	$pkgname.initd
+	"
+subpackages="$pkgname-openrc"
+builddir="$srcdir"/$pkgname-$_gittag
+
+build() {
+	make VERSION=$pkgver REVISION=$pkgrel GOPATH="$srcdir" CGO_ENABLED=0
+}
+
+package() {
+	install -D -m 755 $pkgname "$pkgdir"/usr/bin/$pkgname
+	install -m755 -D "$srcdir"/$pkgname.initd \
+		"$pkgdir"/etc/init.d/gitlab.pages
+}
+
+sha512sums="
+fde33d01f7b3810a9a094c09fce19976c41a2ccc9eaf720a0f4dd285eb2d0f35de8d2d607cdbaa670221711919043d681fd3fda6e14d67ae1454619746c1e453  gitlab-pages-v17.0.4.tar.gz
+710a9b652327e57e620c2bdb02bf912a6f61044eaaf61d36c6612284e9b951d2ac6f5eef77dfea16a0cde328bd4c556d9e47791c560139c27cb9659076f809b1  ungit-makefile.patch
+20bc66c1c3548568ed353ca8d584f9108b9688f9375f212a18efc7b8386fdaafb3b2dc9e865f21c7f8fd31ada6e91842a8bb8d397f64851d853bb0de3e0e60bb  gitlab-pages.initd
+"

user/gitlab-pages/gitlab-pages.initd

@@ -0,0 +1,55 @@
+#!/sbin/openrc-run
+
+name="GitLab Pages"
+description="A daemon used to serve static websites for GitLab users"
+
+: ${pages_user:=${user:-"git"}}
+: ${pages_root:="/var/lib/gitlab/pages"}
+: ${pages_logfile:="/var/log/gitlab/pages.log"}
+
+command="/usr/bin/gitlab-pages"
+# Note: The rest of the options is set in start_pre().
+command_args="
+	-pages-domain=$pages_domain
+	-pages-root=$pages_root
+	-redirect-http=${pages_redirect_http:-true}
+	-use-http2=${pages_use_http2:-true}
+	"
+command_background="yes"
+
+start_stop_daemon_args="
+	--chdir $pages_root
+	--user $pages_user
+	--stdout $pages_logfile
+	--stderr $pages_logfile"
+pidfile="/run/gitlab-pages.pid"
+
+
+depend() {
+	use net
+}
+
+start_pre() {
+	local item
+
+	for item in $pages_listen_http; do
+		command_args="$command_args -listen-http=$item"
+	done
+	for item in $pages_listen_https; do
+		command_args="$command_args -listen-https=$item"
+	done
+	for item in $pages_listen_proxy; do
+		command_args="$command_args -listen-proxy=$item"
+	done
+
+	command_args="$command_args
+		$(optif -metrics-address "$pages_metrics_address")
+		$(optif -root-cert "$pages_root_cert")
+		$(optif -root-key "$pages_root_key")"
+
+	checkpath -m 640 -o $pages_user -f "$pages_logfile"
+}
+
+optif() {
+	test -n "$2" && printf '%s/n' "$1=$2" || true
+}

user/gitlab-pages/ungit-makefile.patch

@@ -0,0 +1,18 @@
+diff --git a/Makefile.internal.mk.orig b/Makefile.internal.mk
+index 6dfaa1b..207bdaf 100644
+--- a/Makefile.internal.mk.orig
++++ b/Makefile.internal.mk
+@@ -1,13 +1,3 @@
+-REVISION := $(shell git rev-parse --short HEAD || echo unknown)
+-LAST_TAG := $(shell git describe --tags --abbrev=0)
+-COMMITS := $(shell echo `git log --oneline $(LAST_TAG)..HEAD | wc -l`)
+-VERSION := $(shell cat VERSION)
+-BRANCH := $(shell git rev-parse --abbrev-ref HEAD)
+-
+-ifneq (v$(VERSION),$(LAST_TAG))
+-	VERSION := $(shell echo $(VERSION)~beta.$(COMMITS).g$(REVISION))
+-endif
+-
+ VERSION_FLAGS :=-X "main.VERSION=$(VERSION)" -X "main.REVISION=$(REVISION)"
+ 
+ export GOBIN := $(CURDIR)/bin

user/gitlab-shell/APKBUILD

@@ -0,0 +1,66 @@
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+pkgname=gitlab-shell
+pkgver=14.36.0
+pkgrel=0
+pkgdesc="GitLab Shell handles git SSH sessions for GitLab"
+url="https://gitlab.com/gitlab-org/gitlab-shell"
+arch="all"
+license="MIT"
+depends="git openssh"
+makedepends="go krb5-dev"
+pkgusers="git"
+pkggroups="git"
+install="$pkgname.pre-install $pkgname.post-install"
+# NOTE: user vs system gitconfig, see https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6166
+source="https://gitlab.com/gitlab-org/gitlab-shell/-/archive/v$pkgver/gitlab-shell-v$pkgver.tar.gz
+	config.patch
+	change-config-path.patch
+	gitconfig
+	"
+builddir="$srcdir/$pkgname-v$pkgver"
+options="!check"
+
+build() {
+	# BUILD_TAGS - build without tracing libs,
+	#   see https://gitlab.com/gitlab-org/labkit/-/merge_requests/2
+	make build \
+		VERSION_STRING="$pkgver" \
+		BUILD_TAGS=""
+}
+
+package() {
+	local datadir="$pkgdir/var/lib/gitlab"
+	local libdir="$pkgdir/usr/lib/gitlab-shell"
+
+	# XXX: I couldn't figure out how/where is gitlab-shell called,
+	#  so I kept /usr/lib/gitlab-shell. It should be changed to /usr.
+	make install DESTDIR="$pkgdir" PREFIX=/usr/lib/gitlab-shell
+
+	install -m644 VERSION "$libdir"/
+	install -m644 -D config.yml.example "$pkgdir"/etc/gitlab/gitlab-shell.yml
+
+	cd "$pkgdir"
+
+	rm "$libdir"/bin/gitlab-sshd
+
+	install -d -m755 -o git -g git \
+		"$pkgdir"/var/log/gitlab \
+		"$datadir"
+
+	install -d -m02770 -o git -g git \
+		"$datadir"/repositories
+
+	install -m644 -o git -g git "$srcdir"/gitconfig "$datadir"/.gitconfig
+
+	ln -s /etc/gitlab/gitlab-shell.yml "$libdir"/config.yml
+	ln -s /etc/gitlab/gitlab_shell_secret "$libdir"/.gitlab_shell_secret
+}
+
+sha512sums="
+6b302be3630e60e3c9f76e58c61674bf08c3fe1395c9af5f354b9a557ecd1ddb43d27c9a995f868c4e4e2e734dd424a37c73e78d26b00f1f6a78f8670b45c371  gitlab-shell-v14.36.0.tar.gz
+e9dd69c57c65197493f75bdde682075c6ab22892ed07d37c7a73129fb42a8349a676d5986bfd17f1df331645334248383845f21ce08d1e9664c38e4bbf5343ba  config.patch
+499b3a46ea94a33a23b01f6a7509d74f5a6781b930619b3b8ae42bdeae8a052cc636578744d7992b4ae4f9b9f72b11ee3d3c0f5e50986fa3f7e35b979b08aada  change-config-path.patch
+c53da7f145593693392d9fa880ad5a1909bfc7504fd1c93d94a468c3e0f5cc80f712f41ee1dc8bf38105b410c1165658f208bd88a70c4674104c78af33d8d09c  gitconfig
+"

user/gitlab-shell/change-config-path.patch

@@ -0,0 +1,11 @@
+--- a/support/gitlab_config.rb
++++ b/support/gitlab_config.rb
+@@ -4,7 +4,7 @@ class GitlabConfig
+   attr_reader :config
+ 
+   def initialize
+-    @config = YAML.load_file(File.join(ROOT_PATH, 'config.yml'))
++    @config = YAML.load_file(ENV.fetch('GITLAB_SHELL_CONFIG', '/etc/gitlab/gitlab-shell.yml'))
+   end
+ 
+   def home

user/gitlab-shell/config.patch

@@ -0,0 +1,112 @@
+diff --git a/config.yml.example.orig b/config.yml.example
+index fb147c4..98eb0e3 100644
+--- a/config.yml.example.orig
++++ b/config.yml.example
+@@ -13,7 +13,7 @@ user: git
+ # only listen on a Unix domain socket. For Unix domain sockets use
+ # "http+unix://<urlquoted-path-to-socket>", e.g.
+ # "http+unix://%2Fpath%2Fto%2Fsocket"
+-gitlab_url: "http+unix://%2Fhome%2Fgit%2Fgitlab%2Ftmp%2Fsockets%2Fgitlab-workhorse.socket"
++gitlab_url: "http+unix://%2Frun%2Fgitlab%2Fworkhorse.socket"
+ 
+ # When a http+unix:// is used in gitlab_url, this is the relative URL root to GitLab.
+ # Not used if gitlab_url is http:// or https://.
+@@ -29,15 +29,15 @@ http_settings:
+ #
+ 
+ # File used as authorized_keys for gitlab user
+-auth_file: "/home/git/.ssh/authorized_keys"
++auth_file: "/var/lib/gitlab/.ssh/authorized_keys"
+ 
+ # SSL certificate dir where custom certificates can be placed
+ # https://golang.org/pkg/crypto/x509/
+-# ssl_cert_dir: /opt/gitlab/embedded/ssl/certs/
++# ssl_cert_dir: /etc/gitlab/ssl/certs/
+ 
+ # File that contains the secret key for verifying access to GitLab.
+ # Default is .gitlab_shell_secret in the gitlab-shell directory.
+-# secret_file: "/home/git/gitlab-shell/.gitlab_shell_secret"
++secret_file: "/etc/gitlab/gitlab_shell_secret"
+ #
+ # The secret field supersedes the secret_file, and if set that
+ # file will not be read.
+@@ -45,13 +45,13 @@ auth_file: "/home/git/.ssh/authorized_keys"
+ 
+ # Log file.
+ # Default is gitlab-shell.log in the root directory.
+-# log_file: "/home/git/gitlab-shell/gitlab-shell.log"
++log_file: "/var/log/gitlab/gitlab-shell.log"
+ 
+ # Log level. INFO by default
+-log_level: INFO
++log_level: WARN
+ 
+ # Log format. 'json' by default, can be changed to 'text' if needed
+-# log_format: json
++log_format: text
+ 
+ # Audit usernames.
+ # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
+@@ -62,62 +62,6 @@ audit_usernames: false
+ # For more details, visit https://docs.gitlab.com/ee/development/distributed_tracing.html
+ # gitlab_tracing: opentracing://driver
+ 
+-# This section configures the built-in SSH server. Ignored when running on OpenSSH.
+-sshd:
+-  # Address which the SSH server listens on. Defaults to [::]:22.
+-  listen: "[::]:22"
+-  # Set to true if gitlab-sshd is being fronted by a load balancer that implements
+-  # the PROXY protocol.
+-  proxy_protocol: false
+-  # Proxy protocol policy ("use", "require", "reject", "ignore"), "use" is the default value
+-  # Values: https://github.com/pires/go-proxyproto/blob/195fedcfbfc1be163f3a0d507fac1709e9d81fed/policy.go#L20
+-  proxy_policy: "use"
+-  # Proxy allowed IP addresses. Takes precedent over proxy_policy. Disabled by default.
+-  # proxy_allowed:
+-  #  - "192.168.0.1"
+-  #  - "192.168.1.0/24"
+-  # Address which the server listens on HTTP for monitoring/health checks. Defaults to localhost:9122.
+-  web_listen: "localhost:9122"
+-  # Maximum number of concurrent sessions allowed on a single SSH connection. Defaults to 10.
+-  concurrent_sessions_limit: 10
+-  # Sets an interval after which server will send keepalive message to a client. Defaults to 15s.
+-  client_alive_interval: 15
+-  # The server waits for this time for the ongoing connections to complete before shutting down. Defaults to 10s.
+-  grace_period: 10
+-  # The server disconnects after this time if the user has not successfully logged in. Defaults to 60s.
+-  login_grace_time: 60
+-  # A short timeout to decide to abort the connection if the protocol header is not seen within it. Defaults to 500ms
+-  proxy_header_timeout: 500ms
+-  # The endpoint that returns 200 OK if the server is ready to receive incoming connections; otherwise, it returns 503 Service Unavailable. Defaults to "/start".
+-  readiness_probe: "/start"
+-  # The endpoint that returns 200 OK if the server is alive. Defaults to "/health".
+-  liveness_probe: "/health"
+-  # Specifies the available message authentication code algorithms that are used for protecting data integrity
+-  macs: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]
+-  # Specifies the available Key Exchange algorithms
+-  kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
+-  # Specified the ciphers allowed
+-  ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr]
+-  # Specified the available Public Key algorithms
+-  public_key_algorithms: [ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, sk-ecdsa-sha2-nistp256@openssh.com, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, sk-ssh-ed25519@openssh.com, rsa-sha2-256, rsa-sha2-512]
+-  # SSH host key files.
+-  host_key_files:
+-    - /run/secrets/ssh-hostkeys/ssh_host_rsa_key
+-    - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key
+-    - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key
+-  host_key_certs:
+-    - /run/secrets/ssh-hostkeys/ssh_host_rsa_key-cert.pub
+-    - /run/secrets/ssh-hostkeys/ssh_host_ecdsa_key-cert.pub
+-    - /run/secrets/ssh-hostkeys/ssh_host_ed25519_key-cert.pub
+-  # GSSAPI-related settings
+-  gssapi:
+-    # Enable the gssapi-with-mic authentication method. Defaults to false.
+-    enabled: false
+-    # Keytab path. Defaults to "", system default (usually /etc/krb5.keytab).
+-    keytab: ""
+-    # The Kerberos service name to be used by sshd. Defaults to "", accepts any service name in keytab file.
+-    service_principal_name: ""
+-
+ lfs:
+   # https://gitlab.com/groups/gitlab-org/-/epics/11872, disabled by default.
+   pure_ssh_protocol: false

user/gitlab-shell/gitconfig

@@ -0,0 +1,17 @@
+# Based on files/gitlab-cookbooks/gitlab/templates/default/gitconfig.erb
+# in omnibus-gitlab.
+
+[user]
+name = GitLab
+email = gitlab@local.host
+
+[core]
+# Needed for the web editor.
+autocrlf = input
+alternateRefsCommand="exit 0 #"
+# This option is unnecessary on journaled file systems and it's not recognized
+# by git >= 2.36.
+# fsyncObjectFiles = true
+
+[gc]
+auto = 0

user/gitlab-shell/gitlab-shell.post-install

@@ -0,0 +1,23 @@
+#!/bin/sh
+set -eu
+
+keys_file='/var/lib/gitlab/.ssh/authorized_keys'
+
+if [ ! -f "$keys_file" ]; then
+	keys_dir="$(dirname "$keys_file")"
+	echo "* Initializing authorized_keys file in $keys_dir" 1>&2
+
+	mkdir -m0700 -p "$keys_dir"
+	chown git:git "$keys_dir"
+
+	touch "$keys_file"
+	chmod 0600 "$keys_file"
+	chown git:git "$keys_file"
+fi
+
+cat <<EOF >&2
+*
+* GitLab Shell has been initialized. Read /etc/gitlab/gitlab-shell.yml and
+* modify settings as need.
+*
+EOF

user/gitlab-shell/gitlab-shell.pre-install

@@ -0,0 +1,41 @@
+#!/bin/sh
+# It's very important to set user/group correctly.
+
+git_dir='/var/lib/gitlab'
+
+if ! getent group git >/dev/null; then
+	echo '* Creating group git' >&2
+
+	addgroup -S git
+fi
+
+if ! id git 2>/dev/null 1>&2; then
+	echo '* Creating user git' >&2
+
+	adduser -DHS -G git -h "$git_dir" -s /bin/sh  \
+		-g "added by apk for gitlab-shell" git
+	passwd -u git >/dev/null  # unlock
+fi
+
+if ! id -Gn git | grep -Fq redis; then
+	echo '* Adding user git to group redis' >&2
+
+	addgroup git redis
+fi
+
+user_home="$(getent passwd git | cut -d: -f6)"
+
+if [ "$user_home" != "$git_dir" ]; then
+	cat >&2 <<-EOF
+	!!
+	!! User git has home directory in $user_home, but this package and gitlab-ce
+	!! package assumes $git_dir. Although it's possible to use a different
+	!! directory, it's really not easy.
+	!!
+	!! Please change git's home directory to $git_dir, or adjust settings
+	!! and move files yourself. Otherwise GitLab will not work!
+	!!
+	EOF
+fi
+
+exit 0

user/grpc/01-chttp2-maybe-uninitialized.patch

@@ -0,0 +1,10 @@
+--- a/src/core/ext/transport/chttp2/transport/chttp2_transport.cc
++++ b/src/core/ext/transport/chttp2/transport/chttp2_transport.cc
+@@ -978,6 +978,7 @@
+   } else {
+     r = grpc_chttp2_begin_write(t);
+   }
++  #pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
+   if (r.writing) {
+     if (r.partial) {
+       GRPC_STATS_INC_HTTP2_PARTIAL_WRITES();

user/grpc/APKBUILD

@@ -0,0 +1,273 @@
+# Contributor: Keith Maxwell <keith.maxwell@gmail.com>
+# Contributor: wener <wenermail@gmail.com>
+# Maintainer: wener <wenermail@gmail.com>
+pkgname=grpc
+pkgver=1.58.0
+pkgrel=2
+pkgdesc="The C based gRPC"
+url="https://grpc.io/"
+arch="all"
+# BSD-3-Clause: third_party/upb, third_party/address_sorting
+# MIT: third_party/upb/third_party/utf8_range
+license="Apache-2.0 AND BSD-3-Clause AND MIT"
+depends="ca-certificates"
+depends_dev="
+	$pkgname-cpp=$pkgver-r$pkgrel
+	$pkgname-plugins=$pkgver-r$pkgrel
+	"
+_pythondepends="
+	cython
+	python3-dev
+	py3-setuptools
+	"
+_rubydepends="
+	$pkgname=$pkgver-r$pkgrel
+	ruby3.2-google-protobuf>=3.19
+	"
+makedepends="
+	abseil-cpp-dev
+	autoconf
+	automake
+	benchmark-dev
+	c-ares-dev
+	chrpath
+	cmake
+	libstdc++
+	libtool
+	linux-headers
+	openssl-dev>3
+	protobuf-dev
+	re2-dev
+	ruby3.2-dev
+	samurai
+	yaml-dev
+	xxhash-dev
+	zlib-dev
+	$_pythondepends
+	$_rubydepends
+	"
+checkdepends="coreutils python3 py3-six"
+subpackages="
+	$pkgname-dev
+	$pkgname-cpp
+	$pkgname-plugins
+	$pkgname-doc
+	py3-grpcio-pyc
+	py3-grpcio:grpcio
+	ruby3.2-grpc:_ruby
+	libaddress_sorting:lib
+	libgpr:lib
+	libgrpc:lib
+	libgrpc_authorization_provider:lib
+	libgrpc_unsecure:lib
+	libupb:lib
+	"
+_googletest_rev=0e402173c97aea7a00749e825b194bfede4f2e45
+
+# ruby-dont-strip-library.patch: abuild will dot the strip
+source="https://github.com/grpc/grpc/archive/v$pkgver/grpc-v$pkgver.tar.gz
+	googletest-$_googletest_rev.tar.gz::https://github.com/google/googletest/archive/$_googletest_rev.tar.gz
+	01-chttp2-maybe-uninitialized.patch
+	find-dependency.patch
+	ruby-fix-protoc-path.patch
+	ruby-use-shared-libs.patch
+	ruby-use-system-certs.patch
+	makefile-use-system-abseil.patch
+	cython3.patch
+	"
+options="net !check" # sometimes hang indefinitely on builders
+
+prepare() {
+	rm -r third_party/googletest
+	mv "$srcdir"/googletest-$_googletest_rev third_party/googletest
+
+	# Remove bundled xxhash.
+	# Since grpc sets XXH_INCLUDE_ALL wherever it uses xxhash, it is using xxhash
+	# as a header-only library. This means we can replace it with the system copy
+	# by doing nothing further; xxhash.h is in the system include path and will be
+	# found instead, and there are no linker flags to add. See also
+	# https://github.com/grpc/grpc/issues/25945.
+	rm -rvf third_party/xxhash/*
+
+	# This will be replaced with a symlink to system certs.
+	echo '' > etc/roots.pem
+
+	default_prepare
+
+	# Remove some bundled dependencies from the gem's files list.
+	sed -i \
+		-e '/etc\/roots.pem/d' \
+		-e '/third_party\/abseil/d' \
+		-e '/third_party\/boringssl/d' \
+		-e '/third_party\/cares/d' \
+		-e '/third_party\/re2/d' \
+		-e '/third_party\/xxhash/d' \
+		-e '/third_party\/zlib/d' \
+		grpc.gemspec
+
+	# Remove unused dependency from gemspec - it's not required anyhwere,
+	# it's just Google pushing their crap everywhere...
+	sed -i '/add_dependency.*googleapis-common-protos-types/d' \
+		grpc.gemspec
+}
+
+build() {
+	export CFLAGS="$CFLAGS -flto=auto -DNDEBUG -O2"
+	export CXXFLAGS="$CXXFLAGS -flto=auto -DNDEBUG -O2"
+	cmake -B _build -G Ninja \
+		-DCMAKE_BUILD_TYPE=None \
+		-DCMAKE_INSTALL_PREFIX=/usr \
+		-DCMAKE_CXX_STANDARD=17 \
+		-DBUILD_SHARED_LIBS=True \
+		-DgRPC_INSTALL=ON \
+		-DgRPC_CARES_PROVIDER=package \
+		-DgRPC_PROTOBUF_PROVIDER=package \
+		-DgRPC_SSL_PROVIDER=package \
+		-DgRPC_ZLIB_PROVIDER=package \
+		-DgRPC_ABSL_PROVIDER=package \
+		-DgRPC_BENCHMARK_PROVIDER=package \
+		-DgRPC_RE2_PROVIDER=package \
+		-DgRPC_BACKWARDS_COMPATIBILITY_MODE=OFF \
+		-DgRPC_BUILD_TESTS="$(want_check && echo ON || echo OFF)"
+	cmake --build _build
+
+	GRPC_PYTHON_CFLAGS="-std=c++17" \
+	GRPC_PYTHON_DISABLE_LIBC_COMPATIBILITY=1 \
+	GRPC_PYTHON_BUILD_SYSTEM_CARES=1 \
+	GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=1 \
+	GRPC_PYTHON_BUILD_SYSTEM_ZLIB=1 \
+	GRPC_PYTHON_BUILD_SYSTEM_RE2=1 \
+	GRPC_PYTHON_BUILD_SYSTEM_ABSL=1 \
+	python3 setup.py build
+
+	# grpcio-tools
+	cd tools/distrib/python
+	python3 make_grpcio_tools.py
+
+	cd "$builddir"
+	gem build grpc.gemspec
+	TOPDIR="$PWD/_build" gem install \
+		--local \
+		--install-dir _build/ruby \
+		--ignore-dependencies \
+		--no-document \
+		--verbose \
+		grpc-$pkgver.gem
+}
+
+check() {
+	# delete times out in ci or broken for ci tests
+	rm -f _build/spinlock_test _build/resolve_address_using_ares_resolver_posix_test build/resolve_address_using_native_resolver_posix_test
+	rm -f _build/flaky_network_test _build/unknown_frame_bad_client_test _build/ssl_transport_security_test _build/httpscli_test
+	rm -f _build/headers_bad_client_test _build/httpcli_test
+	case $CARCH in
+		aarch64|ppc64le) rm -f _build/server_test _build/grpc_tool_test ;;
+		s390x) rm -f _build/client_lb_end2end_test _build/alts_frame_protector_test _build/alts_iovec_record_protocol_test ;;
+		armv7) rm -f _build/initial_settings_frame_bad_client_test ;;
+		x86) rm -f _build/time_jump_test _build/connection_prefix_bad_client_test ;;
+	esac
+
+	# start helper
+	./tools/run_tests/start_port_server.py &
+	find build/ -maxdepth 1 -type f -executable -name "*_test" -exec {} \;
+	# kill helper
+	pkill -9 python3
+}
+
+package() {
+	DESTDIR="$pkgdir" cmake --install _build
+	python3 setup.py install --skip-build --root="$pkgdir"
+
+	cd doc
+	find ./ -type f -print -exec install -Dm644 {} "$pkgdir"/usr/share/doc/grpc/{} \;
+	rm "$pkgdir"/usr/share/doc/grpc/.gitignore
+
+	find "$pkgdir" -type f -name roots.pem -exec \
+		sh -c 'rm $0 && ln -s /etc/ssl/certs/ca-certificates.crt $0' "{}" \;
+}
+
+cpp() {
+	pkgdesc="C++ language bindings for gRPC"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	amove usr/lib/libgrpc++*.so.*
+	amove usr/lib/libgrpc_plugin_support.so.*
+	amove usr/lib/libgrpcpp*.so.*
+}
+
+plugins() {
+	pkgdesc="Protocol buffers compiler plugins for gRPC"
+	depends="$pkgname-cpp=$pkgver-r$pkgrel protobuf"
+
+	amove usr/bin/grpc_*_plugin
+}
+
+cli() {
+	pkgdesc="gRPC command line tool"
+
+	install -Dm644 -t "$subpkgdir"/usr/lib "$builddir"/_build/libgrpc++_test_config.so.$pkgver
+	install -Dm755 -t "$subpkgdir"/usr/bin "$builddir"/_build/grpc_cli
+
+	# Fix "Has /home/... in rpath"
+	chrpath -d "$subpkgdir"/usr/lib/libgrpc++_test_config.so.$pkgver
+	chrpath -d "$subpkgdir"/usr/bin/grpc_cli
+}
+
+grpcio() {
+	pkgdesc="gRPC Python HTTP/2-based RPC framework"
+	depends="py3-six"
+
+	amove usr/lib/python3*
+}
+
+_ruby() {
+	pkgdesc="Send RPCs from Ruby using GRPC"
+	depends="$_rubydepends"
+
+	local gemdir="$subpkgdir/$(ruby -e 'puts Gem.default_dir')"
+
+	cd "$builddir"/_build/ruby
+
+	mkdir -p "$gemdir"
+	cp -r extensions gems specifications "$gemdir"/
+
+	# Remove unnecessary files and rubbish...
+	cd "$gemdir"/extensions/*/*/grpc-$pkgver
+	rm gem_make.out mkmf.log || true
+
+	cd "$gemdir"/gems/grpc-$pkgver
+	rm -rf .yardopts \
+		Makefile \
+		include/ \
+		src/core/ \
+		third_party/
+
+	cd src/ruby
+	rm -rf bin/ \
+		ext/ \
+		lib/grpc/*.so \
+		pb/generate_proto_ruby.sh \
+		pb/README.md \
+		pb/src/ \
+		pb/test/ \
+		spec/
+}
+
+lib() {
+	pkgdesc="$pkgdesc ($subpkgname library)"
+	depends="$pkgname=$pkgver-r$pkgrel"
+
+	amove usr/lib/$subpkgname.so.*
+}
+
+sha512sums="
+fb2fd211a22dd777cf4df39a9dd72e5c8014f1546a89d3910b006503aac80a74d5797705e02911e9c07316ed973f71110b94cc0e86225f648d4ff91773748a43  grpc-v1.58.0.tar.gz
+5c5eaf6ff9f3c1bca025b7ef0234ba97232ba85b43e6354a92f49b7208f5c47581ebaf18bf58618498e5d264f2620c2b6676e81bb0f7df77112b96ba271ececf  googletest-0e402173c97aea7a00749e825b194bfede4f2e45.tar.gz
+7fa146ce86ddd4f160bb1ca9ff01cb7aca6b2b8c9aa50e4fa6b84504b9117b104be0d1e31ccb452d846549dfe1e9012ceccfcdc1f2357ed567621d71fb8b08c5  01-chttp2-maybe-uninitialized.patch
+6702e39c6a3c065fe4ff5ae48898057135c09bf6851e35fc958cf95ee5d77e9dd34e8c34d978efe60682384e46c4c4b2e51156d546b06a0eb1feed89adcc024b  find-dependency.patch
+4ea72d2acd8bee9c9022a4412aa0af0477faca7b0810d14decb3ad5d4da044247f51189512323bfee855b9b260a7f82b812310391451e5d8ee718297800d7a73  ruby-fix-protoc-path.patch
+7123bf1bbc48ceb303ce1e9820ea45a06dabd25e20e3c1c116ef68e629e80f229cf20314c415d74f0c5c1725f23a00b446656e0cffba3dcd3cc766ae29d8fb2f  ruby-use-shared-libs.patch
+631af4b9ac29c1ebabb2c88394ea2993e36cec1beda38195e1587dbd9d3c8c9eef75a17d2326d3cd2e682de551401216075ba08fdc501c098b8092d718ded381  ruby-use-system-certs.patch
+89e260934da83eb45fa6b73884cba1b1c30f99c0eb883a726e2d36ee4788246f4c6fa1b201077038af956bcb58e625f83bedba4f186c711785ec240373ce4fc5  makefile-use-system-abseil.patch
+896d2771fbb726db97efc7a76687a8fddfae18b0492977fc1f7cec4002803f7aed29e8276c94c6b60a06ecfe3ee7795d4ec3f8f90031dd3eda32d3e23dc9c98c  cython3.patch
+"

user/grpc/cython3.patch

@@ -0,0 +1,172 @@
+From b3277bac1585ddee88a170b0a95c260d909cce9c Mon Sep 17 00:00:00 2001
+From: Atri Bhattacharya <A.Bhattacharya@uliege.be>
+Date: Sat, 24 Feb 2024 04:06:08 +0530
+Subject: [PATCH] [python] Cython 3 compatibility: declare functions noexcept.
+
+In Cython 3, cdef functions that really will not raise exceptions must
+be declared as `noexcept`. Fixed by this commit.
+
+Update requirements to `cython >= 3.0` in requirements*.txt and
+setup.py.
+
+Fixes issue #33918.
+---
+ requirements.bazel.txt                                      | 2 +-
+ requirements.txt                                            | 2 +-
+ setup.py                                                    | 2 +-
+ .../grpcio/grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi | 2 +-
+ .../grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi | 2 +-
+ src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi  | 2 +-
+ src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi   | 6 +++---
+ src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi   | 6 +++---
+ src/python/grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi       | 6 +++---
+ 9 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/requirements.bazel.txt b/requirements.bazel.txt
+index f46432cc88891..905c092ce4c33 100644
+--- a/requirements.bazel.txt
++++ b/requirements.bazel.txt
+@@ -1,6 +1,6 @@
+ # GRPC Python setup requirements
+ coverage==4.5.4
+-cython==0.29.21
++cython==3.0.0
+ protobuf>=3.5.0.post1, < 4.0dev
+ wheel==0.38.1
+ oauth2client==4.1.0
+diff --git a/requirements.txt b/requirements.txt
+index 05390850559f1..56169434b1b78 100644
+--- a/requirements.txt
++++ b/requirements.txt
+@@ -1,5 +1,5 @@
+ # GRPC Python setup requirements
+ coverage>=4.0
+-cython>=0.29.8,<3.0.0rc1
++cython>=3.0.0
+ protobuf>=4.21.3,<5.0dev
+ wheel>=0.29
+diff --git a/setup.py b/setup.py
+index 2ce5fef422316..8b4ce5c16736a 100644
+--- a/setup.py
++++ b/setup.py
+@@ -539,7 +539,7 @@ def cython_extensions_and_necessity():
+         sys.stderr.write(
+             "We could not find Cython. Setup may take 10-20 minutes.\n"
+         )
+-        SETUP_REQUIRES += ("cython>=0.23,<3.0.0rc1",)
++        SETUP_REQUIRES += ("cython>=3.0.0",)
+ 
+ COMMAND_CLASS = {
+     "doc": commands.SphinxDocumentation,
+diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi
+index e54e5107547c1..26edbdb917b10 100644
+--- a/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi
++++ b/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pxd.pxi
+@@ -48,7 +48,7 @@ cdef class CallbackWrapper:
+     @staticmethod
+     cdef void functor_run(
+             grpc_completion_queue_functor* functor,
+-            int succeed)
++            int succeed) noexcept
+ 
+     cdef grpc_completion_queue_functor *c_functor(self)
+ 
+diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi
+index 14a0098fc2041..2b0df0e5ce7f7 100644
+--- a/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi
++++ b/src/python/grpcio/grpc/_cython/_cygrpc/aio/callback_common.pyx.pxi
+@@ -50,7 +50,7 @@ cdef class CallbackWrapper:
+     @staticmethod
+     cdef void functor_run(
+             grpc_completion_queue_functor* functor,
+-            int success):
++            int success) noexcept:
+         cdef CallbackContext *context = <CallbackContext *>functor
+         cdef object waiter = <object>context.waiter
+         if not waiter.cancelled():
+diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
+index 74a3f16d72dbb..600c0f304e067 100644
+--- a/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
++++ b/src/python/grpcio/grpc/_cython/_cygrpc/credentials.pyx.pxi
+@@ -316,7 +316,7 @@ def server_credentials_ssl_dynamic_cert_config(initial_cert_config,
+   return credentials
+ 
+ cdef grpc_ssl_certificate_config_reload_status _server_cert_config_fetcher_wrapper(
+-        void* user_data, grpc_ssl_server_certificate_config **config) with gil:
++        void* user_data, grpc_ssl_server_certificate_config **config) noexcept with gil:
+   # This is a credentials.ServerCertificateConfig
+   cdef ServerCertificateConfig cert_config = None
+   if not user_data:
+diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi
+index 13a02434787ba..b300883abae81 100644
+--- a/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi
++++ b/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pxd.pxi
+@@ -12,10 +12,10 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ 
+-cdef void __prefork() nogil
++cdef void __prefork() noexcept nogil
+ 
+ 
+-cdef void __postfork_parent() nogil
++cdef void __postfork_parent() noexcept nogil
+ 
+ 
+-cdef void __postfork_child() nogil
+\ No newline at end of file
++cdef void __postfork_child() noexcept nogil
+diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi
+index 565f483b2ae00..d901cfddf4321 100644
+--- a/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi
++++ b/src/python/grpcio/grpc/_cython/_cygrpc/fork_posix.pyx.pxi
+@@ -35,7 +35,7 @@ _GRPC_ENABLE_FORK_SUPPORT = (
+ 
+ _fork_handler_failed = False
+ 
+-cdef void __prefork() nogil:
++cdef void __prefork() noexcept nogil:
+     with gil:
+         global _fork_handler_failed
+         _fork_handler_failed = False
+@@ -49,14 +49,14 @@ cdef void __prefork() nogil:
+             _fork_handler_failed = True
+ 
+ 
+-cdef void __postfork_parent() nogil:
++cdef void __postfork_parent() noexcept nogil:
+     with gil:
+         with _fork_state.fork_in_progress_condition:
+             _fork_state.fork_in_progress = False
+             _fork_state.fork_in_progress_condition.notify_all()
+ 
+ 
+-cdef void __postfork_child() nogil:
++cdef void __postfork_child() noexcept nogil:
+     with gil:
+         try:
+             if _fork_handler_failed:
+diff --git a/src/python/grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi b/src/python/grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi
+index da4b81bd97e65..f59410073b736 100644
+--- a/src/python/grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi
++++ b/src/python/grpcio/grpc/_cython/_cygrpc/vtable.pyx.pxi
+@@ -13,16 +13,16 @@
+ # limitations under the License.
+ 
+ # TODO(https://github.com/grpc/grpc/issues/15662): Reform this.
+-cdef void* _copy_pointer(void* pointer):
++cdef void* _copy_pointer(void* pointer) noexcept:
+   return pointer
+ 
+ 
+ # TODO(https://github.com/grpc/grpc/issues/15662): Reform this.
+-cdef void _destroy_pointer(void* pointer):
++cdef void _destroy_pointer(void* pointer) noexcept:
+   pass
+ 
+ 
+-cdef int _compare_pointer(void* first_pointer, void* second_pointer):
++cdef int _compare_pointer(void* first_pointer, void* second_pointer) noexcept:
+   if first_pointer < second_pointer:
+     return -1
+   elif first_pointer > second_pointer:

user/grpc/find-dependency.patch

@@ -0,0 +1,13 @@
+without this find_dependency() doesn't exist
+--
+diff --git a/cmake/gRPCConfig.cmake.in b/cmake/gRPCConfig.cmake.in
+index 98d8c6d..5500ca2 100644
+--- a/cmake/gRPCConfig.cmake.in
++++ b/cmake/gRPCConfig.cmake.in
+@@ -1,5 +1,6 @@
+ # Module path
+ list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_LIST_DIR}/modules)
++include(CMakeFindDependencyMacro)
+ 
+ # Depend packages
+ @_gRPC_FIND_ZLIB@

user/grpc/makefile-use-system-abseil.patch

@@ -0,0 +1,22 @@
+--- a/Makefile
++++ b/Makefile
+@@ -575,8 +575,8 @@
+ 
+ # Setup abseil dependency
+ 
+-GRPC_ABSEIL_DEP = $(LIBDIR)/$(CONFIG)/libgrpc_abseil.a
+-GRPC_ABSEIL_MERGE_LIBS = $(LIBDIR)/$(CONFIG)/libgrpc_abseil.a
++GRPC_ABSEIL_DEP = -labsl_base -labsl_int128 -labsl_strings -labsl_time -labsl_bad_optional_access -labsl_throw_delegate -labsl_str_format_internal
++GRPC_ABSEIL_MERGE_LIBS = -labsl_base -labsl_int128 -labsl_strings -labsl_time -labsl_bad_optional_access -labsl_throw_delegate -labsl_str_format_internal
+ 
+ # Setup re2 dependency
+ 
+@@ -2809,7 +2809,7 @@
+     third_party/abseil-cpp/absl/types/bad_variant_access.cc \
+ 
+ 
+-LIBGRPC_ABSEIL_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(LIBGRPC_ABSEIL_SRC))))
++LIBGRPC_ABSEIL_OBJS =
+ 
+ $(LIBGRPC_ABSEIL_OBJS): CPPFLAGS += -g -Ithird_party/abseil-cpp
+ 

user/grpc/ruby-fix-protoc-path.patch

@@ -0,0 +1,25 @@
+Patch-Source: https://sources.debian.org/src/grpc/1.44.0-3/debian/patches/fix-protoc-path.patch (modified)
+
+--- a/src/ruby/end2end/package_with_underscore_test.rb
++++ b/src/ruby/end2end/package_with_underscore_test.rb
+@@ -20,8 +20,8 @@ def main
+   pb_dir = File.join(root_dir, 'src', 'ruby', 'end2end', 'protos')
+ 
+-  bins_dir = File.join(root_dir, 'cmake', 'build')
++  bins_dir = '/usr/bin'
+   plugin = File.join(bins_dir, 'grpc_ruby_plugin')
+-  protoc = File.join(bins_dir, 'third_party', 'protobuf', 'protoc')
++  protoc = File.join(bins_dir, 'protoc')
+ 
+   got = nil
+ 
+--- a/src/ruby/tools/bin/grpc_tools_ruby_protoc
++++ b/src/ruby/tools/bin/grpc_tools_ruby_protoc
+@@ -25,6 +25,5 @@ plugin_name = 'grpc_ruby_plugin' + ext
+ 
+-protoc_dir = File.join(File.dirname(__FILE__),
+-                       PLATFORM.architecture + '-' + PLATFORM.os_name)
++protoc_dir = '/usr/bin'
+ 
+ protoc_path = File.join(protoc_dir, protoc_name)
+ 

user/grpc/ruby-use-shared-libs.patch

@@ -0,0 +1,81 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Wed, 24 Aug 2022 21:20:22 +0200
+Subject: [PATCH] Link with shared libraries, don't embed anything
+
+- Don't statically link openssl, zlib and cares.
+- Don't build and statically link libgrpc, link shared libgrpc.
+- Don't statically link libgcc and libstdc++.
+
+diff --git a/src/ruby/ext/grpc/extconf.rb b/src/ruby/ext/grpc/extconf.rb
+index 98a8876..808ecfe 100644
+--- a/src/ruby/ext/grpc/extconf.rb
++++ b/src/ruby/ext/grpc/extconf.rb
+@@ -69,11 +69,11 @@ if apple_toolchain && !cross_compiling
+ end
+ 
+ # Don't embed on TruffleRuby (constant-time crypto is unsafe with Sulong, slow build times)
+-ENV['EMBED_OPENSSL'] = (RUBY_ENGINE != 'truffleruby').to_s
++ENV['EMBED_OPENSSL'] = 'false'
+ # Don't embed on TruffleRuby (the system zlib is already linked for the zlib C extension, slow build times)
+-ENV['EMBED_ZLIB'] = (RUBY_ENGINE != 'truffleruby').to_s
++ENV['EMBED_ZLIB'] = 'false'
+ 
+-ENV['EMBED_CARES'] = 'true'
++ENV['EMBED_CARES'] = 'false'
+ 
+ ENV['ARCH_FLAGS'] = RbConfig::CONFIG['ARCH_FLAG']
+ if apple_toolchain && !cross_compiling
+@@ -97,32 +97,7 @@
+ strip_tool = RbConfig::CONFIG['STRIP']
+ strip_tool += ' -x' if apple_toolchain
+ 
+-unless windows
+-  puts 'Building internal gRPC into ' + grpc_lib_dir
+-  nproc = 4
+-  nproc = Etc.nprocessors if Etc.respond_to? :nprocessors
+-  nproc_override = ENV['GRPC_RUBY_BUILD_PROCS']
+-  unless nproc_override.nil? or nproc_override.size == 0
+-    nproc = nproc_override
+-    puts "Overriding make parallelism to #{nproc}"
+-  end
+-  make = bsd ? 'gmake' : 'make'
+-  cmd = "#{make} -j#{nproc} -C #{grpc_root} #{grpc_lib_dir}/libgrpc.a CONFIG=#{grpc_config} Q="
+-  puts "Building grpc native library: #{cmd}"
+-  system(cmd)
+-  exit 1 unless $? == 0
+-
+-  if grpc_config == 'opt'
+-    rm_obj_cmd = "rm -rf #{File.join(output_dir, 'objs')}"
+-    puts "Removing grpc object files: #{rm_obj_cmd}"
+-    system(rm_obj_cmd)
+-    exit 1 unless $? == 0
+-    strip_cmd = "#{strip_tool} #{grpc_lib_dir}/*.a"
+-    puts "Stripping grpc native library: #{strip_cmd}"
+-    system(strip_cmd)
+-    exit 1 unless $? == 0
+-  end
+-end
++$LDFLAGS << ' -L' + ENV.fetch('TOPDIR', '.')
+ 
+ $CFLAGS << ' -DGRPC_RUBY_WINDOWS_UCRT' if windows_ucrt
+ $CFLAGS << ' -I' + File.join(grpc_root, 'include')
+@@ -118,7 +103,7 @@ ext_export_file += '-truffleruby' if RUBY_ENGINE == 'truffleruby'
+ $LDFLAGS << ' -Wl,--version-script="' + ext_export_file + '.gcc"' if linux
+ $LDFLAGS << ' -Wl,-exported_symbols_list,"' + ext_export_file + '.clang"' if apple_toolchain
+ 
+-$LDFLAGS << ' ' + File.join(grpc_lib_dir, 'libgrpc.a') unless windows
++$LDFLAGS << ' -Wl,-wrap,memcpy -lgrpc' unless windows
+ if grpc_config == 'gcov'
+   $CFLAGS << ' -O0 -fprofile-arcs -ftest-coverage'
+   $LDFLAGS << ' -fprofile-arcs -ftest-coverage -rdynamic'
+@@ -129,10 +114,6 @@ if grpc_config == 'dbg'
+ end
+ 
+ $LDFLAGS << ' -Wl,-wrap,memcpy' if linux
+-# Do not statically link standard libraries on TruffleRuby as this does not work when compiling to bitcode
+-if linux && RUBY_ENGINE != 'truffleruby'
+-  $LDFLAGS << ' -static-libgcc -static-libstdc++'
+-end
+ $LDFLAGS << ' -static' if windows
+ 
+ $CFLAGS << ' -std=c11 '

user/grpc/ruby-use-system-certs.patch

@@ -0,0 +1,15 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Fri, 20 May 2017 01:35:00 +0200
+Subject: [PATCH] Use system CA certificates
+
+--- a/src/ruby/lib/grpc.rb
++++ b/src/ruby/lib/grpc.rb
+@@ -12,7 +12,7 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ 
+-ssl_roots_path = File.expand_path('../../../../etc/roots.pem', __FILE__)
++ssl_roots_path = '/etc/ssl/certs/ca-certificates.crt'
+ 
+ require_relative 'grpc/errors'
+ require_relative 'grpc/structs'

user/i18nspector/APKBUILD

@@ -1,31 +0,0 @@
-# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
-# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
-pkgname=i18nspector
-pkgver=0.27.1
-pkgrel=0
-pkgdesc="checking tool for gettext POT, PO and MO files"
-url="https://jwilk.net/software/i18nspector"
-arch="noarch"
-license="MIT"
-depends="py3-polib py3-rply"
-checkdepends="python3-dev py3-pytest"
-makedepends="py3-docutils py3-setuptools py3-gpep517 py3-wheel perl"
-source="$pkgname-$pkgver.tar.gz::https://github.com/jwilk/i18nspector/archive/refs/tags/$pkgver.tar.gz"
-subpackages="$pkgname-doc"
-options="!check" # test failure
-
-build() {
-	make -C doc
-}
-
-check() {
-	pytest -v
-}
-
-package() {
-	make PREFIX=/usr DESTDIR="$pkgdir" install
-}
-
-sha512sums="
-b6b3d68ba03ead88393d6fff7233ec6d67196496f3eaaba8fe036ac9976746370885f72ec3c4e6b4dbf892f3d04c505a306900fafade1623e90ec9c1ad546166  i18nspector-0.27.1.tar.gz
-"

user/listmonk/APKBUILD

@@ -0,0 +1,71 @@
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+pkgname=listmonk
+pkgver=3.0.0
+pkgrel=0
+pkgdesc='Self-hosted newsletter and mailing list manager with a modern dashboard'
+arch="all"
+url=https://listmonk.app
+license="AGPL3"
+depends="
+	libcap-setcap
+	postgresql
+	procps
+	"
+makedepends="go npm nodejs yarn"
+source="
+	$pkgname-$pkgver.tar.gz::https://github.com/knadh/listmonk/archive/v$pkgver.tar.gz
+	listmonk.sh
+	listmonk.openrc
+	"
+install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade"
+subpackages="$pkgname-openrc"
+pkgusers="listmonk"
+pkggroups="listmonk"
+
+build() {
+	go build \
+		-trimpath \
+		-buildmode=pie \
+		-mod=readonly \
+		-modcacherw \
+		-ldflags "-extldflags '$LDFLAGS' -X 'main.buildString=Alpine Linux v$pkgver-$pkgrel' -X 'main.versionString=v$pkgver'" \
+		-o $pkgname \
+		cmd/*.go
+
+	(
+		cd frontend
+		export YARN_CACHE_FOLDER="$srcdir/node_modules"
+		export VUE_APP_VERSION="v$pkgver"
+		yarn install --frozen-lockfile
+		yarn build
+	)
+}
+
+check() {
+	go test ./...
+}
+
+package() {
+	install -Dm755 "$srcdir"/listmonk.sh "$pkgdir"/usr/bin/listmonk
+	install -Dm644 config.toml.sample "$pkgdir"/etc/listmonk/config.toml
+	install -Dm644 -t "$pkgdir"/usr/share/webapps/listmonk/ \
+		schema.sql \
+		queries.sql \
+		config.toml.sample
+	install -Dm755 listmonk "$pkgdir"/usr/share/webapps/listmonk/
+	install -Dm644 -t "$pkgdir"/usr/share/webapps/listmonk/frontend/dist/ \
+		frontend/dist/static/favicon.png
+	cp -a frontend/dist/static "$pkgdir"/usr/share/webapps/listmonk/frontend/dist/static
+	cp -a frontend/dist/index.html "$pkgdir"/usr/share/webapps/listmonk/frontend/dist/index.html
+	cp -a static "$pkgdir"/usr/share/webapps/listmonk/
+	cp -a i18n "$pkgdir"/usr/share/webapps/listmonk/
+	install -Dm755 "$srcdir"/$pkgname.openrc \
+		"$pkgdir"/etc/init.d/$pkgname
+	ln -s /etc/listmonk/config.toml "$pkgdir"/usr/share/webapps/listmonk/config.toml
+}
+sha512sums="
+afd0ea1d4d2b2753c3043526590cf09c45a541a2d818f5d1581644ffd10818326fd553a3b04bca59494860a7bb6e96364b08afd33d337a9fc5c71bedd1a5ee6c  listmonk-3.0.0.tar.gz
+939450af4b23708e3d23a5a88fad4c24b957090bdd21351a6dd520959e52e45e5fcac117a3eafa280d9506616dae39ad3943589571f008cac5abe1ffd8062424  listmonk.sh
+8e9c0b1f335c295fb741418246eb17c7566e5e4200a284c6483433e8ddbf5250aa692435211cf062ad1dfcdce3fae9148def28f03f2492d33fe5e66cbeebd4bd  listmonk.openrc
+"

user/listmonk/listmonk.openrc

@@ -0,0 +1,29 @@
+#!/sbin/openrc-run
+  
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME.conf"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/listmonk"
+command="/usr/share/webapps/listmonk/listmonk"
+command_user="listmonk"
+command_group="listmonk"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/listmonk/$RC_SVCNAME.log"
+error_log="/var/log/listmonk/$RC_SVCNAME.err"
+
+depend() {
+        need postgresql
+}
+
+start_pre() {
+	cd "$working_directory"
+        checkpath --directory --owner $command_user:$command_group --mode 0775 \
+                /var/log/listmonk \
+				/var/lib/listmonk
+}
+
+stop_pre() {
+	ebegin "Killing child processes"
+	kill $(ps -o pid= --ppid $(cat $pidfile)) || true
+}

user/listmonk/listmonk.post-install

@@ -0,0 +1,27 @@
+#!/bin/sh
+set -eu
+
+setcap 'cap_net_bind_service=+ep' /usr/share/webapps/listmonk/listmonk
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* To finish Listmonk upgrade run:
+	*
+	*     listmonk --upgrade
+	*
+	EOF
+else
+	cat >&2 <<-EOF
+	*
+	* 1. Adjust settings in /etc/listmonk/config.toml.
+	*
+	* 2. Create database for Listmonk:
+	*
+	*     psql -c "CREATE ROLE listmonk PASSWORD 'top-secret' INHERIT LOGIN;"
+	*     psql -c "CREATE DATABASE listmonk OWNER listmonk ENCODING 'UTF-8';"
+	*
+	* 3. Run "listmonk --install"
+	*
+	EOF
+fi

user/listmonk/listmonk.post-upgrade

@@ -0,0 +1 @@
+listmonk.post-install

user/listmonk/listmonk.pre-install

@@ -0,0 +1,21 @@
+#!/bin/sh
+# It's very important to set user/group correctly.
+
+listmonk_dir='/var/lib/listmonk'
+
+if ! getent group listmonk 1>/dev/null; then
+	echo '* Creating group listmonk' 1>&2
+
+	addgroup -S listmonk
+fi
+
+if ! id listmonk 2>/dev/null 1>&2; then
+	echo '* Creating user listmonk' 1>&2
+
+	adduser -DHS -G listmonk -h "$listmonk_dir" -s /bin/sh  \
+		-g "added by apk for listmonk" listmonk
+	passwd -u listmonk 1>/dev/null  # unlock
+fi
+
+
+exit 0

user/listmonk/listmonk.sh

@@ -0,0 +1,12 @@
+
+#!/bin/sh
+
+BUNDLE_DIR='/usr/share/webapps/listmonk'
+
+cd $BUNDLE_DIR
+
+if [ "$(id -un)" != 'listmonk' ]; then
+	exec su listmonk -c '"$0" "$@"' -- ./listmonk "$@"
+else
+	exec ./listmonk "$@"
+fi

user/loomio/APKBUILD

@@ -0,0 +1,196 @@
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+pkgname=loomio
+pkgver=2.21.4
+_gittag=v$pkgver
+pkgrel=0
+pkgdesc="A collaborative decision making tool"
+url="https://github.com/loomio/loomio"
+arch="x86_64"
+license="MIT"
+depends="
+	postgresql
+	postgresql-contrib
+	python3
+	redis
+	ruby3.2
+	ruby3.2-bundler
+	ruby3.2-grpc
+	vips
+	npm
+	procps-ng
+	"
+makedepends="
+	cmd:chrpath
+	ruby3.2-dev
+	nodejs
+	openssl-dev
+	readline-dev
+	zlib-dev
+	libpq-dev
+	libffi-dev
+	imagemagick-dev
+	"
+pkgusers="loomio"
+pkggroups="loomio www-data"
+install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade"
+subpackages="$pkgname-openrc"
+source="
+	$pkgname-$pkgver.tar.gz::https://github.com/loomio/loomio/archive/refs/tags/v$pkgver.tar.gz
+	bin-wrapper.in
+	loomio.confd
+	loomio.logrotate
+	loomio.sidekiq.initd
+	loomio.vue.initd
+	loomio.initd
+	"
+_prefix="usr/lib/webapps/loomio"
+
+export BUNDLE_DEPLOYMENT=true
+export BUNDLE_FORCE_RUBY_PLATFORM=true
+export BUNDLE_FROZEN=true
+export BUNDLE_JOBS=${JOBS:-2}
+
+prepare() {
+	local sysgemdir=$(ruby -e 'puts Gem.default_dir')
+
+	default_prepare
+
+	# Allow use of any bundler
+	sed -i -e '/BUNDLED/,+1d' Gemfile.lock
+
+	# Allow use of any platform
+	sed -i -e 's/PLATFORMS/PLATFORMS\n  ruby/' Gemfile.lock
+
+	# Some gems are broken, so we copy our fixed version
+	# instead of installing it from RubyGems using Bundler.
+	mkdir -p vendor/gems/grpc/src/ruby/lib/grpc
+	cp -r "$sysgemdir"/gems/grpc-*/* vendor/gems/grpc/
+	cp "$sysgemdir"/specifications/grpc-*.gemspec \
+		vendor/gems/grpc/grpc.gemspec
+	cp "$sysgemdir"/extensions/*/*/grpc-*/grpc/*.so \
+		vendor/gems/grpc/src/ruby/lib/grpc/
+}
+
+build() {
+	local bundle_without='exclude development test'
+
+	bundle config --local build.ffi --enable-system-libffi
+	bundle config --local build.vips --enable-system-libraries
+	bundle config --local build.nokogiri --use-system-libraries \
+		--with-xml2-include=/usr/include/libxml2 \
+		--with-xslt-include=/usr/include/libxslt
+	bundle config --local build.google-protobuf '-- --with-cflags=-D__va_copy=va_copy'
+
+	msg "Installing Ruby gems..."
+	bundle config --local without "$bundle_without"
+	bundle config --local path "vendor/bundle"
+
+	bundle install --no-cache
+
+	msg "Precompiling static assets..."
+	bundle exec bootsnap precompile --gemfile app/ lib/
+
+	# Create executables in bin/*.
+	# See also https://github.com/bundler/bundler/issues/6149.
+	bundle binstubs --force bundler puma sidekiq
+
+	# Remove faulty RPATH.
+	chrpath -d vendor/bundle/ruby/*/gems/*/lib/nokogiri/*/nokogiri.so
+
+	# cp grpc so
+	cp vendor/gems/grpc/src/ruby/lib/grpc/grpc_c.so vendor/bundle/ruby/*/gems/grpc*/src/ruby/lib/grpc/.
+	rm -R vendor/bundle/ruby/*/gems/grpc*/src/ruby/lib/grpc/3* vendor/bundle/ruby/*/gems/grpc*/src/ruby/lib/grpc/2*
+
+	msg "Installing npm modules..."
+	cd vue
+	# force as vite-plugin-yaml hasn't updated their peerDependencies list yet
+	npm ci --force
+	npm run build
+}
+
+package() {
+	local destdir="$pkgdir/$_prefix"
+	local datadir="$pkgdir/var/lib/loomio"
+	local file dest
+
+	# Make directories
+	install -dm 755 \
+		"$(dirname $destdir)" \
+		"$datadir"
+
+	mkdir -p "$(dirname $destdir)"
+	cp -R "$builddir" "$destdir"
+
+	cd "$destdir"/vendor/bundle/ruby/*/
+
+	# Remove tests, documentations and other useless files.
+	find gems/ \( -name 'doc' \
+	           -o -name 'spec' \
+	           -o -name 'test' \) \
+		-type d -maxdepth 2 -exec rm -fr "{}" +
+	find gems/ \( -name 'README*' \
+	           -o -name 'CHANGELOG*' \
+	           -o -name 'CONTRIBUT*' \
+	           -o -name '*LICENSE*' \
+	           -o -name 'Rakefile' \
+	           -o -name '.*' \) \
+		-type f -delete
+
+	# Remove build logs and cache.
+	rm -rf build_info/ cache/
+	find extensions/ \( -name gem_make.out -o -name mkmf.log \) -delete
+
+	cd "$destdir"
+
+	# Install and symlink config files.
+	for file in	database.yml.postgresql puma.rb	sidekiq.yml; do
+		dest="$(basename "${file/.postgresql/}")"
+		install -m640 -g loomio -D config/$file "$pkgdir"/etc/loomio/$dest
+		ln -sf /etc/loomio/$dest "$pkgdir"/$_prefix/config/${file/.postgrewsql/}
+	done
+
+	# This file will be generated by the post-install script, just prepare symlink.
+	ln -sf /etc/loomio/secrets.yml config/secrets.yml
+	# These shouldn't be necessary, they are all configurable, but OmniBus
+
+	cat > "$datadir"/.profile <<-EOF
+		export RAILS_ENV=production
+		export NODE_ENV=production
+		export EXECJS_RUNTIME=Disabled
+	EOF
+
+	# Install wrapper scripts to /usr/bin.
+	local name; for name in rake rails; do
+		sed "s/__COMMAND__/$name/g" "$srcdir"/bin-wrapper.in \
+			> "$builddir"/loomio-$name
+		install -m755 -D "$builddir"/loomio-$name "$pkgdir"/usr/bin/loomio-$name
+	done
+
+	for file in $pkgname $pkgname.sidekiq $pkgname.vue; do
+		install -m755 -D "$srcdir"/$file.initd "$pkgdir"/etc/init.d/$file
+	done
+
+	install -m644 -D "$srcdir"/loomio.confd \
+		"$pkgdir"/etc/conf.d/loomio
+
+	install -m644 -D "$srcdir"/loomio.logrotate \
+		"$pkgdir"/etc/logrotate.d/loomio
+}
+
+assets() {
+	depends=""
+
+	amove $_prefix/public/assets
+}
+
+sha512sums="
+72a1238c1eaa3b963bd20a09d4fc2e52798264779bdf06d3f32891f2880d246059c77381329d1274bfa5979a35740017f0ced324f88b205369e77335b403ffba  loomio-2.21.4.tar.gz
+6cd4bb030660a9f4697eeb7c6de3f7509558aab3651e68218583dfeea56634f3b9f58acb50c7c9a4188a38c19434a815dd6c347e30207c4c0ae028c8dcb6ccaf  bin-wrapper.in
+0f1c91fbd4b8099f0a115705d5af799e4492fa2a0fd54175f3bfbfb5be1122bd7fd73a7709695c7caf2dcc667f3b8715051c24f424472e1115753e43a38fdf50  loomio.confd
+1ecb0717cd5f04b894467b21d226b98d8f83b8f62afbf8da7edd57973aeabb13d121e9061cc48aec7572b1c710e82c8b44a1cedc0a924efd4bc4a124b3afe9a8  loomio.logrotate
+c5dae2b6f9a23853c3c7ac068d97a7b0269b1775f6e0169c3d8999ec67c2baf3545515ea21037e882d900b15a7abf9061dd5a584bdc82c347b54d8c134f6d7a4  loomio.sidekiq.initd
+f774954d8b06aacab27af9593b1b12fbe18ec2d0593dd4f82e4d3dfbc7e325fb1a423347fd974a2ec6665776a6cfe85f255f4fd7493c97eb840f34eb7fbdb329  loomio.vue.initd
+645637c4112ec91ec2ea6022713e77a8ee76c0f0a81f9adf1f9210b52a578e94b5b02f0b6244b173905f580f72dc362b5434c714aae11e3619f73af223891bb8  loomio.initd
+"

user/loomio/bin-wrapper.in

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+BUNDLE_DIR='/usr/lib/webapps/loomio'
+export RAILS_ENV='production'
+export NODE_ENV='production'
+export EXECJS_RUNTIME='Disabled'
+
+cd $BUNDLE_DIR
+install -m 700 -o loomio -g loomio -d "$(readlink ./tmp)"
+
+if [ "$(id -un)" != 'loomio' ]; then
+	exec su loomio -c '"$0" "$@"' -- bin/__COMMAND__ "$@"
+else
+	exec bin/__COMMAND__ "$@"
+fi

user/loomio/loomio.confd

@@ -0,0 +1,32 @@
+# Configuration file for /etc/init.d/loomio and
+# /etc/init.d/loomio.{vue,sidekiq}
+
+# Specify how many processes to create using sidekiq-cluster and which queue
+# they should handle. Each whitespace-separated item equates to one additional
+# Sidekiq process, and comma-separated values in each item determine the queues
+# it works on. The special queue name "*" means all queues.
+# Example: "* gitlab_shell process_commit,post_receive"
+# See https://docs.gitlab.com/ee/administration/sidekiq/extra_sidekiq_processes.html.
+#sidekiq_queue_groups="*"
+
+# Maximum threads to use with Sidekiq (default: 50, 0 to disable).
+#sidekiq_max_concurrency=
+
+# Minimum threads to use with Sidekiq (default: 0).
+#sidekiq_min_concurrency=
+
+# The number of seconds to wait between worker checks.
+#sidekiq_interval=
+
+# Graceful timeout for all running processes.
+#sidekiq_shutdown_timeout=
+
+# Run workers for all queues in sidekiq_queues.yml except the given ones.
+#sidekiq_negate=no
+
+# Run workers based on the provided selector.
+#sidekiq_queue_selector=no
+
+# Memory limit (in MiB) for the Sidekiq process. If the RSS (Resident Set Size)
+# of the Sidekiq process exceeds this limit, a delayed shutdown is triggered.
+#sidekiq_memkiller_max_rss=2000

user/loomio/loomio.initd

@@ -0,0 +1,39 @@
+#!/sbin/openrc-run
+
+name="Loomio"
+description="Meta script for starting/stopping all the Loomio components"
+subservices="loomio.sidekiq loomio.vue"
+
+depend() {
+	use net
+}
+
+start() {
+	local ret=0
+
+	ebegin "Starting all Loomio components"
+	local svc; for svc in $subservices; do
+		service $svc start || ret=1
+	done
+	eend $ret
+}
+
+stop() {
+	local ret=0
+
+	ebegin "Stopping all Loomio components"
+	local svc; for svc in $subservices; do
+		service $svc stop || ret=1
+	done
+	eend $ret
+}
+
+status() {
+	local ret=0
+
+	local svc; for svc in $subservices; do
+		echo "$svc:"
+		service $svc status || ret=1
+	done
+	eend $ret
+}

user/loomio/loomio.logrotate

@@ -0,0 +1,11 @@
+/var/log/loomio/*.log {
+	compress
+	copytruncate
+	delaycompress
+	maxsize 10M
+	minsize 1M
+	missingok
+	sharedscripts
+	rotate 10
+	weekly
+}

user/loomio/loomio.post-install

@@ -0,0 +1,32 @@
+#!/bin/sh
+set -eu
+
+group=loomio
+config_file='/etc/loomio/config.yml'
+
+#if [ $(grep '@@SECRET_KEY@@' "$config_file") ]; then
+#	echo "* Generating random secret in $config_file" >&2
+
+#	secret_key="$(pwgen -s 50 1)"
+#	sed -i "s|@@SECRET_KEY@@|$secret_key|" "$config_file"
+#fi
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* To finish Loomio upgrade run:
+	*
+	*
+	EOF
+else
+	cat >&2 <<-EOF
+	*
+	* 1. Adjust settings in /etc/loomio/config.yml.
+	*
+	* 2. Create database for loomio:
+	*
+	*     psql -c "CREATE ROLE loomio PASSWORD 'top-secret' INHERIT LOGIN;"
+	*     psql -c "CREATE DATABASE loomio OWNER loomio ENCODING 'UTF-8';"
+	*
+	EOF
+fi

user/loomio/loomio.post-upgrade

@@ -0,0 +1 @@
+loomio.post-install

user/loomio/loomio.pre-install

@@ -0,0 +1,26 @@
+#!/bin/sh
+# It's very important to set user/group correctly.
+
+loomio_dir='/var/lib/loomio'
+
+if ! getent group loomio 1>/dev/null; then
+	echo '* Creating group loomio' 1>&2
+
+	addgroup -S loomio
+fi
+
+if ! id loomio 2>/dev/null 1>&2; then
+	echo '* Creating user loomio' 1>&2
+
+	adduser -DHS -G loomio -h "$loomio_dir" -s /bin/sh  \
+		-g "added by apk for loomio" loomio
+	passwd -u loomio 1>/dev/null  # unlock
+fi
+
+if ! id -Gn loomio | grep -Fq redis; then
+	echo '* Adding user loomio to group www-data' 1>&2
+
+	addgroup loomio www-data
+fi
+
+exit 0

user/loomio/loomio.sidekiq.initd

@@ -0,0 +1,32 @@
+#!/sbin/openrc-run
+
+name="Loomio background workers Service"
+root="/usr/share/webapps/loomio"
+pidfile="/run/loomio-sidekiq.pid"
+logfile="/var/log/loomio/sidekiq.log"
+
+depend() {
+    use net
+    need redis
+}
+
+start() {
+    ebegin "Starting Loomio background workers"
+
+    cd $root
+
+    start-stop-daemon --start --background \
+        --chdir "${root}" \
+        --user="loomio" \
+        --make-pidfile --pidfile="${pidfile}" \
+	-1 "${logfile}" -2 "${logfile}" \
+        --exec /usr/bin/env -- RAILS_ENV=production bundle exec rails s
+    eend $?
+}
+
+stop() {
+    ebegin "Stopping Loomio background workers"
+    start-stop-daemon --stop \
+        --pidfile=${pidfile} \
+    eend $?
+}

user/loomio/loomio.vue.initd

@@ -0,0 +1,31 @@
+#!/sbin/openrc-run
+  
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME.conf"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/bundles/loomio"
+command="npm"
+command_args="run serve"
+command_user="loomio"
+command_group="loomio"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/loomio/$RC_SVCNAME.log"
+error_log="/var/log/loomio/$RC_SVCNAME.err"
+
+depend() {
+        need redis
+        need postgresql
+}
+
+start_pre() {
+	cd "$working_directory"
+        checkpath --directory --owner $command_user:$command_group --mode 0775 \
+                /var/log/loomio \
+                /var/lib/loomio
+}
+
+stop_pre() {
+	ebegin "Killing child processes"
+	kill $(ps -o pid= --ppid $(cat $pidfile)) || true
+}

user/mastodon/APKBUILD

@@ -0,0 +1,202 @@
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+pkgname=mastodon
+_pkgname=$pkgname
+pkgver=4.2.10
+_gittag=v$pkgver
+pkgrel=1
+pkgdesc="Self-hosted social media and network server based on ActivityPub and OStatus"
+arch="x86_64"
+url="https://github.com/mastodon/mastodon"
+license="AGPL-3.0-only"
+depends="
+	$pkgname-assets=$pkgver-r$pkgrel
+	ffmpeg
+	file
+	gcompat
+	imagemagick
+	nodejs
+	npm
+	protobuf
+	py3-elasticsearch
+	redis
+	ruby3.2
+	ruby3.2-bundler
+	yarn
+	"
+makedepends="
+	gnu-libiconv-dev
+	icu-dev
+	libffi-dev
+	libidn-dev
+	libxml2-dev
+	libxslt-dev
+	openssl-dev
+	postgresql-dev
+	protobuf-dev
+	ruby3.2-dev
+	yaml-dev
+	zlib-dev
+	"
+install="
+	$pkgname.pre-install
+	$pkgname.post-upgrade
+	$pkgname.post-install
+	"
+source="
+	mastodon-$_gittag.tar.gz::https://github.com/mastodon/mastodon/archive/$_gittag.tar.gz
+	mastodon.initd
+	mastodon.web.initd
+	mastodon.sidekiq.initd
+	mastodon.streaming.initd
+	mastodon.logrotate
+	bin-wrapper.in
+	"
+subpackages="$pkgname-openrc $pkgname-assets::noarch"
+options="!check" # No test suite
+
+_prefix="usr/lib/bundles/$_pkgname"
+
+export BUNDLE_DEPLOYMENT=true
+export BUNDLE_FORCE_RUBY_PLATFORM=true
+export BUNDLE_FROZEN=true
+export BUNDLE_JOBS=${JOBS:-2}
+
+prepare() {
+	default_prepare
+
+	# Allow use of any bundler
+	sed -i -e '/BUNDLED/,+1d' Gemfile.lock
+
+	# Allow use of higher Node versions
+	sed -i 's/"node": .*"/"node": ">=14.15"/' package.json
+
+	mkdir -p "$srcdir"/gem-cache
+}
+
+build() {
+	local bundle_without='exclude development'
+
+	msg "Installing Ruby gems..."
+	bundle config --local build.nokogiri --use-system-libraries \
+		--with-xml2-include=/usr/include/libxml2 \
+		--with-xslt-include=/usr/include/libxslt
+	bundle config --local build.ffi --enable-system-libffi
+	bundle config --local build.idn --enable-system-libidn
+	bundle config --local path "vendor/bundle"
+	bundle config --local set deployment 'false'
+	bundle config --local set without "$bundle_without"
+
+	bundle install --no-cache -j"$(getconf _NPROCESSORS_ONLN)"
+
+	msg "Installing npm modules..."
+	yarn install --production --frozen-lockfile
+
+	(
+		msg "Compiling assets..."
+		export NODE_ENV=production
+		export RAILS_ENV=production
+		export NODE_OPTIONS="--openssl-legacy-provider"
+
+		OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder bundle exec rails assets:precompile
+	)
+
+	msg "Cleaning assets gems..."
+	bundle config --local without "$bundle_without"
+	bundle clean
+
+	# Create executables in bin/*.
+	# See also https://github.com/bundler/bundler/issues/6149.
+	bundle binstubs --force bundler puma sidekiq
+}
+
+package() {
+	local destdir="$pkgdir"/$_prefix
+	local datadir="$pkgdir/var/lib/gitlab"
+	# directory creation
+	install -dm 755 \
+		"$destdir" \
+		"$datadir" \
+		"$pkgdir"/etc/init.d
+
+
+	# Install application files.
+	rmdir "$destdir"
+	cp -a "$builddir" "$destdir"
+
+	install -m755 -t "$destdir"/bin/ \
+		bin/bundle \
+		bin/rails \
+		bin/rake \
+		bin/sidekiq \
+		bin/sidekiqmon \
+		bin/tootctl \
+		bin/puma
+
+	cd "$destdir"/vendor/bundle/ruby/*/
+
+	# Remove tests, documentations and other useless files.
+	find gems/ \( -name 'doc' \
+	           -o -name 'spec' \
+	           -o -name 'test' \) \
+		-type d -maxdepth 2 -exec rm -fr "{}" +
+	find gems/ \( -name 'README*' \
+	           -o -name 'CHANGELOG*' \
+	           -o -name 'CONTRIBUT*' \
+	           -o -name '*LICENSE*' \
+	           -o -name 'Rakefile' \
+	           -o -name '.*' \) \
+		-type f -delete
+
+	# Remove assets, they are already compiled.
+	rm -r gems/doorkeeper-*/app/assets
+	rm -r gems/pghero-*/app/assets
+
+	# Remove build logs and cache.
+	rm -rf build_info/ cache/
+	find extensions/ \( -name gem_make.out -o -name mkmf.log \) -delete
+
+	cat > "$datadir"/.profile <<-EOF
+		export RAILS_ENV=production
+		export NODE_ENV=production
+		export EXECJS_RUNTIME=Disabled
+	EOF
+
+	# Install wrapper scripts to /usr/bin.
+	local name; for name in rake rails tootctl; do
+		sed "s/__COMMAND__/$name/g" "$srcdir"/bin-wrapper.in \
+			> "$builddir"/mastodon-$name
+		install -m755 -D "$builddir"/mastodon-$name "$pkgdir"/usr/bin/mastodon-$name
+	done
+
+	# Put the config file in /etc and link to it
+	touch "$pkgdir"/etc/mastodon.conf
+	ln -s /etc/mastodon.conf "$destdir"/.env.production
+	ln -s /usr/bin/node "$destdir"/node
+
+	for file in $_pkgname $_pkgname.sidekiq $_pkgname.web $_pkgname.streaming; do
+		install -m755 -D "$srcdir"/$file.initd "$pkgdir"/etc/init.d/$file
+	done
+
+	# Removing all prebuilt artifacts
+	rm -R "$destdir"/node_modules/*/prebuilds 2>&1 || true
+
+	install -m644 -D "$srcdir"/$_pkgname.logrotate \
+		"$pkgdir"/etc/logrotate.d/$_pkgname
+}
+
+assets() {
+	depends=""
+
+	amove $_prefix/public/assets
+}
+
+sha512sums="
+1fe5417136bc020a83b83eaccef7f1f46c13fc8318681f12ba556b1b6b03e25ef7b6335c28f4e6722101e97b63020cbd0d3fbacdaf9b3b5a4b73c3cf3e230813  mastodon-v4.2.10.tar.gz
+d49fea9451c97ccefe5e35b68e4274aeb427f9d1e910b89c1f6c810489c3bec1ccff72952fdaef95abf944b8aff0da84a52347540d36ff1fba5ccc19e1d935c6  mastodon.initd
+eefe12a31268245f802222c0001dac884e03adb0d301e53a1512a3cd204836ca03ad083908cd14d146cf0dce99e3a4366570efd0e40a9a490ccd381d4c63c32f  mastodon.web.initd
+8fc9249c01693bb02b8d1a6177288d5d3549addde8c03eb35cc7a32dde669171872ebc2b5deb8019dc7a12970098f1af707171fa41129be31b04e1dc1651a777  mastodon.sidekiq.initd
+03433a2f58600ca0d58e7c3713df2146ccdfc92033ccfe801dbd38bac39b66d6297f2b5ca02300caa36455b484eab2caa68c912c2f72150203bfa0e106c375fc  mastodon.streaming.initd
+83b3bae5b6fdb4d0dbc1cbe546c62c0aa77397b97d1a5d5377af032466677de188065b556710c0d96576bbae89cc76800f1ffb8cd718155eb2784da818f27619  mastodon.logrotate
+dfd0e43ac6c28387bd4aa57fd98ae41aeb5a098b6deb3e44b89f07818e2470773b025364afee7ef6fd0f664cb86bbbbe8796c9f222f5436c256a787282fbe3e1  bin-wrapper.in
+"

user/mastodon/bin-wrapper.in

@@ -0,0 +1,15 @@
+
+#!/bin/sh
+
+BUNDLE_DIR='/usr/lib/bundles/mastodon'
+export RAILS_ENV='production'
+export NODE_ENV='production'
+export EXECJS_RUNTIME='Disabled'
+
+cd $BUNDLE_DIR
+
+if [ "$(id -un)" != 'mastodon' ]; then
+	exec su mastodon -c '"$0" "$@"' -- bin/__COMMAND__ "$@"
+else
+	exec bin/__COMMAND__ "$@"
+fi

user/mastodon/mastodon.initd

@@ -0,0 +1,41 @@
+#!/sbin/openrc-run
+
+name="Mastodon"
+description="Meta script for starting/stopping all the Mastodon components"
+
+subservices="mastodon.sidekiq mastodon.streaming mastodon.web"
+
+depend() {
+	need redis postgresql
+	use net
+}
+
+start() {
+	local ret=0
+
+	ebegin "Starting all Mastodon components"
+	local svc; for svc in $subservices; do
+		service $svc start || ret=1
+	done
+	eend $ret
+}
+
+stop() {
+	local ret=0
+
+	ebegin "Stopping all Mastodon components"
+	local svc; for svc in $subservices; do
+		service $svc stop || ret=1
+	done
+	eend $ret
+}
+
+status() {
+	local ret=0
+
+	local svc; for svc in $subservices; do
+		echo "$svc:"
+		service $svc status || ret=1
+	done
+	eend $ret
+}

user/mastodon/mastodon.logrotate

@@ -0,0 +1,11 @@
+/var/log/mastodon/*.log {
+	compress
+	copytruncate
+	delaycompress
+	maxsize 10M
+	minsize 1M
+	missingok
+	sharedscripts
+	rotate 10
+	weekly
+}

user/mastodon/mastodon.post-install

@@ -0,0 +1,27 @@
+#!/bin/sh
+set -eu
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* To finish Mastodon upgrade run:
+	*
+	*     mastodon-rails db:migrate
+	*
+	EOF
+else
+	cat >&2 <<-EOF
+	*
+	* 1. Adjust settings in /etc/mastodon.conf
+	*
+	* 2. Create database for Mastodon:
+	*
+	*     psql -c "CREATE ROLE mastodon PASSWORD 'top-secret' INHERIT LOGIN;"
+	*     psql -c "CREATE DATABASE mastodon OWNER mastodon ENCODING 'UTF-8';"
+	*     psql -d mastodon -c "CREATE EXTENSION pg_trgm; CREATE EXTENSION btree_gist;"
+	*     psql -c "ALTER DATABASE name OWNER TO new_owner;"
+	*
+	* 3. Run "mastodon-rake db:migrate"
+	*
+	EOF
+fi

user/mastodon/mastodon.post-upgrade

@@ -0,0 +1 @@
+mastodon.post-install

user/mastodon/mastodon.pre-install

@@ -0,0 +1,54 @@
+#!/bin/sh
+# It's very important to set user/group correctly.
+
+mastodon_dir='/var/lib/mastodon'
+
+if ! getent group mastodon 1>/dev/null; then
+	echo '* Creating group mastodon' 1>&2
+
+	addgroup -S mastodon
+fi
+
+if ! id mastodon 2>/dev/null 1>&2; then
+	echo '* Creating user mastodon' 1>&2
+
+	adduser -DHS -G mastodon -h "$mastodon_dir" -s /bin/sh  \
+		-g "added by apk for mastodon" mastodon
+	passwd -u mastodon 1>/dev/null  # unlock
+fi
+
+if ! id -Gn mastodon | grep -Fq redis; then
+	echo '* Adding user mastodon to group redis' 1>&2
+
+	addgroup mastodon redis
+fi
+
+if [ "$(id -gn mastodon)" != 'mastodon' ]; then
+	cat >&2 <<-EOF
+	!!
+	!! User mastodon has primary group $(id -gn mastodon). We strongly recommend to change
+	!! mastodon's primary group to mastodon.
+	!!
+	EOF
+
+	# Add it at least as a supplementary group.
+	adduser mastodon mastodon
+fi
+
+user_home="$(getent passwd mastodon | cut -d: -f6)"
+
+if [ "$user_home" != "$mastodon_dir" ]; then
+	cat >&2 <<-EOF
+	!!
+	!! User mastodon has home directory in $user_home, but this package assumes
+	!! $mastodon_dir. Although it's possible to use a different directory,
+	!! it's really not easy.
+	!!
+	!! Please change mastodon's home directory to $mastodon_dir, or adjust settings
+	!! and move files yourself. Otherwise Mastodon will not work!
+	!!
+	EOF
+fi
+
+exit 0
+

user/mastodon/mastodon.sidekiq.initd

@@ -0,0 +1,32 @@
+#!/sbin/openrc-run
+
+name="Mastodon background workers Service"
+root="/usr/lib/bundles/mastodon"
+pidfile="/run/mastodon-sidekiq.pid"
+logfile="/var/log/mastodon/sidekiq.log"
+
+depend() {
+    use net
+    need redis
+}
+
+start() {
+    ebegin "Starting Mastodon background workers"
+
+    cd $root
+
+    start-stop-daemon --start --background \
+        --chdir "${root}" \
+        --user="mastodon" \
+        --make-pidfile --pidfile="${pidfile}" \
+	-1 "${logfile}" -2 "${logfile}" \
+        --exec /usr/bin/env -- RAILS_ENV=production DB_POOL=25 MALLOC_ARENA_MAX=2 bundle exec sidekiq -c 25
+    eend $?
+}
+
+stop() {
+    ebegin "Stopping Mastodon background workers"
+    start-stop-daemon --stop \
+        --pidfile=${pidfile} \
+    eend $?
+}

user/mastodon/mastodon.streaming.initd

@@ -0,0 +1,33 @@
+#!/sbin/openrc-run
+
+name="Mastodon streaming API service"
+root="/usr/lib/bundles/mastodon"
+pidfile="/run/mastodon-streaming.pid"
+logfile="/var/log/mastodon/streaming.log"
+
+depend() {
+    use net
+}
+
+start() {
+    ebegin "Starting Mastodon streaming API"
+
+    cd $root
+
+    start-stop-daemon --start \
+        --background --quiet \
+        --chdir "${root}" \
+        --user="mastodon" \
+        --make-pidfile --pidfile="${pidfile}" \
+        --stdout "${logfile}" --stderr "${logfile}" \
+        --exec /usr/bin/env -- NODE_ENV=production PORT=4000 /usr/bin/node ./streaming/index.js
+    eend $?
+}
+
+stop() {
+    ebegin "Stopping Mastodon streaming API"
+    start-stop-daemon --stop \
+        --pidfile="${pidfile}" \
+    eend $?
+}
+

user/mastodon/mastodon.web.initd

@@ -0,0 +1,29 @@
+#!/sbin/openrc-run
+
+name="Mastodon Web Service"
+root="/usr/lib/bundles/mastodon"
+pidfile="/run/mastodon-web.pid"
+logfile="/var/log/mastodon/web.log"
+
+depend() {
+    use net
+}
+
+start() {
+    ebegin "Starting Mastodon web workers"
+    cd $root
+    start-stop-daemon --start --background \
+        --chdir "${root}" \
+        --user="mastodon" \
+        --pidfile="${pidfile}" --make-pidfile \
+	--stdout="${logfile}" --stderr="${logfile}" \
+        --exec /usr/bin/env -- RAILS_ENV=production PORT=3000 bundle exec puma -C config/puma.rb
+    eend $?
+}
+
+stop() {
+    ebegin "Stopping Mastodon web workers"
+    start-stop-daemon --stop \
+        --pidfile=${pidfile} \
+    eend $?
+}

user/mathjax2/APKBUILD

@@ -3,7 +3,7 @@
 
 pkgname=mathjax2
 pkgver=2.7.9
-pkgrel=1
+pkgrel=0
 pkgdesc="An open source JavaScript display engine for mathematics that works in all modern browsers"
 url="https://www.mathjax.org/"
 arch=noarch

user/peertube/APKBUILD

@@ -0,0 +1,81 @@
+# Maintainer: Antoine Martin (ayakael) <dev@ayakael.net>
+# Contributor: Antoine Martin (ayakael) <dev@ayakael.net>
+pkgname=peertube
+pkgver=6.0.2
+pkgrel=0
+pkgdesc="ActivityPub-federated video streaming platform using P2P directly in your web browser"
+arch="x86_64"
+url="https://joinpeertube.org/"
+license="AGPL"
+depends="
+	nodejs
+	ffmpeg
+	postgresql
+	openssl
+	redis
+	npm
+	procps-ng
+	"
+makedepends="
+	yarn
+	"
+source="
+	$pkgname-$pkgver.tar.gz::https://github.com/Chocobozzz/PeerTube/archive/refs/tags/v$pkgver.tar.gz
+	peertube-manage.sh
+	peertube.conf
+	peertube.openrc
+	"
+builddir="$srcdir"/PeerTube-$pkgver
+install="$pkgname.post-install $pkgname.pre-install $pkgname.post-upgrade"
+subpackages="$pkgname-doc $pkgname-openrc"
+
+build() {
+	# need to fetch devel depencencies to build
+	yarn install --pure-lockfile
+	npm run build
+	rm -Rf "$builddir"/node_modules
+	yarn install --production --pure-lockfile
+}
+
+package() {
+	install -dm 755 \
+		"$pkgdir"/usr/share/webapps \
+		"$pkgdir"/usr/share/doc \
+		"$pkgdir"/usr/share/licenses/peertube \
+		"$pkgdir"/etc/init.d \
+		"$pkgdir"/etc/conf.d
+
+	# install
+	cp -a "$builddir" "$pkgdir/usr/share/webapps/peertube"
+
+	# wrapper script
+	install -Dm755 "$srcdir"/peertube-manage.sh "$pkgdir"/usr/bin/peertube-manage
+
+	# openrc
+	install -Dm755 "$srcdir"/peertube.openrc "$pkgdir"/etc/init.d/peertube
+	install -Dm644 "$srcdir"/peertube.conf "$pkgdir"/etc/conf.d/peertube
+
+	# config file setup
+	rm -R "$pkgdir"/usr/share/webapps/peertube/config
+	install -Dm644 "$builddir"/config/production.yaml.example "$pkgdir"/etc/peertube/production.yaml
+	install -Dm644 "$builddir"/config/default.yaml "$pkgdir"/etc/peertube/default.yaml
+	sed -i "s|/var/www/peertube/storage|/var/lib/peertube|g" "$pkgdir"/etc/peertube/production.yaml "$pkgdir"/etc/peertube/default.yaml
+	sed -i "s| tmp:.*| tmp: '/tmp/peertube/'|" "$pkgdir"/etc/peertube/production.yaml "$pkgdir"/etc/peertube/default.yaml
+	sed -i "s|tmp_persistent:.*|tmp_persistent: '/var/tmp/peertube/'|" "$pkgdir"/etc/peertube/production.yaml "$pkgdir"/etc/peertube/default.yaml
+	sed -i "s|logs:.*|logs: '/var/log/peertube/'|" "$pkgdir"/etc/peertube/production.yaml "$pkgdir"/etc/peertube/default.yaml
+	sed -i "s|  peertube: ''|  peertube: '@@SECRET_KEY@@'|" "$pkgdir"/etc/peertube/production.yaml
+
+	# docs and licenses
+	mv "$pkgdir"/usr/share/webapps/peertube/support/doc "$pkgdir"/usr/share/doc/$pkgname
+	mv "$pkgdir"/usr/share/webapps/peertube/*.md "$pkgdir"/usr/share/doc/peertube/.
+	mv "$pkgdir"/usr/share/webapps/peertube/LICENSE "$pkgdir"/usr/share/licenses/peertube/.
+
+	# delete arm64 prebuild
+	rm "$pkgdir"/usr/share/webapps/$pkgname/node_modules/fs-native-extensions/prebuilds/linux-arm64/node.napi.node
+}
+sha512sums="
+91bcec34902f171ffe9ab3f27ab4422319f91430cab22965a5cf9887c5293152f7f85c6fc0f355820000daea0a49327aa66f20bb4cff3850e5e3d192f347c926  peertube-6.0.2.tar.gz
+92de1155410848937eeff3bef480c4a074875b4236ce0b6bf4cd7213d00173e7766d130408419c85c4432a8445a03f5d4525e4283384d906d781510cc4fd8fc0  peertube-manage.sh
+494bb4daf98fcd62b354eb6fae18ccff19bef1243de083a93e438680deef1d9039e30eff8870b6955c3c7b10638e6df6cbeb4fbdb7539979466f502bcc72c843  peertube.conf
+5b4d3f47d0dc2ce991971ff61c604a1566811612cff91f7e6ed19b65d0830695649ddef9afff474d916a5e6764d74bb4fa6b5c12eb5e753d8fc381cdd38ab179  peertube.openrc
+"

user/peertube/peertube-manage.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+BUNDLE_DIR='/usr/share/webapps/peertube'
+
+cd $BUNDLE_DIR
+
+if [ "$(id -un)" != 'peertube' ]; then
+	source /etc/conf.d/peertube
+	export NODE_ENV NODE_CONFIG_DIR
+	exec su peertube -c '"$0" "$@"' -- npm run "$@"
+else
+	source /etc/conf.d/peertube
+	export NODE_ENV NODE_CONFIG_DIR
+	exec npm run "$@"
+fi

user/peertube/peertube.conf

@@ -0,0 +1,2 @@
+NODE_CONFIG_DIR=/etc/peertube
+NODE_ENV=production

user/peertube/peertube.openrc

@@ -0,0 +1,34 @@
+#!/sbin/openrc-run
+  
+name="$RC_SVCNAME"
+cfgfile="/etc/conf.d/$RC_SVCNAME.conf"
+pidfile="/run/$RC_SVCNAME.pid"
+working_directory="/usr/share/webapps/peertube"
+command="/usr/bin/node"
+command_args="dist/server.js"
+command_user="peertube"
+command_group="peertube"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/peertube/$RC_SVCNAME.log"
+
+depend() {
+        need redis
+        need postgresql
+}
+
+start_pre() {
+	cd "$working_directory"
+    checkpath --directory --owner $command_user:$command_group --mode 0775 \
+        /var/log/peertube \
+        /var/lib/peertube \
+		/var/tmp/peertube \
+		/tmp/peertube
+
+	export NODE_ENV NODE_CONFIG_DIR
+}
+
+stop_pre() {
+	ebegin "Killing child processes"
+	kill $(ps -o pid= --ppid $(cat $pidfile)) || true
+}

user/peertube/peertube.post-install

@@ -0,0 +1,41 @@
+#!/bin/sh
+set -eu
+
+group=www-data
+config_file='/etc/peertube/production.yaml'
+
+if grep '@@SECRET_KEY@@' "$config_file" >/dev/null; then
+	echo "* Generating random secret in $config_file" >&2
+
+	secret_key="$(openssl rand -hex 32)"
+	sed -i "s|@@SECRET_KEY@@|$secret_key|" "$config_file"
+fi
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* To finish Peertube upgrade run:
+	*
+	*
+	EOF
+else
+	cat >&2 <<-EOF
+	*
+	* 1. Adjust settings in /etc/peertube/production.yaml
+	*
+	* 2. Create database for Peertube:
+	*
+	*     psql -c "CREATE ROLE peertube PASSWORD 'top-secret' INHERIT LOGIN;"
+	*     psql -c "CREATE DATABASE peertube OWNER peertube ENCODING 'UTF-8';"
+	*
+	* 3. Start Peertube
+	*    
+	*     service peertube start
+	* 
+	* 4. Create admin user
+	*
+	*     peertube-manage reset-password -- -u root
+	*
+	EOF
+fi
+