Merge branch 'master' into extend_courses

.github/workflows/deploy.yml

@@ -28,9 +28,11 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      # Workaround: https://github.com/docker/build-push-action/issues/461
-      - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
@@ -61,7 +63,9 @@ jobs:
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
+          build-args: version=${{ github.sha }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
           cache-from: type=gha
           cache-to: type=gha,mode=max

Dockerfile

@@ -1,18 +1,32 @@
-FROM golang:1.21-alpine3.17 as builder
+FROM golang:1.22-alpine3.19 as builder
 
 # Ca-certificates are required to call HTTPS endpoints.
 RUN apk update && apk add --no-cache ca-certificates tzdata alpine-sdk bash && update-ca-certificates
 
+# Create appuser
+RUN adduser -D -g '' appuser
 WORKDIR /app
-COPY . .
+# Copy go mod and sum files and download dependencies
+COPY go.mod go.sum ./
+RUN go mod download
 
-RUN CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o /proxy cmd/proxy/proxy.go
+# compile the app
+COPY cmd cmd
+COPY internal internal
+
+# bundle version into binary if specified in build-args, dev otherwise.
+ARG version=dev
+# Compile statically
+RUN CGO_ENABLED=0 go build -ldflags "-w -extldflags '-static' -X internal/app.Version=${version}" -o /proxy cmd/proxy/proxy.go
+RUN CGO_ENABLED=0 go build -ldflags "-w -extldflags '-static'" -o /healthcheck cmd/healthcheck/healthcheck.go
 
 FROM scratch
 
 COPY --from=builder /proxy /proxy
+COPY --from=builder /healthcheck /healthcheck
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-EXPOSE 80
+EXPOSE 4321
+HEALTHCHECK --interval=1s --timeout=1s --start-period=2s --retries=3 CMD [ "/healthcheck" ]
 
 CMD ["/proxy"]

README.md

@@ -1,15 +1,40 @@
-# Calendar-Proxy
+# TUM Calendar Proxy
 
+![Alt text](image.png)
 
-Proxy for the TUM iCal export to remove clutter from it and optimize the output
+This is a proxy service that simplifies and enhances the iCal export from TUM Online. It allows you to:
 
-You can find more information on the about page: https://cal.tum.sexy/
+- Shorten long lesson names, such as 'Grundlagen Betriebssysteme und Systemsoftware' → 'GBS'
+- Add locations that are recognized by Google / Apple Maps
+- Filter out unwanted events, such as cancelled, duplicate or optional ones
+
+You can use the proxy service by visiting <https://cal.tum.app/> and following the instructions there.
 
 ## Development
-To run locally:
- - run `go run cmd/proxy/proxy.go` to install dependencies and run a local server for testing on port 8081
+If you want to run the proxy service locally or contribute to the project, you will need:
+
+- Go 1.22 or higher
+- Docker (optional)
+
+To run the service locally, follow these steps:
+
+- Clone this repository
+  ```sh
+  git clone https://github.com/tum-calendar-proxy/tum-calendar-proxy.git
+  ```
+- Navigate to the project directory: 
+  ```sh
+  cd tum-calendar-proxy
+  ```
+- Run the proxy server:
+  ```sh
+  go run cmd/proxy/proxy.go
+  ```
+- The service will be available at <http://localhost:4321>
+
+To build an image using Docker, follow these steps:
 
-To build a production image:
-- run `docker build -t tumcalproxy .`
-- run `docker run -p 8081:8081 tumcalproxy`
-- open http://127.0.0.1:8081 in your browser
+- ```sh
+  docker compose -f docker-compose.local.yaml up --build
+  ```
+- The service will be available at <http://localhost:4321>

SECURITY.md

@@ -0,0 +1,8 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report any and all security vulnerabilitys you found, or you think you found at app (at-symbol) tum.de .  
+We will diagnose the issue internally and propose a fix.
+The timeline of a fix depends on how severe the problem is and what impacts it has.
+As a reward for reporting such vulnerabilitys you can get exclusive stickers or other small things.

cmd/healthcheck/healthcheck.go

@@ -0,0 +1,15 @@
+package main
+
+import (
+	"log"
+	"net/http"
+	"os"
+)
+
+func main() {
+	_, err := http.Get("http://127.0.0.1:4321/health")
+	if err != nil {
+		log.Printf("Healthcheck failed: %s\n", err)
+		os.Exit(1)
+	}
+}

docker-compose.local.yaml

@@ -0,0 +1,12 @@
+services:
+  cal-proxy:
+    build: .
+    ports:
+      - 4321:4321
+    restart: always
+    # security
+    read_only: true
+    user: "1000:3000"
+    privileged: false
+    cap_drop:
+      - ALL

docker-compose.yml

@@ -0,0 +1,28 @@
+version: "3.8"
+services:
+  calendarproxy:
+    image: ghcr.io/tum-dev/calendarproxy/server:latest
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.calendarproxy.entrypoints=web"
+      - "traefik.http.routers.calendarproxy.rule=Host(`cal.tum.app`) || Host(`cal.tum.sexy`) || Host(`cal.bruck.me`)"
+      - "traefik.http.routers.calendarproxy.middlewares=webs-redirectscheme"
+
+      - "traefik.http.routers.calendarproxy-secure.entrypoints=webs"
+      - "traefik.http.routers.calendarproxy-secure.tls.certresolver=leacme"
+      - "traefik.http.routers.calendarproxy-secure.rule=Host(`cal.tum.app`) || Host(`cal.tum.sexy`) || Host(`cal.bruck.me`)"
+      - "traefik.http.services.calendarproxy-secure.loadbalancer.server.port=4321"
+
+    networks:
+      - traefik_traefik
+    # security
+    read_only: true
+    user: "1000:3000"
+    privileged: false
+    cap_drop:
+      - ALL
+
+networks:
+  traefik_traefik:
+    external: true # comment out for local use