Healthchecks is a cron job monitoring service. It listens for HTTP
requests and email messages ("pings") from your cron jobs and
scheduled tasks ("checks"). When a ping does not arrive on time,
Healthchecks sends out alerts.
Healthchecks comes with a web dashboard, API, 25+ integrations for
delivering notifications, monthly email reports, WebAuthn 2FA
support, team management features: projects, team members, read-only
access.
Approved by: acm (mentor)
- Add dedicated beam user (UID/GID 372) for non-root execution
- Use daemon(8) for epmd process supervision and auto-restart
This addresses security concerns with epmd running as root by
providing privilege separation and automatic restart capability.
PR: 213001
Reviewed by: dch
Differential Revision: https://reviews.freebsd.org/D50874
Tinyauth is a simple authentication middleware that adds a simple
login screen or OAuth with Google, Github and any provider to all
of your docker apps. It supports all the popular proxies like
Traefik, Nginx and Caddy.
Approved by: acm (mentor)
Pocket ID is a simple OIDC provider that allows users to authenticate
with their passkeys to your services.
The goal of Pocket ID is to be simple and easy-to-use. There are
other self-hosted OIDC providers like Keycloak or ORY Hydra but
they are often too complex for simple use cases.
Additionally, what makes Pocket ID special is that it only supports
passkey authentication, which means you don't need a password. Some
people might not like this idea at first, but I believe passkeys
are the future, and once you try them, you'll love them. For example,
you can now use a physical Yubikey to sign in to all your self-hosted
services easily and securely.
Approved by: acm (mentor)
File Browser provides a file managing interface within a specified
directory and it can be used to upload, delete, preview, rename and
edit your files. It allows the creation of multiple users and each
user can have its own directory. It can be used as a standalone
app.
Approved by: acm (mentor)
tlsrpt-reporter is a TLSRPT reporting service for SMTP TLS Reporting
as defined in RFC 8460. It receives TLSRPT datagrams from an MTA,
collects them, creates a report in conformance with the TLSRPT
Reporting Schema and finally delivers the report either via SMTP,
indirectly by submitting it to a local MTA which ultimately will be
responsible for delivering the report, or directly via HTTP POST.
PR: 285012
Reported by: Yusuf Yaman
- Assign UID and GID to neo4j (both 369)
- Instruct neo4j to run as neo4j user
- Move config directory to PREFIX/etc/neo4j
- Move certificates base directory to PREFIX/etc/neo4j/certificates
- Move data directory to /var/db/neo4j/data
- Move metrics directory to /var/db/neo4j/metrics
- Move import directory to /var/db/neo4j/import
- Fix rc.d script accordingly
Partially based on information from [1] and [2]
PR: 268526 [1]
PR: 228532 [2]
Sponsored by: resulta.sk
Software Supply Chain Transparency Log
Rekor's goals are to provide an immutable tamper resistant ledger of
metadata generated within a software project's supply chain. Rekor will
enable software maintainers and build systems to record signed metadata
to an immutable record. Other parties can then query said metadata to
enable them to make informed decisions on trust and non-repudiation of
an object's lifecycle.
The Rekor project provides a restful API based server for validation and
a transparency log for storage. A CLI application is available to make
and verify entries, query the transparency log for inclusion proof,
integrity verification of the transparency log or retrieval of entries
by either public key or artifact.
Rekor fulfils the signature transparency role of sigstore's software
signing infrastructure. However, Rekor can be run on its own and is
designed to be extensible to working with different manifest schemas and
PKI tooling.
WWW: https://www.sigstore.dev/
Service for issuing RFC 3161 timestamps
Trusted timestamping is a process that has been around for some time. It
provides a timestamp record of when a document was created or modified.
A timestamp authority creates signed timestamps using public key
infrastructure. The operator of the timestamp authority must secure the
signing key material to prevent unauthorized timestamp signing.
A timestamp authority should also verify its own clock. We provide a
configuration to periodically check the current time against well-known
NTP sources.
WWW: https://sigstore.dev/
General transparency
Trillian is an implementation of the concepts described in the
Verifiable Data Structures white paper, which in turn is an extension
and generalisation of the ideas which underpin Certificate Transparency.
Trillian implements a Merkle tree whose contents are served from a data
storage layer, to allow scalability to extremely large trees. On top of
this Merkle tree, Trillian provides the following:
- An append-only Log mode, analogous to the original Certificate
Transparency logs. In this mode, the Merkle tree is effectively filled
up from the left, giving a dense Merkle tree.
Note that Trillian requires particular applications to provide their own
personalities on top of the core transparent data store functionality.
WWW: https://github.com/google/trillian
An easy to set up and use SSH honeypot, a fake SSH server that lets anyone in
and logs their activity. sshesame accepts and logs SSH connections and activity
(channels, requests), without doing anything on the host (e.g. executing
commands, making network requests).
renterd is an advanced Sia renter engineered by the Sia
Foundation. Designed to cater to both casual users seeking
straightforward data storage and developers requiring a robust API for
building apps on Sia.
hostd is an advanced Sia host solution created by the Sia Foundation,
designed to enhance the experience for storage providers within the
Sia network. Tailored for both individual and large-scale storage
providers, hostd boasts a user-friendly interface and a robust API,
empowering providers to efficiently manage their storage resources and
revenue. hostd incorporates an embedded web-UI, simplifying deployment
and enabling remote management capabilities, ensuring a smooth user
experience across a diverse range of devices.
walletd is the flagship Sia wallet, suitable for miners, exchanges,
and everyday hodlers. Its client-server architecture gives you the
flexibility to access your funds from anywhere, on any device, without
compromising the security of your private keys. The server is
agnostic, so you can derive those keys from a 12-word seed phrase, a
legacy (siad) 28-word phrase, a Ledger hardware wallet, or another
preferred method. Like other Foundation node software, walletd ships
with a slick embedded UI, but developers can easily build headless
integrations leveraging its powerful JSON API. Whether you're using a
single address or millions, walletd scales to your needs.
WWW: https://sia.tech/software/hostd
WWW: https://sia.tech/software/renterd
WWW: https://sia.tech/software/walletd
PR: 285367
un-break arm64 by installing both esbuild arches
- stop lang/go from fetching newer toolchains during build
- pet port with portfmt & portclippy, fix pkg-plist
run under non-root user by default
- add UID, GID for opengist user
- amend rc script to support user
PR: 285179
Reviewed by: fox
Sponsored by: SkunkWerks, GmbH
Remove rpicamera support, patch obtained from Alpine Linux
MediaMTX is a ready-to-use and zero-dependency real-time media server and
media proxy that allows you to publish, read, proxy, record and play back video and
audio streams. It supports multiple protocols such as SRT, WebRTC, RTSP, RTMP,
HLS, UDP/MPEG-TS and is also able to record and serve media on demand.
WWW: https://github.com/bluenviron/mediamtx
Source:
https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/79233
This is a FUSE file system driver that allows mounting a
WebDAV server as a local file system, like a disk drive.
PR: 267518 (heavily modified)
Submitted by: Ali Abdallah (current main developer)
zigbee2mqtt allows you to use your Zigbee devices without the vendor's
bridge or gateway.
It bridges events and allows you to control your Zigbee devices via
MQTT. In this way you can integrate your Zigbee devices with whatever
smart home infrastructure you are using.
Snac is a simple, minimalistic ActivityPub instance.
It features:
- Lightweight, minimal dependencies
- Extensive support of ActivityPub operations.
- Multiuser
- Mastodon API support, so Mastodon-compatible apps can be used
- Simple but effective web interface
- Easily-accessed MUTE button
- Tested interoperability with related software
- No database needed
- Totally JavaScript-free
PR: 278385
Reviewed by: bofh
Supysonic is a Python implementation of the Subsonic server API.
Current supported features are:
* browsing (by folders or tags)
* streaming of various audio file formats
* transcoding
* user or random playlists
* cover art
* starred tracks/albums and ratings
* lastfm scrobbling
* Jukebox mode
WWW: https://supysonic.readthedocs.io/
PR: 270751
OpenBao exists to provide a software solution to manage, store, and
distribute sensitive data including secrets, certificates, and keys.
The OpenBao community intends to provide this software under an
OSI-approved open-source license, led by a community run under open
governance principles.
https://openbao.org
https://github.com/openbao/openbao
PR: 280619
The Electronic Logbook (ELOG) provides a Web interface to manage notes.
Its general purpose is to make it easy for people to put and access
information online; in the form of short, time stamped text messages
with optional HTML markup for presentation, and optional file
attachments.
WWW: https://elog.psi.ch/elog/
PR: 274813
Changelog:
https://github.com/ngircd/ngircd/releases/tag/rel-27
Change maintainership:
* all commits from 2017 are "maintainer timeout" or "portmgr blanket":
https://cgit.freebsd.org/ports/log/irc/ngircd
https://www.freshports.org/irc/ngircd/
* fgsch@lodoss.net - no user in bugzilla with this email
Port changes:
* Add a dedicated system user/group pair for better daemon permissions
* Move PLIST files into pkg-plist for better conditional installation
of files
* Fix installation of documentation files to %%DOCSDIR%%
* Put configuration file (and sample) into %%ETCDIR%%
* Run a --configtest before starting daemon for sanity check
* Replace PORTVERSION with DISTVERSION
* Remove GNU_CONFIGURE_MANPREFIX
* Sort options to make portclippy happy
PR: 278919
- hydroxide does want to store some files and users were running
"hydroxide auth" as a normal user. Now, the hydroxide user has a home
directory, and it does store them there now.
- Change upstream.
PR: 280886
Changes:
* Add rc.d script to run as daemon because users had to run the port
somehow in the background on a terminal.
* Minor changes to Makefile.
PR: 280754
SpoofDPI is a simple and fast anti-censorship tool written in Go that
bypasses Deep Packet Inspection (DPI) by splitting HTTPS requests
into chunks and sending the first byte separately.
It can be run as daemon via rc.d script spoofdpi.
https://github.com/xvzc/SpoofDPI
PR: 280591
VictoriaLogs is a fast and easy-to-use, open source logs solution. It can accept
logs from popular log collectors. It provides an easy yet powerful query language
with full-text search capabilities across all the log fields via LogsQL query
language and supports fast full-text search over high-cardinality log fields.
Promxy is a prometheus proxy that makes many shards of prometheus appear
as a single API endpoint to the user. This significantly simplifies
operations and use of prometheus at scale (when you have more than one
prometheus host). Promxy delivers this unified access endpoint without
requiring any sidecars, custom-builds, or other changes to your
prometheus infrastructure.
PR: 269195
Update FoundationDB to both main supported versions, and also split
between server and client builds for convenience.
PR: 277262
Reviewed by: dch
Sponsored by: SkunkWerks, GmbH
- Compile without /dev/kmem access. This requires a small patch which
opens libkvm in a dummy mode which uses sysctls to implement most of
its interfaces rather than /dev/kmem access. This way we can drop the
dependency on /dev/kmem without rewriting existing code.
- Add a new snmpd user. Configure snmpd to drop privileges once it's
finished initialization.
- Remove the JAIL option. Now that snmpd avoids using /dev/kmem,
there's no need to have a special mode for running snmpd in jails.
The patch has been proposed upstream here:
https://sourceforge.net/p/net-snmp/mailman/net-snmp-coders/thread/ZjEwNV5BiTOQ-Adi%40nuc/#msg58766857
Approved by: zi
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45031
Benthos solves common data engineering tasks such as transformations,
integrations, and multiplexing with declarative and unit testable
configuration. This allows you to easily and incrementally adapt your data
pipelines as requirements change, letting you focus on the more exciting stuff.
Benthos is able to glue a wide range of sources and sinks together and hook
into a variety of databases, caches, HTTP APIs, lambdas and more, enabling you
to seamlessly drop it into your existing infrastructure.