luketic.de

7. February 20257. February 2025

How to package your SPA or PWA without a Dockerfile using Go and ko

Writing Dockerfiles is a pain in the ass.
All you want to do is publish your SPA or PWA dist files in a docker container and maybe even push it to a private registry.

Instead of having to write a Dockerfile, pull some base OS, increase the size of the container image, add potential attack surfaces / vulnerabilities coming from those base OS images, you can wrap and embed it in a Go binary.

Install ko

Create a ko-build.sh in the project root

#!/bin/bash
ko login registry.domain.tld -u myuser -p mypassword
KO_DOCKER_REPO=registry.domain.tld/user/my-frontend ko build --platform=all

#!/bin/bash

ko login registry.domain.tld -u myuser -p mypassword

KO_DOCKER_REPO=registry.domain.tld/user/my-frontend ko build --platform=all

go mod init git.domain.tld/user/repo
touch main.go

1 2	go mod init git.domain.tld/user/repo touch main.go

and edit main.go and insert the following

package main

import (
	"embed"
	"io/fs"
	"log"
	"net/http"
	"strings"
)

//go:embed dist
var pwa embed.FS

//go:embed dist/index.html
var index embed.FS

var indexFile []byte

func init() {
	var e error
	indexFile, e = index.ReadFile("dist/index.html")
	if e != nil {
		log.Fatal(e.Error())
	}
}

func main() {
	root, e := fs.Sub(pwa, "dist")
	if e != nil {
		log.Fatal(e.Error())
	}
	log.Fatal(http.ListenAndServe(":8080", Handler(root)))
}

func Handler(root fs.FS) http.Handler {
	handler := http.FileServer(http.FS(root))

	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		_path := req.URL.Path

		// static files
		if strings.Contains(_path, ".") || _path == "/" {
			handler.ServeHTTP(w, req)
			return
		}
		w.Write(indexFile)
	})
}

package main

import (

"embed"

"io/fs"

"log"

"net/http"

"strings"

)

//go:embed dist

var pwa embed.FS

//go:embed dist/index.html

var index embed.FS

var indexFile []byte

func init() {

var e error

indexFile, e = index.ReadFile("dist/index.html")

if e != nil {

log.Fatal(e.Error())

}

func main() {

root, e := fs.Sub(pwa, "dist")

if e != nil {

log.Fatal(e.Error())

}

log.Fatal(http.ListenAndServe(":8080", Handler(root)))

}

func Handler(root fs.FS) http.Handler {

handler := http.FileServer(http.FS(root))

return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

_path := req.URL.Path

// static files

if strings.Contains(_path, ".") || _path == "/" {

handler.ServeHTTP(w, req)

return

}

w.Write(indexFile)

})

}

assuming your bundler, e.g. vite, places dist files in your project root’s dist dir (vite default),

dist
├── assets
│   ├── index-D-1oofZ3.css
│   └── index-DMGf-fk6.js
├── index.html
└── vite.svg

dist

├── assets

│ ├── index-D-1oofZ3.css

│ └── index-DMGf-fk6.js

├── index.html

└── vite.svg

If your dist files are in dist/pwa and your index file is at dist/pwa/index.html edit the lines accordingly.

This is effectively what would be in nginx:

	location / {
		try_files $uri $uri/ /index.html;
	}

location / {

try_files $uri $uri/ /index.html;

}

Your container exposes port 8080

Build and publish

bash ko-build.sh

1	bash ko-build.sh

Since you only need to write this once, you can copy the main.go to every project that requires it and adjust the ko-build.sh script.

Yes, this survives CTRL+F5 reloads. It routes everything through index.html unless it’s a static file that exists on the filesystem.

#spa #pwa #go #ko #docker #registry #build #publish

4. February 2025

k8s delete pv or pvc first?

Short answer: Delete the pvc, then the pv.
From k8s v1.31 on if the external-csi-provisioner is installed (which it is with rook ceph) and the reclaim policy is Delete, if you delete the pvc, the pv is automatically deleted

#k8s #pv #pvc

18. January 202521. January 2025

Banned from entgo, why?

I wanted to create an issue, in github.com/ent/ent the size annotation doesn’t have any effect when used on a MySQL database.

I couldn’t create the issue, “unable to create issue”, and no further information.

So I said that I can’t create an issue in their discord.
Then I wrote, “So I’ve been banned. What for? Being to critical of Atlas?”

Without any response I was banned from the discord as well.

?!?

Because I don’t agree with giving them my schema information when I need to use it in a k8s context?

I don’t know because I never received a reason.

Seriously, I’ve had enough of those emotionally and mentally unstable mini dictators, banning people for personal entertainment or satisfying their inferiority complex.

Absolutely unacceptable behavior banning someone from their discord only for asking what’s wrong.

Ariel Mashraki need his head examined.

Update 21. Jan. 2025:
I created an issue with Atlas where I demanded the ban lifted or my contributions, issues, discussions and comments deleted.
That issue was deleted and I was banned from the Atlas repository.
I’m now going to file copyright and intellectural property violations with Github, also find a lawyer to sue them.

#go #golang #ent #dictator #banning #powermonger

14. January 2025

Looking back

Looking back, I feel the current point in time is like the beginning of a new chapter.
I was very hurt and angry since my Ex cheated on me in 2010 and that created a lot of pain and unusual behavior which lead to mostly bad things happening in my life.

I’m not saying everything is different, but things have changed.

I feel like I’m slowly getting my inner balance back.

3. January 20253. January 2025

Secure OBS Websocket with nginx

The OBS websocket developer has a pretty weird point of view regarding listening on private network addresses vs the current state of it listening on a public IP or IPs.
What OBS websocket currently does is listening on 0.0.0.0 which is an alias for all available IP addresses.
But if you’re controlling OBS via Websocket from the outside, it’s no one’s business what you do there.

I will explain how to turn the ws:0.0.0.0:4455 into a wss:domain.tld:443 .

It’s very simple. You need to have nginx installed and somewhere “production ready” configured.
You probably have your config files in /etc/nginx/conf.d or similar.
Create a vhost there.

server {
        listen 80;
        listen [::]:80;
        server_name domain.tld;
        include /etc/nginx/acme.conf;
        error_log /var/log/nginx/domain.tld.error.log;
        access_log /var/log/nginx/domain.tld.access.log;
        location / {
                return 301 https://domain.tld$request_uri;
        }
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;

        server_name domain.tld;

        ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

        error_log /var/log/nginx/domain.tld.error.log;
        access_log /var/log/nginx/domain.tld.access.log;

        location / {
                proxy_pass http://127.0.0.1:4455;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header Host $host;
                proxy_read_timeout 10;
                proxy_connect_timeout 10;
                proxy_redirect off;
        }
}

server {

listen 80;

listen [::]:80;

server_name domain.tld;

include /etc/nginx/acme.conf;

error_log /var/log/nginx/domain.tld.error.log;

access_log /var/log/nginx/domain.tld.access.log;

location / {

return 301 https://domain.tld$request_uri;

}

server {

listen 443 ssl;

listen [::]:443 ssl;

http2 on;

server_name domain.tld;

ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

error_log /var/log/nginx/domain.tld.error.log;

access_log /var/log/nginx/domain.tld.access.log;

location / {

proxy_pass http://127.0.0.1:4455;

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "Upgrade";

proxy_set_header Host $host;

proxy_read_timeout 10;

proxy_connect_timeout 10;

proxy_redirect off;

}

save it as /etc/nginx/conf.d/domain.tld.conf

Replace all instances of domain.tld with your domain and/or subdomain combination/name.

/etc/nginx/acme.conf

location /.well-known {
        alias /var/www/acme/.well-known;

        location ~ /.well-known/(.*) {
                default_type text/plain;
        }
}

location /.well-known {

alias /var/www/acme/.well-known;

location ~ /.well-known/(.*) {

default_type text/plain;

}

mkdir -p /var/www/acme/.well-known
chown nginx:nginx /var/www/acme/.well-known

1 2	mkdir -p /var/www/acme/.well-known chown nginx:nginx /var/www/acme/.well-known

request a new certificate from letsencrypt

certbot certonly -d domain.tld -w /var/www/acme/ --webroot

1	certbot certonly -d domain.tld -w /var/www/acme/ --webroot

and restart nginx

systemctl restart nginx

1	systemctl restart nginx

If you can’t generate a certificate, or nginx fails to start,
comment everything in the 2nd server block, aka add a # at the beginning of each line there, restart nginx, request a cert, uncomment again, restart nginx.

Connect to OBS websocket via wss://domain.tld:443

Ideally you would have a firewall on your obs server, but this is out of scope.# of this post.

Any questions, comments are below.

#obs #websocket #nginx #ws #wss