test(palemoon): rewrite to use ci-images

Signed-off-by: Xe Iaso <me@xeiaso.net>

test/palemoon/Dockerfile

@@ -1,14 +0,0 @@
-FROM golang:alpine AS build
-
-RUN go install github.com/mattn/goreman@latest
-
-FROM debian:latest AS run
-RUN apt-get update -y && \
-  apt-get install -y tigervnc-standalone-server dwm xterm && \
-  rm -rf /var/lib/apt/lists
-ENV VNC_DESKTOP_NAME="Xtigervnc"
-ENV VNC_GEOMETRY=1280x800
-COPY app/ /app/
-COPY --from=build /go/bin/goreman /usr/bin/goreman
-
-CMD ["/app/main.sh"]

test/palemoon/Dockerfile.palemoon

@@ -1,8 +0,0 @@
-FROM debian:latest
-
-RUN apt-get update \
-  && apt-get -y install ca-certificates
-COPY palemoon.list /etc/apt/sources.list.d/palemoon.list
-COPY veit@kannegieser.net.gpg /usr/share/keyrings/veit@kannegieser.net.gpg
-RUN apt-get update \
-  && apt-get install -y palemoon veit-kannegieser-archive-keyring

test/palemoon/amd64/docker-compose.yml

@@ -0,0 +1,44 @@
+services:
+  display:
+    image: ghcr.io/techarohq/ci-images/xserver:latest
+    pull_policy: always
+    # ports:
+    #   - 5900:5900
+
+  anubis:
+    image: ko.local/anubis
+    environment:
+      BIND: ":3000"
+      TARGET: http://$TARGET
+      POLICY_FNAME: /cfg/anubis.yaml
+      SLOG_LEVEL: DEBUG
+    volumes:
+      - ../anubis:/cfg
+
+  relayd:
+    image: ghcr.io/xe/x/relayd
+    environment:
+      BIND: :443
+      CERT_DIR: /techaro/pki
+      CERT_FNAME: cert.pem
+      KEY_FNAME: key.pem
+      PROXY_TO: http://anubis:3000
+    volumes:
+      - ../../pki/relayd:/techaro/pki:ro
+
+  # novnc:
+  #   image: geek1011/easy-novnc
+  #   command: -a :5800 -h display --no-url-password
+  #   ports:
+  #     - 5800:5800
+
+  palemoon:
+    platform: linux/amd64
+    init: true
+    image: ghcr.io/techarohq/ci-images/palemoon:latest
+    command: sleep inf
+    environment:
+      DISPLAY: display:0
+    volumes:
+      - ../../pki:/usr/local/share/ca-certificates/minica:ro
+      - ../scripts:/hack/scripts:ro

test/palemoon/amd64/test.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source ../../lib/lib.sh
+
+build_anubis_ko
+mint_cert relayd
+
+go run ../../cmd/cipra/ --compose-name $(basename $(pwd))
+
+docker compose down -t 1 || :
+docker compose rm -f || :

test/palemoon/amd64/var/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

test/palemoon/anubis/anubis.yaml

@@ -3,8 +3,8 @@ bots:
     user_agent_regex: PaleMoon
     action: CHALLENGE
     challenge:
-      difficulty: 4
-      report_as: 4
+      difficulty: 2
+      report_as: 2
       algorithm: fast
 
 status_codes:

test/palemoon/app/Procfile

@@ -1,2 +0,0 @@
-xtigervnc: ./xtigervnc.sh
-dwm: ./dwm.sh

test/palemoon/app/dwm.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-export DISPLAY=:0
-while true; do
-    dwm
-    sleep 1
-done

test/palemoon/app/main.sh

@@ -1,3 +0,0 @@
-#!/bin/bash -e
-cd /app
-goreman start

test/palemoon/app/xtigervnc.sh

@@ -1,2 +0,0 @@
-#!/bin/bash -e
-exec Xtigervnc -desktop "$VNC_DESKTOP_NAME" -geometry "$VNC_GEOMETRY" -listen tcp -ac -SecurityTypes None -AlwaysShared -AcceptKeyEvents -AcceptPointerEvents -SendCutText -AcceptCutText :0

test/palemoon/docker-compose.yml

@@ -1,26 +0,0 @@
-services:
-  display:
-    build: .
-    volumes:
-      - ./app:/app:ro
-  novnc:
-    image: geek1011/easy-novnc
-    command: -a :5800 -h display --no-url-password
-    ports:
-      - 5800:5800
-  palemoon-386:
-    hostname: i386
-    platform: linux/386
-    build:
-      dockerfile: Dockerfile.palemoon
-    command: sleep inf
-    environment:
-      DISPLAY: display:0
-  palemoon-amd64:
-    hostname: amd64
-    platform: linux/amd64
-    build:
-      dockerfile: Dockerfile.palemoon
-    command: sleep inf
-    environment:
-      DISPLAY: display:0

test/palemoon/i386/docker-compose.yml

@@ -0,0 +1,44 @@
+services:
+  display:
+    image: ghcr.io/techarohq/ci-images/xserver:latest
+    pull_policy: always
+    # ports:
+    #   - 5900:5900
+
+  anubis:
+    image: ko.local/anubis
+    environment:
+      BIND: ":3000"
+      TARGET: http://$TARGET
+      POLICY_FNAME: /cfg/anubis.yaml
+      SLOG_LEVEL: DEBUG
+    volumes:
+      - ../anubis:/cfg
+
+  relayd:
+    image: ghcr.io/xe/x/relayd
+    environment:
+      BIND: :443
+      CERT_DIR: /techaro/pki
+      CERT_FNAME: cert.pem
+      KEY_FNAME: key.pem
+      PROXY_TO: http://anubis:3000
+    volumes:
+      - ../../pki/relayd:/techaro/pki:ro
+
+  # novnc:
+  #   image: geek1011/easy-novnc
+  #   command: -a :5800 -h display --no-url-password
+  #   ports:
+  #     - 5800:5800
+
+  palemoon:
+    platform: linux/386
+    init: true
+    image: ghcr.io/techarohq/ci-images/palemoon:latest
+    command: sleep inf
+    environment:
+      DISPLAY: display:0
+    volumes:
+      - ../../pki:/usr/local/share/ca-certificates/minica:ro
+      - ../scripts:/hack/scripts:ro

test/palemoon/i386/test.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source ../../lib/lib.sh
+
+build_anubis_ko
+mint_cert relayd
+
+go run ../../cmd/cipra/ --compose-name $(basename $(pwd))
+
+docker compose down -t 1 || :
+docker compose rm -f || :

test/palemoon/palemoon.list

@@ -1 +0,0 @@
-deb [           signed-by=/usr/share/keyrings/veit@kannegieser.net.gpg] https://kannegieser.net/palemoon mx23_gtk3 main

test/palemoon/scripts/install-cert.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+CERT_PATH="/usr/local/share/ca-certificates/minica/minica.pem"
+CERT_NAME="minica"
+TRUST_FLAGS="C,,"
+
+FIREFOX_DIR="$HOME/.mozilla/firefox"
+PALEMOON_DIR="$HOME/.moonchild productions/pale moon"
+
+echo "🔄 Updating system CA certificates..."
+update-ca-certificates
+
+# 🌀 Trigger Pale Moon to create its profile if needed
+if command -v palemoon &>/dev/null; then
+  echo "🚀 Launching Pale Moon to initialize profile..."
+  palemoon &>/dev/null &
+  PALEMOON_PID=$!
+
+  # Wait up to 20 seconds for prefs.js to be created
+  for i in {1..20}; do
+    set +e
+    PROFILE_DIR=$(grep Path ~/.moonchild\ productions/pale\ moon/profiles.ini | cut -d= -f2)
+    PREFS_FILE="$HOME/.moonchild productions/pale moon/$PROFILE_DIR/prefs.js"
+
+    if [[ -f "$PREFS_FILE" ]]; then
+      set -e
+      echo "✅ prefs.js found at: $PREFS_FILE"
+      break
+    fi
+
+    sleep 5
+  done
+
+  kill $PALEMOON_PID 2>/dev/null || true
+  wait $PALEMOON_PID 2>/dev/null || true
+
+  if [[ ! -f "$PREFS_FILE" ]]; then
+    echo "❌ prefs.js not found. Pale Moon did not fully initialize."
+    exit 1
+  fi
+else
+  echo "⚠️ Pale Moon is not installed or not in PATH. Skipping profile bootstrap."
+fi
+
+echo 'user_pref("security.cert_pinning.enforcement_level", 0);' >>"$PREFS_FILE"
+
+echo "✅ TLS cert validation disabled in Pale Moon profile: $PROFILE_DIR"
+
+# 🔧 Ensure certutil is installed
+if ! command -v certutil &>/dev/null; then
+  if [ -f /etc/debian_version ]; then
+    echo "🔧 'certutil' not found. Installing via apt..."
+    apt-get update
+    apt-get install -y libnss3-tools
+  else
+    echo "❌ 'certutil' not found and install is only supported on Debian-based systems."
+    exit 1
+  fi
+fi
+
+import_cert_to_profiles() {
+  local base_dir="$1"
+  local browser_name="$2"
+  local profile_glob="$3"
+
+  if [ ! -d "$base_dir" ]; then
+    echo "⚠️  $browser_name profile directory not found: $base_dir"
+    return
+  fi
+
+  echo "📌 Searching for $browser_name profiles in: $base_dir"
+
+  local found=0
+
+  for profile in "$base_dir"/$profile_glob; do
+    if [ ! -d "$profile" ]; then
+      continue
+    fi
+
+    found=1
+    local db_path="sql:$profile"
+    echo "🔍 Processing $browser_name profile: $profile"
+
+    if certutil -L -d "$db_path" | grep -q "^$CERT_NAME"; then
+      echo "  ✅ Certificate '$CERT_NAME' already exists in profile."
+      continue
+    fi
+
+    certutil -A -n "$CERT_NAME" -t "$TRUST_FLAGS" -i "$CERT_PATH" -d "$db_path"
+    echo "  ➕ Added certificate '$CERT_NAME' to $browser_name profile."
+  done
+
+  if [ "$found" -eq 0 ]; then
+    echo "⚠️  No $browser_name profiles found in: $base_dir"
+  fi
+}
+
+import_cert_to_profiles "$FIREFOX_DIR" "Firefox" "*.default*"
+import_cert_to_profiles "$PALEMOON_DIR" "Pale Moon" "*.*"
+
+echo "✅ Done. Firefox and Pale Moon profiles updated with '$CERT_NAME' certificate."

test/palemoon/test.sh

@@ -1,9 +1,7 @@
-export VERSION=$GITHUB_COMMIT-test
-export KO_DOCKER_REPO=ko.local
+#!/usr/bin/env bash
 
-set -u
+set -euo pipefail
+set -x
 
-(
-  cd ../.. &&
-    ko build --platform=all --base-import-paths --tags="latest" --image-user=1000 --image-annotation="" --image-label="" ./cmd/anubis -L
-)
+(cd amd64 && ./test.sh && docker compose down -t0 && docker compose rm)
+(cd i386 && ./test.sh && docker compose down -t0 && docker compose rm)