sneak/pixa
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
149 Commits 7 Branches 0 Tags
main
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
clawbot 2f15340f26
All checks were successful
check / check (push) Successful in 5s
Details
Split Dockerfile: pre-built golangci-lint stage for faster CI (#23) 
## Summary

Splits the Dockerfile into a dedicated lint stage using the pre-built `golangci/golangci-lint:v2.10.1-alpine` Docker image, replacing the manual binary download with curl/sha256 verification.

## Changes

- **Lint stage** (`AS lint`): Uses `golangci/golangci-lint:v2.10.1-alpine` pinned by sha256. Runs `make fmt-check` + `make lint`. Includes CGO deps (`build-base`, `vips-dev`, `libheif-dev`, `pkgconfig`) needed for type-checking govips imports.
- **Build stage** (`AS builder`): Depends on lint stage via `COPY --from=lint /src/go.sum /dev/null`. Runs `make test` + builds the binary. Removes `curl` (no longer needed) and the manual golangci-lint download block.
- **Runtime stage**: Unchanged.

## Benefits

- Eliminates slow multi-arch binary download + sha256 verification step
- Lint and build stages can potentially run in parallel with BuildKit
- Better Docker layer caching — lint deps cached separately from build deps
- All images remain pinned by sha256 with version+date comments

## Verification

- `docker build .` passes: fmt-check , lint (0 issues) , all tests pass , binary builds 

Closes [#18](#18)

<!-- session: agent:sdlc-manager:subagent:7aac9c54-81c8-4494-94ab-0843f97a1e62 -->

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #23
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-02 21:09:51 +01:00
.gitea/workflows
chore: add Gitea Actions CI workflow
2026-02-25 18:22:24 +07:00
cmd/pixad
Remove Buildarch from ldflags, use runtime.GOARCH instead
2026-01-08 12:38:24 -08:00
internal
fix: update Dockerfile to Go 1.25.4 and resolve gosec lint findings
2026-02-25 05:44:49 -08:00
scripts
Add manual test script for auth and encrypted URLs
2026-01-08 10:53:02 -08:00
.dockerignore
chore: update .dockerignore to policy standards
2026-02-25 18:22:35 +07:00
.editorconfig
chore: add .editorconfig
2026-02-25 18:18:06 +07:00
.gitignore
chore: update .gitignore to policy standards
2026-02-25 18:22:33 +07:00
.golangci.yml
Add project documentation and linter config
2026-01-08 02:18:45 -08:00
CLAUDE.md
Add no-silent-fallback rule to CLAUDE.md
2026-01-08 11:08:33 -08:00
config.example.yml
fix: restore original whitelist hosts in config.example.yml
2026-02-25 19:53:23 +07:00
CONVENTIONS.md
Add project documentation and linter config
2026-01-08 02:18:45 -08:00
Dockerfile
Split Dockerfile: pre-built golangci-lint stage for faster CI (#23)
2026-03-02 21:09:51 +01:00
go.mod
Switch to govips for native CGO image processing
2026-01-08 15:16:34 -08:00
go.sum
Switch to govips for native CGO image processing
2026-01-08 15:16:34 -08:00
LICENSE
chore: add GPL-3.0 LICENSE file
2026-02-25 18:22:13 +07:00
Makefile
fix: auto-detect native deps, skip nix-shell in Docker
2026-02-25 20:11:02 +07:00
README.md
chore: restructure README with required policy sections
2026-02-25 19:47:34 +07:00
REPO_POLICIES.md
chore: add REPO_POLICIES.md from prompts repo
2026-02-25 18:22:19 +07:00
TODO.md
Add WebP encoding support
2026-01-08 11:55:45 -08:00

README.md

pixa

pixa is a GPL-3.0-licensed Go web server by @sneak that proxies images from upstream sources, optionally resizing or transforming them, and serves the results. Both source and transformed images are cached to disk so that subsequent requests are served without origin fetches or additional processing.

Getting Started

# clone and build
git clone https://git.eeqj.de/sneak/pixa.git
cd pixa
make build

# run with a config file
./bin/pixad --config config.example.yml

# or build and run via Docker
make docker
docker run -p 8080:8080 pixad:latest

Rationale

Image-heavy web applications need a fast, caching reverse proxy that can resize and transcode images on the fly. pixa fills that role as a single, self-contained binary with no external runtime dependencies beyond libvips. It supports HMAC-SHA256 signed URLs with expiration to prevent abuse, and whitelisted source hosts for open access.

Design

Storage

  • Source content: <statedir>/cache/src-content/<ab>/<cd>/<sha256 of source content>
  • Source metadata: <statedir>/cache/src-metadata/<hostname>/<sha256 of path>.json (fetch time, original headers, request, content hash)
  • Database: <statedir>/state.sqlite3 (SQLite)
  • Output documents: <statedir>/cache/dst-content/<ab>/<cd>/<sha256 of output content>

Multiple source paths may reference the same content blob; the database tracks references rather than using filesystem refcounting. In-process caching of request-to-output mappings targets 1-5k r/s.

Routes

/v1/image/<host>/<path>/<size>.<format>?sig=<signature>&exp=<expiration>

Images are only fetched from origins using TLS with valid certificates.

  • <format>: one of orig, png, jpeg, webp
  • <size>: orig or <width>x<height> (e.g. 800x600)

Source Hosts

Source hosts may be whitelisted in the configuration. Non-whitelisted hosts require an HMAC-SHA256 signature.

Signature Specification

Signatures use HMAC-SHA256 and include an expiration timestamp to prevent replay attacks.

Signed data format (colon-separated):

HMAC-SHA256(secret, "host:path:query:width:height:format:expiration")

Where:

  • host — source origin hostname (e.g. cdn.example.com)
  • path — source path (e.g. /photos/cat.jpg)
  • query — source query string, empty string if none
  • width — requested width in pixels, 0 for original
  • height — requested height in pixels, 0 for original
  • format — output format (jpeg, png, webp, avif, gif, orig)
  • expiration — Unix timestamp when signature expires

Example: resize https://cdn.example.com/photos/cat.jpg to 800x600 WebP with expiration 1704067200:

  1. Build input: cdn.example.com:/photos/cat.jpg::800:600:webp:1704067200
  2. Compute HMAC-SHA256 with your secret key
  3. Base64URL-encode the result
  4. URL: /v1/image/cdn.example.com/photos/cat.jpg/800x600.webp?sig=<base64url>&exp=1704067200

Whitelist patterns:

  • Exact match: cdn.example.com — matches only that host
  • Suffix match: .example.com — matches cdn.example.com, images.example.com, and example.com

Configuration

Configured via YAML file (--config). Key settings:

  • access_control_allow_origin — CORS origin
  • source_host_whitelist — list of allowed upstream hosts
  • upstream_fetch_timeout — timeout for origin requests
  • upstream_max_response_size — max origin response size
  • downstream_timeout — client response timeout
  • signing_key — HMAC secret for URL signatures

See config.example.yml for all options with defaults.

Architecture

  • Dependency injection: Uber fx
  • HTTP router: go-chi
  • Image processing: govips (CGO wrapper for libvips)
  • Database: SQLite via modernc.org/sqlite
  • Static assets: embedded via //go:embed
  • Metrics: Prometheus
  • Logging: stdlib slog

TODO

See TODO.md for the full prioritized task list.

License

GPL-3.0. See LICENSE.

Author

@sneak

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 3.4 MiB
Languages
Go 92.9%
HTML 3.9%
Shell 1.7%
Makefile 0.8%
Dockerfile 0.7%