first commit

scripts/Dockerfile

@@ -0,0 +1,56 @@
+FROM --platform=$BUILDPLATFORM golang:1.25.7-alpine AS backend
+WORKDIR /backend-build
+
+# Install build dependencies
+RUN apk add --no-cache git ca-certificates
+
+# Copy go mod files and download dependencies (cached layer)
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+
+# Copy source code (use .dockerignore to exclude unnecessary files)
+COPY . .
+
+# Please build frontend first, so that the static files are available.
+# Refer to `pnpm release` in package.json for the build command.
+ARG TARGETOS TARGETARCH VERSION COMMIT
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
+    go build \
+      -trimpath \
+      -ldflags="-s -w -extldflags '-static'" \
+      -tags netgo,osusergo \
+      -o memos \
+      ./cmd/memos
+
+# Use minimal Alpine with security updates
+FROM alpine:3.21 AS monolithic
+
+# Install runtime dependencies and create non-root user in single layer
+RUN apk add --no-cache tzdata ca-certificates su-exec && \
+    addgroup -g 10001 -S nonroot && \
+    adduser -u 10001 -S -G nonroot -h /var/opt/memos nonroot && \
+    mkdir -p /var/opt/memos /usr/local/memos && \
+    chown -R nonroot:nonroot /var/opt/memos
+
+# Copy binary and entrypoint to /usr/local/memos
+COPY --from=backend /backend-build/memos /usr/local/memos/memos
+COPY --from=backend --chmod=755 /backend-build/scripts/entrypoint.sh /usr/local/memos/entrypoint.sh
+
+# Run as root to fix permissions, entrypoint will drop to nonroot
+USER root
+
+# Set working directory to the writable volume
+WORKDIR /var/opt/memos
+
+# Data directory
+VOLUME /var/opt/memos
+
+ENV TZ="UTC" \
+    MEMOS_PORT="5230"
+
+EXPOSE 5230
+
+ENTRYPOINT ["/usr/local/memos/entrypoint.sh", "/usr/local/memos/memos"]

scripts/build-arm.sh

@@ -0,0 +1,134 @@
+#!/bin/bash
+
+set -e
+
+# Change to repo root
+cd "$(dirname "$0")/../"
+
+# Default values
+TARGET_OS="linux"
+TARGET_ARCH=""
+OUTPUT_DIR="./build"
+BUILD_TAGS=""
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --arch)
+            TARGET_ARCH="$2"
+            shift 2
+            ;;
+        --os)
+            TARGET_OS="$2"
+            shift 2
+            ;;
+        --output)
+            OUTPUT_DIR="$2"
+            shift 2
+            ;;
+        --tags)
+            BUILD_TAGS="$2"
+            shift 2
+            ;;
+        --help|-h)
+            echo "Usage: $0 [OPTIONS]"
+            echo "Build Memos for ARM architecture"
+            echo ""
+            echo "Options:"
+            echo "  --arch ARCH     Target architecture (arm, arm64, etc.)"
+            echo "  --os OS         Target OS (linux, darwin, windows, etc.)"
+            echo "  --output DIR    Output directory (default: ./build)"
+            echo "  --tags TAGS     Build tags to use"
+            echo "  --help          Show this help message"
+            echo ""
+            echo "Examples:"
+            echo "  $0 --arch arm64 --os linux"
+            echo "  $0 --arch arm --os linux"
+            echo "  $0 --arch arm64 --os darwin"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+done
+
+# Validate required parameters
+if [ -z "$TARGET_ARCH" ]; then
+    echo "Error: --arch is required"
+    echo "Supported architectures: arm, arm64"
+    exit 1
+fi
+
+# Set output filename based on target
+case "$TARGET_OS-$TARGET_ARCH" in
+    linux-arm)
+        OUTPUT_NAME="memos-linux-arm"
+        ;;
+    linux-arm64)
+        OUTPUT_NAME="memos-linux-arm64"
+        ;;
+    darwin-arm64)
+        OUTPUT_NAME="memos-darwin-arm64"
+        ;;
+    windows-arm64)
+        OUTPUT_NAME="memos-windows-arm64.exe"
+        ;;
+    *)
+        OUTPUT_NAME="memos-$TARGET_OS-$TARGET_ARCH"
+        ;;
+esac
+
+OUTPUT_PATH="$OUTPUT_DIR/$OUTPUT_NAME"
+
+echo "Building Memos for $TARGET_OS/$TARGET_ARCH..."
+echo "Output: $OUTPUT_PATH"
+
+# Ensure build directories exist
+mkdir -p "$OUTPUT_DIR"
+mkdir -p "$OUTPUT_DIR/.gocache"
+mkdir -p "$OUTPUT_DIR/.gomodcache"
+
+# Set Go environment variables for cross-compilation
+export GOOS="$TARGET_OS"
+export GOARCH="$TARGET_ARCH"
+export GOCACHE="$(pwd)/$OUTPUT_DIR/.gocache"
+export GOMODCACHE="$(pwd)/$OUTPUT_DIR/.gomodcache"
+export CGO_ENABLED=0  # Disable CGO for pure Go build
+
+# Build flags
+BUILD_FLAGS="-o $OUTPUT_PATH"
+if [ -n "$BUILD_TAGS" ]; then
+    BUILD_FLAGS="$BUILD_FLAGS -tags $BUILD_TAGS"
+fi
+
+# Add ldflags for smaller binary (disabled due to quoting issues)
+# BUILD_FLAGS="$BUILD_FLAGS -ldflags \"-s -w\""
+
+echo "GOOS=$GOOS GOARCH=$GOARCH CGO_ENABLED=$CGO_ENABLED"
+echo "Build flags: $BUILD_FLAGS"
+
+# Build the executable
+go build $BUILD_FLAGS ./cmd/memos
+
+# Verify the build
+if [ -f "$OUTPUT_PATH" ]; then
+    echo "Build successful!"
+    echo "Binary size: $(du -h "$OUTPUT_PATH" | cut -f1)"
+    echo "File type: $(file "$OUTPUT_PATH")"
+    
+    # Show checksum
+    if command -v sha256sum >/dev/null 2>&1; then
+        echo "SHA256: $(sha256sum "$OUTPUT_PATH" | cut -d' ' -f1)"
+    fi
+    
+    echo ""
+    echo "To run on target system:"
+    echo "  scp $OUTPUT_PATH user@target:/path/to/memos"
+    echo "  chmod +x /path/to/memos/$OUTPUT_NAME"
+    echo "  /path/to/memos/$OUTPUT_NAME --port 8081"
+else
+    echo "Build failed: Output file not found"
+    exit 1
+fi

scripts/build-embedded.sh

@@ -0,0 +1,173 @@
+#!/bin/bash
+
+set -e
+
+# Change to repo root
+cd "$(dirname "$0")/../"
+
+# Default values
+TARGET_OS=""
+TARGET_ARCH=""
+OUTPUT_NAME="memos"
+OUTPUT_DIR="./build"
+BUILD_TAGS=""
+EMBED_FRONTEND=true
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --arch)
+            TARGET_ARCH="$2"
+            shift 2
+            ;;
+        --os)
+            TARGET_OS="$2"
+            shift 2
+            ;;
+        --output)
+            OUTPUT_DIR="$2"
+            shift 2
+            ;;
+        --name)
+            OUTPUT_NAME="$2"
+            shift 2
+            ;;
+        --tags)
+            BUILD_TAGS="$2"
+            shift 2
+            ;;
+        --no-frontend)
+            EMBED_FRONTEND=false
+            shift 1
+            ;;
+        --help|-h)
+            echo "Usage: $0 [OPTIONS]"
+            echo "Build Memos with embedded frontend"
+            echo ""
+            echo "Options:"
+            echo "  --arch ARCH        Target architecture (arm, arm64, amd64, etc.)"
+            echo "  --os OS            Target OS (linux, darwin, windows, etc.)"
+            echo "  --output DIR       Output directory (default: ./build)"
+            echo "  --name NAME        Output binary name (default: memos)"
+            echo "  --tags TAGS        Build tags to use"
+            echo "  --no-frontend      Build without embedding frontend"
+            echo "  --help             Show this help message"
+            echo ""
+            echo "Examples:"
+            echo "  $0                          # Build for current platform with embedded frontend"
+            echo "  $0 --arch arm64 --os linux  # Cross-compile for ARM64 Linux"
+            echo "  $0 --no-frontend            # Build backend only"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+done
+
+# Set output path
+if [ -n "$TARGET_OS" ] && [ -n "$TARGET_ARCH" ]; then
+    OUTPUT_PATH="$OUTPUT_DIR/${OUTPUT_NAME}-${TARGET_OS}-${TARGET_ARCH}"
+    if [ "$TARGET_OS" = "windows" ]; then
+        OUTPUT_PATH="${OUTPUT_PATH}.exe"
+    fi
+else
+    OUTPUT_PATH="$OUTPUT_DIR/$OUTPUT_NAME"
+    if [ "$(uname -s)" = "Windows_NT" ] || [ "${OSTYPE:-}" = "msys" ]; then
+        OUTPUT_PATH="${OUTPUT_PATH}.exe"
+    fi
+fi
+
+echo "Building Memos..."
+if [ "$EMBED_FRONTEND" = true ]; then
+    echo "With embedded frontend"
+else
+    echo "Backend only (no frontend)"
+fi
+
+if [ -n "$TARGET_OS" ] && [ -n "$TARGET_ARCH" ]; then
+    echo "Target: $TARGET_OS/$TARGET_ARCH"
+fi
+echo "Output: $OUTPUT_PATH"
+
+# Ensure build directories exist
+mkdir -p "$OUTPUT_DIR"
+mkdir -p "$OUTPUT_DIR/.gocache"
+mkdir -p "$OUTPUT_DIR/.gomodcache"
+
+# Set Go environment variables
+export GOCACHE="$(pwd)/$OUTPUT_DIR/.gocache"
+export GOMODCACHE="$(pwd)/$OUTPUT_DIR/.gomodcache"
+
+BUILD_ENV=""
+if [ -n "$TARGET_OS" ]; then
+    BUILD_ENV="$BUILD_ENV GOOS=$TARGET_OS"
+fi
+if [ -n "$TARGET_ARCH" ]; then
+    BUILD_ENV="$BUILD_ENV GOARCH=$TARGET_ARCH"
+fi
+BUILD_ENV="$BUILD_ENV CGO_ENABLED=0"
+
+# Build flags
+BUILD_FLAGS="-o $OUTPUT_PATH"
+if [ -n "$BUILD_TAGS" ]; then
+    BUILD_FLAGS="$BUILD_FLAGS -tags $BUILD_TAGS"
+fi
+BUILD_FLAGS="$BUILD_FLAGS -ldflags '-s -w'"
+
+echo "Build environment: $BUILD_ENV"
+echo "Build flags: $BUILD_FLAGS"
+
+# Build frontend if requested
+if [ "$EMBED_FRONTEND" = true ]; then
+    echo "Building frontend..."
+    
+    # Check if pnpm is available
+    if ! command -v pnpm >/dev/null 2>&1; then
+        echo "Error: pnpm not found. Please install pnpm first."
+        echo "Install with: npm install -g pnpm"
+        exit 1
+    fi
+    
+    # Build frontend
+    cd web
+    pnpm build
+    cd ..
+    
+    echo "Copying frontend assets..."
+    
+    # Remove old embedded files
+    rm -rf server/router/frontend/dist
+    
+    # Copy new build to embedded location
+    cp -r web/dist server/router/frontend/dist
+    
+    echo "Frontend embedded successfully"
+fi
+
+# Build the Go executable
+echo "Building Go backend..."
+eval "$BUILD_ENV go build $BUILD_FLAGS ./cmd/memos"
+
+# Verify the build
+if [ -f "$OUTPUT_PATH" ]; then
+    echo "Build successful!"
+    echo "Binary size: $(du -h "$OUTPUT_PATH" | cut -f1)"
+    
+    if [ -n "$TARGET_OS" ] && [ -n "$TARGET_ARCH" ]; then
+        echo "File type: $(file "$OUTPUT_PATH")"
+    fi
+    
+    # Show checksum
+    if command -v sha256sum >/dev/null 2>&1; then
+        echo "SHA256: $(sha256sum "$OUTPUT_PATH" | cut -d' ' -f1)"
+    fi
+    
+    echo ""
+    echo "To run:"
+    echo "  $OUTPUT_PATH --port 8081"
+else
+    echo "Build failed: Output file not found"
+    exit 1
+fi

scripts/build.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -e
+
+# Change to repo root
+cd "$(dirname "$0")/../"
+
+OS=$(uname -s)
+
+# Determine output binary name
+case "$OS" in
+  *CYGWIN*|*MINGW*|*MSYS*)
+    OUTPUT="./build/memos.exe"
+    ;;
+  *)
+    OUTPUT="./build/memos"
+    ;;
+esac
+
+echo "Building for $OS..."
+
+# Ensure build directories exist and configure a writable Go build cache
+mkdir -p ./build/.gocache ./build/.gomodcache
+export GOCACHE="$(pwd)/build/.gocache"
+export GOMODCACHE="$(pwd)/build/.gomodcache"
+
+# Build the executable
+go build -o "$OUTPUT" ./cmd/memos
+
+echo "Build successful!"
+echo "To run the application, execute the following command:"
+echo "$OUTPUT"

scripts/compose.yaml

@@ -0,0 +1,12 @@
+services:
+  memos:
+    image: neosmemo/memos:stable
+    container_name: memos
+    dns:
+      - 8.8.8.8
+      - 8.8.4.4
+      - 1.1.1.1
+    volumes:
+      - ~/.memos/:/var/opt/memos
+    ports:
+      - 5230:5230

scripts/entrypoint.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env sh
+
+# Fix ownership of data directory for users upgrading from older versions
+# where files were created as root
+MEMOS_UID=${MEMOS_UID:-10001}
+MEMOS_GID=${MEMOS_GID:-10001}
+DATA_DIR="/var/opt/memos"
+
+if [ "$(id -u)" = "0" ]; then
+    # Running as root, fix permissions and drop to nonroot
+    if [ -d "$DATA_DIR" ]; then
+        chown -R "$MEMOS_UID:$MEMOS_GID" "$DATA_DIR" 2>/dev/null || true
+    fi
+    exec su-exec "$MEMOS_UID:$MEMOS_GID" "$0" "$@"
+fi
+
+file_env() {
+   var="$1"
+   fileVar="${var}_FILE"
+
+   val_var="$(printenv "$var")"
+   val_fileVar="$(printenv "$fileVar")"
+
+   if [ -n "$val_var" ] && [ -n "$val_fileVar" ]; then
+      echo "error: both $var and $fileVar are set (but are exclusive)" >&2
+      exit 1
+   fi
+
+   if [ -n "$val_var" ]; then
+      val="$val_var"
+   elif [ -n "$val_fileVar" ]; then
+      if [ ! -r "$val_fileVar" ]; then
+         echo "error: file '$val_fileVar' does not exist or is not readable" >&2
+         exit 1
+      fi
+      val="$(cat "$val_fileVar")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+file_env "MEMOS_DSN"
+
+exec "$@"

scripts/entrypoint_test.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env sh
+
+# Test script for entrypoint.sh file_env function
+# Run: ./scripts/entrypoint_test.sh
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+TEMP_DIR=$(mktemp -d)
+trap "rm -rf $TEMP_DIR" EXIT
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+pass_count=0
+fail_count=0
+
+pass() {
+    echo "${GREEN}PASS${NC}: $1"
+    pass_count=$((pass_count + 1))
+}
+
+fail() {
+    echo "${RED}FAIL${NC}: $1"
+    fail_count=$((fail_count + 1))
+}
+
+# Test 1: Direct env var works
+test_direct_env_var() {
+    unset MEMOS_DSN MEMOS_DSN_FILE
+    export MEMOS_DSN="direct_value"
+
+    result=$("$SCRIPT_DIR/entrypoint.sh" sh -c 'echo $MEMOS_DSN' 2>&1)
+    if [ "$result" = "direct_value" ]; then
+        pass "Direct env var works"
+    else
+        fail "Direct env var: expected 'direct_value', got '$result'"
+    fi
+    unset MEMOS_DSN
+}
+
+# Test 2: File env var works with readable file
+test_file_env_var_readable() {
+    unset MEMOS_DSN MEMOS_DSN_FILE
+    echo "file_value" > "$TEMP_DIR/dsn_file"
+    export MEMOS_DSN_FILE="$TEMP_DIR/dsn_file"
+
+    result=$("$SCRIPT_DIR/entrypoint.sh" sh -c 'echo $MEMOS_DSN' 2>&1)
+    if [ "$result" = "file_value" ]; then
+        pass "File env var with readable file works"
+    else
+        fail "File env var readable: expected 'file_value', got '$result'"
+    fi
+    unset MEMOS_DSN_FILE
+}
+
+# Test 3: Error when file doesn't exist
+test_file_env_var_missing() {
+    unset MEMOS_DSN MEMOS_DSN_FILE
+    export MEMOS_DSN_FILE="$TEMP_DIR/nonexistent_file"
+
+    if result=$("$SCRIPT_DIR/entrypoint.sh" sh -c 'echo $MEMOS_DSN' 2>&1); then
+        fail "Missing file should fail, but succeeded with: $result"
+    else
+        if echo "$result" | grep -q "does not exist or is not readable"; then
+            pass "Missing file returns error"
+        else
+            fail "Missing file error message unexpected: $result"
+        fi
+    fi
+    unset MEMOS_DSN_FILE
+}
+
+# Test 4: Error when file is not readable
+test_file_env_var_unreadable() {
+    unset MEMOS_DSN MEMOS_DSN_FILE
+    echo "secret" > "$TEMP_DIR/unreadable_file"
+    chmod 000 "$TEMP_DIR/unreadable_file"
+    export MEMOS_DSN_FILE="$TEMP_DIR/unreadable_file"
+
+    if result=$("$SCRIPT_DIR/entrypoint.sh" sh -c 'echo $MEMOS_DSN' 2>&1); then
+        fail "Unreadable file should fail, but succeeded with: $result"
+    else
+        if echo "$result" | grep -q "does not exist or is not readable"; then
+            pass "Unreadable file returns error"
+        else
+            fail "Unreadable file error message unexpected: $result"
+        fi
+    fi
+    chmod 644 "$TEMP_DIR/unreadable_file" 2>/dev/null || true
+    unset MEMOS_DSN_FILE
+}
+
+# Test 5: Error when both var and file are set
+test_both_set_error() {
+    unset MEMOS_DSN MEMOS_DSN_FILE
+    echo "file_value" > "$TEMP_DIR/dsn_file"
+    export MEMOS_DSN="direct_value"
+    export MEMOS_DSN_FILE="$TEMP_DIR/dsn_file"
+
+    if result=$("$SCRIPT_DIR/entrypoint.sh" sh -c 'echo $MEMOS_DSN' 2>&1); then
+        fail "Both set should fail, but succeeded with: $result"
+    else
+        if echo "$result" | grep -q "are set (but are exclusive)"; then
+            pass "Both var and file set returns error"
+        else
+            fail "Both set error message unexpected: $result"
+        fi
+    fi
+    unset MEMOS_DSN MEMOS_DSN_FILE
+}
+
+# Run all tests
+echo "Running entrypoint.sh tests..."
+echo "================================"
+
+test_direct_env_var
+test_file_env_var_readable
+test_file_env_var_missing
+test_file_env_var_unreadable
+test_both_set_error
+
+echo "================================"
+echo "Tests completed: ${GREEN}$pass_count passed${NC}, ${RED}$fail_count failed${NC}"
+
+if [ $fail_count -gt 0 ]; then
+    exit 1
+fi
+exit 0