BunkerWeb is an open-source next-generation web application firewall
(WAF) and security platform designed to protect and manage web services.
It provides integrated security features such as request filtering,
rate limiting, TLS management, GeoIP support and a web management
interface.
As this is a newly introduced port, users are encouraged to validate
their deployment before using it in production environments.
WWW: https://github.com/bunkerity/bunkerweb
Sponsored by: Netzkommune GmbH
- Create a ttrssd user and group to run ttrssd.
- Move log file to /var/log/tt-rss directorie.
- Move pid files to /var/run/tt-rss directorie.
- Move on disk data to /var/tt-rss/.
PR: 282245
Approved by: maintainer
Differential Revision: https://reviews.freebsd.org/D49128
www/zoraxy: Add Zoraxy reverse proxy
Zoraxy is a general-purpose HTTP reverse proxy and forwarding tool
written in Go. It provides a web-based interface for managing
reverse proxy rules, routing, and access control.
Features:
- Web-based management interface
- Reverse proxy and forwarding capabilities
- Plugin support
- Lightweight and self-contained (no external web server required)
WWW: https://github.com/tobychui/zoraxy
Sponsored by: Netzkommune GmbH
* Take MAINTAINERSHIP.
* Pet portclippy/portfmt.
* Run garage as a unprivileged user.
* Create a sample configuration file to use /var/db/garage as default
meta and data directory.
* Add DOCS option.
* Fix pkg-message formatting.
ChangeLog: https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v2.2.0
PR: 293011
Reported by: yds@Necessitu.de
Approved by: ashish@ (email)
Vinyl Cache, formerly known as Varnish Cache, is a web application accelerator
also known as a caching HTTP reverse proxy. You install it in front of any
server that speaks HTTP and configure it to cache the contents. Vinyl Cache is
really, really fast. It typically speeds up delivery by a factor of 300-1000x,
depending on your architecture.
Documentation and additional information about vinyl is available on
https://vinyl-cache.org/docs/index.html
Technical questions about vinyl and this release should be addressed
to <vinyl-dev@vinyl-cache.org>
An automated scanning tool that bridges media organizers
such as Sonarr and Radarr with media servers
such as Plex and Jellyfin.
The goal is to provide a simple, efficient, and reliable way to update
your media library reducing full library scans.
A key feature is the ability to provide a hash of the file to the API,
which will then wait for the file to match that hash before updating targets.
Another benefit over autoscan is support for PostgreSQL as backend.
WWW: https://github.com/dan-online/autopulse
PR: 282175
mtail is a tool for extracting metrics from application logs to be
exported into a timeseries database or timeseries calculator for
alerting and dashboarding.
It fills a monitoring niche by being the glue between applications that
do not export their own internal state (other than via logs) and
existing monitoring systems, such that system operators do not need to
patch those applications to instrument them or writing custom extraction
code for every such application.
opkssh is a tool which enables ssh to be used with OpenID Connect
allowing SSH access to be managed via identities like alice@example.com
instead of long-lived SSH keys. It does not replace SSH, but instead
generates SSH public keys containing PK Tokens and configures sshd
to verify them. These PK Tokens contain standard OpenID Connect ID
Tokens. This protocol builds on the OpenPubkey which adds user
public keys to OpenID Connect without breaking compatibility with
existing OpenID Provider.
Stalwart Mail Server is an open-source mail server solution with
JMAP, IMAP4, POP3, and SMTP support and a wide range of modern
features. It is written in Rust and designed to be secure, fast,
robust and scalable.
WWW: https://stalw.art/
PR: 286326
Submitted by: Orville Song <orville@anislet.dev>
Cascade is a purpose-built, standalone DNSSEC signer, shaped by the
real-world demands of TLD operators. People for whom safety, stability
and speed aren’t features — they’re the foundation.
WWW: https://github.com/NLnetLabs/cascade
Unpackerr is an application that runs on Windows, macOS, Linux, FreeBSD
and in Docker. You can use it to watch a download folder and extract new
items. The more common use is to watch starr apps (radarr, sonarr,
readarr, lidarr, whisparr) and extract items they download. It can do
both, at the same time even.
WWW: https://unpackerr.zip
Readur is a powerful, modern document management system built with
Rust and React. Readur provides intelligent document processing
with OCR capabilities, full-text search, and a beautiful web interface
designed for 2026 tech standards.
Approved by: acm (mentor)
HomeBox is the inventory and organization system built for the Home
User! With a focus on simplicity and ease of use, Homebox is the
perfect solution for your home inventory, organization, and management
needs. While developing this project, I've tried to keep the following
principles in mind:
- Simple - Homebox is designed to be simple and easy to use. No
complicated setup or configuration required. Use either a single
docker container, or deploy yourself by compiling the binary for
your platform of choice.
- Blazingly Fast - Homebox is written in Go, which makes it extremely
fast and requires minimal resources to deploy. In general, idle
memory usage is less than 50MB for the whole container.
- Portable - Homebox is designed to be portable and run on anywhere.
We use SQLite and an embedded Web UI to make it easy to deploy,
use, and backup.
Approved by: acm (mentor)
Healthchecks is a cron job monitoring service. It listens for HTTP
requests and email messages ("pings") from your cron jobs and
scheduled tasks ("checks"). When a ping does not arrive on time,
Healthchecks sends out alerts.
Healthchecks comes with a web dashboard, API, 25+ integrations for
delivering notifications, monthly email reports, WebAuthn 2FA
support, team management features: projects, team members, read-only
access.
Approved by: acm (mentor)
- Add dedicated beam user (UID/GID 372) for non-root execution
- Use daemon(8) for epmd process supervision and auto-restart
This addresses security concerns with epmd running as root by
providing privilege separation and automatic restart capability.
PR: 213001
Reviewed by: dch
Differential Revision: https://reviews.freebsd.org/D50874
Tinyauth is a simple authentication middleware that adds a simple
login screen or OAuth with Google, Github and any provider to all
of your docker apps. It supports all the popular proxies like
Traefik, Nginx and Caddy.
Approved by: acm (mentor)
Pocket ID is a simple OIDC provider that allows users to authenticate
with their passkeys to your services.
The goal of Pocket ID is to be a simple and easy-to-use. There are
other self-hosted OIDC providers like Keycloak or ORY Hydra but
they are often too complex for simple use cases.
Additionally, what makes Pocket ID special is that it only supports
passkey authentication, which means you don't need a password. Some
people might not like this idea at first, but I believe passkeys
are the future, and once you try them, you'll love them. For example,
you can now use a physical Yubikey to sign in to all your self-hosted
services easily and securely
Approved by: acm (mentor)
File Browser provides a file managing interface within a specified
directory and it can be used to upload, delete, preview, rename and
edit your files. It allows the creation of multiple users and each
user can have its own directory. It can be used as a standalone
app.
Approved by: acm (mentor)
tlsrpt-reporter is a TLSRPT reporting service for SMTP TLS Reporting
as defined in RFC 8460. It receives TLSRPT datagrams from a MTA,
collects them, creates a report in conformance with the TLSRPT
Reporting Schema and finally delivers the report either via SMTP,
indirectly by submitting it to a local MTA which ultimately will be
responsible for delivering the report, or directly via HTTP POST.
PR: 285012
Reported by: Yusuf Yaman
- Assign UID and GIT to neo4j (both 369)
- Instruct neo4j to run as neo4j user
- Move config directory to PREFIX/etc/neo4j
- Move certificates base directory to PREFIX/etc/neo4j/certificates
- Move data directory to /var/db/neo4j/data
- Move metrics directory to /var/db/neo4j/metrics
- Move import directory to /var/db/neo4j/import
- Fix rc.d script accordingly
Partially based on information from [1] and [2]
PR: 268526 [1]
PR: 228532 [2]
Sponsored by: resulta.sk
Software Supply Chain Transparency Log
Rekor's goals are to provide an immutable tamper resistant ledger of
metadata generated within a software projects supply chain. Rekor will
enable software maintainers and build systems to record signed metadata
to an immutable record. Other parties can then query said metadata to
enable them to make informed decisions on trust and non-repudiation of
an object's lifecycle.
The Rekor project provides a restful API based server for validation and
a transparency log for storage. A CLI application is available to make
and verify entries, query the transparency log for inclusion proof,
integrity verification of the transparency log or retrieval of entries
by either public key or artifact.
Rekor fulfils the signature transparency role of sigstore's software
signing infrastructure. However, Rekor can be run on its own and is
designed to be extensible to working with different manifest schemas and
PKI tooling.
WWW: https://www.sigstore.dev/
Service for issuing RFC 3161 timestamps
Trusted timestamping is a process that has been around for some time. It
provides a timestamp record of when a document was created or modified.
A timestamp authority creates signed timestamps using public key
infrastructure. The operator of the timestamp authority must secure the
signing key material to prevent unauthorized timestamp signing.
A timestamp authority should also verify its own clock. We provide a
configuration to periodically check the current time against well-known
NTP sources.
WWW: https://sigstore.dev/
General transparency
Trillian is an implementation of the concepts described in the
Verifiable Data Structures white paper, which in turn is an extension
and generalisation of the ideas which underpin Certificate Transparency.
Trillian implements a Merkle tree whose contents are served from a data
storage layer, to allow scalability to extremely large trees. On top of
this Merkle tree, Trillian provides the following:
- An append-only Log mode, analogous to the original Certificate
Transparency logs. In this mode, the Merkle tree is effectively filled
up from the left, giving a dense Merkle tree.
Note that Trillian requires particular applications to provide their own
personalities on top of the core transparent data store functionality.
WWW: https://github.com/google/trillian
An easy to set up and use SSH honeypot, a fake SSH server that lets anyone in
and logs their activity. sshesame accepts and logs SSH connections and activity
(channels, requests), without doing anything on the host (e.g. executing
commands, making network requests).
renterd is an advanced Sia renter engineered by the Sia
Foundation. Designed to cater to both casual users seeking
straightforward data storage and developers requiring a robust API for
building apps on Sia.
hostd is an advanced Sia host solution created by the Sia Foundation,
designed to enhance the experience for storage providers within the
Sia network. Tailored for both individual and large-scale storage
providers, hostd boasts a user-friendly interface and a robust API,
empowering providers to efficiently manage their storage resources and
revenue. hostd incorporates an embedded web-UI, simplifying deployment
and enabling remote management capabilities, ensuring a smooth user
experience across a diverse range of devices.
walletd is the flagship Sia wallet, suitable for miners, exchanges,
and everyday hodlers. Its client-server architecture gives you the
flexibility to access your funds from anywhere, on any device, without
compromising the security of your private keys. The server is
agnostic, so you can derive those keys from a 12-word seed phrase, a
legacy (siad) 28-word phrase, a Ledger hardware wallet, or another
preferred method. Like other Foundation node software, walletd ships
with a slick embedded UI, but developers can easily build headless
integrations leveraging its powerful JSON API. Whether you're using a
single address or millions, walletd scales to your needs.
WWW: https://sia.tech/software/hostd
WWW: https://sia.tech/software/renterd
WWW: https://sia.tech/software/walletd
PR: 285367
un-break arm64 by installing both esbuild arches
- stop lang/go from fetching newer toolchains during build
- pet port with portfmt & portclippy, fix pkg-plist
run under non-root user by default
- add UID, GID for opengist user
- amend rc script to support user
PR: 285179
Reviewed by: fox
Sponsored by: SkunkWerks, GmbH
Remove rpicamera support, patch obtained from Alpine Linux
MediaMTX is a ready-to-use and zero-dependency real-time media server and
media proxy that allows to publish, read, proxy, record and playback video and
audio streams. It supports multiple protocols such as SRT, WebRTC, RTSP, RTMP,
HLS, UDP/MPEG-TS and also able to record and serve media on demand.
WWW: https://github.com/bluenviron/mediamtx
Source:
https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/79233
Jochen Neumeister