upgrade and update patch

2025-11-08 17:15:14 -05:00
parent 0d0cb5a5fa 6060b4d3aa
commit 60d0a268e2
6 changed files with 263 additions and 253 deletions
--- a/modded.patch
+++ b/modded.patch
@@ -1,24 +1,26 @@
 diff --git a/example/config.yaml b/example/config.yaml
-index 17a57b857..bf645a364 100644
+index bf6be2573..a0b11392c 100644
 --- a/example/config.yaml
 +++ b/example/config.yaml
-@@ -105,13 +105,13 @@ account-domain: ""
+@@ -118,7 +118,7 @@ account-domain: ""
 protocol: "https"
 
- # String. Address to bind the GoToSocial server to.
-# This can be an IPv4 address or an IPv6 address (surrounded in square brackets), or a hostname.
-+# This can be an IPv4 address or an IPv6 address (surrounded in square brackets), or a hostname or unix socket
+ # String. Address to bind the GoToSocial HTTP server to.
+-# This can be an IPv4 address, an IPv6 address, or a hostname.
+# This can be an IPv4 address, an IPv6 address, or a hostname. or unix socket
+ #
 # The default value will bind to all interfaces, which makes the server
- # accessible by other machines. For most setups there is no need to change this.
- # If you are using GoToSocial in a reverse proxy setup with the proxy running on
- # the same machine, you will want to set this to "localhost" or an equivalent,
- # so that the proxy can't be bypassed.
-# Examples: ["0.0.0.0", "172.128.0.16", "localhost", "[::]", "[2001:db8::fed1]"]
-+# Examples: ["0.0.0.0", "172.128.0.16", "localhost", "[::]", "[2001:db8::fed1]", "unix//run/gts/sock]
+ # accessible by other machines. For most setups you won't need to change this.
+@@ -126,7 +126,7 @@ protocol: "https"
+ # running on the same machine, you may want to set this to "localhost" or equivalent,
+ # so that the proxy definitely can't be bypassed.
+ #
+-# Examples: ["0.0.0.0", "172.128.0.16", "localhost", "::1", "2001:db8::fed1"]
+# Examples: ["0.0.0.0", "172.128.0.16", "localhost", "::1", "2001:db8::fed1", "unix//run/gts/sock]
 # Default: "0.0.0.0"
 bind-address: "0.0.0.0"
 
-@@ -124,6 +124,13 @@ bind-address: "0.0.0.0"
+@@ -139,6 +139,13 @@ bind-address: "0.0.0.0"
 # Default: 8080
 port: 8080
 
@@ -32,77 +34,131 @@ index 17a57b857..bf645a364 100644
 # Array of string. CIDRs or IP addresses of proxies that should be trusted when determining real client IP from behind a reverse proxy.
 # If you're running inside a Docker container behind Traefik or Nginx, for example, add the subnet of your docker network,
 # or the gateway of the docker network, and/or the address of the reverse proxy (if it's not running on the host network).
-@@ -155,7 +162,7 @@ db-type: "postgres"
+@@ -170,7 +177,7 @@ db-type: "sqlite"
 # If address is set to :memory: then an in-memory database will be used (no file).
 # WARNING: :memory: should NOT BE USED except for testing purposes.
 #
 -# Examples: ["localhost","my.db.host","127.0.0.1","192.111.39.110",":memory:", "sqlite.db"]
 +# Examples: ["localhost","my.db.host","127.0.0.1","192.111.39.110",":memory:", "sqlite.db", "/run/postgresql/"]
 # Default: ""
- db-address: ""
+ db-address: "sqlite.db"
 
 diff --git a/go.mod b/go.mod
-index 4169208ed..60b3a1281 100644
+index baa5d5ad7..3f7374598 100644
 --- a/go.mod
 +++ b/go.mod
-@@ -74,6 +74,7 @@ require (
- 	github.com/uptrace/bun/extra/bunotel v1.2.11
+@@ -73,6 +73,7 @@ require (
+ 	github.com/uptrace/bun/extra/bunotel v1.2.15
 	github.com/wagslane/go-password-validator v0.3.0
- 	github.com/yuin/goldmark v1.7.11
-+	go.balki.me/anyhttp v0.5.0
- 	go.opentelemetry.io/otel v1.35.0
- 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0
- 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0
+ 	github.com/yuin/goldmark v1.7.13
+	go.balki.me/anyhttp v0.5.2
+ 	go.opentelemetry.io/contrib/exporters/autoexport v0.63.0
+ 	go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0
+ 	go.opentelemetry.io/otel v1.38.0
 diff --git a/go.sum b/go.sum
-index 597cee716..532e99852 100644
+index 49451e55b..136678292 100644
 --- a/go.sum
 +++ b/go.sum
-@@ -489,6 +489,8 @@ github.com/yuin/goldmark v1.7.11 h1:ZCxLyDMtz0nT2HFfsYG8WZ47Trip2+JyLysKcMYE5bo=
- github.com/yuin/goldmark v1.7.11/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
- gitlab.com/NyaaaWhatsUpDoc/sqlite v1.37.0-concurrency-workaround h1:QbfrBqNKgAFSSK89fYf547vxDQuz8p6iJUzzAMrusNk=
- gitlab.com/NyaaaWhatsUpDoc/sqlite v1.37.0-concurrency-workaround/go.mod h1:5YiWv+YviqGMuGw4V+PNplcyaJ5v+vQd7TQOgkACoJM=
-+go.balki.me/anyhttp v0.5.0 h1:uys0oRciBpZfwtxXAevScKy6amIQBXyDrcV0EtGF5zo=
-+go.balki.me/anyhttp v0.5.0/go.mod h1:JhfekOIjgVODoVqUCficjpIgmB3wwlB7jhN0eN2EZ/s=
+@@ -505,6 +505,8 @@ github.com/yuin/goldmark v1.7.13 h1:GPddIs617DnBLFFVJFgpo1aBfe/4xcvMc3SB5t/D0pA=
+ github.com/yuin/goldmark v1.7.13/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
+ gitlab.com/NyaaaWhatsUpDoc/sqlite v1.39.1-concurrency-workaround h1:ptkkB4Z76pmpmLE7vmp5BVOfO5o5+Kt0eGFhNbvVxjA=
+ gitlab.com/NyaaaWhatsUpDoc/sqlite v1.39.1-concurrency-workaround/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
+go.balki.me/anyhttp v0.5.2 h1:et4tCDXLeXpWfMNvRKG7ojfrnlr3du7cEaG966MLSpA=
+go.balki.me/anyhttp v0.5.2/go.mod h1:JhfekOIjgVODoVqUCficjpIgmB3wwlB7jhN0eN2EZ/s=
 go.mongodb.org/mongo-driver v1.17.3 h1:TQyXhnsWfWtgAhMtOgtYHMTkZIfBTpMTsMnd9ZBeHxQ=
 go.mongodb.org/mongo-driver v1.17.3/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 diff --git a/internal/config/config.go b/internal/config/config.go
-index b9804d404..331d41139 100644
+index dfc919f11..b2cca1276 100644
 --- a/internal/config/config.go
 +++ b/internal/config/config.go
-@@ -58,6 +58,7 @@ type Configuration struct {
- 	BindAddress        string   `name:"bind-address" usage:"Bind address to use for the GoToSocial server (eg., 0.0.0.0, 172.138.0.9, [::], localhost). For ipv6, enclose the address in square brackets, eg [2001:db8::fed1]. Default binds to all interfaces."`
- 	Port               int      `name:"port" usage:"Port to use for GoToSocial. Change this to 443 if you're running the binary directly on the host machine."`
- 	TrustedProxies     []string `name:"trusted-proxies" usage:"Proxies to trust when parsing x-forwarded headers into real IPs."`
-+	TrustedPlatform    string   `name:"trusted-platform" usage:"HTTP header that contains the real client ip"`
- 	SoftwareVersion    string   `name:"software-version" usage:""`
- 
- 	DbType                     string        `name:"db-type" usage:"Database type: eg., postgres"`
-@@ -193,6 +194,8 @@ type Configuration struct {
- 	AdminMediaListRemoteOnly bool   `name:"remote-only" usage:"list only remote attachments/emojis; if specified then local-only cannot also be true"`
- 
- 	RequestIDHeader string `name:"request-id-header" usage:"Header to extract the Request ID from. Eg.,'X-Request-Id'."`
+@@ -54,13 +54,13 @@ func fieldtag(field, tag string) string {
+ // You will need to have gofumpt installed in order for this to work:
+ // https://github.com/mvdan/gofumpt.
+ type Configuration struct {
+-	LogLevel           string `name:"log-level" usage:"Log level to run at: [trace, debug, info, warn, fatal]"`
+-	LogFormat          string `name:"log-format" usage:"Log output format: [logfmt, json]"`
+-	LogTimestampFormat string `name:"log-timestamp-format" usage:"Format to use for the log timestamp, as supported by Go's time.Layout"`
+-	LogDbQueries       bool   `name:"log-db-queries" usage:"Log database queries verbosely when log-level is trace or debug"`
+-	LogClientIP        bool   `name:"log-client-ip" usage:"Include the client IP in logs"`
+-	RequestIDHeader    string `name:"request-id-header" usage:"Header to extract the Request ID from. Eg.,'X-Request-Id'."`
+-
+	LogLevel                   string        `name:"log-level" usage:"Log level to run at: [trace, debug, info, warn, fatal]"`
+	LogFormat                  string        `name:"log-format" usage:"Log output format: [logfmt, json]"`
+	LogTimestampFormat         string        `name:"log-timestamp-format" usage:"Format to use for the log timestamp, as supported by Go's time.Layout"`
+	LogDbQueries               bool          `name:"log-db-queries" usage:"Log database queries verbosely when log-level is trace or debug"`
+	LogClientIP                bool          `name:"log-client-ip" usage:"Include the client IP in logs"`
+	RequestIDHeader            string        `name:"request-id-header" usage:"Header to extract the Request ID from. Eg.,'X-Request-Id'."`
+	TrustedPlatform            string        `name:"trusted-platform" usage:"HTTP header that contains the real client ip"`
+ 	ConfigPath                 string        `name:"config-path" usage:"Path to a file containing gotosocial configuration. Values set in this file will be overwritten by values set as env vars or arguments"`
+ 	ApplicationName            string        `name:"application-name" usage:"Name of the application, used in various places internally"`
+ 	LandingPageUser            string        `name:"landing-page-user" usage:"the user that should be shown on the instance's landing page"`
+@@ -188,6 +188,9 @@ type Configuration struct {
+ 	AdminMediaListRemoteOnly bool   `name:"remote-only" usage:"list only remote attachments/emojis; if specified then local-only cannot also be true" ephemeral:"yes"`
+ 	TestrigSkipDBSetup       bool   `name:"skip-db-setup" usage:"skip testrig database setup with population of test models" ephemeral:"yes"`
+ 	TestrigSkipDBTeardown    bool   `name:"skip-db-teardown" usage:"skip testrig database teardown (i.e. data deletion and tables dropped)" ephemeral:"yes"`
 +
-+	KalaclistaAllowedUnauthorizedGet bool `name:"kalaclista-allowed-unauthorized-get" usage:"unlock AUTHOZIED_FETCH (aka Secure mode in Mastodon) mode."`
+	// for kalaclista-flavoured
+	KalaclistaTurnOffAuthorizedFetch bool `name:"kalaclista-turnoff-authorized-fetch" usage:"skip authorization if another instance message doesn't have httpsig"`
 }
 
 type HTTPClientConfiguration struct {
 diff --git a/internal/config/defaults.go b/internal/config/defaults.go
-index 57c64db44..c19864002 100644
+index a4996e5c6..695adbcb4 100644
 --- a/internal/config/defaults.go
 +++ b/internal/config/defaults.go
-@@ -234,4 +234,6 @@
+@@ -251,4 +251,7 @@
 	RequestIDHeader: "X-Request-Id",
 
 	LogClientIP: true,
 +
-+	KalaclistaAllowedUnauthorizedGet: false,
+	// for kalaclista-flavoured
+	KalaclistaTurnOffAuthorizedFetch: true,
 }
 diff --git a/internal/config/helpers.gen.go b/internal/config/helpers.gen.go
-index f063cbf93..cdb5a663f 100644
+index 217917bcf..e194e842e 100644
 --- a/internal/config/helpers.gen.go
 +++ b/internal/config/helpers.gen.go
-@@ -350,6 +350,31 @@ func GetTrustedProxies() []string { return global.GetTrustedProxies() }
+@@ -225,6 +225,7 @@
+ 	AdminMediaListRemoteOnlyFlag                   = "remote-only"
+ 	TestrigSkipDBSetupFlag                         = "skip-db-setup"
+ 	TestrigSkipDBTeardownFlag                      = "skip-db-teardown"
+	KalaclistaTurnOffAuthorizedFetchFlag           = "kalaclista-turnoff-authorized-fetch"
+ )
+ 
+ func (cfg *Configuration) RegisterFlags(flags *pflag.FlagSet) {
+@@ -415,6 +416,7 @@ func (cfg *Configuration) RegisterFlags(flags *pflag.FlagSet) {
+ 	flags.Float64("cache-mutes-mem-ratio", cfg.Cache.MutesMemRatio, "")
+ 	flags.Float64("cache-status-filter-mem-ratio", cfg.Cache.StatusFilterMemRatio, "")
+ 	flags.Float64("cache-visibility-mem-ratio", cfg.Cache.VisibilityMemRatio, "")
+	flags.Bool("kalaclista-turnoff-authorized-fetch", cfg.KalaclistaTurnOffAuthorizedFetch, "skip authorization if another instance message doesn't have httpsig")
+ }
+ 
+ func (cfg *Configuration) MarshalMap() map[string]any {
+@@ -615,6 +617,7 @@ func (cfg *Configuration) MarshalMap() map[string]any {
+ 	cfgmap["remote-only"] = cfg.AdminMediaListRemoteOnly
+ 	cfgmap["skip-db-setup"] = cfg.TestrigSkipDBSetup
+ 	cfgmap["skip-db-teardown"] = cfg.TestrigSkipDBTeardown
+	cfgmap["kalaclista-turnoff-authorized-fetch"] = cfg.KalaclistaTurnOffAuthorizedFetch
+ 	return cfgmap
+ }
+ 
+@@ -2226,6 +2229,14 @@ func (cfg *Configuration) UnmarshalMap(cfgmap map[string]any) error {
+ 		}
+ 	}
+ 
+	if ival, ok := cfgmap["kalaclista-turnoff-authorized-fetch"]; ok {
+		var err error
+		cfg.KalaclistaTurnOffAuthorizedFetch, err = cast.ToBoolE(ival)
+		if err != nil {
+			return fmt.Errorf("error casting %#v -> bool for 'kalaclista-turnoff-authorized-fetch': %w", ival, err)
+		}
+	}
+
+ 	return nil
+ }
+ 
+@@ -2559,6 +2570,31 @@ func GetTrustedProxies() []string { return global.GetTrustedProxies() }
 // SetTrustedProxies safely sets the value for global configuration 'TrustedProxies' field
 func SetTrustedProxies(v []string) { global.SetTrustedProxies(v) }
 
@@ -134,37 +190,37 @@ index f063cbf93..cdb5a663f 100644
 // GetSoftwareVersion safely fetches the Configuration value for state's 'SoftwareVersion' field
 func (st *ConfigState) GetSoftwareVersion() (v string) {
 	st.mutex.RLock()
-@@ -4681,3 +4706,28 @@ func GetRequestIDHeader() string { return global.GetRequestIDHeader() }
+@@ -6565,6 +6601,28 @@ func GetTestrigSkipDBTeardown() bool { return global.GetTestrigSkipDBTeardown()
+ // SetTestrigSkipDBTeardown safely sets the value for global configuration 'TestrigSkipDBTeardown' field
+ func SetTestrigSkipDBTeardown(v bool) { global.SetTestrigSkipDBTeardown(v) }
 
- // SetRequestIDHeader safely sets the value for global configuration 'RequestIDHeader' field
- func SetRequestIDHeader(v string) { global.SetRequestIDHeader(v) }
-+
-+// GetKalaclistaAllowedUnauthorizedGet safely fetches the Configuration value for state's 'KalaclistaAllowedUnauthorizedGet' field
-+func (st *ConfigState) GetKalaclistaAllowedUnauthorizedGet() (v bool) {
+// GetKalaclistaTurnOffAuthorizedFetch safely fetches the Configuration value for state's 'KalaclistaTurnOffAuthorizedFetch' field
+func (st *ConfigState) GetKalaclistaTurnOffAuthorizedFetch() (v bool) {
 +	st.mutex.RLock()
-+	v = st.config.KalaclistaAllowedUnauthorizedGet
+	v = st.config.KalaclistaTurnOffAuthorizedFetch
 +	st.mutex.RUnlock()
-+	return
+	return v
 +}
 +
-+// SetKalaclistaAllowedUnauthorizedGet safely sets the Configuration value for state's 'KalaclistaAllowedUnauthorizedGet' field
-+func (st *ConfigState) SetKalaclistaAllowedUnauthorizedGet(v bool) {
+// SetKalaclistaTurnOffAuthorizedFetch safely sets the Configuration value for state's 'KalaclistaTurnOffAuthorizedFetch' field
+func (st *ConfigState) SetKalaclistaTurnOffAuthorizedFetch(v bool) {
 +	st.mutex.Lock()
 +	defer st.mutex.Unlock()
-+	st.config.KalaclistaAllowedUnauthorizedGet = v
+	st.config.KalaclistaTurnOffAuthorizedFetch = v
 +	st.reloadToViper()
 +}
 +
-+// KalaclistaAllowedUnauthorizedGetFlag returns the flag name for the 'KalaclistaAllowedUnauthorizedGet' field
-+func KalaclistaAllowedUnauthorizedGetFlag() string { return "kalaclista-allowed-unauthorized-get" }
+// GetKalaclistaTurnOffAuthorizedFetch safely fetches the value for global configuration 'KalaclistaTurnOffAuthorizedFetch' field
+func GetKalaclistaTurnOffAuthorizedFetch() bool { return global.GetKalaclistaTurnOffAuthorizedFetch() }
 +
-+// GetKalaclistaAllowedUnauthorizedGet safely fetches the value for global configuration 'KalaclistaAllowedUnauthorizedGet' field
-+func GetKalaclistaAllowedUnauthorizedGet() bool { return global.GetKalaclistaAllowedUnauthorizedGet() }
+// SetKalaclistaTurnOffAuthorizedFetch safely sets the value for global configuration 'KalaclistaTurnOffAuthorizedFetch' field
+func SetKalaclistaTurnOffAuthorizedFetch(v bool) { global.SetKalaclistaTurnOffAuthorizedFetch(v) }
 +
-+// SetKalaclistaAllowedUnauthorizedGet safely sets the value for global configuration 'KalaclistaAllowedUnauthorizedGet' field
-+func SetKalaclistaAllowedUnauthorizedGet(v bool) { global.SetKalaclistaAllowedUnauthorizedGet(v) }
+ // GetTotalOfMemRatios safely fetches the combined value for all the state's mem ratio fields
+ func (st *ConfigState) GetTotalOfMemRatios() (total float64) {
+ 	st.mutex.RLock()
 diff --git a/internal/processing/fedi/common.go b/internal/processing/fedi/common.go
-index 9059aef39..6e9a22b59 100644
+index ff6ed6fd4..01b3037f1 100644
 --- a/internal/processing/fedi/common.go
 +++ b/internal/processing/fedi/common.go
@@ -20,8 +20,10 @@
@@ -178,89 +234,30 @@ index 9059aef39..6e9a22b59 100644
 	"code.superseriousbusiness.org/gotosocial/internal/db"
 	"code.superseriousbusiness.org/gotosocial/internal/gtserror"
 	"code.superseriousbusiness.org/gotosocial/internal/gtsmodel"
-@@ -51,6 +53,12 @@ func (p *Processor) authenticate(ctx context.Context, requestedUser string) (*co
+@@ -53,6 +55,10 @@ func (p *Processor) authenticate(ctx context.Context, requestedUser string) (*co
 	// get requesting account, dereferencing if necessary.
 	pubKeyAuth, errWithCode := p.federator.AuthenticateFederatedRequest(ctx, requestedUser)
 	if errWithCode != nil {
-+		if config.GetKalaclistaAllowedUnauthorizedGet() && errWithCode.Code() == http.StatusUnauthorized {
-+			return &commonAuth{
-+				receivingAcct: receiver,
-+			}, nil
+		if config.GetKalaclistaTurnOffAuthorizedFetch() && errWithCode.Code() == http.StatusUnauthorized {
+			return &commonAuth{receiver: receiver}, nil
 +		}
 +
 		return nil, errWithCode
 	}
 
-diff --git a/internal/processing/fedi/emoji.go b/internal/processing/fedi/emoji.go
-index 8db8b48ea..d7e503f7d 100644
--- a/internal/processing/fedi/emoji.go
-+++ b/internal/processing/fedi/emoji.go
-@@ -20,14 +20,20 @@
- import (
- 	"context"
- 	"fmt"
-+	"net/http"
- 
- 	"code.superseriousbusiness.org/gotosocial/internal/ap"
-+	"code.superseriousbusiness.org/gotosocial/internal/config"
- 	"code.superseriousbusiness.org/gotosocial/internal/gtserror"
- )
- 
- // EmojiGet handles the GET for a federated emoji originating from this instance.
- func (p *Processor) EmojiGet(ctx context.Context, requestedEmojiID string) (interface{}, gtserror.WithCode) {
- 	if _, errWithCode := p.federator.AuthenticateFederatedRequest(ctx, ""); errWithCode != nil {
-+		if !(config.GetKalaclistaAllowedUnauthorizedGet() && errWithCode.Code() == http.StatusUnauthorized) {
-+			return nil, errWithCode
-+		}
-+
- 		return nil, errWithCode
- 	}
- 
-diff --git a/internal/processing/fedi/user.go b/internal/processing/fedi/user.go
-index 53dfd6022..7d976a523 100644
--- a/internal/processing/fedi/user.go
-+++ b/internal/processing/fedi/user.go
-@@ -21,9 +21,11 @@
- 	"context"
- 	"errors"
- 	"fmt"
-+	"net/http"
- 	"net/url"
- 
- 	"code.superseriousbusiness.org/gotosocial/internal/ap"
-+	"code.superseriousbusiness.org/gotosocial/internal/config"
- 	"code.superseriousbusiness.org/gotosocial/internal/db"
- 	"code.superseriousbusiness.org/gotosocial/internal/gtserror"
- 	"code.superseriousbusiness.org/gotosocial/internal/uris"
-@@ -67,6 +69,15 @@ func (p *Processor) UserGet(ctx context.Context, requestedUsername string, reque
- 	// we can serve a more complete profile.
- 	pubKeyAuth, errWithCode := p.federator.AuthenticateFederatedRequest(ctx, requestedUsername)
- 	if errWithCode != nil {
-+		if config.GetKalaclistaAllowedUnauthorizedGet() && errWithCode.Code() == http.StatusUnauthorized {
-+			person, err := p.converter.AccountToAS(ctx, receiver)
-+			if err != nil {
-+				err := gtserror.Newf("error converting account: %w", err)
-+				return nil, gtserror.NewErrorInternalError(err)
-+			}
-+
-+			return data(person)
-+		}
- 		return nil, errWithCode // likely 401
- 	}
- 
 diff --git a/internal/router/router.go b/internal/router/router.go
-index 45419807d..7ef90e297 100644
+index fd7a18ebe..8ee62dc89 100644
 --- a/internal/router/router.go
 +++ b/internal/router/router.go
-@@ -23,6 +23,7 @@
- 	"fmt"
+@@ -24,6 +24,7 @@
 	"net"
 	"net/http"
+ 	"strconv"
 +	"strings"
 	"time"
 
 	"code.superseriousbusiness.org/gotosocial/internal/config"
-@@ -31,6 +32,7 @@
+@@ -32,6 +33,7 @@
 	"codeberg.org/gruf/go-bytesize"
 	"codeberg.org/gruf/go-debug"
 	"github.com/gin-gonic/gin"
@@ -268,7 +265,7 @@ index 45419807d..7ef90e297 100644
 	"golang.org/x/crypto/acme/autocert"
 )
 
-@@ -75,6 +77,11 @@ func New(ctx context.Context) (*Router, error) {
+@@ -76,6 +78,11 @@ func New(ctx context.Context) (*Router, error) {
 	engine.MaxMultipartMemory = maxMultipartMemory
 	engine.HandleMethodNotAllowed = true
 
@@ -280,7 +277,7 @@ index 45419807d..7ef90e297 100644
 	// Set up client IP forwarding via
 	// trusted x-forwarded-* headers.
 	trustedProxies := config.GetTrustedProxies()
-@@ -135,6 +142,7 @@ func (r *Router) Start() error {
+@@ -138,6 +145,7 @@ func (r *Router) Start() error {
 		certFile  = config.GetTLSCertificateChain()
 		keyFile   = config.GetTLSCertificateKey()
 		leEnabled = config.GetLetsEncryptEnabled()
@@ -288,7 +285,7 @@ index 45419807d..7ef90e297 100644
 	)
 
 	switch {
-@@ -155,6 +163,18 @@ func (r *Router) Start() error {
+@@ -158,6 +166,18 @@ func (r *Router) Start() error {
 			return err
 		}
 
@@ -602,10 +599,10 @@ index 000000000..85bce6fc3
 +[0]: https://pkg.go.dev/time#ParseDuration
 diff --git a/vendor/go.balki.me/anyhttp/anyhttp.go b/vendor/go.balki.me/anyhttp/anyhttp.go
 new file mode 100644
-index 000000000..8d316a78f
+index 000000000..fac5046e8
 --- /dev/null
 +++ b/vendor/go.balki.me/anyhttp/anyhttp.go
-@@ -0,0 +1,440 @@
+@@ -0,0 +1,429 @@
 +// Package anyhttp has helpers to serve http from unix sockets and systemd socket activated fds
 +package anyhttp
 +
@@ -621,7 +618,6 @@ index 000000000..8d316a78f
 +	"strconv"
 +	"strings"
 +	"sync"
-+	"syscall"
 +	"time"
 +
 +	"go.balki.me/anyhttp/idle"
@@ -758,16 +754,6 @@ index 000000000..8d316a78f
 +// StartFD is the starting file descriptor number
 +const StartFD = 3
 +
-+func makeFdListener(fd int, name string) (net.Listener, error) {
-+	fdFile := os.NewFile(uintptr(fd), name)
-+	l, err := net.FileListener(fdFile)
-+	if err != nil {
-+		return nil, err
-+	}
-+	syscall.CloseOnExec(fd)
-+	return l, nil
-+}
-+
 +// GetListener returns the FileListener created with socketed activated fd
 +func (s *SysdConfig) GetListener() (net.Listener, error) {
 +
@@ -1046,6 +1032,47 @@ index 000000000..8d316a78f
 +	}
 +	return &ctx, nil
 +}
+diff --git a/vendor/go.balki.me/anyhttp/fd_unix.go b/vendor/go.balki.me/anyhttp/fd_unix.go
+new file mode 100644
+index 000000000..83a94fce4
+--- /dev/null
+++ b/vendor/go.balki.me/anyhttp/fd_unix.go
+@@ -0,0 +1,19 @@
+//go:build unix
+
+package anyhttp
+
+import (
+	"net"
+	"os"
+	"syscall"
+)
+
+func makeFdListener(fd int, name string) (net.Listener, error) {
+	fdFile := os.NewFile(uintptr(fd), name)
+	l, err := net.FileListener(fdFile)
+	if err != nil {
+		return nil, err
+	}
+	syscall.CloseOnExec(fd)
+	return l, nil
+}
+diff --git a/vendor/go.balki.me/anyhttp/fd_windows.go b/vendor/go.balki.me/anyhttp/fd_windows.go
+new file mode 100644
+index 000000000..f1d6bca12
+--- /dev/null
+++ b/vendor/go.balki.me/anyhttp/fd_windows.go
+@@ -0,0 +1,10 @@
+package anyhttp
+
+import (
+	"errors"
+	"net"
+)
+
+func makeFdListener(fd int, name string) (net.Listener, error) {
+	return nil, errors.New("windows not supported")
+}
 diff --git a/vendor/go.balki.me/anyhttp/idle/idle.go b/vendor/go.balki.me/anyhttp/idle/idle.go
 new file mode 100644
 index 000000000..ee3d81ff1
@@ -1180,14 +1207,14 @@ index 000000000..ee3d81ff1
 +	return i.c
 +}
 diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 276f0f17c..ec3ecb43d 100644
+index 19b2ef773..3d418ee33 100644
 --- a/vendor/modules.txt
 +++ b/vendor/modules.txt
-@@ -968,6 +968,10 @@ github.com/yuin/goldmark/renderer
+@@ -1002,6 +1002,10 @@ github.com/yuin/goldmark/renderer
 github.com/yuin/goldmark/renderer/html
 github.com/yuin/goldmark/text
 github.com/yuin/goldmark/util
-+# go.balki.me/anyhttp v0.5.0
+# go.balki.me/anyhttp v0.5.2
 +## explicit; go 1.20
 +go.balki.me/anyhttp
 +go.balki.me/anyhttp/idle