add alpine as base image + add cronie service

This commit is contained in:
Miraty 2024-07-24 18:30:48 +02:00
parent 4b387af85e
commit 2088d187d3
23 changed files with 46 additions and 263 deletions

1
.gitignore vendored
View file

@ -12,6 +12,7 @@
/servnest/tor-config/*
/sftpgo-logs/sftpgo.log
/php-logs/error.log
/cronie-logs/*.log
/nginx-logs/servnest-access.log
/nginx-logs/error.log
/apache-logs/error.log

View file

@ -10,6 +10,7 @@ no_hosts=true
wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-minirootfs-3.20.2-x86_64.tar.gz
wget https://github.com/drakkan/sftpgo/archive/refs/tags/v2.6.2.tar.gz -o sftpgo-v2.6.2.tar.gz
sha256sum -c sha256sums
podman-compose -f base.yaml build alpine
podman-compose up --build
podman-compose exec php php /srv/servnest/core/jobs/check.php
```

10
alpine.Containerfile Normal file
View file

@ -0,0 +1,10 @@
FROM scratch
ARG SYS
ADD $SYS /
RUN apk upgrade -U
RUN apk add shadow
RUN \
useradd --user-group --system --no-create-home --uid 500 servnest && \
useradd --user-group --system --no-create-home --uid 501 nginx && \
useradd --user-group --system --no-create-home --uid 505 sftpgo && \
useradd --user-group --system --no-create-home --uid 506 tor

View file

@ -1,7 +1,4 @@
FROM scratch
ARG SYS
ADD $SYS /
RUN apk upgrade -U
FROM servnest_alpine
RUN apk add apache2 apache2-brotli
RUN chown apache: /var/log/apache2/ /run/apache2/
USER apache

View file

@ -1,8 +1,10 @@
name: servnest
services:
base:
alpine:
build:
args:
SYS: $SYS
dockerfile: alpine.Containerfile
cpus: '0.5'
mem_limit: 16mb
security_opt:
@ -11,3 +13,9 @@ services:
- ALL
read_only: true
restart: "always"
base: # Reset "args" to avoid unused arg warning
extends:
service: alpine
build:
args: {}

View file

@ -101,6 +101,14 @@ services:
- SETUID
- SETGID
- CHOWN
cronie:
extends:
service: php
build:
dockerfile: cronie.Containerfile
volumes:
- ./install/cronie:/etc/cron.d/servnest:ro
- ./cronie-logs/:/var/log/cronie/:rw
nginx:
extends:
file: base.yaml

4
cronie.Containerfile Normal file
View file

@ -0,0 +1,4 @@
FROM servnest_php
USER root
RUN apk add cronie moreutils
CMD ["crond", "-n", "-s"]

View file

@ -1,43 +0,0 @@
#!/usr/bin/bash
mkdir /srv/servnest/ht
cp -r /install/http-messages /srv/servnest/ht/http-messages
chown -R root:root /srv/servnest/ht
chmod -R u=rX,g=rX,o=rX /srv/servnest/ht
mkdir /srv/servnest/ht/fs
chown -R $apache:$sftpgo /srv/servnest/ht/fs
chmod -R u=rX,g=rwX,o= /srv/servnest/ht/fs
mkdir /srv/servnest/ht/uri
mkdir /srv/servnest/ht/uri/ht.servnest.test
chown -R $servnest:$apache /srv/servnest/ht/uri
chmod -R u=rwX,g=rX,o= /srv/servnest/ht/uri
if [[ $OS = "arch" ]]; then
rm -r /etc/httpd/*
mkdir /etc/httpd/conf/
cp -r /install/apache/* /etc/httpd/
mv /etc/httpd/httpd.conf /etc/httpd/conf/httpd.conf
mkdir -m 0755 /srv/servnest/ht/usr
mkdir -m 0755 /srv/servnest/ht/usr/lib
ln /usr/lib/libc.so.6 /srv/servnest/ht/usr/lib/libc.so.6
fi
if [[ $OS = "debian" ]]; then
rm -r /etc/apache2/*
cp -r /install/apache/* /etc/apache2/
mv /etc/apache2/httpd.conf /etc/apache2/apache2.conf
sed -i 's#/usr/lib/httpd/modules/#/usr/lib/apache2/modules/#g' /etc/apache2/apache2.conf
sed -i 's#ServerRoot "/etc/httpd"#ServerRoot "/etc/apache2"#' /etc/apache2/apache2.conf
sed -i 's/LoadModule unixd_module/#LoadModule unixd_module/' /etc/apache2/apache2.conf
sed -i 's/LoadModule log_config_module/#LoadModule log_config_module/' /etc/apache2/apache2.conf
sed -i 's#/var/log/httpd/#/var/log/apache2/#g' /etc/apache2/apache2.conf
mkdir -m 0755 /srv/servnest/ht/lib
mkdir -m 0755 /srv/servnest/ht/lib/x86_64-linux-gnu
ln /lib/x86_64-linux-gnu/libgcc_s.so.1 /srv/servnest/ht/lib/x86_64-linux-gnu/libgcc_s.so.1
ln /lib/x86_64-linux-gnu/libc.so.6 /srv/servnest/ht/lib/x86_64-linux-gnu/libc.so.6
fi

View file

@ -1,13 +0,0 @@
mkdir /srv/servnest/acme
chown $nginx: /srv/servnest/acme
chmod u=rX,g=,o= /srv/servnest/acme
cp /install/certbot.ini /etc/letsencrypt/servnest.ini
cp /install/certbot-deploy-hook.sh /root/certbot-deploy-hook.sh
chmod +x /root/certbot-deploy-hook.sh
mkdir -p /etc/letsencrypt/archive/ /etc/letsencrypt/live/
chmod 710 /etc/letsencrypt/archive/ /etc/letsencrypt/live/
chown root:nginx /etc/letsencrypt/archive/ /etc/letsencrypt/live/
#/root/certbot-deploy-hook.sh

View file

@ -1,3 +1,4 @@
* */6 * * * root sudo -u servnest php /srv/servnest/core/jobs/ns-sync.php >> /var/log/servnest.log 2>&1
* */24 * * * root sudo -u servnest php /srv/servnest/core/jobs/reg-cds.php >> /var/log/servnest.log 2>&1
* */24 * * * root sudo -u servnest php /srv/servnest/core/jobs/reg-csync.php >> /var/log/servnest.log 2>&1
48 0,6,12,18 * * * root echo "ns-sync: $(sudo -u servnest php83 /srv/servnest/core/jobs/ns-sync.php)" | ts >> /var/log/cronie/ns-sync.log 2>&1
14 4 * * * root echo "reg-cds: $(sudo -u servnest php83 /srv/servnest/core/jobs/reg-cds.php)" | ts >> /var/log/cronie/reg-cds.log 2>&1
34 4 * * * root echo "reg-csync: $(sudo -u servnest php83 /srv/servnest/core/jobs/reg-csync.php)" | ts >> /var/log/cronie/reg-csync.log 2>&1
24 11 * * * root echo "certbot renew: $(certbot renew)" | ts >> /var/log/cronie/certbot-renew.log 2>&1

View file

@ -1,27 +0,0 @@
# Set users and groups names
export sftpgo='sftpgo'
export servnest='servnest'
export knot='knot'
export nginx='nginx'
export apache='apache'
export tor='tor'
if [[ $OS = "debian" ]]; then
export tor='debian-tor'
fi
# Create system users and groups
useradd -U -r -s $(which nologin) $nginx
useradd -U -r -s $(which nologin) $servnest
useradd -U -r -s $(which nologin) $sftpgo
useradd -U -r -s $(which nologin) $apache
# Execute installation steps
source /install/servnest.sh
source /install/sudo.sh
source /install/tor.sh
source /install/knot.sh
source /install/php.sh
source /install/nginx.sh
source /install/apache.sh
source /install/sftpgo.sh
source /install/certbot.sh

View file

@ -1,15 +0,0 @@
#!/usr/bin/bash
mkdir -p /var/lib/knot/confdb/
# Load configuration in Knot database
knotc conf-import /install/knot.conf
# We need servnest to be allowed to configure Knot
usermod -aG $knot $servnest # Add user $servnest to group $knot
chown -R $knot: /var/lib/knot/confdb
chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb
mkdir -p /srv/servnest/reg /srv/servnest/ns
chown -R $servnest:$knot /srv/servnest/reg /srv/servnest/ns
chmod -R u=rwX,g=rwX,o= /srv/servnest/reg /srv/servnest/ns

View file

@ -1,13 +0,0 @@
#!/usr/bin/bash
# Generate default self-signed TLS key pair
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt
openssl req -subj '/CN=servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.test.key -out /etc/ssl/certs/servnest.test.crt
openssl req -subj '/CN=ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/ht.servnest.test.key -out /etc/ssl/certs/ht.servnest.test.crt
openssl req -subj '/CN=*.ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/wildcard.ht.servnest.test.key -out /etc/ssl/certs/wildcard.ht.servnest.test.crt
rm -r /etc/nginx/*
cp -r /install/nginx/* /etc/nginx/

View file

@ -1,29 +0,0 @@
#!/usr/bin/bash
rm -r /etc/php/*
cp /install/php-fpm.conf /etc/php/
export PHP_INI=/etc/php/php.ini
if [[ $OS = "debian" ]]; then
mkdir -p /etc/php/8.2/fpm/
ln -s /etc/php/8.2/fpm/ /etc/php/8.2/cli
mv /etc/php/php-fpm.conf /etc/php/8.2/fpm/
export PHP_INI=/etc/php/8.2/fpm/php.ini
fi
cp /etc/php.ini-development $PHP_INI
if [[ $OS = "debian" ]]; then
echo "extension = pdo" >> $PHP_INI
fi
if [[ $OS = "arch" ]]; then
echo "extension = sodium" >> $PHP_INI
fi
cat /install/php.ini >> $PHP_INI
# For systemd
mkdir /etc/systemd/system/php-fpm.service.d
cp /install/php-fpm.service.override.conf /etc/systemd/system/php-fpm.service.d/

View file

@ -1,26 +0,0 @@
#!/usr/bin/bash
# Initialize configuration
cp /srv/servnest/core/config.template.ini /srv/servnest/core/config.ini
# Create database
sqlite3 /srv/servnest/core/db/servnest.db < /srv/servnest/core/db/schema.sql
echo "UPDATE params SET value = '$(openssl rand -hex 16)' WHERE name = 'username_salt';" | sqlite3 /srv/servnest/core/db/servnest.db
for i in $(seq 50)
do
echo "INSERT INTO 'approval-keys'(key) VALUES('$(openssl rand -hex 16)');" | sqlite3 /srv/servnest/core/db/servnest.db
done
# Create translation Machine Objects files
msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo
chmod u=rX,g=rX,o=rX /srv/servnest /srv/servnest/core
chown root:root /srv/servnest /srv/servnest/core
chmod -R u=rX,g=rX,o= $(find /srv/servnest/core -mindepth 1 -maxdepth 1 ! -name .git ! -name db)
chown -R $servnest:$nginx $(find /srv/servnest/core -mindepth 1 -maxdepth 1 ! -name .git ! -name db)
chown -R $servnest: /srv/servnest/core/db
chmod -R u=rwX,g=,o= /srv/servnest/core/db

View file

@ -1,27 +0,0 @@
#!/usr/bin/bash
mkdir /etc/sftpgo
# Generate SFTPGo key pair
ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N "" -C ""
# Generate fingerprints
fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519))
echo ${fp[1]} > /etc/sftpgo/ed25519.fp
ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart
# Generate SSHFP record
echo ht.servnest.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/servnest/reg/servnest.test.zone
cp /install/sftpgo.toml /etc/sftpgo/
touch /etc/sftpgo/banner.txt
usermod -aG $sftpgo $servnest # Add user servnest to group sftpgo
chown -R $sftpgo: /etc/sftpgo
chmod -R u=rX,g=rX,o= /etc/sftpgo
chmod u=r,g=,o= /etc/sftpgo/ed25519
# For systemd
cp /install/sftpgo.service /etc/systemd/system/
# Allow listening on privileged ports
setcap 'cap_net_bind_service=+ep' /usr/local/bin/sftpgo

View file

@ -1,3 +0,0 @@
#!/usr/bin/bash
cp /install/sudoers /etc/sudoers.d/servnest

View file

@ -1,23 +0,0 @@
rm -r /etc/tor/*
cp /install/torrc /etc/tor/
mkdir /srv/servnest/tor-config
chown -R $servnest:$tor /srv/servnest/tor-config
chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
mkdir /srv/servnest/tor-keys
chown -R $tor: /srv/servnest/tor-keys
chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
# For systemd
mkdir /etc/systemd/system/tor.service.d
cp /install/tor.service.override.conf /etc/systemd/system/tor.service.d/
if [[ $OS = "debian" ]]; then
mv /etc/systemd/system/tor.service.d/ /etc/systemd/system/tor@default.service.d/
sed -i 's/User tor/User debian-tor/' /etc/tor/torrc
sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/servnest
sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/servnest
sed -i 's/systemctl reload tor"/systemctl reload tor@default"/' /srv/servnest/core/config.ini
sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/servnest/core/config.ini
fi

View file

@ -1,7 +1,4 @@
FROM scratch
ARG SYS
ADD $SYS /
RUN apk upgrade -U
FROM servnest_alpine
RUN apk add knot
COPY install/knot.conf /
RUN mkdir /run/knot /var/log/knot/ && chown -R knot:knot /run/knot/ /var/log/knot/

View file

@ -1,14 +1,9 @@
FROM scratch
ARG SYS
ADD $SYS /
RUN apk upgrade -U
RUN apk add shadow && useradd -U -r --uid 501 nginx
FROM servnest_alpine
RUN apk add nginx nginx-mod-http-headers-more openssl
RUN openssl req -quiet -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt \
&& openssl req -quiet -subj '/CN=servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.test.key -out /etc/ssl/certs/servnest.test.crt \
&& openssl req -quiet -subj '/CN=ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/ht.servnest.test.key -out /etc/ssl/certs/ht.servnest.test.crt \
&& openssl req -quiet -subj '/CN=*.ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/wildcard.ht.servnest.test.key -out /etc/ssl/certs/wildcard.ht.servnest.test.crt
RUN chmod -R u=rwX,g=rX,o= /etc/ssl/
RUN chown -R root:nginx /etc/ssl/
RUN chmod -R u=rwX,g=rX,o= /etc/ssl/ && chown -R root:nginx /etc/ssl/
USER nginx
CMD ["nginx", "-g", "daemon off;"]

View file

@ -1,7 +1,4 @@
FROM scratch
ARG SYS
ADD $SYS /
RUN apk upgrade -U
FROM servnest_alpine
RUN apk add \
php83 \
php83-fpm \
@ -20,7 +17,6 @@ RUN apk add \
openssh-client \
knot \
knot-utils \
shadow \
sqlite \
gettext
#RUN cp /srv/servnest/core/config.template.ini /srv/servnest/core/config.ini
@ -28,9 +24,5 @@ RUN apk add \
#RUN echo "UPDATE params SET value = '$(openssl rand -hex 16)' WHERE name = 'username_salt';" | sqlite3 /srv/servnest/core/db/servnest.db
#RUN msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo
RUN rm /etc/php83/php-fpm.d/www.conf
RUN useradd -U -r --uid 500 servnest
RUN useradd -U -r --uid 501 nginx
RUN useradd -U -r --uid 505 sftpgo
RUN useradd -U -r --uid 506 tor
USER servnest:knot
CMD ["php-fpm83", "--nodaemonize"]

View file

@ -1,7 +1,4 @@
FROM scratch AS builder
ARG SYS
ADD $SYS /
RUN apk upgrade -U
FROM servnest_alpine AS builder
RUN apk add go
ARG SFTPGO
ADD $SFTPGO /
@ -11,17 +8,12 @@ RUN cp -r openapi ./internal/bundle/openapi && \
cp -r static ./internal/bundle/static
RUN go build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o /usr/local/bin/sftpgo && strip /usr/local/bin/sftpgo
FROM scratch
ARG SYS
ADD $SYS /
RUN apk upgrade -U
RUN apk add openssh-keygen bash shadow
FROM servnest_alpine
RUN apk add openssh-keygen bash
RUN mkdir /etc/sftpgo/ && ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N "" -C ""
RUN touch /etc/sftpgo/banner.txt
RUN ["/bin/bash", "-c", "fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519)) && echo ${fp[1]} > /etc/sftpgo/ed25519.fp"]
RUN ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart
RUN useradd -U -r --uid 500 servnest
RUN useradd -U -r --uid 505 sftpgo
RUN mkdir /var/log/sftpgo/ && chown sftpgo: /var/log/sftpgo/ && chmod -R u=rwX,g=rX,o= /etc/sftpgo/ && chown -R root:sftpgo /etc/sftpgo/
COPY --from=builder /usr/local/bin/sftpgo /usr/local/bin/sftpgo
USER sftpgo

View file

@ -1,8 +1,4 @@
FROM scratch
ARG SYS
ADD $SYS /
RUN apk upgrade -U
RUN apk add shadow && useradd -U -r --uid 506 tor
FROM servnest_alpine
RUN apk add tor && chmod 700 /var/lib/tor
USER tor
CMD ["tor", "--hush"]