diff --git a/.gitignore b/.gitignore
index 5eae834..f495b90 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,7 @@
 /servnest/tor-config/*
 /sftpgo-logs/sftpgo.log
 /php-logs/error.log
+/cronie-logs/*.log
 /nginx-logs/servnest-access.log
 /nginx-logs/error.log
 /apache-logs/error.log
diff --git a/README.md b/README.md
index c923002..0fd7ead 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ no_hosts=true
 wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-minirootfs-3.20.2-x86_64.tar.gz
 wget https://github.com/drakkan/sftpgo/archive/refs/tags/v2.6.2.tar.gz -o sftpgo-v2.6.2.tar.gz
 sha256sum -c sha256sums
+podman-compose -f base.yaml build alpine
 podman-compose up --build
 podman-compose exec php php /srv/servnest/core/jobs/check.php
 ```
diff --git a/alpine.Containerfile b/alpine.Containerfile
new file mode 100644
index 0000000..d79b931
--- /dev/null
+++ b/alpine.Containerfile
@@ -0,0 +1,10 @@
+FROM scratch
+ARG SYS
+ADD $SYS /
+RUN apk upgrade -U
+RUN apk add shadow
+RUN \
+ useradd --user-group --system --no-create-home --uid 500 servnest && \
+ useradd --user-group --system --no-create-home --uid 501 nginx && \
+ useradd --user-group --system --no-create-home --uid 505 sftpgo && \
+ useradd --user-group --system --no-create-home --uid 506 tor
diff --git a/apache.Containerfile b/apache.Containerfile
index 28adadd..2f7eba1 100644
--- a/apache.Containerfile
+++ b/apache.Containerfile
@@ -1,7 +1,4 @@
-FROM scratch
-ARG SYS
-ADD $SYS /
-RUN apk upgrade -U
+FROM servnest_alpine
 RUN apk add apache2 apache2-brotli
 RUN chown apache: /var/log/apache2/ /run/apache2/
 USER apache
diff --git a/base.yaml b/base.yaml
index 5238fbc..2bcb636 100644
--- a/base.yaml
+++ b/base.yaml
@@ -1,8 +1,10 @@
+name: servnest
 services:
- base:
+ alpine:
 build:
 args:
 SYS: $SYS
+ dockerfile: alpine.Containerfile
 cpus: '0.5'
 mem_limit: 16mb
 security_opt:
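Review bot: The useradd calls in the last RUN of alpine.Containerfile set no login shell, whereas the deleted install/install.sh created the same accounts with `-s $(which nologin)`; add `--shell /sbin/nologin` to each call so servnest, nginx, sftpgo and tor cannot be given an interactive shell (without it shadow falls back to its /etc/default/useradd default, probably /bin/sh on this minirootfs — confirm in the built image). `ADD $SYS /` unpacks the rootfs tarball with no integrity check inside the build; the README's `sha256sum -c` is a separate manual step, so if the buildah in use supports it, `ADD --checksum=sha256:<digest> $SYS /` would tie the check to the build itself. `apk upgrade -U` and `apk add shadow` also leave the fetched package index under /var/cache/apk in the base layer that every other image inherits; `--no-cache` on both avoids that.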
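Review bot: `FROM servnest_alpine` in apache.Containerfile is an unqualified, untagged image reference, so if the base has not been built yet (the README's new `podman-compose -f base.yaml build alpine` step is easy to skip) the builder does not fail but resolves the name through the configured unqualified-search registries, and a registry-published image of that name would silently become the base of this service. Use the local-only form `FROM localhost/servnest_alpine`, which is how podman tags a locally built image and cannot be satisfied by a remote pull. The same applies to the other Containerfiles this commit switches to the shared base, and to `FROM servnest_php` in cronie.Containerfile.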
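Review bot: The alpine service in base.yaml declares no `image:`, so the name servnest_alpine that the other Containerfiles pull with FROM exists only because podman-compose names built images `<project>_<service>`; docker compose would produce `servnest-alpine`, and the FROM lines would then fall through to a registry lookup. Add `image: servnest_alpine` (or `localhost/servnest_alpine`) under the service so the contract is stated in one place rather than implied by the new `name: servnest` line. The service also appears to keep the `restart`/`read_only` settings of the rest of this file; since it exists only to be built, a comment such as `# build-only base image; not meant to be started` would spare whoever runs a plain `podman-compose up` a restart loop.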
@@ -11,3 +13,9 @@ services:
 - ALL
 read_only: true
 restart: "always"
+ base: # Reset "args" to avoid unused arg warning
+ extends:
+ service: alpine
+ build:
+ args: {}
+
diff --git a/compose.yaml b/compose.yaml
index 4ae2f68..dc94a8a 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -101,6 +101,14 @@ services:
 - SETUID
 - SETGID
 - CHOWN
+ cronie:
+ extends:
+ service: php
+ build:
+ dockerfile: cronie.Containerfile
+ volumes:
+ - ./install/cronie:/etc/cron.d/servnest:ro
+ - ./cronie-logs/:/var/log/cronie/:rw
 nginx:
 extends:
 file: base.yaml
diff --git a/cronie.Containerfile b/cronie.Containerfile
new file mode 100644
index 0000000..6662993
--- /dev/null
+++ b/cronie.Containerfile
@@ -0,0 +1,4 @@
+FROM servnest_php
+USER root
+RUN apk add cronie moreutils
+CMD ["crond", "-n", "-s"]
diff --git a/install/apache.sh b/install/apache.sh
deleted file mode 100644
index 808f38c..0000000
--- a/install/apache.sh
+++ /dev/null
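Review bot: The new cronie service extends php and so inherits php's runtime security settings, yet cronie.Containerfile switches the image back to `USER root`; the process this service runs is therefore root inside the container with whatever capabilities php is granted (the `SETUID`/`SETGID`/`CHOWN` entries directly above look like the preceding service's `cap_add`, but which service that is lies outside the hunk). State the reason next to the service, e.g. `# runs crond as root so jobs can drop to servnest via sudo`, and check that the inherited cap set is what crond needs rather than what php-fpm needed. cronie also skips /etc/cron.d files that are not owned by root or are group/world-writable, and the bind-mounted ./install/cronie keeps the host file's ownership and mode, so under rootful podman the table may be rejected at startup — look for a "WRONG FILE OWNER" / "BAD FILE MODE" line in crond's output after the first `up`. Finally, the `certbot renew` job in install/cronie needs certbot and the letsencrypt state, and neither a certbot package nor an /etc/letsencrypt volume is visible for this service; confirm where that job is expected to run.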
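Review bot: cronie.Containerfile ends with `USER root` active and no explanation, which reads as an unintended root image (and hadolint will flag it); add `# crond must run as root to switch to each job's user (sudo -u servnest in install/cronie)` above it so the choice is visibly deliberate. `crond -s` sends job output to syslog, but neither this image nor the php base it builds on starts a syslogd, so anything a job does not explicitly redirect under /var/log/cronie is dropped rather than logged; either drop `-s` in favour of the per-job redirects the cron table already has, or document that the loss is intended. `apk add cronie moreutils` should also use `--no-cache` and pinned versions, consistent with what the other apk lines this commit restructures ought to do.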
@@ -1,43 +0,0 @@ -#!/usr/bin/bash - -mkdir /srv/servnest/ht -cp -r /install/http-messages /srv/servnest/ht/http-messages -chown -R root:root /srv/servnest/ht -chmod -R u=rX,g=rX,o=rX /srv/servnest/ht - -mkdir /srv/servnest/ht/fs -chown -R $apache:$sftpgo /srv/servnest/ht/fs -chmod -R u=rX,g=rwX,o= /srv/servnest/ht/fs - -mkdir /srv/servnest/ht/uri -mkdir /srv/servnest/ht/uri/ht.servnest.test -chown -R $servnest:$apache /srv/servnest/ht/uri -chmod -R u=rwX,g=rX,o= /srv/servnest/ht/uri - -if [[ $OS = "arch" ]]; then - rm -r /etc/httpd/* - mkdir /etc/httpd/conf/ - cp -r /install/apache/* /etc/httpd/ - mv /etc/httpd/httpd.conf /etc/httpd/conf/httpd.conf - - mkdir -m 0755 /srv/servnest/ht/usr - mkdir -m 0755 /srv/servnest/ht/usr/lib - ln /usr/lib/libc.so.6 /srv/servnest/ht/usr/lib/libc.so.6 -fi - -if [[ $OS = "debian" ]]; then - rm -r /etc/apache2/* - cp -r /install/apache/* /etc/apache2/ - mv /etc/apache2/httpd.conf /etc/apache2/apache2.conf - sed -i 's#/usr/lib/httpd/modules/#/usr/lib/apache2/modules/#g' /etc/apache2/apache2.conf - sed -i 's#ServerRoot "/etc/httpd"#ServerRoot "/etc/apache2"#' /etc/apache2/apache2.conf - sed -i 's/LoadModule unixd_module/#LoadModule unixd_module/' /etc/apache2/apache2.conf - sed -i 's/LoadModule log_config_module/#LoadModule log_config_module/' /etc/apache2/apache2.conf - sed -i 's#/var/log/httpd/#/var/log/apache2/#g' /etc/apache2/apache2.conf - - mkdir -m 0755 /srv/servnest/ht/lib - mkdir -m 0755 /srv/servnest/ht/lib/x86_64-linux-gnu - ln /lib/x86_64-linux-gnu/libgcc_s.so.1 /srv/servnest/ht/lib/x86_64-linux-gnu/libgcc_s.so.1 - ln /lib/x86_64-linux-gnu/libc.so.6 /srv/servnest/ht/lib/x86_64-linux-gnu/libc.so.6 -fi - diff --git a/install/certbot.sh b/install/certbot.sh deleted file mode 100644 index 7a21d3a..0000000 --- a/install/certbot.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -mkdir /srv/servnest/acme -chown $nginx: /srv/servnest/acme -chmod u=rX,g=,o= /srv/servnest/acme - -cp /install/certbot.ini /etc/letsencrypt/servnest.ini - -cp /install/certbot-deploy-hook.sh /root/certbot-deploy-hook.sh -chmod +x /root/certbot-deploy-hook.sh - -mkdir -p /etc/letsencrypt/archive/ /etc/letsencrypt/live/ -chmod 710 /etc/letsencrypt/archive/ /etc/letsencrypt/live/ -chown root:nginx /etc/letsencrypt/archive/ /etc/letsencrypt/live/ -#/root/certbot-deploy-hook.sh diff --git a/install/cronie b/install/cronie index 63294bd..ff17294 100644 --- a/install/cronie +++ b/install/cronie @@ -1,3 +1,4 @@ -* */6 * * * root sudo -u servnest php /srv/servnest/core/jobs/ns-sync.php >> /var/log/servnest.log 2>&1 -* */24 * * * root sudo -u servnest php /srv/servnest/core/jobs/reg-cds.php >> /var/log/servnest.log 2>&1 -* */24 * * * root sudo -u servnest php /srv/servnest/core/jobs/reg-csync.php >> /var/log/servnest.log 2>&1 +48 0,6,12,18 * * * root echo "ns-sync: $(sudo -u servnest php83 /srv/servnest/core/jobs/ns-sync.php)" | ts >> /var/log/cronie/ns-sync.log 2>&1 +14 4 * * * root echo "reg-cds: $(sudo -u servnest php83 /srv/servnest/core/jobs/reg-cds.php)" | ts >> /var/log/cronie/reg-cds.log 2>&1 +34 4 * * * root echo "reg-csync: $(sudo -u servnest php83 /srv/servnest/core/jobs/reg-csync.php)" | ts >> /var/log/cronie/reg-csync.log 2>&1 +24 11 * * * root echo "certbot renew: $(certbot renew)" | ts >> /var/log/cronie/certbot-renew.log 2>&1 diff --git a/install/install.sh b/install/install.sh deleted file mode 100644 index 6475cf4..0000000 --- a/install/install.sh +++ /dev/null 
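Review bot: Each new job in install/cronie wraps the command in `echo "…: $(sudo -u servnest php83 …)" | ts >> … 2>&1`, which captures only the job's stdout: the trailing `2>&1` applies to `ts`, so the PHP job's stderr goes to crond's own output (syslog under `crond -s`, which nothing in this stack collects) instead of the per-job log, and the job's exit status is replaced by echo's, so a failing run is indistinguishable from a quiet success. The command substitution also buffers the whole output until the job ends, so `ts` stamps every line with the completion time rather than when it was written. Put the job itself in the pipeline instead, e.g. `48 0,6,12,18 * * * root sudo -u servnest php83 /srv/servnest/core/jobs/ns-sync.php 2>&1 | ts 'ns-sync: %b %d %H:%M:%S' >> /var/log/cronie/ns-sync.log`, and likewise for the other three entries. The `certbot renew` line runs as root from the same table, but the container that loads it (cronie, built from the php image) does not visibly install certbot; confirm it is present or that job will fail every day.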
@@ -1,27 +0,0 @@ -# Set users and groups names -export sftpgo='sftpgo' -export servnest='servnest' -export knot='knot' -export nginx='nginx' -export apache='apache' -export tor='tor' -if [[ $OS = "debian" ]]; then - export tor='debian-tor' -fi - -# Create system users and groups -useradd -U -r -s $(which nologin) $nginx -useradd -U -r -s $(which nologin) $servnest -useradd -U -r -s $(which nologin) $sftpgo -useradd -U -r -s $(which nologin) $apache - -# Execute installation steps -source /install/servnest.sh -source /install/sudo.sh -source /install/tor.sh -source /install/knot.sh -source /install/php.sh -source /install/nginx.sh -source /install/apache.sh -source /install/sftpgo.sh -source /install/certbot.sh diff --git a/install/knot.sh b/install/knot.sh deleted file mode 100644 index 41d6c9d..0000000 --- a/install/knot.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/bash - -mkdir -p /var/lib/knot/confdb/ - -# Load configuration in Knot database -knotc conf-import /install/knot.conf - -# We need servnest to be allowed to configure Knot -usermod -aG $knot $servnest # Add user $servnest to group $knot -chown -R $knot: /var/lib/knot/confdb -chmod -R u=rwX,g=rwX,o= /var/lib/knot/confdb - -mkdir -p /srv/servnest/reg /srv/servnest/ns -chown -R $servnest:$knot /srv/servnest/reg /srv/servnest/ns -chmod -R u=rwX,g=rwX,o= /srv/servnest/reg /srv/servnest/ns diff --git a/install/nginx.sh b/install/nginx.sh deleted file mode 100644 index a601903..0000000 --- a/install/nginx.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/usr/bin/bash - -# Generate default self-signed TLS key pair -openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt - -openssl req -subj '/CN=servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.test.key -out /etc/ssl/certs/servnest.test.crt - -openssl req -subj '/CN=ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/ht.servnest.test.key -out /etc/ssl/certs/ht.servnest.test.crt - -openssl req -subj '/CN=*.ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/wildcard.ht.servnest.test.key -out /etc/ssl/certs/wildcard.ht.servnest.test.crt - -rm -r /etc/nginx/* -cp -r /install/nginx/* /etc/nginx/ diff --git a/install/php.sh b/install/php.sh deleted file mode 100644 index 8548d68..0000000 --- a/install/php.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/bash - -rm -r /etc/php/* -cp /install/php-fpm.conf /etc/php/ - -export PHP_INI=/etc/php/php.ini - -if [[ $OS = "debian" ]]; then - mkdir -p /etc/php/8.2/fpm/ - ln -s /etc/php/8.2/fpm/ /etc/php/8.2/cli - mv /etc/php/php-fpm.conf /etc/php/8.2/fpm/ - export PHP_INI=/etc/php/8.2/fpm/php.ini -fi - -cp /etc/php.ini-development $PHP_INI - -if [[ $OS = "debian" ]]; then - echo "extension = pdo" >> $PHP_INI -fi - -if [[ $OS = "arch" ]]; then - echo "extension = sodium" >> $PHP_INI -fi - -cat /install/php.ini >> $PHP_INI - -# For systemd -mkdir /etc/systemd/system/php-fpm.service.d -cp /install/php-fpm.service.override.conf /etc/systemd/system/php-fpm.service.d/ diff --git a/install/servnest.sh b/install/servnest.sh deleted file mode 100644 index f241e8e..0000000 --- a/install/servnest.sh +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/usr/bin/bash - -# Initialize configuration -cp /srv/servnest/core/config.template.ini /srv/servnest/core/config.ini - -# Create database -sqlite3 /srv/servnest/core/db/servnest.db < /srv/servnest/core/db/schema.sql - -echo "UPDATE params SET value = '$(openssl rand -hex 16)' WHERE name = 'username_salt';" | sqlite3 /srv/servnest/core/db/servnest.db - -for i in $(seq 50) -do - echo "INSERT INTO 'approval-keys'(key) VALUES('$(openssl rand -hex 16)');" | sqlite3 /srv/servnest/core/db/servnest.db -done - -# Create translation Machine Objects files -msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo - -chmod u=rX,g=rX,o=rX /srv/servnest /srv/servnest/core -chown root:root /srv/servnest /srv/servnest/core - -chmod -R u=rX,g=rX,o= $(find /srv/servnest/core -mindepth 1 -maxdepth 1 ! -name .git ! -name db) -chown -R $servnest:$nginx $(find /srv/servnest/core -mindepth 1 -maxdepth 1 ! -name .git ! -name db) - -chown -R $servnest: /srv/servnest/core/db -chmod -R u=rwX,g=,o= /srv/servnest/core/db diff --git a/install/sftpgo.sh b/install/sftpgo.sh deleted file mode 100644 index bff02d9..0000000 --- a/install/sftpgo.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/bash - -mkdir /etc/sftpgo - -# Generate SFTPGo key pair -ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N "" -C "" -# Generate fingerprints -fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519)) -echo ${fp[1]} > /etc/sftpgo/ed25519.fp -ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart -# Generate SSHFP record -echo ht.servnest.test. 86400 SSHFP 4 2 $(cut -d ' ' -f 2 /etc/sftpgo/ed25519.pub | base64 -d | sha256sum | cut -d ' ' -f 1) >> /srv/servnest/reg/servnest.test.zone - -cp /install/sftpgo.toml /etc/sftpgo/ -touch /etc/sftpgo/banner.txt - -usermod -aG $sftpgo $servnest # Add user servnest to group sftpgo - -chown -R $sftpgo: /etc/sftpgo -chmod -R u=rX,g=rX,o= /etc/sftpgo -chmod u=r,g=,o= /etc/sftpgo/ed25519 - -# For systemd -cp /install/sftpgo.service /etc/systemd/system/ - -# Allow listening on privileged ports -setcap 'cap_net_bind_service=+ep' /usr/local/bin/sftpgo diff --git a/install/sudo.sh b/install/sudo.sh deleted file mode 100644 index 70d794e..0000000 --- a/install/sudo.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/bash - -cp /install/sudoers /etc/sudoers.d/servnest diff --git a/install/tor.sh b/install/tor.sh deleted file mode 100644 index 4323953..0000000 --- a/install/tor.sh +++ /dev/null 
@@ -1,23 +0,0 @@ -rm -r /etc/tor/* -cp /install/torrc /etc/tor/ - -mkdir /srv/servnest/tor-config -chown -R $servnest:$tor /srv/servnest/tor-config -chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config - -mkdir /srv/servnest/tor-keys -chown -R $tor: /srv/servnest/tor-keys -chmod -R u=rwX,g=,o= /srv/servnest/tor-keys - -# For systemd -mkdir /etc/systemd/system/tor.service.d -cp /install/tor.service.override.conf /etc/systemd/system/tor.service.d/ - -if [[ $OS = "debian" ]]; then - mv /etc/systemd/system/tor.service.d/ /etc/systemd/system/tor@default.service.d/ - sed -i 's/User tor/User debian-tor/' /etc/tor/torrc - sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/servnest - sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/servnest - sed -i 's/systemctl reload tor"/systemctl reload tor@default"/' /srv/servnest/core/config.ini - sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/servnest/core/config.ini -fi diff --git a/knot.Containerfile b/knot.Containerfile index 5027a28..58f2178 100644 --- a/knot.Containerfile +++ b/knot.Containerfile @@ -1,7 +1,4 @@ -FROM scratch -ARG SYS -ADD $SYS / -RUN apk upgrade -U +FROM servnest_alpine RUN apk add knot COPY install/knot.conf / RUN mkdir /run/knot /var/log/knot/ && chown -R knot:knot /run/knot/ /var/log/knot/ diff --git a/nginx.Containerfile b/nginx.Containerfile index 25f0b2e..334632f 100644 --- a/nginx.Containerfile +++ b/nginx.Containerfile 
@@ -1,14 +1,9 @@
-FROM scratch
-ARG SYS
-ADD $SYS /
-RUN apk upgrade -U
-RUN apk add shadow && useradd -U -r --uid 501 nginx
+FROM servnest_alpine
 RUN apk add nginx nginx-mod-http-headers-more openssl
 RUN openssl req -quiet -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt \
 && openssl req -quiet -subj '/CN=servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.test.key -out /etc/ssl/certs/servnest.test.crt \
 && openssl req -quiet -subj '/CN=ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/ht.servnest.test.key -out /etc/ssl/certs/ht.servnest.test.crt \
 && openssl req -quiet -subj '/CN=*.ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/wildcard.ht.servnest.test.key -out /etc/ssl/certs/wildcard.ht.servnest.test.crt
-RUN chmod -R u=rwX,g=rX,o= /etc/ssl/
-RUN chown -R root:nginx /etc/ssl/
+RUN chmod -R u=rwX,g=rX,o= /etc/ssl/ && chown -R root:nginx /etc/ssl/
 USER nginx
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/php.Containerfile b/php.Containerfile
index 2130b2b..e637dbe 100644
--- a/php.Containerfile
+++ b/php.Containerfile
@@ -1,7 +1,4 @@
-FROM scratch
-ARG SYS
-ADD $SYS /
-RUN apk upgrade -U
+FROM servnest_alpine
 RUN apk add \
 php83 \
 php83-fpm \
@@ -20,7 +17,6 @@ RUN apk add \
 openssh-client \
 knot \
 knot-utils \
- shadow \
 sqlite \
 gettext
 #RUN cp /srv/servnest/core/config.template.ini /srv/servnest/core/config.ini
@@ -28,9 +24,5 @@ RUN apk add \ #RUN echo "UPDATE params SET value = '$(openssl rand -hex 16)' WHERE name = 'username_salt';" | sqlite3 /srv/servnest/core/db/servnest.db #RUN msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo RUN rm /etc/php83/php-fpm.d/www.conf -RUN useradd -U -r --uid 500 servnest -RUN useradd -U -r --uid 501 nginx -RUN useradd -U -r --uid 505 sftpgo -RUN useradd -U -r --uid 506 tor USER servnest:knot CMD ["php-fpm83", "--nodaemonize"] diff --git a/sftpgo.Containerfile b/sftpgo.Containerfile index fd6b8fd..59802b5 100644 --- a/sftpgo.Containerfile +++ b/sftpgo.Containerfile @@ -1,7 +1,4 @@ -FROM scratch AS builder -ARG SYS -ADD $SYS / -RUN apk upgrade -U +FROM servnest_alpine AS builder RUN apk add go ARG SFTPGO ADD $SFTPGO / @@ -11,17 +8,12 @@ RUN cp -r openapi ./internal/bundle/openapi && \ cp -r static ./internal/bundle/static RUN go build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o /usr/local/bin/sftpgo && strip /usr/local/bin/sftpgo -FROM scratch -ARG SYS -ADD $SYS / -RUN apk upgrade -U -RUN apk add openssh-keygen bash shadow +FROM servnest_alpine +RUN apk add openssh-keygen bash RUN mkdir /etc/sftpgo/ && ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N "" -C "" RUN touch /etc/sftpgo/banner.txt RUN ["/bin/bash", "-c", "fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519)) && echo ${fp[1]} > /etc/sftpgo/ed25519.fp"] RUN ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart -RUN useradd -U -r --uid 500 servnest -RUN useradd -U -r --uid 505 sftpgo RUN mkdir /var/log/sftpgo/ && chown sftpgo: /var/log/sftpgo/ && chmod -R u=rwX,g=rX,o= /etc/sftpgo/ && chown -R root:sftpgo /etc/sftpgo/ COPY --from=builder /usr/local/bin/sftpgo /usr/local/bin/sftpgo USER sftpgo diff --git a/tor.Containerfile b/tor.Containerfile index f1624e7..825331e 100644 --- a/tor.Containerfile +++ b/tor.Containerfile 
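Review bot: The sftpgo runtime stage still runs `ssh-keygen -f /etc/sftpgo/ed25519` at build time, so the SFTP host private key lives in an image layer: every container started from this image, and anyone able to pull it, shares the same host identity, and the `.fp`/SSHFP material derived from it is equally fixed. Generate the key on first start into a volume instead — an entrypoint that runs ssh-keygen only when /etc/sftpgo/ed25519 is missing and then writes the .fp and .asciiart files beside it — and keep the image free of private material. Dropping `shadow` and the two useradd lines is right now that servnest_alpine provides the users, but `USER sftpgo` at the end now silently depends on uid 505 from the base matching what the compose volumes and the php image expect, which is outside this hunk; a one-line comment naming that dependency would help. The builder stage's `ADD $SFTPGO /` unpacks the source tarball without a checksum, the same caveat as the base image's `ADD $SYS /`.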
@@ -1,8 +1,4 @@
-FROM scratch
-ARG SYS
-ADD $SYS /
-RUN apk upgrade -U
-RUN apk add shadow && useradd -U -r --uid 506 tor
+FROM servnest_alpine
 RUN apk add tor && chmod 700 /var/lib/tor
 USER tor
 CMD ["tor", "--hush"]