add compatibility with rootless docker

Notably, /tmp is not automatically writable inside a read-only container, unlike with podman.
This commit is contained in:
Miraty 2024-10-14 22:01:53 +02:00
parent 4cc1f2bebd
commit 50a52ca68f
14 changed files with 30 additions and 13 deletions

9
.gitignore vendored

@ -13,7 +13,7 @@
/data/reg/test.servnest.test.zone
/data/tor-config/*
/data/tor-keys/*
/logs/sftpgo/sftpgo.log
/logs/sftpgo/*.log
/logs/php/error.log
/logs/cronie/*.log
/logs/nginx/servnest-access.log
@ -21,6 +21,11 @@
/logs/apache/error.log
/data/certbot/accounts/acme-staging-v02.api.letsencrypt.org/directory/*/*.json
/sock/knot/knot.pid
/data/knot/confdb/*.mdb
/data/knot/*/*.mdb
/data/knot/keys/keys/*.pem
/data/knot/servnest.test.invalid.zone
/tmp/tor/*
/tmp/cronie/cron.reboot
/tmp/php/exec.txt
/tmp/php/index.html
/tmp/*/*.pid


@ -1,6 +1,6 @@
# podman-compose setup
# ServNest setup with Compose
## Use
## Use with Podman
### Preparation
@ -15,7 +15,7 @@ knotc --confdb data/knot/confdb conf-import conf/knot.conf
cp data/reg/servnest.test.zone.default data/reg/servnest.test.zone
cp data/reg/test.servnest.test.zone.default data/reg/test.servnest.test.zone
chmod u=rwX,g=rX,o=rX -R conf core
chmod u=rwX,g=rwX,o=rwX logs/sftpgo logs/php sock/php logs/apache logs/nginx sock/tor-client sock/nginx-onion sock/knot data/knot data/knot/confdb data/knot/confdb/*.mdb tmp/nginx tmp/certbot tmp/acme data/reg data/reg/*.zone core/db core/db/servnest.db
chmod u=rwX,g=rwX,o=rwX logs/sftpgo logs/php sock/php logs/apache logs/nginx sock/tor-client sock/nginx-onion sock/knot data/knot data/knot/confdb data/knot/confdb/*.mdb tmp/nginx tmp/certbot tmp/acme tmp/apache tmp/nginx-run tmp/php data/reg data/reg/*.zone core/db core/db/servnest.db
chmod u=rwX,g=rX,o= sock/tor-control
wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-minirootfs-3.20.2-x86_64.tar.gz
wget https://github.com/drakkan/sftpgo/archive/refs/tags/v2.6.2.tar.gz -O sftpgo-v2.6.2.tar.gz
@ -50,6 +50,14 @@ podman image rm --all
podman rm $(podman container list --external -q)
```
## Use with rootless Docker
```shell
export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock
```
Then use the instructions for Podman but replace `podman` with `docker` in command names.
## License
This project is published under the Cooperative Nonviolent Public License No Attributions, version 7 or any later version (<abbr>CNPL-NAv7+</abbr>), as found in [`LICENSE.md`](LICENSE.md) or at <https://git.pixie.town/thufie/npl-builder>.


@ -1,4 +1,4 @@
FROM servnest_alpine
FROM servnest-alpine
RUN apk add apache2 apache2-brotli
RUN chown apache: /run/apache2/
USER apache


@ -57,6 +57,7 @@ services:
- ./conf/http-messages/:/srv/servnest/ht/http-messages/:ro
- ./data/ht/:/srv/servnest/ht/:ro
- ./logs/apache/:/var/log/apache2/:rw
- ./tmp/apache/:/run/apache2/:rw
php:
extends:
file: base.yaml
@ -93,6 +94,7 @@ services:
- ./logs/certbot/:/var/log/letsencrypt/:rw
- ./tmp/acme/:/srv/servnest/acme/:rw
- ./tmp/certbot/:/var/lib/letsencrypt/:rw
- ./tmp/php/:/tmp/:rw
mem_limit: 256mb
# For sudo
security_opt:
@ -109,6 +111,7 @@ services:
volumes:
- ./conf/cronie:/etc/cron.d/servnest:ro
- ./logs/cronie/:/var/log/cronie/:rw
- ./tmp/cronie/:/var/run/:rw
nginx:
extends:
file: base.yaml
@ -129,4 +132,5 @@ services:
- ./sock/nginx-onion/:/run/nginx-onion/:rw
- ./logs/nginx/:/var/lib/nginx/logs/:rw
- ./tmp/nginx/:/var/lib/nginx/tmp/:rw
- ./tmp/nginx-run/:/run/nginx/:rw
- ./tmp/acme/:/srv/servnest/acme/:ro
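Review bot: The new `- ./tmp/php/:/tmp/:rw` bind mount in the second hunk turns the php container's scratch space into a host directory that outlives the container and, per the README's `chmod u=rwX,g=rwX,o=rwX ... tmp/php`, has to be world-writable on the host; a tmpfs mount gives a read-only container a writable `/tmp` without either cost. The same pattern is used by `./tmp/apache/:/run/apache2/:rw`, `./tmp/cronie/:/var/run/:rw` and `./tmp/nginx-run/:/run/nginx/:rw` in the other hunks of this file, and a tmpfs would likewise suit those runtime directories unless something on the host needs to read them. For the php service, replace the bind mount with `tmpfs:` followed by `- /tmp` at the service level (next to `volumes:`); the `read_only` setting this works around appears to live in base.yaml, outside this diff, so confirm it is set there. If the `/tmp/php/exec.txt` and `index.html` entries added to .gitignore mean those files are inspected from the host during testing, keep the bind mount for php only and note that in a comment above the line.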


@ -1,4 +1,4 @@
FROM servnest_php
FROM servnest-php
USER root
RUN apk add cronie moreutils
CMD ["crond", "-n", "-s"]


@ -1,4 +1,4 @@
FROM servnest_alpine
FROM servnest-alpine
RUN apk add knot
USER knot
CMD ["knotd", "--confdb", "/var/lib/knot/confdb/"]


@ -1,4 +1,4 @@
FROM servnest_alpine
FROM servnest-alpine
RUN apk add nginx nginx-mod-http-headers-more openssl
RUN openssl req -quiet -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt \
&& openssl req -quiet -subj '/CN=servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.test.key -out /etc/ssl/certs/servnest.test.crt \


@ -1,4 +1,4 @@
FROM servnest_alpine
FROM servnest-alpine
RUN apk add \
php83 \
php83-fpm \


@ -1,4 +1,4 @@
FROM servnest_alpine AS builder
FROM servnest-alpine AS builder
RUN apk add go
ARG SFTPGO
ADD $SFTPGO /
@ -8,7 +8,7 @@ RUN cp -r openapi ./internal/bundle/openapi && \
cp -r static ./internal/bundle/static
RUN go build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o /usr/local/bin/sftpgo && strip /usr/local/bin/sftpgo
FROM servnest_alpine
FROM servnest-alpine
RUN apk add openssh-keygen bash
RUN mkdir /etc/sftpgo/ && ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N "" -C ""
RUN touch /etc/sftpgo/banner.txt

0
tmp/apache/.gitkeep Normal file

0
tmp/cronie/.gitkeep Normal file

0
tmp/nginx-run/.gitkeep Normal file

0
tmp/php/.gitkeep Normal file


@ -1,3 +1,3 @@
FROM servnest_alpine
FROM servnest-alpine
RUN apk add tor
CMD ["tor", "--hush"]