From 50a52ca68f1571b22e03f8ab01c7f7ee9c59660d Mon Sep 17 00:00:00 2001
From: Miraty
Date: Mon, 14 Oct 2024 22:01:53 +0200
Subject: [PATCH] add compatibility with rootless docker

notably /tmp is not automatically writable inside a read-only container, contrarily to podman
---
 .gitignore | 9 +++++++--
 README.md | 14 +++++++++++---
 apache.Containerfile | 2 +-
 compose.yaml | 4 ++++
 cronie.Containerfile | 2 +-
 knot.Containerfile | 2 +-
 nginx.Containerfile | 2 +-
 php.Containerfile | 2 +-
 sftpgo.Containerfile | 4 ++--
 tmp/apache/.gitkeep | 0
 tmp/cronie/.gitkeep | 0
 tmp/nginx-run/.gitkeep | 0
 tmp/php/.gitkeep | 0
 tor.Containerfile | 2 +-
 14 files changed, 30 insertions(+), 13 deletions(-)
 create mode 100644 tmp/apache/.gitkeep
 create mode 100644 tmp/cronie/.gitkeep
 create mode 100644 tmp/nginx-run/.gitkeep
 create mode 100644 tmp/php/.gitkeep

diff --git a/.gitignore b/.gitignore
index 275cd63..706eb41 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,7 +13,7 @@
 /data/reg/test.servnest.test.zone
 /data/tor-config/*
 /data/tor-keys/*
-/logs/sftpgo/sftpgo.log
+/logs/sftpgo/*.log
 /logs/php/error.log
 /logs/cronie/*.log
 /logs/nginx/servnest-access.log
@@ -21,6 +21,11 @@
 /logs/apache/error.log
 /data/certbot/accounts/acme-staging-v02.api.letsencrypt.org/directory/*/*.json
 /sock/knot/knot.pid
-/data/knot/confdb/*.mdb
+/data/knot/*/*.mdb
+/data/knot/keys/keys/*.pem
 /data/knot/servnest.test.invalid.zone
 /tmp/tor/*
+/tmp/cronie/cron.reboot
+/tmp/php/exec.txt
+/tmp/php/index.html
+/tmp/*/*.pid
diff --git a/README.md b/README.md
index b382732..02b5133 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-# podman-compose setup
+# ServNest setup with Compose
 
-## Use
+## Use with Podman
 
 ### Preparation
 
@@ -15,7 +15,7 @@ knotc --confdb data/knot/confdb conf-import conf/knot.conf
 cp data/reg/servnest.test.zone.default data/reg/servnest.test.zone
 cp data/reg/test.servnest.test.zone.default data/reg/test.servnest.test.zone
 chmod u=rwX,g=rX,o=rX -R conf core
-chmod u=rwX,g=rwX,o=rwX logs/sftpgo logs/php sock/php logs/apache logs/nginx sock/tor-client sock/nginx-onion sock/knot data/knot data/knot/confdb data/knot/confdb/*.mdb tmp/nginx tmp/certbot tmp/acme data/reg data/reg/*.zone core/db core/db/servnest.db
+chmod u=rwX,g=rwX,o=rwX logs/sftpgo logs/php sock/php logs/apache logs/nginx sock/tor-client sock/nginx-onion sock/knot data/knot data/knot/confdb data/knot/confdb/*.mdb tmp/nginx tmp/certbot tmp/acme tmp/apache tmp/nginx-run tmp/php data/reg data/reg/*.zone core/db core/db/servnest.db
 chmod u=rwX,g=rX,o= sock/tor-control
 wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-minirootfs-3.20.2-x86_64.tar.gz
 wget https://github.com/drakkan/sftpgo/archive/refs/tags/v2.6.2.tar.gz -O sftpgo-v2.6.2.tar.gz
@@ -50,6 +50,14 @@ podman image rm --all
 podman rm $(podman container list --external -q)
 ```
 
+## Use with rootless Docker
+
+```shell
+export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock
+```
+
+Then use the instructions for Podman but replace `podman` with `docker` in command names.
+
 ## License
 
 This project is published under the Cooperative Nonviolent Public License No Attributions, version 7 or any later version (CNPL-NAv7+), as found in [`LICENSE.md`](LICENSE.md) or at .
diff --git a/apache.Containerfile b/apache.Containerfile
index 65a2170..552f2c1 100644
--- a/apache.Containerfile
+++ b/apache.Containerfile
@@ -1,4 +1,4 @@
-FROM servnest_alpine
+FROM servnest-alpine
 RUN apk add apache2 apache2-brotli
 RUN chown apache: /run/apache2/
 USER apache
diff --git a/compose.yaml b/compose.yaml
index 916bb9f..437af7b 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -57,6 +57,7 @@ services:
 - ./conf/http-messages/:/srv/servnest/ht/http-messages/:ro
 - ./data/ht/:/srv/servnest/ht/:ro
 - ./logs/apache/:/var/log/apache2/:rw
+ - ./tmp/apache/:/run/apache2/:rw
 php:
 extends:
 file: base.yaml
@@ -93,6 +94,7 @@ services:
 - ./logs/certbot/:/var/log/letsencrypt/:rw
 - ./tmp/acme/:/srv/servnest/acme/:rw
 - ./tmp/certbot/:/var/lib/letsencrypt/:rw
+ - ./tmp/php/:/tmp/:rw
 mem_limit: 256mb
 # For sudo
 security_opt:
@@ -109,6 +111,7 @@ services:
 volumes:
 - ./conf/cronie:/etc/cron.d/servnest:ro
 - ./logs/cronie/:/var/log/cronie/:rw
+ - ./tmp/cronie/:/var/run/:rw
 nginx:
 extends:
 file: base.yaml
@@ -129,4 +132,5 @@ services:
 - ./sock/nginx-onion/:/run/nginx-onion/:rw
 - ./logs/nginx/:/var/lib/nginx/logs/:rw
 - ./tmp/nginx/:/var/lib/nginx/tmp/:rw
+ - ./tmp/nginx-run/:/run/nginx/:rw
 - ./tmp/acme/:/srv/servnest/acme/:ro
diff --git a/cronie.Containerfile b/cronie.Containerfile
index 6662993..ed55ec1 100644
--- a/cronie.Containerfile
+++ b/cronie.Containerfile
@@ -1,4 +1,4 @@
-FROM servnest_php
+FROM servnest-php
 USER root
 RUN apk add cronie moreutils
 CMD ["crond", "-n", "-s"]
diff --git a/knot.Containerfile b/knot.Containerfile
index bc2d90e..6ceed28 100644
--- a/knot.Containerfile
+++ b/knot.Containerfile
@@ -1,4 +1,4 @@
-FROM servnest_alpine
+FROM servnest-alpine
 RUN apk add knot
 USER knot
 CMD ["knotd", "--confdb", "/var/lib/knot/confdb/"]
diff --git a/nginx.Containerfile b/nginx.Containerfile
index 334632f..2d3d395 100644
--- a/nginx.Containerfile
+++ b/nginx.Containerfile
@@ -1,4 +1,4 @@
-FROM servnest_alpine
+FROM servnest-alpine
 RUN apk add nginx nginx-mod-http-headers-more openssl
 RUN openssl req -quiet -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt \
 && openssl req -quiet -subj '/CN=servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.test.key -out /etc/ssl/certs/servnest.test.crt \
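Review bot: The bind mount added to the apache service in this hunk (`- ./tmp/apache/:/run/apache2/:rw`) makes the build-time `RUN chown apache: /run/apache2/` in apache.Containerfile ineffective at runtime, because a bind mount takes its ownership and mode from the host directory, which is why the README hunk now has to chmod tmp/apache to `o=rwX` instead. The same pattern is used for the `/tmp`, `/var/run` and `/run/nginx` mounts in the three following hunks. Since the commit message gives the motivation as Docker, unlike Podman, not providing a writable /tmp and /run inside a read-only container, a Compose tmpfs entry on each service such as `tmpfs:` / `  - /run/apache2` would supply the writable scratch directory in memory, without a world-writable host directory, the `.gitkeep` files or the extra chmod step — assuming podman-compose honours it too, which I have not verified here. If the bind mounts are intentional (for example to inspect pid files from the host), a short comment next to each saying so would help, and the now dead `chown` in apache.Containerfile could then be dropped.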
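Review bot: `- ./tmp/php/:/tmp/:rw` in the second hunk turns the PHP container's whole /tmp into a persistent host directory that the README makes readable and writable by every local account (`o=rwX` on tmp/php), so whatever is written there — the .gitignore hunk already lists `/tmp/php/exec.txt` and `/tmp/php/index.html`, plus anything PHP itself places in /tmp by default such as uploads in progress — survives container recreation and is visible to all host users. Whether that is acceptable depends on what those files hold, which I cannot tell from the diff; if they are transient, a `tmpfs:` entry for `/tmp` on the php service keeps them in memory and off the host, and if they must persist, a narrower mount target than all of `/tmp` would keep the application's files apart from PHP's own temporary files. A one-line comment above the mount stating what is expected to live there would make the intent reviewable.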
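Review bot: `- ./tmp/cronie/:/var/run/:rw` in the third hunk mounts over the entire /var/run of the cronie container, whereas the other services in this commit get a service-specific subdirectory (`/run/apache2`, `/run/nginx`); on Alpine /var/run is normally a symlink to /run, so this likely shadows everything under /run in that container, which is worth confirming since cronie.Containerfile builds on the php image. Persisting that directory on the host also means `cron.reboot` (now listed in .gitignore) outlives the container: as far as I recall cronie creates that file to record that `@reboot` jobs have already run, so after a container recreation they would presumably be skipped unless the host copy is removed. If the goal is only a writable /var/run under read_only, `tmpfs:` / `  - /var/run` on the cronie service avoids both issues; otherwise a comment explaining why the whole directory is bind-mounted and how the stale marker is handled would help.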
diff --git a/php.Containerfile b/php.Containerfile
index e637dbe..31cc4e6 100644
--- a/php.Containerfile
+++ b/php.Containerfile
@@ -1,4 +1,4 @@
-FROM servnest_alpine
+FROM servnest-alpine
 RUN apk add \
 php83 \
 php83-fpm \
diff --git a/sftpgo.Containerfile b/sftpgo.Containerfile
index 59802b5..46d9aae 100644
--- a/sftpgo.Containerfile
+++ b/sftpgo.Containerfile
@@ -1,4 +1,4 @@
-FROM servnest_alpine AS builder
+FROM servnest-alpine AS builder
 RUN apk add go
 ARG SFTPGO
 ADD $SFTPGO /
@@ -8,7 +8,7 @@ RUN cp -r openapi ./internal/bundle/openapi && \
 cp -r static ./internal/bundle/static
 RUN go build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o /usr/local/bin/sftpgo && strip /usr/local/bin/sftpgo
 
-FROM servnest_alpine
+FROM servnest-alpine
 RUN apk add openssh-keygen bash
 RUN mkdir /etc/sftpgo/ && ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N "" -C ""
 RUN touch /etc/sftpgo/banner.txt
diff --git a/tmp/apache/.gitkeep b/tmp/apache/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/tmp/cronie/.gitkeep b/tmp/cronie/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/tmp/nginx-run/.gitkeep b/tmp/nginx-run/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/tmp/php/.gitkeep b/tmp/php/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/tor.Containerfile b/tor.Containerfile
index 0a09e58..aac960a 100644
--- a/tor.Containerfile
+++ b/tor.Containerfile
@@ -1,3 +1,3 @@
-FROM servnest_alpine
+FROM servnest-alpine
 RUN apk add tor
 CMD ["tor", "--hush"]