From b1aa8efea4528ae1d8d2f57ffc5a6707deeb7534 Mon Sep 17 00:00:00 2001
From: Miraty
Date: Wed, 22 Jan 2025 18:58:35 +0100
Subject: [PATCH] add upstream.sh + move php to base.yaml
---
 .env | 2 -
 .gitignore | 1 +
 README.md | 11 ++--
 alpine-minirootfs-3.21.2-x86_64.tar.gz.sha256 | 1 +
 base.yaml | 46 +++++++++++++++++
 compose.yaml | 51 ++----------------
 conf/nginx/inc/apache-proxy.conf | 2 +-
 sftpgo-v2.6.4.tar.gz.sha256 | 1 +
 sftpgo.Containerfile | 15 ++++-
 sha256sums | 2 -
 upstream.sh | 21 ++++++++
 11 files changed, 91 insertions(+), 62 deletions(-)
 delete mode 100644 .env
 create mode 100644 alpine-minirootfs-3.21.2-x86_64.tar.gz.sha256
 create mode 100644 sftpgo-v2.6.4.tar.gz.sha256
 delete mode 100644 sha256sums
 create mode 100755 upstream.sh
diff --git a/.env b/.env
deleted file mode 100644
index c5ece9e..0000000
--- a/.env
+++ /dev/null
@@ -1,2 +0,0 @@
-SYS=alpine-minirootfs-3.21.0-x86_64.tar.gz
-SFTPGO=sftpgo-v2.6.4.tar.gz
diff --git a/.gitignore b/.gitignore
index a7dfbbe..8bc622e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 /*.tar.gz
+/*.asc
 /logs/certbot/letsencrypt.log*
 /data/certbot/live/*/*.pem
 /data/certbot/archive/*/*.pem
diff --git a/README.md b/README.md
index e9c005b..697855a 100644
--- a/README.md
+++ b/README.md
@@ -11,17 +11,14 @@ no_hosts=true
 ```
 ```shell
-./reset.sh
-wget https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/x86_64/alpine-minirootfs-3.21.0-x86_64.tar.gz
-wget https://github.com/drakkan/sftpgo/archive/refs/tags/v2.6.4.tar.gz -O sftpgo-v2.6.4.tar.gz
-sha256sum -c sha256sums
+./reset.sh # (re)initialize data
+./upstream.sh # download and verify upstream software
 ```
 ### Build
 ```shell
-podman-compose -f base.yaml build alpine # build base image
-podman-compose build php # build image php first because it's then required by cronie
+podman-compose -f compose.yaml -f base.yaml build alpine php # build base images
 podman-compose build # build every other service images
 ```
@@ -31,7 +28,7 @@ podman-compose build # build every other service images
 podman-compose up knot knot-secondary # generate QUIC keys
 ./setup-xoq.sh # setup mutual XFR over QUIC
 podman-compose up # start containers
-podman-compose exec php php /srv/servnest/core/jobs/check.php # test main features
+podman-compose exec core php /srv/servnest/core/jobs/check.php # test main features
 ```
 When running `up`, the only expected error messages are:
diff --git a/alpine-minirootfs-3.21.2-x86_64.tar.gz.sha256 b/alpine-minirootfs-3.21.2-x86_64.tar.gz.sha256
new file mode 100644
index 0000000..ea6c473
--- /dev/null
+++ b/alpine-minirootfs-3.21.2-x86_64.tar.gz.sha256
@@ -0,0 +1 @@
+4aa3bd4a7ef994402f1da0f728abc003737c33411ff31d5da2ab2c3399ccbc5f alpine-minirootfs-3.21.2-x86_64.tar.gz
diff --git a/base.yaml b/base.yaml
index 7dd47e5..187da6c 100644
--- a/base.yaml
+++ b/base.yaml
@@ -20,3 +20,49 @@ services:
 service: alpine
 build:
 args: {}
+ php: # used by core and cronie
+ image: a.invalid/servnest/php
+ extends:
+ service: base
+ build:
+ dockerfile: php.Containerfile
+ group_add:
+ - knot
+ - root # For tor control socket
+ links:
+ - nginx:servnest.test
+ - nginx:ht.servnest.test
+ - sftpgo:sftp.servnest.test
+ volumes:
+ - ./core/:/srv/servnest/core/:ro
+ - ./core/db/:/srv/servnest/core/db/:rw
+ - ./conf/php.ini:/etc/php83/conf.d/servnest.ini:ro
+ - ./conf/php-fpm.conf:/etc/php83/php-fpm.d/servnest.conf:ro
+ - ./conf/sudoers:/etc/sudoers.d/servnest:ro
+ - ./conf/certbot.ini:/etc/letsencrypt/servnest.ini:ro
+ - ./conf/certbot-deploy-hook.sh:/root/certbot-deploy-hook.sh:ro
+ - ./data/reg/:/srv/servnest/reg/:rw
+ - ./data/ns/:/srv/servnest/ns/:rw
+ - ./data/ht/fs/:/srv/servnest/ht/fs/:rw
+ - ./data/ht/uri/:/srv/servnest/ht/uri/:rw
+ - ./data/tor-config/:/srv/servnest/tor-config/:rw
+ - ./data/tor-keys/:/srv/servnest/tor-keys/:rw
+ - ./data/certbot/:/etc/letsencrypt/:rw
+ - ./sock/php/:/run/php-fpm/:rw
+ - ./sock/tor-client/:/run/tor-client/:rw
+ - ./sock/tor-control/:/run/tor-control/:rw
+ - ./sock/knot/:/run/knot/:rw
+ - ./sock/knot-secondary/:/run/knot-secondary/:rw
+ - ./logs/php/:/var/log/php83/:rw
+ - ./logs/certbot/:/var/log/letsencrypt/:rw
+ - ./tmp/acme/:/srv/servnest/acme/:rw
+ - ./tmp/certbot/:/var/lib/letsencrypt/:rw
+ - ./tmp/php/:/tmp/:rw
+ mem_limit: 256mb
+ # For sudo
+ security_opt:
+ - no-new-privileges:false
+ cap_add:
+ - SETUID
+ - SETGID
+ - CHOWN
diff --git a/compose.yaml b/compose.yaml
index 72ab77e..f07879a 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -27,7 +27,7 @@ services:
 build:
 dockerfile: sftpgo.Containerfile
 args:
- SFTPGO: $SFTPGO
+ SFTPGO_VERSION: $SFTPGO_VERSION
 ports:
 - "[::1]:42022:42022/tcp"
 links:
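Review bot: `SFTPGO_VERSION: $SFTPGO_VERSION` in the sftpgo build args expands to an empty string whenever `.env` is absent, and a fresh checkout is now exactly that state since this commit deletes `.env` from the repository and only `upstream.sh` recreates it; the Containerfile then receives an empty `ARG SFTPGO_VERSION` and fails on `ADD sftpgo-v.tar.gz /` with an unhelpful message. The Compose mandatory-variable form fails fast with a clear reason instead: `SFTPGO_VERSION: ${SFTPGO_VERSION:?run ./upstream.sh first}` (I believe podman-compose honours `${VAR:?msg}`, but that is worth a quick check). The `services:` mapping this hunk edits begins outside the hunk.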
@@ -96,59 +96,18 @@ services:
 networks:
 snet:
 ipv4_address: 10.5.0.57
- php:
- image: a.invalid/servnest/php
+ core:
+ image: a.invalid/servnest/core
 extends:
 file: base.yaml
- service: base
- build:
- dockerfile: php.Containerfile
- group_add:
- - knot
- - root # For tor control socket
- links:
- - nginx:servnest.test
- - nginx:ht.servnest.test
- - sftpgo:sftp.servnest.test
- volumes:
- - ./core/:/srv/servnest/core/:ro
- - ./core/db/:/srv/servnest/core/db/:rw
- - ./conf/php.ini:/etc/php83/conf.d/servnest.ini:ro
- - ./conf/php-fpm.conf:/etc/php83/php-fpm.d/servnest.conf:ro
- - ./conf/sudoers:/etc/sudoers.d/servnest:ro
- - ./conf/certbot.ini:/etc/letsencrypt/servnest.ini:ro
- - ./conf/certbot-deploy-hook.sh:/root/certbot-deploy-hook.sh:ro
- - ./data/reg/:/srv/servnest/reg/:rw
- - ./data/ns/:/srv/servnest/ns/:rw
- - ./data/ht/fs/:/srv/servnest/ht/fs/:rw
- - ./data/ht/uri/:/srv/servnest/ht/uri/:rw
- - ./data/tor-config/:/srv/servnest/tor-config/:rw
- - ./data/tor-keys/:/srv/servnest/tor-keys/:rw
- - ./data/certbot/:/etc/letsencrypt/:rw
- - ./sock/php/:/run/php-fpm/:rw
- - ./sock/tor-client/:/run/tor-client/:rw
- - ./sock/tor-control/:/run/tor-control/:rw
- - ./sock/knot/:/run/knot/:rw
- - ./sock/knot-secondary/:/run/knot-secondary/:rw
- - ./logs/php/:/var/log/php83/:rw
- - ./logs/certbot/:/var/log/letsencrypt/:rw
- - ./tmp/acme/:/srv/servnest/acme/:rw
- - ./tmp/certbot/:/var/lib/letsencrypt/:rw
- - ./tmp/php/:/tmp/:rw
- mem_limit: 256mb
- # For sudo
- security_opt:
- - no-new-privileges:false
- cap_add:
- - SETUID
- - SETGID
- - CHOWN
+ service: php
 networks:
 snet:
 ipv4_address: 10.5.0.54
 cronie:
 image: a.invalid/servnest/cronie
 extends:
+ file: base.yaml
 service: php
 build:
 dockerfile: cronie.Containerfile
diff --git a/conf/nginx/inc/apache-proxy.conf b/conf/nginx/inc/apache-proxy.conf
index 11a2797..0134d2b 100644
--- a/conf/nginx/inc/apache-proxy.conf
+++ b/conf/nginx/inc/apache-proxy.conf
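Review bot: `core` now obtains its `links` (the `servnest.test`, `ht.servnest.test` and `sftp.servnest.test` aliases), volumes and capabilities solely through `extends: file: base.yaml, service: php`, and docker-compose's `extends` documentation historically excluded `links`, `volumes_from` and `depends_on` from inheritance; whether podman-compose propagates `links` across files is worth confirming before relying on `core` reaching nginx and sftpgo by those names. If it does not, `links:` needs restating under `core` (and under `cronie`, which now also extends across files). The `services:` mapping this hunk edits begins outside the hunk.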
@@ -1,4 +1,4 @@
-proxy_pass http://apache:42999;
+proxy_pass http://10.5.0.57:42999;
 proxy_ignore_client_abort on;
 proxy_http_version 1.1;
 proxy_set_header Host $host;
diff --git a/sftpgo-v2.6.4.tar.gz.sha256 b/sftpgo-v2.6.4.tar.gz.sha256
new file mode 100644
index 0000000..992661a
--- /dev/null
+++ b/sftpgo-v2.6.4.tar.gz.sha256
@@ -0,0 +1 @@
+ce102615a0534c84a480276d641812b1a5f9a52bf0c1755ca914614f14905dcb sftpgo-v2.6.4.tar.gz
diff --git a/sftpgo.Containerfile b/sftpgo.Containerfile
index dc2ba30..40fba1f 100644
--- a/sftpgo.Containerfile
+++ b/sftpgo.Containerfile
@@ -1,12 +1,19 @@
 FROM a.invalid/servnest/alpine AS builder
 RUN apk add go
-ARG SFTPGO
-ADD $SFTPGO /
-WORKDIR /sftpgo-2.6.4/
+ARG SFTPGO_VERSION
+ADD sftpgo-v$SFTPGO_VERSION.tar.gz /
+WORKDIR /sftpgo-$SFTPGO_VERSION/
 RUN cp -r openapi ./internal/bundle/openapi && \
 cp -r templates ./internal/bundle/templates && \
 cp -r static ./internal/bundle/static
-RUN go build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o /usr/local/bin/sftpgo && strip /usr/local/bin/sftpgo
+RUN GOFLAGS="-mod=readonly" go mod vendor
+RUN CGO_ENABLED=0 go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle \
+ -trimpath \
+ -ldflags "-s" \
+ -o /usr/local/bin/sftpgo
 FROM a.invalid/servnest/alpine
 RUN apk add openssh-keygen bash
diff --git a/sha256sums b/sha256sums
deleted file mode 100644
index 7db75c9..0000000
--- a/sha256sums
+++ /dev/null
@@ -1,2 +0,0 @@
-55ea3e5a7c2c35e6268c5dcbb8e45a9cd5b0e372e7b4e798499a526834f7ed90 alpine-minirootfs-3.21.0-x86_64.tar.gz
-ce102615a0534c84a480276d641812b1a5f9a52bf0c1755ca914614f14905dcb sftpgo-v2.6.4.tar.gz
diff --git a/upstream.sh b/upstream.sh
new file mode 100755
index 0000000..396002e
--- /dev/null
+++ b/upstream.sh
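Review bot: `proxy_pass http://10.5.0.57:42999;` replaces a service name with a bare address and nothing in this file records where 10.5.0.57 comes from; it matches the `ipv4_address: 10.5.0.57` visible as context in the compose.yaml hunk, presumably the apache service, so if that static assignment ever moves nginx keeps proxying to whichever container holds the address instead of failing on name resolution. A comment tying the two together would help, e.g. `# 10.5.0.57: static ipv4_address of the apache service on snet (compose.yaml) - keep in sync`. The commit message does not give the reason for dropping the `apache` hostname, which is worth stating there as well.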
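Review bot: the new build flags in `RUN CGO_ENABLED=0 go build ...` carry no explanation, and the combination (`-mod=vendor` after a separate `go mod vendor` step, `-trimpath`, `-buildmode=pie`, `-ldflags "-s"`) reads as a deliberate hardening and reproducibility choice that a later maintainer should not undo by accident; a comment above the `RUN` such as `# CGO_ENABLED=0 + -trimpath + -mod=vendor: static, path-independent build from the vendored module set checked against go.sum` would record that intent. Note that `go mod vendor` still fetches modules during the image build, so this step needs network access at build time and relies on the tarball's go.sum for module integrity, whereas the sftpgo tarball itself is fetched and checksummed beforehand by `upstream.sh`; if fully offline builds are the goal, the vendor tree has to be produced outside the build. The second stage (`FROM a.invalid/servnest/alpine`) continues past the hunk.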
@@ -0,0 +1,21 @@
+#!/usr/bin/env sh
+SFTPGO_VERSION=2.6.4
+ALPINE_MAJOR=3.21
+ALPINE_MINOR=2
+ALPINE_ARCH=x86_64
+ALPINE_RELEASE=$ALPINE_MAJOR.$ALPINE_MINOR-$ALPINE_ARCH
+wget --quiet --no-clobber https://dl-cdn.alpinelinux.org/alpine/v$ALPINE_MAJOR/releases/$ALPINE_ARCH/alpine-minirootfs-$ALPINE_RELEASE.tar.gz
+wget --quiet --no-clobber https://dl-cdn.alpinelinux.org/alpine/v$ALPINE_MAJOR/releases/$ALPINE_ARCH/alpine-minirootfs-$ALPINE_RELEASE.tar.gz.asc
+wget --quiet --no-clobber https://alpinelinux.org/keys/ncopa.asc
+sq cert import ncopa.asc
+sq verify --signature-file=alpine-minirootfs-$ALPINE_RELEASE.tar.gz.asc --signer 0482D84022F52DF1C4E7CD43293ACD0907D9495A alpine-minirootfs-$ALPINE_RELEASE.tar.gz
+wget --quiet --no-clobber https://github.com/drakkan/sftpgo/archive/refs/tags/v$SFTPGO_VERSION.tar.gz -O sftpgo-v$SFTPGO_VERSION.tar.gz
+sha256sum -c *.sha256
+cat << EOF > .env
+SYS=alpine-minirootfs-$ALPINE_RELEASE.tar.gz
+SFTPGO_VERSION=$SFTPGO_VERSION
+EOF
+
+# to generate checksums
+#wget --quiet --no-clobber https://dl-cdn.alpinelinux.org/alpine/v$ALPINE_MAJOR/releases/$ALPINE_ARCH/alpine-minirootfs$ALPINE_RELEASE.tar.gz.sha256
+#sha256sum sftpgo-v$SFTPGO_VERSION.tar.gz > sftpgo-v$SFTPGO_VERSION.tar.gz.sha256
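Review bot: the script has no `set -e`, so a failing `sq verify` or `sha256sum -c *.sha256` does not abort it; `cat << EOF > .env` still runs afterwards and the build then proceeds with artefacts whose verification failed, which defeats the purpose of the script. Adding `set -eu` directly after `#!/usr/bin/env sh` makes every download and verification step fatal (the relative paths also assume the repository root as working directory, so a `cd "$(dirname "$0")"` may be wanted too). The commented-out checksum URL is missing a hyphen: `alpine-minirootfs$ALPINE_RELEASE.tar.gz.sha256` should read `alpine-minirootfs-$ALPINE_RELEASE.tar.gz.sha256`. Finally, the trailing comment shows the sftpgo checksum file is generated locally from the first download, so unlike the signature-checked alpine tarball it pins rather than authenticates; a one-line comment next to `sha256sum -c *.sha256` stating that would keep readers from taking it for an upstream-published checksum.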