feat: upgrade to latest alpine 3.19 and fdroid 2.2
This commit is contained in:
parent
aa50e74d9a
commit
033b02e1ab
|
@ -1,5 +0,0 @@
|
|||
{$FDROID_REPO_HOST}
|
||||
gzip
|
||||
log stdout
|
||||
browse
|
||||
tls {$FDROID_REPO_EMAIL}
|
66
Dockerfile
66
Dockerfile
|
@ -1,42 +1,52 @@
|
|||
FROM alpine:3.9
|
||||
FROM reg.cadoles.com/proxy_cache/library/alpine:3.19 as build
|
||||
|
||||
ARG HTTP_PROXY=
|
||||
ARG HTTPS_PROXY=
|
||||
ARG http_proxy=
|
||||
ARG https_proxy=
|
||||
ARG FDROIDSERVER_VERSION=1.0.10
|
||||
ARG TIMEZONE=Europe/Paris
|
||||
ARG FDROIDSERVER_VERSION=2.2
|
||||
ARG CRYPTOGRAPHY_DONT_BUILD_RUST=1
|
||||
|
||||
RUN apk add --no-cache \
|
||||
python3 build-base freetype-dev libffi-dev \
|
||||
python3 py3-pip build-base freetype-dev libffi-dev \
|
||||
libpng-dev py3-setuptools python3-dev libxml2-dev \
|
||||
libxslt-dev openssl-dev jpeg-dev java-common \
|
||||
libxslt-dev openssl-dev jpeg-dev py3-qt5
|
||||
|
||||
RUN python3 -m venv --system-site-packages /fdroid
|
||||
|
||||
RUN . /fdroid/bin/activate \
|
||||
&& pip3 install --no-cache-dir androguard==3.3.5 frida-tools==10.8.0 fdroidserver==${FDROIDSERVER_VERSION}
|
||||
|
||||
FROM reg.cadoles.com/proxy_cache/library/alpine:3.19 as runtime
|
||||
|
||||
ARG TIMEZONE=Europe/Paris
|
||||
|
||||
RUN apk add --no-cache \
|
||||
python3 openjdk8 java-common \
|
||||
bash supervisor openssh inotify-tools gettext \
|
||||
openjdk8 fastjar caddy tzdata
|
||||
fastjar caddy tzdata git wget gcompat rsync
|
||||
|
||||
RUN cp /usr/share/zoneinfo/${TIMEZONE} /etc/localtime \
|
||||
&& echo "${TIMEZONE}" > /etc/timezone \
|
||||
&& apk del tzdata
|
||||
|
||||
RUN ln -s /usr/bin/fastjar /usr/bin/jar
|
||||
RUN mkdir -p /opt/android \
|
||||
&& wget https://dl.google.com/android/repository/sdk-tools-linux-4333796.zip && unzip *.zip -d /opt/android && rm *.zip
|
||||
|
||||
ENV ANDROID_HOME="/opt/android"
|
||||
ENV PATH="$PATH:$ANDROID_HOME/tools/bin"
|
||||
|
||||
RUN yes | sdkmanager "build-tools;34.0.0"
|
||||
ENV PATH="$PATH:$ANDROID_HOME/build-tools/34.0.0"
|
||||
|
||||
COPY --from=build /fdroid /fdroid
|
||||
|
||||
RUN rm -f /usr/bin/jar && ln -s /usr/bin/fastjar /usr/bin/jar
|
||||
RUN ln -s /usr/include/libxml2 /usr/include/libxml
|
||||
|
||||
RUN pip3 install --upgrade pip
|
||||
|
||||
RUN pip3 install fdroidserver==${FDROIDSERVER_VERSION}
|
||||
|
||||
RUN apk del build-base
|
||||
|
||||
COPY supervisor.ini /etc/supervisor.d/supervisor.ini
|
||||
COPY docker-entrypoint.sh /docker-entrypoint.sh
|
||||
RUN chmod +x /docker-entrypoint.sh
|
||||
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
|
||||
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
|
||||
|
||||
RUN mkdir /fdroid
|
||||
WORKDIR /fdroid
|
||||
|
||||
COPY config.py /fdroid/config.py.tmpl
|
||||
COPY Caddyfile /fdroid/Caddyfile
|
||||
COPY config.yml /fdroid/config.yml.tmpl
|
||||
|
||||
COPY fdroid-update.sh /fdroid/fdroid-update.sh
|
||||
RUN chmod +x /fdroid/fdroid-update.sh
|
||||
|
@ -44,21 +54,23 @@ RUN chmod +x /fdroid/fdroid-update.sh
|
|||
COPY fdroid-icon.png /fdroid/fdroid-icon.png
|
||||
|
||||
VOLUME /fdroid/repo
|
||||
VOLUME /fdroid/archive
|
||||
VOLUME /fdroid/metadata
|
||||
VOLUME /fdroid/keystore
|
||||
|
||||
EXPOSE 2222
|
||||
EXPOSE 80
|
||||
EXPOSE 443
|
||||
|
||||
ENV FDROID_ARCHIVE_OLDER=3
|
||||
ENV FDROID_REPO_ICON=fdroid-icon.png
|
||||
ENV FDROID_ARCHIVE_ICON=fdroid-icon.png
|
||||
|
||||
RUN sed -i "s/^#HostKey.*$/HostKey \/fdroid\/ssh_host_rsa_key/" /etc/ssh/sshd_config
|
||||
RUN sed -i "s/^#HostKey.*$/HostKey \/fdroid\/host_ssh\/ssh_host_rsa_key/" /etc/ssh/sshd_config
|
||||
RUN sed -i "s/^#Port.*$/Port 2222/" /etc/ssh/sshd_config
|
||||
|
||||
RUN addgroup -S fdroid && adduser -D -h /fdroid -s /bin/bash -G fdroid fdroid
|
||||
RUN chown -R fdroid: /fdroid
|
||||
RUN mkdir -p /var/www/fdroid
|
||||
|
||||
CMD /docker-entrypoint.sh
|
||||
RUN addgroup -S fdroid && adduser -D -h /fdroid -s /bin/bash -G fdroid fdroid
|
||||
RUN chown -R fdroid: /fdroid /var/www/fdroid
|
||||
|
||||
CMD /usr/local/bin/docker-entrypoint.sh
|
21
Makefile
21
Makefile
|
@ -2,22 +2,21 @@ SSH_PUBLIC_KEY := $(shell cat ~/.ssh/id_rsa.pub)
|
|||
|
||||
build:
|
||||
docker build \
|
||||
--build-arg "HTTP_PROXY=$(HTTP_PROXY)" \
|
||||
--build-arg "HTTPS_PROXY=$(HTTP_PROXY)" \
|
||||
--build-arg "http_proxy=$(http_proxy)" \
|
||||
--build-arg "https_proxy=$(https_proxy)" \
|
||||
-t fdroid-repository \
|
||||
-m 4g \
|
||||
-t fdroid-repository:latest \
|
||||
./
|
||||
|
||||
run:
|
||||
docker run -it --rm \
|
||||
-p 2222:2222 \
|
||||
-p 8080:80 \
|
||||
-p 8443:443 \
|
||||
-p 8080:8080 \
|
||||
--name fdroid-repo \
|
||||
-v "$(PWD)/data/repo:/fdroid/repo" \
|
||||
-v "$(PWD)/data/archive:/fdroid/archive" \
|
||||
-v "$(PWD)/data/metadata:/fdroid/metadata" \
|
||||
-v "$(PWD)/data/keystore:/fdroid/keystore" \
|
||||
-e "FDROID_REPO_HOST=:80" \
|
||||
-e "FDROID_REPO_SCHEME=http" \
|
||||
-e "FDROID_REPO_HOST=127.0.0.1:8080" \
|
||||
-e "FDROID_REPO_NAME=My local repo" \
|
||||
-e "FDROID_REPO_DESCRIPTION=My repo description" \
|
||||
-e "FDROID_KEYSTORE_PASS=mykeystorepass" \
|
||||
|
@ -29,9 +28,9 @@ run:
|
|||
fdroid-repository:latest \
|
||||
$(DOCKER_CMD)
|
||||
|
||||
push:
|
||||
docker image tag fdroid-repository:latest cadoles/fdroid-repository:latest
|
||||
docker push cadoles/fdroid-repository:latest
|
||||
release:
|
||||
docker image tag fdroid-repository:latest reg.cadoles.com/cadoles/fdroid-repository:latest
|
||||
docker push reg.cadoles.com/cadoles/fdroid-repository:latest
|
||||
|
||||
clean:
|
||||
docker rmi fdroid-repository
|
||||
|
|
328
config.py
328
config.py
|
@ -1,328 +0,0 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
# Copy this file to config.py, then amend the settings below according to
|
||||
# your system configuration.
|
||||
|
||||
# Custom path to the Android SDK, defaults to $ANDROID_HOME
|
||||
# sdk_path = "$ANDROID_HOME"
|
||||
|
||||
# Custom paths to various versions of the Android NDK, defaults to 'r12b' set
|
||||
# to $ANDROID_NDK. Most users will have the latest at $ANDROID_NDK, which is
|
||||
# used by default. If a version is missing or assigned to None, it is assumed
|
||||
# not installed.
|
||||
# ndk_paths = {
|
||||
# 'r10e': None,
|
||||
# 'r11c': None,
|
||||
# 'r12b': "$ANDROID_NDK",
|
||||
# 'r13b': None,
|
||||
# 'r14b': None,
|
||||
# 'r15c': None,
|
||||
# 'r16b': None,
|
||||
# 'r17b': None,
|
||||
# 'r18b': None,
|
||||
# }
|
||||
|
||||
# Directory to store downloaded tools in (i.e. gradle versions)
|
||||
# By default, these are stored in ~/.cache/fdroidserver
|
||||
# cachedir = cache
|
||||
|
||||
java_paths = {
|
||||
'8': "/usr/lib/jvm/java-1.8-openjdk",
|
||||
}
|
||||
|
||||
# Build tools version to be used
|
||||
# build_tools = "25.0.2"
|
||||
|
||||
# Force all build to use the above version of build -tools, good for testing
|
||||
# builds without having all of the possible build-tools installed.
|
||||
# force_build_tools = True
|
||||
|
||||
# Command or path to binary for running Ant
|
||||
# ant = "ant"
|
||||
|
||||
# Command or path to binary for running maven 3
|
||||
# mvn3 = "mvn"
|
||||
|
||||
# Command or path to binary for running Gradle
|
||||
# Defaults to using an internal gradle wrapper (gradlew-fdroid).
|
||||
# gradle = "gradle"
|
||||
|
||||
# Set the maximum age (in days) of an index that a client should accept from
|
||||
# this repo. Setting it to 0 or not setting it at all disables this
|
||||
# functionality. If you do set this to a non-zero value, you need to ensure
|
||||
# that your index is updated much more frequently than the specified interval.
|
||||
# The same policy is applied to the archive repo, if there is one.
|
||||
# repo_maxage = 0
|
||||
|
||||
repo_url = "https://${FDROID_REPO_HOST}"
|
||||
repo_name = "${FDROID_REPO_NAME}"
|
||||
repo_icon = "${FDROID_REPO_ICON}"
|
||||
repo_description = """
|
||||
${FDROID_REPO_DESCRIPTION}
|
||||
"""
|
||||
|
||||
# As above, but for the archive repo.
|
||||
# archive_older sets the number of versions kept in the main repo, with all
|
||||
# older ones going to the archive. Set it to 0, and there will be no archive
|
||||
# repository, and no need to define the other archive_ values.
|
||||
archive_older = ${FDROID_ARCHIVE_OLDER}
|
||||
archive_url = "${FDROID_ARCHIVE_URL}"
|
||||
archive_name = "${FDROID_ARCHIVE_NAME}"
|
||||
archive_icon = "${FDROID_ARCHIVE_ICON}"
|
||||
archive_description = """
|
||||
${FDROID_ARCHIVE_DESCRIPTION}
|
||||
"""
|
||||
|
||||
# This allows a specific kind of insecure APK to be included in the
|
||||
# 'repo' section. Since April 2017, APK signatures that use MD5 are
|
||||
# no longer considered valid, jarsigner and apksigner will return an
|
||||
# error when verifying. `fdroid update` will move APKs with these
|
||||
# disabled signatures to the archive. This option stops that
|
||||
# behavior, and lets those APKs stay part of 'repo'.
|
||||
#
|
||||
# allow_disabled_algorithms = True
|
||||
|
||||
# Normally, all apps are collected into a single app repository, like on
|
||||
# https://f-droid.org. For certain situations, it is better to make a repo
|
||||
# that is made up of APKs only from a single app. For example, an automated
|
||||
# build server that publishes nightly builds.
|
||||
# per_app_repos = True
|
||||
|
||||
# `fdroid update` will create a link to the current version of a given app.
|
||||
# This provides a static path to the current APK. To disable the creation of
|
||||
# this link, uncomment this:
|
||||
# make_current_version_link = False
|
||||
|
||||
# By default, the "current version" link will be based on the "Name" of the
|
||||
# app from the metadata. You can change it to use a different field from the
|
||||
# metadata here:
|
||||
# current_version_name_source = 'packageName'
|
||||
|
||||
# Optionally, override home directory for gpg
|
||||
# gpghome = '/home/fdroid/somewhere/else/.gnupg'
|
||||
|
||||
# The ID of a GPG key for making detached signatures for apks. Optional.
|
||||
# gpgkey = '1DBA2E89'
|
||||
|
||||
# The key (from the keystore defined below) to be used for signing the
|
||||
# repository itself. This is the same name you would give to keytool or
|
||||
# jarsigner using -alias. (Not needed in an unsigned repository).
|
||||
repo_keyalias = "${FDROID_KEYSTORE_KEY_ALIAS}"
|
||||
|
||||
# Optionally, the public key for the key defined by repo_keyalias above can
|
||||
# be specified here. There is no need to do this, as the public key can and
|
||||
# will be retrieved from the keystore when needed. However, specifying it
|
||||
# manually can allow some processing to take place without access to the
|
||||
# keystore.
|
||||
# repo_pubkey = "..."
|
||||
|
||||
# The keystore to use for release keys when building. This needs to be
|
||||
# somewhere safe and secure, and backed up! The best way to manage these
|
||||
# sensitive keys is to use a "smartcard" (aka Hardware Security Module). To
|
||||
# configure F-Droid to use a smartcard, set the keystore file using the keyword
|
||||
# "NONE" (i.e. keystore = "NONE"). That makes Java find the keystore on the
|
||||
# smartcard based on 'smartcardoptions' below.
|
||||
keystore = "/fdroid/keystore/keystore.jks"
|
||||
|
||||
# You should not need to change these at all, unless you have a very
|
||||
# customized setup for using smartcards in Java with keytool/jarsigner
|
||||
# smartcardoptions = "-storetype PKCS11 -providerName SunPKCS11-OpenSC \
|
||||
# -providerClass sun.security.pkcs11.SunPKCS11 \
|
||||
# -providerArg opensc-fdroid.cfg"
|
||||
|
||||
# The password for the keystore (at least 6 characters). If this password is
|
||||
# different than the keypass below, it can be OK to store the password in this
|
||||
# file for real use. But in general, sensitive passwords should not be stored
|
||||
# in text files!
|
||||
keystorepass = "${FDROID_KEYSTORE_PASS}"
|
||||
|
||||
# The password for keys - the same is used for each auto-generated key as well
|
||||
# as for the repository key. You should not normally store this password in a
|
||||
# file since it is a sensitive password.
|
||||
keypass = "${FDROID_KEYSTORE_KEYPASS}"
|
||||
|
||||
# The distinguished name used for all keys.
|
||||
keydname = "${FDROID_KEYSTORE_DNAME}"
|
||||
|
||||
# Use this to override the auto-generated key aliases with specific ones
|
||||
# for particular applications. Normally, just leave it empty.
|
||||
# keyaliases = {}
|
||||
# keyaliases['com.example.app'] = 'example'
|
||||
# You can also force an app to use the same key alias as another one, using
|
||||
# the @ prefix.
|
||||
# keyaliases['com.example.another.plugin'] = '@com.example.another'
|
||||
|
||||
|
||||
# The full path to the root of the repository. It must be specified in
|
||||
# rsync/ssh format for a remote host/path. This is used for syncing a locally
|
||||
# generated repo to the server that is it hosted on. It must end in the
|
||||
# standard public repo name of "/fdroid", but can be in up to three levels of
|
||||
# sub-directories (i.e. /var/www/packagerepos/fdroid). You can include
|
||||
# multiple servers to sync to by wrapping the whole thing in {} or [], and
|
||||
# including the serverwebroot strings in a comma-separated list.
|
||||
#
|
||||
# serverwebroot = 'user@example:/var/www/fdroid'
|
||||
# serverwebroot = {
|
||||
# 'foo.com:/usr/share/nginx/www/fdroid',
|
||||
# 'bar.info:/var/www/fdroid',
|
||||
# }
|
||||
|
||||
# Uncomment this option if you want to logs of builds and other processes to
|
||||
# your repository server(s). Logs get published to all servers configured in
|
||||
# 'serverwebroot'. For builds, only logs from build-jobs running inside a
|
||||
# buildserver VM are supported.
|
||||
#
|
||||
# deploy_process_logs = True
|
||||
|
||||
# The full URL to a git remote repository. You can include
|
||||
# multiple servers to mirror to by wrapping the whole thing in {} or [], and
|
||||
# including the servergitmirrors strings in a comma-separated list.
|
||||
# Servers listed here will also be automatically inserted in the mirrors list.
|
||||
#
|
||||
# servergitmirrors = 'https://github.com/user/repo'
|
||||
# servergitmirrors = {
|
||||
# 'https://github.com/user/repo',
|
||||
# 'https://gitlab.com/user/repo',
|
||||
# }
|
||||
|
||||
# Any mirrors of this repo, for example all of the servers declared in
|
||||
# serverwebroot and all the servers declared in servergitmirrors,
|
||||
# will automatically be used by the client. If one
|
||||
# mirror is not working, then the client will try another. If the
|
||||
# client has Tor enabled, then the client will prefer mirrors with
|
||||
# .onion addresses. This base URL will be used for both the main repo
|
||||
# and the archive, if it is enabled. So these URLs should end in the
|
||||
# 'fdroid' base of the F-Droid part of the web server like serverwebroot.
|
||||
#
|
||||
# mirrors = (
|
||||
# 'https://foo.bar/fdroid',
|
||||
# 'http://foobarfoobarfoobar.onion/fdroid',
|
||||
# )
|
||||
|
||||
# optionally specify which identity file to use when using rsync or git over SSH
|
||||
#
|
||||
# identity_file = '~/.ssh/fdroid_id_rsa'
|
||||
|
||||
|
||||
# If you are running the repo signing process on a completely offline machine,
|
||||
# which provides the best security, then you can specify a folder to sync the
|
||||
# repo to when running `fdroid server update`. This is most likely going to
|
||||
# be a USB thumb drive, SD Card, or some other kind of removable media. Make
|
||||
# sure it is mounted before running `fdroid server update`. Using the
|
||||
# standard folder called 'fdroid' as the specified folder is recommended, like
|
||||
# with serverwebroot.
|
||||
#
|
||||
# local_copy_dir = '/media/MyUSBThumbDrive/fdroid'
|
||||
|
||||
|
||||
# If you are using local_copy_dir on an offline build/signing server, once the
|
||||
# thumb drive has been plugged into the online machine, it will need to be
|
||||
# synced to the copy on the online machine. To make that happen
|
||||
# automatically, set sync_from_local_copy_dir to True:
|
||||
#
|
||||
# sync_from_local_copy_dir = True
|
||||
|
||||
|
||||
# To upload the repo to an Amazon S3 bucket using `fdroid server
|
||||
# update`. Warning, this deletes and recreates the whole fdroid/
|
||||
# directory each time. This prefers s3cmd, but can also use
|
||||
# apache-libcloud. To customize how s3cmd interacts with the cloud
|
||||
# provider, create a 's3cfg' file next to this file (config.py), and
|
||||
# those settings will be used instead of any 'aws' variable below.
|
||||
#
|
||||
# awsbucket = 'myawsfdroid'
|
||||
# awsaccesskeyid = 'SEE0CHAITHEIMAUR2USA'
|
||||
# awssecretkey = 'yourverysecretkeywordpassphraserighthere'
|
||||
|
||||
|
||||
# If you want to force 'fdroid server' to use a non-standard serverwebroot.
|
||||
# This will allow you to have 'serverwebroot' entries which do not end in
|
||||
# '/fdroid'. (Please note that some client features expect repository URLs
|
||||
# to end in '/fdroid/repo'.)
|
||||
#
|
||||
# nonstandardwebroot = False
|
||||
|
||||
|
||||
# If you want to upload the release apk file to androidobservatory.org
|
||||
#
|
||||
# androidobservatory = False
|
||||
|
||||
|
||||
# If you want to upload the release apk file to virustotal.com
|
||||
# You have to enter your profile apikey to enable the upload.
|
||||
#
|
||||
# virustotal_apikey = "virustotal_apikey"
|
||||
|
||||
|
||||
# The build logs can be posted to a mediawiki instance, like on f-droid.org.
|
||||
# wiki_protocol = "http"
|
||||
# wiki_server = "server"
|
||||
# wiki_path = "/wiki/"
|
||||
# wiki_user = "login"
|
||||
# wiki_password = "1234"
|
||||
|
||||
# Keep a log of all generated index files in a git repo to provide a
|
||||
# "binary transparency" log for anyone to check the history of the
|
||||
# binaries that are published. This is in the form of a "git remote",
|
||||
# which this machine where `fdroid update` is run has already been
|
||||
# configured to allow push access (e.g. ssh key, username/password, etc)
|
||||
# binary_transparency_remote = "git@gitlab.com:fdroid/binary-transparency-log.git"
|
||||
|
||||
# Only set this to true when running a repository where you want to generate
|
||||
# stats, and only then on the master build servers, not a development
|
||||
# machine. If you want to keep the "added" and "last updated" dates for each
|
||||
# app and APK in your repo, then you should enable this.
|
||||
# update_stats = True
|
||||
|
||||
# When used with stats, this is a list of IP addresses that are ignored for
|
||||
# calculation purposes.
|
||||
# stats_ignore = []
|
||||
|
||||
# Server stats logs are retrieved from. Required when update_stats is True.
|
||||
# stats_server = "example.com"
|
||||
|
||||
# User stats logs are retrieved from. Required when update_stats is True.
|
||||
# stats_user = "bob"
|
||||
|
||||
# Use the following to push stats to a Carbon instance:
|
||||
# stats_to_carbon = False
|
||||
# carbon_host = '0.0.0.0'
|
||||
# carbon_port = 2003
|
||||
|
||||
# Set this to true to always use a build server. This saves specifying the
|
||||
# --server option on dedicated secure build server hosts.
|
||||
# build_server_always = True
|
||||
|
||||
# By default, fdroid will use YAML .yml and the custom .txt metadata formats. It
|
||||
# is also possible to have metadata in JSON by adding 'json'.
|
||||
# accepted_formats = ('txt', 'yml')
|
||||
|
||||
# Limit in number of characters that fields can take up
|
||||
# Only the fields listed here are supported, defaults shown
|
||||
# char_limits = {
|
||||
# 'author': 256,
|
||||
# 'name': 30,
|
||||
# 'summary': 80,
|
||||
# 'description': 4000,
|
||||
# 'video': 256,
|
||||
# 'whatsNew': 500,
|
||||
# }
|
||||
|
||||
# It is possible for the server operator to specify lists of apps that
|
||||
# must be installed or uninstalled on the client (aka "push installs).
|
||||
# If the user has opted in, or the device is already setup to respond
|
||||
# to these requests, then F-Droid will automatically install/uninstall
|
||||
# the packageNames listed. This is protected by the same signing key
|
||||
# as the app index metadata.
|
||||
#
|
||||
# install_list = (
|
||||
# 'at.bitfire.davdroid',
|
||||
# 'com.fsck.k9',
|
||||
# 'us.replicant',
|
||||
# )
|
||||
#
|
||||
# uninstall_list = (
|
||||
# 'com.facebook.orca',
|
||||
# 'com.android.vending',
|
||||
# )
|
||||
keytool = "/usr/bin/keytool"
|
|
@ -0,0 +1,366 @@
|
|||
---
|
||||
# Copy this file to config.yml, then amend the settings below according to
|
||||
# your system configuration.
|
||||
|
||||
# Custom path to the Android SDK, defaults to $ANDROID_HOME
|
||||
# sdk_path: $ANDROID_HOME
|
||||
|
||||
# Paths to installed versions of the Android NDK. This will be
|
||||
# automatically filled out from well known sources like
|
||||
# $ANDROID_HOME/ndk-bundle and $ANDROID_HOME/ndk/*. If a required
|
||||
# version is missing in the buildserver VM, it will be automatically
|
||||
# downloaded and installed into the standard $ANDROID_HOME/ndk/
|
||||
# directory. Manually setting it here will override the auto-detected
|
||||
# values. The keys can either be the "release" (e.g. r21e) or the
|
||||
# "revision" (e.g. 21.4.7075529).
|
||||
#
|
||||
# ndk_paths:
|
||||
# r10e: $ANDROID_HOME/android-ndk-r10e
|
||||
# r17: ""
|
||||
# 21.4.7075529: ~/Android/Ndk
|
||||
# r22b: null
|
||||
|
||||
# Directory to store downloaded tools in (i.e. gradle versions)
|
||||
# By default, these are stored in ~/.cache/fdroidserver
|
||||
# cachedir: cache
|
||||
|
||||
# Specify paths to each major Java release that you want to support
|
||||
# java_paths:
|
||||
# 8: /usr/lib/jvm/java-8-openjdk
|
||||
|
||||
# Command or path to binary for running Ant
|
||||
# ant: ant
|
||||
|
||||
# Command or path to binary for running maven 3
|
||||
# mvn3: mvn
|
||||
|
||||
# Command or path to binary for running Gradle
|
||||
# Defaults to using an internal gradle wrapper (gradlew-fdroid).
|
||||
# gradle: gradle
|
||||
|
||||
# Always scan the APKs produced by `fdroid build` for known non-free classes
|
||||
# scan_binary: true
|
||||
|
||||
# Set the maximum age (in days) of an index that a client should accept from
|
||||
# this repo. Setting it to 0 or not setting it at all disables this
|
||||
# functionality. If you do set this to a non-zero value, you need to ensure
|
||||
# that your index is updated much more frequently than the specified interval.
|
||||
# The same policy is applied to the archive repo, if there is one.
|
||||
# repo_maxage: 0
|
||||
|
||||
# Canonical URL of the repositoy, needs to end in /repo. Is is used to identity
|
||||
# the repo in the client, as well.
|
||||
repo_url: "${FDROID_REPO_SCHEME}://${FDROID_REPO_HOST}/repo"
|
||||
repo_name: "${FDROID_REPO_NAME}"
|
||||
repo_description: >-
|
||||
${FDROID_REPO_DESCRIPTION}
|
||||
|
||||
# As above, but for the archive repo.
|
||||
#
|
||||
archive_url: "${FDROID_REPO_SCHEME}://${FDROID_REPO_HOST}/archive"
|
||||
archive_name: "${FDROID_ARCHIVE_NAME}"
|
||||
# archive_description: >-
|
||||
# The repository of older versions of packages from the main demo repository.
|
||||
|
||||
# archive_older sets the number of versions kept in the main repo, with all
|
||||
# older ones going to the archive. Set it to 0, and there will be no archive
|
||||
# repository, and no need to define the other archive_ values.
|
||||
#
|
||||
archive_older: ${FDROID_ARCHIVE_OLDER}
|
||||
|
||||
# The repo's icon defaults to a file called 'icon.png' in the 'icons'
|
||||
# folder for each section, e.g. repo/icons/icon.png and
|
||||
# archive/icons/icon.png. To use a different filename for the icons,
|
||||
# set the filename here. You must still copy it into place in
|
||||
# repo/icons/ and/or archive/icons/.
|
||||
#
|
||||
repo_icon: "${FDROID_REPO_ICON}"
|
||||
archive_icon: "${FDROID_ARCHIVE_ICON}"
|
||||
|
||||
# This allows a specific kind of insecure APK to be included in the
|
||||
# 'repo' section. Since April 2017, APK signatures that use MD5 are
|
||||
# no longer considered valid, jarsigner and apksigner will return an
|
||||
# error when verifying. `fdroid update` will move APKs with these
|
||||
# disabled signatures to the archive. This option stops that
|
||||
# behavior, and lets those APKs stay part of 'repo'.
|
||||
#
|
||||
# allow_disabled_algorithms: true
|
||||
|
||||
# Normally, all apps are collected into a single app repository, like on
|
||||
# https://f-droid.org. For certain situations, it is better to make a repo
|
||||
# that is made up of APKs only from a single app. For example, an automated
|
||||
# build server that publishes nightly builds.
|
||||
# per_app_repos: true
|
||||
|
||||
# `fdroid update` will create a link to the current version of a given app.
|
||||
# This provides a static path to the current APK. To disable the creation of
|
||||
# this link, uncomment this:
|
||||
# make_current_version_link: false
|
||||
|
||||
# By default, the "current version" link will be based on the "Name" of the
|
||||
# app from the metadata. You can change it to use a different field from the
|
||||
# metadata here:
|
||||
# current_version_name_source: packageName
|
||||
|
||||
# Optionally, override home directory for gpg
|
||||
# gpghome: /home/fdroid/somewhere/else/.gnupg
|
||||
|
||||
# The ID of a GPG key for making detached signatures for APKs. Optional.
|
||||
# gpgkey: 1DBA2E89
|
||||
|
||||
# The key (from the keystore defined below) to be used for signing the
|
||||
# repository itself. This is the same name you would give to keytool or
|
||||
# jarsigner using -alias. (Not needed in an unsigned repository).
|
||||
repo_keyalias: "${FDROID_KEYSTORE_KEY_ALIAS}"
|
||||
|
||||
# Optionally, the public key for the key defined by repo_keyalias above can
|
||||
# be specified here. There is no need to do this, as the public key can and
|
||||
# will be retrieved from the keystore when needed. However, specifying it
|
||||
# manually can allow some processing to take place without access to the
|
||||
# keystore.
|
||||
# repo_pubkey: ...
|
||||
|
||||
# The keystore to use for release keys when building. This needs to be
|
||||
# somewhere safe and secure, and backed up! The best way to manage these
|
||||
# sensitive keys is to use a "smartcard" (aka Hardware Security Module). To
|
||||
# configure F-Droid to use a smartcard, set the keystore file using the keyword
|
||||
# "NONE" (i.e. keystore: "NONE"). That makes Java find the keystore on the
|
||||
# smartcard based on 'smartcardoptions' below.
|
||||
keystore: "/fdroid/keystore/keystore.jks"
|
||||
# You should not need to change these at all, unless you have a very
|
||||
# customized setup for using smartcards in Java with keytool/jarsigner
|
||||
# smartcardoptions: |
|
||||
# -storetype PKCS11 -providerName SunPKCS11-OpenSC
|
||||
# -providerClass sun.security.pkcs11.SunPKCS11
|
||||
# -providerArg opensc-fdroid.cfg
|
||||
|
||||
# The password for the keystore (at least 6 characters). If this password is
|
||||
# different than the keypass below, it can be OK to store the password in this
|
||||
# file for real use. But in general, sensitive passwords should not be stored
|
||||
# in text files!
|
||||
keystorepass: "${FDROID_KEYSTORE_PASS}"
|
||||
# The password for keys - the same is used for each auto-generated key as well
|
||||
# as for the repository key. You should not normally store this password in a
|
||||
# file since it is a sensitive password.
|
||||
keypass: "${FDROID_KEYSTORE_KEYPASS}"
|
||||
# The distinguished name used for all keys.
|
||||
keydname: "${FDROID_KEYSTORE_DNAME}"
|
||||
# Use this to override the auto-generated key aliases with specific ones
|
||||
# for particular applications. Normally, just leave it empty.
|
||||
#
|
||||
# keyaliases:
|
||||
# com.example.app: example
|
||||
#
|
||||
# You can also force an app to use the same key alias as another one, using
|
||||
# the @ prefix.
|
||||
#
|
||||
# keyaliases:
|
||||
# com.example.another.plugin: "@com.example.another"
|
||||
|
||||
# The full path to the root of the repository. It must be specified in
|
||||
# rsync/ssh format for a remote host/path. This is used for syncing a locally
|
||||
# generated repo to the server that is it hosted on. It must end in the
|
||||
# standard public repo name of "/fdroid", but can be in up to three levels of
|
||||
# sub-directories (i.e. /var/www/packagerepos/fdroid). You can include
|
||||
# multiple servers to sync to by wrapping the whole thing in {} or [], and
|
||||
# including the serverwebroot strings in a comma-separated list.
|
||||
#
|
||||
# serverwebroot: user@example:/var/www/fdroid
|
||||
# serverwebroot:
|
||||
# - foo.com:/usr/share/nginx/www/fdroid
|
||||
# - bar.info:/var/www/fdroid
|
||||
#
|
||||
# There is a special mode to only deploy the index file:
|
||||
#
|
||||
# serverwebroot:
|
||||
# - url: 'me@b.az:/srv/fdroid'
|
||||
# indexOnly: true
|
||||
|
||||
# When running fdroid processes on a remote server, it is possible to
|
||||
# publish extra information about the status. Each fdroid sub-command
|
||||
# can create repo/status/running.json when it starts, then a
|
||||
# repo/status/<sub-command>.json when it completes. The builds logs
|
||||
# and other processes will also get published, if they are running in
|
||||
# a buildserver VM. The build logs name scheme is:
|
||||
# .../repo/$APPID_$VERCODE.log.gz. These files are also pushed to all
|
||||
# servers configured in 'serverwebroot'.
|
||||
#
|
||||
# deploy_process_logs: true
|
||||
|
||||
# The full URL to a git remote repository. You can include
|
||||
# multiple servers to mirror to by adding strings to a YAML list or map.
|
||||
# Servers listed here will also be automatically inserted in the mirrors list.
|
||||
#
|
||||
# servergitmirrors: https://github.com/user/repo
|
||||
# servergitmirrors:
|
||||
# - https://github.com/user/repo
|
||||
# - https://gitlab.com/user/repo
|
||||
#
|
||||
# servergitmirrors:
|
||||
# - url: https://github.com/user/repo
|
||||
# - url: https://gitlab.com/user/repo
|
||||
# indexOnly: true
|
||||
|
||||
# Most git hosting services have hard size limits for each git repo.
|
||||
# `fdroid deploy` will delete the git history when the git mirror repo
|
||||
# approaches this limit to ensure that the repo will still fit when
|
||||
# pushed. GitHub recommends 1GB, gitlab.com recommends 10GB.
|
||||
#
|
||||
# git_mirror_size_limit: 10GB
|
||||
|
||||
# Any mirrors of this repo, for example all of the servers declared in
|
||||
# serverwebroot and all the servers declared in servergitmirrors,
|
||||
# will automatically be used by the client. If one
|
||||
# mirror is not working, then the client will try another. If the
|
||||
# client has Tor enabled, then the client will prefer mirrors with
|
||||
# .onion addresses. This base URL will be used for both the main repo
|
||||
# and the archive, if it is enabled. So these URLs should end in the
|
||||
# 'fdroid' base of the F-Droid part of the web server like serverwebroot.
|
||||
#
|
||||
# mirrors:
|
||||
# - https://foo.bar/fdroid
|
||||
# - http://foobarfoobarfoobar.onion/fdroid
|
||||
#
|
||||
# Or additional metadata can also be included by adding key/value pairs:
|
||||
#
|
||||
# mirrors:
|
||||
# - url: https://foo.bar/fdroid
|
||||
# countryCode: BA
|
||||
# - url: http://foobarfoobarfoobar.onion/fdroid
|
||||
#
|
||||
# The list of mirrors can also be maintained in config/mirrors.yml, a
|
||||
# standalone YAML file in the optional configuration directory. In
|
||||
# that case, mirrors: should be removed from this file (config.yml).
|
||||
|
||||
# optionally specify which identity file to use when using rsync or git over SSH
|
||||
#
|
||||
# identity_file: ~/.ssh/fdroid_id_rsa
|
||||
|
||||
# If you are running the repo signing process on a completely offline machine,
|
||||
# which provides the best security, then you can specify a folder to sync the
|
||||
# repo to when running `fdroid deploy`. This is most likely going to
|
||||
# be a USB thumb drive, SD Card, or some other kind of removable media. Make
|
||||
# sure it is mounted before running `fdroid deploy`. Using the
|
||||
# standard folder called 'fdroid' as the specified folder is recommended, like
|
||||
# with serverwebroot.
|
||||
#
|
||||
local_copy_dir: /var/www/fdroid
|
||||
# If you are using local_copy_dir on an offline build/signing server, once the
|
||||
# thumb drive has been plugged into the online machine, it will need to be
|
||||
# synced to the copy on the online machine. To make that happen
|
||||
# automatically, set sync_from_local_copy_dir to True:
|
||||
#
|
||||
# sync_from_local_copy_dir: true
|
||||
|
||||
# To upload the repo to an Amazon S3 bucket using `fdroid server
|
||||
# update`. Warning, this deletes and recreates the whole fdroid/
|
||||
# directory each time. This prefers s3cmd, but can also use
|
||||
# apache-libcloud. To customize how s3cmd interacts with the cloud
|
||||
# provider, create a 's3cfg' file next to this file (config.yml), and
|
||||
# those settings will be used instead of any 'aws' variable below.
|
||||
# Secrets can be fetched from environment variables to ensure that
|
||||
# they are not leaked as part of this file.
|
||||
#
|
||||
# awsbucket: myawsfdroid
|
||||
# awsaccesskeyid: SEE0CHAITHEIMAUR2USA
|
||||
# awssecretkey: {env: awssecretkey}
|
||||
|
||||
# If you want to force 'fdroid server' to use a non-standard serverwebroot.
|
||||
# This will allow you to have 'serverwebroot' entries which do not end in
|
||||
# '/fdroid'. (Please note that some client features expect repository URLs
|
||||
# to end in '/fdroid/repo'.)
|
||||
#
|
||||
# nonstandardwebroot: false
|
||||
|
||||
# If you want to upload the release APK file to androidobservatory.org
|
||||
#
|
||||
# androidobservatory: false
|
||||
|
||||
# If you want to upload the release APK file to virustotal.com
|
||||
# You have to enter your profile apikey to enable the upload.
|
||||
#
|
||||
# virustotal_apikey: 9872987234982734
|
||||
#
|
||||
# Or get it from an environment variable:
|
||||
#
|
||||
# virustotal_apikey: {env: virustotal_apikey}
|
||||
|
||||
# Keep a log of all generated index files in a git repo to provide a
|
||||
# "binary transparency" log for anyone to check the history of the
|
||||
# binaries that are published. This is in the form of a "git remote",
|
||||
# which this machine where `fdroid update` is run has already been
|
||||
# configured to allow push access (e.g. ssh key, username/password, etc)
|
||||
# binary_transparency_remote: git@gitlab.com:fdroid/binary-transparency-log.git
|
||||
|
||||
# If you want to keep the "added" and "last updated" dates for each
|
||||
# app and APK in your repo, enable this. The name comes from an old
|
||||
# system for tracking statistics that is no longer included.
|
||||
# update_stats: true
|
||||
|
||||
# Set this to true to always use a build server. This saves specifying the
|
||||
# --server option on dedicated secure build server hosts.
|
||||
# build_server_always: true
|
||||
|
||||
# Limit in number of characters that fields can take up
|
||||
# Only the fields listed here are supported, defaults shown
|
||||
# char_limits:
|
||||
# author: 256
|
||||
# name: 50
|
||||
# summary: 80
|
||||
# description: 4000
|
||||
# video: 256
|
||||
# whatsNew: 500
|
||||
|
||||
# It is possible for the server operator to specify lists of apps that
|
||||
# must be installed or uninstalled on the client (aka "push installs).
|
||||
# If the user has opted in, or the device is already setup to respond
|
||||
# to these requests, then F-Droid will automatically install/uninstall
|
||||
# the packageNames listed. This is protected by the same signing key
|
||||
# as the app index metadata.
|
||||
#
|
||||
# install_list:
|
||||
# - at.bitfire.davdroid
|
||||
# - com.fsck.k9
|
||||
# - us.replicant
|
||||
#
|
||||
# uninstall_list:
|
||||
# - com.facebook.orca
|
||||
# - com.android.vending
|
||||
|
||||
# `fdroid lint` checks licenses in metadata against a built white list. By
|
||||
# default we will require license metadata to be present and only allow
|
||||
# licenses approved either by FSF or OSI. We're using the standardized SPDX
|
||||
# license IDs. (https://spdx.org/licenses/)
|
||||
#
|
||||
# We use `python3 -m spdx-license-list print --filter-fsf-or-osi` for
|
||||
# generating our default list. (https://pypi.org/project/spdx-license-list)
|
||||
#
|
||||
# You can override our default list of allowed licenes by setting this option.
|
||||
# Just supply a custom list of licene names you would like to allow. To disable
|
||||
# checking licenses by the linter, assign an empty value to lint_licenses.
|
||||
#
|
||||
# lint_licenses:
|
||||
# - Custom-License-A
|
||||
# - Another-License
|
||||
|
||||
# `fdroid scanner` can scan for signatures from various sources. By default
|
||||
# it's configured to only use F-Droids official SUSS collection. We have
|
||||
# support for these special collections:
|
||||
# * 'exodus' - official exodus-privacy.org signatures
|
||||
# * 'etip' - exodus privacy investigation platfrom community contributed
|
||||
# signatures
|
||||
# * 'suss' - official F-Droid: Suspicious or Unwanted Software Signatures
|
||||
# You can also configure scanner to use custom collections of signatures here.
|
||||
# They have to follow the format specified in the SUSS readme.
|
||||
# (https://gitlab.com/fdroid/fdroid-suss/#cache-file-data-format)
|
||||
#
|
||||
# scanner_signature_sources:
|
||||
# - suss
|
||||
# - exodus
|
||||
# - https://example.com/signatures.json
|
||||
|
||||
# The scanner can use signature sources from the internet. These are
|
||||
# cached locally. To force them to be refreshed from the network on
|
||||
# every run, set this to true:
|
||||
#
|
||||
# refresh_scanner: true
|
|
@ -2,14 +2,19 @@
|
|||
|
||||
set -xeo pipefail
|
||||
|
||||
if [ ! -f /fdroid/ssh_host_rsa_key ]; then
|
||||
if [ ! -f /fdroid/host_ssh/ssh_host_rsa_key ]; then
|
||||
echo "Generating host SSH key..."
|
||||
ssh-keygen -f /fdroid/ssh_host_rsa_key -N '' -t rsa
|
||||
chown fdroid: /fdroid/ssh_host_rsa_key
|
||||
mkdir -p /fdroid/host_ssh
|
||||
ssh-keygen -f /fdroid/host_ssh/ssh_host_rsa_key -N '' -t rsa
|
||||
chown fdroid: /fdroid/host_ssh/ssh_host_rsa_key
|
||||
fi
|
||||
|
||||
mkdir -p /fdroid/.ssh
|
||||
|
||||
if [ ! -z "${SSH_PUBLIC_KEY}" ]; then
|
||||
echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys
|
||||
fi
|
||||
|
||||
chmod 0600 /fdroid/.ssh/authorized_keys
|
||||
|
||||
if [ ! -f /fdroid/keystore/keystore.jks ]; then
|
||||
|
@ -23,11 +28,11 @@ if [ ! -f /fdroid/keystore/keystore.jks ]; then
|
|||
fi
|
||||
|
||||
echo "Updating configuration from environment..."
|
||||
envsubst < config.py.tmpl > config.py
|
||||
chmod 0600 config.py
|
||||
envsubst < config.yml.tmpl > /fdroid/config.yml
|
||||
chmod 0600 /fdroid/config.yml
|
||||
|
||||
chown -R fdroid: /fdroid
|
||||
find /fdroid -not -user fdroid | xargs chown fdroid:
|
||||
|
||||
su - fdroid /fdroid/fdroid-update.sh
|
||||
su fdroid /fdroid/fdroid-update.sh
|
||||
|
||||
/usr/bin/supervisord -c /etc/supervisor.d/supervisor.ini
|
|
@ -7,6 +7,7 @@ DIR=$2
|
|||
FILE=$3
|
||||
|
||||
if [ -z "$FILE" ] || [[ "$FILE" == *.apk ]] || [[ "$FILE" == *.yml ]]; then
|
||||
fdroid update --clean --rename-apks --use-date-from-apk --delete-unknown
|
||||
. /fdroid/bin/activate && fdroid update --clean --rename-apks --use-date-from-apk --delete-unknown
|
||||
. /fdroid/bin/activate && fdroid deploy
|
||||
fi
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@ nodaemon=true
|
|||
user=root
|
||||
|
||||
[program:sshd]
|
||||
command = /usr/sbin/sshd -D
|
||||
command = /usr/sbin/sshd -D -e
|
||||
directory = /fdroid
|
||||
user = fdroid
|
||||
autostart = true
|
||||
|
@ -24,9 +24,9 @@ stderr_logfile=/dev/stderr
|
|||
stderr_logfile_maxbytes=0
|
||||
|
||||
[program:caddy]
|
||||
command = caddy -agree -conf /fdroid/Caddyfile
|
||||
directory = /fdroid/repo
|
||||
user = root
|
||||
command = caddy file-server -b -a -l "0.0.0.0:8080" --root /var/www/fdroid
|
||||
directory = /
|
||||
user = fdroid
|
||||
autostart = true
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
|
|
Loading…
Reference in New Issue