Initial commit

wpetit 2018-11-09 09:29:18 +01:00
commit 44fd9a03eb
10 changed files with 517 additions and 0 deletions

1
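--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/data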

48
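--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,48 @@
+FROM alpine:3.8
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG http_proxy=
+ARG https_proxy=
+ARG FDROIDSERVER_VERSION=1.0.10
+RUN apk add --no-cache \
+python3 build-base freetype-dev libffi-dev \
+libpng-dev py3-setuptools python3-dev libxml2-dev \
+libxslt-dev openssl-dev jpeg-dev java-common \
+bash supervisor openssh inotify-tools gettext openjdk8 fastjar darkhttpd
+RUN ln -s /usr/bin/fastjar /usr/bin/jar
+RUN ln -s /usr/include/libxml2 /usr/include/libxml
+RUN pip3 install --upgrade pip
+RUN pip3 install fdroidserver==${FDROIDSERVER_VERSION}
+COPY supervisor.ini /etc/supervisor.d/supervisor.ini
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+RUN mkdir /fdroid
+WORKDIR /fdroid
+COPY config.py /fdroid/config.py.tmpl
+COPY fdroid-update.sh /fdroid-update.sh
+RUN chmod +x /fdroid-update.sh
+COPY fdroid-icon.png /fdroid/fdroid-icon.png
+VOLUME /fdroid/repo
+VOLUME /fdroid/metadata
+VOLUME /fdroid/keystore
+EXPOSE 22
+EXPOSE 80
+ENV FDROID_ARCHIVE_OLDER=3
+ENV FDROID_REPO_ICON=fdroid-icon.png
+ENV FDROID_ARCHIVE_ICON=fdroid-icon.png
+CMD /docker-entrypoint.sh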
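Review bot: The two `pip3 install` lines fetch code from PyPI with no integrity check, and this is the image that later holds the repository signing keystore. `fdroidserver` is pinned by version only, its transitive dependencies are not pinned at all, and `pip3 install --upgrade pip` takes whatever is current at build time, so two builds of the same commit can contain different code. Consider copying in a hash-pinned requirements file and replacing both lines with `RUN pip3 install --no-cache-dir --require-hashes -r /requirements.txt` (the path is a placeholder for a file this commit does not yet contain). Pinning `alpine:3.8` by digest would close the same gap for the base image.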

35
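--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,35 @@
+build:
+docker build \
+--build-arg "HTTP_PROXY=$(HTTP_PROXY)" \
+--build-arg "HTTPS_PROXY=$(HTTP_PROXY)" \
+--build-arg "http_proxy=$(http_proxy)" \
+--build-arg "https_proxy=$(https_proxy)" \
+-t fdroid-repository \
+./
+run:
+docker run -it --rm \
+-p 2222:22 \
+-p 8080:80 \
+-v "$(PWD)/data/repo:/fdroid/repo" \
+-v "$(PWD)/data/metadata:/fdroid/metadata" \
+-v "$(PWD)/data/keystore:/fdroid/keystore" \
+-e "FDROID_REPO_URL=http://localhost:8080" \
+-e "FDROID_REPO_NAME=My local repo" \
+-e "FDROID_REPO_DESCRIPTION=My repo description" \
+-e "FDROID_KEYSTORE_PASS=mykeystorepass" \
+-e "FDROID_KEYSTORE_KEYPASS=mykeystorekeypass" \
+-e "FDROID_KEYSTORE_KEY_ALIAS=fdroidkey" \
+-e "FDROID_KEYSTORE_DNAME=CN=cadoles.com, OU=ID, O=Cadoles, L=Dijon, S=France, C=FR" \
+fdroid-repository:latest \
+$(DOCKER_CMD)
+push:
+docker image tag fdroid-repository:latest bornholm/fdroid-repository:latest
+docker push bornholm/fdroid-repository:latest
+clean:
+docker rmi fdroid-repository
+.PHONY: build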
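Review bot: In the `build` recipe the second build argument reads `--build-arg "HTTPS_PROXY=$(HTTP_PROXY)"`, so the upper-case HTTPS proxy setting is never forwarded and the HTTP proxy value is used in its place; it should be `--build-arg "HTTPS_PROXY=$(HTTPS_PROXY)"`. Separately, only `build` is declared phony, so a file named `run`, `push` or `clean` in the directory would silently disable those targets: `.PHONY: build run push clean`. The keystore passwords in `run` are literal sample values, which is fine for a local test, but a comment such as `# sample credentials for local testing only, never reuse for a published repository` above the recipe would make that explicit.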

15
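--- a/README.md
+++ b/README.md
@@ -0,0 +1,15 @@
+# FDroid Repository - Docker
+Conteneur "tout en un" pour l'hébergement d'un dépôt [FDroid](https://f-droid.org/)
+## Usage
+`TODO`
+## Variables d'environnement
+|Variable|Description|Valeur par défaut|
+|-|-|-|
+|`FDROID_REPO_URL`| URL publique du dépôt | Vide |
+|`FDROID_REPO_NAME`| Nom du dépôt | Vide |
+|`FDROID_REPO_DESCRIPTION`| Description du dépôt | Vide |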

328
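--- a/config.py
+++ b/config.py
@@ -0,0 +1,328 @@
+#!/usr/bin/env python3
+# Copy this file to config.py, then amend the settings below according to
+# your system configuration.
+# Custom path to the Android SDK, defaults to $ANDROID_HOME
+# sdk_path = "$ANDROID_HOME"
+# Custom paths to various versions of the Android NDK, defaults to 'r12b' set
+# to $ANDROID_NDK. Most users will have the latest at $ANDROID_NDK, which is
+# used by default. If a version is missing or assigned to None, it is assumed
+# not installed.
+# ndk_paths = {
+# 'r10e': None,
+# 'r11c': None,
+# 'r12b': "$ANDROID_NDK",
+# 'r13b': None,
+# 'r14b': None,
+# 'r15c': None,
+# 'r16b': None,
+# 'r17b': None,
+# 'r18b': None,
+# }
+# Directory to store downloaded tools in (i.e. gradle versions)
+# By default, these are stored in ~/.cache/fdroidserver
+# cachedir = cache
+java_paths = {
+'8': "/usr/lib/jvm/java-1.8-openjdk",
+}
+# Build tools version to be used
+# build_tools = "25.0.2"
+# Force all build to use the above version of build -tools, good for testing
+# builds without having all of the possible build-tools installed.
+# force_build_tools = True
+# Command or path to binary for running Ant
+# ant = "ant"
+# Command or path to binary for running maven 3
+# mvn3 = "mvn"
+# Command or path to binary for running Gradle
+# Defaults to using an internal gradle wrapper (gradlew-fdroid).
+# gradle = "gradle"
+# Set the maximum age (in days) of an index that a client should accept from
+# this repo. Setting it to 0 or not setting it at all disables this
+# functionality. If you do set this to a non-zero value, you need to ensure
+# that your index is updated much more frequently than the specified interval.
+# The same policy is applied to the archive repo, if there is one.
+# repo_maxage = 0
+repo_url = "${FDROID_REPO_URL}"
+repo_name = "${FDROID_REPO_NAME}"
+repo_icon = "${FDROID_REPO_ICON}"
+repo_description = """
+${FDROID_REPO_DESCRIPTION}
+"""
+# As above, but for the archive repo.
+# archive_older sets the number of versions kept in the main repo, with all
+# older ones going to the archive. Set it to 0, and there will be no archive
+# repository, and no need to define the other archive_ values.
+archive_older = ${FDROID_ARCHIVE_OLDER}
+archive_url = "${FDROID_ARCHIVE_URL}"
+archive_name = "${FDROID_ARCHIVE_NAME}"
+archive_icon = "${FDROID_ARCHIVE_ICON}"
+archive_description = """
+${FDROID_ARCHIVE_DESCRIPTION}
+"""
+# This allows a specific kind of insecure APK to be included in the
+# 'repo' section. Since April 2017, APK signatures that use MD5 are
+# no longer considered valid, jarsigner and apksigner will return an
+# error when verifying. `fdroid update` will move APKs with these
+# disabled signatures to the archive. This option stops that
+# behavior, and lets those APKs stay part of 'repo'.
+#
+# allow_disabled_algorithms = True
+# Normally, all apps are collected into a single app repository, like on
+# https://f-droid.org. For certain situations, it is better to make a repo
+# that is made up of APKs only from a single app. For example, an automated
+# build server that publishes nightly builds.
+# per_app_repos = True
+# `fdroid update` will create a link to the current version of a given app.
+# This provides a static path to the current APK. To disable the creation of
+# this link, uncomment this:
+# make_current_version_link = False
+# By default, the "current version" link will be based on the "Name" of the
+# app from the metadata. You can change it to use a different field from the
+# metadata here:
+# current_version_name_source = 'packageName'
+# Optionally, override home directory for gpg
+# gpghome = '/home/fdroid/somewhere/else/.gnupg'
+# The ID of a GPG key for making detached signatures for apks. Optional.
+# gpgkey = '1DBA2E89'
+# The key (from the keystore defined below) to be used for signing the
+# repository itself. This is the same name you would give to keytool or
+# jarsigner using -alias. (Not needed in an unsigned repository).
+repo_keyalias = "${FDROID_KEYSTORE_KEY_ALIAS}"
+# Optionally, the public key for the key defined by repo_keyalias above can
+# be specified here. There is no need to do this, as the public key can and
+# will be retrieved from the keystore when needed. However, specifying it
+# manually can allow some processing to take place without access to the
+# keystore.
+# repo_pubkey = "..."
+# The keystore to use for release keys when building. This needs to be
+# somewhere safe and secure, and backed up! The best way to manage these
+# sensitive keys is to use a "smartcard" (aka Hardware Security Module). To
+# configure F-Droid to use a smartcard, set the keystore file using the keyword
+# "NONE" (i.e. keystore = "NONE"). That makes Java find the keystore on the
+# smartcard based on 'smartcardoptions' below.
+keystore = "/fdroid/keystore/keystore.jks"
+# You should not need to change these at all, unless you have a very
+# customized setup for using smartcards in Java with keytool/jarsigner
+# smartcardoptions = "-storetype PKCS11 -providerName SunPKCS11-OpenSC \
+# -providerClass sun.security.pkcs11.SunPKCS11 \
+# -providerArg opensc-fdroid.cfg"
+# The password for the keystore (at least 6 characters). If this password is
+# different than the keypass below, it can be OK to store the password in this
+# file for real use. But in general, sensitive passwords should not be stored
+# in text files!
+keystorepass = "${FDROID_KEYSTORE_PASS}"
+# The password for keys - the same is used for each auto-generated key as well
+# as for the repository key. You should not normally store this password in a
+# file since it is a sensitive password.
+keypass = "${FDROID_KEYSTORE_KEYPASS}"
+# The distinguished name used for all keys.
+keydname = "${FDROID_KEYSTORE_DNAME}"
+# Use this to override the auto-generated key aliases with specific ones
+# for particular applications. Normally, just leave it empty.
+# keyaliases = {}
+# keyaliases['com.example.app'] = 'example'
+# You can also force an app to use the same key alias as another one, using
+# the @ prefix.
+# keyaliases['com.example.another.plugin'] = '@com.example.another'
+# The full path to the root of the repository. It must be specified in
+# rsync/ssh format for a remote host/path. This is used for syncing a locally
+# generated repo to the server that is it hosted on. It must end in the
+# standard public repo name of "/fdroid", but can be in up to three levels of
+# sub-directories (i.e. /var/www/packagerepos/fdroid). You can include
+# multiple servers to sync to by wrapping the whole thing in {} or [], and
+# including the serverwebroot strings in a comma-separated list.
+#
+# serverwebroot = 'user@example:/var/www/fdroid'
+# serverwebroot = {
+# 'foo.com:/usr/share/nginx/www/fdroid',
+# 'bar.info:/var/www/fdroid',
+# }
+# Uncomment this option if you want to logs of builds and other processes to
+# your repository server(s). Logs get published to all servers configured in
+# 'serverwebroot'. For builds, only logs from build-jobs running inside a
+# buildserver VM are supported.
+#
+# deploy_process_logs = True
+# The full URL to a git remote repository. You can include
+# multiple servers to mirror to by wrapping the whole thing in {} or [], and
+# including the servergitmirrors strings in a comma-separated list.
+# Servers listed here will also be automatically inserted in the mirrors list.
+#
+# servergitmirrors = 'https://github.com/user/repo'
+# servergitmirrors = {
+# 'https://github.com/user/repo',
+# 'https://gitlab.com/user/repo',
+# }
+# Any mirrors of this repo, for example all of the servers declared in
+# serverwebroot and all the servers declared in servergitmirrors,
+# will automatically be used by the client. If one
+# mirror is not working, then the client will try another. If the
+# client has Tor enabled, then the client will prefer mirrors with
+# .onion addresses. This base URL will be used for both the main repo
+# and the archive, if it is enabled. So these URLs should end in the
+# 'fdroid' base of the F-Droid part of the web server like serverwebroot.
+#
+# mirrors = (
+# 'https://foo.bar/fdroid',
+# 'http://foobarfoobarfoobar.onion/fdroid',
+# )
+# optionally specify which identity file to use when using rsync or git over SSH
+#
+# identity_file = '~/.ssh/fdroid_id_rsa'
+# If you are running the repo signing process on a completely offline machine,
+# which provides the best security, then you can specify a folder to sync the
+# repo to when running `fdroid server update`. This is most likely going to
+# be a USB thumb drive, SD Card, or some other kind of removable media. Make
+# sure it is mounted before running `fdroid server update`. Using the
+# standard folder called 'fdroid' as the specified folder is recommended, like
+# with serverwebroot.
+#
+# local_copy_dir = '/media/MyUSBThumbDrive/fdroid'
+# If you are using local_copy_dir on an offline build/signing server, once the
+# thumb drive has been plugged into the online machine, it will need to be
+# synced to the copy on the online machine. To make that happen
+# automatically, set sync_from_local_copy_dir to True:
+#
+# sync_from_local_copy_dir = True
+# To upload the repo to an Amazon S3 bucket using `fdroid server
+# update`. Warning, this deletes and recreates the whole fdroid/
+# directory each time. This prefers s3cmd, but can also use
+# apache-libcloud. To customize how s3cmd interacts with the cloud
+# provider, create a 's3cfg' file next to this file (config.py), and
+# those settings will be used instead of any 'aws' variable below.
+#
+# awsbucket = 'myawsfdroid'
+# awsaccesskeyid = 'SEE0CHAITHEIMAUR2USA'
+# awssecretkey = 'yourverysecretkeywordpassphraserighthere'
+# If you want to force 'fdroid server' to use a non-standard serverwebroot.
+# This will allow you to have 'serverwebroot' entries which do not end in
+# '/fdroid'. (Please note that some client features expect repository URLs
+# to end in '/fdroid/repo'.)
+#
+# nonstandardwebroot = False
+# If you want to upload the release apk file to androidobservatory.org
+#
+# androidobservatory = False
+# If you want to upload the release apk file to virustotal.com
+# You have to enter your profile apikey to enable the upload.
+#
+# virustotal_apikey = "virustotal_apikey"
+# The build logs can be posted to a mediawiki instance, like on f-droid.org.
+# wiki_protocol = "http"
+# wiki_server = "server"
+# wiki_path = "/wiki/"
+# wiki_user = "login"
+# wiki_password = "1234"
+# Keep a log of all generated index files in a git repo to provide a
+# "binary transparency" log for anyone to check the history of the
+# binaries that are published. This is in the form of a "git remote",
+# which this machine where `fdroid update` is run has already been
+# configured to allow push access (e.g. ssh key, username/password, etc)
+# binary_transparency_remote = "git@gitlab.com:fdroid/binary-transparency-log.git"
+# Only set this to true when running a repository where you want to generate
+# stats, and only then on the master build servers, not a development
+# machine. If you want to keep the "added" and "last updated" dates for each
+# app and APK in your repo, then you should enable this.
+# update_stats = True
+# When used with stats, this is a list of IP addresses that are ignored for
+# calculation purposes.
+# stats_ignore = []
+# Server stats logs are retrieved from. Required when update_stats is True.
+# stats_server = "example.com"
+# User stats logs are retrieved from. Required when update_stats is True.
+# stats_user = "bob"
+# Use the following to push stats to a Carbon instance:
+# stats_to_carbon = False
+# carbon_host = '0.0.0.0'
+# carbon_port = 2003
+# Set this to true to always use a build server. This saves specifying the
+# --server option on dedicated secure build server hosts.
+# build_server_always = True
+# By default, fdroid will use YAML .yml and the custom .txt metadata formats. It
+# is also possible to have metadata in JSON by adding 'json'.
+# accepted_formats = ('txt', 'yml')
+# Limit in number of characters that fields can take up
+# Only the fields listed here are supported, defaults shown
+# char_limits = {
+# 'author': 256,
+# 'name': 30,
+# 'summary': 80,
+# 'description': 4000,
+# 'video': 256,
+# 'whatsNew': 500,
+# }
+# It is possible for the server operator to specify lists of apps that
+# must be installed or uninstalled on the client (aka "push installs).
+# If the user has opted in, or the device is already setup to respond
+# to these requests, then F-Droid will automatically install/uninstall
+# the packageNames listed. This is protected by the same signing key
+# as the app index metadata.
+#
+# install_list = (
+# 'at.bitfire.davdroid',
+# 'com.fsck.k9',
+# 'us.replicant',
+# )
+#
+# uninstall_list = (
+# 'com.facebook.orca',
+# 'com.android.vending',
+# )
+keytool = "/usr/bin/keytool"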
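Review bot: Every `${FDROID_…}` placeholder in this template is pasted by `envsubst` (see docker-entrypoint.sh) straight into Python source with no escaping, for example `keystorepass = "${FDROID_KEYSTORE_PASS}"` and the unquoted `archive_older = ${FDROID_ARCHIVE_OLDER}`. A value containing `"`, a backslash or a newline therefore yields a broken config or, since fdroidserver appears to execute config.py as Python, code taken from the environment. Because the file is Python anyway, reading the environment directly removes the templating step: `keystorepass = os.environ["FDROID_KEYSTORE_PASS"]` and `archive_older = int(os.environ.get("FDROID_ARCHIVE_OLDER", "3"))`, with `import os` at the top. The same applies to the other templated assignments (repo_*, archive_*, keypass, keydname, repo_keyalias).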

30
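--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -xeo pipefail
+if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+echo "Generating SSH key..."
+sed -i "s/^#HostKey.*$/HostKey \/etc\/ssh\/ssh_host_rsa_key/" /etc/ssh/sshd_config
+ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
+fi
+mkdir -p /root/.ssh
+echo "${SSH_RSA_PUBLIC_KEY}" > /root/.ssh/authorized_keys
+if [ ! -f /fdroid/keystore/keystore.jks ]; then
+keytool -genkey -noprompt \
+-keyalg RSA \
+-alias "${FDROID_KEYSTORE_KEY_ALIAS}" \
+-dname "${FDROID_KEYSTORE_DNAME}" \
+-keystore /fdroid/keystore/keystore.jks \
+-storepass "${FDROID_KEYSTORE_PASS}" \
+-keypass "${FDROID_KEYSTORE_KEYPASS}"
+fi
+echo "Updating configuration from environment..."
+envsubst < config.py.tmpl > config.py
+chmod 0600 config.py
+/fdroid-update.sh
+/usr/bin/supervisord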
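Review bot: `set -xeo pipefail` turns on command tracing, so the `keytool -genkey` call is echoed to the container log with `-storepass` and `-keypass` expanded to the real keystore passwords. Drop the `x` (`set -eo pipefail`), and pass the passwords by variable name so they stay out of the process list as well: `-storepass:env FDROID_KEYSTORE_PASS` and `-keypass:env FDROID_KEYSTORE_KEYPASS`. Note also that `config.py` is created by the `envsubst` redirect with the default umask and only restricted by `chmod 0600` afterwards; a `umask 077` before the redirect closes that window.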

BIN
fdroid-icon.png Normal file

Binary file not shown.


4
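--- a/fdroid-update.sh
+++ b/fdroid-update.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+fdroid update -c --rename-apks --clean
+fdroid update --rename-apks --clean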
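Review bot: This script has no error handling, unlike docker-entrypoint.sh and misc/start.sh, which both set `-eo pipefail`: if the first `fdroid update -c …` fails, the second still runs and the exit status reflects only the last command. Add `set -eo pipefail` after the shebang. Since supervisor.ini runs this script from `inotifyd` on writes under /fdroid/repo, and `fdroid update` presumably writes its index files into that same directory, it is worth confirming that a run does not retrigger itself.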

22
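--- a/misc/start.sh
+++ b/misc/start.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eo pipefail
+set -a
+. "${PWD}/repo.conf"
+set +a
+docker run -it -d \
+--restart always \
+-p 80:80 \
+-v "${PWD}/data/repo:/fdroid/repo" \
+-v "${PWD}/data/metadata:/fdroid/metadata" \
+-v "${PWD}/data/keystore:/fdroid/keystore" \
+-e "FDROID_REPO_URL=${REPO_URL}" \
+-e "FDROID_REPO_NAME=${REPO_NAME}" \
+-e "FDROID_REPO_DESCRIPTION=${REPO_DESCRIPTION}" \
+-e "FDROID_KEYSTORE_PASS=${KEYSTORE_PASS}" \
+-e "FDROID_KEYSTORE_KEYPASS=${KEYSTORE_KEY_PASS}" \
+-e "FDROID_KEYSTORE_KEY_ALIAS=${KEYSTORE_KEY_ALIAS}" \
+-e "FDROID_KEYSTORE_DNAME=${KEYSTORE_DNAME}" \
+bornholm/fdroid-repository:latest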
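Review bot: The keystore passwords are expanded into the `docker run` argument list (`-e "FDROID_KEYSTORE_PASS=${KEYSTORE_PASS}"`, `-e "FDROID_KEYSTORE_KEYPASS=${KEYSTORE_KEY_PASS}"`), where other local users can read them from the process list while the command runs. Passing the variable by name keeps the value out of argv: `export FDROID_KEYSTORE_PASS="${KEYSTORE_PASS}"` before the call and a bare `-e FDROID_KEYSTORE_PASS` in it, likewise for the key password. The script also lacks `set -u`, so a key missing from repo.conf silently becomes an empty value. Finally, it starts `bornholm/fdroid-repository:latest` with `--restart always`, so the code that holds the signing key is whatever that tag points to at pull time; a digest or a version tag would make that explicit.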

34
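--- a/supervisor.ini
+++ b/supervisor.ini
@@ -0,0 +1,34 @@
+[supervisord]
+nodaemon=true
+[program:sshd]
+command = /usr/sbin/sshd -D
+directory = /fdroid
+user = root
+autostart = true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+[program:fdroid-update]
+command = inotifyd /fdroid-update.sh /fdroid/repo:w
+directory = /fdroid
+user = root
+autostart = true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+[program:darkhttpd]
+command = darkhttpd /fdroid/repo
+directory = /fdroid
+user = root
+autostart = true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0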
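Review bot: All three programs run with `user = root`, including `darkhttpd`, which is the process exposed on port 80 and shares the container with the signing keystore under /fdroid/keystore. darkhttpd can bind the port and then drop privileges on its own: `command = darkhttpd /fdroid/repo --chroot --uid nobody --gid nobody`. sshd has to start as root, but `fdroid-update` only needs access to /fdroid, so a dedicated unprivileged user for it (created in the Dockerfile, with matching ownership of config.py and the volumes) would be worth adding.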