commit 44fd9a03eb5783fe4dfe8c9c0dc63a6e07f6e7d5 Author: William Petit Date: Fri Nov 9 09:29:18 2018 +0100 Initial commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..249cda9 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/data \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..3318ade --- /dev/null +++ b/Dockerfile @@ -0,0 +1,48 @@ +FROM alpine:3.8 + +ARG HTTP_PROXY= +ARG HTTPS_PROXY= +ARG http_proxy= +ARG https_proxy= + +ARG FDROIDSERVER_VERSION=1.0.10 + +RUN apk add --no-cache \ + python3 build-base freetype-dev libffi-dev \ + libpng-dev py3-setuptools python3-dev libxml2-dev \ + libxslt-dev openssl-dev jpeg-dev java-common \ + bash supervisor openssh inotify-tools gettext openjdk8 fastjar darkhttpd + +RUN ln -s /usr/bin/fastjar /usr/bin/jar +RUN ln -s /usr/include/libxml2 /usr/include/libxml + +RUN pip3 install --upgrade pip + +RUN pip3 install fdroidserver==${FDROIDSERVER_VERSION} + +COPY supervisor.ini /etc/supervisor.d/supervisor.ini +COPY docker-entrypoint.sh /docker-entrypoint.sh +RUN chmod +x /docker-entrypoint.sh + +RUN mkdir /fdroid +WORKDIR /fdroid + +COPY config.py /fdroid/config.py.tmpl + +COPY fdroid-update.sh /fdroid-update.sh +RUN chmod +x /fdroid-update.sh + +COPY fdroid-icon.png /fdroid/fdroid-icon.png + +VOLUME /fdroid/repo +VOLUME /fdroid/metadata +VOLUME /fdroid/keystore + +EXPOSE 22 +EXPOSE 80 + +ENV FDROID_ARCHIVE_OLDER=3 +ENV FDROID_REPO_ICON=fdroid-icon.png +ENV FDROID_ARCHIVE_ICON=fdroid-icon.png + +CMD /docker-entrypoint.sh \ No newline at end of file diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..96f1be4 --- /dev/null +++ b/Makefile @@ -0,0 +1,35 @@ +build: + docker build \ + --build-arg "HTTP_PROXY=$(HTTP_PROXY)" \ + --build-arg "HTTPS_PROXY=$(HTTP_PROXY)" \ + --build-arg "http_proxy=$(http_proxy)" \ + --build-arg "https_proxy=$(https_proxy)" \ + -t fdroid-repository \ + ./ + +run: + docker run -it --rm \ + -p 2222:22 \ + -p 8080:80 \ + -v "$(PWD)/data/repo:/fdroid/repo" \ + -v "$(PWD)/data/metadata:/fdroid/metadata" \ + -v "$(PWD)/data/keystore:/fdroid/keystore" \ + -e "FDROID_REPO_URL=http://localhost:8080" \ + -e "FDROID_REPO_NAME=My local repo" \ + -e "FDROID_REPO_DESCRIPTION=My repo description" \ + -e "FDROID_KEYSTORE_PASS=mykeystorepass" \ + -e "FDROID_KEYSTORE_KEYPASS=mykeystorekeypass" \ + -e "FDROID_KEYSTORE_KEY_ALIAS=fdroidkey" \ + -e "FDROID_KEYSTORE_DNAME=CN=cadoles.com, OU=ID, O=Cadoles, L=Dijon, S=France, C=FR" \ + fdroid-repository:latest \ + $(DOCKER_CMD) + +push: + docker image tag fdroid-repository:latest bornholm/fdroid-repository:latest + docker push bornholm/fdroid-repository:latest + + +clean: + docker rmi fdroid-repository + +.PHONY: build \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..f543c9f --- /dev/null +++ b/README.md @@ -0,0 +1,15 @@ +# FDroid Repository - Docker + +Conteneur "tout en un" pour l'hébergement d'un dépôt [FDroid](https://f-droid.org/) + +## Usage + +`TODO` + +## Variables d'environnement + +|Variable|Description|Valeur par défaut| +|-|-|-| +|`FDROID_REPO_URL`| URL publique du dépôt | Vide | +|`FDROID_REPO_NAME`| Nom du dépôt | Vide | +|`FDROID_REPO_DESCRIPTION`| Description du dépôt | Vide | \ No newline at end of file diff --git a/config.py b/config.py new file mode 100644 index 0000000..c7a29e7 --- /dev/null +++ b/config.py @@ -0,0 +1,328 @@ +#!/usr/bin/env python3 + +# Copy this file to config.py, then amend the settings below according to +# your system configuration. + +# Custom path to the Android SDK, defaults to $ANDROID_HOME +# sdk_path = "$ANDROID_HOME" + +# Custom paths to various versions of the Android NDK, defaults to 'r12b' set +# to $ANDROID_NDK. Most users will have the latest at $ANDROID_NDK, which is +# used by default. If a version is missing or assigned to None, it is assumed +# not installed. +# ndk_paths = { +# 'r10e': None, +# 'r11c': None, +# 'r12b': "$ANDROID_NDK", +# 'r13b': None, +# 'r14b': None, +# 'r15c': None, +# 'r16b': None, +# 'r17b': None, +# 'r18b': None, +# } + +# Directory to store downloaded tools in (i.e. gradle versions) +# By default, these are stored in ~/.cache/fdroidserver +# cachedir = cache + +java_paths = { + '8': "/usr/lib/jvm/java-1.8-openjdk", +} + +# Build tools version to be used +# build_tools = "25.0.2" + +# Force all build to use the above version of build -tools, good for testing +# builds without having all of the possible build-tools installed. +# force_build_tools = True + +# Command or path to binary for running Ant +# ant = "ant" + +# Command or path to binary for running maven 3 +# mvn3 = "mvn" + +# Command or path to binary for running Gradle +# Defaults to using an internal gradle wrapper (gradlew-fdroid). +# gradle = "gradle" + +# Set the maximum age (in days) of an index that a client should accept from +# this repo. Setting it to 0 or not setting it at all disables this +# functionality. If you do set this to a non-zero value, you need to ensure +# that your index is updated much more frequently than the specified interval. +# The same policy is applied to the archive repo, if there is one. +# repo_maxage = 0 + +repo_url = "${FDROID_REPO_URL}" +repo_name = "${FDROID_REPO_NAME}" +repo_icon = "${FDROID_REPO_ICON}" +repo_description = """ +${FDROID_REPO_DESCRIPTION} +""" + +# As above, but for the archive repo. +# archive_older sets the number of versions kept in the main repo, with all +# older ones going to the archive. Set it to 0, and there will be no archive +# repository, and no need to define the other archive_ values. +archive_older = ${FDROID_ARCHIVE_OLDER} +archive_url = "${FDROID_ARCHIVE_URL}" +archive_name = "${FDROID_ARCHIVE_NAME}" +archive_icon = "${FDROID_ARCHIVE_ICON}" +archive_description = """ +${FDROID_ARCHIVE_DESCRIPTION} +""" + +# This allows a specific kind of insecure APK to be included in the +# 'repo' section. Since April 2017, APK signatures that use MD5 are +# no longer considered valid, jarsigner and apksigner will return an +# error when verifying. `fdroid update` will move APKs with these +# disabled signatures to the archive. This option stops that +# behavior, and lets those APKs stay part of 'repo'. +# +# allow_disabled_algorithms = True + +# Normally, all apps are collected into a single app repository, like on +# https://f-droid.org. For certain situations, it is better to make a repo +# that is made up of APKs only from a single app. For example, an automated +# build server that publishes nightly builds. +# per_app_repos = True + +# `fdroid update` will create a link to the current version of a given app. +# This provides a static path to the current APK. To disable the creation of +# this link, uncomment this: +# make_current_version_link = False + +# By default, the "current version" link will be based on the "Name" of the +# app from the metadata. You can change it to use a different field from the +# metadata here: +# current_version_name_source = 'packageName' + +# Optionally, override home directory for gpg +# gpghome = '/home/fdroid/somewhere/else/.gnupg' + +# The ID of a GPG key for making detached signatures for apks. Optional. +# gpgkey = '1DBA2E89' + +# The key (from the keystore defined below) to be used for signing the +# repository itself. This is the same name you would give to keytool or +# jarsigner using -alias. (Not needed in an unsigned repository). +repo_keyalias = "${FDROID_KEYSTORE_KEY_ALIAS}" + +# Optionally, the public key for the key defined by repo_keyalias above can +# be specified here. There is no need to do this, as the public key can and +# will be retrieved from the keystore when needed. However, specifying it +# manually can allow some processing to take place without access to the +# keystore. +# repo_pubkey = "..." + +# The keystore to use for release keys when building. This needs to be +# somewhere safe and secure, and backed up! The best way to manage these +# sensitive keys is to use a "smartcard" (aka Hardware Security Module). To +# configure F-Droid to use a smartcard, set the keystore file using the keyword +# "NONE" (i.e. keystore = "NONE"). That makes Java find the keystore on the +# smartcard based on 'smartcardoptions' below. +keystore = "/fdroid/keystore/keystore.jks" + +# You should not need to change these at all, unless you have a very +# customized setup for using smartcards in Java with keytool/jarsigner +# smartcardoptions = "-storetype PKCS11 -providerName SunPKCS11-OpenSC \ +# -providerClass sun.security.pkcs11.SunPKCS11 \ +# -providerArg opensc-fdroid.cfg" + +# The password for the keystore (at least 6 characters). If this password is +# different than the keypass below, it can be OK to store the password in this +# file for real use. But in general, sensitive passwords should not be stored +# in text files! +keystorepass = "${FDROID_KEYSTORE_PASS}" + +# The password for keys - the same is used for each auto-generated key as well +# as for the repository key. You should not normally store this password in a +# file since it is a sensitive password. +keypass = "${FDROID_KEYSTORE_KEYPASS}" + +# The distinguished name used for all keys. +keydname = "${FDROID_KEYSTORE_DNAME}" + +# Use this to override the auto-generated key aliases with specific ones +# for particular applications. Normally, just leave it empty. +# keyaliases = {} +# keyaliases['com.example.app'] = 'example' +# You can also force an app to use the same key alias as another one, using +# the @ prefix. +# keyaliases['com.example.another.plugin'] = '@com.example.another' + + +# The full path to the root of the repository. It must be specified in +# rsync/ssh format for a remote host/path. This is used for syncing a locally +# generated repo to the server that is it hosted on. It must end in the +# standard public repo name of "/fdroid", but can be in up to three levels of +# sub-directories (i.e. /var/www/packagerepos/fdroid). You can include +# multiple servers to sync to by wrapping the whole thing in {} or [], and +# including the serverwebroot strings in a comma-separated list. +# +# serverwebroot = 'user@example:/var/www/fdroid' +# serverwebroot = { +# 'foo.com:/usr/share/nginx/www/fdroid', +# 'bar.info:/var/www/fdroid', +# } + +# Uncomment this option if you want to logs of builds and other processes to +# your repository server(s). Logs get published to all servers configured in +# 'serverwebroot'. For builds, only logs from build-jobs running inside a +# buildserver VM are supported. +# +# deploy_process_logs = True + +# The full URL to a git remote repository. You can include +# multiple servers to mirror to by wrapping the whole thing in {} or [], and +# including the servergitmirrors strings in a comma-separated list. +# Servers listed here will also be automatically inserted in the mirrors list. +# +# servergitmirrors = 'https://github.com/user/repo' +# servergitmirrors = { +# 'https://github.com/user/repo', +# 'https://gitlab.com/user/repo', +# } + +# Any mirrors of this repo, for example all of the servers declared in +# serverwebroot and all the servers declared in servergitmirrors, +# will automatically be used by the client. If one +# mirror is not working, then the client will try another. If the +# client has Tor enabled, then the client will prefer mirrors with +# .onion addresses. This base URL will be used for both the main repo +# and the archive, if it is enabled. So these URLs should end in the +# 'fdroid' base of the F-Droid part of the web server like serverwebroot. +# +# mirrors = ( +# 'https://foo.bar/fdroid', +# 'http://foobarfoobarfoobar.onion/fdroid', +# ) + +# optionally specify which identity file to use when using rsync or git over SSH +# +# identity_file = '~/.ssh/fdroid_id_rsa' + + +# If you are running the repo signing process on a completely offline machine, +# which provides the best security, then you can specify a folder to sync the +# repo to when running `fdroid server update`. This is most likely going to +# be a USB thumb drive, SD Card, or some other kind of removable media. Make +# sure it is mounted before running `fdroid server update`. Using the +# standard folder called 'fdroid' as the specified folder is recommended, like +# with serverwebroot. +# +# local_copy_dir = '/media/MyUSBThumbDrive/fdroid' + + +# If you are using local_copy_dir on an offline build/signing server, once the +# thumb drive has been plugged into the online machine, it will need to be +# synced to the copy on the online machine. To make that happen +# automatically, set sync_from_local_copy_dir to True: +# +# sync_from_local_copy_dir = True + + +# To upload the repo to an Amazon S3 bucket using `fdroid server +# update`. Warning, this deletes and recreates the whole fdroid/ +# directory each time. This prefers s3cmd, but can also use +# apache-libcloud. To customize how s3cmd interacts with the cloud +# provider, create a 's3cfg' file next to this file (config.py), and +# those settings will be used instead of any 'aws' variable below. +# +# awsbucket = 'myawsfdroid' +# awsaccesskeyid = 'SEE0CHAITHEIMAUR2USA' +# awssecretkey = 'yourverysecretkeywordpassphraserighthere' + + +# If you want to force 'fdroid server' to use a non-standard serverwebroot. +# This will allow you to have 'serverwebroot' entries which do not end in +# '/fdroid'. (Please note that some client features expect repository URLs +# to end in '/fdroid/repo'.) +# +# nonstandardwebroot = False + + +# If you want to upload the release apk file to androidobservatory.org +# +# androidobservatory = False + + +# If you want to upload the release apk file to virustotal.com +# You have to enter your profile apikey to enable the upload. +# +# virustotal_apikey = "virustotal_apikey" + + +# The build logs can be posted to a mediawiki instance, like on f-droid.org. +# wiki_protocol = "http" +# wiki_server = "server" +# wiki_path = "/wiki/" +# wiki_user = "login" +# wiki_password = "1234" + +# Keep a log of all generated index files in a git repo to provide a +# "binary transparency" log for anyone to check the history of the +# binaries that are published. This is in the form of a "git remote", +# which this machine where `fdroid update` is run has already been +# configured to allow push access (e.g. ssh key, username/password, etc) +# binary_transparency_remote = "git@gitlab.com:fdroid/binary-transparency-log.git" + +# Only set this to true when running a repository where you want to generate +# stats, and only then on the master build servers, not a development +# machine. If you want to keep the "added" and "last updated" dates for each +# app and APK in your repo, then you should enable this. +# update_stats = True + +# When used with stats, this is a list of IP addresses that are ignored for +# calculation purposes. +# stats_ignore = [] + +# Server stats logs are retrieved from. Required when update_stats is True. +# stats_server = "example.com" + +# User stats logs are retrieved from. Required when update_stats is True. +# stats_user = "bob" + +# Use the following to push stats to a Carbon instance: +# stats_to_carbon = False +# carbon_host = '0.0.0.0' +# carbon_port = 2003 + +# Set this to true to always use a build server. This saves specifying the +# --server option on dedicated secure build server hosts. +# build_server_always = True + +# By default, fdroid will use YAML .yml and the custom .txt metadata formats. It +# is also possible to have metadata in JSON by adding 'json'. +# accepted_formats = ('txt', 'yml') + +# Limit in number of characters that fields can take up +# Only the fields listed here are supported, defaults shown +# char_limits = { +# 'author': 256, +# 'name': 30, +# 'summary': 80, +# 'description': 4000, +# 'video': 256, +# 'whatsNew': 500, +# } + +# It is possible for the server operator to specify lists of apps that +# must be installed or uninstalled on the client (aka "push installs). +# If the user has opted in, or the device is already setup to respond +# to these requests, then F-Droid will automatically install/uninstall +# the packageNames listed. This is protected by the same signing key +# as the app index metadata. +# +# install_list = ( +# 'at.bitfire.davdroid', +# 'com.fsck.k9', +# 'us.replicant', +# ) +# +# uninstall_list = ( +# 'com.facebook.orca', +# 'com.android.vending', +# ) +keytool = "/usr/bin/keytool" \ No newline at end of file diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh new file mode 100644 index 0000000..a2d0b3d --- /dev/null +++ b/docker-entrypoint.sh @@ -0,0 +1,30 @@ +#!/bin/bash + +set -xeo pipefail + +if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then + echo "Generating SSH key..." + sed -i "s/^#HostKey.*$/HostKey \/etc\/ssh\/ssh_host_rsa_key/" /etc/ssh/sshd_config + ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa +fi + +mkdir -p /root/.ssh +echo "${SSH_RSA_PUBLIC_KEY}" > /root/.ssh/authorized_keys + +if [ ! -f /fdroid/keystore/keystore.jks ]; then + keytool -genkey -noprompt \ + -keyalg RSA \ + -alias "${FDROID_KEYSTORE_KEY_ALIAS}" \ + -dname "${FDROID_KEYSTORE_DNAME}" \ + -keystore /fdroid/keystore/keystore.jks \ + -storepass "${FDROID_KEYSTORE_PASS}" \ + -keypass "${FDROID_KEYSTORE_KEYPASS}" +fi + +echo "Updating configuration from environment..." +envsubst < config.py.tmpl > config.py +chmod 0600 config.py + +/fdroid-update.sh + +/usr/bin/supervisord \ No newline at end of file diff --git a/fdroid-icon.png b/fdroid-icon.png new file mode 100644 index 0000000..0c0d417 Binary files /dev/null and b/fdroid-icon.png differ diff --git a/fdroid-update.sh b/fdroid-update.sh new file mode 100644 index 0000000..034874f --- /dev/null +++ b/fdroid-update.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +fdroid update -c --rename-apks --clean +fdroid update --rename-apks --clean \ No newline at end of file diff --git a/misc/start.sh b/misc/start.sh new file mode 100644 index 0000000..8dcbb28 --- /dev/null +++ b/misc/start.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +set -eo pipefail + +set -a +. "${PWD}/repo.conf" +set +a + +docker run -it -d \ + --restart always \ + -p 80:80 \ + -v "${PWD}/data/repo:/fdroid/repo" \ + -v "${PWD}/data/metadata:/fdroid/metadata" \ + -v "${PWD}/data/keystore:/fdroid/keystore" \ + -e "FDROID_REPO_URL=${REPO_URL}" \ + -e "FDROID_REPO_NAME=${REPO_NAME}" \ + -e "FDROID_REPO_DESCRIPTION=${REPO_DESCRIPTION}" \ + -e "FDROID_KEYSTORE_PASS=${KEYSTORE_PASS}" \ + -e "FDROID_KEYSTORE_KEYPASS=${KEYSTORE_KEY_PASS}" \ + -e "FDROID_KEYSTORE_KEY_ALIAS=${KEYSTORE_KEY_ALIAS}" \ + -e "FDROID_KEYSTORE_DNAME=${KEYSTORE_DNAME}" \ + bornholm/fdroid-repository:latest \ No newline at end of file diff --git a/supervisor.ini b/supervisor.ini new file mode 100644 index 0000000..a74aaf2 --- /dev/null +++ b/supervisor.ini @@ -0,0 +1,34 @@ +[supervisord] +nodaemon=true + +[program:sshd] +command = /usr/sbin/sshd -D +directory = /fdroid +user = root +autostart = true +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 + + +[program:fdroid-update] +command = inotifyd /fdroid-update.sh /fdroid/repo:w +directory = /fdroid +user = root +autostart = true +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 + +[program:darkhttpd] +command = darkhttpd /fdroid/repo +directory = /fdroid +user = root +autostart = true +stdout_logfile=/dev/stdout +stdout_logfile_maxbytes=0 +stderr_logfile=/dev/stderr +stderr_logfile_maxbytes=0 +