Use dedicated users to run services
This commit is contained in:
parent
516d4899b4
commit
7d7f4ccfc2
|
|
@ -0,0 +1 @@
|
|||
/data
|
||||
17
Dockerfile
17
Dockerfile
|
|
@ -4,7 +4,6 @@ ARG HTTP_PROXY=
|
|||
ARG HTTPS_PROXY=
|
||||
ARG http_proxy=
|
||||
ARG https_proxy=
|
||||
|
||||
ARG FDROIDSERVER_VERSION=1.0.10
|
||||
|
||||
RUN apk add --no-cache \
|
||||
|
|
@ -20,6 +19,8 @@ RUN pip3 install --upgrade pip
|
|||
|
||||
RUN pip3 install fdroidserver==${FDROIDSERVER_VERSION}
|
||||
|
||||
RUN apk del build-base
|
||||
|
||||
COPY supervisor.ini /etc/supervisor.d/supervisor.ini
|
||||
COPY docker-entrypoint.sh /docker-entrypoint.sh
|
||||
RUN chmod +x /docker-entrypoint.sh
|
||||
|
|
@ -29,8 +30,8 @@ WORKDIR /fdroid
|
|||
|
||||
COPY config.py /fdroid/config.py.tmpl
|
||||
|
||||
COPY fdroid-update.sh /fdroid-update.sh
|
||||
RUN chmod +x /fdroid-update.sh
|
||||
COPY fdroid-update.sh /fdroid/fdroid-update.sh
|
||||
RUN chmod +x /fdroid/fdroid-update.sh
|
||||
|
||||
COPY fdroid-icon.png /fdroid/fdroid-icon.png
|
||||
|
||||
|
|
@ -38,11 +39,17 @@ VOLUME /fdroid/repo
|
|||
VOLUME /fdroid/metadata
|
||||
VOLUME /fdroid/keystore
|
||||
|
||||
EXPOSE 22
|
||||
EXPOSE 80
|
||||
EXPOSE 2222
|
||||
EXPOSE 8080
|
||||
|
||||
ENV FDROID_ARCHIVE_OLDER=3
|
||||
ENV FDROID_REPO_ICON=fdroid-icon.png
|
||||
ENV FDROID_ARCHIVE_ICON=fdroid-icon.png
|
||||
|
||||
RUN sed -i "s/^#HostKey.*$/HostKey \/fdroid\/ssh_host_rsa_key/" /etc/ssh/sshd_config
|
||||
RUN sed -i "s/^#Port.*$/Port 2222/" /etc/ssh/sshd_config
|
||||
|
||||
RUN addgroup -S fdroid && adduser -D -h /fdroid -s /bin/bash -G fdroid fdroid
|
||||
RUN chown -R fdroid: /fdroid
|
||||
|
||||
CMD /docker-entrypoint.sh
|
||||
7
Makefile
7
Makefile
|
|
@ -1,3 +1,5 @@
|
|||
SSH_PUBLIC_KEY := $(shell cat ~/.ssh/id_rsa.pub)
|
||||
|
||||
build:
|
||||
docker build \
|
||||
--build-arg "HTTP_PROXY=$(HTTP_PROXY)" \
|
||||
|
|
@ -9,8 +11,8 @@ build:
|
|||
|
||||
run:
|
||||
docker run -it --rm \
|
||||
-p 2222:22 \
|
||||
-p 8080:80 \
|
||||
-p 2222:2222 \
|
||||
-p 8080:8080 \
|
||||
-v "$(PWD)/data/repo:/fdroid/repo" \
|
||||
-v "$(PWD)/data/metadata:/fdroid/metadata" \
|
||||
-v "$(PWD)/data/keystore:/fdroid/keystore" \
|
||||
|
|
@ -20,6 +22,7 @@ run:
|
|||
-e "FDROID_KEYSTORE_PASS=mykeystorepass" \
|
||||
-e "FDROID_KEYSTORE_KEYPASS=mykeystorekeypass" \
|
||||
-e "FDROID_KEYSTORE_KEY_ALIAS=fdroidkey" \
|
||||
-e "SSH_PUBLIC_KEY=$(SSH_PUBLIC_KEY)" \
|
||||
-e "FDROID_KEYSTORE_DNAME=CN=cadoles.com, OU=ID, O=Cadoles, L=Dijon, S=France, C=FR" \
|
||||
fdroid-repository:latest \
|
||||
$(DOCKER_CMD)
|
||||
|
|
|
|||
|
|
@ -2,14 +2,15 @@
|
|||
|
||||
set -xeo pipefail
|
||||
|
||||
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
|
||||
echo "Generating SSH key..."
|
||||
sed -i "s/^#HostKey.*$/HostKey \/etc\/ssh\/ssh_host_rsa_key/" /etc/ssh/sshd_config
|
||||
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
|
||||
if [ ! -f /fdroid/ssh_host_rsa_key ]; then
|
||||
echo "Generating host SSH key..."
|
||||
ssh-keygen -f /fdroid/ssh_host_rsa_key -N '' -t rsa
|
||||
chown fdroid: /fdroid/ssh_host_rsa_key
|
||||
fi
|
||||
|
||||
mkdir -p /root/.ssh
|
||||
echo "${SSH_RSA_PUBLIC_KEY}" > /root/.ssh/authorized_keys
|
||||
mkdir -p /fdroid/.ssh
|
||||
echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys
|
||||
chmod 0600 /fdroid/.ssh/authorized_keys
|
||||
|
||||
if [ ! -f /fdroid/keystore/keystore.jks ]; then
|
||||
keytool -genkey -noprompt \
|
||||
|
|
@ -25,6 +26,8 @@ echo "Updating configuration from environment..."
|
|||
envsubst < config.py.tmpl > config.py
|
||||
chmod 0600 config.py
|
||||
|
||||
/fdroid-update.sh
|
||||
chown -R fdroid: /fdroid
|
||||
|
||||
/usr/bin/supervisord
|
||||
su - fdroid /fdroid/fdroid-update.sh
|
||||
|
||||
/usr/bin/supervisord -c /etc/supervisor.d/supervisor.ini
|
||||
|
|
@ -1,4 +1,13 @@
|
|||
#!/bin/bash
|
||||
|
||||
fdroid update -c --rename-apks --clean
|
||||
fdroid update --rename-apks --clean
|
||||
set -eo pipefail
|
||||
|
||||
EVENT=$1
|
||||
DIR=$2
|
||||
FILE=$3
|
||||
|
||||
if [ -z "$FILE" ] || [[ "$FILE" == *.apk ]]; then
|
||||
fdroid update -c --rename-apks --clean --use-date-from-apk
|
||||
fdroid update --rename-apks --clean --use-date-from-apk
|
||||
fi
|
||||
|
||||
|
|
|
|||
|
|
@ -8,7 +8,8 @@ set +a
|
|||
|
||||
docker run -it -d \
|
||||
--restart always \
|
||||
-p 80:80 \
|
||||
-p 80:8080 \
|
||||
-p 2222:2222 \
|
||||
-v "${PWD}/data/repo:/fdroid/repo" \
|
||||
-v "${PWD}/data/metadata:/fdroid/metadata" \
|
||||
-v "${PWD}/data/keystore:/fdroid/keystore" \
|
||||
|
|
@ -19,4 +20,5 @@ docker run -it -d \
|
|||
-e "FDROID_KEYSTORE_KEYPASS=${KEYSTORE_KEY_PASS}" \
|
||||
-e "FDROID_KEYSTORE_KEY_ALIAS=${KEYSTORE_KEY_ALIAS}" \
|
||||
-e "FDROID_KEYSTORE_DNAME=${KEYSTORE_DNAME}" \
|
||||
-e "SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY}" \
|
||||
bornholm/fdroid-repository:latest
|
||||
|
|
@ -1,10 +1,11 @@
|
|||
[supervisord]
|
||||
nodaemon=true
|
||||
user=root
|
||||
|
||||
[program:sshd]
|
||||
command = /usr/sbin/sshd -D
|
||||
directory = /fdroid
|
||||
user = root
|
||||
user = fdroid
|
||||
autostart = true
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
|
|
@ -13,9 +14,9 @@ stderr_logfile_maxbytes=0
|
|||
|
||||
|
||||
[program:fdroid-update]
|
||||
command = inotifyd /fdroid-update.sh /fdroid/repo:w
|
||||
command = inotifyd /fdroid/fdroid-update.sh /fdroid/repo:w
|
||||
directory = /fdroid
|
||||
user = root
|
||||
user = fdroid
|
||||
autostart = true
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
|
|
@ -23,9 +24,9 @@ stderr_logfile=/dev/stderr
|
|||
stderr_logfile_maxbytes=0
|
||||
|
||||
[program:darkhttpd]
|
||||
command = darkhttpd /fdroid/repo
|
||||
command = darkhttpd /fdroid/repo --port 8080
|
||||
directory = /fdroid
|
||||
user = root
|
||||
user = fdroid
|
||||
autostart = true
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
|
|
|
|||
Loading…
Reference in New Issue