Use dedicated users to run services
This commit is contained in:
parent
516d4899b4
commit
7d7f4ccfc2
|
@ -0,0 +1 @@
|
||||||
|
/data
|
17
Dockerfile
17
Dockerfile
|
@ -4,7 +4,6 @@ ARG HTTP_PROXY=
|
||||||
ARG HTTPS_PROXY=
|
ARG HTTPS_PROXY=
|
||||||
ARG http_proxy=
|
ARG http_proxy=
|
||||||
ARG https_proxy=
|
ARG https_proxy=
|
||||||
|
|
||||||
ARG FDROIDSERVER_VERSION=1.0.10
|
ARG FDROIDSERVER_VERSION=1.0.10
|
||||||
|
|
||||||
RUN apk add --no-cache \
|
RUN apk add --no-cache \
|
||||||
|
@ -20,6 +19,8 @@ RUN pip3 install --upgrade pip
|
||||||
|
|
||||||
RUN pip3 install fdroidserver==${FDROIDSERVER_VERSION}
|
RUN pip3 install fdroidserver==${FDROIDSERVER_VERSION}
|
||||||
|
|
||||||
|
RUN apk del build-base
|
||||||
|
|
||||||
COPY supervisor.ini /etc/supervisor.d/supervisor.ini
|
COPY supervisor.ini /etc/supervisor.d/supervisor.ini
|
||||||
COPY docker-entrypoint.sh /docker-entrypoint.sh
|
COPY docker-entrypoint.sh /docker-entrypoint.sh
|
||||||
RUN chmod +x /docker-entrypoint.sh
|
RUN chmod +x /docker-entrypoint.sh
|
||||||
|
@ -29,8 +30,8 @@ WORKDIR /fdroid
|
||||||
|
|
||||||
COPY config.py /fdroid/config.py.tmpl
|
COPY config.py /fdroid/config.py.tmpl
|
||||||
|
|
||||||
COPY fdroid-update.sh /fdroid-update.sh
|
COPY fdroid-update.sh /fdroid/fdroid-update.sh
|
||||||
RUN chmod +x /fdroid-update.sh
|
RUN chmod +x /fdroid/fdroid-update.sh
|
||||||
|
|
||||||
COPY fdroid-icon.png /fdroid/fdroid-icon.png
|
COPY fdroid-icon.png /fdroid/fdroid-icon.png
|
||||||
|
|
||||||
|
@ -38,11 +39,17 @@ VOLUME /fdroid/repo
|
||||||
VOLUME /fdroid/metadata
|
VOLUME /fdroid/metadata
|
||||||
VOLUME /fdroid/keystore
|
VOLUME /fdroid/keystore
|
||||||
|
|
||||||
EXPOSE 22
|
EXPOSE 2222
|
||||||
EXPOSE 80
|
EXPOSE 8080
|
||||||
|
|
||||||
ENV FDROID_ARCHIVE_OLDER=3
|
ENV FDROID_ARCHIVE_OLDER=3
|
||||||
ENV FDROID_REPO_ICON=fdroid-icon.png
|
ENV FDROID_REPO_ICON=fdroid-icon.png
|
||||||
ENV FDROID_ARCHIVE_ICON=fdroid-icon.png
|
ENV FDROID_ARCHIVE_ICON=fdroid-icon.png
|
||||||
|
|
||||||
|
RUN sed -i "s/^#HostKey.*$/HostKey \/fdroid\/ssh_host_rsa_key/" /etc/ssh/sshd_config
|
||||||
|
RUN sed -i "s/^#Port.*$/Port 2222/" /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
RUN addgroup -S fdroid && adduser -D -h /fdroid -s /bin/bash -G fdroid fdroid
|
||||||
|
RUN chown -R fdroid: /fdroid
|
||||||
|
|
||||||
CMD /docker-entrypoint.sh
|
CMD /docker-entrypoint.sh
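Review bot: The HostKey rewrite `RUN sed -i "s/^#HostKey.*$/HostKey \/fdroid\/ssh_host_rsa_key/" /etc/ssh/sshd_config` substitutes every commented `#HostKey` line, and a stock sshd_config typically carries three (rsa, ecdsa, ed25519), so the file ends up with the same directive repeated; sshd appears to tolerate that, but the intent is one key, and appending a single directive is clearer: `RUN printf 'HostKey /fdroid/ssh_host_rsa_key\nPort 2222\n' >> /etc/ssh/sshd_config` in place of the two sed lines (keep it ahead of any `Match` block, since directives after one are scoped to it). `RUN chown -R fdroid: /fdroid` also runs after the three `VOLUME` declarations, and Docker discards build-time changes under a declared volume path, so the ownership of /fdroid/repo, /fdroid/metadata and /fdroid/keystore in the image is not what this line sets — the runtime `chown -R` in docker-entrypoint.sh is what actually makes them writable by fdroid, which deserves a comment here so nobody later removes it. The host key now lives under /fdroid, which is not a volume, so it is regenerated each time the container is recreated and upload clients see a changed host key; either persist it in one of the mounted paths or document the churn.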
|
7
Makefile
7
Makefile
|
@ -1,3 +1,5 @@
|
||||||
|
SSH_PUBLIC_KEY := $(shell cat ~/.ssh/id_rsa.pub)
|
||||||
|
|
||||||
build:
|
build:
|
||||||
docker build \
|
docker build \
|
||||||
--build-arg "HTTP_PROXY=$(HTTP_PROXY)" \
|
--build-arg "HTTP_PROXY=$(HTTP_PROXY)" \
|
||||||
|
@ -9,8 +11,8 @@ build:
|
||||||
|
|
||||||
run:
|
run:
|
||||||
docker run -it --rm \
|
docker run -it --rm \
|
||||||
-p 2222:22 \
|
-p 2222:2222 \
|
||||||
-p 8080:80 \
|
-p 8080:8080 \
|
||||||
-v "$(PWD)/data/repo:/fdroid/repo" \
|
-v "$(PWD)/data/repo:/fdroid/repo" \
|
||||||
-v "$(PWD)/data/metadata:/fdroid/metadata" \
|
-v "$(PWD)/data/metadata:/fdroid/metadata" \
|
||||||
-v "$(PWD)/data/keystore:/fdroid/keystore" \
|
-v "$(PWD)/data/keystore:/fdroid/keystore" \
|
||||||
|
@ -20,6 +22,7 @@ run:
|
||||||
-e "FDROID_KEYSTORE_PASS=mykeystorepass" \
|
-e "FDROID_KEYSTORE_PASS=mykeystorepass" \
|
||||||
-e "FDROID_KEYSTORE_KEYPASS=mykeystorekeypass" \
|
-e "FDROID_KEYSTORE_KEYPASS=mykeystorekeypass" \
|
||||||
-e "FDROID_KEYSTORE_KEY_ALIAS=fdroidkey" \
|
-e "FDROID_KEYSTORE_KEY_ALIAS=fdroidkey" \
|
||||||
|
-e "SSH_PUBLIC_KEY=$(SSH_PUBLIC_KEY)" \
|
||||||
-e "FDROID_KEYSTORE_DNAME=CN=cadoles.com, OU=ID, O=Cadoles, L=Dijon, S=France, C=FR" \
|
-e "FDROID_KEYSTORE_DNAME=CN=cadoles.com, OU=ID, O=Cadoles, L=Dijon, S=France, C=FR" \
|
||||||
fdroid-repository:latest \
|
fdroid-repository:latest \
|
||||||
$(DOCKER_CMD)
|
$(DOCKER_CMD)
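Review bot: `SSH_PUBLIC_KEY := $(shell cat ~/.ssh/id_rsa.pub)` runs at parse time for every invocation, including `make build`, which does not need it, and when the file is missing `cat` only prints an error while the variable silently becomes empty; the `run` target then passes an empty `SSH_PUBLIC_KEY` into the container, which writes an empty authorized_keys and SSH logins fail with no hint why. Silence the parse-time noise and fail fast where it matters: `SSH_PUBLIC_KEY := $(shell cat ~/.ssh/id_rsa.pub 2>/dev/null)` at the top, and as the first recipe line of `run`, `@test -n '$(SSH_PUBLIC_KEY)' || { echo 'SSH_PUBLIC_KEY is empty: no ~/.ssh/id_rsa.pub, pass SSH_PUBLIC_KEY=... on the command line' >&2; exit 1; }`. Because `:=` is a file assignment, `make run SSH_PUBLIC_KEY="$$(cat ~/.ssh/id_ed25519.pub)"` already overrides it, so a one-line comment above the assignment saying that id_rsa is only the default would save users with other key types a search. The `run` target's recipe continues outside the last hunk.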
|
||||||
|
|
|
@ -2,14 +2,15 @@
|
||||||
|
|
||||||
set -xeo pipefail
|
set -xeo pipefail
|
||||||
|
|
||||||
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
|
if [ ! -f /fdroid/ssh_host_rsa_key ]; then
|
||||||
echo "Generating SSH key..."
|
echo "Generating host SSH key..."
|
||||||
sed -i "s/^#HostKey.*$/HostKey \/etc\/ssh\/ssh_host_rsa_key/" /etc/ssh/sshd_config
|
ssh-keygen -f /fdroid/ssh_host_rsa_key -N '' -t rsa
|
||||||
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
|
chown fdroid: /fdroid/ssh_host_rsa_key
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -p /root/.ssh
|
mkdir -p /fdroid/.ssh
|
||||||
echo "${SSH_RSA_PUBLIC_KEY}" > /root/.ssh/authorized_keys
|
echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys
|
||||||
|
chmod 0600 /fdroid/.ssh/authorized_keys
|
||||||
|
|
||||||
if [ ! -f /fdroid/keystore/keystore.jks ]; then
|
if [ ! -f /fdroid/keystore/keystore.jks ]; then
|
||||||
keytool -genkey -noprompt \
|
keytool -genkey -noprompt \
|
||||||
|
@ -25,6 +26,8 @@ echo "Updating configuration from environment..."
|
||||||
envsubst < config.py.tmpl > config.py
|
envsubst < config.py.tmpl > config.py
|
||||||
chmod 0600 config.py
|
chmod 0600 config.py
|
||||||
|
|
||||||
/fdroid-update.sh
|
chown -R fdroid: /fdroid
|
||||||
|
|
||||||
/usr/bin/supervisord
|
su - fdroid /fdroid/fdroid-update.sh
|
||||||
|
|
||||||
|
/usr/bin/supervisord -c /etc/supervisor.d/supervisor.ini
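Review bot: The new last line `/usr/bin/supervisord -c /etc/supervisor.d/supervisor.ini` starts supervisord as a child of the entrypoint shell, so bash stays PID 1 and the SIGTERM from `docker stop` is not forwarded to supervisord or to sshd/inotifyd/darkhttpd, which are then killed after the stop timeout; `exec /usr/bin/supervisord -c /etc/supervisor.d/supervisor.ini` hands PID 1 over so the services shut down cleanly. `echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys` writes the file even when the variable is unset, leaving a single blank line and an sshd that rejects every key with nothing in the log to explain it; a guard such as `: "${SSH_PUBLIC_KEY:?SSH_PUBLIC_KEY must be set}"` before the write surfaces the misconfiguration at startup. `su - fdroid /fdroid/fdroid-update.sh` relies on BusyBox su treating trailing arguments as a script for the login shell, which works on the current base image; `su - fdroid -c /fdroid/fdroid-update.sh` is the spelling that keeps working if su is ever replaced, and a short comment that the updater must run as fdroid because it writes into the repo (owned by fdroid after the `chown -R`) would explain the `su`.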
|
|
@ -1,4 +1,13 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
fdroid update -c --rename-apks --clean
|
set -eo pipefail
|
||||||
fdroid update --rename-apks --clean
|
|
||||||
|
EVENT=$1
|
||||||
|
DIR=$2
|
||||||
|
FILE=$3
|
||||||
|
|
||||||
|
if [ -z "$FILE" ] || [[ "$FILE" == *.apk ]]; then
|
||||||
|
fdroid update -c --rename-apks --clean --use-date-from-apk
|
||||||
|
fdroid update --rename-apks --clean --use-date-from-apk
|
||||||
|
fi
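Review bot: Nothing serialises concurrent runs: inotifyd spawns this script once per close-write event on /fdroid/repo, so two APKs landing close together start two overlapping `fdroid update` passes over the same repo and index, and the final index/signature state is whichever pass finishes last. If the image's BusyBox provides `flock` (it usually does on Alpine), re-executing under a lock at the top, `[ "${FDROID_UPDATE_LOCKED:-}" ] || FDROID_UPDATE_LOCKED=1 exec flock /fdroid/.update.lock "$0" "$@"`, makes the passes run one after another. `EVENT` and `DIR` are assigned but never read; either drop them or add a comment that the three positional parameters follow inotifyd's `events watched-path subfile` convention, so the next reader knows why `$3` is the filename and why an empty `$3` (the direct call from the entrypoint) means "update everything". Running `fdroid update -c` and then `fdroid update` back-to-back looks intentional (metadata skeletons first, then the real index); a one-line comment saying so would prevent someone from "deduplicating" it.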
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,8 @@ set +a
|
||||||
|
|
||||||
docker run -it -d \
|
docker run -it -d \
|
||||||
--restart always \
|
--restart always \
|
||||||
-p 80:80 \
|
-p 80:8080 \
|
||||||
|
-p 2222:2222 \
|
||||||
-v "${PWD}/data/repo:/fdroid/repo" \
|
-v "${PWD}/data/repo:/fdroid/repo" \
|
||||||
-v "${PWD}/data/metadata:/fdroid/metadata" \
|
-v "${PWD}/data/metadata:/fdroid/metadata" \
|
||||||
-v "${PWD}/data/keystore:/fdroid/keystore" \
|
-v "${PWD}/data/keystore:/fdroid/keystore" \
|
||||||
|
@ -19,4 +20,5 @@ docker run -it -d \
|
||||||
-e "FDROID_KEYSTORE_KEYPASS=${KEYSTORE_KEY_PASS}" \
|
-e "FDROID_KEYSTORE_KEYPASS=${KEYSTORE_KEY_PASS}" \
|
||||||
-e "FDROID_KEYSTORE_KEY_ALIAS=${KEYSTORE_KEY_ALIAS}" \
|
-e "FDROID_KEYSTORE_KEY_ALIAS=${KEYSTORE_KEY_ALIAS}" \
|
||||||
-e "FDROID_KEYSTORE_DNAME=${KEYSTORE_DNAME}" \
|
-e "FDROID_KEYSTORE_DNAME=${KEYSTORE_DNAME}" \
|
||||||
|
-e "SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY}" \
|
||||||
bornholm/fdroid-repository:latest
|
bornholm/fdroid-repository:latest
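Review bot: `-e "SSH_PUBLIC_KEY=${SSH_PUBLIC_KEY}"` passes an empty value when the variable is absent from the sourced environment (the `set +a` in the hunk context suggests it is loaded from a file), and nothing in this script checks for it, so the container starts with an empty authorized_keys and uploads silently stop working; `${SSH_PUBLIC_KEY:?SSH_PUBLIC_KEY is not set}` on that line aborts the script instead. The new `-p 2222:2222` publishes on all host interfaces a daemon that accepts key logins to the account owning the repo and keystore; if uploads come from a known host or over a tunnel, `-p 127.0.0.1:2222:2222` (or the specific interface) limits the exposure, and either way a comment stating who is expected to reach that port would document the intent. The `docker run` command continues past the first hunk and its options are split across two hunks; review both together.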
|
|
@ -1,10 +1,11 @@
|
||||||
[supervisord]
|
[supervisord]
|
||||||
nodaemon=true
|
nodaemon=true
|
||||||
|
user=root
|
||||||
|
|
||||||
[program:sshd]
|
[program:sshd]
|
||||||
command = /usr/sbin/sshd -D
|
command = /usr/sbin/sshd -D
|
||||||
directory = /fdroid
|
directory = /fdroid
|
||||||
user = root
|
user = fdroid
|
||||||
autostart = true
|
autostart = true
|
||||||
stdout_logfile=/dev/stdout
|
stdout_logfile=/dev/stdout
|
||||||
stdout_logfile_maxbytes=0
|
stdout_logfile_maxbytes=0
|
||||||
|
@ -13,9 +14,9 @@ stderr_logfile_maxbytes=0
|
||||||
|
|
||||||
|
|
||||||
[program:fdroid-update]
|
[program:fdroid-update]
|
||||||
command = inotifyd /fdroid-update.sh /fdroid/repo:w
|
command = inotifyd /fdroid/fdroid-update.sh /fdroid/repo:w
|
||||||
directory = /fdroid
|
directory = /fdroid
|
||||||
user = root
|
user = fdroid
|
||||||
autostart = true
|
autostart = true
|
||||||
stdout_logfile=/dev/stdout
|
stdout_logfile=/dev/stdout
|
||||||
stdout_logfile_maxbytes=0
|
stdout_logfile_maxbytes=0
|
||||||
|
@ -23,9 +24,9 @@ stderr_logfile=/dev/stderr
|
||||||
stderr_logfile_maxbytes=0
|
stderr_logfile_maxbytes=0
|
||||||
|
|
||||||
[program:darkhttpd]
|
[program:darkhttpd]
|
||||||
command = darkhttpd /fdroid/repo
|
command = darkhttpd /fdroid/repo --port 8080
|
||||||
directory = /fdroid
|
directory = /fdroid
|
||||||
user = root
|
user = fdroid
|
||||||
autostart = true
|
autostart = true
|
||||||
stdout_logfile=/dev/stdout
|
stdout_logfile=/dev/stdout
|
||||||
stdout_logfile_maxbytes=0
|
stdout_logfile_maxbytes=0
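Review bot: `user = fdroid` under `[program:darkhttpd]` puts the network-facing HTTP server in the same account that owns /fdroid/keystore and the config.py holding the keystore passwords (the entrypoint chowns both to fdroid), so a flaw in darkhttpd would expose the signing material; the dedicated-users goal of this commit is better served by a separate read-only account for the web server, e.g. `user = nobody` with /fdroid/repo left world-readable, keeping fdroid for sshd and the updater only. Starting `/usr/sbin/sshd -D` as fdroid means sshd runs without privilege separation and, as far as I can tell, only accepts logins for that same account, which matches the intent but deserves a comment on the block; it may also complain about writing /var/run/sshd.pid, which `PidFile none` in sshd_config silences. Unless a syslog daemon runs in the container (none is visible in the Dockerfile), sshd's authentication log lines are lost; `command = /usr/sbin/sshd -D -e` sends them to stderr, which this block already forwards to /dev/stderr, so failed login attempts become visible in `docker logs`. `user=root` under `[supervisord]` is the default and can be dropped.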
|
||||||
|
|