diff --git a/Caddyfile b/Caddyfile deleted file mode 100644 index aa81133..0000000 --- a/Caddyfile +++ /dev/null @@ -1,5 +0,0 @@ -{$FDROID_REPO_HOST} -gzip -log stdout -browse -tls {$FDROID_REPO_EMAIL} \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 42ebafc..ffcc6a5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,42 +1,52 @@ -FROM alpine:3.9 +FROM reg.cadoles.com/proxy_cache/library/alpine:3.19 as build -ARG HTTP_PROXY= -ARG HTTPS_PROXY= -ARG http_proxy= -ARG https_proxy= -ARG FDROIDSERVER_VERSION=1.0.10 -ARG TIMEZONE=Europe/Paris +ARG FDROIDSERVER_VERSION=2.2 ARG CRYPTOGRAPHY_DONT_BUILD_RUST=1 RUN apk add --no-cache \ - python3 build-base freetype-dev libffi-dev \ + python3 py3-pip build-base freetype-dev libffi-dev \ libpng-dev py3-setuptools python3-dev libxml2-dev \ - libxslt-dev openssl-dev jpeg-dev java-common \ + libxslt-dev openssl-dev jpeg-dev py3-qt5 + +RUN python3 -m venv --system-site-packages /fdroid + +RUN . /fdroid/bin/activate \ + && pip3 install --no-cache-dir androguard==3.3.5 frida-tools==10.8.0 fdroidserver==${FDROIDSERVER_VERSION} + +FROM reg.cadoles.com/proxy_cache/library/alpine:3.19 as runtime + +ARG TIMEZONE=Europe/Paris + +RUN apk add --no-cache \ + python3 openjdk8 java-common \ bash supervisor openssh inotify-tools gettext \ - openjdk8 fastjar caddy tzdata + fastjar caddy tzdata git wget gcompat rsync RUN cp /usr/share/zoneinfo/${TIMEZONE} /etc/localtime \ && echo "${TIMEZONE}" > /etc/timezone \ && apk del tzdata -RUN ln -s /usr/bin/fastjar /usr/bin/jar +RUN mkdir -p /opt/android \ + && wget https://dl.google.com/android/repository/sdk-tools-linux-4333796.zip && unzip *.zip -d /opt/android && rm *.zip + +ENV ANDROID_HOME="/opt/android" +ENV PATH="$PATH:$ANDROID_HOME/tools/bin" + +RUN yes | sdkmanager "build-tools;34.0.0" +ENV PATH="$PATH:$ANDROID_HOME/build-tools/34.0.0" + +COPY --from=build /fdroid /fdroid + +RUN rm -f /usr/bin/jar && ln -s /usr/bin/fastjar /usr/bin/jar RUN ln -s /usr/include/libxml2 /usr/include/libxml -RUN pip3 install --upgrade pip - -RUN pip3 install fdroidserver==${FDROIDSERVER_VERSION} - -RUN apk del build-base - COPY supervisor.ini /etc/supervisor.d/supervisor.ini -COPY docker-entrypoint.sh /docker-entrypoint.sh -RUN chmod +x /docker-entrypoint.sh +COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh +RUN chmod +x /usr/local/bin/docker-entrypoint.sh -RUN mkdir /fdroid WORKDIR /fdroid -COPY config.py /fdroid/config.py.tmpl -COPY Caddyfile /fdroid/Caddyfile +COPY config.yml /fdroid/config.yml.tmpl COPY fdroid-update.sh /fdroid/fdroid-update.sh RUN chmod +x /fdroid/fdroid-update.sh @@ -44,21 +54,23 @@ RUN chmod +x /fdroid/fdroid-update.sh COPY fdroid-icon.png /fdroid/fdroid-icon.png VOLUME /fdroid/repo +VOLUME /fdroid/archive VOLUME /fdroid/metadata VOLUME /fdroid/keystore EXPOSE 2222 EXPOSE 80 -EXPOSE 443 ENV FDROID_ARCHIVE_OLDER=3 ENV FDROID_REPO_ICON=fdroid-icon.png ENV FDROID_ARCHIVE_ICON=fdroid-icon.png -RUN sed -i "s/^#HostKey.*$/HostKey \/fdroid\/ssh_host_rsa_key/" /etc/ssh/sshd_config +RUN sed -i "s/^#HostKey.*$/HostKey \/fdroid\/host_ssh\/ssh_host_rsa_key/" /etc/ssh/sshd_config RUN sed -i "s/^#Port.*$/Port 2222/" /etc/ssh/sshd_config -RUN addgroup -S fdroid && adduser -D -h /fdroid -s /bin/bash -G fdroid fdroid -RUN chown -R fdroid: /fdroid +RUN mkdir -p /var/www/fdroid -CMD /docker-entrypoint.sh \ No newline at end of file +RUN addgroup -S fdroid && adduser -D -h /fdroid -s /bin/bash -G fdroid fdroid +RUN chown -R fdroid: /fdroid /var/www/fdroid + +CMD /usr/local/bin/docker-entrypoint.sh \ No newline at end of file diff --git a/Makefile b/Makefile index f19d952..d6c25ea 100644 --- a/Makefile +++ b/Makefile @@ -2,22 +2,21 @@ SSH_PUBLIC_KEY := $(shell cat ~/.ssh/id_rsa.pub) build: docker build \ - --build-arg "HTTP_PROXY=$(HTTP_PROXY)" \ - --build-arg "HTTPS_PROXY=$(HTTP_PROXY)" \ - --build-arg "http_proxy=$(http_proxy)" \ - --build-arg "https_proxy=$(https_proxy)" \ - -t fdroid-repository \ + -m 4g \ + -t fdroid-repository:latest \ ./ run: docker run -it --rm \ -p 2222:2222 \ - -p 8080:80 \ - -p 8443:443 \ + -p 8080:8080 \ + --name fdroid-repo \ -v "$(PWD)/data/repo:/fdroid/repo" \ + -v "$(PWD)/data/archive:/fdroid/archive" \ -v "$(PWD)/data/metadata:/fdroid/metadata" \ -v "$(PWD)/data/keystore:/fdroid/keystore" \ - -e "FDROID_REPO_HOST=:80" \ + -e "FDROID_REPO_SCHEME=http" \ + -e "FDROID_REPO_HOST=127.0.0.1:8080" \ -e "FDROID_REPO_NAME=My local repo" \ -e "FDROID_REPO_DESCRIPTION=My repo description" \ -e "FDROID_KEYSTORE_PASS=mykeystorepass" \ @@ -29,9 +28,9 @@ run: fdroid-repository:latest \ $(DOCKER_CMD) -push: - docker image tag fdroid-repository:latest cadoles/fdroid-repository:latest - docker push cadoles/fdroid-repository:latest +release: + docker image tag fdroid-repository:latest reg.cadoles.com/cadoles/fdroid-repository:latest + docker push reg.cadoles.com/cadoles/fdroid-repository:latest clean: docker rmi fdroid-repository diff --git a/config.py b/config.py deleted file mode 100644 index 75b602e..0000000 --- a/config.py +++ /dev/null @@ -1,328 +0,0 @@ -#!/usr/bin/env python3 - -# Copy this file to config.py, then amend the settings below according to -# your system configuration. - -# Custom path to the Android SDK, defaults to $ANDROID_HOME -# sdk_path = "$ANDROID_HOME" - -# Custom paths to various versions of the Android NDK, defaults to 'r12b' set -# to $ANDROID_NDK. Most users will have the latest at $ANDROID_NDK, which is -# used by default. If a version is missing or assigned to None, it is assumed -# not installed. -# ndk_paths = { -# 'r10e': None, -# 'r11c': None, -# 'r12b': "$ANDROID_NDK", -# 'r13b': None, -# 'r14b': None, -# 'r15c': None, -# 'r16b': None, -# 'r17b': None, -# 'r18b': None, -# } - -# Directory to store downloaded tools in (i.e. gradle versions) -# By default, these are stored in ~/.cache/fdroidserver -# cachedir = cache - -java_paths = { - '8': "/usr/lib/jvm/java-1.8-openjdk", -} - -# Build tools version to be used -# build_tools = "25.0.2" - -# Force all build to use the above version of build -tools, good for testing -# builds without having all of the possible build-tools installed. -# force_build_tools = True - -# Command or path to binary for running Ant -# ant = "ant" - -# Command or path to binary for running maven 3 -# mvn3 = "mvn" - -# Command or path to binary for running Gradle -# Defaults to using an internal gradle wrapper (gradlew-fdroid). -# gradle = "gradle" - -# Set the maximum age (in days) of an index that a client should accept from -# this repo. Setting it to 0 or not setting it at all disables this -# functionality. If you do set this to a non-zero value, you need to ensure -# that your index is updated much more frequently than the specified interval. -# The same policy is applied to the archive repo, if there is one. -# repo_maxage = 0 - -repo_url = "https://${FDROID_REPO_HOST}" -repo_name = "${FDROID_REPO_NAME}" -repo_icon = "${FDROID_REPO_ICON}" -repo_description = """ -${FDROID_REPO_DESCRIPTION} -""" - -# As above, but for the archive repo. -# archive_older sets the number of versions kept in the main repo, with all -# older ones going to the archive. Set it to 0, and there will be no archive -# repository, and no need to define the other archive_ values. -archive_older = ${FDROID_ARCHIVE_OLDER} -archive_url = "${FDROID_ARCHIVE_URL}" -archive_name = "${FDROID_ARCHIVE_NAME}" -archive_icon = "${FDROID_ARCHIVE_ICON}" -archive_description = """ -${FDROID_ARCHIVE_DESCRIPTION} -""" - -# This allows a specific kind of insecure APK to be included in the -# 'repo' section. Since April 2017, APK signatures that use MD5 are -# no longer considered valid, jarsigner and apksigner will return an -# error when verifying. `fdroid update` will move APKs with these -# disabled signatures to the archive. This option stops that -# behavior, and lets those APKs stay part of 'repo'. -# -# allow_disabled_algorithms = True - -# Normally, all apps are collected into a single app repository, like on -# https://f-droid.org. For certain situations, it is better to make a repo -# that is made up of APKs only from a single app. For example, an automated -# build server that publishes nightly builds. -# per_app_repos = True - -# `fdroid update` will create a link to the current version of a given app. -# This provides a static path to the current APK. To disable the creation of -# this link, uncomment this: -# make_current_version_link = False - -# By default, the "current version" link will be based on the "Name" of the -# app from the metadata. You can change it to use a different field from the -# metadata here: -# current_version_name_source = 'packageName' - -# Optionally, override home directory for gpg -# gpghome = '/home/fdroid/somewhere/else/.gnupg' - -# The ID of a GPG key for making detached signatures for apks. Optional. -# gpgkey = '1DBA2E89' - -# The key (from the keystore defined below) to be used for signing the -# repository itself. This is the same name you would give to keytool or -# jarsigner using -alias. (Not needed in an unsigned repository). -repo_keyalias = "${FDROID_KEYSTORE_KEY_ALIAS}" - -# Optionally, the public key for the key defined by repo_keyalias above can -# be specified here. There is no need to do this, as the public key can and -# will be retrieved from the keystore when needed. However, specifying it -# manually can allow some processing to take place without access to the -# keystore. -# repo_pubkey = "..." - -# The keystore to use for release keys when building. This needs to be -# somewhere safe and secure, and backed up! The best way to manage these -# sensitive keys is to use a "smartcard" (aka Hardware Security Module). To -# configure F-Droid to use a smartcard, set the keystore file using the keyword -# "NONE" (i.e. keystore = "NONE"). That makes Java find the keystore on the -# smartcard based on 'smartcardoptions' below. -keystore = "/fdroid/keystore/keystore.jks" - -# You should not need to change these at all, unless you have a very -# customized setup for using smartcards in Java with keytool/jarsigner -# smartcardoptions = "-storetype PKCS11 -providerName SunPKCS11-OpenSC \ -# -providerClass sun.security.pkcs11.SunPKCS11 \ -# -providerArg opensc-fdroid.cfg" - -# The password for the keystore (at least 6 characters). If this password is -# different than the keypass below, it can be OK to store the password in this -# file for real use. But in general, sensitive passwords should not be stored -# in text files! -keystorepass = "${FDROID_KEYSTORE_PASS}" - -# The password for keys - the same is used for each auto-generated key as well -# as for the repository key. You should not normally store this password in a -# file since it is a sensitive password. -keypass = "${FDROID_KEYSTORE_KEYPASS}" - -# The distinguished name used for all keys. -keydname = "${FDROID_KEYSTORE_DNAME}" - -# Use this to override the auto-generated key aliases with specific ones -# for particular applications. Normally, just leave it empty. -# keyaliases = {} -# keyaliases['com.example.app'] = 'example' -# You can also force an app to use the same key alias as another one, using -# the @ prefix. -# keyaliases['com.example.another.plugin'] = '@com.example.another' - - -# The full path to the root of the repository. It must be specified in -# rsync/ssh format for a remote host/path. This is used for syncing a locally -# generated repo to the server that is it hosted on. It must end in the -# standard public repo name of "/fdroid", but can be in up to three levels of -# sub-directories (i.e. /var/www/packagerepos/fdroid). You can include -# multiple servers to sync to by wrapping the whole thing in {} or [], and -# including the serverwebroot strings in a comma-separated list. -# -# serverwebroot = 'user@example:/var/www/fdroid' -# serverwebroot = { -# 'foo.com:/usr/share/nginx/www/fdroid', -# 'bar.info:/var/www/fdroid', -# } - -# Uncomment this option if you want to logs of builds and other processes to -# your repository server(s). Logs get published to all servers configured in -# 'serverwebroot'. For builds, only logs from build-jobs running inside a -# buildserver VM are supported. -# -# deploy_process_logs = True - -# The full URL to a git remote repository. You can include -# multiple servers to mirror to by wrapping the whole thing in {} or [], and -# including the servergitmirrors strings in a comma-separated list. -# Servers listed here will also be automatically inserted in the mirrors list. -# -# servergitmirrors = 'https://github.com/user/repo' -# servergitmirrors = { -# 'https://github.com/user/repo', -# 'https://gitlab.com/user/repo', -# } - -# Any mirrors of this repo, for example all of the servers declared in -# serverwebroot and all the servers declared in servergitmirrors, -# will automatically be used by the client. If one -# mirror is not working, then the client will try another. If the -# client has Tor enabled, then the client will prefer mirrors with -# .onion addresses. This base URL will be used for both the main repo -# and the archive, if it is enabled. So these URLs should end in the -# 'fdroid' base of the F-Droid part of the web server like serverwebroot. -# -# mirrors = ( -# 'https://foo.bar/fdroid', -# 'http://foobarfoobarfoobar.onion/fdroid', -# ) - -# optionally specify which identity file to use when using rsync or git over SSH -# -# identity_file = '~/.ssh/fdroid_id_rsa' - - -# If you are running the repo signing process on a completely offline machine, -# which provides the best security, then you can specify a folder to sync the -# repo to when running `fdroid server update`. This is most likely going to -# be a USB thumb drive, SD Card, or some other kind of removable media. Make -# sure it is mounted before running `fdroid server update`. Using the -# standard folder called 'fdroid' as the specified folder is recommended, like -# with serverwebroot. -# -# local_copy_dir = '/media/MyUSBThumbDrive/fdroid' - - -# If you are using local_copy_dir on an offline build/signing server, once the -# thumb drive has been plugged into the online machine, it will need to be -# synced to the copy on the online machine. To make that happen -# automatically, set sync_from_local_copy_dir to True: -# -# sync_from_local_copy_dir = True - - -# To upload the repo to an Amazon S3 bucket using `fdroid server -# update`. Warning, this deletes and recreates the whole fdroid/ -# directory each time. This prefers s3cmd, but can also use -# apache-libcloud. To customize how s3cmd interacts with the cloud -# provider, create a 's3cfg' file next to this file (config.py), and -# those settings will be used instead of any 'aws' variable below. -# -# awsbucket = 'myawsfdroid' -# awsaccesskeyid = 'SEE0CHAITHEIMAUR2USA' -# awssecretkey = 'yourverysecretkeywordpassphraserighthere' - - -# If you want to force 'fdroid server' to use a non-standard serverwebroot. -# This will allow you to have 'serverwebroot' entries which do not end in -# '/fdroid'. (Please note that some client features expect repository URLs -# to end in '/fdroid/repo'.) -# -# nonstandardwebroot = False - - -# If you want to upload the release apk file to androidobservatory.org -# -# androidobservatory = False - - -# If you want to upload the release apk file to virustotal.com -# You have to enter your profile apikey to enable the upload. -# -# virustotal_apikey = "virustotal_apikey" - - -# The build logs can be posted to a mediawiki instance, like on f-droid.org. -# wiki_protocol = "http" -# wiki_server = "server" -# wiki_path = "/wiki/" -# wiki_user = "login" -# wiki_password = "1234" - -# Keep a log of all generated index files in a git repo to provide a -# "binary transparency" log for anyone to check the history of the -# binaries that are published. This is in the form of a "git remote", -# which this machine where `fdroid update` is run has already been -# configured to allow push access (e.g. ssh key, username/password, etc) -# binary_transparency_remote = "git@gitlab.com:fdroid/binary-transparency-log.git" - -# Only set this to true when running a repository where you want to generate -# stats, and only then on the master build servers, not a development -# machine. If you want to keep the "added" and "last updated" dates for each -# app and APK in your repo, then you should enable this. -# update_stats = True - -# When used with stats, this is a list of IP addresses that are ignored for -# calculation purposes. -# stats_ignore = [] - -# Server stats logs are retrieved from. Required when update_stats is True. -# stats_server = "example.com" - -# User stats logs are retrieved from. Required when update_stats is True. -# stats_user = "bob" - -# Use the following to push stats to a Carbon instance: -# stats_to_carbon = False -# carbon_host = '0.0.0.0' -# carbon_port = 2003 - -# Set this to true to always use a build server. This saves specifying the -# --server option on dedicated secure build server hosts. -# build_server_always = True - -# By default, fdroid will use YAML .yml and the custom .txt metadata formats. It -# is also possible to have metadata in JSON by adding 'json'. -# accepted_formats = ('txt', 'yml') - -# Limit in number of characters that fields can take up -# Only the fields listed here are supported, defaults shown -# char_limits = { -# 'author': 256, -# 'name': 30, -# 'summary': 80, -# 'description': 4000, -# 'video': 256, -# 'whatsNew': 500, -# } - -# It is possible for the server operator to specify lists of apps that -# must be installed or uninstalled on the client (aka "push installs). -# If the user has opted in, or the device is already setup to respond -# to these requests, then F-Droid will automatically install/uninstall -# the packageNames listed. This is protected by the same signing key -# as the app index metadata. -# -# install_list = ( -# 'at.bitfire.davdroid', -# 'com.fsck.k9', -# 'us.replicant', -# ) -# -# uninstall_list = ( -# 'com.facebook.orca', -# 'com.android.vending', -# ) -keytool = "/usr/bin/keytool" \ No newline at end of file diff --git a/config.yml b/config.yml new file mode 100644 index 0000000..b47e3f0 --- /dev/null +++ b/config.yml @@ -0,0 +1,366 @@ +--- +# Copy this file to config.yml, then amend the settings below according to +# your system configuration. + +# Custom path to the Android SDK, defaults to $ANDROID_HOME +# sdk_path: $ANDROID_HOME + +# Paths to installed versions of the Android NDK. This will be +# automatically filled out from well known sources like +# $ANDROID_HOME/ndk-bundle and $ANDROID_HOME/ndk/*. If a required +# version is missing in the buildserver VM, it will be automatically +# downloaded and installed into the standard $ANDROID_HOME/ndk/ +# directory. Manually setting it here will override the auto-detected +# values. The keys can either be the "release" (e.g. r21e) or the +# "revision" (e.g. 21.4.7075529). +# +# ndk_paths: +# r10e: $ANDROID_HOME/android-ndk-r10e +# r17: "" +# 21.4.7075529: ~/Android/Ndk +# r22b: null + +# Directory to store downloaded tools in (i.e. gradle versions) +# By default, these are stored in ~/.cache/fdroidserver +# cachedir: cache + +# Specify paths to each major Java release that you want to support +# java_paths: +# 8: /usr/lib/jvm/java-8-openjdk + +# Command or path to binary for running Ant +# ant: ant + +# Command or path to binary for running maven 3 +# mvn3: mvn + +# Command or path to binary for running Gradle +# Defaults to using an internal gradle wrapper (gradlew-fdroid). +# gradle: gradle + +# Always scan the APKs produced by `fdroid build` for known non-free classes +# scan_binary: true + +# Set the maximum age (in days) of an index that a client should accept from +# this repo. Setting it to 0 or not setting it at all disables this +# functionality. If you do set this to a non-zero value, you need to ensure +# that your index is updated much more frequently than the specified interval. +# The same policy is applied to the archive repo, if there is one. +# repo_maxage: 0 + +# Canonical URL of the repositoy, needs to end in /repo. Is is used to identity +# the repo in the client, as well. +repo_url: "${FDROID_REPO_SCHEME}://${FDROID_REPO_HOST}/repo" +repo_name: "${FDROID_REPO_NAME}" +repo_description: >- + ${FDROID_REPO_DESCRIPTION} + +# As above, but for the archive repo. +# +archive_url: "${FDROID_REPO_SCHEME}://${FDROID_REPO_HOST}/archive" +archive_name: "${FDROID_ARCHIVE_NAME}" +# archive_description: >- +# The repository of older versions of packages from the main demo repository. + +# archive_older sets the number of versions kept in the main repo, with all +# older ones going to the archive. Set it to 0, and there will be no archive +# repository, and no need to define the other archive_ values. +# +archive_older: ${FDROID_ARCHIVE_OLDER} + +# The repo's icon defaults to a file called 'icon.png' in the 'icons' +# folder for each section, e.g. repo/icons/icon.png and +# archive/icons/icon.png. To use a different filename for the icons, +# set the filename here. You must still copy it into place in +# repo/icons/ and/or archive/icons/. +# +repo_icon: "${FDROID_REPO_ICON}" +archive_icon: "${FDROID_ARCHIVE_ICON}" + +# This allows a specific kind of insecure APK to be included in the +# 'repo' section. Since April 2017, APK signatures that use MD5 are +# no longer considered valid, jarsigner and apksigner will return an +# error when verifying. `fdroid update` will move APKs with these +# disabled signatures to the archive. This option stops that +# behavior, and lets those APKs stay part of 'repo'. +# +# allow_disabled_algorithms: true + +# Normally, all apps are collected into a single app repository, like on +# https://f-droid.org. For certain situations, it is better to make a repo +# that is made up of APKs only from a single app. For example, an automated +# build server that publishes nightly builds. +# per_app_repos: true + +# `fdroid update` will create a link to the current version of a given app. +# This provides a static path to the current APK. To disable the creation of +# this link, uncomment this: +# make_current_version_link: false + +# By default, the "current version" link will be based on the "Name" of the +# app from the metadata. You can change it to use a different field from the +# metadata here: +# current_version_name_source: packageName + +# Optionally, override home directory for gpg +# gpghome: /home/fdroid/somewhere/else/.gnupg + +# The ID of a GPG key for making detached signatures for APKs. Optional. +# gpgkey: 1DBA2E89 + +# The key (from the keystore defined below) to be used for signing the +# repository itself. This is the same name you would give to keytool or +# jarsigner using -alias. (Not needed in an unsigned repository). +repo_keyalias: "${FDROID_KEYSTORE_KEY_ALIAS}" + +# Optionally, the public key for the key defined by repo_keyalias above can +# be specified here. There is no need to do this, as the public key can and +# will be retrieved from the keystore when needed. However, specifying it +# manually can allow some processing to take place without access to the +# keystore. +# repo_pubkey: ... + +# The keystore to use for release keys when building. This needs to be +# somewhere safe and secure, and backed up! The best way to manage these +# sensitive keys is to use a "smartcard" (aka Hardware Security Module). To +# configure F-Droid to use a smartcard, set the keystore file using the keyword +# "NONE" (i.e. keystore: "NONE"). That makes Java find the keystore on the +# smartcard based on 'smartcardoptions' below. +keystore: "/fdroid/keystore/keystore.jks" +# You should not need to change these at all, unless you have a very +# customized setup for using smartcards in Java with keytool/jarsigner +# smartcardoptions: | +# -storetype PKCS11 -providerName SunPKCS11-OpenSC +# -providerClass sun.security.pkcs11.SunPKCS11 +# -providerArg opensc-fdroid.cfg + +# The password for the keystore (at least 6 characters). If this password is +# different than the keypass below, it can be OK to store the password in this +# file for real use. But in general, sensitive passwords should not be stored +# in text files! +keystorepass: "${FDROID_KEYSTORE_PASS}" +# The password for keys - the same is used for each auto-generated key as well +# as for the repository key. You should not normally store this password in a +# file since it is a sensitive password. +keypass: "${FDROID_KEYSTORE_KEYPASS}" +# The distinguished name used for all keys. +keydname: "${FDROID_KEYSTORE_DNAME}" +# Use this to override the auto-generated key aliases with specific ones +# for particular applications. Normally, just leave it empty. +# +# keyaliases: +# com.example.app: example +# +# You can also force an app to use the same key alias as another one, using +# the @ prefix. +# +# keyaliases: +# com.example.another.plugin: "@com.example.another" + +# The full path to the root of the repository. It must be specified in +# rsync/ssh format for a remote host/path. This is used for syncing a locally +# generated repo to the server that is it hosted on. It must end in the +# standard public repo name of "/fdroid", but can be in up to three levels of +# sub-directories (i.e. /var/www/packagerepos/fdroid). You can include +# multiple servers to sync to by wrapping the whole thing in {} or [], and +# including the serverwebroot strings in a comma-separated list. +# +# serverwebroot: user@example:/var/www/fdroid +# serverwebroot: +# - foo.com:/usr/share/nginx/www/fdroid +# - bar.info:/var/www/fdroid +# +# There is a special mode to only deploy the index file: +# +# serverwebroot: +# - url: 'me@b.az:/srv/fdroid' +# indexOnly: true + +# When running fdroid processes on a remote server, it is possible to +# publish extra information about the status. Each fdroid sub-command +# can create repo/status/running.json when it starts, then a +# repo/status/.json when it completes. The builds logs +# and other processes will also get published, if they are running in +# a buildserver VM. The build logs name scheme is: +# .../repo/$APPID_$VERCODE.log.gz. These files are also pushed to all +# servers configured in 'serverwebroot'. +# +# deploy_process_logs: true + +# The full URL to a git remote repository. You can include +# multiple servers to mirror to by adding strings to a YAML list or map. +# Servers listed here will also be automatically inserted in the mirrors list. +# +# servergitmirrors: https://github.com/user/repo +# servergitmirrors: +# - https://github.com/user/repo +# - https://gitlab.com/user/repo +# +# servergitmirrors: +# - url: https://github.com/user/repo +# - url: https://gitlab.com/user/repo +# indexOnly: true + +# Most git hosting services have hard size limits for each git repo. +# `fdroid deploy` will delete the git history when the git mirror repo +# approaches this limit to ensure that the repo will still fit when +# pushed. GitHub recommends 1GB, gitlab.com recommends 10GB. +# +# git_mirror_size_limit: 10GB + +# Any mirrors of this repo, for example all of the servers declared in +# serverwebroot and all the servers declared in servergitmirrors, +# will automatically be used by the client. If one +# mirror is not working, then the client will try another. If the +# client has Tor enabled, then the client will prefer mirrors with +# .onion addresses. This base URL will be used for both the main repo +# and the archive, if it is enabled. So these URLs should end in the +# 'fdroid' base of the F-Droid part of the web server like serverwebroot. +# +# mirrors: +# - https://foo.bar/fdroid +# - http://foobarfoobarfoobar.onion/fdroid +# +# Or additional metadata can also be included by adding key/value pairs: +# +# mirrors: +# - url: https://foo.bar/fdroid +# countryCode: BA +# - url: http://foobarfoobarfoobar.onion/fdroid +# +# The list of mirrors can also be maintained in config/mirrors.yml, a +# standalone YAML file in the optional configuration directory. In +# that case, mirrors: should be removed from this file (config.yml). + +# optionally specify which identity file to use when using rsync or git over SSH +# +# identity_file: ~/.ssh/fdroid_id_rsa + +# If you are running the repo signing process on a completely offline machine, +# which provides the best security, then you can specify a folder to sync the +# repo to when running `fdroid deploy`. This is most likely going to +# be a USB thumb drive, SD Card, or some other kind of removable media. Make +# sure it is mounted before running `fdroid deploy`. Using the +# standard folder called 'fdroid' as the specified folder is recommended, like +# with serverwebroot. +# +local_copy_dir: /var/www/fdroid +# If you are using local_copy_dir on an offline build/signing server, once the +# thumb drive has been plugged into the online machine, it will need to be +# synced to the copy on the online machine. To make that happen +# automatically, set sync_from_local_copy_dir to True: +# +# sync_from_local_copy_dir: true + +# To upload the repo to an Amazon S3 bucket using `fdroid server +# update`. Warning, this deletes and recreates the whole fdroid/ +# directory each time. This prefers s3cmd, but can also use +# apache-libcloud. To customize how s3cmd interacts with the cloud +# provider, create a 's3cfg' file next to this file (config.yml), and +# those settings will be used instead of any 'aws' variable below. +# Secrets can be fetched from environment variables to ensure that +# they are not leaked as part of this file. +# +# awsbucket: myawsfdroid +# awsaccesskeyid: SEE0CHAITHEIMAUR2USA +# awssecretkey: {env: awssecretkey} + +# If you want to force 'fdroid server' to use a non-standard serverwebroot. +# This will allow you to have 'serverwebroot' entries which do not end in +# '/fdroid'. (Please note that some client features expect repository URLs +# to end in '/fdroid/repo'.) +# +# nonstandardwebroot: false + +# If you want to upload the release APK file to androidobservatory.org +# +# androidobservatory: false + +# If you want to upload the release APK file to virustotal.com +# You have to enter your profile apikey to enable the upload. +# +# virustotal_apikey: 9872987234982734 +# +# Or get it from an environment variable: +# +# virustotal_apikey: {env: virustotal_apikey} + +# Keep a log of all generated index files in a git repo to provide a +# "binary transparency" log for anyone to check the history of the +# binaries that are published. This is in the form of a "git remote", +# which this machine where `fdroid update` is run has already been +# configured to allow push access (e.g. ssh key, username/password, etc) +# binary_transparency_remote: git@gitlab.com:fdroid/binary-transparency-log.git + +# If you want to keep the "added" and "last updated" dates for each +# app and APK in your repo, enable this. The name comes from an old +# system for tracking statistics that is no longer included. +# update_stats: true + +# Set this to true to always use a build server. This saves specifying the +# --server option on dedicated secure build server hosts. +# build_server_always: true + +# Limit in number of characters that fields can take up +# Only the fields listed here are supported, defaults shown +# char_limits: +# author: 256 +# name: 50 +# summary: 80 +# description: 4000 +# video: 256 +# whatsNew: 500 + +# It is possible for the server operator to specify lists of apps that +# must be installed or uninstalled on the client (aka "push installs). +# If the user has opted in, or the device is already setup to respond +# to these requests, then F-Droid will automatically install/uninstall +# the packageNames listed. This is protected by the same signing key +# as the app index metadata. +# +# install_list: +# - at.bitfire.davdroid +# - com.fsck.k9 +# - us.replicant +# +# uninstall_list: +# - com.facebook.orca +# - com.android.vending + +# `fdroid lint` checks licenses in metadata against a built white list. By +# default we will require license metadata to be present and only allow +# licenses approved either by FSF or OSI. We're using the standardized SPDX +# license IDs. (https://spdx.org/licenses/) +# +# We use `python3 -m spdx-license-list print --filter-fsf-or-osi` for +# generating our default list. (https://pypi.org/project/spdx-license-list) +# +# You can override our default list of allowed licenes by setting this option. +# Just supply a custom list of licene names you would like to allow. To disable +# checking licenses by the linter, assign an empty value to lint_licenses. +# +# lint_licenses: +# - Custom-License-A +# - Another-License + +# `fdroid scanner` can scan for signatures from various sources. By default +# it's configured to only use F-Droids official SUSS collection. We have +# support for these special collections: +# * 'exodus' - official exodus-privacy.org signatures +# * 'etip' - exodus privacy investigation platfrom community contributed +# signatures +# * 'suss' - official F-Droid: Suspicious or Unwanted Software Signatures +# You can also configure scanner to use custom collections of signatures here. +# They have to follow the format specified in the SUSS readme. +# (https://gitlab.com/fdroid/fdroid-suss/#cache-file-data-format) +# +# scanner_signature_sources: +# - suss +# - exodus +# - https://example.com/signatures.json + +# The scanner can use signature sources from the internet. These are +# cached locally. To force them to be refreshed from the network on +# every run, set this to true: +# +# refresh_scanner: true diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 4907a1f..cb0f5c5 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -2,14 +2,19 @@ set -xeo pipefail -if [ ! -f /fdroid/ssh_host_rsa_key ]; then +if [ ! -f /fdroid/host_ssh/ssh_host_rsa_key ]; then echo "Generating host SSH key..." - ssh-keygen -f /fdroid/ssh_host_rsa_key -N '' -t rsa - chown fdroid: /fdroid/ssh_host_rsa_key + mkdir -p /fdroid/host_ssh + ssh-keygen -f /fdroid/host_ssh/ssh_host_rsa_key -N '' -t rsa + chown fdroid: /fdroid/host_ssh/ssh_host_rsa_key fi mkdir -p /fdroid/.ssh -echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys + +if [ ! -z "${SSH_PUBLIC_KEY}" ]; then + echo "${SSH_PUBLIC_KEY}" > /fdroid/.ssh/authorized_keys +fi + chmod 0600 /fdroid/.ssh/authorized_keys if [ ! -f /fdroid/keystore/keystore.jks ]; then @@ -23,11 +28,11 @@ if [ ! -f /fdroid/keystore/keystore.jks ]; then fi echo "Updating configuration from environment..." -envsubst < config.py.tmpl > config.py -chmod 0600 config.py +envsubst < config.yml.tmpl > /fdroid/config.yml +chmod 0600 /fdroid/config.yml -chown -R fdroid: /fdroid +find /fdroid -not -user fdroid -exec chown -R fdroid: {} \; -su - fdroid /fdroid/fdroid-update.sh +su fdroid /fdroid/fdroid-update.sh /usr/bin/supervisord -c /etc/supervisor.d/supervisor.ini \ No newline at end of file diff --git a/fdroid-update.sh b/fdroid-update.sh index f4d40f8..2543891 100644 --- a/fdroid-update.sh +++ b/fdroid-update.sh @@ -7,6 +7,7 @@ DIR=$2 FILE=$3 if [ -z "$FILE" ] || [[ "$FILE" == *.apk ]] || [[ "$FILE" == *.yml ]]; then - fdroid update --clean --rename-apks --use-date-from-apk --delete-unknown + . /fdroid/bin/activate && fdroid update --clean -c --rename-apks --use-date-from-apk --delete-unknown + . /fdroid/bin/activate && fdroid deploy fi diff --git a/supervisor.ini b/supervisor.ini index 34a7a0b..1b1a52a 100644 --- a/supervisor.ini +++ b/supervisor.ini @@ -3,7 +3,7 @@ nodaemon=true user=root [program:sshd] -command = /usr/sbin/sshd -D +command = /usr/sbin/sshd -D -e directory = /fdroid user = fdroid autostart = true @@ -24,9 +24,9 @@ stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 [program:caddy] -command = caddy -agree -conf /fdroid/Caddyfile -directory = /fdroid/repo -user = root +command = caddy file-server -b -a -l "0.0.0.0:8080" --root /var/www/fdroid +directory = / +user = fdroid autostart = true stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0