diff --git a/bin/pdm-build b/bin/pdm-build index e2a34d6..2a14383 100755 --- a/bin/pdm-build +++ b/bin/pdm-build @@ -64,6 +64,10 @@ fi # Main +# tell buildah to build images in docker format instead of the default OCI format +# because only docker-format images can use the SHELL directive in Containerfiles +export BUILDAH_FORMAT=docker + # build image echo "Building image ..." podman build -f Containerfile -t tmp-$epoch $buildopts || quit $? diff --git a/src/debian/Containerfile b/src/debian/Containerfile index 7023519..2ccf6cd 100644 --- a/src/debian/Containerfile +++ b/src/debian/Containerfile @@ -2,11 +2,21 @@ FROM debian:stable CMD [ "/sbin/init" ] ENTRYPOINT [ "/sbin/init" ] +# set default working directory as root for child images WORKDIR /root/ +ONBUILD WORKDIR /root/ + +# set bash as the default shell for executing commands +# inside Containerfiles for child images +ONBUILD SHELL ["/bin/bash", "-c"] + +# tell bash to read /etc/environment when being run +# non-interactively for child images +ONBUILD ENV BASH_ENV=/etc/environment # We can't use timedatectl because systemd isn't available # during the build process, so we have to set the timezone manually -ENV TZ=US/Central +ENV TZ=US/Eastern RUN rm /etc/localtime && \ ln -s /usr/share/zoneinfo/$TZ /etc/localtime && \ echo $TZ > /etc/timezone diff --git a/src/debian/assets/bash.bashrc b/src/debian/assets/bash.bashrc index e2f1090..1367475 100644 --- a/src/debian/assets/bash.bashrc +++ b/src/debian/assets/bash.bashrc @@ -6,6 +6,9 @@ # If not running interactively, don't do anything [ -z "$PS1" ] && return +# load environment variables +. /etc/environment + # check the window size after each command and, if necessary, # update the values of LINES and COLUMNS. shopt -s checkwinsize diff --git a/src/gitea/Containerfile b/src/gitea/Containerfile index 3c620aa..37df5ac 100644 --- a/src/gitea/Containerfile +++ b/src/gitea/Containerfile 
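Review bot: `export BUILDAH_FORMAT=docker` changes the image format for every build this script runs from here on, while the comment explains a requirement of one specific build command. podman build takes the same setting as a flag, so `podman build --format docker -f Containerfile -t tmp-$epoch $buildopts || quit $?` on the following line keeps the requirement next to the command it applies to, and the comment can move with it. The enclosing script continues outside the hunk, so whether any later build step relies on the OCI default cannot be seen here.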
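Review bot: `ONBUILD ENV BASH_ENV=/etc/environment` makes every non-interactive bash in child images — each RUN step under the new `ONBUILD SHELL`, cron jobs, helper scripts — execute /etc/environment as a shell script, yet that file is a pam_env KEY=VALUE file, and the gitea and nextcloud Containerfiles in this same commit append values to it that are computed at build time from command output and from a downloaded web page. Whatever lands in that file, including an unexpected `$(…)` or `;`, is run with the privileges of the next shell that sources it. Writing the generated variables to a dedicated root-owned shell fragment with quoted values (`KEY='value'`) and pointing both BASH_ENV and the `. /etc/environment` line in the bash.bashrc hunk at that fragment keeps the two formats apart. Separately, `ENV TZ=US/Eastern` uses a backward-compatibility alias; `America/New_York` is the canonical zone and remains available on tzdata builds that drop the legacy links.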
@@ -9,16 +9,9 @@ LABEL deployopts="\ -p 9081:80 \ -p 9022:22 \ -v /srv/vol/gitea/git:/vol/git \ --v /srv/vol/gitea/db:/vol/db" -# make sure mount directories exist -RUN mkdir -p /vol/git /vol/db +-v /srv/vol/gitea/data:/vol/data" # Build variables -# version of Gitea -# see the Gitea github page to determine the latest stable release -ARG giteav=1.12.1 -# version of postgres -ARG psqlv=11 # uid that the files owner user should have ARG FILESUID=5000 @@ -26,9 +19,6 @@ ARG FILESUID=5000 # database name and user ENV DBUSER=gtadmin ENV DBNAME=gitea -# put environment variables in /etc/environment so we can access them from cron scripts -RUN echo "DBUSER=$DBUSER" >> /etc/environment && \ - echo "DBNAME=$DBNAME" >> /etc/environment ### ### General Setup @@ -37,6 +27,14 @@ RUN echo "DBUSER=$DBUSER" >> /etc/environment && \ # install packages we want RUN apt update -y && apt install -y postgresql postgresql-doc git +# put database variables in /etc/environment so anyone can access them +# also autodetect versions of postgres and gitea and put them in /etc/environment as well +RUN echo "DBUSER=$DBUSER" >> /etc/environment && \ + echo "DBNAME=$DBNAME" >> /etc/environment && \ + echo "PSQLV=$(psql -V | cut -d ' ' -f 3 | cut -d '.' -f 1)" >> /etc/environment && \ + echo "GITEAV=$(wget -q -O - https://dl.gitea.io/gitea/ | grep -m 1 'Current Release' \ + | perl -pe 's/.*Current Release ([\d.]+).*/\1/')" >> /etc/environment + # create gitea user with file owner UID RUN addgroup --gid $FILESUID gitea && \ adduser gitea --ingroup gitea --uid $FILESUID --disabled-password --gecos "Gitea Server" --shell /usr/sbin/nologin --home /var/lib/gitea 
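Review bot: The new `GITEAV=$(wget -q -O - https://dl.gitea.io/gitea/ | grep -m 1 'Current Release' | perl -pe …)` line makes the installed Gitea version whatever the index page advertises at build time, so two builds of the same commit can differ, and the binary fetched with it in the next hunk is not checked against a checksum or signature. Because /etc/environment is now sourced by bash via BASH_ENV, the scraped text is also executed as shell; if the perl substitution does not match, the whole HTML line is written into the file. Validating the value before writing it, `[[ $GITEAV =~ ^[0-9]+(\.[0-9]+)*$ ]]`, and keeping an `ARG` default that can be overridden at build time would make the build reproducible and the file safe to source. The removed `ARG giteav`/`ARG psqlv` defaults in the first hunk of this file are what provided that pinning before.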
@@ -49,15 +47,15 @@ COPY assets/bin/ /usr/local/bin/ ### # configure PostgreSQL access -COPY --chown=postgres:postgres assets/pg_hba.conf /etc/postgresql/${psqlv}/main/pg_hba.conf +COPY --chown=postgres:postgres assets/pg_hba.conf /etc/postgresql/${PSQLV:?}/main/pg_hba.conf ### ### Gitea ### # dowload gitea -RUN wget https://dl.gitea.io/gitea/${giteav}/gitea-${giteav}-linux-amd64 && \ - mv gitea-${giteav}-linux-amd64 /usr/local/bin/gitea && \ +RUN wget https://dl.gitea.io/gitea/${GITEAV:?}/gitea-${GITEAV:?}-linux-amd64 && \ + mv gitea-${GITEAV:?}-linux-amd64 /usr/local/bin/gitea && \ chmod +x /usr/local/bin/gitea # make directories gitea needs diff --git a/src/gitea/assets/bin/maint b/src/gitea/assets/bin/maint index 85f6f89..bac5eb2 100755 --- a/src/gitea/assets/bin/maint +++ b/src/gitea/assets/bin/maint @@ -8,7 +8,7 @@ day=$(date +%d) month=$(date +%m) year=$(date +%Y) -dumpdir=/vol/db +dumpdir=/vol/data errlog=error/$year-$month-$day-T$hour.log mkdir -p $dumpdir/error diff --git a/src/mailsrv/Containerfile b/src/mailsrv/Containerfile index 4c668d0..13c4b07 100644 --- a/src/mailsrv/Containerfile +++ b/src/mailsrv/Containerfile @@ -10,7 +10,7 @@ LABEL deployopts="\ -p 587:587 \ -p 143:143 \ -p 993:993 \ --v /srv/vol/mailsrv/etc:/vol/etc \ +-v /srv/vol/mailsrv/data:/vol/data \ -v /srv/vol/mailsrv/mail:/vol/mail \ -v /srv/vol/mailsrv/ssl:/vol/ssl:ro" diff --git a/src/mailsrv/assets/bin/mkvirt b/src/mailsrv/assets/bin/mkvirt index 4c07ae0..5c5124b 100755 --- a/src/mailsrv/assets/bin/mkvirt +++ b/src/mailsrv/assets/bin/mkvirt 
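Review bot: `COPY --chown=postgres:postgres assets/pg_hba.conf /etc/postgresql/${PSQLV:?}/main/pg_hba.conf` cannot see PSQLV: COPY destinations are expanded by the builder from ARG/ENV values, not by a shell reading /etc/environment, so the variable is unset there and the `:?` form may not even be accepted by the builder's expander. The nextcloud Containerfile in this commit already works around this by copying into the working directory and moving in a RUN step; the same two lines fit here, `COPY --chown=postgres:postgres assets/pg_hba.conf ./` followed by `RUN mv pg_hba.conf /etc/postgresql/${PSQLV:?}/main/`. The `RUN wget …/gitea-${GITEAV:?}-linux-amd64` lines further down are fine in that respect because they run under bash.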
@@ -6,24 +6,24 @@ set -e ### Users ### # copy users db to dovecot config -cp /vol/etc/users /etc/dovecot/users +cp /vol/data/users /etc/dovecot/users chown dovecot:dovecot /etc/dovecot/users # copy users db to postfix config, but without passwords -cat /vol/etc/users | cut -d':' -f1 | perl -pe 's/(.*)/\1 ./' > /etc/postfix/users +cat /vol/data/users | cut -d':' -f1 | perl -pe 's/(.*)/\1 ./' > /etc/postfix/users postmap /etc/postfix/users ### Aliases ### # copy aliases to postifx config cd /etc/postfix -cat /vol/etc/aliases.d/*.list > aliases +cat /vol/data/aliases.d/*.list > aliases postmap aliases ### Sieve ### # copy users sieve to mail -cd /vol/etc/sieve.d +cd /vol/data/sieve.d for user in * ; do mkdir -p /vol/mail/${user} chown vmail:vmail /vol/mail/${user} diff --git a/src/minecraft_be/Containerfile b/src/minecraft_be/Containerfile index 8054c51..5398bd9 100644 --- a/src/minecraft_be/Containerfile +++ b/src/minecraft_be/Containerfile @@ -37,7 +37,8 @@ WORKDIR /home/mcadmin # download Minecraft Bedrock dedicated server RUN url=$(wget -q https://www.minecraft.net/en-us/download/server/bedrock/ -O - | grep -Eo 'https://[^ ]+bin-linux/bedrock-server-[^ ]+\.zip' | head -n 1) && \ wget $url && \ - unzip $(basename $url) && \ + echo "Unzipping ..." && \ + unzip -q $(basename $url) && \ rm $(basename $url) && \ chown -R mcadmin:mcadmin ./ diff --git a/src/nextcloud/Containerfile b/src/nextcloud/Containerfile index 2d7e024..d5b9cd5 100644 --- a/src/nextcloud/Containerfile +++ b/src/nextcloud/Containerfile 
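Review bot: The new `unzip -q $(basename $url)` line, like the `rm $(basename $url)` after it, leaves the substitution unquoted; `unzip -q "$(basename "$url")"` costs nothing and holds up should the scraped URL ever contain characters the shell treats specially. The archive is whatever link the download page advertises at build time and is extracted without any checksum check, so the build is neither reproducible nor verified; pinning the URL as an ARG together with a known SHA-256 would address both. The RUN step begins before the hunk's first changed line.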
@@ -6,24 +6,17 @@ FROM localhost/debian # deploy options # -p (port) and -v (volume) both go host:container LABEL deployopts="\ +--cap-add SYS_ADMIN \ -p 9080:80 \ -v /srv/vol/nextcloud/files:/vol/files \ -v /srv/vol/nextcloud/data:/vol/data" # Build Variables -# versions of php and postgres -ARG phpv=7.3 -ARG psqlv=11 # uid that the files owner user should have ARG FILESUID=5000 - -# Environment Variables # database name and user ENV DBUSER=ncadmin ENV DBNAME=nextcloud -# put environment variables in /etc/environment so we can access them from cron scripts -RUN echo "DBUSER=$DBUSER" >> /etc/environment && \ - echo "DBNAME=$DBNAME" >> /etc/environment ### ### General Setup 
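Review bot: `--cap-add SYS_ADMIN` in the deploy options is added without a stated reason; it is presumably for the `mount -a` in the new nc-mntuser script, but CAP_SYS_ADMIN is the broadest capability there is (mount, namespaces, many ioctls) and removes most of the isolation a rootful container provides. At minimum the label should carry `# SYS_ADMIN: nc-mntuser bind-mounts /vol/files/<user> into the Nextcloud data directory` so it is not cargo-culted into other images. Doing those per-user bind mounts from the host side (an additional `-v` per user, or one `-v` of the files volume onto the data directory if Nextcloud's layout allows it — this diff does not show that) would let the capability be dropped again.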
@@ -34,37 +27,56 @@ RUN apt update -y && apt install -y apache2 php-fpm php-gd php-zip \ php-pgsql php-curl php-mbstring php-intl php-imagick php-xml \ php-json redis php-redis postgresql postgresql-doc php-ldap + +# put database variables in /etc/environment so anyone can access them +# also autodetect versions of php and postgres and put them in /etc/environment as well +RUN echo "DBUSER=$DBUSER" >> /etc/environment && \ + echo "DBNAME=$DBNAME" >> /etc/environment && \ + echo "PSQLV=$(psql -V | cut -d ' ' -f 3 | cut -d '.' -f 1)" >> /etc/environment && \ + echo "PHPV=$(echo $(php -r 'echo PHP_VERSION;') | cut -d '.' -f 1-2)" >> /etc/environment + # change www-data's UID to the file owner UID RUN usermod --uid $FILESUID www-data && \ groupmod --gid $FILESUID www-data && \ - chown -R www-data:www-data /var/www /vol + chown -R www-data:www-data /var/www # copy our custom scripts COPY assets/bin/ /usr/local/bin/ +### +### PHP +### + +# enable PHP interpreter +RUN systemctl enable php${PHPV:?}-fpm + +# copy php configuration +COPY assets/php/ php/ +RUN mv php/php.ini /etc/php/${PHPV:?}/fpm/ && \ + mv php/www.conf /etc/php/${PHPV:?}/fpm/pool.d/ && \ + rmdir php + +### +### PostgreSQL ### +### + +# configure PostgreSQL access +COPY --chown=postgres:postgres assets/pg_hba.conf ./ +RUN mv pg_hba.conf /etc/postgresql/${PSQLV:?}/main/ + ### ### Apache ### # enable modules we need -RUN a2enmod rewrite headers env dir mime proxy_fcgi && a2enconf php${phpv}-fpm +RUN a2enmod rewrite headers env dir mime proxy_fcgi && \ + a2enconf php${PHPV:?}-fpm # copy site config COPY assets/apache/nextcloud.conf /etc/apache2/sites-available/ WORKDIR /etc/apache2/sites-enabled RUN rm 000-default.conf && ln -s ../sites-available/nextcloud.conf -### -### PHP -### - -# enable PHP interpreter -RUN systemctl enable php${phpv}-fpm - -# copy php configuration -COPY assets/php/php.ini /etc/php/${phpv}/fpm/ -COPY assets/php/www.conf /etc/php/${phpv}/fpm/pool.d/ - ### ### Redis ### 
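Review bot: The `PHPV=` line wraps the interpreter call in a redundant `echo $(...)`; `echo "PHPV=$(php -r 'echo PHP_VERSION;' | cut -d. -f1-2)" >> /etc/environment` yields the same value without the extra word-splitting pass. The `${PHPV:?}` and `${PSQLV:?}` references in the following RUN steps resolve only because the parent image's ONBUILD instructions set SHELL to bash and BASH_ENV to /etc/environment, which means localhost/debian has to be rebuilt from this commit before this image builds; a comment above the RUN that writes /etc/environment, `# PHPV/PSQLV below are read by bash through BASH_ENV (set by the localhost/debian ONBUILD steps)`, would save the next reader that puzzle. The move from direct `COPY … /etc/postgresql/${psqlv}/…` to `COPY … ./` plus `RUN mv` is the right fix for COPY not seeing those variables.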
@@ -75,13 +87,6 @@ COPY --chown=redis:redis assets/redis.conf /etc/redis/redis.conf # add www-data to redis group so it can use the socket RUN usermod -a -G redis www-data -### -### PostgreSQL ### -### - -# configure PostgreSQL access -COPY --chown=postgres:postgres assets/pg_hba.conf /etc/postgresql/${psqlv}/main/pg_hba.conf - ### ### Nextcloud ### @@ -107,3 +112,12 @@ COPY --chown=www-data:www-data assets/my.config.php nextcloud/config/ COPY assets/crontab /root/ # crontab for www-data RUN crontab -u www-data /root/crontab + +### +### Bugfix +### + +# push the fixed systemd file for redis +COPY bugfix/redis.service /etc/systemd/system/redis.service + +COPY bugfix/apache2.override /etc/systemd/system/apache2.service.d/override.conf diff --git a/src/nextcloud/assets/bin/maint b/src/nextcloud/assets/bin/maint index bac5eb2..1f819c0 100755 --- a/src/nextcloud/assets/bin/maint +++ b/src/nextcloud/assets/bin/maint @@ -1,7 +1,7 @@ #!/bin/bash # load environment variables -source /etc/environment +. /etc/environment hour=$(date +%H) day=$(date +%d) diff --git a/src/nextcloud/assets/bin/nc-adduser b/src/nextcloud/assets/bin/nc-adduser index a4ae752..a3188c7 100755 --- a/src/nextcloud/assets/bin/nc-adduser +++ b/src/nextcloud/assets/bin/nc-adduser @@ -9,13 +9,7 @@ set -e nc-occ user:add "$1" -nc-occ maintenance:mode --on - mkdir -p /vol/files/"$1" chown www-data:www-data /vol/files/"$1" -rsync -vaSH /srv/nextcloud/data/"$1"/files/ /vol/files/"$1"/ -rm -r /srv/nextcloud/data/"$1"/files -ln -s /vol/files/"$1" /srv/nextcloud/data/"$1"/files - -nc-occ maintenance:mode --off +nc-mntuser "$1" diff --git a/src/nextcloud/assets/bin/nc-mntuser b/src/nextcloud/assets/bin/nc-mntuser new file mode 100755 index 0000000..64eff56 --- /dev/null +++ b/src/nextcloud/assets/bin/nc-mntuser 
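Review bot: The two `COPY bugfix/…` lines in the last hunk install a full replacement unit for redis and a drop-in for apache2 without recording what they work around; the redis file in particular shadows the packaged unit, so later package updates to that unit will be silently ignored. If the packaged unit is redis-server.service, as it is on Debian, a drop-in under `/etc/systemd/system/redis-server.service.d/override.conf` carrying only the changed directives would be narrower and keep the package's unit authoritative. `PrivateTmp=false` for apache2 removes the service's private /tmp; a one-line comment above that COPY stating which failure it fixes would keep it from being reverted or copied elsewhere. The same applies to the new-file hunks for apache2.override and redis.service that follow.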
@@ -0,0 +1,20 @@ +#!/bin/bash + +if [[ -z $1 ]]; then + echo "Usage: $0 user" + exit 2 +fi + +intdir=/srv/nextcloud/data +extdir=/vol/files + +set -e + +nc-occ maintenance:mode --on + +mkdir -p $intdir/$user/files +chown -R www-data:www-data $intdir/$user +echo "$extdir/$user $intdir/$user/files none defaults,bind 0 0" >> /etc/fstab +mount -a + +nc-occ maintenance:mode --off diff --git a/src/nextcloud/bugfix/apache2.override b/src/nextcloud/bugfix/apache2.override new file mode 100644 index 0000000..d9fe94e --- /dev/null +++ b/src/nextcloud/bugfix/apache2.override @@ -0,0 +1,2 @@ +[Service] +PrivateTmp=false diff --git a/src/nextcloud/bugfix/redis.service b/src/nextcloud/bugfix/redis.service new file mode 100644 index 0000000..797f23e --- /dev/null +++ b/src/nextcloud/bugfix/redis.service 
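Review bot: The script validates `$1` but then uses `$user`, which is never assigned, so with `set -e` it runs `mkdir -p /srv/nextcloud/data//files`, `chown -R www-data:www-data /srv/nextcloud/data` over the whole data directory, appends `/vol/files/ /srv/nextcloud/data//files none defaults,bind 0 0` to /etc/fstab and bind-mounts the entire files volume over it — on every invocation, since the fstab line is appended unconditionally. Adding `user=$1` after the check, quoting the expansions, and only writing the fstab entry when it is not already present fixes both; `echo "Usage: $0 user" >&2` would also keep the usage text off stdout. Note that `mount -a` here is what the nextcloud deploy options add `--cap-add SYS_ADMIN` for.
```bash
user=$1
# … unchanged: intdir/extdir, set -e, maintenance:mode --on …
mkdir -p "$intdir/$user/files"
chown -R www-data:www-data "$intdir/$user"
# write the fstab entry once so repeated runs do not stack duplicate mounts
if ! grep -qF -- " $intdir/$user/files " /etc/fstab; then
  printf '%s %s none defaults,bind 0 0\n' "$extdir/$user" "$intdir/$user/files" >> /etc/fstab
fi
mount -a
# … unchanged: maintenance:mode --off …
```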
@@ -0,0 +1,46 @@ +[Unit] +Description=Advanced key-value store +After=network.target +Documentation=http://redis.io/documentation, man:redis-server(1) + +[Service] +Type=forking +ExecStart=/usr/bin/redis-server /etc/redis/redis.conf +ExecStop=/bin/kill -s TERM $MAINPID +PIDFile=/run/redis/redis-server.pid +TimeoutStopSec=0 +Restart=always +User=redis +Group=redis +RuntimeDirectory=redis +RuntimeDirectoryMode=2755 + +UMask=007 +#PrivateTmp=yes +LimitNOFILE=65535 +#PrivateDevices=yes +#ProtectHome=yes +#ReadOnlyDirectories=/ +#ReadWritePaths=-/var/lib/redis +#ReadWritePaths=-/var/log/redis +#ReadWritePaths=-/var/run/redis + +NoNewPrivileges=true +CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE +MemoryDenyWriteExecute=true +#ProtectKernelModules=true +#ProtectKernelTunables=true +#ProtectControlGroups=true +RestrictRealtime=true +RestrictNamespaces=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + +# redis-server can write to its own config file when in cluster mode so we +# permit writing there by default. If you are not using this feature, it is +# recommended that you replace the following lines with "ProtectSystem=full". +#ProtectSystem=true +#ReadWritePaths=-/etc/redis + +[Install] +WantedBy=multi-user.target +Alias=redis.service diff --git a/src/samba/Containerfile b/src/samba/Containerfile index 9785e70..3c48fa9 100644 --- a/src/samba/Containerfile +++ b/src/samba/Containerfile @@ -7,11 +7,9 @@ FROM localhost/debian:latest # -p (port) and -v (volume) both go host:container LABEL deployopts="\ -p 9045:445 \ --v /tank/files/db/samba:/vol/db \ --v /tank/files/media:/vol/media \ --v /tank/files/user:/vol/user" -# make sure mount directories exist -RUN mkdir -p /vol/db /vol/media /vol/user +-v /srv/vol/samba/data:/vol/data \ +-v /srv/vol/samba/media:/vol/media \ +-v /srv/vol/samba/files:/vol/files" # uid that the files owner user should have ARG FILESUID=5000 
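Review bot: This unit ships with its sandboxing directives commented out — `#PrivateTmp=yes`, `#PrivateDevices=yes`, `#ProtectHome=yes`, `#ReadOnlyDirectories=/`, `#ProtectKernelModules=true`, `#ProtectKernelTunables=true`, `#ProtectControlGroups=true`, `#ProtectSystem=true` and all `#ReadWritePaths` — while keeping the file's own comment that recommends `ProtectSystem=full`, so the "bugfix" is a blanket removal of the service's hardening rather than a targeted one. Re-enabling everything the container runtime tolerates and commenting only the directive that actually failed, with a comment naming the failure, would keep the fix minimal. `Alias=redis.service` inside a file installed as redis.service aliases the unit to itself and hints that this is a copy of redis-server.service, which a drop-in would override more cleanly. `RuntimeDirectoryMode=2755` leaves /run/redis world-readable; `2750` suffices since www-data is added to the redis group in the Containerfile.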
@@ -27,7 +25,7 @@ RUN apt update -y && apt install -y samba RUN addgroup --gid $FILESUID files && \ adduser files --ingroup files --uid $FILESUID --disabled-password --gecos "Files Owner" --shell /usr/sbin/nologin --no-create-home -RUN chown -R files:files /vol +RUN mkdir /vol && chown -R files:files /vol # copy our custom scripts COPY assets/bin/ /usr/local/bin/ @@ -35,7 +33,7 @@ COPY assets/bin/ /usr/local/bin/ RUN ls -A /home # replace home with symlink -RUN cd / && rmdir home && ln -s /vol/user home +RUN cd / && rmdir home && ln -s /vol/files home ### ### NMBD
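Review bot: `RUN mkdir /vol && chown -R files:files /vol` fails the build as soon as /vol exists already (a base-image change or a reordered layer is enough); `RUN mkdir -p /vol && chown files:files /vol` is idempotent, and `-R` does nothing useful on a directory that was created empty one command earlier. Since /vol/data, /vol/media and /vol/files are bind-mounted at deploy time per the first hunk, the ownership set here only covers the empty mount point; the host directories have to carry the FILESUID ownership themselves, which is worth a comment on this line.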