cleanup build

hotio · Aug 25, 2023 · 2b48124 · 2b48124
1 parent 15a8ac4
commit 2b48124
Show file tree

Hide file tree

Showing 25 changed files with 34 additions and 229 deletions.
diff --git a/linux-amd64.Dockerfile b/linux-amd64.Dockerfile
@@ -4,30 +4,17 @@ ARG UPSTREAM_DIGEST_AMD64
 FROM golang:alpine as builder
 ARG VERSION
 RUN apk add --no-cache curl jq
-RUN mkdir /caddy && \
-    xcaddy_version=$(curl -u "${GITHUB_ACTOR}:${GITHUB_TOKEN}" -fsSL "https://api.github.com/repos/caddyserver/xcaddy/releases/latest" | jq -r .tag_name | sed s/v//g) && \
-    wget -O - "https://github.com/caddyserver/xcaddy/releases/download/v${xcaddy_version}/xcaddy_${xcaddy_version}_linux_arm64.tar.gz" | tar xzf - -C "/bin" && \
-    cd /caddy && \
-    xcaddy build v${VERSION} --output /caddy/caddy \
+RUN xcaddy_version=$(curl -u "${GITHUB_ACTOR}:${GITHUB_TOKEN}" -fsSL "https://api.github.com/repos/caddyserver/xcaddy/releases/latest" | jq -r .tag_name | sed s/v//g) && \
+    wget -O - "https://github.com/caddyserver/xcaddy/releases/download/v${xcaddy_version}/xcaddy_${xcaddy_version}_linux_amd64.tar.gz" | tar xzf - -C "/bin" && \
+    xcaddy build v${VERSION} --output /caddy-bin \
         --with github.com/caddy-dns/cloudflare && \
-    chmod 755 "/caddy/caddy"
+    chmod 755 "/caddy-bin"
 
 
 FROM ${UPSTREAM_IMAGE}@${UPSTREAM_DIGEST_AMD64}
 EXPOSE 8080 8443
 VOLUME ["${CONFIG_DIR}"]
-
 ENV CUSTOM_BUILD=""
-
-RUN apk add --no-cache nss-tools fail2ban cronie logrotate
-
-ARG VERSION
-COPY --from=builder /caddy/caddy "${APP_DIR}/caddy"
-RUN chmod -R u=rwX,go=rX "${APP_DIR}" && \
-    ln -s "${APP_DIR}/caddy" "/usr/local/bin/caddy" && \
-    cp -R /etc/fail2ban "${APP_DIR}/" && \
-    rm -rf /etc/fail2ban && \
-    ln -s "${CONFIG_DIR}/fail2ban" "/etc/fail2ban"
-
+COPY --from=builder /caddy-bin "${APP_DIR}/caddy"
 COPY root/ /
 RUN chmod -R +x /etc/cont-init.d/ /etc/services.d/
diff --git a/linux-arm64.Dockerfile b/linux-arm64.Dockerfile
@@ -4,30 +4,17 @@ ARG UPSTREAM_DIGEST_ARM64
 FROM golang:alpine as builder
 ARG VERSION
 RUN apk add --no-cache curl jq
-RUN mkdir /caddy && \
-    xcaddy_version=$(curl -u "${GITHUB_ACTOR}:${GITHUB_TOKEN}" -fsSL "https://api.github.com/repos/caddyserver/xcaddy/releases/latest" | jq -r .tag_name | sed s/v//g) && \
+RUN xcaddy_version=$(curl -u "${GITHUB_ACTOR}:${GITHUB_TOKEN}" -fsSL "https://api.github.com/repos/caddyserver/xcaddy/releases/latest" | jq -r .tag_name | sed s/v//g) && \
     wget -O - "https://github.com/caddyserver/xcaddy/releases/download/v${xcaddy_version}/xcaddy_${xcaddy_version}_linux_arm64.tar.gz" | tar xzf - -C "/bin" && \
-    cd /caddy && \
-    xcaddy build v${VERSION} --output /caddy/caddy \
+    xcaddy build v${VERSION} --output /caddy-bin \
         --with github.com/caddy-dns/cloudflare && \
-    chmod 755 "/caddy/caddy"
+    chmod 755 "/caddy-bin"
 
 
 FROM ${UPSTREAM_IMAGE}@${UPSTREAM_DIGEST_ARM64}
 EXPOSE 8080 8443
 VOLUME ["${CONFIG_DIR}"]
-
 ENV CUSTOM_BUILD=""
-
-RUN apk add --no-cache nss-tools fail2ban cronie logrotate
-
-ARG VERSION
-COPY --from=builder /caddy/caddy "${APP_DIR}/caddy"
-RUN chmod -R u=rwX,go=rX "${APP_DIR}" && \
-    ln -s "${APP_DIR}/caddy" "/usr/local/bin/caddy" && \
-    cp -R /etc/fail2ban "${APP_DIR}/" && \
-    rm -rf /etc/fail2ban && \
-    ln -s "${CONFIG_DIR}/fail2ban" "/etc/fail2ban"
-
+COPY --from=builder /caddy-bin "${APP_DIR}/caddy"
 COPY root/ /
 RUN chmod -R +x /etc/cont-init.d/ /etc/services.d/
diff --git a/root/app/Caddyfile b/root/app/Caddyfile
@@ -8,11 +8,34 @@
   abort @block
 }
 
-:8080 {
+(security_headers) {
+  header {
+    Strict-Transport-Security "max-age=31536000; includeSubDomains;"
+    X-Frame-Options "SAMEORIGIN"
+    X-Content-Type-Options "nosniff"
+    Referrer-Policy "strict-origin"
+    X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
+  }
+}
+
+(log_settings) {
   log {
     output file /config/logs/access.log
+    level WARN
   }
+}
+
+# Default http file server
+:8080 {
+  import log_settings
   root * /app/www
   file_server
   import block_world
 }
+
+# Default reverse proxy template for your domain
+# sub.yourdomain.com {
+#   import log_settings
+#   import security_headers
+#   reverse_proxy server:8080
+# }
diff --git a/root/app/crontab/default b/root/app/crontab/default
diff --git a/root/app/fail2ban/fail2ban.d/custom_settings.local b/root/app/fail2ban/fail2ban.d/custom_settings.local
diff --git a/root/app/fail2ban/filter.d/caddy-4xx.local b/root/app/fail2ban/filter.d/caddy-4xx.local
diff --git a/root/app/fail2ban/filter.d/jellyfin.local b/root/app/fail2ban/filter.d/jellyfin.local
diff --git a/root/app/fail2ban/filter.d/jellyseerr.local b/root/app/fail2ban/filter.d/jellyseerr.local
diff --git a/root/app/fail2ban/filter.d/overseerr.local b/root/app/fail2ban/filter.d/overseerr.local
diff --git a/root/app/fail2ban/filter.d/petio.local b/root/app/fail2ban/filter.d/petio.local
diff --git a/root/app/fail2ban/jail.d/alpine-ssh.local b/root/app/fail2ban/jail.d/alpine-ssh.local
diff --git a/root/app/fail2ban/jail.d/caddy-4xx.local b/root/app/fail2ban/jail.d/caddy-4xx.local
diff --git a/root/app/fail2ban/jail.d/jellyfin.local b/root/app/fail2ban/jail.d/jellyfin.local
diff --git a/root/app/fail2ban/jail.d/jellyseerr.local b/root/app/fail2ban/jail.d/jellyseerr.local
diff --git a/root/app/fail2ban/jail.d/overseerr.local b/root/app/fail2ban/jail.d/overseerr.local
diff --git a/root/app/fail2ban/jail.d/petio.local b/root/app/fail2ban/jail.d/petio.local
diff --git a/root/app/logrotate/jellyfin b/root/app/logrotate/jellyfin
diff --git a/root/app/templates/README b/root/app/templates/README
diff --git a/root/app/templates/conreq b/root/app/templates/conreq
diff --git a/root/app/templates/jellyfin b/root/app/templates/jellyfin
diff --git a/root/app/templates/overseerr b/root/app/templates/overseerr
diff --git a/root/app/templates/petio b/root/app/templates/petio
diff --git a/root/etc/cont-init.d/01-config-app b/root/etc/cont-init.d/01-config-app
@@ -11,44 +11,4 @@ if [[ ! -f "${CONFIG_DIR}/Caddyfile" ]]; then
     chown hotio:hotio "${CONFIG_DIR}/Caddyfile"
 fi
 
-if [[ ! -d "${CONFIG_DIR}/fail2ban" ]]; then
-    echo "Installing default \"fail2ban\"..."
-    cp -R "${APP_DIR}/fail2ban" "${CONFIG_DIR}/"
-    chown -R hotio:hotio "${CONFIG_DIR}/fail2ban"
-fi
-
-if [[ -f "${CONFIG_DIR}/fail2ban/fail2ban.sqlite3" ]]; then
-    chown hotio:hotio "${CONFIG_DIR}/fail2ban/fail2ban.sqlite3"
-fi
-
-if [[ ! -f "${APP_DIR}/templates/.copied" ]]; then
-    echo "Installing default \"templates\"..."
-    rm -rf "${CONFIG_DIR}/templates"
-    cp -R "${APP_DIR}/templates" "${CONFIG_DIR}/"
-    chown -R hotio:hotio "${CONFIG_DIR}/templates"
-    touch "${APP_DIR}/templates/.copied"
-fi
-
-if [[ ! -d "${CONFIG_DIR}/crontab" ]]; then
-    echo "Installing default \"crontab\"..."
-    cp -R "${APP_DIR}/crontab" "${CONFIG_DIR}/"
-    chown -R hotio:hotio "${CONFIG_DIR}/crontab"
-fi
-
-if [[ -f "${CONFIG_DIR}/crontab/default" ]]; then
-    echo "Loading user provided \"crontab\" to system..."
-    crontab "${CONFIG_DIR}/crontab/default"
-fi
-
-if [[ ! -d "${CONFIG_DIR}/logrotate" ]]; then
-    echo "Installing default \"logrotate\"..."
-    cp -R "${APP_DIR}/logrotate" "${CONFIG_DIR}/"
-    chown -R hotio:hotio "${CONFIG_DIR}/logrotate"
-fi
-
-if [[ -d "${CONFIG_DIR}/logrotate" ]]; then
-    echo "Copying \"logrotate\" folder to /tmp and chown as root..."
-    rm -rf "/tmp/logrotate"
-    cp -R "${CONFIG_DIR}/logrotate" "/tmp/"
-    chown -R root:root "/tmp/logrotate"
-fi
+ln -sf "${APP_DIR}/caddy" "/usr/local/bin/caddy"
diff --git a/root/etc/services.d/cronie/run b/root/etc/services.d/cronie/run
diff --git a/root/etc/services.d/fail2ban/run b/root/etc/services.d/fail2ban/run