From 6c058c678e6fdac0d6b01c9c0be78de1b75f9e9f Mon Sep 17 00:00:00 2001 
From: dubo-dubon-duponey
Date: Tue, 19 Mar 2024 18:20:04 -0700
Subject: [PATCH] Work in progress
---
DEVELOP.md | 28 ++++++++++++-------
Dockerfile | 22 ++++++---------
context/runtime/boot/entrypoint.sh | 1 -
context/runtime/boot/http.sh | 6 ++--
context/runtime/boot/mdns.sh | 8 ++----
.../runtime/config/caddy/conf.d/global.conf | 15 ----------
context/runtime/config/caddy/main.conf | 2 --
.../runtime/config/caddy/sites.d/main.conf | 21 --------------
.../system}/config/caddy/conf.d/auth.conf | 0
.../system/config/caddy/conf.d/cache.conf | 27 ++++++++++++++++++
.../system/config/caddy/conf.d/global.conf | 23 +++++++++++++++
.../system}/config/caddy/conf.d/headers.conf | 1 -
.../system}/config/caddy/conf.d/log.conf | 0
.../system}/config/caddy/conf.d/mtls.conf | 0
.../config/caddy/conf.d/proxy_headers.conf | 0
.../config/caddy/conf.d/proxyauth.conf | 0
.../system}/config/caddy/conf.d/tls.conf | 0
.../magnetar/system/config/caddy/main.conf | 3 ++
.../config/caddy/sites.d/healthcheck.conf | 0
.../system/config/caddy/sites.d/main.conf | 21 ++++++++++++++
20 files changed, 106 insertions(+), 72 deletions(-)
delete mode 100644 context/runtime/config/caddy/conf.d/global.conf
delete mode 100644 context/runtime/config/caddy/main.conf
delete mode 100644 context/runtime/config/caddy/sites.d/main.conf
rename context/runtime/{ => magnetar/system}/config/caddy/conf.d/auth.conf (100%)
create mode 100644 context/runtime/magnetar/system/config/caddy/conf.d/cache.conf
create mode 100644 context/runtime/magnetar/system/config/caddy/conf.d/global.conf
rename context/runtime/{ => magnetar/system}/config/caddy/conf.d/headers.conf (99%)
rename context/runtime/{ => magnetar/system}/config/caddy/conf.d/log.conf (100%)
rename context/runtime/{ => magnetar/system}/config/caddy/conf.d/mtls.conf (100%)
rename context/runtime/{ => magnetar/system}/config/caddy/conf.d/proxy_headers.conf (100%)
rename context/runtime/{ => magnetar/system}/config/caddy/conf.d/proxyauth.conf (100%)
rename context/runtime/{ => magnetar/system}/config/caddy/conf.d/tls.conf (100%)
create mode 100644 context/runtime/magnetar/system/config/caddy/main.conf
rename context/runtime/{ => magnetar/system}/config/caddy/sites.d/healthcheck.conf (100%)
create mode 100644 context/runtime/magnetar/system/config/caddy/sites.d/main.conf
diff --git a/DEVELOP.md b/DEVELOP.md
index d312032..38cf677 100644
--- a/DEVELOP.md
+++ b/DEVELOP.md
@@ -72,14 +72,22 @@ Be sure to run `./hack/lint.sh` and `./hack/test.sh` before submitting anything. * no write * no cap * use the provided infrastructure - * runnable artifacts go to: - * `/boot/bin` (read-only) - * configuration should be read from: - * `/config` (read-only) - * certificates should go to: - * `/certs` (either read-only or read-write) - * persistent application data should use: - * `/data` (usually read-write) - * volatile data should use: - * `/tmp` (usually read-write) + * runnable artifacts go to: + * `/boot/bin` (read-only) + * configuration should be read from: + * `/magnetar/system/config` (read-only) + * and: + * `/magnetar/user/config` (read-write, user controlled) + * certificates should go to: + * `/magnetar/user/data` (either read-only or read-write) + * or: + * `/magnetar/system/data` (read-only) + * persistent application data should use: + * `/magnerar/system/data` (usually read-only) + * runtime data (socket, pipes) should use: + * `/magnerar/runtime` + * temp data (logs, states, etc) should use: + * `/magnerar/state` + * cache should use: + * `/magnerar/cache` * only use chroot to downgrade if you really REALLY need to start your entrypoint with "root"
diff --git a/Dockerfile b/Dockerfile
index 56c6b85..bc178a6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -147,11 +147,10 @@ COPY --from=assembly-bridge --chown=$BUILD_UID:root /dist / # Alternative is rpathing, but what exactly? ENV LD_LIBRARY_PATH=/boot/lib -ENV ROON_DATAROOT=/data/data_root -ENV ROON_ID_DIR=/data/id_dir +ENV ROON_DATAROOT="$XDG_DATA_HOME"/roon/data +ENV ROON_ID_DIR="$XDG_DATA_HOME"/roon/id -VOLUME /data -VOLUME /tmp +VOLUME "$XDG_DATA_HOME" ########################## # Building image server
@@ -247,10 +246,8 @@ RUN --mount=type=secret,uid=100,id=CA \ USER dubo-dubon-duponey -ENV ROON_DATAROOT=/data/data_root -ENV ROON_ID_DIR=/data/id_dir -EXPOSE 9003/udp -VOLUME /music +ENV ROON_DATAROOT="$XDG_DATA_HOME"/roon/data +ENV ROON_ID_DIR="$XDG_DATA_HOME"/roon/id ENV _SERVICE_NICK="roon" ENV _SERVICE_TYPE="_http._tcp"
@@ -338,13 +335,10 @@ ENV ADVANCED_MOD_HTTP_ADDITIONAL_DOMAINS="" ##### EXPOSE 443 EXPOSE 80 +EXPOSE 9003/udp -# Caddy certs will be stored here -VOLUME /certs -# Caddy uses this -VOLUME /tmp -# Used by the backend service -VOLUME /data +VOLUME "$XDG_DATA_HOME" +VOLUME /music ENV HEALTHCHECK_URL="http://127.0.0.1:10000/?healthcheck"
diff --git a/context/runtime/boot/entrypoint.sh b/context/runtime/boot/entrypoint.sh
index affbbad..0ee2a1b 100755
--- a/context/runtime/boot/entrypoint.sh
+++ b/context/runtime/boot/entrypoint.sh
@@ -13,7 +13,6 @@ readonly root helpers::dir::writable "/tmp" helpers::dir::writable "$XDG_DATA_HOME" create -helpers::dir::writable "$XDG_DATA_DIRS" create helpers::dir::writable "$ROON_ID_DIR" create helpers::dir::writable "$ROON_DATAROOT" create
diff --git a/context/runtime/boot/http.sh b/context/runtime/boot/http.sh
index 0eedd3e..6efe916 100755
--- a/context/runtime/boot/http.sh
+++ b/context/runtime/boot/http.sh
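Review bot: `VOLUME "$XDG_DATA_HOME"` in this hunk and again in the @@ -338 hunk puts Caddy's certificate store (`storage file_system` with `root "{$XDG_DATA_HOME}"/certs` in the new global.conf) and Roon's `ROON_DATAROOT`/`ROON_ID_DIR` on a single volume, where `/certs` and `/data` used to be declared separately. That drops the choice DEVELOP.md still documents of mounting certificates read-only while application data stays read-write, and any bind mount or backup of application data now carries the TLS private keys with it. If one volume is intended, a comment next to the declaration saying so would help; otherwise keep a separate declaration for the certificate directory so the two can be mounted with different permissions. The line also depends on `XDG_DATA_HOME` being set by an `ENV` earlier in the Dockerfile, outside this hunk; if it is not, the instruction expands to an empty path and the build fails.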
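Review bot: The unchanged `helpers::dir::writable "/tmp"` line at the top of the entrypoint.sh hunk still requires a writable /tmp, while the Dockerfile hunks in this same patch drop `VOLUME /tmp`; on a read-only root filesystem, which is what DEVELOP.md asks for, that check would now fail unless the runtime mounts a tmpfs there. If nothing uses /tmp any more (the dbus socket moves to /magnetar/runtime in mdns.sh), the check can go; otherwise a comment such as `# /tmp is no longer a declared volume: the runtime must supply a writable tmpfs here` would state the requirement. Dropping the `$XDG_DATA_DIRS` writability check is consistent with that location being read-only.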
@@ -27,11 +27,11 @@ http::certificate(){ printf >&2 "Your container uses letsencrypt - there is no local CA in that case." exit 1 fi - if [ ! -e /certs/pki/authorities/local/root.crt ]; then + if [ ! -e "$XDG_DATA_HOME"/certs/pki/authorities/local/root.crt ]; then printf >&2 "No root certificate installed or generated. Run the container so that a cert is generated, or provide one at runtime." exit 1 fi - cat /certs/pki/authorities/local/root.crt + cat "$XDG_DATA_HOME"/certs/pki/authorities/local/root.crt } http::start(){
@@ -69,6 +69,6 @@ http::start(){ CDY_PORT_HTTPS="${ADVANCED_MOD_HTTP_PORT:-$_default_https_port}" \ CDY_TLS_MIN="${ADVANCED_MOD_HTTP_TLS_MIN:-$_default_tls_min}" \ CDY_SERVER_NAME="${ADVANCED_MOD_HTTP_SERVER_NAME:-$_default_server_name}" \ - caddy run --config /config/caddy/main.conf --adapter caddyfile "$@" + caddy run --config "$XDG_CONFIG_DIRS"/caddy/main.conf --adapter caddyfile "$@" }
diff --git a/context/runtime/boot/mdns.sh b/context/runtime/boot/mdns.sh
index 02242e6..9462d76 100755
--- a/context/runtime/boot/mdns.sh
+++ b/context/runtime/boot/mdns.sh
@@ -90,7 +90,7 @@ mdns::start::avahi(){ [ "$LOG_LEVEL" != "debug" ] || args+=(--debug) # -D/--daemonize implies -s/--syslog that we do not want, so, just background it - avahi-daemon -f /config/avahi/main.conf --no-drop-root --no-chroot "${args[@]}" & + avahi-daemon -f "$XDG_CONFIG_DIRS"/avahi/main.conf --no-drop-root --no-chroot "${args[@]}" & local tries=1 # Wait until the socket is there
@@ -109,11 +109,9 @@ mdns::start::dbus(){ # https://man7.org/linux/man-pages/man3/sd_bus_default.3.html # https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html - # $XDG_RUNTIME_DIR=/tmp/runtime + local dbussocket=/magnetar/runtime/dbus/system_bus_socket # Configuration file also has that ^ hardcoded, so, cannot use the variable... - local dbussocket=/tmp/runtime/dbus/system_bus_socket - # Ensure directory exists helpers::dir::writable "$(dirname "$dbussocket")" create
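Review bot: The two new paths `"$XDG_DATA_HOME"/certs/pki/authorities/local/root.crt` in the @@ -27 hunk fall back silently to the old `/certs/...` location if `XDG_DATA_HOME` is empty or unset, so the "No root certificate installed" message would then point at the wrong place. Using `"${XDG_DATA_HOME:?}"/certs/pki/authorities/local/root.crt` on both lines makes the missing variable fail loudly instead. `http::certificate` begins before this hunk.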
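Review bot: `"$XDG_CONFIG_DIRS"/caddy/main.conf` in the @@ -69 hunk treats `XDG_CONFIG_DIRS` as a single directory, but under the XDG base-directory spec it is a colon-separated list, so the path breaks as soon as a second entry is present. The same assumption appears in mdns.sh (`avahi-daemon -f` in the @@ -90 hunk, `dbus-daemon --config-file` in the @@ -122 hunk) and in every `"{$XDG_CONFIG_DIRS}"/caddy/...` reference in the new Caddy files. Either take the first entry, `"${XDG_CONFIG_DIRS%%:*}"/caddy/main.conf`, or export a single-valued variable for the system config root and use it everywhere; whichever is chosen, a one-line comment stating that the list is assumed to hold one entry belongs next to the first use. `http::start` begins before this hunk.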
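Review bot: In the @@ -109 hunk of mdns.sh the retained comment `# Configuration file also has that ^ hardcoded, so, cannot use the variable...` now refers to the new `/magnetar/runtime/dbus/system_bus_socket`, yet no dbus configuration file is touched by this patch (the diffstat lists none); unless it was updated separately, dbus-daemon would still listen at the old `/tmp/runtime/...` path while the loop below waits for a socket that never appears. Please move the dbus config path in the same change, or name in the comment which file has to change together with this line. `mdns::start::dbus` continues past this hunk.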
@@ -122,7 +120,7 @@ mdns::start::dbus(){ export DBUS_SESSION_BUS_ADDRESS=unix:path="$dbussocket" # Start it, without a PID file - dbus-daemon --nopidfile --config-file /config/dbus/main.conf + dbus-daemon --nopidfile --config-file "$XDG_CONFIG_DIRS"/dbus/main.conf local tries=1 # Wait until the socket is there
diff --git a/context/runtime/config/caddy/conf.d/global.conf b/context/runtime/config/caddy/conf.d/global.conf
deleted file mode 100644
index dd1f0e3..0000000
--- a/context/runtime/config/caddy/conf.d/global.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- https_port {$CDY_PORT_HTTPS}
- http_port {$CDY_PORT_HTTP}
- default_sni {$CDY_DOMAIN}
- admin off
- storage file_system {
- root "/certs"
- }
- skip_install_trust
- auto_https {$CDY_TLS_AUTO}
- order basicauth after request_header
- acme_ca {$CDY_ACME_CA}
-
- order replace after encode
-}
diff --git a/context/runtime/config/caddy/main.conf b/context/runtime/config/caddy/main.conf
deleted file mode 100644
index 570481a..0000000
--- a/context/runtime/config/caddy/main.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-import conf.d/global.conf
-import sites.d/*.conf
diff --git a/context/runtime/config/caddy/sites.d/main.conf b/context/runtime/config/caddy/sites.d/main.conf
deleted file mode 100644
index d118f57..0000000
--- a/context/runtime/config/caddy/sites.d/main.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-{$CDY_SCHEME}://{$CDY_DOMAIN} {$CDY_ADDITIONAL_DOMAINS} {
- import /config/caddy/conf.d/log.conf "{$CDY_LOG_LEVEL}"
- import /config/caddy/conf.d/headers.conf "{$CDY_SERVER_NAME}"
- import /config/caddy/conf.d/proxyauth.conf
- import /config/caddy/conf.d/tls*{$CDY_TLS_DISABLE}.conf "{$CDY_TLS_MODE}" "{$CDY_TLS_MIN}"
- import /config/caddy/conf.d/mtls*{$CDY_MTLS_DISABLE}.conf "{$CDY_TLS_MODE}" "{$CDY_MTLS_MODE}" "{$CDY_MTLS_TRUST}"
- import /config/caddy/conf.d/auth*{$CDY_AUTH_DISABLE}.conf "{$CDY_AUTH_REALM}" "{$CDY_AUTH_USERNAME}" "{$CDY_AUTH_PASSWORD}"
-
- metrics /metrics
-
- rewrite / /display
- replace "ws://" "wss://"
- replace "http://" "https://"
-
- # Pass it down
- reverse_proxy http://127.0.0.1:9100 {
- import /config/caddy/conf.d/proxy_headers.conf
- # CSP specifics to this backend service
- header_down Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' blob:; font-src 'self' https://fonts.gstatic.com"
- }
-}
diff --git a/context/runtime/config/caddy/conf.d/auth.conf b/context/runtime/magnetar/system/config/caddy/conf.d/auth.conf
similarity index 100%
rename from context/runtime/config/caddy/conf.d/auth.conf
rename to context/runtime/magnetar/system/config/caddy/conf.d/auth.conf
diff --git a/context/runtime/magnetar/system/config/caddy/conf.d/cache.conf b/context/runtime/magnetar/system/config/caddy/conf.d/cache.conf
new file mode 100644
index 0000000..4275883
--- /dev/null
+++ b/context/runtime/magnetar/system/config/caddy/conf.d/cache.conf
@@ -0,0 +1,27 @@
+cache {
+ log_level "{args[0]}"
+
+ cache_keys {
+ disable_body
+ }
+
+ key {
+ disable_body
+ }
+
+ stale 31536000s
+ ttl 31536000s
+
+ nuts {
+ configuration {
+ Dir "{args[1]}"
+ EntryIdxMode 1
+ RWMode 0
+ SegmentSize 1024
+ NodeNum 42
+ SyncEnable true
+ StartFileLoadingMode 1
+ }
+ }
+}
+
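Review bot: The cache key configuration in cache.conf carries only `disable_body`, and nothing here excludes requests with an `Authorization` header or cookies, while sites.d/main.conf in this patch places the proxied backend behind `auth*.conf`/`proxyauth.conf`; combined with `ttl 31536000s` and `stale 31536000s`, a response generated for one authenticated client could be served from the shared cache to another for up to a year. The cache may still be inert, since the site block in sites.d/main.conf has no `cache` directive and this block only sets global options, but the constraint should be stated at the top of the file, e.g. `# global defaults only; any site enabling cache must exclude authenticated responses and key on the auth context`. Also worth a look: `cache_keys` and `key` repeat the same `disable_body`, which reads like one of them is a leftover.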
diff --git a/context/runtime/magnetar/system/config/caddy/conf.d/global.conf b/context/runtime/magnetar/system/config/caddy/conf.d/global.conf
new file mode 100644
index 0000000..85aefa8
--- /dev/null
+++ b/context/runtime/magnetar/system/config/caddy/conf.d/global.conf
@@ -0,0 +1,23 @@
+{
+ https_port {args[0]}
+ http_port {args[1]}
+ default_sni {args[2]}
+ admin off
+ storage file_system {
+ root "{$XDG_DATA_HOME}"/certs
+ }
+ skip_install_trust
+ auto_https {args[3]}
+ order basicauth after request_header
+ order replace after encode
+ order cache before rewrite
+
+ acme_ca {args[4]}
+
+ import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/log.conf {args[5]}
+ import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/cache.conf "warn" "{$XDG_CACHE_HOME}/caddy"
+
+ servers {
+ metrics
+ }
+}
diff --git a/context/runtime/config/caddy/conf.d/headers.conf b/context/runtime/magnetar/system/config/caddy/conf.d/headers.conf
similarity index 99%
rename from context/runtime/config/caddy/conf.d/headers.conf
rename to context/runtime/magnetar/system/config/caddy/conf.d/headers.conf
index 10a6648..cfbf296 100644
--- a/context/runtime/config/caddy/conf.d/headers.conf
+++ b/context/runtime/magnetar/system/config/caddy/conf.d/headers.conf
@@ -19,6 +19,5 @@ header ?Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # CSP is garbage and unusable # header ?Content-Security-Policy "default-src 'self';" - # Signature header Server "{args[0]}"
diff --git a/context/runtime/config/caddy/conf.d/log.conf b/context/runtime/magnetar/system/config/caddy/conf.d/log.conf
similarity index 100%
rename from context/runtime/config/caddy/conf.d/log.conf
rename to context/runtime/magnetar/system/config/caddy/conf.d/log.conf
diff --git a/context/runtime/config/caddy/conf.d/mtls.conf b/context/runtime/magnetar/system/config/caddy/conf.d/mtls.conf
similarity index 100%
rename from context/runtime/config/caddy/conf.d/mtls.conf
rename to context/runtime/magnetar/system/config/caddy/conf.d/mtls.conf
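Review bot: `root "{$XDG_DATA_HOME}"/certs` and `import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/log.conf {args[5]}` in the new global.conf close the quote before the rest of the path; as far as I can tell the Caddyfile lexer ends a token at the closing quote, so each becomes two tokens (`{$XDG_DATA_HOME}` and `/certs`), which hands `root` an extra argument and makes the import target the bare config directory. The same `"{$VAR}"/path` form is used throughout main.conf and sites.d/main.conf later in this patch, while the cache import two lines down already uses the whole-quoted form `"{$XDG_CACHE_HOME}/caddy"`. Write `root "{$XDG_DATA_HOME}/certs"` and `import "{$XDG_CONFIG_DIRS}/caddy/conf.d/log.conf" {args[5]}` here and apply the same to the other two files.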
diff --git a/context/runtime/config/caddy/conf.d/proxy_headers.conf b/context/runtime/magnetar/system/config/caddy/conf.d/proxy_headers.conf
similarity index 100%
rename from context/runtime/config/caddy/conf.d/proxy_headers.conf
rename to context/runtime/magnetar/system/config/caddy/conf.d/proxy_headers.conf
diff --git a/context/runtime/config/caddy/conf.d/proxyauth.conf b/context/runtime/magnetar/system/config/caddy/conf.d/proxyauth.conf
similarity index 100%
rename from context/runtime/config/caddy/conf.d/proxyauth.conf
rename to context/runtime/magnetar/system/config/caddy/conf.d/proxyauth.conf
diff --git a/context/runtime/config/caddy/conf.d/tls.conf b/context/runtime/magnetar/system/config/caddy/conf.d/tls.conf
similarity index 100%
rename from context/runtime/config/caddy/conf.d/tls.conf
rename to context/runtime/magnetar/system/config/caddy/conf.d/tls.conf
diff --git a/context/runtime/magnetar/system/config/caddy/main.conf b/context/runtime/magnetar/system/config/caddy/main.conf
new file mode 100644
index 0000000..2c83cba
--- /dev/null
+++ b/context/runtime/magnetar/system/config/caddy/main.conf
@@ -0,0 +1,3 @@
+import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/global.conf "{$CDY_PORT_HTTPS}" "{$CDY_PORT_HTTP}" "{$CDY_DOMAIN}" "{$CDY_TLS_AUTO}" "{$CDY_ACME_CA}" "{$CDY_LOG_LEVEL}"
+import "{$XDG_CONFIG_DIRS}"/caddy/sites.d/*.conf
+import "{$XDG_CONFIG_HOME}"/caddy/sites.d/*.conf
diff --git a/context/runtime/config/caddy/sites.d/healthcheck.conf b/context/runtime/magnetar/system/config/caddy/sites.d/healthcheck.conf
similarity index 100%
rename from context/runtime/config/caddy/sites.d/healthcheck.conf
rename to context/runtime/magnetar/system/config/caddy/sites.d/healthcheck.conf
diff --git a/context/runtime/magnetar/system/config/caddy/sites.d/main.conf b/context/runtime/magnetar/system/config/caddy/sites.d/main.conf
new file mode 100644
index 0000000..e16654f
--- /dev/null
+++ b/context/runtime/magnetar/system/config/caddy/sites.d/main.conf
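Review bot: The third line of the new main.conf imports `"{$XDG_CONFIG_HOME}"/caddy/sites.d/*.conf`, which DEVELOP.md in this patch describes as read-write and user controlled, so whatever lands there becomes Caddy configuration with the same reach as the system files, including the certificate store under `$XDG_DATA_HOME/certs` and the ability to define additional site blocks. If that is the intended extension point, a comment on the line such as `# user-supplied site blocks; trusted exactly like the system config` would stop the next maintainer from treating that directory as mere data. As far as I recall an `import` glob with no match is not an error in Caddy v2, so the line should be harmless when the directory is absent, but that is worth confirming against the version in the image.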
@@ -0,0 +1,21 @@
+{$CDY_SCHEME}://{$CDY_DOMAIN} {$CDY_ADDITIONAL_DOMAINS} {
+ import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/log.conf "{$CDY_LOG_LEVEL}"
+ import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/headers.conf "{$CDY_SERVER_NAME}"
+ import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/proxyauth.conf
+ import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/tls*{$CDY_TLS_DISABLE}.conf "{$CDY_TLS_MODE}" "{$CDY_TLS_MIN}"
+ import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/mtls*{$CDY_MTLS_DISABLE}.conf "{$CDY_TLS_MODE}" "{$CDY_MTLS_MODE}" "{$CDY_MTLS_TRUST}"
+ import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/auth*{$CDY_AUTH_DISABLE}.conf "{$CDY_AUTH_REALM}" "{$CDY_AUTH_USERNAME}" "{$CDY_AUTH_PASSWORD}"
+
+ metrics /metrics
+
+ rewrite / /display
+ replace "ws://" "wss://"
+ replace "http://" "https://"
+
+ # Pass it down
+ reverse_proxy http://127.0.0.1:9100 {
+ import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/proxy_headers.conf
+ # CSP specifics to this backend service
+ header_down Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' blob:; font-src 'self' https://fonts.gstatic.com"
+ }
+}