diff --git a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix index f492628..a40f40f 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix @@ -11,7 +11,7 @@ ... }: let - selfLib = inputs.self.lib.${system}; + selfPkgs = inputs.self.packages.${system}; hmConfig = config.home-manager.users.${user}; inherit (hmConfig.virtualisation.quadlet) volumes containers networks; in @@ -55,8 +55,7 @@ in containers = { "authelia-init" = { containerConfig = { - autoUpdate = "registry"; - image = "docker.io/mikefarah/yq:latest"; + image = "docker-archive:${selfPkgs.docker-yq}"; networks = [ networks.authelia.ref ]; volumes = [ "${home}/.local/share/authelia/config:/workdir/config" @@ -69,8 +68,6 @@ in "/workdir/users.yaml" "-i" ]; - user = "0"; - group = "0"; }; serviceConfig = { @@ -91,7 +88,7 @@ in authentication_backend = { refresh_interval = "always"; file = { - path = "/config/users.yaml"; + path = "/etc/authelia/users.yaml"; watch = true; }; }; @@ -127,8 +124,7 @@ in }; in { - autoUpdate = "registry"; - image = "ghcr.io/authelia/authelia"; + image = "docker-archive:${selfPkgs.docker-authelia}"; environments = { AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET"; AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET"; 
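Review bot: Replacing the registry references with `docker-archive:${selfPkgs.docker-yq}` and `docker-archive:${selfPkgs.docker-authelia}` (and the same pattern for postgresql, redis, ntfy, traefik and whoami in the later hunks) drops every `autoUpdate = "registry"` line, so none of these containers is refreshed by podman auto-update any more; fixes now reach them only when the flake's nixpkgs input is bumped and the host rebuilt. That is a real reproducibility gain, but the `autoUpdate.enable = true` left in `podman/default.nix` no longer covers anything visible on this page, and nothing records the new update path. A comment at the first `image =` such as `# Built from nixpkgs (docker-archive:): tracks the flake lock, not podman auto-update` plus a documented `nix flake update` cadence would make the trade-off explicit.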
@@ -137,8 +133,8 @@ in AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD"; }; volumes = [ - "${home}/.local/share/authelia/config:/config" - "${config}:/config/conf.d/configuration.yaml:ro" + "${home}/.local/share/authelia/config:/etc/authelia" + "${config}:/etc/authelia/conf.d/configuration.yaml:ro" "${hmConfig.sops.secrets."authelia/jwt".path}:/secrets/JWT_SECRET:ro" "${hmConfig.sops.secrets."authelia/session".path}:/secrets/SESSION_SECRET:ro" "${hmConfig.sops.secrets."authelia/storage".path}:/secrets/STORAGE_ENCRYPTION_KEY:ro" @@ -149,7 +145,7 @@ in networks.authelia.ref networks.traefik.ref ]; - exec = [ "--config /config/conf.d/" ]; + exec = [ "--config /etc/authelia/conf.d/" ]; labels = [ "traefik.enable=true" "traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)" 
@@ -171,39 +167,32 @@ in "authelia-postgresql" = { containerConfig = { - autoUpdate = "registry"; - image = "docker.io/library/postgres:latest"; + image = "docker-archive:${selfPkgs.docker-postgresql}"; networks = [ networks.authelia.ref ]; - volumes = [ - "${selfLib.runtime.log.docker.postgres}:/entrypoint.sh:ro" - "${home}/.local/share/authelia/postgresql:/var/lib/postgresql/data" - ]; + volumes = [ "${home}/.local/share/authelia/postgresql:/var/lib/postgresql/data" ]; environments = { POSTGRES_DB = "authelia"; POSTGRES_USER = "authelia"; }; environmentFiles = [ hmConfig.sops.templates."authelia-postgresql.env".path ]; - entrypoint = "/entrypoint.sh"; - exec = [ "postgres" ]; }; unitConfig.After = [ "sops-nix.service" ]; }; "authelia-redis".containerConfig = { - autoUpdate = "registry"; - image = "docker.io/library/redis:latest"; + image = "docker-archive:${selfPkgs.docker-redis}"; networks = [ networks.authelia.ref ]; - volumes = [ "${volumes."authelia-redis".ref}:/data" ]; + volumes = [ "${volumes."authelia-redis".ref}:/var/lib/redis" ]; exec = [ "--save 60 1" ]; }; }; }; systemd.user.tmpfiles.rules = [ - "d ${home}/.local/share/authelia/config :0755 :${user} :${user}" - "f ${home}/.local/share/authelia/config/users.yaml :0644 :${user} :${user}" - "d ${home}/.local/share/authelia/postgresql :0755 :${user} :${user}" + "d ${home}/.local/share/authelia/config 0755 ${user} ${user}" + "f ${home}/.local/share/authelia/config/users.yaml 0600 ${user} ${user}" + "d ${home}/.local/share/authelia/postgresql 0700 ${user} ${user}" ]; }; } diff --git a/hosts/jupiter/users/storm/configs/console/podman/default.nix b/hosts/jupiter/users/storm/configs/console/podman/default.nix index 6362dca..a55db19 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix 
@@ -14,6 +14,11 @@ in (import ./whoami { inherit user home; }) ]; + boot.kernel.sysctl = { + "net.ipv4.ip_unprivileged_port_start" = 0; + "vm.overcommit_memory" = 1; + }; + home-manager.users.${user} = { virtualisation.quadlet = { autoUpdate.enable = true; diff --git a/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix index 278c784..5db6f41 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix @@ -2,8 +2,15 @@ user ? throw "user argument is required", home ? throw "home argument is required", }: -{ config, pkgs, ... }: +{ + config, + inputs, + pkgs, + system, + ... +}: let + selfPkgs = inputs.self.packages.${system}; hmConfig = config.home-manager.users.${user}; inherit (hmConfig.virtualisation.quadlet) volumes networks; in @@ -75,6 +82,7 @@ in content = '' #!/bin/sh + mkdir -p /tmp PIPE=$(mktemp -u) mkfifo "$PIPE" trap 'rm -f "$PIPE"' EXIT @@ -108,8 +116,7 @@ in containers.ntfy = { containerConfig = { - autoUpdate = "registry"; - image = "docker.io/binwiederhier/ntfy:latest"; + image = "docker-archive:${selfPkgs.docker-ntfy}"; networks = [ networks.ntfy.ref networks.traefik.ref diff --git a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix index 8a59236..4510fa5 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix 
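Review bot: `"net.ipv4.ip_unprivileged_port_start" = 0` lets every unprivileged process on the host bind any port below 1024, which is broader than the rootless traefik container needs: its module still opens only 80 and 443 in `networking.firewall.allowedTCPPorts`, so `80` would cover both while keeping 0–79 privileged. Neither key carries a why-comment; I would add `# let the rootless traefik container bind 80/443` on the first and `# presumably for redis' fork-based RDB saves (--save 60 1 in authelia/default.nix) — confirm` on `vm.overcommit_memory`, since the page shows the redis save flag but not the motive. Moving the sysctl out of the traefik module also detaches it from the service that needs it, which the comment should name.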
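Review bot: The added `mkdir -p /tmp` leaves `PIPE=$(mktemp -u)` followed by `mkfifo "$PIPE"` in place, which reserves a name and then creates it as two separate steps; if this runs inside a fresh single-user container, as the `mkdir` suggests, the window is mostly theoretical, but `mktemp -d` gives the same result atomically: `PIPE_DIR=$(mktemp -d)`, `PIPE="$PIPE_DIR/pipe"; mkfifo "$PIPE"`, `trap 'rm -rf "$PIPE_DIR"' EXIT`. The same `mktemp -u`/`mkfifo` pair appears in the new `packages/docker/postgresql/entrypoint.sh`, which has no cleanup for the fifo at all. The script body starts and ends outside this hunk.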
@@ -2,14 +2,18 @@ user ? throw "user argument is required", home ? throw "home argument is required", }: -{ config, pkgs, ... }: +{ + config, + inputs, + system, + ... +}: let + selfPkgs = inputs.self.packages.${system}; hmConfig = config.home-manager.users.${user}; inherit (hmConfig.virtualisation.quadlet) networks volumes containers; in { - boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0; - networking.firewall.allowedTCPPorts = [ 80 443 @@ -30,8 +34,7 @@ in containers.traefik = { containerConfig = { - autoUpdate = "registry"; - image = "docker.io/library/traefik:latest"; + image = "docker-archive:${selfPkgs.docker-traefik}"; networks = [ networks.traefik.ref ]; volumes = [ "/run/user/${ diff --git a/hosts/jupiter/users/storm/configs/console/podman/whoami/default.nix b/hosts/jupiter/users/storm/configs/console/podman/whoami/default.nix index 8f40345..b622a15 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/whoami/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/whoami/default.nix @@ -2,8 +2,14 @@ user ? throw "user argument is required", home ? throw "home argument is required", }: -{ config, pkgs, ... }: +{ + config, + inputs, + system, + ... +}: let + selfPkgs = inputs.self.packages.${system}; hmConfig = config.home-manager.users.${user}; inherit (hmConfig.virtualisation.quadlet) networks; in @@ -12,8 +18,7 @@ in networks.whoami.networkConfig.internal = true; containers.whoami.containerConfig = { - autoUpdate = "registry"; - image = "docker.io/traefik/whoami:latest"; + image = "docker-archive:${selfPkgs.docker-whoami}"; networks = [ networks.whoami.ref networks.traefik.ref diff --git a/lib/runtime/default.nix b/lib/runtime/default.nix index c1ec3f4..8c9cbce 100644 --- a/lib/runtime/default.nix +++ b/lib/runtime/default.nix @@ -1,5 +1,4 @@ { pkgs, ... }: { - log = import ./log { inherit pkgs; }; merge = import ./merge { inherit pkgs; }; } 
diff --git a/lib/runtime/log/default.nix b/lib/runtime/log/default.nix deleted file mode 100644 index e2b386f..0000000 --- a/lib/runtime/log/default.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ pkgs, ... }: -{ - docker = import ./docker { inherit pkgs; }; -} diff --git a/lib/runtime/log/docker/default.nix b/lib/runtime/log/docker/default.nix deleted file mode 100644 index fe3dbc5..0000000 --- a/lib/runtime/log/docker/default.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ pkgs, ... }: -{ - postgres = import ./postgres { inherit pkgs; }; -} diff --git a/lib/runtime/log/docker/postgres/default.nix b/lib/runtime/log/docker/postgres/default.nix deleted file mode 100644 index 838f63b..0000000 --- a/lib/runtime/log/docker/postgres/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ pkgs, ... }: -pkgs.writeTextFile { - name = "log-wrapper-docker-postgres"; - text = builtins.readFile ./wrapper.sh; - executable = true; -} diff --git a/lib/runtime/log/docker/postgres/wrapper.sh b/lib/runtime/log/docker/postgres/wrapper.sh deleted file mode 100644 index 744976a..0000000 --- a/lib/runtime/log/docker/postgres/wrapper.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh - -set -o errexit -set -o nounset - -LOG_PIPE="$(mktemp -u)" -mkfifo "$LOG_PIPE" - -while IFS= read -r line; do - if echo "$line" | grep -qE "ERROR|FATAL|PANIC"; then - echo "$line" >&2 - else - echo "$line" >&1 - fi -done < "$LOG_PIPE" & - -exec /usr/local/bin/docker-entrypoint.sh "$@" >"$LOG_PIPE" 2>&1 diff --git a/packages/default.nix b/packages/default.nix index 322976e..05456eb 100644 --- a/packages/default.nix +++ b/packages/default.nix 
@@ -9,6 +9,15 @@ darktable-hald-clut = import ./darktable/hald-clut { inherit pkgs; }; darktable-lua-scripts = import ./darktable/lua-scripts { inherit pkgs; }; + docker-authelia = import ./docker/authelia { inherit pkgs; }; + docker-base = import ./docker/base { inherit pkgs; }; + docker-ntfy = import ./docker/ntfy { inherit pkgs; }; + docker-postgresql = import ./docker/postgresql { inherit pkgs; }; + docker-redis = import ./docker/redis { inherit pkgs; }; + docker-traefik = import ./docker/traefik { inherit pkgs; }; + docker-whoami = import ./docker/whoami { inherit pkgs; }; + docker-yq = import ./docker/yq { inherit pkgs; }; + go-mmproxy = import ./go-mmproxy { inherit pkgs; }; obsidian-plugin-better-word-count = import ./obsidian/plugins/better-word-count { inherit pkgs; }; diff --git a/packages/docker/authelia/default.nix b/packages/docker/authelia/default.nix new file mode 100644 index 0000000..180c214 --- /dev/null +++ b/packages/docker/authelia/default.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +pkgs.dockerTools.buildImage { + name = "authelia"; + fromImage = import ../base { inherit pkgs; }; + + copyToRoot = pkgs.buildEnv { + name = "root"; + paths = with pkgs; [ authelia ]; + pathsToLink = [ "/bin" ]; + }; + + config = { + Entrypoint = [ "/bin/authelia" ]; + ExposedPorts = { + "9091/tcp" = { }; + }; + }; +} diff --git a/packages/docker/base/default.nix b/packages/docker/base/default.nix new file mode 100644 index 0000000..63442de --- /dev/null +++ b/packages/docker/base/default.nix @@ -0,0 +1,21 @@ +{ pkgs, ... }: +pkgs.dockerTools.buildImage { + name = "base"; + + copyToRoot = pkgs.buildEnv { + name = "root"; + paths = with pkgs; [ + dockerTools.binSh + dockerTools.caCertificates + bashInteractive + coreutils + gnugrep + ]; + pathsToLink = [ + "/bin" + "/lib" + "/share" + "/etc" + ]; + }; +} diff --git a/packages/docker/ntfy/default.nix b/packages/docker/ntfy/default.nix new file mode 100644 index 0000000..baf4c3f --- /dev/null 
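Review bot: `base` links `bashInteractive`, `coreutils` and `gnugrep` into `/bin` of every derived image, yet of the images on this page only the postgresql one has an entrypoint that visibly needs a shell; `authelia`, `traefik`, `whoami`, `ntfy` and `yq` each exec a single binary. An interactive shell and userland inside a service image mainly benefit whoever gains code execution there, so a second, shell-less base holding just `dockerTools.caCertificates` (with `/etc` in `pathsToLink`) for the Go services, keeping the current `base` for postgresql, would shrink that surface at no functional cost I can see. A comment on `base` naming which consumers rely on the shell would also help; whether `/lib` and `/share` are needed in the link set is not visible here.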
+++ b/packages/docker/ntfy/default.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildImage {
+ name = "ntfy";
+ fromImage = import ../base { inherit pkgs; };
+
+ copyToRoot = pkgs.buildEnv {
+ name = "root";
+ paths = with pkgs; [ ntfy-sh ];
+ pathsToLink = [ "/bin" ];
+ };
+
+ config = {
+ Entrypoint = [ "/bin/ntfy" ];
+ Cmd = [ "serve" ];
+ ExposedPorts = {
+ "80/tcp" = { };
+ };
+ Volumes = {
+ "/var/lib/ntfy" = { };
+ };
+ };
+}
diff --git a/packages/docker/postgresql/allow-root.patch b/packages/docker/postgresql/allow-root.patch
new file mode 100644
index 0000000..a95e20f
--- /dev/null
+++ b/packages/docker/postgresql/allow-root.patch
@@ -0,0 +1,205 @@ +diff --git a/src/backend/main/main.c b/src/backend/main/main.c +index e8effe50242..2065061b5bb 100644 +--- a/src/backend/main/main.c ++++ b/src/backend/main/main.c +@@ -190,10 +190,6 @@ main(int argc, char *argv[]) + do_check_root = false; + } + +- /* +- * Make sure we are not running as root, unless it's safe for the selected +- * option. +- */ + if (do_check_root) + check_root(progname); + +@@ -445,41 +441,6 @@ help(const char *progname) + static void + check_root(const char *progname) + { +-#ifndef WIN32 +- if (geteuid() == 0) +- { +- write_stderr("\"root\" execution of the PostgreSQL server is not permitted.\n" +- "The server must be started under an unprivileged user ID to prevent\n" +- "possible system security compromise. See the documentation for\n" +- "more information on how to properly start the server.\n"); +- exit(1); +- } +- +- /* +- * Also make sure that real and effective uids are the same. Executing as +- * a setuid program from a root shell is a security hole, since on many +- * platforms a nefarious subroutine could setuid back to root if real uid +- * is root. (Since nobody actually uses postgres as a setuid program, +- * trying to actively fix this situation seems more trouble than it's +- * worth; we'll just expend the effort to check for it.) +- */ +- if (getuid() != geteuid()) +- { +- write_stderr("%s: real and effective user IDs must match\n", +- progname); +- exit(1); +- } +-#else /* WIN32 */ +- if (pgwin32_is_admin()) +- { +- write_stderr("Execution of PostgreSQL by a user with administrative permissions is not\n" +- "permitted.\n" +- "The server must be started under an unprivileged user ID to prevent\n" +- "possible system security compromises. 
See the documentation for\n" +- "more information on how to properly start the server.\n"); +- exit(1); +- } +-#endif /* WIN32 */ + } + + /* +diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c +index 21a0fe3ecd9..2aa44cc9ab8 100644 +--- a/src/bin/initdb/initdb.c ++++ b/src/bin/initdb/initdb.c +@@ -815,15 +815,6 @@ get_id(void) + { + const char *username; + +-#ifndef WIN32 +- if (geteuid() == 0) /* 0 is root's uid */ +- { +- pg_log_error("cannot be run as root"); +- pg_log_error_hint("Please log in (using, e.g., \"su\") as the (unprivileged) user that will own the server process."); +- exit(1); +- } +-#endif +- + username = get_user_name_or_exit(progname); + + return pg_strdup(username); +diff --git a/src/bin/pg_basebackup/pg_createsubscriber.c b/src/bin/pg_basebackup/pg_createsubscriber.c +index a5a2d61165d..a4021734895 100644 +--- a/src/bin/pg_basebackup/pg_createsubscriber.c ++++ b/src/bin/pg_basebackup/pg_createsubscriber.c +@@ -1977,20 +1977,6 @@ main(int argc, char **argv) + }; + opt.recovery_timeout = 0; + +- /* +- * Don't allow it to be run as root. It uses pg_ctl which does not allow +- * it either. 
+- */ +-#ifndef WIN32 +- if (geteuid() == 0) +- { +- pg_log_error("cannot be executed by \"root\""); +- pg_log_error_hint("You must run %s as the PostgreSQL superuser.", +- progname); +- exit(1); +- } +-#endif +- + get_restricted_token(); + + while ((c = getopt_long(argc, argv, "d:D:np:P:s:t:TU:v", +diff --git a/src/bin/pg_ctl/pg_ctl.c b/src/bin/pg_ctl/pg_ctl.c +index 8a405ff122c..84195a3b8c6 100644 +--- a/src/bin/pg_ctl/pg_ctl.c ++++ b/src/bin/pg_ctl/pg_ctl.c +@@ -2235,7 +2235,6 @@ main(int argc, char **argv) + /* Set restrictive mode mask until PGDATA permissions are checked */ + umask(PG_MODE_MASK_OWNER); + +- /* support --help and --version even if invoked as root */ + if (argc > 1) + { + if (strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0) +@@ -2250,21 +2249,6 @@ main(int argc, char **argv) + } + } + +- /* +- * Disallow running as root, to forestall any possible security holes. +- */ +-#ifndef WIN32 +- if (geteuid() == 0) +- { +- write_stderr(_("%s: cannot be run as root\n" +- "Please log in (using, e.g., \"su\") as the " +- "(unprivileged) user that will\n" +- "own the server process.\n"), +- progname); +- exit(1); +- } +-#endif +- + env_wait = getenv("PGCTLTIMEOUT"); + if (env_wait != NULL) + wait_seconds = atoi(env_wait); +diff --git a/src/bin/pg_resetwal/pg_resetwal.c b/src/bin/pg_resetwal/pg_resetwal.c +index 31bc0abff16..951de872d77 100644 +--- a/src/bin/pg_resetwal/pg_resetwal.c ++++ b/src/bin/pg_resetwal/pg_resetwal.c +@@ -347,22 +347,6 @@ main(int argc, char *argv[]) + exit(1); + } + +- /* +- * Don't allow pg_resetwal to be run as root, to avoid overwriting the +- * ownership of files in the data directory. We need only check for root +- * -- any other user won't have sufficient permissions to modify files in +- * the data directory. 
+- */ +-#ifndef WIN32 +- if (geteuid() == 0) +- { +- pg_log_error("cannot be executed by \"root\""); +- pg_log_error_hint("You must run %s as the PostgreSQL superuser.", +- progname); +- exit(1); +- } +-#endif +- + get_restricted_token(); + + /* Set mask based on PGDATA permissions */ +diff --git a/src/bin/pg_rewind/pg_rewind.c b/src/bin/pg_rewind/pg_rewind.c +index 2ce99d06d1d..33e0a61c360 100644 +--- a/src/bin/pg_rewind/pg_rewind.c ++++ b/src/bin/pg_rewind/pg_rewind.c +@@ -270,22 +270,6 @@ main(int argc, char **argv) + exit(1); + } + +- /* +- * Don't allow pg_rewind to be run as root, to avoid overwriting the +- * ownership of files in the data directory. We need only check for root +- * -- any other user won't have sufficient permissions to modify files in +- * the data directory. +- */ +-#ifndef WIN32 +- if (geteuid() == 0) +- { +- pg_log_error("cannot be executed by \"root\""); +- pg_log_error_hint("You must run %s as the PostgreSQL superuser.", +- progname); +- exit(1); +- } +-#endif +- + get_restricted_token(); + + /* Set mask based on PGDATA permissions */ +diff --git a/src/bin/pg_upgrade/option.c b/src/bin/pg_upgrade/option.c +index 188dd8d8a8b..cdd032be0fc 100644 +--- a/src/bin/pg_upgrade/option.c ++++ b/src/bin/pg_upgrade/option.c +@@ -104,10 +104,6 @@ parseCommandLine(int argc, char *argv[]) + } + } + +- /* Allow help and version to be run as root, so do the test here. */ +- if (os_user_effective_id == 0) +- pg_fatal("%s: cannot be run as root", os_info.progname); +- + while ((option = getopt_long(argc, argv, "b:B:cd:D:j:kNo:O:p:P:rs:U:v", + long_options, &optindex)) != -1) + { diff --git a/packages/docker/postgresql/default.nix b/packages/docker/postgresql/default.nix new file mode 100644 index 0000000..3f32ece --- /dev/null +++ b/packages/docker/postgresql/default.nix 
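Review bot: The patch removes not only the `geteuid() == 0` refusals but also the `getuid() != geteuid()` check in `check_root()`, which guards against postgres being run as a setuid binary and has nothing to do with container uid 0; that part should stay. More broadly, carrying a downstream patch against safety checks in seven upstream source files is the heaviest option available: the only visible motive is that the image sets no `User`, so the server starts as uid 0 inside the container (which, under the user-level quadlet setup elsewhere in this commit, presumably maps to the host user — confirm). Setting `config.User` in the image, or `User=` with `UserNS=keep-id` in the quadlet unit, would keep the upstream checks and still leave the bind-mounted data directory owned by the host user. If the patch is kept, free text above the first `diff` line such as `Allow running as container uid 0 under rootless podman; written against nixpkgs postgresql <VERSION-PLACEHOLDER>` would help the next nixpkgs bump, since every hunk pins line numbers in main.c, initdb.c, pg_ctl.c and friends.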
@@ -0,0 +1,48 @@
+{ pkgs, ... }:
+let
+ postgresql = pkgs.postgresql.overrideAttrs (oldAttrs: {
+ patches = oldAttrs.patches or [ ] ++ [ ./allow-root.patch ];
+ });
+
+ entrypoint = pkgs.writeTextFile {
+ name = "entrypoint";
+ executable = true;
+ destination = "/bin/entrypoint";
+ text = builtins.readFile ./entrypoint.sh;
+ };
+in
+pkgs.dockerTools.buildImage {
+ name = "postgresql";
+ fromImage = import ../base { inherit pkgs; };
+
+ copyToRoot = pkgs.buildEnv {
+ name = "root";
+ paths = [
+ entrypoint
+ postgresql
+ ];
+ pathsToLink = [
+ "/bin"
+ "/lib"
+ "/share"
+ ];
+ };
+
+ runAsRoot = ''
+ ${pkgs.dockerTools.shadowSetup}
+ mkdir -p /etc/postgresql /var/lib/postgresql /run/postgresql
+ cp ${postgresql}/share/postgresql/postgresql.conf.sample /etc/postgresql/postgresql.conf
+ ${pkgs.gnused}/bin/sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /etc/postgresql/postgresql.conf
+ '';
+
+ config = {
+ Entrypoint = [ "/bin/entrypoint" ];
+ WorkingDir = "/var/lib/postgresql";
+ ExposedPorts = {
+ "5432/tcp" = { };
+ };
+ Volumes = {
+ "/var/lib/postgresql/data" = { };
+ };
+ };
+}
diff --git a/packages/docker/postgresql/entrypoint.sh b/packages/docker/postgresql/entrypoint.sh
new file mode 100644
index 0000000..71cc344
--- /dev/null
+++ b/packages/docker/postgresql/entrypoint.sh
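Review bot: `pkgs.postgresql` is the unversioned nixpkgs default, so a flake bump can silently move this image to a new major: `allow-root.patch` (which pins line numbers in seven files) may stop applying, and a cluster in `/var/lib/postgresql/data` from the previous major will refuse to start until it is upgraded by hand. The previous image was `docker.io/library/postgres:latest`, so the existing cluster's major may not even match nixpkgs' default today; pinning a versioned attribute, e.g. `postgresql = pkgs.postgresql_16.overrideAttrs (...)` with whichever major created the data, makes that step deliberate. The `sed` in `runAsRoot` also bakes `listen_addresses = '*'` into the image, and the entrypoint appends a `host all all all` rule, so the server accepts any peer that can reach the container network; that is reasonable for an internal network but deserves a comment on the `runAsRoot` block, e.g. `# listens on all interfaces: reachable only through the container network the unit joins`.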
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -o errexit
+set -o nounset
+
+POSTGRES_USER="${POSTGRES_USER:-postgres}"
+POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-postgres}"
+POSTGRES_DB="${POSTGRES_DB:-$POSTGRES_USER}"
+export PGDATA="${PGDATA:-/var/lib/postgresql/data}"
+
+mkdir -p /tmp
+LOG_PIPE="$(mktemp -u)"
+mkfifo "$LOG_PIPE"
+
+(
+ while IFS= read -r line; do
+ if echo "$line" | grep -qE "ERROR|FATAL|PANIC"; then
+ echo "$line" >&2
+ else
+ echo "$line"
+ fi
+ done < "$LOG_PIPE"
+) &
+LOG_PID=$!
+
+if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD")
+
+ auth_method=$(postgres -c config_file="/etc/postgresql/postgresql.conf" -C password_encryption)
+ POSTGRES_HOST_AUTH_METHOD="${POSTGRES_HOST_AUTH_METHOD:=$auth_method}"
+ echo -e "\nhost all all all $POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf"
+
+ pg_ctl -w start
+
+ if ! psql --username="$POSTGRES_USER" -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = '$POSTGRES_DB'" | grep -q 1; then
+ psql --username="$POSTGRES_USER" -d postgres -c "CREATE DATABASE \"$POSTGRES_DB\";"
+ fi
+
+ pg_ctl -m fast -w stop
+fi
+
+trap "kill $LOG_PID" EXIT
+exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1
diff --git a/packages/docker/redis/default.nix b/packages/docker/redis/default.nix
new file mode 100644
index 0000000..f881d57
--- /dev/null
+++ b/packages/docker/redis/default.nix
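Review bot: `POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-postgres}"` turns a missing or misrendered env file into a cluster whose superuser password is `postgres`, and because the script then appends `host all all all $POSTGRES_HOST_AUTH_METHOD` to `pg_hba.conf` on top of the image's `listen_addresses = '*'`, that cluster is network-reachable from the moment it is initialised; the upstream image refuses to start without a password, and `: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"` would fail closed the same way here. The shebang is `#!/bin/sh` while `--pwfile=<(printf …)` and `echo -e` are bash features, so the script only works if `/bin/sh` in `base` is bash (`dockerTools.binSh` may provide that — confirm); `#!/bin/bash` is unambiguous and `bashInteractive` is already in the base image. Finally, `trap "kill $LOG_PID" EXIT` placed immediately before `exec` never fires, because `exec` replaces the shell, and the fifo from `mktemp -u` is never removed; either drop the trap or do the cleanup from the reader subshell once it sees EOF.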
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+let
+ redis = pkgs.redis.overrideAttrs (oldAttrs: {
+ patches = oldAttrs.patches or [ ] ++ [ ./disable-protected-mode.patch ];
+ doCheck = false;
+ });
+in
+pkgs.dockerTools.buildImage {
+ name = "redis";
+ fromImage = import ../base { inherit pkgs; };
+
+ copyToRoot = pkgs.buildEnv {
+ name = "root";
+ paths = [ redis ];
+ pathsToLink = [ "/bin" ];
+ };
+
+ config = {
+ Entrypoint = [ "/bin/redis-server" ];
+ WorkingDir = "/var/lib/redis";
+ ExposedPorts = {
+ "6379/tcp" = { };
+ };
+ Volumes = {
+ "/var/lib/redis" = { };
+ };
+ };
+}
diff --git a/packages/docker/redis/disable-protected-mode.patch b/packages/docker/redis/disable-protected-mode.patch
new file mode 100644
index 0000000..77eeca7
--- /dev/null
+++ b/packages/docker/redis/disable-protected-mode.patch
@@ -0,0 +1,13 @@
+diff --git a/src/config.c b/src/config.c
+index 9d287dd99..87cdd3b45 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -3065,7 +3065,7 @@ standardConfig static_configs[] = {
+ createBoolConfig("daemonize", NULL, IMMUTABLE_CONFIG, server.daemonize, 0, NULL, NULL),
+ createBoolConfig("io-threads-do-reads", NULL, DEBUG_CONFIG | IMMUTABLE_CONFIG, server.io_threads_do_reads, 0,NULL, NULL), /* Read + parse from threads? */
+ createBoolConfig("always-show-logo", NULL, IMMUTABLE_CONFIG, server.always_show_logo, 0, NULL, NULL),
+- createBoolConfig("protected-mode", NULL, MODIFIABLE_CONFIG, server.protected_mode, 1, NULL, NULL),
++ createBoolConfig("protected-mode", NULL, MODIFIABLE_CONFIG, server.protected_mode, 0, NULL, NULL),
+ createBoolConfig("rdbcompression", NULL, MODIFIABLE_CONFIG, server.rdb_compression, 1, NULL, NULL),
+ createBoolConfig("rdb-del-sync-files", NULL, MODIFIABLE_CONFIG, server.rdb_del_sync_files, 0, NULL, NULL),
+ createBoolConfig("activerehashing", NULL, MODIFIABLE_CONFIG, server.activerehashing, 1, NULL, NULL),
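Review bot: `disable-protected-mode.patch` flips the compiled-in default of `protected-mode` from 1 to 0, switching off the guard that refuses non-loopback clients when no `bind`/`requirepass` is configured, for every consumer of this image; the same result for this deployment is a runtime flag, `exec = [ "--save 60 1" "--protected-mode" "no" ]` in the quadlet (or a mounted `redis.conf`), with no patched build and no `doCheck = false`. Disabling the test suite for a one-line default change also hides whether the change breaks anything the tests cover; if the patch stays, a comment on `doCheck` naming the failing test and why it is acceptable would help. The redis container in `authelia/default.nix` is started without `--requirepass`, so with protected mode off the only barrier is membership of the `authelia` network; that may be intended, but a note on that quadlet saying so would make the assumption explicit.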
diff --git a/packages/docker/traefik/default.nix b/packages/docker/traefik/default.nix
new file mode 100644
index 0000000..e298423
--- /dev/null
+++ b/packages/docker/traefik/default.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildImage {
+ name = "traefik";
+ fromImage = import ../base { inherit pkgs; };
+
+ copyToRoot = pkgs.buildEnv {
+ name = "root";
+ paths = with pkgs; [ traefik ];
+ pathsToLink = [ "/bin" ];
+ };
+
+ config = {
+ Entrypoint = [ "/bin/traefik" ];
+ ExposedPorts = {
+ "80/tcp" = { };
+ };
+ };
+}
diff --git a/packages/docker/whoami/default.nix b/packages/docker/whoami/default.nix
new file mode 100644
index 0000000..994903a
--- /dev/null
+++ b/packages/docker/whoami/default.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+let
+ whoami = pkgs.whoami.overrideAttrs (oldAttrs: {
+ patches = oldAttrs.patches or [ ] ++ [ ./stdout-logs.patch ];
+ });
+in
+pkgs.dockerTools.buildImage {
+ name = "whoami";
+ fromImage = import ../base { inherit pkgs; };
+
+ copyToRoot = pkgs.buildEnv {
+ name = "root";
+ paths = [ whoami ];
+ pathsToLink = [ "/bin" ];
+ };
+
+ config = {
+ Entrypoint = [ "/bin/whoami" ];
+ ExposedPorts = {
+ "80/tcp" = { };
+ };
+ };
+}
diff --git a/packages/docker/whoami/stdout-logs.patch b/packages/docker/whoami/stdout-logs.patch
new file mode 100644
index 0000000..bf06746
--- /dev/null
+++ b/packages/docker/whoami/stdout-logs.patch
@@ -0,0 +1,13 @@
+diff --git a/app.go b/app.go
+index 0849b03..e9a0cf2 100644
+--- a/app.go
++++ b/app.go
+@@ -68,6 +68,8 @@ type Data struct {
+ }
+
+ func main() {
++ log.SetOutput(os.Stdout)
++
+ flag.Parse()
+
+ mux := http.NewServeMux()
diff --git a/packages/docker/yq/default.nix b/packages/docker/yq/default.nix
new file mode 100644
index 0000000..1bfaac0
--- /dev/null
+++ b/packages/docker/yq/default.nix
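Review bot: The traefik image declares only `"80/tcp"` in `ExposedPorts`, while the host module for it opens 80 and 443 in `networking.firewall.allowedTCPPorts`, so the image metadata understates what the container is expected to listen on; adding `"443/tcp" = { };` beside it keeps `podman inspect` and `-P` publishing consistent with the firewall. `ExposedPorts` is documentation rather than enforcement, so this is a consistency point, not a security one.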
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildImage {
+ name = "yq";
+ fromImage = import ../base { inherit pkgs; };
+
+ copyToRoot = pkgs.buildEnv {
+ name = "root";
+ paths = with pkgs; [ yq-go ];
+ pathsToLink = [ "/bin" ];
+ };
+
+ config = {
+ Entrypoint = [ "/bin/yq" ];
+ };
+}