karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Nuke docker.io

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-03-11 21:04:37 +00:00
parent bdaac67bf2
commit 10e0980f8f
23 changed files with 521 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
View File

@@ -11,7 +11,7 @@
... ...
}: }:
let let
selfLib = inputs.self.lib.${system}; selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes containers networks; inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
in in
@@ -55,8 +55,7 @@ in
containers = { containers = {
"authelia-init" = { "authelia-init" = {
containerConfig = { containerConfig = {
autoUpdate = "registry"; image = "docker-archive:${selfPkgs.docker-yq}";
image = "docker.io/mikefarah/yq:latest";
networks = [ networks.authelia.ref ]; networks = [ networks.authelia.ref ];
volumes = [ volumes = [
"${home}/.local/share/authelia/config:/workdir/config" "${home}/.local/share/authelia/config:/workdir/config"
@@ -69,8 +68,6 @@ in
"/workdir/users.yaml" "/workdir/users.yaml"
"-i" "-i"
]; ];
user = "0";
group = "0";
}; };
serviceConfig = { serviceConfig = {
@@ -91,7 +88,7 @@ in
authentication_backend = { authentication_backend = {
refresh_interval = "always"; refresh_interval = "always";
file = { file = {
path = "/config/users.yaml"; path = "/etc/authelia/users.yaml";
watch = true; watch = true;
}; };
}; };
@@ -127,8 +124,7 @@ in
}; };
in in
{ {
autoUpdate = "registry"; image = "docker-archive:${selfPkgs.docker-authelia}";
image = "ghcr.io/authelia/authelia";
environments = { environments = {
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET"; AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET";
AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET"; AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET";
@@ -137,8 +133,8 @@ in
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD"; AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD";
}; };
volumes = [ volumes = [
"${home}/.local/share/authelia/config:/config" "${home}/.local/share/authelia/config:/etc/authelia"
"${config}:/config/conf.d/configuration.yaml:ro" "${config}:/etc/authelia/conf.d/configuration.yaml:ro"
"${hmConfig.sops.secrets."authelia/jwt".path}:/secrets/JWT_SECRET:ro" "${hmConfig.sops.secrets."authelia/jwt".path}:/secrets/JWT_SECRET:ro"
"${hmConfig.sops.secrets."authelia/session".path}:/secrets/SESSION_SECRET:ro" "${hmConfig.sops.secrets."authelia/session".path}:/secrets/SESSION_SECRET:ro"
"${hmConfig.sops.secrets."authelia/storage".path}:/secrets/STORAGE_ENCRYPTION_KEY:ro" "${hmConfig.sops.secrets."authelia/storage".path}:/secrets/STORAGE_ENCRYPTION_KEY:ro"
@@ -149,7 +145,7 @@ in
networks.authelia.ref networks.authelia.ref
networks.traefik.ref networks.traefik.ref
]; ];
exec = [ "--config /config/conf.d/" ]; exec = [ "--config /etc/authelia/conf.d/" ];
labels = [ labels = [
"traefik.enable=true" "traefik.enable=true"
"traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)" "traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)"
@@ -171,39 +167,32 @@ in
"authelia-postgresql" = { "authelia-postgresql" = {
containerConfig = { containerConfig = {
autoUpdate = "registry"; image = "docker-archive:${selfPkgs.docker-postgresql}";
image = "docker.io/library/postgres:latest";
networks = [ networks.authelia.ref ]; networks = [ networks.authelia.ref ];
volumes = [ volumes = [ "${home}/.local/share/authelia/postgresql:/var/lib/postgresql/data" ];
"${selfLib.runtime.log.docker.postgres}:/entrypoint.sh:ro"
"${home}/.local/share/authelia/postgresql:/var/lib/postgresql/data"
];
environments = { environments = {
POSTGRES_DB = "authelia"; POSTGRES_DB = "authelia";
POSTGRES_USER = "authelia"; POSTGRES_USER = "authelia";
}; };
environmentFiles = [ hmConfig.sops.templates."authelia-postgresql.env".path ]; environmentFiles = [ hmConfig.sops.templates."authelia-postgresql.env".path ];
entrypoint = "/entrypoint.sh";
exec = [ "postgres" ];
}; };
unitConfig.After = [ "sops-nix.service" ]; unitConfig.After = [ "sops-nix.service" ];
}; };
"authelia-redis".containerConfig = { "authelia-redis".containerConfig = {
autoUpdate = "registry"; image = "docker-archive:${selfPkgs.docker-redis}";
image = "docker.io/library/redis:latest";
networks = [ networks.authelia.ref ]; networks = [ networks.authelia.ref ];
volumes = [ "${volumes."authelia-redis".ref}:/data" ]; volumes = [ "${volumes."authelia-redis".ref}:/var/lib/redis" ];
exec = [ "--save 60 1" ]; exec = [ "--save 60 1" ];
}; };
}; };
}; };
systemd.user.tmpfiles.rules = [ systemd.user.tmpfiles.rules = [
"d ${home}/.local/share/authelia/config :0755 :${user} :${user}" "d ${home}/.local/share/authelia/config 0755 ${user} ${user}"
"f ${home}/.local/share/authelia/config/users.yaml :0644 :${user} :${user}" "f ${home}/.local/share/authelia/config/users.yaml 0600 ${user} ${user}"
"d ${home}/.local/share/authelia/postgresql :0755 :${user} :${user}" "d ${home}/.local/share/authelia/postgresql 0700 ${user} ${user}"
]; ];
}; };
} }

5
hosts/jupiter/users/storm/configs/console/podman/default.nix
View File

@@ -14,6 +14,11 @@ in
(import ./whoami { inherit user home; }) (import ./whoami { inherit user home; })
]; ];
boot.kernel.sysctl = {
"net.ipv4.ip_unprivileged_port_start" = 0;
"vm.overcommit_memory" = 1;
};
home-manager.users.${user} = { home-manager.users.${user} = {
virtualisation.quadlet = { virtualisation.quadlet = {
autoUpdate.enable = true; autoUpdate.enable = true;

13
hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
View File

@@ -2,8 +2,15 @@
user ? throw "user argument is required", user ? throw "user argument is required",
home ? throw "home argument is required", home ? throw "home argument is required",
}: }:
{ config, pkgs, ... }: {
config,
inputs,
pkgs,
system,
...
}:
let let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes networks; inherit (hmConfig.virtualisation.quadlet) volumes networks;
in in
@@ -75,6 +82,7 @@ in
content = '' content = ''
#!/bin/sh #!/bin/sh
mkdir -p /tmp
PIPE=$(mktemp -u) PIPE=$(mktemp -u)
mkfifo "$PIPE" mkfifo "$PIPE"
trap 'rm -f "$PIPE"' EXIT trap 'rm -f "$PIPE"' EXIT
@@ -108,8 +116,7 @@ in
containers.ntfy = { containers.ntfy = {
containerConfig = { containerConfig = {
autoUpdate = "registry"; image = "docker-archive:${selfPkgs.docker-ntfy}";
image = "docker.io/binwiederhier/ntfy:latest";
networks = [ networks = [
networks.ntfy.ref networks.ntfy.ref
networks.traefik.ref networks.traefik.ref

13
hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
View File

@@ -2,14 +2,18 @@
user ? throw "user argument is required", user ? throw "user argument is required",
home ? throw "home argument is required", home ? throw "home argument is required",
}: }:
{ config, pkgs, ... }: {
config,
inputs,
system,
...
}:
let let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) networks volumes containers; inherit (hmConfig.virtualisation.quadlet) networks volumes containers;
in in
{ {
boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
443 443
@@ -30,8 +34,7 @@ in
containers.traefik = { containers.traefik = {
containerConfig = { containerConfig = {
autoUpdate = "registry"; image = "docker-archive:${selfPkgs.docker-traefik}";
image = "docker.io/library/traefik:latest";
networks = [ networks.traefik.ref ]; networks = [ networks.traefik.ref ];
volumes = [ volumes = [
"/run/user/${ "/run/user/${

11
hosts/jupiter/users/storm/configs/console/podman/whoami/default.nix
View File

@@ -2,8 +2,14 @@
user ? throw "user argument is required", user ? throw "user argument is required",
home ? throw "home argument is required", home ? throw "home argument is required",
}: }:
{ config, pkgs, ... }: {
config,
inputs,
system,
...
}:
let let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user}; hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) networks; inherit (hmConfig.virtualisation.quadlet) networks;
in in
@@ -12,8 +18,7 @@ in
networks.whoami.networkConfig.internal = true; networks.whoami.networkConfig.internal = true;
containers.whoami.containerConfig = { containers.whoami.containerConfig = {
autoUpdate = "registry"; image = "docker-archive:${selfPkgs.docker-whoami}";
image = "docker.io/traefik/whoami:latest";
networks = [ networks = [
networks.whoami.ref networks.whoami.ref
networks.traefik.ref networks.traefik.ref

1
lib/runtime/default.nix
View File

@@ -1,5 +1,4 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
log = import ./log { inherit pkgs; };
merge = import ./merge { inherit pkgs; }; merge = import ./merge { inherit pkgs; };
} }

4
lib/runtime/log/default.nix
View File

@@ -1,4 +0,0 @@
{ pkgs, ... }:
{
docker = import ./docker { inherit pkgs; };
}

4
lib/runtime/log/docker/default.nix
View File

@@ -1,4 +0,0 @@
{ pkgs, ... }:
{
postgres = import ./postgres { inherit pkgs; };
}

6
lib/runtime/log/docker/postgres/default.nix
View File

@@ -1,6 +0,0 @@
{ pkgs, ... }:
pkgs.writeTextFile {
name = "log-wrapper-docker-postgres";
text = builtins.readFile ./wrapper.sh;
executable = true;
}

17
lib/runtime/log/docker/postgres/wrapper.sh
View File

@@ -1,17 +0,0 @@
#!/bin/sh
set -o errexit
set -o nounset
LOG_PIPE="$(mktemp -u)"
mkfifo "$LOG_PIPE"
while IFS= read -r line; do
if echo "$line" | grep -qE "ERROR|FATAL|PANIC"; then
echo "$line" >&2
else
echo "$line" >&1
fi
done < "$LOG_PIPE" &
exec /usr/local/bin/docker-entrypoint.sh "$@" >"$LOG_PIPE" 2>&1

9
packages/default.nix
View File

@@ -9,6 +9,15 @@
darktable-hald-clut = import ./darktable/hald-clut { inherit pkgs; }; darktable-hald-clut = import ./darktable/hald-clut { inherit pkgs; };
darktable-lua-scripts = import ./darktable/lua-scripts { inherit pkgs; }; darktable-lua-scripts = import ./darktable/lua-scripts { inherit pkgs; };
docker-authelia = import ./docker/authelia { inherit pkgs; };
docker-base = import ./docker/base { inherit pkgs; };
docker-ntfy = import ./docker/ntfy { inherit pkgs; };
docker-postgresql = import ./docker/postgresql { inherit pkgs; };
docker-redis = import ./docker/redis { inherit pkgs; };
docker-traefik = import ./docker/traefik { inherit pkgs; };
docker-whoami = import ./docker/whoami { inherit pkgs; };
docker-yq = import ./docker/yq { inherit pkgs; };
go-mmproxy = import ./go-mmproxy { inherit pkgs; }; go-mmproxy = import ./go-mmproxy { inherit pkgs; };
obsidian-plugin-better-word-count = import ./obsidian/plugins/better-word-count { inherit pkgs; }; obsidian-plugin-better-word-count = import ./obsidian/plugins/better-word-count { inherit pkgs; };

18
packages/docker/authelia/default.nix Normal file
View File

@@ -0,0 +1,18 @@
{ pkgs, ... }:
pkgs.dockerTools.buildImage {
name = "authelia";
fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv {
name = "root";
paths = with pkgs; [ authelia ];
pathsToLink = [ "/bin" ];
};
config = {
Entrypoint = [ "/bin/authelia" ];
ExposedPorts = {
"9091/tcp" = { };
};
};
}

21
packages/docker/base/default.nix Normal file
View File

@@ -0,0 +1,21 @@
{ pkgs, ... }:
pkgs.dockerTools.buildImage {
name = "base";
copyToRoot = pkgs.buildEnv {
name = "root";
paths = with pkgs; [
dockerTools.binSh
dockerTools.caCertificates
bashInteractive
coreutils
gnugrep
];
pathsToLink = [
"/bin"
"/lib"
"/share"
"/etc"
];
};
}

22
packages/docker/ntfy/default.nix Normal file
View File

@@ -0,0 +1,22 @@
{ pkgs, ... }:
pkgs.dockerTools.buildImage {
name = "ntfy";
fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv {
name = "root";
paths = with pkgs; [ ntfy-sh ];
pathsToLink = [ "/bin" ];
};
config = {
Entrypoint = [ "/bin/ntfy" ];
Cmd = [ "serve" ];
ExposedPorts = {
"80/tcp" = { };
};
Volumes = {
"/var/lib/ntfy" = { };
};
};
}

205
packages/docker/postgresql/allow-root.patch Normal file
View File

@@ -0,0 +1,205 @@
diff --git a/src/backend/main/main.c b/src/backend/main/main.c
index e8effe50242..2065061b5bb 100644
--- a/src/backend/main/main.c
+++ b/src/backend/main/main.c
@@ -190,10 +190,6 @@ main(int argc, char *argv[])
do_check_root = false;
}
- /*
- * Make sure we are not running as root, unless it's safe for the selected
- * option.
- */
if (do_check_root)
check_root(progname);
@@ -445,41 +441,6 @@ help(const char *progname)
static void
check_root(const char *progname)
{
-#ifndef WIN32
- if (geteuid() == 0)
- {
- write_stderr("\"root\" execution of the PostgreSQL server is not permitted.\n"
- "The server must be started under an unprivileged user ID to prevent\n"
- "possible system security compromise. See the documentation for\n"
- "more information on how to properly start the server.\n");
- exit(1);
- }
-
- /*
- * Also make sure that real and effective uids are the same. Executing as
- * a setuid program from a root shell is a security hole, since on many
- * platforms a nefarious subroutine could setuid back to root if real uid
- * is root. (Since nobody actually uses postgres as a setuid program,
- * trying to actively fix this situation seems more trouble than it's
- * worth; we'll just expend the effort to check for it.)
- */
- if (getuid() != geteuid())
- {
- write_stderr("%s: real and effective user IDs must match\n",
- progname);
- exit(1);
- }
-#else /* WIN32 */
- if (pgwin32_is_admin())
- {
- write_stderr("Execution of PostgreSQL by a user with administrative permissions is not\n"
- "permitted.\n"
- "The server must be started under an unprivileged user ID to prevent\n"
- "possible system security compromises. See the documentation for\n"
- "more information on how to properly start the server.\n");
- exit(1);
- }
-#endif /* WIN32 */
}
/*
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 21a0fe3ecd9..2aa44cc9ab8 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -815,15 +815,6 @@ get_id(void)
{
const char *username;
-#ifndef WIN32
- if (geteuid() == 0) /* 0 is root's uid */
- {
- pg_log_error("cannot be run as root");
- pg_log_error_hint("Please log in (using, e.g., \"su\") as the (unprivileged) user that will own the server process.");
- exit(1);
- }
-#endif
-
username = get_user_name_or_exit(progname);
return pg_strdup(username);
diff --git a/src/bin/pg_basebackup/pg_createsubscriber.c b/src/bin/pg_basebackup/pg_createsubscriber.c
index a5a2d61165d..a4021734895 100644
--- a/src/bin/pg_basebackup/pg_createsubscriber.c
+++ b/src/bin/pg_basebackup/pg_createsubscriber.c
@@ -1977,20 +1977,6 @@ main(int argc, char **argv)
};
opt.recovery_timeout = 0;
- /*
- * Don't allow it to be run as root. It uses pg_ctl which does not allow
- * it either.
- */
-#ifndef WIN32
- if (geteuid() == 0)
- {
- pg_log_error("cannot be executed by \"root\"");
- pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
- progname);
- exit(1);
- }
-#endif
-
get_restricted_token();
while ((c = getopt_long(argc, argv, "d:D:np:P:s:t:TU:v",
diff --git a/src/bin/pg_ctl/pg_ctl.c b/src/bin/pg_ctl/pg_ctl.c
index 8a405ff122c..84195a3b8c6 100644
--- a/src/bin/pg_ctl/pg_ctl.c
+++ b/src/bin/pg_ctl/pg_ctl.c
@@ -2235,7 +2235,6 @@ main(int argc, char **argv)
/* Set restrictive mode mask until PGDATA permissions are checked */
umask(PG_MODE_MASK_OWNER);
- /* support --help and --version even if invoked as root */
if (argc > 1)
{
if (strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0)
@@ -2250,21 +2249,6 @@ main(int argc, char **argv)
}
}
- /*
- * Disallow running as root, to forestall any possible security holes.
- */
-#ifndef WIN32
- if (geteuid() == 0)
- {
- write_stderr(_("%s: cannot be run as root\n"
- "Please log in (using, e.g., \"su\") as the "
- "(unprivileged) user that will\n"
- "own the server process.\n"),
- progname);
- exit(1);
- }
-#endif
-
env_wait = getenv("PGCTLTIMEOUT");
if (env_wait != NULL)
wait_seconds = atoi(env_wait);
diff --git a/src/bin/pg_resetwal/pg_resetwal.c b/src/bin/pg_resetwal/pg_resetwal.c
index 31bc0abff16..951de872d77 100644
--- a/src/bin/pg_resetwal/pg_resetwal.c
+++ b/src/bin/pg_resetwal/pg_resetwal.c
@@ -347,22 +347,6 @@ main(int argc, char *argv[])
exit(1);
}
- /*
- * Don't allow pg_resetwal to be run as root, to avoid overwriting the
- * ownership of files in the data directory. We need only check for root
- * -- any other user won't have sufficient permissions to modify files in
- * the data directory.
- */
-#ifndef WIN32
- if (geteuid() == 0)
- {
- pg_log_error("cannot be executed by \"root\"");
- pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
- progname);
- exit(1);
- }
-#endif
-
get_restricted_token();
/* Set mask based on PGDATA permissions */
diff --git a/src/bin/pg_rewind/pg_rewind.c b/src/bin/pg_rewind/pg_rewind.c
index 2ce99d06d1d..33e0a61c360 100644
--- a/src/bin/pg_rewind/pg_rewind.c
+++ b/src/bin/pg_rewind/pg_rewind.c
@@ -270,22 +270,6 @@ main(int argc, char **argv)
exit(1);
}
- /*
- * Don't allow pg_rewind to be run as root, to avoid overwriting the
- * ownership of files in the data directory. We need only check for root
- * -- any other user won't have sufficient permissions to modify files in
- * the data directory.
- */
-#ifndef WIN32
- if (geteuid() == 0)
- {
- pg_log_error("cannot be executed by \"root\"");
- pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
- progname);
- exit(1);
- }
-#endif
-
get_restricted_token();
/* Set mask based on PGDATA permissions */
diff --git a/src/bin/pg_upgrade/option.c b/src/bin/pg_upgrade/option.c
index 188dd8d8a8b..cdd032be0fc 100644
--- a/src/bin/pg_upgrade/option.c
+++ b/src/bin/pg_upgrade/option.c
@@ -104,10 +104,6 @@ parseCommandLine(int argc, char *argv[])
}
}
- /* Allow help and version to be run as root, so do the test here. */
- if (os_user_effective_id == 0)
- pg_fatal("%s: cannot be run as root", os_info.progname);
-
while ((option = getopt_long(argc, argv, "b:B:cd:D:j:kNo:O:p:P:rs:U:v",
long_options, &optindex)) != -1)
{

48
packages/docker/postgresql/default.nix Normal file
View File

@@ -0,0 +1,48 @@
{ pkgs, ... }:
let
postgresql = pkgs.postgresql.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ./allow-root.patch ];
});
entrypoint = pkgs.writeTextFile {
name = "entrypoint";
executable = true;
destination = "/bin/entrypoint";
text = builtins.readFile ./entrypoint.sh;
};
in
pkgs.dockerTools.buildImage {
name = "postgresql";
fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv {
name = "root";
paths = [
entrypoint
postgresql
];
pathsToLink = [
"/bin"
"/lib"
"/share"
];
};
runAsRoot = ''
${pkgs.dockerTools.shadowSetup}
mkdir -p /etc/postgresql /var/lib/postgresql /run/postgresql
cp ${postgresql}/share/postgresql/postgresql.conf.sample /etc/postgresql/postgresql.conf
${pkgs.gnused}/bin/sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /etc/postgresql/postgresql.conf
'';
config = {
Entrypoint = [ "/bin/entrypoint" ];
WorkingDir = "/var/lib/postgresql";
ExposedPorts = {
"5432/tcp" = { };
};
Volumes = {
"/var/lib/postgresql/data" = { };
};
};
}

43
packages/docker/postgresql/entrypoint.sh Normal file
View File

@@ -0,0 +1,43 @@
#!/bin/sh
set -o errexit
set -o nounset
POSTGRES_USER="${POSTGRES_USER:-postgres}"
POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-postgres}"
POSTGRES_DB="${POSTGRES_DB:-$POSTGRES_USER}"
export PGDATA="${PGDATA:-/var/lib/postgresql/data}"
mkdir -p /tmp
LOG_PIPE="$(mktemp -u)"
mkfifo "$LOG_PIPE"
(
while IFS= read -r line; do
if echo "$line" | grep -qE "ERROR|FATAL|PANIC"; then
echo "$line" >&2
else
echo "$line"
fi
done < "$LOG_PIPE"
) &
LOG_PID=$!
if [ ! -s "$PGDATA/PG_VERSION" ]; then
initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD")
auth_method=$(postgres -c config_file="/etc/postgresql/postgresql.conf" -C password_encryption)
POSTGRES_HOST_AUTH_METHOD="${POSTGRES_HOST_AUTH_METHOD:=$auth_method}"
echo -e "\nhost all all all $POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf"
pg_ctl -w start
if ! psql --username="$POSTGRES_USER" -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = '$POSTGRES_DB'" | grep -q 1; then
psql --username="$POSTGRES_USER" -d postgres -c "CREATE DATABASE \"$POSTGRES_DB\";"
fi
pg_ctl -m fast -w stop
fi
trap "kill $LOG_PID" EXIT
exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1

28
packages/docker/redis/default.nix Normal file
View File

@@ -0,0 +1,28 @@
{ pkgs, ... }:
let
redis = pkgs.redis.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ./disable-protected-mode.patch ];
doCheck = false;
});
in
pkgs.dockerTools.buildImage {
name = "redis";
fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv {
name = "root";
paths = [ redis ];
pathsToLink = [ "/bin" ];
};
config = {
Entrypoint = [ "/bin/redis-server" ];
WorkingDir = "/var/lib/redis";
ExposedPorts = {
"6379/tcp" = { };
};
Volumes = {
"/var/lib/redis" = { };
};
};
}

13
packages/docker/redis/disable-protected-mode.patch Normal file
View File

@@ -0,0 +1,13 @@
diff --git a/src/config.c b/src/config.c
index 9d287dd99..87cdd3b45 100644
--- a/src/config.c
+++ b/src/config.c
@@ -3065,7 +3065,7 @@ standardConfig static_configs[] = {
createBoolConfig("daemonize", NULL, IMMUTABLE_CONFIG, server.daemonize, 0, NULL, NULL),
createBoolConfig("io-threads-do-reads", NULL, DEBUG_CONFIG | IMMUTABLE_CONFIG, server.io_threads_do_reads, 0,NULL, NULL), /* Read + parse from threads? */
createBoolConfig("always-show-logo", NULL, IMMUTABLE_CONFIG, server.always_show_logo, 0, NULL, NULL),
- createBoolConfig("protected-mode", NULL, MODIFIABLE_CONFIG, server.protected_mode, 1, NULL, NULL),
+ createBoolConfig("protected-mode", NULL, MODIFIABLE_CONFIG, server.protected_mode, 0, NULL, NULL),
createBoolConfig("rdbcompression", NULL, MODIFIABLE_CONFIG, server.rdb_compression, 1, NULL, NULL),
createBoolConfig("rdb-del-sync-files", NULL, MODIFIABLE_CONFIG, server.rdb_del_sync_files, 0, NULL, NULL),
createBoolConfig("activerehashing", NULL, MODIFIABLE_CONFIG, server.activerehashing, 1, NULL, NULL),

18
packages/docker/traefik/default.nix Normal file
View File

@@ -0,0 +1,18 @@
{ pkgs, ... }:
pkgs.dockerTools.buildImage {
name = "traefik";
fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv {
name = "root";
paths = with pkgs; [ traefik ];
pathsToLink = [ "/bin" ];
};
config = {
Entrypoint = [ "/bin/traefik" ];
ExposedPorts = {
"80/tcp" = { };
};
};
}

23
packages/docker/whoami/default.nix Normal file
View File

@@ -0,0 +1,23 @@
{ pkgs, ... }:
let
whoami = pkgs.whoami.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches or [ ] ++ [ ./stdout-logs.patch ];
});
in
pkgs.dockerTools.buildImage {
name = "whoami";
fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv {
name = "root";
paths = [ whoami ];
pathsToLink = [ "/bin" ];
};
config = {
Entrypoint = [ "/bin/whoami" ];
ExposedPorts = {
"80/tcp" = { };
};
};
}

13
packages/docker/whoami/stdout-logs.patch Normal file
View File

@@ -0,0 +1,13 @@
diff --git a/app.go b/app.go
index 0849b03..e9a0cf2 100644
--- a/app.go
+++ b/app.go
@@ -68,6 +68,8 @@ type Data struct {
}
func main() {
+ log.SetOutput(os.Stdout)
+
flag.Parse()
mux := http.NewServeMux()

15
packages/docker/yq/default.nix Normal file
View File

@@ -0,0 +1,15 @@
{ pkgs, ... }:
pkgs.dockerTools.buildImage {
name = "yq";
fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv {
name = "root";
paths = with pkgs; [ yq-go ];
pathsToLink = [ "/bin" ];
};
config = {
Entrypoint = [ "/bin/yq" ];
};
}