Nuke docker.io
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
		| @@ -11,7 +11,7 @@ | ||||
|   ... | ||||
| }: | ||||
| let | ||||
|   selfLib = inputs.self.lib.${system}; | ||||
|   selfPkgs = inputs.self.packages.${system}; | ||||
|   hmConfig = config.home-manager.users.${user}; | ||||
|   inherit (hmConfig.virtualisation.quadlet) volumes containers networks; | ||||
| in | ||||
| @@ -55,8 +55,7 @@ in | ||||
|       containers = { | ||||
|         "authelia-init" = { | ||||
|           containerConfig = { | ||||
|             autoUpdate = "registry"; | ||||
|             image = "docker.io/mikefarah/yq:latest"; | ||||
|             image = "docker-archive:${selfPkgs.docker-yq}"; | ||||
|             networks = [ networks.authelia.ref ]; | ||||
|             volumes = [ | ||||
|               "${home}/.local/share/authelia/config:/workdir/config" | ||||
| @@ -69,8 +68,6 @@ in | ||||
|               "/workdir/users.yaml" | ||||
|               "-i" | ||||
|             ]; | ||||
|             user = "0"; | ||||
|             group = "0"; | ||||
|           }; | ||||
|  | ||||
|           serviceConfig = { | ||||
| @@ -91,7 +88,7 @@ in | ||||
|                 authentication_backend = { | ||||
|                   refresh_interval = "always"; | ||||
|                   file = { | ||||
|                     path = "/config/users.yaml"; | ||||
|                     path = "/etc/authelia/users.yaml"; | ||||
|                     watch = true; | ||||
|                   }; | ||||
|                 }; | ||||
| @@ -127,8 +124,7 @@ in | ||||
|               }; | ||||
|             in | ||||
|             { | ||||
|               autoUpdate = "registry"; | ||||
|               image = "ghcr.io/authelia/authelia"; | ||||
|               image = "docker-archive:${selfPkgs.docker-authelia}"; | ||||
|               environments = { | ||||
|                 AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET"; | ||||
|                 AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET"; | ||||
| @@ -137,8 +133,8 @@ in | ||||
|                 AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD"; | ||||
|               }; | ||||
|               volumes = [ | ||||
|                 "${home}/.local/share/authelia/config:/config" | ||||
|                 "${config}:/config/conf.d/configuration.yaml:ro" | ||||
|                 "${home}/.local/share/authelia/config:/etc/authelia" | ||||
|                 "${config}:/etc/authelia/conf.d/configuration.yaml:ro" | ||||
|                 "${hmConfig.sops.secrets."authelia/jwt".path}:/secrets/JWT_SECRET:ro" | ||||
|                 "${hmConfig.sops.secrets."authelia/session".path}:/secrets/SESSION_SECRET:ro" | ||||
|                 "${hmConfig.sops.secrets."authelia/storage".path}:/secrets/STORAGE_ENCRYPTION_KEY:ro" | ||||
| @@ -149,7 +145,7 @@ in | ||||
|                 networks.authelia.ref | ||||
|                 networks.traefik.ref | ||||
|               ]; | ||||
|               exec = [ "--config /config/conf.d/" ]; | ||||
|               exec = [ "--config /etc/authelia/conf.d/" ]; | ||||
|               labels = [ | ||||
|                 "traefik.enable=true" | ||||
|                 "traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)" | ||||
| @@ -171,39 +167,32 @@ in | ||||
|  | ||||
|         "authelia-postgresql" = { | ||||
|           containerConfig = { | ||||
|             autoUpdate = "registry"; | ||||
|             image = "docker.io/library/postgres:latest"; | ||||
|             image = "docker-archive:${selfPkgs.docker-postgresql}"; | ||||
|             networks = [ networks.authelia.ref ]; | ||||
|             volumes = [ | ||||
|               "${selfLib.runtime.log.docker.postgres}:/entrypoint.sh:ro" | ||||
|               "${home}/.local/share/authelia/postgresql:/var/lib/postgresql/data" | ||||
|             ]; | ||||
|             volumes = [ "${home}/.local/share/authelia/postgresql:/var/lib/postgresql/data" ]; | ||||
|             environments = { | ||||
|               POSTGRES_DB = "authelia"; | ||||
|               POSTGRES_USER = "authelia"; | ||||
|             }; | ||||
|             environmentFiles = [ hmConfig.sops.templates."authelia-postgresql.env".path ]; | ||||
|             entrypoint = "/entrypoint.sh"; | ||||
|             exec = [ "postgres" ]; | ||||
|           }; | ||||
|  | ||||
|           unitConfig.After = [ "sops-nix.service" ]; | ||||
|         }; | ||||
|  | ||||
|         "authelia-redis".containerConfig = { | ||||
|           autoUpdate = "registry"; | ||||
|           image = "docker.io/library/redis:latest"; | ||||
|           image = "docker-archive:${selfPkgs.docker-redis}"; | ||||
|           networks = [ networks.authelia.ref ]; | ||||
|           volumes = [ "${volumes."authelia-redis".ref}:/data" ]; | ||||
|           volumes = [ "${volumes."authelia-redis".ref}:/var/lib/redis" ]; | ||||
|           exec = [ "--save 60 1" ]; | ||||
|         }; | ||||
|       }; | ||||
|     }; | ||||
|  | ||||
|     systemd.user.tmpfiles.rules = [ | ||||
|       "d ${home}/.local/share/authelia/config :0755 :${user} :${user}" | ||||
|       "f ${home}/.local/share/authelia/config/users.yaml :0644 :${user} :${user}" | ||||
|       "d ${home}/.local/share/authelia/postgresql :0755 :${user} :${user}" | ||||
|       "d ${home}/.local/share/authelia/config 0755 ${user} ${user}" | ||||
|       "f ${home}/.local/share/authelia/config/users.yaml 0600 ${user} ${user}" | ||||
|       "d ${home}/.local/share/authelia/postgresql 0700 ${user} ${user}" | ||||
|     ]; | ||||
|   }; | ||||
| } | ||||
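Review bot: Every container in this section drops `autoUpdate = "registry"` together with its `docker.io`/`ghcr.io` image, so yq, authelia, postgres and redis now change only when the flake's nixpkgs input is bumped and the host is rebuilt; the `autoUpdate.enable = true` in the parent quadlet block becomes a no-op for them. Pinning images to nixpkgs instead of a mutable `:latest` tag is a sound supply-chain trade, but the operational consequence — security fixes for these services now arrive solely through nixpkgs updates — is not recorded anywhere. Suggest a comment next to the first `image = "docker-archive:${selfPkgs.docker-yq}";` line such as `# Images are built from nixpkgs (packages/docker); updates come from flake input bumps, not the registry`. The tmpfiles change (users.yaml 0644 → 0600, postgresql dir 0755 → 0700) is a good tightening. The same point applies to the ntfy, traefik and whoami sections below.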
|   | ||||
| @@ -14,6 +14,11 @@ in | ||||
|     (import ./whoami { inherit user home; }) | ||||
|   ]; | ||||
|  | ||||
|   boot.kernel.sysctl = { | ||||
|     "net.ipv4.ip_unprivileged_port_start" = 0; | ||||
|     "vm.overcommit_memory" = 1; | ||||
|   }; | ||||
|  | ||||
|   home-manager.users.${user} = { | ||||
|     virtualisation.quadlet = { | ||||
|       autoUpdate.enable = true; | ||||
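Review bot: `"net.ipv4.ip_unprivileged_port_start" = 0` is a host-wide setting: any unprivileged process or user on this machine, not just the rootless traefik container, can now bind every port below 1024, including ports the real services are not currently listening on. It was previously scoped to the traefik module (the `boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;` line removed further down) and is now bundled with `vm.overcommit_memory` without a note on why either is needed. Suggest comments such as `# Rootless podman must bind 80/443 for traefik; note this lets ANY unprivileged process bind ports < 1024` and `# vm.overcommit_memory = 1: presumably for redis's fork-based saves — confirm`, or raising the threshold to the lowest port actually published if that is acceptable. The enclosing attribute set continues outside the hunk.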
|   | ||||
| @@ -2,8 +2,15 @@ | ||||
|   user ? throw "user argument is required", | ||||
|   home ? throw "home argument is required", | ||||
| }: | ||||
| { config, pkgs, ... }: | ||||
| { | ||||
|   config, | ||||
|   inputs, | ||||
|   pkgs, | ||||
|   system, | ||||
|   ... | ||||
| }: | ||||
| let | ||||
|   selfPkgs = inputs.self.packages.${system}; | ||||
|   hmConfig = config.home-manager.users.${user}; | ||||
|   inherit (hmConfig.virtualisation.quadlet) volumes networks; | ||||
| in | ||||
| @@ -75,6 +82,7 @@ in | ||||
|           content = '' | ||||
|             #!/bin/sh | ||||
|  | ||||
|             mkdir -p /tmp | ||||
|             PIPE=$(mktemp -u) | ||||
|             mkfifo "$PIPE" | ||||
|             trap 'rm -f "$PIPE"' EXIT | ||||
| @@ -108,8 +116,7 @@ in | ||||
|  | ||||
|       containers.ntfy = { | ||||
|         containerConfig = { | ||||
|           autoUpdate = "registry"; | ||||
|           image = "docker.io/binwiederhier/ntfy:latest"; | ||||
|           image = "docker-archive:${selfPkgs.docker-ntfy}"; | ||||
|           networks = [ | ||||
|             networks.ntfy.ref | ||||
|             networks.traefik.ref | ||||
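Review bot: `mkdir -p /tmp` at the top of the embedded script creates the directory with the caller's umask (typically 0755, owned by root) rather than the conventional sticky 1777 `/tmp`, because the new base image ships no `/tmp` at all; the same workaround appears in `packages/docker/postgresql/entrypoint.sh`. Inside a single-user container this is mostly cosmetic, but every entrypoint that calls `mktemp` now has to remember it. Suggest creating `/tmp` once in `packages/docker/base/default.nix` (e.g. `extraCommands = "mkdir -m 1777 tmp";`) and dropping the per-script line. The script is a heredoc whose start and end lie outside the hunk.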
|   | ||||
| @@ -2,14 +2,18 @@ | ||||
|   user ? throw "user argument is required", | ||||
|   home ? throw "home argument is required", | ||||
| }: | ||||
| { config, pkgs, ... }: | ||||
| { | ||||
|   config, | ||||
|   inputs, | ||||
|   system, | ||||
|   ... | ||||
| }: | ||||
| let | ||||
|   selfPkgs = inputs.self.packages.${system}; | ||||
|   hmConfig = config.home-manager.users.${user}; | ||||
|   inherit (hmConfig.virtualisation.quadlet) networks volumes containers; | ||||
| in | ||||
| { | ||||
|   boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0; | ||||
|  | ||||
|   networking.firewall.allowedTCPPorts = [ | ||||
|     80 | ||||
|     443 | ||||
| @@ -30,8 +34,7 @@ in | ||||
|  | ||||
|       containers.traefik = { | ||||
|         containerConfig = { | ||||
|           autoUpdate = "registry"; | ||||
|           image = "docker.io/library/traefik:latest"; | ||||
|           image = "docker-archive:${selfPkgs.docker-traefik}"; | ||||
|           networks = [ networks.traefik.ref ]; | ||||
|           volumes = [ | ||||
|             "/run/user/${ | ||||
|   | ||||
| @@ -2,8 +2,14 @@ | ||||
|   user ? throw "user argument is required", | ||||
|   home ? throw "home argument is required", | ||||
| }: | ||||
| { config, pkgs, ... }: | ||||
| { | ||||
|   config, | ||||
|   inputs, | ||||
|   system, | ||||
|   ... | ||||
| }: | ||||
| let | ||||
|   selfPkgs = inputs.self.packages.${system}; | ||||
|   hmConfig = config.home-manager.users.${user}; | ||||
|   inherit (hmConfig.virtualisation.quadlet) networks; | ||||
| in | ||||
| @@ -12,8 +18,7 @@ in | ||||
|     networks.whoami.networkConfig.internal = true; | ||||
|  | ||||
|     containers.whoami.containerConfig = { | ||||
|       autoUpdate = "registry"; | ||||
|       image = "docker.io/traefik/whoami:latest"; | ||||
|       image = "docker-archive:${selfPkgs.docker-whoami}"; | ||||
|       networks = [ | ||||
|         networks.whoami.ref | ||||
|         networks.traefik.ref | ||||
|   | ||||
| @@ -1,5 +1,4 @@ | ||||
| { pkgs, ... }: | ||||
| { | ||||
|   log = import ./log { inherit pkgs; }; | ||||
|   merge = import ./merge { inherit pkgs; }; | ||||
| } | ||||
|   | ||||
| @@ -1,4 +0,0 @@ | ||||
| { pkgs, ... }: | ||||
| { | ||||
|   docker = import ./docker { inherit pkgs; }; | ||||
| } | ||||
| @@ -1,4 +0,0 @@ | ||||
| { pkgs, ... }: | ||||
| { | ||||
|   postgres = import ./postgres { inherit pkgs; }; | ||||
| } | ||||
| @@ -1,6 +0,0 @@ | ||||
| { pkgs, ... }: | ||||
| pkgs.writeTextFile { | ||||
|   name = "log-wrapper-docker-postgres"; | ||||
|   text = builtins.readFile ./wrapper.sh; | ||||
|   executable = true; | ||||
| } | ||||
| @@ -1,17 +0,0 @@ | ||||
| #!/bin/sh | ||||
|  | ||||
| set -o errexit | ||||
| set -o nounset | ||||
|  | ||||
| LOG_PIPE="$(mktemp -u)" | ||||
| mkfifo "$LOG_PIPE" | ||||
|  | ||||
| while IFS= read -r line; do | ||||
|   if echo "$line" | grep -qE "ERROR|FATAL|PANIC"; then | ||||
|     echo "$line" >&2 | ||||
|   else | ||||
|     echo "$line" >&1 | ||||
|   fi | ||||
| done < "$LOG_PIPE" & | ||||
|  | ||||
| exec /usr/local/bin/docker-entrypoint.sh "$@" >"$LOG_PIPE" 2>&1 | ||||
| @@ -9,6 +9,15 @@ | ||||
|   darktable-hald-clut = import ./darktable/hald-clut { inherit pkgs; }; | ||||
|   darktable-lua-scripts = import ./darktable/lua-scripts { inherit pkgs; }; | ||||
|  | ||||
|   docker-authelia = import ./docker/authelia { inherit pkgs; }; | ||||
|   docker-base = import ./docker/base { inherit pkgs; }; | ||||
|   docker-ntfy = import ./docker/ntfy { inherit pkgs; }; | ||||
|   docker-postgresql = import ./docker/postgresql { inherit pkgs; }; | ||||
|   docker-redis = import ./docker/redis { inherit pkgs; }; | ||||
|   docker-traefik = import ./docker/traefik { inherit pkgs; }; | ||||
|   docker-whoami = import ./docker/whoami { inherit pkgs; }; | ||||
|   docker-yq = import ./docker/yq { inherit pkgs; }; | ||||
|  | ||||
|   go-mmproxy = import ./go-mmproxy { inherit pkgs; }; | ||||
|  | ||||
|   obsidian-plugin-better-word-count = import ./obsidian/plugins/better-word-count { inherit pkgs; }; | ||||
|   | ||||
							
								
								
									
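--- a/packages/docker/authelia/default.nix
+++ b/packages/docker/authelia/default.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildImage {
+  name = "authelia";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with pkgs; [ authelia ];
+    pathsToLink = [ "/bin" ];
+  };
+
+  config = {
+    Entrypoint = [ "/bin/authelia" ];
+    ExposedPorts = {
+      "9091/tcp" = { };
+    };
+  };
+}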
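Review bot: The image sets no `User` in `config`, so authelia runs as uid 0 inside the container; under rootless podman that maps to the unprivileged host user, which is presumably why the bind-mounted config directory is created as `${user}` in the tmpfiles rules — but that assumption is recorded nowhere, and the same applies to the ntfy, traefik, whoami, yq, redis and postgresql images in this commit. Suggest a comment above `config = {` such as `# No User: rootless podman maps container uid 0 to the host user, matching the ownership of the bind-mounted config`. If a non-root uid inside the container is ever wanted, podman's `--userns=keep-id` is the usual way to keep the bind mounts readable.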
							
								
								
									
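--- a/packages/docker/base/default.nix
+++ b/packages/docker/base/default.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildImage {
+  name = "base";
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with pkgs; [
+      dockerTools.binSh
+      dockerTools.caCertificates
+      bashInteractive
+      coreutils
+      gnugrep
+    ];
+    pathsToLink = [
+      "/bin"
+      "/lib"
+      "/share"
+      "/etc"
+    ];
+  };
+}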
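Review bot: `bashInteractive` is linked into every derived image although none of the entrypoints in this commit use it — the scripts are `#!/bin/sh`, which `dockerTools.binSh` already provides — so it mainly adds an interactive shell to the attack surface of authelia, traefik, redis, ntfy, whoami and yq. Unless it is kept for `podman exec` debugging, suggest dropping it or documenting the reason: `# bashInteractive: kept for podman exec debugging only`. The image also has no `/tmp`, which is why `mkdir -p /tmp` is repeated in the ntfy and postgresql entrypoints; creating it here with the conventional sticky bit (`extraCommands = "mkdir -m 1777 tmp";`) would remove those workarounds.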
							
								
								
									
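--- a/packages/docker/ntfy/default.nix
+++ b/packages/docker/ntfy/default.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildImage {
+  name = "ntfy";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with pkgs; [ ntfy-sh ];
+    pathsToLink = [ "/bin" ];
+  };
+
+  config = {
+    Entrypoint = [ "/bin/ntfy" ];
+    Cmd = [ "serve" ];
+    ExposedPorts = {
+      "80/tcp" = { };
+    };
+    Volumes = {
+      "/var/lib/ntfy" = { };
+    };
+  };
+}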
							
								
								
									
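--- a/packages/docker/postgresql/allow-root.patch
+++ b/packages/docker/postgresql/allow-root.patch
@@ -0,0 +1,205 @@
+diff --git a/src/backend/main/main.c b/src/backend/main/main.c
+index e8effe50242..2065061b5bb 100644
+--- a/src/backend/main/main.c
++++ b/src/backend/main/main.c
+@@ -190,10 +190,6 @@ main(int argc, char *argv[])
+ 			do_check_root = false;
+ 	}
+ 
+-	/*
+-	 * Make sure we are not running as root, unless it's safe for the selected
+-	 * option.
+-	 */
+ 	if (do_check_root)
+ 		check_root(progname);
+ 
+@@ -445,41 +441,6 @@ help(const char *progname)
+ static void
+ check_root(const char *progname)
+ {
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		write_stderr("\"root\" execution of the PostgreSQL server is not permitted.\n"
+-					 "The server must be started under an unprivileged user ID to prevent\n"
+-					 "possible system security compromise.  See the documentation for\n"
+-					 "more information on how to properly start the server.\n");
+-		exit(1);
+-	}
+-
+-	/*
+-	 * Also make sure that real and effective uids are the same. Executing as
+-	 * a setuid program from a root shell is a security hole, since on many
+-	 * platforms a nefarious subroutine could setuid back to root if real uid
+-	 * is root.  (Since nobody actually uses postgres as a setuid program,
+-	 * trying to actively fix this situation seems more trouble than it's
+-	 * worth; we'll just expend the effort to check for it.)
+-	 */
+-	if (getuid() != geteuid())
+-	{
+-		write_stderr("%s: real and effective user IDs must match\n",
+-					 progname);
+-		exit(1);
+-	}
+-#else							/* WIN32 */
+-	if (pgwin32_is_admin())
+-	{
+-		write_stderr("Execution of PostgreSQL by a user with administrative permissions is not\n"
+-					 "permitted.\n"
+-					 "The server must be started under an unprivileged user ID to prevent\n"
+-					 "possible system security compromises.  See the documentation for\n"
+-					 "more information on how to properly start the server.\n");
+-		exit(1);
+-	}
+-#endif							/* WIN32 */
+ }
+ 
+ /*
+diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
+index 21a0fe3ecd9..2aa44cc9ab8 100644
+--- a/src/bin/initdb/initdb.c
++++ b/src/bin/initdb/initdb.c
+@@ -815,15 +815,6 @@ get_id(void)
+ {
+ 	const char *username;
+ 
+-#ifndef WIN32
+-	if (geteuid() == 0)			/* 0 is root's uid */
+-	{
+-		pg_log_error("cannot be run as root");
+-		pg_log_error_hint("Please log in (using, e.g., \"su\") as the (unprivileged) user that will own the server process.");
+-		exit(1);
+-	}
+-#endif
+-
+ 	username = get_user_name_or_exit(progname);
+ 
+ 	return pg_strdup(username);
+diff --git a/src/bin/pg_basebackup/pg_createsubscriber.c b/src/bin/pg_basebackup/pg_createsubscriber.c
+index a5a2d61165d..a4021734895 100644
+--- a/src/bin/pg_basebackup/pg_createsubscriber.c
++++ b/src/bin/pg_basebackup/pg_createsubscriber.c
+@@ -1977,20 +1977,6 @@ main(int argc, char **argv)
+ 	};
+ 	opt.recovery_timeout = 0;
+ 
+-	/*
+-	 * Don't allow it to be run as root. It uses pg_ctl which does not allow
+-	 * it either.
+-	 */
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		pg_log_error("cannot be executed by \"root\"");
+-		pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
+-						  progname);
+-		exit(1);
+-	}
+-#endif
+-
+ 	get_restricted_token();
+ 
+ 	while ((c = getopt_long(argc, argv, "d:D:np:P:s:t:TU:v",
+diff --git a/src/bin/pg_ctl/pg_ctl.c b/src/bin/pg_ctl/pg_ctl.c
+index 8a405ff122c..84195a3b8c6 100644
+--- a/src/bin/pg_ctl/pg_ctl.c
++++ b/src/bin/pg_ctl/pg_ctl.c
+@@ -2235,7 +2235,6 @@ main(int argc, char **argv)
+ 	/* Set restrictive mode mask until PGDATA permissions are checked */
+ 	umask(PG_MODE_MASK_OWNER);
+ 
+-	/* support --help and --version even if invoked as root */
+ 	if (argc > 1)
+ 	{
+ 		if (strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0)
+@@ -2250,21 +2249,6 @@ main(int argc, char **argv)
+ 		}
+ 	}
+ 
+-	/*
+-	 * Disallow running as root, to forestall any possible security holes.
+-	 */
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		write_stderr(_("%s: cannot be run as root\n"
+-					   "Please log in (using, e.g., \"su\") as the "
+-					   "(unprivileged) user that will\n"
+-					   "own the server process.\n"),
+-					 progname);
+-		exit(1);
+-	}
+-#endif
+-
+ 	env_wait = getenv("PGCTLTIMEOUT");
+ 	if (env_wait != NULL)
+ 		wait_seconds = atoi(env_wait);
+diff --git a/src/bin/pg_resetwal/pg_resetwal.c b/src/bin/pg_resetwal/pg_resetwal.c
+index 31bc0abff16..951de872d77 100644
+--- a/src/bin/pg_resetwal/pg_resetwal.c
++++ b/src/bin/pg_resetwal/pg_resetwal.c
+@@ -347,22 +347,6 @@ main(int argc, char *argv[])
+ 		exit(1);
+ 	}
+ 
+-	/*
+-	 * Don't allow pg_resetwal to be run as root, to avoid overwriting the
+-	 * ownership of files in the data directory. We need only check for root
+-	 * -- any other user won't have sufficient permissions to modify files in
+-	 * the data directory.
+-	 */
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		pg_log_error("cannot be executed by \"root\"");
+-		pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
+-						  progname);
+-		exit(1);
+-	}
+-#endif
+-
+ 	get_restricted_token();
+ 
+ 	/* Set mask based on PGDATA permissions */
+diff --git a/src/bin/pg_rewind/pg_rewind.c b/src/bin/pg_rewind/pg_rewind.c
+index 2ce99d06d1d..33e0a61c360 100644
+--- a/src/bin/pg_rewind/pg_rewind.c
++++ b/src/bin/pg_rewind/pg_rewind.c
+@@ -270,22 +270,6 @@ main(int argc, char **argv)
+ 		exit(1);
+ 	}
+ 
+-	/*
+-	 * Don't allow pg_rewind to be run as root, to avoid overwriting the
+-	 * ownership of files in the data directory. We need only check for root
+-	 * -- any other user won't have sufficient permissions to modify files in
+-	 * the data directory.
+-	 */
+-#ifndef WIN32
+-	if (geteuid() == 0)
+-	{
+-		pg_log_error("cannot be executed by \"root\"");
+-		pg_log_error_hint("You must run %s as the PostgreSQL superuser.",
+-						  progname);
+-		exit(1);
+-	}
+-#endif
+-
+ 	get_restricted_token();
+ 
+ 	/* Set mask based on PGDATA permissions */
+diff --git a/src/bin/pg_upgrade/option.c b/src/bin/pg_upgrade/option.c
+index 188dd8d8a8b..cdd032be0fc 100644
+--- a/src/bin/pg_upgrade/option.c
++++ b/src/bin/pg_upgrade/option.c
+@@ -104,10 +104,6 @@ parseCommandLine(int argc, char *argv[])
+ 		}
+ 	}
+ 
+-	/* Allow help and version to be run as root, so do the test here. */
+-	if (os_user_effective_id == 0)
+-		pg_fatal("%s: cannot be run as root", os_info.progname);
+-
+ 	while ((option = getopt_long(argc, argv, "b:B:cd:D:j:kNo:O:p:P:rs:U:v",
+ 								 long_options, &optindex)) != -1)
+ 	{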
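Review bot: The patch removes more than the container needs: besides the `geteuid() == 0` branches it deletes the `getuid() != geteuid()` real-vs-effective uid check in `check_root` of `main.c`, which guards against postgres being run as a setuid binary and has nothing to do with running as root inside a user namespace, and it strips the root checks from `pg_resetwal`, `pg_rewind`, `pg_upgrade` and `pg_createsubscriber`, none of which `entrypoint.sh` invokes. Suggest narrowing it to the `geteuid() == 0` blocks in `main.c`, `initdb.c` and `pg_ctl.c` and leaving the uid-mismatch check in place. A header comment in the patch file stating why root is acceptable here (rootless podman maps container uid 0 to the unprivileged host user, so the bind-mounted data directory keeps that user's ownership) would also help whoever next rebases it against a newer `pkgs.postgresql`; running the container with podman's `--userns=keep-id` instead would avoid patching postgres at all.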
							
								
								
									
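--- a/packages/docker/postgresql/default.nix
+++ b/packages/docker/postgresql/default.nix
@@ -0,0 +1,48 @@
+{ pkgs, ... }:
+let
+  postgresql = pkgs.postgresql.overrideAttrs (oldAttrs: {
+    patches = oldAttrs.patches or [ ] ++ [ ./allow-root.patch ];
+  });
+
+  entrypoint = pkgs.writeTextFile {
+    name = "entrypoint";
+    executable = true;
+    destination = "/bin/entrypoint";
+    text = builtins.readFile ./entrypoint.sh;
+  };
+in
+pkgs.dockerTools.buildImage {
+  name = "postgresql";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = [
+      entrypoint
+      postgresql
+    ];
+    pathsToLink = [
+      "/bin"
+      "/lib"
+      "/share"
+    ];
+  };
+
+  runAsRoot = ''
+    ${pkgs.dockerTools.shadowSetup}
+    mkdir -p /etc/postgresql /var/lib/postgresql /run/postgresql
+    cp ${postgresql}/share/postgresql/postgresql.conf.sample /etc/postgresql/postgresql.conf
+    ${pkgs.gnused}/bin/sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /etc/postgresql/postgresql.conf
+  '';
+
+  config = {
+    Entrypoint = [ "/bin/entrypoint" ];
+    WorkingDir = "/var/lib/postgresql";
+    ExposedPorts = {
+      "5432/tcp" = { };
+    };
+    Volumes = {
+      "/var/lib/postgresql/data" = { };
+    };
+  };
+}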
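Review bot: The `sed` in `runAsRoot` rewrites `listen_addresses` to `'*'` and `entrypoint.sh` appends `host all all all <method>` to `pg_hba.conf`, so the server accepts password authentication from any address on every network the container joins; the only thing bounding exposure is that the authelia quadlet attaches it to `networks.authelia` alone, and I cannot confirm from this commit that that network is internal. Worth a comment on the `sed` line: `# Listen on all interfaces; reachability is bounded by the container's podman network, not by postgres itself`. The `patches` override also pins this image to whatever `pkgs.postgresql` currently is; a comment naming the major version the patch was written against would make the next nixpkgs bump less surprising.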
							
								
								
									
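--- a/packages/docker/postgresql/entrypoint.sh
+++ b/packages/docker/postgresql/entrypoint.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -o errexit
+set -o nounset
+
+POSTGRES_USER="${POSTGRES_USER:-postgres}"
+POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-postgres}"
+POSTGRES_DB="${POSTGRES_DB:-$POSTGRES_USER}"
+export PGDATA="${PGDATA:-/var/lib/postgresql/data}"
+
+mkdir -p /tmp
+LOG_PIPE="$(mktemp -u)"
+mkfifo "$LOG_PIPE"
+
+(
+  while IFS= read -r line; do
+    if echo "$line" | grep -qE "ERROR|FATAL|PANIC"; then
+      echo "$line" >&2
+    else
+      echo "$line"
+    fi
+  done < "$LOG_PIPE"
+) &
+LOG_PID=$!
+
+if [ ! -s "$PGDATA/PG_VERSION" ]; then
+  initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD")
+
+  auth_method=$(postgres -c config_file="/etc/postgresql/postgresql.conf" -C password_encryption)
+  POSTGRES_HOST_AUTH_METHOD="${POSTGRES_HOST_AUTH_METHOD:=$auth_method}"
+  echo -e "\nhost all all all $POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf"
+
+  pg_ctl -w start
+
+  if ! psql --username="$POSTGRES_USER" -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = '$POSTGRES_DB'" | grep -q 1; then
+    psql --username="$POSTGRES_USER" -d postgres -c "CREATE DATABASE \"$POSTGRES_DB\";"
+  fi
+
+  pg_ctl -m fast -w stop
+fi
+
+trap "kill $LOG_PID" EXIT
+exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1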
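Review bot: `POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-postgres}"` silently initialises the cluster with the password `postgres` whenever the secret is absent (for example if the sops env file failed to render), and because `initdb` runs only once that weak password then persists in the data directory. Suggest failing closed instead: `: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"`. The script is `#!/bin/sh` yet uses the bash-only `<(...)` process substitution and `echo -e`, so it works only while `/bin/sh` in the base image resolves to bash; `printf '\nhost all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"` and a temporary file for `--pwfile` would be portable. `trap "kill $LOG_PID" EXIT` is installed immediately before `exec`, which replaces the shell, so the trap never fires — harmless, since the reader exits when the pipe closes, but dead code. `initdb` is also called without `--auth-local`/`--auth-host`, which leaves the default `trust` entries for local and loopback connections; that is confined to the container, but worth a comment so it is not mistaken for an oversight.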
							
								
								
									
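--- a/packages/docker/redis/default.nix
+++ b/packages/docker/redis/default.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+let
+  redis = pkgs.redis.overrideAttrs (oldAttrs: {
+    patches = oldAttrs.patches or [ ] ++ [ ./disable-protected-mode.patch ];
+    doCheck = false;
+  });
+in
+pkgs.dockerTools.buildImage {
+  name = "redis";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = [ redis ];
+    pathsToLink = [ "/bin" ];
+  };
+
+  config = {
+    Entrypoint = [ "/bin/redis-server" ];
+    WorkingDir = "/var/lib/redis";
+    ExposedPorts = {
+      "6379/tcp" = { };
+    };
+    Volumes = {
+      "/var/lib/redis" = { };
+    };
+  };
+}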
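Review bot: Rebuilding redis with `disable-protected-mode.patch` (and `doCheck = false`, which skips the redis test suite for this build) changes a runtime default that can already be set per container: appending `"--protected-mode no"` to the authelia module's `exec = [ "--save 60 1" ];` achieves the same without a patched, untested binary. Either way, with no `bind` and no `requirepass` the server answers unauthenticated commands from every peer on the container's networks, so exposure rests on `networks.authelia` reaching only the authelia containers — which I cannot confirm from this commit. Suggest a comment on the `patches` line stating the rationale, or feeding a `requirepass` from a sops secret the way the postgres password already is.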
							
								
								
									
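--- a/packages/docker/redis/disable-protected-mode.patch
+++ b/packages/docker/redis/disable-protected-mode.patch
@@ -0,0 +1,13 @@
+diff --git a/src/config.c b/src/config.c
+index 9d287dd99..87cdd3b45 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -3065,7 +3065,7 @@ standardConfig static_configs[] = {
+     createBoolConfig("daemonize", NULL, IMMUTABLE_CONFIG, server.daemonize, 0, NULL, NULL),
+     createBoolConfig("io-threads-do-reads", NULL, DEBUG_CONFIG | IMMUTABLE_CONFIG, server.io_threads_do_reads, 0,NULL, NULL), /* Read + parse from threads? */
+     createBoolConfig("always-show-logo", NULL, IMMUTABLE_CONFIG, server.always_show_logo, 0, NULL, NULL),
+-    createBoolConfig("protected-mode", NULL, MODIFIABLE_CONFIG, server.protected_mode, 1, NULL, NULL),
++    createBoolConfig("protected-mode", NULL, MODIFIABLE_CONFIG, server.protected_mode, 0, NULL, NULL),
+     createBoolConfig("rdbcompression", NULL, MODIFIABLE_CONFIG, server.rdb_compression, 1, NULL, NULL),
+     createBoolConfig("rdb-del-sync-files", NULL, MODIFIABLE_CONFIG, server.rdb_del_sync_files, 0, NULL, NULL),
+     createBoolConfig("activerehashing", NULL, MODIFIABLE_CONFIG, server.activerehashing, 1, NULL, NULL),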
							
								
								
									
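--- a/packages/docker/traefik/default.nix
+++ b/packages/docker/traefik/default.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildImage {
+  name = "traefik";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with pkgs; [ traefik ];
+    pathsToLink = [ "/bin" ];
+  };
+
+  config = {
+    Entrypoint = [ "/bin/traefik" ];
+    ExposedPorts = {
+      "80/tcp" = { };
+    };
+  };
+}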
							
								
								
									
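--- a/packages/docker/whoami/default.nix
+++ b/packages/docker/whoami/default.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+let
+  whoami = pkgs.whoami.overrideAttrs (oldAttrs: {
+    patches = oldAttrs.patches or [ ] ++ [ ./stdout-logs.patch ];
+  });
+in
+pkgs.dockerTools.buildImage {
+  name = "whoami";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = [ whoami ];
+    pathsToLink = [ "/bin" ];
+  };
+
+  config = {
+    Entrypoint = [ "/bin/whoami" ];
+    ExposedPorts = {
+      "80/tcp" = { };
+    };
+  };
+}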
							
								
								
									
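--- a/packages/docker/whoami/stdout-logs.patch
+++ b/packages/docker/whoami/stdout-logs.patch
@@ -0,0 +1,13 @@
+diff --git a/app.go b/app.go
+index 0849b03..e9a0cf2 100644
+--- a/app.go
++++ b/app.go
+@@ -68,6 +68,8 @@ type Data struct {
+ }
+ 
+ func main() {
++	log.SetOutput(os.Stdout)
++
+ 	flag.Parse()
+ 
+ 	mux := http.NewServeMux()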
							
								
								
									
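--- a/packages/docker/yq/default.nix
+++ b/packages/docker/yq/default.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildImage {
+  name = "yq";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with pkgs; [ yq-go ];
+    pathsToLink = [ "/bin" ];
+  };
+
+  config = {
+    Entrypoint = [ "/bin/yq" ];
+  };
+}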