forked from ZoeyVid/NPMplus
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dockerfile
125 lines (111 loc) · 5.83 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
FROM --platform="$BUILDPLATFORM" alpine:3.19.0 as frontend
COPY frontend /build/frontend
COPY global/certbot-dns-plugins.js /build/frontend/certbot-dns-plugins.js
ARG NODE_ENV=production \
NODE_OPTIONS=--openssl-legacy-provider
WORKDIR /build/frontend
RUN apk add --no-cache ca-certificates nodejs yarn git python3 build-base && \
yarn --no-lockfile install && \
yarn --no-lockfile build && \
yarn cache clean --all
COPY darkmode.css /build/frontend/dist/css/darkmode.css
COPY security.txt /build/frontend/dist/.well-known/security.txt
FROM --platform="$BUILDPLATFORM" alpine:3.19.0 as backend
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
COPY backend /build/backend
COPY global/certbot-dns-plugins.js /build/backend/certbot-dns-plugins.js
ARG NODE_ENV=production \
TARGETARCH
WORKDIR /build/backend
RUN apk add --no-cache ca-certificates nodejs-current yarn && \
wget -q https://gobinaries.com/tj/node-prune -O - | sh && \
if [ "$TARGETARCH" = "amd64" ]; then \
npm_config_target_platform=linux npm_config_target_arch=x64 yarn install --no-lockfile; \
elif [ "$TARGETARCH" = "arm64" ]; then \
npm_config_target_platform=linux npm_config_target_arch=arm64 yarn install --no-lockfile; \
fi && \
node-prune && \
yarn cache clean --all
FROM --platform="$BUILDPLATFORM" alpine:3.19.0 as crowdsec
ARG CSNB_VER=v1.0.6-rc4
WORKDIR /src
RUN apk add --no-cache ca-certificates git build-base && \
git clone --recursive https://github.com/crowdsecurity/cs-nginx-bouncer --branch "$CSNB_VER" /src && \
make && \
tar xzf crowdsec-nginx-bouncer.tgz && \
mv crowdsec-nginx-bouncer-* crowdsec-nginx-bouncer && \
sed -i "/lua_package_path/d" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \
sed -i "s|/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf|/data/etc/crowdsec/crowdsec.conf|g" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \
sed -i "s|API_KEY=.*|API_KEY=|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|ENABLED=.*|ENABLED=false|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
FROM zoeyvid/nginx-quic:241
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
ARG CRS_VER=v4.0/dev
COPY rootfs /
RUN apk add --no-cache ca-certificates tzdata tini \
lua5.1-lzlib \
nodejs-current \
openssl apache2-utils \
coreutils grep jq curl shadow sudo \
luarocks5.1 wget lua5.1-dev build-base git yarn && \
git clone https://github.com/coreruleset/coreruleset --branch "$CRS_VER" /tmp/coreruleset && \
mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \
mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
mv -v /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
rm -r /tmp/* && \
luarocks-5.1 install lua-resty-http && \
luarocks-5.1 install lua-cjson && \
yarn global add nginxbeautifier && \
apk del --no-cache luarocks5.1 wget lua5.1-dev build-base git yarn
COPY --from=backend /build/backend /app
COPY --from=frontend /build/frontend/dist /app/frontend
COPY --from=zoeyvid/certbot-docker:18 /usr/local/certbot /usr/local/certbot
COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/lib/plugins /usr/local/nginx/lib/lua/plugins
COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/lib/crowdsec.lua /usr/local/nginx/lib/lua/crowdsec.lua
COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/templates/ban.html /usr/local/nginx/conf/conf.d/include/ban.html
COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/templates/captcha.html /usr/local/nginx/conf/conf.d/include/captcha.html
COPY --from=crowdsec /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf /usr/local/nginx/conf/conf.d/include/crowdsec.conf
COPY --from=crowdsec /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf /usr/local/nginx/conf/conf.d/include/crowdsec_nginx.conf
RUN ln -s /app/password-reset.js /usr/local/bin/password-reset.js && \
ln -s /app/sqlite-vaccum.js /usr/local/bin/sqlite-vaccum.js && \
ln -s /app/index.js /usr/local/bin/index.js
ENV NODE_ENV=production \
NODE_CONFIG_DIR=/data/etc/npm \
PATH="/usr/local/certbot/bin:$PATH" \
DB_SQLITE_FILE=/data/etc/npm/database.sqlite
ENV PUID=0 \
PGID=0 \
NIBEP=48693 \
GOAIWSP=48683 \
NPM_PORT=81 \
GOA_PORT=91 \
IPV4_BINDING=0.0.0.0 \
NPM_IPV4_BINDING=0.0.0.0 \
GOA_IPV4_BINDING=0.0.0.0 \
IPV6_BINDING=[::] \
NPM_IPV6_BINDING=[::] \
GOA_IPV6_BINDING=[::] \
DISABLE_IPV6=false \
NPM_DISABLE_IPV6=false \
GOA_DISABLE_IPV6=false \
NPM_LISTEN_LOCALHOST=false \
GOA_LISTEN_LOCALHOST=false \
DEFAULT_CERT_ID=0 \
DISABLE_HTTP=false \
NGINX_ACCESS_LOG=false \
NGINX_LOG_NOT_FOUND=false \
CLEAN=true \
FULLCLEAN=false \
LOGROTATE=false \
LOGROTATIONS=3 \
GOA=false \
GOACLA="--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string" \
PHP81=false \
PHP82=false \
PHP83=false
WORKDIR /app
ENTRYPOINT ["tini", "--", "start.sh"]
HEALTHCHECK CMD healthcheck.sh