add apache-nas + sftp-server

camptocamp · Nov 8, 2024 · 8da8340 · 8da8340
commit 8da8340
Show file tree

Hide file tree

Showing 13 changed files with 279 additions and 0 deletions.
diff --git a/.github/buildkitd.toml b/.github/buildkitd.toml
@@ -0,0 +1,2 @@
+[worker.oci]
+  max-parallelism = 1
diff --git a/.github/workflows/docker-build-sftp-apache-nas.yml b/.github/workflows/docker-build-sftp-apache-nas.yml
@@ -0,0 +1,49 @@
+name: Docker build apache nas image
+
+on:
+  workflow_dispatch:
+  # rebuild with latest php version each month
+  schedule:
+    - cron: "0 0 1 * *"
+  push:
+    branches: [ "master" ]
+    paths:
+      - '.github/workflows/docker-build-apache-nas.yml'
+      - 'apache-nas/**'
+
+env:
+  # https://endoflife.date/php
+  PHP_VERSION: "8.3"
+  # docker image version
+  VERSION: "1.0.0-${{ env.PHP_VERSION }}"
+
+jobs:
+  build:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Check Out Repo
+        uses: actions/checkout@v3
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+
+      - name: Build and push docker image
+        id: docker_build
+        uses: docker/build-push-action@v3
+        with:
+          context: ./apache-nas
+          file: ./apache-nas/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: ghcr.io/camptocamp/georchestra-docker-images/apache-nas:latest, ghcr.io/camptocamp/georchestra-docker-images/apache-nas:${{ env.VERSION }}, ghcr.io/camptocamp/georchestra-docker-images/apache-nas:build-${{ github.sha }}
+          build-args: PHP_VERSION=${{ env.PHP_VERSION }}
diff --git a/.github/workflows/docker-build-sftp-server.yml b/.github/workflows/docker-build-sftp-server.yml
@@ -0,0 +1,46 @@
+name: Docker build sftp-server image
+
+on:
+  workflow_dispatch:
+  # rebuild with latest debian stable version each month
+  schedule:
+    - cron: "0 0 1 * *"
+  push:
+    branches: [ "master" ]
+    paths:
+      - '.github/workflows/docker-build-sftp-server.yml'
+      - 'sftp-server/**'
+
+env:
+  # docker image version
+  VERSION: "1.0.0-bookworm"
+
+jobs:
+  build:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: Check Out Repo
+        uses: actions/checkout@v3
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: latest
+
+      - name: Build and push docker image
+        id: docker_build
+        uses: docker/build-push-action@v3
+        with:
+          context: ./sftp-server
+          file: ./sftp-server/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: ghcr.io/camptocamp/georchestra-docker-images/sftp-server:latest, ghcr.io/camptocamp/georchestra-docker-images/sftp-server:${{ env.VERSION }}, ghcr.io/camptocamp/georchestra-docker-images/sftp-server:build-${{ github.sha }}
diff --git a/README.md b/README.md
@@ -0,0 +1,30 @@
+# About
+
+Custom Docker images for the geOrchetra team.
+
+Currently host:
+- sftp-server: `ghcr.io/camptocamp/georchestra-docker-images/sftp-server`
+- apache-nas: `ghcr.io/camptocamp/georchestra-docker-images/apache-nas`
+
+# Update a Docker image
+
+1. Do your changes in the folder of the Docker image.
+2. Go to the workflow of the Docker image, example `.github/workflows/docker-build-sftp-server.yml`
+3. Update the version of the Docker image for `VERSION:`.
+4. Push your changes.
+
+# How to add a new Docker image
+
+## If it's a script or a custom tool that exist only for Rennes métropole (or only in this repository)
+1. Copy an existing workflow file based on sftp-server.
+2. Change the workflow name: `name:`.
+3. Adapt the paths in `push.paths`.
+4. For the step `docker_build`, adapt every parameter to the project name.
+5. Set a version for the Docker image in `VERSION:`
+
+# Explanation about the workflows with a schedule.
+These workflows will be rebuilt every X time (`0 */12 * * *` for most of them).
+
+They will fetch the latest version for the version specified in the workflow file then try to build a new docker image if the version has never been built. You can change that by setting to a fixed version.
+
+This allows to update the environment as quickly as possible because if a new geOrchestra version comes out then the new Docker images will already be ready.
diff --git a/apache-nas/Dockerfile b/apache-nas/Dockerfile
@@ -0,0 +1,16 @@
+ARG PHP_VERSION=8.3
+
+FROM php:${PHP_VERSION}-apache
+
+# set fixed UID and GID - see github.com/hexops/dockerfile
+ARG UID=999
+ARG GID=999
+
+# change the www-data user and group ID
+RUN groupmod --gid ${GID} www-data && \
+    usermod --non-unique --uid ${UID} --gid ${GID} www-data
+
+COPY build.sh /tmp/build.sh
+
+# Install and configure everything needed
+RUN /tmp/build.sh
diff --git a/apache-nas/README.md b/apache-nas/README.md
@@ -0,0 +1,12 @@
+# About
+
+This docker build is a slightly simplified version of the SFTP stack being
+used in the `geOrchestra` deployments.
+
+It is currently being used in most of our deployments, either under Kubernetes.
+
+# Notes
+
+This is based on Debian bookworm, the latest stable Debian version at the time for writing.
+
+Please update the `FROM:` debian image when a new Debian version is out.
diff --git a/apache-nas/build.sh b/apache-nas/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+apt update
+
+# configure sendmail and php to use georchestra-smtp-svc as mail server
+apt install -y --no-install-recommends --no-install-suggests libpq-dev ssmtp
+sed -i "s/mailhub=mail/mailhub=georchestra-smtp-svc/" /etc/ssmtp/ssmtp.conf
+sed -i 's/#FromLineOverride=YES/FromLineOverride=YES/' /etc/ssmtp/ssmtp.conf
+printf "[mail function]\nsendmail_path = /usr/sbin/ssmtp -t\n" > /usr/local/etc/php/conf.d/sendmail.ini
+
+# install additional extensions
+apt install -y --no-install-recommends --no-install-suggests libzip-dev
+docker-php-ext-install pgsql pdo_pgsql zip
+
+# configure apache2
+chown -R www-data /run/apache2 /run/lock/apache2 /var/cache/apache2/mod_cache_disk /var/log/apache2
+printf "upload_max_filesize=50M\npost_max_size=50M\n" > /usr/local/etc/php/conf.d/upload-size-customizations.ini
+a2enmod rewrite
+
+apt-get clean
+rm -rf /var/lib/apt/lists/*
diff --git a/sftp-server/Dockerfile b/sftp-server/Dockerfile
@@ -0,0 +1,17 @@
+FROM debian:bookworm
+
+COPY build.sh /tmp/build.sh
+
+# Install and configure everything needed
+RUN /tmp/build.sh
+
+# Define VOLUMES
+VOLUME ["/etc/ssh/ssh_host_keys", "/home/sftp"]
+
+# Configure entrypoint and command
+COPY docker-entrypoint.sh /
+COPY docker-entrypoint.d /docker-entrypoint.d
+
+EXPOSE 22
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/usr/sbin/sshd", "-D", "-e"]
diff --git a/sftp-server/README.md b/sftp-server/README.md
@@ -0,0 +1,12 @@
+# About
+
+This docker build is a slightly simplified version of the SFTP stack being
+used in the `geOrchestra` deployments.
+
+It is currently being used in most of our deployments, either under Kubernetes.
+
+# Notes
+
+This is based on Debian bookworm, the latest stable Debian version at the time for writing.
+
+Please update the `FROM:` debian image when a new Debian version is out.
diff --git a/sftp-server/build.sh b/sftp-server/build.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+# Install and configure openssh-server
+apt update
+apt install -y --no-install-recommends --no-install-suggests openssh-server
+
+rm -f /etc/ssh/ssh_host_*_key*
+mkdir /var/run/sshd /etc/ssh/ssh_host_keys 
+sed -i -e 's@#HostKey /etc/ssh/ssh_host@HostKey /etc/ssh/ssh_host_keys/ssh_host@g' /etc/ssh/sshd_config 
+echo "AllowUsers sftp" >> /etc/ssh/sshd_config 
+echo "PasswordAuthentication no" >> /etc/ssh/sshd_config 
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.client 
+sed -i -e 's@^Subsystem sftp .*@Subsystem sftp internal-sftp@' /etc/ssh/sshd_config.client 
+echo "Match User sftp" >> /etc/ssh/sshd_config.client 
+echo "    AllowTcpForwarding no" >> /etc/ssh/sshd_config.client 
+echo "    X11Forwarding no" >> /etc/ssh/sshd_config.client 
+echo "    ForceCommand internal-sftp" >> /etc/ssh/sshd_config.client
+
+# Add user tools
+
+apt install -y --no-install-recommends --no-install-suggests \
+    groff rsync vim-nox emacs-nox screen gdal-bin pktools wget curl file \
+    python3-gdal nano git htop sudo tree less bash-completion zsh figlet colordiff unzip \
+    python3 dnsutils ldap-utils postgresql-common
+
+# configure postgresql apt repository (PGDG)
+# see https://wiki.postgresql.org/wiki/Apt
+
+YES=yes /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh
+apt install -y postgresql-client-16/bookworm-pgdg
+
+# cleanup system
+apt-get clean
+rm -rf /var/lib/apt/lists/*
+
+# add sudo group with all sudo permissions
+echo "%sudo ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/sudo-group
+
+# Configure ssh user
+useradd -r -d /home/sftp --shell /bin/bash sftp
+mkdir -p /home/sftp.skel/.ssh
+chown -R sftp.sftp /home/sftp.skel
+ln -s /mnt /home/sftp.skel/data
+adduser sftp sudo
diff --git a/sftp-server/docker-entrypoint.d/20-set_uid.sh b/sftp-server/docker-entrypoint.d/20-set_uid.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ -n "$SFTP_UID" ]; then
+  usermod --non-unique --uid $SFTP_UID sftp
+  chown -R sftp /home/sftp
+fi
diff --git a/sftp-server/docker-entrypoint.d/30-disable-ssh.sh b/sftp-server/docker-entrypoint.d/30-disable-ssh.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+
+if [ "${DISABLE_SSH,,}" = "true" ]; then
+    cp /etc/ssh/sshd_config.client /etc/ssh/sshd_config
+fi
+
diff --git a/sftp-server/docker-entrypoint.sh b/sftp-server/docker-entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+DIR=/docker-entrypoint.d
+
+if [[ -d "$DIR" ]]
+then
+  /bin/run-parts -v --exit-on-error --regex '\.(sh|rb)$' "$DIR"
+fi
+
+exec "$@"
+