Merge pull request #5 from dubo-dubon-duponey/work

Work
dubo-dubon-duponey · Dec 19, 2019 · a59400f · a59400f
2 parents f62fb02 + e0d97f3
commit a59400f
Show file tree

Hide file tree

Showing 9 changed files with 143 additions and 33 deletions.
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [dubo-dubon-duponey] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
diff --git a/DEVELOP.md b/DEVELOP.md
@@ -0,0 +1,104 @@
+# Hackers zone
+
+## Build from source
+
+### TL;DR
+
+```bash
+VENDOR=you
+IMAGE_NAME=super_image
+IMAGE_TAG=sometag
+./build.sh
+```
+
+### The what
+
+This image is built using `dubodubonduponey/base:builder-$DEBIAN_DATE` and its runtime uses `dubodubonduponey/base:runtime-$DEBIAN_DATE`.
+
+Both these images are built upon `dubodubonduponey/debian:$DEBIAN_DATE`, a debootstrapped version of Debian Buster, built from a Debian snapshot at `$DEBIAN_DATE`.
+
+At the time of this writing, `DEBIAN_DATE` evaluates to `2019-12-01`, and is updated every 15 days.
+
+You can find out more here:
+
+ * https://github.com/dubo-dubon-duponey/docker-debian for the debootstrapped Debian base
+ * https://github.com/dubo-dubon-duponey/docker-base for the builder and runtime images
+
+These images provide very little - they are (mostly) barebone Buster with metadata and some ONBUILD
+Docker syntactic sugar (metadata, user creation, entrypoint).
+
+Let me repeat: you have very little reason to go and add anything up there.
+
+### Configuration reference
+
+```bash
+# Controls to which registry your image gets pushed (default to Docker Hub if left unspecified)
+REGISTRY="registry-1.docker.io"
+
+# "Vendor" name of the image (eg: `REGISTRY/VENDOR/IMAGE`)
+VENDOR="dubodubonduponey"
+
+# Image name (as in `REGISTRY/VENDOR/IMAGE`)
+IMAGE_NAME="super_image"
+
+# Tag name to publish
+IMAGE_TAG="v1"
+
+# Image metadata (applied through labels)
+TITLE="My super image title"
+DESCRIPTION="My super image description"
+
+# Platforms you want to target (note: certain platforms may be unavailable for the underlying software)
+PLATFORMS="linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6}"
+
+# Base debian image date to use (from our own base images)
+DEBIAN_DATE=2019-12-01
+
+# Controls which user-id to assign to the in-container user
+BUILD_UID=2000
+```
+
+### Behavior control
+
+```bash
+# Do NOT push the built image if left empty (useful for debugging) - default to true
+PUSH=
+# Do NOT use buildkit cache if left empty - default to true
+CACHE=
+
+```
+
+## Develop
+
+### TL;DR
+
+Hack away.
+
+Be sure to run `./test.sh` before submitting anything.
+
+### Philosophy
+
+ * keep it simple
+    * entrypoint should be kept self-contained
+    * minimize runtime dependencies
+    * base images should be kept dead simple
+    * one process per container (letsencrypt refresh being the only exception)
+ * unrelated ops should go elsewhere
+    * advanced logging infrastructure does not belong inside a container
+    * no init system, failing containers should fail, exit, and be handled from the outside
+ * keep it secure
+    * no root
+    * no write
+    * no cap
+ * use existing infrastructure
+    * runnable artifacts go to:
+        * `/boot/bin` (read-only)
+    * configuration goes to:
+        * `/config` (read-only)
+    * certificates go to:
+        * `/certs` (read-write)
+    * persistent application data goes to:
+        * `/data` (read-write)
+    * volatile data go to:
+        * `/tmp` (read-write)
+ * only use chroot if you really REALLY need root first
diff --git a/Dockerfile b/Dockerfile
@@ -34,17 +34,24 @@ ARG           CADDY_VERSION=99914d22043f707f3f69bb5ee509d3353d75e943
 
 ARG           PROM_VERSION=1fe4cb19becd5b9a1bf85ef841a2a348aa3d78e5
 
+ARG           CACHE_VERSION=77032df0837be011283122f6ce041dc26ecd60c0
+
 WORKDIR       $GOPATH/src/github.com/miekg/caddy-prometheus
 RUN           git clone https://github.com/miekg/caddy-prometheus.git .
 RUN           git checkout $PROM_VERSION
 
+WORKDIR       $GOPATH/src/github.com/nicolasazrak/caddy-cache
+RUN           git clone https://github.com/nicolasazrak/caddy-cache.git .
+RUN           git checkout $CACHE_VERSION
+
+
 # Checkout and build
 WORKDIR       $GOPATH/src/github.com/caddyserver/caddy
 RUN           git clone https://github.com/caddyserver/caddy.git .
 RUN           git checkout $CADDY_VERSION
 
 # v1
-COPY          main.go cmd/caddy/main.go
+COPY          build/main.go cmd/caddy/main.go
 
 # Build it
 RUN           arch="${TARGETPLATFORM#*/}"; \
@@ -66,6 +73,8 @@ COPY          --from=builder --chown=$BUILD_UID:root /dist .
 ENV           DOMAIN="dev-null.farcloser.world"
 ENV           EMAIL="dubo-dubon-duponey@farcloser.world"
 ENV           STAGING=""
+ENV           USERNAME=dmp
+ENV           PASSWORD=nhehehehe
 
 ENV           CADDYPATH=/certs
 ENV           HTTPS_PORT=1443
@@ -80,5 +89,6 @@ EXPOSE        $METRICS_PORT/tcp
 
 # Default volumes certs, since these are expected to be writable
 VOLUME        /certs
+# VOLUME        /tmp
 
 HEALTHCHECK   --interval=30s --timeout=30s --start-period=10s --retries=1 CMD http-health || exit 1
diff --git a/README.md b/README.md
@@ -21,8 +21,8 @@ This is based on [Caddy](https://github.com/caddyserver/caddy/).
     * [x] multi-stage build with no installed dependencies for the runtime image
  * observable
     * [x] healthcheck
-    * [x] prometheus endpoint
     * [x] log to stdout
+    * [x] prometheus endpoint
 
 ## Run
 
@@ -100,14 +100,10 @@ Of course using any privileged port for these requires CAP_NET_BIND_SERVICE and
 
 Finally, any additional arguments provided when running the image will get fed to the `caddy` binary.
 
-#### Build time
-
-You can rebuild the image using the following build arguments:
-
- * BUILD_UID
-
-So to control which user-id to assign to the in-container user.
-
 ### Prometheus
 
 The default configuration files expose a Prometheus metrics endpoint on port 9253.
+
+## Moar?
+
+See [DEVELOP.md](DEVELOP.md)
diff --git a/main.go → build/main.go b/main.go → build/main.go
@@ -4,6 +4,8 @@ import (
 	"github.com/caddyserver/caddy/caddy/caddymain"
 
 	_ "github.com/miekg/caddy-prometheus"
+	// XXX doesn't seem to work (get 500) - commenting out for now
+	// _ "github.com/nicolasazrak/caddy-cache"
 )
 
 func main() {

diff --git a/http-client.go b/http-client.go
diff --git a/runtime/config/caddy.conf b/runtime/config/caddy.conf
@@ -9,3 +9,5 @@
 http://127.0.0.1:10042 {
   root /config/healthcheck
 }
+
+import sites.d/*
diff --git a/runtime/config/caddy_auth.conf b/runtime/config/caddy_auth.conf
@@ -0,0 +1 @@
+basicauth / {$USERNAME} {$PASSWORD}
diff --git a/runtime/config/caddy_cache.conf b/runtime/config/caddy_cache.conf
@@ -0,0 +1,6 @@
+cache {
+  match_header Content-Type image/jpg image/png image/jpeg image/gif application/javascript text/css
+  status_header X-Cache-Status
+  default_max_age 15m
+  path /tmp/cache
+}