-
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Dockerfile
321 lines (265 loc) · 14.5 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
ARG FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
ARG FROM_IMAGE_FETCHER=base:golang-bullseye-2022-04-01@sha256:f8d1f21174380690d50f90e2729a7e9306e044bd04a65b4a58d91385998a3325
ARG FROM_IMAGE_BUILDER=base:builder-bullseye-2022-04-01@sha256:d73bb6ea84152c42e314bc9bff6388d0df6d01e277bd238ee0e6f8ade721856d
ARG FROM_IMAGE_AUDITOR=base:auditor-bullseye-2022-04-01@sha256:ca513bf0219f654afeb2d24aae233fef99cbcb01991aea64060f3414ac792b3f
ARG FROM_IMAGE_TOOLS=tools:linux-bullseye-2022-04-01@sha256:323f3e36da17d8638a07a656e2f17d5ee4dc2b17dfea7e2da36e1b2174cc5f18
ARG FROM_IMAGE_RUNTIME=base:runtime-bullseye-2022-04-01@sha256:6456b76dd2eedf34b4c5c997f9ad92901220dfdd405ec63419d0b54b6d85a777
FROM $FROM_REGISTRY/$FROM_IMAGE_TOOLS AS builder-tools
FROM --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_BUILDER AS fetcher-caddy
ARG GIT_REPO=github.com/caddyserver/caddy
# 2.4.5 need tweak to scep (minor version bump), but then the build segfaults
ARG GIT_VERSION=v2.4.3
ARG GIT_COMMIT=9d4ed3a3236df06e54c80c4f6633b66d68ad3673
# 2.4.6 segfaults
#ARG GIT_VERSION=v2.4.6
#ARG GIT_COMMIT=e7457b43e4703080ae8713ada798ce3e20b83690
ENV WITH_BUILD_SOURCE="./cmd/caddy"
ENV WITH_BUILD_OUTPUT="caddy"
ENV CGO_ENABLED=1
ENV ENABLE_STATIC=true
RUN git clone --recurse-submodules https://"$GIT_REPO" .; git checkout "$GIT_COMMIT"
# scep v2.0.0 checksum does not match anymore
# It's unclear whether the rename of the module to v2 is responsible, but one way or the other this
# *critical* module is suspicious
# RUN echo "replace github.com/micromdm/scep/v2 v2.0.0 => github.com/micromdm/scep/v2 v2.1.0" >> go.mod
ARG GIT_REPO_REPLACE=github.com/caddyserver/replace-response
#ARG GIT_VERSION_REPLACE=8fa6a90
#ARG GIT_COMMIT_REPLACE=8fa6a90147d10fa192ad9fd1df2b97c1844ed322
ARG GIT_VERSION=d32dc3f
ARG GIT_COMMIT_REPLACE=d32dc3ffff0c07a3c935ef33092803f90c55ba19
RUN echo "require $GIT_REPO_REPLACE $GIT_COMMIT_REPLACE" >> go.mod
# hadolint ignore=DL3045
COPY build/main.go ./cmd/caddy/main.go
RUN --mount=type=secret,id=CA \
--mount=type=secret,id=NETRC \
go mod tidy; \
[[ "${GOFLAGS:-}" == *-mod=vendor* ]] || go mod download
#######################
# Main builder
#######################
FROM --platform=$BUILDPLATFORM fetcher-caddy AS builder-caddy
ARG TARGETARCH
ARG TARGETOS
ARG TARGETVARIANT
ENV GOOS=$TARGETOS
ENV GOARCH=$TARGETARCH
ENV CGO_CFLAGS="${CFLAGS:-} ${ENABLE_PIE:+-fPIE}"
ENV GOFLAGS="-trimpath ${ENABLE_PIE:+-buildmode=pie} ${GOFLAGS:-}"
RUN export GOARM="$(printf "%s" "$TARGETVARIANT" | tr -d v)"; \
[ "${CGO_ENABLED:-}" != 1 ] || { \
eval "$(dpkg-architecture -A "$(echo "$TARGETARCH$TARGETVARIANT" | sed -e "s/^armv6$/armel/" -e "s/^armv7$/armhf/" -e "s/^ppc64le$/ppc64el/" -e "s/^386$/i386/")")"; \
export PKG_CONFIG="${DEB_TARGET_GNU_TYPE}-pkg-config"; \
export AR="${DEB_TARGET_GNU_TYPE}-ar"; \
export CC="${DEB_TARGET_GNU_TYPE}-gcc"; \
export CXX="${DEB_TARGET_GNU_TYPE}-g++"; \
[ ! "${ENABLE_STATIC:-}" ] || { \
[ ! "${WITH_CGO_NET:-}" ] || { \
ENABLE_STATIC=; \
LDFLAGS="${LDFLAGS:-} -static-libgcc -static-libstdc++"; \
}; \
[ "$GOARCH" == "amd64" ] || [ "$GOARCH" == "arm64" ] || [ "${ENABLE_PIE:-}" != true ] || ENABLE_STATIC=; \
}; \
WITH_LDFLAGS="${WITH_LDFLAGS:-} -linkmode=external -extld="$CC" -extldflags \"${LDFLAGS:-} ${ENABLE_STATIC:+-static}${ENABLE_PIE:+-pie}\""; \
WITH_TAGS="${WITH_TAGS:-} cgo ${ENABLE_STATIC:+static static_build}"; \
}; \
go build -ldflags "-s -w -v ${WITH_LDFLAGS:-}" -tags "${WITH_TAGS:-} net${WITH_CGO_NET:+c}go osusergo" -o /dist/boot/bin/"$WITH_BUILD_OUTPUT" "$WITH_BUILD_SOURCE"
##########################
# Bridge: builder
##########################
FROM $FROM_REGISTRY/$FROM_IMAGE_AUDITOR AS builder-bridge
ARG TARGETPLATFORM
ARG TARGETARCH
ARG TARGETVARIANT
# Install dependencies and tools: bridge
RUN --mount=type=secret,uid=100,id=CA \
--mount=type=secret,uid=100,id=CERTIFICATE \
--mount=type=secret,uid=100,id=KEY \
--mount=type=secret,uid=100,id=GPG.gpg \
--mount=type=secret,id=NETRC \
--mount=type=secret,id=APT_SOURCES \
--mount=type=secret,id=APT_CONFIG \
apt-get update -qq && \
apt-get install -qq --no-install-recommends \
bzip2=1.0.8-4 \
libasound2=1.2.4-1.1
# \
# libicu67=67.1-7
WORKDIR /dist/boot/bin
COPY "./cache/$TARGETPLATFORM/bridge.tar.bz2" .
RUN tar -xjf bridge.tar.bz2
RUN rm bridge.tar.bz2
RUN ./RoonBridge/check.sh
RUN sed -i "s/\-\-debug//g" RoonBridge/Bridge/RAATServer
RUN sed -i "s/\-\-debug//g" RoonBridge/Bridge/RoonBridgeHelper
RUN sed -i "s/\-\-debug//g" RoonBridge/Bridge/RoonBridge
# XXX do we NEED libasound?
RUN mkdir -p /dist/boot/lib; \
eval "$(dpkg-architecture -A "$(echo "$TARGETARCH$TARGETVARIANT" | sed -e "s/^armv6$/armel/" -e "s/^armv7$/armhf/" -e "s/^ppc64le$/ppc64el/" -e "s/^386$/i386/")")"; \
cp /usr/lib/"$DEB_TARGET_MULTIARCH"/libasound.so.2 /dist/boot/lib
#######################
# Bridge: assembly
#######################
FROM --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_AUDITOR AS assembly-bridge
COPY --from=builder-bridge /dist/boot /dist/boot
COPY --from=builder-bridge /usr/share/alsa /dist/usr/share/alsa
RUN chmod 555 /dist/boot/bin/*; \
epoch="$(date --date "$BUILD_CREATED" +%s)"; \
find /dist/boot -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' +;
#######################
# Bridge: runtime
#######################
FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS runtime-bridge
COPY --from=assembly-bridge --chown=$BUILD_UID:root /dist /
# XXX LD_LIBRARY_PATH are a liability when mixed with caps - so, watch out
# Alternative is rpathing, but what exactly?
ENV LD_LIBRARY_PATH=/boot/lib
ENV ROON_DATAROOT=/data/data_root
ENV ROON_ID_DIR=/data/id_dir
VOLUME /data
VOLUME /tmp
##########################
# Building image server
##########################
FROM $FROM_REGISTRY/$FROM_IMAGE_AUDITOR AS builder-server
# Install dependencies and tools: bridge
RUN --mount=type=secret,uid=100,id=CA \
--mount=type=secret,uid=100,id=CERTIFICATE \
--mount=type=secret,uid=100,id=KEY \
--mount=type=secret,uid=100,id=GPG.gpg \
--mount=type=secret,id=NETRC \
--mount=type=secret,id=APT_SOURCES \
--mount=type=secret,id=APT_CONFIG \
apt-get update -qq && \
apt-get install -qq --no-install-recommends \
bzip2=1.0.8-4 \
libasound2=1.2.4-1.1 \
ffmpeg=7:4.3.3-0+deb11u1 \
cifs-utils=2:6.11-3.1
WORKDIR /dist/boot/bin
COPY "./cache/linux/amd64/server.tar.bz2" .
RUN tar -xjf server.tar.bz2
RUN rm server.tar.bz2
RUN ln -s dotnet /dist/boot/bin/RoonServer/RoonDotnet/RoonServer
RUN ln -s dotnet /dist/boot/bin/RoonServer/RoonDotnet/RoonAppliance
RUN ln -s dotnet /dist/boot/bin/RoonServer/RoonDotnet/RAATServer
RUN ./RoonServer/check.sh
#RUN ln -s mono-sgen /dist/boot/bin/RoonServer/RoonMono/bin/RAATServer
#RUN ln -s mono-sgen /dist/boot/bin/RoonServer/RoonMono/bin/RoonAppliance
#RUN ln -s mono-sgen /dist/boot/bin/RoonServer/RoonMono/bin/RoonServer
#######################
# Builder assembly for server
#######################
FROM --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_AUDITOR AS assembly
ARG TARGETARCH
COPY --from=builder-server /dist/boot /dist/boot
COPY --from=builder-caddy /dist/boot/bin/caddy /dist/boot/bin
#COPY --from=builder-tools /boot/bin/caddy /dist/boot/bin
COPY --from=builder-tools /boot/bin/goello-server-ng /dist/boot/bin
COPY --from=builder-tools /boot/bin/http-health /dist/boot/bin
RUN setcap 'cap_net_bind_service+ep' /dist/boot/bin/caddy
# XXX dubo-check currently does not avoid directories - fixed upstream
RUN RUNNING=true \
STATIC=true \
dubo-check validate /dist/boot/bin/caddy; \
dubo-check validate /dist/boot/bin/goello-server-ng; \
dubo-check validate /dist/boot/bin/http-health
RUN RO_RELOCATIONS=true \
dubo-check validate /dist/boot/bin/caddy
RUN chmod 555 /dist/boot/bin/*; \
epoch="$(date --date "$BUILD_CREATED" +%s)"; \
find /dist/boot -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' +;
#######################
# Running image server
#######################
FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME AS runtime-server
USER root
# Removing this will prevent the RoonServer from using audio devices, hence making the use of RaatBridges mandatory (which is fine)
# libasound2=1.2.4-1.1 \
RUN --mount=type=secret,uid=100,id=CA \
--mount=type=secret,uid=100,id=CERTIFICATE \
--mount=type=secret,uid=100,id=KEY \
--mount=type=secret,uid=100,id=GPG.gpg \
--mount=type=secret,id=NETRC \
--mount=type=secret,id=APT_SOURCES \
--mount=type=secret,id=APT_CONFIG \
apt-get update -qq \
&& apt-get install -qq --no-install-recommends \
ffmpeg=7:4.3.3-0+deb11u1 \
&& apt-get -qq autoremove \
&& apt-get -qq clean \
&& rm -rf /var/lib/apt/lists/* \
&& rm -rf /tmp/* \
&& rm -rf /var/tmp/*
USER dubo-dubon-duponey
ENV ROON_DATAROOT=/data/data_root
ENV ROON_ID_DIR=/data/id_dir
EXPOSE 9003/udp
VOLUME /music
ENV _SERVICE_NICK="roon"
ENV _SERVICE_TYPE="http"
COPY --from=assembly --chown=$BUILD_UID:root /dist /
### Front server configuration
## Advanced settings that usually should not be changed
# Ports for http and https - recent changes in docker make it no longer necessary to have caps, plus we have our NET_BIND_SERVICE cap set anyhow - it's 2021, there is no reason to keep on venerating privileged ports
ENV ADVANCED_PORT_HTTPS=443
ENV ADVANCED_PORT_HTTP=80
EXPOSE 443
EXPOSE 80
# By default, tls should be restricted to 1.3 - you may downgrade to 1.2+ for compatibility with older clients (webdav client on macos, older browsers)
ENV ADVANCED_TLS_MIN=1.3
# Name advertised by Caddy in the server http header
ENV ADVANCED_SERVER_NAME="DuboDubonDuponey/1.0 (Caddy/2) [$_SERVICE_NICK]"
# Root certificate to trust for mTLS - this is not used if MTLS is disabled
ENV ADVANCED_MTLS_TRUST="/certs/mtls_ca.crt"
# Log verbosity for
ENV LOG_LEVEL="warn"
# Whether to start caddy at all or not
ENV PROXY_HTTPS_ENABLED=true
# Domain name to serve
ENV DOMAIN="$_SERVICE_NICK.local"
ENV ADDITIONAL_DOMAINS="https://*.debian.org"
# Control wether tls is going to be "internal" (eg: self-signed), or alternatively an email address to enable letsencrypt - use "" to disable TLS entirely
ENV TLS="internal"
# Issuer name to appear in certificates
#ENV TLS_ISSUER="Dubo Dubon Duponey"
# Either disable_redirects or ignore_loaded_certs if one wants the redirects
ENV TLS_AUTO=disable_redirects
# Staging
# https://acme-staging-v02.api.letsencrypt.org/directory
# Plain
# https://acme-v02.api.letsencrypt.org/directory
# PKI
# https://pki.local
ENV TLS_SERVER="https://acme-v02.api.letsencrypt.org/directory"
# Either require_and_verify or verify_if_given, or "" to disable mTLS altogether
ENV MTLS="require_and_verify"
# Realm for authentication - set to "" to disable authentication entirely
ENV AUTH="My Precious Realm"
# Provide username and password here (call the container with the "hash" command to generate a properly encrypted password, otherwise, a random one will be generated)
ENV AUTH_USERNAME="dubo-dubon-duponey"
ENV AUTH_PASSWORD="cmVwbGFjZV9tZV93aXRoX3NvbWV0aGluZwo="
### mDNS broadcasting
# Whether to enable MDNS broadcasting or not
ENV MDNS_ENABLED=true
# Type to advertise
ENV MDNS_TYPE="_$_SERVICE_TYPE._tcp"
# Name is used as a short description for the service
ENV MDNS_NAME="$_SERVICE_NICK mDNS display name"
# The service will be annonced and reachable at $MDNS_HOST.local (set to empty string to disable mDNS announces entirely)
ENV MDNS_HOST="$_SERVICE_NICK"
# Also announce the service as a workstation (for example for the benefit of coreDNS mDNS)
ENV MDNS_STATION=true
# Caddy certs will be stored here
VOLUME /certs
# Caddy uses this
VOLUME /tmp
# Used by the backend service
VOLUME /data
ENV HEALTHCHECK_URL="http://127.0.0.1:10000/?healthcheck"
HEALTHCHECK --interval=120s --timeout=30s --start-period=10s --retries=1 CMD http-health || exit 1
# Roon is moving to MS
# See https://docs.microsoft.com/en-us/dotnet/core/install/linux-debian
# https://help.roonlabs.com/portal/en/kb/articles/linux-performance-improvements#Join_the_beta
# We may be missing:
#libgcc1
#libgssapi-krb5-2