Work in progress

DEVELOP.md

@@ -72,14 +72,22 @@ Be sure to run `./hack/lint.sh` and `./hack/test.sh` before submitting anything.
     * no write
     * no cap
  * use the provided infrastructure
-    * runnable artifacts go to:
-        * `/boot/bin` (read-only)
-    * configuration should be read from:
-        * `/config` (read-only)
-    * certificates should go to:
-        * `/certs` (either read-only or read-write)
-    * persistent application data should use:
-        * `/data` (usually read-write)
-    * volatile data should use:
-        * `/tmp` (usually read-write)
+   * runnable artifacts go to:
+     * `/boot/bin` (read-only)
+   * configuration should be read from:
+     * `/magnetar/system/config` (read-only)
+   * and:
+     * `/magnetar/user/config` (read-write, user controlled)
+   * certificates should go to:
+     * `/magnetar/user/data` (either read-only or read-write)
+   * or:
+     * `/magnetar/system/data` (read-only)
+   * persistent application data should use:
+     * `/magnerar/system/data` (usually read-only)
+   * runtime data (socket, pipes) should use:
+     * `/magnerar/runtime`
+   * temp data (logs, states, etc) should use:
+     * `/magnerar/state`
+   * cache should use:
+     * `/magnerar/cache`
  * only use chroot to downgrade if you really REALLY need to start your entrypoint with "root"

Dockerfile

@@ -147,11 +147,10 @@ COPY          --from=assembly-bridge --chown=$BUILD_UID:root  /dist /
 # Alternative is rpathing, but what exactly?
 ENV           LD_LIBRARY_PATH=/boot/lib
 
-ENV           ROON_DATAROOT=/data/data_root
-ENV           ROON_ID_DIR=/data/id_dir
+ENV           ROON_DATAROOT="$XDG_DATA_HOME"/roon/data
+ENV           ROON_ID_DIR="$XDG_DATA_HOME"/roon/id
 
-VOLUME        /data
-VOLUME        /tmp
+VOLUME        "$XDG_DATA_HOME"
 
 ##########################
 # Building image server
@@ -247,10 +246,8 @@ RUN           --mount=type=secret,uid=100,id=CA \
 
 USER          dubo-dubon-duponey
 
-ENV           ROON_DATAROOT=/data/data_root
-ENV           ROON_ID_DIR=/data/id_dir
-EXPOSE        9003/udp
-VOLUME        /music
+ENV           ROON_DATAROOT="$XDG_DATA_HOME"/roon/data
+ENV           ROON_ID_DIR="$XDG_DATA_HOME"/roon/id
 
 ENV           _SERVICE_NICK="roon"
 ENV           _SERVICE_TYPE="_http._tcp"
@@ -338,13 +335,10 @@ ENV           ADVANCED_MOD_HTTP_ADDITIONAL_DOMAINS=""
 #####
 EXPOSE        443
 EXPOSE        80
+EXPOSE        9003/udp
 
-# Caddy certs will be stored here
-VOLUME        /certs
-# Caddy uses this
-VOLUME        /tmp
-# Used by the backend service
-VOLUME        /data
+VOLUME        "$XDG_DATA_HOME"
+VOLUME        /music
 
 ENV           HEALTHCHECK_URL="http://127.0.0.1:10000/?healthcheck"
 

context/runtime/boot/entrypoint.sh

@@ -13,7 +13,6 @@ readonly root
 helpers::dir::writable "/tmp"
 
 helpers::dir::writable "$XDG_DATA_HOME" create
-helpers::dir::writable "$XDG_DATA_DIRS" create
 
 helpers::dir::writable "$ROON_ID_DIR" create
 helpers::dir::writable "$ROON_DATAROOT" create

context/runtime/boot/http.sh

@@ -27,11 +27,11 @@ http::certificate(){
     printf >&2 "Your container uses letsencrypt - there is no local CA in that case."
     exit 1
   fi
-  if [ ! -e /certs/pki/authorities/local/root.crt ]; then
+  if [ ! -e "$XDG_DATA_HOME"/certs/pki/authorities/local/root.crt ]; then
     printf >&2 "No root certificate installed or generated. Run the container so that a cert is generated, or provide one at runtime."
     exit 1
   fi
-  cat /certs/pki/authorities/local/root.crt
+  cat "$XDG_DATA_HOME"/certs/pki/authorities/local/root.crt
 }
 
 http::start(){
@@ -69,6 +69,6 @@ http::start(){
   CDY_PORT_HTTPS="${ADVANCED_MOD_HTTP_PORT:-$_default_https_port}" \
   CDY_TLS_MIN="${ADVANCED_MOD_HTTP_TLS_MIN:-$_default_tls_min}" \
   CDY_SERVER_NAME="${ADVANCED_MOD_HTTP_SERVER_NAME:-$_default_server_name}" \
-    caddy run --config /config/caddy/main.conf --adapter caddyfile "$@"
+    caddy run --config "$XDG_CONFIG_DIRS"/caddy/main.conf --adapter caddyfile "$@"
 }
 

context/runtime/boot/mdns.sh

@@ -90,7 +90,7 @@ mdns::start::avahi(){
   [ "$LOG_LEVEL" != "debug" ] || args+=(--debug)
 
   # -D/--daemonize implies -s/--syslog that we do not want, so, just background it
-  avahi-daemon -f /config/avahi/main.conf --no-drop-root --no-chroot "${args[@]}" &
+  avahi-daemon -f "$XDG_CONFIG_DIRS"/avahi/main.conf --no-drop-root --no-chroot "${args[@]}" &
 
   local tries=1
   # Wait until the socket is there
@@ -109,11 +109,9 @@ mdns::start::dbus(){
   # https://man7.org/linux/man-pages/man3/sd_bus_default.3.html
   # https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html
 
-  # $XDG_RUNTIME_DIR=/tmp/runtime
+  local dbussocket=/magnetar/runtime/dbus/system_bus_socket
   # Configuration file also has that ^ hardcoded, so, cannot use the variable...
 
-  local dbussocket=/tmp/runtime/dbus/system_bus_socket
-
   # Ensure directory exists
   helpers::dir::writable "$(dirname "$dbussocket")" create
 
@@ -122,7 +120,7 @@ mdns::start::dbus(){
   export DBUS_SESSION_BUS_ADDRESS=unix:path="$dbussocket"
 
   # Start it, without a PID file
-  dbus-daemon --nopidfile --config-file /config/dbus/main.conf
+  dbus-daemon --nopidfile --config-file "$XDG_CONFIG_DIRS"/dbus/main.conf
 
   local tries=1
   # Wait until the socket is there

context/runtime/magnetar/system/config/caddy/conf.d/cache.conf

@@ -0,0 +1,27 @@
+cache {
+  log_level "{args[0]}"
+
+  cache_keys {
+    disable_body
+  }
+
+  key {
+    disable_body
+  }
+
+  stale 31536000s
+  ttl 31536000s
+
+  nuts {
+    configuration {
+      Dir "{args[1]}"
+      EntryIdxMode 1
+      RWMode 0
+      SegmentSize 1024
+      NodeNum 42
+      SyncEnable true
+      StartFileLoadingMode 1
+    }
+  }
+}
+

context/runtime/magnetar/system/config/caddy/conf.d/global.conf

@@ -0,0 +1,23 @@
+{
+	https_port {args[0]}
+	http_port {args[1]}
+	default_sni {args[2]}
+	admin off
+	storage file_system {
+		root "{$XDG_DATA_HOME}"/certs
+	}
+	skip_install_trust
+	auto_https {args[3]}
+  order basicauth after request_header
+  order replace after encode
+  order cache before rewrite
+
+  acme_ca {args[4]}
+
+  import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/log.conf {args[5]}
+  import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/cache.conf "warn" "{$XDG_CACHE_HOME}/caddy"
+
+  servers {
+    metrics
+  }
+}

context/runtime/config/caddy/conf.d/headers.conf → context/runtime/magnetar/system/config/caddy/conf.d/headers.conf

@@ -19,6 +19,5 @@ header ?Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 # CSP is garbage and unusable
 # header ?Content-Security-Policy "default-src 'self';"
 
-
 # Signature
 header Server "{args[0]}"

context/runtime/magnetar/system/config/caddy/main.conf

@@ -0,0 +1,3 @@
+import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/global.conf "{$CDY_PORT_HTTPS}" "{$CDY_PORT_HTTP}" "{$CDY_DOMAIN}" "{$CDY_TLS_AUTO}" "{$CDY_ACME_CA}" "{$CDY_LOG_LEVEL}"
+import "{$XDG_CONFIG_DIRS}"/caddy/sites.d/*.conf
+import "{$XDG_CONFIG_HOME}"/caddy/sites.d/*.conf

context/runtime/magnetar/system/config/caddy/sites.d/main.conf

@@ -0,0 +1,21 @@
+{$CDY_SCHEME}://{$CDY_DOMAIN} {$CDY_ADDITIONAL_DOMAINS} {
+  import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/log.conf "{$CDY_LOG_LEVEL}"
+  import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/headers.conf "{$CDY_SERVER_NAME}"
+  import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/proxyauth.conf
+  import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/tls*{$CDY_TLS_DISABLE}.conf "{$CDY_TLS_MODE}" "{$CDY_TLS_MIN}"
+  import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/mtls*{$CDY_MTLS_DISABLE}.conf "{$CDY_TLS_MODE}" "{$CDY_MTLS_MODE}" "{$CDY_MTLS_TRUST}"
+  import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/auth*{$CDY_AUTH_DISABLE}.conf "{$CDY_AUTH_REALM}" "{$CDY_AUTH_USERNAME}" "{$CDY_AUTH_PASSWORD}"
+
+  metrics /metrics
+
+  rewrite / /display
+  replace "ws://" "wss://"
+  replace "http://" "https://"
+
+  # Pass it down
+	reverse_proxy http://127.0.0.1:9100 {
+    import "{$XDG_CONFIG_DIRS}"/caddy/conf.d/proxy_headers.conf
+    # CSP specifics to this backend service
+    header_down Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' blob:; font-src 'self' https://fonts.gstatic.com"
+  }
+}