
Commit 4325906

authored
Merge pull request #94 from linuxserver/harden-alpine322
add new container env vars and hardening setup alpine322
2 parents d9f7e63 + b9676b8 commit 4325906

10 files changed

Lines changed: 320 additions & 109 deletions


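--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ FROM ghcr.io/linuxserver/baseimage-alpine:3.22 AS frontend
 
 RUN \
 echo "**** install build packages ****" && \
-apk add --no-cache \
+apk add \
 cmake \
 git \
 nodejs \
@@ -16,24 +16,29 @@ RUN \
 https://github.com/selkies-project/selkies.git \
 /src && \
 cd /src && \
-git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab
+git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f
 
 RUN \
-echo "**** build frontend ****" && \
-cd /src && \
-cd addons/gst-web-core && \
+echo "**** build shared core library ****" && \
+cd /src/addons/gst-web-core && \
 npm install && \
 npm run build && \
-cp dist/selkies-core.js ../selkies-dashboard/src && \
-cd ../selkies-dashboard && \
-npm install && \
-npm run build && \
-mkdir dist/src dist/nginx && \
-cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
-cp ../gst-web-core/nginx/* dist/nginx/ && \
-cp -r ../gst-web-core/dist/jsdb dist/ && \
+echo "**** build multiple dashboards ****" && \
+DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \
 mkdir /buildout && \
-cp -ar dist/* /buildout/
+for DASH in $DASHBOARDS; do \
+cd /src/addons/$DASH && \
+cp ../gst-web-core/dist/selkies-core.js src/ && \
+npm install && \
+npm run build && \
+mkdir -p dist/src dist/nginx && \
+cp ../gst-web-core/dist/selkies-core.js dist/src/ && \
+cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
+cp ../gst-web-core/nginx/* dist/nginx/ && \
+cp -r ../gst-web-core/dist/jsdb dist/ && \
+mkdir -p /buildout/$DASH && \
+cp -ar dist/* /buildout/$DASH/; \
+done
 
 # Runtime stage
 FROM ghcr.io/linuxserver/baseimage-alpine:3.22
@@ -160,7 +165,7 @@ RUN \
 echo "**** install selkies ****" && \
 curl -o \
 /tmp/selkies.tar.gz -L \
-"https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \
+"https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \
 cd /tmp && \
 tar xf selkies.tar.gz && \
 cd selkies-* && \
@@ -201,6 +206,9 @@ RUN \
 -e 's|</keyboard>| <keybind key="C-S-d"><action name="ToggleDecorations"/></keybind>\n</keyboard>|' \
 -e 's|<number>4</number>|<number>1</number>|' \
 /etc/xdg/openbox/rc.xml && \
+sed -i \
+'s/--startup/--replace --startup/g' \
+/usr/bin/openbox-session && \
 echo "**** user perms ****" && \
 echo "abc:abc" | chpasswd && \
 usermod -s /bin/bash abc && \
@@ -235,7 +243,7 @@ RUN \
 
 # add local files
 COPY /root /
-COPY --from=frontend /buildout /usr/share/selkies/www
+COPY --from=frontend /buildout /usr/share/selkies
 COPY --from=xvfb / /
 
 # ports and volumes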
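Review bot: In the new `for DASH in $DASHBOARDS` loop the body ends with `cp -ar dist/* /buildout/$DASH/; \`, so a failed `npm install` or `npm run build` for any dashboard but the last does not fail the `RUN`: the `&&` chain short-circuits, the loop moves on, and the layer is committed without `/buildout/$DASH`. init-nginx/run in this commit copies `/usr/share/selkies/$DASHBOARD` (default `selkies-dashboard`, the first entry in the list) into the web root, so the breakage would only show up at container start. Ending the body with `cp -ar dist/* /buildout/$DASH/ || exit 1; \` stops the build at the first failure. The same loop is in Dockerfile.aarch64. Separately, `npm install` resolves dependency versions at build time; if the pinned selkies commit ships lockfiles, `npm ci` would hold the build to them.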

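--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -4,7 +4,7 @@ FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.22 AS frontend
 
 RUN \
 echo "**** install build packages ****" && \
-apk add --no-cache \
+apk add \
 cmake \
 git \
 nodejs \
@@ -16,24 +16,29 @@ RUN \
 https://github.com/selkies-project/selkies.git \
 /src && \
 cd /src && \
-git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab
+git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f
 
 RUN \
-echo "**** build frontend ****" && \
-cd /src && \
-cd addons/gst-web-core && \
+echo "**** build shared core library ****" && \
+cd /src/addons/gst-web-core && \
 npm install && \
 npm run build && \
-cp dist/selkies-core.js ../selkies-dashboard/src && \
-cd ../selkies-dashboard && \
-npm install && \
-npm run build && \
-mkdir dist/src dist/nginx && \
-cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
-cp ../gst-web-core/nginx/* dist/nginx/ && \
-cp -r ../gst-web-core/dist/jsdb dist/ && \
+echo "**** build multiple dashboards ****" && \
+DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \
 mkdir /buildout && \
-cp -ar dist/* /buildout/
+for DASH in $DASHBOARDS; do \
+cd /src/addons/$DASH && \
+cp ../gst-web-core/dist/selkies-core.js src/ && \
+npm install && \
+npm run build && \
+mkdir -p dist/src dist/nginx && \
+cp ../gst-web-core/dist/selkies-core.js dist/src/ && \
+cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
+cp ../gst-web-core/nginx/* dist/nginx/ && \
+cp -r ../gst-web-core/dist/jsdb dist/ && \
+mkdir -p /buildout/$DASH && \
+cp -ar dist/* /buildout/$DASH/; \
+done
 
 # Runtime stage
 FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.22
@@ -156,7 +161,7 @@ RUN \
 echo "**** install selkies ****" && \
 curl -o \
 /tmp/selkies.tar.gz -L \
-"https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \
+"https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \
 cd /tmp && \
 tar xf selkies.tar.gz && \
 cd selkies-* && \
@@ -197,6 +202,9 @@ RUN \
 -e 's|</keyboard>| <keybind key="C-S-d"><action name="ToggleDecorations"/></keybind>\n</keyboard>|' \
 -e 's|<number>4</number>|<number>1</number>|' \
 /etc/xdg/openbox/rc.xml && \
+sed -i \
+'s/--startup/--replace --startup/g' \
+/usr/bin/openbox-session && \
 echo "**** user perms ****" && \
 echo "abc:abc" | chpasswd && \
 usermod -s /bin/bash abc && \
@@ -231,7 +239,7 @@ RUN \
 
 # add local files
 COPY /root /
-COPY --from=frontend /buildout /usr/share/selkies/www
+COPY --from=frontend /buildout /usr/share/selkies
 COPY --from=xvfb / /
 
 # ports and volumes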

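--- a/root/defaults/default.conf
+++ b/root/defaults/default.conf
@@ -4,11 +4,11 @@ server {
 listen 3000 default_server;
 listen [::]:3000 default_server;
 location SUBFOLDER {
-alias /usr/share/selkies/www/;
+alias /usr/share/selkies/web/;
 index index.html index.htm;
 try_files $uri $uri/ =404;
 }
-location SUBFOLDERwebsocket {
+location /devmode {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 proxy_set_header Host $host;
@@ -21,9 +21,9 @@ server {
 proxy_connect_timeout 3600s;
 proxy_buffering off;
 client_max_body_size 10M;
-proxy_pass http://127.0.0.1:CWS;
+proxy_pass http://127.0.0.1:5173;
 }
-location /devmode {
+location SUBFOLDERwebsocket {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 proxy_set_header Host $host;
@@ -36,17 +36,21 @@ server {
 proxy_connect_timeout 3600s;
 proxy_buffering off;
 client_max_body_size 10M;
-proxy_pass http://127.0.0.1:5173;
+proxy_pass http://127.0.0.1:CWS;
 }
 location SUBFOLDERfiles {
 fancyindex on;
 fancyindex_footer SUBFOLDERnginx/footer.html;
 fancyindex_header SUBFOLDERnginx/header.html;
-alias REPLACE_HOME/Desktop/;
+alias REPLACE_DOWNLOADS_PATH/;
+if (-f $request_filename) {
+add_header Content-Disposition "attachment";
+add_header X-Content-Type-Options "nosniff";
+}
 }
 error_page 500 502 503 504 /50x.html;
 location = SUBFOLDER50x.html {
-root /usr/share/selkies/www/;
+root /usr/share/selkies/web/;
 }
 }
 
@@ -58,7 +62,7 @@ server {
 ssl_certificate /config/ssl/cert.pem;
 ssl_certificate_key /config/ssl/cert.key;
 location SUBFOLDER {
-alias /usr/share/selkies/www/;
+alias /usr/share/selkies/web/;
 index index.html index.htm;
 try_files $uri $uri/ =404;
 }
@@ -96,12 +100,14 @@ server {
 fancyindex on;
 fancyindex_footer SUBFOLDERnginx/footer.html;
 fancyindex_header SUBFOLDERnginx/header.html;
-alias REPLACE_HOME/Desktop/;
+alias REPLACE_DOWNLOADS_PATH/;
+if (-f $request_filename) {
+add_header Content-Disposition "attachment";
+add_header X-Content-Type-Options "nosniff";
+}
 }
 error_page 500 502 503 504 /50x.html;
 location = SUBFOLDER50x.html {
-root /usr/share/selkies/www/;
+root /usr/share/selkies/web/;
 }
 }
-
-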
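Review bot: The `if (-f $request_filename) { … }` block added to `location SUBFOLDERfiles` in both server blocks puts a second closing brace inside the text range that init-nginx/run deletes with `sed -i '/files {/,/^ }/d'` when downloads are disabled or `HARDEN_DESKTOP` is true. That range ends at the first line matching `^ }`, so it depends on the exact indentation of the inner and outer braces, which this rendered page does not preserve. If the inner brace matched first a stray `}` would be left in the config, and if nothing matched sed would delete through end of file. A comment on the location such as `# init-nginx/run removes this block by pattern ("files {" to the closing brace); keep the brace indentation` would record the coupling. The two `add_header` lines also deserve a one-line comment saying they are there so files from the transfer directory are downloaded rather than rendered by the browser.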

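--- a/root/etc/s6-overlay/s6-rc.d/init-nginx/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-nginx/run
@@ -9,6 +9,10 @@ CHPORT="${CUSTOM_HTTPS_PORT:-3001}"
 CWS="${CUSTOM_WS_PORT:-8082}"
 CUSER="${CUSTOM_USER:-abc}"
 SFOLDER="${SUBFOLDER:-/}"
+FILE_MANAGER_PATH="${FILE_MANAGER_PATH:-$HOME/Desktop}"
+DASHBOARD="${DASHBOARD:-selkies-dashboard}"
+SELKIES_FILE_TRANSFERS="${SELKIES_FILE_TRANSFERS:-upload,download}"
+HARDEN_DESKTOP="${HARDEN_DESKTOP:-false}"
 
 # create self signed cert
 if [ ! -f "/config/ssl/cert.pem" ]; then
@@ -28,8 +32,11 @@ sed -i "s/3000/$CPORT/g" ${NGINX_CONFIG}
 sed -i "s/3001/$CHPORT/g" ${NGINX_CONFIG}
 sed -i "s/CWS/$CWS/g" ${NGINX_CONFIG}
 sed -i "s|SUBFOLDER|$SFOLDER|g" ${NGINX_CONFIG}
-sed -i "s|REPLACE_HOME|$HOME|g" ${NGINX_CONFIG}
-s6-setuidgid abc mkdir -p $HOME/Desktop
+sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" ${NGINX_CONFIG}
+s6-setuidgid abc mkdir -p ${FILE_MANAGER_PATH}
+if [[ $SELKIES_FILE_TRANSFERS != *"download"* ]] || [[ ${HARDEN_DESKTOP,,} == "true" ]]; then
+sed -i '/files {/,/^ }/d' ${NGINX_CONFIG}
+fi
 if [ ! -z ${DISABLE_IPV6+x} ]; then
 sed -i '/listen \[::\]/d' ${NGINX_CONFIG}
 fi
@@ -44,7 +51,34 @@ if [ ! -z ${DEV_MODE+x} ]; then
 ${NGINX_CONFIG}
 fi
 
-# copy favicon
+# set dashboard and icon
+rm -Rf \
+/usr/share/selkies/web
+cp -a \
+/usr/share/selkies/$DASHBOARD \
+/usr/share/selkies/web
+sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" /usr/share/selkies/web/nginx/footer.html
+cp \
+/usr/share/selkies/www/icon.png \
+/usr/share/selkies/web/favicon.ico
 cp \
 /usr/share/selkies/www/icon.png \
-/usr/share/selkies/www/favicon.ico
+/usr/share/selkies/web/icon.png
+# manifest creation
+echo "{
+\"name\": \"${TITLE}\",
+\"short_name\": \"${TITLE}\",
+\"manifest_version\": 2,
+\"version\": \"1.0.0\",
+\"display\": \"fullscreen\",
+\"background_color\": \"#000000\",
+\"theme_color\": \"#000000\",
+\"icons\": [
+{
+\"src\": \"icon.png\",
+\"type\": \"image/png\",
+\"sizes\": \"180x180\"
+}
+],
+\"start_url\": \"/\"
+}" > /usr/share/selkies/web/manifest.json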
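Review bot: `DASHBOARD` comes straight from the container environment and is used unvalidated in `cp -a /usr/share/selkies/$DASHBOARD /usr/share/selkies/web`, immediately after `rm -Rf /usr/share/selkies/web`. A misspelt value leaves the container with no web root, and a value containing path components such as `..` would place a different directory into the tree nginx serves. An allowlist before the `rm`, matching the three names built in the Dockerfile, keeps the choice to the shipped dashboards: `case "$DASHBOARD" in selkies-dashboard|selkies-dashboard-zinc|selkies-dashboard-wish) ;; *) DASHBOARD=selkies-dashboard ;; esac`. `${FILE_MANAGER_PATH}` in the `mkdir -p` line and `$DASHBOARD` in the `cp` are also unquoted, so a value with spaces is split into several arguments. `${TITLE}` is written into manifest.json without escaping, so a title containing a double quote yields invalid JSON.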
