
Commit cb28592

authored
Merge pull request #96 from linuxserver/harden-noble
add new container env vars and hardening setup noble
2 parents 7599b41 + 30e0494 commit cb28592

11 files changed

Lines changed: 365 additions & 103 deletions


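--- a/Dockerfile
+++ b/Dockerfile
@@ -16,24 +16,29 @@ RUN \
 https://github.com/selkies-project/selkies.git \
 /src && \
 cd /src && \
-git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab
+git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f
 
 RUN \
-echo "**** build frontend ****" && \
-cd /src && \
-cd addons/gst-web-core && \
-npm install && \
-npm run build && \
-cp dist/selkies-core.js ../selkies-dashboard/src && \
-cd ../selkies-dashboard && \
+echo "**** build shared core library ****" && \
+cd /src/addons/gst-web-core && \
 npm install && \
 npm run build && \
-mkdir dist/src dist/nginx && \
-cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
-cp ../gst-web-core/nginx/* dist/nginx/ && \
-cp -r ../gst-web-core/dist/jsdb dist/ && \
+echo "**** build multiple dashboards ****" && \
+DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \
 mkdir /buildout && \
-cp -ar dist/* /buildout/
+for DASH in $DASHBOARDS; do \
+cd /src/addons/$DASH && \
+cp ../gst-web-core/dist/selkies-core.js src/ && \
+npm install && \
+npm run build && \
+mkdir -p dist/src dist/nginx && \
+cp ../gst-web-core/dist/selkies-core.js dist/src/ && \
+cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
+cp ../gst-web-core/nginx/* dist/nginx/ && \
+cp -r ../gst-web-core/dist/jsdb dist/ && \
+mkdir -p /buildout/$DASH && \
+cp -ar dist/* /buildout/$DASH/; \
+done
 
 # Runtime stage
 FROM ghcr.io/linuxserver/baseimage-ubuntu:noble
@@ -184,7 +189,7 @@ RUN \
 | awk '/tag_name/{print $4;exit}' FS='[""]') && \
 curl -o \
 /tmp/selkies.tar.gz -L \
-"https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \
+"https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \
 cd /tmp && \
 tar xf selkies.tar.gz && \
 cd selkies-* && \
@@ -227,6 +232,9 @@ RUN \
 -e 's|</keyboard>| <keybind key="C-S-d"><action name="ToggleDecorations"/></keybind>\n</keyboard>|' \
 -e 's|<number>4</number>|<number>1</number>|' \
 /etc/xdg/openbox/rc.xml && \
+sed -i \
+'s/--startup/--replace --startup/g' \
+/usr/bin/openbox-session && \
 echo "**** user perms ****" && \
 sed -e 's/%sudo ALL=(ALL:ALL) ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' \
 -i /etc/sudoers && \
@@ -271,7 +279,7 @@ RUN \
 
 # add local files
 COPY /root /
-COPY --from=frontend /buildout /usr/share/selkies/www
+COPY --from=frontend /buildout /usr/share/selkies
 COPY --from=xvfb / /
 
 # ports and volumes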
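Review bot: In the new dashboard loop (new lines 29-41) a failed build of any dashboard except the last does not fail the `RUN`, because the loop body ends in `;` and a `for` loop returns only the status of the last command it executed. A broken `npm install` or `npm run build` for `selkies-dashboard` or `selkies-dashboard-zinc` would still yield a successful image build with that directory missing or incomplete under `/buildout`, and the init script's `cp -a /usr/share/selkies/$DASHBOARD` would then fail only at container start. End the chain with `cp -ar dist/* /buildout/$DASH/ || exit 1; \` so every iteration is checked. The same loop is added in Dockerfile.aarch64.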

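--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -16,24 +16,29 @@ RUN \
 https://github.com/selkies-project/selkies.git \
 /src && \
 cd /src && \
-git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab
+git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f
 
 RUN \
-echo "**** build frontend ****" && \
-cd /src && \
-cd addons/gst-web-core && \
-npm install && \
-npm run build && \
-cp dist/selkies-core.js ../selkies-dashboard/src && \
-cd ../selkies-dashboard && \
+echo "**** build shared core library ****" && \
+cd /src/addons/gst-web-core && \
 npm install && \
 npm run build && \
-mkdir dist/src dist/nginx && \
-cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
-cp ../gst-web-core/nginx/* dist/nginx/ && \
-cp -r ../gst-web-core/dist/jsdb dist/ && \
+echo "**** build multiple dashboards ****" && \
+DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \
 mkdir /buildout && \
-cp -ar dist/* /buildout/
+for DASH in $DASHBOARDS; do \
+cd /src/addons/$DASH && \
+cp ../gst-web-core/dist/selkies-core.js src/ && \
+npm install && \
+npm run build && \
+mkdir -p dist/src dist/nginx && \
+cp ../gst-web-core/dist/selkies-core.js dist/src/ && \
+cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
+cp ../gst-web-core/nginx/* dist/nginx/ && \
+cp -r ../gst-web-core/dist/jsdb dist/ && \
+mkdir -p /buildout/$DASH && \
+cp -ar dist/* /buildout/$DASH/; \
+done
 
 # Runtime stage
 FROM ghcr.io/linuxserver/baseimage-ubuntu:arm64v8-noble
@@ -181,7 +186,7 @@ RUN \
 | awk '/tag_name/{print $4;exit}' FS='[""]') && \
 curl -o \
 /tmp/selkies.tar.gz -L \
-"https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \
+"https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \
 cd /tmp && \
 tar xf selkies.tar.gz && \
 cd selkies-* && \
@@ -224,6 +229,9 @@ RUN \
 -e 's|</keyboard>| <keybind key="C-S-d"><action name="ToggleDecorations"/></keybind>\n</keyboard>|' \
 -e 's|<number>4</number>|<number>1</number>|' \
 /etc/xdg/openbox/rc.xml && \
+sed -i \
+'s/--startup/--replace --startup/g' \
+/usr/bin/openbox-session && \
 echo "**** user perms ****" && \
 sed -e 's/%sudo ALL=(ALL:ALL) ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' \
 -i /etc/sudoers && \
@@ -268,7 +276,7 @@ RUN \
 
 # add local files
 COPY /root /
-COPY --from=frontend /buildout /usr/share/selkies/www
+COPY --from=frontend /buildout /usr/share/selkies
 COPY --from=xvfb / /
 
 # ports and volumes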
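Review bot: The frontend stage runs `npm install` for gst-web-core (new line 24) and once per dashboard in the loop (new line 32), and `npm install` may resolve version ranges at build time and rewrite the lockfile instead of installing exactly what is recorded. The JavaScript shipped in the image is therefore not fully determined by the pinned selkies commit, which weakens the point of pinning it. If each addon directory in the upstream tree carries a `package-lock.json` (not visible on this page), `npm ci` installs exactly the locked set and fails when the lockfile and `package.json` disagree. The same lines appear in Dockerfile.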

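--- a/root/defaults/default.conf
+++ b/root/defaults/default.conf
@@ -4,7 +4,7 @@ server {
 listen 3000 default_server;
 listen [::]:3000 default_server;
 location SUBFOLDER {
-alias /usr/share/selkies/www/;
+alias /usr/share/selkies/web/;
 index index.html index.htm;
 try_files $uri $uri/ =404;
 }
@@ -42,11 +42,15 @@ server {
 fancyindex on;
 fancyindex_footer SUBFOLDERnginx/footer.html;
 fancyindex_header SUBFOLDERnginx/header.html;
-alias REPLACE_HOME/Desktop/;
+alias REPLACE_DOWNLOADS_PATH/;
+if (-f $request_filename) {
+add_header Content-Disposition "attachment";
+add_header X-Content-Type-Options "nosniff";
+}
 }
 error_page 500 502 503 504 /50x.html;
 location = SUBFOLDER50x.html {
-root /usr/share/selkies/www/;
+root /usr/share/selkies/web/;
 }
 }
 
@@ -58,7 +62,7 @@ server {
 ssl_certificate /config/ssl/cert.pem;
 ssl_certificate_key /config/ssl/cert.key;
 location SUBFOLDER {
-alias /usr/share/selkies/www/;
+alias /usr/share/selkies/web/;
 index index.html index.htm;
 try_files $uri $uri/ =404;
 }
@@ -96,12 +100,14 @@ server {
 fancyindex on;
 fancyindex_footer SUBFOLDERnginx/footer.html;
 fancyindex_header SUBFOLDERnginx/header.html;
-alias REPLACE_HOME/Desktop/;
+alias REPLACE_DOWNLOADS_PATH/;
+if (-f $request_filename) {
+add_header Content-Disposition "attachment";
+add_header X-Content-Type-Options "nosniff";
+}
 }
 error_page 500 502 503 504 /50x.html;
 location = SUBFOLDER50x.html {
-root /usr/share/selkies/www/;
+root /usr/share/selkies/web/;
 }
 }
-
-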
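Review bot: The new `if (-f $request_filename)` block in both fancyindex locations (new lines 46-49 and 104-107) is its own `add_header` level, and nginx inherits `add_header` from outer levels only when the current level defines none. Any response headers set with `add_header` at server or http level (not visible in these hunks) would therefore be missing from file downloads, so check for them and repeat them inside the block if they exist. The directory listing is not a regular file and gets neither header, so `add_header X-Content-Type-Options "nosniff";` could also be set at location level. A comment above the `if`, such as `# force download so transferred files are never rendered in this origin`, would record what is presumably the intent. The enclosing location blocks start outside the hunks.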

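--- a/root/etc/s6-overlay/s6-rc.d/init-nginx/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-nginx/run
@@ -9,6 +9,10 @@ CHPORT="${CUSTOM_HTTPS_PORT:-3001}"
 CWS="${CUSTOM_WS_PORT:-8082}"
 CUSER="${CUSTOM_USER:-abc}"
 SFOLDER="${SUBFOLDER:-/}"
+FILE_MANAGER_PATH="${FILE_MANAGER_PATH:-$HOME/Desktop}"
+DASHBOARD="${DASHBOARD:-selkies-dashboard}"
+SELKIES_FILE_TRANSFERS="${SELKIES_FILE_TRANSFERS:-upload,download}"
+HARDEN_DESKTOP="${HARDEN_DESKTOP:-false}"
 
 # create self signed cert
 if [ ! -f "/config/ssl/cert.pem" ]; then
@@ -28,8 +32,11 @@ sed -i "s/3000/$CPORT/g" ${NGINX_CONFIG}
 sed -i "s/3001/$CHPORT/g" ${NGINX_CONFIG}
 sed -i "s/CWS/$CWS/g" ${NGINX_CONFIG}
 sed -i "s|SUBFOLDER|$SFOLDER|g" ${NGINX_CONFIG}
-sed -i "s|REPLACE_HOME|$HOME|g" ${NGINX_CONFIG}
-s6-setuidgid abc mkdir -p $HOME/Desktop
+sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" ${NGINX_CONFIG}
+s6-setuidgid abc mkdir -p ${FILE_MANAGER_PATH}
+if [[ $SELKIES_FILE_TRANSFERS != *"download"* ]] || [[ ${HARDEN_DESKTOP,,} == "true" ]]; then
+sed -i '/files {/,/^ }/d' ${NGINX_CONFIG}
+fi
 if [ ! -z ${DISABLE_IPV6+x} ]; then
 sed -i '/listen \[::\]/d' ${NGINX_CONFIG}
 fi
@@ -44,7 +51,34 @@ if [ ! -z ${DEV_MODE+x} ]; then
 ${NGINX_CONFIG}
 fi
 
-# copy favicon
+# set dashboard and icon
+rm -Rf \
+/usr/share/selkies/web
+cp -a \
+/usr/share/selkies/$DASHBOARD \
+/usr/share/selkies/web
+sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" /usr/share/selkies/web/nginx/footer.html
+cp \
+/usr/share/selkies/www/icon.png \
+/usr/share/selkies/web/favicon.ico
 cp \
 /usr/share/selkies/www/icon.png \
-/usr/share/selkies/www/favicon.ico
+/usr/share/selkies/web/icon.png
+# manifest creation
+echo "{
+\"name\": \"${TITLE}\",
+\"short_name\": \"${TITLE}\",
+\"manifest_version\": 2,
+\"version\": \"1.0.0\",
+\"display\": \"fullscreen\",
+\"background_color\": \"#000000\",
+\"theme_color\": \"#000000\",
+\"icons\": [
+{
+\"src\": \"icon.png\",
+\"type\": \"image/png\",
+\"sizes\": \"180x180\"
+}
+],
+\"start_url\": \"/\"
+}" > /usr/share/selkies/web/manifest.json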
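Review bot: `DASHBOARD` comes from the environment and is used unquoted and unvalidated in `cp -a /usr/share/selkies/$DASHBOARD /usr/share/selkies/web`, directly after `rm -Rf /usr/share/selkies/web` (new lines 55-59). A value that is not one of the three dashboards built in the Dockerfile leaves the container with no web root, and a value containing `..` or whitespace makes `cp` read from a different path than intended. Check it before the `rm`, for example `case "$DASHBOARD" in selkies-dashboard|selkies-dashboard-zinc|selkies-dashboard-wish) ;; *) DASHBOARD=selkies-dashboard ;; esac`, and quote the expansion in the `cp`. `${FILE_MANAGER_PATH}` in the `mkdir -p` on new line 36 should be quoted for the same reason.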
