From aae227905dea1706bc765b498f0b385d9a80d744 Mon Sep 17 00:00:00 2001 From: thelamer Date: Mon, 29 Sep 2025 13:27:32 -0400 Subject: [PATCH 01/15] add initial hardening logic for env defined privs for the user --- README.md | 254 +---------------- readme-vars.yml | 255 +----------------- .../s6-rc.d/init-selkies-config/run | 219 ++++++++++++--- .../svc-watchdog/dependencies.d/init-services | 0 root/etc/s6-overlay/s6-rc.d/svc-watchdog/run | 32 +++ root/etc/s6-overlay/s6-rc.d/svc-watchdog/type | 1 + .../s6-rc.d/user/contents.d/svc-watchdog | 0 7 files changed, 214 insertions(+), 547 deletions(-) create mode 100644 root/etc/s6-overlay/s6-rc.d/svc-watchdog/dependencies.d/init-services create mode 100755 root/etc/s6-overlay/s6-rc.d/svc-watchdog/run create mode 100644 root/etc/s6-overlay/s6-rc.d/svc-watchdog/type create mode 100644 root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-watchdog diff --git a/README.md b/README.md index 5d8730cd..633021d4 100644 --- a/README.md +++ b/README.md 
@@ -1,255 +1,3 @@ -# Selkies Base Images from LinuxServer - -The purpose of these images is to provide a full featured web native Linux desktop experience for any Linux application or desktop environment. These images replace our old base images at [KasmVNC](https://github.com/linuxserver/docker-baseimage-kasmvnc) for greatly increased performance, fidelity, and feature set. They ship with passwordless sudo to allow easy package installation, testing, and customization. By default they have no logic to mount out anything but the users home directory, meaning on image updates anything outside of `/config` will be lost. - -- Support for using our base images in your own projects is provided on a Reasonable Endeavours basis, please see our [Support Policy](https://www.linuxserver.io/supportpolicy) for details. -- There is no `latest` tag for any of our base images, by design. We often make breaking changes between versions, and we don't publish release notes like we do for the downstream images. -- If you're intending to distribute an image using one of our bases, please read our [docs on container branding](https://docs.linuxserver.io/general/container-branding/) first. -- Images are supported for as long as the upstream release on which they are based, after which we will stop building new base images for that version. - -These images contain the following services: - -* [Selkies](https://github.com/selkies-project) - The core technology for interacting with a containerized desktop from a web browser. -* [pixelflux](https://github.com/linuxserver/pixelflux/) - The core video/image rendering pipeline. -* [pcmflux](https://github.com/linuxserver/pcmflux) - Lean low level web native opus audio encoder. -* [NGINX](https://www.nginx.com/) - Used to serve Selkies with the appropriate paths and provide basic auth. 
-* [Docker](https://www.docker.com/) - Can be used for interacting with a mounted in Docker socket or if the container is run in privileged mode will start a [DinD](https://www.docker.com/blog/docker-can-now-run-within-docker/) setup. -* [PulseAudio](https://www.freedesktop.org/wiki/Software/PulseAudio/) - Sound subsystem used to capture audio from the active desktop session and send it to the browser. - -# Options - -**Authentication for these containers is included as a convenience and to keep in sync with the previous KasmVNC containers they replace. We use bash to substitute in settings user/password and some strings might break that. In general this authentication mechanism should be used to keep the kids out not the internet** - -If you are looking for a robust secure application gateway please check out [SWAG](https://github.com/linuxserver/docker-swag). - -All application settings are passed via environment variables: - -| Variable | Description | -| :----: | --- | -| CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default 3000. | -| CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default 3001. | -| CUSTOM_USER | HTTP Basic auth username, abc is default. | -| PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth | -| SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` | -| TITLE | The page title displayed on the web browser, default "Selkies - webrtc". | -| FM_HOME | This is the home directory (landing) for the file manager, default "/config". | -| START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. 
| -| DISABLE_IPV6 | If set to true or any value this will disable IPv6 | -| LC_ALL | Set the Language for the container to run as IE `fr_FR.UTF-8` `ar_AE.UTF-8` | -| NO_DECOR | If set the application will run without window borders for use as a PWA. (Decor can be enabled and disabled with Ctrl+Shift+d) | -| NO_FULL | Do not autmatically fullscreen applications when using openbox. | -| DISABLE_ZINK | Do not set the Zink environment variables if a video card is detected (userspace applications will use CPU rendering) | -| WATERMARK_PNG | Full path inside the container to a watermark png IE `/usr/share/selkies/www/icon.png` | -| WATERMARK_LOCATION | Where to paint the image over the stream integer options below | -| MAX_RES | Pass a larger maximum resolution for the container default is 8k `7680x4320` | - -* 1 - Top Left -* 2 - Top Right -* 3 - Bottom Left -* 4 - Bottom Right -* 5 - Centered -* 6 - Animated - -## Language Support - Internationalization - -The environment variable `LC_ALL` can be used to start this image in a different language than English simply pass for example to launch the Desktop session in French `LC_ALL=fr_FR.UTF-8`. - -The web interface has an "IME Input Mode" in Settings which will allow non english characters to be used from a non en_US keyboard on the client. Once enabled it will perform the same as a local Linux installation set to your locale. - -# Available Distros - -All base images are built for x86_64 and aarch64 platforms. 
- -| Distro | Current Tag | -| :----: | --- | -| Alpine | alpine322 | -| Arch | arch | -| Debian | debianbookworm | -| Enterprise Linux | el9 | -| Fedora | fedora42 | -| Kali | kali | -| Ubuntu | ubuntunoble | - -### DRI3 GPU Acceleration - -For accelerated apps or games, render devices can be mounted into the container and leveraged by applications using: - -`--device /dev/dri:/dev/dri` - -This feature only supports **Open Source** GPU drivers: - -| Driver | Description | -| :----: | --- | -| Intel | i965 and i915 drivers for Intel iGPU chipsets | -| AMD | AMDGPU, Radeon, and ATI drivers for AMD dedicated or APU chipsets | -| NVIDIA | nouveau2 drivers only, closed source NVIDIA drivers lack DRI3 support | - -The `DRINODE` environment variable can be used to point to a specific GPU. - -DRI3 will work on aarch64 given the correct drivers are installed inside the container for your chipset. - -### Nvidia GPU Support - -**Note: Nvidia support is not available for Alpine-based images.** - -Nvidia GPU support is available by leveraging Zink for OpenGL. When a compatible Nvidia GPU is passed through, it will also be **automatically utilized for hardware-accelerated video stream encoding** (using the `x264enc` full-frame profile), significantly reducing CPU load. - -Enable Nvidia support with the following runtime flags: - -| Flag | Description | -| :----: | --- | -| `--gpus all` | Passes all available host GPUs to the container. This can be filtered to specific GPUs. | -| `--runtime nvidia` | Specifies the Nvidia runtime, which provides the necessary drivers and tools from the host. | - -# PRoot Apps - -All images include [proot-apps](https://github.com/linuxserver/proot-apps) which allow portable applications to be installed to persistent storage in the user's `$HOME` directory. These applications and their settings will persist upgrades of the base container and can be mounted into different flavors of Selkies containers. 
IE if you are running an Alpine based container you will be able to use the same `/config` directory mounted into a Debian based container and retain the same applications and settings as long as they were installed with `proot-apps install`. - -A list of linuxserver.io supported applications is located [HERE](https://github.com/linuxserver/proot-apps?tab=readme-ov-file#supported-apps). - -# I like to read documentation - -## Building images - -### Application containers - -Included in these base images is a simple [Openbox DE](http://openbox.org/) and the accompanying logic needed to launch a single application. Lets look at the bare minimum needed to create an application container starting with a Dockerfile: - -``` -FROM ghcr.io/linuxserver/baseimage-selkies:alpine322 -RUN apk add --no-cache firefox -COPY /root / -``` - -And we can define the application to start using: - -``` -mkdir -p root/defaults -echo "firefox" > root/defaults/autostart -``` - -Resulting in a folder that looks like this: - -``` -├── Dockerfile -└── root - └── defaults - └── autostart -``` - -Now build and test: - -``` -docker build -t firefox . -docker run --rm -it -p 3001:3001 firefox bash -``` - -On https://localhost:3001 you should be presented with a Firefox web browser interface. - -This similar setup can be used to embed any Linux Desktop application in a web accesible container. - -**If building images it is important to note that many application will not work inside of Docker without `--security-opt seccomp=unconfined`, they may have launch flags to not use syscalls blocked by Docker like with chromium based applications and `--no-sandbox`. In general do not expect every application will simply work like a native Linux installation without some modifications** - -#### In container application launching - -Also included in the init logic is the ability to define application launchers. 
As the user has the ability to close the application or if they want to open multiple instances of it this can be useful. Here is an example of a menu definition file for Firefox: - -``` - - - -/usr/bin/xterm -/usr/bin/firefox - - -``` - -Simply create this file and add it to your defaults folder as `menu.xml`: - -``` -├── Dockerfile -└── root - └── defaults - └── autostart - └── menu.xml -``` - -This allows users to right click the desktop background to launch the application. - - -### Full Desktop environments - -When building an application container we are leveraging the Openbox DE to handle window management, but it is also possible to completely replace the DE that is launched on container init using the `startwm.sh` script, located again in defaults: - -``` -├── Dockerfile -└── root - └── defaults - └── startwm.sh -``` - -If included in the build logic it will be launched in place of Openbox. Examples for this kind of configuration can be found in our [Webtop repository](https://github.com/linuxserver/docker-webtop) - -## Docker in Docker (DinD) - -These base images include an installation of Docker that can be used in two ways. The simple method is simply leveraging the Docker/Docker Compose cli bins to manage the host level Docker installation by mounting in `-v /var/run/docker.sock:/var/run/docker.sock`. - -The base images can also run an isolated in container DinD setup simply by passing `--privileged` to the container when launching. If for any reason the application needs privilege but Docker is not wanted the `-e START_DOCKER=false` can be set at runtime or in the Dockerfile. -In container Docker (DinD) will most likely use the fuse-overlayfs driver for storage which is not as fast as native overlay2. To increase perormance the `/var/lib/docker/` directory in the container can be mounted out to a Linux host and will use overlay2. 
Keep in mind Docker runs as root and the contents of this directory will not respect the PUID/PGID environment variables available on all LinuxServer.io containers. - -## Nvidia GPU Support - -**Nvidia is not compatible with Alpine based images** - -Nvidia support is available by leveraging Zink for OpenGL support. This can be enabled with the following run flags: - -| Variable | Description | -| :----: | --- | -| --gpus all | This can be filtered down but for most setups this will pass the one Nvidia GPU on the system | -| --runtime nvidia | Specify the Nvidia runtime which mounts drivers and tools in from the host | - -The compose syntax is slightly different for this as you will need to set nvidia as the default runtime: - -``` -sudo nvidia-ctk runtime configure --runtime=docker --set-as-default -sudo service docker restart -``` - -And to assign the GPU in compose: - -``` -services: - myimage: - image: myname/myimage:mytag - deploy: - resources: - reservations: - devices: - - driver: nvidia - count: 1 - capabilities: [compute,video,graphics,utility] -``` - -# Development - -This container can also be used as a rapid development environment for the Selkies Project. Simply clone the upstream repo and run the container as shown: - -``` -git clone https://github.com/selkies-project/selkies.git -cd selkies -git checkout -f feature/websockets -docker run --rm -it \ - --shm-size=1gb \ - -e DEV_MODE=selkies-dashboard \ - -e PUID=1000 \ - -e PGID=1000 \ - -v $(pwd):/config/src \ - -p 3001:3001 ghcr.io/linuxserver/baseimage-selkies:alpine322 bash -``` - -The application will be restarted on code changes to the src directory you mounted in and provide feedback for debugging. - -The following line is only in this repo for loop testing: -- { date: "01.01.50:", desc: "I am the release message for this internal repo." } +Up to date documentation is available [here](https://github.com/linuxserver/docker-baseimage-selkies/blob/master/README.md). 
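Review bot: the hunk removes the whole Options table and replaces the README with `Up to date documentation is available [here](https://github.com/linuxserver/docker-baseimage-selkies/blob/master/README.md).`, but the new variables that the accompanying change to root/etc/s6-overlay/s6-rc.d/init-selkies-config/run introduces (HARDEN_DESKTOP, HARDEN_OPENBOX, DISABLE_OPEN_TOOLS, DISABLE_SUDO, DISABLE_TERMINALS, DISABLE_CLOSE_BUTTON, DISABLE_MOUSE_BUTTONS, HARDEN_KEYBINDS, RESTART_APP) are then documented nowhere in this repo, and neither are NO_DECOR and NO_FULL, which the run script still honours. Either keep the table here with a row per hardening variable stating exactly what it disables (sudo binary and sudoers, xdg-open/exo-open, terminal binaries and menu entries, close button, mouse buttons, keybinds, autostart lock), or make sure the linked upstream README gains those rows in the same change. The deleted paragraph also promised passwordless sudo; with DISABLE_SUDO that is no longer unconditional and the replacement text should say so, since readme-vars.yml (the template this README is generated from) is stripped to the same single link in this patch.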
diff --git a/readme-vars.yml b/readme-vars.yml index 38d5198d..faa626e4 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -4,258 +4,5 @@ project_name: baseimage-selkies full_custom_readme: | {% raw -%} - # Selkies Base Images from LinuxServer - - The purpose of these images is to provide a full featured web native Linux desktop experience for any Linux application or desktop environment. These images replace our old base images at [KasmVNC](https://github.com/linuxserver/docker-baseimage-kasmvnc) for greatly increased performance, fidelity, and feature set. They ship with passwordless sudo to allow easy package installation, testing, and customization. By default they have no logic to mount out anything but the users home directory, meaning on image updates anything outside of `/config` will be lost. - - - Support for using our base images in your own projects is provided on a Reasonable Endeavours basis, please see our [Support Policy](https://www.linuxserver.io/supportpolicy) for details. - - There is no `latest` tag for any of our base images, by design. We often make breaking changes between versions, and we don't publish release notes like we do for the downstream images. - - If you're intending to distribute an image using one of our bases, please read our [docs on container branding](https://docs.linuxserver.io/general/container-branding/) first. - - Images are supported for as long as the upstream release on which they are based, after which we will stop building new base images for that version. - - These images contain the following services: - - * [Selkies](https://github.com/selkies-project) - The core technology for interacting with a containerized desktop from a web browser. - * [pixelflux](https://github.com/linuxserver/pixelflux/) - The core video/image rendering pipeline. - * [pcmflux](https://github.com/linuxserver/pcmflux) - Lean low level web native opus audio encoder. - * [NGINX](https://www.nginx.com/) - Used to serve Selkies with the appropriate paths and provide basic auth. 
- * [Docker](https://www.docker.com/) - Can be used for interacting with a mounted in Docker socket or if the container is run in privileged mode will start a [DinD](https://www.docker.com/blog/docker-can-now-run-within-docker/) setup. - * [PulseAudio](https://www.freedesktop.org/wiki/Software/PulseAudio/) - Sound subsystem used to capture audio from the active desktop session and send it to the browser. - - # Options - - **Authentication for these containers is included as a convenience and to keep in sync with the previous KasmVNC containers they replace. We use bash to substitute in settings user/password and some strings might break that. In general this authentication mechanism should be used to keep the kids out not the internet** - - If you are looking for a robust secure application gateway please check out [SWAG](https://github.com/linuxserver/docker-swag). - - All application settings are passed via environment variables: - - | Variable | Description | - | :----: | --- | - | CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default 3000. | - | CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default 3001. | - | CUSTOM_USER | HTTP Basic auth username, abc is default. | - | PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth | - | SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` | - | TITLE | The page title displayed on the web browser, default "Selkies - webrtc". | - | FM_HOME | This is the home directory (landing) for the file manager, default "/config". | - | START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. 
| - | DISABLE_IPV6 | If set to true or any value this will disable IPv6 | - | LC_ALL | Set the Language for the container to run as IE `fr_FR.UTF-8` `ar_AE.UTF-8` | - | NO_DECOR | If set the application will run without window borders for use as a PWA. (Decor can be enabled and disabled with Ctrl+Shift+d) | - | NO_FULL | Do not autmatically fullscreen applications when using openbox. | - | DISABLE_ZINK | Do not set the Zink environment variables if a video card is detected (userspace applications will use CPU rendering) | - | WATERMARK_PNG | Full path inside the container to a watermark png IE `/usr/share/selkies/www/icon.png` | - | WATERMARK_LOCATION | Where to paint the image over the stream integer options below | - | MAX_RES | Pass a larger maximum resolution for the container default is 8k `7680x4320` | - - * 1 - Top Left - * 2 - Top Right - * 3 - Bottom Left - * 4 - Bottom Right - * 5 - Centered - * 6 - Animated - - ## Language Support - Internationalization - - The environment variable `LC_ALL` can be used to start this image in a different language than English simply pass for example to launch the Desktop session in French `LC_ALL=fr_FR.UTF-8`. - - The web interface has an "IME Input Mode" in Settings which will allow non english characters to be used from a non en_US keyboard on the client. Once enabled it will perform the same as a local Linux installation set to your locale. - - # Available Distros - - All base images are built for x86_64 and aarch64 platforms. 
- - | Distro | Current Tag | - | :----: | --- | - | Alpine | alpine322 | - | Arch | arch | - | Debian | debianbookworm | - | Enterprise Linux | el9 | - | Fedora | fedora42 | - | Kali | kali | - | Ubuntu | ubuntunoble | - - ### DRI3 GPU Acceleration - - For accelerated apps or games, render devices can be mounted into the container and leveraged by applications using: - - `--device /dev/dri:/dev/dri` - - This feature only supports **Open Source** GPU drivers: - - | Driver | Description | - | :----: | --- | - | Intel | i965 and i915 drivers for Intel iGPU chipsets | - | AMD | AMDGPU, Radeon, and ATI drivers for AMD dedicated or APU chipsets | - | NVIDIA | nouveau2 drivers only, closed source NVIDIA drivers lack DRI3 support | - - The `DRINODE` environment variable can be used to point to a specific GPU. - - DRI3 will work on aarch64 given the correct drivers are installed inside the container for your chipset. - - ### Nvidia GPU Support - - **Note: Nvidia support is not available for Alpine-based images.** - - Nvidia GPU support is available by leveraging Zink for OpenGL. When a compatible Nvidia GPU is passed through, it will also be **automatically utilized for hardware-accelerated video stream encoding** (using the `x264enc` full-frame profile), significantly reducing CPU load. - - Enable Nvidia support with the following runtime flags: - - | Flag | Description | - | :----: | --- | - | `--gpus all` | Passes all available host GPUs to the container. This can be filtered to specific GPUs. | - | `--runtime nvidia` | Specifies the Nvidia runtime, which provides the necessary drivers and tools from the host. | - - # PRoot Apps - - All images include [proot-apps](https://github.com/linuxserver/proot-apps) which allow portable applications to be installed to persistent storage in the user's `$HOME` directory. These applications and their settings will persist upgrades of the base container and can be mounted into different flavors of Selkies containers. 
IE if you are running an Alpine based container you will be able to use the same `/config` directory mounted into a Debian based container and retain the same applications and settings as long as they were installed with `proot-apps install`. - - A list of linuxserver.io supported applications is located [HERE](https://github.com/linuxserver/proot-apps?tab=readme-ov-file#supported-apps). - - # I like to read documentation - - ## Building images - - ### Application containers - - Included in these base images is a simple [Openbox DE](http://openbox.org/) and the accompanying logic needed to launch a single application. Lets look at the bare minimum needed to create an application container starting with a Dockerfile: - - ``` - FROM ghcr.io/linuxserver/baseimage-selkies:alpine322 - RUN apk add --no-cache firefox - COPY /root / - ``` - - And we can define the application to start using: - - ``` - mkdir -p root/defaults - echo "firefox" > root/defaults/autostart - ``` - - Resulting in a folder that looks like this: - - ``` - ├── Dockerfile - └── root - └── defaults - └── autostart - ``` - - Now build and test: - - ``` - docker build -t firefox . - docker run --rm -it -p 3001:3001 firefox bash - ``` - - On https://localhost:3001 you should be presented with a Firefox web browser interface. - - This similar setup can be used to embed any Linux Desktop application in a web accesible container. - - **If building images it is important to note that many application will not work inside of Docker without `--security-opt seccomp=unconfined`, they may have launch flags to not use syscalls blocked by Docker like with chromium based applications and `--no-sandbox`. In general do not expect every application will simply work like a native Linux installation without some modifications** - - #### In container application launching - - Also included in the init logic is the ability to define application launchers. 
As the user has the ability to close the application or if they want to open multiple instances of it this can be useful. Here is an example of a menu definition file for Firefox: - - ``` - - - - /usr/bin/xterm - /usr/bin/firefox - - - ``` - - Simply create this file and add it to your defaults folder as `menu.xml`: - - ``` - ├── Dockerfile - └── root - └── defaults - └── autostart - └── menu.xml - ``` - - This allows users to right click the desktop background to launch the application. - - - ### Full Desktop environments - - When building an application container we are leveraging the Openbox DE to handle window management, but it is also possible to completely replace the DE that is launched on container init using the `startwm.sh` script, located again in defaults: - - ``` - ├── Dockerfile - └── root - └── defaults - └── startwm.sh - ``` - - If included in the build logic it will be launched in place of Openbox. Examples for this kind of configuration can be found in our [Webtop repository](https://github.com/linuxserver/docker-webtop) - - ## Docker in Docker (DinD) - - These base images include an installation of Docker that can be used in two ways. The simple method is simply leveraging the Docker/Docker Compose cli bins to manage the host level Docker installation by mounting in `-v /var/run/docker.sock:/var/run/docker.sock`. - - The base images can also run an isolated in container DinD setup simply by passing `--privileged` to the container when launching. If for any reason the application needs privilege but Docker is not wanted the `-e START_DOCKER=false` can be set at runtime or in the Dockerfile. - In container Docker (DinD) will most likely use the fuse-overlayfs driver for storage which is not as fast as native overlay2. To increase perormance the `/var/lib/docker/` directory in the container can be mounted out to a Linux host and will use overlay2. 
Keep in mind Docker runs as root and the contents of this directory will not respect the PUID/PGID environment variables available on all LinuxServer.io containers. - - ## Nvidia GPU Support - - **Nvidia is not compatible with Alpine based images** - - Nvidia support is available by leveraging Zink for OpenGL support. This can be enabled with the following run flags: - - | Variable | Description | - | :----: | --- | - | --gpus all | This can be filtered down but for most setups this will pass the one Nvidia GPU on the system | - | --runtime nvidia | Specify the Nvidia runtime which mounts drivers and tools in from the host | - - The compose syntax is slightly different for this as you will need to set nvidia as the default runtime: - - ``` - sudo nvidia-ctk runtime configure --runtime=docker --set-as-default - sudo service docker restart - ``` - - And to assign the GPU in compose: - - ``` - services: - myimage: - image: myname/myimage:mytag - deploy: - resources: - reservations: - devices: - - driver: nvidia - count: 1 - capabilities: [compute,video,graphics,utility] - ``` - - # Development - - This container can also be used as a rapid development environment for the Selkies Project. Simply clone the upstream repo and run the container as shown: - - ``` - git clone https://github.com/selkies-project/selkies.git - cd selkies - git checkout -f feature/websockets - docker run --rm -it \ - --shm-size=1gb \ - -e DEV_MODE=selkies-dashboard \ - -e PUID=1000 \ - -e PGID=1000 \ - -v $(pwd):/config/src \ - -p 3001:3001 ghcr.io/linuxserver/baseimage-selkies:alpine322 bash - ``` - - The application will be restarted on code changes to the src directory you mounted in and provide feedback for debugging. - - The following line is only in this repo for loop testing: - - { date: "01.01.50:", desc: "I am the release message for this internal repo." } - + Up to date documentation is available [here](https://github.com/linuxserver/docker-baseimage-selkies/blob/master/README.md). 
{%- endraw %} diff --git a/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run b/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run index 146a3d26..a03de11e 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run 
@@ -1,69 +1,208 @@ #!/usr/bin/with-contenv bash # default file copies first run -if [[ ! -f /config/.config/openbox/autostart ]]; then - mkdir -p /config/.config/openbox - cp /defaults/autostart /config/.config/openbox/autostart - chown -R abc:abc /config/.config/openbox +mkdir -p "$HOME/.config" +chown abc:abc "$HOME/.config" +if [[ ! -f "$HOME/.config/openbox/autostart" ]]; then + mkdir -p "$HOME/.config/openbox" + cp /defaults/autostart "$HOME/.config/openbox/autostart" + chown abc:abc "$HOME/.config/openbox" "$HOME/.config/openbox/autostart" fi -if [[ ! -f /config/.config/openbox/menu.xml ]]; then - mkdir -p /config/.config/openbox && \ - cp /defaults/menu.xml /config/.config/openbox/menu.xml && \ - chown -R abc:abc /config/.config +if [[ ! -f "$HOME/.config/openbox/menu.xml" ]]; then + mkdir -p "$HOME/.config/openbox" && \ + cp /defaults/menu.xml "$HOME/.config/openbox/menu.xml" + chown abc:abc "$HOME/.config/openbox" "$HOME/.config/openbox/menu.xml" fi # XDG Home -printf "${HOME}/.XDG" > /run/s6/container_environment/XDG_RUNTIME_DIR -if [ ! -d "${HOME}/.XDG" ]; then - mkdir -p ${HOME}/.XDG - chown abc:abc ${HOME}/.XDG +if [ ! -d "$HOME/.XDG" ]; then + mkdir -p "$HOME/.XDG" + chown abc:abc "$HOME/.XDG" fi +printf "$HOME/.XDG" > /run/s6/container_environment/XDG_RUNTIME_DIR -# Locale Support +# locale Support if [ ! -z ${LC_ALL+x} ]; then printf "${LC_ALL%.UTF-8}" > /run/s6/container_environment/LANGUAGE printf "${LC_ALL}" > /run/s6/container_environment/LANG fi -# Remove window borders -if [[ ! -z ${NO_DECOR+x} ]] && [[ ! 
-f /decorlock ]]; then - sed -i \ - 's|| no \n|' \ - /etc/xdg/openbox/rc.xml - touch /decorlock +# hardening flags +if [[ -n "${HARDEN_DESKTOP}" ]]; then + export DISABLE_OPEN_TOOLS="true" + export DISABLE_SUDO="true" + export DISABLE_TERMINALS="true" + # application hardening if unset + if [ -z ${SELKIES_FILE_TRANSFERS+x} ]; then + printf "" > /run/s6/container_environment/SELKIES_FILE_TRANSFERS + fi + if [ -z ${SELKIES_COMMAND_ENABLED+x} ]; then + printf "false" > /run/s6/container_environment/SELKIES_COMMAND_ENABLED + fi + if [ -z ${SELKIES_UI_SIDEBAR_SHOW_FILES+x} ]; then + printf "false" > /run/s6/container_environment/SELKIES_UI_SIDEBAR_SHOW_FILES + fi + if [ -z ${SELKIES_UI_SIDEBAR_SHOW_APPS+x} ]; then + printf "false" > /run/s6/container_environment/SELKIES_UI_SIDEBAR_SHOW_APPS + fi +fi +if [[ -n "${HARDEN_OPENBOX}" ]]; then + export DISABLE_CLOSE_BUTTON="true" + export DISABLE_MOUSE_BUTTONS="true" + export HARDEN_KEYBINDS="true" + if [ -z ${RESTART_APP+x} ]; then + export RESTART_APP=true + printf "true" > /run/s6/container_environment/RESTART_APP + fi +fi + +# disable open tools +xdg_open_path=$(which xdg-open 2>/dev/null) +exo_open_path=$(which exo-open 2>/dev/null) +if [[ -n "${DISABLE_OPEN_TOOLS}" ]]; then + echo "[ls.io-init] Disabling xdg-open and exo-open" + [ -n "$xdg_open_path" ] && chmod 0000 "$xdg_open_path" + [ -n "$exo_open_path" ] && chmod 0000 "$exo_open_path" +else + [ -n "$xdg_open_path" ] && chmod 755 "$xdg_open_path" + [ -n "$exo_open_path" ] && chmod 755 "$exo_open_path" +fi + +# disable sudo +sudo_path=$(which sudo 2>/dev/null) +if [[ -n "${DISABLE_SUDO}" ]]; then + echo "[ls.io-init] Disabling sudo binary and corrupting sudoers config" + [ -n "$sudo_path" ] && chmod 0000 "$sudo_path" + sed -i "s/NOPASSWD/CORRUPT_FILE/g" /etc/sudoers +else + [ -n "$sudo_path" ] && chmod 4755 "$sudo_path" + sed -i "s/CORRUPT_FILE/NOPASSWD/g" /etc/sudoers +fi + +# disable terminals and menu entries +USER_MENU_DIR="$HOME/.config/openbox" 
+USER_MENU_XML="$USER_MENU_DIR/menu.xml" +USER_MENU_BAK="$USER_MENU_DIR/menu.xml.bak" +TERMINAL_NAMES=("xterm" "st" "stterm" "uxterm" "lxterminal" "gnome-terminal" "konsole" "xfce4-terminal" "terminator") +if [ -f "$USER_MENU_XML" ] && [ ! -f "$USER_MENU_BAK" ]; then + echo "[ls.io-init] Creating initial backup of menu.xml" + cp "$USER_MENU_XML" "$USER_MENU_BAK" + chown abc:abc "$USER_MENU_BAK" +fi +if [[ -n "${DISABLE_TERMINALS}" ]]; then + echo "[ls.io-init] Disabling terminal binaries and removing from menu" + [ -f "$USER_MENU_BAK" ] && cp "$USER_MENU_BAK" "$USER_MENU_XML" + for term_name in "${TERMINAL_NAMES[@]}"; do + term_path=$(which "$term_name" 2>/dev/null) + if [ -n "$term_path" ]; then + chmod 0000 "$term_path" + escaped_path=$(echo "$term_path" | sed 's/[&/\]/\\&/g') + sed -i "/${escaped_path}<\/command>/d" "$USER_MENU_XML" + fi + done + chown abc:abc "$USER_MENU_XML" +else + if [ -f "$USER_MENU_BAK" ]; then + cp "$USER_MENU_BAK" "$USER_MENU_XML" + chown abc:abc "$USER_MENU_XML" + fi + for term_name in "${TERMINAL_NAMES[@]}"; do + term_path=$(which "$term_name" 2>/dev/null) + if [ -n "$term_path" ] && [ ! -x "$term_path" ]; then + chmod 755 "$term_path" + fi + done fi -# Fullscreen everything in openbox unless the user explicitly disables it -if [[ ! -z ${NO_FULL+x} ]] && [[ ! -f /fulllock ]]; then - sed -i \ - 's|yes||g' \ - /etc/xdg/openbox/rc.xml - touch /fulllock +# lock down autostart file if auto restart is enabled +AUTOSTART_SCRIPT="$HOME/.config/openbox/autostart" +if [ -f "$AUTOSTART_SCRIPT" ]; then + if [[ -n "${RESTART_APP}" ]]; then + echo "[ls.io-init] RESTART_APP is set. Setting autostart owner to root and making read-only for user" + chown root:abc "$AUTOSTART_SCRIPT" + chmod 550 "$AUTOSTART_SCRIPT" + else + chown abc:abc "$AUTOSTART_SCRIPT" + chmod 644 "$AUTOSTART_SCRIPT" + fi fi -# Add proot-apps -if [ ! 
-f "${HOME}/.local/bin/proot-apps" ]; then - mkdir -p ${HOME}/.local/bin/ - cp /proot-apps/* ${HOME}/.local/bin/ - echo 'export PATH="$HOME/.local/bin:$PATH"' >> $HOME/.bashrc - chown abc:abc \ - ${HOME}/.bashrc \ - ${HOME}/.local/ \ - ${HOME}/.local/bin \ - ${HOME}/.local/bin/{ncat,proot-apps,proot,jq,pversion} -elif ! diff -q /proot-apps/pversion ${HOME}/.local/bin/pversion > /dev/null; then - cp /proot-apps/* ${HOME}/.local/bin/ - chown abc:abc ${HOME}/.local/bin/{ncat,proot-apps,proot,jq,pversion} +# openbox tweaks +SYS_RC_XML="/etc/xdg/openbox/rc.xml" +SYS_RC_BAK="/etc/xdg/openbox/rc.xml.bak" +if [ ! -f "$SYS_RC_BAK" ]; then + echo "[ls.io-init] Creating initial backup of system rc.xml" + cp "$SYS_RC_XML" "$SYS_RC_BAK" +fi +cp "$SYS_RC_BAK" "$SYS_RC_XML" +if [[ -n "${DISABLE_CLOSE_BUTTON}" ]]; then + echo "[ls.io-init] Disabling close button" + sed -i '//s/C//' "$SYS_RC_XML" +fi +if [[ -n "${DISABLE_MOUSE_BUTTONS}" ]]; then + echo "[ls.io-init] Disabling right and middle mouse clicks" + sed -i -e '//d' \ + -e '//d' "$SYS_RC_XML" +fi +if [[ ! -z ${NO_DECOR+x} ]]; then + echo "[ls.io-init] Removing window decorations" + sed -i '//a \ no' "$SYS_RC_XML" +fi +if [[ ! 
-z ${NO_FULL+x} ]]; then + echo "[ls.io-init] Disabling maximization" + sed -i '/yes<\/maximized>/d' "$SYS_RC_XML" +fi +if [[ -n "${HARDEN_KEYBINDS}" ]]; then + echo "[ls.io-init] Disabling dangerous keybinds" + KEYS_TO_DISABLE=( + "A-F4" + "A-Escape" + "A-space" + "W-e" + ) + for key in "${KEYS_TO_DISABLE[@]}"; do + sed -i "//{s/^/ /}" "$SYS_RC_XML" + done fi +# disable user rc path if config is hardened +USER_RC_XML="$HOME/.config/openbox/rc.xml" +if [[ -n "${DISABLE_MOUSE_BUTTONS}" || -n "${HARDEN_KEYBINDS}" ]]; then + echo "[ls.io-init] Locking user rc.xml to prevent security overrides" + mkdir -p "$(dirname $USER_RC_XML)" + chown abc:abc "$(dirname $USER_RC_XML)" + cp "$SYS_RC_XML" "$USER_RC_XML" + chown root:abc "$USER_RC_XML" + chmod 444 "$USER_RC_XML" +else + if [ -f "$USER_RC_XML" ] && [ "$(stat -c '%U' $USER_RC_XML)" == "root" ]; then + echo "[ls.io-init] Hardening disabled, removing locked user rc.xml" + rm -f "$USER_RC_XML" + fi +fi +# add proot-apps +proot_updated=false +if [ ! -f "$HOME/.local/bin/proot-apps" ]; then + mkdir -p "$HOME/.local/bin/" + cp /proot-apps/* "$HOME/.local/bin/" + echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$HOME/.bashrc" + proot_updated=true +elif ! diff -q /proot-apps/pversion "$HOME/.local/bin/pversion" > /dev/null; then + cp /proot-apps/* "$HOME/.local/bin/" + proot_updated=true +fi +if [ "$proot_updated" = true ]; then + chown -R abc:abc "$HOME/.local" + [ -f "$HOME/.bashrc" ] && chown abc:abc "$HOME/.bashrc" +fi # set env based on vars if [[ -z ${NO_GAMEPAD+x} ]]; then printf "/usr/lib/selkies_joystick_interposer.so:/opt/lib/libudev.so.1.0.0-fake" > /run/s6/container_environment/LD_PRELOAD fi -# JS folder setup +# js folder setup mkdir -pm1777 /dev/input touch /tmp/selkies_js.log mknod /dev/input/js0 c 13 0 
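Review bot: the "lock down autostart" and "disable user rc path" blocks of this hunk make `autostart` and the user `rc.xml` root-owned and read-only (`chown root:abc` + `chmod 550`, `chmod 444`) while the block just above still does `chown abc:abc "$(dirname $USER_RC_XML)"`, so the enclosing `$HOME/.config/openbox` stays writable by abc; a root-owned file inside a directory the user owns can be unlinked and recreated, so the lock only stops in-place edits, which is weaker than the "prevent security overrides" log message claims. Either remove group/other write on that directory while hardening is active, or have the watchdog run a root-owned copy of autostart kept outside $HOME, and word the log line to match what is actually enforced. Two smaller points in the same hunk: the "disable sudo" branch runs `sed -i "s/NOPASSWD/CORRUPT_FILE/g" /etc/sudoers` unconditionally, so a downstream image without sudo (`sudo_path` empty) gets a sed error on a missing file; guard it with `[ -f /etc/sudoers ] &&` like the chmod line, and add a comment that the restore branch relies on the exact `CORRUPT_FILE` token. And the terminal cleanup `sed -i "/${escaped_path}<\/command>/d"` deletes only the `<command>` line, leaving a menu `<item>` whose `<action>` does nothing; deleting the whole item, or documenting that a dead entry remains, would avoid confusing users.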
@@ -76,7 +215,7 @@ mknod /dev/input/event1002 c 13 1066 mknod /dev/input/event1003 c 13 1067 chmod 777 /dev/input/js* /dev/input/event* /tmp/selkies* -# Manifest creation +# manifest creation echo "{ \"name\": \"${TITLE}\", \"short_name\": \"${TITLE}\", diff --git a/root/etc/s6-overlay/s6-rc.d/svc-watchdog/dependencies.d/init-services b/root/etc/s6-overlay/s6-rc.d/svc-watchdog/dependencies.d/init-services new file mode 100644 index 00000000..e69de29b diff --git a/root/etc/s6-overlay/s6-rc.d/svc-watchdog/run b/root/etc/s6-overlay/s6-rc.d/svc-watchdog/run new file mode 100755 index 00000000..ad40b30f --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/svc-watchdog/run @@ -0,0 +1,32 @@ +#!/usr/bin/with-contenv bash + +if [[ -z "${RESTART_APP}" ]]; then + exec sleep infinity +fi + +# monitor loop for autostart +AUTOSTART_CMD="sh $HOME/.config/openbox/autostart" +while true; do + if pgrep -o -u abc -f "$AUTOSTART_CMD" > /dev/null; then + echo "SVC Watchdog: Initial process detected. Starting active monitoring." + break + fi + sleep 2 +done +last_known_pid="" +while true; do + current_pid=$(pgrep -o -u abc -f "$AUTOSTART_CMD") + if [ -z "$current_pid" ]; then + if [ -n "$last_known_pid" ]; then + echo "SVC Watchdog: Application process (PID: $last_known_pid) has terminated. Restarting..." + else + echo "SVC Watchdog: Application not running. Attempting to start..." + fi + s6-setuidgid abc $AUTOSTART_CMD & + last_known_pid="" + elif [ "$current_pid" != "$last_known_pid" ]; then + echo "SVC Watchdog: Application process found with PID: $current_pid. Monitoring..." + last_known_pid="$current_pid" + fi + sleep 1 +done diff --git a/root/etc/s6-overlay/s6-rc.d/svc-watchdog/type b/root/etc/s6-overlay/s6-rc.d/svc-watchdog/type new file mode 100644 index 00000000..5883cff0 --- /dev/null +++ b/root/etc/s6-overlay/s6-rc.d/svc-watchdog/type @@ -0,0 +1 @@ +longrun 
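Review bot: the monitor loop in svc-watchdog/run restarts without any back-off: if `autostart` exits immediately (missing binary, bad config), `s6-setuidgid abc $AUTOSTART_CMD &` is re-run every second and the log fills with "Restarting..." lines; add a failure counter with an increasing sleep and give up or alert after N consecutive quick exits. Detection also depends on the literal command line `sh $HOME/.config/openbox/autostart` staying visible to `pgrep -o -u abc -f`, so an autostart script that `exec`s its application is never matched and a second copy is launched on every iteration; either document that constraint in the script header or track the child directly (record `$!` after launching and test it with `kill -0`) instead of re-discovering it by pattern.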
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-watchdog b/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-watchdog new file mode 100644 index 00000000..e69de29b From b97193bd65ad80b18b40e1df95d85a8d4143919e Mon Sep 17 00:00:00 2001 From: thelamer Date: Mon, 29 Sep 2025 14:14:31 -0400 Subject: [PATCH 02/15] read true to allow overrides --- .../s6-overlay/s6-rc.d/init-selkies-config/run | 18 +++++++++--------- root/etc/s6-overlay/s6-rc.d/svc-watchdog/run | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run b/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run index a03de11e..3a0fd72b 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run @@ -28,7 +28,7 @@ if [ ! -z ${LC_ALL+x} ]; then fi # hardening flags -if [[ -n "${HARDEN_DESKTOP}" ]]; then +if [[ ${HARDEN_DESKTOP,,} == "true" ]]; then export DISABLE_OPEN_TOOLS="true" export DISABLE_SUDO="true" export DISABLE_TERMINALS="true" @@ -46,7 +46,7 @@ if [[ -n "${HARDEN_DESKTOP}" ]]; then printf "false" > /run/s6/container_environment/SELKIES_UI_SIDEBAR_SHOW_APPS fi fi -if [[ -n "${HARDEN_OPENBOX}" ]]; then +if [[ ${HARDEN_OPENBOX,,} == "true" ]]; then export DISABLE_CLOSE_BUTTON="true" export DISABLE_MOUSE_BUTTONS="true" export HARDEN_KEYBINDS="true" @@ -59,7 +59,7 @@ fi # disable open tools xdg_open_path=$(which xdg-open 2>/dev/null) exo_open_path=$(which exo-open 2>/dev/null) -if [[ -n "${DISABLE_OPEN_TOOLS}" ]]; then +if [[ ${DISABLE_OPEN_TOOLS,,} == "true" ]]; then echo "[ls.io-init] Disabling xdg-open and exo-open" [ -n "$xdg_open_path" ] && chmod 0000 "$xdg_open_path" [ -n "$exo_open_path" ] && chmod 0000 "$exo_open_path" 
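Review bot: the `${HARDEN_DESKTOP,,} == "true"` comparison in the first hunk fixes the earlier `-n` test (where `HARDEN_DESKTOP=false` still enabled hardening), but the commit message says the change is to "allow overrides" while the block body still does `export DISABLE_OPEN_TOOLS="true"`, `export DISABLE_SUDO="true"` and `export DISABLE_TERMINALS="true"` unconditionally, so a user who sets `HARDEN_DESKTOP=true` together with `DISABLE_SUDO=false` is silently overridden. If per-feature opt-outs are intended, set the sub-flags as defaults (`export DISABLE_SUDO="${DISABLE_SUDO:-true}"`, and likewise in the `HARDEN_OPENBOX` block); otherwise state in the readme-vars that the master flags are absolute.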
@@ -70,7 +70,7 @@ fi # disable sudo sudo_path=$(which sudo 2>/dev/null) -if [[ -n "${DISABLE_SUDO}" ]]; then +if [[ ${DISABLE_SUDO,,} == "true" ]]; then echo "[ls.io-init] Disabling sudo binary and corrupting sudoers config" [ -n "$sudo_path" ] && chmod 0000 "$sudo_path" sed -i "s/NOPASSWD/CORRUPT_FILE/g" /etc/sudoers @@ -89,7 +89,7 @@ if [ -f "$USER_MENU_XML" ] && [ ! -f "$USER_MENU_BAK" ]; then cp "$USER_MENU_XML" "$USER_MENU_BAK" chown abc:abc "$USER_MENU_BAK" fi -if [[ -n "${DISABLE_TERMINALS}" ]]; then +if [[ ${DISABLE_TERMINALS,,} == "true" ]]; then echo "[ls.io-init] Disabling terminal binaries and removing from menu" [ -f "$USER_MENU_BAK" ] && cp "$USER_MENU_BAK" "$USER_MENU_XML" for term_name in "${TERMINAL_NAMES[@]}"; do @@ -117,7 +117,7 @@ fi # lock down autostart file if auto restart is enabled AUTOSTART_SCRIPT="$HOME/.config/openbox/autostart" if [ -f "$AUTOSTART_SCRIPT" ]; then - if [[ -n "${RESTART_APP}" ]]; then + if [[ ${RESTART_APP,,} == "true" ]]; then echo "[ls.io-init] RESTART_APP is set. Setting autostart owner to root and making read-only for user" chown root:abc "$AUTOSTART_SCRIPT" chmod 550 "$AUTOSTART_SCRIPT" @@ -139,7 +139,7 @@ if [[ -n "${DISABLE_CLOSE_BUTTON}" ]]; then echo "[ls.io-init] Disabling close button" sed -i '//s/C//' "$SYS_RC_XML" fi -if [[ -n "${DISABLE_MOUSE_BUTTONS}" ]]; then +if [[ ${DISABLE_MOUSE_BUTTONS,,} == "true" ]]; then echo "[ls.io-init] Disabling right and middle mouse clicks" sed -i -e '//d' \ -e '//d' "$SYS_RC_XML" @@ -152,7 +152,7 @@ if [[ ! -z ${NO_FULL+x} ]]; then echo "[ls.io-init] Disabling maximization" sed -i '/yes<\/maximized>/d' "$SYS_RC_XML" fi -if [[ -n "${HARDEN_KEYBINDS}" ]]; then +if [[ ${HARDEN_KEYBINDS,,} == "true" ]]; then echo "[ls.io-init] Disabling dangerous keybinds" KEYS_TO_DISABLE=( "A-F4" 
@@ -167,7 +167,7 @@ fi # disable user rc path if config is hardened USER_RC_XML="$HOME/.config/openbox/rc.xml" -if [[ -n "${DISABLE_MOUSE_BUTTONS}" || -n "${HARDEN_KEYBINDS}" ]]; then +if [[ ${DISABLE_MOUSE_BUTTONS,,} == "true" || ${HARDEN_KEYBINDS,,} == "true" ]]; then echo "[ls.io-init] Locking user rc.xml to prevent security overrides" mkdir -p "$(dirname $USER_RC_XML)" chown abc:abc "$(dirname $USER_RC_XML)" diff --git a/root/etc/s6-overlay/s6-rc.d/svc-watchdog/run b/root/etc/s6-overlay/s6-rc.d/svc-watchdog/run index ad40b30f..33056625 100755 --- a/root/etc/s6-overlay/s6-rc.d/svc-watchdog/run +++ b/root/etc/s6-overlay/s6-rc.d/svc-watchdog/run @@ -1,6 +1,6 @@ #!/usr/bin/with-contenv bash -if [[ -z "${RESTART_APP}" ]]; then +if [[ ${RESTART_APP,,} != "true" ]]; then exec sleep infinity fi From 04a1350336e76aaa00025e5a1d5f716f6e6d981b Mon Sep 17 00:00:00 2001 From: thelamer Date: Mon, 29 Sep 2025 15:18:48 -0400 Subject: [PATCH 03/15] add support for different file manager path --- Dockerfile | 4 ++-- Dockerfile.aarch64 | 4 ++-- root/defaults/default.conf | 4 ++-- root/etc/s6-overlay/s6-rc.d/init-nginx/run | 4 +++- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2c04dfe0..e7ea2da1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab + git checkout -f 67167119ea92bf6ad467b2b87b6bc9093eaf7073 RUN \ echo "**** build frontend ****" && \ @@ -182,7 +182,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/67167119ea92bf6ad467b2b87b6bc9093eaf7073.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ 
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index c92747b9..8e07cd3e 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab + git checkout -f 67167119ea92bf6ad467b2b87b6bc9093eaf7073 RUN \ echo "**** build frontend ****" && \ @@ -180,7 +180,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/67167119ea92bf6ad467b2b87b6bc9093eaf7073.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/root/defaults/default.conf b/root/defaults/default.conf index b82d5d6d..9b26b937 100644 --- a/root/defaults/default.conf +++ b/root/defaults/default.conf @@ -42,7 +42,7 @@ server { fancyindex on; fancyindex_footer SUBFOLDERnginx/footer.html; fancyindex_header SUBFOLDERnginx/header.html; - alias REPLACE_HOME/Desktop/; + alias REPLACE_DOWNLOADS_PATH/; } error_page 500 502 503 504 /50x.html; location = SUBFOLDER50x.html { @@ -96,7 +96,7 @@ server { fancyindex on; fancyindex_footer SUBFOLDERnginx/footer.html; fancyindex_header SUBFOLDERnginx/header.html; - alias REPLACE_HOME/Desktop/; + alias REPLACE_DOWNLOADS_PATH/; } error_page 500 502 503 504 /50x.html; location = SUBFOLDER50x.html { diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx/run b/root/etc/s6-overlay/s6-rc.d/init-nginx/run index d8b5ab87..cf557044 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-nginx/run +++ b/root/etc/s6-overlay/s6-rc.d/init-nginx/run @@ -9,6 +9,7 @@ CHPORT="${CUSTOM_HTTPS_PORT:-3001}" CWS="${CUSTOM_WS_PORT:-8082}" CUSER="${CUSTOM_USER:-abc}" SFOLDER="${SUBFOLDER:-/}" +FILE_MANAGER_PATH="${FILE_MANAGER_PATH:-$HOME/Desktop}" # create self signed cert if [ ! -f "/config/ssl/cert.pem" ]; then 
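Review bot: `FILE_MANAGER_PATH="${FILE_MANAGER_PATH:-$HOME/Desktop}"` is taken straight from the environment and, in the next hunk, spliced into the nginx config with `sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g"`, so a value containing `|`, `&` or `\` corrupts the config, and whatever directory it names becomes browsable through fancyindex. Validate it (absolute path, none of those characters) and say explicitly in the variable's documentation that everything under it is served over HTTP. The same hunk still runs `s6-setuidgid abc mkdir -p $HOME/Desktop` rather than creating `$FILE_MANAGER_PATH`, so a custom path that does not yet exist cannot be served until the user creates it.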
@@ -28,7 +29,8 @@ sed -i "s/3000/$CPORT/g" ${NGINX_CONFIG} sed -i "s/3001/$CHPORT/g" ${NGINX_CONFIG} sed -i "s/CWS/$CWS/g" ${NGINX_CONFIG} sed -i "s|SUBFOLDER|$SFOLDER|g" ${NGINX_CONFIG} -sed -i "s|REPLACE_HOME|$HOME|g" ${NGINX_CONFIG} +sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" ${NGINX_CONFIG} +sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" /usr/share/selkies/www/nginx/footer.html s6-setuidgid abc mkdir -p $HOME/Desktop if [ ! -z ${DISABLE_IPV6+x} ]; then sed -i '/listen \[::\]/d' ${NGINX_CONFIG} From 7c9b218a03dc4769e38c74088cbb106dd60b270c Mon Sep 17 00:00:00 2001 From: thelamer Date: Mon, 29 Sep 2025 18:37:31 -0400 Subject: [PATCH 04/15] bump selkies for bugfixes --- Dockerfile | 4 ++-- Dockerfile.aarch64 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index e7ea2da1..b4ad207b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 67167119ea92bf6ad467b2b87b6bc9093eaf7073 + git checkout -f 1ff75bac47ed1db85192b78c7e51212d074f75ec RUN \ echo "**** build frontend ****" && \ @@ -182,7 +182,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/67167119ea92bf6ad467b2b87b6bc9093eaf7073.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/1ff75bac47ed1db85192b78c7e51212d074f75ec.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 8e07cd3e..90ced536 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 67167119ea92bf6ad467b2b87b6bc9093eaf7073 + git checkout -f 1ff75bac47ed1db85192b78c7e51212d074f75ec RUN \ echo "**** build frontend ****" && \ 
@@ -180,7 +180,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/67167119ea92bf6ad467b2b87b6bc9093eaf7073.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/1ff75bac47ed1db85192b78c7e51212d074f75ec.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ From ddfd89c83fd5dea5586097b3cfc2fd8f22a84052 Mon Sep 17 00:00:00 2001 From: thelamer Date: Mon, 29 Sep 2025 19:29:22 -0400 Subject: [PATCH 05/15] bump selkies --- Dockerfile | 4 ++-- Dockerfile.aarch64 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index b4ad207b..505652ed 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 1ff75bac47ed1db85192b78c7e51212d074f75ec + git checkout -f 42b3b741da458d8b12ac8b915fa082ebeb4a4c50 RUN \ echo "**** build frontend ****" && \ @@ -182,7 +182,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/1ff75bac47ed1db85192b78c7e51212d074f75ec.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/42b3b741da458d8b12ac8b915fa082ebeb4a4c50.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 90ced536..efc4414c 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 1ff75bac47ed1db85192b78c7e51212d074f75ec + git checkout -f 42b3b741da458d8b12ac8b915fa082ebeb4a4c50 RUN \ echo "**** build frontend ****" && \ 
@@ -180,7 +180,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/1ff75bac47ed1db85192b78c7e51212d074f75ec.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/42b3b741da458d8b12ac8b915fa082ebeb4a4c50.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ From 755d61f92074d384975b33bbd23a490a24e6a579 Mon Sep 17 00:00:00 2001 From: thelamer Date: Tue, 30 Sep 2025 13:52:24 -0400 Subject: [PATCH 06/15] bump selkies, build multiple dashboards and support launching with them --- Dockerfile | 34 +++++++++++-------- Dockerfile.aarch64 | 34 +++++++++++-------- root/defaults/default.conf | 8 ++--- root/etc/s6-overlay/s6-rc.d/init-nginx/run | 31 +++++++++++++++-- .../s6-rc.d/init-selkies-config/run | 19 ----------- 5 files changed, 70 insertions(+), 56 deletions(-) diff --git a/Dockerfile b/Dockerfile index 505652ed..2e1df9c7 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -16,24 +16,28 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 42b3b741da458d8b12ac8b915fa082ebeb4a4c50 + git checkout -f 2ffa79c04f1f816bb8713ef49b3f30bf12fc49e6 RUN \ - echo "**** build frontend ****" && \ - cd /src && \ - cd addons/gst-web-core && \ - npm install && \ - npm run build && \ - cp dist/selkies-core.js ../selkies-dashboard/src && \ - cd ../selkies-dashboard && \ + echo "**** build shared core library ****" && \ + cd /src/addons/gst-web-core && \ npm install && \ npm run build && \ - mkdir dist/src dist/nginx && \ - cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \ - cp ../gst-web-core/nginx/* dist/nginx/ && \ - cp -r ../gst-web-core/dist/jsdb dist/ && \ + echo "**** build multiple dashboards ****" && \ + DASHBOARDS="selkies-dashboard selkies-dashboard-zinc" && \ mkdir /buildout && \ - cp -ar dist/* /buildout/ + for DASH in $DASHBOARDS; do \ + cd /src/addons/$DASH && \ + cp ../gst-web-core/dist/selkies-core.js src/ && \ + npm install && \ + npm run build && \ + mkdir -p dist/src dist/nginx && \ + cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \ + cp ../gst-web-core/nginx/* dist/nginx/ && \ + cp -r ../gst-web-core/dist/jsdb dist/ && \ + mkdir -p /buildout/$DASH && \ + cp -ar dist/* /buildout/$DASH/; \ + done # Runtime stage FROM ghcr.io/linuxserver/baseimage-debian:trixie @@ -182,7 +186,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/42b3b741da458d8b12ac8b915fa082ebeb4a4c50.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/2ffa79c04f1f816bb8713ef49b3f30bf12fc49e6.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ @@ -269,7 +273,7 @@ RUN \ # add local files COPY /root / -COPY --from=frontend /buildout /usr/share/selkies/www +COPY --from=frontend /buildout /usr/share/selkies COPY --from=xvfb / / # ports and volumes 
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index efc4414c..a68c451b 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -16,24 +16,28 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 42b3b741da458d8b12ac8b915fa082ebeb4a4c50 + git checkout -f 2ffa79c04f1f816bb8713ef49b3f30bf12fc49e6 RUN \ - echo "**** build frontend ****" && \ - cd /src && \ - cd addons/gst-web-core && \ - npm install && \ - npm run build && \ - cp dist/selkies-core.js ../selkies-dashboard/src && \ - cd ../selkies-dashboard && \ + echo "**** build shared core library ****" && \ + cd /src/addons/gst-web-core && \ npm install && \ npm run build && \ - mkdir dist/src dist/nginx && \ - cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \ - cp ../gst-web-core/nginx/* dist/nginx/ && \ - cp -r ../gst-web-core/dist/jsdb dist/ && \ + echo "**** build multiple dashboards ****" && \ + DASHBOARDS="selkies-dashboard selkies-dashboard-zinc" && \ mkdir /buildout && \ - cp -ar dist/* /buildout/ + for DASH in $DASHBOARDS; do \ + cd /src/addons/$DASH && \ + cp ../gst-web-core/dist/selkies-core.js src/ && \ + npm install && \ + npm run build && \ + mkdir -p dist/src dist/nginx && \ + cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \ + cp ../gst-web-core/nginx/* dist/nginx/ && \ + cp -r ../gst-web-core/dist/jsdb dist/ && \ + mkdir -p /buildout/$DASH && \ + cp -ar dist/* /buildout/$DASH/; \ + done # Runtime stage FROM ghcr.io/linuxserver/baseimage-debian:arm64v8-trixie @@ -180,7 +184,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/42b3b741da458d8b12ac8b915fa082ebeb4a4c50.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/2ffa79c04f1f816bb8713ef49b3f30bf12fc49e6.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ 
@@ -267,7 +271,7 @@ RUN \ # add local files COPY /root / -COPY --from=frontend /buildout /usr/share/selkies/www +COPY --from=frontend /buildout /usr/share/selkies COPY --from=xvfb / / # ports and volumes diff --git a/root/defaults/default.conf b/root/defaults/default.conf index 9b26b937..8a3a686f 100644 --- a/root/defaults/default.conf +++ b/root/defaults/default.conf @@ -4,7 +4,7 @@ server { listen 3000 default_server; listen [::]:3000 default_server; location SUBFOLDER { - alias /usr/share/selkies/www/; + alias /usr/share/selkies/web/; index index.html index.htm; try_files $uri $uri/ =404; } @@ -46,7 +46,7 @@ server { } error_page 500 502 503 504 /50x.html; location = SUBFOLDER50x.html { - root /usr/share/selkies/www/; + root /usr/share/selkies/web/; } } @@ -58,7 +58,7 @@ server { ssl_certificate /config/ssl/cert.pem; ssl_certificate_key /config/ssl/cert.key; location SUBFOLDER { - alias /usr/share/selkies/www/; + alias /usr/share/selkies/web/; index index.html index.htm; try_files $uri $uri/ =404; } @@ -100,7 +100,7 @@ server { } error_page 500 502 503 504 /50x.html; location = SUBFOLDER50x.html { - root /usr/share/selkies/www/; + root /usr/share/selkies/web/; } } diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx/run b/root/etc/s6-overlay/s6-rc.d/init-nginx/run index cf557044..f5755b9f 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-nginx/run +++ b/root/etc/s6-overlay/s6-rc.d/init-nginx/run @@ -10,6 +10,7 @@ CWS="${CUSTOM_WS_PORT:-8082}" CUSER="${CUSTOM_USER:-abc}" SFOLDER="${SUBFOLDER:-/}" FILE_MANAGER_PATH="${FILE_MANAGER_PATH:-$HOME/Desktop}" +DASHBOARD="${DASHBOARD:-selkies-dashboard}" # create self signed cert if [ ! -f "/config/ssl/cert.pem" ]; then 
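Review bot: `DASHBOARD="${DASHBOARD:-selkies-dashboard}"` is used later as a path component in `rm -Rf` and `cp -a` under `/usr/share/selkies` without any validation, so a typo or a value that was not built leaves `/usr/share/selkies/web` missing and the UI returns 404 with no useful log line. Check the value against the names the Dockerfile actually builds (`DASHBOARDS="selkies-dashboard selkies-dashboard-zinc"`), reject anything containing `/`, and fall back to the default with a logged warning.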
@@ -30,7 +31,6 @@ sed -i "s/3001/$CHPORT/g" ${NGINX_CONFIG} sed -i "s/CWS/$CWS/g" ${NGINX_CONFIG} sed -i "s|SUBFOLDER|$SFOLDER|g" ${NGINX_CONFIG} sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" ${NGINX_CONFIG} -sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" /usr/share/selkies/www/nginx/footer.html s6-setuidgid abc mkdir -p $HOME/Desktop if [ ! -z ${DISABLE_IPV6+x} ]; then sed -i '/listen \[::\]/d' ${NGINX_CONFIG} @@ -46,7 +46,32 @@ if [ ! -z ${DEV_MODE+x} ]; then ${NGINX_CONFIG} fi -# copy favicon +# set dashboard and icon +rm -Rf \ + /usr/share/selkies/web +cp -a \ + /usr/share/selkies/$DASHBOARD \ + /usr/share/selkies/web +sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" /usr/share/selkies/web/nginx/footer.html cp \ /usr/share/selkies/www/icon.png \ - /usr/share/selkies/www/favicon.ico + /usr/share/selkies/$DASHBOARD/favicon.ico \ + /usr/share/selkies/$DASHBOARD/icon.png +# manifest creation +echo "{ + \"name\": \"${TITLE}\", + \"short_name\": \"${TITLE}\", + \"manifest_version\": 2, + \"version\": \"1.0.0\", + \"display\": \"fullscreen\", + \"background_color\": \"#000000\", + \"theme_color\": \"#000000\", + \"icons\": [ + { + \"src\": \"icon.png\", + \"type\": \"image/png\", + \"sizes\": \"180x180\" + } + ], + \"start_url\": \"/\" +}" > /usr/share/selkies/web/manifest.json diff --git a/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run b/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run index 3a0fd72b..ee31f48a 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-selkies-config/run 
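Review bot: in the "set dashboard and icon" hunk the copy `cp /usr/share/selkies/www/icon.png /usr/share/selkies/$DASHBOARD/favicon.ico /usr/share/selkies/$DASHBOARD/icon.png` passes three arguments, which cp treats as "copy two files into the directory named by the last argument" and fails because that is a file path; it also writes into the `$DASHBOARD` source tree after `cp -a ... /usr/share/selkies/web` has already run, so `web/` never receives the icons. Split it into two cp calls targeting `/usr/share/selkies/web/`. The manifest block moved into this file still interpolates `${TITLE}` raw inside JSON string literals, so a title containing `"` or `\` yields an invalid manifest.json; escape those characters before substituting.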
@@ -214,22 +214,3 @@ mknod /dev/input/event1001 c 13 1065 mknod /dev/input/event1002 c 13 1066 mknod /dev/input/event1003 c 13 1067 chmod 777 /dev/input/js* /dev/input/event* /tmp/selkies* - -# manifest creation -echo "{ - \"name\": \"${TITLE}\", - \"short_name\": \"${TITLE}\", - \"manifest_version\": 2, - \"version\": \"1.0.0\", - \"display\": \"fullscreen\", - \"background_color\": \"#000000\", - \"theme_color\": \"#000000\", - \"icons\": [ - { - \"src\": \"icon.png\", - \"type\": \"image/png\", - \"sizes\": \"180x180\" - } - ], - \"start_url\": \"/\" -}" > /usr/share/selkies/www/manifest.json From 054f376b798b1c815f8c93491abf936e0b5bad3e Mon Sep 17 00:00:00 2001 From: thelamer Date: Tue, 30 Sep 2025 14:36:56 -0400 Subject: [PATCH 07/15] bump selkies --- Dockerfile | 4 ++-- Dockerfile.aarch64 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2e1df9c7..22cdd5c4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 2ffa79c04f1f816bb8713ef49b3f30bf12fc49e6 + git checkout -f d58b5363bade194322e24fa9fbd1294e13dddbce RUN \ echo "**** build shared core library ****" && \ @@ -186,7 +186,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/2ffa79c04f1f816bb8713ef49b3f30bf12fc49e6.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/d58b5363bade194322e24fa9fbd1294e13dddbce.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index a68c451b..1ae6bccb 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
@@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 2ffa79c04f1f816bb8713ef49b3f30bf12fc49e6 + git checkout -f d58b5363bade194322e24fa9fbd1294e13dddbce RUN \ echo "**** build shared core library ****" && \ @@ -184,7 +184,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/2ffa79c04f1f816bb8713ef49b3f30bf12fc49e6.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/d58b5363bade194322e24fa9fbd1294e13dddbce.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ From 3467e5199efc1630c3113e1d0a53d45f8589836b Mon Sep 17 00:00:00 2001 From: thelamer Date: Tue, 30 Sep 2025 14:58:09 -0400 Subject: [PATCH 08/15] bump selkies --- Dockerfile | 4 ++-- Dockerfile.aarch64 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 22cdd5c4..0e22d75a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f d58b5363bade194322e24fa9fbd1294e13dddbce + git checkout -f 24757f43406424f5a7e2c8ea8c5b8b1ec6fe1866 RUN \ echo "**** build shared core library ****" && \ @@ -186,7 +186,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/d58b5363bade194322e24fa9fbd1294e13dddbce.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/24757f43406424f5a7e2c8ea8c5b8b1ec6fe1866.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 1ae6bccb..345acee4 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
@@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f d58b5363bade194322e24fa9fbd1294e13dddbce + git checkout -f 24757f43406424f5a7e2c8ea8c5b8b1ec6fe1866 RUN \ echo "**** build shared core library ****" && \ @@ -184,7 +184,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/d58b5363bade194322e24fa9fbd1294e13dddbce.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/24757f43406424f5a7e2c8ea8c5b8b1ec6fe1866.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ From aae7f8a738dde09f8900f084b9ece65fe630dff3 Mon Sep 17 00:00:00 2001 From: thelamer Date: Tue, 30 Sep 2025 16:32:45 -0400 Subject: [PATCH 09/15] bump selkies --- Dockerfile | 4 ++-- Dockerfile.aarch64 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0e22d75a..74eafcb2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 24757f43406424f5a7e2c8ea8c5b8b1ec6fe1866 + git checkout -f 5775a7dc3d55c140887ead0738c575ad21b0f94c RUN \ echo "**** build shared core library ****" && \ @@ -186,7 +186,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/24757f43406424f5a7e2c8ea8c5b8b1ec6fe1866.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/5775a7dc3d55c140887ead0738c575ad21b0f94c.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 345acee4..93aa06e4 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
@@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 24757f43406424f5a7e2c8ea8c5b8b1ec6fe1866 + git checkout -f 5775a7dc3d55c140887ead0738c575ad21b0f94c RUN \ echo "**** build shared core library ****" && \ @@ -184,7 +184,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/24757f43406424f5a7e2c8ea8c5b8b1ec6fe1866.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/5775a7dc3d55c140887ead0738c575ad21b0f94c.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ From 42a56c457d1bd63af3c41fbe99f5f875bc202965 Mon Sep 17 00:00:00 2001 From: thelamer Date: Tue, 30 Sep 2025 20:22:11 -0400 Subject: [PATCH 10/15] bump selkies --- Dockerfile | 4 ++-- Dockerfile.aarch64 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 74eafcb2..b7e1ca24 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 5775a7dc3d55c140887ead0738c575ad21b0f94c + git checkout -f 7cf9ad486b370d856a721a4dc2cc6c7a7823cb74 RUN \ echo "**** build shared core library ****" && \ @@ -186,7 +186,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/5775a7dc3d55c140887ead0738c575ad21b0f94c.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/7cf9ad486b370d856a721a4dc2cc6c7a7823cb74.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 93aa06e4..d7c94b65 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
@@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 5775a7dc3d55c140887ead0738c575ad21b0f94c + git checkout -f 7cf9ad486b370d856a721a4dc2cc6c7a7823cb74 RUN \ echo "**** build shared core library ****" && \ @@ -184,7 +184,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/5775a7dc3d55c140887ead0738c575ad21b0f94c.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/7cf9ad486b370d856a721a4dc2cc6c7a7823cb74.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ From 1fce8da4d056f57482ba44dc8a1b6b304d0dd5fd Mon Sep 17 00:00:00 2001 From: thelamer Date: Wed, 1 Oct 2025 10:34:14 -0400 Subject: [PATCH 11/15] bump selkies, block downloads properly, fix icon copies, make sure downloads are not rendered in browser --- Dockerfile | 4 ++-- Dockerfile.aarch64 | 4 ++-- root/defaults/default.conf | 8 ++++++++ root/etc/s6-overlay/s6-rc.d/init-nginx/run | 13 ++++++++++--- 4 files changed, 22 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index b7e1ca24..9b2a5f89 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 7cf9ad486b370d856a721a4dc2cc6c7a7823cb74 + git checkout -f f143e7b8006d98e4bea47f39ebb5e1b3053f34f4 RUN \ echo "**** build shared core library ****" && \ @@ -186,7 +186,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/7cf9ad486b370d856a721a4dc2cc6c7a7823cb74.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/f143e7b8006d98e4bea47f39ebb5e1b3053f34f4.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index d7c94b65..5c481c03 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
@@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f 7cf9ad486b370d856a721a4dc2cc6c7a7823cb74 + git checkout -f f143e7b8006d98e4bea47f39ebb5e1b3053f34f4 RUN \ echo "**** build shared core library ****" && \ @@ -184,7 +184,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/7cf9ad486b370d856a721a4dc2cc6c7a7823cb74.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/f143e7b8006d98e4bea47f39ebb5e1b3053f34f4.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/root/defaults/default.conf b/root/defaults/default.conf index 8a3a686f..2b6258af 100644 --- a/root/defaults/default.conf +++ b/root/defaults/default.conf @@ -43,6 +43,10 @@ server { fancyindex_footer SUBFOLDERnginx/footer.html; fancyindex_header SUBFOLDERnginx/header.html; alias REPLACE_DOWNLOADS_PATH/; + if (-f $request_filename) { + add_header Content-Disposition "attachment"; + add_header X-Content-Type-Options "nosniff"; + } } error_page 500 502 503 504 /50x.html; location = SUBFOLDER50x.html { @@ -97,6 +101,10 @@ server { fancyindex_footer SUBFOLDERnginx/footer.html; fancyindex_header SUBFOLDERnginx/header.html; alias REPLACE_DOWNLOADS_PATH/; + if (-f $request_filename) { + add_header Content-Disposition "attachment"; + add_header X-Content-Type-Options "nosniff"; + } } error_page 500 502 503 504 /50x.html; location = SUBFOLDER50x.html { diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx/run b/root/etc/s6-overlay/s6-rc.d/init-nginx/run index f5755b9f..05be0d29 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-nginx/run +++ b/root/etc/s6-overlay/s6-rc.d/init-nginx/run 
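Review bot: in the two default.conf hunks, the `add_header` directives inside `if (-f $request_filename) { ... }` replace rather than extend any `add_header` set at the enclosing `location` or `server` level (nginx inherits `add_header` from the previous level only when the current level defines none), so any headers configured on the server block will be missing on exactly the file-download responses this block is meant to harden; restate the ones that matter inside the `if`. The `Content-Disposition "attachment"` plus `X-Content-Type-Options "nosniff"` pair does achieve the stated goal of keeping uploaded files (for example HTML) from being rendered in the application's origin. Since the identical block is pasted into both server blocks, consider moving it to a snippet pulled in with `include` so the two copies cannot diverge.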
@@ -11,6 +11,8 @@ CUSER="${CUSTOM_USER:-abc}" SFOLDER="${SUBFOLDER:-/}" FILE_MANAGER_PATH="${FILE_MANAGER_PATH:-$HOME/Desktop}" DASHBOARD="${DASHBOARD:-selkies-dashboard}" +SELKIES_FILE_TRANSFERS="${SELKIES_FILE_TRANSFERS:-upload,download}" +HARDEN_DESKTOP="${HARDEN_DESKTOP:-false}" # create self signed cert if [ ! -f "/config/ssl/cert.pem" ]; then @@ -31,7 +33,10 @@ sed -i "s/3001/$CHPORT/g" ${NGINX_CONFIG} sed -i "s/CWS/$CWS/g" ${NGINX_CONFIG} sed -i "s|SUBFOLDER|$SFOLDER|g" ${NGINX_CONFIG} sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" ${NGINX_CONFIG} -s6-setuidgid abc mkdir -p $HOME/Desktop +s6-setuidgid abc mkdir -p ${FILE_MANAGER_PATH} +if [[ $SELKIES_FILE_TRANSFERS != *"download"* ]] || [[ ${HARDEN_DESKTOP,,} == "true" ]]; then + sed -i '/files {/,/}/d' ${NGINX_CONFIG} +fi if [ ! -z ${DISABLE_IPV6+x} ]; then sed -i '/listen \[::\]/d' ${NGINX_CONFIG} fi @@ -55,8 +60,10 @@ cp -a \ sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" /usr/share/selkies/web/nginx/footer.html cp \ /usr/share/selkies/www/icon.png \ - /usr/share/selkies/$DASHBOARD/favicon.ico \ - /usr/share/selkies/$DASHBOARD/icon.png + /usr/share/selkies/web/favicon.ico +cp \ + /usr/share/selkies/www/icon.png \ + /usr/share/selkies/web/icon.png # manifest creation echo "{ \"name\": \"${TITLE}\", From 3e93e7d28c03540005513fafb4719df4c1e23a40 Mon Sep 17 00:00:00 2001 From: thelamer Date: Wed, 1 Oct 2025 12:12:03 -0400 Subject: [PATCH 12/15] fix openbox restarts or replac --- Dockerfile | 3 +++ Dockerfile.aarch64 | 3 +++ root/etc/s6-overlay/s6-rc.d/svc-de/run | 8 +++++--- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9b2a5f89..cc6f8f62 100644 --- a/Dockerfile +++ b/Dockerfile 
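Review bot: in the init-nginx/run hunk, `sed -i '/files {/,/}/d' ${NGINX_CONFIG}` ends its range at the first line matching `}`, and after this same patch's default.conf change that is the closing brace of the inner `if (-f $request_filename) { ... }` block, not the closing brace of the `files` location; the rest of the location block is left behind and nginx will fail to parse the config whenever downloads are disabled or `HARDEN_DESKTOP=true`, which is the hardened path. End the range on the location's own closing brace, or better, move the files block into its own include file and delete the `include` line instead, so the deletion does not depend on brace matching or indentation.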
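Review bot: `s6-setuidgid abc mkdir -p ${FILE_MANAGER_PATH}` and the `sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g"` substitutions take an operator-supplied path unquoted: a value containing whitespace splits into several `mkdir` arguments, and a value containing `|` breaks the sed expression. Quote the expansion (`"${FILE_MANAGER_PATH}"`) and either escape the sed delimiter in the value or reject values containing it up front. The favicon/icon fix in the last hunk is correct: the old single `cp` with two destinations would only have worked if the last argument were a directory.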
@@ -229,6 +229,9 @@ RUN \ -e 's|| \n|' \ -e 's|4|1|' \ /etc/xdg/openbox/rc.xml && \ + sed -i \ + 's/--startup/--replace --startup/g' \ + /usr/bin/openbox-session && \ echo "**** user perms ****" && \ sed -e 's/%sudo ALL=(ALL:ALL) ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' \ -i /etc/sudoers && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 5c481c03..92efdb69 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -227,6 +227,9 @@ RUN \ -e 's|| \n|' \ -e 's|4|1|' \ /etc/xdg/openbox/rc.xml && \ + sed -i \ + 's/--startup/--replace --startup/g' \ + /usr/bin/openbox-session && \ echo "**** user perms ****" && \ sed -e 's/%sudo ALL=(ALL:ALL) ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' \ -i /etc/sudoers && \ diff --git a/root/etc/s6-overlay/s6-rc.d/svc-de/run b/root/etc/s6-overlay/s6-rc.d/svc-de/run index 43c32f32..fa5f3e19 100755 --- a/root/etc/s6-overlay/s6-rc.d/svc-de/run +++ b/root/etc/s6-overlay/s6-rc.d/svc-de/run @@ -9,9 +9,11 @@ while true; do done # set sane resolution before starting apps -s6-setuidgid abc xrandr --newmode "1024x768" 63.50 1024 1072 1176 1328 768 771 775 798 -hsync +vsync -s6-setuidgid abc xrandr --addmode screen "1024x768" -s6-setuidgid abc xrandr --output screen --mode "1024x768" --dpi 96 +if ! s6-setuidgid abc xrandr | grep -q "1024x768"; then + s6-setuidgid abc xrandr --newmode "1024x768" 63.50 1024 1072 1176 1328 768 771 775 798 -hsync +vsync + s6-setuidgid abc xrandr --addmode screen "1024x768" + s6-setuidgid abc xrandr --output screen --mode "1024x768" --dpi 96 +fi # set xresources if [ -f "${HOME}/.Xresources" ]; then From 379ec625203529af014e9e6ca7d0040779195438 Mon Sep 17 00:00:00 2001 From: thelamer Date: Wed, 1 Oct 2025 12:57:10 -0400 Subject: [PATCH 13/15] add all dashboards and build properly --- Dockerfile | 7 ++++--- Dockerfile.aarch64 | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index cc6f8f62..9689d800 100644 --- a/Dockerfile +++ b/Dockerfile 
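Review bot: in the svc-de/run hunk, the `xrandr | grep -q "1024x768"` guard correctly avoids the `--newmode` failure on service restart, but it also skips the `--output screen --mode "1024x768" --dpi 96` step once the mode exists, so a restart after the user has changed resolution no longer resets to the sane default; if that is intended, a comment saying so would help, otherwise keep the `--newmode`/`--addmode` lines inside the `if` and move the `--output` line after it. Note that `! s6-setuidgid abc xrandr | grep -q ...` negates the pipeline's status, which is grep's, so the test behaves as intended.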
@@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f f143e7b8006d98e4bea47f39ebb5e1b3053f34f4 + git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f RUN \ echo "**** build shared core library ****" && \ @@ -24,7 +24,7 @@ RUN \ npm install && \ npm run build && \ echo "**** build multiple dashboards ****" && \ - DASHBOARDS="selkies-dashboard selkies-dashboard-zinc" && \ + DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \ mkdir /buildout && \ for DASH in $DASHBOARDS; do \ cd /src/addons/$DASH && \ @@ -32,6 +32,7 @@ RUN \ npm install && \ npm run build && \ mkdir -p dist/src dist/nginx && \ + cp ../gst-web-core/dist/selkies-core.js dist/src/ && \ cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \ cp ../gst-web-core/nginx/* dist/nginx/ && \ cp -r ../gst-web-core/dist/jsdb dist/ && \ @@ -186,7 +187,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/f143e7b8006d98e4bea47f39ebb5e1b3053f34f4.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 92efdb69..0a8ac403 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -16,7 +16,7 @@ RUN \ https://github.com/selkies-project/selkies.git \ /src && \ cd /src && \ - git checkout -f f143e7b8006d98e4bea47f39ebb5e1b3053f34f4 + git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f RUN \ echo "**** build shared core library ****" && \ 
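Review bot: in the dashboards hunk, the per-dashboard commands inside `for DASH in $DASHBOARDS; do` are chained with `&&` (`cd /src/addons/$DASH && \ npm install && \ npm run build && \ ...`), so a failure while building one dashboard only short-circuits that iteration; the `RUN` step fails only if the last dashboard in the list fails. With `selkies-dashboard-wish` newly added, a missing directory or broken build for an earlier entry would produce an image that silently lacks that dashboard. Terminate the chain with `|| exit 1`, or set `SHELL ["/bin/bash", "-e", "-c"]` for the build stage.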
@@ -24,7 +24,7 @@ RUN \ npm install && \ npm run build && \ echo "**** build multiple dashboards ****" && \ - DASHBOARDS="selkies-dashboard selkies-dashboard-zinc" && \ + DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \ mkdir /buildout && \ for DASH in $DASHBOARDS; do \ cd /src/addons/$DASH && \ @@ -32,6 +32,7 @@ RUN \ npm install && \ npm run build && \ mkdir -p dist/src dist/nginx && \ + cp ../gst-web-core/dist/selkies-core.js dist/src/ && \ cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \ cp ../gst-web-core/nginx/* dist/nginx/ && \ cp -r ../gst-web-core/dist/jsdb dist/ && \ @@ -184,7 +185,7 @@ RUN \ | awk '/tag_name/{print $4;exit}' FS='[""]') && \ curl -o \ /tmp/selkies.tar.gz -L \ - "https://github.com/selkies-project/selkies/archive/f143e7b8006d98e4bea47f39ebb5e1b3053f34f4.tar.gz" && \ + "https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \ cd /tmp && \ tar xf selkies.tar.gz && \ cd selkies-* && \ From 641609d8011446613f337d71f6771ea3d17abbe5 Mon Sep 17 00:00:00 2001 From: thelamer Date: Wed, 1 Oct 2025 16:27:02 -0400 Subject: [PATCH 14/15] replace syntax to pull files block --- root/etc/s6-overlay/s6-rc.d/init-nginx/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-nginx/run b/root/etc/s6-overlay/s6-rc.d/init-nginx/run index 05be0d29..e1eaed6f 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-nginx/run +++ b/root/etc/s6-overlay/s6-rc.d/init-nginx/run @@ -35,7 +35,7 @@ sed -i "s|SUBFOLDER|$SFOLDER|g" ${NGINX_CONFIG} sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" ${NGINX_CONFIG} s6-setuidgid abc mkdir -p ${FILE_MANAGER_PATH} if [[ $SELKIES_FILE_TRANSFERS != *"download"* ]] || [[ ${HARDEN_DESKTOP,,} == "true" ]]; then - sed -i '/files {/,/}/d' ${NGINX_CONFIG} + sed -i '/files {/,/^ }/d' ${NGINX_CONFIG} fi if [ ! -z ${DISABLE_IPV6+x} ]; then sed -i '/listen \[::\]/d' ${NGINX_CONFIG} 
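Review bot: the PATCH 14 change to `sed -i '/files {/,/^ }/d' ${NGINX_CONFIG}` fixes the range ending at the inner `if` block's brace, but the new end pattern `^ }` is anchored to the exact indentation of the location's closing brace in default.conf, so a reformat of the config (or a differently indented inner block) will silently reintroduce the partial deletion. Since `sed` ranges restart after each match, both server blocks are handled, which is correct; to make it robust, bracket the block with marker comments and delete between them, or move it to a separate file and remove its `include` line.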
From 815c2a37f00c0150443babc480863a1ca38eacc4 Mon Sep 17 00:00:00 2001 From: thelamer Date: Thu, 2 Oct 2025 10:42:57 -0400 Subject: [PATCH 15/15] add nvidia linking #91 --- root/etc/s6-overlay/s6-rc.d/init-video/run | 51 ++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/root/etc/s6-overlay/s6-rc.d/init-video/run b/root/etc/s6-overlay/s6-rc.d/init-video/run index aaf9dfd7..82213b08 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-video/run +++ b/root/etc/s6-overlay/s6-rc.d/init-video/run 
@@ -33,3 +33,54 @@ do fi fi done + +# check if nvidia gpu is present +if which nvidia-smi > /dev/null 2>&1 && ls -A /dev/dri 2>/dev/null; then + # nvidia-container-toolkit may not place files correctly, so we set them up here + echo "**** NVIDIA GPU detected ****" + OPENCL_ICDS=$(find /etc/OpenCL/vendors -name '*nvidia*.icd' 2>/dev/null) + # if no opencl icd found + if [ -z "${OPENCL_ICDS}" ]; then + echo "**** Setting up OpenCL ICD for NVIDIA ****" + mkdir -pm755 /etc/OpenCL/vendors/ + echo "libnvidia-opencl.so.1" > /etc/OpenCL/vendors/nvidia.icd + fi + # find vulkan icds + ICDS=$(find /usr/share/vulkan/icd.d /etc/vulkan/icd.d -name '*nvidia*.json' 2>/dev/null) + # if no icd found + if [ -z "${ICDS}" ]; then + echo "**** Setting up Vulkan ICD for NVIDIA ****" + # get vulkan api version + VULKAN_API_VERSION=$(ldconfig -p | grep "libvulkan.so" | awk '{print $NF}' | xargs readlink | grep -oE "[0-9]+\.[0-9]+\.[0-9]+") + # Fallback if pipeline fails + if [ -z "${VULKAN_API_VERSION}" ]; then + # version 1.1 or greater allows vulkan-loader to load the driver's dynamic library + VULKAN_API_VERSION="1.1.0" + fi + mkdir -pm755 /etc/vulkan/icd.d/ + cat > /etc/vulkan/icd.d/nvidia_icd.json << EOF +{ + "file_format_version" : "1.0.0", + "ICD": { + "library_path": "libGLX_nvidia.so.0", + "api_version" : "${VULKAN_API_VERSION}" + } +} +EOF + fi + # find glvnd egl_vendor files + EGLS=$(find /usr/share/glvnd/egl_vendor.d /etc/glvnd/egl_vendor.d -name '*nvidia*.json' 2>/dev/null) + # if no egl_vendor file found + if [ -z "${EGLS}" ]; then + echo "**** Setting up EGL vendor file for NVIDIA ****" + mkdir -pm755 /etc/glvnd/egl_vendor.d/ + cat > /etc/glvnd/egl_vendor.d/10_nvidia.json << EOF +{ + "file_format_version" : "1.0.0", + "ICD": { + "library_path": "libEGL_nvidia.so.0" + } +} +EOF + fi +fi
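Review bot: the detection condition `which nvidia-smi > /dev/null 2>&1 && ls -A /dev/dri 2>/dev/null` does not test what the comment says: `ls -A` exits 0 whenever /dev/dri exists, even when it is empty, and its listing is written to the service log on every start. Use `[ -n "$(ls -A /dev/dri 2>/dev/null)" ]` to require actual device nodes, and prefer `command -v nvidia-smi` over `which`, which is not guaranteed to be present in minimal images. The ICD/EGL vendor files are only written when `find` locates none, so files bind-mounted read-only by nvidia-container-toolkit are left alone, and the `1.1.0` fallback for `VULKAN_API_VERSION` is a sensible floor; the heredoc `EOF` terminators are at column 0 as required.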