
Commit f5c6ee4

rspierandk
authored andcommitted
bootstrap-root: Cleanups for a lighter weight Docker environment.
- don't install recommended packages - support not configuring certbot - make firewall setup optional - don't recreate users if they already exist - chown the whole data directory contents, not just the directory itself - don't recreate the homedir if it already exists
1 parent 837d5e0 commit f5c6ee4


1 file changed

+31
-23
lines changed


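--- a/bootstrap/selfconfig-root
+++ b/bootstrap/selfconfig-root
@@ -77,7 +77,7 @@ my @required_debs = qw(
 zlib1g-dev
 );
 
-run_cmd(qw(apt-get -o DPkg::Lock::Timeout=60 install -y), @required_debs);
+run_cmd(qw(apt-get --no-install-recommends -o DPkg::Lock::Timeout=60 install -y), @required_debs);
 
 # Some packages we just don't want.
 my @unwanted_debs = qw(
@@ -98,8 +98,10 @@ my ($opt, $usage) = Getopt::Long::Descriptive::describe_options(
 [ 'repo-user=s', "which GitHub user's pause.git to clone", { default => 'andk' } ],
 [ 'repo-branch=s', "which branch to clone for the repo", { default => 'master' } ],
 [],
-[ 'certbot-staging|C', 'use the staging version of certbot' ],
+[ 'certbot-staging|C', 'use the staging version of certbot'. { implies => { 'enable-certbot' => 1}}],
+[ 'enable-certbot=i', 'enable certbot', {default => 1}],
 [],
+[ 'enable-ufw=i', 'enable ufw', {default => 1}],
 [ "enable-mail|m", "enable working postfix config", ],
 [ 'relay-host=s', "relay host for smtp" ],
 [ 'relay-port=s', "relay port for smtp" ],
@@ -127,9 +129,10 @@ my $admin_user = uc $opt->user;
 my $admin_pass = $opt->pass;
 
 # The --comment is here to suppress prompting for name, confirmation, etc.
-run_cmd(qw(adduser pause --disabled-password --comment), 'PAUSE User');
-run_cmd(qw(adduser unsafe --disabled-password --comment), 'PAUSE Unsafe');
-
+run_cmd(qw(adduser pause --disabled-password --comment), 'PAUSE User')
+unless getpwnam('pause');
+run_cmd(qw(adduser unsafe --disabled-password --comment), 'PAUSE Unsafe')
+unless getpwnam('unsafe');
 if ($opt->plenv_url) {
 run_cmd('curl', $opt->plenv_url, '--output', '/tmp/plenv-tarball.tar.bz2');
 }
@@ -140,6 +143,7 @@ Path::Tiny::path("/data/mysql")->mkdir;
 
 Path::Tiny::path("/data/pause")->mkdir;
 run_cmd("chown", "pause:", "/data/pause");
+run_cmd("chown", "-R", "pause:", "/home/pause");
 
 if (-e "/usr/sbin/lvcreate" && $opt->volume_group) {
 my $vg = $opt->volume_group;
@@ -166,7 +170,7 @@ Path::Tiny::path("/data/mysql/mysql")->mkdir;
 run_cmd(qw(ln -s /data/mysql/mysql /var/lib/mysql));
 
 # Mariadb has to be installed _after_ partitioning.
-run_cmd(qw(apt-get -o DPkg::Lock::Timeout=60 install -y),
+run_cmd(qw(apt-get --no-install-recommends -o DPkg::Lock::Timeout=60 install -y),
 qw(
 mariadb-server
 libmariadb-dev-compat
@@ -195,7 +199,7 @@ Path::Tiny::path("/etc/mysql/conf.d/mysql.cnf")->append(<<~EOF);
 
 run_cmd(qw(/etc/init.d/mariadb restart));
 
-{
+if (! -e "/home/pause/pause") {
 my $user = $opt->repo_user;
 
 run_cmd(
@@ -314,24 +318,28 @@ symlink("/etc/nginx/sites-available/$hostname", "/etc/nginx/sites-enabled/$hostn
 or die "can't symlink nginx conf: $!";
 
 # Firewall config
-run_cmd(qw(ufw allow http));
-run_cmd(qw(ufw allow https));
-run_cmd(qw(ufw allow rsync));
-run_cmd(qw(ufw allow ssh));
-run_cmd(qw(ufw --force enable));
+if ($opt->enable_ufw) {
+run_cmd(qw(ufw allow http));
+run_cmd(qw(ufw allow https));
+run_cmd(qw(ufw allow rsync));
+run_cmd(qw(ufw allow ssh));
+run_cmd(qw(ufw --force enable));
+}
 
 # Install ssl cert
-run_cmd(
-qw(sudo certbot --nginx -d),
-$hostname,
-qw(--agree-tos -n --email [email protected]),
-
-# This will use the staging server, which can be used to make lots more
-# certificates that usual, but they aren't trusted.
-($opt->certbot_staging
-? ( qw( --server https://acme-staging-v02.api.letsencrypt.org/directory ) )
-: ()),
-);
+if ($opt->enable_certbot) {
+run_cmd(
+qw(sudo certbot --nginx -d),
+$hostname,
+qw(--agree-tos -n --email [email protected]),
+
+# This will use the staging server, which can be used to make lots more
+# certificates that usual, but they aren't trusted.
+($opt->certbot_staging
+? ( qw( --server https://acme-staging-v02.api.letsencrypt.org/directory ) )
+: ()),
+);
+}
 
 Path::Tiny::path("/home/pause/pause/etc/rsyncd.conf")->copy("/etc/rsyncd.conf");
 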
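Review bot: The new `certbot-staging|C` spec in the second hunk (line 101 on the new side) joins the description and the option hashref with `.` instead of `,`, so Perl concatenates the string with the stringified hashref rather than passing `{ implies => ... }` as the spec's third element; the `implies` is silently lost and the help text will carry a `HASH(0x...)` suffix. With `enable-certbot` defaulting to 1 this only bites when someone passes `--enable-certbot=0 --certbot-staging`, which is presumably the case `implies` was meant to cover. The line should read `[ 'certbot-staging|C', 'use the staging version of certbot', { implies => { 'enable-certbot' => 1 } } ],`. The enclosing `describe_options` call starts and ends outside the hunk.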