Use ne wbuild format for crowdsec bouncer

LePresidente · LePresidente · commit a39db9332683 · 2023-03-20T08:47:26.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -67,25 +67,6 @@ RUN xx-verify /tmp/go/bin/bcrypt-tool
 COPY --from=upx /usr/bin/upx /usr/bin/upx
 RUN upx /tmp/go/bin/bcrypt-tool
 
-# Install Crowdsec OpenResty Bouncer.
-RUN \
-    # Install packages needed by the build.
-    add-pkg --virtual build-dependencies \
-        gettext \
-        && \
-    # Download the Crowdsec OpenResty Bouncer package.
-    echo "Downloading Crowdsec Openresty Bouncer package..." && \
-    mkdir crowdsec-openresty-bouncer && \
-    curl -# -L ${CROWDSEC_OPENRESTY_BOUNCER_URL} | tar xz --strip 1 -C crowdsec-openresty-bouncer && \
-    # Deploy Crowdsec Openresty Bouncer.
-    echo "Deploy Crowdsec Openresty Bouncer.." && \
-    cd /tmp/crowdsec-openresty-bouncer && \
-    bash ./install.sh --NGINX_CONF_DIR=/etc/nginx/conf.d --LIB_PATH=/var/lib/nginx/lualib --CONFIG_PATH=/defaults/crowdsec/ --DATA_PATH=/defaults/crowdsec/ --SSL_CERTS_PATH=/etc/ssl/certs/ca-cert-GTS_Root_R1.pem --docker && \
-    sed-patch 's|ENABLED=.*|ENABLED=false|' /defaults/crowdsec/crowdsec-openresty-bouncer.conf && \
-    # Cleanup.
-    del-pkg build-dependencies && \
-    rm -rf /tmp/* /tmp/.[!.]*
-
 # Build certbot.
 FROM alpine:3.16 AS certbot
 COPY --from=mod_cryptography / /wheels
@@ -99,6 +80,14 @@ RUN \
     find /tmp/certbot-install/usr/lib/python3.10/site-packages -type f -name "*.exe" -delete && \
     find /tmp/certbot-install/usr/lib/python3.10/site-packages -type d -name tests -print0 | xargs -0 rm -r
 
+# Build cs-openresty-boucner.
+FROM alpine:3.16 AS cs-openresty-bouncer
+ARG TARGETPLATFORM
+ARG CROWDSEC_OPENRESTY_BOUNCER_URL
+COPY --from=xx / /
+COPY src/cs-openresty-bouncer /build
+RUN /build/build.sh "$CROWDSEC_OPENRESTY_BOUNCER_URL"
+
 # Pull base image.
 FROM jlesage/baseimage:alpine-3.16-v3.4.6
 
@@ -130,197 +119,17 @@ RUN \
     #       Certbot plugins. Thus, we need to manually install pip (with its
     #       built-in dependencies).  See:
     #       https://pip.pypa.io/en/stable/development/vendoring-policy/
-    curl -# -L "https://bootstrap.pypa.io/get-pip.py" | python3 && \
-    # Then install certbot.
-    CARGO_HOME=/tmp/.cargo pip install --no-cache-dir --prefix=/usr certbot && \
-    find /usr/lib/python3.9/site-packages -type f -name "*.so" -exec strip {} ';' && \
-    find /usr/lib/python3.9/site-packages -type f -name "*.h" -delete && \
-    find /usr/lib/python3.9/site-packages -type f -name "*.c" -delete && \
-    find /usr/lib/python3.9/site-packages -type f -name "*.exe" -delete && \
-    find /usr/lib/python3.9/site-packages -type d -name tests -print0 | xargs -0 rm -r && \
-    # Cleanup.
-    del-pkg build-dependencies && \
-    rm -rf /tmp/* /tmp/.[!.]*
-
-# Install Nginx Proxy Manager.
-RUN \
-    # Install packages needed by the build.
-    add-pkg --virtual build-dependencies \
-        build-base \
-        curl \
-        patch \
-        yarn \
-        git \
-        python2 \
-        python3 \
-        npm \
-        bash \
-        && \
-
-    # Install node-prune.
-    echo "Installing node-prune..." && \
-    mkdir /tmp/bin && \
-    curl -sfL https://gobinaries.com/tj/node-prune | PREFIX=/tmp/bin sh && \
-
-    # Download the Nginx Proxy Manager package.
-    echo "Downloading Nginx Proxy Manager package..." && \
-    mkdir nginx-proxy-manager && \
-    curl -# -L ${NGINX_PROXY_MANAGER_URL} | tar xz --strip 1 -C nginx-proxy-manager && \
-
-    sed-patch "s/\"version\": \"0.0.0\",/\"version\": \"${NGINX_PROXY_MANAGER_VERSION}\",/" nginx-proxy-manager/frontend/package.json && \
-    sed-patch "s/\"version\": \"0.0.0\",/\"version\": \"${NGINX_PROXY_MANAGER_VERSION}\",/" nginx-proxy-manager/backend/package.json && \
-
-    cp -r nginx-proxy-manager /app && \
-
-    # Build Nginx Proxy Manager frontend.
-    echo "Building Nginx Proxy Manager frontend..." && \
-    cd /app/frontend && \
-    yarn install && \
-    yarn build && \
-    /tmp/bin/node-prune && \
-    cd /tmp && \
-
-    # Build Nginx Proxy Manager backend.
-    echo "Building Nginx Proxy Manager backend..." && \
-    cd /app/backend && \
-    yarn install --prod && \
-    /tmp/bin/node-prune && \
-    cd /tmp && \
-
-    # Install Nginx Proxy Manager.
-    echo "Installing Nginx Proxy Manager..." && \
-    mkdir -p /opt && \
-    cp -r /app/backend /opt/nginx-proxy-manager && \
-    cp -r /app/frontend/dist /opt/nginx-proxy-manager/frontend && \
-    cp -r /app/global /opt/nginx-proxy-manager && \
-    mkdir /opt/nginx-proxy-manager/bin && \
-    cp -r nginx-proxy-manager/docker/rootfs/bin/handle-ipv6-setting /opt/nginx-proxy-manager/bin/ && \
-    cp -r nginx-proxy-manager/docker/rootfs/etc/nginx /etc/ && \
-    cp -r nginx-proxy-manager/docker/rootfs/var/www /var/ && \
-    cp -r nginx-proxy-manager/docker/rootfs/etc/letsencrypt.ini /etc/ && \
-    cp -r nginx-proxy-manager/docker/rootfs/etc/logrotate.d /etc/ && \
-
-    # Remove the nginx development config.
-    rm /etc/nginx/conf.d/dev.conf && \
-
-    # Change the management interface port to the unprivileged port 8181.
-    sed-patch 's|81 default|8181 default|' /etc/nginx/conf.d/production.conf && \
-
-    # Change the management interface root.
-    sed-patch 's|/app/frontend;|/opt/nginx-proxy-manager/frontend;|' /etc/nginx/conf.d/production.conf && \
-
-    # Change the HTTP port 80 to the unprivileged port 8080.
-    sed-patch 's|80;|8080;|' /etc/nginx/conf.d/default.conf && \
-    sed-patch 's|"80";|"8080";|' /etc/nginx/conf.d/default.conf && \
-    sed-patch 's|listen 80;|listen 8080;|' /opt/nginx-proxy-manager/templates/letsencrypt-request.conf && \
-    sed-patch 's|:80;|:8080;|' /opt/nginx-proxy-manager/templates/letsencrypt-request.conf && \
-    sed-patch 's|listen 80;|listen 8080;|' /opt/nginx-proxy-manager/templates/_listen.conf && \
-    sed-patch 's|:80;|:8080;|' /opt/nginx-proxy-manager/templates/_listen.conf && \
-    sed-patch 's|80 default;|8080 default;|' /opt/nginx-proxy-manager/templates/default.conf && \
-
-    # Change the HTTPs port 443 to the unprivileged port 4443.
-    sed-patch 's|443 |4443 |' /etc/nginx/conf.d/default.conf && \
-    sed-patch 's|"443";|"4443";|' /etc/nginx/conf.d/default.conf && \
-    sed-patch 's|listen 443 |listen 4443 |' /opt/nginx-proxy-manager/templates/_listen.conf && \
-    sed-patch 's|:443 |:4443 |' /opt/nginx-proxy-manager/templates/_listen.conf && \
-    sed-patch 's|:443;|:4443;|' /opt/nginx-proxy-manager/templates/_listen.conf && \
-
-    # Fix nginx test command line.
-    sed-patch 's|-g "error_log off;"||' /opt/nginx-proxy-manager/internal/nginx.js && \
+    curl -# -L "https://bootstrap.pypa.io/get-pip.py" | python3
 
-    # Remove the `user` directive, since we want nginx to run as non-root.
-    sed-patch 's|user root;|#user root;|' /etc/nginx/nginx.conf && \
-
-    # Change client_body_temp_path.
-    sed-patch 's|/tmp/nginx/body|/var/tmp/nginx/body|' /etc/nginx/nginx.conf && \
-
-    # Fix the logrotate config.
-    sed-patch 's|root root|app app|' /etc/logrotate.d/nginx-proxy-manager && \
-    sed-patch 's|/run/nginx.pid|/run/nginx/nginx.pid|' /etc/logrotate.d/nginx-proxy-manager && \
-    sed-patch 's|logrotate /etc/logrotate.d/nginx-proxy-manager|logrotate -s /config/logrotate.status /etc/logrotate.d/nginx-proxy-manager|' /opt/nginx-proxy-manager/setup.js && \
-    sed-patch 's|/data/logs/\*/access.log|/data/logs/access.log|' /etc/logrotate.d/nginx-proxy-manager && \
-    sed-patch 's|/data/logs/\*/error.log|/data/logs/error.log|' /etc/logrotate.d/nginx-proxy-manager && \
-
-    # Redirect `/data' to '/config'.
-    ln -s /config /data && \
-
-    # Make sure the config file for IP ranges is stored in persistent volume.
-    mv /etc/nginx/conf.d/include/ip_ranges.conf /defaults/ && \
-    ln -sf /config/nginx/ip_ranges.conf /etc/nginx/conf.d/include/ip_ranges.conf && \
-
-    # Make sure the config file for resolvers is stored in persistent volume.
-    ln -sf /config/nginx/resolvers.conf /etc/nginx/conf.d/include/resolvers.conf && \
-
-    # Make sure nginx cache is stored on the persistent volume.
-    ln -s /config/nginx/cache /var/lib/nginx/cache && \
-
-    # Make sure the manager config file is stored in persistent volume.
-    rm -r /opt/nginx-proxy-manager/config && \
-    mkdir /opt/nginx-proxy-manager/config && \
-    ln -s /config/production.json /opt/nginx-proxy-manager/config/production.json && \
-
-    # Make sure letsencrypt certificates are stored in persistent volume.
-    ln -s /config/letsencrypt /etc/letsencrypt && \
-
-    # Make sure some default certbot directories are stored in persistent volume.
-    ln -s /config/letsencrypt-workdir /var/lib/letsencrypt && \
-    ln -s /config/log/letsencrypt /var/log/letsencrypt && \
-
-    # Cleanup.
-    del-pkg build-dependencies && \
-    find /opt/nginx-proxy-manager -name "*.h" -delete && \
-    find /opt/nginx-proxy-manager -name "*.cc" -delete && \
-    find /opt/nginx-proxy-manager -name "*.c" -delete && \
-    find /opt/nginx-proxy-manager -name "*.gyp" -delete && \
-    rm -r \
-        /app \
-        /usr/lib/node_modules \
-        && \
-    rm -rf /tmp/* /tmp/.[!.]*
-
-# Install bcrypt-tool.
-RUN \
-    # Install packages needed by the build.
-    add-pkg --virtual build-dependencies \
-        go \
-        upx \
-        git \
-        musl-dev \
-        && \
-COPY --from=nginx /tmp/openresty-install/ /
-COPY --from=npm /tmp/nginx-proxy-manager-install/ /
-COPY --from=bcrypt-tool /tmp/go/bin/bcrypt-tool /usr/bin/
-COPY --from=certbot /tmp/certbot-install/ /
-
-# Set internal environment variables.
-RUN \
-    set-cont-env APP_NAME "Nginx Proxy Manager" && \
-    set-cont-env APP_VERSION "$NGINX_PROXY_MANAGER_VERSION" && \
-    set-cont-env DOCKER_IMAGE_VERSION "$DOCKER_IMAGE_VERSION" && \
-    true
-    # Install packages needed by the build.
-    add-pkg --virtual build-dependencies \
-        gettext \
-        && \
-    # Download the Crowdsec OpenResty Bouncer package.
-    echo "Downloading Crowdsec Openresty Bouncer package..." && \
-    mkdir crowdsec-openresty-bouncer && \
-    curl -# -L ${CROWDSEC_OPENRESTY_BOUNCER_URL} | tar xz --strip 1 -C crowdsec-openresty-bouncer && \
-    # Deploy Crowdsec Openresty Bouncer.
-    echo "Deploy Crowdsec Openresty Bouncer.." && \
-    cd /tmp/crowdsec-openresty-bouncer && \
-    bash ./install.sh --NGINX_CONF_DIR=/etc/nginx/conf.d --LIB_PATH=/var/lib/nginx/lualib --CONFIG_PATH=/defaults/crowdsec/ --DATA_PATH=/defaults/crowdsec/ --SSL_CERTS_PATH=/etc/ssl/certs/ca-cert-GTS_Root_R1.pem --docker && \
-    sed-patch 's|ENABLED=.*|ENABLED=false|' /defaults/crowdsec/crowdsec-openresty-bouncer.conf && \
-    # Cleanup.
-    del-pkg build-dependencies && \
-    rm -rf /tmp/* /tmp/.[!.]*
+    # Install Crowdsec OpenResty Bouncer.
 
 # Add files.
 COPY rootfs/ /
 COPY --from=nginx /tmp/openresty-install/ /
 COPY --from=npm /tmp/nginx-proxy-manager-install/ /
 COPY --from=bcrypt-tool /tmp/go/bin/bcrypt-tool /usr/bin/
 COPY --from=certbot /tmp/certbot-install/ /
+COPY --from=cs-openresty-bouncer /tmp/crowdsec-openresty-bouncer-install/ /
 
 # Set internal environment variables.
 RUN \
@@ -345,4 +154,4 @@ LABEL \
       org.label-schema.description="Docker container for Nginx Proxy Manager" \
       org.label-schema.version="${DOCKER_IMAGE_VERSION:-unknown}" \
       org.label-schema.vcs-url="https://github.com/jlesage/docker-nginx-proxy-manager" \
-      org.label-schema.schema-version="1.0"
+      org.label-schema.schema-version="1.0"
diff --git a/src/cs-openresty-bouncer/build.sh b/src/cs-openresty-bouncer/build.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -e # Exit immediately if a command exits with a non-zero status.
+set -u # Treat unset variables as an error.
+
+log() {
+    echo ">>> $*"
+}
+
+CROWDSEC_OPENRESTY_BOUNCER_URL="${1:-}"
+
+ROOTFS=/tmp/crowdsec-openresty-bouncer-install
+
+if [ -z "$CROWDSEC_OPENRESTY_BOUNCER_URL" ]; then
+    log "ERROR: bcrypt tool version missing."
+    exit 1
+fi
+
+#
+# Install required packages.
+#
+
+apk --no-cache add \
+    build-base \
+    gettext \
+    bash \
+
+#
+# Build.
+#
+
+log "Downloading Crowdsec Openresty Bouncer package..."
+mkdir /tmp/crowdsec-openresty-bouncer
+curl -# -L "${CROWDSEC_OPENRESTY_BOUNCER_URL}" | tar xz --strip 1 -C /tmp/crowdsec-openresty-bouncer
+log "Deploy Crowdsec Openresty Bouncer..."
+cd /tmp/crowdsec-openresty-bouncer
+bash ./install.sh --NGINX_CONF_DIR=${ROOTFS}/etc/nginx/conf.d --LIB_PATH=${ROOTFS}/var/lib/nginx/lualib --CONFIG_PATH=${ROOTFS}/defaults/crowdsec/ --DATA_PATH=${ROOTFS}/defaults/crowdsec/ --SSL_CERTS_PATH=/etc/ssl/certs/ca-cert-GTS_Root_R1.pem --docker
+sed-patch 's|ENABLED=.*|ENABLED=false|' ${ROOTFS}/defaults/crowdsec/crowdsec-openresty-bouncer.conf 
