Gitiles
Code Review Sign In
gerrit.benkard.de / kubeia / 38837a85f102fb827342bdabb0554f9927c665ce / . / images.nix
blob: 3098ce25c4efe3da163c98fae7d8ddaa6e39fa27 [file] [log] [blame]
{ system ? builtins.currentSystem }:
let
pkgs = import <nixpkgs> { inherit system; };
in
let
img = spec: {
streamed = pkgs.dockerTools.streamLayeredImage spec;
layered = pkgs.dockerTools.buildLayeredImage spec;
image = pkgs.dockerTools.buildImage spec;
};
in
{
# ejabberd = pkgs.dockerTools.buildImage {
# name = "docker.benkard.de/mulk/ejabberd";
# tag = "latest";
# contents = [
# pkgs.ejabberd
# pkgs.bash
# pkgs.nano
# ];
# config = {
# Env = [ ];
# ExposedPorts = { };
# WorkingDir = "/";
# Volumes = {
# "/data" = { };
# };
# };
# };
prosody = img {
name = "docker.benkard.de/mulk/prosody";
#tag = "latest";
contents = with pkgs; [
prosody
bash
coreutils
nano
];
config = {
Entrypoint = [ "/bin/bash" ];
Cmd = [ ];
Env = [ ];
ExposedPorts = { };
WorkingDir = "/";
Volumes = {
"/data" = { };
};
};
};
mailcow =
let
dockerComposeOverrideYaml =
pkgs.writeTextDir "docker-compose.override.yml" ''
version: '2.1'
services:
mysql-mailcow:
image: alpine/socat:1.0.3
command:
- UNIX-LISTEN:/var/run/mysqld/mysqld.sock,reuseaddr,fork,unlink-early,mode=0777
- TCP-CONNECT:mysql.system.svc.cluster.local.:3306
volumes:
- mysql-socket-vol-1:/var/run/mysqld/:Z
restart: always
netfilter-mailcow:
build: ./data/Dockerfiles/netfilter
watchdog-mailcow:
build: ./data/Dockerfiles/watchdog
volumes:
vmail-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/vmail"}}
vmail-index-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/vmail-index"}}
mysql-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/run/mysql"}}
mysql-socket-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/run/mysql-socket"}}
redis-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/redis-data"}}
rspamd-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/rspamd-data"}}
solr-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/solr-data"}}
postfix-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/postfix-data"}}
crypt-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/crypt-data"}}
sogo-web-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/sogo-web"}}
sogo-userdata-backup-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/sogo-userdata-backup"}}
'';
init =
pkgs.writeShellScriptBin "init" ''
set -xeuo pipefail
if ! [ -e /vol/docker-data/docker.ext4 ]; then
${pkgs.busybox}/bin/dd if=/dev/zero of=/vol/docker-data/docker.ext4 bs=1G count=0 seek=30
${pkgs.e2fsprogs}/bin/mkfs.ext4 /vol/docker-data/docker.ext4
fi
${pkgs.e2fsprogs}/bin/e2fsck -y /vol/docker-data/docker.ext4
${pkgs.busybox}/bin/mkdir -p /var/lib/docker
${pkgs.busybox}/bin/mount -o loop,rw /vol/docker-data/docker.ext4 /var/lib/docker
${pkgs.docker}/bin/dockerd --storage-driver=overlay2 &
sleep 10s
${pkgs.docker}/bin/docker kill $(${pkgs.docker}/bin/docker ps -a -q) || :
${pkgs.docker}/bin/docker system prune --volumes --force || :
${pkgs.docker-compose}/bin/docker-compose -f /mailcow-dockerized/docker-compose.yml -f ${dockerComposeOverrideYaml}/docker-compose.override.yml build
${pkgs.busybox}/bin/mkdir -p /tmp /run/{mysql,mysql-socket}
exec ${pkgs.docker-compose}/bin/docker-compose --env-file /mailcow-dockerized/mailcow.conf -f /mailcow-dockerized/docker-compose.yml -f ${dockerComposeOverrideYaml}/docker-compose.override.yml up --remove-orphans
'';
src = ./mailcow/src;
extraDeps = with pkgs; [
# for Docker
cacert
# for update.sh
bash
coreutils
curl
docker
docker-compose
findutils
gawk
gitMinimal
];
maintenanceDeps = with pkgs; [
bash
busybox
coreutils
findutils
pxattr
strace
];
in
img {
name = "docker.benkard.de/mulk/mailcow";
tag = "latest";
maxLayers = 125;
contents = extraDeps ++ maintenanceDeps;
extraCommands =
''
#!${pkgs.runtimeShell}
install -dm755 vol/{crypt-data,postfix-data,redis-data,rspamd-data,sogo-web,sogo-userdata-backup,solr-data,vmail,vmail-index,web-data}
cp -a ${src}/* .
'';
config = {
Entrypoint = [ "${init}/bin/init" ];
Cmd = [ ];
Workdir = "/mailcow-dockerized";
Volumes = {
"/mailcow-dockerized/data/conf" = { };
"/mailcow-dockerized/data/assets/ssl" = { };
"/vol/crypt-data" = { };
"/vol/docker-data" = { };
"/vol/postfix-data" = { };
"/vol/redis-data" = { };
"/vol/rspamd-data" = { };
"/vol/sogo-web" = { };
"/vol/sogo-userdata-backup" = { };
"/vol/solr-data" = { };
"/vol/vmail" = { };
"/vol/vmail-index" = { };
"/vol/web-data" = { };
};
};
};
nextcloud = img {
name = "docker.benkard.de/mulk/nextcloud";
contents =
let
baseDependencies = with pkgs; [
# Service dependencies.
apacheHttpd
apacheHttpdPackages.php
# Optional dependencies.
ffmpeg
# Maintenance and manual upgrades.
bash
coreutils
php
unzip
];
phpModules = with pkgs.php74Extensions; [
# Required dependencies.
ctype
curl
dom
gd
iconv
json
mbstring
openssl
pdo_pgsql
posix
session
simplexml
xml
xmlreader
xmlwriter
zip
zlib
# Recommended dependencies.
bz2
intl
fileinfo
# Optional dependencies.
apcu
bcmath
ftp
gmp
imagick
memcached
pcntl
redis
#smbclient
];
in
baseDependencies ++ phpModules;
config = {
WorkingDir = "/var/www/html";
Volumes = {
"/var/www/html" = { };
};
};
};
webcron = img {
name = "docker.benkard.de/mulk/webcron";
contents =
with pkgs; [
# Entry points.
curl
];
config = {
Entrypoint = [ "curl" "-fsS" ];
Cmd = [ ];
Volumes = { };
};
};
samba =
let
runner =
pkgs.stdenv.mkDerivation {
name = "mulk-samba-runner";
buildInputs = with pkgs; [ bash ];
src = ./samba;
builder = builtins.toFile "builder.sh" ''
source $stdenv/setup
set -euo pipefail
set -x
install -Dm755 $src/init $out/init
for svc in avahi dbus nmbd smbd; do
install -Dm755 $src/service/$svc/run $out/service/$svc/run
done
set +x
'';
};
in
img {
name = "docker.benkard.de/mulk/samba";
contents = with pkgs; [
# Services.
avahi
dbus
#samba4Full
(samba.override { enableMDNS = true; enableProfiling = false; enableRegedit = false; })
# Control.
execline
gnused
runner
s6
# Maintenance.
busybox
];
extraCommands =
let
dbusSystemConf =
builtins.toFile "dbus-1-system.conf" ''
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<type>system</type>
<auth>ANONYMOUS</auth>
<!-- <auth>EXTERNAL</auth> -->
<allow_anonymous/>
<listen>unix:path=/run/dbus/system_bus_socket</listen>
<standard_system_servicedirs/>
<policy context="default">
<allow user="*"/>
<deny own="*"/>
<deny send_type="method_call"/>
<allow send_type="signal"/>
<allow send_requested_reply="true" send_type="method_return"/>
<allow send_requested_reply="true" send_type="error"/>
<allow receive_type="method_call"/>
<allow receive_type="method_return"/>
<allow receive_type="error"/>
<allow receive_type="signal"/>
<allow send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus" />
<allow send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus.Properties"/>
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus"
send_member="UpdateActivationEnvironment"/>
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus.Debug.Stats"/>
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.systemd1.Activator"/>
</policy>
<policy context="default">
<allow own="org.freedesktop.Avahi"/>
</policy>
<includedir>/share/dbus-1/system.d</includedir>
</busconfig>
'';
avahiDaemonConf =
builtins.toFile "avahi-daemon.conf" ''
[server]
use-ipv4=yes
use-ipv6=yes
enable-dbus=yes
ratelimit-interval-usec=1000000
ratelimit-burst=1000
[wide-area]
enable-wide-area=no
[publish]
add-service-cookie=no
publish-addresses=no
publish-hinfo=no
publish-workstation=no
publish-domain=no
publish-aaaa-on-ipv4=yes
publish-a-on-ipv6=no
[reflector]
[rlimits]
'';
group =
builtins.toFile "group" ''
dbus::997:
avahi::998:
'';
passwd =
builtins.toFile "passwd" ''
dbus::997:997::/tmp:/nonexistent
avahi::998:998::/tmp:/nonexistent
nobody::999:999::/tmp:/nonexistent
'';
in
''
#!${pkgs.runtimeShell}
rm -rf -- etc/avahi/services/*
install -dm755 tmp run run/dbus var/run/samba var/log/samba var/lock/samba var/locks/samba var/lib/samba/private var/cache/samba
touch var/lib/samba/registry.tdb var/lib/samba/account_policy.tdb
install -Dm644 ${dbusSystemConf} etc/dbus-1/system.conf
install -Dm644 ${avahiDaemonConf} etc/avahi/avahi-daemon.conf
install -Dm644 ${group} etc/group
install -Dm644 ${passwd} etc/passwd
'';
config = {
Entrypoint = [ "/init" ];
Cmd = [ ];
Volumes = {
"/vol/shares" = { };
};
};
};
# nano = img {
# name = "docker.benkard.de/mulk/nano";
# tag = "latest";
# contents = [
# pkgs.nano
# ];
# };
#
# vim = img {
# name = "docker.benkard.de/mulk/vim";
# tag = "latest";
# contents = [
# pkgs.vim
# ];
# };
}