# Entry point: evaluates to an attribute set with one image builder per
# service (prosody, mailcow, nextcloud, webcron, samba).
# `system` defaults to the platform of the evaluating Nix.
{ system ? builtins.currentSystem }:
let
  # NOTE(review): `<nixpkgs>` is resolved through NIX_PATH at evaluation time,
  # so the package versions baked into every image below depend on whatever
  # channel the build host points at.  Pinning nixpkgs (e.g. a fetchTarball
  # with a fixed hash) would make the images reproducible and auditable.
  pkgs = import <nixpkgs> { inherit system; };

in
6let
# Wrap one image specification in the three dockerTools builders, so a caller
# can choose the output form per use: `streamed` (streamLayeredImage),
# `layered` (buildLayeredImage) or `image` (buildImage).  All three receive
# the identical `spec` attribute set.
img = spec:
  let
    inherit (pkgs.dockerTools) streamLayeredImage buildLayeredImage buildImage;
  in {
    streamed = streamLayeredImage spec;
    layered = buildLayeredImage spec;
    image = buildImage spec;
  };
12
13in
14{
15
16 # ejabberd = pkgs.dockerTools.buildImage {
17 # name = "docker.benkard.de/mulk/ejabberd";
18 # tag = "latest";
19 # contents = [
20 # pkgs.ejabberd
21 # pkgs.bash
22 # pkgs.nano
23 # ];
24 # config = {
25 # Env = [ ];
26 # ExposedPorts = { };
27 # WorkingDir = "/";
28 # Volumes = {
29 # "/data" = { };
30 # };
31 # };
32 # };
33
# Prosody XMPP server image.  The entrypoint is an interactive shell rather
# than prosody itself, so the actual service command has to be supplied by
# whatever runs the container.  No tag is set (the "latest" line is kept
# commented out), so the tag falls back to the dockerTools default.
prosody = img {
  name = "docker.benkard.de/mulk/prosody";
  # tag = "latest";  -- deliberately left unset
  contents = [
    pkgs.prosody
    # Shell and tooling for manual maintenance inside the container.
    pkgs.bash
    pkgs.coreutils
    pkgs.nano
  ];
  config = {
    Entrypoint = [ "/bin/bash" ];
    Cmd = [ ];
    Env = [ ];
    ExposedPorts = { };
    WorkingDir = "/";
    Volumes = { "/data" = { }; };
  };
};
54
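# mailcow-dockerized packaged as one image that runs its own dockerd
# (docker-in-docker) and then `docker-compose up`s the mailcow stack inside it.
# The init script mounts a loop device and starts a daemon, so this image only
# works as a privileged workload — review and deploy it as such.
mailcow =
  let
    # Compose override layered on top of mailcow's own docker-compose.yml:
    # the bundled MySQL service is replaced by a socat bridge to an external
    # MySQL (reached over TCP), and every named volume becomes a bind mount
    # under /vol or /run so state lives outside the inner dockerd's ext4 file.
    # NOTE(review): the socat-created socket uses mode=0777, so any process
    # that can reach the mysql-socket-vol-1 mount gets an unauthenticated path
    # to the MySQL TCP endpoint — MySQL-side authentication is the only guard.
    # NOTE(review): alpine/socat is pinned by tag (1.0.3), not by digest.
    dockerComposeOverrideYaml =
      pkgs.writeTextDir "docker-compose.override.yml" ''
        version: '2.1'

        services:
          mysql-mailcow:
            image: alpine/socat:1.0.3
            command:
              - UNIX-LISTEN:/var/run/mysqld/mysqld.sock,reuseaddr,fork,unlink-early,mode=0777
              - TCP-CONNECT:mysql.system.svc.cluster.local.:3306
            volumes:
              - mysql-socket-vol-1:/var/run/mysqld/:Z
            restart: always

          netfilter-mailcow:
            build: ./data/Dockerfiles/netfilter

          watchdog-mailcow:
            build: ./data/Dockerfiles/watchdog

        volumes:
          vmail-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/vmail"}}
          vmail-index-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/vmail-index"}}
          mysql-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/run/mysql"}}
          mysql-socket-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/run/mysql-socket"}}
          redis-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/redis-data"}}
          rspamd-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/rspamd-data"}}
          solr-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/solr-data"}}
          postfix-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/postfix-data"}}
          crypt-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/crypt-data"}}
          sogo-web-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/sogo-web"}}
          sogo-userdata-backup-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/sogo-userdata-backup"}}
      '';

    # Container entrypoint.  Steps: (1) create/repair and loop-mount a sparse
    # ext4 file under /vol/docker-data as /var/lib/docker, (2) start dockerd
    # and wait until it answers, (3) best-effort cleanup of anything left from
    # a previous run, (4) build mailcow's local images, (5) exec docker-compose.
    # The fixed `sleep 10s` that used to follow dockerd's start was a race:
    # a slow daemon start made the `build` step fail under `set -e`.  It is
    # replaced by a bounded readiness poll on `docker info`.
    init =
      pkgs.writeShellScriptBin "init" ''
        set -xeuo pipefail

        # 30 GiB sparse backing file for the inner dockerd's state, created once.
        if ! [ -e /vol/docker-data/docker.ext4 ]; then
          ${pkgs.busybox}/bin/dd if=/dev/zero of=/vol/docker-data/docker.ext4 bs=1G count=0 seek=30
          ${pkgs.e2fsprogs}/bin/mkfs.ext4 /vol/docker-data/docker.ext4
        fi
        ${pkgs.e2fsprogs}/bin/e2fsck -y /vol/docker-data/docker.ext4
        ${pkgs.busybox}/bin/mkdir -p /var/lib/docker
        ${pkgs.busybox}/bin/mount -o loop,rw /vol/docker-data/docker.ext4 /var/lib/docker

        ${pkgs.docker}/bin/dockerd --storage-driver=overlay2 &

        # Wait for the daemon to become reachable instead of sleeping a fixed
        # interval; give up after about 60 s so a broken dockerd does not leave
        # the container hanging silently.
        tries=0
        until ${pkgs.docker}/bin/docker info > /dev/null 2>&1; do
          tries=$((tries + 1))
          if [ "$tries" -ge 60 ]; then
            echo "dockerd did not become ready" >&2
            exit 1
          fi
          sleep 1
        done

        # Best-effort cleanup; both commands are allowed to fail (no containers
        # yet).  The named volumes are bind mounts, so pruning volume objects
        # should leave the data under /vol in place — confirm on first deploy.
        ${pkgs.docker}/bin/docker kill $(${pkgs.docker}/bin/docker ps -a -q) || :
        ${pkgs.docker}/bin/docker system prune --volumes --force || :

        ${pkgs.docker-compose}/bin/docker-compose -f /mailcow-dockerized/docker-compose.yml -f ${dockerComposeOverrideYaml}/docker-compose.override.yml build

        # Bind-mount targets for mysql-vol-1 and mysql-socket-vol-1 (see override).
        ${pkgs.busybox}/bin/mkdir -p /tmp /run/{mysql,mysql-socket}
        exec ${pkgs.docker-compose}/bin/docker-compose --env-file /mailcow-dockerized/mailcow.conf -f /mailcow-dockerized/docker-compose.yml -f ${dockerComposeOverrideYaml}/docker-compose.override.yml up --remove-orphans
      '';

    # Tree copied into the image root by extraCommands below.
    # NOTE(review): `cp -a ${src}/* .` copies everything in that tree.  If
    # mailcow.conf (read at runtime via --env-file above) is part of it, its
    # credentials end up in an image layer; /mailcow-dockerized/data/conf is a
    # volume but mailcow.conf sits outside it — confirm the file is provided
    # at deploy time rather than baked in.
    src = ./mailcow/src;

    extraDeps = with pkgs; [
      # for Docker
      cacert

      # for update.sh
      bash
      coreutils
      curl
      docker
      docker-compose
      findutils
      gawk
      gitMinimal
    ];

    maintenanceDeps = with pkgs; [
      bash
      busybox
      coreutils
      findutils
      pxattr
      strace
    ];
  in
  img {
    name = "docker.benkard.de/mulk/mailcow";
    tag = "latest";
    maxLayers = 125;
    contents = extraDeps ++ maintenanceDeps;
    extraCommands =
      ''
        #!${pkgs.runtimeShell}

        install -dm755 vol/{crypt-data,postfix-data,redis-data,rspamd-data,sogo-web,sogo-userdata-backup,solr-data,vmail,vmail-index,web-data}

        cp -a ${src}/* .
      '';
    config = {
      Entrypoint = [ "${init}/bin/init" ];
      Cmd = [ ];
      # Docker's image-config key is `WorkingDir` (as the other images in this
      # file use); the earlier `Workdir` spelling was silently ignored.
      WorkingDir = "/mailcow-dockerized";
      Volumes = {
        "/mailcow-dockerized/data/conf" = { };
        "/mailcow-dockerized/data/assets/ssl" = { };
        "/vol/crypt-data" = { };
        "/vol/docker-data" = { };
        "/vol/postfix-data" = { };
        "/vol/redis-data" = { };
        "/vol/rspamd-data" = { };
        "/vol/sogo-web" = { };
        "/vol/sogo-userdata-backup" = { };
        "/vol/solr-data" = { };
        "/vol/vmail" = { };
        "/vol/vmail-index" = { };
        "/vol/web-data" = { };
      };
    };
  };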
175
# Nextcloud runtime image: Apache httpd with its PHP module, the PHP 7.4
# extension set Nextcloud lists as required / recommended / optional, and a
# few tools for manual upgrades.  No entrypoint or command is configured here.
nextcloud =
  let
    # Service dependencies.
    serviceDeps = [ pkgs.apacheHttpd pkgs.apacheHttpdPackages.php ];
    # Optional dependencies.
    optionalDeps = [ pkgs.ffmpeg ];
    # Maintenance and manual upgrades.
    maintenanceDeps = [ pkgs.bash pkgs.coreutils pkgs.php pkgs.unzip ];

    exts = pkgs.php74Extensions;
    # Required dependencies.
    requiredExts = with exts; [
      ctype curl dom gd iconv json mbstring openssl pdo_pgsql posix
      session simplexml xml xmlreader xmlwriter zip zlib
    ];
    # Recommended dependencies.
    recommendedExts = with exts; [ bz2 intl fileinfo ];
    # Optional dependencies (smbclient intentionally left out).
    optionalExts = with exts; [
      apcu bcmath ftp gmp imagick memcached pcntl redis
      #smbclient
    ];
  in
  img {
    name = "docker.benkard.de/mulk/nextcloud";
    # Order matters for file collisions between store paths, so it is kept
    # as: service, optional, maintenance, then extensions by tier.
    contents =
      serviceDeps ++ optionalDeps ++ maintenanceDeps
      ++ requiredExts ++ recommendedExts ++ optionalExts;
    config = {
      WorkingDir = "/var/www/html";
      Volumes = { "/var/www/html" = { }; };
    };
  };
240
# Minimal image whose only job is to issue an HTTP request: the entrypoint is
# `curl -fsS`, and the URL plus any further flags come from the container
# command at deploy time.  `curl` is resolved via PATH inside the image.
webcron = img {
  name = "docker.benkard.de/mulk/webcron";
  # Entry points.
  contents = [ pkgs.curl ];
  config = {
    Entrypoint = [ "curl" "-fsS" ];
    Cmd = [ ];
    Volumes = { };
  };
};
254
# Samba file server image supervised by s6: dbus, avahi (mDNS advertisement),
# nmbd and smbd.  The s6 service tree and the /init script come from ./samba;
# the bus, avahi and account files are generated below and installed at
# image-build time.
samba =
  let
    # Installs /init and one run script per service (avahi, dbus, nmbd, smbd)
    # from ./samba into $out.  The builder is inline, so the derivation has no
    # unpack/build phases beyond these copies.
    runner =
      pkgs.stdenv.mkDerivation {
        name = "mulk-samba-runner";
        buildInputs = with pkgs; [ bash ];
        src = ./samba;
        builder = builtins.toFile "builder.sh" ''
          source $stdenv/setup
          set -euo pipefail
          set -x

          install -Dm755 $src/init $out/init

          for svc in avahi dbus nmbd smbd; do
            install -Dm755 $src/service/$svc/run $out/service/$svc/run
          done

          set +x
        '';
      };

  in
  img {
    name = "docker.benkard.de/mulk/samba";
    contents = with pkgs; [
      # Services.
      avahi
      dbus
      #samba4Full
      (samba.override { enableMDNS = true; enableProfiling = false; enableRegedit = false; })

      # Control.
      execline
      gnused
      # `runner` is the let-bound derivation above: lexical bindings take
      # precedence over `with pkgs`, so this is not pkgs.runner.
      runner
      s6

      # Maintenance.
      busybox
    ];
    extraCommands =
      let
        # System bus configuration for the container.
        # NOTE(review): ANONYMOUS auth plus <allow_anonymous/> and
        # <allow user="*"/> means any process inside the container can attach
        # to the bus without credentials.  The default policy then denies
        # owning names and sending method calls, allows signals/replies, and
        # the second policy block re-allows Avahi to own its name; per-service
        # policy files from the installed packages are pulled in through the
        # <includedir>.  This is only acceptable while nothing untrusted runs
        # in the container — revisit if other services are added.
        dbusSystemConf =
          builtins.toFile "dbus-1-system.conf" ''
            <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
             "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
            <busconfig>
              <type>system</type>
              <auth>ANONYMOUS</auth>
              <!-- <auth>EXTERNAL</auth> -->
              <allow_anonymous/>
              <listen>unix:path=/run/dbus/system_bus_socket</listen>
              <standard_system_servicedirs/>

              <policy context="default">
                <allow user="*"/>

                <deny own="*"/>
                <deny send_type="method_call"/>

                <allow send_type="signal"/>
                <allow send_requested_reply="true" send_type="method_return"/>
                <allow send_requested_reply="true" send_type="error"/>

                <allow receive_type="method_call"/>
                <allow receive_type="method_return"/>
                <allow receive_type="error"/>
                <allow receive_type="signal"/>

                <allow send_destination="org.freedesktop.DBus"
                       send_interface="org.freedesktop.DBus" />
                <allow send_destination="org.freedesktop.DBus"
                       send_interface="org.freedesktop.DBus.Introspectable"/>
                <allow send_destination="org.freedesktop.DBus"
                       send_interface="org.freedesktop.DBus.Properties"/>

                <deny send_destination="org.freedesktop.DBus"
                      send_interface="org.freedesktop.DBus"
                      send_member="UpdateActivationEnvironment"/>
                <deny send_destination="org.freedesktop.DBus"
                      send_interface="org.freedesktop.DBus.Debug.Stats"/>
                <deny send_destination="org.freedesktop.DBus"
                      send_interface="org.freedesktop.systemd1.Activator"/>
              </policy>

              <policy context="default">
                <allow own="org.freedesktop.Avahi"/>
              </policy>

              <includedir>/share/dbus-1/system.d</includedir>
            </busconfig>
          '';

        # mDNS responder settings: IPv4 and IPv6 on, wide-area DNS-SD off, and
        # publishing of host addresses, HINFO, workstation and domain records
        # disabled so only explicitly registered services are advertised.
        avahiDaemonConf =
          builtins.toFile "avahi-daemon.conf" ''
            [server]
            use-ipv4=yes
            use-ipv6=yes
            enable-dbus=yes
            ratelimit-interval-usec=1000000
            ratelimit-burst=1000

            [wide-area]
            enable-wide-area=no

            [publish]
            add-service-cookie=no
            publish-addresses=no
            publish-hinfo=no
            publish-workstation=no
            publish-domain=no
            publish-aaaa-on-ipv4=yes
            publish-a-on-ipv6=no

            [reflector]

            [rlimits]
          '';

        # Static group/uid assignments for the daemons' privilege drop.
        group =
          builtins.toFile "group" ''
            dbus::997:
            avahi::998:
          '';

        # NOTE(review): the password field is empty rather than `x`, and no
        # /etc/shadow is installed.  Nothing in this image appears to
        # authenticate through /etc/passwd (Samba presumably uses its own
        # password database — verify), but any future PAM-using service would
        # see password-less accounts; `x` would be the safer default.
        passwd =
          builtins.toFile "passwd" ''
            dbus::997:997::/tmp:/nonexistent
            avahi::998:998::/tmp:/nonexistent
            nobody::999:999::/tmp:/nonexistent
          '';
      in
      # Runs in the image root at build time: drop avahi's bundled service
      # advertisements, create the runtime/state directories, pre-create the
      # Samba registry/policy tdb files, and install the generated configs.
      ''
        #!${pkgs.runtimeShell}

        rm -rf -- etc/avahi/services/*

        install -dm755 tmp run run/dbus var/run/samba var/log/samba var/lock/samba var/locks/samba var/lib/samba/private var/cache/samba

        touch var/lib/samba/registry.tdb var/lib/samba/account_policy.tdb

        install -Dm644 ${dbusSystemConf} etc/dbus-1/system.conf
        install -Dm644 ${avahiDaemonConf} etc/avahi/avahi-daemon.conf
        install -Dm644 ${group} etc/group
        install -Dm644 ${passwd} etc/passwd
      '';
    config = {
      # /init is the script installed by `runner`; it is expected to hand the
      # service tree to s6 (the script itself is outside this file).
      Entrypoint = [ "/init" ];
      Cmd = [ ];
      Volumes = {
        "/vol/shares" = { };
      };
    };
  };
410
411 # nano = img {
412 # name = "docker.benkard.de/mulk/nano";
413 # tag = "latest";
414 # contents = [
415 # pkgs.nano
416 # ];
417 # };
418 #
419 # vim = img {
420 # name = "docker.benkard.de/mulk/vim";
421 # tag = "latest";
422 # contents = [
423 # pkgs.vim
424 # ];
425 # };
426
427}