Matthias Andreas Benkard | c55bfae | 2021-01-02 07:35:21 +0100 | [diff] [blame] | 1 | { system ? builtins.currentSystem }: |
| 2 | let |
# NOTE(review): `<nixpkgs>` is resolved through NIX_PATH at evaluation time, so
# the package set -- and therefore every image defined below -- is not pinned:
# two machines (or the same machine after a channel update) can build different
# images from this same file.  Pinning the revision (fetchTarball with a sha256,
# or a niv/flake lock) would make the builds reproducible and auditable.
pkgs = import <nixpkgs> { inherit system; };
| 4 | |
| 5 | in |
| 6 | let |
# Builds one image spec in the three flavours dockerTools offers; callers pick
# `<name>.streamed`, `<name>.layered` or `<name>.image`.
# NOTE(review): `buildImage` accepts a narrower argument set than the layered
# builders, so the `image` flavour of a spec that uses layered-only arguments
# (e.g. `maxLayers`) may fail at evaluation time -- whether it does depends on
# the nixpkgs revision in use; verify before relying on `.image` for such specs.
img = spec:
  let
    dt = pkgs.dockerTools;
  in {
    streamed = dt.streamLayeredImage spec;
    layered = dt.buildLayeredImage spec;
    image = dt.buildImage spec;
  };
| 12 | |
| 13 | in |
| 14 | { |
| 15 | |
| 16 | # ejabberd = pkgs.dockerTools.buildImage { |
| 17 | # name = "docker.benkard.de/mulk/ejabberd"; |
| 18 | # tag = "latest"; |
| 19 | # contents = [ |
| 20 | # pkgs.ejabberd |
| 21 | # pkgs.bash |
| 22 | # pkgs.nano |
| 23 | # ]; |
| 24 | # config = { |
| 25 | # Env = [ ]; |
| 26 | # ExposedPorts = { }; |
| 27 | # WorkingDir = "/"; |
| 28 | # Volumes = { |
| 29 | # "/data" = { }; |
| 30 | # }; |
| 31 | # }; |
| 32 | # }; |
| 33 | |
prosody = img {
  name = "docker.benkard.de/mulk/prosody";
  #tag = "latest";
  # Prosody itself plus a shell and a few tools for hands-on administration.
  contents = [
    pkgs.prosody
    pkgs.bash
    pkgs.coreutils
    pkgs.nano
  ];
  config = {
    Volumes = {
      "/data" = { };
    };
    WorkingDir = "/";
    ExposedPorts = { };
    Env = [ ];
    # The entry point is an interactive shell, not the prosody daemon; the
    # command is deliberately empty, so whoever runs the container starts
    # prosody by hand.
    Entrypoint = [ "/bin/bash" ];
    Cmd = [ ];
    # NOTE(review): no `User` is set, so the container process runs as uid 0
    # unless the runtime overrides it; whether prosody drops privileges itself
    # is not visible from this file -- check its configuration.
  };
};
| 54 | |
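mailcow =
  let
    # Compose override merged on top of mailcow's own docker-compose.yml:
    #  * mysql-mailcow is replaced by a socat proxy that exposes an external
    #    MySQL (mysql.system.svc.cluster.local:3306) as the Unix socket the
    #    other mailcow containers expect.  The socket is created with
    #    mode=0777 because several containers, running under different uids,
    #    connect through the shared mysql-socket volume.  Consequence: any
    #    process that can see that volume can reach the database, so access
    #    control rests entirely on MySQL's own authentication.
    #  * NOTE(review): `alpine/socat:1.0.3` is referenced by a mutable tag;
    #    pinning it to an image digest would make the proxy image immutable.
    #  * netfilter/watchdog are built from the Dockerfiles in the source tree
    #    instead of being pulled.
    #  * the named volumes are bind mounts under /vol and /run, so the data
    #    lives in this container's volumes rather than inside the nested
    #    docker's loop-mounted filesystem (and survives the prune in `init`).
    dockerComposeOverrideYaml =
      pkgs.writeTextDir "docker-compose.override.yml" ''
        version: '2.1'

        services:
          mysql-mailcow:
            image: alpine/socat:1.0.3
            command:
              - UNIX-LISTEN:/var/run/mysqld/mysqld.sock,reuseaddr,fork,unlink-early,mode=0777
              - TCP-CONNECT:mysql.system.svc.cluster.local.:3306
            volumes:
              - mysql-socket-vol-1:/var/run/mysqld/:Z
            restart: always

          netfilter-mailcow:
            build: ./data/Dockerfiles/netfilter

          watchdog-mailcow:
            build: ./data/Dockerfiles/watchdog

        volumes:
          vmail-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/vmail"}}
          vmail-index-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/vmail-index"}}
          mysql-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/run/mysql"}}
          mysql-socket-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/run/mysql-socket"}}
          redis-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/redis-data"}}
          rspamd-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/rspamd-data"}}
          solr-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/solr-data"}}
          postfix-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/postfix-data"}}
          crypt-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/crypt-data"}}
          sogo-web-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/sogo-web"}}
          sogo-userdata-backup-vol-1: {driver: local, driver_opts: {o: bind, type: none, device: "/vol/sogo-userdata-backup"}}
      '';

    # Container entry point: brings up a nested docker daemon on a loop-mounted
    # ext4 image under /vol/docker-data, then runs mailcow through
    # docker-compose.  Running dockerd and `mount -o loop` inside a container
    # needs a privileged container (or equivalent capabilities and device
    # access); the script does not check for that and simply fails at the
    # mount step otherwise.
    init =
      pkgs.writeShellScriptBin "init" ''
        # -x traces every command to the container log.  mailcow.conf is passed
        # to docker-compose by path, so its secrets are not echoed by the trace.
        set -xeuo pipefail

        # Create a 30 GiB sparse image on first start; always fsck it and
        # loop-mount it as the nested daemon's data root.
        if ! [ -e /vol/docker-data/docker.ext4 ]; then
          ${pkgs.busybox}/bin/dd if=/dev/zero of=/vol/docker-data/docker.ext4 bs=1G count=0 seek=30
          ${pkgs.e2fsprogs}/bin/mkfs.ext4 /vol/docker-data/docker.ext4
        fi
        ${pkgs.e2fsprogs}/bin/e2fsck -y /vol/docker-data/docker.ext4
        ${pkgs.busybox}/bin/mkdir -p /var/lib/docker
        ${pkgs.busybox}/bin/mount -o loop,rw /vol/docker-data/docker.ext4 /var/lib/docker

        ${pkgs.docker}/bin/dockerd --storage-driver=overlay2 &

        # Wait until the daemon actually answers instead of sleeping a fixed
        # 10 s: on a slow start the fixed delay let the kill/prune below run
        # against a daemon that was not up yet (their failures are masked by
        # `|| :`), after which `docker-compose build` died under `set -e`.
        # Give up with the daemon's own connection error after roughly 120 s.
        for _ in $(${pkgs.busybox}/bin/seq 1 120); do
          if ${pkgs.docker}/bin/docker info >/dev/null 2>&1; then
            break
          fi
          ${pkgs.busybox}/bin/sleep 1
        done
        ${pkgs.docker}/bin/docker info >/dev/null

        # Start from a clean slate: stop whatever the previous run left behind
        # and drop unused containers, images, networks *and volumes* of the
        # nested daemon.  The mailcow data volumes survive because they are
        # bind mounts (see the override above).
        ${pkgs.docker}/bin/docker kill $(${pkgs.docker}/bin/docker ps -a -q) || :
        ${pkgs.docker}/bin/docker system prune --volumes --force || :

        # NOTE(review): `build` runs without --env-file while `up` below gets
        # mailcow.conf; if any build arguments in docker-compose.yml are taken
        # from that file they are not seen here -- verify against the compose
        # file before relying on the built images.
        ${pkgs.docker-compose}/bin/docker-compose -f /mailcow-dockerized/docker-compose.yml -f ${dockerComposeOverrideYaml}/docker-compose.override.yml build

        ${pkgs.busybox}/bin/mkdir -p /tmp /run/{mysql,mysql-socket}
        exec ${pkgs.docker-compose}/bin/docker-compose --env-file /mailcow-dockerized/mailcow.conf -f /mailcow-dockerized/docker-compose.yml -f ${dockerComposeOverrideYaml}/docker-compose.override.yml up --remove-orphans
      '';

    # Source tree copied into the image root by extraCommands; `init` expects
    # the compose file at /mailcow-dockerized, so ./mailcow/src presumably
    # contains a mailcow-dockerized/ directory -- verify.
    src = ./mailcow/src;

    extraDeps = with pkgs; [
      # for Docker (CA bundle so pulls and builds over HTTPS can be verified)
      cacert

      # for update.sh
      bash
      coreutils
      curl
      docker
      docker-compose
      findutils
      gawk
      gitMinimal
    ];

    maintenanceDeps = with pkgs; [
      bash
      busybox
      coreutils
      findutils
      pxattr
      strace
    ];
  in
  img {
    name = "docker.benkard.de/mulk/mailcow";
    # NOTE(review): a fixed "latest" tag is mutable -- every build overwrites
    # it.  The other images in this file leave `tag` unset so dockerTools
    # derives a content-based tag, which is the more auditable choice.
    tag = "latest";
    maxLayers = 125;
    contents = extraDeps ++ maintenanceDeps;
    # Pre-create the bind-mount targets used by the compose override and
    # unpack the source tree at the image root.
    extraCommands =
      ''
        #!${pkgs.runtimeShell}

        install -dm755 vol/{crypt-data,postfix-data,redis-data,rspamd-data,sogo-web,sogo-userdata-backup,solr-data,vmail,vmail-index,web-data}

        cp -a ${src}/* .
      '';
    config = {
      Entrypoint = [ "${init}/bin/init" ];
      Cmd = [ ];
      # The image-config key is `WorkingDir` (as the prosody and nextcloud
      # images here already use); the earlier `Workdir` spelling was silently
      # ignored by the runtime, so shells into the container started in `/`.
      WorkingDir = "/mailcow-dockerized";
      # data/conf and data/assets/ssl hold mailcow's configuration and TLS
      # material; the /vol/* entries are the bind-mount sources of the compose
      # volumes, /vol/docker-data holds the nested daemon's ext4 image.
      Volumes = {
        "/mailcow-dockerized/data/conf" = { };
        "/mailcow-dockerized/data/assets/ssl" = { };
        "/vol/crypt-data" = { };
        "/vol/docker-data" = { };
        "/vol/postfix-data" = { };
        "/vol/redis-data" = { };
        "/vol/rspamd-data" = { };
        "/vol/sogo-web" = { };
        "/vol/sogo-userdata-backup" = { };
        "/vol/solr-data" = { };
        "/vol/vmail" = { };
        "/vol/vmail-index" = { };
        "/vol/web-data" = { };
      };
    };
  };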
| 175 | |
nextcloud = img {
  name = "docker.benkard.de/mulk/nextcloud";
  # Apache with its PHP module to serve Nextcloud, ffmpeg as an optional
  # dependency, and a shell with php/unzip for maintenance and manual upgrades,
  # followed by the PHP extensions Nextcloud lists as required, recommended and
  # optional.
  # NOTE(review): the extensions come from `php74Extensions` while the Apache
  # module comes from `apacheHttpdPackages.php`; whether those are the same PHP
  # version is not visible here -- confirm, or the extensions will not load.
  contents =
    (with pkgs; [
      apacheHttpd
      apacheHttpdPackages.php
      ffmpeg
      bash
      coreutils
      php
      unzip
    ])
    ++ (with pkgs.php74Extensions; [
      # Required.
      ctype curl dom gd iconv json mbstring openssl pdo_pgsql posix session
      simplexml xml xmlreader xmlwriter zip zlib
      # Recommended.
      bz2 intl fileinfo
      # Optional.
      apcu bcmath ftp gmp imagick memcached pcntl redis
      #smbclient
    ]);
  config = {
    # Neither Entrypoint/Cmd nor User is set: how httpd is launched, and as
    # which uid (0 unless the runtime overrides it), is decided at run time.
    WorkingDir = "/var/www/html";
    Volumes = { "/var/www/html" = { }; };
  };
};
| 240 | |
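webcron = img {
  name = "docker.benkard.de/mulk/webcron";
  contents = with pkgs; [
    # Entry point.
    curl
    # CA bundle so curl can verify HTTPS targets.  The image previously held
    # only curl's closure and no trust store at all, so verification of an
    # https:// URL could not succeed unless a bundle was mounted in or passed
    # with --cacert -- which invites running the job with `-k` instead.  The
    # mailcow image above ships cacert for the same reason.
    cacert
  ];
  config = {
    # The URL (and any further options) come from the run-time command line.
    # `-f` turns an HTTP error status into a non-zero exit, `-sS` keeps output
    # quiet except for errors.  No timeout is set here; pass `--max-time` with
    # the URL if a hung endpoint must not block the scheduler.
    Entrypoint = [ "curl" "-fsS" ];
    Cmd = [ ];
    Volumes = { };
  };
};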
| 254 | |
samba =
  let
    # Tiny derivation that only installs the s6 init script and the four
    # service `run` scripts from ./samba into $out; there is no build step.
    runner =
      pkgs.stdenv.mkDerivation {
        name = "mulk-samba-runner";
        buildInputs = with pkgs; [ bash ];
        src = ./samba;
        builder = builtins.toFile "builder.sh" ''
          source $stdenv/setup
          set -euo pipefail
          set -x

          install -Dm755 $src/init $out/init

          for svc in avahi dbus nmbd smbd; do
            install -Dm755 $src/service/$svc/run $out/service/$svc/run
          done

          set +x
        '';
      };

  in
  img {
    name = "docker.benkard.de/mulk/samba";
    contents = with pkgs; [
      # Services.
      avahi
      dbus
      #samba4Full
      (samba.override { enableMDNS = true; enableProfiling = false; enableRegedit = false; })

      # Control.
      execline
      gnused
      runner
      s6

      # Maintenance.
      busybox
    ];
    extraCommands =
      let
        # System bus configuration.  Security-relevant choices, all visible in
        # the XML below:
        #  * `<auth>ANONYMOUS</auth>` plus `<allow_anonymous/>`: connections are
        #    not authenticated, so every client on the socket is the same
        #    anonymous principal and uid-based `<policy user=...>` rules cannot
        #    tell them apart.  Anyone able to open /run/dbus/system_bus_socket
        #    -- i.e. any process inside this container -- gets the same rights.
        #  * the default policy denies owning names and sending method calls,
        #    then re-allows only the bus's own org.freedesktop.DBus interfaces
        #    (minus UpdateActivationEnvironment, Debug.Stats and the systemd
        #    activator).  Whether clients may call Avahi's methods depends on
        #    the policy files picked up via <includedir> -- not visible here.
        #  * the second policy lets *every* connection own
        #    org.freedesktop.Avahi (avahi's upstream bus policy normally ties
        #    this to the avahi user, which is presumably impossible with
        #    anonymous auth).  A rogue process in the container could therefore
        #    claim the Avahi name on the bus.
        dbusSystemConf =
          builtins.toFile "dbus-1-system.conf" ''
            <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
              "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
            <busconfig>
              <type>system</type>
              <auth>ANONYMOUS</auth>
              <!-- <auth>EXTERNAL</auth> -->
              <allow_anonymous/>
              <listen>unix:path=/run/dbus/system_bus_socket</listen>
              <standard_system_servicedirs/>

              <policy context="default">
                <allow user="*"/>

                <deny own="*"/>
                <deny send_type="method_call"/>

                <allow send_type="signal"/>
                <allow send_requested_reply="true" send_type="method_return"/>
                <allow send_requested_reply="true" send_type="error"/>

                <allow receive_type="method_call"/>
                <allow receive_type="method_return"/>
                <allow receive_type="error"/>
                <allow receive_type="signal"/>

                <allow send_destination="org.freedesktop.DBus"
                       send_interface="org.freedesktop.DBus" />
                <allow send_destination="org.freedesktop.DBus"
                       send_interface="org.freedesktop.DBus.Introspectable"/>
                <allow send_destination="org.freedesktop.DBus"
                       send_interface="org.freedesktop.DBus.Properties"/>

                <deny send_destination="org.freedesktop.DBus"
                      send_interface="org.freedesktop.DBus"
                      send_member="UpdateActivationEnvironment"/>
                <deny send_destination="org.freedesktop.DBus"
                      send_interface="org.freedesktop.DBus.Debug.Stats"/>
                <deny send_destination="org.freedesktop.DBus"
                      send_interface="org.freedesktop.systemd1.Activator"/>
              </policy>

              <policy context="default">
                <allow own="org.freedesktop.Avahi"/>
              </policy>

              <includedir>/share/dbus-1/system.d</includedir>
            </busconfig>
          '';

        # mDNS responder configuration, tuned to disclose little: no wide-area
        # (unicast DNS) mode, no host address/HINFO/workstation/domain records
        # are published on their own, and the [reflector]/[rlimits] sections are
        # left at their defaults.  Rate limiting is 1000 responses per second.
        avahiDaemonConf =
          builtins.toFile "avahi-daemon.conf" ''
            [server]
            use-ipv4=yes
            use-ipv6=yes
            enable-dbus=yes
            ratelimit-interval-usec=1000000
            ratelimit-burst=1000

            [wide-area]
            enable-wide-area=no

            [publish]
            add-service-cookie=no
            publish-addresses=no
            publish-hinfo=no
            publish-workstation=no
            publish-domain=no
            publish-aaaa-on-ipv4=yes
            publish-a-on-ipv6=no

            [reflector]

            [rlimits]
          '';

        # Minimal account database.  dbus and avahi get matching user/group
        # entries, presumably because their daemons switch to these accounts;
        # `nobody` is the conventional unprivileged account.  The password
        # field is empty rather than `x` (there is no shadow file), which some
        # tools read as "no password required" -- harmless as long as nothing
        # in the container authenticates against /etc/passwd, but `x` is the
        # safer convention.  There is no `root` entry, so uid 0 has no name in
        # this image; no `User` is set in the config either, so the init runs
        # as uid 0 unless the runtime overrides it.
        group =
          builtins.toFile "group" ''
            dbus::997:
            avahi::998:
          '';

        passwd =
          builtins.toFile "passwd" ''
            dbus::997:997::/tmp:/nonexistent
            avahi::998:998::/tmp:/nonexistent
            nobody::999:999::/tmp:/nonexistent
          '';
      in
      # Image-root fixups: drop whatever service advertisements the avahi
      # package ships under etc/avahi/services (so only what this setup
      # publishes is announced), create the run/log/lock/state directories the
      # daemons expect, pre-create the two samba tdb files, and install the
      # configuration and account files from above.
      ''
        #!${pkgs.runtimeShell}

        rm -rf -- etc/avahi/services/*

        install -dm755 tmp run run/dbus var/run/samba var/log/samba var/lock/samba var/locks/samba var/lib/samba/private var/cache/samba

        touch var/lib/samba/registry.tdb var/lib/samba/account_policy.tdb

        install -Dm644 ${dbusSystemConf} etc/dbus-1/system.conf
        install -Dm644 ${avahiDaemonConf} etc/avahi/avahi-daemon.conf
        install -Dm644 ${group} etc/group
        install -Dm644 ${passwd} etc/passwd
      '';
    config = {
      # /init is the s6 entry point installed by `runner`; it supervises the
      # avahi, dbus, nmbd and smbd services.  smb.conf and the shares under
      # /vol/shares are not part of this file.
      Entrypoint = [ "/init" ];
      Cmd = [ ];
      Volumes = {
        "/vol/shares" = { };
      };
    };
  };
| 410 | |
| 411 | # nano = img { |
| 412 | # name = "docker.benkard.de/mulk/nano"; |
| 413 | # tag = "latest"; |
| 414 | # contents = [ |
| 415 | # pkgs.nano |
| 416 | # ]; |
| 417 | # }; |
| 418 | # |
| 419 | # vim = img { |
| 420 | # name = "docker.benkard.de/mulk/vim"; |
| 421 | # tag = "latest"; |
| 422 | # contents = [ |
| 423 | # pkgs.vim |
| 424 | # ]; |
| 425 | # }; |
| 426 | |
| 427 | } |