From fde0eeace44c45837f8be5f720f432c1416f80b1 Mon Sep 17 00:00:00 2001
From: syji35 <>
Date: Tue, 21 Nov 2023 11:27:13 +0100
Subject: [PATCH] DockerFile Lufi
---
.github/workflows/docker-publish.yml | 81 ++++++
Dockerfile | 40 +++
README.md | 4 +-
docker-entrypoint.sh | 7 +
lufi.conf | 384 +++++++++++++++++++++++++++
5 files changed, 515 insertions(+), 1 deletion(-)
create mode 100644 .github/workflows/docker-publish.yml
create mode 100644 Dockerfile
create mode 100644 docker-entrypoint.sh
create mode 100644 lufi.conf
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..32543f5
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,81 @@
+name: Build Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ push:
+ branches: ["main", "develop"]
+
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as /
+ IMAGE_NAME: ${{ github.repository_owner }}/lufi
+
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+
+ # Set up BuildKit Docker container builder to be able to build
+ # multi-platform images and export cache
+ # https://github.com/docker/setup-buildx-action
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=schedule
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ with:
+ context: .
+ platforms: linux/amd64
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=Lufi Docker
+ cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
+ cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..cb90383
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,40 @@
+FROM debian:11-slim
+
+ARG LUFI_VERSION=0.05.21
+
+USER root
+
+RUN apt update \
+ && apt install -y \
+ wget \
+ unzip \
+ build-essential \
+ libssl-dev \
+ zlib1g-dev \
+ libio-socket-ssl-perl \
+ libmojo-pg-perl \
+ liblwp-protocol-https-perl \
+ && apt-get clean -y \
+ && rm -rf /var/lib/{apt,dpkg,cache,log,tmp}/*
+
+RUN cpan Carton
+WORKDIR /lufi
+
+
+RUN wget https://framagit.org/fiat-tux/hat-softwares/lufi/-/archive/${LUFI_VERSION}/lufi-${LUFI_VERSION}.zip \
+ && unzip lufi-${LUFI_VERSION}.zip -d /tmp \
+ && mv /tmp/lufi-${LUFI_VERSION}/* /lufi \
+ && rm -rf /tmp/* lufi-${LUFI_VERSION}.zip
+
+
+COPY lufi.conf /lufi/lufi.conf
+COPY docker-entrypoint.sh /lufi/docker-entrypoint.sh
+RUN chmod a+x /lufi/docker-entrypoint.sh
+
+
+RUN carton install --deployment --without=test --without=mysql \
+ && rm -rf local/cache/* local/man/*
+
+ENTRYPOINT ["/lufi/docker-entrypoint.sh"]
+
+EXPOSE 8081
\ No newline at end of file
diff --git a/README.md b/README.md
index f93371a..8204ad7 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,4 @@
 # lufi-docker
-Dockerization de Lufi
+Dockerization de Lufi, application de transfert de fichier.
+
+Source [ici](https://framagit.org/fiat-tux/hat-softwares/lufi)
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100644
index 0000000..e40f76f
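Review bot: `id-token: write` is granted in the job's `permissions` block but no step in the hunk uses it — the comment mentions sigstore/fulcio, yet there is no signing step — so the job carries an OIDC-token privilege it does not need; either drop `id-token: write` or add the signing step it was copied in for. Related: `actions/checkout@v3` is the only action referenced by a mutable tag while every other `uses:` is pinned to a full commit SHA with a version comment, and pinning checkout the same way keeps the supply-chain posture of the workflow consistent. Under a push-only `on:` trigger the `if: github.event_name != 'pull_request'` guards and the `type=ref,event=pr` tag are dead, which is harmless but suggests the template was not trimmed to this repository's use.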
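Review bot: The cleanup `&& rm -rf /var/lib/{apt,dpkg,cache,log,tmp}/*` in the first `RUN` relies on shell brace expansion, which the default `RUN` shell (`/bin/sh`, dash on Debian) does not perform, so the path matches nothing and the package lists fetched by `apt update` stay in the layer; had it expanded it would also have removed the dpkg database. Replace it with `&& rm -rf /var/lib/apt/lists/*`. The image also never drops privileges: `USER root` is set and no later `USER` instruction follows, so the entrypoint and the server it starts run as root with a writable `/lufi`; creating an unprivileged user that owns `/lufi` and switching to it before `ENTRYPOINT` bounds the impact of any flaw in the application. The archive fetched with `wget` is not integrity-checked; comparing it against a known digest (e.g. `echo "<EXPECTED_SHA256>  lufi-${LUFI_VERSION}.zip" | sha256sum -c`) pins the build to a specific artifact rather than to whatever the URL serves at build time.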
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Lauch server
+carton exec hypnotoad /lufi/script/lufi
+
+# print logs
+tail -f /lufi/log/production.log
\ No newline at end of file
diff --git a/lufi.conf b/lufi.conf
new file mode 100644
index 0000000..410dbf1
--- /dev/null
+++ b/lufi.conf
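Review bot: `carton exec hypnotoad /lufi/script/lufi` lets hypnotoad daemonize, so the process the container keeps in the foreground is the `tail -f` on the last line rather than the server: a `docker stop` signals `tail`, the server is never shut down cleanly, and a failed server start is only noticed indirectly when `tail` cannot open `/lufi/log/production.log`. Run the server in the foreground as the script's last command, `exec carton exec hypnotoad -f /lufi/script/lufi`, so that exit status and signals belong to the server; if the log stream is still wanted on the container output, start the `tail` as a background helper before the `exec` (it presumably needs the file to exist first — verify against Lufi's logging setup). The comment `# Lauch server` reads better as `# Launch server`.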
@@ -0,0 +1,384 @@
+# vim:set sw=4 ts=4 sts=4 ft=perl expandtab:
+{
+ ####################
+ # Hypnotoad settings
+ ####################
+ # see http://mojolicio.us/perldoc/Mojo/Server/Hypnotoad for a full list of settings
+ hypnotoad => {
+ # array of IP addresses and ports you want to listen to
+ # you can specify a unix socket too, like 'http+unix://%2Ftmp%2Flufi.sock'
+ listen => ['http://0.0.0.0:8081'],
+ # if you use Lufi behind a reverse proxy like Nginx, you want to set proxy to 1
+ # if you use Lufi directly, let it commented
+ #proxy => 1,
+
+ # Please read http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers
+ # to adjust this to your server
+ workers => 30,
+ clients => 1,
+ },
+
+ # Put a way to contact you here and uncomment it
+ # You can put some HTML in it
+ # MANDATORY
+ contact => 'Contact page',
+
+ # Put an URL or an email address to receive file reports and uncomment it
+ # It's for make reporting illegal files easy for users
+ # MANDATORY
+ report => 'report@example.com',
+
+ # Array of random strings used to encrypt cookies
+ # optional, default is ['fdjsofjoihrei'], PLEASE, CHANGE IT
+ secrets => ['SECRET_CHANGE_IT'],
+
+ # Name of the instance, displayed next to the logo
+ # optional, default is Lufi
+ instance_name => 'Lufi',
+
+ # Choose a theme. See the available themes in `themes` directory
+ # Optional, default is 'default'
+ theme => 'default',
+
+ # Length of the random URL
+ # optional, default is 8
+ length => 8,
+
+ # How many URLs will be provisioned in a batch ?
+ # optional, default is 5
+ provis_step => 5,
+
+ # Max number of URLs to be provisioned
+ # optional, default is 100
+ provisioning => 100,
+
+ # Length of the modify/delete token
+ # optional, default is 32
+ token_length => 32,
+
+ # Max file size, in octets
+ # You can write it 100*1024*1024
+ # optional, no default
+ #max_file_size => 104857600,
+
+ # If you want to have piwik statistics, provide a piwik image tracker
+ # Only the image tracker is allowed, no javascript
+ # optional, no default
+ #piwik_img => 'https://piwik.example.org/piwik.php?idsite=1&rec=1',
+
+ # Broadcast_message which will displayed on the index page
+ # optional, no default
+ #broadcast_message => 'Maintenance',
+
+ # Default time limit for files
+ # Valid values are 0, 1, 7, 30 and 365
+ # optional, default is 0 (no limit)
+ default_delay => 7,
+
+ # Number of days after which the files will be deleted, even if they were uploaded with "no delay" (or value superior to max_delay)
+ # A warning message will be displayed on homepage
+ # optional, default is 0 (no limit)
+ max_delay => 15,
+
+ # Size thresholds: if you want to define max delays for different sizes of file
+ # The keys are size in Bytes, you can't have 10*1000*10000 as key
+ # If a file is smaller than the smallest configured size, it will have a expiration delay of max_delay (see above)
+ # optional, default is using max_delay (see above) for all sizes
+ #delay_for_size => {
+ # 10000000 => 90, # between 10MB and 50MB => max is 90 days, less than 10MB => max is max_delay (see above)
+ # 50000000 => 60, # between 50MB ans 1GB => max is 60 days
+ # 1000000000 => 2, # more than 1GB => max is 2 days
+ #},
+
+ # URL sub-directory in which you want Lufi to be accessible
+ # example: you want to have Lufi under https://example.org/lufi/
+ # => set prefix to '/lufi' or to '/lufi/', it doesn't matter
+ # optional, defaut is /
+ #prefix => '/',
+
+ # Array of authorized domains for API calls.
+ # If you want to authorize everyone to use the API: ['*']
+ # optional, no domains allowed by default
+ #allowed_domains => ['http://1.example.com', 'http://2.example.com'],
+
+ # String of the URL to be redirected to when accessing /logout
+ # optional, default is no redirection after logging out
+ #logout_custom => 'https://sso.example.com/logout?redirect_uri=https%3A%2F%2Fexample.com',
+
+ # Define a path to the upload directory, where the uploaded files will be stored
+ # You can define it relative to lufi directory or set an absolute path
+ # Remember that it has to be in a directory writable by Lufi user
+ # optional, default is 'files'
+ upload_dir => 'files',
+
+ #!!!!!!!!!!!!!!!
+ # EXPERIMENTAL !
+ #!!!!!!!!!!!!!!!
+ # You can store files on Swift object storage (https://en.wikipedia.org/wiki/OpenStack#Swift) instead of filesystem
+ # Please read https://metacpan.org/pod/Net::OpenStack::Swift#SYNOPSIS to know how to configure this setting
+ # IMPORTANT: add a `container` key in it, to let Lufi know which container to use. This is not a regular Net::OpenStack::Swift setting, but Lufi need it.
+ # EXPERIMENTAL: if the upload or download of files are stucked, reload Lufi and create a cron task to reload Lufi once a day
+ # You can copy Lufi files to Swift object storage by launching the command `carton exec script/lufi copyFilesToSwift` (can take a long time)
+ # optional, no default
+ #swift => {
+ # auth_url => 'https://auth-endpoint-url/v2.0',
+ # user => 'userid',
+ # password => 'password',
+ # tenant_name => 'project_id',
+ # container => 'lufi'
+ #},
+
+ # Allow to add a password on files, asked before allowing to download files
+ # optional, default is 0
+ #allow_pwd_on_files => 0,
+
+ # Force all files to be in "Burn after reading mode"
+ # optional, default is 0
+ #force_burn_after_reading => 0,
+
+ # If set, the files' URLs will always use this domain
+ # optional, no default
+ #fixed_domain => 'example.org',
+
+ # Abuse reasons
+ # Set an integer in the abuse field of a file in the database and it will not be downloadable anymore
+ # The reason will be displayed to the downloader, according to the reasons you will configure here.
+ # optional, no default
+ #abuse => {
+ # 0 => 'Copyright infringment',
+ # 1 => 'Illegal content',
+ #},
+
+ ###############
+ # Mail settings
+ ###############
+
+ # Mail configuration
+ # See https://metacpan.org/pod/Mojolicious::Plugin::Mail#EXAMPLES
+ # optional, default to sendmail method with no arguments
+ #mail => {
+ # # Valid values are 'sendmail' and 'smtp'
+ # how => 'smtp',
+ # howargs => ['smtp.example.org']
+ #},
+
+ # Email sender address
+ # optional, default to no-reply@lufi.io
+ #mail_sender => 'no-reply@lufi.io',
+
+ # Disable sending mail through the server
+ # optional, default is false
+ #disable_mail_sending => 0,
+
+ #############
+ # DB settings
+ #############
+
+ # Choose what database you want to use
+ # Valid choices are sqlite, postgresql and mysql (all lowercase)
+ # optional, default is sqlite
+ #dbtype => 'sqlite',
+
+ # SQLite ONLY - only used if dbtype is set to sqlite
+ # Define a path to the SQLite database
+ # You can define it relative to lufi directory or set an absolute path
+ # Remember that it has to be in a directory writable by Lufi user
+ # optional, default is lufi.db
+ #db_path => 'lufi.db',
+
+ # PostgreSQL ONLY - only used if dbtype is set to postgresql
+ # These are the credentials to access the PostgreSQL database
+ # mandatory if you choosed postgresql as dbtype
+ #pgdb => {
+ # database => 'lufi',
+ # host => 'localhost',
+ # # optional, default is 5432
+ # #port => 5432,
+ # user => 'DBUSER',
+ # pwd => 'DBPASSWORD',
+ # # https://mojolicious.org/perldoc/Mojo/Pg#max_connections
+ # # optional, default is 1
+ # #max_connections => 1,
+ #},
+
+ # MySQL ONLY - only used if dbtype is set to mysql
+ # These are the credentials to access the MySQL database
+ # mandatory if you choosed mysql as dbtype
+ #mysqldb => {
+ # database => 'lufi',
+ # host => 'localhost',
+ # # optional, default is 3306
+ # #port => 3306,
+ # user => 'DBUSER',
+ # pwd => 'DBPASSWORD',
+ # # https://metacpan.org/pod/Mojo::mysql#max_connections
+ # # optional, default is 5 (set to 0 to disable persistent connections)
+ # #max_connections => 5,
+ #},
+
+ #############################################
+ # LDAP settings (authentication and features)
+ #############################################
+
+ # Set `ldap` if you want that only authenticated users can upload files
+ # Please note that everybody can still download files
+ # optional, no default
+ #ldap => {
+ # uri => 'ldaps://ldap.example.org', # server URI
+ # user_tree => 'ou=users,dc=example,dc=org', # search base DN
+ # bind_dn => 'uid=ldap_user,ou=users,dc=example,dc=org', # search bind DN
+ # bind_pwd => 'secr3t', # search bind password
+ # user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.)
+ # user_filter => '(!(uid=ldap_user))', # user filter (to exclude some users, etc.)
+ # # optional start_tls configuration. See https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#start_tls
+ # # don't set or uncomment if you don't want to configure it
+ # start_tls => {
+ # verify => 'optional',
+ # clientcert => '/etc/ssl/certs/ca-bundle.pem'
+ # }
+ #},
+
+ # If you've set ldap above, the session will last `session_duration` seconds before
+ # the user needs to reauthenticate
+ # optional, default is 3600
+ #session_duration => 3600,
+
+ # If you use `ldap` for authentication, you can map some attributes from LDAP to be able to access them in Lufi
+ # Those attributes will be accessible with:
+ # $c->current_user->{lufi_attribute_name} in Lufi backend files (all that is in `lib` directory)
+ # <%= $self->current_user->{lufi_attribute_name} %> in templates files (in `themes` directory)
+ #
+ # Define the attributes like this: `lufi_attribute_name => 'LDAP_attribute_name'`
+ # Note that you can’t use `username` as a Lufi attribute name: this name is reserved and will contain the login of the user
+ # optional, no default
+ #ldap_map_attr => {
+ # displayname => 'cn',
+ # mail => 'mail'
+ #},
+
+ # When using LDAP authentication, LDAP users can invite people (by mail) to use Lufi to send them files without
+ # being authenticated.
+ # This is where you configure the behavior of the invitations.
+ # You may need to fetch some attributes from LDAP to use some invitations settings. See `ldap_map_attr` above.
+ # optional, no default
+ #invitations => {
+ # # The name of the key set in `ldap_map_attr` (above) that corresponds to the mail of the LDAP user
+ # # optional, default is `mail`
+ # mail_attr => 'mail',
+ # # The `From` header of invitation mail can be the mail of the LDAP user
+ # # Be sure to have a mail system that will correctly send the mail from your users! (DKIM, SPF…)
+ # # To enable this feature, set it to 1
+ # # optional, disabled by default
+ # send_invitation_with_ldap_user_mail => 1,
+ # # The user is able to set an expiration delay for the invitation.
+ # # This expiration delay can’t be more than this setting (in days).
+ # # optional, default is 30 days
+ # max_invitation_expiration_delay => 30,
+ # # Once the guest has submitted his files, he has an additional period of time to submit forgotten files.
+ # # You can set that additional period of time in minutes here.
+ # # To disable that feature, set it to 0 or less
+ # # optional, default is 10 minutes
+ # max_additional_period => 10,
+ # # Lufi follows privacy-by-design, so, by default, no files URLs (with the decode secret) are stored in database.
+ # # However, the concern is different for this case. Storing files URLs makes users able to retrieve the guests’ sent files
+ # # from their `invitations` page.
+ # # Set to 1 to store guests’ files URLs in database
+ # # optional, default is 0 (disabled)
+ # save_files_url_in_db => 0,
+ # # Users can resend the invitation to their guest. This does not extend the invitation’s expiration delay unless you
+ # # set this option to 1.
+ # # optional, default is 0 (disabled)
+ # extend_invitation_expiration_on_resend => 0,
+ #},
+
+ #########################
+ # Htpasswd authentication
+ #########################
+
+ # Set `htpasswd` if you want to use an htpasswd file instead of ldap
+ # See 'man htpasswd' to know how to create such file
+ #htpasswd => 'lufi.passwd',
+
+ ############################
+ # HTTP header authentication
+ ############################
+
+ # Set `auth_headers` if you want to use HTTP header auth.
+ # Typically, these headers are set by a reverse-proxy
+ # acting as an authentication server. Useful for SSO.
+ # `auth_headers` should contains the user's username.
+ #
+ # /!\ LUFI BLINDLY TRUSTS THESE HEADERS
+ # /!\ IT'S UP TO YOU TO SANITIZE INCOMING HEADERS TO SECURE YOUR INSTANCE
+ #
+ #auth_headers => 'X-AUTH-PREFERRED-USERNAME',
+ #auth_headers_map_value => {
+ # # Like ldap_map_attr but for headers
+ # displayname => 'X-AUTH-DISPLAYNAME',
+ # firstname => 'X-AUTH-GIVENNAME',
+ # lastname => 'X-AUTH-LASTNAME',
+ # mail => 'X-AUTH-EMAIL'
+ #},
+
+
+ #######################
+ # HTTP Headers settings
+ #######################
+
+ # Content-Security-Policy header that will be sent by Lufi
+ # Set to '' to disable CSP header
+ # https://content-security-policy.com/ provides a good documentation about CSP.
+ # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+ # optional, default is "base-uri 'self'; connect-src 'self' ws://YOUR_HOST; default-src 'none'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' blob:; media-src blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+ #csp => "",
+
+ # X-Frame-Options header that will be sent by Lufi
+ # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+ # Set to '' to disable X-Frame-Options header
+ # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+ # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+ # optional, default is 'DENY'
+ #x_frame_options => 'DENY',
+
+ # X-Content-Type-Options that will be sent by Lufi
+ # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+ # Set to '' to disable X-Content-Type-Options header
+ # optional, default is 'nosniff'
+ #x_content_type_options => 'nosniff',
+
+ # X-XSS-Protection that will be sent by Lufi
+ # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+ # Set to '' to disable X-XSS-Protection header
+ # optional, default is '1; mode=block'
+ #x_xss_protection => '1; mode=block',
+
+ #########################
+ # Lufi cron jobs settings
+ #########################
+
+ # Expired files will be kept for 2 additional days after the expiration time has passed!
+ # The reasoning behind this is to allow downloads to complete and avoid deleting them while
+ # they are still being tranfered.
+
+ # Number of days senders' IP addresses are kept in database
+ # After that delay, they will be deleted from database (used with script/lufi cron cleanbdd)
+ # optional, default is 365
+ #keep_ip_during => 365,
+
+ # Max size of the files directory, in octets
+ # Used by script/lufi cron watch to trigger an action
+ # optional, no default
+ #max_total_size => 10*1024*1024*1024,
+
+ # Default action when files directory is over max_total_size (used with script/lufi cron watch)
+ # Valid values are 'warn', 'stop-upload' and 'delete'
+ # Please, see README.md
+ # optional, default is 'warn'
+ #policy_when_full => 'warn',
+
+ # Files which are not viewed since delete_no_longer_viewed_files days will be deleted by the cron cleanfiles task
+ # If delete_no_longer_viewed_files is not set, the no longer viewed files will NOT be deleted
+ # optional, no default
+ #delete_no_longer_viewed_files => 90,
+};
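Review bot: `secrets => ['SECRET_CHANGE_IT'],` ships a fixed cookie-signing secret inside an image that the workflow in this commit builds and pushes to a registry, and the Dockerfile copies this file in verbatim with no override in `docker-entrypoint.sh`, so every container started from the image signs its session cookies with a value that is readable by anyone who can pull it — the file's own comment next to the key says `PLEASE, CHANGE IT`. Inject the value at runtime instead (for example from an environment variable that the entrypoint substitutes into the config before starting hypnotoad), and treat the placeholder `contact` and `report` values the same way. `#proxy => 1,` is left commented while the listener is `http://0.0.0.0:8081`, so per the comment above it a deployment behind a reverse proxy will not be handled as such; and `#max_file_size` is unset, which the comment documents as no limit on upload size.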