-
Notifications
You must be signed in to change notification settings - Fork 122
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #184 from grocy/issue-183/selfsigned-tls-optional
Deprecate support for self-signed TLS certificates in frontend container
- Loading branch information
Showing
4 changed files
with
76 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| ARG PLATFORM | ||
|
|
||
| FROM --platform=${PLATFORM} docker.io/alpine:3.16.2 | ||
| LABEL maintainer "Talmai Oliveira <[email protected]>, James Addison <[email protected]>" | ||
|
|
||
| ARG GROCY_VERSION | ||
|
|
||
| # Install build-time dependencies | ||
| RUN apk add --no-cache \ | ||
| openssl \ | ||
| git \ | ||
| gnupg \ | ||
| wget \ | ||
| yarn | ||
|
|
||
| # Install system dependencies | ||
| RUN apk update && \ | ||
| apk add --no-cache \ | ||
| nginx | ||
|
|
||
| # Generate TLS certificates | ||
| RUN openssl req \ | ||
| -x509 \ | ||
| -newkey rsa:2048 \ | ||
| -keyout /etc/ssl/private/grocy-nginx.key \ | ||
| -out /etc/ssl/private/grocy-nginx.crt \ | ||
| -days 365 \ | ||
| -nodes \ | ||
| -subj /CN=localhost && \ | ||
| chown nginx /etc/ssl/private/grocy-nginx.key && \ | ||
| chown nginx /etc/ssl/private/grocy-nginx.crt | ||
|
|
||
| # Configure directory permissions | ||
| RUN chown -R nginx /var/log/nginx && \ | ||
| rm -rf /var/www/localhost && \ | ||
| chown nginx /var/www | ||
|
|
||
| COPY static/frontend/nginx.conf /etc/nginx/nginx.conf | ||
| COPY static/frontend/common.conf /etc/nginx/common.conf | ||
| COPY static/frontend/conf.d/default.conf /etc/nginx/conf.d/default.conf | ||
| COPY static/frontend/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf | ||
|
|
||
| # Install application dependencies (unprivileged) | ||
| USER nginx | ||
| WORKDIR /var/www | ||
|
|
||
| # Extract application release package | ||
| ENV GROCY_RELEASE_KEY_URI="https://berrnd.de/data/Bernd_Bestel.asc" | ||
| RUN set -o pipefail && \ | ||
| export GNUPGHOME=$(mktemp -d) && \ | ||
| wget ${GROCY_RELEASE_KEY_URI} -O - | gpg --batch --import && \ | ||
| git clone --branch ${GROCY_VERSION} --config advice.detachedHead=false --depth 1 "https://github.com/grocy/grocy.git" . && \ | ||
| git verify-commit ${GROCY_VERSION} && \ | ||
| rm -rf ${GNUPGHOME} | ||
|
|
||
| # Install application dependencies | ||
| RUN yarn install --frozen-lockfile --modules-folder /var/www/public/node_modules --production && \ | ||
| yarn cache clean | ||
|
|
||
| # Remove build-time dependencies (privileged) | ||
| USER root | ||
| RUN apk del \ | ||
| openssl \ | ||
| git \ | ||
| gnupg \ | ||
| wget \ | ||
| yarn | ||
|
|
||
| VOLUME ["/var/log/nginx"] | ||
|
|
||
| EXPOSE 8080 8443 | ||
|
|
||
| USER nginx | ||
|
|
||
| CMD ["nginx", "-g", "daemon off;"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters