Merge branch 'dockerize' into 'master'
Dockerize See merge request Jafner/calibre-web!5
This commit is contained in:
commit
b47127fd3f
1
.gitignore
vendored
1
.gitignore
vendored
@ -21,7 +21,6 @@ vendor/
|
||||
.pylint.d
|
||||
|
||||
# calibre-web
|
||||
*.db
|
||||
*.log
|
||||
cps/cache
|
||||
|
||||
|
11
.gitlab-ci.yml
Normal file
11
.gitlab-ci.yml
Normal file
@ -0,0 +1,11 @@
|
||||
build_image:
|
||||
image: docker
|
||||
stage: build
|
||||
services:
|
||||
- docker:dind
|
||||
script:
|
||||
- echo $CI_REGISTRY_USER
|
||||
- echo $CI_REGISTRY
|
||||
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
|
||||
- docker build --no-cache -t $CI_REGISTRY/jafner/calibre-web/calibre-web:$CI_COMMIT_SHORT_SHA -t $CI_REGISTRY/jafner/calibre-web/calibre-web:latest .
|
||||
- docker push $CI_REGISTRY/jafner/calibre-web/calibre-web --all-tags
|
67
Dockerfile
Normal file
67
Dockerfile
Normal file
@ -0,0 +1,67 @@
|
||||
FROM ghcr.io/linuxserver/baseimage-ubuntu:focal
|
||||
|
||||
RUN \
|
||||
echo "**** install build packages ****" && \
|
||||
apt-get update && \
|
||||
apt-get install -y \
|
||||
git \
|
||||
libldap2-dev \
|
||||
libsasl2-dev \
|
||||
python3-pip
|
||||
|
||||
RUN \
|
||||
echo "**** install runtime packages ****" && \
|
||||
apt-get install -y \
|
||||
imagemagick \
|
||||
libnss3 \
|
||||
libxcomposite1 \
|
||||
libxi6 \
|
||||
libxslt1.1 \
|
||||
libldap-2.4-2 \
|
||||
libsasl2-2 \
|
||||
libxrandr2 \
|
||||
python3-minimal \
|
||||
python3-pkg-resources \
|
||||
unrar
|
||||
|
||||
RUN \
|
||||
echo "**** install kepubify ****" && \
|
||||
if [ -z ${KEPUBIFY_RELEASE+x} ]; then \
|
||||
KEPUBIFY_RELEASE=$(curl -sX GET "https://api.github.com/repos/pgaskin/kepubify/releases/latest" \
|
||||
| awk '/tag_name/{print $4;exit}' FS='[""]'); \
|
||||
fi && \
|
||||
curl -o \
|
||||
/usr/bin/kepubify -L \
|
||||
https://github.com/pgaskin/kepubify/releases/download/${KEPUBIFY_RELEASE}/kepubify-linux-64bit
|
||||
|
||||
COPY . /app/calibre-web
|
||||
|
||||
RUN \
|
||||
echo "**** install calibre-web (a worse way than LSIO's method) ****" && \
|
||||
cd /app/calibre-web && \
|
||||
pip3 install --no-cache-dir -U \
|
||||
pip && \
|
||||
pip install --no-cache-dir -U --ignore-installed --find-links https://wheel-index.linuxserver.io/ubuntu/ -r \
|
||||
requirements.txt -r \
|
||||
optional-requirements.txt
|
||||
|
||||
RUN \
|
||||
echo "**** cleanup ****" && \
|
||||
apt-get -y purge \
|
||||
git \
|
||||
libldap2-dev \
|
||||
libsasl2-dev \
|
||||
python3-pip && \
|
||||
apt-get -y autoremove && \
|
||||
rm -rf \
|
||||
/tmp/* \
|
||||
/var/lib/apt/lists/* \
|
||||
/var/tmp/* \
|
||||
/root/.cache
|
||||
|
||||
# add local files
|
||||
COPY root/ /
|
||||
|
||||
# ports and volumes
|
||||
EXPOSE 8083
|
||||
VOLUME /config
|
BIN
root/defaults/app.db
Normal file
BIN
root/defaults/app.db
Normal file
Binary file not shown.
80
root/defaults/policy.xml
Normal file
80
root/defaults/policy.xml
Normal file
@ -0,0 +1,80 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE policymap [
|
||||
<!ELEMENT policymap (policy)+>
|
||||
<!ELEMENT policy (#PCDATA)>
|
||||
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
|
||||
<!ATTLIST policy name CDATA #IMPLIED>
|
||||
<!ATTLIST policy rights CDATA #IMPLIED>
|
||||
<!ATTLIST policy pattern CDATA #IMPLIED>
|
||||
<!ATTLIST policy value CDATA #IMPLIED>
|
||||
]>
|
||||
<!--
|
||||
Configure ImageMagick policies.
|
||||
|
||||
Domains include system, delegate, coder, filter, path, or resource.
|
||||
|
||||
Rights include none, read, write, and execute. Use | to combine them,
|
||||
for example: "read | write" to permit read from, or write to, a path.
|
||||
|
||||
Use a glob expression as a pattern.
|
||||
|
||||
Suppose we do not want users to process MPEG video images:
|
||||
|
||||
<policy domain="delegate" rights="none" pattern="mpeg:decode" />
|
||||
|
||||
Here we do not want users reading images from HTTP:
|
||||
|
||||
<policy domain="coder" rights="none" pattern="HTTP" />
|
||||
|
||||
Lets prevent users from executing any image filters:
|
||||
|
||||
<policy domain="filter" rights="none" pattern="*" />
|
||||
|
||||
The /repository file system is restricted to read only. We use a glob
|
||||
expression to match all paths that start with /repository:
|
||||
|
||||
<policy domain="path" rights="read" pattern="/repository/*" />
|
||||
|
||||
Let's prevent possible exploits by removing the right to use indirect reads.
|
||||
|
||||
<policy domain="path" rights="none" pattern="@*" />
|
||||
|
||||
Any large image is cached to disk rather than memory:
|
||||
|
||||
<policy domain="resource" name="area" value="1GB"/>
|
||||
|
||||
Define arguments for the memory, map, area, width, height, and disk resources
|
||||
with SI prefixes (.e.g 100MB). In addition, resource policies are maximums
|
||||
for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
|
||||
exceeds policy maximum so memory limit is 1GB).
|
||||
-->
|
||||
<policymap>
|
||||
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
|
||||
<policy domain="resource" name="memory" value="256MiB"/>
|
||||
<policy domain="resource" name="map" value="512MiB"/>
|
||||
<policy domain="resource" name="width" value="16KP"/>
|
||||
<policy domain="resource" name="height" value="16KP"/>
|
||||
<policy domain="resource" name="area" value="128MB"/>
|
||||
<policy domain="resource" name="disk" value="1GiB"/>
|
||||
<!-- <policy domain="resource" name="file" value="768"/> -->
|
||||
<!-- <policy domain="resource" name="thread" value="4"/> -->
|
||||
<!-- <policy domain="resource" name="throttle" value="0"/> -->
|
||||
<!-- <policy domain="resource" name="time" value="3600"/> -->
|
||||
<!-- <policy domain="system" name="precision" value="6"/> -->
|
||||
<!-- not needed due to the need to use explicitly by mvg: -->
|
||||
<!-- <policy domain="delegate" rights="none" pattern="MVG" /> -->
|
||||
<!-- use curl -->
|
||||
<policy domain="delegate" rights="none" pattern="URL" />
|
||||
<policy domain="delegate" rights="none" pattern="HTTPS" />
|
||||
<policy domain="delegate" rights="none" pattern="HTTP" />
|
||||
<!-- in order to avoid to get image with password text -->
|
||||
<policy domain="path" rights="none" pattern="@*"/>
|
||||
<policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
|
||||
<!-- disable ghostscript format types -->
|
||||
<policy domain="coder" rights="none" pattern="PS" />
|
||||
<policy domain="coder" rights="none" pattern="PS2" />
|
||||
<policy domain="coder" rights="none" pattern="PS3" />
|
||||
<policy domain="coder" rights="none" pattern="EPS" />
|
||||
<policy domain="coder" rights="read" pattern="PDF" />
|
||||
<policy domain="coder" rights="none" pattern="XPS" />
|
||||
</policymap>
|
49
root/etc/cont-init.d/30-config
Normal file
49
root/etc/cont-init.d/30-config
Normal file
@ -0,0 +1,49 @@
|
||||
#!/usr/bin/with-contenv bash
|
||||
|
||||
# create symlinks for imagemagick policy.xml
|
||||
[[ -f /etc/ImageMagick-6/policy.xml ]] && \
|
||||
rm /etc/ImageMagick-6/policy.xml
|
||||
[[ ! -L /etc/ImageMagick-6/policy.xml ]] && \
|
||||
ln -s /defaults/policy.xml /etc/ImageMagick-6/policy.xml
|
||||
|
||||
# create symlinks for database and log
|
||||
[[ ! -f /config/app.db ]] && \
|
||||
cp /defaults/app.db /config/app.db
|
||||
[[ -f /app/calibre-web/app.db ]] && \
|
||||
rm /app/calibre-web/app.db
|
||||
[[ ! -L /app/calibre-web/app.db ]] && \
|
||||
ln -s /config/app.db /app/calibre-web/app.db
|
||||
|
||||
# create symlinks for log
|
||||
[[ ! -f /config/calibre-web.log ]] && \
|
||||
touch /config/calibre-web.log
|
||||
[[ -f /app/calibre-web/calibre-web.log ]] && \
|
||||
rm /app/calibre-web/calibre-web.log
|
||||
[[ ! -L /app/calibre-web/calibre-web.log ]] && \
|
||||
ln -s /config/calibre-web.log /app/calibre-web/calibre-web.log
|
||||
|
||||
# create Google drive client_secrets.json file
|
||||
[[ ! -f /config/client_secrets.json ]] && \
|
||||
echo "{}" > /config/client_secrets.json
|
||||
[[ -f /app/calibre-web/client_secrets.json ]] &&
|
||||
rm /app/calibre-web/client_secrets.json
|
||||
[[ ! -L /app/calibre-web/client_secrets.json ]] &&
|
||||
ln -s /config/client_secrets.json /app/calibre-web/client_secrets.json
|
||||
|
||||
# create Google drive symlinks for database
|
||||
[[ ! -f /config/gdrive.db ]] && \
|
||||
cp /app/calibre-web/gdrive.db /config/gdrive.db
|
||||
[[ -f /app/calibre-web/gdrive.db ]] && \
|
||||
rm /app/calibre-web/gdrive.db
|
||||
[[ ! -L /app/calibre-web/gdrive.db ]] && \
|
||||
ln -s /config/gdrive.db /app/calibre-web/gdrive.db
|
||||
|
||||
# check if kepubify is present and if so make executable
|
||||
[[ -f /usr/bin/kepubify ]] && \
|
||||
[[ ! -x /usr/bin/kepubify ]] && \
|
||||
chmod +x /usr/bin/kepubify
|
||||
|
||||
# permissions
|
||||
chown -R abc:abc \
|
||||
/config \
|
||||
/app/calibre-web
|
6
root/etc/services.d/calibre-web/run
Normal file
6
root/etc/services.d/calibre-web/run
Normal file
@ -0,0 +1,6 @@
|
||||
#!/usr/bin/with-contenv bash
|
||||
|
||||
cd /app/calibre-web || exit
|
||||
|
||||
exec \
|
||||
s6-setuidgid abc python3 /app/calibre-web/cps.py
|
Loading…
Reference in New Issue
Block a user