Merge branch 'dockerize' into 'master'

Dockerize

See merge request Jafner/calibre-web!5

.gitignore

@@ -21,7 +21,6 @@ vendor/
 .pylint.d
 
 # calibre-web
-*.db
 *.log
 cps/cache
 

.gitlab-ci.yml

@@ -0,0 +1,11 @@
+build_image:
+  image: docker
+  stage: build
+  services:
+    - docker:dind
+  script:
+    - echo $CI_REGISTRY_USER
+    - echo $CI_REGISTRY
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - docker build --no-cache -t $CI_REGISTRY/jafner/calibre-web/calibre-web:$CI_COMMIT_SHORT_SHA -t $CI_REGISTRY/jafner/calibre-web/calibre-web:latest .
+    - docker push $CI_REGISTRY/jafner/calibre-web/calibre-web --all-tags

Dockerfile

@@ -0,0 +1,67 @@
+FROM ghcr.io/linuxserver/baseimage-ubuntu:focal
+
+RUN \
+  echo "**** install build packages ****" && \
+  apt-get update && \
+  apt-get install -y \
+    git \
+    libldap2-dev \
+    libsasl2-dev \
+    python3-pip
+
+RUN \
+  echo "**** install runtime packages ****" && \
+  apt-get install -y \
+    imagemagick \
+    libnss3 \
+    libxcomposite1 \
+    libxi6 \
+    libxslt1.1 \
+    libldap-2.4-2 \
+    libsasl2-2 \
+    libxrandr2 \
+    python3-minimal \
+    python3-pkg-resources \
+    unrar
+
+RUN \
+  echo "**** install kepubify ****" && \
+  if [ -z ${KEPUBIFY_RELEASE+x} ]; then \
+    KEPUBIFY_RELEASE=$(curl -sX GET "https://api.github.com/repos/pgaskin/kepubify/releases/latest" \
+      | awk '/tag_name/{print $4;exit}' FS='[""]'); \
+  fi && \
+  curl -o \
+    /usr/bin/kepubify -L \
+    https://github.com/pgaskin/kepubify/releases/download/${KEPUBIFY_RELEASE}/kepubify-linux-64bit
+
+COPY . /app/calibre-web
+
+RUN \
+  echo "**** install calibre-web (a worse way than LSIO's method) ****" && \
+  cd /app/calibre-web && \
+  pip3 install --no-cache-dir -U \
+    pip && \
+  pip install --no-cache-dir -U --ignore-installed --find-links https://wheel-index.linuxserver.io/ubuntu/ -r \
+    requirements.txt -r \
+    optional-requirements.txt
+
+RUN \
+  echo "**** cleanup ****" && \
+  apt-get -y purge \
+    git \
+    libldap2-dev \
+    libsasl2-dev \
+    python3-pip && \
+  apt-get -y autoremove && \
+  rm -rf \
+    /tmp/* \
+    /var/lib/apt/lists/* \
+    /var/tmp/* \
+    /root/.cache
+    
+# add local files
+COPY root/ /
+
+# ports and volumes
+EXPOSE 8083
+VOLUME /config

root/defaults/policy.xml

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+<!ELEMENT policymap (policy)+>
+<!ELEMENT policy (#PCDATA)>
+<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
+<!ATTLIST policy name CDATA #IMPLIED>
+<!ATTLIST policy rights CDATA #IMPLIED>
+<!ATTLIST policy pattern CDATA #IMPLIED>
+<!ATTLIST policy value CDATA #IMPLIED>
+]>
+<!--
+  Configure ImageMagick policies.
+
+  Domains include system, delegate, coder, filter, path, or resource.
+
+  Rights include none, read, write, and execute.  Use | to combine them,
+  for example: "read | write" to permit read from, or write to, a path.
+
+  Use a glob expression as a pattern.
+
+  Suppose we do not want users to process MPEG video images:
+
+    <policy domain="delegate" rights="none" pattern="mpeg:decode" />
+
+  Here we do not want users reading images from HTTP:
+
+    <policy domain="coder" rights="none" pattern="HTTP" />
+
+  Lets prevent users from executing any image filters:
+
+    <policy domain="filter" rights="none" pattern="*" />
+
+  The /repository file system is restricted to read only.  We use a glob
+  expression to match all paths that start with /repository:
+  
+    <policy domain="path" rights="read" pattern="/repository/*" />
+
+  Let's prevent possible exploits by removing the right to use indirect reads.
+
+    <policy domain="path" rights="none" pattern="@*" />
+
+  Any large image is cached to disk rather than memory:
+
+    <policy domain="resource" name="area" value="1GB"/>
+
+  Define arguments for the memory, map, area, width, height, and disk resources
+  with SI prefixes (.e.g 100MB).  In addition, resource policies are maximums
+  for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
+  exceeds policy maximum so memory limit is 1GB).
+-->
+<policymap>
+  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
+  <policy domain="resource" name="memory" value="256MiB"/>
+  <policy domain="resource" name="map" value="512MiB"/>
+  <policy domain="resource" name="width" value="16KP"/>
+  <policy domain="resource" name="height" value="16KP"/>
+  <policy domain="resource" name="area" value="128MB"/>
+  <policy domain="resource" name="disk" value="1GiB"/>
+  <!-- <policy domain="resource" name="file" value="768"/> -->
+  <!-- <policy domain="resource" name="thread" value="4"/> -->
+  <!-- <policy domain="resource" name="throttle" value="0"/> -->
+  <!-- <policy domain="resource" name="time" value="3600"/> -->
+  <!-- <policy domain="system" name="precision" value="6"/> -->
+  <!-- not needed due to the need to use explicitly by mvg: -->
+  <!-- <policy domain="delegate" rights="none" pattern="MVG" /> -->
+  <!-- use curl -->
+  <policy domain="delegate" rights="none" pattern="URL" />
+  <policy domain="delegate" rights="none" pattern="HTTPS" />
+  <policy domain="delegate" rights="none" pattern="HTTP" />
+  <!-- in order to avoid to get image with password text -->
+  <policy domain="path" rights="none" pattern="@*"/>
+  <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
+  <!-- disable ghostscript format types -->
+  <policy domain="coder" rights="none" pattern="PS" />
+  <policy domain="coder" rights="none" pattern="PS2" />
+  <policy domain="coder" rights="none" pattern="PS3" />
+  <policy domain="coder" rights="none" pattern="EPS" />
+  <policy domain="coder" rights="read" pattern="PDF" />
+  <policy domain="coder" rights="none" pattern="XPS" />
+</policymap>

root/etc/cont-init.d/30-config

@@ -0,0 +1,49 @@
+#!/usr/bin/with-contenv bash
+
+# create symlinks for imagemagick policy.xml
+[[ -f /etc/ImageMagick-6/policy.xml ]] && \
+    rm /etc/ImageMagick-6/policy.xml
+[[ ! -L /etc/ImageMagick-6/policy.xml ]] && \
+    ln -s /defaults/policy.xml /etc/ImageMagick-6/policy.xml
+
+# create symlinks for database and log
+[[ ! -f /config/app.db ]] && \
+    cp /defaults/app.db /config/app.db
+[[ -f /app/calibre-web/app.db ]] && \
+    rm /app/calibre-web/app.db
+[[ ! -L /app/calibre-web/app.db ]] && \
+    ln -s /config/app.db /app/calibre-web/app.db
+
+# create symlinks for log
+[[ ! -f /config/calibre-web.log ]] && \
+    touch /config/calibre-web.log
+[[ -f /app/calibre-web/calibre-web.log ]] && \
+    rm /app/calibre-web/calibre-web.log
+[[ ! -L /app/calibre-web/calibre-web.log ]] && \
+    ln -s /config/calibre-web.log /app/calibre-web/calibre-web.log
+
+# create Google drive client_secrets.json file
+[[ ! -f /config/client_secrets.json ]] && \
+    echo "{}" > /config/client_secrets.json
+[[ -f /app/calibre-web/client_secrets.json ]] &&
+    rm /app/calibre-web/client_secrets.json
+[[ ! -L /app/calibre-web/client_secrets.json ]] &&
+    ln -s /config/client_secrets.json /app/calibre-web/client_secrets.json
+
+# create Google drive symlinks for database
+[[ ! -f /config/gdrive.db ]] && \
+    cp /app/calibre-web/gdrive.db /config/gdrive.db
+[[ -f /app/calibre-web/gdrive.db ]] && \
+    rm /app/calibre-web/gdrive.db
+[[ ! -L /app/calibre-web/gdrive.db ]] && \
+    ln -s /config/gdrive.db /app/calibre-web/gdrive.db
+
+# check if kepubify is present and if so make executable
+[[ -f /usr/bin/kepubify ]] && \
+[[ ! -x /usr/bin/kepubify ]] && \
+    chmod +x /usr/bin/kepubify
+
+# permissions
+chown -R abc:abc \
+    /config \
+    /app/calibre-web

root/etc/services.d/calibre-web/run

@@ -0,0 +1,6 @@
+#!/usr/bin/with-contenv bash
+
+cd /app/calibre-web || exit
+
+exec \
+    s6-setuidgid abc python3 /app/calibre-web/cps.py