diff --git a/privatebin/Dockerfile b/privatebin/Dockerfile
index 0f43318..44cd70e 100644
--- a/privatebin/Dockerfile
+++ b/privatebin/Dockerfile
@@ -12,23 +12,29 @@ ENV GID=991 UID=991 \
 RUN BUILD_DEPS="tar gnupg" \
 && apk -U upgrade && apk add $BUILD_DEPS \
- && mkdir privatebin && cd privatebin \
+ && mkdir -p privatebin/data privatebin/cfg \
 && export GNUPGHOME="$(mktemp -d)" \
 && gpg2 --list-public-keys || /bin/true \
 && wget -qO- https://privatebin.info/key/security.asc | gpg2 --import - \
 && wget -qO /privatebin.tar.gz.asc https://github.com/PrivateBin/PrivateBin/releases/download/${PRIVATEBIN_VER}/PrivateBin-${PRIVATEBIN_VER}.tar.gz.asc \
 && wget -qO /privatebin.tar.gz https://github.com/PrivateBin/PrivateBin/archive/${PRIVATEBIN_VER}.tar.gz \
 && gpg2 --verify /privatebin.tar.gz.asc \
+ && cd srv \
 && tar -xzf /privatebin.tar.gz --strip 1 \
- && mv cfg/conf.sample.php cfg/conf.php \
+ && mv cfg /privatebin \
+ && mv lib /privatebin \
+ && mv tpl /privatebin \
+ && mv vendor /privatebin \
+ && sed -i "s#define('PATH', '');#define('PATH', '/privatebin/');#" index.php \
 && apk del $BUILD_DEPS \
- && rm -rf /var/cache/apk/* /privatebin.tar.gz* "${GNUPGHOME}"
+ && rm -rf /var/cache/apk/* *.md /privatebin.tar.gz* "${GNUPGHOME}"
 COPY rootfs /
 RUN chmod +x /usr/local/bin/run.sh /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
-VOLUME /privatebin/data /php/session
+# mark dirs as volumes that need to be writable, allows running the container --read-only
+VOLUME /privatebin/data /php /nginx /tmp /etc/s6.d
 EXPOSE 8888
diff --git a/privatebin/rootfs/nginx/sites-enabled/nginx.conf b/privatebin/rootfs/nginx/sites-enabled/nginx.conf
index 8765f48..6e923ce 100644
--- a/privatebin/rootfs/nginx/sites-enabled/nginx.conf
+++ b/privatebin/rootfs/nginx/sites-enabled/nginx.conf
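Review bot: The `sed -i "s#define('PATH', '');#define('PATH', '/privatebin/');#" index.php` line only rewrites PATH if PrivateBin's index.php still contains that exact literal, and sed exits 0 either way, so if the upstream line ever changes the image builds fine with PATH left as '' and then fails at runtime because vendor/, lib/, tpl/ and cfg/ have been moved out of /srv. A build-time assertion right after it, `&& grep -q "define('PATH', '/privatebin/');" index.php \`, turns that silent no-op into a build failure. The earlier `mkdir -p privatebin/data privatebin/cfg` also pre-creates /privatebin/cfg, which the later `mv cfg /privatebin` then has to rename over; that only succeeds while the pre-created directory is empty, so dropping `privatebin/cfg` from the mkdir removes the fragility. A comment is also warranted that conf.sample.php is no longer copied to conf.php, so the image now relies on a user-supplied /privatebin/cfg/conf.php or on PrivateBin's fallback to the sample defaults, if the pinned release provides one.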
@@ -1,33 +1,33 @@
 server {
- listen 8888;
- root /privatebin;
- index index.php index.html;
+ listen 8888;
+ root /srv;
+ index index.php;
- location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
- expires 30d;
- access_log off;
- }
+ location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
+ expires 30d;
+ access_log off;
+ }
- location ~ ^/(data|cfg|tmp) {
- deny all;
- }
-
- location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
- deny all;
- }
-
- location ~ /\. {
- deny all;
- }
+ location ~ ^/(data|cfg|tmp) {
+ deny all;
+ }
- location / {
- try_files $uri $uri/ /index.php;
- }
+ location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
+ deny all;
+ }
- location ~ \.php$ {
- fastcgi_index index.php;
- fastcgi_pass unix:/php/run/php-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- include /nginx/conf/fastcgi_params;
- }
+ location ~ /\. {
+ deny all;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php;
+ }
+
+ location ~ \.php$ {
+ fastcgi_index index.php;
+ fastcgi_pass unix:/php/run/php-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include /nginx/conf/fastcgi_params;
+ }
 }
diff --git a/privatebin/rootfs/usr/local/bin/run.sh b/privatebin/rootfs/usr/local/bin/run.sh
index 0eac2c3..e453f2d 100644
--- a/privatebin/rootfs/usr/local/bin/run.sh
+++ b/privatebin/rootfs/usr/local/bin/run.sh
@@ -6,5 +6,5 @@ sed -i -e "s//$UPLOAD_MAX_SIZE/g" /nginx/conf/nginx.conf /php/e
 -e "s//$PHP_MIN_SPARE_SERVERS/g" /php/etc/php-fpm.conf \
 -e "s//$PHP_MAX_SPARE_SERVERS/g" /php/etc/php-fpm.conf
-chown -R $UID:$GID /privatebin /nginx /php /tmp /etc/s6.d
+chown -R $UID:$GID /privatebin/data /nginx /php /tmp /etc/s6.d
 exec su-exec $UID:$GID /bin/s6-svscan /etc/s6.d
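Review bot: With `root /srv;` and lib/, tpl/, vendor/ and cfg/ relocated to /privatebin, index.php is the only PHP file nginx should ever hand to php-fpm, yet the `location ~ \.php$` block still executes any `.php` path that exists under /srv, so whatever else the GitHub archive tarball leaves in the document root (test or tooling scripts, if the pinned release ships any) becomes directly executable. Since no other PHP entry point is intended, narrowing it to `location = /index.php {` with the same body closes that off and also avoids the usual pathinfo edge cases of `SCRIPT_FILENAME $document_root$fastcgi_script_name`; the `try_files … /index.php` fallback in `location /` still reaches the exact-match location. The `location ~ ^/(data|cfg|tmp)` deny rule now guards directories that no longer live under /srv; keeping it is harmless, but a comment such as `# data/ and cfg/ live in /privatebin outside the web root; kept as defence in depth` would explain why it stays.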
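Review bot: The new `chown -R $UID:$GID /privatebin/data /nginx /php /tmp /etc/s6.d` still gives the unprivileged service user ownership of the whole nginx and php-fpm configuration trees and of the s6 service scripts, not just the locations they write to at runtime, so a compromised PHP process can rewrite nginx.conf, php-fpm.conf or /etc/s6.d/*/run, and because the Dockerfile in this commit declares those paths as volumes the change survives a container restart. The `sed -i` edits above run as root before `su-exec` drops privileges, so the configuration files themselves never need to be owned by $UID; only the runtime-writable subdirectories (the php-fpm socket and session directories and nginx's log/temp locations, whichever this image uses) plus /privatebin/data and /tmp do. Limiting the chown to those paths and leaving /etc/s6.d root-owned keeps the commit's `--read-only` goal without making the service definitions writable by the service they define; quoting the expansions as `"$UID:$GID"` while touching the line costs nothing. The multi-line `sed` command this hunk continues begins before the hunk.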