feature: Docker auto image build

limanmys · Dec 26, 2023 · cdcd0ee · cdcd0ee
1 parent 14cc628
commit cdcd0ee
Show file tree

Hide file tree

Showing 26 changed files with 963 additions and 0 deletions.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,89 @@
+name: Docker
+on: [push]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: docker.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: aciklab/liman
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Get version details
+        run: |
+          VERSION=`cat package/liman/server/storage/VERSION`
+          echo "RELEASE_VER=$(echo $VERSION)" >> $GITHUB_ENV
+          echo "RELEASE_RUNNUMBER=$(echo $GITHUB_RUN_NUMBER)" >> $GITHUB_ENV
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
+        with:
+          cosign-release: 'v2.1.1'
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry docker.io
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VER }}-${{ env.RELEASE_RUNNUMBER }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VER }}-${{ env.RELEASE_RUNNUMBER }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE_VER }}-${{ env.RELEASE_RUNNUMBER }}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,104 @@
+# LIMAN DOCKERFILE
+# AUTHOR: Doğukan Öksüz <dogukan@liman.dev>
+
+FROM ubuntu:jammy
+EXPOSE 80 443
+
+# DEPENDENCIES
+RUN echo LIMAN.HAVELSAN.COM.TR
+RUN export DEBIAN_FRONTEND=noninteractive;
+ARG DEBIAN_FRONTEND=noninteractive
+ENV DEBIAN_FRONTEND noninteractive
+ENV TZ=Europe/Istanbul
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+RUN apt -yqq update
+RUN DEBIAN_FRONTEND=noninteractive apt -yqq install software-properties-common gnupg2 ca-certificates wget curl
+RUN add-apt-repository --yes ppa:ondrej/php
+RUN mkdir -p /etc/apt/keyrings
+RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+RUN echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list
+RUN apt -yqq update
+
+# LIMAN DEPS
+RUN DEBIAN_FRONTEND=noninteractive apt -yqq install sudo nodejs gpg zip unzip nginx sysstat php8.1-redis php8.1-fpm php8.1-gd php8.1-curl php8.1 php8.1-sqlite3 php8.1-snmp php8.1-mbstring php8.1-xml php8.1-zip php8.1-posix libnginx-mod-http-headers-more-filter libssl3 supervisor php8.1-pgsql pgloader php8.1-bcmath rsync dnsutils php8.1-ldap php8.1-smbclient krb5-user php8.1-ssh2 smbclient novnc
+
+# FILES
+RUN bash -c 'mkdir -p /liman_files/{server,certs,logs,database,sandbox,keys,extensions,modules,packages,ui}'
+
+# UI
+RUN curl -s https://api.github.com/repos/limanmys/next/releases/latest | grep "browser_download_url.*zip" | cut -d : -f 2,3 | tr -d \" | wget -qi -
+RUN unzip ui*.zip -d ui
+RUN mv ui /liman_files/
+
+# CORE
+RUN wget "https://github.com/limanmys/core/archive/refs/heads/feature-new-ui.zip" -O "core.zip"
+RUN unzip -qq core.zip
+RUN mv core-feature-new-ui/* /liman_files/server
+RUN mv core-feature-new-ui/.env.example /liman_files/server
+RUN rm -rf core.zip
+
+# PHP SANDBOX
+RUN wget "https://github.com/limanmys/php-sandbox/archive/refs/heads/master.zip" -O "sandbox.zip"
+RUN unzip -qq sandbox.zip
+RUN mkdir -p /liman_files/sandbox/php
+RUN mv php-sandbox-master/* /liman_files/sandbox/php/
+RUN rm -rf sandbox.zip php-sandbox-master
+
+# EXT TEMPLATES
+RUN wget "https://github.com/limanmys/extension_templates/archive/master.zip" -O "extension_templates.zip"
+RUN unzip -qq extension_templates.zip
+RUN mkdir -p /liman_files/server/storage/extension_templates
+RUN mv extension_templates-master/* /liman_files/server/storage/extension_templates
+RUN rm -rf extension_templates.zip extension_templates-master
+
+# RENDER ENGINE
+RUN curl -s https://api.github.com/repos/limanmys/fiber-render-engine/releases/latest | grep "browser_download_url.*zip" | cut -d : -f 2,3 | tr -d \" | wget -qi -
+RUN unzip liman_render*.zip
+RUN mv liman_render /liman_files/server/storage/liman_render
+
+# COMPOSER
+RUN curl -sS https://getcomposer.org/installer -o composer-setup.php
+RUN php composer-setup.php --install-dir=/usr/local/bin --filename=composer
+RUN rm -rf composer-setup.php
+
+RUN composer install --no-dev --no-scripts -d /liman_files/server
+RUN composer install --no-dev -d /liman_files/sandbox/php
+
+# USERS
+RUN groupadd -g 2800 liman
+RUN useradd liman -u 2801 -g 2800 -m
+RUN useradd extuser -u 2802 -g 2800 -m
+
+# PERMS
+RUN cp -f /liman_files/server/storage/limanctl /usr/bin/limanctl
+
+# VNC SETTINGS
+RUN rm -rf /liman_files/keys/vnc
+RUN mkdir /liman_files/keys/vnc
+RUN chmod 700 /liman_files/keys/vnc
+RUN touch /liman_files/keys/vnc/config
+RUN chown liman:liman /liman_files/keys/vnc /liman_files/keys/vnc/config
+RUN chmod 700 /liman_files/keys/vnc/config
+
+# SETTINGS
+RUN sed -i "s/www-data/liman/g" /etc/php/8.1/fpm/pool.d/www.conf
+RUN sed -i "s/www-data/liman/g" /etc/nginx/nginx.conf
+COPY storage/build_tools/docker/config/nginx_default /etc/nginx/sites-available/default 
+COPY storage/build_tools/docker/config/nginx.conf /etc/nginx/sites-available/liman.conf
+RUN ln -s /etc/nginx/sites-available/liman.conf /etc/nginx/sites-enabled/liman.conf
+
+# SERVICES
+RUN mkdir /run/php
+COPY storage/build_tools/docker/config/supervisor.conf /etc/supervisor/supervisor.conf
+COPY storage/build_tools/docker/config/supervisor /etc/supervisor/conf.d
+
+# START LIMAN
+COPY storage/build_tools/docker/init.sh /tmp/init.sh
+RUN ["chmod", "755", "/tmp/init.sh"]
+RUN ["chmod", "+x", "/tmp/init.sh"]
+
+# FREE UP SPACE
+RUN apt clean -yqq
+RUN apt autoclean -yqq
+
+ENTRYPOINT ["/tmp/init.sh"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,84 @@
+version: '3.8'
+services:
+  limancore:
+    image: aciklab/liman:latest
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: always
+    environment:
+      # Redis settings
+      - REDIS_HOST=liman-redis
+      - REDIS_PASS=${DB_PASS}
+      - REDIS_PORT=6379
+      # DB settings
+      # For using Patroni or another Postgresql Cluster
+      - DB_HOST=liman-db
+      - DB_DATABASE=liman
+      - DB_USERNAME=liman
+      - DB_PORT=5432
+      - DB_PASS=${DB_PASS}
+      # Nginx settings
+      - NGINX_PORT=443
+    container_name: liman-core
+    tty: true
+    ports:
+      - '443:443'
+      - '3000:3000'
+    volumes: 
+      - core:/liman
+      - certs:/usr/local/share/ca-certificates
+    networks:
+      - liman-net
+    dns:
+      - 127.0.0.1
+      # Add active directory DNS(s) for using Domain extension and LDAP on Liman
+  db:
+    image: postgres:15
+    container_name: liman-db
+    restart: always
+    environment:
+      - POSTGRES_USER=liman
+      - POSTGRES_PASSWORD=${DB_PASS}
+      - POSTGRES_DB=liman
+    volumes: 
+      - db:/var/lib/postgresql/data
+    healthcheck :
+      test: [ "CMD", "pg_isready", "-q", "-d", "liman", "-U", "liman" ]
+      interval : 5s
+      timeout : 5s
+      retries : 5
+    networks:
+      - liman-net
+  redis:
+    image: redis
+    container_name: liman-redis
+    environment:
+      - REDIS_PASSWORD=${DB_PASS}
+      - REDIS_DISABLE_COMMANDS=CONFIG
+    command: > 
+      --requirepass ${DB_PASS} --protected-mode yes
+    networks:
+      - liman-net
+  webssh:
+    image: limanmys/webssh:latest
+    restart: always
+    container_name: liman-webssh
+    networks:
+      - liman-net
+
+volumes:
+  # Persistent Postgresql Database
+  db:
+    driver: local
+  # Persist Core Files
+  core:
+    driver: local
+  # Persist Linux System Certificates
+  certs:
+    driver: local
+
+networks:
+  liman-net:
+    name: liman-net
+    driver: bridge
diff --git a/k8s/helm/Chart.yaml b/k8s/helm/Chart.yaml
@@ -0,0 +1,10 @@
+name: Liman
+description: Liman Merkezi Yönetim Sistemi
+version: 2.0.863
+apiVersion: v2
+keywords:
+  - liman
+  - system-management
+  - linux
+sources:
+home:
diff --git a/k8s/helm/templates/certs-persistentvolumeclaim.yaml b/k8s/helm/templates/certs-persistentvolumeclaim.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  creationTimestamp: null
+  labels:
+    service: limancore
+  name: certs
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 50Mi
+status: {}
diff --git a/k8s/helm/templates/core-persistentvolumeclaim.yaml b/k8s/helm/templates/core-persistentvolumeclaim.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  creationTimestamp: null
+  labels:
+    service: limancore
+  name: core
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+status: {}
diff --git a/k8s/helm/templates/db-deployment.yaml b/k8s/helm/templates/db-deployment.yaml
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  creationTimestamp: null
+  labels:
+    service: db
+  name: db
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      service: db
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        network/liman-net: "true"
+        service: db
+    spec:
+      containers:
+        - env:
+            - name: POSTGRES_DB
+              value: liman
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: {{ .Release.Name }}-auth
+            - name: POSTGRES_USER
+              value: liman
+          image: postgres:15
+          livenessProbe:
+            exec:
+              command:
+                - pg_isready
+                - -q
+                - -d
+                - liman
+                - -U
+                - liman
+            failureThreshold: 5
+            periodSeconds: 5
+            timeoutSeconds: 5
+          name: liman-db
+          resources: {}
+          volumeMounts:
+            - mountPath: /var/lib/postgresql/data
+              name: db
+      restartPolicy: Always
+      volumes:
+        - name: db
+          persistentVolumeClaim:
+            claimName: db
+status: {}
diff --git a/k8s/helm/templates/db-persistentvolumeclaim.yaml b/k8s/helm/templates/db-persistentvolumeclaim.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  creationTimestamp: null
+  labels:
+    service: db
+  name: db
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 4Gi
+status: {}