make apache container read-only

Signed-off-by: Simon L <szaimen@e.mail.de>
nextcloud · Jul 13, 2023 · 536de3c · 536de3c
1 parent bb63abd
commit 536de3c
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 7 deletions.
diff --git a/Containers/apache/Dockerfile b/Containers/apache/Dockerfile
@@ -22,6 +22,8 @@ RUN set -ex; \
     \
     mkdir -p /mnt/data; \
     chown -R www-data:www-data /mnt/data; \
+    mkdir /caddy; \
+    chown 777 /caddy; \
     \
     apk add --no-cache \
         bash \
@@ -59,9 +61,13 @@ RUN set -ex; \
     mkdir /var/run/supervisord; \
     chown www-data:www-data /var/run/supervisord; \
     chown www-data:www-data /var/log/supervisord; \
+    chmod 777 /var/run/supervisord; \
+    chmod 777 /var/log/supervisord; \
     \
     chown -R www-data:www-data /usr/local/apache2; \
     chmod +r -R /usr/local/apache2; \
+    mkdir -p /usr/local/apache2/logs; \
+    chmod 777 -R /usr/local/apache2/logs; \
     \
     echo "root:$(openssl rand -base64 12)" | chpasswd
 

diff --git a/Containers/apache/start.sh b/Containers/apache/start.sh
@@ -35,18 +35,18 @@ if [ "$APACHE_PORT" != '443' ]; then
 else
     CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /caddy/Caddyfile
 
 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
-    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /Caddyfile)"
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /caddy/Caddyfile)"
 else
-    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
+    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /caddy/Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /caddy/Caddyfile
 
 # Fix the Caddyfile format
-caddy fmt --overwrite /Caddyfile
+caddy fmt --overwrite /caddy/Caddyfile
 
 # Add caddy path
 mkdir -p /mnt/data/caddy/

diff --git a/Containers/apache/supervisord.conf b/Containers/apache/supervisord.conf
@@ -20,4 +20,4 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /Caddyfile
+command=/usr/bin/caddy run --config /caddy/Caddyfile
diff --git a/php/containers-schema.json b/php/containers-schema.json
@@ -141,7 +141,7 @@
 						"type": "array",
 						"items": {
 							"type": "string",
-							"pattern": "^/[a-z/_-]+$"
+							"pattern": "^/[a-z/_-0-9]+$"
 						}
 					},
 					"volumes": {

diff --git a/php/containers.json b/php/containers.json
@@ -55,6 +55,13 @@
       ],
       "networks": [
         "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/log/supervisord",
+        "/var/run/supervisord",
+        "/usr/local/apache2/logs",
+        "/caddy"
       ]
     },
     {