initial commit

Dockerfile

@@ -0,0 +1,198 @@
+ARG IMAGE_VERSION
+FROM docker.io/rockdrilla/angie-conv:${IMAGE_VERSION}-deps AS deps
+
+## ---
+
+FROM deps AS pycache
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*        /usr/local/sbin/
+COPY /scripts-extra/*  /usr/local/sbin/
+
+COPY /j2cfg/ /usr/local/lib/j2cfg/
+
+ENV PYTHONDONTWRITEBYTECODE=''
+
+## Python cache preseed
+
+RUN python3 -m compileall -q -j 2 /usr/local/lib/j2cfg/
+
+RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+    find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+    | sed -zEn \
+      -e '/^(collections|concurrent|encodings|importlib|json|logging|multiprocessing|re|urllib)$/p' \
+    | sort -zV \
+    | env -C "${libpython}" xargs -0r \
+      python3 -m compileall -q -j 2 ; \
+    find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
+    | sed -zE \
+      -e '/\.(dist-info|pth|txt)$/d' \
+      -e '/^pip$/d' \
+    | sort -zV \
+    | env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
+      python3 -m compileall -q -j 2
+
+## Python cache warmup
+RUN j2cfg-single /usr/local/lib/j2cfg/j2cfg/test.j2 /tmp/test ; \
+    cat /tmp/test ; echo ; echo ; \
+    rm -f /tmp/test
+
+WORKDIR /pycache
+RUN find /usr/local/ -type f -name '*.py[co]' -printf '%P\0' \
+    | sort -zV \
+    | tar -C /usr/local --null -T - -cf - \
+    | tar -xf -
+
+## Python cache adjustments
+RUN d="@$(date '+%s')" ; \
+    find /pycache/ -mindepth 1 -exec touch -m -d "$d" {} +
+
+## ---
+
+FROM deps
+SHELL [ "/bin/sh", "-ec" ]
+
+## NB: NGX_DEBUG is set via build script
+
+COPY /Dockerfile /usr/local/share/
+
+COPY /j2cfg/ /usr/local/lib/j2cfg/
+
+## RFC: Python cache
+COPY --from=pycache /pycache/  /usr/local/
+
+ENV ANGIE_MODULES_DIR=/usr/lib/angie/modules
+
+COPY /scripts/* /usr/local/bin/
+## fixup
+RUN mv /usr/local/bin/angie /usr/local/sbin/
+
+RUN _UID=333 _GID=333 ; \
+    echo "angie:x:${_UID}:${_GID}:Angie:/etc/angie:/bin/false" >> /etc/passwd ; \
+    echo "angie:x:${_GID}:" >> /etc/group ; \
+    echo 'angie:!:::::::' >> /etc/shadow
+
+COPY /apt/sources.angie  /etc/apt/sources.list.d/angie.sources
+
+RUN apt-install.sh \
+      angie \
+      angie-console-light \
+    ; \
+    apt-mark hold angie angie-console-light ; \
+    apt-clean.sh ; \
+    ## verify Angie layout
+    [ -d "${ANGIE_MODULES_DIR}" ] ; \
+    n='/usr/sbin/angie' ; \
+    [ -h "$n" ] ; \
+    [ -x "$n-debug" ] ; \
+    [ -x "$n-nodebug" ] ; \
+    ## adjust Angie binaries
+    rm -fv "$n" ; \
+    if [ "${NGX_DEBUG}" = 0 ] ; then \
+        rm -fv "$n-debug" ; \
+        mv -fv "$n-nodebug" "$n" ; \
+    else \
+        rm -fv "$n-nodebug" ; \
+        mv -fv "$n-debug" "$n" ; \
+    fi
+
+## copy directory structure
+COPY /angie/ /etc/angie.dist/
+RUN ln -sv "${ANGIE_MODULES_DIR}" /etc/angie.dist/modules
+
+## preserve snippets from Angie config directory
+## ref: https://git.angie.software/web-server/angie/src/tag/Angie-1.9.1/conf
+RUN d=/etc/angie ; \
+    tar -C "$d" -cf - \
+      fastcgi_params \
+      fastcgi.conf \
+      mime.types \
+      prometheus_all.conf \
+      scgi_params \
+      uwsgi_params \
+    | tar -C "$d.dist/snip" -xf -
+
+## flush default directory
+RUN rm -rf /etc/angie ; \
+    mkdir /etc/angie
+
+## /angie/ is persistence store (if any)
+## /run/ngx/ is runtime volume
+RUN install -d -o angie -g angie -m 03777 /angie /run/ngx
+VOLUME [ "/run/ngx" ]
+
+## adjust paths across filesystem
+RUN for d in cache lib log ; do \
+        rm -rfv "/var/$d/angie" ; \
+        ln -sv "/run/ngx/$d" "/var/$d/angie" ; \
+    done
+
+## special empty directory
+RUN d='/var/lib/empty' ; \
+    rm -rf "$d" ; \
+    if [ -d "$d" ] ; then ls -ld "$d" ; exit 1 ; fi ; \
+    install -d -m 0555 "$d"
+
+## prepare DH params for TLS
+## NB: disabled in pipeline for now
+## reason: too slow (and too much effort)
+# RUN cd /etc/angie.dist/tls || exit 1 ; \
+#     openssl-generate-dh-bundle.sh
+
+## future quirk for angie-module-modsecurity >:)
+## a bit better config is here:
+##   /etc/angie.dist/modsecurity/rules.conf
+RUN x='/etc/angie/modsecurity/rules.conf' ; \
+    dpkg-divert --divert "$x.dist" --rename "$x"
+
+## preseed builtin modules list
+RUN x='angie-builtin-modules.sh' ; \
+    "$x" ; \
+    rm -fv "$(which "$x")"
+
+## install relatively lightweight modules
+RUN mkdir -p /etc/angie/mod ; \
+    apt-install-angie-mod.sh \
+      brotli \
+      cache-purge \
+      echo \
+      geoip2 \
+      headers-more \
+      njs-light \
+      subs \
+      upload \
+      zip \
+      zstd \
+    ; \
+    apt-clean.sh ; \
+    ## move fresh configs to appropriate location
+    find /etc/angie/mod/ -mindepth 1 -exec mv -nvt /etc/angie.dist/mod {} + ; \
+    rm -rfv /etc/angie/mod
+
+## adjust permissions/ownership
+RUN chown -hR 0:0 /etc/angie.dist /etc/angie ; \
+    find /etc/angie.dist/ /etc/angie/ -name .gitkeep -type f -delete ; \
+    find /etc/angie.dist/ /etc/angie/ -type d -exec chmod 0755 {} + ; \
+    find /etc/angie.dist/ /etc/angie/ -type f -exec chmod 0644 {} +
+
+## image-entry.sh is placed into /usr/local/bin/ to allow custom entrypoint/chaining:
+## - there's no need to change ENTRYPOINT/CMD
+## - custom entrypoint should be placed in /usr/local/sbin/
+## - custom entrypoint should "exec" /usr/local/bin/image-entry.sh
+## hovewer, this is discouraged (and this trick may be removed in future)
+COPY /image-entry.sh  /usr/local/bin/
+COPY /image-entry.d/  /image-entry.dist/
+
+## further customization
+RUN install -d /image-entry
+
+## must be bind-mounted only for local customization/overrides!
+# RUN install -d /image-entry.local
+
+## misc defaults
+ENV MALLOC_ARENA_MAX=4
+
+STOPSIGNAL SIGQUIT
+
+ENTRYPOINT [ "image-entry.sh" ]
+CMD [ "angie" ]