julien.rbrt.fr / tangled-core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom

Docker support

This container embeds everything in one container:
- knotserver
- repoguard
- keyfetch
- sshd server

To supervise knot and sshd servers I decided to use well known s6-overlay. After first launch it execline script will create host keys. knotserver runs under git, sshd under root.

krasovs.ky 195587bd be877bba

options
unified split
Changed files
+108
docker
Dockerfile
docker-compose.yml
rootfs
etc
s6-overlay
s6-rc.d
create-sshd-host-keys
type
up
knotserver
dependencies.d
base
run
type
sshd
dependencies.d
base
create-sshd-host-keys
run
type
user
contents.d
knotserver
sshd
scripts
create-sshd-host-keys
ssh
sshd_config.d
tangled_sshd.conf
+52
docker/Dockerfile 
···

       

       
1

       
+

       
FROM docker.io/golang:1.24-alpine3.21 AS build


     

       

       
2

       
+

       



     

       

       
3

       
+

       
ENV CGO_ENABLED=1


     

       

       
4

       
+

       



     

       

       
5

       
+

       
RUN apk add --no-cache gcc musl-dev


     

       

       
6

       
+

       



     

       

       
7

       
+

       
WORKDIR /usr/src/app


     

       

       
8

       
+

       



     

       

       
9

       
+

       
COPY go.mod go.sum ./


     

       

       
10

       
+

       
RUN go mod download


     

       

       
11

       
+

       



     

       

       
12

       
+

       
COPY . .


     

       

       
13

       
+

       
RUN go build -v \


     

       

       
14

       
+

       
    -o /usr/local/bin/knotserver \


     

       

       
15

       
+

       
    -ldflags='-s -w -extldflags "-static"' \


     

       

       
16

       
+

       
    ./cmd/knotserver && \


     

       

       
17

       
+

       
    go build -v \


     

       

       
18

       
+

       
    -o /usr/local/bin/keyfetch \


     

       

       
19

       
+

       
    ./cmd/keyfetch && \


     

       

       
20

       
+

       
    go build -v \


     

       

       
21

       
+

       
    -o /usr/local/bin/repoguard \


     

       

       
22

       
+

       
    ./cmd/repoguard


     

       

       
23

       
+

       



     

       

       
24

       
+

       
FROM docker.io/alpine:3.21


     

       

       
25

       
+

       



     

       

       
26

       
+

       
LABEL org.opencontainers.image.title=Tangled


     

       

       
27

       
+

       
LABEL org.opencontainers.image.description="Tangled is a decentralized and open code collaboration platform, built on atproto."


     

       

       
28

       
+

       
LABEL org.opencontainers.image.vendor=Tangled.sh


     

       

       
29

       
+

       
LABEL org.opencontainers.image.licenses=MIT


     

       

       
30

       
+

       
LABEL org.opencontainers.image.url=https://tangled.sh


     

       

       
31

       
+

       
LABEL org.opencontainers.image.source=https://tangled.sh/@tangled.sh/core


     

       

       
32

       
+

       



     

       

       
33

       
+

       
RUN apk add --no-cache shadow s6-overlay execline openssh git && \


     

       

       
34

       
+

       
    adduser --disabled-password git && \


     

       

       
35

       
+

       
    # We need to set password anyway since otherwise ssh won't work


     

       

       
36

       
+

       
    head -c 32 /dev/random | base64 | tr -dc 'a-zA-Z0-9' | passwd git --stdin && \


     

       

       
37

       
+

       
    mkdir /app && mkdir /home/git/repositories


     

       

       
38

       
+

       



     

       

       
39

       
+

       
COPY --from=build /usr/local/bin/knotserver /usr/local/bin


     

       

       
40

       
+

       
COPY --from=build /usr/local/bin/keyfetch /usr/local/libexec/tangled-keyfetch


     

       

       
41

       
+

       
COPY --from=build /usr/local/bin/repoguard /home/git/repoguard


     

       

       
42

       
+

       
COPY docker/rootfs/ .


     

       

       
43

       
+

       



     

       

       
44

       
+

       
RUN chown root:root /usr/local/libexec/tangled-keyfetch && \


     

       

       
45

       
+

       
    chmod 755 /usr/local/libexec/tangled-keyfetch && \


     

       

       
46

       
+

       
    chown git:git /home/git/repoguard && \


     

       

       
47

       
+

       
    chown git:git /app && chown git:git /home/git/repositories


     

       

       
48

       
+

       



     

       

       
49

       
+

       
EXPOSE 22


     

       

       
50

       
+

       
EXPOSE 5555


     

       

       
51

       
+

       



     

       

       
52

       
+

       
ENTRYPOINT ["/init"]
+16
docker/docker-compose.yml 
···

       

       
1

       
+

       
services:


     

       

       
2

       
+

       
  knot:


     

       

       
3

       
+

       
    build:


     

       

       
4

       
+

       
      context: ..


     

       

       
5

       
+

       
      dockerfile: docker/Dockerfile


     

       

       
6

       
+

       
    environment:


     

       

       
7

       
+

       
      KNOT_SERVER_HOSTNAME: "knot.example.org"


     

       

       
8

       
+

       
      KNOT_SERVER_SECRET: "secret"


     

       

       
9

       
+

       
      KNOT_SERVER_DB_PATH: "/app/knotserver.db"


     

       

       
10

       
+

       
    volumes:


     

       

       
11

       
+

       
      - "./keys:/etc/ssh/keys"


     

       

       
12

       
+

       
      - "./repositories:/home/git/repositories"


     

       

       
13

       
+

       
      - "./server:/app"


     

       

       
14

       
+

       
    ports:


     

       

       
15

       
+

       
      - "5555:5555"


     

       

       
16

       
+

       
      - "2222:22"
+1
docker/rootfs/etc/s6-overlay/s6-rc.d/create-sshd-host-keys/type 
···

       

       
1

       
+

       
oneshot
+1
docker/rootfs/etc/s6-overlay/s6-rc.d/create-sshd-host-keys/up 
···

       

       
1

       
+

       
/etc/s6-overlay/scripts/create-sshd-host-keys
docker/rootfs/etc/s6-overlay/s6-rc.d/knotserver/dependencies.d/base

This is a binary file and will not be displayed.

+3
docker/rootfs/etc/s6-overlay/s6-rc.d/knotserver/run 
···

       

       
1

       
+

       
#!/command/with-contenv ash


     

       

       
2

       
+

       



     

       

       
3

       
+

       
exec s6-setuidgid git /usr/local/bin/knotserver
+1
docker/rootfs/etc/s6-overlay/s6-rc.d/knotserver/type 
···

       

       
1

       
+

       
longrun
docker/rootfs/etc/s6-overlay/s6-rc.d/sshd/dependencies.d/base

This is a binary file and will not be displayed.

docker/rootfs/etc/s6-overlay/s6-rc.d/sshd/dependencies.d/create-sshd-host-keys

This is a binary file and will not be displayed.

+3
docker/rootfs/etc/s6-overlay/s6-rc.d/sshd/run 
···

       

       
1

       
+

       
#!/usr/bin/execlineb -P


     

       

       
2

       
+

       



     

       

       
3

       
+

       
/usr/sbin/sshd -e -D
+1
docker/rootfs/etc/s6-overlay/s6-rc.d/sshd/type 
···

       

       
1

       
+

       
longrun
docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/knotserver

This is a binary file and will not be displayed.

docker/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/sshd

This is a binary file and will not be displayed.

+21
docker/rootfs/etc/s6-overlay/scripts/create-sshd-host-keys 
···

       

       
1

       
+

       
#!/usr/bin/execlineb -P


     

       

       
2

       
+

       



     

       

       
3

       
+

       
foreground {


     

       

       
4

       
+

       
  if -n { test -d /etc/ssh/keys }


     

       

       
5

       
+

       
  mkdir /etc/ssh/keys


     

       

       
6

       
+

       
}


     

       

       
7

       
+

       



     

       

       
8

       
+

       
foreground {


     

       

       
9

       
+

       
  if -n { test -f /etc/ssh/keys/ssh_host_rsa_key }


     

       

       
10

       
+

       
  ssh-keygen -t rsa -f /etc/ssh/keys/ssh_host_rsa_key -q -N ""


     

       

       
11

       
+

       
}


     

       

       
12

       
+

       



     

       

       
13

       
+

       
foreground {


     

       

       
14

       
+

       
  if -n { test -f /etc/ssh/keys/ssh_host_ecdsa_key }


     

       

       
15

       
+

       
  ssh-keygen -t rsa -f /etc/ssh/keys/ssh_host_ecdsa_key -q -N ""


     

       

       
16

       
+

       
}


     

       

       
17

       
+

       



     

       

       
18

       
+

       
foreground {


     

       

       
19

       
+

       
  if -n { test -f /etc/ssh/keys/ssh_host_ed25519_key }


     

       

       
20

       
+

       
  ssh-keygen -t rsa -f /etc/ssh/keys/ssh_host_ed25519_key -q -N ""


     

       

       
21

       
+

       
}
+9
docker/rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf 
···

       

       
1

       
+

       
HostKey /etc/ssh/keys/ssh_host_rsa_key


     

       

       
2

       
+

       
HostKey /etc/ssh/keys/ssh_host_ecdsa_key


     

       

       
3

       
+

       
HostKey /etc/ssh/keys/ssh_host_ed25519_key


     

       

       
4

       
+

       



     

       

       
5

       
+

       
PasswordAuthentication no


     

       

       
6

       
+

       



     

       

       
7

       
+

       
Match User git


     

       

       
8

       
+

       
  AuthorizedKeysCommand /usr/local/libexec/tangled-keyfetch -git-dir /home/git/repositories


     

       

       
9

       
+

       
  AuthorizedKeysCommandUser nobody