Misc unpriviledged fixes

redxen.eu/daemons/gitea/base/Containerfile

@@ -1,9 +1,9 @@
 FROM gitea/gitea:latest-rootless
 
 # Image is based on go-alpine, apk is available
-COPY --chown=1000:1000 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /usr/share/redxen/postgresql/ca.crt
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /usr/share/redxen/postgresql/ca.crt
-COPY --chown=1000:1000 --from=redxen.eu/data/pki/self/client/gitea:latest /redxen.eu/certs/gitea.crt /usr/share/redxen/postgresql/gitea.crt
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/gitea:latest /redxen.eu/certs/gitea.crt /usr/share/redxen/postgresql/gitea.crt
-COPY --chown=1000:1000 --from=redxen.eu/data/pki/self/client/gitea:latest /redxen.eu/keys/gitea.key /usr/share/redxen/postgresql/gitea.key
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/gitea:latest /redxen.eu/keys/gitea.key /usr/share/redxen/postgresql/gitea.key
 
 WORKDIR /etc/gitea
 
@@ -12,12 +12,14 @@ ENV GITEA_WORK_DIR=/var/lib/gitea
 ENV GITEA_APP_INI=/etc/gitea/app.ini
 
 ADD config.ini app.ini
-COPY --chown=1000:1000 --from=redxen.eu/data/secrets/gitea:latest /secret_key secret_key
+COPY --from=redxen.eu/data/secrets/gitea:latest /secret_key secret_key
-COPY --chown=1000:1000 --from=redxen.eu/data/secrets/gitea:latest /internal_token internal_token
+COPY --from=redxen.eu/data/secrets/gitea:latest /internal_token internal_token
-COPY --chown=1000:1000 --from=redxen.eu/data/secrets/gitea:latest /jwt_secret jwt_secret
+COPY --from=redxen.eu/data/secrets/gitea:latest /jwt_secret jwt_secret
-COPY --chown=1000:1000 --from=redxen.eu/data/secrets/gitea:latest /mailer_password mailer_passwd
+COPY --from=redxen.eu/data/secrets/gitea:latest /mailer_password mailer_passwd
+USER root
+RUN chown -Rv 10000:10000 ./
 
 WORKDIR /var/lib/gitea
-
+USER 10000:10000
 ENTRYPOINT [""]
 CMD ["gitea", "-c", "/etc/gitea/app.ini", "web"]

redxen.eu/daemons/grafana/Containerfile

@@ -1,12 +1,15 @@
 FROM grafana/grafana:latest
 
 # See GF_PATHS_HOME from the dockerfile where the unprivildged user is created
-COPY --chown=472:0 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /usr/share/redxen/postgresql/root.crt
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /usr/share/redxen/postgresql/root.crt
-COPY --chown=472:0 --from=redxen.eu/data/pki/self/client/grafana:latest /redxen.eu/certs/grafana.crt /usr/share/redxen/postgresql/postgresql.crt
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/grafana:latest /redxen.eu/certs/grafana.crt /usr/share/redxen/postgresql/postgresql.crt
-COPY --chown=472:0 --from=redxen.eu/data/pki/self/client/grafana:latest /redxen.eu/keys/grafana.key /usr/share/redxen/postgresql/postgresql.key
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/grafana:latest /redxen.eu/keys/grafana.key /usr/share/redxen/postgresql/postgresql.key
 
 WORKDIR /etc/redxen/grafana/
 
 ENV GF_PATHS_CONFIG=/etc/redxen/grafana/config.ini
 
 ADD config.ini config.ini
+USER root
+RUN chown -Rv 10000:10000 ./
+USER 10000:10000

redxen.eu/daemons/murmurd/Containerfile

@@ -4,13 +4,19 @@ RUN --network=host apk add \
 	murmur \
 	qt5-qtbase-postgresql
 
-COPY --from=redxen.eu/data/pki/letsencrypt:latest /ca.cer /etc/redxen/mumble-cert/ca.crt
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/letsencrypt:latest /ca.cer /etc/redxen/mumble-cert/ca.crt
-COPY --from=redxen.eu/data/pki/letsencrypt:latest /cert.cer /etc/redxen/mumble-cert/mumble.crt
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/letsencrypt:latest /cert.cer /etc/redxen/mumble-cert/mumble.crt
-COPY --from=redxen.eu/data/pki/letsencrypt:latest /cert.key /etc/redxen/mumble-cert/mumble.key
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/letsencrypt:latest /cert.key /etc/redxen/mumble-cert/mumble.key
 
-COPY --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /root/.postgresql/root.crt
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /etc/redxen/postgresql/root.crt
-COPY --from=redxen.eu/data/pki/self/client/murmur:latest /redxen.eu/certs/murmur.crt /root/.postgresql/postgresql.crt
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/murmur:latest /redxen.eu/certs/murmur.crt /etc/redxen/postgresql/postgresql.crt
-COPY --from=redxen.eu/data/pki/self/client/murmur:latest /redxen.eu/keys/murmur.key /root/.postgresql/postgresql.key
+COPY --chown=10000:10000 --from=redxen.eu/data/pki/self/client/murmur:latest /redxen.eu/keys/murmur.key /etc/redxen/postgresql/postgresql.key
+
+ENV \
+	PGSSLCERT=/etc/redxen/postgresql/postgresql.crt \
+	PGSSLKEY=/etc/redxen/postgresql/postgresql.key \
+	PGSSLROOTCERT=/etc/redxen/postgresql/root.crt \
+	PGSSLMODE=verify-ca
 
 WORKDIR /etc/redxen/murmur
 
@@ -18,5 +24,7 @@ ADD murmur.ini murmur.ini
 RUN \
 	--mount=type=bind,from=redxen.eu/data/secrets/murmurd:latest,src=/,dst=/run/secrets \
 	echo "registerPassword=$(cat /run/secrets/register_password)" >> murmur.ini
+RUN chown -Rv 10000:10000 ./
 
+USER 10000:10000
 CMD ["murmurd", "-fg", "-ini", "murmur.ini"]

redxen.eu/daemons/nginx/base/Containerfile

@@ -8,12 +8,18 @@ RUN --network=host apk add \
 
 WORKDIR /etc/redxen/nginx
 
+USER root
 RUN mkdir -p module/
 
 ADD nginx.conf ./nginx.conf
 ADD start.sh ./start.sh
 RUN chmod +x ./start.sh
 
+RUN mkdir -pv /run/nginx /var/lib/nginx
+RUN chown -Rc 10000:10000 ./ /run/nginx /var/lib/nginx
+
+# Test as root, nginx does too much bullshit beyond validation
 RUN ./start.sh -t
 
+USER 10000:10000
 CMD ["./start.sh"]

redxen.eu/daemons/nginx/base/nginx.conf

@@ -1,4 +1,4 @@
-error_log stderr;
+error_log /proc/self/fd/2;
 
 worker_processes auto;
 worker_cpu_affinity auto;
@@ -11,13 +11,15 @@ load_module "/usr/lib/nginx/modules/ngx_http_dav_ext_module.so";
 events {}
 
 http {
-	access_log                                stdout;
+	access_log                                /proc/self/fd/1;
 	gzip                                      on;
 	gzip_vary                                 on;
 	tcp_nopush                                on;
 	tcp_nodelay                               on;
 	absolute_redirect                         off;
 	keepalive_timeout                         300;
+	client_max_body_size                      0;
+	directio                                  4m;
 	include                                   /etc/nginx/mime.types;
 	default_type                              application/octet-stream;
 	include                                   module/*.conf;

redxen.eu/daemons/nginx/base/start.sh

@@ -2,6 +2,7 @@
 
 exec nginx \
 	-p /etc/redxen/nginx \
-	-g 'daemon off; error_log stderr info;' \
+	-e stderr \
+	-g 'daemon off;' \
 	-c nginx.conf \
 	$@

redxen.eu/daemons/nginx/homepage/Containerfile

@@ -4,4 +4,8 @@ ADD homepage.conf module/homepage.conf
 
 COPY --from=redxen.eu/data/homepage/combined:latest / /homepage
 
+USER root
+# Test as root, nginx does too much bullshit beyond validation
 RUN ./start.sh -t
+
+USER 10000:10000

redxen.eu/daemons/postgres/Containerfile

@@ -19,22 +19,20 @@ RUN ./postgres-seeder \
 
 FROM postgres:alpine
 
-# FUCK YOU I PROVIDE MY OWN HBA EAT FUCKING SHIT
-RUN --network=host apk add \
-	patch
-ADD disable-hba-patcher.patch /tmp/disable-hba-patcher.patch
-RUN patch -p0 /usr/local/bin/docker-entrypoint.sh /tmp/disable-hba-patcher.patch
-
 # Certificates
 COPY --from=redxen.eu/data/pki/self/ca:latest /redxen.eu/certs/ca.crt /etc/redxen/postgres-cert/redxen.eu/certs/ca.crt
 COPY --from=redxen.eu/data/pki/self/client/postgres:latest /redxen.eu/certs/postgres.crt /etc/redxen/postgres-cert/redxen.eu/certs/postgres.crt
 COPY --from=redxen.eu/data/pki/self/client/postgres:latest /redxen.eu/keys/postgres.key /etc/redxen/postgres-cert/redxen.eu/keys/postgres.key
 RUN chown -Rv postgres:postgres /etc/redxen/postgres-cert/
 
+# Customized init script
+ADD init.sh /usr/libexec/init.sh
+RUN chmod +x /usr/libexec/init.sh
+
 ADD postgresql.conf /etc/postgresql/postgresql.conf
 COPY --from=init /root/pg_hba.conf /etc/postgresql/pg_hba.conf
 COPY --from=init /root/init.sql /docker-entrypoint-initdb.d/init.sql
 ADD databases/mail.sql /docker-entrypoint-initdb.d/mail.sql
 
-# TODO: https://hub.docker.com/_/postgres > Initialisation scripts (Database)
+ENTRYPOINT [""]
 CMD ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]

redxen.eu/daemons/postgres/disable-hba-patcher.patch

@@ -1,9 +0,0 @@
-@@ -310,8 +257,6 @@
- 
- 		# only run initialization on an empty data directory
- 		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
--			docker_verify_minimum_env
--
- 			# check dir permissions to reduce likelihood of half-initialized database
- 			ls /docker-entrypoint-initdb.d/ > /dev/null
- 

redxen.eu/daemons/postgres/init.sh

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+docker_process_init_files() {
+	printf '\n'
+	local f
+	for f; do
+		case "$f" in
+			*.sh)
+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+				# https://github.com/docker-library/postgres/pull/452
+				if [ -x "$f" ]; then
+					printf '%s: running %s\n' "$0" "$f"
+					"$f"
+				else
+					printf '%s: sourcing %s\n' "$0" "$f"
+					. "$f"
+				fi
+				;;
+			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
+		esac
+		printf '\n'
+	done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+#    ie: docker_process_sql -f my-file.sql
+#    ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+	PGHOST= \
+	PGHOSTADDR= \
+	PGUSER="${POSTGRES_USER}" \
+	psql \
+		-v ON_ERROR_STOP=1 \
+		--username "$POSTGRES_USER" \
+		--no-password \
+		--no-psqlrc \
+		$@
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+	: ${PGDATA:=/var/lib/postgresql/data}
+	: ${POSTGRES_USER:=postgres}
+	if [ -s "$PGDATA/PG_VERSION" ]; then
+		DATABASE_ALREADY_EXISTS='true'
+	fi
+}
+
+docker_initdb() {
+	NOTIFY_SOCKET= \
+	PGUSER="${POSTGRES_USER}" \
+	pg_ctl -D "$PGDATA" \
+		-w initdb
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+	# internal start of server in order to allow setup using psql client
+	# does not listen on external TCP/IP and waits until start finishes
+	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+	# any process supervisor.
+	NOTIFY_SOCKET= \
+	PGUSER="${POSTGRES_USER}" \
+	pg_ctl -D "$PGDATA" \
+		-o "$(printf '%q ' "$@")" \
+		-w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+	PGUSER="${POSTGRES_USER}" \
+	pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+_main() {
+	docker_setup_env
+
+	if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+		docker_initdb
+		docker_temp_server_start "$@"
+		docker_process_init_files /docker-entrypoint-initdb.d/*
+		docker_temp_server_stop
+		cat <<-'EOM'
+			PostgreSQL init process complete; ready for start up.
+		EOM
+	else
+		cat <<-'EOM'
+			PostgreSQL Database directory appears to contain a database; Skipping initialization
+		EOM
+	fi
+}
+
+_main "$@"