Multiple misc changes

- Patch out hba changing at start for postgres - Add redis - Use host networking for development purposes - Fix logging for rspamd and dovecot - Make sasl socket inet - Use WORKDIR for nsd - Remove postgres pass entries
2023-08-03 15:05:15 +00:00 · 2023-08-03 15:05:15 +00:00 · bfae593b4d
parent d60bd7fb98
commit bfae593b4d
24 changed files with 280 additions and 43 deletions
--- a/config.mk
+++ b/config.mk
@ -24,11 +24,15 @@ daemons/nsd/${BUILD_ID_OUT}: daemons/nsd/% : \
 	data/dns/%

 daemons/postgres/${BUILD_ID_OUT}: daemons/postgres/% : \
+	daemons/postgres/disable-hba-patcher.patch \
 	daemons/postgres/pg_hba.conf \
 	daemons/postgres/postgresql.conf \
 	data/ca/% \
 	data/postgres-cert/%

+daemons/redis/${BUILD_ID_OUT}: daemons/redis/% : \
+	daemons/redis/redis.conf
+
 daemons/murmurd/${BUILD_ID_OUT}: daemons/murmurd/% : \
 	daemons/murmurd/murmur.ini \
 	daemons/murmurd/secrets/mregpass \
--- a/creators/dovecot.sh
+++ b/creators/dovecot.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+
+. "$(dirname $0)"/common.sh
+
+podman container create \
+	--pod host \
+	--pull missing \
+	--image-volume tmpfs \
+	--mount type=volume,src=dovecot-data,dst=/var/mail/ \
+	oci-archive:daemons/dovecot/oci-archive.tar:redxen.eu/daemons/dovecot:latest
--- a/creators/host-net-pod.sh
+++ b/creators/host-net-pod.sh
@ -0,0 +1,8 @@
+#!/bin/sh
+
+. "$(dirname $0)"/common.sh
+
+podman pod create \
+	--userns=auto \
+	--network=host \
+	host
--- a/creators/macvlan-pod.sh
+++ b/creators/macvlan-pod.sh
@ -0,0 +1,23 @@
+#!/bin/sh
+
+. "$(dirname $0)"/common.sh
+
+podman network create \
+	--ipv6 \
+	-d macvlan \
+	--ipam-driver host-local \
+	--subnet 172.20.254.192/30 \
+	macvlan-br
+
+podman pod create \
+	--userns=auto \
+	--dns='2606:4700:4700::1111' \
+	--dns='2606:4700:4700::1001' \
+	--dns='2001:4860:4860::8888' \
+	--dns='2001:4860:4860::8844' \
+	--dns='1.1.1.1' \
+	--dns='1.0.0.1' \
+	--dns='8.8.8.8' \
+	--dns='8.8.4.4' \
+	--network=macvlan-br \
+	macvlan
--- a/creators/nsd.sh
+++ b/creators/nsd.sh
@ -3,8 +3,8 @@
 . "$(dirname $0)"/common.sh

 podman container create \
-	--pod default \
+	--pod macvlan \
 	--pull missing \
 	--image-volume tmpfs \
-	--volume nsd-data:/var/lib/nsd:rw,nodev,noexec,nosuid \
+	--mount type=volume,src=nsd-data,dst=/var/lib/nsd/ \
 	oci-archive:daemons/nsd/oci-archive.tar:redxen.eu/daemons/nsd:latest
--- a/creators/opendkim.sh
+++ b/creators/opendkim.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+. "$(dirname $0)"/common.sh
+
+podman container create \
+	--pod host \
+	--pull missing \
+	--image-volume tmpfs \
+	oci-archive:daemons/opendkim/oci-archive.tar:redxen.eu/daemons/opendkim:latest
--- a/creators/pod.sh
+++ b/creators/pod.sh
@ -1,21 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman pod create \
-	--userns=auto \
-	--network=host \
-	default
-
-#podman pod create \
-#	--userns=auto \
-#	--dns='2606:4700:4700::1111' \
-#	--dns='2606:4700:4700::1001' \
-#	--dns='2001:4860:4860::8888' \
-#	--dns='2001:4860:4860::8844' \
-#	--dns='1.1.1.1' \
-#	--dns='1.0.0.1' \
-#	--dns='8.8.8.8' \
-#	--dns='8.8.4.4' \
-#	--network=standard:mac="$(randmac)" \
-#	default
--- a/creators/postfix.sh
+++ b/creators/postfix.sh
@ -3,8 +3,8 @@
 . "$(dirname $0)"/common.sh

 podman container create \
-	--pod default \
+	--pod host \
 	--pull missing \
 	--image-volume tmpfs \
-	--volume postfix-data:/var/lib/postfix:rw,nodev,noexec,nosuid \
+	--mount type=volume,src=postfix-data,dst=/var/lib/postfix/ \
 	oci-archive:daemons/postfix/oci-archive.tar:redxen.eu/daemons/postfix:latest
--- a/creators/postgres.sh
+++ b/creators/postgres.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+
+. "$(dirname $0)"/common.sh
+
+podman container create \
+	--pod host \
+	--pull missing \
+	--image-volume tmpfs \
+	--mount type=volume,src=postgres-data,dst=/var/lib/postgres/ \
+	oci-archive:daemons/postgres/oci-archive.tar:redxen.eu/daemons/postgres:latest
--- a/creators/redis.sh
+++ b/creators/redis.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+
+. "$(dirname $0)"/common.sh
+
+podman container create \
+	--pod host \
+	--pull missing \
+	--image-volume tmpfs \
+	--mount type=volume,src=redis-data,dst=/var/lib/redis/ \
+	oci-archive:daemons/redis/oci-archive.tar:redxen.eu/daemons/redis:latest
--- a/creators/rspamd.sh
+++ b/creators/rspamd.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+. "$(dirname $0)"/common.sh
+
+podman container create \
+	--pod host \
+	--pull missing \
+	--image-volume tmpfs \
+	oci-archive:daemons/rspamd/oci-archive.tar:redxen.eu/daemons/rspamd:latest
--- a/daemons/dovecot/Containerfile
+++ b/daemons/dovecot/Containerfile
@ -26,4 +26,4 @@ ADD dovecot.conf dovecot.conf
 # Check configuration
 RUN doveconf -c dovecot.conf -x

-CMD dovecot -c dovecot.conf
+CMD dovecot -F -c dovecot.conf
--- a/daemons/dovecot/dovecot.conf
+++ b/daemons/dovecot/dovecot.conf
@ -29,6 +29,9 @@ last_valid_gid = 12
 lda_mailbox_autocreate = yes
 imap_capability = +SPECIAL-USE

+# Log to container stderr
+log_path = /dev/stderr
+
 # PostgreSQL UserDB
 userdb {
 	driver = sql
@ -69,11 +72,14 @@ protocol lmtp {
 }

 service auth {
-	unix_listener auth {
-		mode = 0660
-		user = dovecot
-		group = mail
+	inet_listener lmtp {
+		port = 11666
 	}
+#	unix_listener auth {
+#		mode = 0660
+#		user = dovecot
+#		group = mail
+#	}
 	user = root
 }

--- a/daemons/dovecot/pgsql.conf
+++ b/daemons/dovecot/pgsql.conf
@ -1,4 +1,4 @@
-connect = host=postgresql.routinginfo.internal port=7550 dbname=mail user=dovecot
+connect = host=localhost port=5432 dbname=mail user=dovecot
 driver = pgsql
 default_pass_scheme = ARGON2I
 user_query = SELECT '8' AS uid, '12' AS gid FROM users WHERE userid = '%u' AND active = '1'
--- a/daemons/nsd/Containerfile
+++ b/daemons/nsd/Containerfile
@ -1,12 +1,12 @@
 FROM alpine:latest
-ARG CONFIG=/etc/redxen/nsd/nsd.conf

 RUN --network=host apk add nsd

-ADD nsd.conf $CONFIG
+WORKDIR /etc/redxen/nsd/
+
+ADD nsd.conf nsd.conf
 COPY --from=redxen.eu/data/dns:latest /dns-zones/redxen.eu /etc/redxen/bindzone/redxen.eu

-RUN nsd-checkconf $CONFIG
+RUN nsd-checkconf nsd.conf

-ENV CONFIG $CONFIG
-CMD nsd -d -c $CONFIG
+CMD nsd -d -c nsd.conf
--- a/daemons/postfix/main.cf
+++ b/daemons/postfix/main.cf
@ -67,7 +67,7 @@ smtpd_helo_restrictions      = reject_invalid_helo_hostname
 # Dovecot auth
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_type = dovecot
-smtpd_sasl_path = /run/dovecot/auth
+smtpd_sasl_path = inet:localhost:11666
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_local_domain = $myorigin

--- a/daemons/postfix/pgsql-aliases.cf
+++ b/daemons/postfix/pgsql-aliases.cf
@ -1,6 +1,5 @@
 hosts = localhost:5432
 dbname = mail
 user = postfix
-password = POSTGRESQL_PASSWORD
 query = SELECT target FROM aliases WHERE alias = '%u' AND active = '1'
 domain = redxen.eu
--- a/daemons/postfix/pgsql-users.cf
+++ b/daemons/postfix/pgsql-users.cf
@ -1,6 +1,5 @@
 hosts = localhost:5432
 dbname = mail
 user = postfix
-password = POSTGRESQL_PASSWORD
 query = SELECT userid FROM users WHERE userid = '%u' AND active = '1'
 domain = redxen.eu
--- a/daemons/postgres/Containerfile
+++ b/daemons/postgres/Containerfile
@ -1,5 +1,10 @@
 FROM postgres:alpine

+# FUCK YOU I PROVIDE MY OWN HBA EAT FUCKING SHIT
+RUN apk add patch
+ADD disable-hba-patcher.patch /tmp/disable-hba-patcher.patch
+RUN patch -p0 /usr/local/bin/docker-entrypoint.sh /tmp/disable-hba-patcher.patch
+
 ADD postgresql.conf /etc/postgresql/postgresql.conf
 ADD pg_hba.conf /etc/postgresql/pg_hba.conf

--- a/daemons/postgres/disable-hba-patcher.patch
+++ b/daemons/postgres/disable-hba-patcher.patch
@ -0,0 +1,69 @@
+@@ -98,59 +98,6 @@
+ 	fi
+ }
+ 
+-# print large warning if POSTGRES_PASSWORD is long
+-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+-docker_verify_minimum_env() {
+-	# check password first so we can output the warning before postgres
+-	# messes it up
+-	if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+-		cat >&2 <<-'EOWARN'
+-
+-			WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+-
+-			  This will not work if used via PGPASSWORD with "psql".
+-
+-			  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+-			  https://github.com/docker-library/postgres/issues/507
+-
+-		EOWARN
+-	fi
+-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+-		# The - option suppresses leading tabs but *not* spaces. :)
+-		cat >&2 <<-'EOE'
+-			Error: Database is uninitialized and superuser password is not specified.
+-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
+-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+-
+-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+-			       connections without a password. This is *not* recommended.
+-
+-			       See PostgreSQL documentation about "trust":
+-			       https://www.postgresql.org/docs/current/auth-trust.html
+-		EOE
+-		exit 1
+-	fi
+-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+-		cat >&2 <<-'EOWARN'
+-			********************************************************************************
+-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+-			         anyone with access to the Postgres port to access your database without
+-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+-			         documentation about "trust":
+-			         https://www.postgresql.org/docs/current/auth-trust.html
+-			         In Docker's default configuration, this is effectively any other
+-			         container on the same system.
+-
+-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+-			         "docker run".
+-			********************************************************************************
+-		EOWARN
+-	fi
+-}
+-
+ # usage: docker_process_init_files [file [file [...]]]
+ #    ie: docker_process_init_files /always-initdb.d/*
+ # process initializer files, based on file extensions and permissions
+@@ -310,8 +257,6 @@
+ 
+ 		# only run initialization on an empty data directory
+ 		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+-			docker_verify_minimum_env
+-
+ 			# check dir permissions to reduce likelihood of half-initialized database
+ 			ls /docker-entrypoint-initdb.d/ > /dev/null
+ 
--- a/daemons/redis/Containerfile
+++ b/daemons/redis/Containerfile
@ -0,0 +1,7 @@
+FROM redis:alpine
+
+WORKDIR /etc/redxen/redis/
+
+ADD redis.conf redis.conf
+
+CMD redis-server redis.conf --daemonize no
--- a/daemons/redis/redis.conf
+++ b/daemons/redis/redis.conf
@ -0,0 +1,91 @@
+bind 0.0.0.0 ::0
+protected-mode no
+port 6379
+tcp-backlog 511
+timeout 0
+tcp-keepalive 300
+
+#tls-port 6379
+#tls-cert-file /etc/redxen/selfsigned/public.pem
+#tls-key-file /etc/redxen/selfsigned/private.key
+#tls-ca-cert-dir /etc/ssl/certs
+#tls-auth-clients optional
+#tls-protocols "TLSv1.2 TLSv1.3"
+
+supervised no
+
+loglevel notice
+#syslog-enabled yes
+#syslog-ident redis
+#syslog-facility local0
+
+databases 16
+always-show-logo no
+
+save 900 1
+save 300 10
+save 60 10000
+
+stop-writes-on-bgsave-error yes
+rdbcompression yes
+rdbchecksum yes
+dbfilename dump.rdb
+rdb-del-sync-files no
+dir /var/lib/redis
+
+replica-serve-stale-data yes
+replica-read-only yes
+repl-diskless-sync no
+repl-diskless-sync-delay 5
+repl-diskless-load disabled
+repl-disable-tcp-nodelay no
+replica-priority 100
+
+acllog-max-len 128
+
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+replica-lazy-flush no
+lazyfree-lazy-user-del no
+
+oom-score-adj no
+oom-score-adj-values 0 200 800
+
+appendonly no
+appendfilename "appendonly.aof"
+appendfsync everysec
+# appendfsync no
+no-appendfsync-on-rewrite no
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
+aof-load-truncated yes
+aof-use-rdb-preamble yes
+lua-time-limit 5000
+
+slowlog-log-slower-than 10000
+slowlog-max-len 128
+latency-monitor-threshold 0
+
+notify-keyspace-events ""
+hash-max-ziplist-entries 512
+hash-max-ziplist-value 64
+list-max-ziplist-size -2
+list-compress-depth 0
+set-max-intset-entries 512
+zset-max-ziplist-entries 128
+zset-max-ziplist-value 64
+hll-sparse-max-bytes 3000
+stream-node-max-bytes 4096
+stream-node-max-entries 100
+activerehashing yes
+
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit replica 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+
+hz 10
+dynamic-hz yes
+aof-rewrite-incremental-fsync yes
+rdb-save-incremental-fsync yes
+jemalloc-bg-thread yes
--- a/daemons/rspamd/config/logging.conf
+++ b/daemons/rspamd/config/logging.conf
@ -1,7 +1,6 @@
 logging {
-	type = "syslog";
-	facility = "mail";
-	level = "info";
+	type = "console";
+	level = "debug";
 	color = false;
 	log_usec = false;
 	debug_modules = []
--- a/daemons/rspamd/config/rspamd.conf
+++ b/daemons/rspamd/config/rspamd.conf
@ -45,7 +45,7 @@ options {
 	words_decay = 600;

 	# Local networks
-	local_addrs = [127.0.0.0/8, 10.0.0.0/8];
+	local_addrs = [127.0.0.0/8];
 	hs_cache_dir = "${DBDIR}/";

 	# Timeout for messages processing (must be larger than any internal timeout used)