chore: update Dockerfile for homeserver build with entrypoint script#299
chore: update Dockerfile for homeserver build with entrypoint script#299francismars wants to merge 14 commits intopubky:mainfrom
Conversation
- Change default build target from testnet to homeserver. - Install additional runtime dependencies: wget, netcat, and su-exec. - Create a non-root user for homeserver. - Update port exposure to include HTTP, Pubky TLS, Admin, and Metrics. - Implement entrypoint script for handling configuration and user switching.
francismars
changed the title
SHAcollision
left a comment
SHAcollision
left a comment
There was a problem hiding this comment.
Hey @francismars great work! Nice to see the homeserver and the dashboard fully functional on Umbrel. 💪
I left some comments and some requests for changes.
entrypoint.sh
Outdated
| mkdir -p /data | ||
|
|
||
| # Generate config.toml if it doesn't exist | ||
| if [ ! -f /data/config.toml ]; then |
There was a problem hiding this comment.
Just a comment for further reference: copying an entrypoint.sh into the image that has a hardcoded configuration feels somewhat unorthodox. But it it works, it works, so let's keep it this way for now.
I guess the cleanest way would be to mount /data/config.toml (adding the default config.toml here) and implement into the homeserver the ability to read/interpolate the missing values form the env vars. Maybe let's explore this in the future. @SeverinAlexB what do you think?
entrypoint.sh
Outdated
| [general] | ||
| signup_mode = "token_required" | ||
| user_storage_quota_mb = 0 | ||
| database_url = "postgres://pubky:${POSTGRES_PASSWORD}@postgres:5432/pubky_homeserver" |
There was a problem hiding this comment.
Out of curiosity what is the value that Umbrel feeds here ${POSTGRES_PASSWORD} , is it secure?
There was a problem hiding this comment.
According to the Umbrel Apps documentation, APP_PASSWORD is described as:
"$APP_PASSWORD - Unique plain text password that can be used for authentication in your app, shown to the user in the Umbrel UI"
There was a problem hiding this comment.
Can you take a look, on your running Umbrel container's /data/config.toml to verify that this is a strong and randomly generated password?
There was a problem hiding this comment.
Verified: the admin password is a 64-character hexadecimal string.
entrypoint.sh
Outdated
| public_ip = "127.0.0.1" | ||
| icann_domain = "localhost" |
There was a problem hiding this comment.
This configuration will not result in a working homeserver for the user. This should be the real user IP address. Ideally, if the user wants the homeserver accessible from browsers, also would need an ICANN domain.
There was a problem hiding this comment.
The entrypoint now detects configuration values:
- Uses
PUBLIC_IPenvironment variable if set - Otherwise attempts to auto-detect local IP via
hostname -i - Falls back to
127.0.0.1with a warning if detection fails
For icann_domain:
- Uses
ICANN_DOMAINenvironment variable if set - Otherwise uses Umbrel's
DEVICE_DOMAIN_NAMEas a better default - Falls back to
localhostwith a warning if neither is available
There was a problem hiding this comment.
I guess the only way forward to make this useful for a final user is to create and link an installation guide telling the user how the homeserver needs to be configured: e.g. NAT transversal should be configured correctly (firewall and ports forwarding) and if you want to use the HS from a browser, an ICANN domain is needed currently.
There was a problem hiding this comment.
Added a section in the Umbrel deployment README covering external access and PKARR configuration
- Change default build target from homeserver to testnet. - Remove unnecessary runtime dependencies and user creation. - Update port exposure to only include the homeserver port. - Set the default command to run the homeserver binary.
- Introduced a multi-stage Dockerfile for building and running the Umbrel homeserver. - Added an entrypoint script to handle configuration generation and user permissions. - Configures necessary environment variables and ensures required directories and files are created at runtime.
- Introduced a comprehensive README file detailing the Umbrel-specific Docker configuration for the Pubky Homeserver. - Included sections on building the Docker image, required and optional environment variables, configuration details, exposed ports, and security considerations. - Clarified differences from the generic Dockerfile to enhance understanding for users deploying on Umbrel.
…yment - Modified the Dockerfile to copy the entrypoint script to a temporary location, fix line endings to ensure compatibility with Unix systems, and then move it to the final destination. - This change ensures the entrypoint script functions correctly regardless of the line endings in the source repository.
- Deleted the entrypoint.sh script as it is no longer needed for the Umbrel deployment. - This change simplifies the Docker configuration and reduces maintenance overhead.
SHAcollision
left a comment
SHAcollision
left a comment
There was a problem hiding this comment.
Nice, the changes look good to me!
We likely also want to add a new PR-check to verify we don't break this docker image. We could add one more step similar to this one for docker-umbrel-build
pubky-core/.github/workflows/pr-check.yml
Lines 266 to 271 in 0ec564d
…uctions - Added a section detailing the configuration for external access and PKARR, including environment variable setup and infrastructure requirements. - Provided clear steps for users to configure NAT traversal, firewall rules, and DNS settings for production deployments.
- Introduced a new job in the GitHub Actions workflow to build the Umbrel Docker image. - This job runs on the latest Ubuntu environment and utilizes a specific Dockerfile for the Umbrel deployment.
|
Added the docker-umbrel-build job to .github/workflows/pr-check.yml |
- Included a new section in the README for deploying on Umbrel OS. - Added a link to the Umbrel deployment guide, which contains a specialized Dockerfile and entrypoint script for automatic configuration.
|
Added a reference to the Umbrel deployment in the root README under the Docker section |
SHAcollision
left a comment
SHAcollision
left a comment
There was a problem hiding this comment.
LGTM! I'd like @SeverinAlexB and @SpontaneousOverthrow to also confirm this looks OK for them before merging (regarding keeping this repo tidy and regarding mantaining docker image registry for external users).
ok300
left a comment
ok300
left a comment
There was a problem hiding this comment.
Added some thoughts on a few edge-cases.
- Added ARG TARGETARCH to the Dockerfile to allow for building images for different architectures using Docker Buildx. - This change enhances compatibility for users deploying on various platforms.
…on management - Updated the Dockerfile to include gettext for environment variable substitution. - Added a config template to the Docker image for dynamic configuration generation. - Modified the entrypoint script to utilize envsubst for safely substituting environment variables into the config file, improving flexibility and preventing syntax errors.
|
ACK from a pubky-core structure POV. It's important to have CI fail in case something doesn't work as expected. This makes sure we recognize one of our changes will make Umbrel unusable. No opinion on implementation details. That's up to you guys. |
- Added concurrency settings to cancel outdated runs, optimizing CI minutes. - Implemented permissions for content and checks in the workflow. - Introduced validation steps to ensure required template files and placeholders exist before building the Docker image. - Added syntax validation for the entrypoint script to catch errors early in the CI process. - Updated the Docker build step to tag the image appropriately and verify required files are included in the final image.
|
Thank you @SeverinAlexB! Added CI checks for Umbrel deployment (template validation, entrypoint syntax, Docker build, file verification). Also improved CI efficiency with concurrency control, explicit permissions, and build timeouts |
- Added support for reading the domain from a Cloudflare configuration file, allowing for dynamic domain assignment. - Updated logic to prioritize Cloudflare domain over environment variables for ICANN_DOMAIN detection. - Improved warnings for default values that may not work for external access, emphasizing Cloudflare usage. - Ensured the config file is updated with Cloudflare settings if already present, enhancing configuration management.
4 participants
Summary
Updates the Dockerfile for homeserver builds and adds an entrypoint script for configuration management and security.
Changes
Dockerfile Updates
BUILD_TARGETfromtestnettohomeserverwget,netcat-openbsd, andsu-execfor healthchecks and user switchinghomeserver(UID/GID 1000) to match Umbrel's default6286- HTTP (ICANN)6287- Pubky TLS6288- Admin6289- Metrics/usr/local/binto/datafor persistent data storageNew Entrypoint Script (
entrypoint.sh)config.tomlwith sensible defaults if it doesn't existsu-execto run the homeserver as thehomeserveruser--data-dir /dataflagBenefits
Testing