first commit

This commit is contained in:
franv 2020-08-13 13:48:20 -07:00
commit 4c39fb2a10
16 changed files with 3507 additions and 0 deletions

66
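--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,66 @@
+# Changelog
+## [v2.7.1-3] - 2020-04-27
+### Changed
+- Rebuild container images with new Alpine 3.11.6 release
+## [v2.7.1-2] - 2020-04-21
+### Changed
+- Rebuild nginx image with new Alpine 'openssl' package
+- Was: 'OpenSSL 1.1.1d 10 Sep 2019'
+- Now: 'OpenSSL 1.1.1g 21 Apr 2020 (Library: OpenSSL 1.1.1d 10 Sep 2019)'
+## [v2.7.1-1] - 2020-04-18
+### Added
+- Upgrade to grocy release v2.7.1
+## [v2.7.0-1] - 2020-04-17
+### Added
+- Upgrade to grocy release v2.7.0
+## [v2.6.2-4] - 2020-04-07
+### Removed
+- Shared 'www-static' volume
+## [v2.6.2-3] - 2020-04-06
+### Changed
+- Introduced a handful of Docker Hub image best-practices
+## [v2.6.2-2] - 2020-04-04
+### Changed
+- Pull in upstream grocy v2.6.2 fix
+## [v2.6.2-1] - 2020-04-04
+### Changed
+- Ensure that the application is bound to 127.0.0.1 by default
+## [v2.6.2] - 2020-04-03
+### Added
+- Upgrade to grocy release v2.6.2
+- Support for GitHub API tokens at build-time
+- Log volumes added for grocy and nginx
+- Optional support for OCI image builds
+### Changed
+- Breaking change: Image names are now: grocy/nginx, grocy/grocy
+- Breaking change: Application database volume contents and name updated
+- Image filesystems are read-only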

85
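--- a/Dockerfile-grocy
+++ b/Dockerfile-grocy
@@ -0,0 +1,85 @@
+FROM alpine:3.11.6
+LABEL maintainer "Talmai Oliveira <to@talm.ai>, James Addison <jay@jp-hosting.net>"
+ARG GROCY_VERSION
+# Optionally authenticate with GitHub using an API token
+#
+# This can reduce instances of download rate limiting by GitHub
+# https://developer.github.com/v3/#rate-limiting
+#
+# This value is *not* assigned to a variable using the ENV instruction,
+# since those variables are persisted in the resulting image and could leak
+# developer credentials
+# https://docs.docker.com/engine/reference/builder/#env
+ARG GITHUB_API_TOKEN
+# ensure www-data user exists
+RUN set -eux; \
+addgroup -g 82 -S www-data; \
+adduser -u 82 -D -S -G www-data www-data
+# 82 is the standard uid/gid for "www-data" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/apache2/apache2.pre-install?h=3.9-stable
+# https://git.alpinelinux.org/aports/tree/main/lighttpd/lighttpd.pre-install?h=3.9-stable
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.pre-install?h=3.9-stable
+# Install build-time dependencies
+RUN apk add --no-cache \
+composer \
+git \
+gnupg \
+wget
+# Install system dependencies
+RUN apk add --no-cache \
+php7-fpm \
+php7-fileinfo \
+php7-iconv \
+php7-json \
+php7-gd \
+php7-pdo_sqlite \
+php7-simplexml \
+php7-tokenizer
+# Configure directory permissions
+RUN chown www-data /var/log/php7 && \
+mkdir /var/www && \
+chown www-data /var/www
+COPY docker_grocy/www.conf /etc/php7/php-fpm.d/zz-docker.conf
+# Install application dependencies (unprivileged)
+USER www-data
+WORKDIR /var/www
+# Extract application release package
+ENV GROCY_RELEASE_KEY_URI="https://berrnd.de/data/Bernd_Bestel.asc"
+RUN set -o pipefail && \
+export GNUPGHOME=$(mktemp -d) && \
+wget ${GROCY_RELEASE_KEY_URI} -O - | gpg --batch --import && \
+git clone --branch ${GROCY_VERSION} --config advice.detachedHead=false --depth 1 "https://github.com/grocy/grocy.git" . && \
+git verify-commit ${GROCY_VERSION} && \
+rm -rf ${GNUPGHOME} && \
+mkdir data/viewcache && \
+cp config-dist.php data/config.php
+# Install application dependencies
+RUN COMPOSER_OAUTH=${GITHUB_API_TOKEN:+"\"github.com\": \"${GITHUB_API_TOKEN}\""} && \
+COMPOSER_AUTH="{\"github-oauth\": { ${COMPOSER_OAUTH} }}" composer install --no-interaction --no-dev --optimize-autoloader && \
+composer clear-cache
+# Remove build-time dependencies (privileged)
+USER root
+RUN apk del \
+composer \
+git \
+gnupg \
+wget
+VOLUME ["/var/www/data"]
+EXPOSE 9000
+USER www-data
+CMD ["php-fpm7"]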
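Review bot: The header comment claims that using ARG rather than ENV keeps the token out of the image, but a build-arg consumed by a RUN instruction (the `composer install` step) is recorded in that layer's metadata and is printed by `docker history`, so GITHUB_API_TOKEN can still leak from a published image. Either pass it as a BuildKit secret (`RUN --mount=type=secret,id=github_token ...` and read it from /run/secrets inside the step) or at least reword the comment to say the value remains visible in the build history. The release key is fetched from berrnd.de and imported without any fingerprint check, so `git verify-commit` only proves the commit was signed by whatever key that URL served at build time; pin the expected fingerprint after the import, e.g. `gpg --batch --import && gpg --with-colons --fingerprint | grep -q '<expected fingerprint>'`. Note also that `apk del` in a later layer does not remove git/gnupg/composer/wget from the earlier layers, so a multi-stage build would be needed to actually drop them from the shipped image.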

72
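--- a/Dockerfile-grocy-nginx
+++ b/Dockerfile-grocy-nginx
@@ -0,0 +1,72 @@
+FROM alpine:3.11.6
+LABEL maintainer "Talmai Oliveira <to@talm.ai>, James Addison <jay@jp-hosting.net>"
+ARG GROCY_VERSION
+# Install build-time dependencies
+RUN apk add --no-cache \
+openssl \
+git \
+gnupg \
+wget \
+yarn
+# Install system dependencies
+RUN apk add --no-cache \
+nginx
+# Generate TLS certificates
+RUN openssl req \
+-x509 \
+-newkey rsa:2048 \
+-keyout /etc/ssl/private/grocy-nginx.key \
+-out /etc/ssl/private/grocy-nginx.crt \
+-days 365 \
+-nodes \
+-subj /CN=localhost && \
+chown nginx /etc/ssl/private/grocy-nginx.key && \
+chown nginx /etc/ssl/private/grocy-nginx.crt
+# Configure directory permissions
+RUN chown -R nginx /var/log/nginx && \
+rm -rf /var/www/localhost && \
+chown nginx /var/www
+COPY docker_nginx/nginx.conf /etc/nginx/nginx.conf
+COPY docker_nginx/common.conf /etc/nginx/common.conf
+COPY docker_nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
+COPY docker_nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf
+# Install application dependencies (unprivileged)
+USER nginx
+WORKDIR /var/www
+# Extract application release package
+ENV GROCY_RELEASE_KEY_URI="https://berrnd.de/data/Bernd_Bestel.asc"
+RUN set -o pipefail && \
+export GNUPGHOME=$(mktemp -d) && \
+wget ${GROCY_RELEASE_KEY_URI} -O - | gpg --batch --import && \
+git clone --branch ${GROCY_VERSION} --config advice.detachedHead=false --depth 1 "https://github.com/grocy/grocy.git" . && \
+git verify-commit ${GROCY_VERSION} && \
+rm -rf ${GNUPGHOME}
+# Install application dependencies
+RUN yarn install --modules-folder /var/www/public/node_modules --production && \
+yarn cache clean
+# Remove build-time dependencies (privileged)
+USER root
+RUN apk del \
+openssl \
+git \
+gnupg \
+wget \
+yarn
+VOLUME ["/var/log/nginx"]
+EXPOSE 8080 8443
+USER nginx
+CMD ["nginx", "-g", "daemon off;"]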
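Review bot: The TLS private key created by the `openssl req` step is baked into an image layer, so every consumer of the published grocy/nginx image shares the same key and anyone who pulls the image can read /etc/ssl/private/grocy-nginx.key; the 8443 listener therefore encrypts traffic but offers no meaningful server authentication. Generate the key pair at container start instead (an entrypoint that creates it under a tmpfs or volume when absent) or document that operators are expected to mount their own certificate and key over these two paths. The certificate is also issued with `-days 365`, so any image older than a year starts serving an expired certificate regardless of rebuilds. The `wget ... | gpg --batch --import` line has the same unpinned-key weakness as in Dockerfile-grocy: the imported key's fingerprint should be checked before `git verify-commit` is trusted.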

21
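--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2018
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.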

38
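--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,38 @@
+.PHONY: build pod grocy nginx
+GROCY_VERSION = v2.7.1
+IMAGE_COMMIT := $(shell git rev-parse --short HEAD)
+IMAGE_TAG := $(strip $(if $(shell git status --porcelain --untracked-files=no), "${IMAGE_COMMIT}-dirty", "${IMAGE_COMMIT}"))
+build: pod grocy nginx
+podman run \
+--add-host grocy:127.0.0.1 \
+--detach \
+--env-file grocy.env \
+--name grocy \
+--pod grocy-pod \
+--read-only \
+--volume /var/log/php7 \
+--volume app-db:/var/www/data \
+grocy:${IMAGE_TAG}
+podman run \
+--add-host grocy:127.0.0.1 \
+--detach \
+--name nginx \
+--pod grocy-pod \
+--read-only \
+--tmpfs /tmp \
+--volume /var/log/nginx \
+nginx:${IMAGE_TAG}
+pod:
+podman pod rm -f grocy-pod || true
+podman pod create --name grocy-pod --publish 127.0.0.1:8080:8080
+grocy:
+podman image exists $@:${IMAGE_TAG} || buildah bud --build-arg GITHUB_API_TOKEN=${GITHUB_API_TOKEN} --build-arg GROCY_VERSION=${GROCY_VERSION} -f Dockerfile-grocy -t $@:${IMAGE_TAG} .
+podman tag $@:${IMAGE_TAG} $@:latest
+nginx:
+podman image exists $@:${IMAGE_TAG} || buildah bud --build-arg GROCY_VERSION=${GROCY_VERSION} -f Dockerfile-grocy-nginx -t $@:${IMAGE_TAG} .
+podman tag $@:${IMAGE_TAG} $@:latest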
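Review bot: The `pod` target publishes only `127.0.0.1:8080:8080`, so the 8443 TLS listener that Dockerfile-grocy-nginx exposes is unreachable from the host on the podman path; either add `--publish 127.0.0.1:8443:8443` or note in a comment that this path is HTTP-only. The `--build-arg GITHUB_API_TOKEN=${GITHUB_API_TOKEN}` in the `grocy` target also puts the token on the buildah command line, where it is readable in the build host's process list for the duration of the build, in addition to being recorded in the image history by the Dockerfile's RUN step.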

76
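--- a/README.md
+++ b/README.md
@@ -0,0 +1,76 @@
+# grocy-docker
+ERP beyond your fridge - now containerized!
+This repository includes container build infrastructure for [grocy](https://github.com/grocy/grocy).
+[![Docker Pulls](https://img.shields.io/docker/pulls/grocy/grocy.svg)](https://hub.docker.com/r/grocy/grocy/)
+[![Docker Stars](https://img.shields.io/docker/stars/grocy/grocy.svg)](https://hub.docker.com/r/grocy/grocy/)
+## Prerequisites
+Follow [these instructions](https://docs.docker.com/install/) to get Docker running on your server.
+## Quickstart
+To get started using pre-built [Docker Hub grocy images](https://hub.docker.com/u/grocy), run the following commands:
+```sh
+docker-compose pull
+docker-compose up
+```
+The grocy application should now be accessible locally to the server:
+- [http://localhost](http://localhost)
+- [https://localhost](https://localhost)
+Since the images contain self-signed certificates, your browser may display a warning when visiting the HTTPS URL.
+### Configuration
+The grocy application reads configuration settings from environment variables prefixed by `GROCY_`.
+Runtime environment variables are read by `docker-compose` from the [grocy.env](grocy.env) file in this directory.
+The default login credentials are username `admin` and password `admin`; please change these before providing end-user access to your deployment.
+#### Demo Mode
+To run the container in demo mode, override the `GROCY_MODE` environment variable at application run-time:
+```sh
+GROCY_MODE=demo docker-compose up
+```
+### Build
+#### Docker Images
+```sh
+docker-compose build
+```
+Note: if you experience build failures as a result of GitHub API [rate limiting](https://developer.github.com/v3/#rate-limiting), you may optionally provide a GitHub API key (preferably restricted to `read:packages` scope) at build-time:
+```sh
+GITHUB_API_TOKEN='your-token-here' docker-compose build
+```
+### Vulnerability Scans
+Support is provided for running image vulnerability scans using the [snyk](https://www.npmjs.com/package/snyk) CLI tool.
+This requires authentication with [Snyk](https://snyk.io/) during the vulnerability scanning process.
+You can read more about Snyk's vulnerability database [here](https://support.snyk.io/hc/en-us/articles/360003968978-How-efficient-is-our-Vulnerability-Database-).
+To perform a vulnerability scan, use the following command:
+```sh
+npm run test
+```
+#### OCI Images
+Optional support for building [opencontainer](https://www.opencontainers.org/) images is available via the [Makefile](Makefile) provided.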

56
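--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,56 @@
+version: '2'
+services:
+nginx:
+image: "grocy/nginx:v2.7.1-3"
+build:
+args:
+GROCY_VERSION: v2.7.1
+context: .
+dockerfile: Dockerfile-grocy-nginx
+depends_on:
+- grocy
+environment:
+- VIRTUAL_HOST=grocy.franv.site
+- LETSENCRYPT_HOST=grocy.franv.site
+- LETSENCRYPT_EMAIL=ouch@thetrauma.org
+- VIRTUAL_PORT=8080
+# ports:
+# - '82:8080'
+# - '445:8443'
+read_only: true
+tmpfs:
+- /tmp
+volumes:
+- /var/log/nginx
+container_name: nginx
+grocy:
+image: "grocy/grocy:v2.7.1-3"
+build:
+args:
+GITHUB_API_TOKEN: "${GITHUB_API_TOKEN}"
+GROCY_VERSION: v2.7.1
+context: .
+dockerfile: Dockerfile-grocy
+expose:
+- '9000'
+read_only: true
+tmpfs:
+- /tmp
+volumes:
+- /var/log/php7
+- app-db:/var/www/data
+env_file:
+- grocy.env
+container_name: grocy
+volumes:
+app-db:
+networks:
+default:
+external:
+name: franvproxy_proxy-tier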
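Review bot: The only network defined is the external `franvproxy_proxy-tier`, so the grocy service and its php-fpm port 9000 are attached to the shared proxy network rather than to a network private to this nginx; any other container on that network can speak FastCGI to php-fpm directly and ask it to run PHP files present in the container, which bypasses nginx entirely. Keep nginx on the proxy network but move grocy onto an internal network shared only with nginx, e.g. give grocy `networks: [backend]`, give nginx both `default` and `backend`, and declare `backend: {internal: true}` under `networks:`. The deployment-specific values (`VIRTUAL_HOST`/`LETSENCRYPT_HOST=grocy.franv.site`, `LETSENCRYPT_EMAIL`) are hard-coded into the base file; an override file or grocy.env would keep them out of the shared configuration. The `v2.7.1-3` image tags here also differ from the `2.7.1-1` version in package.json that the snyk scripts use to choose which image to scan.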

45
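--- a/docker-compose.yml.good
+++ b/docker-compose.yml.good
@@ -0,0 +1,45 @@
+version: '2'
+services:
+nginx:
+image: "grocy/nginx:v2.7.1-3"
+build:
+args:
+GROCY_VERSION: v2.7.1
+context: .
+dockerfile: Dockerfile-grocy-nginx
+depends_on:
+- grocy
+ports:
+- '82:8080'
+- '445:8443'
+read_only: true
+tmpfs:
+- /tmp
+volumes:
+- /var/log/nginx
+container_name: nginx
+grocy:
+image: "grocy/grocy:v2.7.1-3"
+build:
+args:
+GITHUB_API_TOKEN: "${GITHUB_API_TOKEN}"
+GROCY_VERSION: v2.7.1
+context: .
+dockerfile: Dockerfile-grocy
+expose:
+- '9000'
+read_only: true
+tmpfs:
+- /tmp
+volumes:
+- /var/log/php7
+- app-db:/var/www/data
+env_file:
+- grocy.env
+container_name: grocy
+volumes:
+app-db: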
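Review bot: This file appears to be a kept copy of the compose file before the proxy-network edits (the only difference is the `ports:` block in place of the `environment:`/`networks:` additions); docker-compose does not read a `.yml.good` file, so it will silently drift from the live one and should either be deleted or renamed to a documented example or `docker-compose.override.yml`. If it is kept as an example, note that `'82:8080'` and `'445:8443'` publish on all interfaces rather than the loopback-only binding that the v2.6.2-1 changelog entry describes, and that 445 is the SMB port, which is commonly filtered or already in use; `'127.0.0.1:82:8080'` and `'127.0.0.1:8443:8443'` would match the stated default.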

6
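--- a/docker_grocy/www.conf
+++ b/docker_grocy/www.conf
@@ -0,0 +1,6 @@
+[global]
+daemonize = no
+[www]
+clear_env = no
+listen = 9000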
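Review bot: `clear_env = no` is what lets the GROCY_* settings from grocy.env reach the application, but it also hands every other variable in the container environment (anything an operator adds with `-e` or `--env-file`) to PHP code through getenv(), and the file does not say so. Add a comment above it such as `; clear_env = no: needed so GROCY_* settings reach grocy; note that ALL container environment variables become visible to PHP` so operators do not put unrelated secrets in the same environment. `listen = 9000` binds every interface of the container, which is only acceptable while the container network is reachable solely by nginx; that assumption is worth stating here too.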

20
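--- a/docker_nginx/common.conf
+++ b/docker_nginx/common.conf
@@ -0,0 +1,20 @@
+charset utf-8;
+location / {
+try_files $uri /index.php$is_args$query_string;
+}
+location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
+expires 365d;
+}
+location ~ \.php$ {
+fastcgi_pass grocy:9000;
+fastcgi_index index.php;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+include fastcgi_params;
+}
+location ~ /\.ht {
+deny all;
+}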
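Review bot: The static-asset regex `location ~* .(jpg|jpeg|png|gif|ico|css|js)$` has an unescaped dot, so it matches any character before the extension (a request for `/somejs` or `/indexcss` also gets the year-long `expires`); it should read `location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {`. The `\.php$` block passes `$document_root$fastcgi_script_name` without confirming the script exists; if PHP's `cgi.fix_pathinfo` is left at its built-in default and user-controlled files ever land under /var/www/public, a request like `/x.jpg/y.php` can be resolved by php-fpm to the non-PHP file, so add `try_files $fastcgi_script_name =404;` before `fastcgi_pass` (the nginx image holds the same grocy checkout, so the lookup is meaningful) or disable `cgi.fix_pathinfo` on the php side. The `/\.ht` rule could be widened to `location ~ /\. { deny all; }` to cover any other dotfiles that end up under the document root.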


@ -0,0 +1,8 @@
server {
listen 8080 default_server;
server_name _;
root /var/www/public; # see: volumes_from
include /etc/nginx/common.conf;
}
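Review bot: The `# see: volumes_from` comment on the `root` line refers to a shared-volume arrangement that the v2.6.2-4 changelog entry says was removed; in this commit the nginx image obtains /var/www by cloning the same grocy tag itself, so the comment should say that instead, e.g. `root /var/www/public; # own grocy checkout, see Dockerfile-grocy-nginx`. The file header for this section is not rendered on the page; the path is inferred from the `COPY docker_nginx/conf.d/default.conf` line in Dockerfile-grocy-nginx.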


@ -0,0 +1,11 @@
server {
listen 8443 ssl;
server_name _;
root /var/www/public; # see: volumes_from
ssl_certificate /etc/ssl/private/grocy-nginx.crt;
ssl_certificate_key /etc/ssl/private/grocy-nginx.key;
include /etc/nginx/common.conf;
}
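Review bot: The server block enables `ssl` but sets no `ssl_protocols`, so nginx's compiled-in default applies, which for the nginx packaged in Alpine 3.11 still includes TLSv1 and TLSv1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;` beside the certificate directives. The certificate and key referenced here are generated at image build time with `CN=localhost` (see Dockerfile-grocy-nginx) and are therefore identical for every copy of the published image, which is worth stating in a comment so operators know to mount their own files over these paths. The `root` line carries the same stale `# see: volumes_from` comment as default.conf. The file header for this section is not rendered on the page; the path is inferred from the `COPY docker_nginx/conf.d/ssl.conf` line in Dockerfile-grocy-nginx.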

33
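--- a/docker_nginx/nginx.conf
+++ b/docker_nginx/nginx.conf
@@ -0,0 +1,33 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+events {
+worker_connections 1024;
+}
+http {
+# Basic mime type configuration
+include mime.types;
+default_type application/octet-stream;
+# Configuration related to client connections and content upload
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+client_max_body_size 50M;
+# Write nginx temporary files to /tmp in order to run in rootless configuration
+# See: https://hub.docker.com/_/nginx/
+client_body_temp_path /tmp/client_temp;
+proxy_temp_path /tmp/proxy_temp_path;
+fastcgi_temp_path /tmp/fastcgi_temp;
+uwsgi_temp_path /tmp/uwsgi_temp;
+scgi_temp_path /tmp/scgi_temp;
+# Enable compression for application content
+gzip on;
+gzip_types application/javascript application/json application/octet-stream application/pdf font/woff font/woff2 image/gif image/jpeg image/png image/webp image/x-icon text/css;
+include /etc/nginx/conf.d/*.conf;
+}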
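Review bot: `client_max_body_size 50M` is the effective upload ceiling for the whole stack even though grocy.env sets `PHP_MAX_POST=100M`, and nothing ties the two together; a comment such as `client_max_body_size 50M; # keep in sync with MAX_UPLOAD / PHP_MAX_POST in grocy.env` would stop them drifting further. `server_tokens off;` in the `http` block is a cheap hardening step that keeps the nginx version out of response headers and error pages. With `gzip on` and `application/json` in `gzip_types`, dynamic JSON responses over the TLS listener are compressed, which is the precondition for compression-side-channel attacks such as BREACH; if that matters for this deployment, limiting gzip to static asset types is the usual mitigation.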

44
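--- a/grocy.env
+++ b/grocy.env
@@ -0,0 +1,44 @@
+# Grocy Environment Variables
+# These environment variables affect PHP and the grocy application
+# For a full list of grocy settings, see config-dist.php in the main grocy repo:
+#
+# https://github.com/grocy/grocy/blob/master/config-dist.php
+#
+# Grocy application settings must be prefixed with 'GROCY_'.
+#
+# For example, if we'd like to configure grocy to use Euros (EUR):
+#
+# Setting('CURRENCY', 'USD');
+#
+# Then we would set GROCY_CURRENCY='EUR'.
+GROCY_CURRENCY='CAD'
+## User-supplied Variables
+# These are environment variables that may be supplied by the user
+# No values are supplied for these as part of this distribution
+# When you're ready to deploy grocy in production, set GROCY_MODE=production
+# to enable user authentication
+GROCY_MODE=production
+## Distribution-supplied Variables
+# These are 'sensible defaults' provided as part of the grocy-docker
+# distribution.
+# GROCY_CULTURE configures localization of the grocy application
+# Supported locales: https://github.com/grocy/grocy/tree/master/localization
+GROCY_CULTURE=en
+# PHP Environment variables
+MAX_UPLOAD=50M
+PHP_MAX_FILE_UPLOAD=200
+PHP_MAX_POST=100M
+PHP_MEMORY_LIMIT=512M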
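Review bot: The four `MAX_UPLOAD`/`PHP_*` variables at the bottom are not consumed by anything in this commit: Dockerfile-grocy installs stock php7-fpm, www.conf only sets `listen` and `clear_env`, and PHP does not read `PHP_MEMORY_LIMIT` or `PHP_MAX_POST` from its environment on its own, so they appear to be no-ops unless a php.ini template outside this repository maps them. Either wire them into the pool via `php_admin_value[memory_limit]`-style directives in www.conf or drop them and replace the `# PHP Environment variables` comment with a note that PHP limits are the image defaults. The `## User-supplied Variables` comment says no values are supplied for these, yet `GROCY_MODE=production` is set directly beneath it; update the comment to say that production mode (with authentication) is the shipped default and that the admin/admin credentials noted in the README must be changed.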

2891
package-lock.json generated Normal file


35
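--- a/package.json
+++ b/package.json
@@ -0,0 +1,35 @@
+{
+"name": "grocy-docker",
+"version": "2.7.1-1",
+"description": "ERP beyond your fridge - now containerized",
+"main": ".",
+"scripts": {
+"build": "docker-compose build",
+"test": "npm run build && npm run test:grocy && npm run test:nginx",
+"test:grocy": "npx snyk test --docker grocy/grocy:v${npm_package_version} --file=Dockerfile-grocy-nginx",
+"test:nginx": "npx snyk test --docker grocy/nginx:v${npm_package_version} --file=Dockerfile-grocy-nginx"
+},
+"repository": {
+"type": "git",
+"url": "git+https://github.com/grocy/grocy-docker.git"
+},
+"keywords": [
+"self-hosted",
+"food",
+"home",
+"erp",
+"groceries",
+"ownyourdata",
+"docker",
+"grocy"
+],
+"author": "Talmai Oliveira <to@talm.ai>, James Addison <jay@jp-hosting.net>",
+"license": "MIT",
+"bugs": {
+"url": "https://github.com/grocy/grocy-docker/issues"
+},
+"homepage": "https://github.com/grocy/grocy-docker#readme",
+"devDependencies": {
+"snyk": "^1.305.1"
+}
+}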
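Review bot: The `test:grocy` script passes `--file=Dockerfile-grocy-nginx`, which is the nginx image's Dockerfile, so snyk attributes the grocy image's findings to the wrong base-image definition; it should be `"test:grocy": "npx snyk test --docker grocy/grocy:v${npm_package_version} --file=Dockerfile-grocy"`. Both scan scripts derive the image tag from `version` (`2.7.1-1`), while docker-compose.yml builds and tags `v2.7.1-3`, so `npm run test` will scan an older tag or fail if it is absent; bumping `version` to `2.7.1-3` or reading the tag from one shared source would keep the scan pointed at the image that was just built.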