first commit

CHANGELOG.md

@@ -0,0 +1,66 @@
+# Changelog
+
+## [v2.7.1-3] - 2020-04-27
+
+### Changed
+
+- Rebuild container images with new Alpine 3.11.6 release
+
+## [v2.7.1-2] - 2020-04-21
+
+### Changed
+
+- Rebuild nginx image with new Alpine 'openssl' package
+- Was: 'OpenSSL 1.1.1d  10 Sep 2019'
+- Now: 'OpenSSL 1.1.1g  21 Apr 2020 (Library: OpenSSL 1.1.1d  10 Sep 2019)'
+
+## [v2.7.1-1] - 2020-04-18
+
+### Added
+
+- Upgrade to grocy release v2.7.1
+
+## [v2.7.0-1] - 2020-04-17
+
+### Added
+
+- Upgrade to grocy release v2.7.0
+
+## [v2.6.2-4] - 2020-04-07
+
+### Removed
+
+- Shared 'www-static' volume
+
+## [v2.6.2-3] - 2020-04-06
+
+### Changed
+
+- Introduced a handful of Docker Hub image best-practices
+
+## [v2.6.2-2] - 2020-04-04
+
+### Changed
+
+- Pull in upstream grocy v2.6.2 fix
+
+## [v2.6.2-1] - 2020-04-04
+
+### Changed
+
+- Ensure that the application is bound to 127.0.0.1 by default
+
+## [v2.6.2] - 2020-04-03
+
+### Added
+
+- Upgrade to grocy release v2.6.2
+- Support for GitHub API tokens at build-time
+- Log volumes added for grocy and nginx
+- Optional support for OCI image builds
+
+### Changed
+
+- Breaking change: Image names are now: grocy/nginx, grocy/grocy
+- Breaking change: Application database volume contents and name updated
+- Image filesystems are read-only

Dockerfile-grocy

@@ -0,0 +1,85 @@
+FROM alpine:3.11.6
+LABEL maintainer "Talmai Oliveira <to@talm.ai>, James Addison <jay@jp-hosting.net>"
+
+ARG GROCY_VERSION
+
+# Optionally authenticate with GitHub using an API token
+#
+# This can reduce instances of download rate limiting by GitHub
+# https://developer.github.com/v3/#rate-limiting
+#
+# This value is *not* assigned to a variable using the ENV instruction,
+# since those variables are persisted in the resulting image and could leak
+# developer credentials
+# https://docs.docker.com/engine/reference/builder/#env
+ARG GITHUB_API_TOKEN
+
+# ensure www-data user exists
+RUN set -eux; \
+	addgroup -g 82 -S www-data; \
+	adduser -u 82 -D -S -G www-data www-data
+# 82 is the standard uid/gid for "www-data" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/apache2/apache2.pre-install?h=3.9-stable
+# https://git.alpinelinux.org/aports/tree/main/lighttpd/lighttpd.pre-install?h=3.9-stable
+# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.pre-install?h=3.9-stable
+
+# Install build-time dependencies
+RUN     apk add --no-cache \
+            composer \
+            git \
+            gnupg \
+            wget
+
+# Install system dependencies
+RUN     apk add --no-cache \
+            php7-fpm \
+            php7-fileinfo \
+            php7-iconv \
+            php7-json \
+            php7-gd \
+            php7-pdo_sqlite \
+            php7-simplexml \
+            php7-tokenizer
+
+# Configure directory permissions
+RUN     chown www-data /var/log/php7 && \
+        mkdir /var/www && \
+        chown www-data /var/www
+
+COPY docker_grocy/www.conf /etc/php7/php-fpm.d/zz-docker.conf
+
+# Install application dependencies (unprivileged)
+USER www-data
+WORKDIR /var/www
+
+# Extract application release package
+ENV GROCY_RELEASE_KEY_URI="https://berrnd.de/data/Bernd_Bestel.asc"
+RUN     set -o pipefail && \
+        export GNUPGHOME=$(mktemp -d) && \
+        wget ${GROCY_RELEASE_KEY_URI} -O - | gpg --batch --import && \
+        git clone --branch ${GROCY_VERSION} --config advice.detachedHead=false --depth 1 "https://github.com/grocy/grocy.git" . && \
+        git verify-commit ${GROCY_VERSION} && \
+        rm -rf ${GNUPGHOME} && \
+        mkdir data/viewcache && \
+        cp config-dist.php data/config.php
+
+# Install application dependencies
+RUN     COMPOSER_OAUTH=${GITHUB_API_TOKEN:+"\"github.com\": \"${GITHUB_API_TOKEN}\""} && \
+        COMPOSER_AUTH="{\"github-oauth\": { ${COMPOSER_OAUTH} }}" composer install --no-interaction --no-dev --optimize-autoloader && \
+        composer clear-cache
+
+# Remove build-time dependencies (privileged)
+USER root
+RUN     apk del \
+            composer \
+            git \
+            gnupg \
+            wget
+
+VOLUME ["/var/www/data"]
+
+EXPOSE 9000
+
+USER www-data
+
+CMD ["php-fpm7"]

Dockerfile-grocy-nginx

@@ -0,0 +1,72 @@
+FROM alpine:3.11.6
+LABEL maintainer "Talmai Oliveira <to@talm.ai>, James Addison <jay@jp-hosting.net>"
+
+ARG GROCY_VERSION
+
+# Install build-time dependencies
+RUN     apk add --no-cache \
+            openssl \
+            git \
+            gnupg \
+            wget \
+            yarn
+
+# Install system dependencies
+RUN     apk add --no-cache \
+            nginx
+
+# Generate TLS certificates
+RUN     openssl req \
+                -x509 \
+                -newkey rsa:2048 \
+                -keyout /etc/ssl/private/grocy-nginx.key \
+                -out /etc/ssl/private/grocy-nginx.crt \
+                -days 365 \
+                -nodes \
+                -subj /CN=localhost && \
+        chown nginx /etc/ssl/private/grocy-nginx.key && \
+        chown nginx /etc/ssl/private/grocy-nginx.crt
+
+# Configure directory permissions
+RUN     chown -R nginx /var/log/nginx && \
+        rm -rf /var/www/localhost && \
+        chown nginx /var/www
+
+COPY docker_nginx/nginx.conf /etc/nginx/nginx.conf
+COPY docker_nginx/common.conf /etc/nginx/common.conf
+COPY docker_nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
+COPY docker_nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf
+
+# Install application dependencies (unprivileged)
+USER nginx
+WORKDIR /var/www
+
+# Extract application release package
+ENV GROCY_RELEASE_KEY_URI="https://berrnd.de/data/Bernd_Bestel.asc"
+RUN     set -o pipefail && \
+        export GNUPGHOME=$(mktemp -d) && \
+        wget ${GROCY_RELEASE_KEY_URI} -O - | gpg --batch --import && \
+        git clone --branch ${GROCY_VERSION} --config advice.detachedHead=false --depth 1 "https://github.com/grocy/grocy.git" . && \
+        git verify-commit ${GROCY_VERSION} && \
+        rm -rf ${GNUPGHOME}
+
+# Install application dependencies
+RUN     yarn install --modules-folder /var/www/public/node_modules --production && \
+        yarn cache clean
+
+# Remove build-time dependencies (privileged)
+USER root
+RUN     apk del \
+            openssl \
+            git \
+            gnupg \
+            wget \
+            yarn
+
+VOLUME ["/var/log/nginx"]
+
+EXPOSE 8080 8443
+
+USER nginx
+
+CMD ["nginx", "-g", "daemon off;"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,38 @@
+.PHONY: build pod grocy nginx
+
+GROCY_VERSION = v2.7.1
+IMAGE_COMMIT := $(shell git rev-parse --short HEAD)
+IMAGE_TAG := $(strip $(if $(shell git status --porcelain --untracked-files=no), "${IMAGE_COMMIT}-dirty", "${IMAGE_COMMIT}"))
+
+build: pod grocy nginx
+	podman run \
+        --add-host grocy:127.0.0.1 \
+        --detach \
+        --env-file grocy.env \
+        --name grocy \
+        --pod grocy-pod \
+        --read-only \
+        --volume /var/log/php7 \
+        --volume app-db:/var/www/data \
+        grocy:${IMAGE_TAG}
+	podman run \
+        --add-host grocy:127.0.0.1 \
+        --detach \
+        --name nginx \
+        --pod grocy-pod \
+        --read-only \
+        --tmpfs /tmp \
+        --volume /var/log/nginx \
+        nginx:${IMAGE_TAG}
+
+pod:
+	podman pod rm -f grocy-pod || true
+	podman pod create --name grocy-pod --publish 127.0.0.1:8080:8080
+
+grocy:
+	podman image exists $@:${IMAGE_TAG} || buildah bud --build-arg GITHUB_API_TOKEN=${GITHUB_API_TOKEN} --build-arg GROCY_VERSION=${GROCY_VERSION} -f Dockerfile-grocy -t $@:${IMAGE_TAG} .
+	podman tag $@:${IMAGE_TAG} $@:latest
+
+nginx:
+	podman image exists $@:${IMAGE_TAG} || buildah bud --build-arg GROCY_VERSION=${GROCY_VERSION} -f Dockerfile-grocy-nginx -t $@:${IMAGE_TAG} .
+	podman tag $@:${IMAGE_TAG} $@:latest

README.md

@@ -0,0 +1,76 @@
+# grocy-docker
+
+ERP beyond your fridge - now containerized!
+
+This repository includes container build infrastructure for [grocy](https://github.com/grocy/grocy).
+
+[![Docker Pulls](https://img.shields.io/docker/pulls/grocy/grocy.svg)](https://hub.docker.com/r/grocy/grocy/)
+[![Docker Stars](https://img.shields.io/docker/stars/grocy/grocy.svg)](https://hub.docker.com/r/grocy/grocy/)
+
+## Prerequisites
+
+Follow [these instructions](https://docs.docker.com/install/) to get Docker running on your server.
+
+## Quickstart
+
+To get started using pre-built [Docker Hub grocy images](https://hub.docker.com/u/grocy), run the following commands:
+
+```sh
+docker-compose pull
+docker-compose up
+```
+
+The grocy application should now be accessible locally to the server:
+
+ - [http://localhost](http://localhost)
+ - [https://localhost](https://localhost)
+
+Since the images contain self-signed certificates, your browser may display a warning when visiting the HTTPS URL.
+
+### Configuration
+
+The grocy application reads configuration settings from environment variables prefixed by `GROCY_`.
+
+Runtime environment variables are read by `docker-compose` from the [grocy.env](grocy.env) file in this directory.
+
+The default login credentials are username `admin` and password `admin`; please change these before providing end-user access to your deployment.
+
+#### Demo Mode
+
+To run the container in demo mode, override the `GROCY_MODE` environment variable at application run-time:
+
+```sh
+GROCY_MODE=demo docker-compose up
+```
+
+### Build
+
+#### Docker Images
+
+```sh
+docker-compose build
+```
+
+Note: if you experience build failures as a result of GitHub API [rate limiting](https://developer.github.com/v3/#rate-limiting), you may optionally provide a GitHub API key (preferably restricted to `read:packages` scope) at build-time:
+
+```sh
+GITHUB_API_TOKEN='your-token-here' docker-compose build
+```
+
+### Vulnerability Scans
+
+Support is provided for running image vulnerability scans using the [snyk](https://www.npmjs.com/package/snyk) CLI tool.
+
+This requires authentication with [Snyk](https://snyk.io/) during the vulnerability scanning process.
+
+You can read more about Snyk's vulnerability database [here](https://support.snyk.io/hc/en-us/articles/360003968978-How-efficient-is-our-Vulnerability-Database-).
+
+To perform a vulnerability scan, use the following command:
+
+```sh
+npm run test
+```
+
+#### OCI Images
+
+Optional support for building [opencontainer](https://www.opencontainers.org/) images is available via the [Makefile](Makefile) provided.

docker-compose.yml

@@ -0,0 +1,56 @@
+version: '2'
+
+services:
+
+  nginx:
+    image: "grocy/nginx:v2.7.1-3"
+    build:
+      args:
+        GROCY_VERSION: v2.7.1
+      context: .
+      dockerfile: Dockerfile-grocy-nginx
+    depends_on:
+      - grocy
+    environment:
+      - VIRTUAL_HOST=grocy.franv.site
+      - LETSENCRYPT_HOST=grocy.franv.site
+      - LETSENCRYPT_EMAIL=ouch@thetrauma.org
+      - VIRTUAL_PORT=8080
+       
+#    ports:
+#      - '82:8080'
+#      - '445:8443'
+    read_only: true
+    tmpfs:
+      - /tmp
+    volumes:
+      - /var/log/nginx
+    container_name: nginx
+
+  grocy:
+    image: "grocy/grocy:v2.7.1-3"
+    build:
+      args:
+        GITHUB_API_TOKEN: "${GITHUB_API_TOKEN}"
+        GROCY_VERSION: v2.7.1
+      context: .
+      dockerfile: Dockerfile-grocy
+    expose:
+      - '9000'
+    read_only: true
+    tmpfs:
+      - /tmp
+    volumes:
+      - /var/log/php7
+      - app-db:/var/www/data
+    env_file:
+      - grocy.env
+    container_name: grocy
+
+volumes:
+  app-db:
+
+networks:
+  default:
+    external:
+      name: franvproxy_proxy-tier

docker-compose.yml.good

@@ -0,0 +1,45 @@
+version: '2'
+
+services:
+
+  nginx:
+    image: "grocy/nginx:v2.7.1-3"
+    build:
+      args:
+        GROCY_VERSION: v2.7.1
+      context: .
+      dockerfile: Dockerfile-grocy-nginx
+    depends_on:
+      - grocy
+    ports:
+      - '82:8080'
+      - '445:8443'
+    read_only: true
+    tmpfs:
+      - /tmp
+    volumes:
+      - /var/log/nginx
+    container_name: nginx
+
+  grocy:
+    image: "grocy/grocy:v2.7.1-3"
+    build:
+      args:
+        GITHUB_API_TOKEN: "${GITHUB_API_TOKEN}"
+        GROCY_VERSION: v2.7.1
+      context: .
+      dockerfile: Dockerfile-grocy
+    expose:
+      - '9000'
+    read_only: true
+    tmpfs:
+      - /tmp
+    volumes:
+      - /var/log/php7
+      - app-db:/var/www/data
+    env_file:
+      - grocy.env
+    container_name: grocy
+
+volumes:
+  app-db:

docker_grocy/www.conf

@@ -0,0 +1,6 @@
+[global]
+daemonize = no
+
+[www]
+clear_env = no
+listen = 9000

docker_nginx/common.conf

@@ -0,0 +1,20 @@
+charset utf-8;
+
+location / {
+    try_files $uri /index.php$is_args$query_string;
+}
+
+location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
+    expires 365d;
+}
+
+location ~ \.php$ {
+    fastcgi_pass   grocy:9000;
+    fastcgi_index  index.php;
+    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+    include        fastcgi_params;
+}
+
+location ~ /\.ht {
+    deny  all;
+}

docker_nginx/conf.d/default.conf

@@ -0,0 +1,8 @@
+server {
+    listen 8080 default_server;
+    server_name _;
+    
+    root /var/www/public; # see: volumes_from
+    
+    include /etc/nginx/common.conf;
+}

docker_nginx/conf.d/ssl.conf

@@ -0,0 +1,11 @@
+server {
+    listen 8443 ssl;
+    server_name _;
+    
+    root /var/www/public; # see: volumes_from
+
+    ssl_certificate      /etc/ssl/private/grocy-nginx.crt;
+    ssl_certificate_key  /etc/ssl/private/grocy-nginx.key;
+    
+    include /etc/nginx/common.conf;
+}

docker_nginx/nginx.conf

@@ -0,0 +1,33 @@
+worker_processes auto;
+
+pid /tmp/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    # Basic mime type configuration
+    include mime.types;
+    default_type application/octet-stream;
+
+    # Configuration related to client connections and content upload
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    client_max_body_size 50M;
+
+    # Write nginx temporary files to /tmp in order to run in rootless configuration
+    # See: https://hub.docker.com/_/nginx/
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+
+    # Enable compression for application content
+    gzip on;
+    gzip_types application/javascript application/json application/octet-stream application/pdf font/woff font/woff2 image/gif image/jpeg image/png image/webp image/x-icon text/css;
+
+    include /etc/nginx/conf.d/*.conf;
+}

grocy.env

@@ -0,0 +1,44 @@
+
+
+# Grocy Environment Variables
+
+# These environment variables affect PHP and the grocy application
+# For a full list of grocy settings, see config-dist.php in the main grocy repo:
+#
+#       https://github.com/grocy/grocy/blob/master/config-dist.php
+#
+# Grocy application settings must be prefixed with 'GROCY_'.
+#
+# For example, if we'd like to configure grocy to use Euros (EUR):
+#
+#       Setting('CURRENCY', 'USD');
+#
+# Then we would set GROCY_CURRENCY='EUR'. 
+GROCY_CURRENCY='CAD'
+
+
+## User-supplied Variables
+
+# These are environment variables that may be supplied by the user
+# No values are supplied for these as part of this distribution
+
+# When you're ready to deploy grocy in production, set GROCY_MODE=production
+# to enable user authentication
+GROCY_MODE=production
+
+
+## Distribution-supplied Variables
+
+# These are 'sensible defaults' provided as part of the grocy-docker
+# distribution.
+
+# GROCY_CULTURE configures localization of the grocy application
+# Supported locales: https://github.com/grocy/grocy/tree/master/localization
+GROCY_CULTURE=en
+
+
+# PHP Environment variables
+MAX_UPLOAD=50M
+PHP_MAX_FILE_UPLOAD=200
+PHP_MAX_POST=100M
+PHP_MEMORY_LIMIT=512M

package.json

@@ -0,0 +1,35 @@
+{
+  "name": "grocy-docker",
+  "version": "2.7.1-1",
+  "description": "ERP beyond your fridge - now containerized",
+  "main": ".",
+  "scripts": {
+    "build": "docker-compose build",
+    "test": "npm run build && npm run test:grocy && npm run test:nginx",
+    "test:grocy": "npx snyk test --docker grocy/grocy:v${npm_package_version} --file=Dockerfile-grocy-nginx",
+    "test:nginx": "npx snyk test --docker grocy/nginx:v${npm_package_version} --file=Dockerfile-grocy-nginx"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/grocy/grocy-docker.git"
+  },
+  "keywords": [
+    "self-hosted",
+    "food",
+    "home",
+    "erp",
+    "groceries",
+    "ownyourdata",
+    "docker",
+    "grocy"
+  ],
+  "author": "Talmai Oliveira <to@talm.ai>, James Addison <jay@jp-hosting.net>",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/grocy/grocy-docker/issues"
+  },
+  "homepage": "https://github.com/grocy/grocy-docker#readme",
+  "devDependencies": {
+    "snyk": "^1.305.1"
+  }
+}