Commit 40d1ebf3 authored by Noah Prail's avatar Noah Prail

refactor: Make the Docker image tiny!

parent f8a0e080
0.0.0.0
log stdout
errors stdout
root /srv
gzip
\ No newline at end of file
FROM golang:1.12-alpine
FROM golang:1.12-alpine as builder
RUN mkdir /app
ADD build /app/
......@@ -10,4 +10,26 @@ ENV GO111MODULE=on
RUN go build
ENTRYPOINT ["/app/caddy"]
\ No newline at end of file
FROM alpine:3.10
RUN apk add --no-cache \
ca-certificates \
git \
mailcap \
openssh-client \
tzdata
COPY --from=builder /app/caddy /usr/bin/caddy
RUN /usr/bin/caddy -version
RUN /usr/bin/caddy -plugins
EXPOSE 80 443 2015
VOLUME /root/.caddy /srv
WORKDIR /srv
COPY Caddyfile /etc/Caddyfile
COPY index.html /srv/index.html
ENTRYPOINT ["/usr/bin/caddy"]
CMD ["-conf", "/etc/Caddyfile", "-log", "stdout"]
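Review bot: The new runtime stage never switches away from root, so caddy runs as UID 0 and keeps its ACME state under `/root/.caddy` (the VOLUME on the line `VOLUME /root/.caddy /srv`); a process that terminates TLS and proxies for arbitrary hostnames should not be the container's root user. The rewrite below creates a system user, points `CADDYPATH` at a dedicated directory (the same convention the systemd unit in this commit uses) and switches with `USER` before the entrypoint. One caveat: `EXPOSE 80 443` then needs `CAP_NET_BIND_SERVICE` for the non-root process — either grant it to the binary (alpine's `libcap` provides `setcap`) or publish only the 2015 default that the bundled Caddyfile listens on; the systemd unit in this commit solves the same problem with `AmbientCapabilities=CAP_NET_BIND_SERVICE`. Separately, the `apk add` list is unpinned (hadolint DL3018), so rebuilds of the same commit can pull different package versions.
```dockerfile
FROM alpine:3.10
RUN apk add --no-cache \
    ca-certificates \
    git \
    mailcap \
    openssh-client \
    tzdata \
 && addgroup -S caddy && adduser -S -G caddy -h /var/lib/caddy caddy
COPY --from=builder /app/caddy /usr/bin/caddy
# … unchanged: -version / -plugins sanity checks, EXPOSE …
# Certificates and ACME state live in CADDYPATH, not the root user's home.
ENV CADDYPATH=/var/lib/caddy
VOLUME /var/lib/caddy /srv
WORKDIR /srv
COPY --chown=caddy:caddy Caddyfile /etc/Caddyfile
COPY --chown=caddy:caddy index.html /srv/index.html
USER caddy
# … unchanged: ENTRYPOINT / CMD …
```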
# Caddy
Caddy docker image.
### based on [golang:1.12-alpine](https://hub.docker.com/_/golang/)
----
### based on [golang:1.12-alpine](https://hub.docker.com/_/golang) and [alpine:3.10](https://hub.docker.com/_/alpine)
---
### Pull from e1dev
```
docker pull registry.e1dev.com/docker/caddy:latest
```
### Build from GitLab
```
docker build -t registry.e1dev.com/docker/caddy https://e1dev.com/docker/caddy.git
docker pull registry.e1dev.com/docker/caddy:latest
```
### Run image
```
docker run -it registry.e1dev.com/docker/caddy
```
### Use as base image
```Dockerfile
FROM registry.e1dev.com/docker/caddy:latest
```
docker run -p 2015:2015 registry.e1dev.com/docker/caddy
```
......@@ -7,5 +7,6 @@ import (
)
func main() {
caddymain.EnableTelemetry = false
caddymain.Run()
}
\ No newline at end of file
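Review bot: The added `caddymain.EnableTelemetry = false` has no comment saying why the default is being overridden, and a reader of `main` later will not know whether it is a privacy decision or a workaround. A one-line comment above it would settle that, e.g. `// Disable Caddy's built-in telemetry so containers built from this image do not report usage data.` The surrounding `main` is fully visible in the hunk, so nothing else changes.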
* {
proxy / https://staging-pages.event1.io {
proxy / {{.Env.PAGES_LOCATION}} {
transparent
}
gzip
tls {
ask https://api.event1.io/system/domain
ask {{.Env.CERT_CHECK_API}}
}
}
*.convention.page {
proxy / https://staging-pages.event1.io {
proxy / {{.Env.PAGES_LOCATION}} {
transparent
}
gzip
# tls certs@event1.io {
# tls {{.Env.LE_EMAIL}} {
# wildcard
# dns cloudflare
# }
......
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-abnormal
; User and group the process will run as.
User=www-data
Group=www-data
; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/var/lib/caddy
EnvironmentFile=/etc/caddy/envfile
ExecStartPre=/usr/local/bin/caddy -conf /etc/caddy/caddy.conf -validate
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/caddy.conf -root=/var/tmp -quic
ExecReload=/bin/kill -USR1 $MAINPID
; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/var/lib/caddy
ReadWriteDirectories=/var/log/caddy
; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
\ No newline at end of file
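Review bot: Two comments in the new unit file contradict the directives they annotate: the line `; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.` sits above `ReadWriteDirectories=/var/lib/caddy`, which is also the `CADDYPATH` set earlier in the file, and `; They further restrict privileges that can be gained by caddy. Uncomment if you like.` precedes `CapabilityBoundingSet`, `AmbientCapabilities` and `NoNewPrivileges` lines that are already active. Suggest rewriting the first as `; … except CADDYPATH (/var/lib/caddy), because Letsencrypt certificates are written there.` and dropping the "Uncomment if you like" sentence so the hardening reads as intentional. `ReadWriteDirectories=/var/log/caddy` may be unused, since `ExecStart` passes `-log stdout`; if that is the case the extra writable path can be removed.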