make apache container read-only

Signed-off-by: Simon L <szaimen@e.mail.de>
2025-12-19 22:16:49 +00:00 · 2023-06-26 17:27:13 +02:00 · 2023-06-26 17:27:13 +02:00 · 2d0b92db77
commit 2d0b92db77
parent bb63abd8a6
5 changed files with 20 additions and 7 deletions
--- a/Containers/apache/Dockerfile
+++ b/Containers/apache/Dockerfile
@ -22,6 +22,8 @@ RUN set -ex; \
    \
    mkdir -p /mnt/data; \
    chown -R www-data:www-data /mnt/data; \
+    mkdir /caddy; \
+    chown 777 /caddy; \
    \
    apk add --no-cache \
        bash \
@ -59,9 +61,13 @@ RUN set -ex; \
    mkdir /var/run/supervisord; \
    chown www-data:www-data /var/run/supervisord; \
    chown www-data:www-data /var/log/supervisord; \
+    chmod 777 /var/run/supervisord; \
+    chmod 777 /var/log/supervisord; \
    \
    chown -R www-data:www-data /usr/local/apache2; \
    chmod +r -R /usr/local/apache2; \
+    mkdir -p /usr/local/apache2/logs; \
+    chmod 777 -R /usr/local/apache2/logs; \
    \
    echo "root:$(openssl rand -base64 12)" | chpasswd

--- a/Containers/apache/start.sh
+++ b/Containers/apache/start.sh
@ -35,18 +35,18 @@ if [ "$APACHE_PORT" != '443' ]; then
 else
    CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /caddy/Caddyfile

 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
-    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /Caddyfile)"
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /caddy/Caddyfile)"
 else
-    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
+    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /caddy/Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /caddy/Caddyfile

 # Fix the Caddyfile format
-caddy fmt --overwrite /Caddyfile
+caddy fmt --overwrite /caddy/Caddyfile

 # Add caddy path
 mkdir -p /mnt/data/caddy/
--- a/Containers/apache/supervisord.conf
+++ b/Containers/apache/supervisord.conf
@ -20,4 +20,4 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /Caddyfile
+command=/usr/bin/caddy run --config /caddy/Caddyfile
--- a/php/containers-schema.json
+++ b/php/containers-schema.json
@ -141,7 +141,7 @@
 						"type": "array",
 						"items": {
 							"type": "string",
-							"pattern": "^/[a-z/_-]+$"
+							"pattern": "^/[a-z/_0-9-]+$"
 						}
 					},
 					"volumes": {
--- a/php/containers.json
+++ b/php/containers.json
@ -55,6 +55,13 @@
      ],
      "networks": [
        "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/log/supervisord",
+        "/var/run/supervisord",
+        "/usr/local/apache2/logs",
+        "/caddy"
      ]
    },
    {