expand initial filesystem

.devcontainer/Dockerfile

@@ -0,0 +1,171 @@
+# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-dockerfile.sh
+
+# ---/Dockerfile---
+FROM alpine:3.22 AS builder
+
+ARG INSTALL_DIR=/app
+
+ENV PYTHONUNBUFFERED=1
+
+# Install build dependencies
+RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev openssl-dev git \
+    && python -m venv /opt/venv
+
+# Enable venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+
+
+RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git
+
+
+# second stage
+FROM alpine:3.22 AS runner
+
+RUN addgroup -g 20211 netalertx && \
+    adduser -u 20211 -G netalertx -D -h /app netalertx && \
+    addgroup -g 20212 readonly && \
+    adduser -u 20212 -G readonly -D -h /app readonly
+
+ARG INSTALL_DIR=/app
+
+
+# Enable venv
+ENV PATH="/opt/venv/bin:/usr/bin:/sbin:/bin:$PATH" 
+
+
+
+ENV PORT=20211 LISTEN_ADDR=0.0.0.0 GRAPHQL_PORT=20212
+# NetAlertX app directories
+ENV NETALERTX_APP=/app
+ENV NETALERTX_CONFIG=${NETALERTX_APP}/config
+ENV NETALERTX_FRONT=${NETALERTX_APP}/front
+ENV NETALERTX_SERVER=${NETALERTX_APP}/server
+ENV NETALERTX_API=${NETALERTX_APP}/api
+ENV NETALERTX_DB=${NETALERTX_APP}/db
+ENV NETALERTX_BACK=${NETALERTX_APP}/back
+ENV NETALERTX_LOG=${NETALERTX_APP}/log
+ENV NETALERTX_PLUGINS_LOG=${NETALERTX_LOG}/plugins
+ENV NETALERTX_NGINIX_CONFIG=${NETALERTX_APP}/services/nginx
+ENV NETALERTX_SERVICES=${NETALERTX_APP}/services
+
+# NetAlertX log files
+ENV LOG_IP_CHANGES=${NETALERTX_LOG}/IP_changes.log
+ENV LOG_APP=${NETALERTX_LOG}/app.log
+ENV LOG_APP_FRONT=${NETALERTX_LOG}/app_front.log
+ENV LOG_REPORT_OUTPUT_TXT=${NETALERTX_LOG}/report_output.txt
+ENV LOG_DB_IS_LOCKED=${NETALERTX_LOG}/db_is_locked.log
+ENV LOG_REPORT_OUTPUT_HTML=${NETALERTX_LOG}/report_output.html
+ENV LOG_STDERR=${NETALERTX_LOG}/stderr.log
+ENV LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log
+ENV LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log
+ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json
+ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log
+ENV LOG_CROND=${NETALERTX_LOG}/crond.log
+
+# Important configuration files
+ENV NGINX_CONFIG_FILE=${NETALERTX_NGINIX_CONFIG}/nginx.conf
+ENV NETALERTX_CONFIG_FILE=${NETALERTX_CONFIG}/app.conf
+ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db
+ENV PHP_FPM_CONFIG_FILE=/etc/php83/php-fpm.conf
+ENV PHP_WWW_CONF_FILE=/etc/php83/php-fpm.d/www.conf
+ENV SYSTEM_SERVICES=/services
+
+RUN apk update --no-cache bash libbsd zip lsblk gettext-envsubst sudo mtr tzdata curl arp-scan iproute2 \
+    iproute2-ss nmap nmap-scripts traceroute nbtscan openrc dbus net-tools net-snmp-tools bind-tools awake \
+    ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 nginx sudo && \
+    rm -rf /var/cache/apk/* && \
+    rm -f /etc/nginx/http.d/default.conf
+
+# Install from previous build stage
+COPY --from=builder /opt/venv /opt/venv
+COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
+
+# Simple copy of directory structure instead of individual files or complicated directory structure with RUN mkdir
+COPY install/alpine-docker/ /
+
+RUN chmod -R a+x ${SYSTEM_SERVICES} /build/ /entrypoint.sh && \
+    sh -c "find ${NETALERTX_APP} -type d -exec chmod 750 {} \;" && \
+    sh -c "find ${NETALERTX_APP} -type f -exec chmod 640 {} \;" && \
+    sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) -exec chmod 750 {} \;"
+
+# Copy source
+RUN mkdir ${NETALERTX_API}
+
+# Install runtime dependencies
+
+
+
+#initialize each service with the dockerfiles/init-*.sh scripts, once.
+RUN sh /build/init-nginx.sh && \
+    sh /build/init-php-fpm.sh && \
+    sh /build/init-crond.sh && \
+    sh /build/init-backend.sh && \
+    rm -rf /build/*
+
+
+# set netalertx to allow sudoers for any command, no password
+RUN echo "netalertx ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+
+
+
+
+
+FROM runner AS hardened
+
+# remove netalertx from sudoers
+RUN sh -c "sed -i '/netalertx ALL=(ALL) NOPASSWD: ALL/d' /etc/sudoers"
+
+RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES}
+RUN chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} 
+RUN chmod 005 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} 
+RUN chmod -R 005 ${SYSTEM_SERVICES}
+
+RUN chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_CONFIG_FILE} ${NETALERTX_DB_FILE} && \
+    chmod -R 600 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_LOG} ${NETALERTX_API} && \
+    chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_LOG} ${NETALERTX_API}
+
+
+RUN chown readonly:readonly /
+RUN chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run
+RUN echo -ne '#!/bin/bash\nexit 0\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+
+RUN find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o -group 0 -o -user 0 -exec chown readonly:readonly {} +
+
+
+USER netalertx
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
+CMD /usr/local/bin/healthcheck.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+
+
+# ---/resources/devcontainer-Dockerfile---
+
+# Devcontainer build stage (do not build directly)
+# This file is combined with the root /Dockerfile by
+#   .devcontainer/scripts/generate-dockerfile.sh
+# The generator appends this stage to produce .devcontainer/Dockerfile.
+# Prefer to place dev-only setup here; use setup.sh only for runtime fixes.
+
+FROM runner AS netalertx-devcontainer
+ENV INSTALL_DIR=/app 
+ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages
+
+COPY .devcontainer/resources/99-xdebug.ini /etc/php83/conf.d/99-xdebug.ini
+
+# Install common tools, create user, and set up sudo
+RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov shadow
+  
+# Install debugpy in the virtualenv if present, otherwise into system python3
+RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true'
+RUN /opt/venv/bin/python -m pip install -U pytest pytest-cov
+
+USER netalertx
+
+WORKDIR /workspaces/NetAlertX
+
+
+ENTRYPOINT ["/bin/sh","-c","sleep infinity"]

.devcontainer/devcontainer.json

@@ -2,9 +2,9 @@
   "name": "NetAlertX DevContainer",
   "remoteUser": "netalertx",
   "build": {
-    "dockerfile": "../Dockerfile",
-    "context": "..",
-    "target": "runner"
+    "dockerfile": "./Dockerfile",
+    "context": "../",
+    "target": "netalertx-devcontainer"
   },
   "workspaceFolder": "/workspaces/NetAlertX",
   "runArgs": [
@@ -20,7 +20,7 @@
   
   
   
-  "postStartCommand": "sudo ${containerWorkspaceFolder}/.devcontainer/scripts/setup.sh",
+  "postStartCommand": "${containerWorkspaceFolder}/.devcontainer/scripts/setup.sh",
   
   "customizations": {
     "vscode": {

.devcontainer/resources/devcontainer-Dockerfile

@@ -4,46 +4,20 @@
 # The generator appends this stage to produce .devcontainer/Dockerfile.
 # Prefer to place dev-only setup here; use setup.sh only for runtime fixes.
 
-FROM runner AS devcontainer
+FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app 
 ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages
 
+COPY .devcontainer/resources/99-xdebug.ini /etc/php83/conf.d/99-xdebug.ini
+
 # Install common tools, create user, and set up sudo
-RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov && \
-    adduser -D -s /bin/sh netalertx && \
-    addgroup netalertx nginx && \
-    addgroup netalertx www-data && \
-    echo "netalertx ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/90-netalertx && \
-    chmod 440 /etc/sudoers.d/90-netalertx
+RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov shadow
+  
 # Install debugpy in the virtualenv if present, otherwise into system python3
 RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true'
-# setup nginx
-COPY .devcontainer/resources/netalertx-devcontainer.conf /etc/nginx/http.d/netalert-frontend.conf
-RUN set -e; \
-    chown netalertx:nginx /etc/nginx/http.d/netalert-frontend.conf; \
-    install -d -o netalertx -g www-data -m 775 /app; \
-    install -d -o netalertx -g www-data -m 755 /run/nginx; \
-    install -d -o netalertx -g www-data -m 755 /var/lib/nginx/logs; \
-    rm -f /var/lib/nginx/logs/* || true; \
-    for f in error access; do : > /var/lib/nginx/logs/$f.log; done; \
-    install -d -o netalertx -g www-data -m 777 /run/php; \
-    install -d -o netalertx -g www-data -m 775 /var/log/php; \
-    chown -R netalertx:www-data /etc/nginx/http.d; \
-    chmod -R 775 /etc/nginx/http.d; \
-    chown -R netalertx:www-data /var/lib/nginx; \
-    chmod -R 755 /var/lib/nginx && \
-    chown -R netalertx:www-data /var/log/nginx/ && \
-    sed -i '/^user /d' /etc/nginx/nginx.conf; \
-    sed -i 's|^error_log .*|error_log /dev/stderr warn;|' /etc/nginx/nginx.conf; \
-    sed -i 's|^access_log .*|access_log /dev/stdout main;|' /etc/nginx/nginx.conf; \
-    sed -i 's|error_log .*|error_log /dev/stderr warn;|g' /etc/nginx/http.d/*.conf 2>/dev/null || true; \
-    sed -i 's|access_log .*|access_log /dev/stdout main;|g' /etc/nginx/http.d/*.conf 2>/dev/null || true; \
-    mkdir -p /run/openrc; \
-    chown netalertx:nginx /run/openrc/; \
-    rm -Rf /run/openrc/*;
+RUN /opt/venv/bin/python -m pip install -U pytest pytest-cov
 
-# setup pytest
-RUN sudo /opt/venv/bin/python -m pip install -U pytest pytest-cov
+USER netalertx
 
 WORKDIR /workspaces/NetAlertX
 

.devcontainer/scripts/generate-dockerfile.sh

@@ -23,12 +23,6 @@ echo "# ---/Dockerfile---" >> "$OUT_FILE"
 
 sed '/${INSTALL_DIR}/d' "${ROOT_DIR}/Dockerfile" >> "$OUT_FILE"
 
-# sed the line https://github.com/foreign-sub/aiofreepybox.git \\ to remove trailing backslash
-sed -i '/aiofreepybox.git/ s/ \\$//' "$OUT_FILE"
-
-# don't cat the file, just copy it in because it doesn't exist at build time
-sed -i 's|^ RUN cat ${INSTALL_DIR}/install/freebox_certificate.pem >> /opt/venv/lib/python3.12/site-packages/aiofreepybox/freebox_certificates.pem$| COPY install/freebox_certificate.pem /opt/venv/lib/python3.12/site-packages/aiofreepybox/freebox_certificates.pem |' "$OUT_FILE"
-
 echo "" >> "$OUT_FILE"
 echo "# ---/resources/devcontainer-Dockerfile---" >> "$OUT_FILE"
 echo "" >> "$OUT_FILE"

.devcontainer/scripts/setup.sh

@@ -1,4 +1,4 @@
-#! /bin/bash
+#! /bin/sh
 # Runtime setup for devcontainer (executed after container starts).
 # Prefer building setup into resources/devcontainer-Dockerfile when possible.
 # Use this script for runtime-only adjustments (permissions, sockets, ownership,
@@ -29,8 +29,7 @@ export TZ=Europe/Paris
 export PORT=20211
 export SOURCE_DIR="/workspaces/NetAlertX"
 
-apk add git
- 
+
 main() {
     echo "=== NetAlertX Development Container Setup ==="
     echo "Setting up ${SOURCE_DIR}..."
@@ -66,50 +65,36 @@ safe_link() {
 configure_source() {
     echo "[1/3] Configuring Source..."
     echo "  -> Linking source to ${INSTALL_DIR}"
-    echo "Dev">${INSTALL_DIR}/.VERSION
+    rm -Rf ${INSTALL_DIR}/* || true
+
+    sudo ln -s -fT ${SOURCE_DIR}/back ${INSTALL_DIR}/back
+    sudo ln -s -fT ${SOURCE_DIR}/front ${INSTALL_DIR}/front
+    sudo ln -s -fT ${SOURCE_DIR}/config ${INSTALL_DIR}/config
+    sudo ln -s -fT ${SOURCE_DIR}/db ${INSTALL_DIR}/db
+    sudo ln -s -fT ${SOURCE_DIR}/server ${INSTALL_DIR}/server
+    
 
     echo "  -> Mounting ramdisks for /log and /api"
-    sudo mount -t tmpfs -o size=256M tmpfs "${SOURCE_DIR}/log"
-    sudo mount -t tmpfs -o size=512M tmpfs "${SOURCE_DIR}/api"
-    safe_link ${SOURCE_DIR}/api           ${INSTALL_DIR}/api
-    safe_link ${SOURCE_DIR}/back          ${INSTALL_DIR}/back
-    safe_link "${SOURCE_DIR}/config"     "${INSTALL_DIR}/config"
-    safe_link "${SOURCE_DIR}/db"         "${INSTALL_DIR}/db"
-    if [ ! -f "${SOURCE_DIR}/config/app.conf" ]; then
-        cp ${SOURCE_DIR}/back/app.conf ${INSTALL_DIR}/config/
-        cp ${SOURCE_DIR}/back/app.db ${INSTALL_DIR}/db/
-    fi
-
-    safe_link "${SOURCE_DIR}/docs"       "${INSTALL_DIR}/docs"
-    safe_link "${SOURCE_DIR}/front"      "${INSTALL_DIR}/front"
-    safe_link "${SOURCE_DIR}/install"    "${INSTALL_DIR}/install"
-    safe_link "${SOURCE_DIR}/scripts"    "${INSTALL_DIR}/scripts"
-    safe_link "${SOURCE_DIR}/server"     "${INSTALL_DIR}/server"
-    safe_link "${SOURCE_DIR}/test"       "${INSTALL_DIR}/test"
-    safe_link "${SOURCE_DIR}/log"       "${INSTALL_DIR}/log"
-    safe_link "${SOURCE_DIR}/mkdocs.yml" "${INSTALL_DIR}/mkdocs.yml"
-
-    echo "  -> Copying static files to ${INSTALL_DIR}"
-    cp -R ${SOURCE_DIR}/CODE_OF_CONDUCT.md ${INSTALL_DIR}/
-    cp -R ${SOURCE_DIR}/install/ /
-    if [ -e "${INSTALL_DIR}/api/user_notifications.json" ]; then
-        echo "  -> Removing existing user_notifications.json"
-        sudo rm "${INSTALL_DIR}"/api/user_notifications.json
-    fi
+   
+    mkdir ${INSTALL_DIR}/logt ${INSTALL_DIR}/apit || true
+    cp -R ${SOURCE_DIR}/log/* ${INSTALL_DIR}/logt/ || true
+    cp ${SOURCE_DIR}/api/* ${INSTALL_DIR}/apit/ || true
+    sudo mount -t tmpfs -o size=256M tmpfs "${INSTALL_DIR}/log"
+    sudo mount -t tmpfs -o size=512M tmpfs "${INSTALL_DIR}/api"
+    sudo cp -R ${INSTALL_DIR}/logt/* ${INSTALL_DIR}/log/ || true
+    sudo cp -R ${INSTALL_DIR}/apit/* ${INSTALL_DIR}/api/ || true
+    rm -Rf ${INSTALL_DIR}/logt ${INSTALL_DIR}/apit || true
+    echo "Dev">${INSTALL_DIR}/.VERSION
+    
 
 
     
     echo "  -> Setting ownership and permissions"
-    sudo find ${INSTALL_DIR}/ -type d -exec chmod 775 {} \;
-    sudo find ${INSTALL_DIR}/ -type f -exec chmod 664 {} \;
+    usermod -g netalertx nginx 
     sudo date +%s > "${INSTALL_DIR}/front/buildtimestamp.txt"
-    sudo chmod 640 "${INSTALL_DIR}/config/${CONF_FILE}" || true
+    
 
 
-
-    echo "  -> Setting up log directory"
-    install -d -o netalertx -g www-data -m 777 ${INSTALL_DIR}/log/plugins
-
     echo "  -> Empty log"|tee ${INSTALL_DIR}/log/app.log \
         ${INSTALL_DIR}/log/app_front.log \
         ${INSTALL_DIR}/log/stdout.log

.vscode/tasks.json

@@ -27,7 +27,7 @@
     {
       "label": "Re-Run Startup Script",
       "type": "shell",
-      "command": "sudo ${workspaceFolder:NetAlertX}/.devcontainer/scripts/setup.sh",
+      "command": "${workspaceFolder:NetAlertX}/.devcontainer/scripts/setup.sh",
       "presentation": {
         "echo": true,
         "reveal": "always",

Dockerfile

@@ -11,19 +11,10 @@ RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev o
 # Enable venv
 ENV PATH="/opt/venv/bin:$PATH"
 
-RUN mkdir -p ${INSTALL_DIR}
-COPY api ${INSTALL_DIR}/api
-COPY back ${INSTALL_DIR}/back
-COPY config ${INSTALL_DIR}/config
-COPY db ${INSTALL_DIR}/db
-COPY front ${INSTALL_DIR}/front
-COPY server ${INSTALL_DIR}/server
+
 
 RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git
 
-RUN bash -c "find ${INSTALL_DIR} -type d -exec chmod 750 {} \;" \
-    && bash -c "find ${INSTALL_DIR} -type f -exec chmod 640 {} \;" \
-    && bash -c "find ${INSTALL_DIR} -type f \( -name '*.sh' -o -name '*.py'  -o -name 'speedtest-cli' \) -exec chmod 750 {} \;"
 
 # second stage
 FROM alpine:3.22 AS runner
@@ -34,13 +25,10 @@ RUN addgroup -g 20211 netalertx && \
     adduser -u 20212 -G readonly -D -h /app readonly
 
 ARG INSTALL_DIR=/app
-COPY --from=builder /opt/venv /opt/venv
-COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
 
-COPY install/alpine-docker/ /
 
 # Enable venv
-ENV PATH="/opt/venv/bin:$PATH" 
+ENV PATH="/opt/venv/bin:/usr/bin:/sbin:/bin:$PATH" 
 
 
 
@@ -80,60 +68,40 @@ ENV PHP_FPM_CONFIG_FILE=/etc/php83/php-fpm.conf
 ENV PHP_WWW_CONF_FILE=/etc/php83/php-fpm.d/www.conf
 ENV SYSTEM_SERVICES=/services
 
+RUN apk update --no-cache bash libbsd zip lsblk gettext-envsubst sudo mtr tzdata curl arp-scan iproute2 \
+    iproute2-ss nmap nmap-scripts traceroute nbtscan openrc dbus net-tools net-snmp-tools bind-tools awake \
+    ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 nginx sudo && \
+    rm -rf /var/cache/apk/* && \
+    rm -f /etc/nginx/http.d/default.conf
 
-RUN apk update --no-cache \
-    && apk add --no-cache bash libbsd zip lsblk gettext-envsubst sudo mtr tzdata \
-    && apk add --no-cache curl arp-scan iproute2 iproute2-ss nmap nmap-scripts traceroute nbtscan openrc dbus net-tools net-snmp-tools bind-tools awake ca-certificates \
-    && apk add --no-cache sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session \
-    && apk add --no-cache python3 nginx
+# Install from previous build stage
+COPY --from=builder /opt/venv /opt/venv
+COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
 
+# Simple copy of directory structure instead of individual files or complicated directory structure with RUN mkdir
+COPY install/alpine-docker/ /
 
-COPY --from=builder --chown=netalertx:netalertx ${INSTALL_DIR}/ ${INSTALL_DIR}/
-# set this properly to handle recursive ownership changes
-RUN ln -s /usr/bin/awake /usr/bin/wakeonlan \
-    && rm -f /etc/nginx/http.d/default.conf
+RUN chmod -R a+x ${SYSTEM_SERVICES} /build/ /entrypoint.sh && \
+    sh -c "find ${NETALERTX_APP} -type d -exec chmod 750 {} \;" && \
+    sh -c "find ${NETALERTX_APP} -type f -exec chmod 640 {} \;" && \
+    sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) -exec chmod 750 {} \;"
 
+# Copy source
+COPY back ${INSTALL_DIR}/back
+COPY front ${INSTALL_DIR}/front
+COPY server ${INSTALL_DIR}/server
+RUN mkdir ${NETALERTX_API}
 
-# Create required directories
-RUN mkdir -p ${INSTALL_DIR}/config ${INSTALL_DIR}/db ${INSTALL_DIR}/log/plugins
-
-
-
-# Create empty log files and API files
-RUN touch ${LOG_APP} \
-    && touch ${LOG_EXECUTION_QUEUE} \
-    && touch ${LOG_APP_FRONT} \
-    && touch ${LOG_APP_PHP_ERRORS} \
-    && touch ${LOG_STDERR} \
-    && touch ${LOG_STDOUT} \
-    && touch ${LOG_DB_IS_LOCKED} \
-    && touch ${LOG_IP_CHANGES} \
-    && touch ${LOG_REPORT_OUTPUT_TXT} \
-    && touch ${LOG_REPORT_OUTPUT_HTML} \
-    && touch ${LOG_REPORT_OUTPUT_JSON} \
-    && touch ${NETALERTX_API}/user_notifications.json 
-
-# Setup services
-RUN mkdir -p ${SYSTEM_SERVICES}
-
+# Install runtime dependencies
 
 
 
 #initialize each service with the dockerfiles/init-*.sh scripts, once.
-RUN chmod +x /build/*.sh \
-    && /build/init-nginx.sh \
-    && /build/init-php-fpm.sh \
-    && /build/init-crond.sh \
-    && /build/init-backend.sh \
-    && rm -rf /build/*
-
-# Create buildtimestamp.txt
-
-RUN chmod +x ${SYSTEM_SERVICES}/*.sh /entrypoint.sh
-
-# Setup config and db files
-RUN cp ${NETALERTX_BACK}/app.conf ${NETALERTX_CONFIG_FILE} && \
-    cp ${NETALERTX_BACK}/app.db ${NETALERTX_DB_FILE}
+RUN sh /build/init-nginx.sh && \
+    sh /build/init-php-fpm.sh && \
+    sh /build/init-crond.sh && \
+    sh /build/init-backend.sh && \
+    rm -rf /build/*
 
 
 # set netalertx to allow sudoers for any command, no password
@@ -147,7 +115,7 @@ RUN date +%s > ${INSTALL_DIR}/front/buildtimestamp.txt
 FROM runner AS hardened
 
 # remove netalertx from sudoers
-RUN sed -i '/netalertx ALL=(ALL) NOPASSWD: ALL/d
+RUN sh -c "sed -i '/netalertx ALL=(ALL) NOPASSWD: ALL/d' /etc/sudoers"
 
 RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES}
 RUN chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} 
@@ -160,10 +128,7 @@ RUN chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX
 
 
 RUN chown readonly:readonly /
-RUN rm /usr/bin/sudo
-RUN touch /var/log/nginx/access.log /var/log/nginx/error.log
-RUN chown -R netalertx:netalertx /var/log/nginx /run/
-RUN chown -R netalertx:netalertx /var/lib/nginx 
+RUN chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run
 RUN echo -ne '#!/bin/bash\nexit 0\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
 
 RUN find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o -group 0 -o -user 0 -exec chown readonly:readonly {} +

install/alpine-docker/app/config/app.conf

@@ -0,0 +1,108 @@
+#-----------------AUTOGENERATED FILE-----------------#
+#                                                    #
+#         Generated:  2022-12-30_22-19-40            #
+#                                                    #
+#   Config file for the LAN intruder detection app:  #
+#      https://github.com/jokob-sk/NetAlertX         #
+#                                                    #
+#-----------------AUTOGENERATED FILE-----------------#
+
+# 🔺 Use the Settings UI - only edit when necessary 🔺
+
+# General
+#---------------------------
+# Scan using interface eth0
+# SCAN_SUBNETS    = ['192.168.1.0/24 --interface=eth0']
+#
+# Scan multiple interfaces (eth1 and eth0):
+# SCAN_SUBNETS    = [ '192.168.1.0/24 --interface=eth1', '192.168.1.0/24 --interface=eth0' ]
+
+DISCOVER_PLUGINS=True
+SCAN_SUBNETS=['--localnet']
+TIMEZONE='Europe/Berlin'
+LOADED_PLUGINS=['ARPSCAN', 'AVAHISCAN', 'CSVBCKP','DBCLNP', 'DIGSCAN', 'INTRNT', 'MAINT', 'NEWDEV', 'NBTSCAN', 'NSLOOKUP','NTFPRCS', 'SETPWD', 'SMTP', 'SYNC', 'VNDRPDT', 'WORKFLOWS', 'UI']
+
+DAYS_TO_KEEP_EVENTS=90
+# Used for generating links in emails. Make sure not to add a trailing slash!
+REPORT_DASHBOARD_URL='update_REPORT_DASHBOARD_URL_setting'
+
+# Make sure at least these scanners are enabled for new installs, other defaults are taken from the config.json
+INTRNT_RUN='schedule'
+ARPSCAN_RUN='schedule'
+NSLOOKUP_RUN='before_name_updates'
+AVAHISCAN_RUN='before_name_updates'
+NBTSCAN_RUN='before_name_updates'
+
+# Email 
+#-------------------------------------
+# (add SMTP to LOADED_PLUGINS to load)
+#-------------------------------------
+SMTP_RUN='disabled'  # use 'on_notification' to enable
+SMTP_SERVER='smtp.gmail.com'
+SMTP_PORT=587
+SMTP_REPORT_TO='user@gmail.com'
+SMTP_REPORT_FROM='NetAlertX <user@gmail.com>'
+SMTP_SKIP_LOGIN=False
+SMTP_USER='user@gmail.com'
+SMTP_PASS='password'
+SMTP_SKIP_TLS=False
+
+
+# Webhook 
+#-------------------------------------
+# (add WEBHOOK to LOADED_PLUGINS to load)
+#-------------------------------------
+WEBHOOK_RUN='disabled'  # use 'on_notification' to enable
+WEBHOOK_URL='http://n8n.local:5555/webhook-test/aaaaaaaa-aaaa-aaaa-aaaaa-aaaaaaaaaaaa'
+WEBHOOK_PAYLOAD='json'                 # webhook payload data format for the "body > attachements > text" attribute 
+                                       # in https://github.com/jokob-sk/NetAlertX/blob/main/docs/webhook_json_sample.json 
+                                       #   supported values: 'json', 'html' or 'text'
+                                       #   e.g.: for discord use 'html'
+WEBHOOK_REQUEST_METHOD='GET'
+
+
+# Apprise 
+#-------------------------------------
+# (add APPRISE to LOADED_PLUGINS to load)
+#-------------------------------------
+APPRISE_RUN='disabled'  # use 'on_notification' to enable
+APPRISE_HOST='http://localhost:8000/notify'
+APPRISE_URL='mailto://smtp-relay.sendinblue.com:587?from=user@gmail.com&name=apprise&user=user@gmail.com&pass=password&to=user@gmail.com'
+
+
+# NTFY
+#------------------------------------- 
+# (add NTFY to LOADED_PLUGINS to load)
+#-------------------------------------
+NTFY_RUN='disabled'  # use 'on_notification' to enable
+NTFY_HOST='https://ntfy.sh'
+NTFY_TOPIC='replace_my_secure_topicname_91h889f28'
+NTFY_USER='user'
+NTFY_PASSWORD='passw0rd'
+
+
+# PUSHSAFER 
+#-------------------------------------
+# (add PUSHSAFER to LOADED_PLUGINS to load)
+#-------------------------------------
+PUSHSAFER_RUN='disabled'  # use 'on_notification' to enable
+PUSHSAFER_TOKEN='ApiKey'
+
+
+# MQTT 
+#-------------------------------------
+# (add MQTT to LOADED_PLUGINS to load)
+#-------------------------------------
+MQTT_RUN='disabled'  # use 'on_notification' to enable
+MQTT_BROKER='192.168.1.2'
+MQTT_PORT=1883
+MQTT_USER='mqtt'
+MQTT_PASSWORD='passw0rd'
+MQTT_QOS=0
+MQTT_DELAY_SEC=2
+
+
+#-------------------IMPORTANT INFO-------------------#
+#   This file is ingested by a python script, so if  #
+#        modified it needs to use python syntax      #
+#-------------------IMPORTANT INFO-------------------#