diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
new file mode 100644
index 00000000..f4ff511f
--- /dev/null
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,171 @@ +# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-dockerfile.sh + +# ---/Dockerfile--- +FROM alpine:3.22 AS builder + +ARG INSTALL_DIR=/app + +ENV PYTHONUNBUFFERED=1 + +# Install build dependencies +RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev openssl-dev git \ + && python -m venv /opt/venv + +# Enable venv +ENV PATH="/opt/venv/bin:$PATH" + + + +RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git + + +# second stage +FROM alpine:3.22 AS runner + +RUN addgroup -g 20211 netalertx && \ + adduser -u 20211 -G netalertx -D -h /app netalertx && \ + addgroup -g 20212 readonly && \ + adduser -u 20212 -G readonly -D -h /app readonly + +ARG INSTALL_DIR=/app + + +# Enable venv +ENV PATH="/opt/venv/bin:/usr/bin:/sbin:/bin:$PATH" + + + +ENV PORT=20211 LISTEN_ADDR=0.0.0.0 GRAPHQL_PORT=20212 +# NetAlertX app directories +ENV NETALERTX_APP=/app +ENV NETALERTX_CONFIG=${NETALERTX_APP}/config +ENV NETALERTX_FRONT=${NETALERTX_APP}/front +ENV NETALERTX_SERVER=${NETALERTX_APP}/server +ENV NETALERTX_API=${NETALERTX_APP}/api +ENV NETALERTX_DB=${NETALERTX_APP}/db +ENV NETALERTX_BACK=${NETALERTX_APP}/back +ENV NETALERTX_LOG=${NETALERTX_APP}/log +ENV NETALERTX_PLUGINS_LOG=${NETALERTX_LOG}/plugins +ENV NETALERTX_NGINIX_CONFIG=${NETALERTX_APP}/services/nginx +ENV NETALERTX_SERVICES=${NETALERTX_APP}/services + +# NetAlertX log files +ENV LOG_IP_CHANGES=${NETALERTX_LOG}/IP_changes.log +ENV LOG_APP=${NETALERTX_LOG}/app.log +ENV LOG_APP_FRONT=${NETALERTX_LOG}/app_front.log +ENV LOG_REPORT_OUTPUT_TXT=${NETALERTX_LOG}/report_output.txt +ENV LOG_DB_IS_LOCKED=${NETALERTX_LOG}/db_is_locked.log +ENV 
LOG_REPORT_OUTPUT_HTML=${NETALERTX_LOG}/report_output.html +ENV LOG_STDERR=${NETALERTX_LOG}/stderr.log +ENV LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log +ENV LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log +ENV LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json +ENV LOG_STDOUT=${NETALERTX_LOG}/stdout.log +ENV LOG_CROND=${NETALERTX_LOG}/crond.log + +# Important configuration files +ENV NGINX_CONFIG_FILE=${NETALERTX_NGINIX_CONFIG}/nginx.conf +ENV NETALERTX_CONFIG_FILE=${NETALERTX_CONFIG}/app.conf +ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db +ENV PHP_FPM_CONFIG_FILE=/etc/php83/php-fpm.conf +ENV PHP_WWW_CONF_FILE=/etc/php83/php-fpm.d/www.conf +ENV SYSTEM_SERVICES=/services + +RUN apk update --no-cache bash libbsd zip lsblk gettext-envsubst sudo mtr tzdata curl arp-scan iproute2 \ + iproute2-ss nmap nmap-scripts traceroute nbtscan openrc dbus net-tools net-snmp-tools bind-tools awake \ + ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 nginx sudo && \ + rm -rf /var/cache/apk/* && \ + rm -f /etc/nginx/http.d/default.conf + +# Install from previous build stage +COPY --from=builder /opt/venv /opt/venv +COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/ + +# Simple copy of directory structure instead of individual files or complicated directory structure with RUN mkdir +COPY install/alpine-docker/ / + +RUN chmod -R a+x ${SYSTEM_SERVICES} /build/ /entrypoint.sh && \ + sh -c "find ${NETALERTX_APP} -type d -exec chmod 750 {} \;" && \ + sh -c "find ${NETALERTX_APP} -type f -exec chmod 640 {} \;" && \ + sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) -exec chmod 750 {} \;" + +# Copy source +RUN mkdir ${NETALERTX_API} + +# Install runtime dependencies + + + +#initialize each service with the dockerfiles/init-*.sh scripts, once. 
+RUN sh /build/init-nginx.sh && \ + sh /build/init-php-fpm.sh && \ + sh /build/init-crond.sh && \ + sh /build/init-backend.sh && \ + rm -rf /build/* + + +# set netalertx to allow sudoers for any command, no password +RUN echo "netalertx ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers + + + + + +FROM runner AS hardened + +# remove netalertx from sudoers +RUN sh -c "sed -i '/netalertx ALL=(ALL) NOPASSWD: ALL/d' /etc/sudoers" + +RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} +RUN chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} +RUN chmod 005 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} +RUN chmod -R 005 ${SYSTEM_SERVICES} + +RUN chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_CONFIG_FILE} ${NETALERTX_DB_FILE} && \ + chmod -R 600 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_LOG} ${NETALERTX_API} && \ + chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_LOG} ${NETALERTX_API} + + +RUN chown readonly:readonly / +RUN chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run +RUN echo -ne '#!/bin/bash\nexit 0\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo + +RUN find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o -group 0 -o -user 0 -exec chown readonly:readonly {} + + + +USER netalertx + +HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \ +CMD /usr/local/bin/healthcheck.sh + +ENTRYPOINT ["/entrypoint.sh"] + + + +# ---/resources/devcontainer-Dockerfile--- + +# Devcontainer build stage (do not build directly) +# This file is combined with the root /Dockerfile by +# .devcontainer/scripts/generate-dockerfile.sh +# The generator appends this stage to produce .devcontainer/Dockerfile. +# Prefer to place dev-only setup here; use setup.sh only for runtime fixes. 
+ +FROM runner AS netalertx-devcontainer +ENV INSTALL_DIR=/app +ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages + +COPY .devcontainer/resources/99-xdebug.ini /etc/php83/conf.d/99-xdebug.ini + +# Install common tools, create user, and set up sudo +RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov shadow + +# Install debugpy in the virtualenv if present, otherwise into system python3 +RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true' +RUN /opt/venv/bin/python -m pip install -U pytest pytest-cov + +USER netalertx + +WORKDIR /workspaces/NetAlertX + + +ENTRYPOINT ["/bin/sh","-c","sleep infinity"] \ No newline at end of file diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 8de111ad..d3c08dc7 100755 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -2,9 +2,9 @@ "name": "NetAlertX DevContainer", "remoteUser": "netalertx", "build": { - "dockerfile": "../Dockerfile", - "context": "..", - "target": "runner" + "dockerfile": "./Dockerfile", + "context": "../", + "target": "netalertx-devcontainer" }, "workspaceFolder": "/workspaces/NetAlertX", "runArgs": [ @@ -20,7 +20,7 @@ - "postStartCommand": "sudo ${containerWorkspaceFolder}/.devcontainer/scripts/setup.sh", + "postStartCommand": "${containerWorkspaceFolder}/.devcontainer/scripts/setup.sh", "customizations": { "vscode": { diff --git a/.devcontainer/resources/devcontainer-Dockerfile b/.devcontainer/resources/devcontainer-Dockerfile index 88ef4ece..8924430c 100755 --- a/.devcontainer/resources/devcontainer-Dockerfile +++ b/.devcontainer/resources/devcontainer-Dockerfile 
@@ -4,46 +4,20 @@ # The generator appends this stage to produce .devcontainer/Dockerfile. # Prefer to place dev-only setup here; use setup.sh only for runtime fixes. -FROM runner AS devcontainer +FROM runner AS netalertx-devcontainer ENV INSTALL_DIR=/app ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages +COPY .devcontainer/resources/99-xdebug.ini /etc/php83/conf.d/99-xdebug.ini + # Install common tools, create user, and set up sudo -RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov && \ - adduser -D -s /bin/sh netalertx && \ - addgroup netalertx nginx && \ - addgroup netalertx www-data && \ - echo "netalertx ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/90-netalertx && \ - chmod 440 /etc/sudoers.d/90-netalertx +RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov shadow + # Install debugpy in the virtualenv if present, otherwise into system python3 RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true' -# setup nginx -COPY .devcontainer/resources/netalertx-devcontainer.conf /etc/nginx/http.d/netalert-frontend.conf -RUN set -e; \ - chown netalertx:nginx /etc/nginx/http.d/netalert-frontend.conf; \ - install -d -o netalertx -g www-data -m 775 /app; \ - install -d -o netalertx -g www-data -m 755 /run/nginx; \ - install -d -o netalertx -g www-data -m 755 /var/lib/nginx/logs; \ - rm -f /var/lib/nginx/logs/* || true; \ - for f in error access; do : > /var/lib/nginx/logs/$f.log; done; \ - install -d -o netalertx -g www-data -m 777 /run/php; \ - install -d -o netalertx -g www-data -m 775 /var/log/php; \ - chown -R netalertx:www-data /etc/nginx/http.d; \ - chmod -R 775 /etc/nginx/http.d; \ - chown -R netalertx:www-data /var/lib/nginx; \ - chmod -R 755 /var/lib/nginx && \ - chown -R netalertx:www-data /var/log/nginx/ && \ 
- sed -i '/^user /d' /etc/nginx/nginx.conf; \ - sed -i 's|^error_log .*|error_log /dev/stderr warn;|' /etc/nginx/nginx.conf; \ - sed -i 's|^access_log .*|access_log /dev/stdout main;|' /etc/nginx/nginx.conf; \ - sed -i 's|error_log .*|error_log /dev/stderr warn;|g' /etc/nginx/http.d/*.conf 2>/dev/null || true; \ - sed -i 's|access_log .*|access_log /dev/stdout main;|g' /etc/nginx/http.d/*.conf 2>/dev/null || true; \ - mkdir -p /run/openrc; \ - chown netalertx:nginx /run/openrc/; \ - rm -Rf /run/openrc/*; +RUN /opt/venv/bin/python -m pip install -U pytest pytest-cov -# setup pytest -RUN sudo /opt/venv/bin/python -m pip install -U pytest pytest-cov +USER netalertx WORKDIR /workspaces/NetAlertX diff --git a/.devcontainer/scripts/generate-dockerfile.sh b/.devcontainer/scripts/generate-dockerfile.sh index d97cefd9..95a94b6a 100755 --- a/.devcontainer/scripts/generate-dockerfile.sh +++ b/.devcontainer/scripts/generate-dockerfile.sh @@ -23,12 +23,6 @@ echo "# ---/Dockerfile---" >> "$OUT_FILE" sed '/${INSTALL_DIR}/d' "${ROOT_DIR}/Dockerfile" >> "$OUT_FILE" -# sed the line https://github.com/foreign-sub/aiofreepybox.git \\ to remove trailing backslash -sed -i '/aiofreepybox.git/ s/ \\$//' "$OUT_FILE" - -# don't cat the file, just copy it in because it doesn't exist at build time -sed -i 's|^ RUN cat ${INSTALL_DIR}/install/freebox_certificate.pem >> /opt/venv/lib/python3.12/site-packages/aiofreepybox/freebox_certificates.pem$| COPY install/freebox_certificate.pem /opt/venv/lib/python3.12/site-packages/aiofreepybox/freebox_certificates.pem |' "$OUT_FILE" - echo "" >> "$OUT_FILE" echo "# ---/resources/devcontainer-Dockerfile---" >> "$OUT_FILE" echo "" >> "$OUT_FILE" diff --git a/.devcontainer/scripts/setup.sh b/.devcontainer/scripts/setup.sh index 611f75fc..f6ba1d86 100755 --- a/.devcontainer/scripts/setup.sh +++ b/.devcontainer/scripts/setup.sh 
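Review bot: The comment `# Install common tools, create user, and set up sudo` above the new `RUN apk add --no-cache git nano vim …` line is stale: the `adduser`/`addgroup` and `/etc/sudoers.d/90-netalertx` steps it described were removed in this hunk, and the netalertx user and its sudoers entry now come from the `runner` stage this stage builds on. Suggest `# Install dev-only tooling (editors, xdebug, debugpy, test runners); the user and sudo policy are inherited from the runner stage`. The same `apk add` line also installs `pytest pytest-cov`, while the new `RUN /opt/venv/bin/python -m pip install -U pytest pytest-cov` pulls unpinned copies into the venv; keeping one of the two, with pinned versions, would make the dev image reproducible.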
@@ -1,4 +1,4 @@ -#! /bin/bash +#! /bin/sh # Runtime setup for devcontainer (executed after container starts). # Prefer building setup into resources/devcontainer-Dockerfile when possible. # Use this script for runtime-only adjustments (permissions, sockets, ownership, @@ -29,8 +29,7 @@ export TZ=Europe/Paris export PORT=20211 export SOURCE_DIR="/workspaces/NetAlertX" -apk add git - + main() { echo "=== NetAlertX Development Container Setup ===" echo "Setting up ${SOURCE_DIR}..." 
@@ -66,50 +65,36 @@ safe_link() { configure_source() { echo "[1/3] Configuring Source..." echo " -> Linking source to ${INSTALL_DIR}" - echo "Dev">${INSTALL_DIR}/.VERSION + rm -Rf ${INSTALL_DIR}/* || true + + sudo ln -s -fT ${SOURCE_DIR}/back ${INSTALL_DIR}/back + sudo ln -s -fT ${SOURCE_DIR}/front ${INSTALL_DIR}/front + sudo ln -s -fT ${SOURCE_DIR}/config ${INSTALL_DIR}/config + sudo ln -s -fT ${SOURCE_DIR}/db ${INSTALL_DIR}/db + sudo ln -s -fT ${SOURCE_DIR}/server ${INSTALL_DIR}/server + echo " -> Mounting ramdisks for /log and /api" - sudo mount -t tmpfs -o size=256M tmpfs "${SOURCE_DIR}/log" - sudo mount -t tmpfs -o size=512M tmpfs "${SOURCE_DIR}/api" - safe_link ${SOURCE_DIR}/api ${INSTALL_DIR}/api - safe_link ${SOURCE_DIR}/back ${INSTALL_DIR}/back - safe_link "${SOURCE_DIR}/config" "${INSTALL_DIR}/config" - safe_link "${SOURCE_DIR}/db" "${INSTALL_DIR}/db" - if [ ! -f "${SOURCE_DIR}/config/app.conf" ]; then - cp ${SOURCE_DIR}/back/app.conf ${INSTALL_DIR}/config/ - cp ${SOURCE_DIR}/back/app.db ${INSTALL_DIR}/db/ - fi - - safe_link "${SOURCE_DIR}/docs" "${INSTALL_DIR}/docs" - safe_link "${SOURCE_DIR}/front" "${INSTALL_DIR}/front" - safe_link "${SOURCE_DIR}/install" "${INSTALL_DIR}/install" - safe_link "${SOURCE_DIR}/scripts" "${INSTALL_DIR}/scripts" - safe_link "${SOURCE_DIR}/server" "${INSTALL_DIR}/server" - safe_link "${SOURCE_DIR}/test" "${INSTALL_DIR}/test" - safe_link "${SOURCE_DIR}/log" "${INSTALL_DIR}/log" - safe_link "${SOURCE_DIR}/mkdocs.yml" "${INSTALL_DIR}/mkdocs.yml" - - echo " -> Copying static files to ${INSTALL_DIR}" - cp -R ${SOURCE_DIR}/CODE_OF_CONDUCT.md ${INSTALL_DIR}/ - cp -R ${SOURCE_DIR}/install/ / - if [ -e "${INSTALL_DIR}/api/user_notifications.json" ]; then - echo " -> Removing existing user_notifications.json" - sudo rm "${INSTALL_DIR}"/api/user_notifications.json - fi + + mkdir ${INSTALL_DIR}/logt ${INSTALL_DIR}/apit || true + cp -R ${SOURCE_DIR}/log/* ${INSTALL_DIR}/logt/ || true + cp ${SOURCE_DIR}/api/* ${INSTALL_DIR}/apit/ || true + 
sudo mount -t tmpfs -o size=256M tmpfs "${INSTALL_DIR}/log" + sudo mount -t tmpfs -o size=512M tmpfs "${INSTALL_DIR}/api" + sudo cp -R ${INSTALL_DIR}/logt/* ${INSTALL_DIR}/log/ || true + sudo cp -R ${INSTALL_DIR}/apit/* ${INSTALL_DIR}/api/ || true + rm -Rf ${INSTALL_DIR}/logt ${INSTALL_DIR}/apit || true + echo "Dev">${INSTALL_DIR}/.VERSION + echo " -> Setting ownership and permissions" - sudo find ${INSTALL_DIR}/ -type d -exec chmod 775 {} \; - sudo find ${INSTALL_DIR}/ -type f -exec chmod 664 {} \; + usermod -g netalertx nginx sudo date +%s > "${INSTALL_DIR}/front/buildtimestamp.txt" - sudo chmod 640 "${INSTALL_DIR}/config/${CONF_FILE}" || true + - - echo " -> Setting up log directory" - install -d -o netalertx -g www-data -m 777 ${INSTALL_DIR}/log/plugins - echo " -> Empty log"|tee ${INSTALL_DIR}/log/app.log \ ${INSTALL_DIR}/log/app_front.log \ ${INSTALL_DIR}/log/stdout.log diff --git a/.vscode/tasks.json b/.vscode/tasks.json index 9cef7855..673a0243 100755 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -27,7 +27,7 @@ { "label": "Re-Run Startup Script", "type": "shell", - "command": "sudo ${workspaceFolder:NetAlertX}/.devcontainer/scripts/setup.sh", + "command": "${workspaceFolder:NetAlertX}/.devcontainer/scripts/setup.sh", "presentation": { "echo": true, "reveal": "always", diff --git a/Dockerfile b/Dockerfile index 06d62577..dbbe1f9a 100755 --- a/Dockerfile +++ b/Dockerfile 
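Review bot: `rm -Rf ${INSTALL_DIR}/* || true` at the top of configure_source is unguarded: with INSTALL_DIR unset or empty it expands to `rm -Rf /*`, and when it does succeed it removes `${INSTALL_DIR}/log` and `${INSTALL_DIR}/api`, which nothing recreates before `sudo mount -t tmpfs … "${INSTALL_DIR}/log"` and the matching `api` mount — the `mkdir` only creates `logt` and `apit`, so the mounts would hit a missing mount point and the `|| true` on the copy steps after them would hide the consequence. Suggest `rm -Rf "${INSTALL_DIR:?INSTALL_DIR must be set}"/* || true` and `mkdir -p "${INSTALL_DIR}/log" "${INSTALL_DIR}/api" "${INSTALL_DIR}/logt" "${INSTALL_DIR}/apit"` in place of the existing `mkdir … || true`; the other unquoted `${INSTALL_DIR}`/`${SOURCE_DIR}` expansions in the hunk should be quoted the same way. configure_source continues past the end of the hunk.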
@@ -11,19 +11,10 @@ RUN apk add --no-cache bash shadow python3 python3-dev gcc musl-dev libffi-dev o # Enable venv ENV PATH="/opt/venv/bin:$PATH" -RUN mkdir -p ${INSTALL_DIR} -COPY api ${INSTALL_DIR}/api -COPY back ${INSTALL_DIR}/back -COPY config ${INSTALL_DIR}/config -COPY db ${INSTALL_DIR}/db -COPY front ${INSTALL_DIR}/front -COPY server ${INSTALL_DIR}/server + RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git -RUN bash -c "find ${INSTALL_DIR} -type d -exec chmod 750 {} \;" \ - && bash -c "find ${INSTALL_DIR} -type f -exec chmod 640 {} \;" \ - && bash -c "find ${INSTALL_DIR} -type f \( -name '*.sh' -o -name '*.py' -o -name 'speedtest-cli' \) -exec chmod 750 {} \;" # second stage FROM alpine:3.22 AS runner @@ -34,13 +25,10 @@ RUN addgroup -g 20211 netalertx && \ adduser -u 20212 -G readonly -D -h /app readonly ARG INSTALL_DIR=/app -COPY --from=builder /opt/venv /opt/venv -COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/ -COPY install/alpine-docker/ / # Enable venv -ENV PATH="/opt/venv/bin:$PATH" +ENV PATH="/opt/venv/bin:/usr/bin:/sbin:/bin:$PATH" 
@@ -80,60 +68,40 @@ ENV PHP_FPM_CONFIG_FILE=/etc/php83/php-fpm.conf ENV PHP_WWW_CONF_FILE=/etc/php83/php-fpm.d/www.conf ENV SYSTEM_SERVICES=/services +RUN apk update --no-cache bash libbsd zip lsblk gettext-envsubst sudo mtr tzdata curl arp-scan iproute2 \ + iproute2-ss nmap nmap-scripts traceroute nbtscan openrc dbus net-tools net-snmp-tools bind-tools awake \ + ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 nginx sudo && \ + rm -rf /var/cache/apk/* && \ + rm -f /etc/nginx/http.d/default.conf -RUN apk update --no-cache \ - && apk add --no-cache bash libbsd zip lsblk gettext-envsubst sudo mtr tzdata \ - && apk add --no-cache curl arp-scan iproute2 iproute2-ss nmap nmap-scripts traceroute nbtscan openrc dbus net-tools net-snmp-tools bind-tools awake ca-certificates \ - && apk add --no-cache sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session \ - && apk add --no-cache python3 nginx +# Install from previous build stage +COPY --from=builder /opt/venv /opt/venv +COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/ +# Simple copy of directory structure instead of individual files or complicated directory structure with RUN mkdir +COPY install/alpine-docker/ / -COPY --from=builder --chown=netalertx:netalertx ${INSTALL_DIR}/ ${INSTALL_DIR}/ -# set this properly to handle recursive ownership changes -RUN ln -s /usr/bin/awake /usr/bin/wakeonlan \ - && rm -f /etc/nginx/http.d/default.conf +RUN chmod -R a+x ${SYSTEM_SERVICES} /build/ /entrypoint.sh && \ + sh -c "find ${NETALERTX_APP} -type d -exec chmod 750 {} \;" && \ + sh -c "find ${NETALERTX_APP} -type f -exec chmod 640 {} \;" && \ + sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) -exec chmod 750 {} \;" +# Copy source +COPY back ${INSTALL_DIR}/back +COPY front ${INSTALL_DIR}/front +COPY server ${INSTALL_DIR}/server +RUN mkdir ${NETALERTX_API} -# Create required directories -RUN mkdir -p ${INSTALL_DIR}/config 
${INSTALL_DIR}/db ${INSTALL_DIR}/log/plugins - - - -# Create empty log files and API files -RUN touch ${LOG_APP} \ - && touch ${LOG_EXECUTION_QUEUE} \ - && touch ${LOG_APP_FRONT} \ - && touch ${LOG_APP_PHP_ERRORS} \ - && touch ${LOG_STDERR} \ - && touch ${LOG_STDOUT} \ - && touch ${LOG_DB_IS_LOCKED} \ - && touch ${LOG_IP_CHANGES} \ - && touch ${LOG_REPORT_OUTPUT_TXT} \ - && touch ${LOG_REPORT_OUTPUT_HTML} \ - && touch ${LOG_REPORT_OUTPUT_JSON} \ - && touch ${NETALERTX_API}/user_notifications.json - -# Setup services -RUN mkdir -p ${SYSTEM_SERVICES} - +# Install runtime dependencies #initialize each service with the dockerfiles/init-*.sh scripts, once. -RUN chmod +x /build/*.sh \ - && /build/init-nginx.sh \ - && /build/init-php-fpm.sh \ - && /build/init-crond.sh \ - && /build/init-backend.sh \ - && rm -rf /build/* - -# Create buildtimestamp.txt - -RUN chmod +x ${SYSTEM_SERVICES}/*.sh /entrypoint.sh - -# Setup config and db files -RUN cp ${NETALERTX_BACK}/app.conf ${NETALERTX_CONFIG_FILE} && \ - cp ${NETALERTX_BACK}/app.db ${NETALERTX_DB_FILE} +RUN sh /build/init-nginx.sh && \ + sh /build/init-php-fpm.sh && \ + sh /build/init-crond.sh && \ + sh /build/init-backend.sh && \ + rm -rf /build/* # set netalertx to allow sudoers for any command, no password @@ -147,7 +115,7 @@ RUN date +%s > ${INSTALL_DIR}/front/buildtimestamp.txt FROM runner AS hardened # remove netalertx from sudoers -RUN sed -i '/netalertx ALL=(ALL) NOPASSWD: ALL/d +RUN sh -c "sed -i '/netalertx ALL=(ALL) NOPASSWD: ALL/d' /etc/sudoers" RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} RUN chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} 
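Review bot: `apk update` takes no package arguments, so the list on the new `RUN apk update --no-cache bash libbsd zip lsblk …` line installs nothing and only the index is refreshed, unless apk rejects the extra arguments and fails the build outright. The removed lines did the installs through `apk add`; restore that as `RUN apk update --no-cache && apk add --no-cache bash libbsd zip lsblk gettext-envsubst sudo mtr tzdata curl arp-scan iproute2 \` with the two continuation lines and the trailing `rm` steps unchanged. The same line is reproduced in the generated .devcontainer/Dockerfile and will pick the fix up on regeneration. Separately, the three new `COPY back/front/server ${INSTALL_DIR}/…` lines now follow the `find ${NETALERTX_APP} … chmod 750/640` pass, so in the runner target the copied source keeps whatever modes the build context had; the hardened stage re-chmods those trees, runner does not.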
@@ -160,10 +128,7 @@ RUN chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX RUN chown readonly:readonly / -RUN rm /usr/bin/sudo -RUN touch /var/log/nginx/access.log /var/log/nginx/error.log -RUN chown -R netalertx:netalertx /var/log/nginx /run/ -RUN chown -R netalertx:netalertx /var/lib/nginx +RUN chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run RUN echo -ne '#!/bin/bash\nexit 0\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo RUN find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o -group 0 -o -user 0 -exec chown readonly:readonly {} + diff --git a/install/alpine-docker/app/config/app.conf b/install/alpine-docker/app/config/app.conf new file mode 100755 index 00000000..469c4e8e --- /dev/null +++ b/install/alpine-docker/app/config/app.conf 
@@ -0,0 +1,108 @@ +#-----------------AUTOGENERATED FILE-----------------# +# # +# Generated: 2022-12-30_22-19-40 # +# # +# Config file for the LAN intruder detection app: # +# https://github.com/jokob-sk/NetAlertX # +# # +#-----------------AUTOGENERATED FILE-----------------# + +# 🔺 Use the Settings UI - only edit when necessary 🔺 + +# General +#--------------------------- +# Scan using interface eth0 +# SCAN_SUBNETS = ['192.168.1.0/24 --interface=eth0'] +# +# Scan multiple interfaces (eth1 and eth0): +# SCAN_SUBNETS = [ '192.168.1.0/24 --interface=eth1', '192.168.1.0/24 --interface=eth0' ] + +DISCOVER_PLUGINS=True +SCAN_SUBNETS=['--localnet'] +TIMEZONE='Europe/Berlin' +LOADED_PLUGINS=['ARPSCAN', 'AVAHISCAN', 'CSVBCKP','DBCLNP', 'DIGSCAN', 'INTRNT', 'MAINT', 'NEWDEV', 'NBTSCAN', 'NSLOOKUP','NTFPRCS', 'SETPWD', 'SMTP', 'SYNC', 'VNDRPDT', 'WORKFLOWS', 'UI'] + +DAYS_TO_KEEP_EVENTS=90 +# Used for generating links in emails. Make sure not to add a trailing slash! +REPORT_DASHBOARD_URL='update_REPORT_DASHBOARD_URL_setting' + +# Make sure at least these scanners are enabled for new installs, other defaults are taken from the config.json +INTRNT_RUN='schedule' +ARPSCAN_RUN='schedule' +NSLOOKUP_RUN='before_name_updates' +AVAHISCAN_RUN='before_name_updates' +NBTSCAN_RUN='before_name_updates' + +# Email +#------------------------------------- +# (add SMTP to LOADED_PLUGINS to load) +#------------------------------------- +SMTP_RUN='disabled' # use 'on_notification' to enable +SMTP_SERVER='smtp.gmail.com' +SMTP_PORT=587 +SMTP_REPORT_TO='user@gmail.com' +SMTP_REPORT_FROM='NetAlertX ' +SMTP_SKIP_LOGIN=False +SMTP_USER='user@gmail.com' +SMTP_PASS='password' +SMTP_SKIP_TLS=False + + +# Webhook +#------------------------------------- +# (add WEBHOOK to LOADED_PLUGINS to load) +#------------------------------------- +WEBHOOK_RUN='disabled' # use 'on_notification' to enable +WEBHOOK_URL='http://n8n.local:5555/webhook-test/aaaaaaaa-aaaa-aaaa-aaaaa-aaaaaaaaaaaa' +WEBHOOK_PAYLOAD='json' 
# webhook payload data format for the "body > attachements > text" attribute + # in https://github.com/jokob-sk/NetAlertX/blob/main/docs/webhook_json_sample.json + # supported values: 'json', 'html' or 'text' + # e.g.: for discord use 'html' +WEBHOOK_REQUEST_METHOD='GET' + + +# Apprise +#------------------------------------- +# (add APPRISE to LOADED_PLUGINS to load) +#------------------------------------- +APPRISE_RUN='disabled' # use 'on_notification' to enable +APPRISE_HOST='http://localhost:8000/notify' +APPRISE_URL='mailto://smtp-relay.sendinblue.com:587?from=user@gmail.com&name=apprise&user=user@gmail.com&pass=password&to=user@gmail.com' + + +# NTFY +#------------------------------------- +# (add NTFY to LOADED_PLUGINS to load) +#------------------------------------- +NTFY_RUN='disabled' # use 'on_notification' to enable +NTFY_HOST='https://ntfy.sh' +NTFY_TOPIC='replace_my_secure_topicname_91h889f28' +NTFY_USER='user' +NTFY_PASSWORD='passw0rd' + + +# PUSHSAFER +#------------------------------------- +# (add PUSHSAFER to LOADED_PLUGINS to load) +#------------------------------------- +PUSHSAFER_RUN='disabled' # use 'on_notification' to enable +PUSHSAFER_TOKEN='ApiKey' + + +# MQTT +#------------------------------------- +# (add MQTT to LOADED_PLUGINS to load) +#------------------------------------- +MQTT_RUN='disabled' # use 'on_notification' to enable +MQTT_BROKER='192.168.1.2' +MQTT_PORT=1883 +MQTT_USER='mqtt' +MQTT_PASSWORD='passw0rd' +MQTT_QOS=0 +MQTT_DELAY_SEC=2 + + +#-------------------IMPORTANT INFO-------------------# +# This file is ingested by a python script, so if # +# modified it needs to use python syntax # +#-------------------IMPORTANT INFO-------------------# diff --git a/install/alpine-docker/app/db/app.db b/install/alpine-docker/app/db/app.db new file mode 100755 index 00000000..a0bdc92c Binary files /dev/null and b/install/alpine-docker/app/db/app.db differ 
diff --git a/install/alpine-docker/app/log/IP_changes.log b/install/alpine-docker/app/log/IP_changes.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/app.log b/install/alpine-docker/app/log/app.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/app.php_errors.log b/install/alpine-docker/app/log/app.php_errors.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/app_front.log b/install/alpine-docker/app/log/app_front.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/crond.log b/install/alpine-docker/app/log/crond.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/db_is_locked.log b/install/alpine-docker/app/log/db_is_locked.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/execution_queue.log b/install/alpine-docker/app/log/execution_queue.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/plugins/.git-placeholder b/install/alpine-docker/app/log/plugins/.git-placeholder
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/report_output.html b/install/alpine-docker/app/log/report_output.html
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/report_output.json b/install/alpine-docker/app/log/report_output.json
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/report_output.txt b/install/alpine-docker/app/log/report_output.txt
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/stderr.log b/install/alpine-docker/app/log/stderr.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/app/log/stdout.log b/install/alpine-docker/app/log/stdout.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/var/lib/nginx/.git-placeholder b/install/alpine-docker/var/lib/nginx/.git-placeholder
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/var/log/nginx/access.log b/install/alpine-docker/var/log/nginx/access.log
new file mode 100644
index 00000000..e69de29b
diff --git a/install/alpine-docker/var/log/nginx/error.log b/install/alpine-docker/var/log/nginx/error.log
new file mode 100644
index 00000000..e69de29b