From d182a552b8002ec360587ea97705f0fdb03b4f80 Mon Sep 17 00:00:00 2001 
From: Adam Outler Date: Sat, 27 Sep 2025 21:58:00 -0400 Subject: [PATCH] Move filesystem to more generic name & add perms --- .devcontainer/devcontainer.json | 3 +- Dockerfile | 38 +++++++++++------- .../app/config/app.conf | 0 .../app/db/app.db | Bin .../app/log/IP_changes.log | 0 .../app/log/app.log | 0 .../app/log/app.php_errors.log | 0 .../app/log/app_front.log | 0 .../app/log/crond.log | 0 .../app/log/db_is_locked.log | 0 .../app/log/execution_queue.log | 0 .../app/log/report_output.html | 0 .../app/log/report_output.json | 0 .../app/log/report_output.txt | 0 .../app/log/stderr.log | 0 .../app/log/stdout.log | 0 .../build/init-backend.sh | 0 .../build/init-crond.sh | 0 .../build/init-nginx.sh | 0 .../build/init-php-fpm.sh | 0 .../entrypoint.sh | 0 .../etc/crontabs/netalertx | 0 .../aiofreebox/freebox_certificate.pem | 0 .../services/capcheck.sh | 0 .../services/config/nginx/fastcgi_params | 0 .../services/config/nginx/netalertx.conf | 0 .../services/config/nginx/nginx.conf | 0 .../services/healthcheck.sh | 0 .../services/start-backend.sh | 0 .../services/start-crond.sh | 0 .../services/start-nginx.sh | 0 .../services/start-php-fpm.sh | 0 .../var/log/nginx/access.log | 0 .../var/log/nginx/error.log | 0 34 files changed, 25 insertions(+), 16 deletions(-) rename install/{alpine-docker => production-filesystem}/app/config/app.conf (100%) rename install/{alpine-docker => production-filesystem}/app/db/app.db (100%) rename install/{alpine-docker => production-filesystem}/app/log/IP_changes.log (100%) rename install/{alpine-docker => production-filesystem}/app/log/app.log (100%) rename install/{alpine-docker => production-filesystem}/app/log/app.php_errors.log (100%) rename install/{alpine-docker => production-filesystem}/app/log/app_front.log (100%) rename install/{alpine-docker => production-filesystem}/app/log/crond.log (100%) rename install/{alpine-docker => production-filesystem}/app/log/db_is_locked.log (100%) rename install/{alpine-docker => 
production-filesystem}/app/log/execution_queue.log (100%) rename install/{alpine-docker => production-filesystem}/app/log/report_output.html (100%) rename install/{alpine-docker => production-filesystem}/app/log/report_output.json (100%) rename install/{alpine-docker => production-filesystem}/app/log/report_output.txt (100%) rename install/{alpine-docker => production-filesystem}/app/log/stderr.log (100%) rename install/{alpine-docker => production-filesystem}/app/log/stdout.log (100%) rename install/{alpine-docker => production-filesystem}/build/init-backend.sh (100%) rename install/{alpine-docker => production-filesystem}/build/init-crond.sh (100%) rename install/{alpine-docker => production-filesystem}/build/init-nginx.sh (100%) rename install/{alpine-docker => production-filesystem}/build/init-php-fpm.sh (100%) rename install/{alpine-docker => production-filesystem}/entrypoint.sh (100%) rename install/{alpine-docker => production-filesystem}/etc/crontabs/netalertx (100%) rename install/{alpine-docker => production-filesystem}/opt/venv/lib/python3.12/site-packages/aiofreebox/freebox_certificate.pem (100%) rename install/{alpine-docker => production-filesystem}/services/capcheck.sh (100%) rename install/{alpine-docker => production-filesystem}/services/config/nginx/fastcgi_params (100%) rename install/{alpine-docker => production-filesystem}/services/config/nginx/netalertx.conf (100%) rename install/{alpine-docker => production-filesystem}/services/config/nginx/nginx.conf (100%) rename install/{alpine-docker => production-filesystem}/services/healthcheck.sh (100%) rename install/{alpine-docker => production-filesystem}/services/start-backend.sh (100%) rename install/{alpine-docker => production-filesystem}/services/start-crond.sh (100%) rename install/{alpine-docker => production-filesystem}/services/start-nginx.sh (100%) rename install/{alpine-docker => production-filesystem}/services/start-php-fpm.sh (100%) rename install/{alpine-docker => 
production-filesystem}/var/log/nginx/access.log (100%)
rename install/{alpine-docker => production-filesystem}/var/log/nginx/error.log (100%)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index d3c08dc7..a6d7072e 100755
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -33,7 +33,8 @@
 "ms-python.vscode-pylance",
 "pamaron.pytest-runner",
 "coderabbit.coderabbit-vscode",
- "ms-python.black-formatter"
+ "ms-python.black-formatter",
+ "jeff-hykin.better-dockerfile-syntax"
 ]
 ,
 "settings": {
diff --git a/Dockerfile b/Dockerfile
index fc99e770..ddbc2077 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -73,23 +73,26 @@ RUN apk add --no-cache bash mtr libbsd zip lsblk sudo tzdata curl arp-scan iprou
 # Install application, copy files, set permissions
 COPY --from=builder /opt/venv /opt/venv
 COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
-COPY --chown=netalertx:netalertx install/alpine-docker/ /
+COPY --chown=netalertx:netalertx install/production-filesystem/ /
 COPY --chown=netalertx:netalertx --chmod=755 back ${NETALERTX_BACK}
 COPY --chown=netalertx:netalertx --chmod=755 front ${NETALERTX_FRONT}
 COPY --chown=netalertx:netalertx --chmod=755 server ${NETALERTX_SERVER}
 RUN install -d -o netalertx -g netalertx -m 755 ${NETALERTX_API} && \
 install -d -o netalertx -g netalertx -m 755 ${NETALERTX_LOG} && \
 sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) \
- -exec chmod 750 {} \;"
+ -exec chmod 750 {} \;"
 
-# setcap to allow nmap to run without root
-RUN setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap
+# setcap to allow network tools with raw packet access to run without root
+RUN setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap && \
+ setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \
+ setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \
+ setcap cap_net_raw,cap_net_admin+eip /opt/venv/bin/scapy
 
 #initialize each service with the dockerfiles/init-*.sh scripts, once.
-RUN sh /build/init-nginx.sh && \
- sh /build/init-php-fpm.sh && \
- sh /build/init-crond.sh && \
- sh /build/init-backend.sh && \
+RUN /bin/sh /build/init-nginx.sh && \
+ /bin/sh /build/init-php-fpm.sh && \
+ /bin/sh /build/init-crond.sh && \
+ /bin/sh /build/init-backend.sh && \
 rm -rf /build
 
 # set netalertx to allow sudoers for any command, no password
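Review bot: `setcap cap_net_raw,cap_net_admin+eip /opt/venv/bin/scapy` on the last added setcap line almost certainly grants nothing: if that path is the pip-generated console script (a Python file with a `#!` line) rather than an ELF executable, the kernel computes file capabilities from the interpreter it actually execs, not from the script, exactly as it ignores setuid on scripts. Making scapy work unprivileged would mean running `setcap` on the venv's python binary (following the symlink to the real interpreter), which hands CAP_NET_RAW/CAP_NET_ADMIN to every Python process in the image, so that should be an explicit decision; verify with `getcap` in the built runner stage and either drop the line or document the broader grant. Separately, arp-scan and traceroute only need raw sockets, so `setcap cap_net_raw+eip /usr/bin/arp-scan` and the same for traceroute keep `cap_net_admin` (interface and routing-table changes) confined to nmap, unless a scan mode in use is known to require it.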
@@ -103,8 +106,10 @@ FROM runner AS hardened
 
 # create readonly user and group with no shell access
 RUN addgroup -g 20212 readonly && \
- adduser -u 20212 -G readonly -D -h /app readonly
-
+ adduser -u 20212 -G readonly -D -h /app readonly && \
+ usermod -s /sbin/nologin readonly
+
+
 
 # remove netalertx from sudoers
 RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} ${SYSTEM_SERVICES} && \
@@ -117,12 +122,12 @@ RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_
 chown readonly:readonly / && \
 chown -R netalertx:netalertx /var/log/nginx /var/lib/nginx /run && \
 find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o \
- -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o \
- -group 0 -o -user 0 -exec chown readonly:readonly {} +
+ -path /run -prune -o -path /var/log -prune -o -path /tmp -prune -o \
+ -group 0 -o -user 0 -exec chown readonly:readonly {} +
 
 
 # # remove sudo and alpine installers pacakges
-RUN apk del sudo && \
+RUN apk del sudo libcap apk-tools && \
 rm -rf /var/cache/apk/*
 # remove all users and groups except readonly and netalertx without userdel/groupdel binaries
 # RUN awk -F: '($1 != "readonly" && $1 != "netalertx") {print $1}' /etc/passwd | xargs -r -n 1 deluser -r && \
@@ -131,7 +136,9 @@ RUN apk del sudo && \
 RUN rm -Rf /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
 /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
 /srv /media && \
- echo -ne '#!/bin/bash\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+ sed -i -n -e '/^readonly:/p' -e '/^netalertx:/p' /etc/passwd && \
+ sed -i -n -e '/^readonly:/p' -e '/^netalertx:/p' /etc/group && \
+ echo -ne '#!/bin/sh\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
 
 
 
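Review bot: The added `usermod -s /sbin/nologin readonly` is a second pass over an account that busybox `adduser` can create with that shell in one step, `adduser -u 20212 -G readonly -D -h /app -s /sbin/nologin readonly`, which removes this path's dependency on the shadow-package `usermod` copied in from the builder. Since this stage later deletes `/etc/shadow`, the passwd line is all that is left describing the account, so confirm in the built image that it ends in `/sbin/nologin` whichever form is used. The two added trailing blank lines are noise and can go, and the following context comment `# remove netalertx from sudoers` does not describe the chown it heads.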
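Review bot: The re-added `find / ... -user 0 -exec chown readonly:readonly {} +` silently undoes the `setcap` grants from the runner stage: apk installs `/usr/bin/nmap`, `arp-scan` and `traceroute` as root:root, so they match `-user 0`, and chown(2) clears all file capability sets whenever an executable's owner or group changes. Because this same hunk then runs `apk del sudo libcap apk-tools`, no `setcap` binary remains to restore them, so in the hardened image those tools run without CAP_NET_RAW and must either fail or be run some other way. Either leave those three binaries out of the chown (e.g. `-path /usr/bin/nmap -prune -o` and the same for the other two), or re-run the same setcap lines immediately after the chown and before `apk del libcap`, and add a `getcap` check to the build so a regression is caught. Also, the unparenthesised `-group 0 -o -user 0 -exec ...` binds `-exec` only to the `-user 0` branch, so files that are merely group 0 are matched but never chowned; `\( -group 0 -o -user 0 \) -exec chown readonly:readonly {} +` is what was intended.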
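Review bot: The rewritten `echo -ne '#!/bin/sh\n"$@"\n' > /usr/bin/sudo` needs a comment on the line above, because a `sudo` that simply runs its arguments as the caller is surprising and security-relevant: `# stub: sudo is a no-op so scripts that shell out through it keep running unprivileged`. The stub executes its arguments verbatim, so any caller passing sudo flags (`sudo -n cmd`, `sudo -u user cmd`) would try to run `-n`/`-u` as a command; whether any of the copied service scripts do that is not visible here and is worth a grep. The `sed -i -n` prune of `/etc/passwd` and `/etc/group` also drops `root` and `nobody`, so any nginx or php-fpm `user`/`group` directive naming an account other than netalertx will no longer resolve; the configs under `services/config/nginx` are renamed unchanged in this patch, so they should be checked once against the pruned files.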
@@ -141,4 +148,5 @@ USER netalertx
 HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
 CMD /usr/local/bin/healthcheck.sh
 
-ENTRYPOINT [ "bash", "/entrypoint.sh" ]
+#ENTRYPOINT [ "/bin/sh" ]
+ENTRYPOINT [ "/bin/sh", "/entrypoint.sh" ]
diff --git a/install/alpine-docker/app/config/app.conf b/install/production-filesystem/app/config/app.conf
similarity index 100%
rename from install/alpine-docker/app/config/app.conf
rename to install/production-filesystem/app/config/app.conf
diff --git a/install/alpine-docker/app/db/app.db b/install/production-filesystem/app/db/app.db
similarity index 100%
rename from install/alpine-docker/app/db/app.db
rename to install/production-filesystem/app/db/app.db
diff --git a/install/alpine-docker/app/log/IP_changes.log b/install/production-filesystem/app/log/IP_changes.log
similarity index 100%
rename from install/alpine-docker/app/log/IP_changes.log
rename to install/production-filesystem/app/log/IP_changes.log
diff --git a/install/alpine-docker/app/log/app.log b/install/production-filesystem/app/log/app.log
similarity index 100%
rename from install/alpine-docker/app/log/app.log
rename to install/production-filesystem/app/log/app.log
diff --git a/install/alpine-docker/app/log/app.php_errors.log b/install/production-filesystem/app/log/app.php_errors.log
similarity index 100%
rename from install/alpine-docker/app/log/app.php_errors.log
rename to install/production-filesystem/app/log/app.php_errors.log
diff --git a/install/alpine-docker/app/log/app_front.log b/install/production-filesystem/app/log/app_front.log
similarity index 100%
rename from install/alpine-docker/app/log/app_front.log
rename to install/production-filesystem/app/log/app_front.log
diff --git a/install/alpine-docker/app/log/crond.log b/install/production-filesystem/app/log/crond.log
similarity index 100%
rename from install/alpine-docker/app/log/crond.log
rename to install/production-filesystem/app/log/crond.log
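Review bot: The commented-out `#ENTRYPOINT [ "/bin/sh" ]` is debugging residue and should be deleted rather than shipped; a stray directive that is one uncomment away from turning the hardened image into an interactive shell invites exactly that. The switch from `bash` to `/bin/sh` is a behavioural change, not a cosmetic one: `/bin/sh` on Alpine is busybox ash, and `entrypoint.sh` is renamed unchanged (100% similarity) in this patch, so any bashism in it (arrays, `[[ ]]`, `set -o pipefail`, `${var,,}`) now fails at container start rather than at build time. Either confirm the script is POSIX-sh clean with `shellcheck -s sh`, or keep `bash`, which the `apk add` in the first hunk still installs.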
diff --git a/install/alpine-docker/app/log/db_is_locked.log b/install/production-filesystem/app/log/db_is_locked.log
similarity index 100%
rename from install/alpine-docker/app/log/db_is_locked.log
rename to install/production-filesystem/app/log/db_is_locked.log
diff --git a/install/alpine-docker/app/log/execution_queue.log b/install/production-filesystem/app/log/execution_queue.log
similarity index 100%
rename from install/alpine-docker/app/log/execution_queue.log
rename to install/production-filesystem/app/log/execution_queue.log
diff --git a/install/alpine-docker/app/log/report_output.html b/install/production-filesystem/app/log/report_output.html
similarity index 100%
rename from install/alpine-docker/app/log/report_output.html
rename to install/production-filesystem/app/log/report_output.html
diff --git a/install/alpine-docker/app/log/report_output.json b/install/production-filesystem/app/log/report_output.json
similarity index 100%
rename from install/alpine-docker/app/log/report_output.json
rename to install/production-filesystem/app/log/report_output.json
diff --git a/install/alpine-docker/app/log/report_output.txt b/install/production-filesystem/app/log/report_output.txt
similarity index 100%
rename from install/alpine-docker/app/log/report_output.txt
rename to install/production-filesystem/app/log/report_output.txt
diff --git a/install/alpine-docker/app/log/stderr.log b/install/production-filesystem/app/log/stderr.log
similarity index 100%
rename from install/alpine-docker/app/log/stderr.log
rename to install/production-filesystem/app/log/stderr.log
diff --git a/install/alpine-docker/app/log/stdout.log b/install/production-filesystem/app/log/stdout.log
similarity index 100%
rename from install/alpine-docker/app/log/stdout.log
rename to install/production-filesystem/app/log/stdout.log
diff --git a/install/alpine-docker/build/init-backend.sh b/install/production-filesystem/build/init-backend.sh
similarity index 100%
rename from install/alpine-docker/build/init-backend.sh
rename to install/production-filesystem/build/init-backend.sh
diff --git a/install/alpine-docker/build/init-crond.sh b/install/production-filesystem/build/init-crond.sh
similarity index 100%
rename from install/alpine-docker/build/init-crond.sh
rename to install/production-filesystem/build/init-crond.sh
diff --git a/install/alpine-docker/build/init-nginx.sh b/install/production-filesystem/build/init-nginx.sh
similarity index 100%
rename from install/alpine-docker/build/init-nginx.sh
rename to install/production-filesystem/build/init-nginx.sh
diff --git a/install/alpine-docker/build/init-php-fpm.sh b/install/production-filesystem/build/init-php-fpm.sh
similarity index 100%
rename from install/alpine-docker/build/init-php-fpm.sh
rename to install/production-filesystem/build/init-php-fpm.sh
diff --git a/install/alpine-docker/entrypoint.sh b/install/production-filesystem/entrypoint.sh
similarity index 100%
rename from install/alpine-docker/entrypoint.sh
rename to install/production-filesystem/entrypoint.sh
diff --git a/install/alpine-docker/etc/crontabs/netalertx b/install/production-filesystem/etc/crontabs/netalertx
similarity index 100%
rename from install/alpine-docker/etc/crontabs/netalertx
rename to install/production-filesystem/etc/crontabs/netalertx
diff --git a/install/alpine-docker/opt/venv/lib/python3.12/site-packages/aiofreebox/freebox_certificate.pem b/install/production-filesystem/opt/venv/lib/python3.12/site-packages/aiofreebox/freebox_certificate.pem
similarity index 100%
rename from install/alpine-docker/opt/venv/lib/python3.12/site-packages/aiofreebox/freebox_certificate.pem
rename to install/production-filesystem/opt/venv/lib/python3.12/site-packages/aiofreebox/freebox_certificate.pem
diff --git a/install/alpine-docker/services/capcheck.sh b/install/production-filesystem/services/capcheck.sh
similarity index 100%
rename from install/alpine-docker/services/capcheck.sh
rename to install/production-filesystem/services/capcheck.sh
diff --git a/install/alpine-docker/services/config/nginx/fastcgi_params b/install/production-filesystem/services/config/nginx/fastcgi_params
similarity index 100%
rename from install/alpine-docker/services/config/nginx/fastcgi_params
rename to install/production-filesystem/services/config/nginx/fastcgi_params
diff --git a/install/alpine-docker/services/config/nginx/netalertx.conf b/install/production-filesystem/services/config/nginx/netalertx.conf
similarity index 100%
rename from install/alpine-docker/services/config/nginx/netalertx.conf
rename to install/production-filesystem/services/config/nginx/netalertx.conf
diff --git a/install/alpine-docker/services/config/nginx/nginx.conf b/install/production-filesystem/services/config/nginx/nginx.conf
similarity index 100%
rename from install/alpine-docker/services/config/nginx/nginx.conf
rename to install/production-filesystem/services/config/nginx/nginx.conf
diff --git a/install/alpine-docker/services/healthcheck.sh b/install/production-filesystem/services/healthcheck.sh
similarity index 100%
rename from install/alpine-docker/services/healthcheck.sh
rename to install/production-filesystem/services/healthcheck.sh
diff --git a/install/alpine-docker/services/start-backend.sh b/install/production-filesystem/services/start-backend.sh
similarity index 100%
rename from install/alpine-docker/services/start-backend.sh
rename to install/production-filesystem/services/start-backend.sh
diff --git a/install/alpine-docker/services/start-crond.sh b/install/production-filesystem/services/start-crond.sh
similarity index 100%
rename from install/alpine-docker/services/start-crond.sh
rename to install/production-filesystem/services/start-crond.sh
diff --git a/install/alpine-docker/services/start-nginx.sh b/install/production-filesystem/services/start-nginx.sh
similarity index 100%
rename from install/alpine-docker/services/start-nginx.sh
rename to install/production-filesystem/services/start-nginx.sh
diff --git a/install/alpine-docker/services/start-php-fpm.sh b/install/production-filesystem/services/start-php-fpm.sh
similarity index 100%
rename from install/alpine-docker/services/start-php-fpm.sh
rename to install/production-filesystem/services/start-php-fpm.sh
diff --git a/install/alpine-docker/var/log/nginx/access.log b/install/production-filesystem/var/log/nginx/access.log
similarity index 100%
rename from install/alpine-docker/var/log/nginx/access.log
rename to install/production-filesystem/var/log/nginx/access.log
diff --git a/install/alpine-docker/var/log/nginx/error.log b/install/production-filesystem/var/log/nginx/error.log
similarity index 100%
rename from install/alpine-docker/var/log/nginx/error.log
rename to install/production-filesystem/var/log/nginx/error.log