From dc4848acd054a4c96f67a435219a82b2fb637217 Mon Sep 17 00:00:00 2001 From: Adam Outler Date: Sun, 28 Sep 2025 21:59:06 -0400 Subject: [PATCH] Information on default config and entrypoints for debug --- Dockerfile | 7 ++----- .../var/lib/nginx/.git-placeholder | 0 install/production-filesystem/README.md | 20 +++++++++++++++++++ .../python/backend-extra-launch-parameters} | 0 .../services/start-backend.sh | 8 +++++++- .../var/log/nginx/access.log | 0 .../var/log/nginx/error.log | 0 7 files changed, 29 insertions(+), 6 deletions(-) delete mode 100644 install/alpine-docker/var/lib/nginx/.git-placeholder create mode 100644 install/production-filesystem/README.md rename install/{alpine-docker/app/log/plugins/.git-placeholder => production-filesystem/services/config/python/backend-extra-launch-parameters} (100%) delete mode 100644 install/production-filesystem/var/log/nginx/access.log delete mode 100644 install/production-filesystem/var/log/nginx/error.log diff --git a/Dockerfile b/Dockerfile index 70d3f32c..04a6d30f 100755 --- a/Dockerfile +++ b/Dockerfile @@ -110,7 +110,7 @@ ENTRYPOINT ["/bin/sh","-c","sleep infinity"] # When complete, if the image is compromised, there's not much that can be done with it. FROM runner AS hardened -# create readonly user and group with no shell access +# create readonly user and group with no shell access. Readonly user marks folders that are created by NetAlertX, but should not be modified. RUN addgroup -g 20212 readonly && \ adduser -u 20212 -G readonly -D -h /app readonly && \ usermod -s /sbin/nologin readonly 
@@ -133,10 +133,7 @@ RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_
 # remove sudo and alpine installers pacakges
 RUN apk del sudo libcap apk-tools && \
 rm -rf /var/cache/apk/*
-# remove all users and groups except readonly and netalertx without userdel/groupdel binaries
-# RUN awk -F: '($1 != "readonly" && $1 != "netalertx") {print $1}' /etc/passwd | xargs -r -n 1 deluser -r && \
-# awk -F: '($1 != "readonly" && $1 != "netalertx") {print $1}' /etc/group | xargs -r -n 1 delgroup
-# Remove all sudoers
+# remove all users and groups except readonly and netalertx & remove all sudoers
 RUN rm -Rf /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
 /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
 /srv /media && \
diff --git a/install/alpine-docker/var/lib/nginx/.git-placeholder b/install/alpine-docker/var/lib/nginx/.git-placeholder
deleted file mode 100644
index e69de29b..00000000
diff --git a/install/production-filesystem/README.md b/install/production-filesystem/README.md
new file mode 100644
index 00000000..313a1d13
--- /dev/null
+++ b/install/production-filesystem/README.md
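Review bot: The new comment `+# remove all users and groups except readonly and netalertx & remove all sudoers` claims more than the `RUN rm -Rf` below it does: the command deletes /etc/shadow, /etc/gshadow and the sudoers files, but nothing in this hunk touches /etc/passwd or /etc/group, so every other account (root included, unless an earlier stage already pruned it) keeps its entry, and the awk/deluser pass that did remove them is dropped rather than replaced. Either make the comment match the code, e.g. `# drop the password/shadow databases and all sudoers; accounts stay listed in /etc/passwd and /etc/group but cannot authenticate without /etc/shadow`, or actually prune the databases in the same RUN using the busybox awk that is still present, e.g. `awk -F: '$1=="readonly"||$1=="netalertx"' /etc/passwd > /etc/passwd.new && mv /etc/passwd.new /etc/passwd` plus the same for /etc/group. A misleading "all users removed" comment in the hardening stage is worse than none, because the next reviewer will trust it instead of checking `/etc/passwd` in the final image. The `RUN` that starts here continues past the end of the hunk, so check its remaining lines before relying on either change.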
@@ -0,0 +1,20 @@
+
+This is the default filesystem for NetAlertX. it contains
+
+- `/app` - The main application location. This structure is where the source code (back, front and server directories) is copied and executed in read-only form. It also provides default structures for the working directories, such as: config, db, and log. All other directories are not required in the production image and are not tracked.
+- `/build` - a place where services can be initialized during docker container build. This folder is copied in, executed near the end of the build before the system is locked down, and then deleted. It is only available during build time.
+- `/opt/venv/lib/pthon3.12/site-acakges/aiofreebox` - this holds a certificate used by aiofreebox package, which interacts with freebox OS.
+- `/services` - a directory where all scripts which control system executions are held
+ - `/services/config` - a directory which holds all configuration files and `conf.d` folders used in the production image.
+ - `/services/config/cond` - `crond` daemon config.
+ - `/services/config/nginx` - `nginx` conf files.
+ - `/services/config/php` - php conf file.
+ `/services/config/php/php-fmp.d` - a `.d` style directory, debugger parameters or other configurations can be dropped in here.
+ - `/services/config/python-backend-extra-launch-parameters` - the contents of this file are added to launch params. It can be used to add debugging capabilities.
+ - `/services/capcheck.sh` - This is run at startup to warn the user if the container does not hold requried permissions to operate certain raw-packet tools.
+ - `/services/healthcheck.sh` - The system healthcheck. This script tests the services and reports if something fails.
+ - `/services/start-backend.sh` - The launcher for python services. This is called at startup by `entrypoint.sh`.
+ - `/services/start-crond.sh` - The launcher for crond task scheduler. This is called at startup by `entrypoint.sh`.
+ - `/services/start-nginx.sh` - The launcher for nginx frontend/website services. This is called at startup by `entrypoint.sh`.
+ - `/services/start-php-fpm.sh` - The launcher for php-fpm, used to interpret php for the frontend website. This is called at startup by `entrypoint.sh`.
+- `/entrypoint.sh` - Called at system startup to launch all services and servers requried by NetAlertX.
\ No newline at end of file
diff --git a/install/alpine-docker/app/log/plugins/.git-placeholder b/install/production-filesystem/services/config/python/backend-extra-launch-parameters
similarity index 100%
rename from install/alpine-docker/app/log/plugins/.git-placeholder
rename to install/production-filesystem/services/config/python/backend-extra-launch-parameters
diff --git a/install/production-filesystem/services/start-backend.sh b/install/production-filesystem/services/start-backend.sh
index 79c8dc53..b2f6ac0c 100755
--- a/install/production-filesystem/services/start-backend.sh
+++ b/install/production-filesystem/services/start-backend.sh
@@ -3,5 +3,11 @@ echo "Starting backend..."
 cd "${NETALERTX_APP}" || exit
 # Change user to netalertx
 export PYTHONPATH="${NETALERTX_SERVER}:${NETALERTX_APP}"
+
+EXTRA_PARAMS=""
+if [ -f /services/config/python/backend-extra-launch-parameters ]; then
+ EXTRA_PARAMS=$(cat /services/config/python-backend-extra-launch-parameters)
+fi
+
 # Start the backend, teeing stdout and stderr to log files and the container's console
-python3 -m server > >(tee /app/log/stdout.log) 2> >(tee /app/log/stderr.log >&2)
+python3 ${EXTRA_PARAMS} -m server > >(tee /app/log/stdout.log) 2> >(tee /app/log/stderr.log >&2)
diff --git a/install/production-filesystem/var/log/nginx/access.log b/install/production-filesystem/var/log/nginx/access.log
deleted file mode 100644
index e69de29b..00000000
diff --git a/install/production-filesystem/var/log/nginx/error.log b/install/production-filesystem/var/log/nginx/error.log
deleted file mode 100644
index e69de29b..00000000
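Review bot: The path tested and the path read disagree in the new block: the guard `if [ -f /services/config/python/backend-extra-launch-parameters ]` matches the file this patch renames into place, but the next line runs `cat /services/config/python-backend-extra-launch-parameters` (no `python/` directory), which nothing in the patch creates, so on every start `cat` fails, prints an error to stderr and EXTRA_PARAMS stays empty — the debug hook never works. Hold the path once and reuse it, e.g. `EXTRA_PARAMS_FILE=/services/config/python/backend-extra-launch-parameters` followed by `if [ -f "$EXTRA_PARAMS_FILE" ]; then EXTRA_PARAMS=$(cat "$EXTRA_PARAMS_FILE"); fi`, and correct the README entry that repeats the flat `python-backend-extra-launch-parameters` name. The unquoted `${EXTRA_PARAMS}` on the python3 line relies on word splitting on purpose, so mark that with `# shellcheck disable=SC2086` rather than leaving it to look like an oversight. Because the file's contents become interpreter arguments (a `-c`, `-W` or `-X` flag changes how the backend runs), it must stay on the read-only image path and never be served from a user-writable config volume; its ownership is not visible in this patch, so confirm it is owned by the readonly user in the hardened stage.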