Split the single tree into three owner-isolated roots and fix the backup permission failure (restic, running as the container user, could not write the manager-owned /docker/backups). Ownership helper (libreportal-ownership), rewritten for three baked roots: SYSTEM_DIR (manager), CONTAINERS_DIR + BACKUPS_DIR (container user) - reconcile now drives each tree to its single owner; backups + the WebUI dir go to the container user (the actual fix). The container user reaches only the WebUI bind-mount sources (configs/webui/*) via a scoped _webui_bind_access — traverse the system root + configs, read configs/webui only, nothing else. - defence-in-depth: refuse dangerous/relative roots even if mis-baked; new backups-top action. Baking: init.sh initRootHelpers now seds __SYSTEM_DIR__/__CONTAINERS_DIR__/__BACKUPS_DIR__ (alongside __MANAGER__) into every helper at install — the trust boundary stays root-controlled. svc/socket/appcfg helpers updated to derive from the baked SYSTEM_DIR; the svc unit now exports LP_*_DIR so the processor resolves roots authoritatively. A baking-safe '*"__"*' sentinel check survives the sed. Install/uninstall: initFolders creates the three roots; initContainerLayer hands containers + backups to the container user; uninstall removes all three (idempotent on legacy single-tree installs). Remaining functional /docker literals in init.sh (config reads, setupConfigsFromRepo, uninstall) parameterised. Compose: the WebUI's two relative ../../configs mounts (the only cross-tree relative mounts in the tree) are now absolute, filled at generation via a new CONFIGS_DIR_TAG; CONTAINERS_DIR_TAG likewise for the LP_CONTAINERS_DIR env. Live box unaffected: installed helpers + the live compose only change on reinstall/rebuild (both of which fill the tags); the CLI-wrapper heredoc paths are baked in phase 3. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
|
|
|
|
networks:
|
|
DOCKER_NETWORK_DATA: #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
|
|
external: true
|
|
|
|
services:
|
|
libreportal-service: #LIBREPORTAL|SERVICE_TAG_1|libreportal-service
|
|
container_name: libreportal-service
|
|
build:
|
|
context: .
|
|
image: libreportal-service:latest
|
|
user: "USER_DATA" #LIBREPORTAL|USER_TAG|USER_DATA
|
|
group_add:
|
|
- SOCKET_GID_DATA #LIBREPORTAL|SOCKET_GID_TAG|SOCKET_GID_DATA
|
|
ports:
|
|
- "PORTS_DATA_1" #LIBREPORTAL|PORTS_TAG_1|PORTS_DATA_1
|
|
volumes:
|
|
- ./frontend:/app/frontend
|
|
- ./backend/routes:/app/backend/routes
|
|
- ./backend/utils:/app/backend/utils
|
|
- ./backend/server.js:/app/backend/server.js
|
|
- ./libreportal.config:/app/libreportal.config:ro
|
|
# Absolute (filled at generation) — the containers root is now separate from
|
|
# the system tree, so the old relative ../../configs no longer reaches it.
|
|
- CONFIGS_DIR_DATA/webui/webui_logins:/app/webui_logins:ro #LIBREPORTAL|CONFIGS_DIR_TAG|CONFIGS_DIR_DATA
|
|
- CONFIGS_DIR_DATA/webui/webui_logs:/app/webui_logs:ro #LIBREPORTAL|CONFIGS_DIR_TAG|CONFIGS_DIR_DATA
|
|
# >>> crowdsec-host-logs >>>
|
|
#- /var/log/crowdsec.log:/host/var/log/crowdsec.log:ro
|
|
#- /var/log/crowdsec-firewall-bouncer.log:/host/var/log/crowdsec-firewall-bouncer.log:ro
|
|
# <<< crowdsec-host-logs <<<
|
|
- SOCKET_DATA #LIBREPORTAL|SOCKET_TAG|SOCKET_DATA
|
|
environment:
|
|
FRONTEND_PATH: /data/frontend
|
|
LIBREPORTAL_CONFIG_PATH: /app/libreportal.config
|
|
LP_CONTAINERS_DIR: CONTAINERS_DIR_DATA #LIBREPORTAL|CONTAINERS_DIR_TAG|CONTAINERS_DIR_DATA
|
|
TZ: TIMEZONE_DATA #LIBREPORTAL|TIMEZONE_TAG|TIMEZONE_DATA
|
|
labels:
|
|
libreportal.category: "CATEGORY_DATA" #LIBREPORTAL|CATEGORY_TAG|CATEGORY_DATA
|
|
libreportal.title: "TITLE_DATA" #LIBREPORTAL|TITLE_TAG|TITLE_DATA
|
|
traefik.enable: TRAEFIK_ENABLE_DATA #LIBREPORTAL|TRAEFIK_ENABLE_TAG|TRAEFIK_ENABLE_DATA
|
|
# TRAEFIK_PORT_1_BEGIN
|
|
traefik.http.routers.libreportal-service.entrypoints: web,websecure
|
|
traefik.http.routers.libreportal-service.rule: Host(`DOMAINSUBNAME_DATA_1`) #LIBREPORTAL|DOMAINSUBNAME_TAG_1|DOMAINSUBNAME_DATA_1
|
|
traefik.http.routers.libreportal-service.tls: true
|
|
traefik.http.routers.libreportal-service.tls.certresolver: production
|
|
traefik.http.services.libreportal-service.loadbalancer.server.port: PORT_INTERNAL_DATA_1 #LIBREPORTAL|PORT_INTERNAL_TAG_1|PORT_INTERNAL_DATA_1
|
|
traefik.http.routers.libreportal-service.middlewares: MIDDLEWARE_DATA_1 #LIBREPORTAL|MIDDLEWARE_TAG_1|MIDDLEWARE_DATA_1
|
|
# TRAEFIK_PORT_1_END
|
|
traefik.docker.network: DOCKER_NETWORK_DATA #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
|
|
healthcheck:
|
|
disable: HEALTHCHECK_DATA #LIBREPORTAL|HEALTHCHECK_TAG|HEALTHCHECK_DATA
|
|
networks:
|
|
DOCKER_NETWORK_DATA: #LIBREPORTAL|DOCKER_NETWORK_TAG|DOCKER_NETWORK_DATA
|
|
ipv4_address: IP_DATA_1 #LIBREPORTAL|IP_TAG_1|IP_DATA_1
|
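Review bot: The newly templated scalars — the two `CONFIGS_DIR_DATA/webui/...` entries under `volumes:` and `LP_CONTAINERS_DIR: CONTAINERS_DIR_DATA` under `environment:` — are plain unquoted YAML, unlike the neighbouring `user: "USER_DATA"` and `- "PORTS_DATA_1"`, so a root that the generator fills with a space or a ` #`, or leaves empty, silently becomes a truncated mount string or a null env value (which compose then resolves from the host shell environment) instead of a parse error. The commit describes the refusal of dangerous/relative roots for the baked helpers rather than for compose generation, so quoting is the cheap guard on this side: `- "CONFIGS_DIR_DATA/webui/webui_logins:/app/webui_logins:ro"`, `- "CONFIGS_DIR_DATA/webui/webui_logs:/app/webui_logs:ro"`, `LP_CONTAINERS_DIR: "CONTAINERS_DIR_DATA"`, with the trailing `#LIBREPORTAL|...` tag comments left outside the quotes. The same applies to the unquoted `TZ: TIMEZONE_DATA` if the timezone value can ever be blank. This rendered view does not mark which lines are new; the commit message names the CONFIGS_DIR_TAG and CONTAINERS_DIR_TAG lines as the additions.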