author | Freya Murphy <freya@freyacat.org> | 2024-05-23 12:15:02 -0400 |
---|---|---|
committer | Freya Murphy <freya@freyacat.org> | 2024-05-23 12:15:02 -0400 |
commit | 17159879069c2e38e6415d152d35455f123ac674 (patch) | |
tree | f7107d1d3a416dc972b266029c8340c0a2266bbb /build | |
parent | things (diff) | |
download | xssbook2-17159879069c2e38e6415d152d35455f123ac674.tar.gz xssbook2-17159879069c2e38e6415d152d35455f123ac674.tar.bz2 xssbook2-17159879069c2e38e6415d152d35455f123ac674.zip |
changes
Diffstat (limited to 'build')
-rw-r--r-- | build/init/Dockerfile | 18 | ||||
-rwxr-xr-x | build/init/init | 73 | ||||
-rw-r--r-- | build/nginx/Dockerfile | 21 | ||||
-rw-r--r-- | build/php/Dockerfile | 15 | ||||
-rw-r--r-- | build/postgres/Dockerfile | 17 | ||||
-rw-r--r-- | build/postgrest/Dockerfile | 27 | ||||
-rwxr-xr-x | build/postgrest/entrypoint.sh | 19 |
7 files changed, 137 insertions, 53 deletions
diff --git a/build/init/Dockerfile b/build/init/Dockerfile
index 2b3d770..98eb285 100644
--- a/build/init/Dockerfile
+++ b/build/init/Dockerfile
@@ -1,5 +1,21 @@
FROM alpine:3.19
-RUN apk add --no-cache postgresql16-client tini
+
+# install packages
+RUN apk add --no-cache postgresql16-client tini shadow
+RUN rm -fr /var/cache/apk/*
+
+# setup main user
+RUN adduser -D init
+RUN groupmod --gid 1000 init
+RUN usermod --uid 1000 init
+
+# copy scripts
COPY ./init /usr/local/bin/init
+
+# remove build packages
+RUN apk del shadow
+
+# do the
+USER init
ENTRYPOINT ["/sbin/tini", "--"]
CMD ["/usr/local/bin/init"]
diff --git a/build/init/init b/build/init/init
index c64f139..c8dd3f0 100755
--- a/build/init/init
+++ b/build/init/init
@@ -1,21 +1,37 @@
#!/bin/sh
+errors=$(mktemp)
+
step() {
printf '\x1b[34;1m>> %s\x1b[0m\n' "$*"
}
error() {
- printf '\x1b[31;1merror: \x1b[0m%s\n' "$*"
+ {
+ printf '\x1b[31;1merror: \x1b[0m%s\n' "$*";
+ grep -v 'current transaction is aborted' < "$errors";
+ printf "\x1b[31m;1error: \x1b[0mAborting migrations, fix file(s) then restart process.";
+ } 1>&2;
+}
+
+try() {
+ "$@" 2> "$errors";
+ count=$(grep -c 'ERROR' < "$errors")
+ if [ "$count" -eq 0 ]; then
+ return 0;
+ else
+ return 1;
+ fi
}
-export PGPASSWORD=$POSTGRES_PASSWORD
+export PGPASSWORD="$POSTGRES_PASSWORD"
psql() {
/usr/bin/psql \
-h db \
-p 5432 \
- -d $POSTGRES_DB \
- -U $POSTGRES_USER \
+ -d "$POSTGRES_DB" \
+ -U "$POSTGRES_USER" \
"$@"
}
@@ -23,9 +39,8 @@ pg_isready() {
/usr/bin/pg_isready \
-h db \
-p 5432 \
- -d $POSTGRES_DB \
- -U $POSTGRES_USER \
- "$@"
+ -d "$POSTGRES_DB" \
+ -U "$POSTGRES_USER"
}
curr_revision() {
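Review bot: The `shadow` package is installed, used for one `groupmod`/`usermod` pair and then removed again, but for a user that this image creates itself the busybox tools already do the job in one step: `RUN addgroup -g 1000 init && adduser -D -u 1000 -G init init` replaces the three user lines and both `shadow` lines, and nothing from shadow ever lands in a layer. `RUN rm -fr /var/cache/apk/*` after `apk add --no-cache` is a no-op and can go as well. Note that `USER init` means the script now writes `/status/ready` and its `mktemp` file as uid 1000; /tmp is fine, but `/status` is not created or chowned here, so it presumably comes from a mounted volume whose ownership needs to be checked against uid 1000.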
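Review bot: `try` throws away the exit status of the command it runs and decides success purely by grepping stderr for `ERROR`, so a psql that never executes the file at all — connection refused while the db restarts, a bad password, an unreadable file, all of which psql reports as lowercase `psql: error: ...` — returns 0 and the migration loop advances as if the revision had been applied. Check the status as well as the log; `grep -q` is enough since the count is only ever compared with zero. Separately, the last `printf` in `error()` has its escape sequence garbled (`\x1b[31m;1error:` should be `\x1b[31;1merror:`), emits no trailing newline, and always says "Aborting migrations" even when `init_api`/`update_jwt` are the callers; `printf '\x1b[31;1merror: \x1b[0mAborting, fix file(s) then restart process.\n'` fixes the rendering. The temp file created by `errors=$(mktemp)` is only removed at the very end of the script and has no `trap`, so any other exit path leaves it behind.
```shell
try() {
    "$@" 2> "$errors"
    rc=$?
    # psql exits 0 on SQL errors unless ON_ERROR_STOP is set, so keep the log scan too
    if [ "$rc" -ne 0 ] || grep -q 'ERROR' < "$errors"; then
        return 1
    fi
    return 0
}
```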
@@ -49,17 +64,12 @@ run_migrations() {
while true; do
name=$(printf "%04d" "$i");
file="/db/migrations/$name.sql"
-
- if [ -f $file ]; then
- psql -f $file 2> /errors
- errors=$(cat /errors | grep 'ERROR' | wc -l)
- if [ "$errors" -eq 0 ]; then
+ if [ -f "$file" ]; then
+ if try psql -f "$file"; then
i=$((i+1));
continue;
else
error "An error occoured during a migration (rev $name)"
- cat /errors | grep -v 'current transaction is aborted';
- error "Aborting migrations, fix file(s) then restart process."
return 1;
fi
else
@@ -69,24 +79,19 @@ run_migrations() {
}
init_api() {
- psql -f /db/rest/rest.sql 2> /errors;
- errors=$(cat /errors | grep 'ERROR' | wc -l)
- if [ "$errors" -eq 0 ]; then
+ if try psql -f /db/rest/rest.sql; then
return 0;
else
error "An error occoured during api initialization"
- cat /errors | grep -v 'current transaction is aborted';
- error "Aborting api initialization, fix file(s) then restart process."
return 1;
fi
}
update_jwt() {
- psql -c "UPDATE sys.database_info SET jwt_secret = '$JWT_SECRET' WHERE name = current_database();"
- errors=$(cat /errors | grep 'ERROR' | wc -l)
- if [ "$errors" -eq 0 ]; then
+ if try psql -c "UPDATE sys.database_info SET jwt_secret = '$JWT_SECRET' WHERE name = current_database();"; then
return 0;
else
+ error "Could not update JWT"
return 1;
fi
}
@@ -98,7 +103,7 @@ load_ext() {
init () {
# reomve ready status
# so php ignores requests
- rm -fr /status/ready
+ rm -f /status/ready
step 'Waiting for database';
# make sure the database is running
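Review bot: `try psql -f "$file"` still runs the migration without `-v ON_ERROR_STOP=1`, so after the first failing statement psql carries on executing the rest of the file and only the stderr scan notices afterwards; whatever ran before the error outside an explicit transaction is already committed, and the next restart re-runs the same revision against a half-applied schema. `if try psql -v ON_ERROR_STOP=1 -f "$file"; then` makes a failing revision stop at the first error and gives psql a non-zero exit status; adding `--single-transaction` would make it atomic as well, unless the migration files already wrap themselves in BEGIN/COMMIT — the `current transaction is aborted` filter in `error()` suggests at least some do, so check before adding it. `run_migrations` starts and ends outside this hunk.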
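Review bot: `update_jwt` splices `$JWT_SECRET` straight into the SQL text, so a secret containing a single quote breaks the statement (caught only because `try` scans stderr) and any value with SQL in it is executed as part of the `sys.database_info` update. Hand the value to psql as a variable and let psql quote it with `:'secret'`; since variable interpolation is not applied to `-c` strings, feed the statement through stdin instead. This still leaves the secret visible in the process's argv, as the current `-c` form does; if that matters in this deployment the value should come from a file or environment on the psql side rather than the command line.
```shell
update_jwt() {
    # psql quotes :'secret' itself, so the value never touches the SQL text
    if printf '%s\n' "UPDATE sys.database_info SET jwt_secret = :'secret' WHERE name = current_database();" \
        | try psql -v secret="$JWT_SECRET"; then
        return 0;
    else
        error "Could not update JWT"
        return 1;
    fi
}
```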
@@ -116,31 +121,22 @@ init () {
step "Database at revision: $REV"
# run each migration that is
# higher than our current revision
- run_migrations "$REV"
- CODE=$?;
-
- if [ $CODE -ne 0 ]; then
- return $CODE;
+ if ! run_migrations "$REV"; then
+ return 1;
fi
step 'Initalizing the api';
# reinit the api schema for
# postgrest
- init_api;
- CODE=$?;
-
- if [ $CODE -ne 0 ]; then
- return $CODE;
+ if ! init_api; then
+ return 1;
fi
step 'Updating JWT secret';
# make sure postgres has the corrent
# jwt secret
- update_jwt;
- CODE=$?;
-
- if [ $CODE -ne 0 ]; then
- return $CODE;
+ if ! update_jwt; then
+ return 1;
fi
step 'Database is initialized'
@@ -149,3 +145,4 @@ init () {
}
init
+rm "$errors"
diff --git a/build/nginx/Dockerfile b/build/nginx/Dockerfile
new file mode 100644
index 0000000..6aa4e00
--- /dev/null
+++ b/build/nginx/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:3.19
+
+# install packages
+RUN apk add --no-cache nginx shadow tini
+RUN rm -fr /var/cache/apk/*
+
+# update nginx user
+RUN groupmod --gid 1000 nginx
+RUN usermod --uid 1000 nginx
+
+# remove build packages
+RUN apk del shadow
+
+# make log syms
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
+ ln -sf /dev/stderr /var/log/nginx/error.log
+
+# do the
+USER nginx
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf"]
diff --git a/build/php/Dockerfile b/build/php/Dockerfile
index d05e60b..5f4bdd5 100644
--- a/build/php/Dockerfile
+++ b/build/php/Dockerfile
@@ -1,4 +1,17 @@
FROM php:fpm-alpine
-RUN apk add --no-cache postgresql-dev runuser
+
+# install packages
+RUN apk add --no-cache postgresql-dev runuser shadow
+RUN rm -fr /var/cache/apk/*
+
+# update php user
+RUN groupmod --gid 1000 www-data
+RUN usermod --uid 1000 www-data
+
+# install php packages
RUN docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql
RUN docker-php-ext-install pdo pdo_pgsql
+
+# remove build packages
+RUN apk del shadow
+USER www-data
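Review bot: Appending `rm "$errors"` after `init` makes the script's exit status that of `rm` (0 whenever the temp file exists), so a failed migration or api initialisation no longer fails the container even though `init` returned 1 — the previous version, which ended on `init`, propagated that status. Capture it before cleaning up: `init; rc=$?` / `rm -f -- "$errors"` / `exit "$rc"`; or register `trap 'rm -f -- "$errors"' EXIT` right after the `mktemp` at the top so the file goes away on every exit path and `init` can stay the last line. Whether anything keys off the exit code (a compose restart policy, a dependent service waiting on this one) is not visible here, but exiting 0 on a failed migration is the wrong default.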
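Review bot: `CMD ["/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf"]` starts nginx without `-g "daemon off;"`, so unless the nginx.conf that gets mounted in sets `daemon off;` the master forks into the background, the foreground process exits, and tini takes the container down with it; `CMD ["/usr/sbin/nginx", "-c", "/etc/nginx/nginx.conf", "-g", "daemon off;"]` is the usual form. `USER nginx` also means the master must be able to write its pid file and client temp directories and cannot bind a port below 1024; nothing here creates or chowns `/run/nginx` or the `/var/lib/nginx` temp paths for uid 1000, so the config presumably points `pid`, `client_body_temp_path` and `listen` somewhere suitable — worth a test run to confirm. The log symlinks are created as root but point at /dev/stdout and /dev/stderr, so that part is fine.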
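Review bot: With `USER www-data` at the end, the `runuser` package added on the first RUN line can no longer switch users — it needs root — so either an entrypoint that relied on it (not in this diff) now fails, or it is dead weight and belongs out of the install line: `RUN apk add --no-cache postgresql-dev shadow`. php-fpm started as a non-root user also ignores the pool's `user`/`group` directives and, as far as I recall, logs a startup notice about it; harmless, but worth knowing when reading the container logs. As in the other images, `rm -fr /var/cache/apk/*` after `apk add --no-cache` does nothing.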
diff --git a/build/postgres/Dockerfile b/build/postgres/Dockerfile
index 834fa89..32bca6e 100644
--- a/build/postgres/Dockerfile
+++ b/build/postgres/Dockerfile
@@ -1,6 +1,21 @@
FROM postgres:16-alpine
-RUN apk add --no-cache make git
+
+# install packages
+RUN apk add --no-cache make git shadow
+RUN rm -fr /var/cache/apk/*
+
+# install pgjwt
RUN git clone https://github.com/michelp/pgjwt.git /tmp/pgjwt
WORKDIR /tmp/pgjwt
RUN make install
+
+# update postgres user
+RUN groupmod --gid 1000 postgres
+RUN usermod --uid 1000 postgres
+
+# remove build packages
+RUN apk del make git shadow
+
+# fix workdir
WORKDIR /
+USER postgres
diff --git a/build/postgrest/Dockerfile b/build/postgrest/Dockerfile
index d7720aa..bf1a573 100644
--- a/build/postgrest/Dockerfile
+++ b/build/postgrest/Dockerfile
@@ -1,9 +1,30 @@
FROM alpine:3.19
+
+# install packages
+RUN apk add --no-cache tini shadow
+RUN rm -fr /var/cache/apk/*
+
+# setup main user
+RUN adduser -D postgrest
+RUN groupmod --gid 1000 postgrest
+RUN usermod --uid 1000 postgrest
+
+# install postgrest
COPY ./postgrest.tar.xz /tmp/postgrest.tar.xz
-RUN tar xJf /tmp/postgrest.tar.xz -C /tmp
-RUN cp /tmp/postgrest /usr/local/bin/postgrest
+RUN tar xJf /tmp/postgrest.tar.xz -C /usr/local/bin
RUN rm /tmp/postgrest.tar.xz
+
+# copy scripts
COPY ./entrypoint.sh /usr/local/bin/entrypoint.sh
-CMD ["/usr/local/bin/entrypoint.sh"]
+# remove build packages
+RUN apk del shadow
+
+# make the dirs
+RUN mkdir -p /etc/postgrest.d && \
+ chown postgrest:postgrest /etc/postgrest.d
+# do the
+USER postgrest
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["/usr/local/bin/entrypoint.sh"]
diff --git a/build/postgrest/entrypoint.sh b/build/postgrest/entrypoint.sh
index d375769..71b433d 100755
--- a/build/postgrest/entrypoint.sh
+++ b/build/postgrest/entrypoint.sh
@@ -1,6 +1,5 @@
#!/bin/sh
-mkdir /etc/postgrest.d
config=/etc/postgrest.d/postgrest.conf
PGRST_DB_URI="postgres://authenticator:postgrest@db:5432/$POSTGRES_DB"
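Review bot: `RUN git clone https://github.com/michelp/pgjwt.git /tmp/pgjwt` still builds whatever sits at the remote default branch at image-build time, so the extension that validates every JWT in this system is unpinned third-party code that can change between two builds of the same commit; pin it to a reviewed revision, e.g. `RUN git clone https://github.com/michelp/pgjwt.git /tmp/pgjwt && git -C /tmp/pgjwt checkout <reviewed-commit-sha>`, or vendor the control and SQL files that `make install` copies and drop `git` from the image altogether. Separately, `usermod --uid 1000 postgres` rewrites the uid but only re-chowns the home directory, and the new `USER postgres` skips the official entrypoint's root-phase `chown` of PGDATA, so a data volume initialised by the stock image as uid 70 will no longer be writable — confirm the volume's owner is 1000 before this rolls out.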
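Review bot: `RUN tar xJf /tmp/postgrest.tar.xz -C /usr/local/bin` now unpacks the whole archive straight into a PATH directory; the step it replaces extracted to /tmp and copied only `postgrest`, so any extra member in a future tarball (docs, a helper script, a nested path) lands on PATH as a root-owned file. Name the member to keep the old behaviour, assuming the archive's top-level entry is `postgrest` as the old `cp /tmp/postgrest` implies: `RUN tar xJf /tmp/postgrest.tar.xz -C /usr/local/bin postgrest`. The tarball is vendored via `COPY` with no integrity check at build time; a `sha256sum -c` line before the extract would make hand-refreshed binaries auditable. As with the init image, `adduser -D -u 1000 -G postgrest postgrest` after `addgroup -g 1000 postgrest` would avoid installing and removing `shadow` for a user this image creates itself.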
@@ -9,12 +8,14 @@ PGRST_SCHEMA="api"
rm -fr "$config"
touch "$config"
-printf 'db-uri = "%s"\n' "$PGRST_DB_URI" >> $config
-printf 'db-anon-role = "%s"\n' "$PGRST_ROLE" >> $config
-printf 'db-schemas = "%s"\n' "$PGRST_SCHEMA" >> $config
-printf 'jwt-secret = "%s"\n' "$JWT_SECRET" >> $config
-printf 'jwt-secret-is-base64 = false\n' >> $config
-printf 'server-host = "*"\n' >> $config
-printf 'server-port = 3000\n' >> $config
+{
+ printf 'db-uri = "%s"\n' "$PGRST_DB_URI";
+ printf 'db-anon-role = "%s"\n' "$PGRST_ROLE";
+ printf 'db-schemas = "%s"\n' "$PGRST_SCHEMA";
+ printf 'jwt-secret = "%s"\n' "$JWT_SECRET";
+ printf 'jwt-secret-is-base64 = false\n';
+ printf 'server-host = "*"\n';
+ printf 'server-port = 3000\n';
+} >> $config
-exec /usr/local/bin/postgrest $config
+exec /usr/local/bin/postgrest "$config" |
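Review bot: The generated config holds both the database password (inside `db-uri`) and `jwt-secret`, and it is created by `touch "$config"` under the default umask, so it is readable by every uid in the container; put `umask 077` before the `touch` (or `chmod 600 "$config"` right after it) so only the postgrest user can read it. The redirect `} >> $config` is still unquoted while the `exec` line below was quoted in this same commit — make it `} >> "$config"`. `printf 'jwt-secret = "%s"\n'` does no escaping, so a secret containing `"` or a backslash produces a broken config line; PostgREST reads `PGRST_JWT_SECRET`, `PGRST_DB_URI`, `PGRST_DB_ANON_ROLE` and `PGRST_DB_SCHEMAS` from the environment directly, which would avoid both the escaping problem and writing secrets to disk at all — the variable names in this script already nearly match.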