diff --git a/.woodpecker.yml b/.woodpecker.yml
index ceb5737..e31d05f 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -2,13 +2,13 @@ pipeline:
 publish:
 image: plugins/docker
 registry: registry.nulo.in
- repo: registry.nulo.in/sutty/CHANGEME
+ repo: registry.nulo.in/sutty/rspamd
 tags:
 - ${ALPINE_VERSION}
 - latest
 build_args:
 - ALPINE_VERSION=${ALPINE_VERSION}
- - BASE_IMAGE=registry.nulo.in/sutty/monit
+ - BASE_IMAGE=registry.nulo.in/sutty/redis
 username: sutty
 secrets:
 - docker_password
diff --git a/Dockerfile b/Dockerfile
index 2d65dc2..b04cdf6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,31 +1,22 @@
 ARG ALPINE_VERSION=3.13.6
 ARG BASE_IMAGE=sutty/monit
-FROM ${BASE_IMAGE}:${ALPINE_VERSION}
+FROM ${BASE_IMAGE}:${ALPINE_VERSION}-100mb
 MAINTAINER "f "
-RUN apk add --no-cache redis
-
-COPY ./monit.conf /etc/monit.d/redis.conf
-
-RUN sed -re "/^bind /d" -i /etc/redis.conf
-RUN sed -re "/^protected-mode /d" -i /etc/redis.conf
-RUN sed -re "/^logfile /d" -i /etc/redis.conf
-RUN sed -re "s/^# (syslog-enabled).*/\1 yes/" -i /etc/redis.conf
-RUN sed -re "s/^(appendonly).*/\1 yes/" -i /etc/redis.conf
-RUN echo "pidfile /run/redis/redis.pid" >> /etc/redis.conf
-RUN echo "daemonize yes" >> /etc/redis.conf
-RUN echo "protected-mode no" >> /etc/redis.conf
-RUN echo "maxmemory 50mb" >> /etc/redis.conf
-RUN echo "maxmemory-policy volatile-ttl" >> /etc/redis.conf
-RUN echo "bind 127.0.0.1 ::1" >> /etc/redis.conf
-RUN sed -re "s/^(dir).*/\1 \/var\/lib\/rspamd-redis/" -i /etc/redis.conf
+RUN sed -re "/^save \"\"/d" \
+ -e "s/^(appendonly) .*/\1 yes/" \
+ -e "s/^(maxmemory-policy) .*/\1 volatile-ttl/" \
+ -e "s/^(bind) .*/\1 127.0.0.1 ::1/" \
+ -e "s|^(dir) .*|\1 /var/lib/redis|" \
+ -i /etc/redis.conf
 RUN apk add --no-cache rspamd rspamd-client rspamd-proxy rspamd-controller
 RUN install -dm 755 /etc/rspamd/local.d
 RUN install -dm 750 -o rspamd -g rspamd /var/lib/rspamd
-RUN install -dm 750 -o redis -g redis /var/lib/rspamd-redis
+RUN install -dm 750 -o redis -g redis /var/lib/redis
-# TODO: Deprecate OpenDKIM
+# TODO: Deprecate OpenDKIM, but it allow us to keep signing even if
+# Rspamd is down.
 RUN echo "enabled = false;" >> /etc/rspamd/local.d/dkim_signing.conf
 # Redis
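Review bot: The `-e "s/^(bind) .*/\1 127.0.0.1 ::1/"` expression in the new `RUN sed` only rewrites a `bind` line that already exists uncommented in the base image's /etc/redis.conf, whereas the removed lines deleted any `bind` and appended a fixed one. If the `${BASE_IMAGE}` config ships without that line, the substitution is a silent no-op and the listening address (and `protected-mode`, which this file no longer sets) is whatever the base image chose. Because sed exits 0 either way, follow the edit with a build-time assertion such as `RUN grep -qx "bind 127.0.0.1 ::1" /etc/redis.conf`, so the build fails rather than shipping a Redis that may be reachable beyond loopback. The same applies to the `appendonly`, `maxmemory-policy` and `dir` substitutions. The default `ARG BASE_IMAGE=sutty/monit` also no longer matches the `sutty/redis` base that the CI pipeline passes.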
@@ -53,11 +44,11 @@ RUN echo "facility = \"daemon\";" >> /etc/rspamd/local.d/logging.inc RUN echo "servers = \"localhost\";" >> /etc/rspamd/local.d/classifier-bayes.conf RUN echo "autolearn = [-5,5];" >> /etc/rspamd/local.d/classifier-bayes.conf -COPY ./local_addrs.sh /usr/local/bin/local_addrs -COPY ./rspamd.conf /etc/monit.d/rspamd.conf +COPY ./local_addrs /etc/rspamd/local.d/maps.d/local_addrs +COPY ./monit.conf /etc/monit.d/rspamd.conf EXPOSE 11332 EXPOSE 11333 EXPOSE 11334 -VOLUME "/var/lib/rspamd-redis" +VOLUME "/var/lib/redis" VOLUME "/var/lib/rspamd" diff --git a/local_addrs b/local_addrs new file mode 100644 index 0000000..d8c696b --- /dev/null +++ b/local_addrs @@ -0,0 +1,2 @@ +172.19.0.0/24 +fd00:acab::/32 diff --git a/local_addrs.sh b/local_addrs.sh deleted file mode 100755 index 2aec2d7..0000000 --- a/local_addrs.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -local_addrs="/etc/rspamd/local.d/maps.d/local_addrs" - -test -f "${local_addrs}" && exit - -ip -4 route | cut -d " " -f 1 | grep -v default >> "${local_addrs}" -ip -6 route | cut -d " " -f 1 | grep -v default >> "${local_addrs}" diff --git a/monit.conf b/monit.conf index a2a8fd1..1613046 100644 --- a/monit.conf +++ b/monit.conf @@ -1,4 +1,3 @@ -check process redis with pidfile /run/redis/redis.pid - start program = "/usr/bin/redis-server /etc/redis.conf" as uid "redis" and gid "redis" - stop program = "/usr/bin/redis-cli shutdown" - if failed port 6379 protocol redis 3 times within 5 cycles then restart +check process rspamd with matching "rspamd: main" + start program = "/usr/sbin/rspamd" as uid "rspamd" and gid "rspamd" + stop program = "/usr/bin/killall rspamd" diff --git a/rspamd.conf b/rspamd.conf deleted file mode 100644 index 24cfa50..0000000 --- a/rspamd.conf +++ /dev/null 
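Review bot: The two prefixes in the new `local_addrs` file are baked into the image with nothing recording which networks they are, and they replace the removed `local_addrs.sh`, which derived the list from the container's routes at start-up. If this map feeds rspamd's notion of local (trusted) senders, as the target path `/etc/rspamd/local.d/maps.d/local_addrs` suggests, a deployment on a different subnet would stop treating its own relays as local. It could also treat unrelated hosts inside `fd00:acab::/32` as local, because a /32 is far wider than a single ULA /48 site prefix. Consider narrowing the IPv6 entry to the prefix actually in use and documenting both values next to the `COPY` in the Dockerfile, e.g. `# local_addrs: container network prefixes; must match the deployment's network definition`.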
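Review bot: The new `check process rspamd` block in monit.conf has no liveness test, so after this hunk the file only detects a missing process: an rspamd that is hung but still matches `rspamd: main` is never restarted, while the removed redis check at least probed its port. Consider adding a probe on one of the ports the Dockerfile exposes, for example `if failed host 127.0.0.1 port 11334 protocol http for 3 cycles then restart`, assuming the controller listens there. Redis supervision is now presumably inherited from the base image's monit configuration; that is not visible in this diff and is worth confirming.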
@@ -1,8 +0,0 @@
-check process rspamd with matching "rspamd: main"
- start program = "/usr/sbin/rspamd" as uid "rspamd" and gid "rspamd"
- stop program = "/usr/bin/killall rspamd"
-
-check program local_addrs
- with path "/usr/local/bin/local_addrs"
- every 1 cycle
- if status = 0 then unmonitor