-
-
Notifications
You must be signed in to change notification settings - Fork 217
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
17 changed files
with
431 additions
and
771 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
name: Docker Image Build and Analysis | ||
|
||
on: | ||
schedule: | ||
- cron: "0 0 * * *" # Schedule the workflow to run daily at midnight (UTC time). Adjust the time if needed. | ||
workflow_dispatch: # Manual run trigger | ||
inputs: | ||
trigger-build: | ||
description: 'Trigger a manual build and push' | ||
default: 'true' | ||
|
||
jobs: | ||
build-and-analyze: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v3 | ||
|
||
- name: Log in to Docker Hub | ||
uses: docker/login-action@v3 | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
||
- name: Build Docker image | ||
id: build-image | ||
run: | | ||
echo "Building Docker image..." | ||
docker build -t my-app-image:latest . | ||
echo "Docker image built successfully." | ||
- name: Install Docker Scout | ||
run: | | ||
echo "Installing Docker Scout..." | ||
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- | ||
echo "Docker Scout installed successfully." | ||
- name: Analyze Docker image with Docker Scout | ||
id: analyze-image | ||
run: | | ||
echo "Analyzing Docker image with Docker Scout..." | ||
docker scout cves my-app-image:latest > scout-results.txt | ||
cat scout-results.txt # Print the report to the workflow logs for easy viewing | ||
echo "Docker Scout analysis completed." | ||
- name: Post Comment on Issue or PR | ||
run: | | ||
COMMENT="**Docker Image Build and Analysis Report**\n\nThe Docker image was built and analyzed successfully.\n\n**Build Summary:**\n- Image Tag: my-app-image:latest\n\n**Analysis Report:**\n\`\`\`\n$(cat scout-results.txt)\n\`\`\`" | ||
# Post comment using GitHub API | ||
curl -X POST \ | ||
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | ||
-H "Accept: application/vnd.github.v3+json" \ | ||
-d "{\"body\": \"$COMMENT\"}" \ | ||
"https://api.github.com/repos/NOXCIS/WGDashboard/issues/1/comments" # Replace '1' with the issue or PR number |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,63 +0,0 @@ | ||
# Pull from small Debian stable image. | ||
FROM alpine:latest AS build | ||
LABEL maintainer="[email protected]" | ||
|
||
# Declaring environment variables, change Peernet to an address you like, standard is a 24 bit subnet. | ||
ARG wg_net="10.0.0.1" | ||
ARG wg_port="51820" | ||
|
||
# Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info. | ||
ENV TZ="Europe/Amsterdam" | ||
ENV global_dns="1.1.1.1" | ||
ENV enable="none" | ||
ENV isolate="wg0" | ||
ENV public_ip="0.0.0.0" | ||
|
||
# Doing package management operations, such as upgrading | ||
RUN apk update \ | ||
&& apk add --no-cache bash git tzdata \ | ||
iptables ip6tables openrc curl wireguard-tools \ | ||
sudo py3-psutil py3-bcrypt | ||
|
||
# Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. | ||
ENV WGDASH=/opt/wireguarddashboard | ||
|
||
# Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. | ||
|
||
# Doing WireGuard Dashboard installation measures. Modify the git clone command to get the preferred version, with a specific branch for example. | ||
RUN mkdir -p /setup/conf && mkdir /setup/app && mkdir ${WGDASH} | ||
COPY ./src /setup/app/src | ||
#COPY src /setup/app/src | ||
|
||
# Set the volume to be used for WireGuard configuration persistency. | ||
VOLUME /etc/wireguard | ||
VOLUME ${WGDASH} | ||
|
||
# Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency. | ||
# Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006. | ||
SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
RUN out_adapt=$(ip -o -4 route show to default | awk '{print $NF}') \ | ||
&& echo -e "[Interface]\n\ | ||
Address = ${wg_net}/24\n\ | ||
PrivateKey =\n\ | ||
PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o ${out_adapt} -j MASQUERADE\n\ | ||
PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP\n\ | ||
PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o ${out_adapt} -j MASQUERADE\n\ | ||
PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP\n\ | ||
ListenPort = ${wg_port}\n\ | ||
SaveConfig = true\n\ | ||
DNS = ${global_dns}" > /setup/conf/wg0.conf | ||
|
||
|
||
|
||
# Defining a way for Docker to check the health of the container. In this case: checking the login URL. | ||
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ | ||
CMD sh -c 'pgrep gunicorn > /dev/null && pgrep tail > /dev/null' || exit 1 | ||
|
||
|
||
# Copy the basic entrypoint.sh script. | ||
COPY entrypoint.sh /entrypoint.sh | ||
|
||
# Exposing the default WireGuard Dashboard port for web access. | ||
EXPOSE 10086 | ||
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] | ||
Oops, something went wrong.