blob: 07f6d38b734095f6dba885d076d4f44d681aca28 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
# =============================================================================
# VAPORDROP - DOCKERFILE HARDENED
# Multi-stage build per minimizzare attack surface
# =============================================================================
# -----------------------------------------------------------------------------
# STAGE 1: Build
# -----------------------------------------------------------------------------
FROM golang:1.22-alpine AS builder
# Build dependencies
RUN apk add --no-cache git ca-certificates
WORKDIR /build
# Cache dipendenze
COPY go.mod go.sum* ./
RUN go mod download 2>/dev/null || true
# Copia sorgenti
COPY main.go .
# Init module se non esiste
RUN [ -f go.mod ] || go mod init vapordrop
# Scarica dipendenze
RUN go mod tidy
# Compilazione statica senza CGO
# -ldflags: strip symbols, disable DWARF
# -trimpath: rimuove path locali dal binario
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
-ldflags="-s -w -extldflags '-static'" \
-trimpath \
-o vapordrop \
main.go
# Verifica binario
RUN ./vapordrop --help 2>&1 || true
# -----------------------------------------------------------------------------
# STAGE 2: Runtime
# -----------------------------------------------------------------------------
FROM debian:bookworm-slim
# Labels
LABEL maintainer="VaporDrop"
LABEL description="Ephemeral messaging over Tor"
LABEL security.privileged="false"
# Variabili ambiente per Tor
ENV TOR_SKIP_LAUNCH=1
ENV HOME=/app
# Installa solo il necessario
RUN apt-get update && apt-get install -y --no-install-recommends \
tor \
ca-certificates \
&& rm -rf /var/lib/apt/lists/* \
&& rm -rf /var/cache/apt/*
# Crea utente non-root
RUN groupadd -g 1000 vapor && useradd -r -s /bin/false -d /app -u 1000 -g 1000 vapor
# Directory applicazione
WORKDIR /app
# Copia binario
COPY --from=builder /build/vapordrop /app/vapordrop
# Copia static files (se presenti)
COPY static/ /app/static/
# Permessi
RUN chown -R vapor:vapor /app && \
chmod 500 /app/vapordrop && \
chmod 400 /app/static/* 2>/dev/null || true
# Directory temporanea per Tor (in RAM via tmpfs in docker-compose)
RUN mkdir -p /tmp/tor && chown vapor:vapor /tmp/tor
# Switch a utente non privilegiato
USER vapor
# Health check
HEALTHCHECK --interval=60s --timeout=10s --start-period=120s --retries=3 \
CMD test -f /tmp/tor/.tor_is_ready || exit 1
# Espone porta Tor (non necessario per hidden service, ma utile per debug)
EXPOSE 9050
# Entry point
ENTRYPOINT ["/app/vapordrop"]
|