pi-farm/base-image-debian-rdp-ldap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'dev' (#2) from dev into main
All checks were successful
/ release-and-build (push) Successful in 19m9s
Details

Browse Source 
Reviewed-on: #2
This commit was merged in pull request #2.
This commit is contained in:
info@pi-farm.de
2026-04-09 13:56:20 +00:00
parent 866c25dffa 0a37dc665a
commit 9c795a58ee
10 changed files with 400 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
.gitea/workflows/build-and-push.yaml
View File

@@ -23,6 +23,10 @@ jobs:
run: | run: |
export TZ=Europe/Berlin export TZ=Europe/Berlin
# FIX 1: Stellt sicher, dass die Datei mit einem Zeilenumbruch endet.
# Das verhindert, dass Bash die letzte Zeile beim Einlesen verschluckt.
sed -i -e '$a\' buildargs.env
set -a set -a
source <(grep -v '^#' buildargs.env | sed 's/\r$//') source <(grep -v '^#' buildargs.env | sed 's/\r$//')
set +a set +a
@@ -34,11 +38,16 @@ jobs:
echo "event_name=${{ gitea.event_name }}" >> $GITHUB_OUTPUT echo "event_name=${{ gitea.event_name }}" >> $GITHUB_OUTPUT
# FIX 2: Kugelsicheres Auslesen des Tags direkt aus der Datei.
# Trimm-Befehle (tr) entfernen eventuelle unsichtbare Zeichen oder Anführungszeichen.
SAFE_BUILD_TAG=$(grep "^BUILD_TAG=" buildargs.env | cut -d'=' -f2 | tr -d '\r' | tr -d '"' | xargs)
if [[ "${{ gitea.ref }}" == refs/tags/* ]]; then if [[ "${{ gitea.ref }}" == refs/tags/* ]]; then
CLEAN_TAG=${{ gitea.ref_name }} CLEAN_TAG=${{ gitea.ref_name }}
echo "docker_tag=${CLEAN_TAG#v}" >> $GITHUB_OUTPUT echo "docker_tag=${CLEAN_TAG#v}" >> $GITHUB_OUTPUT
else else
echo "docker_tag=${BUILD_TAG:-latest}" >> $GITHUB_OUTPUT # Nutzt jetzt garantiert den direkt extrahierten Wert
echo "docker_tag=${SAFE_BUILD_TAG:-latest}" >> $GITHUB_OUTPUT
fi fi
OWNER=$(echo "${{ gitea.repository }}" | cut -d'/' -f1 | tr '[:upper:]' '[:lower:]') OWNER=$(echo "${{ gitea.repository }}" | cut -d'/' -f1 | tr '[:upper:]' '[:lower:]')
@@ -129,32 +138,33 @@ jobs:
BASE_SHA=$(docker buildx imagetools inspect $BASE --format '{{json .Manifest.Digest}}' 2>/dev/null | tr -d '"' || echo "unknown") BASE_SHA=$(docker buildx imagetools inspect $BASE --format '{{json .Manifest.Digest}}' 2>/dev/null | tr -d '"' || echo "unknown")
AMD_TAGS=("-t" "$IMAGE_GITEA:tmp-amd64") docker buildx build "${DOCKER_ARGS[@]}" -t "$IMAGE_GITEA:tmp-amd64" \
ARM_TAGS=("-t" "$IMAGE_GITEA:tmp-arm64")
if [[ "$PUSH" == *"dockerhub"* ]]; then
DOCKERHUB_REPO="${{ secrets.DOCKERHUB_USERNAME }}/$REPO_PURE"
AMD_TAGS+=("-t" "$DOCKERHUB_REPO:tmp-amd64")
ARM_TAGS+=("-t" "$DOCKERHUB_REPO:tmp-arm64")
fi
docker buildx build "${DOCKER_ARGS[@]}" "${AMD_TAGS[@]}" \
--pull --platform linux/amd64 -f Dockerfile \ --pull --platform linux/amd64 -f Dockerfile \
--label "pi_farm.base_digest=$BASE_SHA" --label "pi_farm.args_hash=$ARGS_HASH" --push . --label "pi_farm.base_digest=$BASE_SHA" --label "pi_farm.args_hash=$ARGS_HASH" --push .
docker buildx build "${DOCKER_ARGS[@]}" "${ARM_TAGS[@]}" \ docker buildx build "${DOCKER_ARGS[@]}" -t "$IMAGE_GITEA:tmp-arm64" \
--pull --platform linux/arm64 -f Dockerfile.aarch64 \ --pull --platform linux/arm64 -f Dockerfile.aarch64 \
--label "pi_farm.base_digest=$BASE_SHA" --label "pi_farm.args_hash=$ARGS_HASH" --push . --label "pi_farm.base_digest=$BASE_SHA" --label "pi_farm.args_hash=$ARGS_HASH" --push .
GITEA_MANIFEST_TAGS=("-t" "$IMAGE_GITEA:$TAG")
if [[ "$BUILD_TAG_LATEST" == "y" ]]; then
GITEA_MANIFEST_TAGS+=("-t" "$IMAGE_GITEA:latest")
fi
docker buildx imagetools create \ docker buildx imagetools create \
--annotation "index:pi_farm.base_digest=$BASE_SHA" --annotation "index:pi_farm.args_hash=$ARGS_HASH" \ --annotation "index:pi_farm.base_digest=$BASE_SHA" --annotation "index:pi_farm.args_hash=$ARGS_HASH" \
-t $IMAGE_GITEA:$TAG -t $IMAGE_GITEA:latest $IMAGE_GITEA:tmp-amd64 $IMAGE_GITEA:tmp-arm64 "${GITEA_MANIFEST_TAGS[@]}" $IMAGE_GITEA:tmp-amd64 $IMAGE_GITEA:tmp-arm64
if [[ "$PUSH" == *"dockerhub"* ]]; then if [[ "$PUSH" == *"dockerhub"* ]]; then
DOCKERHUB_REPO="${{ secrets.DOCKERHUB_USERNAME }}/$REPO_PURE" DOCKERHUB_REPO="${{ secrets.DOCKERHUB_USERNAME }}/$REPO_PURE"
DH_MANIFEST_TAGS=("-t" "$DOCKERHUB_REPO:$TAG")
if [[ "$BUILD_TAG_LATEST" == "y" ]]; then
DH_MANIFEST_TAGS+=("-t" "$DOCKERHUB_REPO:latest")
fi
docker buildx imagetools create \ docker buildx imagetools create \
--annotation "index:pi_farm.base_digest=$BASE_SHA" --annotation "index:pi_farm.args_hash=$ARGS_HASH" \ --annotation "index:pi_farm.base_digest=$BASE_SHA" --annotation "index:pi_farm.args_hash=$ARGS_HASH" \
-t $DOCKERHUB_REPO:$TAG -t $DOCKERHUB_REPO:latest $IMAGE_GITEA:tmp-amd64 $IMAGE_GITEA:tmp-arm64 "${DH_MANIFEST_TAGS[@]}" $IMAGE_GITEA:tmp-amd64 $IMAGE_GITEA:tmp-arm64
fi fi
- name: Update Documentation and Compose - name: Update Documentation and Compose
@@ -163,7 +173,6 @@ jobs:
run: | run: |
set -x set -x
# --- 1. VARIABLEN VORBEREITEN ---
export TZ=Europe/Berlin export TZ=Europe/Berlin
CURRENT_TIME=$(date '+%d.%m.%Y %H:%M') CURRENT_TIME=$(date '+%d.%m.%Y %H:%M')
BUILD_TAG="${{ steps.prep.outputs.docker_tag }}" BUILD_TAG="${{ steps.prep.outputs.docker_tag }}"
@@ -185,11 +194,9 @@ jobs:
EOF EOF
COMMIT_MSG=$(sed 's/\[skip ci\]//g' commit_msg.txt | xargs) COMMIT_MSG=$(sed 's/\[skip ci\]//g' commit_msg.txt | xargs)
# --- 2. TEMPLATES LADEN ---
wget -q https://git.pi-farm.de/pi-farm/templates/raw/branch/main/README.template -O README.template || echo "Warnung: README Template fehlt" wget -q https://git.pi-farm.de/pi-farm/templates/raw/branch/main/README.template -O README.template || echo "Warnung: README Template fehlt"
wget -q https://git.pi-farm.de/pi-farm/templates/raw/branch/main/docker-compose.template -O docker-compose.template || echo "Warnung: Compose Template fehlt" wget -q https://git.pi-farm.de/pi-farm/templates/raw/branch/main/docker-compose.template -O docker-compose.template || echo "Warnung: Compose Template fehlt"
# --- 3. VERSION HISTORY ---
NEW_ROW="| **$BUILD_TAG** | $CURRENT_TIME | $COMMIT_MSG ✅ |" NEW_ROW="| **$BUILD_TAG** | $CURRENT_TIME | $COMMIT_MSG ✅ |"
if [ -f "VERSION.history" ]; then if [ -f "VERSION.history" ]; then
grep -v "| **$BUILD_TAG** |" VERSION.history > VERSION.history.tmp || true grep -v "| **$BUILD_TAG** |" VERSION.history > VERSION.history.tmp || true
@@ -232,9 +239,6 @@ jobs:
done <<< "$vol_vars" done <<< "$vol_vars"
fi fi
# --- 5. DOCKER RUN BEFEHL (NEU: Als Datei schreiben) ---
# Wir schreiben direkt in eine Datei. Da gibt es keine Interpretationsfehler.
# Wichtig: " \\" am Ende der Zeilen explizit hinschreiben.
{ {
echo "docker run -d \\" echo "docker run -d \\"
echo " --name $REPO_PURE \\" echo " --name $REPO_PURE \\"
@@ -256,24 +260,20 @@ jobs:
fi fi
done <<< "$all_params" done <<< "$all_params"
fi fi
# Letzte Zeile OHNE Backslash
echo " $FULL_URL:$BUILD_TAG" echo " $FULL_URL:$BUILD_TAG"
} > docker_run_block.txt } > docker_run_block.txt
# --- 6. DOCKER HUB LINK ---
DOCKERHUB_LINK_CONTENT="" DOCKERHUB_LINK_CONTENT=""
if [[ "${{ steps.prep.outputs.push_targets }}" == *"dockerhub"* ]]; then if [[ "${{ steps.prep.outputs.push_targets }}" == *"dockerhub"* ]]; then
DH_USER="${{ secrets.DOCKERHUB_USERNAME }}" DH_USER="${{ secrets.DOCKERHUB_USERNAME }}"
DOCKERHUB_LINK_CONTENT="[![Docker Hub](https://img.shields.io/badge/docker-hub-blue?logo=docker&logoColor=white)](https://hub.docker.com/r/${DH_USER}/${REPO_PURE})" DOCKERHUB_LINK_CONTENT="[![Docker Hub](https://img.shields.io/badge/docker-hub-blue?logo=docker&logoColor=white)](https://hub.docker.com/r/${DH_USER}/${REPO_PURE})"
fi fi
# --- 7. TEMPLATE ENGINE (Optimiert für File-Injection) ---
process_template() { process_template() {
local template=$1; local output=$2 local template=$1; local output=$2
[ ! -f "$template" ] && return [ ! -f "$template" ] && return
cp "$template" "$output" cp "$template" "$output"
# Simple Ersetzungen
sed -i "s|__REPO_NAME__|$REPO_PURE|g" "$output" sed -i "s|__REPO_NAME__|$REPO_PURE|g" "$output"
sed -i "s|__FULL_URL__|$FULL_URL|g" "$output" sed -i "s|__FULL_URL__|$FULL_URL|g" "$output"
sed -i "s|__BUILD_TAG__|$BUILD_TAG|g" "$output" sed -i "s|__BUILD_TAG__|$BUILD_TAG|g" "$output"
@@ -281,28 +281,23 @@ jobs:
sed -i "s|__ARM_STATUS__|$ARM_STATUS|g" "$output" sed -i "s|__ARM_STATUS__|$ARM_STATUS|g" "$output"
sed -i "s|__CURRENT_DATE__|$CURRENT_TIME|g" "$output" sed -i "s|__CURRENT_DATE__|$CURRENT_TIME|g" "$output"
# Komplexe Blöcke: AWK für Strings, SED für Files
awk -v r="$HISTORY_CONTENT" '{gsub(/__HISTORY_CONTENT__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" awk -v r="$HISTORY_CONTENT" '{gsub(/__HISTORY_CONTENT__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output"
awk -v r="$DOCKERHUB_LINK_CONTENT" '{gsub(/__DOCKERHUB_LINK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" awk -v r="$DOCKERHUB_LINK_CONTENT" '{gsub(/__DOCKERHUB_LINK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output"
# NEU: Docker Run Block via File einfügen (sicherste Methode)
if grep -q "__DOCKER_RUN__" "$output" && [ -f "docker_run_block.txt" ]; then if grep -q "__DOCKER_RUN__" "$output" && [ -f "docker_run_block.txt" ]; then
sed -e '/__DOCKER_RUN__/{r docker_run_block.txt' -e 'd;}' "$output" > "$output.tmp" && mv "$output.tmp" "$output" sed -e '/__DOCKER_RUN__/{r docker_run_block.txt' -e 'd;}' "$output" > "$output.tmp" && mv "$output.tmp" "$output"
fi fi
# Compose Block via File einfügen
if grep -q "__COMPOSE_BLOCK__" "$output" && [ -f "docker-compose.yml" ]; then if grep -q "__COMPOSE_BLOCK__" "$output" && [ -f "docker-compose.yml" ]; then
sed -e '/__COMPOSE_BLOCK__/{r docker-compose.yml' -e 'd;}' "$output" > "$output.tmp" && mv "$output.tmp" "$output" sed -e '/__COMPOSE_BLOCK__/{r docker-compose.yml' -e 'd;}' "$output" > "$output.tmp" && mv "$output.tmp" "$output"
fi fi
# ENV/PORTS/VOL Blöcke
if grep -q "__ENV_BLOCK__" "$output"; then if grep -q "__ENV_BLOCK__" "$output"; then
awk -v r="$(echo -e "$ENV_BLOCK_CONTENT")" '{gsub(/__ENV_BLOCK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" awk -v r="$(echo -e "$ENV_BLOCK_CONTENT")" '{gsub(/__ENV_BLOCK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output"
fi fi
awk -v r="$(echo -e "$PORTS_BLOCK_CONTENT")" '{gsub(/__PORTS_BLOCK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" awk -v r="$(echo -e "$PORTS_BLOCK_CONTENT")" '{gsub(/__PORTS_BLOCK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output"
awk -v r="$(echo -e "$VOL_BLOCK_CONTENT")" '{gsub(/__VOL_BLOCK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" awk -v r="$(echo -e "$VOL_BLOCK_CONTENT")" '{gsub(/__VOL_BLOCK__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output"
# Description als letztes
if grep -q "__DESCRIPTION__" "$output"; then if grep -q "__DESCRIPTION__" "$output"; then
awk -v r="$(echo -e "${DESCRIPTION:-Keine Beschreibung.}")" '{gsub(/__DESCRIPTION__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output" awk -v r="$(echo -e "${DESCRIPTION:-Keine Beschreibung.}")" '{gsub(/__DESCRIPTION__/, r)}1' "$output" > "$output.tmp" && mv "$output.tmp" "$output"
fi fi
@@ -311,7 +306,6 @@ jobs:
process_template "docker-compose.template" "docker-compose.yml" process_template "docker-compose.template" "docker-compose.yml"
process_template "README.template" "README.md" process_template "README.template" "README.md"
# --- 8. EXPORTS ---
echo "FINAL_MSG=$COMMIT_MSG" >> $GITHUB_ENV echo "FINAL_MSG=$COMMIT_MSG" >> $GITHUB_ENV
echo "DESCRIPTION<<EOF" >> $GITHUB_ENV echo "DESCRIPTION<<EOF" >> $GITHUB_ENV
echo -e "$DESCRIPTION" >> $GITHUB_ENV echo -e "$DESCRIPTION" >> $GITHUB_ENV
@@ -372,23 +366,18 @@ jobs:
git config --local user.email "action@pi-farm.de" git config --local user.email "action@pi-farm.de"
git config --local user.name "Gitea Action" git config --local user.name "Gitea Action"
# Sicherstellen, dass wir etwas zum Committen haben
git add VERSION.history README.md docker-compose.yml git add VERSION.history README.md docker-compose.yml
# Nur committen, wenn es Änderungen gibt
git diff --quiet && git diff --staged --quiet || git commit -m "${{ env.FINAL_MSG }} [skip ci]" git diff --quiet && git diff --staged --quiet || git commit -m "${{ env.FINAL_MSG }} [skip ci]"
# Das Tag exakt so setzen, wie es in prep definiert wurde (ohne extra 'v')
TARGET_TAG="${{ steps.prep.outputs.docker_tag }}" TARGET_TAG="${{ steps.prep.outputs.docker_tag }}"
git tag -f "$TARGET_TAG" git tag -f "$TARGET_TAG"
if [[ "${{ gitea.ref }}" == refs/tags/* ]]; then if [[ "${{ gitea.ref }}" == refs/tags/* ]]; then
echo "🏷️ Build aus Tag getriggert: $TARGET_TAG" echo "🏷️ Build aus Tag getriggert: $TARGET_TAG"
# Wir pushen das Tag (force), um die Doku-Updates einzuschließen
git push -f origin "$TARGET_TAG" git push -f origin "$TARGET_TAG"
else else
echo "🌿 Build aus Branch/Schedule getriggert: ${{ gitea.ref_name }}" echo "🌿 Build aus Branch/Schedule getriggert: ${{ gitea.ref_name }}"
# In den Branch pushen (HEAD:branch_name) und das Tag setzen
git push origin HEAD:${{ gitea.ref_name }} git push origin HEAD:${{ gitea.ref_name }}
git push -f origin "$TARGET_TAG" git push -f origin "$TARGET_TAG"
fi fi

9
.gitignore vendored
View File

@@ -8,12 +8,7 @@
.DS_Store .DS_Store
Thumbs.db Thumbs.db
# Deine spezifischen Ordner
# Wir ignorieren den Inhalt von data, behalten aber den Ordner
data/*
!data/.gitkeep
# Falls in config sensible Daten (Passwörter) landen,
# solltest du sie hier ebenfalls ausschließen:
config/* config/*
!config/.gitkeep !config/.gitkeep
home/*
!home/.gitkeep

119
Dockerfile
View File

@@ -1,27 +1,110 @@
# Example Dockerfile for amd64 ARG BUILD_BASE_IMAGE=debian:bookworm
ARG BASE_IMAGE=alpine:latest
FROM ${BASE_IMAGE} FROM ${BUILD_BASE_IMAGE}
ARG MAINTAINER ARG BUILD_MAINTAINER
ARG TZ ARG BUILD_TZ
ARG APP_NAME ARG BUILD_APP_NAME
ARG APP_USER ARG BUILD_LANG
ARG BUILD_LANGUAGE
ARG BUILD_LC_ALL
ARG BUILD_COUNTRY
LABEL maintainer="${MAINTAINER}" LABEL maintainer="${BUILD_MAINTAINER}"
LABEL org.opencontainers.image.title="${APP_NAME}" LABEL org.opencontainers.image.title="${BUILD_APP_NAME}"
ENV TZ=${TZ} ENV TZ=${BUILD_TZ}
ENV USER=${APP_USER} ENV LANG=${BUILD_LANG}
ENV LANGUAGE=${BUILD_LANGUAGE}
ENV LC_ALL=${BUILD_LC_ALL}
ENV COUNTRY=${BUILD_COUNTRY}
ENV DEBIAN_FRONTEND=noninteractive
RUN apk add --no-cache tzdata ca-certificates RUN sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/debian.sources && \
apt-get update && apt-get install -y \
xrdp \
sssd \
sssd-tools \
libpam-sss \
libnss-sss \
libsss-sudo \
ldap-utils \
ca-certificates \
dbus-x11 \
xfce4 \
xfce4-terminal \
sudo \
firefox-esr \
firefox-esr-l10n-${COUNTRY} \
thunderbird \
thunderbird-l10n-${COUNTRY} \
locales \
tzdata \
keyboard-configuration \
x11-xkb-utils \
pulseaudio \
build-essential \
dpkg-dev \
git \
libpulse-dev \
meson \
ninja-build \
pkg-config \
autoconf \
libtool && \
apt-get build-dep -y pulseaudio && \
cd /tmp && \
apt-get source pulseaudio && \
PULSE_DIR=$(find /tmp -maxdepth 1 -type d -name "pulseaudio-*" | head -n 1) && \
cd $PULSE_DIR && \
meson setup build \
-Dman=false \
-Dtests=false \
-Ddoxygen=false && \
cd /tmp && \
git clone https://github.com/neutrinolabs/pulseaudio-module-xrdp.git && \
cd pulseaudio-module-xrdp && \
./bootstrap && \
./configure PULSE_DIR=$PULSE_DIR && \
make && \
make install && \
cd / && \
rm -rf /tmp/pulseaudio-* /tmp/pulseaudio-module-xrdp && \
apt-get remove -y build-essential dpkg-dev meson ninja-build autoconf libtool && \
apt-get autoremove -y && \
rm -rf /var/lib/apt/lists/* && \
echo "${LANG} UTF-8" > /etc/locale.gen && \
locale-gen ${LANG} && \
update-locale LANG=${LANG} LANGUAGE=${LANGUAGE} && \
ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \
dpkg-reconfigure -f noninteractive tzdata && \
printf 'XKBMODEL="pc105"\nXKBLAYOUT="%s"\nXKBVARIANT=""\nXKBOPTIONS=""\nBACKSPACE="guess"\n' "${COUNTRY}" > /etc/default/keyboard && \
dpkg-reconfigure -f noninteractive keyboard-configuration
WORKDIR /app # NEU: Systemweite statische Konfigurationen für LDAP/PAM/Sudo
COPY ./config /app/config # 1. Entfernt die gefährliche %users Regel
COPY ./data /app/data # 2. Sagt nsswitch, dass Sudoers auch im SSS (LDAP) gesucht werden sollen
# 3. Aktiviert das automatische Erstellen von Home-Verzeichnissen (mkhomedir)
RUN sed -i '/%users/s/^/# /' /etc/sudoers && \
echo "sudoers: files sss" >> /etc/nsswitch.conf && \
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-session
RUN adduser -D ${APP_USER} && chown -R ${APP_USER}:${APP_USER} /app RUN chmod 440 /etc/sudoers && \
mkdir -p /etc/sssd && chown root:root /etc/sssd && chmod 755 /etc/sssd && \
mkdir -p /home && chmod 755 /home && \
chown xrdp:xrdp /etc/xrdp/key.pem /etc/xrdp/cert.pem /etc/xrdp/rsakeys.ini && \
chmod 600 /etc/xrdp/key.pem /etc/xrdp/rsakeys.ini && \
chmod 644 /etc/xrdp/cert.pem && \
echo "LANG=${LANG}" >> /etc/environment && \
echo "LANGUAGE=${LANGUAGE}" >> /etc/environment && \
echo "LC_ALL=${LC_ALL}" >> /etc/environment && \
sed -i '2i export LANG=${LANG}\nexport LANGUAGE=${LANGUAGE}\nexport LC_ALL=${LC_ALL}\npulseaudio --start\npactl load-module module-xrdp-sink.so\npactl load-module module-xrdp-source.so' /etc/xrdp/startwm.sh && \
chmod +x /etc/xrdp/startwm.sh && \
mkdir -p /etc/xdg/xfce4 && \
echo "setxkbmap ${COUNTRY}" >> /etc/xdg/xfce4/xinitrc
USER ${APP_USER} EXPOSE 3389
CMD ["sh"] COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
CMD ["/entrypoint.sh"]

119
Dockerfile.aarch64
View File

@@ -1,27 +1,110 @@
# Example Dockerfile for arm64 ARG BUILD_BASE_IMAGE=debian:bookworm
ARG BASE_IMAGE=alpine:latest
FROM ${BASE_IMAGE} FROM ${BUILD_BASE_IMAGE}
ARG MAINTAINER ARG BUILD_MAINTAINER
ARG TZ ARG BUILD_TZ
ARG APP_NAME ARG BUILD_APP_NAME
ARG APP_USER ARG BUILD_LANG
ARG BUILD_LANGUAGE
ARG BUILD_LC_ALL
ARG BUILD_COUNTRY
LABEL maintainer="${MAINTAINER}" LABEL maintainer="${BUILD_MAINTAINER}"
LABEL org.opencontainers.image.title="${APP_NAME}" LABEL org.opencontainers.image.title="${BUILD_APP_NAME}"
ENV TZ=${TZ} ENV TZ=${BUILD_TZ}
ENV USER=${APP_USER} ENV LANG=${BUILD_LANG}
ENV LANGUAGE=${BUILD_LANGUAGE}
ENV LC_ALL=${BUILD_LC_ALL}
ENV COUNTRY=${BUILD_COUNTRY}
ENV DEBIAN_FRONTEND=noninteractive
RUN apk add --no-cache tzdata ca-certificates RUN sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/debian.sources && \
apt-get update && apt-get install -y \
xrdp \
sssd \
sssd-tools \
libpam-sss \
libnss-sss \
libsss-sudo \
ldap-utils \
ca-certificates \
dbus-x11 \
xfce4 \
xfce4-terminal \
sudo \
firefox-esr \
firefox-esr-l10n-${COUNTRY} \
thunderbird \
thunderbird-l10n-${COUNTRY} \
locales \
tzdata \
keyboard-configuration \
x11-xkb-utils \
pulseaudio \
build-essential \
dpkg-dev \
git \
libpulse-dev \
meson \
ninja-build \
pkg-config \
autoconf \
libtool && \
apt-get build-dep -y pulseaudio && \
cd /tmp && \
apt-get source pulseaudio && \
PULSE_DIR=$(find /tmp -maxdepth 1 -type d -name "pulseaudio-*" | head -n 1) && \
cd $PULSE_DIR && \
meson setup build \
-Dman=false \
-Dtests=false \
-Ddoxygen=false && \
cd /tmp && \
git clone https://github.com/neutrinolabs/pulseaudio-module-xrdp.git && \
cd pulseaudio-module-xrdp && \
./bootstrap && \
./configure PULSE_DIR=$PULSE_DIR && \
make && \
make install && \
cd / && \
rm -rf /tmp/pulseaudio-* /tmp/pulseaudio-module-xrdp && \
apt-get remove -y build-essential dpkg-dev meson ninja-build autoconf libtool && \
apt-get autoremove -y && \
rm -rf /var/lib/apt/lists/* && \
echo "${LANG} UTF-8" > /etc/locale.gen && \
locale-gen ${LANG} && \
update-locale LANG=${LANG} LANGUAGE=${LANGUAGE} && \
ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \
dpkg-reconfigure -f noninteractive tzdata && \
printf 'XKBMODEL="pc105"\nXKBLAYOUT="%s"\nXKBVARIANT=""\nXKBOPTIONS=""\nBACKSPACE="guess"\n' "${COUNTRY}" > /etc/default/keyboard && \
dpkg-reconfigure -f noninteractive keyboard-configuration
WORKDIR /app # NEU: Systemweite statische Konfigurationen für LDAP/PAM/Sudo
COPY ./config /app/config # 1. Entfernt die gefährliche %users Regel
COPY ./data /app/data # 2. Sagt nsswitch, dass Sudoers auch im SSS (LDAP) gesucht werden sollen
# 3. Aktiviert das automatische Erstellen von Home-Verzeichnissen (mkhomedir)
RUN sed -i '/%users/s/^/# /' /etc/sudoers && \
echo "sudoers: files sss" >> /etc/nsswitch.conf && \
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-session
RUN adduser -D ${APP_USER} && chown -R ${APP_USER}:${APP_USER} /app RUN chmod 440 /etc/sudoers && \
mkdir -p /etc/sssd && chown root:root /etc/sssd && chmod 755 /etc/sssd && \
mkdir -p /home && chmod 755 /home && \
chown xrdp:xrdp /etc/xrdp/key.pem /etc/xrdp/cert.pem /etc/xrdp/rsakeys.ini && \
chmod 600 /etc/xrdp/key.pem /etc/xrdp/rsakeys.ini && \
chmod 644 /etc/xrdp/cert.pem && \
echo "LANG=${LANG}" >> /etc/environment && \
echo "LANGUAGE=${LANGUAGE}" >> /etc/environment && \
echo "LC_ALL=${LC_ALL}" >> /etc/environment && \
sed -i '2i export LANG=${LANG}\nexport LANGUAGE=${LANGUAGE}\nexport LC_ALL=${LC_ALL}\npulseaudio --start\npactl load-module module-xrdp-sink.so\npactl load-module module-xrdp-source.so' /etc/xrdp/startwm.sh && \
chmod +x /etc/xrdp/startwm.sh && \
mkdir -p /etc/xdg/xfce4 && \
echo "setxkbmap ${COUNTRY}" >> /etc/xdg/xfce4/xinitrc
USER ${APP_USER} EXPOSE 3389
CMD ["sh"] COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
CMD ["/entrypoint.sh"]

79
README.md
View File

@@ -1,16 +1,75 @@
# Projekt: {{.RepoName}} [![Build Status](https://git.pi-farm.de/{{.Owner.Name}}/{{.RepoName}}/actions/workflows/build-and-push.yaml/badge.svg)](https://git.pi-farm.de/{{.Owner.Name}}/{{.RepoName}}/actions) # base-image-debian-rdp-ldap
Debian Desktop with LDAP-Authentication. To use behind Guacamole with LDAP-Authentication and pass-through to Debian-Desktop.
[![Build Status](https://git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap/actions/workflows/build-and-push.yaml/badge.svg)](https://git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap/actions)
[![Gitea Repo](https://img.shields.io/badge/gitea-repository-blue?logo=gitea&logoColor=white)](__REPO_URL__)
This repository is built and pushed automatically. This repository is built and pushed automatically.
### 🏗️ Platform Support [![Docker Hub](https://img.shields.io/badge/docker-hub-blue?logo=docker__DOCKERHUB_LINK__logoColor=white)](https://hub.docker.com/r/pifarm/base-image-debian-rdp-ldap)
| Architecture | Status | Base-Image |
| :--- | :--- | :--- |
| **x86_64** (amd64) | ✅ Active | `__BASE_IMAGE__` |
| **aarch64** (arm64) | __ARM_STATUS__ | `__BASE_IMAGE__` |
### 🚀 Docker Pull Command ### 🏗️ Platform Support
| Architecture | Status | Base Image | Build Date |
| :--- | :--- | :--- | :--- |
| x86_64 (amd64) | ✅ Active | debian:bookworm | 09.04.2026 15:23 |
| aarch64 (arm64) | ✅ Active | debian:bookworm | 09.04.2026 15:23 |
### 🚀 Docker Pull
```bash ```bash
docker pull git.pi-farm.de/{{.Owner.Name}}/{{.RepoName}}:latest docker pull git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap:bookworm-de
``` ```
--- ### 🚀 Docker Compose
*Last updated on: __DATE__* ```yaml
services:
base-image-debian-rdp-ldap:
image: git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap:bookworm-de
container_name: base-image-debian-rdp-ldap
restart: unless-stopped
ports:
- 3889
environment:
- SSSD_DEBUG_LEVEL=5
- LDAP_URI=ldap://YOUR-LDAP-SERVER:389
- LDAP_BASE_DN=dc=YOUR-DOMAIN,dc=LOC
- LDAP_BIND_DN=cn=YOUR-BIND-USER,dc=YOUR-DOMAIN,dc=LOC
- LDAP_BIND_PASSWORD=YOUR-SUPER-SECRET-BIND-PASSWORD
- LDAP_SUDO_GROUP=YOUR-SUDO-USERS-GROUP
volumes:
- ./YOUR-PERSISTENT-FOLDER:/home
```
### 🚀 Docker Run
```bash
docker run -d \
--name base-image-debian-rdp-ldap \
--restart unless-stopped \
-e SSSD_DEBUG_LEVEL=5 \
-e LDAP_URI=ldap://YOUR-LDAP-SERVER:389 \
-e LDAP_BASE_DN=dc=YOUR-DOMAIN,dc=LOC \
-e LDAP_BIND_DN=cn=YOUR-BIND-USER,dc=YOUR-DOMAIN,dc=LOC \
-e LDAP_BIND_PASSWORD=YOUR-SUPER-SECRET-BIND-PASSWORD \
-e LDAP_SUDO_GROUP=YOUR-SUDO-USERS-GROUP \
-v ./YOUR-PERSISTENT-FOLDER:/home \
-p 3889 \
git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap:bookworm-de
```
*Last updated on: 09.04.2026 15:23*
### 📜 Version History
| Version | Date | Status |
| :--- | :--- | :--- |
| **bookworm-de** | 09.04.2026 15:23 | ✅ |
| **trixie-de** | 09.04.2026 14:58 | ✅ |
| **bookworm-de** | 09.04.2026 14:13 | ✅ |
| **bookworm-de** | 09.04.2026 13:10 | ✅ |
| **bookworm-de** | 09.04.2026 11:58 | ✅ |
| **bookworm-de** | 09.04.2026 10:11 | ✅ |
| **bookworm-de** | 07.04.2026 19:27 | ✅ |
| **bookworm-de** | 07.04.2026 17:38 | ✅ |
| **bookworm-de** | 05.04.2026 11:47 | ✅ |
| **bookworm-de** | 05.04.2026 11:20 | ✅ |
| **bookworm-de** | 04.04.2026 00:31 | ✅ |
| **bookworm-de** | 02.04.2026 17:26 | ✅ |
| **bookworm-de** | 02.04.2026 16:44 | ✅ |
| **bookworm-de** | 02.04.2026 15:37 | ✅ |
| **bookworm** | 02.04.2026 14:15 | ✅ |

49
buildargs.env
View File

@@ -1,26 +1,27 @@
## BUILD STAGE ## BUILD STAGE
BUILD_TAG=1.00 BUILD_BASE_IMAGE=debian:bookworm
BUILD_BASE_IMAGE=alpine:${BUILD_TAG} BUILD_COUNTRY=de
## Examples for BUILD_BASE_IMAGE BUILD_TAG=bookworm-de
# alpine:${BUILD_TAG} BUILD_TAG_LATEST=n
# git.pi-farm.de/pi-farm/docker-baseimage-alpine:v${BUILD_TAG} BUILD_LANG=de_DE.UTF-8
#BUILD_ALPINE_ARCH_AMD64=x86_64 BUILD_LANGUAGE=de_DE:de
#BUILD_ALPINE_ARCH_AARCH64=aarch64 BUILD_LC_ALL=de_DE.UTF-8
#BUILD_S6_ARCH_amd64=x86_64 BUILD_TZ=Europe/Berlin
#BUILD_S6_ARCH_aarch64=aarch64 BUILD_MAINTAINER=pi-farm
#BUILD_S6_OVERLAY_VERSION=3.2.0.2 BUILD_APP_NAME=base-image-debian-rdp-ldap
#BUILD_MAINTAINER=pi-farm BUILD_APP_VERSION=1.0.0
#BUILD_APP_VERSION=v${BUILD_TAG} PUSH=dockerhub
#BUILD_APP_NAME=basimage-alpine
#BUILD_APP_USER=pi
#BUILD_APP_GID=1000
## ENV STAGE
ENV_TZ=Europe/Berlin
ENV_PUID=1000
ENV_PGID=1000
# VOL_CONFIG=./config:/config
# VOL_DATA=./data:/data
# PORT_WEB=8080:80
#PUSH=gitea,dockerhub
DESCRIPTION="Example example example"
## ENV STAGE
ENV_SSSD_DEBUG_LEVEL=5
ENV_LDAP_URI=ldap://YOUR-LDAP-SERVER:389
ENV_LDAP_BASE_DN=dc=YOUR-DOMAIN,dc=LOC
ENV_LDAP_BIND_DN=cn=YOUR-BIND-USER,dc=YOUR-DOMAIN,dc=LOC
ENV_LDAP_BIND_PASSWORD=YOUR-SUPER-SECRET-BIND-PASSWORD
ENV_LDAP_SUDO_GROUP=YOUR-SUDO-USERS-GROUP
## DOCKER / COMPOSE CONFIG
VOL_HOME=./YOUR-PERSISTENT-FOLDER:/home
PORT_RDP=3889
DESCRIPTION="Debian Desktop with LDAP-Authentication and Pulse-Audio. To use behind Guacamole with LDAP-Authentication and pass-through to Debian-Desktop."

0
data/.gitkeep
View File

17
docker-compose.yml
View File

@@ -1 +1,16 @@
services:
base-image-debian-rdp-ldap:
image: git.pi-farm.de/pi-farm/base-image-debian-rdp-ldap:bookworm-de
container_name: base-image-debian-rdp-ldap
restart: unless-stopped
ports:
- 3889
environment:
- SSSD_DEBUG_LEVEL=5
- LDAP_URI=ldap://YOUR-LDAP-SERVER:389
- LDAP_BASE_DN=dc=YOUR-DOMAIN,dc=LOC
- LDAP_BIND_DN=cn=YOUR-BIND-USER,dc=YOUR-DOMAIN,dc=LOC
- LDAP_BIND_PASSWORD=YOUR-SUPER-SECRET-BIND-PASSWORD
- LDAP_SUDO_GROUP=YOUR-SUDO-USERS-GROUP
volumes:
- ./YOUR-PERSISTENT-FOLDER:/home

61
entrypoint.sh Normal file
View File

@@ -0,0 +1,61 @@
#!/bin/bash
set -e
# Mapping der Gitea-Workflow Variablen (ENV_...) auf interne Variablen
# Falls ENV_LDAP_URI nicht gesetzt ist, wird ein Fallback genutzt
LDAP_URI=${LDAP_URI:-"ldap://localhost:389"}
LDAP_BASE_DN=${LDAP_BASE_DN:-"dc=example,dc=com"}
LDAP_BIND_DN=${LDAP_BIND_DN:-"cn=admin,dc=example,dc=com"}
LDAP_BIND_PASSWORD=${LDAP_BIND_PASSWORD}
LDAP_SUDO_GROUP=${LDAP_SUDO_GROUP:-"sudo_users"}
SSSD_DEBUG=${SSSD_DEBUG_LEVEL:-0}
echo ">>> Erstelle SSSD Konfiguration..."
cat <<EOF > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
chpass_provider = ldap
ldap_uri = ${LDAP_URI}
ldap_search_base = ${LDAP_BASE_DN}
ldap_sudo_search_base = ou=SUDOers,${LDAP_BASE_DN}
ldap_default_bind_dn = ${LDAP_BIND_DN}
ldap_default_authtok = ${LDAP_BIND_PASSWORD}
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
ldap_auth_disable_tls_never_use_in_production = true
cache_credentials = true
enumerate = false
EOF
chmod 600 /etc/sssd/sssd.conf
chown root:root /etc/sssd/sssd.conf
echo ">>> Erstelle Sudoers-Regel für Gruppe: ${LDAP_SUDO_GROUP}..."
echo "%${LDAP_SUDO_GROUP} ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/ldap-admins
chmod 0440 /etc/sudoers.d/ldap-admins
echo ">>> Bereinige SSSD Cache..."
rm -f /var/lib/sss/db/*
rm -f /var/lib/sss/mc/*
echo ">>> Starte Dienste..."
# SSSD mit dem gemappten Debug-Level starten
sssd -D --debug-level=${SSSD_DEBUG}
service dbus start
xrdp-sesman
exec xrdp -n

0
config/.gitkeep → home/.gitkeep
View File