Automated, hardened container image builds for oPodSync, a gPodder API compatible server previously known as Micro GPodder Server.
The images are based on FrankenPHP (and therefore Caddy) and Google Distroless Debian.
```yaml
services:
  opodsync:
    container_name: opodsync
    image: ghcr.io/tomgehrmann/opodsync:latest
    restart: on-failure:5
    security_opt:
      - "no-new-privileges=true"
      # - "apparmor=docker-opodsync" # optional hardening with AppArmor
    read_only: true
    mem_limit: 500MB
    cpus: 0.25
    cap_add:
      - CAP_NET_BIND_SERVICE
    cap_drop:
      - ALL
    ports:
      - "8080:8080"
      # - "8443:8443" # TLS
    # environment:
    #   SERVER_NAME: ":8080 localhost:8443" # TLS
    volumes:
      - ./data:/app/data
      - ./caddy_config:/caddy_config
      - ./caddy_data:/caddy_data
    tmpfs:
      - /tmp # session data
```

Copy config.dist.php to ./data/config.local.php on the host.
The host port(s) and container port(s) must match the port(s) of the address(es) defined in the Caddyfile. You can change the address(es) with the SERVER_NAME environment variable.
See the Caddy docs for further information.
The application runs as the nonroot user (UID 65532) by default. Mind the ownership and permissions of the bind-mounted directories: ./data, ./caddy_config and ./caddy_data must be writable by that UID, because with read_only: true the container has nowhere else to write. Override the UID with the user key if needed.
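The setup steps above (copy the sample config, make the bind mounts usable by UID 65532, confirm the container really runs hardened) as a POSIX shell script. This is an added example, not a script shipped by the image or by oPodSync; the function names, the APP_UID/APP_GID variables and the default directory layout are assumptions matching the compose file above.

```shell
#!/bin/sh
# Prepare the bind-mounted directories for the oPodSync container.
# Added example, not part of the upstream project. Assumes the compose file
# above (./data, ./caddy_data, ./caddy_config) and the default container
# user 65532; override with APP_UID/APP_GID if you set `user:` in compose.
set -eu

APP_UID="${APP_UID:-65532}"
APP_GID="${APP_GID:-65532}"

# Create one bind-mount directory and, when run as root, hand it to the
# container user. Non-root callers get a warning instead of a failing chown.
prepare_dir() {
    dir="$1"
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$APP_UID:$APP_GID" "$dir"
        chmod 0750 "$dir"          # owner rwx, group rx, no world access
    else
        echo "warning: not root, cannot chown $dir to $APP_UID:$APP_GID" >&2
    fi
}

# Copy the sample config to config.local.php unless one already exists,
# so re-running the script never clobbers a customised config.
install_config() {
    src="$1"
    dest="$2/config.local.php"
    if [ -e "$dest" ]; then
        echo "keeping existing $dest" >&2
        return 0
    fi
    cp "$src" "$dest"
    chmod 0640 "$dest"             # app user can read it, nobody else
    if [ "$(id -u)" -eq 0 ]; then
        chown "$APP_UID:$APP_GID" "$dest"
    fi
}

# Numeric owner of a path (GNU stat first, BSD stat as fallback).
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Return non-zero if any given path is not owned by the container user;
# a read-only rootfs plus a nonroot user makes this the only writable place.
check_perms() {
    rc=0
    for d in "$@"; do
        uid="$(owner_uid "$d")"
        if [ "$uid" != "$APP_UID" ]; then
            echo "$d is owned by uid $uid, not $APP_UID" >&2
            rc=1
        fi
    done
    return $rc
}

# Prepare all three mounts under BASE (default: current directory) and
# install the config from SRC (default: BASE/config.dist.php).
prepare_all() {
    base="${1:-.}"
    src="${2:-$base/config.dist.php}"
    for d in data caddy_data caddy_config; do
        prepare_dir "$base/$d"
    done
    install_config "$src" "$base/data"
}

# Print the hardening settings of the running container so they can be
# compared against the compose file (needs docker; skipped when absent).
show_hardening() {
    command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
    docker inspect --format \
        'user={{.Config.User}} readonly={{.HostConfig.ReadonlyRootfs}} capdrop={{.HostConfig.CapDrop}} capadd={{.HostConfig.CapAdd}} secopt={{.HostConfig.SecurityOpt}}' \
        "${1:-opodsync}"
}
```

Run it as root once (sudo sh prepare.sh && prepare_all) so the chown takes effect, then `docker compose up -d` and `show_hardening` to confirm the container reports the nonroot user, a read-only rootfs and ALL in CapDrop. If you would rather not chown to 65532, keep the directories owned by your own account and set `user: "$(id -u):$(id -g)"` in the compose file instead.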
Caddy supports HTTPS by default. As I neither recommend nor use this myself, it only received rudimentary testing with locally-trusted certificates generated by Caddy. Use a reverse proxy instead. If you only access this application through a reverse proxy, do not publish the ports on the host (use expose rather than ports) and put both containers on a dedicated Docker network when they run on the same machine; if the proxy runs on the host itself, bind the published port to 127.0.0.1 so Docker does not open it on every interface.
To enable TLS in the container anyway, add the domain to the SERVER_NAME environment variable. Don't forget about the ports.
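The reverse-proxy layout recommended above, written out as a compose file. This is an added example, not a file from the image or from oPodSync: the proxy service, the network names, the Caddyfile path and the volume names are assumptions, and the proxy image (caddy:2) is just one choice.

```yaml
services:
  opodsync:
    container_name: opodsync
    image: ghcr.io/tomgehrmann/opodsync:latest
    restart: on-failure:5
    user: "65532:65532"
    security_opt:
      - "no-new-privileges=true"
    read_only: true
    cap_drop:
      - ALL
    # Weak setting from the single-container layout, kept here for contrast:
    # ports:
    #   - "8080:8080"      # published on 0.0.0.0 of the host
    # Hardened: nothing is published on the host. `expose` is documentation
    # only; the proxy reaches 8080 because both share the backend network.
    expose:
      - "8080"
    environment:
      SERVER_NAME: ":8080"   # plain HTTP inside; TLS terminates at the proxy
    volumes:
      - ./data:/app/data
      - ./caddy_config:/caddy_config
      - ./caddy_data:/caddy_data
    tmpfs:
      - /tmp
    networks:
      - backend

  proxy:
    image: caddy:2          # assumption: any reverse proxy works here
    restart: on-failure:5
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./proxy/Caddyfile:/etc/caddy/Caddyfile:ro
      - proxy_data:/data    # ACME account and certificates
    networks:
      - backend
      - frontend

networks:
  backend:
    # Only the proxy and the app live here. Add `internal: true` if the app
    # never needs outbound access; the proxy keeps it via `frontend`.
  frontend:

volumes:
  proxy_data:
```

The proxy's Caddyfile then needs a single site block such as `sync.example.com { reverse_proxy opodsync:8080 }`, using the compose service name as the upstream host. Note that `expose` does not restrict anything: every container on the backend network can reach every port of the app, so keep that network limited to the two services.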
To configure oPodSync, edit the config file as described in the project.
The builds are fully automated and I use them myself, but I don't actively monitor the health of the service. Contributions are welcome, but I cannot promise timely replies.