16302ed309
Stock strfry + a default-deny write-policy plugin (kinds 0,3,5,13,1059, 10002,10050,27235 only), NIP-42 auth, neutral NIP-11, a bundled name authority (paid names/uses via GoblinPay), and a config-toggled co-located mixnet exit. Docker Compose + Caddy + hardened systemd. strfry core stays stock (plugin + config only). Validated end to end against real strfry.
46 lines
2.0 KiB
Docker
# Builds the floonet-strfry relay: STOCK strfry (https://github.com/hoytech/strfry),
# cloned fresh at a pinned commit and compiled UNMODIFIED (no fork, no patches),
# plus python3 and the Floonet write policy plugin. The only Floonet-specific
# bits are strfry.conf + floonet_writepolicy.py, layered on via strfry's own
# config and plugin mechanisms (strfry.conf is not baked into the image; it is
# supplied at run time). docker-compose builds this as the `relay` service
# (build context = repo root).
#
# Pinned for reproducibility. Bump STRFRY_REF to a newer upstream commit to
# update strfry; nothing else changes, since the source is never touched.

FROM alpine:3.18 AS build

ENV TZ=Europe/London

WORKDIR /build

# Build dependencies as listed in upstream strfry's Alpine instructions.
RUN apk --no-cache add \
    linux-headers git g++ make perl pkgconfig libtool ca-certificates \
    libressl-dev zlib-dev lmdb-dev flatbuffers-dev libsecp256k1-dev zstd-dev

ARG STRFRY_REF=b80cda3a812af1b662223edad47eb70b053508b6

RUN git clone https://github.com/hoytech/strfry . \
    && git checkout "${STRFRY_REF}" \
    && git submodule update --init \
    && make setup-golpe \
    && make -j"$(nproc)"


FROM alpine:3.18

WORKDIR /app

# strfry talks to the write policy plugin over stdin/stdout, one JSON line per
# request and response, and waits for each answer. PYTHONUNBUFFERED keeps the
# plugin's stdout unbuffered so a response is never left sitting in a Python
# buffer; the plugin also flushes explicitly, so this is belt-and-suspenders
# against buffering stalls.
ENV PYTHONUNBUFFERED=1

# Runtime libraries only (no compilers), plus python3 for the plugin.
RUN apk --no-cache add \
    lmdb flatbuffers libsecp256k1 libb2 zstd libressl python3 \
    && rm -rf /var/cache/apk/*

COPY --from=build /build/strfry /app/strfry

COPY plugin/floonet_writepolicy.py /usr/local/bin/floonet_writepolicy.py

# Run as a fixed non-root uid: the relay takes untrusted network input, so
# drop privilege. Only the db dir needs to be owned by that uid (the binary
# and plugin are world-readable and executable already); a named volume
# inherits this ownership, and a bind mount must be chowned to 10001.
RUN addgroup -g 10001 -S strfry \
    && adduser -u 10001 -S -G strfry strfry \
    && chmod +x /usr/local/bin/floonet_writepolicy.py \
    && mkdir -p /strfry-db \
    && chown -R strfry:strfry /strfry-db

USER strfry

EXPOSE 7777

ENTRYPOINT ["/app/strfry"]

CMD ["relay"]
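The plugin this image ships is the program strfry spawns from `relay.writePolicy.plugin` in strfry.conf and drives over stdin/stdout, one JSON request per line in and one JSON response per line out, which is why the runtime stage forces unbuffered Python output. The following is an added example, not Floonet's floonet_writepolicy.py: a minimal default-deny policy that implements the kind allowlist from the repo description (0, 3, 5, 13, 1059, 10002, 10050, 27235) using strfry's documented plugin protocol (`type`/`event` in, `id`/`action`/`msg` out, with `action` one of `accept`, `reject`, `shadowReject`). The sample requests, event ids and source addresses are constructed, not real relay traffic.

```python
#!/usr/bin/env python3
"""Default-deny strfry write policy plugin (added example, not Floonet's own).

Assumes strfry's documented plugin protocol: each stdin line is a JSON object
with "type" ("new"), "event", "receivedAt", "sourceType", "sourceInfo"; each
stdout line is a JSON object with "id", "action" and "msg".
"""
import io
import json
import sys

# Kind allowlist from the repo description; every other kind is rejected.
ALLOWED_KINDS = frozenset({0, 3, 5, 13, 1059, 10002, 10050, 27235})


def decide(req):
    """Return the policy response for one plugin request (never raises)."""
    event = req.get("event") or {}
    event_id = event.get("id", "")
    if req.get("type") != "new":
        # Default deny: a request type we do not understand is rejected,
        # not waved through.
        return {"id": event_id, "action": "reject",
                "msg": "blocked: unsupported request type"}
    kind = event.get("kind")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(kind, int) or isinstance(kind, bool):
        return {"id": event_id, "action": "reject",
                "msg": "invalid: kind must be an integer"}
    if kind not in ALLOWED_KINDS:
        return {"id": event_id, "action": "reject",
                "msg": f"blocked: kind {kind} not accepted here"}
    return {"id": event_id, "action": "accept", "msg": ""}


def serve(inp, out):
    """Answer requests from inp on out, one JSON line each; returns the count."""
    handled = 0
    for line in inp:
        line = line.strip()
        if not line:
            continue
        try:
            req = json.loads(line)
        except ValueError:
            # No parseable id means no response strfry could match; log it
            # on stderr (strfry relays plugin stderr) and keep serving.
            print("writepolicy: unparseable request line", file=sys.stderr)
            continue
        out.write(json.dumps(decide(req)) + "\n")
        out.flush()  # strfry blocks on this answer; never leave it buffered
        handled += 1
    return handled


# Constructed sample requests (placeholder ids and a documentation address).
SAMPLE_REQUESTS = [
    {"type": "new", "receivedAt": 1700000000, "sourceType": "IP4",
     "sourceInfo": "203.0.113.5",
     "event": {"id": "ev-meta", "kind": 0, "pubkey": "pk1", "content": "{}"}},
    {"type": "new", "receivedAt": 1700000001, "sourceType": "IP4",
     "sourceInfo": "203.0.113.5",
     "event": {"id": "ev-note", "kind": 1, "pubkey": "pk1", "content": "hi"}},
    {"type": "new", "receivedAt": 1700000002, "sourceType": "IP4",
     "sourceInfo": "203.0.113.5",
     "event": {"id": "ev-http", "kind": 27235, "pubkey": "pk1", "content": ""}},
    {"type": "new", "receivedAt": 1700000003, "sourceType": "IP4",
     "sourceInfo": "203.0.113.5",
     "event": {"id": "ev-dm", "kind": 4, "pubkey": "pk1", "content": "?"}},
]


def run_samples():
    """Run the constructed requests through serve() and return the responses."""
    inp = io.StringIO("".join(json.dumps(r) + "\n" for r in SAMPLE_REQUESTS))
    out = io.StringIO()
    serve(inp, out)
    return [json.loads(l) for l in out.getvalue().splitlines()]


if __name__ == "__main__":
    if sys.stdin.isatty():
        for resp in run_samples():  # demo mode when run by hand
            print(resp)
    else:
        serve(sys.stdin, sys.stdout)  # plugin mode under strfry
```

Pointed at from strfry.conf as `relay.writePolicy.plugin`, this runs in plugin mode; invoked from a terminal it prints the decisions for the constructed samples (accept, reject, accept, reject). The explicit `flush()` per response is what the Dockerfile comment refers to; PYTHONUNBUFFERED covers the case where a future edit forgets it.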
|