initial commit

comminutus · Apr 11, 2024 · 394e86b · 394e86b
commit 394e86b
Show file tree

Hide file tree

Showing 8 changed files with 1,204 additions and 0 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,137 @@
+name: CI
+
+on:
+  schedule:
+    - cron: 0 8 * * *
+  push:
+    branches:
+      - master
+    tags:
+      - v*.*.*
+  pull_request:
+    branches:
+      - master
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@v3 #v3.1.1
+        with:
+          cosign-release: 'v2.2.3'
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3 # v3.0.0
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }},prefix=v
+            type=ref,event=branch
+            type=ref,event=tag
+            type=ref,event=pr
+            type=schedule
+            type=raw,value=${{ github.sha }}
+            type=edge,branch=master
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5 # v5.0.0
+        with:
+          context: .
+          file: Containerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+  vulnerability-scan:
+    name: Vulnerability Scan
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: template
+          template: '@/contrib/sarif.tpl'
+          output: trivy-results.sarif
+          # severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results.sarif
+
+  tagged-release:
+    name: Tagged Release
+    needs: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: marvinpinto/action-automatic-releases@latest
+        if: |
+          startsWith(github.ref, 'refs/tags/v') &&
+          github.event_name == 'push'
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          prerelease: false
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,18 @@
+{
+    "cSpell.words": [
+        "aquasecurity",
+        "BLOCKLIST",
+        "Buildx",
+        "codeql",
+        "comminutus",
+        "Fulcio",
+        "marvinpinto",
+        "moderod",
+        "monero",
+        "monerod",
+        "sarif",
+        "sigstore",
+        "stagenet",
+        "Trivy"
+    ]
+}
diff --git a/Containerfile b/Containerfile
@@ -0,0 +1,130 @@
+########################################################################################################################
+# Configuration / Base Image
+########################################################################################################################
+# Core Config
+ARG fedora_tag=39
+ARG monero_version=0.18.3.3
+
+# Ports:
+# 18080: mainnet peer-to-peer; for nodes to communicate with other nodes
+# 18081: mainnet RPC port
+# 18082: mainnet JSON RPC port
+# 18083: mainnet ZMQ port
+# 28080: stagenet peer-to-peer; for nodes to communicate with other nodes
+# 28081: stagenet RPC port
+# 28082: stagenet JSON RPC port
+# 28083: stagenet ZMQ port
+# 38080: testnet peer-to-peer; for nodes to communicate with other nodes
+# 38081: testnet RPC port
+# 38082: testnet JSON RPC port
+# 38083: testnet ZMQ port
+ARG ports='18080 18081 18082 18083 28080 28081 28082 28083 38080 38081 38082 38083'
+
+# Defaults
+ARG uid=10000
+ARG build_dir=/tmp/build
+ARG dist_dir=$build_dir/dist
+ARG hashes_file=hashes.txt
+ARG hashes_url=https://www.getmonero.org/downloads/$hashes_file
+ARG install_dir=/usr/local/bin
+ARG data_dir=/var/lib/monero
+
+FROM fedora-minimal:$fedora_tag as base
+
+
+########################################################################################################################
+# Build Image
+########################################################################################################################
+FROM base as build
+ARG build_dir dist_dir hashes_file hashes_url monero_version
+
+# Update build image and install packages necessary for build
+RUN microdnf update -y
+
+# Copy assets
+WORKDIR $build_dir
+COPY . .
+
+ARG build_packages='bzip2 gnupg2 tar wget'
+RUN microdnf install -y $build_packages
+#ARG build_packages='bzip2 ca-certificates gpg gpg-agent wget'
+
+# Download hashes and verify
+RUN gpg --import *.asc && \
+    wget "$hashes_url" && \
+    gpg --verify "$hashes_file"
+
+RUN set -ex                                                   && \
+  platform="$(uname -a | awk '{print tolower($1)}')"          && \
+  arch="$(uname -m | sed 's/x86_64/x64/g')"                   && \
+  archive="monero-$platform-$arch-v${monero_version}.tar.bz2" && \
+  echo "$archive" > archive.txt
+
+# Download Monero
+RUN wget "https://downloads.getmonero.org/cli/$(cat archive.txt)"
+
+# Verify Monero
+RUN grep "$(cat archive.txt)" "$hashes_file" | sha256sum -c
+
+# Extract archive
+RUN mkdir -p "$dist_dir" && tar -xj --strip-components 1 -C "$dist_dir" -f "$(cat archive.txt)"
+
+
+########################################################################################################################
+# Final image
+########################################################################################################################
+FROM base as final
+ARG data_dir dist_dir gid install_dir ports uid
+
+WORKDIR /home/monero
+
+# Update final image packages
+RUN microdnf update -y
+
+# Install necessary packages
+ARG runtime_packages='shadow-utils'
+RUN microdnf install -y $runtime_packages
+
+# Environment variables, overridable from container
+ENV MONERO_ADDITIONAL_ARGS=
+ENV MONERO_DATA_DIR=$data_dir
+ENV MONERO_LOG_LEVEL=0
+ENV MONERO_DISABLE_DNS_CHECKPOINTS=
+ENV MONERO_ENABLE_DNS_BLOCKLIST=true
+ENV MONERO_INSTALL_DIR=$install_dir
+ENV MONERO_NON_INTERACTIVE=true
+ENV MONERO_P2P_BIND_IP=0.0.0.0
+ENV MONERO_P2P_BIND_PORT=18080
+ENV MONERO_P2P_EXTERNAL_PORT=0
+ENV MONERO_RPC_BIND_IP=0.0.0.0
+ENV MONERO_RPC_BIND_PORT=18081
+ENV MONERO_RPC_RESTRICTED_BIND_IP=
+ENV MONERO_RPC_RESTRICTED_BIND_IPV6_ADDRESS=
+ENV MONERO_TX_PROXY=
+ENV MONERO_ZMQ_PUB=
+
+# Install binaries
+RUN mkdir -p "$install_dir" "$data_dir"
+COPY --from=build $dist_dir $MONERO_INSTALL_DIR
+
+# Create Monero user
+RUN useradd -ms /bin/bash monero -u "$uid"
+
+
+# Copy container entrypoint script into container
+COPY entrypoint.bash .
+
+# Change ownership of all files in user dir and data dir
+RUN chown -R monero:monero "$data_dir" /home/monero
+
+# Setup volume for blockchain
+VOLUME $data_dir
+
+# Expose ports
+EXPOSE $ports
+
+# Run as monero
+USER monero
+
+# Run entrypoint script
+ENTRYPOINT ["./entrypoint.bash"]