From 6117ab5b91062e0081b39faed5930ccd50fda48a Mon Sep 17 00:00:00 2001
From: cangui
Date: Mon, 18 Aug 2025 18:35:07 +0200
Subject: [PATCH] UP
---
 Dockerfile | 28 ++++++++++++++--------------
 docker-compose.yml | 26 ++++++++++++--------------
 2 files changed, 26 insertions(+), 28 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0247f8a..2f4b7c1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,19 +1,19 @@
-FROM golang:1.24
-
-WORKDIR /app
-
-# Copie les fichiers de dépendances Go
+# ----- build -----
+FROM golang:1.24 AS builder
+WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
-# Copie tout le reste (code + web + assets)
 COPY . .
+# Si ton main est à la racine (main.go), garde ./ ; sinon mets le chemin du main
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /out/shelfy .
-# Build de ton binaire
-RUN go build -o shelfy .
-
-# Expose les ports nécessaires
-EXPOSE 8080 2121
-
-# Commande de lancement
-CMD ["./shelfy"]
+# ----- runtime -----
+FROM alpine:3.20
+# sh est présent (utile pour le "tee")
+RUN adduser -D -u 10001 appuser
+WORKDIR /app
+COPY --from=builder /out/shelfy /app/shelfy
+RUN chmod +x /app/shelfy && mkdir -p /app/data /app/upload /var/log/shelfy && chown -R appuser:appuser /app
+USER appuser
+ENTRYPOINT ["/bin/sh","-c","/app/shelfy 2>&1 | tee -a /var/log/shelfy/shelfy.log"]
diff --git a/docker-compose.yml b/docker-compose.yml
index f01e9ac..d97ea8d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
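Review bot: `/var/log/shelfy` is created in the last `RUN` of the runtime stage, but `chown -R appuser:appuser /app` covers only `/app`, so after `USER appuser` the `tee -a /var/log/shelfy/shelfy.log` in the ENTRYPOINT most likely cannot open its file. tee then keeps copying to stdout, so the container looks fine while the log that the compose file shares with Fail2ban stays empty and bans stop silently. Extend the ownership change: `chown -R appuser:appuser /app /var/log/shelfy`. A `shelfy_logs` volume already written by the previous root-running image would still hold root-owned files and needs a one-time ownership fix outside the image. Also note that with `sh -c` and a pipe the shell is PID 1 and the pipeline's exit status is tee's, so stop signals and shelfy crashes are not reported faithfully.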
@@ -7,17 +7,19 @@ services:
 dockerfile: Dockerfile
 container_name: shelfy-go
 working_dir: /app
- # ⚠️ Si LocalAI utilise 8080, tu as déjà mappé 8090:8080 côté HTTP, OK.
 ports:
 - "8090:8080"
- - "2121:2121" # FTP (si utilisé)
- - "30000-30100:30000-30100" # FTP passive (si utilisé)
- - "2222:2222" # SFTP
+ - "2121:2121"
+ - "30000-30100:30000-30100"
+ - "2222:2222"
 extra_hosts:
 - "dockerhost:host-gateway"
+ environment:
+ - SHELFY_DATA_DIR=/app/data
 volumes:
 - shelfy_upload:/app/upload
- - shelfy_logs:/var/log/shelfy # <-- partage des logs avec Fail2ban
+ - shelfy_data:/app/data
+ - shelfy_logs:/var/log/shelfy
 labels:
 - traefik.http.routers.shelfy.middlewares=webdav-allow-methods@docker
 - traefik.http.middlewares.webdav-allow-methods.headers.accesscontrolallowmethods=GET,PUT,POST,DELETE,PROPFIND,OPTIONS,LOCK,UNLOCK,HEAD
@@ -26,27 +28,23 @@ services:
 - 8.8.8.8
 - 1.1.1.1
 restart: unless-stopped
- # ✅ Astuce simple pour avoir un fichier de log lisible par Fail2ban
- # Remplace `./app` par ta commande/entrypoint réel si besoin.
- command: [ "sh", "-c", "./app 2>&1 | tee -a /var/log/shelfy/shelfy.log" ]
+ # (pas besoin d'un command ici si l'ENTRYPOINT du Dockerfile fait déjà le tee)
 fail2ban:
 image: crazymax/fail2ban:latest
 container_name: fail2ban
- # On bannit via iptables du host
 network_mode: host
- cap_add:
- - NET_ADMIN
- - NET_RAW
+ cap_add: [ "NET_ADMIN", "NET_RAW" ]
 environment:
 - TZ=Europe/Paris
 - F2B_LOG_TARGET=STDOUT
 - F2B_DB_PURGE_AGE=1d
 volumes:
- - ./fail2ban:/data # conf jails/filters persistantes
- - shelfy_logs:/var/log/shelfy:ro # lit les logs de shelfy
+ - ./fail2ban:/data
+ - shelfy_logs:/var/log/shelfy:ro
 restart: unless-stopped
 volumes:
 shelfy_upload:
+ shelfy_data:
 shelfy_logs:
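Review bot: The port mappings under `ports:` lose their annotations, so nothing in the file now says that `2121:2121` and `30000-30100:30000-30100` are the FTP control and passive ports, that `2222:2222` is SFTP, or that the FTP ones were marked optional ("si utilisé"). These mappings publish on every host interface, and plain FTP sends credentials unencrypted, so a reader needs to know which entries can be dropped when FTP is off. Keep short comments such as `- "2121:2121" # FTP control; remove if FTP is disabled`. The same goes for the `shelfy_logs` mount: its comment was the only hint that Fail2ban depends on this volume, so keep something like `# shared with the fail2ban service, which reads shelfy.log`.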
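Review bot: The fail2ban service keeps `image: crazymax/fail2ban:latest` while running with `network_mode: host` and `NET_ADMIN`/`NET_RAW`, so whatever the tag resolves to at the next pull gets firewall-level access to the host; this hunk rewrites the adjacent `cap_add` line but leaves the tag floating. Pin it to a release, ideally with a digest: `image: crazymax/fail2ban:<version>@sha256:<digest>`. The hunk also deletes the comment saying that bans are applied through the host's iptables, which is the only justification in the file for host networking and the two capabilities. Keep a line such as `# host network + NET_ADMIN/NET_RAW: bans are applied via the host's iptables` above `network_mode: host`.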