slfhstd/TestPostsBot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

docker build updates to improve security

Browse Source
This commit is contained in:
Self Hosted
2026-03-11 17:42:51 +00:00
parent ea3eb899e7
commit c605e00e95
3 changed files with 55 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Dockerfile
+14
View File
@@ -1,9 +1,23 @@
# Dockerfile for Reddit Test Posts Bot # Dockerfile for Reddit Test Posts Bot
FROM python:3.11-slim FROM python:3.11-slim
# Create a non-root user for running the bot
RUN groupadd -g ${GROUP_ID:-1000} botgroup && \
useradd -u ${USER_ID:-1000} -g botgroup -m botuser
WORKDIR /app WORKDIR /app
COPY requirements.txt . COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt RUN pip install --no-cache-dir -r requirements.txt
COPY bot.py . COPY bot.py .
COPY config.py . COPY config.py .
# Create DB directory with proper permissions
RUN mkdir -p /app/DB && chown -R botuser:botgroup /app
ENV PYTHONUNBUFFERED=1 ENV PYTHONUNBUFFERED=1
# Switch to non-root user
USER botuser
CMD ["python", "bot.py"] CMD ["python", "bot.py"]
README.md
+33 -1
View File
@@ -79,10 +79,35 @@ docker run \
### Docker Compose ### Docker Compose
```bash ```bash
# Edit docker-compose.yml with your credentials # Edit prod.env with your credentials, then:
docker-compose up docker-compose up
``` ```
#### Security: Running as Non-Root User
By default, the container runs as a non-root user (UID 1000, GID 1000) for improved security. You can customize the user and group IDs by setting environment variables before running:
```bash
# Use specific user and group IDs
USER_ID=1001 GROUP_ID=1001 docker-compose up
# Use default (1000:1000)
docker-compose up
```
The user and group IDs can also be specified in a `.env` file:
```env
USER_ID=1001
GROUP_ID=1001
REDDIT_CLIENT_ID=your_client_id
REDDIT_CLIENT_SECRET=your_client_secret
REDDIT_USERNAME=bot_username
REDDIT_PASSWORD=bot_password
SUBREDDIT=your_subreddit
WIKI_PAGE=testpostsbot_config
```
### Standalone ### Standalone
```bash ```bash
@@ -96,3 +121,10 @@ python bot.py
- The config is fetched fresh for each trigger, so you can update the wiki while the bot is running. - The config is fetched fresh for each trigger, so you can update the wiki while the bot is running.
- Only the first matching trigger per message is processed. - Only the first matching trigger per message is processed.
- All processed messages are tracked in `DB/chat_wiki_requests.txt` to avoid duplicate processing. - All processed messages are tracked in `DB/chat_wiki_requests.txt` to avoid duplicate processing.
## Security
- **Non-Root Execution:** The Docker container runs as a non-root user (UID 1000, GID 1000) by default to minimize security risks. This can be customized via `USER_ID` and `GROUP_ID` environment variables.
- **Credentials:** Store Reddit API credentials in environment variables or `.env` files, never hardcode them.
- **Moderator-Only Commands:** All bot triggers and commands require the sender to be a moderator of the target subreddit.
- **DB Directory:** Processed message IDs are stored in a local `DB/` directory to prevent duplicate processing and maintain stateful operation.
docker-compose.yml
+8
View File
@@ -1,6 +1,14 @@
services: services:
testpostsbot: testpostsbot:
image: slfhstd.uk/slfhstd/testpostsbot:dev image: slfhstd.uk/slfhstd/testpostsbot:dev
build:
context: .
args:
- USER_ID=${USER_ID:-1000}
- GROUP_ID=${GROUP_ID:-1000}
env_file: env_file:
- prod.env - prod.env
user: "${USER_ID:-1000}:${GROUP_ID:-1000}"
restart: unless-stopped restart: unless-stopped
volumes:
- ./DB:/app/DB