From bd2c7e3bb900e6a9134c4fad08497b399195eb85 Mon Sep 17 00:00:00 2001
From: tleydxdy <koubeshio@tutanota.com>
Date: Fri, 1 May 2020 09:35:34 +0800
Subject: [PATCH] Verify download, fix invidious file permission (#949)

* Fix docker
---
 .travis.yml       |  7 ++-----
 docker/Dockerfile | 29 ++++++++++++++---------------
 2 files changed, 16 insertions(+), 20 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 8b83db2a..403707c7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -27,8 +27,5 @@ jobs:
       install:
         - docker-compose build
       script:
-        - docker-compose up
-        - sleep 15 # Wait for cluster to become ready, TODO: do not sleep
-        - HEADERS="$(curl -I -s http://localhost:3000/)"
-        - STATUS="$(echo $HEADERS | head -n1)"
-        - if [[ "$STATUS" != *"200 OK"* ]]; then echo "$HEADERS"; exit 1; fi
+        - docker-compose up -d
+        - while curl -Isf http://localhost:3000; do sleep 1; done
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 11ab6ed2..d0e4827a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,27 +1,25 @@
 FROM alpine:edge AS builder
-RUN apk add --no-cache crystal shards libc-dev \
+RUN apk add --no-cache curl crystal shards libc-dev \
     yaml-dev libxml2-dev sqlite-dev zlib-dev openssl-dev \
-    sqlite-static zlib-static openssl-libs-static
+    yaml-static sqlite-static zlib-static openssl-libs-static
 WORKDIR /invidious
-COPY ./shard.yml ./shard.yml
-RUN shards update && shards install
-RUN apk add --no-cache curl && \
-    curl -Lo /etc/apk/keys/omarroth.rsa.pub https://github.com/omarroth/boringssl-alpine/releases/download/1.1.0-r0/omarroth.rsa.pub && \
+RUN curl -Lo /etc/apk/keys/omarroth.rsa.pub https://github.com/omarroth/boringssl-alpine/releases/download/1.1.0-r0/omarroth.rsa.pub && \
     curl -Lo boringssl-dev.apk https://github.com/omarroth/boringssl-alpine/releases/download/1.1.0-r0/boringssl-dev-1.1.0-r0.apk && \
     curl -Lo lsquic.apk https://github.com/omarroth/lsquic-alpine/releases/download/2.6.3-r0/lsquic-2.6.3-r0.apk && \
-    tar -xf boringssl-dev.apk && \
-    tar -xf lsquic.apk
-RUN mv ./usr/lib/libcrypto.a ./lib/lsquic/src/lsquic/ext/libcrypto.a && \
-    mv ./usr/lib/libssl.a ./lib/lsquic/src/lsquic/ext/libssl.a && \
-    mv ./usr/lib/liblsquic.a ./lib/lsquic/src/lsquic/ext/liblsquic.a
+    apk verify --no-cache boringssl-dev.apk lsquic.apk && \
+    tar -xf boringssl-dev.apk usr/lib/libcrypto.a usr/lib/libssl.a && \
+    tar -xf lsquic.apk usr/lib/liblsquic.a && \
+    rm /etc/apk/keys/omarroth.rsa.pub boringssl-dev.apk lsquic.apk
+COPY ./shard.yml ./shard.yml
+RUN shards update && shards install && \
+    mv ./usr/lib/* ./lib/lsquic/src/lsquic/ext && \
+    rm -r ./usr /root/.cache
 COPY ./src/ ./src/
 # TODO: .git folder is required for building – this is destructive.
 # See definition of CURRENT_BRANCH, CURRENT_COMMIT and CURRENT_VERSION.
 COPY ./.git/ ./.git/
 RUN crystal build ./src/invidious.cr \
     --static --warnings all --error-on-warnings \
-# TODO: Remove next line, see https://github.com/crystal-lang/crystal/issues/7946
-    -Dmusl \
     --link-flags "-lxml2 -llzma"
 
 FROM alpine:latest
@@ -30,10 +28,11 @@ WORKDIR /invidious
 RUN addgroup -g 1000 -S invidious && \
     adduser -u 1000 -S invidious -G invidious
 COPY ./assets/ ./assets/
-COPY ./config/config.yml ./config/config.yml
+COPY --chown=invidious ./config/config.yml ./config/config.yml
+RUN sed -i 's/host: \(127.0.0.1\|localhost\)/host: postgres/' config/config.yml
 COPY ./config/sql/ ./config/sql/
 COPY ./locales/ ./locales/
-RUN sed -i 's/host: \(127.0.0.1\|localhost\)/host: postgres/' config/config.yml
 COPY --from=builder /invidious/invidious .
+
 USER invidious
 CMD [ "/invidious/invidious" ]