chore: wip

devthejo · devthejo · commit 15be0657a71c · 2025-12-04T18:12:42.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -94,6 +94,11 @@ ENV NODE_ENV=production \
     PNPM_HOME=/usr/local/share/pnpm \
     PATH="/app/node_modules/.bin:$PNPM_HOME:$PATH"
 
+# Install envsubst (gettext-base) for runtime templating of Verdaccio configs
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends gettext-base \
+  && rm -rf /var/lib/apt/lists/*
+
 # Copy built repo and dependencies from builder (includes Verdaccio plugins)
 COPY --from=builder /app /app
 
@@ -112,12 +117,4 @@ EXPOSE 4873 4874
 # VERDACCIO_STRICT_PORT / VERDACCIO_LENIENT_PORT control the listen port for each mode.
 ENV REGISTRY_MODE=strict
 
-CMD ["sh", "-c", "\
-  if [ \"$REGISTRY_MODE\" = \"lenient\" ]; then \
-    CONFIG=secure-registry/verdaccio/lenient/config.docker.yaml; \
-    PORT=${VERDACCIO_LENIENT_PORT:-4874}; \
-  else \
-    CONFIG=secure-registry/verdaccio/strict/config.docker.yaml; \
-    PORT=${VERDACCIO_STRICT_PORT:-4873}; \
-  fi; \
-  npx verdaccio --config \"$CONFIG\" --listen 0.0.0.0:${PORT}"]
+CMD ["/app/secure-registry/verdaccio/entrypoint.sh"]
diff --git a/secure-registry/verdaccio/entrypoint.sh b/secure-registry/verdaccio/entrypoint.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -e
+
+# Runtime entrypoint for Verdaccio registry.
+#
+# - Chooses strict vs lenient config based on REGISTRY_MODE
+# - Renders the appropriate Docker config template with envsubst
+# - Applies sane defaults for SECURITY_DECISION_API_URL when not provided
+
+MODE="${REGISTRY_MODE:-strict}"
+
+if [ "$MODE" = "lenient" ]; then
+  TEMPLATE="secure-registry/verdaccio/lenient/config.docker.template.yaml"
+  CONFIG="/tmp/verdaccio-lenient.yaml"
+  PORT="${VERDACCIO_LENIENT_PORT:-4874}"
+else
+  TEMPLATE="secure-registry/verdaccio/strict/config.docker.template.yaml"
+  CONFIG="/tmp/verdaccio-strict.yaml"
+  PORT="${VERDACCIO_STRICT_PORT:-4873}"
+fi
+
+# Apply defaults for env-driven settings used in the templates.
+# SECURITY_DECISION_API_URL controls where security plugins call the decision API.
+: "${SECURITY_DECISION_API_URL:=http://decision-api:4000}"
+
+export SECURITY_DECISION_API_URL
+
+echo "[entrypoint] REGISTRY_MODE=$MODE PORT=$PORT SECURITY_DECISION_API_URL=$SECURITY_DECISION_API_URL" >&2
+
+echo "[entrypoint] Rendering Verdaccio config from $TEMPLATE to $CONFIG" >&2
+envsubst < "$TEMPLATE" > "$CONFIG"
+
+echo "[entrypoint] Starting Verdaccio on port $PORT" >&2
+exec npx verdaccio --config "$CONFIG" --listen 0.0.0.0:"$PORT"
diff --git a/secure-registry/verdaccio/lenient/config.docker.template.yaml b/secure-registry/verdaccio/lenient/config.docker.template.yaml
@@ -0,0 +1,54 @@
+storage: ./storage
+
+uplinks:
+  npmjs:
+    url: https://registry.npmjs.org/
+  # No malware uplink in Docker/Kubernetes; malware registry is only used
+  # in dedicated local dev/test setups.
+
+packages:
+  '@*/*':
+    access: $authenticated
+    publish: $authenticated
+    proxy: npmjs
+  '**':
+    access: $authenticated
+    publish: $authenticated
+    proxy: npmjs
+
+filters:
+  "@secure-registry/verdaccio-security-gate-filter":
+    enabled: true
+    # In Docker/Kubernetes, the decision API URL is provided via
+    # SECURITY_DECISION_API_URL and rendered at runtime by envsubst
+    # in secure-registry/verdaccio/entrypoint.sh.
+    apiUrl: ${SECURITY_DECISION_API_URL}
+    timeoutMs: 2000
+    policyId: "lenient"
+    blocking: false
+
+auth:
+  "@secure-registry/verdaccio-security-token-auth":
+    # See note above: apiUrl is rendered from SECURITY_DECISION_API_URL
+    # by the Docker entrypoint.
+    apiUrl: ${SECURITY_DECISION_API_URL}
+    timeoutMs: 2000
+
+middlewares:
+  "@secure-registry/verdaccio-download-guard-middleware":
+    # See note above: apiUrl is rendered from SECURITY_DECISION_API_URL
+    # by the Docker entrypoint.
+    apiUrl: ${SECURITY_DECISION_API_URL}
+    timeoutMs: 60000
+    policyId: "lenient"
+  "@secure-registry/verdaccio-rate-limit-middleware":
+    # Redis URL for rate limiting. VERDACCIO_REDIS_URL env var (if set)
+    # takes precedence in the middleware implementation.
+    redisUrl: "redis://redis:6379"
+    windowSeconds: 86400 # 24h window
+    maxRequests: 400     # 400 requests per 24h
+
+log:
+  type: stdout
+  format: pretty
+  level: http
diff --git a/secure-registry/verdaccio/strict/config.docker.template.yaml b/secure-registry/verdaccio/strict/config.docker.template.yaml
@@ -0,0 +1,54 @@
+storage: ./storage
+
+uplinks:
+  npmjs:
+    url: https://registry.npmjs.org/
+  # No malware uplink in Docker/Kubernetes; malware registry is only used
+  # in dedicated local dev/test setups.
+
+packages:
+  '@*/*':
+    access: $authenticated
+    publish: $authenticated
+    proxy: npmjs
+  '**':
+    access: $authenticated
+    publish: $authenticated
+    proxy: npmjs
+
+filters:
+  "@secure-registry/verdaccio-security-gate-filter":
+    enabled: true
+    # In Docker/Kubernetes, the decision API URL is provided via
+    # SECURITY_DECISION_API_URL and rendered at runtime by envsubst
+    # in secure-registry/verdaccio/entrypoint.sh.
+    apiUrl: ${SECURITY_DECISION_API_URL}
+    timeoutMs: 2000
+    policyId: "strict"
+    blocking: true
+
+auth:
+  "@secure-registry/verdaccio-security-token-auth":
+    # See note above: apiUrl is rendered from SECURITY_DECISION_API_URL
+    # by the Docker entrypoint.
+    apiUrl: ${SECURITY_DECISION_API_URL}
+    timeoutMs: 2000
+
+middlewares:
+  "@secure-registry/verdaccio-download-guard-middleware":
+    # See note above: apiUrl is rendered from SECURITY_DECISION_API_URL
+    # by the Docker entrypoint.
+    apiUrl: ${SECURITY_DECISION_API_URL}
+    timeoutMs: 60000
+    policyId: "strict"
+  "@secure-registry/verdaccio-rate-limit-middleware":
+    # Redis URL for rate limiting. VERDACCIO_REDIS_URL env var (if set)
+    # takes precedence in the middleware implementation.
+    redisUrl: "redis://redis:6379"
+    windowSeconds: 86400 # 24h window
+    maxRequests: 400     # 400 requests per 24h
+
+log:
+  type: stdout
+  format: pretty
+  level: http
