2019-04-26 21:43:26 +02:00
ARG BASE_IMAGE = alpine
2019-06-26 17:23:24 +02:00
ARG ALPINE_VERSION = 3 .10
2018-10-29 16:32:11 +01:00
2019-04-26 21:43:26 +02:00
FROM ${BASE_IMAGE}:${ALPINE_VERSION }
2018-10-29 16:32:11 +01:00
ARG BUILD_DATE
ARG VCS_REF
LABEL org.label-schema.schema-version= "1.0.0-rc1" \
2019-06-26 17:23:24 +02:00
maintainer = "quentin.mcgaw@gmail.com" \
org.label-schema.build-date= $BUILD_DATE \
org.label-schema.vcs-ref= $VCS_REF \
org.label-schema.vcs-url= "https://github.com/qdm12/private-internet-access-docker" \
org.label-schema.url= "https://github.com/qdm12/private-internet-access-docker" \
org.label-schema.vcs-description= "VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \
org.label-schema.vcs-usage= "https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
2019-06-27 13:10:51 +02:00
org.label-schema.docker.cmd= "docker run -d --init --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
org.label-schema.docker.cmd.devel= "docker run -it --rm --init --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
2019-06-26 17:23:24 +02:00
org.label-schema.docker.params= "REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,BLOCK_NSA=on/off,UNBLOCK=allowed hostnames,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
org.label-schema.version= "" \
2019-06-29 13:42:44 +02:00
image-size= "19.9MB" \
2019-06-26 17:23:24 +02:00
ram-usage= "13MB to 80MB" \
cpu-usage= "Low to Medium"
2018-11-14 14:38:10 +02:00
ENV USER = \
PASSWORD = \
ENCRYPTION = strong \
PROTOCOL = udp \
2018-10-28 14:08:14 +01:00
REGION = "CA Montreal" \
2019-06-27 13:10:51 +02:00
NONROOT = no \
DOT = on \
2018-11-14 14:38:10 +02:00
BLOCK_MALICIOUS = off \
2019-04-23 10:29:44 +02:00
BLOCK_NSA = off \
UNBLOCK = \
2019-06-27 13:12:03 +02:00
EXTRA_SUBNETS = \
2019-07-15 22:02:40 +02:00
PORT_FORWARDING = false \
2019-09-02 16:38:41 +02:00
PORT_FORWARDING_STATUS_FILE = "/forwarded_port" \
2019-06-27 13:12:03 +02:00
PROXY = on \
PROXY_LOG_LEVEL = Critical \
2019-07-03 11:07:37 +02:00
PROXY_PORT = 8888 \
2019-06-27 13:12:03 +02:00
PROXY_USER = \
PROXY_PASSWORD =
2018-11-14 14:38:10 +02:00
ENTRYPOINT /entrypoint.sh
2019-06-27 13:12:03 +02:00
EXPOSE 8888
2019-01-15 14:40:28 +01:00
HEALTHCHECK --interval= 3m --timeout= 3s --start-period= 20s --retries= 1 CMD /healthcheck.sh
2019-07-15 22:02:40 +02:00
RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip tinyproxy jq && \
2018-04-15 14:15:58 -04:00
wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
2019-06-26 17:23:24 +02:00
https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \
https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip && \
2018-11-27 17:50:08 +02:00
mkdir -p /openvpn/target && \
2018-11-17 14:44:17 +02:00
unzip -q openvpn.zip -d /openvpn/udp-normal && \
unzip -q openvpn-strong.zip -d /openvpn/udp-strong && \
unzip -q openvpn-tcp.zip -d /openvpn/tcp-normal && \
unzip -q openvpn-strong-tcp.zip -d /openvpn/tcp-strong && \
2018-10-29 16:32:11 +01:00
apk del -q --progress --purge unzip && \
2019-06-27 13:12:03 +02:00
rm -rf /*.zip /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-anchor /usr/sbin/unbound-checkconf /usr/sbin/unbound-control /usr/sbin/unbound-control-setup /usr/sbin/unbound-host /etc/tinyproxy/tinyproxy.conf && \
2019-01-01 23:14:36 +02:00
adduser nonrootuser -D -H --uid 1000 && \
wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/named.root.updated -O /etc/unbound/root.hints && \
wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/root.key.updated -O /etc/unbound/root.key && \
cd /tmp && \
wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-hostnames.updated -O malicious-hostnames && \
2019-04-23 10:29:44 +02:00
wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/nsa-hostnames.updated -O nsa-hostnames && \
2019-01-01 23:14:36 +02:00
wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-ips.updated -O malicious-ips && \
2018-11-14 14:38:10 +02:00
while read hostname; do echo "local-zone: \"" $hostname "\" static" >> blocks-malicious.conf; done < malicious-hostnames && \
while read ip; do echo " private-address: $ip " >> blocks-malicious.conf; done < malicious-ips && \
tar -cjf /etc/unbound/blocks-malicious.bz2 blocks-malicious.conf && \
2019-04-23 10:29:44 +02:00
while read hostname; do echo "local-zone: \"" $hostname "\" static" >> blocks-nsa.conf; done < nsa-hostnames && \
tar -cjf /etc/unbound/blocks-nsa.bz2 blocks-nsa.conf && \
2018-11-14 14:38:10 +02:00
rm -f /tmp/*
2018-10-29 16:32:11 +01:00
COPY unbound.conf /etc/unbound/unbound.conf
2019-06-27 13:12:03 +02:00
COPY tinyproxy.conf /etc/tinyproxy/tinyproxy.conf
2019-06-26 17:24:10 +02:00
COPY entrypoint.sh healthcheck.sh portforward.sh /
2019-06-27 13:12:03 +02:00
RUN chown nonrootuser -R /etc/unbound /etc/tinyproxy && \
chmod 700 /etc/unbound /etc/tinyproxy && \
chmod 600 /etc/unbound/unbound.conf /etc/tinyproxy/tinyproxy.conf && \
2019-06-26 17:24:10 +02:00
chmod 500 /entrypoint.sh /healthcheck.sh /portforward.sh && \
2019-06-26 17:23:24 +02:00
chmod 400 /etc/unbound/root.hints /etc/unbound/root.key /etc/unbound/*.bz2
