Trying something new

.github/workflows/build-scan-push.yml

@@ -14,37 +14,60 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run Hadolint
         uses: hadolint/hadolint-action@v2
         with:
           dockerfile: ./Dockerfile
 
+      - name: Lint Shell Script with ShellCheck
+        uses: ludeeus/action-shellcheck@v2
+        with:
+          files: |
+            build.sh
+            entrypoint.sh
+
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
 
-      - name: Build and Push Docker image
+      - name: Build Docker image
         uses: docker/build-push-action@v4
         with:
           context: .
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64
           tags: |
             ${{ secrets.DOCKER_USERNAME }}/docker-bitlbee:${{ github.sha }}
-            ${{ secrets.DOCKER_USERNAME }}/docker-bitlbee:latest
             ghcr.io/${{ github.repository_owner }}/docker-bitlbee:${{ github.sha }}
-            ghcr.io/${{ github.repository_owner }}/docker-bitlbee:latest
-          push: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
       - name: Scan Docker image for vulnerabilities with Trivy
-        uses: aquasecurity/trivy-action@v0.12.0
+        uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ secrets.DOCKER_USERNAME }}/docker-bitlbee:${{ github.sha }}
           format: 'table'
           ignore-unfixed: true
           vuln-type: 'os,library'
           exit-code: '1'
           severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy Report
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy-scan-results
+          path: trivy-results.json
+
+      - name: Push Docker image
+        run: |
+          docker push ${{ secrets.DOCKER_USERNAME }}/docker-bitlbee:${{ github.sha }}
+          docker push ghcr.io/${{ github.repository_owner }}/docker-bitlbee:${{ github.sha }}

README.md

@@ -1,9 +1,14 @@
-This repository contains a Docker container for [BitlBee](https://www.bitlbee.org/), a chat gateway that connects different messaging protocols (like IRC, Facebook, Skype, etc.). The container is built with plugins for various services such as Skype, Discord, Mastodon, and more.
+# Docker BitlBee
 
-## Features
+![Docker](https://img.shields.io/docker/pulls/mbologna/docker-bitlbee)
+![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/mbologna/docker-bitlbee/build-scan-push.yml?branch=master)
+
+This repository provides a containerized version of [BitlBee](https://www.bitlbee.org/), an IRC gateway for instant messaging services, along with additional plugins for extended functionality (e.g., Skype, Facebook, Discord, Mastodon, and more).
 
-* In addition to the [Bitlbee's out of the box supported protocols](https://wiki.bitlbee.org/), this container also supports the following protocols:
+## Features
 
+- **BitlBee Version**: `3.6`
+- Pre-installed plugins:
     - Skype via [skype4pidgin](https://github.com/EionRobb/skype4pidgin)
     - Telegram via [tdlib-purple](https://github.com/BenWiederhake/tdlib-purple)
     - Facebook (MQTT) via [bitlbee-facebook](https://github.com/bitlbee/bitlbee-facebook)
@@ -13,51 +18,180 @@ This repository contains a Docker container for [BitlBee](https://www.bitlbee.or
     - Slack via [slack-libpurple](https://github.com/dylex/slack-libpurple)
     - Matrix via [purple-matrix](https://github.com/matrix-org/purple-matrix)
     - Microsoft Teams via [teams](https://github.com/EionRobb/purple-teams)
+- Secured IRC communication with optional TLS using **stunnel**.
+- Customizable and persistent storage.
+- Lightweight and production-ready container.
+
+---
 
-## Usage via Docker
+## Getting Started (Docker and docker compose)
 
-1. Configuration (optional):
+Follow these instructions to set up and run the BitlBee container.
 
-If you want to configure BitlBee you can do so by editing the configuration files by accessing the container or volume mounted at `bitlbee_data` (/usr/local/etc/bitlbee.conf).
+### Prerequisites
 
+- [Docker](https://www.docker.com/get-started) installed on your system.
+- [Docker Compose](https://docs.docker.com/compose/) (optional for multi-container setup).
 
-2. Start `bitlbee` via [Docker Compose](https://docs.docker.com/compose/install/):
+---
 
+### Installation
+
+#### Clone the Repository
+
+```bash
+git clone https://github.com/mbologna/docker-bitlbee.git
+cd docker-bitlbee
 ```
-docker-compose up -d
+
+#### Build and Run with Docker Compose
+
+Build the image:
+
+```
+docker compose build
 ```
 
-3. Connect your IRC client either to:
+Run the containers:
 
-    * localhost:16697 (TLS terminated via stunnel) (recommended)
-    * localhost:16667 (non-TLS, plain connection)
+```
+docker compose up -d
+```
+
+Check the container logs:
 
-## Usage via Kubernetes
+```
+docker logs -f bitlbee
+```
 
-1. Configuration:
+### Configuration
+#### Volumes
 
-Create the ConfigMap to hold the configuration for BitlBee:
+The container uses /var/lib/bitlbee to store persistent data, including user configuration files. Mount a local directory to this volume to retain data:
 
 ```
-kubectl apply -f k8s/bitlbee-configmap.yaml
+volumes:
+  - ./data:/var/lib/bitlbee
 ```
 
-If you want to further configure BitlBee you can do so by modifing the ConfigMap.
+#### Ports
+
+* 6667: Standard IRC port for BitlBee.
+* 6697: Secure IRC port (`stunnel`).
+
+You can change these ports in `docker-compose.yml` if needed.
+
+### Usage
+
+* Connect to the BitlBee server using any IRC client (e.g., HexChat, mIRC):
+    Server: localhost
+    Port: 6667 or 6697 (TLS)
+* Add IM accounts by typing commands in the IRC client. Example for adding a Google account:
+
+    ```
+    account add jabber [email protected]
+    ```
+
+Refer to the BitlBee User Guide for detailed instructions.
+
+## Getting Started (Kubernetes version)
+This repository provides Kubernetes manifests to deploy **BitlBee** with **Stunnel**. The setup ensures a secure communication channel by using Stunnel as a TLS wrapper for BitlBee.
+
+### Architecture
+
+The system consists of two components:
+
+1. **BitlBee**:
+   - IRC gateway for IM services.
+   - Exposes port `6667` for internal communication.
+   - Uses a PersistentVolumeClaim for data persistence.
+
+2. **Stunnel**:
+   - Provides TLS encryption for BitlBee communication.
+   - Listens on port `6697` and forwards traffic to BitlBee's port `6667`.
+
+---
+
+### Prerequisites
+
+1. A Kubernetes cluster (minikube, kind, or a cloud provider).
+2. `kubectl` CLI tool installed and configured.
+3. A storage class available for the PersistentVolumeClaim (PVC).
 
-2. Create the Deployment:
+### Configuration
+
+#### Environment Variables for Stunnel
+
+The Stunnel pod uses a ConfigMap to define key environment variables:
 
 ```
-kubectl apply -f k8s/bitlbee-deployment.yaml
+STUNNEL_SERVICE: Name of the Stunnel service.
+STUNNEL_ACCEPT: Port Stunnel listens on (6697).
+STUNNEL_CONNECT: Target BitlBee service and port (bitlbee:6667).
 ```
 
-NOTE: If you are using ClusterIP, BitlBee will be accessible internally within the Kubernetes cluster. If you need external access, you can modify the service type to NodePort or LoadBalancer.
+#### Storage
+
+BitlBee data is persisted using a PVC:
+
+Default size: 1Gi
+Modify the PersistentVolumeClaim if more storage is required.
 
-## Building the Container
+### Deployment
 
-To build the Docker container, clone this repository and build the image using the following command:
+#### Step 1: Apply the Namespace
 
 ```bash
-git clone https://github.com/mbologna/bitlbee-docker.git
-cd bitlbee-docker
-docker build -t bitlbee:latest .
+kubectl apply -f namespace.yml
+```
+
+#### Step 2: Deploy the ConfigMap
+
+```
+kubectl apply -f bitlbee-stunnel-configmap.yml
+```
+
+#### Step 3: Deploy BitlBee and Stunnel
+
+```
+kubectl apply -f bitlbee-deployment.yml
+kubectl apply -f bitlbee-stunnel-deployment.yml
+```
+
+#### Step 3: Create the PersistentVolumeClaim
+
 ```
+kubectl apply -f pvc.yml
+```
+
+#### Step 4: Apply Services
+
+```
+kubectl apply -f bitlbee-service.yml
+kubectl apply -f bitlbee-stunnel-service.yml
+```
+
+#### Accessing the Services (ClusterIP)
+
+* BitlBee: Internally available on port 6667 within the cluster.
+* Stunnel: Internally available on port 6697 within the cluster.
+
+## CI/CD Pipeline
+
+This project includes a GitHub Actions workflow (build-scan-push.yml) to:
+
+- Lint Dockerfiles and shell scripts using Hadolint and ShellCheck.
+- Build and push Docker images to Docker Hub and GitHub Container Registry.
+- Scan images for vulnerabilities using Trivy.
+
+The image is built for both amd64 and arm64 platforms.
+
+## Security
+
+The container runs as a non-root user (bitlbee) for enhanced security.
+A health check ensures the container is operational and serving requests.
+TLS encryption is supported via stunnel.
+
+## Resources
+
+[BitlBee Documentation](https://wiki.bitlbee.org/)

build.sh

@@ -6,7 +6,7 @@ set -euxo pipefail
 install_package() {
     local dir="$1"
     echo "Installing $dir..."
-    cd "$dir" && make -j$(nproc) && make install && cd ..
+    cd "$dir" && make -j"$(nproc)" && make install && cd ..
 }
 
 export SKYPE4PIDGIN_VERSION=1.7
@@ -24,10 +24,10 @@ apt-get update && apt-get install -y --no-install-recommends \
     libtool-bin netcat-traditional pkg-config sudo
 
 echo "Downloading sources..."
-curl -LO https://get.bitlbee.org/src/bitlbee-$BITLBEE_VERSION.tar.gz
-curl -LO https://github.com/EionRobb/skype4pidgin/archive/$SKYPE4PIDGIN_VERSION.tar.gz
+curl -LO https://get.bitlbee.org/src/bitlbee-"$BITLBEE_VERSION".tar.gz
+curl -LO https://github.com/EionRobb/skype4pidgin/archive/"$SKYPE4PIDGIN_VERSION".tar.gz
 git clone https://github.com/BenWiederhake/tdlib-purple
-curl -LO https://github.com/bitlbee/bitlbee-facebook/archive/v$FACEBOOK_VERSION.tar.gz
+curl -LO https://github.com/bitlbee/bitlbee-facebook/archive/v"$FACEBOOK_VERSION".tar.gz
 git clone https://github.com/EionRobb/purple-hangouts
 git clone https://src.alexschroeder.ch/bitlbee-mastodon.git
 git clone https://github.com/EionRobb/purple-discord
@@ -38,8 +38,8 @@ git clone https://github.com/EionRobb/purple-teams
 
 # Install BitlBee
 echo "Building and installing BitlBee..."
-tar zxvf bitlbee-$BITLBEE_VERSION.tar.gz
-cd bitlbee-$BITLBEE_VERSION
+tar zxvf bitlbee-"$BITLBEE_VERSION".tar.gz
+cd bitlbee-"$BITLBEE_VERSION"
 ./configure --jabber=1 --otr=1 --purple=1 --ssl=openssl --prefix=/usr --etcdir=/etc/bitlbee
 make
 make install
@@ -77,10 +77,10 @@ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 echo "Removing temporary files..."
 rm -fr /root/build.sh
-rm -fr bitlbee-$BITLBEE_VERSION*
-rm -fr $SKYPE4PIDGIN_VERSION.tar.gz skype4pidgin-*
+rm -fr bitlbee-"$BITLBEE_VERSION"*
+rm -fr "$SKYPE4PIDGIN_VERSION".tar.gz skype4pidgin-*
 rm -fr tdlib-purple*
-rm -fr v$FACEBOOK_VERSION.tar.gz bitlbee-facebook-*
+rm -fr v"$FACEBOOK_VERSION".tar.gz bitlbee-facebook-*
 rm -fr purple-hangouts
 rm -rf bitlbee-mastodon
 rm -fr purple-discord*

docker-compose.yml

@@ -24,6 +24,13 @@ services:
         max-file: "3"
     networks:
       - bitlbee-net
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+          cpus: "1.0"
+        reservations:
+          memory: 256m
 
   stunnel:
     image: docker.io/dweomer/stunnel:latest
@@ -48,6 +55,13 @@ services:
         max-file: "3"
     networks:
       - bitlbee-net
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+          cpus: "1.0"
+        reservations:
+          memory: 128m
 
 networks:
   bitlbee-net: