Dockerfile

@@ -4,15 +4,9 @@ FROM ghcr.io/linuxserver/baseimage-ubuntu:jammy
 # have apt run unattended
 ARG DEBIAN_FRONTEND="noninteractive"
 
-# copy the virtualmin repo keys
-COPY root/root/RPM-GPG-KEY-* /root/
 # copy the apt config
 COPY root/etc/apt/ /etc/apt/
 
-# install the webmin keys
-RUN apt-key add /root/RPM-GPG-KEY-virtualmin-6 && \
- apt-key add /root/RPM-GPG-KEY-webmin
-
 # update sources and install packages
 RUN apt-get update && \
  apt-get -y upgrade && \

README.md

@@ -29,6 +29,7 @@ After signing in you should run 'Re-check and refresh configuration' (should be
 - Running 'passwd' in the container will fail because /etc/shadow is actually a symlink, Webmin can manipulate the file just fine (I'm probably breaking some fundamental *nix concept here).
 - A number of features are installed directly in the container when really they should be separate containers that Virtualmin can link to (e.g. MySQL, ClamAV, SpamAssassin, and so on), and which probably have perfectly good images I could direct you to.
 - The Webmin certificate is generated during image build, this means all containers share the same default certificate which is bad for security.
+- The DKIM selector and private key need randomising.
 
 ## Licence
 

root/etc/cont-init.d/50-virtualmin-config

@@ -32,6 +32,7 @@ symlinks=( \
 /etc/group- \
 /etc/logrotate.conf \
 /etc/opendkim.conf \
+/etc/opendkim \
 /etc/passwd \
 /etc/passwd- \
 /etc/procmailrc \
@@ -87,6 +88,7 @@ MY_NAME=$(hostname)
 
 # if we have an FQDN, update the config files and replace the placeholders
 [[ -n "$MY_DOMAIN" ]] && [[ -n "$MY_NAME" ]] && \
-    sed -i --follow-symlinks -e "s#if-this-domain-resolves-someone-is-going-to-be-mad-at-me\.eteoxaoghtrhwfza#$MY_DOMAIN#" /etc/aliases /etc/webmin/status/config /etc/webmin/virtual-server/config /etc/webmin/config /etc/webmin/usermin/config /etc/webmin/package-updates/config /etc/postfix/main.cf && \
+    sed -i --follow-symlinks -e "s#if-this-domain-resolves-someone-is-going-to-be-mad-at-me\.eteoxaoghtrhwfza#$MY_DOMAIN#" /etc/aliases /etc/webmin/status/config /etc/webmin/virtual-server/config /etc/webmin/config /etc/webmin/usermin/config /etc/webmin/package-updates/config /etc/postfix/main.cf /etc/opendkim/dkim-domains.txt && \
     sed -i --follow-symlinks -e "s#myhostname = .*#myhostname = $MY_NAME.$MY_DOMAIN#" /etc/postfix/main.cf && \
-    sed -i --follow-symlinks -e "s#bind_master=.*#bind_master=$MY_NAME.$MY_DOMAIN#" /etc/webmin/virtual-server/config
+    sed -i --follow-symlinks -e "s#bind_master=.*#bind_master=$MY_NAME.$MY_DOMAIN#" /etc/webmin/virtual-server/config && \
+    sed -i --follow-symlinks -e "s#hostname#$MY_NAME#" /etc/opendkim/dkim-domains.txt

root/etc/opendkim/dkim-domains.txt

+hostname.if-this-domain-resolves-someone-is-going-to-be-mad-at-me\.eteoxaoghtrhwfza
+hostname

root/etc/opendkim/dkim-keytable

+default %:oolielupebei:/config/etc/opendkim/dkim.key

root/etc/opendkim/dkim-signingtable

+*   default

root/etc/opendkim/dkim.key

+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEA9QtClkNwHm65BYTvFH06QjZsMSAOZVe3Z72oeHGkOzfapmvs
+QPkomcoMkLHUh8eh4JIFXMq46j1vOmaN4E/q9/pzSAjMluj5mQwluXBa+0mYUG3O
+wbbsh1KhcRXo2TLS2Q64AoBplHCtUcWb6kl3kUVuXDn1DsgBBLnAwO5cyrJlg6cm
+hJQ4oOvykg+BSkXKl3/0FRQJQxJ0HylCPM0ESBNax8H2pc5nTiC6wYdMjvX7+PWt
+4ZTNaoe5JL9h6x0HU7iSmMsM/dwYDvr/2fPzI4bzy+6A8Z2xMcvy53BshOSVsQUs
+o2ArVvouXy/QozrtMlPAcXhg5L1TUb2T09j3QQIDAQABAoIBAQDn8UWQ17p7g9Br
+8f0fBr2rSLo18aLOuC1o67NYdjC+wMqcthDFG1Ib54znNPv3nbWSzIR45YYMaiQr
+QkFOrja5jH2sFHAa8+C1xjK7CSeFLY8XqiiHYa8XE9auJM/nLt03CWCRNZ06HUFg
+4kwHgozDm9WvREi6OgQExhI2TCjWzhVpkd1t5izj7YqUeG7VzaWTOtVmpgy82I+I
+EQxkkUyfB4RAibNJo2lHRoWf2yrKViJSIjfPyA5GusfuVGh3h8rgiUPyLoET5SCJ
+bWaldl1So4saBxmP3fdXQNyuI3C5VXv2mhCOCtNpZ3rSMrLPlUA2xnmuO8IJRYR4
+6aA1+n0VAoGBAP3SLM508QzA8nw9S6MYLti6YpxFmF+lXmF164VWVlwaEE8pCylD
+WNShYDqozgFasoMtPxVLp6I0HNfXS3/nAbpvF9f0BIzqqx4l+eFwaowXkLteAGdR
+3jfwoKNFgFedK/Ar4yDAFeukAxD3xcSlpqOZK9/LUXUQ3De8PMF8D2ArAoGBAPcl
+y7Z63MqH2jQXWoZrx+KrUpnx9f4lfMnKfRqCxuTs5vk2zPB5Q/GnvRmry/1i7yuW
+/Z+MMRillgHFpCfCg343NZk7H1Zt7mvDXi27TCxt2/EaW1B6YaMFeDPZyBsGtGcn
+qxXrdJnFPDjPxYKGRJ6pFi4GNvcZEUxBDixrxmRDAoGBAOXd6eYv0f4S34fUmyNh
+S0vLwHJ2NMCqKwdom5ttzVgr4olOSmVcMJ6gZ124cpiXYwOZfn/yvCYRu+1ddWqn
+8tC8u4M/4r8b50yuZ9ba0CN/U/vb7dGkOvO+YDx9PPYbyScBF/kY/MEjEAPV4K1u
+t7OBjFJo96RlWIrBVuSDTglxAoGBAL/hxlG8/iL4ar86ynvGvoALx6viIbzZ2hLJ
+dWvZ0RX3oDQpCeBCJjA+rSB7M3tdDpfnOK5gp9Wc6eQiUJrV+EVME/8N2fy+iPd9
+zWbwHen4uWRttCu9eISbQIHxOd1RzUqxj7ELB5JDgcgR+CSonioY2TGOfapG+hkc
+AScX3gYFAoGBAKZFks9LukAD8f5YSXY0tXkXzOd+zck1rRsMtXiUjZgiCnBF8FUX
+xIVIeVpsDvwD/OybrPqKYuP1YoH5wtGXQXaGfe6RV4R17vvw4Spz/f4KLt4Vhp8F
+fMY2XGygJE5qVtDPhCh9ZZ35mE4860C5wHDuJo3f0ErAQNt6oaCQKJRO
+-----END RSA PRIVATE KEY-----

root/etc/opendkim/opendkim.conf

+Syslog              yes
+UMask               007
+Domain              /config/etc/opendkim/dkim-domains.txt
+KeyFile             /config/etc/opendkim/dkim.key
+Selector            oolielupebei
+Canonicalization    simple
+Mode                sv
+SubDomains          no
+Socket              inet:8891@localhost
+PidFile             /run/opendkim/opendkim.pid
+OversignHeaders     From
+TrustAnchorFile     /usr/share/dns/root.key
+UserID              opendkim
+SigningTable        refile:/config/etc/opendkim/dkim-signingtable
+KeyTable            /config/etc/opendkim/dkim-keytable

root/etc/services.d/opendkim/run

 #!/bin/sh -e
-/usr/sbin/opendkim -x /config/etc/opendkim.conf -f
+/usr/sbin/opendkim -x /config/etc/opendkim/opendkim.conf -f

root/root/RPM-GPG-KEY-virtualmin-6

------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBFkGtR8BEAC7KtalryLtWfO+Hb8rpxalHiKDaQzNfvDz/qyJiViGWPMxE/Ml
-M20OrAQmdR4gfq6zevguszHkkUSEcSwE4Tprc9rPy1dI+bQwBCm1PxSU8Q74hu/b
-NsUpU8stMeOfAop7pgKAFzxpUpkl6rQxttJrOY30QPQp59UoJfFUECOv1Zbms1YD
-yYLPPsQBj/5LPdLcGJxmg22yMhd8Ckrq4AQk7RBBeHq+UBKIiigf6Ntq9DluBPfQ
-7v4lBJya7UyMNa7P+11C3dTFCRbrVkWTUzxuh9xBJtHQ4A0+Q6rUxBe3w/u+vDYd
-xri/m7A2Cmo2E2hugS8UiHvWtr1Ke4mOjIXEfV19XajBKQzqE5FiA8+KGWp9sPTr
-qScr9Rf8x8dPDSxwuPYvOLH55iR0bPPW0j+VHu4Wb83w1jrvI4Xp8IMqp3Pemnwo
-WHx8cewcpjKVhsAcDOp2ebhagK/HiAkUEhL5UXljD1dae1aK7rZIf+4wNCDxSi3W
-exop662vGVO0p1guH9DRncbcijTWAfKVBdN+K1ZBBmzFl0/fGcZD7gbhXHw03F9/
-PZIA6xm/hikpZZFwJYjG5K+SXZxzFTA37r9zte+F/kaINqc6Zu66qqvfXKZAcP1+
-HQjpHoj4Fn1hmDWDBw1Y6wpRBtXD9UIJdDZ7l6/B91qbXWNqOZwPql0QywARAQAB
-tFFWaXJ0dWFsbWluLCBJbmMuIChQYWNrYWdlIHNpZ25pbmcga2V5IGZvciBWaXJ0
-dWFsbWluIDYpIDxzZWN1cml0eUB2aXJ0dWFsbWluLmNvbT6JAj4EEwECACgFAlkG
-tR8CGwMFCQ0oaIAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENn5AQdg1ipr
-fXwQAIU7ut2UVZKHl1QyRMv38SQfNuUUpKA7Zp1y2a0zm3Lsk/yOVRLEUVh/PIoU
-imrx1tkmT5KqMvrh5rslGJO5GRZlFd7Wz34TOcRIwDm1qmxNBkmRsUAzl0gF7QKA
-FxOpZXF+s512XE5R94ujpw7wqEjYu9nd/QtxJH7nigvaqYrpvPv9ljQhl5Yg0ZK9
-/9Rdv/smbIC9Yi9LGh0KHUZu/P+cKDE4panJvyDILDBeN+Cf1HiZ9HGw5jslUxYw
-UOGsw/pjzKFTz5/QcjSoLT4W1c544Y9yU5AeUdVd3W10M/BeTJyxYXcgGGapi/+k
-w856+bONARVpGy2m2sMI8y4TN656HW/CTa2E11JcgNuRU6F3FZSx9z1QJc6874Qg
-f8yAv+X2zyk1Z93WAR5nd65CPwL1DQdyCiZsxc6x8KX4sxkGMLkAx5uProIrBxJf
-nOC9n7WQtrInsaqb/MwI2SqHOdRFLPVIhF01JlAwdkq7unlNieDA2ee++sj9ZfTH
-+vjDUuNE/p+yvMQcWzxouNOJKmQBGCRZg6eTJbTbuKcZCDEOTp164bI9iq6N1RWj
-UKnJZlB7MDMFMnYOsMNUakkWbmfoHQNGSRSQDwIPNjJUzT0qDb4Mt33Z3McwEAjd
-iKdmWXvGWZrbwzUr7HWEX8qO5n4qwRgMj7863EQEoXyrRuFQuQINBFkGtR8BEAC6
-k3yfnTG5pArOOWL//pxKPVdlFG1uNq8Bst7H8yZQvoU8QBibnCusgmyu1ycwYw6y
-Pt0l/XqGGME/n4StLO3Y0K5y1iTYF9415NQyVXhY7kHNrAJkEKXypyNzyhm4raAY
-fGZCeG7BvCiksvYvywyoWeJye7ICK6ZrWuH0siYN5RkZsU/77GkDRAKc+OQEydIS
-AmDVbc18lomCOJxBfKWmnEgbWUOaunBxW35e6HEHiUqrTh4IWZoawilBGIE/klth
-CIzWmVUjAWRbjLZYsBtk2hUxLl5QepzudRLjn8xbKUGFiBegouueAx9QAVu4AVZk
-uGH0+buYjzzIk6UtnEaz997ttHryrGOkAQ+cSHvTaM03LnFFDwKlpX6EENv5pVzb
-78RcrODy5ip06E4/AGqL6HeSTrx5gVud3JNY1yBAV5HFkWfzZgmG7qRnmPme94E2
-afDmwnQ2RJgWevRAEp3X6S0b4RjbfWZDFtRYqUmDo/sPVSqM95i59LgTzdcajePu
-5yA2nQwELG7zrQnouz/ThaoySXb9SCwYU/EBYuG6CHnv+oxQqrlRo5Fs6eVtbaLE
-vpzaKUfXjtCM+XhHjK89GaZY5CWxrPa0lL2nJqjpjqgFX14UKpgTMVn4uhkpVvRv
-oGC97+wNRqYDG6hu7YimgJP9Lsx34Ymedl950i8pgwARAQABiQIlBBgBAgAPBQJZ
-BrUfAhsMBQkNKGiAAAoJENn5AQdg1iprHdAP/Re/GQK7EMiBKBpy96d0Ho+41mAr
-vuPFjDsQhpqQErHwC2q9sYIvDAUttkt8TC0Ygeu72eL8d4wRLlcfMvUP2TmLOsl2
-Kni8zMfe8mCDZkREWQmEQ3IwRbY5Oc2Q0jFLMNd82PuupsIbWAO7iwBXU9UJlb4l
-Bff7jUliY54VQjruklud56VPsRgASAS8uAO4pKSPFo3/t3wFTQ27e4IAjys1E4tE
-o68QMy6KL80QI5C6JnV8T5S/BYjEnA5MqUuV0o+7gpwhp8uB3Lpo7z1yK5BslZco
-GxI2vC5BFUaGxlC/wurWwfhh/6tpx38pxLzVzr383hoMIJ0LLX1215End3mDdli1
-lDzHswEHB68zA1WSYSTACzqDdMgGpeiQWKk4lkgCATWSWorm976SB32kjPNkl/DB
-0+UD0322joAAzRoScKsuefsqLUUrlcMeoc5gCK9WnF9A8q4C3nAHTTd1FhnS7OLZ
-FYjrOke8K3yhImeEspfhl/oYGgXN4YP0eMaW87TNA4Bn2vAKi6MaTGAylHW63+Zh
-THKZ2JSerEb3ABcdmNBDvXrBtyAUg48zdvMMHP7qnK5yPsRlzTvKe4vYYM3kCjlY
-ZZCDMYEXVkAUfPcvCBcIZLuypE0NoO6jl7xJxuZolRmYpkvI+nBlu1xRtDHDG3Zk
-SzSkMUlF1VPzSQ4t
-=rDWp
------END PGP PUBLIC KEY BLOCK-----

root/root/RPM-GPG-KEY-webmin

------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.0.7 (GNU/Linux)
-
-mQGiBDx9wR0RBACR3xGPTkG5Staj7EVeiVJDrYXIPF28MGCrOEGw04tQmQTALz0E
-YEcyfvui7KScrpHmZpy70PwgwxUDPUMik7vvRiUa9RRbJsDYyom06NGk+Z4dURhn
-DeNRhcBrNBfyMvUY7HSJ2JP9jhQDWb8Lo1i231tvlnY0tNudVsP484ax6wCgrBwW
-myad6TLYaETj0+AxGJxYgikD/iERqNF60x+WyfEH/SIOuKGlV/QoxmqOePn2gj9V
-DWiOOAZ9DDWD6DpRNK/UVZRD1MK37HU1ePv7i92DTL9yIbyJwFcZNkEyMU3t+GBj
-zf4YvaQnvtA09EdQNsC1GXxNXqYkVmTE1dHH83UK+chaXRoDQ6O9KD9SFE2vsj1d
-z9VPBACPgmuVcUKXag6ZBY+SBColQzwyZfXtTOCnBh0HP4HOjU4G6CRTcAgLQrdM
-1Uu29Al7TaE2p8HZb37dVoTRntM+Nf5O+2dX5iHA6ncdozKGftuXQMC7z9758nUi
-2E4Svo9hmroM+NKonpZByt6TilhDXrPIcNYHlNsxpTAxq+lnw7QjSmFtaWUgQ2Ft
-ZXJvbiA8amNhbWVyb25Ad2VibWluLmNvbT6IVwQTEQIAFwUCPH3BHQULBwoDBAMV
-AwIDFgIBAheAAAoJENl6OukR9jxRQZEAoIHxngo/LxLBeFF9cpEViVGgChRIAJ90
-zwqcBfw02su5AavnXjv6HxXF8bkBDQQ8fcEqEAQAx88aO9zI912/tbsNjLhDXpq0
-WMw5F6fUUlwYpkaspPwWZ3UgDJaR1+oL3xnJKlD1Eu5x9B3r+rxYyoFpXubWz4R6
-sL1u4kMRb347+fv140dE/RGFNEmqefZDeysz1TQG1Sskyyf7sV2KRUmI8wJTwg3n
-IOtbyOoE3XlxI5FUrW8AAwUD/iEBdIH5DYB/FnOb/EkP3G3kCXGgTdZk7UA9HPKB
-dV7JckgSicpi/mX898LxQrr0jyb6nyi2900OgQUQArrviTnp37j4ciQj214gTHzf
-ssA40O5QR4t915z6wS4Ml+fAc5ZOeL6EQxiP+x+rz6h9+Mc8rawowY+7sBnvVw5O
-YoVXiEYEGBECAAYFAjx9wSoACgkQ2Xo66RH2PFH+ZgCggAyuOLaoE9t9tyJbifEz
-/YzvqYwAnj85Ehe8EmnKuor/k/TPtKl4MzDm
-=oxvD
------END PGP PUBLIC KEY BLOCK-----

root/var/webmin/modules/virtual-server/scriptsunavail

+allowmaster=0
+allowvers=0
+denydefault=0
+django=1
+phpmyadmin=1
+phppgadmin=1
+roundcube=1
+squirrelmail=1
+whmcs=1
+wordpress=1