Next

DOCKER-HUB-DESCRIPTION.md

@@ -100,4 +100,4 @@ The source code for this project is available on GitHub: [https://github.com/ded
 
 ## License
 
-This project is licensed under the MIT License.
+This project is licensed under the GNU Affero General Public License Version 3 (AGPLv3) License.

Dockerfile

@@ -15,32 +15,54 @@ ENV DATA_DIR=/data
 
 # Create application directory
 RUN mkdir -p $APP_HOME && \
-    chown -R reitti:reitti $APP_HOME
+    chown -R reitti:reitti $APP_HOME && \
+    chmod 755 $APP_HOME
 
 WORKDIR $APP_HOME
 
 # Copy the application jar
 COPY --chown=reitti:reitti target/*.jar $APP_HOME/app.jar
+RUN chmod 644 $APP_HOME/app.jar
 
 # Create a script to start the application with configurable UID/GID
 RUN cat <<'EOF' > /entrypoint.sh
 #!/bin/sh
-if [ -n "$APP_UID" ] && [ -n "$APP_GID" ]; then
-  echo "Changing reitti user/group to UID:$APP_UID / GID:$APP_GID"
-  apk add --no-cache shadow
-  groupmod -g $APP_GID reitti
-  usermod -u $APP_UID reitti
-  chown -R reitti:reitti $APP_HOME
-fi
 
-mkdir -p $DATA_DIR
-chown -R reitti:reitti $DATA_DIR
+# 1. Only attempt UID/GID modification if we are running as root
+if [ "$(id -u)" = '0' ]; then
+  if [ -n "$APP_UID" ] && [ -n "$APP_GID" ]; then
+    echo "Changing reitti user/group to UID:$APP_UID / GID:$APP_GID"
+    apk add --no-cache shadow
+    groupmod -g "$APP_GID" reitti
+    usermod -u "$APP_UID" reitti
+    # Ensure the home directory is owned by the new UID/GID
+    chown -R reitti:reitti "$APP_HOME"
+  fi
+
+  # 2. Ensure DATA_DIR exists
+  mkdir -p "$DATA_DIR"
+  chmod 755 "$DATA_DIR"
 
-# Execute
-exec su-exec reitti java $JAVA_OPTS -jar $APP_HOME/app.jar -Dspring.profiles.active=docker "$@"
+  # 3. Only chown DATA_DIR if the reitti user cannot write to it
+  # We use su-exec to "test" writability as the reitti user
+  if ! su-exec reitti [ -w "$DATA_DIR" ]; then
+    echo "DATA_DIR ($DATA_DIR) is not writable by reitti. Adjusting permissions..."
+    chown -R reitti:reitti "$DATA_DIR"
+  else
+    echo "DATA_DIR ($DATA_DIR) is already writable. Skipping chown."
+  fi
+
+  # Execute as the reitti user
+  exec su-exec reitti java $JAVA_OPTS -jar "$APP_HOME/app.jar" -Dspring.profiles.active=docker "$@"
+else
+  echo "Warning: Container is running as UID $(id -u), not root."
+  echo "Environment variables APP_UID/APP_GID will be ignored."
+  echo "Ensure your volumes have the correct permissions on the host."
+  exec java $JAVA_OPTS -jar "$APP_HOME/app.jar" -Dspring.profiles.active=docker "$@"
+fi
 EOF
 
-RUN chmod +x /entrypoint.sh
+RUN chmod 755 /entrypoint.sh
 # Expose the application port
 EXPOSE 8080
 

README.md

@@ -213,9 +213,8 @@ The included `docker-compose.yml` provides a complete setup with:
 | `OIDC_SCOPE`                   | Your OpenID Connect scopes for your user (optional)                                                                                                                             | openid,profile      | openid,profile                   |
 | `OIDC_AUTHENTICATION_METHOD`   | The authentication method the OIDC Client should use (optional)                                                                                                                 | client_secret_basic | client_secret_basic,none         |
 | `OIDC_SIGN_UP_ENABLED`         | Whether new users should be signed up automatically if they first login via the OIDC Provider. (optional)                                                                       | true                | false                            |
-| `PROCESSING_WAIT_TIME`         | How many seconds to wait after the last data input before starting to process all unprocessed data. (⚠️ This needs to be lower than your integrated app reports data in Reitti) | 15                  | 15                               |
 | `DANGEROUS_LIFE`               | Enables data management features that can reset/delete all database data (⚠️ USE WITH CAUTION)                                                                                  | false               | true                             |
-| `TILES_CACHE`                  | The url of the tile caching proxy (Set to ''  to disable the cache                                                                                                              | http://tile-cache   |                                  |
+| `TILES_CACHE`                  | The url of the tile caching proxy (Set to ''  to disable the cache)                                                                                                            | http://tile-cache   |                                  |
 | `PROCESSING_BATCH_SIZE`        | How many geo points should we handle at once. For low-memory environment it could be needed to set this to 100.                                                                 | 1000                | 100                              |
 | `SERVER_PORT`                  | Application server port                                                                                                                                                         | 8080                | 8080                             |
 | `APP_UID`                      | User ID to run the application as                                                                                                                                               | 1000                | 1000                             |
@@ -400,4 +399,4 @@ click on this [link](https://hosted.weblate.org/engage/reitti/)
 
 ## License
 
-This project is licensed under the MIT License, see the LICENSE file for details.
+This project is licensed under the GNU Affero General Public License Version 3 (AGPLv3), see the LICENSE file for details.

docker-compose-dev.yml

@@ -77,11 +77,6 @@ services:
     restart: unless-stopped
     ports:
       - "8084:80"
-    healthcheck:
-      test: ["CMD", "curl", "-s", "http://127.0.0.1/osm/0/0/0.png"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
     volumes:
       - tile-cache-data:/var/cache/nginx
 volumes:

docker-compose.yml

@@ -43,11 +43,6 @@ services:
   tile-cache:
     image: dedicatedcode/reitti-tile-cache:latest
     restart: unless-stopped
-    healthcheck:
-      test: ["CMD", "curl", "-s", "http://127.0.0.1/osm/0/0/0.png"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
     volumes:
       - tile-cache-data:/var/cache/nginx
 volumes:

docker/tiles-cache/Dockerfile

@@ -1,8 +1,10 @@
-FROM nginx:alpine
+FROM nginx:1.30.1-trixie
 
-# Create cache directories for different tile types
-RUN mkdir -p /var/cache/nginx/osm /var/cache/nginx/vector /var/cache/nginx/terrain /var/cache/nginx/satellite
+RUN mkdir -p /var/cache/nginx/custom
 
 COPY nginx.conf /etc/nginx/nginx.conf
 
 EXPOSE 80
+
+HEALTHCHECK --interval=10s --timeout=5s --start-period=5s --retries=5 \
+  CMD curl -f -s -o /dev/null -H "X-Reitti-Upstream-Url: https://tiles.dedicatedcode.com" http://localhost/custom/planet/latest/0/0/0.pbf || exit 1

docker/tiles-cache/nginx.conf

@@ -29,7 +29,6 @@ http {
     open_file_cache_errors   on;
 
     # Buffers/tuning for proxied tile responses (typically small images/PBF)
-    # Tune these if you see "upstream sent too big header" or buffer warnings.
     proxy_http_version 1.1;
     proxy_set_header Connection "";
     proxy_buffering on;
@@ -44,32 +43,15 @@ http {
     proxy_cache_key "$scheme$proxy_host$request_uri";
 
     # Avoid cache fragmentation by upstream compression variance
-    # (Tiles are images/PBF; further compression is not helpful.)
     proxy_set_header Accept-Encoding "";
 
     # Don’t let Set-Cookie poison the cache
     proxy_ignore_headers Set-Cookie;
     proxy_hide_header    Set-Cookie;
 
     # Larger, longer-lived caches (adjust to your disk/RAM)
-    # loader_* and manager_* help Nginx (re)load and maintain big caches efficiently
-    proxy_cache_path /var/cache/nginx/osm
-        levels=1:2 keys_zone=osm_tiles:512m max_size=2g inactive=90d use_temp_path=off
-        loader_threshold=300 loader_files=200 loader_sleep=50ms
-        manager_threshold=300 manager_files=200 manager_sleep=50ms;
-
-    proxy_cache_path /var/cache/nginx/vector
-        levels=1:2 keys_zone=vector_tiles:512m max_size=2g inactive=180d use_temp_path=off
-        loader_threshold=300 loader_files=200 loader_sleep=50ms
-        manager_threshold=300 manager_files=200 manager_sleep=50ms;
-
-    proxy_cache_path /var/cache/nginx/terrain
-        levels=1:2 keys_zone=terrain_tiles:512m max_size=2g inactive=180d use_temp_path=off
-        loader_threshold=300 loader_files=200 loader_sleep=50ms
-        manager_threshold=300 manager_files=200 manager_sleep=50ms;
-
-    proxy_cache_path /var/cache/nginx/satellite
-        levels=1:2 keys_zone=satellite_tiles:512m max_size=2g inactive=180d use_temp_path=off
+    proxy_cache_path /var/cache/nginx/custom
+        levels=1:2 keys_zone=custom_tiles:512m max_size=2g inactive=180d use_temp_path=off
         loader_threshold=300 loader_files=200 loader_sleep=50ms
         manager_threshold=300 manager_files=200 manager_sleep=50ms;
 
@@ -78,79 +60,39 @@ http {
     proxy_cache_lock_timeout 5s;
     proxy_cache_lock_age 10s;
     proxy_cache_background_update on;
-    proxy_cache_revalidate on; # Revalidate with ETag/Last-Modified when present
+    proxy_cache_revalidate on;
 
     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
-                    '"$http_user_agent" "$http_x_forwarded_for" '
+                    '"$http_user_agent" "$http_x_forwarded_for" "$http_x_reitti_upstream_url" '
                     'cache:$upstream_cache_status';
 
     access_log /var/log/nginx/access.log main;
 
     server_tokens off;
+    resolver 127.0.0.11 ipv6=off valid=300s;
 
     server {
         listen 80;
 
-        # Optional: strong client cache headers (immutable tile URLs).
-        # If you prefer more conservative client caching, lower to 30d or comment out.
         set $tile_client_cache_control "public, max-age=31536000, immutable";
 
-        location /osm/ {
-            proxy_pass https://tile.openstreetmap.org/;
-            proxy_set_header Host tile.openstreetmap.org;
-            proxy_set_header User-Agent "Reitti/1.0 (+https://github.com/dedicatedcode/reitti; contact: reitti@dedicatedcode.com)";
-            proxy_ssl_server_name on;
-
-            proxy_cache osm_tiles;
-            proxy_cache_valid 200 302 1y;
-            proxy_cache_valid 404 1m;
-            proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-
-            add_header X-Cache-Status $upstream_cache_status;
-            add_header Cache-Control $tile_client_cache_control;
-            expires 1y;
-        }
-
-        location /vector/ {
-            proxy_pass https://tiles.dedicatedcode.com/planet/latest/;
-            proxy_set_header Host tiles.dedicatedcode.com;
-            proxy_set_header User-Agent "Reitti/1.0 (+https://github.com/dedicatedcode/reitti; contact: reitti@dedicatedcode.com)";
-            proxy_ssl_server_name on;
-
-            proxy_cache vector_tiles;
-            proxy_cache_valid 200 302 1y;
-            proxy_cache_valid 404 1m;
-            proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-
-            add_header X-Cache-Status $upstream_cache_status;
-            add_header Cache-Control $tile_client_cache_control;
-            expires 1y;
-        }
-
-        location /terrain/ {
-            proxy_pass https://tiles.mapterhorn.com/;
-            proxy_set_header Host tiles.mapterhorn.com;
-            proxy_set_header User-Agent "Reitti/1.0 (+https://github.com/dedicatedcode/reitti; contact: reitti@dedicatedcode.com)";
-            proxy_ssl_server_name on;
+        location /custom/ {
+            set $custom_upstream $http_x_reitti_upstream_url;
+            if ($custom_upstream = "") {
+                return 400;
+            }
 
-            proxy_cache terrain_tiles;
-            proxy_cache_valid 200 302 1y;
-            proxy_cache_valid 404 1m;
-            proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+            # Strip the /custom/ prefix so the upstream receives the correct path
+            rewrite ^/custom/(.*) /$1 break;
 
-            add_header X-Cache-Status $upstream_cache_status;
-            add_header Cache-Control $tile_client_cache_control;
-            expires 1y;
-        }
-
-        location /satellite/ {
-            proxy_pass https://server.arcgisonline.com/ArcGIS/rest/services/World_Imagery/MapServer/tile/;
-            proxy_set_header Host server.arcgisonline.com;
+            proxy_pass $custom_upstream;
+            proxy_set_header Host $proxy_host;
             proxy_set_header User-Agent "Reitti/1.0 (+https://github.com/dedicatedcode/reitti; contact: reitti@dedicatedcode.com)";
             proxy_ssl_server_name on;
 
-            proxy_cache satellite_tiles;
+            proxy_cache custom_tiles;
+            proxy_cache_key "$custom_upstream";
             proxy_cache_valid 200 302 1y;
             proxy_cache_valid 404 1m;
             proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
@@ -166,4 +108,4 @@ http {
             add_header Content-Type text/plain;
         }
     }
-}
+}