openaudible / openaudible_docker

Run OpenAudible from a container and use it with a web browser

TODO #2? #6

Open Lanjelin opened 2 years ago

Lanjelin commented 2 years ago

Perhaps experiment with Ubuntu Kiosk Mode, to disable terminal, su, etc? OpenAudible and system file browser.

Disable anything but OpenAudible window? I've been using baseimage-rdesktop-web instead of the full webtop to accomplish this, basically copied how the linuxserver/sqlitebrowser is built.

Only downside I've found; if you close the application window within the browser, the container needs to be restarted to pull it back up (as there's no visible desktop).

Adding a file to /etc/cont-init.d/ to install OpenAudible when the container is started the first time. Deleting/remaking the container will then install the newest version.

58-openaudibleinstall

#!/usr/bin/with-contenv bash

# install OpenAudible on firstrun
[[ ! -f /usr/local/OpenAudible/OpenAudible ]] && \
    echo "Downloading OpenAudible installer.." && \
    wget -q https://openaudible.org/latest/OpenAudible_x86_64.sh -O openaudible_installer.sh  && \
    sh ./openaudible_installer.sh -q -overwrite -dir /usr/local/OpenAudible && \
    rm openaudible_installer.sh

Dockerfile

FROM ghcr.io/linuxserver/baseimage-rdesktop-web:bionic
ENV TITLE=OpenAudible
RUN echo "Installing dependencies" && \
    apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    libgtk-3-bin ca-certificates wget libswt-webkit-gtk-4-jni xdg-utils libnss3-dev && \
    wget -q https://raw.githubusercontent.com/Lanjelin/docker-tinker/main/openaudible/58-openaudibleinstall -O /etc/cont-init.d/58-openaudibleinstall && \
    echo "OpenAudible" > /defaults/autostart && \
    echo "Cleaning up" && \
    apt remove -y xfce4-panel firefox && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
EXPOSE 3000
#VOLUME /config/OpenAudible - skipping this as baseimage already got VOLUME /config

docker-compose, with traefik reverse proxy and authelia authentication

version: "3.8"
services:
  openaudible:
    container_name: openaudible
    image: openaudible
    ports:
      - "3000:3000"
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - ./config/openaudible:/config
    # Following is a working traefik config with authelia authentication.
    # Skip the next lines if you're not using traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.openaudible.entrypoints=websecure"
      - "traefik.http.routers.openaudible.rule=Host(`openaudible.example.com`)"
      - "traefik.http.routers.openaudible.middlewares=authelia@docker"
      - "traefik.http.routers.openaudible.service=openaudible"
      - "traefik.http.services.openaudible.loadbalancer.server.port=3000"
      - "traefik.http.services.openaudible.loadbalancer.server.scheme=http"
    networks:
      - traefik

networks:
  traefik:
    external: true

openaudible commented 1 year ago

Better late than never.. but that's great.

A few things.. There is still a terminal program available (with root access via sudo su). And there is no file browser.. so there is no way to "reveal" a directory or file.. But the auto start seems to work pretty well.

This isn't a project we are actively updating.. but hopefully other people will find this useful.

I will try to incorporate some of this.

Lanjelin commented 1 year ago

As with everything one is hosting/running on a home server, unless it's meant for the public, it should be hidden behind some sort of authentication, else not be exposed to the internet at all.

Terminal (with or without su) should therefore not matter, though people do time and time again expose this sort of stuff publicly, so I see your point.

linuxserver deprecated docker-baseimage-rdesktop-web just a few months ago though, replacing it with docker-baseimage-kasmvnc (it's what webtop uses now).

While being a larger base image, it offers several benefits over rdesktop-web: GPU acceleration, audio, shared clipboard (when using chromium browsers), and HTTP basic auth using env variables. It also feels smoother.

If you're interested, I can throw together a Dockerfile using docker-baseimage-kasmvnc.

Lanjelin commented 1 year ago

Edit: Updated all files as I figured out why I wasn't able to install to /usr/local/OpenAudible; short story: permissions. I've now updated everything to a build & forget approach, where every recreate of the container will download and install the latest version (even though best practice is one image per version).

Went ahead and made something that should tick all your boxes under the todo, only caveat is final image being 1.55GB.
Could probably be stripped down a bit, as it includes quite some stuff to make it compatible with kasm workspaces.

Add a user/password for accessing the VM

Defaults to OpenAudible:openaudible. Can be changed by the user by adding the env variables CUSTOM_USER and PASSWORD; setting PASSWORD to blank will disable it.

Perhaps experiment with Ubuntu Kiosk Mode, to disable terminal, su, etc? OpenAudible and system file browser.

xterm is still included, but the user is removed from sudoers

lock down "su" root ability (change root password?)

root password changed to a random 20 character hex string every time the container is started/restarted/created.

I've included thunar as file manager

Dockerfile

FROM ghcr.io/linuxserver/baseimage-kasmvnc:debianbullseye

ENV TITLE=OpenAudible
ENV CUSTOM_USER=OpenAudible
ENV PASSWORD=openaudible

RUN \
  echo "**** update packages ****" && \
    apt-get update && \
    apt-get install -y --no-install-recommends \
      wget \
      gnome-icon-theme* \
      thunar && \
  echo '**** tweaks ****' && \
  sed -i 's|</applications>|  <application title="OpenAudible" type="normal">\n    <maximized>no</maximized>\n  </application>\n</applications>|' /etc/xdg/openbox/rc.xml && \
  deluser abc sudo && \
  wget https://avatars.githubusercontent.com/u/30847528 -O /app/logo.png && \
  echo "**** cleanup ****" && \
    rm -rf \
      /tmp/* \
      /var/lib/apt/lists/* \
      /var/tmp/*

COPY /root /

EXPOSE 3000 3001

VOLUME /config

docker-compose.yml

services:
  openaudible:
    container_name: openaudible
    image: openaudible:latest
    ports:
      - "3000:3000"
      - "3001:3001"
    environment:
      - PUID=1000
      - PGID=1000
      - CUSTOM_USER=JohnDoe
      - PASSWORD=
    volumes:
      - ./openaudible:/config

Login name set to JohnDoe, but authentication disabled by setting PASSWORD to blank.
Configuration and file storage (config on container) mounted to ./openaudible
Additional env variables can be seen here: docker-baseimage-kasmvnc
To use the seamless clipboard, the container needs to be accessed through HTTPS, either behind a reverse proxy (to either port), or by accessing port 3001.

root/defaults/autostart

#!/bin/bash
if [ ! -f /app/OpenAudible/OpenAudible ]
then
    echo "Downloading OpenAudible installer.."
    wget -q https://openaudible.org/latest/OpenAudible_x86_64.sh -O openaudible_installer.sh
    sh ./openaudible_installer.sh -q -overwrite -dir /app/OpenAudible
    rm openaudible_installer.sh
fi
/app/OpenAudible/OpenAudible

Install OpenAudible if it doesn't exist.
Start OpenAudible.

root/defaults/menu.xml

<?xml version="1.0" encoding="utf-8"?>
<openbox_menu xmlns="http://openbox.org/3.4/menu">
<menu id="root-menu" label="MENU">
<item label="xterm" icon="/usr/share/icons/hicolor/scalable/apps/xterm-color.svg"><action name="Execute"><command>/usr/bin/xterm</command></action></item>
<item label="OpenAudible" icon="/app/logo.png"><action name="Execute"><command>/app/OpenAudible/OpenAudible</command></action></item>
<item label="Thunar" icon="/usr/share/icons/hicolor/scalable/apps/org.xfce.thunar.svg"><action name="Execute"><command>thunar</command></action></item>
</menu>
</openbox_menu>

Right-click menu on background to open apps.

root/etc/cont-init.d/58-rootscrambler

#!/bin/bash
# Replace root's password with 20 random bytes (hex-encoded) on every container start
echo "root:$(openssl rand -hex 20)" | chpasswd

Scrambling the root password on container start

I've included all the files in a .zip, if you want to try it out (without needing to copy/paste everything).

cd openaudible
docker build -t openaudible .
docker compose up

openaudible.zip
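
Added example, not part of the thread or the project's code: a small shell check for the exposure cases the compose files above can produce, namely a published port with `PASSWORD` left blank (or at the Dockerfile default `openaudible`), and a published port on a service that relies on a reverse-proxy auth middleware. The function names, service names and sample compose text are constructed for illustration, and the parser assumes the list-style layout used above.

```shell
#!/bin/sh
# Added example (not from the thread); handles only the list-style compose layout shown above.
audit_compose() {   # reads a compose file on stdin, prints "service: finding"
  awk '
    function report() {
      if (svc == "") return
      if (ports && pw == "blank")
        print svc ": PASSWORD is blank and a port is published (no basic auth)"
      else if (ports && pw == "openaudible")
        print svc ": PASSWORD is the Dockerfile default and a port is published"
      if (ports && mw)
        print svc ": published port bypasses the proxy auth middleware"
    }
    /^services:/ { in_services = 1; next }
    /^[^ #]/     { report(); svc = ""; in_services = 0; next }
    in_services && /^  [^ #-][^:]*:[ ]*$/ {
      report(); svc = $1; sub(/:$/, "", svc)
      ports = 0; mw = 0; pw = "unset"; sect = ""; next
    }
    /^    [a-z_]+:/ { sect = $1; sub(/:.*/, "", sect); next }
    /^      - / {
      item = $0; sub(/^      - /, "", item); gsub(/"/, "", item)
      if (sect == "ports") ports = 1
      if (sect == "environment" && item ~ /^PASSWORD=/) {
        pw = substr(item, 10); if (pw == "") pw = "blank"
      }
      if (sect == "labels" && item ~ /\.middlewares=/) mw = 1
    }
    END { report() }
  '
}
sample_compose() {  # constructed input modelled on the two compose files above
  cat <<'EOF'
services:
  kasm_noauth:
    ports:
      - "3000:3000"
    environment:
      - PASSWORD=
  proxied:
    ports:
      - "3000:3000"
    labels:
      - "traefik.http.routers.openaudible.middlewares=authelia@docker"
networks:
  traefik:
EOF
}
sample_compose | audit_compose
```

Run it against a real file with `audit_compose < docker-compose.yml`; an empty result means none of the three patterns matched.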