ci: use distroless images

explodingcamera · explodingcamera · commit 8eb3501f69b5 · 2026-01-17T19:08:21.000+01:00
Signed-off-by: Henry &lt;mail@henrygressmann.de&gt;
diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml
@@ -49,17 +49,23 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Download liwan binaries
+        run: |
+          mkdir -p dist
+
+          curl -fsSL https://github.com/explodingcamera/liwan/releases/download/${{ inputs.tag }}/liwan-x86_64-unknown-linux-musl.tar.gz \
+            | tar -xz -C dist --strip-components=1 &
+
+          curl -fsSL https://github.com/explodingcamera/liwan/releases/download/${{ inputs.tag }}/liwan-aarch64-unknown-linux-musl.tar.gz \
+            | tar -xz -C dist/arm64 --strip-components=1 &
+
+          wait
       - name: Build and push Docker images
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # @v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           context: .
           file: ./scripts/Dockerfile
           push: true
+          platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          platforms: |
-            linux/amd64
-            linux/arm64
-          build-args: |
-            TAR_URL_AMD64=https://github.com/explodingcamera/liwan/releases/download/${{ inputs.tag }}/liwan-x86_64-unknown-linux-musl.tar.gz
-            TAR_URL_ARM64=https://github.com/explodingcamera/liwan/releases/download/${{ inputs.tag }}/liwan-aarch64-unknown-linux-musl.tar.gz
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,12 @@ The format is roughly based on the output of `git-cliff` and this project adhere
 Since this is not a library, this changelog focuses on the changes that are relevant to the end-users. For a detailed list of changes, see the commit history, which adheres to [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/). New releases are created automatically when a new tag is pushed (Commit message: chore(release): vX.X.X).
 -->
 
+## Unreleased
+
+- GeoIP database now automatically reloads if it has been updated on disk
+- Docker image is now based on `distroless`
+- Switched to using `axum` as the web framework and `ua-parser` for user-agent parsing
+
 ## [v1.3.0] - 2025-10-12
 
 - Updated to the latest version of DuckDB (1.4)
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -32,9 +32,8 @@ async-compression={version="0.4", default-features=false, features=["gzip", "tok
 tokio-tar={package="astral-tokio-tar", version="0.5"}
 sha3={version="0.10"}
 argon2={version="0.5", features=["rand"]}
-password-hash={version="0.5", features=["rand_core", "getrandom"]}
+password-hash={version="0.5", features=["rand_core", "getrandom"]} # required for getrandom feature
 zstd={version="0.13", default-features=false}
-uuid={version="1.19", features=["v4"]}
 
 # general
 argh={version="0.1", default-features=false, features=["help"]}
@@ -47,7 +46,14 @@ tracing-subscriber={version="0.3", features=["env-filter"]}
 ahash="0.8"
 
 # web
-axum={version="0.8", features=["macros"]}
+axum={version="0.8", default-features=false, features=[
+    "http1",
+    "tokio",
+    "json",
+    "matched-path",
+    "original-uri",
+    "query",
+]}
 axum-extra={version="0.12", default-features=false, features=["cookie", "typed-header"]}
 http="1.4"
 headers="0.4"
@@ -61,13 +67,9 @@ tower_governor={version="0.8", default-features=false, features=["axum"]}
 aide={version="0.16.0-alpha.2", default-features=false, features=[
     "axum",
     "axum-json",
-    "axum-query",
     "axum-matched-path",
-    "axum-tokio",
-    "axum-extra",
     "axum-extra-cookie",
     "axum-extra-headers",
-    "macros",
 ]}
 schemars={version="1.2", features=["derive", "chrono04"]}
 
diff --git a/scripts/Dockerfile b/scripts/Dockerfile
@@ -1,22 +1,10 @@
-FROM debian:13-slim AS downloader
-ARG TAR_URL_AMD64
-ARG TAR_URL_ARM64
-ARG TARGETPLATFORM
-
-RUN apt-get update && apt-get install -y curl tar
-RUN echo "Downloading liwan for ${TARGETPLATFORM}..." \
-    && TAR_URL=$(if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then echo ${TAR_URL_ARM64}; else echo ${TAR_URL_AMD64}; fi) \
-    && curl -fsSL $TAR_URL -o /tmp/package.tar.gz \
-    && mkdir -p /app \
-    && tar -xzf /tmp/package.tar.gz -C /app \
-    && chmod +x /app/liwan
-
-FROM alpine:3
+FROM gcr.io/distroless/cc-debian13:nonroot
 
 ENV LIWAN_CONFIG=/liwan.config.toml
 ENV LIWAN_DATA_DIR=/data
 
-COPY --from=downloader /app/liwan /liwan
-ENTRYPOINT ["/liwan"]
+COPY --from=buildx /dist/${TARGETARCH:+amd64/}liwan /liwan
+
 EXPOSE 9042
-STOPSIGNAL SIGINT
+STOPSIGNAL SIGINT
+ENTRYPOINT ["/liwan"]
diff --git a/src/utils/hash.rs b/src/utils/hash.rs
@@ -54,3 +54,9 @@ pub fn onboarding_token() -> String {
     rand::rng().fill_bytes(&mut bytes);
     bs58::encode(bytes).into_string()
 }
+
+pub fn db_name() -> String {
+    let mut bytes = [0u8; 16];
+    rand::rng().fill_bytes(&mut bytes);
+    bs58::encode(bytes).into_string()
+}
diff --git a/src/utils/r2d2_sqlite.rs b/src/utils/r2d2_sqlite.rs
@@ -1,6 +1,6 @@
+use crate::utils::hash::db_name;
 use rusqlite::{Connection, OpenFlags, Result};
 use std::path::{Path, PathBuf};
-use uuid::Uuid;
 
 pub struct SqliteConnectionManager {
     source: PathBuf,
@@ -13,7 +13,7 @@ impl SqliteConnectionManager {
     }
 
     pub fn memory() -> Self {
-        Self { source: format!("file:{}?mode=memory&cache=shared", Uuid::new_v4()).into(), flags: OpenFlags::default() }
+        Self { source: format!("file:{}?mode=memory&cache=shared", db_name()).into(), flags: OpenFlags::default() }
     }
 
     pub fn with_flags(self, flags: OpenFlags) -> Self {
diff --git a/src/web/mod.rs b/src/web/mod.rs
@@ -98,10 +98,7 @@ fn save_spec(spec: openapi::OpenApi) -> Result<()> {
 
     let path = Path::new("./web/src/api/dashboard.ts");
     if path.exists() {
-        let spec = serde_json::to_string(&spec)?
-            .replace(r#""servers":[],"#, "") // fets doesn't work with an empty servers array
-            .replace("; charset=utf-8", "") // fets doesn't detect the json content type correctly
-            .replace(r#""format":"int64","#, ""); // fets uses bigint for int64
+        let spec = serde_json::to_string(&spec)?;
 
         // check if the spec has changed
         let old_spec = std::fs::read_to_string(path)?;
@@ -112,6 +109,7 @@ fn save_spec(spec: openapi::OpenApi) -> Result<()> {
         tracing::info!("API has changed, updating the openapi spec...");
         std::fs::write(path, format!("export default {spec} as const;\n"))?;
     }
+
     Ok(())
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
	`1`	`+use crate::utils::hash::db_name;`
`1`	`2`	`use rusqlite::{Connection, OpenFlags, Result};`
`2`	`3`	`use std::path::{Path, PathBuf};`
`3`		`-use uuid::Uuid;`
`4`	`4`
`5`	`5`	`pub struct SqliteConnectionManager {`
`6`	`6`	`source: PathBuf,`
`@@ -13,7 +13,7 @@ impl SqliteConnectionManager {`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`pub fn memory() -> Self {`
`16`		`- Self { source: format!("file:{}?mode=memory&cache=shared", Uuid::new_v4()).into(), flags: OpenFlags::default() }`
	`16`	`+ Self { source: format!("file:{}?mode=memory&cache=shared", db_name()).into(), flags: OpenFlags::default() }`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`pub fn with_flags(self, flags: OpenFlags) -> Self {`