infocyph/tools Docker Image Overview

infocyph/tools

infocyph

Toolbox for generating mkcert certificates, inspecting containers & debugging networks.

1 次收藏下载次数: 0状态：社区镜像维护者：infocyph仓库类型：镜像最近更新：2 天前

轩辕镜像，加速的不只是镜像。点击查看

镜像简介版本下载

轩辕镜像，加速的不只是镜像。点击查看

🛠️ Docker Tools Container

A lightweight, multi-tool Docker image for:

✅ SSL automation (mkcert + certify)
✅ Interactive vhost generation (mkhost) + templates
✅ Cleanup vhosts (delhost)
✅ SOPS/Age encrypted env workflow (senv)
✅ Host notifications pipeline (notifierd + notify + host docknotify)
✅ Docker ops + TUI (docker-cli + compose + lazydocker)
✅ Network diagnostics (netx, dig, mtr, traceroute, nmap, etc.)
✅ Daily dev/ops utilities (git, jq, yq, rg, fd, sqlite, shellcheck, nano, etc.)

🚀 Features (what’s included)

1) SSL + local CA automation

mkcert bundled
certify scans vhosts under /etc/share/vhosts/** and generates:
- Apache server/client certs
- Nginx server/proxy/client certs (includes .p12 for Nginx client)
Wildcards are auto-added from filenames (example.com.conf → example.com + *.example.com)
Always includes: localhost, 127.0.0.1, ::1
Stable CA root via CAROOT=/etc/share/rootCA

2) Interactive vhost generator + templates

mkhost generates Nginx/Apache vhost configs using predefined templates
Uses runtime-versions DB baked during build:
- /etc/share/runtime-versions.json (override via RUNTIME_VERSIONS_DB)
Supports helper flags to query/reset internal “active” selections (ACTIVE_PHP_PROFILE, ACTIVE_NODE_PROFILE, APACHE_ACTIVE)

3) SOPS/Age encrypted env workflow

age + sops installed
senv provides a clean workflow around .env ↔ .env.enc
Supports:
- repo-local config ./.sops.yaml (highest priority)
- global fallback config/key under /etc/share/sops (mountable)
- multi-project keys (per-repo) + “shared encrypted env repo” input mount

4) Host notifications pipeline

notifierd listens on TCP (default 9901) and emits a stable single-line event to stdout using a prefix (default __HOST_NOTIFY__)
notify sends events into notifierd (inside container)
Host can watch formatted events and show popups
Optional host-side sender docknotify can push events to the container from the host

5) Docker debugging + TUI

docker-cli + compose
lazydocker bundled (mount the docker socket)

6) Network & diagnostics toolbox

netx (Toolset wrapper)
curl, wget, ping, nc
dig/nslookup (bind-tools)
iproute2, traceroute, mtr
nmap

7) Daily dev/ops utilities

git + gitx (Toolset)
jq, yq
ripgrep (rg), fd
sqlite + sqlitex (Toolset)
shellcheck
zip, unzip, tree, ncdu
Default editor UX:
- nano is default EDITOR and VISUAL
- /etc/nanorc is configured to load syntax rules when available
chromacat, figlet, show-banner shell hook

🧰 Included commands

Command	Purpose
`mkcert`	Local CA + trusted TLS certificates
`certify`	Scan vhosts and generate server/client certs
`mkhost`	Generate vhost configs (Nginx/Apache) + optional Node compose
`delhost`	Remove vhost configs for a domain (Nginx/Apache/Node yaml)
`senv`	SOPS/Age workflow for `.env` + `.env.enc`
`lazydocker`	Docker TUI (requires docker socket)
`notify`	Send notification to `notifierd`
`notifierd`	TCP → stdout bridge (for host watchers)
`gitx`	Git helper CLI
`chromacat`	Colorized output
`sqlitex`	SQLite helper CLI
`netx`	Networking helper wrapper

📂 Directory layout (recommended)

This repo is designed so you can keep all generated + persistent artifacts in a single configuration/ folder, and mount them into the container.

Rule of thumb:

Mount RW if the container should generate/update files there (certify, mkhost, senv init/keygen).

Mount RO if you want “consume only” behavior (good for shared secrets repo).

✅ Suggested structure


.
├─ configuration/
│  ├─ apache/               # Generated/managed Apache vhosts (*.conf)
│  ├─ nginx/                # Generated/managed Nginx vhosts (*.conf)
│  ├─ ssl/                  # Generated certificates (.pem, .p12, keys)
│  ├─ rootCA/               # mkcert CA store (persist across rebuilds)
│  └─ sops/                 # Global SOPS Model B (persisted)
│     ├─ age.keys           # Global Age key (fallback)
│     ├─ .sops.yaml         # Global fallback config (created by senv init if writable)
│     ├─ keys/              # Per-project keys
│     │  ├─ projectA.age.keys
│     │  └─ projectB.age.keys
│     └─ config/            # Optional per-project configs
│        ├─ projectA.sops.yaml
│        └─ projectB.sops.yaml
│
├─ secrets-repo/            # Optional shared encrypted env store (usually RO mount)
│  ├─ projectA/
│  │  └─ .env.enc
│  └─ projectB/
│     └─ prod/.env.enc
│
└─ docker-compose.yml

🔗 Container mount mapping

Host path	Container path	Used by
`./configuration/apache`	`/etc/share/vhosts/apache`	`mkhost`, `certify`
`./configuration/nginx`	`/etc/share/vhosts/nginx`	`mkhost`, `certify`
`./configuration/ssl`	`/etc/mkcert`	`certify`, `mkcert`
`./configuration/rootCA`	`/etc/share/rootCA`	`mkcert` (CA store)
`./configuration/sops`	`/etc/share/sops`	`senv init`, `senv keygen`, `senv enc/dec/edit`
`./secrets-repo`	`/etc/share/vhosts/sops`	`senv dec --in=...` (alias input source)
`/var/run/docker.sock`	`/var/run/docker.sock`	`docker`, `lazydocker`

📦 Docker Compose example

yaml
services:
  tools:
    image: infocyph/tools:latest
    container_name: docker-tools
    volumes:
      - ./configuration/apache:/etc/share/vhosts/apache
      - ./configuration/nginx:/etc/share/vhosts/nginx

      - ./configuration/ssl:/etc/mkcert
      - ./configuration/rootCA:/etc/share/rootCA

      - ./configuration/sops:/etc/share/sops
      - ./secrets-repo:/etc/share/vhosts/sops:ro

      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - TZ=Asia/Dhaka
      # - NOTIFY_TCP_PORT=9901
      # - NOTIFY_PREFIX=__HOST_NOTIFY__
      # - NOTIFY_TOKEN=

Use as:

one-shot cert generator: docker run --rm ... infocyph/tools certify
long-lived utility box: default CMD runs notifierd

▶️ Manual run

bash
docker run --rm -it \
  -v "$(pwd)/configuration/apache:/etc/share/vhosts/apache" \
  -v "$(pwd)/configuration/nginx:/etc/share/vhosts/nginx" \
  -v "$(pwd)/configuration/ssl:/etc/mkcert" \
  -v "$(pwd)/configuration/rootCA:/etc/share/rootCA" \
  -v "$(pwd)/configuration/sops:/etc/share/sops" \
  -v /var/run/docker.sock:/var/run/docker.sock \
  infocyph/tools:latest

🔧 Certificate automation (certify)

On container startup, the entrypoint runs certify (best-effort). It:

Scans all *.conf under /etc/share/vhosts/**
Extracts domains from filenames (basename without .conf)
Adds wildcard variants automatically (*.domain)
Always includes: localhost, 127.0.0.1, ::1
Generates server and client certificates using mkcert

📁 Domain detection by filename

File name	Domains generated
`test.local.conf`	`test.local`, `*.test.local`
`example.com.conf`	`example.com`, `*.example.com`
`internal.dev.site.conf`	`internal.dev.site`, `*.internal.dev.site`

🔐 Generated cert files

All certs are written to /etc/mkcert.

Certificate Type	Files Generated
Apache (Server)	`apache-server.pem`, `apache-server-key.pem`
Apache (Client)	`apache-client.pem`, `apache-client-key.pem`
Nginx (Server)	`nginx-server.pem`, `nginx-server-key.pem`
Nginx (Proxy)	`nginx-proxy.pem`, `nginx-proxy-key.pem`
Nginx (Client)	`nginx-client.pem`, `nginx-client-key.pem`, `nginx-client.p12`

🧩 mkhost (interactive vhost generator)

mkhost is your “domain setup wizard”. It generates:

Nginx vhost: /etc/share/vhosts/nginx/<domain>.conf
Apache vhost (only if you choose Apache): /etc/share/vhosts/apache/<domain>.conf
Node service yaml (only if you choose Node): /etc/share/vhosts/node/<token>.yaml

Run it:

bash
docker exec -it docker-tools mkhost

What it asks (flow)

It runs a guided 9-step flow (slightly different for PHP vs Node):

Domain name (validated)
App type: PHP or Node
Server type (PHP only): Nginx or Apache
- Node always uses Nginx proxy mode
HTTP / HTTPS mode (keep HTTP, redirect, or HTTPS)
Document root (/app/<path>)
Client body size
Runtime version selection:
- PHP: choose PHP version/profile
- Node: choose Node version + optional run command
If HTTPS: optional client certificate verification (mutual TLS)

HTTPS + certificates

If you enable HTTPS, mkhost triggers certify automatically so the required certs exist.

Helpful flags (used by devtainer)

mkhost stores the “active selections” into env (used by your server wrapper to enable compose profiles). You can query/reset these values:

bash
mkhost --RESET
mkhost --ACTIVE_PHP_PROFILE
mkhost --ACTIVE_NODE_PROFILE
mkhost --APACHE_ACTIVE

--RESET clears all active selections.
--ACTIVE_PHP_PROFILE prints the chosen PHP profile (if PHP was selected).
--ACTIVE_NODE_PROFILE prints the chosen Node profile (if Node was selected).
--APACHE_ACTIVE prints apache when Apache mode was selected.

🧹 delhost (remove vhost configs)

delhost deletes the generated files for a domain:

/etc/share/vhosts/nginx/<domain>.conf
/etc/share/vhosts/apache/<domain>.conf
/etc/share/vhosts/node/<token>.yaml (token is a safe slug of the domain)

Run it:

bash
docker exec -it docker-tools delhost example.com

Interactive mode (no args):

bash
docker exec -it docker-tools delhost

Behavior:

Validates the domain format before deleting
Shows exactly what files it will remove
Requires confirmation (y/N)
If nothing exists for that domain, it exits with code 2 (useful for scripts)

🔐 senv (SOPS/Age env workflow)

Typical usage

Initialize (creates missing defaults only when writable/mounted):

bash
senv init

Initialize repo-local config in current directory:

bash
senv init --local

Local-only init (does not touch /etc/share/sops):

bash
senv init --local-only

Status / info:

bash
senv info

Encrypt / decrypt (defaults):

bash
senv enc          # .env -> .env.enc
senv dec          # .env.enc -> .env
senv edit         # edit .env.enc using sops editor mode

Explicit input/output:

bash
senv enc --in=./.env --out=./.env.enc
senv dec --in=./.env.enc --out=./.env

Use “shared encrypted env repo” as input source:

bash
# reads from /etc/share/vhosts/sops/demo.env.enc
# writes to ./demo.env (unless --out is set)
senv dec --in=demo.env.enc

# nested path inside the shared repo
senv dec --in=projectA/prod/.env.enc --out=./.env

Push/Pull sugar (shared encrypted repo):

bash
# pull /etc/share/vhosts/sops/<project>/.env.enc -> ./.env
senv pull --project projectA

# push ./.env -> /etc/share/vhosts/sops/<project>/.env.enc
senv push --project projectA

🔔 Notifications

Server: `notifierd`

notifierd listens on TCP (default 9901) and emits a single-line event to stdout with a fixed prefix (default __HOST_NOTIFY__).

Client: `notify` (inside the tools container)

bash
notify "Build done" "All services are healthy ✅"

🖥️ Host sender: `docknotify`

A host-side companion that sends notifications to the tools notifierd service using a stable one-line TCP protocol.

Protocol (tab-separated): token timeout urgency source title body

Install on host

bash
sudo curl -fsSL \
  "[***]" \
  -o /usr/local/bin/docknotify \
  && sudo chmod +x /usr/local/bin/docknotify

Usage

bash
docknotify "Build done" "All services are healthy ✅"

📟 Tail docker logs (formatted watcher)

bash
docker logs -f docker-tools 2>/dev/null | awk -v p="__HOST_NOTIFY__" '
  index($0, p) == 1 {
    line = $0
    sub("^" p "[ \t]*", "", line)

    n = split(line, a, "\t")
    if (n >= 6) {
      urgency = a[3]
      source = a[4]
      title = a[5]

      body = a[6]
      for (i = 7; i <= n; i++) body = body "\t" a[i]

      printf("[%-8s][%s] %s — %s\n", urgency, source, title, body)
    } else {
      print line
    }
    fflush()
  }
'

🌍 Environment variables (tools container)

Variable	Default	Description
`TZ`	(empty)	Timezone
`CAROOT`	`/etc/share/rootCA`	mkcert CA root directory
`RUNTIME_VERSIONS_DB`	`/etc/share/runtime-versions.json`	runtime versions DB used by `mkhost`
`EDITOR` / `VISUAL`	`nano`	default editor
`NOTIFY_TCP_PORT`	`9901`	notifier TCP port
`NOTIFY_FIFO`	`/run/notify.fifo`	internal FIFO path
`NOTIFY_PREFIX`	`__HOST_NOTIFY__`	stdout prefix
`NOTIFY_TOKEN`	(empty)	optional token auth
`SOPS_BASE_DIR`	`/etc/share/sops`	global SOPS base directory
`SOPS_KEYS_DIR`	`/etc/share/sops/keys`	per-project keys directory
`SOPS_CFG_DIR`	`/etc/share/sops/config`	per-project config directory
`SOPS_REPO_DIR`	`/etc/share/vhosts/sops`	shared encrypted env repo mount

🐳 Lazydocker

bash
docker exec -it docker-tools lazydocker

Make sure /var/run/docker.sock is mounted.

📝 License

Licensed under the MIT License © infocyph

查看更多 tools 相关镜像 →

centos/tools

centos

包含系统管理工具、适用于CentOS Atomic主机的Docker镜像

Cinnamon基础工具镜像，集成运行及开发Cinnamon相关应用所需的核心工具与依赖，提供稳定、轻量的基础环境支持，适用于构建或运行Cinnamon应用。

Kanidm身份管理系统的命令行工具集，用于通过命令行界面管理Kanidm服务、用户、组及权限等核心功能。

轩辕镜像配置手册

探索更多轩辕镜像的使用方法，找到最适合您系统的配置方式

Docker 配置

登录仓库拉取

通过 Docker 登录认证访问私有仓库

专属域名拉取

无需登录使用专属域名

K8s Containerd

Kubernetes 集群配置 Containerd

K3s

K3s 轻量级 Kubernetes 镜像加速

Dev Containers

VS Code Dev Containers 配置

Podman

Podman 容器引擎配置

Singularity/Apptainer

HPC 科学计算容器配置

其他仓库配置

ghcr、Quay、nvcr 等镜像仓库

系统配置

Linux

在 Linux 系统配置镜像服务

Windows/Mac

在 Docker Desktop 配置镜像

MacOS OrbStack

MacOS OrbStack 容器配置

Docker Compose

Docker Compose 项目配置

NAS 设备

群晖

Synology 群晖 NAS 配置

飞牛

飞牛 fnOS 系统配置镜像

绿联

绿联 NAS 系统配置镜像

威联通

QNAP 威联通 NAS 配置

极空间

极空间 NAS 系统配置服务

网络设备

爱快路由

爱快 iKuai 路由系统配置

宝塔面板

在宝塔面板一键配置镜像

需要其他帮助？请查看我们的常见问题Docker 镜像访问常见问题解答或提交工单

镜像拉取常见问题

使用与功能问题

docker search 报错：专属域名下仅支持 Docker Hub 查询

docker search 报错问题

网页搜不到镜像：Docker Hub 有但轩辕镜像搜索无结果

镜像搜索不到

离线传输镜像：无法直连时用 docker save/load 迁移

离线传输镜像

Docker 插件安装错误：application/vnd.docker.plugin.v1+json

Docker 插件安装错误

WSL 下 Docker 拉取慢：网络与挂载目录影响及优化

WSL 拉取镜像慢

轩辕镜像是否安全？镜像完整性校验（digest）说明

镜像安全性

如何用轩辕镜像拉取镜像？登录方式与专属域名配置

如何拉取镜像

错误码与失败问题

manifest unknown 错误：镜像不存在或标签错误

manifest unknown 错误

TLS/SSL 证书验证失败：Docker pull 时 HTTPS 证书错误

TLS 证书验证失败

DNS 解析超时：无法解析镜像仓库地址或连接超时

DNS 解析超时

410 Gone 错误：Docker 版本过低导致协议不兼容

410 错误：版本过低

402 Payment Required 错误：流量耗尽错误提示

402 错误：流量耗尽

401 UNAUTHORIZED 错误：身份认证失败或登录信息错误

身份认证失败错误

429 Too Many Requests 错误：请求频率超出专业版限制

429 限流错误

Docker login 凭证保存错误：Cannot autolaunch D-Bus（不影响登录）

凭证保存错误

账号 / 计费 / 权限

免费版与专业版区别：功能、限额与使用场景对比

免费版与专业版区别

支持的镜像仓库：Docker Hub、GCR、GHCR、K8s 等列表

轩辕镜像支持的镜像仓库

拉取失败是否扣流量？计费规则说明

拉取失败流量计费

KYSEC 权限不够：麒麟 V10/统信 UOS 下脚本执行被拦截

KYSEC 权限错误

如何申请开具发票？（增值税普票/专票）

开具发票

如何修改网站与仓库登录密码？

修改网站和仓库密码

配置与原理类

registry-mirrors 未生效：仍访问官方仓库或报错的原因

registry-mirrors 未生效

如何去掉镜像名称中的轩辕域名前缀？（docker tag）

去掉域名前缀

如何拉取指定架构镜像？（ARM64/AMD64 等多架构）

拉取指定架构镜像

查看全部问题→

用户好评

来自真实用户的反馈，见证轩辕镜像的优质服务

oldzhang

运维工程师

Linux服务器

"Docker访问体验非常流畅，大镜像也能快速完成下载。"

infocyph/tools Docker 镜像 - 轩辕镜像 | Docker 镜像高效稳定拉取服务

🛠️ Docker Tools Container

🚀 Features (what’s included)

1) SSL + local CA automation

2) Interactive vhost generator + templates

3) SOPS/Age encrypted env workflow

4) Host notifications pipeline

5) Docker debugging + TUI

6) Network & diagnostics toolbox

7) Daily dev/ops utilities

🧰 Included commands

📂 Directory layout (recommended)

✅ Suggested structure

🔗 Container mount mapping

📦 Docker Compose example

▶️ Manual run

🔧 Certificate automation (certify)

📁 Domain detection by filename

🔐 Generated cert files

🧩 mkhost (interactive vhost generator)

What it asks (flow)

HTTPS + certificates

Helpful flags (used by devtainer)

🧹 delhost (remove vhost configs)

🔐 senv (SOPS/Age env workflow)

Typical usage

🔔 Notifications

Server: notifierd

Client: notify (inside the tools container)

🖥️ Host sender: docknotify

Install on host

Usage

📟 Tail docker logs (formatted watcher)

🌍 Environment variables (tools container)

🐳 Lazydocker

📝 License

轩辕镜像配置手册

Docker 配置

登录仓库拉取

专属域名拉取

K8s Containerd

K3s

Dev Containers

Podman

Singularity/Apptainer

其他仓库配置

系统配置

Linux

Windows/Mac

MacOS OrbStack

Docker Compose

NAS 设备

群晖

飞牛

绿联

威联通

极空间

网络设备

爱快路由

宝塔面板

镜像拉取常见问题

使用与功能问题

docker search 报错：专属域名下仅支持 Docker Hub 查询

网页搜不到镜像：Docker Hub 有但轩辕镜像搜索无结果

离线传输镜像：无法直连时用 docker save/load 迁移

Docker 插件安装错误：application/vnd.docker.plugin.v1+json

WSL 下 Docker 拉取慢：网络与挂载目录影响及优化

轩辕镜像是否安全？镜像完整性校验（digest）说明

如何用轩辕镜像拉取镜像？登录方式与专属域名配置

错误码与失败问题

manifest unknown 错误：镜像不存在或标签错误

TLS/SSL 证书验证失败：Docker pull 时 HTTPS 证书错误

DNS 解析超时：无法解析镜像仓库地址或连接超时

410 Gone 错误：Docker 版本过低导致协议不兼容

402 Payment Required 错误：流量耗尽错误提示

401 UNAUTHORIZED 错误：身份认证失败或登录信息错误

429 Too Many Requests 错误：请求频率超出专业版限制

Docker login 凭证保存错误：Cannot autolaunch D-Bus（不影响登录）

账号 / 计费 / 权限

免费版与专业版区别：功能、限额与使用场景对比

Server: `notifierd`

Client: `notify` (inside the tools container)

🖥️ Host sender: `docknotify`