author | Mike Crute <mike@crute.us> | 2021-01-18 06:22:07 +0000 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2021-01-18 06:22:07 +0000 |
commit | 8f525f4ab1ae4f1c8daafcb4c56f95b7ff3158cc (patch) | |
tree | 494ee79de97dd7bc206fce6d5fa33ee8af34d90d | |
parent | acae3efa52e7ec82530bc231a4156f5f2ed3bdb2 (diff) | |
download | dockerfiles-8f525f4ab1ae4f1c8daafcb4c56f95b7ff3158cc.tar.bz2 dockerfiles-8f525f4ab1ae4f1c8daafcb4c56f95b7ff3158cc.tar.xz dockerfiles-8f525f4ab1ae4f1c8daafcb4c56f95b7ff3158cc.zip |
code-host: Run nginx in container
-rw-r--r-- | code-host/Dockerfile | 17 | ||||
-rw-r--r-- | code-host/Makefile | 4 | ||||
-rw-r--r-- | code-host/code.crute.me | 100 | ||||
-rwxr-xr-x | code-host/etc/service/nginx/log/run | 3 | ||||
-rwxr-xr-x | code-host/etc/service/nginx/run | 23 | ||||
-rwxr-xr-x | code-host/etc/service/ssh/run | 1 | ||||
-rw-r--r-- | code-host/etc/ssh/sshd_config | 3 | ||||
-rw-r--r-- | code-host/etc/uwsgi/code.ini | 2 |
8 files changed, 146 insertions, 7 deletions
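--- a/code-host/Dockerfile
+++ b/code-host/Dockerfile
@@ -3,12 +3,13 @@ LABEL maintainer="Mike Crute <mike@crute.us>"
 
 # locale-gen en_US.UTF-8 && \
 
-RUN \
+RUN set -euxo pipefail; \
 apk --no-cache add \
 bash \
 cgit \
 dumb-init \
 gitolite \
+nginx \
 openssh \
 perl-json \
 py3-pygments \
@@ -18,11 +19,19 @@ RUN \
 uwsgi \
 uwsgi-cgi \
 uwsgi-router_static \
-&& ln -s /usr/bin/rst2html /usr/bin/rst2html.py \
-&& addgroup -g 1005 -S code \
-&& adduser -u 1005 -s /bin/sh -S -h /srv/code -H -D -G code code
+; \
+rm -rf /etc/nginx; \
+mkdir -p /srv/nginx-conf /logs; \
+ln -s /usr/bin/rst2html /usr/bin/rst2html.py; \
+addgroup -g 1005 -S code; \
+adduser -u 1005 -s /bin/sh -S -h /srv/code -H -D -G code code;
 
 ADD etc/ /etc/
+ADD code.crute.me /srv/nginx-conf/
+ADD nginx_bootstrap /
+
+ENV ACTIVE_PROFILE INTERNAL
+ENV NGINX_PP_DISABLE_SSL_DEFAULT true
 
 STOPSIGNAL SIGHUP
 CMD [ "/usr/bin/dumb-init", "/sbin/runsvdir", "/etc/service" ]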
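Review bot: `RUN set -euxo pipefail; \` on new line 6 executes under the image's default `/bin/sh`, which on Alpine is busybox ash, because no `SHELL` directive is visible and bash is only being installed by this same `apk add`; `pipefail` is not a POSIX `set` option, so whether ash accepts it depends on the busybox build and should be checked against the actual base image. Nothing in the chain is piped, so `set -eux; \` gives the same protection without that dependency. On new lines 30-31, `ADD code.crute.me /srv/nginx-conf/` and `ADD nginx_bootstrap /` copy plain local files; `COPY` is the conventional directive for that, since `ADD` additionally unpacks tar archives and fetches URLs, neither of which is wanted for a config file or a binary. The `FROM` line and any `SHELL` directive lie outside the hunk.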
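--- a/code-host/Makefile
+++ b/code-host/Makefile
@@ -1,8 +1,12 @@
 IMAGE=docker.crute.me/code-host:latest
 
 all:
+cp ../nginx-common/main.go .
+CGO_ENABLED=0 go build -o nginx_bootstrap main.go
+rm -rf ./etc/nginx/ && cp -r ../nginx-common/conf ./etc/nginx/
 docker pull alpine:edge
 docker build -t $(IMAGE) .
+rm -rf ./etc/nginx/ main.go nginx_bootstrap
 
 all-no-cache:
 docker build --no-cache -t $(IMAGE) .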
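Review bot: The `all-no-cache` target (new lines 11-12) does not run the preparation steps added to `all` (new lines 4-6), so once the cleanup on new line 9 has removed `main.go`, `nginx_bootstrap` and `etc/nginx/`, a later `make all-no-cache` builds from a context that lacks the files the Dockerfile now `ADD`s and fails inside `docker build`. The cleanup on line 9 also only runs when `docker build` succeeds, so a failed build leaves the copied sources and the binary in the tree. Moving lines 4-6 into a `prepare` prerequisite shared by both image targets and line 9 into a `clean` target makes `all-no-cache` self-sufficient and gives a way to tidy up after a failure. Since the Go binary is built on the host for an Alpine image, adding `GOOS=linux` next to `CGO_ENABLED=0` keeps the build correct on non-Linux hosts, though the intended build hosts are not visible here.
```makefile
all: prepare
	docker pull alpine:edge
	docker build -t $(IMAGE) .
	$(MAKE) clean

all-no-cache: prepare
	docker build --no-cache -t $(IMAGE) .
	$(MAKE) clean

prepare:
	cp ../nginx-common/main.go .
	CGO_ENABLED=0 GOOS=linux go build -o nginx_bootstrap main.go
	rm -rf ./etc/nginx/ && cp -r ../nginx-common/conf ./etc/nginx/

clean:
	rm -rf ./etc/nginx/ main.go nginx_bootstrap

.PHONY: all all-no-cache prepare clean
```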
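--- /dev/null
+++ b/code-host/code.crute.me
@@ -0,0 +1,100 @@
+# vi:ft=nginx
+# preprocess: link_for INTERNAL
+
+# TODO: Consolidate these into one, they differ only by hostname and SSL cert
+# This is like this because I'm not sure if redirects will work at all with
+# git pulls and pretty much all repositories use code.crute.me not .us
+
+include includes/internal_ip_cgit_acl.conf;
+
+server {
+listen *:443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name code.crute.me;
+access_log /logs/code.crute.me.log combined_host;
+
+include includes/hardened_ssl.conf;
+include includes/hardened_headers.conf;
+
+ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
+ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
+
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+client_max_body_size 4G;
+
+# This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+# repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+# point it's just quick and easy to put it here.
+location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+if ($arg_go-get = "1") {
+add_header Content-Type text/plain;
+return 200 '<html><head>
+<meta name="go-import" content="code.crute.me/$user/$repo git https://code.crute.me/$user/$repo">
+<meta name="go-source" content="code.crute.me/$user/$repo
+https://code.crute.me/$user/$repo
+https://code.crute.me/$user/$repo/tree{/dir}
+https://code.crute.me/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+}
+
+include uwsgi_params;
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+
+location / {
+include uwsgi_params;
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+}
+
+server {
+listen *:443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name code.crute.us;
+access_log /logs/code.crute.me.log combined_host;
+
+include includes/hardened_ssl.conf;
+include includes/hardened_headers.conf;
+
+ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_us.pem;
+ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_us_key.pem;
+
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+client_max_body_size 4G;
+
+# This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+# repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+# point it's just quick and easy to put it here.
+location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+if ($arg_go-get = "1") {
+add_header Content-Type text/plain;
+return 200 '<html><head>
+<meta name="go-import" content="code.crute.me/$user/$repo git https://code.crute.me/$user/$repo">
+<meta name="go-source" content="code.crute.me/$user/$repo
+https://code.crute.me/$user/$repo
+https://code.crute.me/$user/$repo/tree{/dir}
+https://code.crute.me/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+}
+
+include uwsgi_params;
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+
+location / {
+include uwsgi_params;
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+}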
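Review bot: `add_header Content-Type text/plain;` on new line 32 (and again on line 78) does not replace the Content-Type nginx attaches to a `return` body; it appends a second header, so the go-get response carries both the `default_type` value and `text/plain` and a client may honour either. The directive meant for this is `default_type text/plain;` inside the `if` block or the location. Because `add_header` directives are only inherited into a level that defines none of its own, the `always` CSP header on line 23 and whatever `includes/hardened_headers.conf` adds are also dropped from exactly this response. Separately, `$user` and `$repo` are copied verbatim from the decoded request path into an HTML body, and `[^/]*` / `[^/]+` admit quotes and angle brackets; narrowing the captures to the character set repository names actually use, e.g. `location ~ ^/(?<user>[A-Za-z0-9_.-]*)/(?<repo>[A-Za-z0-9_.-]+)/?(?<subpath>.*)?$ {`, keeps the reflected values inert. Both points apply equally to the second `server` block (lines 76-86).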
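--- /dev/null
+++ b/code-host/etc/service/nginx/log/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cat -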
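--- /dev/null
+++ b/code-host/etc/service/nginx/run
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# runsv sends us a TERM but uwsgi will only shutdown cleanly
+# if it receives an INT so we need to translate the signal
+# properly for uwsgi
+trap 'kill -INT $PID' TERM
+
+/nginx_bootstrap /usr/sbin/nginx -g "daemon off;" &
+
+PID=$!
+
+# wait for uwsgi, will get cancelled when runsv TERMs us and
+# the trap will get executed next, unless something goes wrong
+# and uwsgi fails then this wait will run
+wait $PID
+
+# if something went wrong then unregister the trap because it
+# won't have a target
+trap - TERM
+
+# waiting on a dead process will return the return code of the
+# processes original exit
+wait $PID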
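Review bot: The comments on new lines 3-5 and 12-14 describe uwsgi, but the process this script supervises is nginx (line 8), so they no longer explain why TERM is translated to INT. For nginx the signal that requests a graceful stop is QUIT, while INT and TERM both mean fast shutdown, so the translation only matters if `/nginx_bootstrap` forwards signals to the nginx it launches, which is not visible here; if it does, `trap 'kill -QUIT $PID' TERM` would let in-flight requests finish instead of cutting them. The header comment could read `# runsv sends TERM; forward it to the nginx bootstrap process, then reap it (second wait) to return nginx's real exit status`, and the comment on lines 12-14 should name nginx rather than uwsgi.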
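--- a/code-host/etc/service/ssh/run
+++ b/code-host/etc/service/ssh/run
@@ -21,4 +21,5 @@ if [ ! -f "$ED25519_KEY_FILE" ]; then
 chown code:code "$ED25519_KEY_FILE"
 fi
 
+setcap cap_net_bind_service=+ep /usr/sbin/sshd
 /sbin/su-exec code /usr/sbin/sshd -D -e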
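Review bot: `setcap cap_net_bind_service=+ep /usr/sbin/sshd` on new line 24 runs unconditionally at every service start and its result is not checked; it needs CAP_SETFCAP inside the container and a filesystem that stores extended attributes, and when it fails the following `su-exec code ... sshd` cannot bind port 22 (set in sshd_config by this same commit) and runsv restarts the service in a loop with only sshd's bind error to go on. Guarding it, `setcap cap_net_bind_service=+ep /usr/sbin/sshd || { echo "setcap on sshd failed" >&2; exit 1; }`, surfaces the failure at its real cause. The capability becomes a property of the binary rather than of this service, so two alternatives worth weighing are setting it once in the Dockerfile (moving the privileged step to build time) or keeping sshd on the old unprivileged port and mapping host port 22 to it at the container level, which needs no capability at all. The script's earlier lines, including the start of the `if` block, lie before the hunk.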
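--- a/code-host/etc/ssh/sshd_config
+++ b/code-host/etc/ssh/sshd_config
@@ -5,8 +5,7 @@ HostKey /srv/code/hostkeys/ed25519_key
 
 Protocol 2
 
-# Bind a port above 1024 so we can run ssh as an unpriviledged user
-Port 9001
+Port 22
 
 SyslogFacility AUTH
 LogLevel INFO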
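Review bot: Dropping the comment on old line 8 leaves `Port 22` (new line 8) with no hint that sshd still runs as the unprivileged `code` user and only binds 22 because etc/service/ssh/run grants the binary `cap_net_bind_service` in this same commit; someone reading sshd_config alone would assume sshd runs as root. Keeping a line above it, `# sshd runs as the unprivileged 'code' user; binding 22 relies on the cap_net_bind_service file capability set in etc/service/ssh/run`, preserves that reasoning next to the setting it justifies.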
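--- a/code-host/etc/uwsgi/code.ini
+++ b/code-host/etc/uwsgi/code.ini
@@ -1,7 +1,7 @@
 [uwsgi]
 master = true
 plugins = cgi, router_static
-socket = :9000
+socket = [::]:9000
 uid = code
 gid = code
 workers = 2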
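Review bot: `socket = [::]:9000` on new line 4 binds the uwsgi protocol socket on the wildcard address, while its only client is the nginx that now runs in the same container and reaches it through `uwsgi_pass uwsgi://127.0.0.1:9000` in code.crute.me. The uwsgi protocol carries no authentication and this socket fronts cgit as a CGI backend, so a wildcard bind exposes it to every peer on the container's network interface; `socket = 127.0.0.1:9000`, or a unix socket with a matching `uwsgi_pass unix:...` on the nginx side, restricts it to the local nginx. Whether `[::]` even accepts the IPv4 connection from 127.0.0.1 depends on the kernel's `bindv6only` setting and on IPv6 being enabled in the container's network namespace, neither of which is visible here, whereas the old `:9000` form appears to have bound IPv4.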