code-host: Run nginx in container

8 files changed, 146 insertions, 7 deletions

diff --git a/code-host/Dockerfile b/code-host/Dockerfile
index 4de5043..d7392fe 100644
--- a/code-host/Dockerfile
+++ b/code-host/Dockerfile
@@ -3,12 +3,13 @@ LABEL maintainer="Mike Crute <mike@crute.us>"
 
 # locale-gen en_US.UTF-8 && \
 
-RUN \
+RUN set -euxo pipefail; \
     apk --no-cache add \
         bash \
         cgit \
         dumb-init \
         gitolite \
+        nginx \
         openssh \
         perl-json \
         py3-pygments \
@@ -18,11 +19,19 @@ RUN \
         uwsgi \
         uwsgi-cgi \
         uwsgi-router_static \
-    && ln -s /usr/bin/rst2html /usr/bin/rst2html.py \
-    && addgroup -g 1005 -S code \
-    && adduser -u 1005 -s /bin/sh -S -h /srv/code -H -D -G code code
+    ; \
+    rm -rf /etc/nginx; \
+    mkdir -p /srv/nginx-conf /logs; \
+    ln -s /usr/bin/rst2html /usr/bin/rst2html.py; \
+    addgroup -g 1005 -S code; \
+    adduser -u 1005 -s /bin/sh -S -h /srv/code -H -D -G code code;
 
 ADD etc/ /etc/
+ADD code.crute.me /srv/nginx-conf/
+ADD nginx_bootstrap /
+
+ENV ACTIVE_PROFILE INTERNAL
+ENV NGINX_PP_DISABLE_SSL_DEFAULT true
 
 STOPSIGNAL SIGHUP
 CMD [ "/usr/bin/dumb-init", "/sbin/runsvdir", "/etc/service" ]
diff --git a/code-host/Makefile b/code-host/Makefile
index 6badfbc..ed807e1 100644
--- a/code-host/Makefile
+++ b/code-host/Makefile
@@ -1,8 +1,12 @@
 IMAGE=docker.crute.me/code-host:latest
 
 all:
+        cp ../nginx-common/main.go .
+        CGO_ENABLED=0 go build -o nginx_bootstrap main.go
+        rm -rf ./etc/nginx/ && cp -r ../nginx-common/conf ./etc/nginx/
         docker pull alpine:edge
         docker build -t $(IMAGE) .
+        rm -rf ./etc/nginx/ main.go nginx_bootstrap
 
 all-no-cache:
         docker build --no-cache -t $(IMAGE) .
diff --git a/code-host/code.crute.me b/code-host/code.crute.me
new file mode 100644
index 0000000..12b1599
--- /dev/null
+++ b/code-host/code.crute.me
@@ -0,0 +1,100 @@
+# vi:ft=nginx
+# preprocess: link_for INTERNAL
+
+# TODO: Consolidate these into one, they differ only by hostname and SSL cert
+# This is like this because I'm not sure if redirects will work at all with
+# git pulls and pretty much all repositories use code.crute.me not .us
+
+include includes/internal_ip_cgit_acl.conf;
+
+server {
+  listen *:443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name code.crute.me;
+  access_log /logs/code.crute.me.log combined_host;
+
+  include includes/hardened_ssl.conf;
+  include includes/hardened_headers.conf;
+
+  ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
+  ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
+
+  add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+  client_max_body_size 4G;
+
+  # This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+  # repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+  # point it's just quick and easy to put it here.
+  location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+    if ($arg_go-get = "1") {
+      add_header Content-Type text/plain;
+      return 200 '<html><head>
+  <meta name="go-import" content="code.crute.me/$user/$repo git https://code.crute.me/$user/$repo">
+  <meta name="go-source" content="code.crute.me/$user/$repo
+        https://code.crute.me/$user/$repo
+        https://code.crute.me/$user/$repo/tree{/dir}
+        https://code.crute.me/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+    }
+
+    include uwsgi_params;
+    uwsgi_modifier1 9;
+    uwsgi_param CGIT_CONFIG $cgit_config;
+    uwsgi_pass uwsgi://127.0.0.1:9000;
+  }
+
+  location / {
+    include uwsgi_params;
+    uwsgi_modifier1 9;
+    uwsgi_param CGIT_CONFIG $cgit_config;
+    uwsgi_pass uwsgi://127.0.0.1:9000;
+  }
+}
+
+server {
+  listen *:443 ssl http2;
+  listen [::]:443 ssl http2;
+
+  server_name code.crute.us;
+  access_log /logs/code.crute.me.log combined_host;
+
+  include includes/hardened_ssl.conf;
+  include includes/hardened_headers.conf;
+
+  ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_us.pem;
+  ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_us_key.pem;
+
+  add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+  client_max_body_size 4G;
+
+  # This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+  # repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+  # point it's just quick and easy to put it here.
+  location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+    if ($arg_go-get = "1") {
+      add_header Content-Type text/plain;
+      return 200 '<html><head>
+  <meta name="go-import" content="code.crute.me/$user/$repo git https://code.crute.me/$user/$repo">
+  <meta name="go-source" content="code.crute.me/$user/$repo
+        https://code.crute.me/$user/$repo
+        https://code.crute.me/$user/$repo/tree{/dir}
+        https://code.crute.me/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+    }
+
+    include uwsgi_params;
+    uwsgi_modifier1 9;
+    uwsgi_param CGIT_CONFIG $cgit_config;
+    uwsgi_pass uwsgi://127.0.0.1:9000;
+  }
+
+  location / {
+    include uwsgi_params;
+    uwsgi_modifier1 9;
+    uwsgi_param CGIT_CONFIG $cgit_config;
+    uwsgi_pass uwsgi://127.0.0.1:9000;
+  }
+}
diff --git a/code-host/etc/service/nginx/log/run b/code-host/etc/service/nginx/log/run
new file mode 100755
index 0000000..6193824
--- /dev/null
+++ b/code-host/etc/service/nginx/log/run
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cat -
diff --git a/code-host/etc/service/nginx/run b/code-host/etc/service/nginx/run
new file mode 100755
index 0000000..79dcaf1
--- /dev/null
+++ b/code-host/etc/service/nginx/run
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# runsv sends us a TERM but uwsgi will only shutdown cleanly
+# if it receives an INT so we need to translate the signal
+# properly for uwsgi
+trap 'kill -INT $PID' TERM
+
+/nginx_bootstrap /usr/sbin/nginx -g "daemon off;" &
+
+PID=$!
+
+# wait for uwsgi, will get cancelled when runsv TERMs us and
+# the trap will get executed next, unless something goes wrong
+# and uwsgi fails then this wait will run
+wait $PID
+
+# if something went wrong then unregister the trap because it
+# won't have a target
+trap - TERM
+
+# waiting on a dead process will return the return code of the
+# processes original exit
+wait $PID
diff --git a/code-host/etc/service/ssh/run b/code-host/etc/service/ssh/run
index ebe5a14..2677956 100755
--- a/code-host/etc/service/ssh/run
+++ b/code-host/etc/service/ssh/run
@@ -21,4 +21,5 @@ if [ ! -f "$ED25519_KEY_FILE" ]; then
     chown code:code "$ED25519_KEY_FILE"
 fi
 
+setcap cap_net_bind_service=+ep /usr/sbin/sshd
 /sbin/su-exec code /usr/sbin/sshd -D -e
diff --git a/code-host/etc/ssh/sshd_config b/code-host/etc/ssh/sshd_config
index 7a4d3ce..9078d2e 100644
--- a/code-host/etc/ssh/sshd_config
+++ b/code-host/etc/ssh/sshd_config
@@ -5,8 +5,7 @@ HostKey /srv/code/hostkeys/ed25519_key
 
 Protocol 2
 
-# Bind a port above 1024 so we can run ssh as an unpriviledged user
-Port 9001
+Port 22
 
 SyslogFacility AUTH
 LogLevel INFO
diff --git a/code-host/etc/uwsgi/code.ini b/code-host/etc/uwsgi/code.ini
index 35f21ed..686fef8 100644
--- a/code-host/etc/uwsgi/code.ini
+++ b/code-host/etc/uwsgi/code.ini
@@ -1,7 +1,7 @@
 [uwsgi]
 master = true
 plugins = cgi, router_static
-socket = :9000
+socket = [::]:9000
 uid = code
 gid = code
 workers = 2