commit 81c4b923b5d23de7ad0f2ccae0014d2dcd1a4df4 Author: heinzel Date: Wed Apr 22 12:57:02 2020 +0200 INIT diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a77dc76 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +src/django-dav-events diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..604f732 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,33 @@ +FROM fedora + +LABEL maintainer="Jens Kleineheismann " + +ARG APPLICATION_NAME=django-dav-events +ARG APPLICATION_SRC=src/${APPLICATION_NAME} + +RUN dnf -y update && \ + dnf -y install procps-ng iproute net-tools && \ + dnf -y install httpd && \ + dnf -y install mod_ssl certbot && \ + dnf -y install python3-mod_wsgi && \ + dnf clean all + +RUN sed -i -e 's:^\(\s.*\)\(CustomLog\s.*\)$:\1#\2:' \ + /etc/httpd/conf/httpd.conf + +COPY container-filesystem/ / +RUN echo 'test -f /etc/bashrc.local && source /etc/bashrc.local' >> /etc/bashrc + +COPY src/django-dav-events /srv/app/src +RUN /setup-app.sh /srv/app/src /srv/app/wsgi && \ + rm /setup-app.sh + +EXPOSE 80/tcp +EXPOSE 443/tcp +VOLUME /srv/etc +ENV LOG_LEVEL error +ENV ENABLE_STATUS_ENDPOINTS false +ENV DJANGO_SYNCDB false + +ENTRYPOINT ["/docker-entrypoint.sh"] +CMD ["--"] diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..e3e17af --- /dev/null +++ b/Makefile 
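Review bot: `ARG APPLICATION_SRC=src/${APPLICATION_NAME}` is declared but never used — the later `COPY src/django-dav-events /srv/app/src` hard-codes the path, so passing `--build-arg APPLICATION_NAME=...` (which the Makefile does) changes the ARG without changing what is copied; `COPY ${APPLICATION_SRC} /srv/app/src` would make the two agree. Separately, `FROM fedora` with no tag plus `dnf -y update` pulls whatever is current at build time, so two builds of the same commit can produce different images; pinning the base image to a release tag keeps the image reproducible and makes it possible to say which packages a given image contains. The `LABEL maintainer` value appears to have lost its e-mail address in this rendering, so I cannot tell whether the original is complete.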
@@ -0,0 +1,41 @@ +APPLICATION_NAME := django-dav-events +REPO_URL := https://dev.heinzelwerk.de/git/DAV-KA/django-dav-events +REPO_DIR := src/$(APPLICATION_NAME) +IMAGE_NAME := $(APPLICATION_NAME) +IMAGE_LABEL := latest + +HTTP_HOST_PORT := 80 +HTTP_CONTAINER_PORT := 80 +HTTPS_HOST_PORT := 443 +HTTPS_CONTAINER_PORT := 443 + +DOCKER := docker +DGOSS := dgoss +GIT := git + +.PHONY: default help image test test-run dist-clean + +default: image + +help: + @echo "There is no help." + +$(REPO_DIR): + $(GIT) clone $(REPO_URL) $@ + +$(IMAGE_NAME): $(REPO_DIR) + $(DOCKER) build --build-arg APPLICATION_NAME=$(APPLICATION_NAME) -t $(IMAGE_NAME):$(IMAGE_LABEL) . + +image: $(IMAGE_NAME) + +test: + $(DGOSS) run $(IMAGE_NAME):$(IMAGE_LABEL) + +test-run: + $(DOCKER) run -ti --rm -p $(HTTP_HOST_PORT):$(HTTP_CONTAINER_PORT) -p $(HTTPS_HOST_PORT):$(HTTPS_CONTAINER_PORT) $(IMAGE_NAME):$(IMAGE_LABEL) + +enter: + $(DOCKER) run -ti --rm -p $(HTTP_HOST_PORT):$(HTTP_CONTAINER_PORT) -p $(HTTPS_HOST_PORT):$(HTTPS_CONTAINER_PORT) --entrypoint /bin/bash $(IMAGE_NAME):$(IMAGE_LABEL) + +dist-clean: + -rm -rf $(REPO_DIR) diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..3ccbe09 --- /dev/null +++ b/README.rst 
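Review bot: `enter` is missing from the `.PHONY` line, and `test`, `test-run` and `enter` declare no prerequisites, so `make test` on a fresh checkout runs `dgoss` against an image that does not exist yet unless `make image` was run by hand first. Two lines fix both: `.PHONY: default help image test test-run enter dist-clean` and `test test-run enter: image`. The `dist-clean` recipe `-rm -rf $(REPO_DIR)` expands from `src/$(APPLICATION_NAME)`; an invocation like `make dist-clean APPLICATION_NAME=` would turn that into `rm -rf src/`, so guarding with `$(if $(strip $(APPLICATION_NAME)),,$(error APPLICATION_NAME is empty))` is cheap insurance. The `-` prefix on that `rm -rf` is redundant with `-f` and hides real failures.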
@@ -0,0 +1,99 @@ +ABOUT +===== +Docker container for django-dav-events. + + +AUTHOR +====== +Jens Kleineheismann + + +DESCRIPTION +=========== +This docker image is derivated from the official Fedora image +(https://hub.docker.com/_/fedora). + +It will contain and run + +- apache httpd +- mod_ssl +- certbot +- python3 mod_wsgi +- django-dav-events django project + + +BUILD +===== +- ``make`` +- ``make test`` + +or alternatively the *long* way: + +- ``git clone https://dev.heinzelwerk.de/git/DAV-KA/django-dav-events src/django-dav-events`` +- ``docker build -t django-dav-events .`` +- ``dgoss run django-dav-events`` + + +USAGE +===== +- ``docker run -ti --rm -v $(pwd)/conf:/srv/etc:Z -e DJANGO_SYNCDB=true django-dav-events django-createsuperuser`` +- ``docker run -ti --rm -v $(pwd)/conf:/srv/etc:Z -v $(pwd)/conf/letsencrypt:/etc/letsencrypt:Z -p 80:80 django-dav-events certbot`` +- ``docker run -d --name django-dav-events -v $(pwd)/conf:/srv/etc:Z -p 80:80 -p 443:443 django-dav-events`` + +Django settings +--------------- +The django project will read its settings from ``/srv/etc/django/settings.py`` +Note: this file will be read only upon container startup. + +If this settings file does not exist, the default settings will be installed +there. + +To provide your own settings file, you can mount a directory into the +container with the -v option of the ``docker run`` command. + +SELinux +------- +If your system is enforcing SELinux policies you have to set the correct +file contexts to mounted files and directories. +On recent docker versions, this can be done with the Z parameter of the +-v option (-v host_path:container_path:Z). + +HTTP Port +--------- +The httpd process is listening on port 80/tcp. +Thus you probably want to publish this port with the -p option. 
+ +HTTPS Port / TLS / X.509 Certificates / certbot +----------------------------------------------- +To enable HTTPS on port 443/tcp you can either provide a key and +certificate chain as pem files, or you can use certbot to obtain a +*Let's Encrypt* certificate. + +If you already have valid certificates for the domain, you can mount +the key as ``/srv/etc/certs/privkey.pem`` and the certificate +chain as ``/srv/etc/certs/fullchain.pem``. + +For using certbot you have to mount a directory to ``/etc/letsencrypt``. +Then run the container once in interactive mode with the ``certbot`` command +argument to obtain a certificate from *Let's Encrypt*. The certificate will +be stored in the mounted directory. +If necessary the certificate will be renewed upon container startup. + +Environment variables +--------------------- +The following **environment variables** are supported and +can be set with the -e option of the ``docker run`` command: + +- LOG_LEVEL (default: error) + -- to set the httpd LogLevel directive +- ENABLE_STATUS_ENDPOINTS (default: false) + -- if true, then the httpd status-handler is mapped to /.status + and the httpd info-handler is mapped to /.info +- DJANGO_SYNCDB (default: false) + -- if true, then apply django database migrations upon startup + + +LICENCE +======= +Permission to use, copy, modify, and/or distribute this software +for any purpose with or without fee is hereby granted. diff --git a/container-filesystem/docker-entrypoint.sh b/container-filesystem/docker-entrypoint.sh new file mode 100755 index 0000000..9254b93 --- /dev/null +++ b/container-filesystem/docker-entrypoint.sh 
@@ -0,0 +1,91 @@ +#!/bin/sh + +PYTHON="python3" +APP_DIR="/srv/app/wsgi" +USER_CONF_DIR="/srv/etc" +CERTBOT_DIR="/etc/letsencrypt" +HTTPD_CERT_DIR="/etc/httpd/certs" + +# If user provide a django settings file, it will be copied to +# the django settings module. +# If no settings file is provided, the settings from djangos +# settings module will be copied to the users config dir, so +# he gets the defaults. +user_settings_file="${USER_CONF_DIR}/django/settings.py" +django_settings_file="${APP_DIR}/main/settings.py" +if test -e "$user_settings_file" ; then + echo "Using django settings from $user_settings_file" + cp "$user_settings_file" "$django_settings_file" +else + echo "Installing default settings to $user_settings_file" + user_settings_dir=`dirname "$user_settings_file"` + mkdir -p "$user_settings_dir" + cp "$django_settings_file" "$user_settings_file" +fi + +# If user wants it, we apply django database migrations. +case "${DJANGO_SYNCDB:-false}" in +true|yes|1) + $PYTHON "${APP_DIR}/manage.py" migrate + ;; +false|no|0) + ;; +*) + echo "DJANGO_DB_MASTER must be either true or false" >&2 + exit 64 + ;; +esac + +# If user provided a supported command in argv, run it instead of httpd. +case "$1" in +certbot) + shift + echo "" + echo "Running certbot..." + certbot run --no-eff-email --standalone --installer null --deploy-hook /usr/local/sbin/certbot-set-default.sh + exit $? + ;; +django-createsuperuser) + echo "" + echo "Running djangos createsuperuser command..." + $PYTHON "${APP_DIR}/manage.py" createsuperuser + exit $? + ;; +esac + +# If user provide a ssl cert and key, it will be copied to +# the location were httpd looks for it. +# Or if certbot is managing certificates, use it. 
+certbot_cert_dir="${CERTBOT_DIR}/live/default" +if test -e "${USER_CONF_DIR}/certs/fullchain.pem" -a -e "${USER_CONF_DIR}/certs/privkey.pem" ; then + echo "Using X.509 certificate and key from $USER_CERT_DIR" + touch "${HTTPD_CERT_DIR}/privkey.pem" + chmod 600 "${HTTPD_CERT_DIR}/privkey.pem" + cat "${USER_CONF_DIR}/certs/privkey.pem" > "${HTTPD_CERT_DIR}/privkey.pem" + cat "${USER_CONF_DIR}/certs/fullchain.pem" > "${HTTPD_CERT_DIR}/fullchain.pem" +elif test -d "$certbot_cert_dir" ; then + echo "Using certbot" + certbot renew + /usr/local/sbin/certbot-deploy.sh +fi + +# Remove left-overs from an incomplete shutdown previously. +rm -rf /run/httpd/* /tmp/httpd* + +# If user wants it, a flag will tell httpd to enable status endpoints. +if test "$ENABLE_STATUS_ENDPOINTS" == "true" ; then + echo "Enabling server status endpoints" + set -- -DENABLE_STATUS_ENDPOINTS "$@" +fi + +# If we have a ssl cert and key, a flag will tell httpd to enable HTTPS. +if test -e "${HTTPD_CERT_DIR}/fullchain.pem" -a -e "${HTTPD_CERT_DIR}/privkey.pem" ; then + echo "Enabling HTTPS" + set -- -DENABLE_HTTPS "$@" +fi + +exec /usr/sbin/httpd \ + -DFOREGROUND \ + -c "LogLevel ${LOG_LEVEL:-error}" \ + -c "ServerName ${HOSTNAME}" \ + "$@" diff --git a/container-filesystem/etc/bashrc.local b/container-filesystem/etc/bashrc.local new file mode 100644 index 0000000..e5993f9 --- /dev/null +++ b/container-filesystem/etc/bashrc.local @@ -0,0 +1,9 @@ +# /etc/bashrc.local + +PS1='\u@\w/ \$ ' +export PS1 + +alias ls="ls -F --color" +alias l="ls -ahl" + +#end diff --git a/container-filesystem/etc/httpd/conf.d/app.conf b/container-filesystem/etc/httpd/conf.d/app.conf new file mode 100644 index 0000000..5b13cd3 --- /dev/null +++ b/container-filesystem/etc/httpd/conf.d/app.conf 
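Review bot: `echo "Using X.509 certificate and key from $USER_CERT_DIR"` references a variable that is never defined — the script only sets `USER_CONF_DIR` — so the message prints an empty path; it should read `echo "Using X.509 certificate and key from ${USER_CONF_DIR}/certs"`. In the `DJANGO_SYNCDB` case statement the rejection message names the wrong variable: `echo "DJANGO_SYNCDB must be either true or false" >&2` is what the user needs to see. The status-endpoint test uses `==`, which is a bashism under `#!/bin/sh` (it happens to work where `sh` is bash, and fails with `test: unexpected operator` on dash); `if test "$ENABLE_STATUS_ENDPOINTS" = "true" ; then` is the portable spelling. Note also that the copy of a user-supplied key truncates and rewrites the 0600 target in place, which is fine, but the later `-DENABLE_HTTPS` check only tests that both files exist, so a zero-length key from a failed copy still enables HTTPS and httpd then refuses to start.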
@@ -0,0 +1,21 @@ +# /etc/httpd/conf.d/app.conf + +WSGIDaemonProcess wsgi-daemon display-name=wsgi-daemon python-path=/srv/app/wsgi processes=3 threads=5 + +Alias /static/ "/srv/app/wsgi/var/www/static/" + + AllowOverride None + Require all granted + + +WSGIScriptAlias / "/srv/app/wsgi/main/wsgi.py" + + WSGIProcessGroup wsgi-daemon + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + AllowOverride None + Options FollowSymLinks + + Require all granted + + diff --git a/container-filesystem/etc/httpd/conf.d/defaults.conf b/container-filesystem/etc/httpd/conf.d/defaults.conf new file mode 100644 index 0000000..a6784a9 --- /dev/null +++ b/container-filesystem/etc/httpd/conf.d/defaults.conf @@ -0,0 +1,4 @@ +# /etc/httpd/conf.d/defaults.conf + +ServerTokens Prod +ErrorLog /dev/stderr diff --git a/container-filesystem/etc/httpd/conf.d/mpm.conf b/container-filesystem/etc/httpd/conf.d/mpm.conf new file mode 100644 index 0000000..7a9f592 --- /dev/null +++ b/container-filesystem/etc/httpd/conf.d/mpm.conf @@ -0,0 +1,11 @@ +# /etc/httpd/conf.d/mpm.conf + + ServerLimit 16 + ThreadLimit 64 + ThreadsPerChild 32 + MaxRequestWorkers 256 + StartServers 2 + MinSpareThreads 32 + MaxSpareThreads 128 + #MaxConnectionsPerChild 2000 + diff --git a/container-filesystem/etc/httpd/conf.d/ssl.conf b/container-filesystem/etc/httpd/conf.d/ssl.conf new file mode 100644 index 0000000..8c13d89 --- /dev/null +++ b/container-filesystem/etc/httpd/conf.d/ssl.conf 
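Review bot: `ServerTokens Prod` alone still leaves the default `ServerSignature` footer on error pages and keeps the TRACE method enabled; since this file is where the image collects its baseline hardening, adding `ServerSignature Off` and `TraceEnable Off` next to it would complete the set. Both directives are core httpd and need no extra module, so `httpd -t` in the goss check keeps passing.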
@@ -0,0 +1,221 @@ + +# +# When we also provide SSL we have to listen to the +# standard HTTPS port in addition. +# +Listen 443 https + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/run/httpd/sslcache(512000) +SSLSessionCacheTimeout 300 + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. 
+# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + + + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName www.example.com:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +#ErrorLog /dev/stderr +#TransferLog logs/ssl_access_log +#LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# List the protocol versions which clients are allowed to connect with. +# The OpenSSL system profile is configured by default. See +# update-crypto-policies(8) for more details. +SSLProtocol -all +TLSV1.2 +TLSv1.3 +SSLProxyProtocol -all +TLSV1.2 +TLSv1.3 + +# User agents such as web browsers are not configured for the user's +# own preference of either security or performance, therefore this +# must be the prerogative of the web server administrator who manages +# cpu load versus confidentiality, so enforce the server's cipher order. +SSLHonorCipherOrder on + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +# The OpenSSL system profile is configured by default. See +# update-crypto-policies(8) for more details. 
+SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE+aRSA+AES256:ECDHE+aRSA+AES256:DHE+aRSA+AES128:ECDHE+aRSA+AES128:!SHA1:!LOW" +SSLProxyCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE+aRSA+AES256:ECDHE+aRSA+AES256:DHE+aRSA+AES128:ECDHE+aRSA+AES128:!SHA1:!LOW" +SSLCompression off + +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that restarting httpd will prompt again. Keep +# in mind that if you have both an RSA and a DSA certificate you +# can configure both in parallel (to also allow the use of DSA +# ciphers, etc.) +# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) +# require an ECC certificate which can also be configured in +# parallel. +SSLCertificateFile /etc/httpd/certs/fullchain.pem + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +# ECC keys, when in use, can also be configured in parallel +SSLCertificateKeyFile /etc/httpd/certs/privkey.pem + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. 
Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convenience. +#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. 
These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is sent or allowed to be received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is sent and mod_ssl waits for the close notify +# alert of the client. 
This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +#CustomLog logs/ssl_request_log \ +# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + diff --git a/container-filesystem/etc/httpd/conf.d/status.conf b/container-filesystem/etc/httpd/conf.d/status.conf new file mode 100644 index 0000000..e8fa964 --- /dev/null +++ b/container-filesystem/etc/httpd/conf.d/status.conf @@ -0,0 +1,11 @@ +# /etc/httpd/conf.d/status.conf + + + SetHandler server-status + Require all granted + + + SetHandler server-info + Require all granted + + diff --git a/container-filesystem/etc/httpd/conf.d/welcome.conf b/container-filesystem/etc/httpd/conf.d/welcome.conf new file mode 100644 index 0000000..e69de29 diff --git a/container-filesystem/etc/httpd/conf.d/well-known.conf b/container-filesystem/etc/httpd/conf.d/well-known.conf new file mode 100644 index 0000000..6090545 --- /dev/null +++ b/container-filesystem/etc/httpd/conf.d/well-known.conf @@ -0,0 +1,6 @@ +# /etc/httpd/conf.d/well-known.conf + +Alias /.well-known /var/www/html/.well-known + + Require all granted + 
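Review bot: The comments above `SSLProtocol` and `SSLCipherSuite` still say "The OpenSSL system profile is configured by default. See update-crypto-policies(8)", but the new lines replace the stock profile with an explicit protocol list and cipher string, so the system crypto policy no longer governs this vhost and the comment now misleads the next operator; I would replace it with `# Explicit settings below override the system crypto policy (PROFILE=SYSTEM); review them together with update-crypto-policies(8) when hardening.` The protocol names are spelled inconsistently (`+TLSV1.2 +TLSv1.3`) in both `SSLProtocol` and `SSLProxyProtocol`; mod_ssl matches them case-insensitively, so this is style only, but `+TLSv1.2 +TLSv1.3` reads as intended. Since `mod_headers` is loaded in `00-base.conf`, an HSTS header for the 443 vhost, `Header always set Strict-Transport-Security "max-age=63072000"`, is the natural companion to a TLS-1.2-plus policy; the `<VirtualHost>` container is not visible in this rendering, so I cannot point at the exact line it belongs in. The `BrowserMatch "MSIE [2-5]"` block is carried over from the stock file and is dead weight for a server that no longer offers anything below TLS 1.2.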
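Review bot: Both handler blocks use `Require all granted`, so once `ENABLE_STATUS_ENDPOINTS=true` is set the `server-status` and `server-info` pages at `/.status` and `/.info` are readable by any client on the internet; `server-info` in particular dumps the full effective configuration including module list, directives and file paths. The environment flag only decides whether the endpoints exist, not who may read them, so the access rule should be narrowed to the host or monitoring network, e.g. `Require local` or `Require ip <MONITORING_NET_PLACEHOLDER>`. The enclosing `<IfDefine>`/`<Location>` containers are not visible in this rendering, so I am inferring the mapping from the README.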
diff --git a/container-filesystem/etc/httpd/conf.d/wsgi.conf b/container-filesystem/etc/httpd/conf.d/wsgi.conf new file mode 100644 index 0000000..bc0e4cb --- /dev/null +++ b/container-filesystem/etc/httpd/conf.d/wsgi.conf @@ -0,0 +1 @@ +WSGISocketPrefix run/wsgi diff --git a/container-filesystem/etc/httpd/conf.d/zzz-lock-down.conf b/container-filesystem/etc/httpd/conf.d/zzz-lock-down.conf new file mode 100644 index 0000000..821871e --- /dev/null +++ b/container-filesystem/etc/httpd/conf.d/zzz-lock-down.conf @@ -0,0 +1,15 @@ +# /etc/httpd/conf.d/zzz-lock-down.conf + + + Require all denied + + + Require all denied + + + Require all denied + + + Require all denied + + diff --git a/container-filesystem/etc/httpd/conf.modules.d/00-base.conf b/container-filesystem/etc/httpd/conf.modules.d/00-base.conf new file mode 100644 index 0000000..8476a62 --- /dev/null +++ b/container-filesystem/etc/httpd/conf.modules.d/00-base.conf 
@@ -0,0 +1,33 @@ +# +# This file loads most of the modules included with the Apache HTTP +# Server itself. +# + +LoadModule access_compat_module modules/mod_access_compat.so +LoadModule actions_module modules/mod_actions.so +LoadModule alias_module modules/mod_alias.so +LoadModule allowmethods_module modules/mod_allowmethods.so +LoadModule auth_basic_module modules/mod_auth_basic.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authn_file_module modules/mod_authn_file.so +LoadModule authz_core_module modules/mod_authz_core.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_user_module modules/mod_authz_user.so +LoadModule autoindex_module modules/mod_autoindex.so +LoadModule deflate_module modules/mod_deflate.so +LoadModule dir_module modules/mod_dir.so +LoadModule env_module modules/mod_env.so +LoadModule expires_module modules/mod_expires.so +LoadModule headers_module modules/mod_headers.so +LoadModule info_module modules/mod_info.so +LoadModule log_config_module modules/mod_log_config.so +LoadModule mime_magic_module modules/mod_mime_magic.so +LoadModule mime_module modules/mod_mime.so +LoadModule negotiation_module modules/mod_negotiation.so +LoadModule request_module modules/mod_request.so +LoadModule rewrite_module modules/mod_rewrite.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule status_module modules/mod_status.so +LoadModule unixd_module modules/mod_unixd.so + diff --git a/container-filesystem/etc/httpd/conf.modules.d/00-dav.conf b/container-filesystem/etc/httpd/conf.modules.d/00-dav.conf new file mode 100644 index 0000000..e69de29 diff --git a/container-filesystem/etc/httpd/conf.modules.d/00-lua.conf b/container-filesystem/etc/httpd/conf.modules.d/00-lua.conf new file mode 100644 index 0000000..e69de29 
diff --git a/container-filesystem/etc/httpd/conf.modules.d/00-proxy.conf b/container-filesystem/etc/httpd/conf.modules.d/00-proxy.conf new file mode 100644 index 0000000..e69de29 diff --git a/container-filesystem/etc/httpd/conf.modules.d/00-ssl.conf b/container-filesystem/etc/httpd/conf.modules.d/00-ssl.conf new file mode 100644 index 0000000..92764a0 --- /dev/null +++ b/container-filesystem/etc/httpd/conf.modules.d/00-ssl.conf @@ -0,0 +1,3 @@ + +LoadModule ssl_module modules/mod_ssl.so + diff --git a/container-filesystem/etc/httpd/conf.modules.d/10-h2.conf b/container-filesystem/etc/httpd/conf.modules.d/10-h2.conf new file mode 100644 index 0000000..e69de29 diff --git a/container-filesystem/etc/httpd/conf.modules.d/10-proxy_h2.conf b/container-filesystem/etc/httpd/conf.modules.d/10-proxy_h2.conf new file mode 100644 index 0000000..e69de29 diff --git a/container-filesystem/setup-app.sh b/container-filesystem/setup-app.sh new file mode 100755 index 0000000..4d60ab2 --- /dev/null +++ b/container-filesystem/setup-app.sh @@ -0,0 +1,40 @@ +#!/bin/sh + +### config ### +PYTHON="python3" +PIP="pip3" + +### argv ### +if test $# -lt 2 ; then + echo "Usage: $0 " >&2 + exit 64 +fi +SOURCE_DIR="$1" +WSGI_DIR="$2" + +### action ### +echo "Install application from $SOURCE_DIR" +cd "$SOURCE_DIR" +$PIP install -e . + +echo "Setup WSGI application in $WSGI_DIR" +django-dav-admin setup "$WSGI_DIR" + +echo "Enable modules" +$PYTHON "${WSGI_DIR}/manage.py" enable_module dav_auth +$PYTHON "${WSGI_DIR}/manage.py" enable_module dav_events +$PYTHON "${WSGI_DIR}/manage.py" enable_module dav_registration +$PYTHON "${WSGI_DIR}/manage.py" enable_module dav_event_office + +echo "Collect static files" +$PYTHON "${WSGI_DIR}/manage.py" collectstatic --noinput + +echo "Disable DEBUG mode" +cat <> "${WSGI_DIR}/main/settings.py" + +ALLOWED_HOSTS = ['*'] +# DEBUG = False +E-O-H + +echo "Done" +### end ### 
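Review bot: The step announced by `echo "Disable DEBUG mode"` does not do that: the appended settings block contains `# DEBUG = False`, commented out, so DEBUG keeps whatever value the generated `main/settings.py` already has, and the log line is actively misleading; either uncomment `DEBUG = False` or change the message. The same block sets `ALLOWED_HOSTS = ['*']`, which switches off Django's Host header validation for every deployment of the image; since the entrypoint already knows the hostname it passes to httpd as `ServerName`, restricting this to the deployed host(s) — or documenting in the README that the mounted settings.py is expected to override it — would be the safer default. The script has no `set -e`, so if `cd "$SOURCE_DIR"` or `$PIP install -e .` fails the remaining steps run against an empty or half-installed tree and the image build still succeeds; adding `set -e` after the shebang fixes that.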
diff --git a/container-filesystem/usr/local/sbin/certbot-deploy.sh b/container-filesystem/usr/local/sbin/certbot-deploy.sh new file mode 100644 index 0000000..af6e5ba --- /dev/null +++ b/container-filesystem/usr/local/sbin/certbot-deploy.sh @@ -0,0 +1,36 @@ +#!/bin/sh + +LIVE_DIR="/etc/letsencrypt/live" +DEFAULT_LINK="${LIVE_DIR}/default" +DEST_DIR="/etc/httpd/certs" + +CERT_DIR="" +if test "$1" != "" ; then + CERT_DIR="$1" +elif test "$RENEWED_LINEAGE" != "" ; then + CERT_DIR="$RENEWED_LINEAGE" +elif test -d "$DEFAULT_LINK" ; then + CERT_DIR="$DEFAULT_LINK" +else + echo "You must name a certificate dir either as argument or via RENEWED_LINEAGE" >&2 + exit 64 +fi + +cert_name=`basename $CERT_DIR` +if test -d "$DEST_DIR" ; then + echo "Installing key and certs for $cert_name in $DEST_DIR" + + key_source_file="${CERT_DIR}/privkey.pem" + key_dest_file="${DEST_DIR}/privkey.pem" + + certs_source_file="${CERT_DIR}/fullchain.pem" + certs_dest_file="${DEST_DIR}/fullchain.pem" + + touch "$key_dest_file" + chmod 600 "$key_dest_file" + echo "Copy $key_source_file to $key_dest_file" + cat "$key_source_file" > "$key_dest_file" + + echo "Copy $certs_source_file to $certs_dest_file" + cat "$certs_source_file" > "$certs_dest_file" +fi diff --git a/container-filesystem/usr/local/sbin/certbot-set-default.sh b/container-filesystem/usr/local/sbin/certbot-set-default.sh new file mode 100644 index 0000000..76df302 --- /dev/null +++ b/container-filesystem/usr/local/sbin/certbot-set-default.sh 
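Review bot: When `$DEST_DIR` does not exist the script silently does nothing and exits 0, so a missing `/etc/httpd/certs` turns a certificate deployment into a no-op that nobody notices until HTTPS is simply not enabled; `mkdir -p "$DEST_DIR"` before the copy, or an explicit error and non-zero exit, would surface the problem. `cert_name=\`basename $CERT_DIR\`` leaves `$CERT_DIR` unquoted, which breaks on paths containing spaces or glob characters — `cert_name=$(basename "$CERT_DIR")` — and the same unquoted `basename` appears in certbot-set-default.sh. Writing the key via `touch`, `chmod 600` and then `cat >` is correct for permissions, but if `$key_source_file` is unreadable the destination is left truncated while the entrypoint only tests existence, so a `test -r` on both source files before touching the destination would keep a failed deploy from disabling an otherwise working HTTPS setup.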
@@ -0,0 +1,24 @@ +#!/bin/sh + +LIVE_DIR="/etc/letsencrypt/live" +DEFAULT_LINK="${LIVE_DIR}/default" + +CERT_DIR="" +if test "$1" != "" ; then + CERT_DIR="$1" +elif test "$RENEWED_LINEAGE" != "" ; then + CERT_DIR="$RENEWED_LINEAGE" +else + echo "You must name a certificate dir either as argument or via RENEWED_LINEAGE" >&2 + exit 64 +fi + +cert_name=`basename $CERT_DIR` +echo "Setting $cert_name as default certificate name" +if test -L "$DEFAULT_LINK" ; then + rm "$DEFAULT_LINK" +elif test -e "$DEFAULT_LINK" ; then + echo "Not a symbolic link: $DEFAULT_LINK" >&2 + exit 78 +fi +ln -s "$cert_name" "$DEFAULT_LINK" diff --git a/goss.yaml b/goss.yaml new file mode 100644 index 0000000..b6e5e0d --- /dev/null +++ b/goss.yaml @@ -0,0 +1,34 @@ +command: + /usr/sbin/httpd -t: + exit-status: 0 + ps axo cmd | grep -q [w]sgi-daemon: + exit-status: 0 +file: + /run/httpd: + exists: true + mode: "0710" + owner: apache + group: apache + filetype: directory + /srv/app/django/main/wsgi.py: + exists: true + mode: "0644" + owner: apache + group: apache + filetype: file +package: + httpd: + installed: true + python3-mod_wsgi: + installed: true +port: + tcp6:80: + listening: true + ip: + - '::' +process: + httpd: + running: true +http: + http://localhost: + status: 200
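Review bot: The file check `/srv/app/django/main/wsgi.py:` points at a path the image never creates — the Dockerfile runs `/setup-app.sh /srv/app/src /srv/app/wsgi` and app.conf serves `/srv/app/wsgi/main/wsgi.py` — so `make test` fails on this assertion regardless of whether the image works; the key should be `/srv/app/wsgi/main/wsgi.py:`. The same entry expects `owner: apache`, but nothing in the Dockerfile changes ownership after the build steps, which run as root, so that expectation probably also needs confirming against a built image. The `http://localhost` 200 check runs against whatever Django serves at `/`; if the app redirects to a login page the status will be 3xx, so an explicit `allow-redirects` or a path that is known to return 200 would make the test more robust.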