Commit 49102bc2 authored by jackie / Andrea Ida Malkah Klaura's avatar jackie / Andrea Ida Malkah Klaura

WIP: add webserver init with letsencrypt and adapt

parent 6c523dfb
aura-config.yaml
.env
.container-data
container-data
.idea
......@@ -6,8 +6,8 @@ aura:
debug: true
domain: aura.local
admin:
username: jackie
email: jackie@tantemalkah.at
username: your_username
email: your-aura-mail@example.org
steering:
db_pass: change-to-something-secure
db_user: steering
......
server {
listen 80;
server_name localhost;
server_name sample.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name sample.example.com;
ssl_certificate /etc/letsencrypt/live/sample.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sample.example.com/privkey.pem;
location / {
root /usr/share/nginx/html;
index index.html;
}
location /openid/ {
proxy_pass http://steering-django:8000/openid/;
proxy_pass http://steering:8000/openid/;
proxy_redirect $scheme://$host/oidc_callback.html /oidc_callback.html;
proxy_redirect ~^/?(.*)$ $scheme://$host:$server_port/steering/$1;
......@@ -30,7 +39,7 @@ server {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_pass http://steering-django:8000/;
proxy_pass http://steering:8000/;
proxy_redirect $scheme://$host/ /;
proxy_redirect ~^/?(.*)$ $scheme://$host:$server_port/steering/$1;
......@@ -47,4 +56,4 @@ server {
proxy_pass http://tank:8040/;
}
}
\ No newline at end of file
}
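Review bot: The new `listen 443 ssl;` block sets only the certificate and key paths and leaves protocol and cipher selection to nginx's built-in defaults, which on older `nginx:stable-alpine` builds still appear to admit TLS 1.0/1.1. Since port 80 now unconditionally answers `return 301 https://$host$request_uri;`, pin the TLS floor and tell browsers to stay on https: `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=31536000" always;` next to the `ssl_certificate_key` line. That 301 also covers `/.well-known/acme-challenge/`; the ACME HTTP-01 validator should follow it, but renewals then depend on the https `location /` keeping `root /usr/share/nginx/html` (the `-w` webroot used by run.sh), so a comment there such as `# also serves the certbot webroot for renewals - keep root in sync with run.sh` would stop someone from moving it. The surrounding `server {` blocks extend beyond the visible hunks.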
server {
listen 80;
server_name sample.example.com;
location / {
root /usr/share/nginx/html;
index index.html;
}
}
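Review bot: The bootstrap server at `listen 80;` exposes the whole dashboard webroot (`location / { root /usr/share/nginx/html; index index.html; }`) over plain HTTP for as long as the certificate request runs, which is more than the ACME challenge needs. Restrict it to the challenge path: `location /.well-known/acme-challenge/ { root /usr/share/nginx/html; }` followed by `location / { return 404; }`; the `-w /usr/share/nginx/html` webroot passed to certbot in run.sh's init_webserver keeps working unchanged. Whether this is a new file or a renamed one is not visible on the page.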
......@@ -19,7 +19,7 @@ auth:
## defaults to 24h
max-age: 12h
oidc:
issuer-url: http://steering-django:8000/openid
issuer-url: http://steering:8000/openid
login-timeout: 10m # defaults to 5 Minutes
# These values have to be overwritten after steering setup
client-id: 123456
......
......@@ -19,8 +19,8 @@ services:
networks:
- auranet
steering-django:
container_name: steering-django
steering:
container_name: steering
build:
context: ./steering
#target: prod
......@@ -58,7 +58,7 @@ services:
build:
context: ./tank
depends_on:
- steering-django
- steering
- tank-postgres
environment:
TANK_DB_HOST: tank-postgres
......@@ -77,7 +77,7 @@ services:
context: ./dashboard
target: prod
depends_on:
- steering-django
- steering
volumes:
- ./dashboard/dist_docker:/aura/dist_docker
- ./dashboard/.env.production:/aura/.env.production
......@@ -86,11 +86,13 @@ services:
aura-web:
container_name: aura-web
image: nginx:stable-alpine
build:
context: ./nginx-certbot
depends_on:
- steering-django
- steering
- tank
- dashboard
# we do not always want to build dashboard anew, so
# this has to be done in the run.sh setup initially
expose:
- "80"
- "443"
......@@ -100,6 +102,7 @@ services:
volumes:
- ./container-config/nginx.conf:/etc/nginx/conf.d/default.conf
- ./dashboard/dist_docker:/usr/share/nginx/html
- ./container-data/nginx/etc/letsencrypt:/etc/letsencrypt
networks:
- auranet
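Review bot: Keeping `image: nginx:stable-alpine` on aura-web together with the new `build: context: ./nginx-certbot` makes compose tag the locally built image as `nginx:stable-alpine`, the same tag the Dockerfile's `FROM` line resolves; after the first build the upstream base image is shadowed by the local one and each rebuild layers on the previous result. Give the built image its own name, e.g. `image: aura-web:local`, or drop the `image:` line and let compose name it. The new `./container-data/nginx/etc/letsencrypt:/etc/letsencrypt` mount puts the ACME account key and the domain's private key on the host under container-data, which the ignore entry at the top of this commit seems to cover (assuming that is the .gitignore hunk) — worth a comment on the volume line noting it holds key material and must stay out of VCS and world-readable paths. `expose: - "443"` only opens the port on the compose network; the host-side 443 mapping is not in this hunk, so it cannot be verified here.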
......
FROM nginx:stable-alpine
RUN apk add certbot
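Review bot: `RUN apk add certbot` leaves the fetched apk index in the image layer and installs whatever certbot version the Alpine repository offers at build time; the customary form is `RUN apk add --no-cache certbot`. Because `nginx:stable-alpine` is a moving tag, consider pinning the base digest or a specific tag if reproducible images matter for this deployment.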
......@@ -106,30 +106,30 @@ init_steering () {
if [ "$DEBUG" = "true" ]; then
set_config_steering DEBUG True
fi
# django has to accept our configured domain as well as steering-django (due to proxying)
# django has to accept our configured domain as well as steering (due to proxying)
# TODO: localhost only makes sense if the container ports are mapped (usually in a dev setup)
set_config_steering ALLOWED_HOSTS "127.0.0.1,localhost,steering-django,$AURA_DOMAIN"
echo "Building steering-django image"
docker-compose build steering-django
echo "Starting steering-django"
docker-compose up -d steering-django
set_config_steering ALLOWED_HOSTS "127.0.0.1,localhost,steering,$AURA_DOMAIN"
echo "Building steering image"
docker-compose build steering
echo "Starting steering container"
docker-compose up -d steering
echo "Running migrations"
docker exec steering-django python manage.py migrate
docker exec steering python manage.py migrate
echo "Loading fixtures"
docker exec steering-django sh -c 'python manage.py loaddata fixtures/*/*.json'
docker exec steering sh -c 'python manage.py loaddata fixtures/*/*.json'
# TODO: only create user if not already set (or if explicitly demanded)
echo "Creating steering-django superuser account for $USERNAME <$USERMAIL>."
echo "Creating steering superuser account for $USERNAME <$USERMAIL>."
echo "Please provide a (strong) password."
docker exec -it steering-django python manage.py createsuperuser --username "$USERNAME" --email "$USERMAIL"
docker exec -it steering python manage.py createsuperuser --username "$USERNAME" --email "$USERMAIL"
echo "Creating RSA key for OpenID Connect"
docker exec steering-django python manage.py creatersakey
docker exec steering python manage.py creatersakey
echo "Creating OIDC client for dashboard"
DASHBOARD_CLIENT_ID="$(docker exec steering-django python manage.py create_oidc_client -r "id_token token" --no-require-consent -i -u "$HTTP_SCHEMA://$AURA_DOMAIN/oidc_callback.html" -u "$HTTP_SCHEMA://$AURA_DOMAIN/oidc_callback_silentRenew.html" -p "$HTTP_SCHEMA://$AURA_DOMAIN" dashboard public)"
DASHBOARD_CLIENT_ID="$(docker exec steering python manage.py create_oidc_client -r "id_token token" --no-require-consent -i -u "$HTTP_SCHEMA://$AURA_DOMAIN/oidc_callback.html" -u "$HTTP_SCHEMA://$AURA_DOMAIN/oidc_callback_silentRenew.html" -p "$HTTP_SCHEMA://$AURA_DOMAIN" dashboard public)"
echo "Creating OIDC client for tank"
TANK_OIDC_DETAILS="$(docker exec steering-django python manage.py create_oidc_client -r "code" -i -u "$HTTP_SCHEMA://$AURA_DOMAIN/tank/auth/oidc/callback" -p "$HTTP_SCHEMA://$AURA_DOMAIN" tank confidential)"
TANK_OIDC_DETAILS="$(docker exec steering python manage.py create_oidc_client -r "code" -i -u "$HTTP_SCHEMA://$AURA_DOMAIN/tank/auth/oidc/callback" -p "$HTTP_SCHEMA://$AURA_DOMAIN" tank confidential)"
TANK_CLIENT_ID="$(echo $TANK_OIDC_DETAILS | cut -d ' ' -f 1)"
TANK_CLIENT_SECRET="$(echo $TANK_OIDC_DETAILS | cut -d ' ' -f 2)"
echo "Stopping steering-django"
echo "Stopping steering"
docker-compose down
}
......@@ -137,9 +137,9 @@ init_tank () {
echo "Create new tank.yaml from sample file"
cp container-config/tank.sample.yaml container-config/tank.yaml
echo "Write OIDC info to tank.yaml"
docker run --rm -v "${PWD}"/container-config/tank.yaml:/workdir/tank.yaml mikefarah/yq eval ".auth.oidc.client-id = \"$TANK_CLIENT_ID\"" -i tank.yaml
docker run --rm -v "${PWD}"/container-config/tank.yaml:/workdir/tank.yaml mikefarah/yq eval ".auth.oidc.client-secret = \"$TANK_CLIENT_SECRET\"" -i tank.yaml
docker run --rm -v "${PWD}"/container-config/tank.yaml:/workdir/tank.yaml mikefarah/yq eval ".auth.oidc.callback-url = \"$HTTP_SCHEMA://$AURA_DOMAIN/tank/auth/oidc/callback\"" -i tank.yaml
docker run --rm -v "${PWD}"/container-config/tank.yaml:/workdir/tank.yaml -u $UID mikefarah/yq eval ".auth.oidc.client-id = \"$TANK_CLIENT_ID\"" -i tank.yaml
docker run --rm -v "${PWD}"/container-config/tank.yaml:/workdir/tank.yaml -u $UID mikefarah/yq eval ".auth.oidc.client-secret = \"$TANK_CLIENT_SECRET\"" -i tank.yaml
docker run --rm -v "${PWD}"/container-config/tank.yaml:/workdir/tank.yaml -u $UID mikefarah/yq eval ".auth.oidc.callback-url = \"$HTTP_SCHEMA://$AURA_DOMAIN/tank/auth/oidc/callback\"" -i tank.yaml
}
init_dashboard () {
......@@ -164,7 +164,21 @@ init_dashboard () {
}
init_webserver () {
echo "todo"
echo "Starting initial web container to obtain Let's Encrypt cert"
cp container-config/nginx.initial-sample.conf container-config/nginx.conf
sed -i "s/sample\\.example\\.com/$AURA_DOMAIN/" container-config/nginx.conf
docker-compose up -d aura-web
# TODO: check whether we already have a valid cert
docker exec aura-web certbot certonly --webroot -w /usr/share/nginx/html -d "$AURA_DOMAIN" -m "$USERMAIL" --agree-tos --non-interactive
docker-compose stop aura-web
echo "Creating final TLS enabled nginx conf"
cp container-config/nginx.full-sample.conf container-config/nginx.conf
sed -i "s/sample\\.example\\.com/$AURA_DOMAIN/" container-config/nginx.conf
}
start_database_containers () {
echo "Starting database containers"
docker-compose up -d steering-postgres tank-postgres
}
start_containers () {
......@@ -175,14 +189,19 @@ start_containers () {
start_webserver () {
echo "Start nginx container as web proxy"
docker-compose up -d aura-web
# TODO: implement letsencrypt for prod setup
}
# TODO: create getopts interface with options to init, run and stop services
init_common
start_database_containers
# TODO: poll until databases are ready instead of sleeping 5s
echo "Sleeping for 5 seconds for the db containers to be fully set up"
sleep 5
init_steering
init_tank
init_dashboard
start_webserver
\ No newline at end of file
start_containers
init_webserver
start_webserver
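Review bot: In init_webserver the exit status of `docker exec aura-web certbot certonly ...` is never checked, so a failed issuance (domain not resolving to this host, port 80 not reachable, Let's Encrypt rate limit) still falls through to `cp container-config/nginx.full-sample.conf container-config/nginx.conf`, whose `ssl_certificate /etc/letsencrypt/live/$AURA_DOMAIN/fullchain.pem` then points at a file that does not exist and nginx refuses to start in start_webserver with no hint as to why. Unless the script sets `set -e` above the visible hunks, guard the call: `docker exec aura-web certbot certonly ... || { echo "certbot failed, keeping HTTP-only nginx.conf" >&2; docker-compose stop aura-web; return 1; }` and abort in the top-level sequence on failure. Nothing in the commit runs `certbot renew` (plus an nginx reload) afterwards, so the certificate lapses after 90 days; recording that next to the existing `# TODO: check whether we already have a valid cert` would keep it from being forgotten. Separately, the new `-u $UID` in init_tank relies on the shell providing UID, which a POSIX sh may not; under an empty expansion the next word becomes the user argument, so `-u "${UID:-$(id -u)}"` is safer. The enclosing init_tank and init_webserver functions start before their hunks.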