From 1b7270b40b65ef089bf40a14065227f742b8507e Mon Sep 17 00:00:00 2001 From: vnugent Date: Tue, 14 May 2024 21:52:03 -0400 Subject: chore: make container slightly easier to setup --- ci/container/Dockerfile | 9 ++++++--- ci/container/Taskfile.yaml | 6 ++++++ ci/container/docker-compose.yaml | 11 ++++++----- ci/container/run.sh | 7 +++++++ 4 files changed, 25 insertions(+), 8 deletions(-) (limited to 'ci/container') diff --git a/ci/container/Dockerfile b/ci/container/Dockerfile index a6d35d4..8787fa3 100644 --- a/ci/container/Dockerfile +++ b/ci/container/Dockerfile @@ -5,7 +5,7 @@ FROM alpine:3.19 as native-cont #install public libs and build tools -RUN apk update && apk add --no-cache build-base cmake npm git +RUN apk update && apk add --no-cache build-base cmake npm git openssl #most universal way to use Task is from NPM RUN npm install -g @go-task/cli @@ -20,7 +20,7 @@ RUN task build-libs #APP CONTAINER #move into a clean dotnet apline lean image -FROM mcr.microsoft.com/dotnet/runtime:8.0.2-alpine3.19-amd64 as app-cont +FROM mcr.microsoft.com/dotnet/runtime:8.0.3-alpine3.19-amd64 as app-cont LABEL name="vnuge/simple-bookmark" LABEL maintainer="Vaughn Nugent " @@ -31,6 +31,8 @@ COPY app/ /app #pull compiled libs from build container COPY --from=native-cont /build/out /app/lib +#copy self signed ssl certs for first startup +COPY --from=native-cont /build/ssl /app/ssl RUN apk update && apk add --no-cache gettext icu-libs dumb-init curl @@ -83,8 +85,9 @@ ENV VNCACHE_CACHE_PUBLIC_KEY="" #HTTP/PROXY Config ENV HTTP_DOWNSTREAM_SERVERS=[] -ENV SSL_JSON="{}" ENV HTTP_TRACE_ON=false +#set default certificate files to the self signed ones created in the build container +ENV SSL_JSON='{"cert": "ssl/cert.pem", "privkey":"ssl/key.pem"}' #run the init script within dumb-init ENTRYPOINT ["dumb-init", "--"] diff --git a/ci/container/Taskfile.yaml b/ci/container/Taskfile.yaml index 69dff71..9f486ef 100644 --- a/ci/container/Taskfile.yaml +++ b/ci/container/Taskfile.yaml 
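Review bot: The added `COPY --from=native-cont /build/ssl /app/ssl` (third Dockerfile hunk) puts the TLS private key generated during the build into an image layer, so every container started from one build shares that key and anyone who can pull or export the image can read it. The `ENV SSL_JSON=...` default added in the last hunk makes this shared key the out-of-the-box configuration, and the only warning is an `echo` in the build log, which people who receive the image never see. I would drop the COPY and have the start-up script create a certificate on first start when `ssl/key.pem` is absent (this needs `openssl` in the runtime stage's `apk add`), or at least repeat the warning at container start. If the build-time certificate stays, a comment above the COPY such as `#key.pem is baked into this layer and is identical for every container of this build; mount your own certs for anything reachable` would make the trade-off explicit.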
@@ -8,6 +8,7 @@ version: "3" vars: INCLUDE_FILES: "Dockerfile, docker-compose.yaml" + CERT_KEY_PARAMS: "ec -pkeyopt ec_paramgen_curve:secp384r1" includes: install: @@ -19,6 +20,7 @@ tasks: build-libs: vars: OUT_DIR: "{{.USER_WORKING_DIR}}/out" + SSL_DIR: "{{.USER_WORKING_DIR}}/ssl" #build stage generates the following libraries generates: @@ -36,6 +38,10 @@ tasks: #build native compression lib and put in lib dir - cd lib/vnlib_compress && cmake -B./build && cmake --build build/ --config Release && cp build/libvn_compress.so {{.OUT_DIR}}/libvn_compress.so + #create a fresh self-signed cert for the container during build + - openssl req -new -x509 -days 365 -keyout {{.SSL_DIR}}/key.pem -out {{.SSL_DIR}}/cert.pem -newkey {{.CERT_KEY_PARAMS}} --nodes + - echo "WARNING Self signed certificate created during build stage, DO NOT COPY THIS IMAGE" + #called from ci pipline to build the package build: cmds: diff --git a/ci/container/docker-compose.yaml b/ci/container/docker-compose.yaml index 465615d..63de647 100644 --- a/ci/container/docker-compose.yaml +++ b/ci/container/docker-compose.yaml @@ -11,7 +11,9 @@ services: volumes: - ./data:/app/data - ./assets:/app/usr/assets:ro - - ./ssl:/app/ssl:ro + #uncomment to use your own ssl certs, otherwise a build-time cert will be used + #- ./ssl/cert.pem:/app/ssl/cert.pem:ro + #- ./ssl/key.pem:/app/ssl/key.pem:ro ports: - 8080:8080 environment: @@ -34,7 +36,7 @@ services: MAX_LOGIN_ATTEMPS: "10" #SECRETS - PASSWORD_PEPPER: "" + PASSWORD_PEPPER: "" #A base64 encoded secret is required. raw string, vault://, file:// allowed DATABASE_PASSWORD: "" REDIS_PASSWORD: "" #if MEMCACHE_ONLY is false, then the following keys are required to connect to a VNCACHE cluster @@ -44,7 +46,6 @@ services: #HTTP HTTP_DOWNSTREAM_SERVERS: '[]' HTTP_TRACE_ON: "false" - #SSL_JSON: '{"cert": "ssl/cert.pem", "privkey":"ssl/priv.pem"}' - - SERVER_ARGS: "" + + SERVER_ARGS: "--setup" #remove the setup flag after you are done setting up the server 
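Review bot: The `openssl req` command added to `build-libs` passes no `-subj`, so it depends on how openssl's interactive subject prompts behave in a non-interactive image build; giving the subject explicitly, e.g. `-subj "/CN=localhost"` (constructed value), removes that dependency. No step that creates `{{.SSL_DIR}}` is visible in this hunk, and the `cmds` list starts outside it, so confirm the directory exists before the key is written. The 365-day validity also starts at build time, so an image deployed long after it was built can present an expired certificate on first start.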
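Review bot: `SERVER_ARGS: "--setup"` in the last docker-compose hunk makes setup mode the shipped default, and turning it off depends on the operator remembering to edit the file while port 8080 is already published. What `--setup` enables is not visible in this diff, but a flag that is meant to be removed after provisioning is safer as an opt-in. I would keep the default empty with `SERVER_ARGS: "${SERVER_ARGS:-}"` and document a one-off `SERVER_ARGS=--setup docker compose up` for the first run.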
diff --git a/ci/container/run.sh b/ci/container/run.sh index c780929..b452f2a 100644 --- a/ci/container/run.sh +++ b/ci/container/run.sh @@ -2,6 +2,8 @@ #this script will be invoked by dumb-init in the container on statup and is located at /app +echo "Generating configuration files" + rm -rf config && mkdir config #substitude all -template files in the config-templates dir and write them to the config dir @@ -9,7 +11,12 @@ for file in config-templates/*-template.json; do envsubst < $file > config/$(basename $file -template.json).json done +echo "Complete" + +echo "Merging your asset files" cp usr/assets/* plugins/assets/ -rf +echo "Complete" #start the server +echo "Starting the server" dotnet webserver/VNLib.WebServer.dll --config config/config.json --input-off $SERVER_ARGS \ No newline at end of file -- cgit
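Review bot: The `echo "Complete"` lines added in the second hunk print whether or not the preceding `envsubst` loop or the `cp` succeeded, so a failed template substitution is still reported as complete and the server starts on a missing or partial config. No `set -e` is visible in the hunks, though line 1 of the script is outside them. I would make the substitution fail loudly, `envsubst < $file > config/$(basename $file -template.json).json || { echo "config generation failed" >&2; exit 1; }`, and print the message only on success, `cp usr/assets/* plugins/assets/ -rf && echo "Complete"`. A blanket `set -e` would also do it, but the `cp` would then abort start-up when `usr/assets` is empty, so that case would need handling first.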