updated docker conf for standalone

2020-01-13 17:07:14 +01:00
parent c77093b2d4
commit 27d6095ec5
9 changed files with 239 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -27,4 +27,5 @@ Thumbs.db
 /static/img/
 /static/animation/
 /.idea
-/requirements.txt
+/requirements.txt
+/conf/certbot/
--- a/10
+++ b/10
@@ -5,7 +5,7 @@
 # </WARNING>

 # <DOCKER_FROM>
-FROM aldryn/base-project:py3-3.25.1
+FROM divio/base:4.15-py3.6-slim-stretch
 # </DOCKER_FROM>

 # <PROJECT>
@@ -13,8 +13,8 @@ ENV PYTHONPATH=/app/src:$PYTHONPATH
 # </PROJECT>

 # <NODE>
-ENV NODE_VERSION=8.5.0 \
-    NPM_VERSION=5.4.2
+ENV NODE_VERSION=10.15.3 \
+    NPM_VERSION=6.4.1

 RUN export NVM_DIR="/opt/nvm" && \
    [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" && \
@@ -35,6 +35,9 @@ COPY package.json /
 RUN (cd / && npm install --production && rm -rf /tmp/*)
 # </NPM>

+# <BOWER>
+# </BOWER>
+
 # <PYTHON>
 ENV PIP_INDEX_URL=${PIP_INDEX_URL:-https://wheels.aldryn.net/v1/aldryn-extras+pypi/${WHEELS_PLATFORM:-aldryn-baseproject-py3}/+simple/} \
    WHEELSPROXY_URL=${WHEELSPROXY_URL:-https://wheels.aldryn.net/v1/aldryn-extras+pypi/${WHEELS_PLATFORM:-aldryn-baseproject-py3}/}
@@ -47,7 +50,6 @@ RUN pip-reqs compile && \
        --requirement requirements.urls
 # </PYTHON>

-
 # <SOURCE>
 COPY . /app
 # </SOURCE>
--- a/conf/nginx/app.conf
+++ b/conf/nginx/app.conf
@@ -0,0 +1,61 @@
+upstream gunicorn {
+    server web:80;
+}
+
+
+server {
+    listen 80;
+    server_name tagesschule.mprofiag.ch;
+    server_tokens off;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name tagesschule.mprofiag.ch;
+    server_tokens off;
+    sendfile on;
+
+    ssl_certificate /etc/letsencrypt/live/tagesschule.mprofiag.ch/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/tagesschule.mprofiag.ch/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    add_header X-Frame-Options "";
+
+    gzip on;
+    gzip_http_version 1.1;
+    gzip_disable      "MSIE [1-6]\.";
+    gzip_min_length   256;
+    gzip_vary         on;
+    gzip_proxied      expired no-cache no-store private auth;
+    gzip_types        text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+    gzip_comp_level   9;
+
+    location /static/ {
+        sendfile on;
+        alias /app/static_collected/;
+    }
+
+    location /media/ {
+        sendfile on;
+        alias /app/data/media/;
+    }
+
+    location / {
+        proxy_hide_header X-Frame-Options;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_redirect off;
+        proxy_pass http://gunicorn;
+    }
+}
+
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,21 +1,63 @@
-version: "2"
+version: '3'

 services:
+  nginx:
+    image: nginx:1.16-alpine
+    restart: unless-stopped
+    volumes:
+      - ./conf/nginx:/etc/nginx/conf.d
+      - ./conf/certbot/conf:/etc/letsencrypt
+      - ./conf/certbot/www:/var/www/certbot
+      - ./static_collected:/app/static_collected
+      - ./data/media:/app/data/media
+    ports:
+      - "80:80"
+      - "443:443"
+    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+    depends_on:
+      - web
+    networks:
+      - nginx_network
+
+  certbot:
+    image: certbot/certbot
+    restart: unless-stopped
+    volumes:
+      - ./conf/certbot/conf:/etc/letsencrypt
+      - ./conf/certbot/www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+
  web:
    build: "."
    links:
      - "db:postgres"
-    ports:
-      - "8009:80"
    volumes:
      - ".:/app:rw"
      - "./data:/data:rw"
-    command: python manage.py runserver 0.0.0.0:80
-    env_file: .env-local
-
+      - ./static_collected:/app/static_collected
+      - ./data/media:/app/data/media
+    networks:
+      - nginx_network
+      - db_network
+    command: "/bin/sh -c '/app/wait-for-postgres.sh postgres /app/run.sh'"
+    environment:
+      SECRET_KEY: "TEST---asdg4hr63453452542h4sdf25g42s3df54hj38rd4sg3f2d54h3sd5f4g53"
+      DEBUG: "False"
+      SENTRY_DSN: "https://460e310d034c49a794941e087c4fcc6e@sentry.io/1196285"
+      DEFAULT_HAYSTACK_URL: "es+https://tcjf1ngoog:qj70l67kk2@tagesschule-elementa-8329801232.eu-west-1.bonsaisearch.net/index-*"
+      DATABASE_URL: "postgres://postgres@postgres:5432/db"
  db:
    image: postgres:9.6-alpine
    environment:
      POSTGRES_DB: "db"
    volumes:
      - ".:/app:rw"
+      - "./pgdata:/var/lib/postgresql/data:rw"
+    networks:
+      - db_network
+
+networks:
+  nginx_network:
+    driver: bridge
+  db_network:
+    driver: bridge
--- a/init-letsencrypt.sh
+++ b/init-letsencrypt.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+  echo 'Error: docker-compose is not installed.' >&2
+  exit 1
+fi
+
+domains=(tagesschule.mprofiag.ch)
+rsa_key_size=4096
+data_path="./conf/certbot"
+email="simon@baker-street.ch" # Adding a valid address is strongly recommended
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo
+
+
+echo "### Starting nginx ..."
+docker-compose up --force-recreate -d nginx
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+
+docker-compose run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose exec nginx nginx -s reload
--- a/requirements.in
+++ b/requirements.in
@@ -19,4 +19,5 @@ django-fontawesome==0.3.1
 mailchimp3==2.1.0
 django-image-cropping==1.2.0
 django-anymail[mailgun]==1.4
-django-admin-view-permission==1.9
+django-admin-view-permission==1.9
+gunicorn==19.9.0
--- a/run.sh
+++ b/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+python manage.py collectstatic --noinput
+python manage.py migrate
+gunicorn wsgi -b :80
--- a/settings.py
+++ b/settings.py
@@ -224,3 +224,22 @@ FILER_STORAGES = {
        },
    },
 }
+
+if not DEBUG:
+    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+    SECURE_CONTENT_TYPE_NOSNIFF = True
+    SECURE_BROWSER_XSS_FILTER = True
+    # SECURE_SSL_REDIRECT = True
+    SESSION_COOKIE_SECURE = True
+    SESSION_COOKIE_HTTPONLY = True
+    CSRF_COOKIE_SECURE = True
+
+    ALLOWED_HOSTS = [
+        '127.0.0.1',
+        '127.0.0.1:8000',
+        'localhost',
+        'localhost:8000',
+        'tagesschule-elementa.ch',
+        'www.tagesschule-elementa.ch',
+        'tagesschule.mprofiag.ch',
+    ]
--- a/wait-for-postgres.sh
+++ b/wait-for-postgres.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+# wait-for-postgres.sh
+
+set -e
+
+host="$1"
+shift
+cmd="$@"
+
+until PGPASSWORD=$POSTGRES_PASSWORD psql -h "$host" -U "postgres" -c '\q'; do
+  >&2 echo "Postgres is unavailable - sleeping"
+  sleep 1
+done
+
+>&2 echo "Postgres is up - executing command"
+exec $cmd