From ada15ceacc4a18d53b40a7d84216404ae79aa888 Mon Sep 17 00:00:00 2001
From: Jonathan de Jong
Date: Mon, 17 Oct 2022 18:41:45 +0200
Subject: [PATCH] Complement improvements
---
.gitignore | 1 +
complement/Dockerfile | 47 ++++++++++++++++++++++++
complement/caddy.json | 72 +++++++++++++++++++++++++++++++++++++
tests/Complement.Dockerfile | 48 -------------------------
4 files changed, 120 insertions(+), 48 deletions(-)
create mode 100644 complement/Dockerfile
create mode 100644 complement/caddy.json
delete mode 100644 tests/Complement.Dockerfile
diff --git a/.gitignore b/.gitignore
index f5e9505b..f5cbfaab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,3 +62,4 @@ conduit.db # Etc. **/*.rs.bk
+cached_target
\ No newline at end of file
diff --git a/complement/Dockerfile b/complement/Dockerfile
new file mode 100644
index 00000000..43416fa1
--- /dev/null
+++ b/complement/Dockerfile
@@ -0,0 +1,47 @@
+# For use in our CI only. This requires a build artifact created by a previous run pipline stage to be placed in cached_target/release/conduit
+FROM registry.gitlab.com/jfowl/conduit-containers/rust-with-tools:commit-16a08e9b as builder
+#FROM rust:latest as builder
+
+WORKDIR /workdir
+
+ARG RUSTC_WRAPPER
+ARG AWS_ACCESS_KEY_ID
+ARG AWS_SECRET_ACCESS_KEY
+ARG SCCACHE_BUCKET
+ARG SCCACHE_ENDPOINT
+ARG SCCACHE_S3_USE_SSL
+
+COPY . .
+RUN mkdir -p target/release
+RUN test -e cached_target/release/conduit && cp cached_target/release/conduit target/release/conduit || cargo build --release
+
+## Actual image
+FROM debian:bullseye
+WORKDIR /workdir
+
+# Install caddy
+RUN apt-get update && apt-get install -y debian-keyring debian-archive-keyring apt-transport-https curl && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/testing/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-testing-archive-keyring.gpg && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/testing/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-testing.list && apt-get update && apt-get install -y caddy
+
+COPY conduit-example.toml conduit.toml
+COPY complement/caddy.json caddy.json
+
+ENV SERVER_NAME=localhost
+ENV CONDUIT_CONFIG=/workdir/conduit.toml
+
+RUN sed -i "s/port = 6167/port = 8008/g" conduit.toml
+RUN echo "allow_federation = true" >> conduit.toml
+RUN echo "allow_encryption = true" >> conduit.toml
+RUN echo "allow_registration = true" >> conduit.toml
+RUN echo "log = \"warn,_=off,sled=off\"" >> conduit.toml
+RUN sed -i "s/address = \"127.0.0.1\"/address = \"0.0.0.0\"/g" conduit.toml
+
+COPY --from=builder /workdir/target/release/conduit /workdir/conduit
+RUN chmod +x /workdir/conduit
+
+EXPOSE 8008 8448
+
+CMD uname -a && \
+ sed -i "s/#server_name = \"your.server.name\"/server_name = \"${SERVER_NAME}\"/g" conduit.toml && \
+ sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \
+ caddy start --config caddy.json > /dev/null && \
+ /workdir/conduit
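Review bot: The `# Install caddy` RUN in the final stage installs `caddy` from the cloudsmith *testing* channel with no version pin, so each CI build can pick up a different pre-release Caddy, and its two `curl … | gpg` / `curl … | tee` pipes run under plain `/bin/sh -c`, where a failed download is masked (`tee` still writes an empty sources list and exits 0) and only surfaces later as a confusing `apt-get install` error. I would add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before that step, switch both URLs and the keyring/list names from `testing` to `stable`, and pin with `apt-get install -y caddy=<PINNED_CADDY_VERSION>`; as far as I can tell `debian:bullseye` also does not ship a `gpg` binary, so `gnupg` likely belongs in the first install list (the rewrite below includes it, which is harmless if it is already present). Secondary: `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` are passed as `ARG`, which records their values in the builder stage's layer history — a `RUN --mount=type=secret` is the safer way to hand sccache its credentials — and the final stage never sets `USER`, so both caddy and conduit run as root.
```dockerfile
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Install caddy from the stable channel, pinned so CI runs are reproducible
RUN apt-get update && apt-get install -y --no-install-recommends \
      apt-transport-https \
      ca-certificates \
      curl \
      debian-archive-keyring \
      debian-keyring \
      gnupg \
    && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg \
    && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list \
    && apt-get update && apt-get install -y --no-install-recommends caddy=<PINNED_CADDY_VERSION> \
    && rm -rf /var/lib/apt/lists/*
# … unchanged: COPY conduit.toml / caddy.json, ENV, sed edits, COPY --from=builder, EXPOSE, CMD …
```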
diff --git a/complement/caddy.json b/complement/caddy.json
new file mode 100644
index 00000000..ea52c2c9
--- /dev/null
+++ b/complement/caddy.json
@@ -0,0 +1,72 @@
+{
+ "logging": {
+ "logs": {
+ "default": {
+ "level": "WARN"
+ }
+ }
+ },
+ "apps": {
+ "http": {
+ "https_port": 8448,
+ "servers": {
+ "srv0": {
+ "listen": [":8448"],
+ "routes": [{
+ "match": [{
+ "host": ["your.server.name"]
+ }],
+ "handle": [{
+ "handler": "subroute",
+ "routes": [{
+ "handle": [{
+ "handler": "reverse_proxy",
+ "upstreams": [{
+ "dial": "127.0.0.1:8008"
+ }]
+ }]
+ }]
+ }],
+ "terminal": true
+ }],
+ "tls_connection_policies": [{
+ "match": {
+ "sni": ["your.server.name"]
+ }
+ }]
+ }
+ }
+ },
+ "pki": {
+ "certificate_authorities": {
+ "local": {
+ "name": "Complement CA",
+ "root": {
+ "certificate": "/complement/ca/ca.crt",
+ "private_key": "/complement/ca/ca.key"
+ },
+ "intermediate": {
+ "certificate": "/complement/ca/ca.crt",
+ "private_key": "/complement/ca/ca.key"
+ }
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [{
+ "subjects": ["your.server.name"],
+ "issuers": [{
+ "module": "internal"
+ }],
+ "on_demand": true
+ }, {
+ "issuers": [{
+ "module": "internal",
+ "ca": "local"
+ }]
+ }]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/Complement.Dockerfile b/tests/Complement.Dockerfile
deleted file mode 100644
index b9d0f8c9..00000000
--- a/tests/Complement.Dockerfile
+++ /dev/null
@@ -1,48 +0,0 @@
-# For use in our CI only. This requires a build artifact created by a previous run pipline stage to be placed in cached_target/release/conduit
-FROM valkum/docker-rust-ci:latest as builder
-WORKDIR /workdir
-
-ARG RUSTC_WRAPPER
-ARG AWS_ACCESS_KEY_ID
-ARG AWS_SECRET_ACCESS_KEY
-ARG SCCACHE_BUCKET
-ARG SCCACHE_ENDPOINT
-ARG SCCACHE_S3_USE_SSL
-
-COPY . .
-RUN mkdir -p target/release
-RUN test -e cached_target/release/conduit && cp cached_target/release/conduit target/release/conduit || cargo build --release
-
-
-FROM valkum/docker-rust-ci:latest
-WORKDIR /workdir
-
-RUN curl -OL "https://github.com/caddyserver/caddy/releases/download/v2.2.1/caddy_2.2.1_linux_amd64.tar.gz"
-RUN tar xzf caddy_2.2.1_linux_amd64.tar.gz
-
-COPY cached_target/release/conduit /workdir/conduit
-RUN chmod +x /workdir/conduit
-RUN chmod +x /workdir/caddy
-
-COPY conduit-example.toml conduit.toml
-
-ENV SERVER_NAME=localhost
-ENV CONDUIT_CONFIG=/workdir/conduit.toml
-
-RUN sed -i "s/port = 6167/port = 8008/g" conduit.toml
-RUN echo "allow_federation = true" >> conduit.toml
-RUN echo "allow_encryption = true" >> conduit.toml
-RUN echo "allow_registration = true" >> conduit.toml
-RUN echo "log = \"warn,_=off,sled=off\"" >> conduit.toml
-RUN sed -i "s/address = \"127.0.0.1\"/address = \"0.0.0.0\"/g" conduit.toml
-
-# Enabled Caddy auto cert generation for complement provided CA.
-RUN echo '{"logging":{"logs":{"default":{"level":"WARN"}}}, "apps":{"http":{"https_port":8448,"servers":{"srv0":{"listen":[":8448"],"routes":[{"match":[{"host":["your.server.name"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:8008"}]}]}]}],"terminal":true}],"tls_connection_policies": [{"match": {"sni": ["your.server.name"]}}]}}},"pki": {"certificate_authorities": {"local": {"name": "Complement CA","root": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"},"intermediate": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"}}}},"tls":{"automation":{"policies":[{"subjects":["your.server.name"],"issuer":{"module":"internal"},"on_demand":true},{"issuer":{"module":"internal", "ca": "local"}}]}}}}' > caddy.json
-
-EXPOSE 8008 8448
-
-CMD ([ -z "${COMPLEMENT_CA}" ] && echo "Error: Need Complement PKI support" && true) || \
- sed -i "s/#server_name = \"your.server.name\"/server_name = \"${SERVER_NAME}\"/g" conduit.toml && \
- sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \
- /workdir/caddy start --config caddy.json > /dev/null && \
- /workdir/conduit