Complement improvements
This commit is contained in:
parent
cb2b5beea8
commit
ada15ceacc
4 changed files with 120 additions and 48 deletions
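--- a/.gitignore
+++ b/.gitignore
@@ -62,3 +62,4 @@ conduit.db
 
 # Etc.
 **/*.rs.bk
+cached_target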
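--- /dev/null
+++ b/complement/Dockerfile
@@ -0,0 +1,47 @@
+# For use in our CI only. This requires a build artifact created by a previous run pipline stage to be placed in cached_target/release/conduit
+FROM registry.gitlab.com/jfowl/conduit-containers/rust-with-tools:commit-16a08e9b as builder
+#FROM rust:latest as builder
+
+WORKDIR /workdir
+
+ARG RUSTC_WRAPPER
+ARG AWS_ACCESS_KEY_ID
+ARG AWS_SECRET_ACCESS_KEY
+ARG SCCACHE_BUCKET
+ARG SCCACHE_ENDPOINT
+ARG SCCACHE_S3_USE_SSL
+
+COPY . .
+RUN mkdir -p target/release
+RUN test -e cached_target/release/conduit && cp cached_target/release/conduit target/release/conduit || cargo build --release
+
+## Actual image
+FROM debian:bullseye
+WORKDIR /workdir
+
+# Install caddy
+RUN apt-get update && apt-get install -y debian-keyring debian-archive-keyring apt-transport-https curl && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/testing/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-testing-archive-keyring.gpg && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/testing/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-testing.list && apt-get update && apt-get install -y caddy
+
+COPY conduit-example.toml conduit.toml
+COPY complement/caddy.json caddy.json
+
+ENV SERVER_NAME=localhost
+ENV CONDUIT_CONFIG=/workdir/conduit.toml
+
+RUN sed -i "s/port = 6167/port = 8008/g" conduit.toml
+RUN echo "allow_federation = true" >> conduit.toml
+RUN echo "allow_encryption = true" >> conduit.toml
+RUN echo "allow_registration = true" >> conduit.toml
+RUN echo "log = \"warn,_=off,sled=off\"" >> conduit.toml
+RUN sed -i "s/address = \"127.0.0.1\"/address = \"0.0.0.0\"/g" conduit.toml
+
+COPY --from=builder /workdir/target/release/conduit /workdir/conduit
+RUN chmod +x /workdir/conduit
+
+EXPOSE 8008 8448
+
+CMD uname -a && \
+sed -i "s/#server_name = \"your.server.name\"/server_name = \"${SERVER_NAME}\"/g" conduit.toml && \
+sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \
+caddy start --config caddy.json > /dev/null && \
+/workdir/conduit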
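Review bot: The builder stage's `ARG AWS_ACCESS_KEY_ID` and `ARG AWS_SECRET_ACCESS_KEY` pass the sccache S3 credentials as build args, which are recorded in the builder's layer metadata and in any exported build cache even though that stage is not shipped; a BuildKit secret mount on the `cargo build` line keeps them out of every layer, e.g. `RUN --mount=type=secret,id=aws,target=/root/.aws/credentials test -e cached_target/release/conduit && cp cached_target/release/conduit target/release/conduit || cargo build --release` (sccache appears to honour the standard AWS credential file, but confirm for the pinned version). The `CMD` at the end of the file is shell form, so `/workdir/conduit` runs as a child of `sh -c` and never sees the SIGTERM from `docker stop`; writing the last command as `exec /workdir/conduit` fixes that without touching the rest of the chain. The caddy install line pipes `curl` into `gpg --dearmor` and `tee` without pipefail, so a failed key or list download is only noticed later when `apt-get update` rejects the repository; a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before it, plus `--no-install-recommends` and `rm -rf /var/lib/apt/lists/*` in the same layer, makes the failure explicit and the image smaller. The final stage also has no `USER`, so conduit and caddy run as root; acceptable for a CI-only image, but worth a comment on the `## Actual image` line saying so.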
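--- /dev/null
+++ b/complement/caddy.json
@@ -0,0 +1,72 @@
+{
+"logging": {
+"logs": {
+"default": {
+"level": "WARN"
+}
+}
+},
+"apps": {
+"http": {
+"https_port": 8448,
+"servers": {
+"srv0": {
+"listen": [":8448"],
+"routes": [{
+"match": [{
+"host": ["your.server.name"]
+}],
+"handle": [{
+"handler": "subroute",
+"routes": [{
+"handle": [{
+"handler": "reverse_proxy",
+"upstreams": [{
+"dial": "127.0.0.1:8008"
+}]
+}]
+}]
+}],
+"terminal": true
+}],
+"tls_connection_policies": [{
+"match": {
+"sni": ["your.server.name"]
+}
+}]
+}
+}
+},
+"pki": {
+"certificate_authorities": {
+"local": {
+"name": "Complement CA",
+"root": {
+"certificate": "/complement/ca/ca.crt",
+"private_key": "/complement/ca/ca.key"
+},
+"intermediate": {
+"certificate": "/complement/ca/ca.crt",
+"private_key": "/complement/ca/ca.key"
+}
+}
+}
+},
+"tls": {
+"automation": {
+"policies": [{
+"subjects": ["your.server.name"],
+"issuers": [{
+"module": "internal"
+}],
+"on_demand": true
+}, {
+"issuers": [{
+"module": "internal",
+"ca": "local"
+}]
+}]
+}
+}
+}
+}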
|
@ -1,48 +0,0 @@
|
||||||
# For use in our CI only. This requires a build artifact created by a previous run pipline stage to be placed in cached_target/release/conduit
|
|
||||||
FROM valkum/docker-rust-ci:latest as builder
|
|
||||||
WORKDIR /workdir
|
|
||||||
|
|
||||||
ARG RUSTC_WRAPPER
|
|
||||||
ARG AWS_ACCESS_KEY_ID
|
|
||||||
ARG AWS_SECRET_ACCESS_KEY
|
|
||||||
ARG SCCACHE_BUCKET
|
|
||||||
ARG SCCACHE_ENDPOINT
|
|
||||||
ARG SCCACHE_S3_USE_SSL
|
|
||||||
|
|
||||||
COPY . .
|
|
||||||
RUN mkdir -p target/release
|
|
||||||
RUN test -e cached_target/release/conduit && cp cached_target/release/conduit target/release/conduit || cargo build --release
|
|
||||||
|
|
||||||
|
|
||||||
FROM valkum/docker-rust-ci:latest
|
|
||||||
WORKDIR /workdir
|
|
||||||
|
|
||||||
RUN curl -OL "https://github.com/caddyserver/caddy/releases/download/v2.2.1/caddy_2.2.1_linux_amd64.tar.gz"
|
|
||||||
RUN tar xzf caddy_2.2.1_linux_amd64.tar.gz
|
|
||||||
|
|
||||||
COPY cached_target/release/conduit /workdir/conduit
|
|
||||||
RUN chmod +x /workdir/conduit
|
|
||||||
RUN chmod +x /workdir/caddy
|
|
||||||
|
|
||||||
COPY conduit-example.toml conduit.toml
|
|
||||||
|
|
||||||
ENV SERVER_NAME=localhost
|
|
||||||
ENV CONDUIT_CONFIG=/workdir/conduit.toml
|
|
||||||
|
|
||||||
RUN sed -i "s/port = 6167/port = 8008/g" conduit.toml
|
|
||||||
RUN echo "allow_federation = true" >> conduit.toml
|
|
||||||
RUN echo "allow_encryption = true" >> conduit.toml
|
|
||||||
RUN echo "allow_registration = true" >> conduit.toml
|
|
||||||
RUN echo "log = \"warn,_=off,sled=off\"" >> conduit.toml
|
|
||||||
RUN sed -i "s/address = \"127.0.0.1\"/address = \"0.0.0.0\"/g" conduit.toml
|
|
||||||
|
|
||||||
# Enabled Caddy auto cert generation for complement provided CA.
|
|
||||||
RUN echo '{"logging":{"logs":{"default":{"level":"WARN"}}}, "apps":{"http":{"https_port":8448,"servers":{"srv0":{"listen":[":8448"],"routes":[{"match":[{"host":["your.server.name"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"127.0.0.1:8008"}]}]}]}],"terminal":true}],"tls_connection_policies": [{"match": {"sni": ["your.server.name"]}}]}}},"pki": {"certificate_authorities": {"local": {"name": "Complement CA","root": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"},"intermediate": {"certificate": "/ca/ca.crt","private_key": "/ca/ca.key"}}}},"tls":{"automation":{"policies":[{"subjects":["your.server.name"],"issuer":{"module":"internal"},"on_demand":true},{"issuer":{"module":"internal", "ca": "local"}}]}}}}' > caddy.json
|
|
||||||
|
|
||||||
EXPOSE 8008 8448
|
|
||||||
|
|
||||||
CMD ([ -z "${COMPLEMENT_CA}" ] && echo "Error: Need Complement PKI support" && true) || \
|
|
||||||
sed -i "s/#server_name = \"your.server.name\"/server_name = \"${SERVER_NAME}\"/g" conduit.toml && \
|
|
||||||
sed -i "s/your.server.name/${SERVER_NAME}/g" caddy.json && \
|
|
||||||
/workdir/caddy start --config caddy.json > /dev/null && \
|
|
||||||
/workdir/conduit
|
|