
Changing paradigm

Now the container also ships Nginx and OpenSSH's sshd. You provide an SSH public key
through the environment variable PELICAN_PUBKEY, and your blog is rebuilt
every time you push to it.
Lertsenem 5 years ago
parent
commit
203412c6dd
8 changed files with 138 additions and 99 deletions
  1. 50 33
      Dockerfile
  2. 0 33
      certs/lertsenem.root.crt
  3. 0 33
      certs/lertsenem.web.crt
  4. 8 0
      git.post-receive
  5. 37 0
      nginx.conf
  6. 13 0
      run.sh
  7. 4 0
      sshd.conf
  8. 26 0
      supervisord.conf

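--- a/Dockerfile
+++ b/Dockerfile
@@ -5,40 +5,57 @@ FROM alpine
 
 MAINTAINER Lertsenem <lertsenem@lertsenem.com>
 
+EXPOSE 22
+EXPOSE 80
+
 # System installations
-RUN    apk update                  \
-    && apk add                     \
-        asciidoc                   \
-        bash                       \
-        ca-certificates            \
-        git                        \
-        make                       \
-        perl                       \
-        python                     \
-        python3                    \
-        py-pip                     \
-	rsync                      \
-    && rm -rf /var/cache/apk/*
-
-# Copy certificates
-COPY certs /root/certs
-
-# Adding specific ca-certificates
-RUN    mkdir -p /usr/local/share/ca-certificates/lertsenem                 \
-    && mv /root/certs/lertsenem.root.crt                                   \
-          /usr/local/share/ca-certificates/lertsenem                       \
-    && mv /root/certs/lertsenem.web.crt                                    \
-          /usr/local/share/ca-certificates/lertsenem                       \
-    && ln -s /usr/local/share/ca-certificates/lertsenem/lertsenem.root.crt \
-             /etc/ssl/certs                                                \
-    && ln -s /usr/local/share/ca-certificates/lertsenem/lertsenem.web.crt  \
-             /etc/ssl/certs                                                \
-    && cat /usr/local/share/ca-certificates/lertsenem/lertsenem.root.crt   \
-        >> /etc/ssl/certs/ca-certificates.crt                              \
-    && cat /usr/local/share/ca-certificates/lertsenem/lertsenem.web.crt    \
-        >> /etc/ssl/certs/ca-certificates.crt                              \
-    && rmdir /root/certs
+RUN    apk update                              \
+    && apk add                                 \
+        asciidoc                               \
+        bash                                   \
+        git                                    \
+        make                                   \
+        nginx                                  \
+        openssh                                \
+        python                                 \
+        python3                                \
+        py-pip                                 \
+        supervisor                             \
+    && rm -rf /var/cache/apk/*                 \
+    && adduser -h /srv/git                     \
+               -s /bin/bash                    \
+               -G pelican                      \
+               -G nginx                        \
+               -D                              \
+               pelican                         \
+    && rm    /etc/supervisord.conf             \
+    && rm    /etc/ssh/sshd_config              \
+    && rm    /etc/nginx/nginx.conf             \
+    && rm -r /etc/nginx/conf.d/                \
+    && ssh-keygen -A                           \
+    && mkdir /srv/www                          \
+    && chown nginx:nginx /srv/www
 
+COPY run.sh                /run.sh
+COPY nginx.conf            /etc/nginx/nginx.conf
+COPY supervisord.conf      /etc/supervisord.conf
+COPY sshd.conf             /etc/ssh/sshd_config
 
 # Pelican installation
-RUN pip install html5lib pelican markdown
+RUN pip install html5lib                       \
+                pelican                        \
+                markdown
+
+# Pelican parameters
+USER pelican
+
+RUN    mkdir -p /srv/git/.ssh                  \
+    && mkdir -p /srv/git/blog.git              \
+    && git init --bare /srv/git/blog.git       \
+    && touch /srv/git/.ssh/authorized_keys     \
+    && chmod 700 /srv/git/.ssh                 \
+    && chmod 640 /srv/git/.ssh/authorized_keys
+
+USER root
+
+CMD /run.sh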
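Review bot: `ssh-keygen -A` on new line 35 generates the SSH host keys during the image build, so the private host keys end up in an image layer and are shared by every container started from this image and by anyone who can pull it. Generating them at container start instead (e.g. `ssh-keygen -A` in run.sh before supervisord is launched, or on a mounted volume) gives each instance its own host identity. `CMD /run.sh` on line 61 is the shell form, so PID 1 is `/bin/sh -c` and supervisord never receives the container's stop signal; `CMD ["/run.sh"]` avoids that. Also, `/srv/www` is created with the default mode and handed to `nginx:nginx`, while the post-receive hook writes pelican's output there as user `pelican`; the `adduser` line passes `-G` twice and no `pelican` group is created anywhere in this hunk, so confirm that `pelican` actually lands in group `nginx` and that the directory is group-writable, otherwise the rebuild on push will fail with a permission error.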

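--- a/certs/lertsenem.root.crt
+++ b/certs/lertsenem.root.crt
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFuzCCA6OgAwIBAgIBATANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJGUjEO
-MAwGA1UEBxMFUGFyaXMxEjAQBgNVBAoTCUxlcnRzZW5lbTESMBAGA1UEAxMJQUMg
-cmFjaW5lMSAwHgYJKoZIhvcNAQkBFhFpZ2NAbGVydHNlbmVtLmNvbTAeFw0xNTAz
-MDgxMjI3MDBaFw0yNTAzMDgxMjI3MDBaMGcxCzAJBgNVBAYTAkZSMQ4wDAYDVQQH
-EwVQYXJpczESMBAGA1UEChMJTGVydHNlbmVtMRIwEAYDVQQDEwlBQyByYWNpbmUx
-IDAeBgkqhkiG9w0BCQEWEWlnY0BsZXJ0c2VuZW0uY29tMIICIjANBgkqhkiG9w0B
-AQEFAAOCAg8AMIICCgKCAgEA5+JDSUhz29mS1YW+ucE0O/jcdHJ8q6c2g7wYmJE6
-tk82wifwild6eT3y4cvWntO3j5dLmaaeSHp9/mhQ4N1zXCbAAVrP9+ehBsixTVcr
-2yJ/1Rmy605zduP4fhXM3+DAc7nsvo+IhYv0Aud52utrldysK5sDkMKWN27waG0D
-PMNGk0KD9aU2QjnAnQCKLkFVuvy5ME6sNbpoJzzZVqR6bXz5VHh32y+Nz4dD4RUJ
-q7PxXtX9SMkQCYC7dlHhH5+sVnPa0eWxnfpGyGlp9fjLZARqqB5r3x0QZI7bER5U
-wTJte3IsLNPqLMpzvs/JABYKhNVXddppKe2r1to0zKLzt3CKfs0CWLYKOjOJExeO
-Dh06B4745h8kVeeEnyzCXsm2mpj+1nx4uXFOuAl2+qe5xspqD3uswpF9o5W3Czx4
-n82A9uKXNquZqOEbG2Cy8o0GYQOKI8FkHV0ul6o/AGnmshCAcV2/jEFSpXUNpi5k
-MnFL9K/rMeq+9PxH6z46o7umgoMmElIa3uWHk/nVwutgeVKPETtzjbK/CXdXbTES
-7MMYe0e72wqxM9wo0Vgi46CFazCG/6dm2A/qHx9MFIqHWSYLDVoPGX/9g7TAUiMA
-qCXP4tf41tOkMA3VbS1s5XdBH7GPP/KHkCnRV/875DWK8naG/60eLYtfFOjnKcJA
-SnECAwEAAaNyMHAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU0JM9/hEqXWK7
-fMktAswUKgVRykwwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIABzAeBglg
-hkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4ICAQBn
-UYckK5/QysMwATagcR3IzhnG1o4yzpAcbAuoeZzhZuPvDFbWD3+tnYPmJekq6wXo
-tub94ohMNCkUa9qLQKKeLoSFlOLvSNzr6DDF9ewQxuKy8uEY9QRvvjurj/WMuKbR
-3CQZdR9Aaw1Km34HKzUntibPgSffOBBa/gNPckxC2Z3rcgjoQXOCA3BG4x9F7q7r
-VMVj4FTHtNnN1m59pa10bkfyKc7LqA9UcFAK8Vzbyv1e4S0LIm7/zymx6V5x1/YX
-CmCjFCiJY936d2AuTZjiofulQe+LXVdfMI1Fg7kBKUrG8QvRkiv+cUGuMjyaqHdc
-gH8+/Ln8SO8Hwkzm4H3nWBXKbeZQfIMF0zSt6ryYoA3/ty7G++qLC7JO0qyQQlIg
-lunMv5aDDFgO4Hym3pXL2JGMliHRp7hRIy0sXMfq4qum1oV4RGofqeYo/GpD5zK1
-hcmkMQJAA/FebgDes/kkmu8QlTm8nbLhLOTqzNu72hTUN2aI9S6S31HvDWF4bYlh
-G1Koq92Wn2wJc2pNfEiSwgztWcccpBJAku48lyBW9MOsz116VuX0ZOlUym7pYX83
-6yZXjM31xMOoWTSWzKs904hqXLfUvuUMVygmsKXPqUmrA16ht070qI+oaeWfcOET
-+foD8UT8TfzjPemVHBqjM9vmIrVVv7Si1WRXihc/2g==
------END CERTIFICATE-----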

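--- a/certs/lertsenem.web.crt
+++ b/certs/lertsenem.web.crt
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFwTCCA6mgAwIBAgIBAjANBgkqhkiG9w0BAQ0FADBnMQswCQYDVQQGEwJGUjEO
-MAwGA1UEBxMFUGFyaXMxEjAQBgNVBAoTCUxlcnRzZW5lbTESMBAGA1UEAxMJQUMg
-cmFjaW5lMSAwHgYJKoZIhvcNAQkBFhFpZ2NAbGVydHNlbmVtLmNvbTAeFw0xNTAz
-MDgxMjMwMDBaFw0yNTAzMDgxMjI3MDBaMG0xCzAJBgNVBAYTAkZSMQ4wDAYDVQQH
-EwVQYXJpczESMBAGA1UEChMJTGVydHNlbmVtMRgwFgYDVQQDEw9BQyBzZXJ2aWNl
-cyBXZWIxIDAeBgkqhkiG9w0BCQEWEWlnY0BsZXJ0c2VuZW0uY29tMIICIjANBgkq
-hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5IvfEjov8FDcBLFTNRJ8dEHmH+l+nEZX
-3cygsDv/239FtuI9SCwUB1kR+8RixDhzWjLcyBpMf/5QioMJqz4yQeXgFMofBtzB
-9v8eeZ1EuMeyZtDASIfJPKrlfyYUuTueBzn9vKff5LNuBFyIpqEqg2gpc5dn96+B
-WE2g+R6HC5UKMXvXj9dZS5xthYFigbdn1alWqVd2p/as2d838T5Rl1UkK2AwxVLU
-W/9Qg78YRk19f9485drr6EtUGaFL4qGLmu/RWdncHCeTyC1swbEzhr1zqvrpU/6Y
-cNNOIwTodrNxkOuyo8iKAScoT/mErrFZCp2kR2B+YDtNLPZ+bEKsWHGkcESCvS9Z
-tAPJ/Bs3/N3I2YcdJZgxNTstT/b7mWAO31I4TctU95esJNLXD6NxabZWctfTKEMa
-+3DENVg/Tc7dZ7yL9mtUhr6aB7bSKk7vollVg/ZOW2EJeNUeFz5+KNbE9FI5Bfz2
-7IRkro8a2fRQEBRg14V0CUpRhVEHRHtC0whaYkQNJhSwyG2u6iBwe7XJto2UaEsq
-JtPRXMFvnYWB/i7TGrd4l9CqJUTst0h2rtDhMObgK6ojm0xzxA7kKQ9AQm293fc7
-w1+0TQzhQFy+8TtsLvrXAGR9HZnpa5yd6RCWaouZEWd8Fi6TZLdmjtF9xQ+OY8lR
-v1cwJHnej9sCAwEAAaNyMHAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU3aR5
-rrltv0DjB+febdLznkkZfl8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIA
-BzAeBglghkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBDQUA
-A4ICAQCovewpif0ep1TNQ/rUMWPeFlG007xEP+E4iEMhA/0mEEmpT63Yn55fQIV2
-ZTpmlKT3KSqGc+ExOULJGZ+gQ606HT89a52UW2FL1mIcYyAw5xREfAFKtNFWNi+V
-mxkH0kfUqSRQjS8Vl7lHkjDlG7AAQ97Ce3YQSDLCpU7O2na9gi9G2YSsLG73PjJW
-UZ0Fyzaeyriig5Kqjs2AOhlPdSCg/LWi/AXaXAj3Upy88aHf3bMMsAiQ+yqccbq2
-nhMs8t78h6uN1MybVdTqSUtV82KXUXV/NeZ7uU8ifqHz7KenBUtJWNGpl7mpw+Tn
-h6KAoUTEFIEkR+mypaV2/f81/xAikDGefC50+1Gm5RwxAzIiPwi17F5dDLEwOpy2
-2eopVwXAMcRjE8qf3CKNLyDCrL12vqT3kCaSNRHp8EO/XZyPP6Bg+0fCGIx7nE0t
-+LByVpeP4IvnOlyB+TfZudzWV64ErYe1/22kkMCGWt0eYT0iKNqcorT4D3Lwr7Ye
-FB3QiloY84jKiulbs3pblNg7K5nAXZYu9jYgSOLgRMx5NO+O3nd5k40Y+MXiJ/HJ
-ztRjy9Y3iOhewDZjRaDjC1cODEk9c55mre/o1g4hYqMfGCgoCMaeX+iDL+3oRJPz
-t6jVOpScOp7OidhTC081tn3UzmF3harbcSRjdd/txMZ7HztsXw==
------END CERTIFICATE-----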

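--- a/git.post-receive
+++ b/git.post-receive
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+GIT_WORK_TREE=/srv/git/blog.git
+
+git checkout -f
+pelican    /srv/git/blog.git/content
+        -o /srv/www/
+        -s /srv/git/blog.git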
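Review bot: The `pelican` invocation on lines 6–8 has no line continuations, so `-o /srv/www/` and `-s /srv/git/blog.git` run as two separate commands and pelican is called with the content path alone; `GIT_WORK_TREE` on line 3 is likewise assigned but never exported, so `git checkout -f` does not see it. Nothing in the visible Dockerfile hunk copies this file to `/srv/git/blog.git/hooks/post-receive` or marks it executable, so as far as this commit shows the hook is never installed. Pointing the work tree at the bare repository's own directory also looks unintended, and `-s` normally takes a settings file rather than a directory; both are worth confirming. With `set -eu` a failure in the rebuild would fail the push visibly instead of leaving a stale site behind.
```shell
#!/bin/bash
set -eu

export GIT_WORK_TREE=/srv/git/blog.git   # TODO(review): confirm a work tree inside the bare repo is intended

git checkout -f
pelican    /srv/git/blog.git/content \
        -o /srv/www/                 \
        -s /srv/git/blog.git         # TODO(review): -s usually expects a settings file; confirm
```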

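--- a/nginx.conf
+++ b/nginx.conf
@@ -0,0 +1,37 @@
+user nginx;
+daemon off;
+worker_processes auto;
+pcre_jit on;
+#error_log /var/log/nginx/error.log warn;
+error_log /dev/stderr warn;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+	server_tokens off;
+	client_max_body_size 1m;
+	keepalive_timeout 65;
+	sendfile on;
+	tcp_nodelay on;
+	ssl_prefer_server_ciphers on;
+	ssl_session_cache shared:SSL:2m;
+	gzip_vary on;
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+			'$status $body_bytes_sent "$http_referer" '
+			'"$http_user_agent" "$http_x_forwarded_for"';
+	access_log /dev/stdout main;
+
+    server {
+        listen 80      default_server;
+        listen [::]:80 default_server ipv6only=on;
+
+        location / {
+            root /var/www/;
+        }
+    }
+}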
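Review bot: `root /var/www/;` on line 34 does not match where the site is generated: the Dockerfile creates and chowns `/srv/www`, and the post-receive hook writes pelican's output to `/srv/www/`, so this server block serves a directory that is empty or absent. The fix is `root /srv/www/;`. As a point of style, the `server` block on lines 29–36 is indented with spaces while the rest of the file uses tabs.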

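--- a/run.sh
+++ b/run.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+if ! [ -s "/srv/git/.ssh/authorized_keys" ]; then
+    if [ -z "$PELICAN_PUBKEY" ]; then
+        echo "Warning: if you don't give an authorized key using"
+        echo "Warning: PELICAN_PUBKEY, you won't be able to push"
+        echo "Warning: commits to your blog"
+    else
+        echo "$PELICAN_PUBKEY" >> /srv/git/.ssh/authorized_keys
+    fi
+fi
+
+/usr/bin/supervisord -n -c /etc/supervisord.conf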
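Review bot: `echo "$PELICAN_PUBKEY"` on line 9 writes an externally supplied value with `echo`, whose treatment of a leading `-n`/`-e` or of backslashes varies between shells; `printf '%s\n' "$PELICAN_PUBKEY" >> /srv/git/.ssh/authorized_keys` writes it verbatim. The value is appended without any check, so a multi-line value installs several authorized_keys entries (including any key options they carry); at minimum the script could verify it is a single line before appending, and the warnings on lines 5–7 belong on stderr (`>&2`). Line 13 should be `exec /usr/bin/supervisord -n -c /etc/supervisord.conf` so supervisord replaces the shell and receives the container's stop signal. Note that the key is only installed while authorized_keys is empty, so a changed PELICAN_PUBKEY is silently ignored on a persisted /srv/git.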

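--- a/sshd.conf
+++ b/sshd.conf
@@ -0,0 +1,4 @@
+PermitRootLogin no
+AuthorizedKeysFile	.ssh/authorized_keys
+PasswordAuthentication no
+Subsystem	sftp	/usr/lib/ssh/sftp-server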
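Review bot: The config disables root and password logins but does not limit which account may log in or what an authenticated key is allowed to do; since the only intended use is `pelican` pushing to git, adding `AllowUsers pelican`, `AllowTcpForwarding no` and `X11Forwarding no` keeps a leaked key from becoming a general shell and network foothold inside the container. `PermitTunnel no` follows the same least-privilege stance. The `AuthorizedKeysFile` and `Subsystem` values on lines 2 and 4 are tab-separated, which sshd accepts, but spaces would be easier to read and edit.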

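--- a/supervisord.conf
+++ b/supervisord.conf
@@ -0,0 +1,26 @@
+[unix_http_server]
+file=/run/supervisord.sock   ; (the path to the socket file)
+
+[supervisord]
+logfile=/var/log/supervisord.log ; (main log file;default $CWD/supervisord.log)
+loglevel=info                ; (log level;default info; others: debug,warn,trace)
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///run/supervisord.sock ; use a unix:// URL  for a unix socket
+
+[program:nginx]
+command=/usr/sbin/nginx
+stdout_logfile=/dev/stdout
+stderr_logfile=/dev/stderr
+stdout_logfile_maxbytes=0
+stderr_logfile_maxbytes=0
+
+[program:sshd]
+command=/usr/sbin/sshd -D -f /etc/ssh/sshd_config
+stdout_logfile=/dev/stdout
+stderr_logfile=/dev/stderr
+stdout_logfile_maxbytes=0
+stderr_logfile_maxbytes=0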
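Review bot: `command=/usr/sbin/sshd -D -f /etc/ssh/sshd_config` on line 22 leaves sshd logging to syslog, and no syslog daemon is started in this container, so authentication events (accepted and rejected keys) are lost; adding `-e` (`command=/usr/sbin/sshd -D -e -f /etc/ssh/sshd_config`) sends them to stderr, which the `stderr_logfile=/dev/stderr` line already forwards to the container log. The `[unix_http_server]` socket at `/run/supervisord.sock` sets no `chmod=`/`chown=`; supervisor's default is owner-only, which is right here, but stating it explicitly documents the intent. The nginx entry relies on `daemon off;` in nginx.conf to stay in the foreground; a one-line comment next to `command=/usr/sbin/nginx` saying so would spare the next reader a detour.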