diff docker/prosody/Dockerfile @ 85:bcba1966e6db

docker: certificate generation + various improvements: - certificate is now auto-generated on first prosody launch if there is not already one - certificate generated on build is removed to avoid image-wide certificate - generated certificates are stored in sat_data - data image is now based on prosody which is itself based on sat_pubsub - prosody configuration is moved to /etc/prosody/prosody_sat_cfg, and stored in sat_data - building order changed to adapt to new image hierarchy - libervia default configuration set to both without redirection (and with a security warning)
author Goffi <goffi@goffi.org>
date Thu, 18 Feb 2016 17:31:09 +0100
parents 686a8c982c3f
children 30f3f83d6959
--- a/docker/prosody/Dockerfile	Thu Feb 18 17:23:08 2016 +0100
+++ b/docker/prosody/Dockerfile	Thu Feb 18 17:31:09 2016 +0100
@@ -6,7 +6,7 @@
 #                                                             #
 ###############################################################
 
-FROM salutatoi/base:latest
+FROM salutatoi/sat_pubsub:latest
 
 MAINTAINER Goffi <goffi@goffi.org>
 
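Review bot: `FROM salutatoi/sat_pubsub:latest` pins nothing, so two builds of this Dockerfile can start from different sat_pubsub contents, and the assumptions made further down (the tls-cert group existing, the certificate paths) may silently stop holding when the parent image moves. Since the description says the images now form a hierarchy, a version tag, or a tag plus digest such as `FROM salutatoi/sat_pubsub:<tag>@sha256:<digest>` (placeholder), keeps the whole chain reproducible.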
@@ -22,6 +22,8 @@
 # and install prosody and apg (to generate passwords)
 RUN apt-get install -y apg prosody-0.10
 RUN apt-get clean
+# prosody use need to access (and write) certificates
+RUN adduser prosody tls-cert
 
 ###################
 # PROSODY MODULES #
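Review bot: `RUN adduser prosody tls-cert` gives the prosody daemon write access to the certificates through the group, but in this commit the key is generated by the wrapper script before `/usr/bin/prosody` is started (later hunk), so the daemon itself only needs to read it. If the wrapper runs as root, as it appears to, a group with read-only rights on the key (mode 0640) is the least privilege that still serves TLS and means a compromised prosody process cannot replace the key. The comment on the preceding line is also garbled; `# the prosody user needs to read (and, if it generates them, write) the certificates` states what the group membership is for.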
@@ -39,16 +41,19 @@
 #################
 
 WORKDIR /etc/prosody
+RUN mkdir prosody_sat_cfg
 # we keep up-to-date configuration for this image on the repository
-RUN python -c 'import urllib2;f=open("prosody.cfg.lua","w");f.write(urllib2.urlopen("https://repos.goffi.org/sat_docs/raw-file/tip/docker/prosody/prosody.cfg.lua").read())'
+RUN python -c 'import urllib2;f=open("prosody_sat_cfg/prosody.cfg.lua","w");f.write(urllib2.urlopen("https://repos.goffi.org/sat_docs/raw-file/tip/docker/prosody/prosody.cfg.lua").read())'
+RUN ln -fs prosody_sat_cfg/prosody.cfg.lua prosody.cfg.lua
 
 ###############
 # CERTIFICATE #
 ###############
 
-# We want to use the certificat in /usr/share/sat
-# but we do a link to be sure that there is a certificate
-RUN ln -s /etc/prosody/certs/localhost.key /usr/share/sat/libervia.key; ln -s /etc/prosody/certs/localhost.crt /usr/share/sat/libervia.crt
+# We want to use the certificates in /usr/share/sat/certificates
+# and we don't want any certificate in the image,
+# they'll be generated at launch or mounted in container
+RUN rm -rf /etc/localhost.key /etc/prosody/certs/*
 
 ############################
 # AUTOMATIC CONFIGURATION  #
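Review bot: `RUN rm -rf /etc/localhost.key /etc/prosody/certs/*` runs in its own layer, so the key and certificate it deletes are still present in the layer produced by the earlier `RUN apt-get install -y apg prosody-0.10` (previous hunk, where the prosody package presumably creates them) and can be extracted from the published image; the description's goal of no image-wide certificate is not reached this way. Removing them in the same `RUN` that installs the package, e.g. `RUN apt-get install -y apg prosody-0.10 && rm -rf /etc/prosody/certs/*`, keeps them out of every layer. Separately, the configuration is fetched from the repository's `tip` at build time with no pinned revision or checksum, so the image depends on whatever the remote serves at build time; a fixed revision in the URL, or a checked-in `prosody.cfg.lua` installed with `COPY`, makes that step reproducible.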
@@ -70,7 +75,7 @@
 server.register_function(getenv, "getenv")\n\
 server.serve_forever()' > /usr/local/bin/container_server && chmod 0555 /usr/local/bin/container_server
 
-# the following script is used to automatically generate passwords for components
+# the following script is used to automatically generate passwords for components and certificate
 RUN echo '#!/bin/sh\n\
 export SAT_PUBSUB_SECRET=$(apg -n 1)\n\
 export SAT_SALUT_SECRET=$(apg -n 1)\n\
@@ -79,6 +84,11 @@
 fi\n\
 container_server&\n\
 echo "domain used: $DOMAIN\n"\n\
+if [ ! -f "/usr/share/sat/certificates/libervia.key" -o ! -f "/usr/share/sat/certificates/libervia.crt" ]; then\n\
+	echo "No certificate found, we generate one"\n\
+    openssl req -new -x509 -days 1825 -nodes -out "/usr/share/sat/certificates/libervia.crt"\
+            -newkey rsa:4096 -keyout "/usr/share/sat/certificates/libervia.key" -subj "/C=AU/CN=$DOMAIN"\n\
+fi\n\
 /usr/bin/prosody $@' > /usr/local/bin/prosody && chmod +x /usr/local/bin/prosody
 
 #########
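Review bot: the generated `libervia.key` is written by `openssl req -keyout` with the process's default umask, so unless the wrapper is started with a tighter umask the private key is created world-readable, and nothing in the hunk creates `/usr/share/sat/certificates` before writing into it (if it is not provided by the mounted data volume the `openssl` call fails). A `mkdir -p "/usr/share/sat/certificates"` before the test, running the generation as `(umask 027 && openssl req ...)` so both files come out 0640, and afterwards `chgrp tls-cert "/usr/share/sat/certificates/libervia.key" "/usr/share/sat/certificates/libervia.crt"` keeps the key private while the prosody user, which this commit adds to tls-cert, can still read it (each line in the same `\n\`-terminated echo form). The `-o` inside `[ ... ]` is the obsolescent form; two tests joined with `||` are more portable. The `RUN echo` that produces this script starts in the previous hunk.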