
xep: updated XEP-0356 (privileged entity): Several updates according to feedback + review: - added links to PEP and namespace delegation XEPs - removed MUST for default values in configuration - <forwarded/> element is now a child of a <privilege/> element - <perm/> "namespace" attribute has been renamed to "access" - "headline" type restriction for "message" privilege has been removed - "message" permission violation now results in a "forbidden" message error - for "presence" permission, only <presence/> stanzas with no type or with an "unavailable" type are sent to the privileged entity - added specification for "presence" if a managed entity is unavailable and if a privileged entity is available after the first <presence/> stanzas have been received - added Business Rules section - Updated namespace to reflect incompatible changes
author Goffi <goffi@goffi.org>
date Mon, 23 Mar 2015 18:41:01 +0100

###############################################################
#                                                             #
#                     Salut à Toi/Prosody                     #
#  This Dockerfile builds a Prosody version prepared for SàT  #
# Salut à Toi is a multi-frontends multi-purposes XMPP client #
#                                                             #
###############################################################

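# NOTE(review): a floating tag makes the build non-reproducible; pin a specific
# tag (or a digest) of salutatoi/base once one is chosen.
FROM salutatoi/base:latest

# MAINTAINER is deprecated, the maintainer is recorded as a label instead
LABEL maintainer="Goffi <goffi@goffi.org>"

########
# BASE #
########

# index refresh, install and cleanup live in ONE layer: an install without a fresh
# index silently reuses whatever the base image cached, and a cleanup done in a
# later layer cannot shrink the image. --no-install-recommends is deliberately not
# used: prosody's optional Lua libraries (TLS support among them) may come in as
# Recommends — TODO confirm against the package before trimming them.
RUN apt-get update \
    && apt-get install -y apg prosody \
    && rm -rf /var/lib/apt/lists/*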

######################
# REMOTE ROSTER HACK #
######################

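# This dirty hack is used temporarily in SàT to have nice features like fine permissions tuning
# see http://www.goffi.org/post/2012/06/24/Fine-access-tuning-for-PubSub
# A proper way is being worked on, with new XEPs

# The module is downloaded from a paste site over plain HTTP and then loaded into
# the XMPP server, so whoever can tamper with that download controls prosody.
# Pass --build-arg REMOTE_ROSTER_SHA256=<sha256 hex of the expected mod_remote_roster.lua>
# to pin it: a mismatch aborts the build. The empty default keeps the historical
# behaviour (download accepted unverified); the URL can be overridden the same way.
ARG REMOTE_ROSTER_URL=http://paste.debian.net/download/121248
ARG REMOTE_ROSTER_SHA256=
WORKDIR /usr/lib/prosody/modules
# wget/curl are not installed, so we use python
RUN python -c 'import hashlib,os,sys,urllib2;data=urllib2.urlopen(os.environ["REMOTE_ROSTER_URL"]).read();expected=os.environ.get("REMOTE_ROSTER_SHA256","");digest=hashlib.sha256(data).hexdigest();expected and digest!=expected and sys.exit("mod_remote_roster.lua: sha256 %s does not match REMOTE_ROSTER_SHA256"%digest);f=open("mod_remote_roster.lua","w");f.write(data);f.close()'
WORKDIR /etc/prosody
# the hacked module must be activated
RUN sed -i 's/modules_enabled = {/\0\n\t-- SàT specific\n\t\t"remote_roster";/' prosody.cfg.lua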

######################
# MISC CONFIGURATION #
######################

# Edits applied to the packaged prosody.cfg.lua, one sed pass after another
# (the order matters: "admins" is rewritten after the "domain" local is inserted):
#  - run in the foreground, the container is the process supervisor
#  - listen on every interface for components; the port is *NOT* EXPOSEd, this is
#    only meant for linked containers
#  - comment out "register": self registration is handled by a SàT plugin instead
#  - enable "announce", useful on a Libervia instance
#  - read the domain from the DOMAIN environment variable (default libervia.int)
#    and make admin@DOMAIN the administrator
#  - declare the VirtualHost for that domain
#  - strip the packaged "log = { ... }" table so prosody keeps its default,
#    unsplit logs
RUN sed -i 's/daemonize = true;/daemonize = false;/' prosody.cfg.lua \
    && sed -i 's/^----------- Virtual hosts -----------/component_interface="0.0.0.0"\n\n\0/' prosody.cfg.lua \
    && sed -i 's/"register"/--\0/' prosody.cfg.lua \
    && sed -i 's/--"announce"/"announce"/' prosody.cfg.lua \
    && sed -i 's/^admins =.*$/\nlocal domain = os.getenv("DOMAIN") or "libervia.int"\n\0/' prosody.cfg.lua \
    && sed -i 's/admins = { }/admins = { "admin@"..(domain) }/' prosody.cfg.lua \
    && sed -i 's/^------ Components ------/VirtualHost (domain)\n\n\0/' prosody.cfg.lua \
    && python -c 'import re;f=open("prosody.cfg.lua","r+");buf=re.sub(r"^log =.*^}","",f.read(),1,re.DOTALL | re.MULTILINE);f.seek(0);f.write(buf);f.truncate()'

###############
# CERTIFICATE #
###############

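# We want to use the certificate in /usr/share/sat
RUN sed -i 's%key = "/etc/prosody/certs/localhost.key";%key = "/usr/share/sat/libervia.key";%; s%certificate = "/etc/prosody/certs/localhost.crt";%certificate = "/usr/share/sat/libervia.crt";%' prosody.cfg.lua

# but we do a link to be sure that there is a certificate
# These links are only a fallback to the packaged self-signed localhost pair: a real
# key/certificate provided at /usr/share/sat (e.g. a mounted volume) takes precedence,
# so existing files are never overwritten. Commands are chained with && so that a
# failure aborts the build instead of being ignored as it was with ";".
# The sed above rewrites a "localhost.crt" path while the previous link pointed at
# "localhost.cert"; ln -s never checks its target, so that link could be dangling.
# Whichever of the two exists is linked, localhost.cert first to keep the old choice.
# The key must stay readable by the "prosody" user the image runs as — TODO confirm
# the permissions of the packaged key.
RUN mkdir -p /usr/share/sat \
    && { [ -e /usr/share/sat/libervia.key ] || [ -L /usr/share/sat/libervia.key ] \
         || ln -s /etc/prosody/certs/localhost.key /usr/share/sat/libervia.key; } \
    && { [ -e /usr/share/sat/libervia.crt ] || [ -L /usr/share/sat/libervia.crt ] \
         || { [ -e /etc/prosody/certs/localhost.cert ] \
              && ln -s /etc/prosody/certs/localhost.cert /usr/share/sat/libervia.crt; } \
         || ln -s /etc/prosody/certs/localhost.crt /usr/share/sat/libervia.crt; }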

##############
# COMPONENTS #
##############

# Components declared in prosody.cfg.lua, all named after the "domain" local that the
# MISC CONFIGURATION step introduced:
#  - chat.DOMAIN: multi-user chat ("muc")
#  - proxy.DOMAIN: SOCKS5 bytestream proxy ("proxy65")
#  - sat-pubsub.DOMAIN and salut.DOMAIN (SàT's directory component): external
#    components, each authenticated with the secret read from its SAT_*_SECRET
#    variable. Both are inserted in front of the "------ Additional" marker, so
#    after the two edits sat-pubsub comes first, then salut.
RUN sed -i 's/--Component "conference.example.com" "muc"/Component ("chat."..domain) "muc"/' prosody.cfg.lua \
    && sed -i 's/--Component "proxy.example.com" "proxy65"/Component ("proxy."..domain) "proxy65"/' prosody.cfg.lua \
    && sed -i 's/^------ Additional/Component ("sat-pubsub."..domain)\n\tcomponent_secret = os.getenv("SAT_PUBSUB_SECRET")\n\n\0/' prosody.cfg.lua \
    && sed -i 's/^------ Additional/Component ("salut."..domain)\n\tcomponent_secret = os.getenv("SAT_SALUT_SECRET")\n\n\0/' prosody.cfg.lua

############################
# AUTOMATIC CONFIGURATION  #
############################

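# this script allows to call prosodyctl and get configuration variables from linked containers
# The XML-RPC endpoint has no authentication, so:
#  - it is not EXPOSEd, but it binds 0.0.0.0:9999 by default, which means any container
#    able to reach this one on the network can run prosodyctl and read the component
#    secrets. CONTAINER_SERVER_BIND can be set at runtime to restrict the address.
#  - getenv() only hands out the variables listed in EXPORTED; the check raises a real
#    exception instead of an assert, which "python -O" would strip
#  - prosodyctl() is run without a shell, and rejects arguments starting with "-" so a
#    client cannot smuggle options onto the prosodyctl command line
# (no "#" comment lines inside the quoted script: Docker strips them from the RUN)
RUN echo '#!/usr/bin/env python2\n\
import os, subprocess, SimpleXMLRPCServer\n\
EXPORTED = ("SAT_PUBSUB_SECRET", "SAT_SALUT_SECRET", "DOMAIN")\n\
def _positional(value):\n\
    if not isinstance(value, basestring) or value.startswith("-"):\n\
        raise ValueError("invalid prosodyctl argument")\n\
    return value\n\
def prosodyctl(command, profile, pwd):\n\
    args = ["prosodyctl", _positional(command), _positional(profile)]\n\
    process = subprocess.Popen(args, stdin=subprocess.PIPE)\n\
    if pwd:\n\
        process.communicate("%s\\n%s" % (pwd, pwd))\n\
    return process.wait()\n\
def getenv(variable):\n\
    if variable not in EXPORTED:\n\
        raise ValueError("variable is not exported")\n\
    return os.getenv(variable)\n\
bind = os.getenv("CONTAINER_SERVER_BIND", "0.0.0.0")\n\
server = SimpleXMLRPCServer.SimpleXMLRPCServer((bind, 9999))\n\
server.register_function(prosodyctl, "prosodyctl")\n\
server.register_function(getenv, "getenv")\n\
server.serve_forever()' > /usr/local/bin/container_server && chmod 0555 /usr/local/bin/container_server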

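# the following script is used to automatically generate passwords for components
#  - a secret is only generated when the variable is not already set, so a deployment
#    may supply stable ones; generated ones are 32 random characters with digits,
#    upper and lower case (the bare "apg -n 1" defaults gave short pronounceable words)
#  - "$DOMAIN" is quoted: the unquoted test misbehaved on empty or whitespace values
#  - the script ends with exec so prosody itself is PID 1 and receives the SIGTERM of
#    "docker stop" (the shell did not forward it, leaving prosody to be SIGKILLed);
#    "$@" is quoted so arguments with spaces reach prosody intact
RUN echo '#!/bin/sh\n\
[ -n "$SAT_PUBSUB_SECRET" ] || SAT_PUBSUB_SECRET=$(apg -n 1 -a 1 -m 32 -x 32 -M NCL)\n\
[ -n "$SAT_SALUT_SECRET" ] || SAT_SALUT_SECRET=$(apg -n 1 -a 1 -m 32 -x 32 -M NCL)\n\
[ -n "$DOMAIN" ] || DOMAIN="libervia.int"\n\
export SAT_PUBSUB_SECRET SAT_SALUT_SECRET DOMAIN\n\
container_server&\n\
echo "domain used: $DOMAIN\n"\n\
exec /usr/bin/prosody "$@"' > /usr/local/bin/prosody && chmod +x /usr/local/bin/prosody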

#########
# PORTS #
#########

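# client to server (C2S)
EXPOSE 5222

# server to server (S2S)
EXPOSE 5269

##########
# LAUNCH #
##########

# prosody needs to access /var/run to write its pid
# (chained with && so a failure aborts the build instead of being ignored)
RUN mkdir -p /var/run/prosody && chown prosody:adm /var/run/prosody

# everything from here on is unprivileged: the wrapper, container_server (and so the
# prosodyctl calls it makes) and prosody itself all run as the "prosody" user
USER prosody

# "prosody" is expected to resolve to the /usr/local/bin wrapper written above, which
# generates the component secrets and then execs /usr/bin/prosody
ENTRYPOINT ["prosody"]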