Commit 519103f0 authored by Michał 'rysiek' Woźniak's avatar Michał 'rysiek' Woźniak

README.md added; entrypoint.sh added but not yet used (still WIP)

parent 1ea7d6ab
# [Webschleuder](https://git.codecoop.org/schleuder/webschleuder3) on `docker`
This repo contains `docker` configuration for `webschleuder3`, a web interface for an encrypted group email system `schleuder3`.
Uses `schleuder3 beta`, because it seems to actually be installable on modern systems. See:
* https://git.codecoop.org/schleuder/schleuder3
* https://git.codecoop.org/schleuder/schleuder-conf
If a valid database is not found, `rake db:setup` is run inside the container to set-up a basic valid database.
## Communication with `schleuderd`
This image requires a `schleuderd` running somewhere and accessible via `TCP/IP` -- one option is to run the [`schlocker3` docker image](https://git.occrp.org/libre/schlocker3/). You can configure the `schleuderd` URI with the `WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI` environment variable described below.
**Please be advised that `schleuderd` does not, at this time, offer authentication, nor does it support `TLS`-encrypted connections. This means that `webschleuder3` should be run on the same physical machine, or at least on a connection that precludes the possibility of malicious connections being made to `schleuderd`.** You have been warned!
## Environment variables
- `WEBSCHLOCKER_CONFIG_HOSTNAME` (default: container's hostname)
The hostname `webschleuder3` will run under, used among others in confirmation links sent to users.
- `WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI` (default: `http://localhost:4567/`)
URI the `schleuderd` daemon can be reached at.
- `WEBSCHLOCKER_CONFIG_MAILER_FROM` (default: `noreply@$WEBSCHLOCKER_CONFIG_HOSTNAME`)
Sender address for all the e-mails originating from the web interface (i.e. confirmation e-mails). Keep in mind that this should be an address that the e-mail server will let through.
- `WEBSCHLOCKER_CONFIG_DELIVERY_METHOD` (default: `smtp`)
Delivery method to use for outgoing e-mail; `webschleuder3` uses [`ActionMailer`](http://api.rubyonrails.org/classes/ActionMailer/Base.html) to send mail.
- `WEBSCHLOCKER_CONFIG_SENDMAIL_ARGUMENTS` (default: `-t -i -f`)
Arguments passed to `sendmail`, if `WEBSCHLOCKER_CONFIG_DELIVERY_METHOD` is set to `sendmail`.
- `WEBSCHLOCKER_CONFIG_SMTP_ADDRESS` (default: `localhost`)
- `WEBSCHLOCKER_CONFIG_SMTP_PORT` (default: `25`)
SMTP server address and port to be used when `WEBSCHLOCKER_CONFIG_DELIVERY_METHOD` is set to `smtp`.
- `WEBSCHLOCKER_CONFIG_SMTP_OPENSSL_VERIFY_MODE` (default: `none`)
How should the server cert be verified, if at all, when `WEBSCHLOCKER_CONFIG_DELIVERY_METHOD` is set to `smtp`. Currently not used at all.
## TODO
- handle more [`ActionMailer` config options](http://api.rubyonrails.org/classes/ActionMailer/Base.html)
\ No newline at end of file
#!/bin/bash
#
# entrypoint script for webschlocker
#
# handle signals
trap abort SIGHUP SIGINT SIGQUIT SIGTERM SIGSTOP SIGKILL
function abort {
echo
echo "* * * ABORTED * * *"
echo
exit 0
}
# who to run as
[ -z ${WEBSCHLOCKER_USER+x} ] && WEBSCHLOCKER_USER="webschlocker"
[ -z ${WEBSCHLOCKER_GROUP+x} ] && WEBSCHLOCKER_GROUP="webschlocker"
# webschleuder config
[ -z ${WEBSCHLOCKER_CONFIG_HOSTNAME+x} ] && WEBSCHLOCKER_CONFIG_HOSTNAME=$( hostname )
[ -z ${WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI+x} ] && WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI="http://localhost:4567/"
[ -z ${WEBSCHLOCKER_CONFIG_MAILER_FROM+x} ] && WEBSCHLOCKER_CONFIG_MAILER_FROM="noreply@$WEBSCHLOCKER_CONFIG_HOSTNAME"
[ -z ${WEBSCHLOCKER_CONFIG_DELIVERY_METHOD+x} ] && WEBSCHLOCKER_CONFIG_DELIVERY_METHOD="smtp"
[ -z ${WEBSCHLOCKER_CONFIG_SENDMAIL_ARGUMENTS+x} ] && WEBSCHLOCKER_CONFIG_SENDMAIL_ARGUMENTS="-t -i -f"
[ -z ${WEBSCHLOCKER_CONFIG_SMTP_ADDRESS+x} ] && WEBSCHLOCKER_CONFIG_SMTP_ADDRESS="localhost"
[ -z ${WEBSCHLOCKER_CONFIG_SMTP_PORT+x} ] && WEBSCHLOCKER_CONFIG_SMTP_PORT="25"
[ -z ${WEBSCHLOCKER_CONFIG_OPENSSL_VERIFY_MODE+x} ] && WEBSCHLOCKER_CONFIG_OPENSSL_VERIFY_MODE="none"
# secret key base
[ -z ${WEBSCHLOCKER_SECRET_KEY_BASE+x} ] && WEBSCHLOCKER_SECRET_KEY_BASE="$( echo $RANDOM | sha256sum | sed -r -e 's/\s+-//' )$( echo $RANDOM | sha256sum | sed -r -e 's/\s+-//' )"
#
# inform
echo "+-- working with:"
echo " +-- WEBSCHLOCKER_USER : $WEBSCHLOCKER_USER"
echo " +-- WEBSCHLOCKER_GROUP : $WEBSCHLOCKER_GROUP"
#
# root is not what we want as the user to run as
#
# let's make sure we're not running as root, shall we?
if [ $WEBSCHLOCKER_UID == 0 ] || [ $WEBSCHLOCKER_USER == 'root' ] || [ $WEBSCHLOCKER_GID == 0 ] || [ $WEBSCHLOCKER_GROUP == 'root' ]; then
echo
echo "* * * ERROR: trying to run as root -- I cannot let you do that, Dave!"
echo
exit 1
fi
# get group data, if any, and check if the group exists
if GROUP_DATA=`getent group "$WEBSCHLOCKER_GROUP"`; then
# it does! do we have the gid given?
if [[ "$WEBSCHLOCKER_GID" != "" ]]; then
# we do! do these match?
if [[ `echo "$GROUP_DATA" | cut -d ':' -f 3` != "$WEBSCHLOCKER_GID" ]]; then
# they don't. we have a problem
echo "ERROR: group $WEBSCHLOCKER_GROUP already exists, but with a different gid (`echo "$GROUP_DATA" | cut -d ':' -f 3`) than provided ($WEBSCHLOCKER_GID)!"
exit 3
fi
fi
# if no gid given, the existing group satisfies us regardless of the GID
# group does not exist
else
# do we have the gid given?
GID_ARGS=""
if [[ "$WEBSCHLOCKER_GID" != "" ]]; then
# we do! does a group with a given id exist?
if getent group "$WEBSCHLOCKER_GID" >/dev/null; then
echo "ERROR: a group with a given id ($WEBSCHLOCKER_GID) already exists, can't create group $WEBSCHLOCKER_GROUP with this id"
exit 4
fi
# prepare the fragment of the groupadd command
GID_ARGS="-g $WEBSCHLOCKER_GID"
fi
# we either have no GID given (and don't care about it), or have a GID given that does not exist in the system
# great! let's add the group
groupadd $GID_ARGS "$WEBSCHLOCKER_GROUP"
fi
# get user data, if any, and check if the user exists
if USER_DATA=`id -u "$WEBSCHLOCKER_USER" 2>/dev/null`; then
# it does! do we have the uid given?
if [[ "$WEBSCHLOCKER_UID" != "" ]]; then
# we do! do these match?
if [[ "$USER_DATA" != "$WEBSCHLOCKER_UID" ]]; then
# they don't. we have a problem
echo "ERROR: user $WEBSCHLOCKER_USER already exists, but with a different uid ("$USER_DATA") than provided ($WEBSCHLOCKER_UID)!"
exit 5
fi
fi
# if no uid given, the existing user satisfies us regardless of the uid
# but is he in the right group?
adduser "$WEBSCHLOCKER_USER" "$WEBSCHLOCKER_GROUP"
# user does not exist
else
# do we have the uid given?
UID_ARGS=""
if [[ "$WEBSCHLOCKER_UID" != "" ]]; then
# we do! does a group with a given id exist?
if getent passwd "$WEBSCHLOCKER_UID" >/dev/null; then
echo "ERROR: a user with a given id ($WEBSCHLOCKER_UID) already exists, can't create user $WEBSCHLOCKER_USER with this id"
exit 6
fi
# prepare the fragment of the useradd command
UID_ARGS="-u $WEBSCHLOCKER_UID"
fi
# we either have no UID given (and don't care about it), or have a UID given that does not exist in the system
# great! let's add the user
useradd $UID_ARGS -r -g "$WEBSCHLOCKER_GROUP" "$WEBSCHLOCKER_USER"
fi
#
# config
#
# hopefully the unneeded settings will be ignored ;)
# For delivery_method, sendmail_settings and smtp_settings see
# <http://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration>.
WEBSCHLOCKER_CONFIG="
production:
web_hostname: $WEBSCHLOCKER_CONFIG_HOSTNAME
schleuderd_uri: $WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI
mailer_from: $WEBSCHLOCKER_CONFIG_MAILER_FROM
delivery_method: $WEBSCHLOCKER_CONFIG_DELIVERY_METHOD
sendmail_settings:
arguments: $WEBSCHLOCKER_CONFIG_SENDMAIL_ARGUMENTS
smtp_settings:
address: $WEBSCHLOCKER_CONFIG_SMTP_ADDRESS
port: $WEBSCHLOCKER_CONFIG_SMTP_PORT
#openssl_verify_mode: $WEBSCHLOCKER_CONFIG_OPENSSL_VERIFY_MODE
"
bundle exec rake db:setup RAILS_ENV=production
exec bundle exec rails server -b 0.0.0.0 -e production
\ No newline at end of file
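Review bot: `WEBSCHLOCKER_SECRET_KEY_BASE` (the `[ -z ${WEBSCHLOCKER_SECRET_KEY_BASE+x} ]` line) is built by hashing two `$RANDOM` values, and `$RANDOM` is a 15-bit number, so the generated secret carries roughly 30 bits of entropy despite its 128 hex characters; derive it from the kernel CSPRNG instead, e.g. `WEBSCHLOCKER_SECRET_KEY_BASE="$(head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n')"` (or `openssl rand -hex 64` if the image ships openssl). The root check `[ $WEBSCHLOCKER_UID == 0 ] || ...` is also unreliable: `WEBSCHLOCKER_UID` and `WEBSCHLOCKER_GID` are never given defaults, so when they are unset the unquoted `[ == 0 ]` is a test error (exit 2) rather than false and the `||` chain silently moves on; `[[ "${WEBSCHLOCKER_UID:-}" == 0 || "$WEBSCHLOCKER_USER" == root || "${WEBSCHLOCKER_GID:-}" == 0 || "$WEBSCHLOCKER_GROUP" == root ]]` evaluates cleanly for every input. Nothing after the user/group setup drops privileges — `bundle exec rake db:setup` and `exec bundle exec rails server` run as whatever user invoked the entrypoint, so the created account is never actually used, and `WEBSCHLOCKER_CONFIG` is assembled but never written to disk; this is presumably the WIP the commit message mentions, but a `gosu`/`su-exec` step and a write of the config belong there before the script is wired in. Minor: the script has no `set -e`, so a failed `groupadd`/`useradd` does not stop the `exec` line, and `SIGSTOP`/`SIGKILL` in the `trap` list cannot be caught and can be dropped.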
defaults: &defaults
web_hostname: listtest.occrp.org
schleuderd_uri: http://schlocker:4567/
mailer_from: noreply@listtest.occrp.org
# For delivery_method, sendmail_settings and smtp_settings see
# <http://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration>.
delivery_method: smtp
sendmail_settings:
arguments: '-t -i -f'
smtp_settings:
address: smtpd
port: 25
#openssl_verify_mode: none
test:
<<: *defaults
development:
<<: *defaults
web_hostname: 0.0.0.0:3000
production:
<<: *defaults
web_hostname: listtest.occrp.org
\ No newline at end of file
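Review bot: The `production:` mapping repeats `web_hostname: listtest.occrp.org`, which is exactly the value already merged in from the `defaults` anchor, so the override is a no-op; either drop the line or add a comment saying the repetition is deliberate (for example `# explicit on purpose: production must not inherit a dev hostname`). The commented-out `#openssl_verify_mode: none` line under `smtp_settings` would likewise benefit from a one-line note on why it is disabled, since a reader cannot tell whether the option is unsupported by the app or intentionally left at the library default.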