README.md added; entrypoint.sh added but not yet used (still WIP)

519103f0 · Michał 'rysiek' Woźniak · 1ea7d6ab · 519103f0 · 519103f0 · 1ea7d6ab
Commit 519103f0 authored Apr 22, 2016 by Michał 'rysiek' Woźniak
Hide whitespace changes
Inline Side-by-side

Showing with 191 additions and 22 deletions

README.md README.md +51 -0

entrypoint.sh entrypoint.sh +140 -0

webschleuder.yml webschleuder.yml +0 -22

No files found.
--- a/README.md
+++ b/README.md
+# [Webschleuder](https://git.codecoop.org/schleuder/webschleuder3) on `docker`
+
+This repo contains `docker` configuration for `webschleuder3`, a web interface for an encrypted group email system `schleuder3`.
+
+Uses `schleuder3 beta`, because it seems to actually be installable on modern systems. See:
+
+* https://git.codecoop.org/schleuder/schleuder3
+* https://git.codecoop.org/schleuder/schleuder-conf
+
+If a valid database is not found, `rake db:setup` is run inside the container to set-up a basic valid database.
+
+## Communication with `schleuderd`
+
+This image requires a `schleuderd` running somewhere and accessible via `TCP/IP` -- one option is to run the [`schlocker3` docker image](https://git.occrp.org/libre/schlocker3/). You can configure the `schleuderd` URI with the `WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI` environment variable described below.
+
+**Please be advised that `schleuderd` does not, at this time, offer authentication, nor does it support `TLS`-encrypted connections. This means that `webschleuder3` should be run on the same physical machine, or at least on a connection that precludes the possibility of malicious connections being made to `schleuderd`.** You have been warned!
+
+## Environment variables
+
+ - `WEBSCHLOCKER_CONFIG_HOSTNAME` (default: container's hostname)
+
+The hostname `webschleuder3` will run under, used among others in confirmation links sent to users.
+
+ - `WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI` (default: `http://localhost:4567/`)
+
+URI the `schleuderd` daemon can be reached at.
+ 
+ - `WEBSCHLOCKER_CONFIG_MAILER_FROM` (default: `noreply@$WEBSCHLOCKER_CONFIG_HOSTNAME`)
+ 
+Sender address for all the e-mails originating from the web interface (i.e. confirmation e-mails). Keep in mind that this should be an address that the e-mail server will let through.
+ 
+ - `WEBSCHLOCKER_CONFIG_DELIVERY_METHOD` (default: `smtp`)
+ 
+Delivery method to use for outgoing e-mail; `webschleuder3` uses [`ActionMailer`](http://api.rubyonrails.org/classes/ActionMailer/Base.html) to send mail.
+ 
+ - `WEBSCHLOCKER_CONFIG_SENDMAIL_ARGUMENTS` (default: `-t -i -f`)
+ 
+Arguments passed to `sendmail`, if `WEBSCHLOCKER_CONFIG_DELIVERY_METHOD` is set to `sendmail`.
+ 
+ - `WEBSCHLOCKER_CONFIG_SMTP_ADDRESS` (default: `localhost`)
+ - `WEBSCHLOCKER_CONFIG_SMTP_PORT` (default: `25`)
+ 
+SMTP server address and port to be used when `WEBSCHLOCKER_CONFIG_DELIVERY_METHOD` is set to `smtp`.
+ 
+ - `WEBSCHLOCKER_CONFIG_SMTP_OPENSSL_VERIFY_MODE` (default: `none`)
+ 
+How should the server cert be verified, if at all, when `WEBSCHLOCKER_CONFIG_DELIVERY_METHOD` is set to `smtp`. Currently not used at all.
+
+## TODO
+
+ - handle more [`ActionMailer` config options](http://api.rubyonrails.org/classes/ActionMailer/Base.html)
\ No newline at end of file
--- a/entrypoint.sh
+++ b/entrypoint.sh
+#!/bin/bash
+
+#
+# entrypoint script for webschlocker
+#
+
+# handle signals
+trap abort SIGHUP SIGINT SIGQUIT SIGTERM SIGSTOP SIGKILL
+function abort {
+    echo
+    echo "* * * ABORTED * * *"
+    echo
+    exit 0
+}
+
+# who to run as
+[ -z ${WEBSCHLOCKER_USER+x} ]  && WEBSCHLOCKER_USER="webschlocker"
+[ -z ${WEBSCHLOCKER_GROUP+x} ] && WEBSCHLOCKER_GROUP="webschlocker"
+
+# webschleuder config
+[ -z ${WEBSCHLOCKER_CONFIG_HOSTNAME+x} ] && WEBSCHLOCKER_CONFIG_HOSTNAME=$( hostname )
+[ -z ${WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI+x} ] && WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI="http://localhost:4567/"
+[ -z ${WEBSCHLOCKER_CONFIG_MAILER_FROM+x} ] && WEBSCHLOCKER_CONFIG_MAILER_FROM="noreply@$WEBSCHLOCKER_CONFIG_HOSTNAME"
+[ -z ${WEBSCHLOCKER_CONFIG_DELIVERY_METHOD+x} ] && WEBSCHLOCKER_CONFIG_DELIVERY_METHOD="smtp"
+[ -z ${WEBSCHLOCKER_CONFIG_SENDMAIL_ARGUMENTS+x} ] && WEBSCHLOCKER_CONFIG_SENDMAIL_ARGUMENTS="-t -i -f"
+[ -z ${WEBSCHLOCKER_CONFIG_SMTP_ADDRESS+x} ] && WEBSCHLOCKER_CONFIG_SMTP_ADDRESS="localhost"
+[ -z ${WEBSCHLOCKER_CONFIG_SMTP_PORT+x} ] && WEBSCHLOCKER_CONFIG_SMTP_PORT="25"
+[ -z ${WEBSCHLOCKER_CONFIG_OPENSSL_VERIFY_MODE+x} ] && WEBSCHLOCKER_CONFIG_OPENSSL_VERIFY_MODE="none"
+
+# secret key base
+[ -z ${WEBSCHLOCKER_SECRET_KEY_BASE+x} ] && WEBSCHLOCKER_SECRET_KEY_BASE="$( echo $RANDOM | sha256sum | sed -r -e 's/\s+-//' )$( echo $RANDOM | sha256sum | sed -r -e 's/\s+-//' )"
+
+#
+# inform
+echo "+-- working with:"
+echo "    +-- WEBSCHLOCKER_USER     : $WEBSCHLOCKER_USER"
+echo "    +-- WEBSCHLOCKER_GROUP    : $WEBSCHLOCKER_GROUP"
+
+#
+# root is not what we want as the user to run as
+#
+
+# let's make sure we're not running as root, shall we?
+if [ $WEBSCHLOCKER_UID == 0 ] || [ $WEBSCHLOCKER_USER == 'root' ] || [ $WEBSCHLOCKER_GID == 0 ] || [ $WEBSCHLOCKER_GROUP == 'root' ]; then
+    echo
+    echo "* * * ERROR: trying to run as root -- I cannot let you do that, Dave!"
+    echo
+    exit 1
+fi
+
+# get group data, if any, and check if the group exists
+if GROUP_DATA=`getent group "$WEBSCHLOCKER_GROUP"`; then
+  # it does! do we have the gid given?
+  if [[ "$WEBSCHLOCKER_GID" != "" ]]; then
+    # we do! do these match?
+    if [[ `echo "$GROUP_DATA" | cut -d ':' -f 3` != "$WEBSCHLOCKER_GID" ]]; then
+      # they don't. we have a problem
+      echo "ERROR: group $WEBSCHLOCKER_GROUP already exists, but with a different gid (`echo "$GROUP_DATA" | cut -d ':' -f 3`) than provided ($WEBSCHLOCKER_GID)!"
+      exit 3
+    fi
+  fi
+  # if no gid given, the existing group satisfies us regardless of the GID
+
+# group does not exist
+else
+  # do we have the gid given?
+  GID_ARGS=""
+  if [[ "$WEBSCHLOCKER_GID" != "" ]]; then
+    # we do! does a group with a given id exist?
+    if getent group "$WEBSCHLOCKER_GID" >/dev/null; then
+      echo "ERROR: a group with a given id ($WEBSCHLOCKER_GID) already exists, can't create group $WEBSCHLOCKER_GROUP with this id"
+      exit 4
+    fi
+    # prepare the fragment of the groupadd command
+    GID_ARGS="-g $WEBSCHLOCKER_GID"
+  fi
+  # we either have no GID given (and don't care about it), or have a GID given that does not exist in the system
+  # great! let's add the group
+  groupadd $GID_ARGS "$WEBSCHLOCKER_GROUP"
+fi
+
+
+# get user data, if any, and check if the user exists
+if USER_DATA=`id -u "$WEBSCHLOCKER_USER" 2>/dev/null`; then
+  # it does! do we have the uid given?
+  if [[ "$WEBSCHLOCKER_UID" != "" ]]; then
+    # we do! do these match?
+    if [[ "$USER_DATA" != "$WEBSCHLOCKER_UID" ]]; then
+      # they don't. we have a problem
+      echo "ERROR: user $WEBSCHLOCKER_USER already exists, but with a different uid ("$USER_DATA") than provided ($WEBSCHLOCKER_UID)!"
+      exit 5
+    fi
+  fi
+  # if no uid given, the existing user satisfies us regardless of the uid
+  # but is he in the right group?
+  adduser "$WEBSCHLOCKER_USER" "$WEBSCHLOCKER_GROUP"
+
+# user does not exist
+else
+  # do we have the uid given?
+  UID_ARGS=""
+  if [[ "$WEBSCHLOCKER_UID" != "" ]]; then
+    # we do! does a group with a given id exist?
+    if getent passwd "$WEBSCHLOCKER_UID" >/dev/null; then
+      echo "ERROR: a user with a given id ($WEBSCHLOCKER_UID) already exists, can't create user $WEBSCHLOCKER_USER with this id"
+      exit 6
+    fi
+    # prepare the fragment of the useradd command
+    UID_ARGS="-u $WEBSCHLOCKER_UID"
+  fi
+  # we either have no UID given (and don't care about it), or have a UID given that does not exist in the system
+  # great! let's add the user
+  useradd $UID_ARGS -r -g "$WEBSCHLOCKER_GROUP" "$WEBSCHLOCKER_USER"
+fi
+
+
+#
+# config
+#
+
+# hopefully the unneeded settings will be ignored ;)
+# For delivery_method, sendmail_settings and smtp_settings see
+# <http://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration>.
+WEBSCHLOCKER_CONFIG="
+production:
+    web_hostname: $WEBSCHLOCKER_CONFIG_HOSTNAME
+    schleuderd_uri: $WEBSCHLOCKER_CONFIG_SCHLEUDERD_URI
+    mailer_from: $WEBSCHLOCKER_CONFIG_MAILER_FROM
+    delivery_method: $WEBSCHLOCKER_CONFIG_DELIVERY_METHOD
+    sendmail_settings:
+        arguments: $WEBSCHLOCKER_CONFIG_SENDMAIL_ARGUMENTS
+    smtp_settings:
+        address: $WEBSCHLOCKER_CONFIG_SMTP_ADDRESS
+        port: $WEBSCHLOCKER_CONFIG_SMTP_PORT
+        #openssl_verify_mode: $WEBSCHLOCKER_CONFIG_OPENSSL_VERIFY_MODE
+"
+
+
+bundle exec rake db:setup RAILS_ENV=production
+exec bundle exec rails server -b 0.0.0.0 -e production
\ No newline at end of file
--- a/webschleuder.yml
+++ b/webschleuder.yml
-defaults: &defaults
-  web_hostname: listtest.occrp.org
-  schleuderd_uri: http://schlocker:4567/
-  mailer_from: noreply@listtest.occrp.org
-  # For delivery_method, sendmail_settings and smtp_settings see
-  # <http://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration>.
-  delivery_method: smtp
-  sendmail_settings:
-    arguments: '-t -i -f'
-  smtp_settings:
-    address: smtpd
-    port: 25
-    #openssl_verify_mode: none
-
-test:
-  <<: *defaults
-development:
-  <<: *defaults
-  web_hostname: 0.0.0.0:3000
-production:
-  <<: *defaults
-  web_hostname: listtest.occrp.org
\ No newline at end of file