Update docker to obtain cert at runtime, not buildtime

since the latter doesn't work

Dockerfile

@@ -0,0 +1,33 @@
+FROM alpine:latest
+
+RUN apk add --update --no-cache \
+	bash python3 py3-pip nginx uwsgi uwsgi-python3 certbot certbot-nginx
+
+
+
+WORKDIR /root/ftracker
+
+COPY ftracker/ ./ftracker/
+COPY setup.py .
+COPY README.md .
+COPY LICENSE.md .
+COPY res/config.deploy.ini /etc/ftracker/config.ini
+
+RUN pip3 install wheel
+RUN pip3 install .
+
+
+
+COPY web/ /var/www/html/ftracker/
+COPY res/ ./res/
+
+COPY res/ftracker.nossl.nginx.conf /etc/nginx/conf.d/ftracker.conf
+RUN rm /etc/nginx/conf.d/default.conf
+
+RUN mkdir -p /etc/ftracker /var/ftracker \
+	&& chown -R nginx:nginx /etc/ftracker /var/ftracker
+
+
+
+RUN chmod +x ./res/docker-entrypoint.sh
+ENTRYPOINT [ "./res/docker-entrypoint.sh" ]

README.md

@@ -28,15 +28,63 @@ Then, point your browser at <http://localhost:5000/>.
 
 ## Installation/Deployment
 
-### 1. FTracker Backend
+There are 2 methods: Docker and Manual.
+
+### Method A: Docker
+
+Build the container with
 
-As above:
 ```bash
-# clone, cd into repo
+sudo docker build . -t ftracker
-pip install . # Use -e if you want to hack on the backend while installed.
 ```
 
-### 2. WSGI Server + Service file
+Then, if you want the container to also handle SSL so it can run standalone you
+need to pass it a domain and Email so it can obtain a certificate from `Let's
+encrypt`:
+
+```bash
+sudo docker run \
+	-d \
+	--name ftracker \
+	-e DOMAIN=example.com \
+	-e LE_EMAIL=admin@example.com \
+	-p 80:80 \
+	-p 443:443 \
+	-v /your/full/path/to/config.ini:/etc/ftracker/config.ini \
+	ftracker
+```
+
+Otherwise you can run it without SSL (maybe behind your own web+ssl server)
+using just
+
+```bash
+sudo docker run \
+	-d \
+	--name ftracker \
+	-p 80:80 \
+	-v /your/full/path/to/config.ini:/etc/ftracker/config.ini \
+	ftracker
+```
+
+To stop/start/uninstall the container afterwards, run:
+
+```bash
+docker stop ftracker  # might take up to 10 seconds
+docker start ftracker # continue runniing
+docker rm -f ftracker # uninstall
+```
+
+### Method B: Manual
+
+#### 1. FTracker Backend
+
+Install backend system wide:
+```bash
+# clone, cd into repo
+sudo -H pip install . # Use -e if you want to hack on the backend while installed.
+```
+
+#### 2. WSGI Server + Service file
 
 You need a WSGI Middleware (using `Flask`'s included `werkzeug` is discouraged
 for production environments). I recommend `uwsgi` since it's flexible, fast and
@@ -45,7 +93,7 @@ description files for both `systemd` and `rc` are included in `res/` for you to
 adapt (file paths etc.) and install to your system (The `systemd` service file
 still untested though, feel free to leave feedback).
 
-### 3. Webserver
+#### 3. Webserver
 
 You need a webserver. I recommend `nginx` because it's the industry standard
 and fast. A sample config file is included in `res/` for you to adapt (domain,
@@ -55,7 +103,7 @@ Webroot in `web/` with a fallback to the WSGI handler for the backend.
 Enabling SSL (https) and redirecting http to https is strongly encouraged, i
 recommend using `Let's Encrypt`'s `certbot` to easily obtain certificates.
 
-### 4. Customization
+#### 4. Customization
 
 Edit `config.ini` to your liking. Restart the backend by restarting the `uwsgi`
 service, e.g. `sudo systemctl restart ftracker` or `sudo service ftracker

res/config.deploy.ini

@@ -0,0 +1,23 @@
+[global]
+
+# Persistent file for storage of times, in .json format.
+# Remove or leave empty for temporary (/tmp/ftracker-db.json) storage
+db_file = /var/ftracker/db.json
+
+# List of people to be allowed, in .csv format (comma, no delimiters)
+# Col1: First Name(s), Col2: Last Name(s), Col3 (optional): EMail
+# Remove or leave empty for no check
+name_file =
+
+
+# Username and password for data retrieval
+admin_user = admin
+admin_pass = topSecret
+
+
+# Link to a document with guidelines for entering
+guideline_url = https://youtu.be/oHg5SJYRHA0
+
+
+# JSON indentation for debugging
+json_indent = 4

res/docker-entrypoint.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+echo " >>> Starting nginx <<< "
+
+mkdir /run/nginx # needed because of bug in package
+/usr/sbin/nginx -t
+/usr/sbin/nginx
+
+echo " >>> Checking / Installing SSL certificate <<< "
+
+if [[ ${DOMAIN} ]]
+then
+	echo "Obtaining cert for '${DOMAIN}' ..."
+	echo "Registering with email '${LE_EMAIL}' ..."
+
+	certbot -n \
+		--nginx \
+		--keep-until-expiring \
+		--redirect \
+		--agree-tos \
+		--cert-name ${DOMAIN} \
+		-d ${DOMAIN} \
+		-m ${LE_EMAIL}
+
+	echo "Checked/Installed SSL certificate."
+fi
+
+echo " >>> Starting uwsgi <<< "
+
+/usr/sbin/uwsgi --ini /root/ftracker/res/ftracker.alpine.uwsgi.ini

res/ftracker.alpine.uwsgi.ini

@@ -0,0 +1,12 @@
+[uwsgi]
+plugin = python3
+module = ftracker:app
+socket = /tmp/ftracker.sock
+manage-script-name = true
+master = true
+
+uid = nginx
+gid = nginx
+
+proesses = 1
+threads = 1

res/ftracker.debian.uwsgi.ini

@@ -0,0 +1,12 @@
+[uwsgi]
+plugin = python3
+module = ftracker:app
+socket = /tmp/ftracker.sock
+manage-script-name = true
+master = true
+
+uid = www-data
+gid = www-data
+
+proesses = 1
+threads = 1

res/ftracker.nginx.conf

@@ -1,38 +1,38 @@
 server {
-        server_name ftracker.fasttube.de;
+	server_name ftracker.fasttube.de;
 
-        listen 443 ssl;
+	listen 443 ssl;
 
-        root /root/ftracker/web;
+	root /root/ftracker/web;
 
-        index index.html index.htm;
+	index index.html index.htm;
 
-        location / {
+	location / {
-                # First attempt to serve request as file
+		# First attempt to serve request as file
-                # If no such file, show index to allow for client side routing
+		# If no such file, pass to backend
-                try_files $uri $uri/ $uri.html @api;
+		try_files $uri $uri/ $uri.html @api;
 	}
 
 	location @api {
-                include uwsgi_params;
+		include uwsgi_params;
-                # Pass it to the uwsgi server
+		# Pass it to the uwsgi server
-                uwsgi_pass unix:///tmp/ftracker.sock;
+		uwsgi_pass unix:///tmp/ftracker.sock;
-        }
+	}
 
-        # RIP
+	# RIP
-        add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
+	add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
 
-        ssl_certificate /usr/local/etc/letsencrypt/live/ftracker.fasttube.de/fullchain.pem;
+	ssl_certificate /usr/local/etc/letsencrypt/live/ftracker.fasttube.de/fullchain.pem;
-        ssl_certificate_key /usr/local/etc/letsencrypt/live/ftracker.fasttube.de/privkey.pem;
+	ssl_certificate_key /usr/local/etc/letsencrypt/live/ftracker.fasttube.de/privkey.pem;
 
 }
 
 server {
-        server_name ftracker.fasttube.de;
+	server_name ftracker.fasttube.de;
 
-        listen 80;
+	listen 80;
 
-        # 308 instead of 301 to prohibit method change on redirect
+	# 308 instead of 301 to prohibit method change on redirect
-        # (some clients change POST to GET on 301, 308 does not allow that)
+	# (some clients change POST to GET on 301, 308 does not allow that)
-        return 308 https://$host$request_uri;
+	return 308 https://$host$request_uri;
 }

res/ftracker.nossl.nginx.conf

@@ -0,0 +1,24 @@
+server {
+
+	listen 80 default_server;
+
+	root /var/www/html/ftracker;
+
+	index index.html index.htm;
+
+	location / {
+		# First attempt to serve request as file
+		# If no such file, pass to backend
+		try_files $uri $uri/ $uri.html @api;
+	}
+
+	location @api {
+		include uwsgi_params;
+		# Pass it to the uwsgi server
+		uwsgi_pass unix:///tmp/ftracker.sock;
+	}
+
+	# RIP
+	add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
+
+}