SoundSoftware Code Site

# For documentation and experimental purposes only. As a

# reconstruction of the machine image that runs this application,

# there are lots of things missing here; but as a good Docker

# configuration, it fails by mixing together rather a lot of concerns.

FROM ubuntu:16.04

MAINTAINER Chris Cannam <cannam@all-day-breakfast.com>

RUN apt-get update && \

    apt-get install -y \

    apache2 \

    apache2-dev \

    apt-utils \

    build-essential \

    cron \

    curl \

    doxygen \

    exim4 \

    git \

    graphviz \

    imagemagick \

    libapache-dbi-perl \

    libapache2-mod-perl2 \

    libapr1-dev \

    libaprutil1-dev \

    libauthen-simple-ldap-perl \

    libcurl4-openssl-dev \

    libdbd-pg-perl \

    libpq-dev \

    libmagickwand-dev \

    libio-socket-ssl-perl \

    logrotate \

    mercurial \

    postgresql \

    rsync \

    ruby \

    ruby-dev \

    sudo

# Also used on the live site, for javadoc extraction, but this is

# would be by far the biggest package here: let's omit it while we're

# not making use of it

#   openjdk-9-jdk-headless

RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Passenger gets installed through gem, not apt

RUN gem install passenger -v 4.0.60 --no-rdoc --no-ri

RUN passenger-install-apache2-module --languages=ruby

# Copy across webapp, set up ownership

COPY . /var/www/code

RUN groupadd code

RUN useradd -g code -G www-data code

RUN chown -R code.www-data /var/www/code

RUN find /var/www/code -type d -exec chmod g+s \{\} \;

# Initialise /var/hg (in reality this would be mounted from somewhere)

RUN mkdir -p /var/hg

RUN chown code.www-data /var/hg

RUN chmod g+s /var/hg

COPY extra/soundsoftware/dockertest/index.cgi /var/hg/

COPY extra/soundsoftware/dockertest/hgweb.config /var/hg/

RUN chmod +x /var/hg/index.cgi

# We're based in the code webapp directory from here on

WORKDIR /var/www/code

# Set up database config etc

RUN cp extra/soundsoftware/dockertest/database.yml.interpolated config/database.yml

# Install Rails and dependencies (database.yml must be populated before this)

RUN gem install bundler

RUN bundle install

# Initialise Redmine token (bundler must be installed before this)

RUN bundle exec rake generate_secret_token

# Import Postgres database from postgres-dumpall file

RUN chown postgres postgres-dumpall

RUN /etc/init.d/postgresql start && sudo -u postgres psql -f postgres-dumpall postgres

# Install Perl auth module for Hg access

RUN mkdir -p /usr/local/lib/site_perl/Apache/Authn/

RUN cp extra/soundsoftware/SoundSoftware.pm /usr/local/lib/site_perl/Apache/Authn/

# Set up Apache config (todo: insert variables)

RUN rm -f /etc/apache2/sites-enabled/000-default.conf

RUN cp extra/soundsoftware/dockertest/passenger.conf /etc/apache2/mods-available/

RUN cp extra/soundsoftware/dockertest/passenger.load /etc/apache2/mods-available/

RUN cp extra/soundsoftware/dockertest/perl.conf      /etc/apache2/mods-available/

RUN ln -s ../mods-available/passenger.conf  /etc/apache2/mods-enabled/

RUN ln -s ../mods-available/passenger.load  /etc/apache2/mods-enabled/

RUN ln -s ../mods-available/perl.conf       /etc/apache2/mods-enabled/

RUN ln -s ../mods-available/expires.load    /etc/apache2/mods-enabled/

RUN ln -s ../mods-available/rewrite.load    /etc/apache2/mods-enabled/

RUN ln -s ../mods-available/cgi.load        /etc/apache2/mods-enabled/

RUN cp extra/soundsoftware/dockertest/code.conf.interpolated /etc/apache2/sites-available/code.conf

RUN ln -s ../sites-available/code.conf /etc/apache2/sites-enabled/10-code.conf

RUN apache2ctl configtest

# Start Postgres and foregrounded Apache

RUN echo "#!/bin/bash"                      > container-run.sh

RUN echo "/etc/init.d/postgresql start"    >> container-run.sh

RUN echo "apache2ctl -D FOREGROUND"        >> container-run.sh

RUN chmod +x container-run.sh

EXPOSE 80

CMD ./container-run.sh

# A test Apache config. Lacks SSL, lacks a desirable extra layer of

# authentication for admin interface paths. Do not deploy this.

PerlLoadModule Apache::Authn::SoundSoftware

<VirtualHost *:80>

        ServerName code.soundsoftware.ac.uk

        ServerAdmin chris.cannam@soundsoftware.ac.uk

        DocumentRoot /var/www/code/public

        PassengerRestartDir restart_files

        PassengerHighPerformance on

        PassengerMaxRequests 50000

        PassengerStatThrottleRate 5

	PassengerStartTimeout 60

	PassengerFriendlyErrorPages on

        RailsSpawnMethod smart

        ExpiresDefault "access plus 1 minute"

        <DirectoryMatch "^/.*/\.svn/">

                Order allow,deny

                Deny from all

                Satisfy All

        </DirectoryMatch>

        <DirectoryMatch "^/.*/\.hg/">

                Order allow,deny

                Deny from all

                Satisfy All

        </DirectoryMatch>

        <DirectoryMatch "^/.*/\.git/">

                Order allow,deny

                Deny from all

                Satisfy All

        </DirectoryMatch>

        <Directory /var/www/code/public>

                Options -MultiViews

	</Directory>

        <Directory /var/www/code/public/themes/soundsoftware/stylesheets/fonts>

		# Avoid other sites embedding our fonts

		RewriteEngine on

		RewriteCond %{HTTP_REFERER} !^$

		RewriteCond %{HTTP_REFERER} !^http(s)?://code.soundsoftware.ac.uk/.*$ [NC]

		RewriteRule \.(ttf|woff|eot|otf|svg|zip|gz|html|txt)$ - [F]

	</Directory>

	ScriptAlias /hg "/var/hg/index.cgi"

	<Location /hg>

               	AuthName "Mercurial"

                AuthType Basic

                Require valid-user

		PerlAccessHandler Apache::Authn::SoundSoftware::access_handler

      		PerlAuthenHandler Apache::Authn::SoundSoftware::authen_handler

		PerlSetVar HTTPS "on"

		SoundSoftwareDSN "dbi:Pg:database=code;host=localhost"

    		SoundSoftwareDbUser "code"

     		SoundSoftwareDbPass "INSERT_POSTGRES_PASSWORD_HERE"

		SoundSoftwareRepoPrefix "/var/hg/"

                #!!! "on" in production please!:

                SoundSoftwareSslRequired "off"

		Options +ExecCGI

		AddHandler cgi-script .cgi

		ExpiresDefault now

        </Location>

	Alias /git "/var/files/git-mirror"

	<Directory "/var/files/git-mirror">

		Options -Indexes +FollowSymLinks

                Order allow,deny

                Allow from all

	</Directory>

	<Directory ~ "/var/files/git-mirror/.*\.workdir">

		Order allow,deny

		Deny from all

	</Directory>

	<Directory ~ "/var/files/git-mirror/__.*">

                Order allow,deny

                Deny from all

	</Directory>

	ErrorLog /var/log/apache2/code-error.log

	CustomLog /var/log/apache2/code-access.log vhost_combined

        LogLevel warn

        ServerSignature Off

</VirtualHost>

production:

  adapter: postgresql

  database: code

  host: localhost

  username: code

  password: "INSERT_POSTGRES_PASSWORD_HERE"

[paths]

/ = /var/hg/*

[web]

allow_archive = gz, zip, bz2

allow_push = *

#!/usr/bin/env python

#

# An example CGI script to export multiple hgweb repos, edit as necessary

# adjust python path if not a system-wide install:

#import sys

#sys.path.insert(0, "/path/to/python/lib")

# enable importing on demand to reduce startup time

from mercurial import demandimport; demandimport.enable()

# Uncomment to send python tracebacks to the browser if an error occurs:

import cgitb

cgitb.enable()

# If you'd like to serve pages with UTF-8 instead of your default

# locale charset, you can do so by uncommenting the following lines.

# Note that this will cause your .hgrc files to be interpreted in

# UTF-8 and all your repo files to be displayed using UTF-8.

#

import os

os.environ["HGENCODING"] = "UTF-8"

from mercurial.hgweb.hgwebdir_mod import hgwebdir

import mercurial.hgweb.wsgicgi as wsgicgi

# The config file looks like this.  You can have paths to individual

# repos, collections of repos in a directory tree, or both.

#

# [paths]

# virtual/path1 = /real/path1

# virtual/path2 = /real/path2

# virtual/root = /real/root/*

# / = /real/root2/*

# virtual/root2 = /real/root2/**

#

# [collections]

# /prefix/to/strip/off = /root/of/tree/full/of/repos

#

# paths example:

#

# * First two lines mount one repository into one virtual path, like

# '/real/path1' into 'virtual/path1'.

#

# * The third entry mounts every mercurial repository found in '/real/root'

# in 'virtual/root'. This format is preferred over the [collections] one,

# since using absolute paths as configuration keys is not supported on every

# platform (especially on Windows).

#

# * The fourth entry is a special case mounting all repositories in

# /'real/root2' in the root of the virtual directory.

#

# * The fifth entry recursively finds all repositories under the real root,

# and mounts them using their relative path (to given real root) under the

# virtual root.

#

# collections example: say directory tree /foo contains repos /foo/bar,

# /foo/quux/baz.  Give this config section:

#   [collections]

#   /foo = /foo

# Then repos will list as bar and quux/baz.

#

# Alternatively you can pass a list of ('virtual/path', '/real/path') tuples

# or use a dictionary with entries like 'virtual/path': '/real/path'

application = hgwebdir('hgweb.config')

wsgicgi.launch(application)

PassengerMaxPoolSize 60

LoadModule passenger_module /var/lib/gems/2.3.0/gems/passenger-4.0.60/buildout/apache2/mod_passenger.so

PassengerRoot /var/lib/gems/2.3.0/gems/passenger-4.0.60

PassengerDefaultRuby /usr/bin/ruby2.3

# Apache::DBI is supposed to be a transparent replacement for Perl DBI with

# better performance when multiple connections are made with common DSN, user

# and password

PerlModule Apache::DBI

#!/bin/bash

dbpwd="$1"

if [ -z "$dbpwd" ]; then

    echo "Usage: $0 <database-password>" 1>&2

    exit 2

fi

set -eu

dockerdir=./extra/soundsoftware/dockertest

if [ ! -d "$dockerdir" ]; then

    echo "Run this script from the root of a working copy of soundsoftware-site"

    exit 2

fi

for f in database.yml code.conf ; do

    cat "$dockerdir/$f" |

        sed 's/INSERT_POSTGRES_PASSWORD_HERE/'"$dbpwd"'/g' > \

            "$dockerdir/$f.interpolated"

done

dockertag="cannam/soundsoftware-site"

sudo docker build -t "$dockertag" -f "$dockerdir/Dockerfile" .

sudo docker run -p 8080:80 -d "$dockertag"