Merge pull request #27 from ZeusWPI/docker-compose

Add basic docker config

.dockerignore

@@ -0,0 +1,7 @@
+.git/
+target/
+Dockerfile
+docker-compose.yml
+shell.nix
+nix/
+openapi/

Dockerfile

@@ -0,0 +1,21 @@
+FROM rustlang/rust:nightly-buster AS builder
+
+WORKDIR /usr/src/zauth
+
+RUN cargo install diesel_cli
+COPY . .
+RUN cargo install --path .
+
+FROM debian:buster-slim
+
+WORKDIR /usr/src/zauth
+
+RUN apt-get update && apt-get install -y netcat-openbsd sqlite3 libpq-dev libmariadbclient-dev
+COPY --from=builder /usr/local/cargo/bin/diesel /usr/local/cargo/bin/zauth /usr/local/bin/
+COPY Rocket.toml diesel.toml /usr/src/zauth/
+COPY migrations/ migrations/
+COPY docker_misc/ docker_misc/
+COPY static/ static/
+
+ENV ROCKET_ENV production
+CMD ["zauth"]

Rocket.toml

@@ -3,3 +3,7 @@ url = "postgresql://zauth:zauth@localhost/zauth"
 
 [development]
 secret_key = "1vwCFFPSdQya895gNiO556SzmfShG6MokstgttLvwjw="
+
+[production.databases.postgresql_database]
+url = "postgresql://zauth:zauth@database/zauth"
+

docker-compose.yml

@@ -0,0 +1,30 @@
+version: '3.5'
+services:
+  zauth:
+    build: .
+    ports:
+      - "8000:8000"
+    restart: on-failure
+    depends_on:
+      - database
+    command: >
+      sh -c "./docker_misc/wait_for_service database 5432 && diesel --database-url 'postgresql://zauth:zauth@database/zauth' database setup && ROCKET_ENV=production zauth"
+    networks:
+      - zauth-internal
+
+  database:
+    image: postgres:13-alpine
+    restart: on-failure
+    environment:
+      POSTGRES_USER: zauth
+      POSTGRES_PASSWORD: zauth
+    volumes:
+      - zauth-database:/var/lib/postgresql/data
+    networks:
+      - zauth-internal
+
+networks:
+  zauth-internal:
+    name: 'zauth-internal'
+volumes:
+  zauth-database:

docker_misc/pg_hba.conf

@@ -0,0 +1,100 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file.  A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local         DATABASE  USER  METHOD  [OPTIONS]
+# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# non-SSL TCP/IP socket.  Similarly, "hostgssenc" uses a
+# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
+# non-GSSAPI socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof.  In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches.  It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask.  A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts.  Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE.  The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted.  Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal.  If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records.  In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+# CAUTION: Configuring the system for local "trust" authentication
+# allows any local user to connect as any PostgreSQL user, including
+# the database superuser.  If you do not trust all your local users,
+# use another authentication method.
+
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# "local" is for Unix domain socket connections only
+local   all             all                                     trust
+# IPv4 local connections:
+host    all             all             127.0.0.1/32            trust
+# IPv6 local connections:
+host    all             all             ::1/128                 trust
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local   replication     all                                     trust
+host    replication     all             127.0.0.1/32            trust
+host    replication     all             ::1/128                 trust
+
+host    all             all             .zauth-internal         md5
+host    all             mailaccess      all                     md5

docker_misc/wait_for_service

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if [ $# -ne 2 ]; then
+	echo "Usage: $0 <hostname> <port>" >&2
+	exit 1
+fi
+
+while ! nc -z "$1" "$2"; do
+	echo "$1:$2 not yet available, waiting"
+	sleep 1
+done
+echo "Done"

migrations/2019-10-30-155718_schema/down.sql

@@ -1,2 +1,3 @@
-drop table user;
+drop table users;
 drop table client;
+drop view postfix_view;

migrations/2019-10-30-155718_schema/up.sql

@@ -28,3 +28,8 @@ CREATE TABLE clients
     redirect_uri_list TEXT         NOT NULL DEFAULT '',
     created_at        TIMESTAMP    NOT NULL DEFAULT NOW()
 );
+
+CREATE VIEW postfix_view AS
+  SELECT username, email
+  FROM users
+  WHERE state = 'active';