From 0548585a23377a6816f248dd6392399f0cf6ba11 Mon Sep 17 00:00:00 2001
From: Bel LaPointe
Date: Fri, 18 Feb 2022 11:35:11 -0700
Subject: [PATCH] update readme, add dockerfile
---
 .gitignore | 1 +
 server/.dockerignore | 3 +++
 server/Dockerfile | 30 ++++++++++++++++++++++++++++++
 server/README.md | 26 ++++++++++++++++++--------
 4 files changed, 52 insertions(+), 8 deletions(-)
 create mode 100644 server/.dockerignore
 create mode 100644 server/Dockerfile
diff --git a/.gitignore b/.gitignore
index a874295..814ec52 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ ui/render
 server/public/ui/**/.*.html
 **/*.ctmpl.html
 server/public/ui/render
+server/releasedata
diff --git a/server/.dockerignore b/server/.dockerignore
new file mode 100644
index 0000000..65f0624
--- /dev/null
+++ b/server/.dockerignore
@@ -0,0 +1,3 @@
+.*
+**/.*
+**/*.sw*
diff --git a/server/Dockerfile b/server/Dockerfile
new file mode 100644
index 0000000..46f9819
--- /dev/null
+++ b/server/Dockerfile
@@ -0,0 +1,30 @@
+FROM registry-app.eng.qops.net:5001/imported/alpine:3.15 as certs
+RUN apk update && apk add --no-cache ca-certificates
+
+FROM registry-app.eng.qops.net:5001/imported/alpine:3.15 as encoder
+WORKDIR /main
+RUN apk update && apk add --no-cache gpg gpg-agent
+ARG KEY=""
+COPY ./releasedata ./releasedata
+RUN cat ./releasedata/users.yaml \
+ | gpg --batch --no-tty --passphrase="$KEY" --cipher-algo AES256 --symmetric -z 0 \
+ > ./users.yaml.gpg
+
+FROM registry-app.eng.qops.net:5001/imported/alpine:3.15 as runner
+RUN apk update && apk --no-cache upgrade && apk add --no-cache bash gpg gpg-agent
+WORKDIR /main
+COPY --from=certs /etc/ssl/certs /etc/ssl/certs
+COPY --from=encoder /main/users.yaml.gpg ./
+
+COPY ./exec-server ./
+COPY ./public ./public
+RUN test -e /main/exec-server
+RUN test -d /main/public
+RUN mkdir -p /var/log /main/public/files /main/public/media
+
+ENV GOPATH=""
+VOLUME /main/public/files
+VOLUME /main/public/media
+RUN echo 'cat /main/users.yaml.gpg | gpg --batch --no-tty --passphrase="$KEY" --decrypt > /main/users.yaml && /main/exec-server "$@"' > /main/entrypoint.sh
+ENTRYPOINT ["bash", "/main/entrypoint.sh"]
+CMD []
diff --git a/server/README.md b/server/README.md
index eca2be3..255e429 100644
--- a/server/README.md
+++ b/server/README.md
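Review bot: The passphrase enters the `encoder` stage as `ARG KEY` and is expanded into `--passphrase="$KEY"` on the `RUN` line, so it is recorded in that stage's build history and cache metadata and shows up on the gpg command line; build args are not a safe channel for secrets. A BuildKit secret mount keeps it out of both: `RUN --mount=type=secret,id=key gpg --batch --no-tty --passphrase-file /run/secrets/key --cipher-algo AES256 --symmetric -z 0 -o ./users.yaml.gpg ./releasedata/users.yaml`, built with `docker build --secret id=key,src=<key file> .`. The `KEY=""` default also lets a build without the argument reach gpg with an empty passphrase, so drop the default or add a guard such as `test -n "$KEY"` before encrypting. In the `runner` stage the generated entrypoint has the same command-line exposure of `$KEY`, leaves the decrypted `/main/users.yaml` on the container filesystem, starts `/main/exec-server` without `exec` (so bash stays PID 1 and stop signals may not reach the server), and there is no `USER` line, so the server runs as root.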
@@ -1,9 +1,19 @@ -## running with docker +## Using File Auth -d1=${d1:-$(mktemp -d)} -d2=${d2:-$(mktemp -d)} -docker run \ - -v $d1:/main/public/files \ - -v $d2:/main/public/media \ - -p 3004:3004 \ - --rm -it registry-app.eng.qops.net:5001/bel/work-notes:latest +1. Build a linux binary with `GOOS=linux CGO_ENABLED=0 go build -o ./exec-server -a -installsuffix cgo -ldflags "-s -w"` +1. Add your usernames, passwords, groups to `releasedata/users.yaml` +1. {one time} Generate and store an encryption `KEY` in Vault+Lastpass +1. Build a Docker image with `docker build -t registry-app.eng.qops.net:5001/bel/work-notes:latest --build-arg KEY='{{INSERT YOUR KEY HERE}}' .` +1. Push with `docker push registry-app.eng.qops.net:5001/bel/work-notes:latest` +1. Run like `docker run -v /mnt/files:/main/public/files -v /mnt/media:/main/public/media -e KEY='{{INSERT YOUR KEY HERE}}' -p 3005:3005 --rm -it registry-app.eng.qops.net:5001/bel/work-notes:latest -auth ./users.yaml -p 3005` + +### `users.yaml` Format + +```yaml +users: + bel: + password: bel + groups: + - g1 + - g2 +```