todo

.gitignore

@@ -11,3 +11,4 @@ ui/render
 server/public/ui/**/.*.html
 **/*.ctmpl.html
 server/public/ui/render
+server/releasedata

server/.dockerignore

@@ -0,0 +1,3 @@
+.*
+**/.*
+**/*.sw*

server/Dockerfile

@@ -0,0 +1,32 @@
+FROM registry-app.eng.qops.net:5001/imported/alpine:3.15 as certs
+RUN apk update && apk add --no-cache ca-certificates
+
+FROM registry-app.eng.qops.net:5001/imported/alpine:3.15 as encoder
+WORKDIR /main
+RUN apk update && apk add --no-cache gpg gpg-agent
+ARG KEY=""
+COPY ./releasedata ./releasedata
+RUN cat ./releasedata/users.yaml \
+	| gpg --batch --no-tty --passphrase="$KEY" --cipher-algo AES256 --symmetric -z 0 \
+	> ./users.yaml.gpg
+
+FROM registry-app.eng.qops.net:5001/imported/alpine:3.15 as runner
+RUN apk update && apk --no-cache upgrade && apk add --no-cache bash gpg gpg-agent
+WORKDIR /main
+COPY --from=certs /etc/ssl/certs /etc/ssl/certs
+COPY --from=encoder /main/users.yaml.gpg ./
+
+COPY ./exec-server ./
+COPY ./public ./public
+RUN test -e /main/exec-server
+RUN test -d /main/public
+RUN mkdir -p /var/log /main/public/files /main/public/media
+
+ENV GOPATH=""
+VOLUME /main/public/files
+VOLUME /main/public/media
+ENV COOKIE_SECRET=""
+ENV KEY=""
+RUN echo 'cat /main/users.yaml.gpg | gpg --batch --no-tty --passphrase="$KEY" --decrypt > /main/users.yaml && /main/exec-server "$@"' > /main/entrypoint.sh
+ENTRYPOINT ["bash", "/main/entrypoint.sh"]
+CMD []

server/README.md

@@ -1,9 +1,19 @@
-## running with docker
+## Using File Auth
 
-d1=${d1:-$(mktemp -d)}
+1. Build a linux binary with `GOOS=linux CGO_ENABLED=0 go build -o ./exec-server -a -installsuffix cgo -ldflags "-s -w"`
-d2=${d2:-$(mktemp -d)}
+1. Add your usernames, passwords, groups to `releasedata/users.yaml`
-docker run \
+1. {one time} Generate and store an encryption `KEY` in Vault+Lastpass
-	-v $d1:/main/public/files \
+1. Build a Docker image with `docker build -t registry-app.eng.qops.net:5001/breel/work-notes:latest --build-arg KEY='{{INSERT YOUR KEY HERE}}' .`
-	-v $d2:/main/public/media \
+1. Push with `docker push registry-app.eng.qops.net:5001/breel/work-notes:latest`
-	-p 3004:3004 \
+1. Run like `docker run -v /mnt/files:/main/public/files -v /mnt/media:/main/public/media -e KEY='{{INSERT YOUR KEY HERE}}' -e COOKIE_SECRET='{{INSERT ANOTHER KEY HERE}}' -p 3005:3005 --rm -it registry-app.eng.qops.net:5001/breel/work-notes:latest -auth ./users.yaml -p 3005`
-	--rm -it registry-app.eng.qops.net:5001/bel/work-notes:latest
+
+### `users.yaml` Format
+
+```yaml
+users:
+  breel:
+    password: breel
+    groups:
+    - g1
+    - g2
+```

server/testdata/users.yaml

@@ -1,6 +1,6 @@
 users:
-  bel:
+  breel:
-    password: bel
+    password: breel
     groups:
     - g1
     - g2

todo.yaml

@@ -1,6 +1,4 @@
 todo:
-- logout
-- encrypt files at docker build time, put decrypt key in vault
 - create fileauth login file
 - secret for cookie encrypt+decrypt
 - secrets
@@ -15,6 +13,7 @@ todo:
 - anchor links work
 - ui; last updated; 2022.02.01T12:34:56
 done:
+- encrypt files at docker build time, put decrypt key in vault
 - gitlab/-/blob/about.md does NOT map to exactly 1 file
 - crawler does NOT modify title cause readme.md everywhere
 - use `meta` so no need for extra level for explicit single files