.docker/entrypoint.sh

+#!/bin/bash
+
+echo "Copying static files ..."
+cp -r /usr/share/uffd/uffd/static /var/www/uffd
+
+db_ready="false"
+count=0
+while [ $count -lt 4 ] && [ "$db_ready" != "true" ] ;do
+  if uffd-admin db current >> /dev/null 2>&1 ;then
+    db_ready="true"
+  else
+    echo "Waiting for db to become ready..."
+    ((duration=2**$count))
+    sleep $duration
+    ((count=$count+1))
+  fi
+done
+
+if [ "$db_ready" == "true" ] ;then
+  echo "Running datbase migrations ..."
+  uffd-admin db upgrade
+
+  if [ -n "$UFFD_INITIAL_ADMIN_PW" ] && [ "$(uffd-admin user list)" == "" ]; then
+    echo "Creating groups and roles for initial admin user ..."
+    if ! uffd-admin group show 'uffd_admin' >> /dev/null 2>&1 ;then
+      uffd-admin group create 'uffd_admin'
+    fi
+    if ! uffd-admin group show 'uffd_access' >> /dev/null 2>&1 ;then
+      uffd-admin group create 'uffd_access'
+    fi
+    if ! uffd-admin role show 'uffd_admin' >> /dev/null 2>&1 ;then
+      uffd-admin role create 'uffd_admin' --add-group 'uffd_admin' --add-group 'uffd_access'
+    fi
+    if [ -z "$UFFD_INITIAL_ADMIN_USER" ] ;then
+      UFFD_INITIAL_ADMIN_USER='uffd_admin'
+    fi
+    if [ -z "$UFFD_INITIAL_ADMIN_MAIL" ] ;then
+      UFFD_INITIAL_ADMIN_MAIL='uffd_admin@localhost'
+    fi
+    echo "Creating initial admin user ..."
+    uffd-admin user create "$UFFD_INITIAL_ADMIN_USER" --password "$UFFD_INITIAL_ADMIN_PW" --mail "$UFFD_INITIAL_ADMIN_MAIL" --add-role 'uffd_admin'
+  fi
+else
+  echo "WARNING: Database is not ready yet, skipping migration and initialization"
+fi
+
+echo "Starting server ..."
+runuser --preserve-environment -u uffd -- \
+ uwsgi --ini /etc/uwsgi/apps-enabled/uffd.ini --socket 0.0.0.0:3031 --master --stats 0.0.0.0:9191

.dockerignore

+
+examples
+tests
+
+## All below is copied from .gitignore at 05460269538ad6b2bd8b80f6f8a6202cee1dd065
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg  # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
+# Auto-generated development key/certificate
+devcert.crt
+devcert.key

.gitlab-ci.yml

 image: registry.git.cccv.de/uffd/docker-images/buster
 
 variables:
-  DEBIAN_FRONTEND: noninteractive 
+  DEBIAN_FRONTEND: noninteractive
   GIT_SUBMODULE_STRATEGY: normal
   PYTHONPATH: deps/ldapalchemy
   APT_API_URL: https://packages.cccv.de
   APT_REPO: uffd
   PYLINT_PIN: pylint~=2.10.0
+  DOCKER_IMAGE_TAG: latest
 
 before_script:
   - python3 -V
@@ -40,6 +41,20 @@ build:apt:
     paths:
     - ./*.deb
 
+build:docker:
+  extends: .build
+  image:
+    name: gcr.io/kaniko-project/executor:debug
+    entrypoint: [""]
+  before_script: []
+  script:
+    - mkdir -p /kaniko/.docker
+    - /kaniko/executor --force --use-new-run --context $CI_PROJECT_DIR --no-push --destination $CI_REGISTRY_IMAGE --tarPath image.tar
+  artifacts:
+    paths:
+    - image.tar
+    when: on_success
+
 db_migrations_updated:
   stage: test
   script:
@@ -221,3 +236,15 @@ publish:apt:
   - 'curl --user "${APTLY_API_USER}:${APTLY_API_PW}" -X PUT -H "Content-Type: application/json" --data "{ }" "${APT_API_URL}/api/publish/uffd/bullseye"'
   dependencies:
   - build:apt
+
+publish:docker:
+  extends: .publish
+  image:
+    name: gcr.io/go-containerregistry/crane:debug
+    entrypoint: [""]
+  before_script: []
+  script:
+  - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  - crane push image.tar $CI_REGISTRY_IMAGE:$DOCKER_IMAGE_TAG
+  needs:
+  - build:docker

Dockerfile

+FROM registry.git.cccv.de/uffd/docker-images/bullseye AS builder
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV PYBUILD_INSTALL_ARGS="--install-lib=/usr/share/uffd/ --install-scripts=/usr/share/uffd/"
+
+RUN mkdir /build-dir && mkdir /build
+WORKDIR /build-dir
+
+COPY . .
+
+RUN set -x && \
+    ./debian/create_changelog.py uffd > debian/changelog && \
+    dpkg-buildpackage -us -uc && \
+    dpkg-deb -I /*.deb && \
+    dpkg-deb -c /*.deb && \
+    mv /*.deb /build/uffd.deb
+
+FROM debian:bullseye
+
+COPY --from=builder /build/uffd.deb /uffd.deb
+
+RUN set -x && \
+    apt update && \
+    apt install -y --no-install-recommends /uffd.deb python3-psycopg2 python3-pymysql && \
+    rm -rf /var/lib/apt/lists/* && \
+    rm /uffd.deb && \
+    cat /etc/uffd/uffd.cfg | grep -v "SECRET_KEY=" > /etc/uffd/uffd.cfg.tmp && \
+    mv /etc/uffd/uffd.cfg.tmp /etc/uffd/uffd.cfg && \
+    mkdir --parents /var/www/uffd && \
+    chown root:uffd /var/www/uffd
+
+COPY .docker/entrypoint.sh /entrypoint.sh
+
+USER uffd
+USER root
+
+EXPOSE 3031/tcp
+EXPOSE 9191/tcp
+
+CMD bash /entrypoint.sh
+
+LABEL project="https://git.cccv.de/uffd/uffd"

README.md

@@ -71,6 +71,25 @@ The Debian package uses uwsgi to run uffd and ships an `uffd-admin` to execute f
 If you upgrade, make sure to run `flask db upgrade` after every update! The Debian package takes care of this by itself using uwsgi pre start hooks.
 For an example uwsgi config, see our [uswgi.ini](uwsgi.ini). You might find our [nginx include file](nginx.include.conf) helpful to setup a web server in front of uwsgi.
 
+### Docker-based deployment
+
+To deploy uffd using docker, you can use the docker container `registry.git.cccv.de/uffd/uffd`.
+See <https://git.cccv.de/uffd/uffd/container_registry> for available tags.
+
+The container copies the static files to `/var/www/uffd`, runs database migrations, optionally creates an initial admin user,
+and finally runs the software using a uwsgi server.
+The api can be accessed through a uwsgi socket on port 3031.
+To deploy the software, a seperate http server (e.g. nginx) is required.
+
+See [examples/docker/basic-docker-compose.yml](examples/docker/basic-docker-compose.yml) for a minimal running setup.
+It uses a sqlite database in the volume `data`.
+
+For more advanced setups take a look at [examples/docker/advanced-docker-compose.yml](examples/docker/advanced-docker-compose.yml).
+It uses an external mariadb instance and allows configuation through the `uffd.cfg`.
+Additionally a custom name and email address is provided for the initial admin user.
+
+The uwsgi server also exposes stats on port 9191, which can be used for monitoring.
+
 ## Migration from version 1
 
 Prior to version 2 uffd stored users, groups and mail aliases in an LDAP server.

examples/docker/advanced-docker-compose.yml

+version: "3"
+
+networks:
+  uffd: {}
+
+volumes:
+  static-files: {}
+  data: {}
+
+services:
+  database:
+    image: mariadb
+    environment:
+      MYSQL_ROOT_PASSWORD: supersecret
+      MYSQL_USER: user
+      MYSQL_PASSWORD: secret
+      MYSQL_DATABASE: uffd
+    volumes:
+      - data:/var/lib/mysql
+    networks:
+      - uffd
+
+  uffd-python:
+    image: registry.git.cccv.de/uffd/uffd
+    environment:
+      UFFD_SECRET_KEY: supersecret
+      UFFD_INITIAL_ADMIN_USER: myadmin
+      UFFD_INITIAL_ADMIN_PW: S3cr3tS3cr3t!
+      UFFD_INITIAL_ADMIN_MAIL: myadmin@example.com
+    volumes:
+      - static-files:/var/www/uffd
+      - ./uffd.cfg:/etc/uffd/uffd.cfg:ro
+    networks:
+      - uffd
+
+  nginx:
+    image: nginx
+    volumes:
+      - static-files:/var/www/uffd
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+    ports:
+      - "80:80"
+    networks:
+      - uffd

examples/docker/basic-docker-compose.yml

+version: "3"
+
+networks:
+  uffd: {}
+
+volumes:
+  static-files: {}
+  data: {}
+
+services:
+  uffd-python:
+    image: registry.git.cccv.de/uffd/uffd
+    environment:
+      UFFD_SECRET_KEY: supersecret
+      UFFD_INITIAL_ADMIN_PW: S3cr3tS3cr3t!
+    volumes:
+      - static-files:/var/www/uffd
+      - data:/var/lib/uffd
+    networks:
+      - uffd
+  nginx:
+    image: nginx
+    volumes:
+      - static-files:/var/www/uffd
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+    ports:
+      - "80:80"
+    networks:
+      - uffd

examples/docker/nginx.conf

+server {
+    listen       80;
+    server_name  _;
+
+    location / {
+        uwsgi_pass uffd-python:3031;
+        include uwsgi_params;
+    }
+
+    location /static {
+        alias /var/www/uffd/static;
+    }
+}

examples/docker/uffd.cfg

+SQLALCHEMY_DATABASE_URI='mysql+pymysql://user:secret@database/uffd'

uffd/__init__.py

@@ -57,6 +57,9 @@ def init_config(app: Flask, test_config):
 	# Prior to v1.1 login required ACL_SELFSERVICE_GROUP and ACL_ACCESS_GROUP did not exist
 	app.config.setdefault('ACL_ACCESS_GROUP', app.config['ACL_SELFSERVICE_GROUP'])
 
+	if "UFFD_SECRET_KEY" in os.environ:
+		app.config["SECRET_KEY"] = os.environ["UFFD_SECRET_KEY"]
+
 	if app.env == "production" and app.secret_key is None:
 		raise Exception("SECRET_KEY not configured and we are running in production mode!")
 	app.config.setdefault("SECRET_KEY", secrets.token_hex(128))