diff --git a/Dockerfile b/Dockerfile index 9b6ea77..de45ff6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,6 +15,9 @@ FROM python:3.12-slim as production ENV VIRTUAL_ENV=/venv +# renovate: datasource=github-tags depName=gchq/cyberchef +ENV S6_OVERLAY_VERSION=3.1.6.2 + RUN useradd website --create-home -u 1000 && mkdir /app $VIRTUAL_ENV && chown -R website /app $VIRTUAL_ENV WORKDIR /app @@ -31,6 +34,9 @@ RUN apt-get update --yes --quiet && apt-get install --yes --quiet --no-install-r && apt-get autoremove && rm -rf /var/lib/apt/lists/* RUN curl -fsSL https://github.com/aptible/supercronic/releases/download/v0.2.1/supercronic-linux-amd64 -o /usr/local/bin/supercronic && chmod +x /usr/local/bin/supercronic +ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp +ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp +RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz ENV PATH=$VIRTUAL_ENV/bin:$PATH \ PYTHONUNBUFFERED=1 @@ -56,7 +62,11 @@ RUN cat ./etc/bashrc.sh >> ~/.bashrc RUN SECRET_KEY=none python manage.py collectstatic --noinput --clear -CMD ["/app/etc/entrypoints/web"] +COPY ./etc/s6-rc.d /etc/s6-overlay/s6-rc.d + +# Become root at the last minute for s6 +USER root +ENTRYPOINT [ "/init" ] # Just dev stuff FROM production as dev @@ -74,4 +84,5 @@ USER website COPY --chown=website dev-requirements.txt ./ RUN pip install --no-cache -r dev-requirements.txt +ENTRYPOINT [] CMD sleep infinity diff --git a/docker/dev/docker-compose.yml b/docker/dev/docker-compose.yml index cd6a27b..d5449ac 100644 --- a/docker/dev/docker-compose.yml +++ b/docker/dev/docker-compose.yml @@ -4,7 +4,6 @@ services: build: context: ../../ target: dev - init: true environment: - QUEUE_STORE_URL=redis://redis/0 - DEBUG=true 
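Review bot: The comment `# renovate: datasource=github-tags depName=gchq/cyberchef` above `ENV S6_OVERLAY_VERSION=3.1.6.2` names a different project and datasource from the ones the new `regexManagers` entry in renovate.json uses (`just-containers/s6-overlay`, `github-releases`), so it reads as a copy-paste leftover. Drop it or make it agree, e.g. `# renovate: datasource=github-releases depName=just-containers/s6-overlay`. The value is only consumed at build time by the `ADD` lines further down, so `ARG S6_OVERLAY_VERSION=3.1.6.2` would keep it out of the runtime environment. The Renovate pattern matches on `ENV`, though, and would have to change with it.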
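Review bot: Both `ADD https://github.com/just-containers/s6-overlay/...tar.xz /tmp` lines fetch release archives that the next `RUN` unpacks as root over `/`, with no integrity check, so whatever the URL serves at build time becomes the container's init system. BuildKit can pin each download with `ADD --checksum=sha256:PLACEHOLDER_DIGEST https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp`, and likewise for the x86_64 archive. The digest here is a placeholder to be taken from the release's published checksums. An automated Renovate bump of `S6_OVERLAY_VERSION` would then have to update the digests in the same change, which is the desired effect: a version change without a reviewed digest fails the build. Separately, each `ADD` is its own layer, so the archives stay in the image under `/tmp` even if a later step deletes them.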
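Review bot: `USER root` before `ENTRYPOINT [ "/init" ]` makes root the image's default user, so privilege separation now rests entirely on each file under `etc/s6-rc.d` calling `s6-setuidgid`. Anything started outside the service tree (`docker exec`, a one-off `docker run` with a command) also runs as root unless `--user` is passed. The existing comment says why root is needed but not that invariant. I would extend it to something like `# s6-overlay /init starts as root; every service must drop to "website" with s6-setuidgid in its run script`. The justfile in this commit adds `--user=website` for the dev recipes, and production tooling that execs into the container would need the same.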
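Review bot: With `ENTRYPOINT []` followed by the shell-form `CMD sleep infinity`, the dev container's PID 1 is a plain shell/sleep with no init in front of it, because the same commit also removes `init: true` from docker/dev/docker-compose.yml. Such a PID 1 does not act on SIGTERM and does not reap orphaned children, so `docker-compose down` waits for the stop timeout and kills the container. Keeping `init: true` on the dev service avoids that, since the dev target no longer runs s6's `/init`. This assumes the compose file does not override `command` or `entrypoint` for `web`, which is not visible in the hunk.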
diff --git a/etc/entrypoints/nginx b/etc/entrypoints/nginx deleted file mode 100755 index b9db4da..0000000 --- a/etc/entrypoints/nginx +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/env bash - -set -e - -exec nginx -g "daemon off;" diff --git a/etc/entrypoints/web b/etc/entrypoints/web deleted file mode 100755 index e4146f6..0000000 --- a/etc/entrypoints/web +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env bash - -set -e - -python manage.py migrate --noinput - -exec gunicorn -c etc/gunicorn.conf.py diff --git a/etc/entrypoints/worker b/etc/entrypoints/worker deleted file mode 100755 index c7315ee..0000000 --- a/etc/entrypoints/worker +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/env bash - -set -e - -exec python manage.py rqworker --with-scheduler diff --git a/etc/gunicorn.conf.py b/etc/gunicorn.conf.py index 48c83e4..2d0c238 100644 --- a/etc/gunicorn.conf.py +++ b/etc/gunicorn.conf.py @@ -1,8 +1,7 @@ wsgi_app = "website.wsgi:application" -accesslog = "-" disable_redirect_access_to_syslog = True preload_app = True -bind = "0.0.0.0:8080" +bind = "127.0.0.1:8080" max_requests = 1200 max_requests_jitter = 50 forwarded_allow_ips = "*" diff --git a/etc/nginx.conf b/etc/nginx.conf index ec22469..afd2897 100644 --- a/etc/nginx.conf +++ b/etc/nginx.conf @@ -26,7 +26,7 @@ server { proxy_set_header X-Forwarded-Host $host; proxy_set_header Proxy ""; - proxy_pass http://django:8080; + proxy_pass http://localhost:8080; } location /static { diff --git a/etc/s6-rc.d/cron/dependencies.d/migrate b/etc/s6-rc.d/cron/dependencies.d/migrate new file mode 100644 index 0000000..e69de29 diff --git a/etc/s6-rc.d/cron/run b/etc/s6-rc.d/cron/run new file mode 100644 index 0000000..57225a1 --- /dev/null +++ b/etc/s6-rc.d/cron/run @@ -0,0 +1,7 @@ +#!/command/with-contenv bash + +set -e + +cd /app + +exec supercronic etc/crontab diff --git a/etc/s6-rc.d/cron/type b/etc/s6-rc.d/cron/type new file mode 100644 index 0000000..5883cff --- /dev/null +++ b/etc/s6-rc.d/cron/type @@ -0,0 +1 @@ +longrun 
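Review bot: With the bind moved to `127.0.0.1:8080`, the unchanged `forwarded_allow_ips = "*"` at the end of this hunk no longer needs to trust every peer. Only the in-container nginx connects to gunicorn, so `forwarded_allow_ips = "127.0.0.1"` expresses that and stops any other local process from supplying forwarded headers that gunicorn would believe. Removing `accesslog = "-"` also means gunicorn emits no request log, so request-level audit data now depends on nginx's access log. That is configured outside this hunk, so it is worth confirming it is written to the container's stdout or stderr.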
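Review bot: `proxy_pass http://localhost:8080;` may resolve `localhost` to both `127.0.0.1` and `::1`, while gunicorn in this commit binds only `127.0.0.1:8080`. Where the container's hosts file lists both addresses, nginx would try the IPv6 one for part of the requests and log connection-refused errors before falling back. `proxy_pass http://127.0.0.1:8080;` matches the bind exactly and removes the dependency on name resolution. The enclosing `location` block starts outside the hunk.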
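Review bot: `exec supercronic etc/crontab` starts supercronic as root: the image now ends with `USER root`, and this run script, unlike `django/run` and `rq/run`, has no `s6-setuidgid website`. Every job in `etc/crontab` therefore runs with root privileges inside the container. If the jobs do not need root, `exec s6-setuidgid website supercronic etc/crontab` keeps them at the application's privilege level. `etc/s6-rc.d/nginx/run` has the same shape. Whether the nginx workers drop privileges depends on the `user` directive in etc/nginx.conf, which is not visible here.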
diff --git a/etc/s6-rc.d/django/dependencies.d/migrate b/etc/s6-rc.d/django/dependencies.d/migrate
new file mode 100644
index 0000000..e69de29
diff --git a/etc/s6-rc.d/django/run b/etc/s6-rc.d/django/run
new file mode 100644
index 0000000..cb7153f
--- /dev/null
+++ b/etc/s6-rc.d/django/run
@@ -0,0 +1,7 @@
+#!/command/with-contenv bash
+
+set -e
+
+cd /app
+
+exec s6-setuidgid website gunicorn -c etc/gunicorn.conf.py
diff --git a/etc/s6-rc.d/django/type b/etc/s6-rc.d/django/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/etc/s6-rc.d/django/type
@@ -0,0 +1 @@
+longrun
diff --git a/etc/s6-rc.d/migrate/type b/etc/s6-rc.d/migrate/type
new file mode 100644
index 0000000..bdd22a1
--- /dev/null
+++ b/etc/s6-rc.d/migrate/type
@@ -0,0 +1 @@
+oneshot
diff --git a/etc/s6-rc.d/migrate/up b/etc/s6-rc.d/migrate/up
new file mode 100644
index 0000000..bc2fd90
--- /dev/null
+++ b/etc/s6-rc.d/migrate/up
@@ -0,0 +1 @@
+s6-setuidgid website with-contenv bash -c "cd /app && python manage.py migrate --noinput"
diff --git a/etc/s6-rc.d/nginx/dependencies.d/django b/etc/s6-rc.d/nginx/dependencies.d/django
new file mode 100644
index 0000000..e69de29
diff --git a/etc/s6-rc.d/nginx/run b/etc/s6-rc.d/nginx/run
new file mode 100644
index 0000000..af11f74
--- /dev/null
+++ b/etc/s6-rc.d/nginx/run
@@ -0,0 +1,7 @@
+#!/command/with-contenv bash
+
+set -e
+
+cd /app
+
+exec nginx -g "daemon off;"
diff --git a/etc/s6-rc.d/nginx/type b/etc/s6-rc.d/nginx/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/etc/s6-rc.d/nginx/type
@@ -0,0 +1 @@
+longrun
diff --git a/etc/s6-rc.d/rq/dependencies.d/migrate b/etc/s6-rc.d/rq/dependencies.d/migrate
new file mode 100644
index 0000000..e69de29
diff --git a/etc/s6-rc.d/rq/run b/etc/s6-rc.d/rq/run
new file mode 100644
index 0000000..b540e7e
--- /dev/null
+++ b/etc/s6-rc.d/rq/run
@@ -0,0 +1,7 @@
+#!/command/with-contenv bash
+
+set -e
+
+cd /app
+
+exec s6-setuidgid website python manage.py rqworker --with-scheduler
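Review bot: A failed `python manage.py migrate --noinput` in `migrate/up` no longer stops the container the way the removed `etc/entrypoints/web` script did under `set -e`. As far as I know, s6-overlay by default keeps the supervision tree running when a oneshot fails. Since `django`, `rq` and `cron` depend on `migrate` and `nginx` depends on `django`, the container would then stay up while serving nothing. Adding `ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2` to the Dockerfile makes the container exit instead, which an orchestrator or monitoring can see and act on.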
diff --git a/etc/s6-rc.d/rq/type b/etc/s6-rc.d/rq/type new file mode 100644 index 0000000..5883cff --- /dev/null +++ b/etc/s6-rc.d/rq/type @@ -0,0 +1 @@ +longrun diff --git a/etc/s6-rc.d/user/contents.d/cron b/etc/s6-rc.d/user/contents.d/cron new file mode 100644 index 0000000..e69de29 diff --git a/etc/s6-rc.d/user/contents.d/django b/etc/s6-rc.d/user/contents.d/django new file mode 100644 index 0000000..e69de29 diff --git a/etc/s6-rc.d/user/contents.d/nginx b/etc/s6-rc.d/user/contents.d/nginx new file mode 100644 index 0000000..e69de29 diff --git a/etc/s6-rc.d/user/contents.d/rq b/etc/s6-rc.d/user/contents.d/rq new file mode 100644 index 0000000..e69de29 diff --git a/justfile b/justfile index dcc0985..ae8c62c 100644 --- a/justfile +++ b/justfile @@ -9,7 +9,7 @@ DEV_COMPOSE := justfile_directory() + "/docker/dev/docker-compose.yml" build: docker-compose -f {{ DEV_COMPOSE }} pull docker-compose -f {{ DEV_COMPOSE }} build - docker-compose -f {{ DEV_COMPOSE }} run --rm --no-deps web bash -lc "npm ci" + docker-compose -f {{ DEV_COMPOSE }} run --user=website --rm --no-deps web -c "npm ci" @compose +ARGS: docker-compose -f {{ DEV_COMPOSE }} {{ ARGS }} @@ -50,7 +50,7 @@ lint_python: @sh: docker-compose -f {{ DEV_COMPOSE }} up -d - docker-compose -f {{ DEV_COMPOSE }} exec web bash + docker-compose -f {{ DEV_COMPOSE }} exec --user=website web bash @down: docker-compose -f {{ DEV_COMPOSE }} down diff --git a/renovate.json b/renovate.json index 987ef7a..8e5266c 100644 --- a/renovate.json +++ b/renovate.json @@ -10,5 +10,13 @@ "schedule": ["every weekend"], "enabled": false } + ], + "regexManagers": [ + { + "fileMatch": ["^Dockerfile$"], + "matchStrings": ["ENV S6_OVERLAY_VERSION=(?.*?)\\n"], + "depNameTemplate": "just-containers/s6-overlay", + "datasourceTemplate": "github-releases" + } ] }
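Review bot: In the `build` recipe, `run --user=website --rm --no-deps web -c "npm ci"` now hands `-c` to the container as the first word of the command, because the `bash -l` in front of it was dropped. That only runs if something supplies a shell as the entrypoint for `web`. The dev stage in this commit sets `ENTRYPOINT []`, and the compose service definition is only partly visible here. If no shell entrypoint is defined there, `run --user=website --rm --no-deps web bash -lc "npm ci"` restores a runnable command while keeping the new `--user` flag.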
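Review bot: The pattern in `matchStrings` reads `ENV S6_OVERLAY_VERSION=(?.*?)\\n` here, and `(?.*?)` is not a valid group, so as shown the manager would not extract a version. Renovate's regex manager expects the version in a named capture group called `currentValue`. The group name may simply have been lost when this page was rendered, so check the committed file. If the Dockerfile later gains checksum pinning for the s6-overlay archives, this manager alone will bump the version without the digests, and those updates would need manual review.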