remove nginx and switch to gunicorn from uwsgi (#119)

.github/actions/docker-common/action.yml

@@ -26,6 +26,16 @@ inputs:
     default: ''
     required: false
     description: GitHub Container Registry token
+  python_base_image:
+    type: string
+    default: 3.8.18-slim-bookworm
+    required: false
+    description: Base image for python
+  is_default_version:
+    type: boolean
+    default: false
+    required: false
+    description: Is this the default versions
 runs:
   using: "composite"
   steps:
@@ -52,11 +62,13 @@ runs:
           khalibre/privacyidea
           ghcr.io/Khalibre/privacyidea
         tags: |
+          type=raw,value={{branch}}-python-${{ inputs.python_version }},enable=${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+          type=raw,value={{branch}},enable=${{ github.event_name == 'push' && inputs.is_default_version || github.event_name == 'workflow_dispatch' }}
+          type=raw,value={{tag}}-python-${{ inputs.python_version }},enable=${{ github.event_name == 'push' }}
+          type=raw,value={{tag}},enable=${{ github.event_name == 'push' && inputs.is_default_version }}
+          type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') && inputs.is_default_version }}
           type=ref,event=pr,enable=${{ github.event_name == 'pull_request' }}
-          type=raw,value=latest,enable={{is_default_branch}}
           type=sha,enable=${{ github.event_name == 'push' }}
-          type=raw,value={{tag}},enable=${{ github.event_name == 'push' }}
-          type=raw,value={{branch}},enable=${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
     - name: Set up Docker Buildx
@@ -70,6 +82,7 @@ runs:
         platforms: linux/amd64
         tags: ${{ steps.docker_meta.outputs.tags }}
         labels: ${{ steps.docker_meta.outputs.labels }}
+        build-args: BASE_IMAGE_TAG=${{ inputs.python_base_image }}
     - name: Container Structure Tests
       shell: bash
       run: |
@@ -88,3 +101,4 @@ runs:
         platforms: ${{ inputs.platforms }}
         tags: ${{ steps.docker_meta.outputs.tags }}
         labels: ${{ steps.docker_meta.outputs.labels }}
+        build-args: BASE_IMAGE_TAG=${{ inputs.python_base_image }}

.github/workflows/pr.yml

@@ -7,8 +7,8 @@ on:
   workflow_dispatch:
 
 jobs:
-  build:
-    name: Build container images
+  python-38-bookworm:
+    name: Python 3.8 / Bookworm
     permissions:
       pull-requests: write
     runs-on: ubuntu-latest
@@ -20,3 +20,74 @@ jobs:
         with:
           platforms: linux/amd64
           push: false
+          python_base_image: 3.8.18-slim-bookworm
+  python-39-bookworm:
+    name: Python 3.9 / Bookworm
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
+          platforms: linux/amd64
+          push: false
+          python_base_image: 3.9.18-slim-bookworm
+  python-310-bookworm:
+    name: Python 3.10 / Bookworm
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
+          platforms: linux/amd64
+          push: false
+          python_base_image: 3.10.13-slim-bookworm
+  python-38-bullseye:
+    name: Python 3.8 / Bullseye
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
+          platforms: linux/amd64
+          push: false
+          python_base_image: 3.8.18-slim-bullseye
+  python-39-bullseye:
+    name: Python 3.9 / Bullseye
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
+          platforms: linux/amd64
+          push: false
+          python_base_image: 3.9.18-slim-bullseye
+  python-310-bullseye:
+    name: Python 3.10 / Bullseye
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
+          platforms: linux/amd64
+          push: false
+          python_base_image: 3.10.13-slim-bullseye

.github/workflows/release.yml

@@ -8,17 +8,99 @@ on:
       - 'v3.*'
   workflow_dispatch:
 jobs:
-  build:
-    name: Build release container images
+  python-38-bookworm:
+    name: Python 3.8 / Bookworm
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Docker common actions
         uses: ./.github/actions/docker-common
         with:
+          docker_hub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          python_base_image: 3.8.18-slim-bookworm
+          is_default_version: true
+  python-39-bookworm:
+    name: Python 3.9 / Bookworm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
+          docker_hub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          python_base_image: 3.9.18-slim-bookworm
+          is_default_version: false
+  python-310-bookworm:
+    name: Python 3.10 / Bookworm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
+          docker_hub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          python_base_image: 3.10.13-slim-bookworm
+          is_default_version: false
+  python-38-bullseye:
+    name: Python 3.8 / Bullseye
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
+          docker_hub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          ghcr_token: ${{ secrets.GITHUB_TOKEN }}
           platforms: linux/amd64,linux/arm64
           push: true
+          python_base_image: 3.8.18-slim-bullseye
+          is_default_version: false
+  python-39-bullseye:
+    name: Python 3.9 / Bullseye
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
+          docker_hub_token: ${{ secrets.DOCKERHUB_TOKEN }}
           docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+          ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          python_base_image: 3.9.18-slim-bullseye
+          is_default_version: false
+  python-310-bullseye:
+    name: Python 3.10 / Bullseye
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Docker common actions
+        uses: ./.github/actions/docker-common
+        with:
           docker_hub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+          docker_hub_username: ${{ secrets.DOCKERHUB_USERNAME }}
           ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          python_base_image: 3.10.13-slim-bullseye
+          is_default_version: false

.gitignore

@@ -1,4 +1,10 @@
+.github
+.gitignore
 *.swp
-secretkey
+example
+LICENSE
+Makefile
 pipepper
+README
+secretkey
 structure-tests-report.xml

Dockerfile

@@ -1,64 +1,31 @@
-FROM python:3.8.18-bookworm
+ARG BASE_IMAGE_TAG=3.8.18-slim-bookworm
 
+FROM python:$BASE_IMAGE_TAG as builder
+ENV VIRTUAL_ENV=/opt/privacyidea
+WORKDIR $VIRTUAL_ENV
+RUN apt-get update && apt-get install -y python3-dev gcc libpq-dev
+COPY requirements.txt requirements.txt
+RUN python3 -m venv "$VIRTUAL_ENV" && . $VIRTUAL_ENV/bin/activate && pip3 install wheel && pip3 install -r requirements.txt
+
+FROM python:$BASE_IMAGE_TAG
 LABEL maintainer="Sida Say <sida.say@khalibre.com>"
+ENV PI_SKIP_BOOTSTRAP=false \
+    PI_DB_VENDOR=sqlite \
+    PI_HOME=/opt/privacyidea \
+    PI_DATA_DIR=/data/privacyidea \
+    PI_CFG_DIR=/etc/privacyidea \
+    PI_CFG_FILE=pi.cfg
 
 COPY prebuildfs /
-
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-RUN install_packages ca-certificates gettext-base nginx tini tree jq && \
-    apt-get clean
-
-# Create directories and user for PrivacyIdea and set ownership
-RUN mkdir -p /data/privacyidea/keys \
-    /var/log/privacyidea \
-    /etc/privacyidea && \
-    adduser --gecos "PrivacyIdea User" \
-    --disabled-password \
-    --home /home/privacyidea \
-    --uid 1001 \
-    privacyidea && \
-    usermod -g 1001 privacyidea && \
-    chown -R privacyidea:privacyidea /var/log/privacyidea /data/privacyidea /etc/privacyidea
-
-# Set environment variables for uWSGI and Nginx
-ENV UWSGI_INI=/etc/uwsgi/uwsgi.ini \
-    UWSGI_CHEAPER=2 \
-    UWSGI_PROCESSES=16 \
-    NGINX_MAX_UPLOAD=1m \
-    NGINX_WORKER_PROCESSES=auto \
-    NGINX_SERVER_TOKENS=off \
-    NGINX_WORKER_CONNECTIONS=1024 \
-    NGINX_LISTEN_PORT=80 \
-    NGINX_LISTEN_SSL_PORT=443 \
-    NGINX_SSL_ENABLED=true \
-    PI_SKIP_BOOTSTRAP=false \
-    DB_VENDOR=sqlite \
-    PI_HOME=/opt/privacyidea \
-    VIRTUAL_ENV=/opt/privacyidea
-
-# Set environment variables for Python
-ENV PATH="$VIRTUAL_ENV/bin:$PATH"
-
-# Set the PrivacyIdea version to install
-ARG PI_VERSION=3.9.1
-
-# Create a virtual environment for PrivacyIdea and install its dependencies
-RUN python3 -m venv $VIRTUAL_ENV && \
-    pip3 install --upgrade pip && \
-    pip3 install wheel && \
-    pip3 install -r /opt/requirements.txt && \
-    rm -rf /root/.cache
-
-# Copy the rootfs directory to the root of the container filesystem
-COPY rootfs /
-
-# Expose ports 80 and 443
-EXPOSE 80/tcp
-EXPOSE 443/tcp
-
-# Set the entrypoint to the privacyidea_entrypoint.sh script
+RUN install_packages ca-certificates gettext-base tini tree jq && \
+    mkdir -p "$PI_DATA_DIR" "$PI_CFG_DIR" && \
+    chown -R nobody:nogroup "$PI_DATA_DIR" "$PI_CFG_DIR"
+USER nobody
+WORKDIR "$PI_HOME"
+COPY --from=builder /opt/privacyidea .
+COPY --chown=nobody:nogroup rootfs /
+ENV PATH="$PI_HOME/bin:$PATH"
+EXPOSE 8080/tcp
+VOLUME [ "$PI_DATA_DIR" ]
 ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/privacyidea_entrypoint.sh"]
-
-WORKDIR /opt/privacyidea
-
-VOLUME [ "/data/privacyidea" ]

Makefile

@@ -13,14 +13,14 @@ push: ## Push image
 	docker push khalibre/privacyidea:dev
 
 run: cleanup create_volume secretkey pipepper ## Run test
-	docker run -p 80:80 -p 443:443 -ti --name=privacyidea-dev --env-file=secretkey --env-file=pipepper khalibre/privacyidea:dev
+	docker run -p 8080:8080 -ti --name=privacyidea-dev --env-file=secretkey --env-file=pipepper khalibre/privacyidea:dev
 
 create_volume:
 	mkdir $(LOCAL_DATA_VOLUME)
 
 secretkey:
 	@echo Creating secretkey
-	@echo SECRET_KEY=$(shell cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) > secretkey
+	@echo PI_SECRET_KEY=$(shell cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) > secretkey
 
 pipepper:
 	@echo Creating pipepper