Merge pull request #61 from mr-ssd/improve-config

update to 3.8.1 and improvement

Dockerfile

@@ -7,65 +7,55 @@ COPY prebuildfs /
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN install_packages ca-certificates git supervisor gettext-base nginx
 
-RUN mkdir -p mkdir /etc/privacyidea/data/keys \
+# Create directories and user for PrivacyIdea and set ownership
+RUN mkdir -p /data/privacyidea/keys \
     /var/log/privacyidea && \
-    adduser --gecos "PrivacyIdea User" --disabled-password --home /home/privacyidea privacyidea --uid 1001 && \
+    adduser --gecos "PrivacyIdea User" \
+    --disabled-password \
+    --home /home/privacyidea \
+    --uid 1001 \
+    privacyidea && \
     addgroup privacyidea privacyidea && \
     usermod -g 1001 privacyidea && \
-    chown -R privacyidea:privacyidea /etc/privacyidea /var/log/privacyidea
-
-COPY rootfs /
-
-# Which uWSGI .ini file should be used, to make it customizable
-ENV UWSGI_INI /etc/uwsgi/uwsgi.ini
-
-# By default, run 2 processes
-ENV UWSGI_CHEAPER 2
-
-# By default, when on demand, run up to 16 processes
-ENV UWSGI_PROCESSES 16
-
-# By default, allow unlimited file sizes, modify it to limit the file sizes
-# To have a maximum of 1 MB (Nginx's default) change the line to:
-# ENV NGINX_MAX_UPLOAD 1m
-ENV NGINX_MAX_UPLOAD 1m
-
-# By default, Nginx will run a single worker process, setting it to auto
-# will create a worker for each CPU core
-ENV NGINX_WORKER_PROCESSES 1
-
-# By default, NGINX show NGINX version on error page and HTTP header
-ENV NGINX_SERVER_TOKENS 'off'
-
-ENV NGINX_WORKER_CONNECTIONS 1024
-
-# By default, Nginx listens on port 80.
-# To modify this, change LISTEN_PORT environment variable.
-# (in a Dockerfile or with an option for `docker run`)
-ENV NGINX_LISTEN_PORT 80
-ENV NGINX_LISTEN_SSL_PORT 443
-
-ENV NGINX_SSL_ENABLED true
-
-ENV PI_SKIP_BOOTSTRAP=false \
+    chown -R privacyidea:privacyidea /var/log/privacyidea /data/privacyidea
+
+# Set environment variables for uWSGI and Nginx
+ENV UWSGI_INI=/etc/uwsgi/uwsgi.ini \
+    UWSGI_CHEAPER=2 \
+    UWSGI_PROCESSES=16 \
+    NGINX_MAX_UPLOAD=1m \
+    NGINX_WORKER_PROCESSES=auto \
+    NGINX_SERVER_TOKENS=off \
+    NGINX_WORKER_CONNECTIONS=1024 \
+    NGINX_LISTEN_PORT=80 \
+    NGINX_LISTEN_SSL_PORT=443 \
+    NGINX_SSL_ENABLED=true \
+    PI_SKIP_BOOTSTRAP=false \
     DB_VENDOR=sqlite \
     PI_HOME=/opt/privacyidea \
     VIRTUAL_ENV=/opt/privacyidea
 
-RUN python3 -m venv $VIRTUAL_ENV
-
+# Set environment variables for Python
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
-ARG PI_VERSION=3.8
+# Set the PrivacyIdea version to install
+ARG PI_VERSION=3.8.1
 
-RUN pip3 install wheel && \
+# Create a virtual environment for PrivacyIdea and install its dependencies
+RUN python3 -m venv $VIRTUAL_ENV && \
+    pip3 install wheel && \
     pip3 install uwsgi pymysql-sa PyMySQL psycopg2-binary && \
     pip3 install -r https://raw.githubusercontent.com/privacyidea/privacyidea/v${PI_VERSION}/requirements.txt && \
     pip3 install git+https://github.com/privacyidea/privacyidea.git@v${PI_VERSION}
 
+# Copy the rootfs directory to the root of the container filesystem
+COPY rootfs /
+
+# Expose ports 80 and 443
 EXPOSE 80/tcp
 EXPOSE 443/tcp
 
+# Set the entrypoint to the privacyidea_entrypoint.sh script
 ENTRYPOINT ["/usr/local/bin/privacyidea_entrypoint.sh"]
 
 WORKDIR /opt/privacyidea

Makefile

@@ -1,9 +1,11 @@
-info:
-	@echo "build	build the privacyidea image"
-	@echo "push		push the image to the docker hub"
-
 LOCAL_DATA_VOLUME=/tmp/privacyidea-data
 
+help: ## Show this help message
+	@echo "Usage: make [target]"
+	@echo ""
+	@echo "Targets:"
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "  %-30s %s\n", $$1, $$2}' | sort
+
 build: ## Build image
 	docker build -t khalibre/privacyidea:dev .
 
@@ -25,9 +27,11 @@ pipepper:
 	@echo PI_PEPPER=$(shell cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) > pipepper
 
 cleanup:
-	docker stop privacyidea-dev || true
-	docker rm privacyidea-dev || true
-	sudo rm -rf $(LOCAL_DATA_VOLUME)
+	@if docker ps -a | grep -q privacyidea-dev; then docker stop privacyidea-dev || true; fi
+	@if docker ps -a | grep -q privacyidea-dev; then docker rm privacyidea-dev || true; fi
+	@if [ -d $(LOCAL_DATA_VOLUME) ]; then sudo rm -rf $(LOCAL_DATA_VOLUME); fi
 
 test:
 	container-structure-test test --image khalibre/privacyidea:dev --config structure-tests.yaml
+
+.DEFAULT_GOAL := help

README.md

@@ -42,20 +42,20 @@ The Khalibre privacyIDEA container can create a default admin user by setting th
 
 The Khalibre privacyIDEA requires a database to work. This is configured with the following environment variables:
 
-  - `DB_VENDOR`: Database vendor (support mysql, mariadb or posgresql) No defaults.
+  - `DB_VENDOR`: Database vendor (support mysql, mariadb or posgresql) Default **sqlite**.
   - `DB_USER`: Database user. No defaults.
   - `DB_PASSWORD`: Database. No defaults.
   - `DB_NAME`: Database name. No defaults.
   - `DB_HOST`: Database host. No defaults.
 
 ### NGINX configuration
 
-  - `NGINX_LISTEN_PORT`: Get the listen port for Nginx, default to 80
-  - `NGINX_LISTEN_SSL_PORT`: Get the secured listen port for Nginx, default to 443
-  - `NGINX_MAX_UPLOAD`: Get the maximum upload file size for Nginx, default to 100Mb
-  - `NGINX_SERVER_TOKENS`: Hide Nginx server version on error pages and in the “Server HTTP” response header field
-  - `NGINX_SSL_CERT`: Path to SSL certificate, default to **/etc/nginx/certs/pi-server-cert.pem**
-  - `NGINX_SSL_ENABLED`: Set to true to enable SSL, default **false**
+  - `NGINX_LISTEN_PORT`: Get the listen port for Nginx, default to **80**
+  - `NGINX_LISTEN_SSL_PORT`: Get the secured listen port for Nginx, default to **443**
+  - `NGINX_MAX_UPLOAD`: Get the maximum upload file size for Nginx, default to **100Mb**
+  - `NGINX_SERVER_TOKENS`: Hide Nginx server version on error pages and in the “Server HTTP” response header field. Default **off**
+  - `NGINX_SSL_CERT`: Path to SSL certificate. Default to **/etc/nginx/certs/pi-server-cert.pem**
+  - `NGINX_SSL_ENABLED`: Set to true to enable SSL, Default **false**
   - `NGINX_SSL_KEY`: Path to SSL key, default **/etc/nginx/certs/pi-server-key.pem**
   - `NGINX_WORKER_CONNECTIONS`: Set the max number of connections per worker for Nginx, if requested.
   - `NGINX_WORKER_PROCESSES`: Get the number of workers for Nginx, default to 1
@@ -64,8 +64,9 @@ The Khalibre privacyIDEA requires a database to work. This is configured with th
 
   - `CACHE_TYPE`: privacyIDEA cache type. Default simple.
   - `PI_PEPPER`: This is used to encrypt the admin passwords. No defaults.
-  - `PI_AUDIT_KEY_PRIVATE`: This is used to sign the audit log
-  - `PI_AUDIT_KEY_PUBLIC`: This is used to sign the audit log
+  - `PI_AUDIT_NO_SIGN`: If you by any reason want to avoid signing audit entries set it **true**.
+  - `PI_AUDIT_KEY_PRIVATE_PATH`: This is used to sign the audit log
+  - `PI_AUDIT_KEY_PUBLIC_PATH`: This is used to sign the audit log
   - `PI_ENCFILE`: This is used to encrypt the token data and token passwords. No defaults.
   - `PI_HSM`: privacyIDEA HSM. Default **default**
   - `PI_LOGFILE`: privacyIDEA log file location. Default **/var/log/privacyidea/privacyidea.log**

prebuildfs/usr/sbin/install_packages

@@ -1,24 +1,34 @@
 #!/bin/sh
+
+# Install packages with retry logic
 set -e
 set -u
 export DEBIAN_FRONTEND=noninteractive
+
+# Update package index
+apt-get update -qq
+
+# Install packages with retry logic
 n=0
 max=2
 until [ $n -gt $max ]; do
-    set +e
-    (
-      apt-get update -qq &&
-      apt-get install -y --no-install-recommends "$@"
-    )
-    CODE=$?
-    set -e
-    if [ $CODE -eq 0 ]; then
-        break
-    fi
-    if [ $n -eq $max ]; then
-        exit $CODE
-    fi
-    echo "apt failed, retrying"
-    n=$(($n + 1))
+  set +e
+  (
+    apt-get install -y --no-install-recommends "$@"
+  )
+  CODE=$?
+  set -e
+  if [ $CODE -eq 0 ]; then
+    break
+  fi
+  if [ $n -eq $max ]; then
+    exit $CODE
+  fi
+  echo "apt failed, retrying in 10 seconds..."
+  sleep 10
+  n=$(($n + 1))
 done
+
+# Clean up after installation
+apt-get autoremove -y
 rm -r /var/lib/apt/lists /var/cache/apt/archives

rootfs/opt/templates/nginx.conf.template

@@ -1,4 +1,3 @@
-user  www-data;
 worker_processes $NGINX_WORKER_PROCESSES;
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;

rootfs/opt/templates/pi-config.template

@@ -14,11 +14,14 @@ if PI_PEPPER is None:
 # The realm, where users are allowed to login as administrators
 SUPERUSER_REALM = os.environ.get('SUPERUSER_REALM', ['administrator'])
 SQLALCHEMY_DATABASE_URI = "$SQLALCHEMY_DATABASE_URI"
-PI_ENCFILE = os.environ.get("PI_ENCFILE", "/data/privacyidea/encfile")
+PI_ENCFILE = os.environ.get("PI_ENCFILE", "/data/privacyidea/keys/encfile")
 PI_HSM = os.environ.get("PI_HSM", "default")
+PI_AUDIT_NO_SIGN = os.environ.get("PI_AUDIT_NO_SIGN", "False").lower() == "true"
 PI_AUDIT_MODULE = os.environ.get("PI_AUDIT_MODULE", "privacyidea.lib.auditmodules.sqlaudit")
-PI_AUDIT_KEY_PRIVATE = os.environ.get("PI_AUDIT_KEY_PRIVATE", "/etc/privacyidea/data/keys/private.pem")
-PI_AUDIT_KEY_PUBLIC = os.environ.get("PI_AUDIT_KEY_PUBLIC", "/etc/privacyidea/data/keys/public.pem")
+# PI_AUDIT_KEY_PRIVATE will be used only when PI_AUDIT_NO_SIGN is True
+PI_AUDIT_KEY_PRIVATE = os.environ.get("PI_AUDIT_KEY_PRIVATE_PATH", "/data/privacyidea/keys/private.pem")
+# PI_AUDIT_KEY_PUBLIC will be used only when PI_AUDIT_NO_SIGN is True
+PI_AUDIT_KEY_PUBLIC = os.environ.get("PI_AUDIT_KEY_PUBLIC_PATH", "/data/privacyidea/keys/public.pem")
 PI_LOGFILE = os.environ.get("PI_LOGFILE", "/var/log/privacyidea/privacyidea.log")
 PI_LOGLEVEL = logging.getLevelName(os.environ.get("PI_LOGLEVEL", "INFO"))
 PI_NODE = os.environ.get("HOSTNAME", "localnode")

rootfs/usr/local/bin/_privacyidea_common.sh

@@ -1,18 +1,19 @@
 #!/bin/bash
 
-function execute_scripts {
-	if [ -e "${1}" ] && [[ $(find "${1}" -maxdepth 1 -name "*.sh" -printf "%f\n") ]]
-	then
-		echo "[PrivacyIDEA] Executing scripts in ${1}:"
+execute_scripts() {
+  local script_dir="$1"
+  local script_names
 
-		for SCRIPT_NAME in $(find "${1}" -maxdepth 1 -name "*.sh" -printf "%f\n" | sort)
-		do
-			echo ""
-			echo "[PrivacyIDEA] Executing ${SCRIPT_NAME}."
+  if [[ -d "$script_dir" ]] && script_names=("$script_dir"/*.sh); (( ${#script_names[@]} )); then
+    echo "[PrivacyIDEA] Executing scripts in $script_dir:"
 
-			source "${1}/${SCRIPT_NAME}"
-		done
+    for script_path in "${script_names[@]}"; do
+      local script_name=$(basename "$script_path")
+      echo ""
+      echo "[PrivacyIDEA] Executing $script_name."
+      source "$script_path" || { echo "[PrivacyIDEA] Error: Failed to execute $script_name."; return 1; }
+    done
 
-		echo ""
-	fi
+    echo ""
+  fi
 }