refs #23938 [finc] update docker environment part 1

* replace deprecated linkyard/yaml by governmentpaas/spruce
* env entrypoint: create user dev if not existing
* env entrypoint: do not create user dev if not existing
* do not use vufind-httpd - but still depend on ubleipzig/httpd
* do not use ubl httpd docker image - but shibboleth is missing
* do not use ubl httpd docker image - but shibboleth is missing
* docker: integrate ssl within vufind conf
* docker: add port for https on 11105
* mail: switch to new image
* todo: configuration
* todo: forwarding all mails to honey pot

refs #23938 [finc] REVERT docker mail: switch to new image

* This reverts commit 79057c90.
* move to 24355

devops/docker/env/entrypoint.sh

@@ -15,20 +15,16 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 # @author  Sebastian Kehr <kehr@ub.uni-leipzig.de>
+# @author  Robert Lange <lange@ub.uni-leipzig.de>
 # @license https://opensource.org/licenses/GPL-3.0 GNU GPLv3
 
+apk update && apk add jq
+
 # Taken from http://www.etalabs.net/sh_tricks.html
 quote () { printf %s\\n "$1" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/" ; }
-
-if ! [ "$(whoami)" = "dev" ]; then
-  : "${UIDGID:=$(stat -c '%u' .):$(stat -c '%g' .)}"
-  echo "dev:x:$UIDGID:dev:$(pwd):/bin/sh" >> /etc/passwd
-  su -p -c "exec $0 $*" dev
-  exit
-fi
-
 mkdir -p "${DIR=data/docker/env}"
 
+# create files from docker-env.*.yml in data/docker/env
 # shellcheck disable=SC2046
 JSON=$(spruce merge $(find docker-env.*.yml) | spruce json)
 for KEY in $(echo "$JSON" | jq -r 'keys | join(" ")'); do
@@ -37,4 +33,16 @@ for KEY in $(echo "$JSON" | jq -r 'keys | join(" ")'); do
     VAL=$(echo "$JSON" | jq -r ".\"$KEY\".\"$VAR\"")
     echo "$VAR=$(quote "$VAL")" >> "$FILE"
   done
-done
\ No newline at end of file
+done
+
+# change owner to user dev if not already
+# to write files not as root
+if ! [ "$(whoami)" = "dev" ]; then
+  : "${UIDGID:=$(stat -c '%u' .):$(stat -c '%g' .)}"
+  echo "dev:x:$UIDGID:dev:$(pwd):/bin/sh" >> /etc/passwd
+  #su -p -c "exec $0 $*" dev
+  chown "$UIDGID" data
+  chown "$UIDGID" data/docker
+  chown -R "$UIDGID" "${DIR}"
+fi
+exit
\ No newline at end of file

devops/docker/httpd/Dockerfile

+FROM httpd:2.4
+#ENTRYPOINT [ "/docker-entrypoint" ]
+CMD ["apache2ctl", "-D", "FOREGROUND"]
+
+ENV SHIB_HANDLER_URL=/Shibboleth.sso \
+	APACHE_RUN_DIR=/var/run/apache2 \
+	APACHE_RUN_USER=www-data \
+	APACHE_RUN_GROUP=www-data \
+	APACHE_DOC_ROOT=/var/www/html
+
+ADD assets/*.conf /etc/apache2/conf-available/
+
+#RUN chmod a+x /docker-entrypoint \
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends openssl apache2 \
+	&& openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048 \
+  #https://stackoverflow.com/questions/63195304/difference-between-pem-crt-key-files#:~:text=According%20to%20this%20answer%2C.crt%20keeps%20a%20signed%20certificate%2C,a%20key%2C%20certificate%2C...%29%20is%20Base64%20encoded.%20%E2%80%93%20Wolfson
+	&& openssl req -nodes -new -x509 -newkey rsa:2048 -subj "/CN=localhost" -keyout /etc/ssl/certs/ssl-vufind.key -out /etc/ssl/certs/ssl-vufind.crt -days 3650 \
+	&& apt-get purge -y openssl \
+	&& apt-get autoremove -y --purge \
+	&& sed -e 's!^\(ErrorLog\).*$!\1 /proc/self/fd/2!' -i /etc/apache2/apache2.conf \
+	&& sed -e 's!^\(PidFile.*\)$!#\1!' -i /etc/apache2/apache2.conf \
+	&& sed -e 's!/var/www/html!${APACHE_DOC_ROOT}!g' -i /etc/apache2/sites-available/000-default.conf \
+	&& sed -e 's!^\(\s*ErrorLog\).*$!\1 /proc/self/fd/2!' -i /etc/apache2/sites-available/000-default.conf \
+	&& sed -e 's!^\(\s*CustomLog\).*$!\1 /proc/self/fd/1 combined!' -i /etc/apache2/sites-available/000-default.conf \
+	&& sed -e 's!/var/www/html!${APACHE_DOC_ROOT}!g' -i /etc/apache2/sites-available/default-ssl.conf \
+	&& sed -e 's!^\(\s*ErrorLog\).*$!\1 /proc/self/fd/2!' -i /etc/apache2/sites-available/default-ssl.conf \
+	&& sed -e 's!^\(\s*CustomLog\).*$!\1 /proc/self/fd/1 combined!' -i /etc/apache2/sites-available/default-ssl.conf \
+  && a2disconf serve-cgi-bin other-vhosts-access-log \
+	&& a2enmod rewrite proxy_fcgi \
+  && a2enmod ssl \
+	&& a2enconf debug ssl \
+	&& rm -r /var/lib/apt/lists/*
+
+ENV BASE_PATH="" \
+	FCGI_TARGET="php:9000"
+
+ADD vufind.conf /etc/apache2/sites-available/vufind.conf
+
+RUN a2ensite vufind
\ No newline at end of file

devops/docker/httpd/assets/debug.conf

+<IfDefine debug>
+  ProxyTimeout 3600
+</IfDefine>

devops/docker/httpd/assets/ssl.conf

+<IfDefine ssl>
+  LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so
+  LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+  IncludeOptional mods-available/ssl.conf
+  Listen 443
+</IfDefine>

devops/docker/httpd/vufind.conf

+# vufind.conf for finc development
+<FilesMatch \.php$>
+  SetHandler "proxy:fcgi://${FCGI_TARGET}"
+</FilesMatch>
+
+# Configuration for theme-specific resources:
+AliasMatch ^${BASE_PATH}/themes/([0-9a-zA-Z-_]*)/css/(.*)$ /usr/local/vufind/themes/$1/css/$2
+AliasMatch ^${BASE_PATH}/themes/([0-9a-zA-Z-_]*)/images/(.*)$ /usr/local/vufind/themes/$1/images/$2
+AliasMatch ^${BASE_PATH}/themes/([0-9a-zA-Z-_]*)/js/(.*)$ /usr/local/vufind/themes/$1/js/$2
+<Directory ~ "^/usr/local/vufind/themes/([0-9a-zA-Z-_]*)/(css|images|js)/">
+  <IfModule !mod_authz_core.c>
+    Order allow,deny
+    Allow from all
+  </IfModule>
+  <IfModule mod_authz_core.c>
+    Require all granted
+  </IfModule>
+  AllowOverride All
+</Directory>
+
+# Configuration for public cache (used for asset pipeline minification)
+AliasMatch ^${BASE_PATH}/cache/(.*)$ /var/cache/vufind/public/$1
+<Directory /var/cache/vufind/public/>
+  <IfModule !mod_authz_core.c>
+    Order allow,deny
+    Allow from all
+  </IfModule>
+  <IfModule mod_authz_core.c>
+    Require all granted
+  </IfModule>
+  AllowOverride All
+</Directory>
+
+# Configuration for general VuFind base:
+Alias ${BASE_PATH}/ /usr/local/vufind/public/
+<Directory /usr/local/vufind/public/>
+  <IfModule !mod_authz_core.c>
+    Order allow,deny
+    Allow from all
+  </IfModule>
+  <IfModule mod_authz_core.c>
+    Require all granted
+  </IfModule>
+  AllowOverride All
+
+  # If you wish to use the Shibboleth authentication, uncomment the following lines
+  # AND comment out the "Require all granted" line above. There must not be any other
+  # "Require" lines in this configuration section for the "Require shibboleth"
+  # directive to be effective.
+  #AuthType shibboleth
+  #Require shibboleth
+</Directory>
+
+<Location ${BASE_PATH}/>
+  RewriteEngine On
+#  RewriteBase ${BASE_PATH}/
+
+  RewriteCond %{REQUEST_FILENAME} -s [OR]
+  RewriteCond %{REQUEST_FILENAME} -l [OR]
+  RewriteCond %{REQUEST_FILENAME} -d
+  RewriteRule ^.*$ - [NC,L]
+  RewriteRule ^.*$ index.php [NC,L]
+
+</Location>
+
+# Having a configured shibboleth-handler
+<Location ${SHIB_HANDLER_URL}>
+  RewriteEngine On
+  RewriteRule .* - [L]
+</Location>
+
+<VirtualHost *:443>
+   ServerName localhost
+   DocumentRoot /usr/local/vufind/public/
+
+   SSLEngine on
+   SSLCertificateFile /etc/ssl/certs/ssl-vufind.crt
+   SSLCertificateKeyFile /etc/ssl/certs/ssl-vufind.key
+</VirtualHost>
\ No newline at end of file

docker-compose.yml

@@ -2,7 +2,7 @@ version: '2.4'
 
 services:
   env:
-    image: linkyard/yaml:1.1.1
+    image: governmentpaas/spruce:826b547c6411b0fd22ac0b07bde11eed5523879c
     volumes:
       - .:/usr/local/vufind:rw
     working_dir: /usr/local/vufind
@@ -32,13 +32,15 @@ services:
     command: ["php-fpm"]
 
   httpd:
-    image: ubleipzig/vufind-httpd:2.4-5
+    build: devops/docker/httpd
     ports:
       - 127.0.0.1:${HTTPD_PORT:-11100}:80
+      - 127.0.0.1:${HTTPD_PORT:-11105}:443
     volumes:
       - ./:/usr/local/vufind:ro
     depends_on:
       - php
+    tty: true
 
   db:
     image: mariadb:10.3.17