Merge branch 'release/v1.1.0'

api/Dockerfile

@@ -1,14 +1,15 @@
 # Stage 1 - Create a builder container
-FROM gradle:jdk11 as builder
+FROM gradle:jdk11 as dev
 
 ENV APP_HOME=/home/app/
 WORKDIR $APP_HOME
 COPY build.gradle settings.gradle gradlew $APP_HOME
 COPY gradle $APP_HOME/gradle
 COPY . .
-RUN gradle build -x test
-
+CMD ["gradle", "clean", "bootRun"]
 
+FROM dev as builder
+RUN gradle build -x test
 
 # Stage 2 - Create a downsized production container
 FROM openjdk:11 as deploy
@@ -20,3 +21,30 @@ WORKDIR /home/app/
 COPY --from=builder /home/app/build/libs/api-*.jar /home/app/api.jar
 
 CMD ["java", "-Djava.security.egd=file:/dev/./urandom","-jar", "/home/app/api.jar"]
+
+
+#
+#
+#
+#
+## Stage 1 - Create a builder container
+#FROM gradle:jdk11 as builder
+#
+#ENV APP_HOME=/home/app/
+#WORKDIR $APP_HOME
+#COPY build.gradle settings.gradle gradlew $APP_HOME
+#COPY gradle $APP_HOME/gradle
+#COPY . .
+#RUN gradle build -x test
+#
+## Stage 2 - Create a downsized production container
+#FROM openjdk:11 as deploy
+#
+#RUN groupadd --system --gid 1000 deploy
+#RUN useradd --system --gid deploy --uid 1000 --shell /bin/bash --create-home deploy
+#USER deploy
+#WORKDIR /home/app/
+#COPY --from=builder /home/app/build/libs/api-*.jar /home/app/api.jar
+#
+#CMD ["java", "-Djava.security.egd=file:/dev/./urandom","-jar", "/home/app/api.jar"]
+

api/src/main/resources/config/application-dev.yml

@@ -14,9 +14,9 @@ datasources:
   database:
     username: admin
     password: zaqwsx
-    port: 5444
+    port: 5432
     schema: app
-    host: localhost
+    host: database
   migration:
     locations: ["classpath:/db/migration", "classpath:/db/mock"]
     cleanOnValidationError: true

api/src/main/resources/config/application-prod.yml

@@ -1,23 +1,24 @@
 # ===================================================================
 # Spring Boot configuration for the "prod" profile.
 # ===================================================================
+#TODO - set prod logging
 logging:
   level:
-    ROOT: WARN
-    pbs.api: DEBUG
-    pbs.api.mappers:
+    ROOT: INFO
+    web: DEBUG
+    base.api: DEBUG
+    base.api.mappers:
       AuthMapper: INFO
-    pbs.api.domain.diaries.DiaryDao.selectUser: INFO
+    base.api.domain.diaries.DiaryDao.selectUser: INFO
 
 datasources:
   database:
     username: admin
     password: cderfv
     port: 5432
     schema: app
-
-
-spring:
-  flyway:
-    locations: "classpath:/db/migration, classpath:/db/prod"
-    clean-disabled: true
+    host: database
+  migration:
+    locations: ["classpath:/db/migration"]
+    cleanOnValidationError: false
+    cleanOnStart: false

api/src/main/resources/config/application-test.yml

@@ -3,19 +3,20 @@
 # ===================================================================
 logging:
   level:
-    ROOT: WARN
+    ROOT: INFO
+    web: DEBUG
     base.api: DEBUG
     base.api.mappers:
       AuthMapper: INFO
+    base.api.domain.diaries.DiaryDao.selectUser: INFO
 
 datasources:
   database:
     username: admin
-    password: xswedc
+    password: cderfv
     port: 5432
     schema: app
-    host: database
-
-spring:
-  flyway:
-    locations: "classpath:/db/migration, classpath:/db/test"
+  migration:
+    locations: ["classpath:/db/migration", "classpath:/db/mock"]
+    cleanOnValidationError: false
+    cleanOnStart: false

api/src/main/resources/config/application.yml

@@ -1,3 +1,6 @@
+# ===================================================================
+# Main Spring Boot configuration
+# ===================================================================
 server:
   port: 9000
 
@@ -22,6 +25,8 @@ spring:
 mail:
   host: smtp.gmail.com
   port: 587
+  username: "[email protected]"
+  password: "matpioapp"
   from: "Aplikacja Codeito"
   debug: false
 

dev.sh

@@ -0,0 +1,2 @@
+docker-compose -f ./docker/docker-compose.dev.yml up -d --build
+docker-compose -f ./docker/docker-compose.dev.yml logs -f --tail 100

docker/docker-compose.db.yml

@@ -0,0 +1,16 @@
+version: '3'
+services:
+  database:
+    build: ../database
+    command: postgres -c shared_preload_libraries=pgaudit -c config_file=/etc/postgresql.conf
+    container_name: dev-database-app
+    environment:
+      POSTGRES_USER: admin
+      POSTGRES_PASSWORD: zaqwsx
+      POSTGRES_DB: app
+      PGDATA: /var/lib/postgresql/data/pgdata
+    volumes:
+      - ../database/pgdata:/var/lib/postgresql/data/pgdata
+      - ../database/postgresql.conf:/etc/postgresql.conf
+    ports:
+      - "5444:5432"

docker/docker-compose.dev.yml

@@ -1,16 +1,41 @@
-version: '3'
+version: '3.4'
 services:
+
   database:
+    container_name: dev-database-app
     build: ../database
     command: postgres -c shared_preload_libraries=pgaudit -c config_file=/etc/postgresql.conf
-    container_name: dev-database-app
     environment:
       POSTGRES_USER: admin
       POSTGRES_PASSWORD: zaqwsx
       POSTGRES_DB: app
-      PGDATA: /var/lib/postgresql/data/pgdata
+      PGDATA: /var/lib/postgresql/pgdata
     volumes:
-      - ../database/pgdata:/var/lib/postgresql/data/pgdata
+      - ../database/pgdata:/var/lib/postgresql/pgdata
       - ../database/postgresql.conf:/etc/postgresql.conf
     ports:
       - "5444:5432"
+
+  api:
+    container_name: dev-api-app
+    build:
+      context: ../api
+      dockerfile: ./Dockerfile
+      target: dev
+    volumes:
+      - ../files:/home/app/files
+    environment:
+      - "SPRING_PROFILES_ACTIVE=dev, swagger"
+    depends_on:
+      - database
+
+  ui:
+    container_name: dev-ui-app
+    build:
+      context: ../ui
+      dockerfile: ./Dockerfile
+      target: dev
+    environment:
+      - "APIPROXY=api"
+    ports:
+      - "3000:3000"

docker/docker-compose.prod.yml

@@ -25,8 +25,9 @@ services:
       - ../files:/home/app/files
     environment:
       - "SPRING_PROFILES_ACTIVE=prod"
-      - "DATASOURCES_DATABASE_HOST=database"
     restart: on-failure
+    depends_on:
+      - database
 
   ui:
     container_name: prod-ui-app
@@ -36,18 +37,8 @@ services:
       target: deploy
     volumes:
       - ./nginx-prod.conf:/etc/nginx/conf.d/default.conf
-#      - /etc/letsencrypt:/etc/letsencrypt
-      - ./certbot/conf:/etc/letsencrypt
-      - ./certbot/www:/var/www/certbot
+      - /etc/letsencrypt:/etc/letsencrypt
     ports:
       - "80:80"
       - "443:443"
     restart: on-failure
-    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
-
-  certbot:
-    image: certbot/certbot
-    volumes:
-      - ./certbot/conf:/etc/letsencrypt
-      - ./certbot/www:/var/www/certbot
-    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

docker/nginx-prod.conf

@@ -1,6 +1,6 @@
 server {
 
-    server_name pbs.codeito.pl www.pbs.codeito.pl;
+    server_name test.codeito.pl www.test.codeito.pl;
 
     location / {
       root /usr/share/nginx/html;
@@ -12,23 +12,42 @@ server {
       proxy_pass http://api:9000/api/;
     }
 
-;     test
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
     }
 
     listen [::]:443 ssl ipv6only=on; # managed by Certbot
     listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/pbs.codeito.pl/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/pbs.codeito.pl/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    ssl_certificate /etc/letsencrypt/live/test.codeito.pl/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/test.codeito.pl/privkey.pem; # managed by Certbot
+
+    ssl_trusted_certificate /etc/letsencrypt/live/test.codeito.pl/chain.pem;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    ssl_session_cache shared:le_nginx_SSL:1m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+    ssl_ecdh_curve secp384r1;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
+    add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
 
 }
 
 server {
   listen 80;
-  server_name localhost pbs.codeito.pl www.pbs.codeito.pl;
+  server_name localhost test.codeito.pl www.test.codeito.pl;
 
   location / {
     return 301 https://$host$request_uri;

docker/scripts/cert.txt

@@ -0,0 +1,7 @@
+sudo certbot-auto certonly --standalone -d test.codeito.pl  -d www.test.codeito.pl
+sudo openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
+
+sudo /usr/sbin/certbot-auto renew --dry-run
+
+crontab -e
+0 2 * * * sudo /usr/sbin/certbot-auto -q renew

docker/scripts/nginx-csp-header.txt

@@ -0,0 +1 @@
+add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; script-src 'unsafe-eval'; img-src 'self' data:image:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; object-src: 'none'";