~dricottone/docker-moinmoin19

60a1ffe060774247a82aebdb06e01c490a67930a — Dominic Ricottone 4 years ago 591c16c
restructured container for security, readability; re-wrote documentation
M Dockerfile => Dockerfile +16 -14
@@ 1,22 1,24 @@

# Alpine Linux removed uwsgi-python in v3.11
# NOTE: Alpine Linux removed uwsgi-python in v3.11, so using v3.10 forever
FROM alpine:3.10

RUN apk add python uwsgi uwsgi-python
RUN addgroup -S -g 82 www-data \
    && adduser -S -u 82 -D -h /var/www -s /sbin/nologin www-data

COPY build/moin-1.9.11/setup.py /var/moin/install
COPY build/moin-1.9.11/wiki /var/moin/wiki
COPY moinmoin/* /var/moin/wiki/

# rhtml plugin
#COPY rhtml/rhtml.py /var/moin/wiki/data/plugin/parser/rhtml.py
# install `MoinMoin` python package
RUN mkdir /var/moin
COPY --chown=www-data:www-data build/moin-1.9.11 /var/moin/install
RUN cd /var/moin/install && python setup.py install

RUN find /var/moin -type d -exec chmod 775 {} \; \
	&& find /var/moin -type f -exec chmod 664 {} \; \
	&& chown www-data:www-data /var/moin -R
RUN cd /var/moin/install && python setup.py install --record=install.log
# setup wiki
RUN mkdir /var/www/moin \
    && cp /usr/share/moin/server /var/www/moin/ -r \
    && cp /usr/share/moin/underlay /var/www/moin/ -r \
    && chown www-data:www-data /var/www/moin -R
COPY --chown=www-data:www-data moinmoin/* /var/www/moin/

EXPOSE 9000
WORKDIR /var/moin
CMD /usr/sbin/uwsgi --ini /var/moin/uwsgi.ini
WORKDIR /var/www/moin
ENTRYPOINT ["/usr/sbin/uwsgi"]
CMD ["--ini", "/var/www/moin/uwsgi.ini"]
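Review bot: the `FROM alpine:3.10` line, with its comment "so using v3.10 forever", pins the image to a release branch that stops receiving package updates once it leaves support, which cuts against the security goal in the commit message. Suggest recording in that comment what would be needed to move to a newer base. Separately, no `USER` instruction appears in these lines, so uWSGI starts as root and the drop to `www-data` depends entirely on `uwsgi.ini`; if the master process does not need root, add `USER www-data` before `ENTRYPOINT`.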


M README.md => README.md +31 -37
@@ 3,49 3,43 @@
Deploy a moinmoin wiki using Docker.


## Setup

In `nginx/moinmoin.conf`, configure the server name (`s/example.com/your_domain_name_here/g`).

In `moinmoin/wikiconfig.py`, configure the wiki name (`s/Untitled Wiki/your_wiki_name_here`). Also configure the security section to suit your needs.
## Structure

```python
    # Security ----------------------------------------------------------
This container will expose uWSGI on port 9000. The `nginx` folder contains a
recommended web server configuration.

    # This is checked by some rather critical and potentially harmful actions,
    # like despam or PackageInstaller action:
    superuser = [u"your_name_here"]
The wiki is served from `/var/www/moin`. uWSGI runs in this directory as
`www-data`.

    # Some actions are by default only enabled for superusers and disabled
    # for everybody else.
    # 'newaccount' is one of these (used to let visitors create new accounts).
    # You can create wiki users on the shell by using "moin account create".
    # A superuser also can use "Settings" -> "Switch user" to create users.
    # If you need the newaccount action for everybody (e.g. to create your
    # very first [superuser] account), you can (temporarily) enable it:
    #actions_superuser = multiconfig.DefaultConfig.actions_superuser[:]
    #actions_superuser.remove('newaccount')
The `MoinMoin` source code is located at `/var/moin/install`, while the wiki
data is located at `/var/moin/data`.

    # IMPORTANT: grant yourself admin rights! replace YourName with
    # your user name. See HelpOnAccessControlLists for more help.
    # All acl_rights_xxx options must use unicode [Unicode]
    acl_rights_before = u"your_name_here:read,write,delete,revert,admin"

    # This is the default ACL that applies to pages without an ACL.
    # Adapt it to your needs, consider using an EditorGroup.
    acl_rights_default = u"Trusted:read,write,delete,revert Known:read,write,delete,revert All:read"

    # The default (ENABLED) password_checker will keep users from choosing too
    # short or too easy passwords. If you don't like this and your site has
    # rather low security requirements, feel free to DISABLE the checker by:
    #password_checker = None # None means "don't do any password strength checks"

    # Link spam protection for public wikis (Uncomment to enable)
    # Needs a reliable internet connection.
    #from MoinMoin.security.antispam import SecurityPolicy
```
## Setup

The web server will be accessible on port 8080.
`docker-compose.yml` is an example of how to deploy this container image. If
you want to use it, be sure to configure the location of your local wiki data.
It is currently configured to look at `/var/moin`.

In `moinmoin/wikiconfig.py`, configure the wiki name
(`s/your_wiki_name_here/My Wiki/g`) as well as your own account name
(`s/your_name_here/MyName/g`).

> If setting up a new wiki, a superuser must be created. The easiest method is
> to use the `moin` CLI tool inside the container.
> ```bash
> moin --config-dir=/var/moin/data --wiki-url=example.com account create --name=MyName --email=me@example.com --password=foobar
> ```
> As a reminder, to access a shell inside a container, try
> `docker exec -it <CONTAINER> /bin/sh`.

Start the container and connect it a web browser. The `nginx` folder contains a
recommended web server configuration, which would be accessible on port 8080.
Just be sure to edit `nginx/moinmoin.conf` and set the domain name
(`s/your_domain_here/example.com/g`).

Open the wiki in a browser, specifically to the LanguageSetup page. Follow the
on-screen instructions for installing system (i.e. underlay) pages.


## Security
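Review bot: in the quoted `moin ... account create` example, `--password=foobar` puts the superuser password on the command line, where it lands in shell history and the process list, and a reader may copy the weak value as is. Suggest a placeholder such as `--password=<PASSWORD>` plus a sentence telling the reader to change the password after first login. Also, "connect it a web browser" should read "connect to it with a web browser".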

M docker-compose.yml => docker-compose.yml +2 -2
@@ 4,7 4,7 @@ services:
    container_name: moin-nginx
    image: nginx:stable-alpine
    volumes:
      - nginx:/etc/nginx/conf.d:ro
      - ./nginx:/etc/nginx/conf.d:ro
    networks:
      - backend
    ports:


@@ 14,7 14,7 @@ services:
    container_name: moin-uwsgi
    build: .
    volumes:
      - /var/moin:/var/moin/wiki/data
      - /var/moin:/var/moin/data
    networks:
      - backend
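Review bot: the new bind mount `/var/moin:/var/moin/data` hands a host directory to a process that the README says runs as `www-data`, which the Dockerfile creates with uid and gid 82, so the host's `/var/moin` must be writable by 82:82 or the wiki cannot save pages. Suggest stating that ownership requirement next to the README sentence about configuring the location of the local wiki data.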


M moinmoin/moin.wsgi => moinmoin/moin.wsgi +1 -1
@@ 29,7 29,7 @@ import sys, os

# a2) Path of the directory where wikiconfig.py / farmconfig.py is located.
#     See wiki/config/... for some sample config files.
sys.path.insert(0, '/var/moin/wiki')
sys.path.insert(0, '/var/www/moin')
#sys.path.insert(0, '/path/to/farmconfigdir')

# b) Configuration of moin's logging

M moinmoin/uwsgi.ini => moinmoin/uwsgi.ini +2 -2
@@ 4,8 4,8 @@ gid = www-data
socket = :9000
plugin = python

chdir = /var/moin/wiki
wsgi-file = /var/moin/wiki/moin.wsgi
chdir = /var/www/moin
wsgi-file = /var/www/moin/moin.wsgi

master
workers = 3
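Review bot: `socket = :9000`, in the context above the changed paths, binds the uwsgi-protocol socket on every interface, and that protocol has no authentication of its own, so anything that can reach port 9000 talks to the application directly and bypasses nginx. The compose file keeps the service on the `backend` network, but the README's "This container will expose uWSGI on port 9000" should say that the port is not meant to be published to the host.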

M moinmoin/wikiconfig.py => moinmoin/wikiconfig.py +6 -5
@@ 48,7 48,8 @@ class Config(multiconfig.DefaultConfig):
    instance_dir = wikiconfig_dir

    # Where your own wiki pages are (make regular backups of this directory):
    data_dir = os.path.join(instance_dir, 'data', '') # path with trailing /
    #data_dir = os.path.join(instance_dir, 'data', '') # path with trailing /
    data_dir = '/var/moin/data/'

    # Where system and help pages are (you may exclude this from backup):
    data_underlay_dir = os.path.join(instance_dir, 'underlay', '') # path with trailing /
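Review bot: `data_dir = '/var/moin/data/'` is now an absolute path that is only populated when the compose volume is mounted; none of the Dockerfile lines shown in this commit create `/var/moin/data`, so running the image without that volume leaves the wiki without a data directory. Suggest creating it in the Dockerfile, owned by `www-data`, and deleting the commented-out `os.path.join(...)` line rather than keeping it next to the new value.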


@@ 65,7 66,7 @@ class Config(multiconfig.DefaultConfig):
    # Wiki identity ----------------------------------------------------

    # Site name, used by default for wiki name-logo [Unicode]
    sitename = u'Untitled Wiki'
    sitename = u'your_wiki_name_here'

    # Wiki logo. You can use an image, text or both. [Unicode]
    # For no logo or text, use '' - the default is to show the sitename.


@@ 75,7 76,7 @@ class Config(multiconfig.DefaultConfig):
    # name of entry page / front page [Unicode], choose one of those:

    # a) if most wiki content is in a single language
    #page_front_page = u"MyStartingPage"
    page_front_page = u"MyStartingPage"

    # b) if wiki content is maintained in many languages
    #page_front_page = u"FrontPage"
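Review bot: uncommenting `page_front_page = u"MyStartingPage"` changes the front page for every deployment, but the commit message does not mention it and the README's Setup steps never create or mention a page of that name. Suggest leaving the line commented out, or shipping a `your_front_page_here` style placeholder and listing it with the other substitutions in the README.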


@@ 91,7 92,7 @@ class Config(multiconfig.DefaultConfig):

    # This is checked by some rather critical and potentially harmful actions,
    # like despam or PackageInstaller action:
    #superuser = [u"YourName", ]
    superuser = [u"your_name_here", ]

    # Some actions are by default only enabled for superusers and disabled
    # for everybody else.


@@ 106,7 107,7 @@ class Config(multiconfig.DefaultConfig):
    # IMPORTANT: grant yourself admin rights! replace YourName with
    # your user name. See HelpOnAccessControlLists for more help.
    # All acl_rights_xxx options must use unicode [Unicode]
    #acl_rights_before = u"YourName:read,write,delete,revert,admin"
    acl_rights_before = u"your_name_here:read,write,delete,revert,admin"

    # This is the default ACL that applies to pages without an ACL.
    # Adapt it to your needs, consider using an EditorGroup.
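Review bot: `acl_rights_before = u"your_name_here:read,write,delete,revert,admin"` is now live, as is `superuser = [u"your_name_here", ]` in the previous hunk, so an image built without the README's `s/your_name_here/MyName/g` step grants admin and superuser rights to whoever holds an account with that literal name. Suggest keeping both lines commented out until they are edited, or having startup refuse to run while the placeholder is still present.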

M nginx/moinmoin.conf => nginx/moinmoin.conf +1 -1
@@ 8,7 8,7 @@ server {
server {
	listen      80;
	listen [::]:80;
	server_name example.com;
	server_name your_domain_here;

	location / {
		include /etc/nginx/conf.d/uwsgi_params;