From 60a1ffe060774247a82aebdb06e01c490a67930a Mon Sep 17 00:00:00 2001 From: Dominic Ricottone Date: Fri, 13 Nov 2020 16:10:02 -0500 Subject: [PATCH] restructured container for security, readability; re-wrote documentation --- Dockerfile | 30 ++++++++++--------- README.md | 68 +++++++++++++++++++----------------------- docker-compose.yml | 4 +-- moinmoin/moin.wsgi | 2 +- moinmoin/uwsgi.ini | 4 +-- moinmoin/wikiconfig.py | 11 +++---- nginx/moinmoin.conf | 2 +- 7 files changed, 59 insertions(+), 62 deletions(-) diff --git a/Dockerfile b/Dockerfile index cd41b05..3deefd8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,22 +1,24 @@ - -# Alpine Linux removed uwsgi-python in v3.11 +# NOTE: Alpine Linux removed uwsgi-python in v3.11, so using v3.10 forever FROM alpine:3.10 RUN apk add python uwsgi uwsgi-python +RUN addgroup -S -g 82 www-data \ + && adduser -S -u 82 -D -h /var/www -s /sbin/nologin www-data -COPY build/moin-1.9.11/setup.py /var/moin/install -COPY build/moin-1.9.11/wiki /var/moin/wiki -COPY moinmoin/* /var/moin/wiki/ - -# rhtml plugin -#COPY rhtml/rhtml.py /var/moin/wiki/data/plugin/parser/rhtml.py +# install `MoinMoin` python package +RUN mkdir /var/moin +COPY --chown=www-data:www-data build/moin-1.9.11 /var/moin/install +RUN cd /var/moin/install && python setup.py install -RUN find /var/moin -type d -exec chmod 775 {} \; \ - && find /var/moin -type f -exec chmod 664 {} \; \ - && chown www-data:www-data /var/moin -R -RUN cd /var/moin/install && python setup.py install --record=install.log +# setup wiki +RUN mkdir /var/www/moin \ + && cp /usr/share/moin/server /var/www/moin/ -r \ + && cp /usr/share/moin/underlay /var/www/moin/ -r \ + && chown www-data:www-data /var/www/moin -R +COPY --chown=www-data:www-data moinmoin/* /var/www/moin/ EXPOSE 9000 -WORKDIR /var/moin -CMD /usr/sbin/uwsgi --ini /var/moin/uwsgi.ini +WORKDIR /var/www/moin +ENTRYPOINT ["/usr/sbin/uwsgi"] +CMD ["--ini", "/var/www/moin/uwsgi.ini"] 
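Review bot: The final `COPY --chown=www-data:www-data moinmoin/* /var/www/moin/` leaves `wikiconfig.py`, `moin.wsgi` and `uwsgi.ini` owned by the same account the wiki runs as, so a flaw in the wiki process could rewrite the Python and uWSGI settings it loads on the next start. Only the data volume needs to be writable by www-data, and the `underlay` copy probably does too for the LanguageSetup step the README describes. The config files can stay root-owned and read-only by using `COPY moinmoin/* /var/www/moin/` without `--chown`. The image also has no `USER` line, so the container starts as root and the privilege drop depends entirely on the uid/gid settings in `uwsgi.ini`. Port 9000 needs no root, so `USER www-data` before the `ENTRYPOINT` would be worth trying.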
diff --git a/README.md b/README.md
index 8281382..1d30e67 100644
--- a/README.md
+++ b/README.md
@@ -3,49 +3,43 @@ Deploy a moinmoin wiki using Docker. -## Setup - -In `nginx/moinmoin.conf`, configure the server name (`s/example.com/your_domain_name_here/g`). - -In `moinmoin/wikiconfig.py`, configure the wiki name (`s/Untitled Wiki/your_wiki_name_here`). Also configure the security section to suit your needs. +## Structure -```python - # Security ---------------------------------------------------------- +This container will expose uWSGI on port 9000. The `nginx` folder contains a +recommended web server configuration. - # This is checked by some rather critical and potentially harmful actions, - # like despam or PackageInstaller action: - superuser = [u"your_name_here"] +The wiki is served from `/var/www/moin`. uWSGI runs in this directory as +`www-data`. - # Some actions are by default only enabled for superusers and disabled - # for everybody else. - # 'newaccount' is one of these (used to let visitors create new accounts). - # You can create wiki users on the shell by using "moin account create". - # A superuser also can use "Settings" -> "Switch user" to create users. - # If you need the newaccount action for everybody (e.g. to create your - # very first [superuser] account), you can (temporarily) enable it: - #actions_superuser = multiconfig.DefaultConfig.actions_superuser[:] - #actions_superuser.remove('newaccount') +The `MoinMoin` source code is located at `/var/moin/install`, while the wiki +data is located at `/var/moin/data`. - # IMPORTANT: grant yourself admin rights! replace YourName with - # your user name. See HelpOnAccessControlLists for more help. - # All acl_rights_xxx options must use unicode [Unicode] - acl_rights_before = u"your_name_here:read,write,delete,revert,admin" - # This is the default ACL that applies to pages without an ACL. - # Adapt it to your needs, consider using an EditorGroup. 
- acl_rights_default = u"Trusted:read,write,delete,revert Known:read,write,delete,revert All:read" - - # The default (ENABLED) password_checker will keep users from choosing too - # short or too easy passwords. If you don't like this and your site has - # rather low security requirements, feel free to DISABLE the checker by: - #password_checker = None # None means "don't do any password strength checks" - - # Link spam protection for public wikis (Uncomment to enable) - # Needs a reliable internet connection. - #from MoinMoin.security.antispam import SecurityPolicy -``` +## Setup -The web server will be accessible on port 8080. +`docker-compose.yml` is an example of how to deploy this container image. If +you want to use it, be sure to configure the location of your local wiki data. +It is currently configured to look at `/var/moin`. + +In `moinmoin/wikiconfig.py`, configure the wiki name +(`s/your_wiki_name_here/My Wiki/g`) as well as your own account name +(`s/your_name_here/MyName/g`). + +> If setting up a new wiki, a superuser must be created. The easiest method is +> to use the `moin` CLI tool inside the container. +> ```bash +> moin --config-dir=/var/moin/data --wiki-url=example.com account create --name=MyName --email=me@example.com --password=foobar +> ``` +> As a reminder, to access a shell inside a container, try +> `docker exec -it /bin/sh`. + +Start the container and connect it a web browser. The `nginx` folder contains a +recommended web server configuration, which would be accessible on port 8080. +Just be sure to edit `nginx/moinmoin.conf` and set the domain name +(`s/your_domain_here/example.com/g`). + +Open the wiki in a browser, specifically to the LanguageSetup page. Follow the +on-screen instructions for installing system (i.e. underlay) pages. ## Security diff --git a/docker-compose.yml b/docker-compose.yml index 86d1323..0fe4df4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -4,7 +4,7 @@ services: container_name: moin-nginx image: nginx:stable-alpine volumes: - - nginx:/etc/nginx/conf.d:ro + - ./nginx:/etc/nginx/conf.d:ro networks: - backend ports: @@ -14,7 +14,7 @@ services: container_name: moin-uwsgi build: . volumes: - - /var/moin:/var/moin/wiki/data + - /var/moin:/var/moin/data networks: - backend diff --git a/moinmoin/moin.wsgi b/moinmoin/moin.wsgi index f30fa1f..d8c4727 100644 --- a/moinmoin/moin.wsgi +++ b/moinmoin/moin.wsgi @@ -29,7 +29,7 @@ import sys, os # a2) Path of the directory where wikiconfig.py / farmconfig.py is located. # See wiki/config/... for some sample config files. -sys.path.insert(0, '/var/moin/wiki') +sys.path.insert(0, '/var/www/moin') #sys.path.insert(0, '/path/to/farmconfigdir') # b) Configuration of moin's logging diff --git a/moinmoin/uwsgi.ini b/moinmoin/uwsgi.ini index b18370a..86da696 100644 --- a/moinmoin/uwsgi.ini +++ b/moinmoin/uwsgi.ini @@ -4,8 +4,8 @@ gid = www-data socket = :9000 plugin = python -chdir = /var/moin/wiki -wsgi-file = /var/moin/wiki/moin.wsgi +chdir = /var/www/moin +wsgi-file = /var/www/moin/moin.wsgi master workers = 3 diff --git a/moinmoin/wikiconfig.py b/moinmoin/wikiconfig.py index 6ac03b9..5549771 100644 --- a/moinmoin/wikiconfig.py +++ b/moinmoin/wikiconfig.py @@ -48,7 +48,8 @@ class Config(multiconfig.DefaultConfig): instance_dir = wikiconfig_dir # Where your own wiki pages are (make regular backups of this directory): - data_dir = os.path.join(instance_dir, 'data', '') # path with trailing / + #data_dir = os.path.join(instance_dir, 'data', '') # path with trailing / + data_dir = '/var/moin/data/' # Where system and help pages are (you may exclude this from backup): data_underlay_dir = os.path.join(instance_dir, 'underlay', '') # path with trailing / 
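Review bot: The bind mount `- /var/moin:/var/moin/data` in the second hunk carries no comment on the ownership the host directory needs. The Dockerfile in this commit creates www-data with uid/gid 82, and the image no longer chowns the data path, so the host `/var/moin` has to be writable by that numeric id. A comment above the volume line, such as `# host dir must be owned by uid/gid 82 (www-data in the image); do not make it world-writable`, would steer operators away from loosening permissions to get past a write error. The `volumes:` entry belongs to a service block that continues outside the hunk.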
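Review bot: The previous `data_dir` assignment is left in the `@@ -48,7 +48,8 @@` hunk as a commented-out line directly above the new hard-coded one, which reads as an unfinished edit. I would delete the dead line and explain why the path is absolute, e.g. `# Bind-mounted volume (see docker-compose.yml); kept outside instance_dir so wiki data does not live next to the served code`. The stated reason is inferred from the compose and Dockerfile changes in this commit, so adjust the wording if the intent differs. The `Config` class body starts and ends outside the hunk.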
@@ -65,7 +66,7 @@ class Config(multiconfig.DefaultConfig): # Wiki identity ---------------------------------------------------- # Site name, used by default for wiki name-logo [Unicode] - sitename = u'Untitled Wiki' + sitename = u'your_wiki_name_here' # Wiki logo. You can use an image, text or both. [Unicode] # For no logo or text, use '' - the default is to show the sitename. @@ -75,7 +76,7 @@ class Config(multiconfig.DefaultConfig): # name of entry page / front page [Unicode], choose one of those: # a) if most wiki content is in a single language - #page_front_page = u"MyStartingPage" + page_front_page = u"MyStartingPage" # b) if wiki content is maintained in many languages #page_front_page = u"FrontPage" @@ -91,7 +92,7 @@ class Config(multiconfig.DefaultConfig): # This is checked by some rather critical and potentially harmful actions, # like despam or PackageInstaller action: - #superuser = [u"YourName", ] + superuser = [u"your_name_here", ] # Some actions are by default only enabled for superusers and disabled # for everybody else. @@ -106,7 +107,7 @@ class Config(multiconfig.DefaultConfig): # IMPORTANT: grant yourself admin rights! replace YourName with # your user name. See HelpOnAccessControlLists for more help. # All acl_rights_xxx options must use unicode [Unicode] - #acl_rights_before = u"YourName:read,write,delete,revert,admin" + acl_rights_before = u"your_name_here:read,write,delete,revert,admin" # This is the default ACL that applies to pages without an ACL. # Adapt it to your needs, consider using an EditorGroup. diff --git a/nginx/moinmoin.conf b/nginx/moinmoin.conf index 76a4de5..3828502 100644 --- a/nginx/moinmoin.conf +++ b/nginx/moinmoin.conf @@ -8,7 +8,7 @@ server { server { listen 80; listen [::]:80; - server_name example.com; + server_name your_domain_here; location / { include /etc/nginx/conf.d/uwsgi_params; -- 2.45.2
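Review bot: Un-commenting `superuser = [u"your_name_here", ]` in the `@@ -91` hunk, and `acl_rights_before = u"your_name_here:read,write,delete,revert,admin"` in the `@@ -106` hunk, ships a config that grants superuser and admin rights to a literal placeholder account name if the operator skips the README's search-and-replace step. The config comments quoted in the README text this commit removes suggest temporarily enabling `newaccount` for everybody, and during that window the placeholder name could be registered by someone other than the operator. It is safer to fail closed: leave both lines commented out as before (`#superuser = [u"YourName", ]`) so an unedited config has no privileged account. The README can then tell the operator to uncomment them once the real name is filled in. Both settings sit in the `Config` class body, which starts and ends outside these hunks.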