


James Edington
21fe97fa16 Saner TOTP provisioning
A user's e-mail address may be fluid, and the site "instance name"
may be strange or change regularly. There's no reason to use these
over the user's stable ID and the site's stable hostname for TOTP
parameters. Even if the system is built to TOLERATE changes (as it
is -- I tested it), it seems much more elegant to have these parameters
as stable identifiers.
2022-03-15 12:56:27 -05:00
7 changed files with 24 additions and 94 deletions


@ -7,8 +7,5 @@ COPYING
elixir_buildpack.config
test/
uploads/
postgres/
# Required to get version
!.git


@ -17,9 +17,6 @@ FROM alpine:3.11
ARG BUILD_DATE
ARG VCS_REF
ARG UID=911
ARG GID=911
LABEL maintainer="ops@pleroma.social" \
org.opencontainers.image.title="pleroma" \
org.opencontainers.image.description="Pleroma for Docker" \
@ -35,9 +32,9 @@ ARG HOME=/opt/pleroma
ARG DATA=/var/lib/pleroma
RUN echo "http://nl.alpinelinux.org/alpine/latest-stable/community" >> /etc/apk/repositories &&\
apk update --allow-untrusted &&\
apk update &&\
apk add exiftool ffmpeg imagemagick libmagic ncurses postgresql-client &&\
adduser --system --shell /bin/false -u $UID -g $GID --home ${HOME} pleroma &&\
adduser --system --shell /bin/false --home ${HOME} pleroma &&\
mkdir -p ${DATA}/uploads &&\
mkdir -p ${DATA}/static &&\
chown -R pleroma ${DATA} &&\
@ -47,10 +44,10 @@ RUN echo "http://nl.alpinelinux.org/alpine/latest-stable/community" >> /etc/apk/
USER pleroma
COPY --from=build --chown=pleroma:0 /release ${HOME}
ENV PATH="${HOME}/bin:${PATH}"
COPY ./config/docker.exs /etc/pleroma/config.exs
COPY ./docker-entrypoint.sh ${HOME}
EXPOSE 4000
CMD ["pleroma", "start"]
ENTRYPOINT ["/opt/pleroma/docker-entrypoint.sh"]
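Review bot: The new `adduser --system --shell /bin/false --home ${HOME} pleroma` no longer pins the numeric uid, so the id of the `pleroma` user becomes whatever the image's adduser allocates at build time, and the data directories created and chowned a few lines later (`${DATA}/uploads`, `${DATA}/static`) end up with an owner that operators mounting them from the host can neither predict nor set through a build arg. Dropping `-g $GID` is defensible on its own since busybox's adduser treats `-g` as the GECOS field rather than a gid, but the uid should stay parameterised: `adduser --system --shell /bin/false -u $UID --home ${HOME} pleroma`, or, if the `ARG UID`/`ARG GID` lines are among the three the first hunk removes (the rendering does not show which), a comment next to `chown -R pleroma ${DATA}` stating the fixed uid operators should expect. The literal `/opt/pleroma` in the new `ENTRYPOINT` is required because the exec form does not expand `${HOME}`; a one-line comment saying so, `# exec-form ENTRYPOINT does not expand ${HOME}; keep in sync with ARG HOME`, would keep someone from "fixing" it later.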


@ -15,7 +15,7 @@ config :pleroma, :instance,
config :pleroma, Pleroma.Repo,
adapter: Ecto.Adapters.Postgres,
username: System.get_env("DB_USER", "pleroma"),
password: System.get_env("DB_PASS", nil),
password: System.fetch_env!("DB_PASS"),
database: System.get_env("DB_NAME", "pleroma"),
hostname: System.get_env("DB_HOST", "db"),
pool_size: 10
@ -26,10 +26,9 @@ config :web_push_encryption, :vapid_details, subject: "mailto:#{System.get_env("
config :pleroma, :database, rum_enabled: false
config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
config :pleroma, configurable_from_database: true
# We can't store the secrets in this file, since this is baked into the docker image
if not File.exists?("/var/lib/pleroma/config/secret.exs") do
if not File.exists?("/var/lib/pleroma/secret.exs") do
secret = :crypto.strong_rand_bytes(64) |> Base.encode64() |> binary_part(0, 64)
signing_salt = :crypto.strong_rand_bytes(8) |> Base.encode64() |> binary_part(0, 8)
{web_push_public_key, web_push_private_key} = :crypto.generate_key(:ecdh, :prime256v1)
@ -53,10 +52,10 @@ if not File.exists?("/var/lib/pleroma/config/secret.exs") do
web_push_private_key: Base.url_encode64(web_push_private_key, padding: false)
)
File.write("/var/lib/pleroma/config/secret.exs", secret_file)
File.write("/var/lib/pleroma/secret.exs", secret_file)
end
import_config("/var/lib/pleroma/config/secret.exs")
import_config("/var/lib/pleroma/secret.exs")
# For additional user config
if File.exists?("/var/lib/pleroma/config.exs"),
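Review bot: `File.write("/var/lib/pleroma/secret.exs", secret_file)` persists the freshly generated `secret`, `signing_salt` and web-push key pair with the process's default file mode and discards the result; if the directory is not writable, the `import_config` on the next line fails with a file-not-found error that hides the real cause, and if it is writable the secrets file is readable by any other uid in the container under the usual umask. I would write it as `File.write!("/var/lib/pleroma/secret.exs", secret_file)` followed by `File.chmod!("/var/lib/pleroma/secret.exs", 0o600)`. Moving the file from `/var/lib/pleroma/config/secret.exs` to `/var/lib/pleroma/secret.exs` also means a deployment that persisted only the old `config` directory will regenerate all of these secrets on its next start (presumably invalidating existing sessions and web-push subscriptions), since the `File.exists?` guard in the second hunk now checks the new path only; that deserves a line in the commit message or a one-time fallback to the old path. The last hunk's `if File.exists?("/var/lib/pleroma/config.exs")` continues past this excerpt.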


@ -1,77 +0,0 @@
version: '3'
services:
web:
build: .
image: pleroma/pleroma
restart: always
# env_file: .env.production
networks:
- external_network
- internal_network
healthcheck:
test: ["CMD", "curl", "-s", "-f", "--noproxy", "localhost:4000", "localhost:4000/health"]
ports:
- "127.0.0.1:4000:4000"
depends_on:
- db
# - es
volumes:
- ./uploads:/var/lib/pleroma/uploads
- ./config:/var/lib/pleroma/config
db:
restart: always
image: postgres:14-alpine
# shm_size: 256mb
networks:
- internal_network
healthcheck:
test: ["CMD", "pg_isready", "-U", "postgres"]
volumes:
- ./postgres:/var/lib/postgresql/data
environment:
- "POSTGRES_HOST_AUTH_METHOD=trust"
## https://coffee-and-dreams.uk/tutorials/2021/12/15/integrating-elasticsearch-with-pleroma.html
## https://git.pleroma.social/pleroma/pleroma/-/issues/1331
# es:
# restart: always
# image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
# environment:
# - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
# - "cluster.name=es-pleroma"
# - "discovery.type=single-node"
# - "bootstrap.memory_lock=true"
# networks:
# - internal_network
# healthcheck:
# test: ["CMD", "curl", "-s", "-f", "localhost:9200/_cluster/health"]
# volumes:
# - ./elasticsearch:/usr/share/elasticsearch/data
# ulimits:
# memlock:
# soft: -1
# hard: -1
## Uncomment to enable federation with tor instances along with adding the following ENV variables
## http_proxy=http://privoxy:8118
## ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
# tor:
# image: sirboops/tor
# networks:
# - external_network
# - internal_network
#
# privoxy:
# image: sirboops/privoxy
# volumes:
# - ./priv-config:/opt/config
# networks:
# - external_network
# - internal_network
networks:
external_network:
internal_network:
internal: true

14
docker-entrypoint.sh Executable file

@ -0,0 +1,14 @@
#!/bin/ash
set -e
echo "-- Waiting for database..."
while ! pg_isready -U ${DB_USER:-pleroma} -d postgres://${DB_HOST:-db}:5432/${DB_NAME:-pleroma} -t 1; do
sleep 1s
done
echo "-- Running migrations..."
$HOME/bin/pleroma_ctl migrate
echo "-- Starting!"
exec $HOME/bin/pleroma start
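Review bot: The expansions in the `pg_isready` line and in the two `$HOME/bin/...` invocations are unquoted, so a `DB_HOST`, `DB_NAME` or `HOME` value containing whitespace or glob characters is word-split before the command runs, and under `set -e` that shows up as an opaque failure rather than the intended value. Quoting them is enough: `while ! pg_isready -U "${DB_USER:-pleroma}" -d "postgres://${DB_HOST:-db}:5432/${DB_NAME:-pleroma}" -t 1; do`, `"$HOME/bin/pleroma_ctl" migrate` and `exec "$HOME/bin/pleroma" start`. The wait loop has no upper bound, so a wrong `DB_HOST` leaves the container looping after a single "Waiting for database..." line; whether that is preferable to exiting and letting the orchestrator's restart policy take over is a deployment choice worth stating in a comment. `pleroma_ctl migrate` also runs unconditionally on every start, which is fine for one instance but would race if several replicas started against the same database — presumably not the intended topology, but a comment saying so would help.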


@ -34,7 +34,7 @@ defmodule Pleroma.MFA.TOTP do
defp default_digits, do: Config.get(@config_ns ++ [:digits])
defp default_issuer,
do: Config.get(@config_ns ++ [:issuer], Config.get([:instance, :name]))
do: Config.get(@config_ns ++ [:issuer], Config.get([:instance, :host]))
@doc "Creates a random Base 32 encoded string"
def generate_secret do
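Review bot: The new fallback reads `Config.get([:instance, :host])`, but no `:host` key under `:instance` is set anywhere in this change, and the instance hostname is normally configured on the endpoint rather than under `:instance`; if the key is absent, `Config.get/2` returns `nil` and every provisioning URI without an explicitly configured issuer is built with a `nil` issuer, which is the field authenticator apps display (how `provisioning_uri/2` renders `nil` is outside this hunk). Unless this deployment defines that key, I would take the default from the endpoint instead, e.g. `do: Config.get(@config_ns ++ [:issuer], Pleroma.Web.Endpoint.host())`, assuming `Pleroma.Web.Endpoint` is the endpoint module here. Either way a short comment on the fallback, `# issuer defaults to the instance hostname, which is stable unlike :instance, :name`, would record the intent stated in the commit message. `default_issuer/0` is complete in this hunk; the module continues on both sides.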


@ -41,7 +41,7 @@ defmodule Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController do
def setup(%{assigns: %{user: user}} = conn, %{"method" => "totp"} = _params) do
with {:ok, user} <- MFA.setup_totp(user),
%{secret: secret} = _ <- user.multi_factor_authentication_settings.totp do
provisioning_uri = TOTP.provisioning_uri(secret, "#{user.email}")
provisioning_uri = TOTP.provisioning_uri(secret, "#{user.ap_id}")
json(conn, %{provisioning_uri: provisioning_uri, key: secret})
else