From b1cf2fe0a1e22fa9980b5d83dcd47de8c0f6fe16 Mon Sep 17 00:00:00 2001
From: Jeff Fredrickson
Date: Thu, 13 Jul 2023 14:57:14 -0600
Subject: [PATCH 1/2] enable SSL on local dev DB; clean up local dev stack

---
 Dockerfile | 5 ----
 README.md | 4 +--
 dev/db/Dockerfile | 6 +++++
 dev/db/generate-cert.sh | 14 ++++++++++
 Dockerfile.uaadev => dev/uaa/Dockerfile | 0
 uaadev.yml => dev/uaa/uaa.yml | 0
 docker-compose.yaml | 34 ++++++++++---------------
 7 files changed, 34 insertions(+), 29 deletions(-)
 delete mode 100644 Dockerfile
 create mode 100644 dev/db/Dockerfile
 create mode 100755 dev/db/generate-cert.sh
 rename Dockerfile.uaadev => dev/uaa/Dockerfile (100%)
 rename uaadev.yml => dev/uaa/uaa.yml (100%)

diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index cb28e26d..00000000
--- a/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM python:3.10
-WORKDIR /usr/src/app
-COPY requirements*.txt .
-RUN pip install --no-cache-dir -r requirements.dev.txt -r requirements.txt
-CMD ["uvicorn", "training.main:app", "--host", "0.0.0.0", "--reload"]
diff --git a/README.md b/README.md
index f20eb67d..f871793d 100644
--- a/README.md
+++ b/README.md
@@ -31,11 +31,9 @@ npm run build:frontend
 ### Service dependencies
-This app depends on Redis to support the temporary tokens used for verification emails. It also uses PostgreSQL as a main data store. For administrator logins, the app requires an OAuth server. To start up local services:
+This app depends on a few services. For local development, these services have been neatly packaged into a Docker Compose stack. First, optionally edit `dev/uaa/uaa.yml` to create your own test user accounts (see the `scim.users` section of that file). Then to run the services:
 ```sh
-docker-compose up
-# Or to run them in the background:
 docker-compose up -d
 ```
diff --git a/dev/db/Dockerfile b/dev/db/Dockerfile
new file mode 100644
index 00000000..1ec4cf1f
--- /dev/null
+++ b/dev/db/Dockerfile
@@ -0,0 +1,6 @@
+# For best results, match version in use by cloud.gov RDS
+FROM postgres:12
+
+ADD generate-cert.sh /tmp/generate-cert.sh
+
+RUN /tmp/generate-cert.sh
diff --git a/dev/db/generate-cert.sh b/dev/db/generate-cert.sh
new file mode 100755
index 00000000..1df62419
--- /dev/null
+++ b/dev/db/generate-cert.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+echo "Generating SSL certificate..."
+
+set -euo pipefail
+
+openssl req \
+  -new -x509 -days 3650 -nodes \
+  -subj /CN=localhost \
+  -out /var/lib/postgresql/server.crt \
+  -keyout /var/lib/postgresql/server.key
+
+chown postgres:postgres /var/lib/postgresql/server.{crt,key}
+chmod 600 /var/lib/postgresql/server.{crt,key}
diff --git a/Dockerfile.uaadev b/dev/uaa/Dockerfile
similarity index 100%
rename from Dockerfile.uaadev
rename to dev/uaa/Dockerfile
diff --git a/uaadev.yml b/dev/uaa/uaa.yml
similarity index 100%
rename from uaadev.yml
rename to dev/uaa/uaa.yml
diff --git a/docker-compose.yaml b/docker-compose.yaml
index dea5d2ff..15bf7c8f 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
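Review bot: `ADD generate-cert.sh /tmp/generate-cert.sh` in dev/db/Dockerfile uses ADD for a plain local file; the explicit form is `COPY generate-cert.sh /tmp/generate-cert.sh`, and since the script is only needed during the build it could instead be bind-mounted for the RUN step so it never lands in a layer: `RUN --mount=type=bind,source=generate-cert.sh,target=/tmp/generate-cert.sh /tmp/generate-cert.sh` (needs a `# syntax=docker/dockerfile:1` first line). Either way, running the script at build time writes the server's private key into an image layer; that is tolerable for a throwaway local stack, but the image must never be pushed to a shared registry, and a comment such as `# Dev only: the TLS key generated here is baked into the image` would make that explicit. The same key-in-layer point applies to the generate-cert.sh hunk below.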
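Review bot: `set -euo pipefail` in generate-cert.sh comes after the `echo` on the third line, so strict mode should be the first statement after the shebang; move it above the echo. The certificate is issued with `-subj /CN=localhost` and no subjectAltName, which libpq accepts for `sslmode=verify-full` against localhost, but TLS clients that require a SAN will reject it; if the openssl in the postgres:12 image supports it, adding `-addext subjectAltName=DNS:localhost` to the `openssl req` call covers that.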
@@ -1,43 +1,35 @@
 version: '3.8'
+
 services:
+
   redis:
     image: redis:6.2-alpine
     ports:
       - "6379:6379"
+
   db:
-    image: postgres:12 # For best results, match version in use by cloud.gov RDS
+    build:
+      context: ./dev/db
+    command: >
+      -c ssl=on
+      -c ssl_cert_file=/var/lib/postgresql/server.crt
+      -c ssl_key_file=/var/lib/postgresql/server.key
     ports:
       - "5432:5432"
     environment:
       - POSTGRES_PASSWORD=postgres
+
   adminer:
     image: adminer
     ports:
       - "8432:8080"
     depends_on:
       - db
+
   uaa:
     build:
-      context: .
-      dockerfile: Dockerfile.uaadev
+      context: ./dev/uaa
     ports:
       - "8080:8080"
     volumes:
-      - ./uaadev.yml:/tmp/uaa/uaa/src/main/resources/uaa.yml:ro
-  # api:
-  #   build:
-  #     context: .
-  #   ports:
-  #     - "8000:8000"
-  #   volumes:
-  #     - ./:/usr/src/app
-  #   depends_on:
-  #     - redis
-  #     - db
-  # web:
-  #   build:
-  #     context: ./training-front-end
-  #   ports:
-  #     - "3000:3000"
-  #   volumes:
-  #     - ./training-front-end:/usr/src/app
+      - ./dev/uaa/uaa.yml:/tmp/uaa/uaa/src/main/resources/uaa.yml:ro

From b43de5f163fe036dc39ea674dba9b82abf6ca9e9 Mon Sep 17 00:00:00 2001
From: Jeff Fredrickson
Date: Thu, 13 Jul 2023 14:57:50 -0600
Subject: [PATCH 2/2] improve .env documentation

---
 .env_example | 56 +++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 47 insertions(+), 9 deletions(-)

diff --git a/.env_example b/.env_example
index 5567684b..82818687 100644
--- a/.env_example
+++ b/.env_example
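Review bot: `-c ssl=on` in the db service's command only makes TLS available; the pg_hba.conf the official image generates at init still accepts plain `host` connections (inferred from the stock image, verify against the initialized cluster), so a client that does not request SSL connects unencrypted and this stack does not reproduce an RDS-style forced-TLS setup. If forcing TLS is the goal, ship a pg_hba.conf with `hostssl` rules in dev/db and point the server at it with `-c hba_file=<path in container>`. Separately, `- "5432:5432"` publishes the `postgres`/`postgres` database on every host interface; `- "127.0.0.1:5432:5432"` keeps it on loopback, and the same applies to the redis, adminer and uaa port mappings.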
@@ -1,36 +1,74 @@
 # JWT secret key: For local testing, the value doesn't matter. In production,
-# this needs to be populated with a randomly generated key (see README.md).
-# This will be used to sign the JWT.
+# this needs to be populated with a randomly generated key. This will be used
+# to sign the JWT.
+#
+# Deployment TL;DR: Set this in the app's environment secrets.
+
 JWT_SECRET="something_hard_to_guess"
+
+# Log level: Customize the logging level. By default, it's INFO. This can be
+# set to any of the Python logging module's levels.
+#
+# Deployment TL;DR: Don't set this manually anywhere.
+
+# LOG_LEVEL="INFO"
+
+
 # SMTP server to use for sending emails to users. For development, you can
 # create an Ethereal account to test emails (https://ethereal.email/). In
 # production, refer to the README.md file for instructions.
+#
+# Deployment TL;DR: Set these in the app's environment variables.
+
 SMTP_SERVER="smtp-relay.gmail.com"
 SMTP_PORT=587
-# SMTP authentication: Not needed if using a trusted SMTP relay
+
+# SMTP authentication: Not needed if using a trusted SMTP relay. For local
+# development, you can set these to the username/password of the test email
+# server (e.g., Ethereal Email).
+#
+# Deployment TL;DR: Don't set these manually anywhere.
+
 # SMTP_PASSWORD="EXAMPLE"
 # SMTP_USER="EXAMPLE@ethereal.email"
-# These already have default values in config.py, but you can override them
-# here if needed.
+# Email settings: These already have default values in config.py, but you can
+# override them here if needed.
+#
+# Deployment TL;DR: Don't set these manually anywhere.
+
 # EMAIL_FROM="name@example.com"
 # EMAIL_FROM_NAME="GSA SmartPay"
 # EMAIL_SUBJECT="GSA SmartPay Training"
+
 # Datastores: For local testing, these defaults should be fine. In production,
 # these will be automatically populated from the cloud.gov VCAP_SERVICES data.
+#
+# Deployment TL;DR: Don't set these manually anywhere.
+
 REDIS_HOST="localhost"
 REDIS_PORT=6379
 REDIS_PASSWORD=""
 DB_URI="postgres://postgres:postgres@localhost:5432/postgres"
-# Base URL: The app needs to know what base URL to append to links. The default
-# is fine for local development. In production, this needs to be set to the
-# live website's URL.
+
+# Base URL: The app needs to know what base URL to append to links. In
+# production, this needs to be set to the live website's URL.
+#
+# Deployment TL;DR: Set this in the app's environment variables.
+
 BASE_URL="https://training.smartpay.gsa.gov"
-# These are configured via config.py, but you can override them here if needed.
+
+# OAuth server information. In production, AUTH_CLIENT_ID will be populated by
+# The VCAP_SERVICES data. AUTH_AUTHORITY_URL needs to be set appropriately in
+# each environment.
+#
+# Deployment TL;DR: Don't set AUTH_CLIENT_ID manually anywhere. Set
+# AUTH_AUTHORITY_URL in the app's environment variables.
+
 AUTH_CLIENT_ID="test_client_id"
 AUTH_AUTHORITY_URL="http://localhost:8080/uaa"
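Review bot: `DB_URI="postgres://postgres:postgres@localhost:5432/postgres"` under the Datastores block carries no `sslmode`, so now that the dev DB serves TLS (patch 1 of this series) whether the local app actually connects over TLS depends on the driver's default; if the point of enabling SSL locally is to exercise that path, the example should spell it out: `DB_URI="postgres://postgres:postgres@localhost:5432/postgres?sslmode=require"`. Also, the new OAuth comment continues a sentence with `# The VCAP_SERVICES data.`; it should read `# the VCAP_SERVICES data.`.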