simplify dockerfile

Create unreferenced security assets during container build. - appUser's password - self-signed ssl certs for East/West communication
Harrolee · Mar 31, 2024 · b28165d · b28165d
1 parent 9514fd9
commit b28165d
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 7 deletions.
diff --git a/.github/workflows/build-deploy.yml b/.github/workflows/build-deploy.yml
@@ -42,7 +42,7 @@ jobs:
           # push it to ECR so that it can
           # be deployed to ECS.
 
-          pwd && ls
-          cd api && docker build . -f cloud/Dockerfile -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest
+          cd api && docker build . -f cloud/Final.Dockerfile -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest 
           docker push $ECR_REGISTRY/$ECR_REPOSITORY --all-tags
           echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
diff --git a/api/cloud/Final.Dockerfile b/api/cloud/Final.Dockerfile
@@ -13,11 +13,15 @@ COPY ./cloud/nginx.conf /etc/nginx
 # copy built static FE to docker image
 COPY /build frontend
 
-# copy the cert in 
-COPY /sslCert /etc/nginx/certs
+# create ssl cert to encrypt requests between FE and BE
+# too careful? maybe
+RUN cd /etc/nginx/certs \ 
+    && openssl req -x509 -newkey \
+    rsa:4096 -keyout key.pem -out cert.pem \
+    -sha256 -days 365 -nodes -subj "/C=US/ST=IN/L=Indianapolis/O=BTYT/OU=clowns/CN=drive-gooder"
 
 # configure appUser
-COPY cloud/password cloud/appUser.sh cloud/appUserStart.sh ./ 
+COPY cloud/appUser.sh cloud/appUserStart.sh ./ 
 RUN chmod +x appUser.sh appUserStart.sh
 RUN ./appUser.sh
 
@@ -29,5 +33,4 @@ RUN ./appUser.sh
 
 EXPOSE 80
 EXPOSE 443
-EXPOSE 22
 CMD ["./start.sh"]
diff --git a/api/cloud/appUser.sh b/api/cloud/appUser.sh
@@ -4,9 +4,12 @@ set -e
 groupadd --gid 1010 socketWriters
 usermod -a -G socketWriters www-data
 
+pwd=$(cat /proc/sys/kernel/random/uuid)
+echo "$pwd" > password
+
 # create appUser
 # gid 1010 is socketWriters
-useradd -g 1010 -m -p $(cat password) appUser # create user with a home dir. Coqui saves models to the user's home dir
+useradd -g 1010 -m -p "$(cat password)" appUser # create user with a home dir. Coqui saves models to the user's home dir
 shred -u password
 
 # set HOME on non-login user changes for appUser: