update files to match our recent docker-compose standards

Dockerfile

@@ -3,7 +3,7 @@ FROM openjdk:8-jdk-slim as builder
 
 USER root
 
-ENV ANT_VERSION 1.10.12
+ENV ANT_VERSION 1.10.13
 ENV ANT_HOME /etc/ant-${ANT_VERSION}
 
 WORKDIR /tmp
@@ -23,9 +23,10 @@ RUN curl -L -o apache-ant-${ANT_VERSION}-bin.tar.gz http://www.apache.org/dist/a
 
 ENV PATH ${PATH}:${ANT_HOME}/bin
 
-# Comment in if you need nodejs and npm to build, e.g. if you want to 
-# self-host the web components
-# RUN curl -sL https://deb.nodesource.com/setup_14.x | bash - \
+# workaround: install OS provided nodejs and npm packages
+RUN apt-get update && apt-get install -y nodejs npm
+
+#RUN curl -sL https://deb.nodesource.com/setup_16.x | bash - \
 #     && apt-get install -y nodejs \
 #     && curl -L https://www.npmjs.com/install.sh | sh
 
@@ -34,11 +35,13 @@ FROM builder as tei
 ARG TEMPLATING_VERSION=1.1.0
 ARG PUBLISHER_LIB_VERSION=3.0.0
 ARG ROUTER_VERSION=1.8.0
+
 # replace with name of your edition repository and choose branch to build
 ARG MY_EDITION_VERSION=master
 
 # add key
-RUN  mkdir -p ~/.ssh && ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
+RUN  mkdir -p ~/.ssh && ssh-keyscan -t rsa gitlab.existsolutions.com >> ~/.ssh/known_hosts
+#RUN  mkdir -p ~/.ssh && ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
 
 # Replace git URL below to point to your git repository 
 RUN  git clone https://github.com/eeditiones/tei-publisher-app.git \
@@ -48,22 +51,12 @@ RUN  git clone https://github.com/eeditiones/tei-publisher-app.git \
     && git checkout ${MY_EDITION_VERSION} \
     && ant
 
-RUN curl -L -o /tmp/roaster-${ROUTER_VERSION}.xar http://exist-db.org/exist/apps/public-repo/public/roaster-${ROUTER_VERSION}.xar
-RUN curl -L -o /tmp/tei-publisher-lib-${PUBLISHER_LIB_VERSION}.xar http://exist-db.org/exist/apps/public-repo/public/tei-publisher-lib-${PUBLISHER_LIB_VERSION}.xar
-RUN curl -L -o /tmp/templating-${TEMPLATING_VERSION}.xar http://exist-db.org/exist/apps/public-repo/public/templating-${TEMPLATING_VERSION}.xar
-
-FROM eclipse-temurin:11-jre-alpine
-
-ARG EXIST_VERSION=6.2.0
+RUN curl -L -o /tmp/roaster-${ROUTER_VERSION}.xar https://exist-db.org/exist/apps/public-repo/public/roaster-${ROUTER_VERSION}.xar
+RUN curl -L -o /tmp/tei-publisher-lib-${PUBLISHER_LIB_VERSION}.xar https://exist-db.org/exist/apps/public-repo/public/tei-publisher-lib-${PUBLISHER_LIB_VERSION}.xar
+RUN curl -L -o /tmp/templating-${TEMPLATING_VERSION}.xar https://exist-db.org/exist/apps/public-repo/public/templating-${TEMPLATING_VERSION}.xar
 
-RUN apk add curl
+FROM duncdrum/existdb:6.2.0-debug-j8
 
-RUN curl -L -o /tmp/exist-distribution-${EXIST_VERSION}-unix.tar.bz2 https://github.com/eXist-db/exist/releases/download/eXist-${EXIST_VERSION}/exist-distribution-${EXIST_VERSION}-unix.tar.bz2 \
-    && tar xfj /tmp/exist-distribution-${EXIST_VERSION}-unix.tar.bz2 -C /tmp \
-    && rm /tmp/exist-distribution-${EXIST_VERSION}-unix.tar.bz2 \
-    && mv /tmp/exist-distribution-${EXIST_VERSION} /exist
-
-# replace my-edition with name of your app
 COPY --from=tei /tmp/tei-publisher-app/build/*.xar /exist/autodeploy/
 COPY --from=tei /tmp/*.xar /exist/autodeploy/
 
@@ -74,26 +67,33 @@ ARG ADMIN_PASS=none
 ARG HTTP_PORT=8080
 ARG HTTPS_PORT=8443
 
-ENV NER_ENDPOINT=http://localhost:8001
-ENV CONTEXT_PATH=auto
-ENV PROXY_CACHING=false
-
-ENV JAVA_OPTS \
-    -Djetty.port=${HTTP_PORT} \
-    -Djetty.ssl.port=${HTTPS_PORT} \
-    -Dfile.encoding=UTF8 \
-    -Dsun.jnu.encoding=UTF-8 \
-    -XX:+UseG1GC \
-    -XX:+UseStringDeduplication \
-    -XX:+UseContainerSupport \
-    -XX:MaxRAMPercentage=${JVM_MAX_RAM_PERCENTAGE:-75.0} \ 
-    -XX:+ExitOnOutOfMemoryError
+ARG NER_ENDPOINT=http://localhost:8001
+ARG CONTEXT_PATH=auto
+ARG PROXY_CACHING=false
+
+ENV JAVA_TOOL_OPTIONS \
+  -Dfile.encoding=UTF8 \
+  -Dsun.jnu.encoding=UTF-8 \
+  -Djava.awt.headless=true \
+  -Dorg.exist.db-connection.cacheSize=${CACHE_MEM:-256}M \
+  -Dorg.exist.db-connection.pool.max=${MAX_BROKER:-20} \
+  -Dlog4j.configurationFile=/exist/etc/log4j2.xml \
+  -Dexist.home=/exist \
+  -Dexist.configurationFile=/exist/etc/conf.xml \
+  -Djetty.home=/exist \
+  -Dexist.jetty.config=/exist/etc/jetty/standard.enabled-jetty-configs \
+  -Dteipublisher.ner-endpoint=${NER_ENDPOINT} \
+  -Dteipublisher.context-path=${CONTEXT_PATH} \
+  -Dteipublisher.proxy-caching=${PROXY_CACHING} \
+  -XX:+UseG1GC \
+  -XX:+UseStringDeduplication \
+  -XX:+UseContainerSupport \
+  -XX:MaxRAMPercentage=${JVM_MAX_RAM_PERCENTAGE:-75.0} \
+  -XX:+ExitOnOutOfMemoryError
 
 # pre-populate the database by launching it once
-RUN bin/client.sh -l --no-gui --xpath "system:get-version()"
-
-RUN if [ "${ADMIN_PASS}" != "none" ]; then bin/client.sh -l --no-gui --xpath "sm:passwd('admin', '${ADMIN_PASS}')"; fi
-
-EXPOSE ${HTTP_PORT}
+#RUN bin/client.sh -l --no-gui --xpath "system:get-version()"
+#RUN if [ "${ADMIN_PASS}" != "none" ]; then bin/client.sh -l --no-gui --xpath "sm:passwd('admin', '${ADMIN_PASS}')"; fi
+RUN [ "java", "org.exist.start.Main", "client", "--no-gui",  "-l", "-u", "admin", "-P", "" ]
 
-ENTRYPOINT JAVA_OPTS="${JAVA_OPTS} -Dteipublisher.ner-endpoint=${NER_ENDPOINT} -Dteipublisher.context-path=${CONTEXT_PATH}" /exist/bin/startup.sh
+EXPOSE ${HTTP_PORT} ${HTTPS_PORT}

certbot-renew.sh

@@ -1,13 +1,55 @@
 #!/bin/sh
+
+# renew at this many days left before a cert will expire
+MAXDAYS=30
+
+# comment out for mostly silent behavior
+#VERBOSE=yes
+
+BASEDIR=./certbot/conf/live
+
+
+num_found=0
+num_renew=0
+maxsecs=$(( MAXDAYS * 86400 ))
+
 cd $(dirname "$0")
-CERTFILE=./certbot/conf/live/example.com/cert.pem
-MAXDAYS=10
 
-# if cert expires in 10 days or less, run docker action
-if ! openssl x509 -in $CERTFILE -checkend $(( MAXDAYS * 86400 )) >/dev/null
+checkcert() {
+    local _dnsname=$1
+    local _file=${BASEDIR}/${_dnsname}/cert.pem
+
+    [ -n $VERBOSE ] && echo "Checking cert $_dnsname (file $_file) ..."
+    if ! openssl x509 -in $_file -checkend $maxsecs >/dev/null
+    then
+	num_renew=$((num_renew + 1))
+	echo "Certificate for $_dnsname is near expiry date!"
+    else
+	[ -n $VERBOSE ] && echo "Certificate $_dnsname still valid."
+    fi
+    num_found=$((num_found + 1))
+}
+
+for d in $BASEDIR/*; do
+    [ -d $d ] && [ -f $d/cert.pem ] && checkcert ${d#${BASEDIR}/}
+done
+
+# warn and exit if no certs found
+if [ $num_found -eq 0 ]
+then
+    echo "WARNING: no certificates found for renewal check!"
+    exit 1
+fi
+
+# if any cert expires in $MAXDAYS days or less, run certbot renew action
+if [ $num_renew -gt 0 ]
 then
+    echo "Renewing $num_renew certificates ..."
     docker compose run --rm certbot renew
     docker compose restart frontend
+    chmod +x ${BASEDIR}
+    chmod +x ${BASEDIR}/../archive/
+    chmod -R +r ${BASEDIR}/../archive/
 else
-    echo "Certificate still valid"
+    [ -n $VERBOSE ] && echo "Certificate(s) still valid"
 fi

conf/default.conf → conf/default.conf.off

@@ -14,7 +14,7 @@ server {
     proxy_set_header   Host $host;
     proxy_set_header   X-Real-IP $remote_addr;
     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header   X-Forwarded-Host $host;
+    proxy_set_header   X-Forwarded-Host $server_name;
     proxy_cookie_path /exist /;
     client_max_body_size  512m;
   }
@@ -25,8 +25,8 @@ server {
     proxy_set_header   Host $host;
     proxy_set_header   X-Real-IP $remote_addr;
     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header   X-Forwarded-Host $host;
+    proxy_set_header   X-Forwarded-Host $server_name;
     proxy_cookie_path /exist /;
     client_max_body_size  512m;
   }
-}
+}

conf/upstream.conf

@@ -0,0 +1,4 @@
+# change name of upstream server below to something unique
+upstream docker-publisher {
+  server publisher:8080 fail_timeout=0;
+}

conf/workshop.tei-publisher.com.conf

@@ -0,0 +1,44 @@
+# Configuration for TEI Publisher with virtual host and SSL
+
+server {
+  listen 80;
+  listen [::]:80;
+
+  listen 443 ssl;
+  listen [::]:443 ssl;
+
+  server_name workshop.tei-publisher.com;
+  server_tokens off;
+
+  ssl_certificate /etc/nginx/ssl/live/${server_name}/fullchain.pem;
+  ssl_certificate_key /etc/nginx/ssl/live/${server_name}/privkey.pem;
+
+  # Required by letsencrypt certbot to acquire certificate
+  location /.well-known/acme-challenge/ {
+    root /var/www/certbot;
+  }
+
+  location / {
+    client_max_body_size 512m;
+    proxy_cookie_path /exist /;
+    #proxy_pass http://docker-publisher/exist/apps/tei-publisher$request_uri;
+    #proxy_redirect http://$host/exist/apps/tei-publisher/ /;
+    proxy_pass http://docker-publisher$request_uri;
+    proxy_redirect http://$host/ /;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Host $server_name;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_ssl_server_name on;
+
+    #location /exist/apps/eXide {
+    #  allow 127.0.0.1;
+    #  allow ::1;
+    #  allow 192.168.0.0/16;
+    #  allow 172.16.0.0/12;
+    #  deny all;
+    #  proxy_pass http://docker-publisher;
+    #  proxy_redirect off;
+    #}
+  }
+}

docker-compose.yml

@@ -5,10 +5,10 @@ services:
       CONTEXT_PATH: "" # TEI Publisher will be mapped to the root of the website
       PROXY_CACHING: false
     build:
-      context: .
+      context: github.com/eeditiones/tei-publisher-app.git#master
       dockerfile: Dockerfile
     # comment in to automatically restart:
-    # restart: always
+    restart: always
     volumes:
       # database files will be stored in a volume to avoid data loss
       # when the service is updated