From e83ea269ae832c15b92afc0e9f9b700068721a83 Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Thu, 9 Jul 2020 15:07:39 +0200
Subject: [PATCH] Changed: initial revamp with passbolt debian package

---
 Dockerfile | 89 +++++++--------------------------------
 bin/docker-entrypoint.sh | 22 +++++-----
 docker-compose.yml | 2 +-
 3 files changed, 26 insertions(+), 87 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 5797e7a..b39e323 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,84 +1,23 @@
-FROM php:7.3.16-fpm
+FROM debian:buster-slim
 LABEL maintainer="Passbolt SA "
 
-ARG PASSBOLT_VERSION="2.12.1"
-ARG PASSBOLT_URL="https://github.com/passbolt/passbolt_api/archive/v${PASSBOLT_VERSION}.tar.gz"
-ARG PASSBOLT_CURL_HEADERS=""
+ENV PASSBOLT_PKG_KEY=0xDE8B853FC155581D
+ENV PASSBOLT_PKG=passbolt-ce-server
 
-ARG PHP_EXTENSIONS="gd \
- intl \
- pdo_mysql \
- opcache \
- xsl"
-
-ARG PECL_PASSBOLT_EXTENSIONS="gnupg \
- redis \
- mcrypt"
-
-ARG PASSBOLT_DEV_PACKAGES="libgpgme11-dev \
- libpng-dev \
- libjpeg62-turbo-dev \
- libicu-dev \
- libxslt1-dev \
- libmcrypt-dev \
- unzip"
-
-ARG PASSBOLT_BASE_PACKAGES="nginx \
- gnupg \
- libgpgme11 \
- libmcrypt4 \
- mariadb-client \
- supervisor \
- cron"
-
-ENV PECL_BASE_URL="https://pecl.php.net/get"
-ENV PHP_EXT_DIR="/usr/src/php/ext"
-
-WORKDIR /var/www/passbolt
 
 RUN apt-get update \
- && apt-get -y install --no-install-recommends \
- $PASSBOLT_DEV_PACKAGES \
- $PASSBOLT_BASE_PACKAGES \
- && mkdir /home/www-data \
- && chown -R www-data:www-data /home/www-data \
- && usermod -d /home/www-data www-data \
- && docker-php-source extract \
- && for i in $PECL_PASSBOLT_EXTENSIONS; do \
- mkdir $PHP_EXT_DIR/$i; \
- curl -sSL $PECL_BASE_URL/$i | tar zxf - -C $PHP_EXT_DIR/$i --strip-components 1; \
- done \
- && docker-php-ext-configure gd --with-jpeg-dir=/usr/include/ \
- && docker-php-ext-install -j4 $PHP_EXTENSIONS $PECL_PASSBOLT_EXTENSIONS \
- && docker-php-ext-enable $PHP_EXTENSIONS $PECL_PASSBOLT_EXTENSIONS \
- && docker-php-source delete \
- && EXPECTED_SIGNATURE=$(curl -s https://composer.github.io/installer.sig) \
- && curl -o composer-setup.php https://getcomposer.org/installer \
- && ACTUAL_SIGNATURE=$(php -r "echo hash_file('SHA384', 'composer-setup.php');") \
- && if [ "$EXPECTED_SIGNATURE" != "$ACTUAL_SIGNATURE" ]; then \
- >&2 echo 'ERROR: Invalid installer signature'; \
- rm composer-setup.php; \
- exit 1; \
- fi \
- && php composer-setup.php \
- && mv composer.phar /usr/local/bin/composer \
- && rm composer-setup.php \
- && curl -sSL -H "$PASSBOLT_CURL_HEADERS" "$PASSBOLT_URL" | tar zxf - -C . --strip-components 1 \
- && composer install -n --no-dev --optimize-autoloader \
- && chown -R www-data:www-data . \
- && chmod 775 $(find /var/www/passbolt/tmp -type d) \
- && chmod 664 $(find /var/www/passbolt/tmp -type f) \
- && chmod 775 $(find /var/www/passbolt/webroot/img/public -type d) \
- && chmod 664 $(find /var/www/passbolt/webroot/img/public -type f) \
- && rm /etc/nginx/sites-enabled/default \
- && apt-get purge -y --auto-remove $PASSBOLT_DEV_PACKAGES \
- && rm -rf /var/lib/apt/lists/* \
- && rm /usr/local/bin/composer \
- && echo 'php_flag[expose_php] = off' > /usr/local/etc/php-fpm.d/expose.conf \
- && sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf \
- && mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
+ && DEBIAN_FRONTEND=non-interactive apt-get -y install \
+ ca-certificates \
+ gnupg \
+ && apt-key adv --keyserver keys.gnupg.net --recv-keys $PASSBOLT_PKG_KEY \
+ && echo "deb https://download.passbolt.com/ce/debian buster stable" > /etc/apt/sources.list.d/passbolt.list \
+ && apt-get update \
+ && DEBIAN_FRONTEND=non-interactive apt-get -y install --no-install-recommends \
+ nginx \
+ $PASSBOLT_PKG \
+ supervisor
+
 
-COPY conf/passbolt.conf /etc/nginx/conf.d/default.conf
 COPY conf/supervisor/*.conf /etc/supervisor/conf.d/
 COPY bin/docker-entrypoint.sh /docker-entrypoint.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
diff --git a/bin/docker-entrypoint.sh b/bin/docker-entrypoint.sh
index 7bcef9c..e402318 100755
--- a/bin/docker-entrypoint.sh
+++ b/bin/docker-entrypoint.sh
@@ -8,7 +8,7 @@ gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-/var/www/passbolt/config/gpg/s
 ssl_key='/etc/ssl/certs/certificate.key'
 ssl_cert='/etc/ssl/certs/certificate.crt'
 
-export GNUPGHOME="/home/www-data/.gnupg"
+export GNUPGHOME="/var/lib/passbolt/.gnupg"
 
 entropy_check() {
 local entropy_avail
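Review bot: `apt-key adv --keyserver keys.gnupg.net --recv-keys $PASSBOLT_PKG_KEY` places the vendor key in the global apt trust store, so any repository configured later is accepted if signed by it, and it fetches by a 16-hex long key ID over HKP, which is neither an authenticated transport nor a collision-resistant identifier; the key should go into its own keyring bound to the passbolt repository with `[signed-by=...]`, and the variable should hold the full 40-hex fingerprint so the received key can be checked against it. `DEBIAN_FRONTEND=non-interactive` on both install lines is not a debconf frontend name; the value is `noninteractive`. The layer no longer removes `/var/lib/apt/lists/*` as the replaced version did, `PASSBOLT_PKG_KEY`/`PASSBOLT_PKG` are build-time only and belong in `ARG` rather than `ENV`, and `passbolt-ce-server` is installed unpinned, so rebuilds are not reproducible. The replaced hardening steps (`expose_php` off, `server_tokens` on) have no counterpart here; worth confirming that the package's shipped nginx and php-fpm configuration covers them.
```dockerfile
# Build-time only, so ARG rather than ENV. PASSBOLT_PKG_KEY must be the full
# 40-hex fingerprint (placeholder below), not a 16-hex long key ID.
ARG PASSBOLT_PKG_KEY=PLACEHOLDER_FULL_40_HEX_FINGERPRINT
ARG PASSBOLT_PKG=passbolt-ce-server
ARG PASSBOLT_KEYRING=/usr/share/keyrings/passbolt-archive-keyring.gpg

# Fetch the key, refuse to continue unless its fingerprint matches, then export it
# into a dedicated keyring that only the passbolt repository is allowed to use.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends \
    ca-certificates \
    gnupg \
 && gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "$PASSBOLT_PKG_KEY" \
 && gpg --with-colons --fingerprint "$PASSBOLT_PKG_KEY" | grep -q "^fpr:::::::::${PASSBOLT_PKG_KEY}:$" \
 && gpg --export "$PASSBOLT_PKG_KEY" > "$PASSBOLT_KEYRING" \
 && echo "deb [signed-by=$PASSBOLT_KEYRING] https://download.passbolt.com/ce/debian buster stable" > /etc/apt/sources.list.d/passbolt.list \
 && apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends \
    nginx \
    "$PASSBOLT_PKG" \
    supervisor \
 && rm -rf /var/lib/apt/lists/* /root/.gnupg
# … unchanged: COPY conf/supervisor, docker-entrypoint.sh, wait-for.sh …
```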
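Review bot: Exporting GNUPGHOME here does not reach the gpg invocations, because every gpg call in this script runs through `su -ls /bin/bash www-data` and a login shell (`-l`) discards the caller's environment; that is presumably why the later hunks spell out `--homedir $GNUPGHOME` on each call, and a comment would keep the next maintainer from removing it: `# su -l resets the environment: pass --homedir "$GNUPGHOME" explicitly on every gpg call`. The hunk-header context still shows the gpg_public_key default under `/var/www/passbolt/config/gpg/`, which this commit leaves next to the new `/var/lib/passbolt/.gnupg` home; if the Debian package does not create that directory the exports in gpg_gen_key fail, so the defaults above the hunk should be checked against the package layout. Nothing in the hunk ensures `/var/lib/passbolt/.gnupg` exists, is owned by www-data and is mode 0700 before the first gpg call; if the package does not ship it, the entrypoint should create it.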
@@ -42,7 +42,7 @@ gpg_gen_key() {
 entropy_check
- su -c "gpg --batch --no-tty --gen-key < $gpg_private_key" -ls /bin/bash www-data
- su -c "gpg --armor --export $key_email > $gpg_public_key" -ls /bin/bash www-data
+ su -c "gpg --homedir $GNUPGHOME --armor --export-secret-keys $key_email > $gpg_private_key" -ls /bin/bash www-data
+ su -c "gpg --homedir $GNUPGHOME --armor --export $key_email > $gpg_public_key" -ls /bin/bash www-data
 }
 
 gpg_import_key() {
- su -c "gpg --batch --import $gpg_public_key" -ls /bin/bash www-data
- su -c "gpg --batch --import $gpg_private_key" -ls /bin/bash www-data
+ su -c "gpg --homedir $GNUPGHOME --batch --import $gpg_public_key" -ls /bin/bash www-data
+ su -c "gpg --homedir $GNUPGHOME --batch --import $gpg_private_key" -ls /bin/bash www-data
 }
 
 gen_ssl_cert() {
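Review bot: gpg_gen_key no longer generates anything: the removed `gpg --batch --no-tty --gen-key < $gpg_private_key` is replaced by `--export-secret-keys $key_email > $gpg_private_key`, so after this hunk the function exports a key that nothing visible creates, and on a fresh container the export most likely fails and leaves `$gpg_private_key` empty. If generation is now expected from the package's post-install, say so on the function (`# the server key is generated by the passbolt package; this only exports it`) and rename it; if not, the generation call must stay ahead of the two exports, reading its parameter file from somewhere other than the private-key output path. The armored secret key is also written with whatever umask the su login shell carries; create the file with mode 0600 before redirecting into it. gpg_gen_key begins before the hunk.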
@@ -70,18 +70,18 @@ gen_ssl_cert() {
 }
 
 install() {
- local app_config="/var/www/passbolt/config/app.php"
+ local app_config="/etc/passbolt/app.php"
 
 if [ ! -f "$app_config" ]; then
- su -c 'cp /var/www/passbolt/config/app.default.php /var/www/passbolt/config/app.php' -s /bin/bash www-data
+ su -c "cp $app_config/app.default.php $app_config/app.php" -s /bin/bash www-data
 fi
 
- if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f '/var/www/passbolt/config/passbolt.php' ]; then
- gpg_auto_fingerprint="$(su -c "gpg --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
+ if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f "$app_config/passbolt.php" ]; then
+ gpg_auto_fingerprint="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
 export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint
 fi
 
- su -c '/var/www/passbolt/bin/cake passbolt install --no-admin' -s /bin/bash www-data || su -c '/var/www/passbolt/bin/cake passbolt migrate' -s /bin/bash www-data && echo "Enjoy! ☮"
+ su -c '/usr/share/php/passbolt/bin/cake passbolt install --no-admin' -s /bin/bash www-data || su -c '/usr/share/php/passbolt/bin/cake passbolt migrate' -s /bin/bash www-data && echo "Enjoy! ☮"
 }
 
 email_cron_job() {
diff --git a/docker-compose.yml b/docker-compose.yml
index b735821..bf8c74f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
 - "127.0.0.1:3306:3306"
 
 passbolt:
- image: passbolt/passbolt:2.12.0-debian
+ image: localpassbolt
 tty: true
 depends_on:
 - db
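Review bot: `app_config` is now the file path `/etc/passbolt/app.php`, but every use below it treats it as a directory: the copy becomes `cp /etc/passbolt/app.php/app.default.php /etc/passbolt/app.php/app.php` and the guard tests `/etc/passbolt/app.php/passbolt.php`, a path that never exists, so the default config is never copied and the fingerprint auto-detection runs on every start. Make the variable the directory and test the file explicitly: `local app_config="/etc/passbolt"` and `if [ ! -f "$app_config/app.php" ]; then`. The copy runs as www-data, so the package's ownership and mode on /etc/passbolt must permit that write; worth confirming against the package.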
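Review bot: `image: localpassbolt` is an untagged reference, so it resolves to `localpassbolt:latest`, and no `build:` key for the service is visible in the hunk; on any host that has not built that image by hand, `docker-compose up` fails at pull time. Give the image an explicit tag and, if it is meant to be built from this repository, add `build: .` under the service so the stack is reproducible without a manual build step.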