Merging compose to master

compose/.gitignore

@@ -0,0 +1,2 @@
+*.crt
+*.key

compose/README.md

@@ -0,0 +1,20 @@
+This is a repo to hold all the bits to get a prod-like Normandy running using
+[Docker Compose][].
+
+1. Install [Docker][] and Docker Compose, and start the Docker daemon (possibly via [Docker Machine][]).
+2. Clone this repo, and `cd` into it.
+3. `./bin/genkeys.sh` to create keys for HTTPS.
+4. `docker-compose up -d` to download Docker images, and run them in the background.
+5. `docker-compose run normandy ./manage.py migrate` to create the needed database tables.
+6. `docker-compose run normandy ./manage.py createsuperuser` to create a user you can log in with.
+6. `docker-compose run normandy ./manage.py update_actions` to load the action code into the database.
+8. Open `http://localhost:8000` or `http://$(docker-machine ip):8000` in your browser. Accept the self-signed certificate.
+9. Later, run `docker-compose stop` to shut everything down.
+
+[Docker Machine]: https://docs.docker.com/machine/
+[Docker Compose]: https://docs.docker.com/compose/
+[Docker]: https://docker.io
+
+# Signing
+
+This compose configuration is set up to use [Autograph][] to sign recipes. These signatures are required for [the system addon][]. They are signed using a development key, which is publically known and shouldn't be trusted for anything serious. To instruct Firefox to trust this development key, set the pref `security.content.signature.root_hash` to `4C:35:B1:C3:E3:12:D9:55:E7:78:ED:D0:A7:E7:8A:38:83:04:EF:01:BF:FA:03:29:B2:46:9F:3C:C5:EC:36:04`.

compose/bin/genkeys.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# This script generates SSL keys for the Nginx proxy.
+BASE_DIR="$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")"
+SSL_DIR="$BASE_DIR/etc"
+KEY="$SSL_DIR/proxy.key"
+CERT="$SSL_DIR/proxy.crt"
+
+# If the key or cert don't exist, generate them.
+if [ ! -f $KEY ]; then
+    mkdir -p $SSL_DIR
+    openssl genrsa -out $KEY 2048
+fi
+
+if [ ! -f $CERT ]; then
+    openssl req -new -x509 -nodes -sha256 -key $KEY \
+        -subj "/C=US/ST=Test/L=Test/O=Mozilla/CN=normandy_dev" > $CERT
+fi

compose/docker-compose.yml

@@ -0,0 +1,40 @@
+version: '2'
+
+services:
+  database:
+    image: postgres:9.5.2
+
+  normandy:
+    image: mozilla/normandy:latest
+    links:
+      - database
+      - autograph
+    environment:
+      DATABASE_URL: "postgres://postgres@database/postgres"
+      DJANGO_CONFIGURATION: ProductionInsecure
+      DJANGO_AUTOGRAPH_URL: http://autograph:8000/
+      # From etc/autograph.yaml
+      DJANGO_AUTOGRAPH_HAWK_ID: normandev
+      DJANGO_AUTOGRAPH_HAWK_SECRET_KEY: 3dhoaupudifjjvm7xznd9bn73159xn3xwr77b61kzdjwzzsjts
+      DJANGO_CAN_EDIT_ACTIONS_IN_USE: "true"
+    stop_signal: SIGKILL
+
+  proxy:
+    image: nginx:1.9.14
+    ports:
+      - "8000:8000"
+      - "8443:8443"
+    links:
+      - normandy
+    volumes:
+      - ./etc/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./etc/proxy.crt:/etc/nginx/proxy.crt:ro
+      - ./etc/proxy.key:/etc/nginx/proxy.key:ro
+
+  autograph:
+    image: mozilla/autograph
+    stop_signal: SIGKILL
+    volumes:
+      - ./etc/autograph.yaml:/etc/autograph/autograph.yaml:ro
+    ports:
+        - "8000"

compose/etc/autograph.yaml

@@ -0,0 +1,15 @@
+server:
+  listen: "0.0.0.0:8000"
+  noncecachesize: 524288
+
+signers:
+  # Normandy dev chain with x5u on github
+  - id: normankey
+    privatekey: "MIGkAgEBBDCZFHf46zW7Wp5fgwc2zL42+Uir4qCj/MMxqhXhRuGQMCR0+RWLqE0DpX0gjKsqWT2gBwYFK4EEACKhZANiAARUQqIIAiTBGDVUWw/wk5h1IXpreq+BtE+gQr15O4tusHpCLGjOxwpHiJYnxk45fpE8JGAV19UOhmqMUEU0k31C1EGTSZW0ducSvHrh3a8wXShZ6dxLWHItbbCGA6A7Puk="
+    x5u: "https://raw.githubusercontent.com/mozilla-services/autograph/2a6166a1c8d1ae8f8d9a2c5a518795e796844392/docs/statics/normandy.content-signature.mozilla.org-20210705.dev.chain"
+
+authorizations:
+  - id: normandev
+    key: 3dhoaupudifjjvm7xznd9bn73159xn3xwr77b61kzdjwzzsjts
+    signers:
+      - normankey

compose/etc/nginx.conf

@@ -0,0 +1,50 @@
+worker_processes 1;
+
+events {
+    worker_connections 64;
+}
+
+http {
+    include mime.types;
+    default_type application/octet-stream;
+
+    gzip on;
+    gzip_proxied any;
+    gzip_types application/json application/javascript text/css;
+
+    ssl_certificate proxy.crt;
+    ssl_certificate_key proxy.key;
+    ssl_session_cache shared:SSL:5m;
+    ssl_session_timeout 30m;
+    ssl_protocols TLSv1.1 TLSv1.2;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+    ssl_prefer_server_ciphers on;
+
+    proxy_cache_path /etc/nginx/cache levels=1:2 keys_zone=dflow:1m max_size=100m inactive=120m use_temp_path=off;
+
+    server {
+        listen 8000;
+        return 301 https://localhost:8443$request_uri;
+    }
+
+    server {
+        listen 8443 ssl;
+        location / {
+            proxy_pass http://normandy:8000;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header Host $http_host;
+            proxy_redirect off;
+            add_header X-Cached $upstream_cache_status;
+
+            # Enable cache. Matches proxy_cache_path above.
+            proxy_cache dflow;
+
+            # these two directives configures nginx to
+            # use stale cache entries when updating so the
+            # docker container gets only a single HTTP request
+            proxy_cache_use_stale updating;
+            proxy_cache_lock on;
+        }
+    }
+}