Merge pull request #1268 from gchq/feature/standalone

Feature/standalone

Dockerfile.standalone

@@ -0,0 +1,93 @@
+FROM node:18-alpine as backend
+RUN apk add --no-cache libc6-compat
+RUN apk update
+WORKDIR /app
+COPY backend/package*.json ./
+RUN --mount=type=cache,target=/cache/npm npm install --cache=/cache/npm
+COPY backend .
+RUN npm run build
+
+FROM node:18-alpine as frontend
+RUN apk add --no-cache libc6-compat
+RUN apk update
+WORKDIR /app
+COPY frontend/package*.json ./
+RUN --mount=type=cache,target=/cache/npm npm ci --cache=/cache/npm
+COPY frontend .
+ENV NEXT_TELEMETRY_DISABLED 1
+RUN npm run build
+
+FROM ubuntu:jammy
+RUN apt update
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt install git curl wget gnupg ca-certificates iproute2 nginx supervisor -y
+
+RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - &&\
+    apt install nodejs -y
+
+ENV MINIO_ROOT_USER=minioadmin
+ENV MINIO_ROOT_PASSWORD=minioadmin
+VOLUME minio-data
+RUN wget https://dl.min.io/server/minio/release/linux-amd64/minio &&\
+    wget https://dl.min.io/client/mc/release/linux-amd64/mc &&\
+    chmod +x minio &&\
+    chmod +x mc &&\
+    mv minio /usr/local/bin/ &&\
+    mv mc /usr/local/bin/
+
+RUN wget -qO - https://pgp.mongodb.com/server-6.0.asc |  gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-6.0.gpg &&\
+    echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" |  tee /etc/apt/sources.list.d/mongodb-org-6.0.list &&\
+    apt update &&\
+    apt install mongodb-org -y &&\
+    mkdir -m 777 -p /data/db
+
+COPY infrastructure/standalone/nginx.conf /etc/nginx/nginx.conf
+
+RUN wget https://github.com/distribution/distribution/releases/download/v2.8.3/registry_2.8.3_linux_amd64.tar.gz &&\
+    tar -xvf registry_2.8.3_linux_amd64.tar.gz &&\
+    mv registry /usr/local/bin/
+ENV REGISTRY_HTTP_TLS_CERTIFICATE=/app/backend/certs/cert.pem
+ENV REGISTRY_HTTP_TLS_KEY=/app/backend/certs/key.pem
+ENV REGISTRY_STORAGE_S3_ACCESSKEY=minioadmin
+ENV REGISTRY_STORAGE_S3_SECRETKEY=minioadmin
+ENV REGISTRY_AUTH=token
+ENV REGISTRY_AUTH_TOKEN_REALM=http://localhost:3001/api/v1/registry_auth
+ENV REGISTRY_AUTH_TOKEN_SERVICE=RegistryAuth
+ENV REGISTRY_AUTH_TOKEN_ISSUER=RegistryIssuer
+ENV REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/app/backend/certs/cert.pem
+COPY infrastructure/standalone/registry.conf /registry.conf
+
+RUN wget https://github.com/tweedegolf/mailcrab/releases/download/v1.2.0/mailcrab-linux-x86-64-gnu-v1.2.0 &&\
+    chmod +x mailcrab-linux-x86-64-gnu-v1.2.0 &&\
+    mv mailcrab-linux-x86-64-gnu-v1.2.0 /usr/local/bin/mailcrab
+
+# Backend
+WORKDIR /app/backend
+COPY backend/package*.json ./
+COPY backend/certs/san.cnf ./
+RUN --mount=type=cache,target=/cache/npm npm install --omit=dev --cache=/cache/npm
+RUN mkdir -p certs && openssl genrsa -out certs/key.pem 2048 && openssl req -new -x509 -key certs/key.pem -out certs/cert.pem -config ./san.cnf -extensions 'v3_req' -days 360
+COPY backend/python-docs python-docs
+COPY --from=backend /app/config config
+COPY --from=backend /app/dist .
+COPY infrastructure/standalone/local.cjs config/local.cjs
+ENV NODE_ENV production
+
+# Frontend
+WORKDIR /app/frontend
+COPY --from=frontend /app/next.config.mjs .
+COPY --from=frontend /app/package.json .
+COPY --from=frontend /app/.next/standalone ./
+COPY --from=frontend /app/.next/static ./.next/static
+COPY --from=frontend /app/public ./public
+ENV NEXT_TELEMETRY_DISABLED 1
+
+COPY infrastructure/standalone/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
+WORKDIR /
+
+EXPOSE 8080
+EXPOSE 9000
+EXPOSE 27017
+
+ENTRYPOINT ["/usr/bin/supervisord"]

README.md

@@ -86,6 +86,13 @@ sharing.
 
 ### Installation:
 
+To run in standalone mode, not development mode (http://localhost:8080). Not for production use:
+
+````bash
+docker build -t "bailo:standalone" -f ./Dockerfile.standalone .
+docker run --name bailo -p 8080:8080 -d bailo:standalone
+```bash
+
 To run in development mode (modified files on your host machine will be reloaded into the running application):
 
 ```bash
@@ -98,7 +105,7 @@ docker compose build --parallel
 
 # Then run the development instance of Bailo.
 docker compose up -d
-```
+````
 
 On first run, it may take a while (up to 30 seconds) to start up. It needs to build several hundred TypeScript modules.
 These are cached however, so future starts only require a few seconds. You should access the site via

infrastructure/standalone/local.cjs

@@ -0,0 +1,5 @@
+module.exports = {
+    s3: {
+        endpoint: 'http://localhost:9000'
+    }
+}

infrastructure/standalone/nginx.conf

@@ -0,0 +1,97 @@
+pid /tmp/nginx.pid;
+worker_processes 1;
+events { worker_connections 1024; }
+
+http {
+    upstream frontend_service {
+       server localhost:3000;
+    }
+
+    upstream backend_service {
+       server localhost:3001;
+    }
+
+    upstream registry_service {
+       server localhost:5000;
+    }
+
+    sendfile on;
+
+    map $upstream_http_www_authenticate $new_www_authenticate {
+        ~(?<pre_auth>.*realm=")(.*?)(?<post_auth>\/api\/v1\/registry_auth".*)   "$pre_auth$scheme://$host:$server_port$post_auth";
+        default "";
+    }
+
+    server {
+        listen 8080;
+
+        location / {
+            proxy_http_version 1.1;
+            proxy_cache_bypass $http_upgrade;
+
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 0;
+            chunked_transfer_encoding on;
+
+            proxy_pass http://frontend_service;
+        }
+
+        location /api {
+            proxy_http_version 1.1;
+            proxy_cache_bypass $http_upgrade;
+
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 0;
+            chunked_transfer_encoding on;
+
+            proxy_pass http://backend_service;
+        }
+
+        location /docs/python {
+            proxy_http_version 1.1;
+            proxy_cache_bypass $http_upgrade;
+
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            client_max_body_size 0;
+            chunked_transfer_encoding on;
+
+            proxy_pass http://backend_service;
+        }
+
+        location /v2 {
+            proxy_hide_header WWW-Authenticate;
+            add_header WWW-Authenticate $new_www_authenticate always;
+
+            proxy_redirect     off;
+            proxy_set_header   Host $host;
+            proxy_set_header   X-Real-IP $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Host $server_name;
+            proxy_set_header   X-Forwarded-Proto $scheme;
+            proxy_read_timeout 900;
+
+            client_max_body_size 0;
+            chunked_transfer_encoding on;
+
+            proxy_pass         https://registry_service;
+        }
+    }
+}

infrastructure/standalone/registry.conf

@@ -0,0 +1,34 @@
+version: 0.1
+log:
+  fields:
+    service: registry
+storage:
+  cache:
+    blobdescriptor: inmemory
+  s3:
+    regionendpoint: http://localhost:9000
+    bucket: registry
+    secure: false
+    region: ignored-for-minio
+  redirect:
+    disable: true
+  delete:
+    enabled: true
+  maintenance:
+    uploadpurging:
+      enabled: true
+      age: 168h
+      interval: 24h
+      dryrun: false
+    readonly:
+      enabled: false
+http:
+  addr: :5000
+  relativeurls: true
+  headers:
+    X-Content-Type-Options: [nosniff]
+health:
+  storagedriver:
+    enabled: true
+    interval: 10s
+    threshold: 3

infrastructure/standalone/supervisord.conf

@@ -0,0 +1,61 @@
+[supervisord]
+nodaemon=true
+logfile=/dev/null
+logfile_maxbytes=0
+
+[program:minio]
+command=minio server /minio-data
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+priority=10
+startsecs=0
+
+[program:mongo]
+command=mongod
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+priority=20
+startsecs=0
+
+[program:mail]
+command=mailcrab
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+priority=30
+startsecs=0
+
+[program:nginx]
+command=nginx
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+priority=40
+startsecs=0
+
+[program:frontend]
+directory=/app/frontend
+command=node server.js
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+priority=50
+startsecs=0
+
+[program:backend]
+directory=/app/backend
+command=node src/index.js
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+priority=60
+
+[program:registry]
+command=registry serve /registry.conf
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+priority=70
+startsecs=0