fix(docker): fix ca entrypoint logic and healthcheck

With this commit, it is advised to `rm ./data/root_ca.crt ./data/*.pem`,
as new certificates and a root CA will be generated while utilizing the
step volume.

Closes #367

Signed-off-by: Kevin Morris <kevr@0cost.org>

docker-compose.yml

@@ -31,8 +31,10 @@ services:
     entrypoint: /docker/ca-entrypoint.sh
     command: /docker/scripts/run-ca.sh
     healthcheck:
-      test: "bash /docker/health/run-ca.sh"
+      test: "bash /docker/health/ca.sh"
-      interval: 2s
+      interval: 3s
+    volumes:
+      - step:/root/.step
 
   memcached:
     image: aurweb:latest
@@ -40,7 +42,7 @@ services:
     command: /docker/scripts/run-memcached.sh
     healthcheck:
       test: "bash /docker/health/memcached.sh"
-      interval: 2s
+      interval: 3s
  
   redis:
     image: aurweb:latest
@@ -49,7 +51,7 @@ services:
     command: /docker/scripts/run-redis.sh
     healthcheck:
       test: "bash /docker/health/redis.sh"
-      interval: 2s
+      interval: 3s
     ports:
       - "127.0.0.1:16379:6379"
 
@@ -67,7 +69,7 @@ services:
       - mariadb_data:/var/lib/mysql
     healthcheck:
       test: "bash /docker/health/mariadb.sh"
-      interval: 2s
+      interval: 3s
 
   mariadb_init:
     image: aurweb:latest
@@ -98,7 +100,7 @@ services:
       - mariadb_test_run:/var/run/mysqld # Bind socket in this volume.
     healthcheck:
       test: "bash /docker/health/mariadb.sh"
-      interval: 2s
+      interval: 3s
 
   git:
     image: aurweb:latest
@@ -113,7 +115,7 @@ services:
       - "2222:2222"
     healthcheck:
       test: "bash /docker/health/sshd.sh"
-      interval: 2s
+      interval: 3s
     depends_on:
       mariadb_init:
         condition: service_started
@@ -129,7 +131,7 @@ services:
     command: /docker/scripts/run-smartgit.sh
     healthcheck:
       test: "bash /docker/health/smartgit.sh"
-      interval: 2s
+      interval: 3s
 
   cgit-php:
     image: aurweb:latest
@@ -142,7 +144,7 @@ services:
     command: /docker/scripts/run-cgit.sh 3000
     healthcheck:
       test: "bash /docker/health/cgit.sh 3000"
-      interval: 2s
+      interval: 3s
     depends_on:
       git:
         condition: service_healthy
@@ -162,7 +164,7 @@ services:
     command: /docker/scripts/run-cgit.sh 3000
     healthcheck:
       test: "bash /docker/health/cgit.sh 3000"
-      interval: 2s
+      interval: 3s
     depends_on:
       git:
         condition: service_healthy
@@ -199,7 +201,7 @@ services:
     command: /docker/scripts/run-php.sh
     healthcheck:
       test: "bash /docker/health/php.sh"
-      interval: 2s
+      interval: 3s
     depends_on:
       git:
         condition: service_healthy
@@ -228,7 +230,7 @@ services:
     command: /docker/scripts/run-fastapi.sh "${FASTAPI_BACKEND}"
     healthcheck:
       test: "bash /docker/health/fastapi.sh ${FASTAPI_BACKEND}"
-      interval: 2s
+      interval: 3s
     depends_on:
       git:
         condition: service_healthy
@@ -254,10 +256,10 @@ services:
       - "127.0.0.1:8444:8444" # FastAPI
     healthcheck:
       test: "bash /docker/health/nginx.sh"
-      interval: 2s
+      interval: 3s
     depends_on:
       ca:
-        condition: service_started
+        condition: service_healthy
       cgit-php:
         condition: service_healthy
       cgit-fastapi:

docker/ca-entrypoint.sh

@@ -89,34 +89,26 @@ step_cert_request() {
     chmod 666 /data/${1}.*.pem
 }
 
-if [ ! -f $DATA_ROOT_CA ]; then
+if [ ! -d /root/.step/config ]; then
+    # Remove existing certs.
+    rm -vf /data/localhost.{cert,key}.pem /data/root_ca.crt
+
     setup_step_ca
     install_step_ca
+
+    start_step_ca
+    for host in $DATA_CERT_HOSTS; do
+        step_cert_request $host /data/${host}.cert.pem /data/${host}.key.pem
+    done
+    kill_step_ca
+
+    echo -n "WARN: Your certificates are being regenerated to resolve "
+    echo -n "an inconsistent step-ca state. You will need to re-import "
+    echo "the root CA certificate into your browser."
+else
+    exec "$@"
 fi
 
-# For all hosts separated by spaces in $DATA_CERT_HOSTS, perform a check
-# for their existence in /data and react accordingly.
-for host in $DATA_CERT_HOSTS; do
-    if [ -f /data/${host}.cert.pem ] && [ -f /data/${host}.key.pem ]; then
-        # Found an override. Move on to running the service after
-        # printing a notification to the user.
-        echo "Found '${host}.{cert,key}.pem' override, skipping..."
-        echo -n "Note: If you need to regenerate certificates, run "
-        echo '`rm -f data/*.{cert,key}.pem` before starting this service.'
-        exec "$@"
-    else
-        # Otherwise, we had a missing cert or key, so remove both.
-        rm -f /data/${host}.cert.pem
-        rm -f /data/${host}.key.pem
-    fi
-done
-
-start_step_ca
-for host in $DATA_CERT_HOSTS; do
-    step_cert_request $host /data/${host}.cert.pem /data/${host}.key.pem
-done
-kill_step_ca
-
 # Set permissions to /data to rwx for everybody.
 chmod 777 /data
 

docker/health/ca.sh

@@ -1,2 +1,2 @@
-
+#!/bin/bash
-exec printf "" 2>>/dev/null >>/dev/tcp/127.0.0.1/8443
+exec curl -qkiI 'https://localhost:8443/'