126 lines
3.7 KiB
Python
126 lines
3.7 KiB
Python
import os
|
|
import os.path
|
|
|
|
import yaml
|
|
import jinja2
|
|
|
|
QUAYPATH = os.getenv("QUAYPATH", ".")
|
|
QUAYDIR = os.getenv("QUAYDIR", "/")
|
|
QUAYCONF_DIR = os.getenv("QUAYCONF", os.path.join(QUAYDIR, QUAYPATH, "conf"))
|
|
STATIC_DIR = os.path.join(QUAYDIR, 'static')
|
|
|
|
SSL_PROTOCOL_DEFAULTS = ['TLSv1', 'TLSv1.1', 'TLSv1.2']
|
|
SSL_CIPHER_DEFAULTS = [
|
|
'ECDHE-RSA-AES128-GCM-SHA256',
|
|
'ECDHE-ECDSA-AES128-GCM-SHA256',
|
|
'ECDHE-RSA-AES256-GCM-SHA384',
|
|
'ECDHE-ECDSA-AES256-GCM-SHA384',
|
|
'DHE-RSA-AES128-GCM-SHA256',
|
|
'DHE-DSS-AES128-GCM-SHA256',
|
|
'kEDH+AESGCM',
|
|
'ECDHE-RSA-AES128-SHA256',
|
|
'ECDHE-ECDSA-AES128-SHA256',
|
|
'ECDHE-RSA-AES128-SHA',
|
|
'ECDHE-ECDSA-AES128-SHA',
|
|
'ECDHE-RSA-AES256-SHA384',
|
|
'ECDHE-ECDSA-AES256-SHA384',
|
|
'ECDHE-RSA-AES256-SHA',
|
|
'ECDHE-ECDSA-AES256-SHA',
|
|
'DHE-RSA-AES128-SHA256',
|
|
'DHE-RSA-AES128-SHA',
|
|
'DHE-DSS-AES128-SHA256',
|
|
'DHE-RSA-AES256-SHA256',
|
|
'DHE-DSS-AES256-SHA',
|
|
'DHE-RSA-AES256-SHA',
|
|
'AES128-GCM-SHA256',
|
|
'AES256-GCM-SHA384',
|
|
'AES128-SHA256',
|
|
'AES256-SHA256',
|
|
'AES128-SHA',
|
|
'AES256-SHA',
|
|
'AES',
|
|
'CAMELLIA',
|
|
'!3DES',
|
|
'!aNULL',
|
|
'!eNULL',
|
|
'!EXPORT',
|
|
'!DES',
|
|
'!RC4',
|
|
'!MD5',
|
|
'!PSK',
|
|
'!aECDH',
|
|
'!EDH-DSS-DES-CBC3-SHA',
|
|
'!EDH-RSA-DES-CBC3-SHA',
|
|
'!KRB5-DES-CBC3-SHA',
|
|
]
|
|
|
|
def write_config(filename, **kwargs):
|
|
with open(filename + ".jnj") as f:
|
|
template = jinja2.Template(f.read())
|
|
rendered = template.render(kwargs)
|
|
|
|
with open(filename, 'w') as f:
|
|
f.write(rendered)
|
|
|
|
|
|
def generate_nginx_config(config):
|
|
"""
|
|
Generates nginx config from the app config
|
|
"""
|
|
config = config or {}
|
|
use_https = os.path.exists(os.path.join(QUAYCONF_DIR, 'stack/ssl.key'))
|
|
use_old_certs = os.path.exists(os.path.join(QUAYCONF_DIR, 'stack/ssl.old.key'))
|
|
v1_only_domain = config.get('V1_ONLY_DOMAIN', None)
|
|
enable_rate_limits = config.get('FEATURE_RATE_LIMITS', False)
|
|
ssl_protocols = config.get('SSL_PROTOCOLS', SSL_PROTOCOL_DEFAULTS)
|
|
ssl_ciphers = config.get('SSL_CIPHERS', SSL_CIPHER_DEFAULTS)
|
|
|
|
write_config(os.path.join(QUAYCONF_DIR, 'nginx/nginx.conf'), use_https=use_https,
|
|
use_old_certs=use_old_certs,
|
|
enable_rate_limits=enable_rate_limits,
|
|
v1_only_domain=v1_only_domain,
|
|
ssl_protocols=ssl_protocols,
|
|
ssl_ciphers=':'.join(ssl_ciphers))
|
|
|
|
|
|
def generate_server_config(config):
|
|
"""
|
|
Generates server config from the app config
|
|
"""
|
|
config = config or {}
|
|
tuf_server = config.get('TUF_SERVER', None)
|
|
tuf_host = config.get('TUF_HOST', None)
|
|
signing_enabled = config.get('FEATURE_SIGNING', False)
|
|
maximum_layer_size = config.get('MAXIMUM_LAYER_SIZE', '20G')
|
|
enable_rate_limits = config.get('FEATURE_RATE_LIMITS', False)
|
|
|
|
write_config(
|
|
os.path.join(QUAYCONF_DIR, 'nginx/server-base.conf'), tuf_server=tuf_server, tuf_host=tuf_host,
|
|
signing_enabled=signing_enabled, maximum_layer_size=maximum_layer_size,
|
|
enable_rate_limits=enable_rate_limits,
|
|
static_dir=STATIC_DIR)
|
|
|
|
|
|
def generate_rate_limiting_config(config):
|
|
"""
|
|
Generates rate limiting config from the app config
|
|
"""
|
|
config = config or {}
|
|
non_rate_limited_namespaces = config.get('NON_RATE_LIMITED_NAMESPACES') or set()
|
|
enable_rate_limits = config.get('FEATURE_RATE_LIMITS', False)
|
|
write_config(
|
|
os.path.join(QUAYCONF_DIR, 'nginx/rate-limiting.conf'),
|
|
non_rate_limited_namespaces=non_rate_limited_namespaces,
|
|
enable_rate_limits=enable_rate_limits,
|
|
static_dir=STATIC_DIR)
|
|
|
|
if __name__ == "__main__":
|
|
if os.path.exists(os.path.join(QUAYCONF_DIR, 'stack/config.yaml')):
|
|
with open(os.path.join(QUAYCONF_DIR, 'stack/config.yaml'), 'r') as f:
|
|
config = yaml.load(f)
|
|
else:
|
|
config = None
|
|
|
|
generate_rate_limiting_config(config)
|
|
generate_server_config(config)
|
|
generate_nginx_config(config)
|