Changes for v1.3

docker-compose.yml

@@ -10,7 +10,7 @@ services:
       POSTGRES_DATABASE: odk
     restart: always
   mail:
-    image: "itsissa/namshi-smtp:4.89-2.deb9u5"
+    image: "itsissa/namshi-smtp:4.92-8.deb10u6"
     volumes:
       - ./files/dkim/config:/etc/exim4/_docker_additional_macros:ro
       - ./files/dkim/rsa.private:/etc/exim4/domain.key:ro
@@ -35,6 +35,8 @@ services:
       - SYSADMIN_EMAIL=${SYSADMIN_EMAIL}
     command: [ "./wait-for-it.sh", "postgres:5432", "--", "./start-odk.sh" ]
     restart: always
+    logging:
+      driver: local
   nginx:
     build:
       context: .
@@ -52,8 +54,12 @@ services:
     healthcheck:
       test: [ "CMD-SHELL", "nc -z localhost 80 || exit 1" ]
     restart: always
+    logging:
+      driver: local
+      options:
+        max-file: "30"
   pyxform:
-    image: 'getodk/pyxform-http:v1.5.1'
+    image: 'ghcr.io/getodk/pyxform-http:v1.6.0'
     restart: always
   secrets:
     volumes:

enketo.dockerfile

@@ -1,4 +1,4 @@
-FROM enketo/enketo-express:2.7.3
+FROM ghcr.io/enketo/enketo-express:3.0.1
 
 ENV ENKETO_SRC_DIR=/srv/src/enketo_express
 WORKDIR ${ENKETO_SRC_DIR}
@@ -15,11 +15,11 @@ COPY files/enketo/config.json.template ${ENKETO_SRC_DIR}/config/config.json
 COPY files/enketo/start-enketo.sh ${ENKETO_SRC_DIR}/start-enketo.sh
 
 RUN apt-get update; apt-get install gettext-base
-RUN grunt
 
-RUN npm install --production
+RUN npm install
+RUN grunt
+RUN npm prune --production
 
 EXPOSE 8005
 
 CMD ./start-enketo.sh
-

files/nginx/odk-setup.sh

@@ -24,7 +24,7 @@ CNAME=$([ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
 if [ "$SSL_TYPE" = "letsencrypt" ]
 then
   echo "starting nginx with certbot.."
-  /bin/bash /scripts/entrypoint.sh
+  /bin/bash /scripts/start_nginx_certbot.sh
 elif [ "$SSL_TYPE" = "upstream" ]
 then
   perl -i -ne 's/listen 443.*/listen 80;/; print if ! /ssl_/' /etc/nginx/conf.d/odk.conf

files/nginx/odk.conf.template

@@ -4,13 +4,17 @@ server {
   ssl_certificate_key /etc/${SSL_TYPE}/live/${CNAME}/privkey.pem;
   ssl_trusted_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem;
 
-  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
-  ssl_prefer_server_ciphers on;
-  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+  # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+
   ssl_dhparam /etc/dh/nginx.pem;
 
   server_tokens off;
-  add_header Strict-Transport-Security "max-age=31536000";
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  add_header X-Frame-Options "SAMEORIGIN";
   add_header X-Content-Type-Options nosniff;
 
   client_max_body_size 100m;
@@ -45,6 +49,13 @@ server {
 
   location / {
     root /usr/share/nginx/html;
+
+    location /version.txt {
+      add_header Cache-Control no-cache;
+    }
+    location /index.html {
+      add_header Cache-Control no-cache;
+    }
   }
 }
 

files/service/crontab

@@ -1,2 +1,3 @@
+0 3 * * * root /usr/odk/run-analytics.sh
 0 2 * * * root /usr/odk/run-backup.sh
 0 1 * * 0 root /usr/odk/reap-sessions.sh

files/service/pm2.config.js

@@ -0,0 +1,17 @@
+module.exports = {
+  apps:  [{
+    name: 'service',
+    script: './lib/bin/run-server.js',
+
+    // the default is 1600ms; we aren't that impatient:
+    kill_timeout: 30000,
+
+    // log to stdout/stderr:
+    out_file: '/proc/1/fd/1',
+    error_file: '/proc/1/fd/2',
+
+    // per Unitech/pm2#2045 this resolves a conflict w node-config:
+    instance_var: 'INSTANCE_ID'
+  }]
+};
+

files/service/scripts/run-analytics.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cd /usr/odk
+/usr/local/bin/node lib/bin/run-analytics.js >/proc/1/fd/1 2>/proc/1/fd/2
+

files/service/scripts/start-odk.sh

@@ -18,6 +18,5 @@ fi
 echo "using $WORKER_COUNT worker(s) based on available memory ($MEMTOT).."
 
 echo "starting server."
-mkdir -p /var/log/odk
-node node_modules/naught/lib/main.js start --remove-old-ipc true --worker-count $WORKER_COUNT --daemon-mode false --log /var/log/odk/naught.log --stdout /proc/1/fd/1 --stderr /proc/1/fd/2 lib/bin/run-server.js
+pm2-runtime ./pm2.config.js --instances $WORKER_COUNT
 

nginx.dockerfile

@@ -1,11 +1,11 @@
-FROM node:12.6.0 as intermediate
+FROM node:14.17.6 as intermediate
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
 RUN files/prebuild/build-frontend.sh
 
 
-FROM staticfloat/nginx-certbot@sha256:113300163d871119a261738964d7d8f24a478a605d56888a82e9f45fb353698d
+FROM jonasal/nginx-certbot:2.4
 
 EXPOSE 80
 EXPOSE 443

service.dockerfile

@@ -1,4 +1,4 @@
-FROM node:12.6.0
+FROM node:14.17.6
 
 WORKDIR /usr/odk
 
@@ -11,9 +11,11 @@ COPY files/service/crontab /etc/cron.d/odk
 
 COPY server/package*.json ./
 RUN npm install --production
+RUN npm install pm2 -g
 
 COPY server/ ./
 COPY files/service/scripts/ ./
+COPY files/service/pm2.config.js ./
 
 COPY files/service/config.json.template /usr/share/odk/
 COPY files/service/odk-cmd /usr/bin/