From 6d2f8bd0c8a02ddb50ff193437735fba5ed0e073 Mon Sep 17 00:00:00 2001
From: Josh Krawczyk
Date: Sun, 16 Feb 2020 20:26:26 -0500
Subject: [PATCH] Fix Salt container and create a user/password from .env

---
 docker/docker-compose.yml | 8 +++++---
 docker/readme.md | 8 ++++++--
 docker/salt/api.conf | 2 +-
 docker/salt/dockerfile | 12 ++++++++++++
 docker/salt/user.conf | 1 -
 5 files changed, 24 insertions(+), 7 deletions(-)
 create mode 100644 docker/salt/dockerfile
 delete mode 100644 docker/salt/user.conf

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 65cd8fd1..d2af7671 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -21,9 +21,11 @@ services:
 networks:
 - database
 salt:
- image: "saltstack/salt"
- volumes:
- - ./salt:/etc/salt/master.d
+ build:
+ context: ./salt
+ args:
+ - SALT_USER=${SALT_USER}
+ - SALT_PASS=${SALT_PASS}
 ports:
 - "8123:8123"
 - "4505:4505"
diff --git a/docker/readme.md b/docker/readme.md
index 682858d3..133f7148 100644
--- a/docker/readme.md
+++ b/docker/readme.md
@@ -3,7 +3,7 @@ - install docker and docker-compose - Obtain wildcard cert or individual certs for each subdomain -## Optional - Generate certificates with certbot +## Generate certificates with certbot Install Certbot
@@ -18,6 +18,10 @@ sudo certbot certonly --manual -d *.example.com --agree-tos --no-bootstrap --man ``` Copy the fullchain.pem and privkey.pem to the cert directory. +## Configure DNS and Firewall + +You will need to add DNS entries so that the three subdomains resolve to the IP of the docker host. There is a reverse proxy running that will route the hostnames to the correct container. On the host, you will need to ensure the firewall is open on tcp ports 80, 443, 8123, 4505, 4506. + ## Run the environment with Docker Copy the .env.example to .env then 
@@ -60,7 +64,7 @@ sudo docker exec -it docker_api_1 python manage.py generate_barcode [OTP_CODE] [ ## Connect to a container instance shell -run `docker ps` to get the name of the running container instance +run `docker ps` to get the name of the running container instance. Then use the name in the below command. It will use the api container instance as an example
diff --git a/docker/salt/api.conf b/docker/salt/api.conf
index 9342a309..63fa5058 100644
--- a/docker/salt/api.conf
+++ b/docker/salt/api.conf
@@ -3,7 +3,7 @@ gather_job_timeout: 30
 max_event_size: 30485760
 external_auth:
 pam:
- saltapi:
+ ${SALT_USER}:
 - .*
 - '@runner'
 - '@wheel'
diff --git a/docker/salt/dockerfile b/docker/salt/dockerfile
new file mode 100644
index 00000000..b6ec06c2
--- /dev/null
+++ b/docker/salt/dockerfile
@@ -0,0 +1,12 @@
+FROM saltstack/salt
+
+ARG SALT_USER
+ARG SALT_PASS
+
+RUN adduser --no-create-home --disabled-password --gecos "" ${SALT_USER} && \
+echo "${SALT_USER}:${SALT_PASS}" | chpasswd
+RUN apk add gettext
+
+COPY ./api.conf /etc/salt/master.d/api.conf.tmp
+RUN envsubst '\$SALT_USER' < /etc/salt/master.d/api.conf.tmp > /etc/salt/master.d/api.conf && \
+    rm /etc/salt/master.d/api.conf.tmp
\ No newline at end of file
diff --git a/docker/salt/user.conf b/docker/salt/user.conf
deleted file mode 100644
index dac049e7..00000000
--- a/docker/salt/user.conf
+++ /dev/null
@@ -1 +0,0 @@
-{"user": "salt"}
\ No newline at end of file
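Review bot: `- SALT_PASS=${SALT_PASS}` under `args:` hands the Salt API password to the image build, and build-arg values are recorded in the resulting image's layer metadata (`docker history` shows them on the RUN steps that consume them), so anyone who can pull the image or read the host's build cache can recover the credential; the same defect is in the docker/salt/dockerfile hunk (`ARG SALT_PASS` and the `chpasswd` line). Rotating the password also requires a rebuild rather than a restart. Prefer keeping the build generic and creating the account at container start from `environment:` values (`SALT_USER`/`SALT_PASS` on the `salt` service) in an entrypoint script; if the user must exist at build time, pass the password through a BuildKit secret mount (`RUN --mount=type=secret,id=salt_pass ...`) instead of an `ARG`. The `salt:` service block continues outside the hunk.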
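Review bot: `${SALT_USER}:` is only a valid `external_auth` key after envsubst has run during the salt image build; if this file is ever mounted straight into `/etc/salt/master.d` again (as the removed `volumes:` entry in docker-compose.yml did), the literal string `${SALT_USER}` becomes the PAM account name and nothing warns about it. Add a comment above the key so the dependency is visible, e.g. `# the key below is filled in by envsubst at image build (docker/salt/dockerfile); do not mount this file unrendered`. The same comment should say that this single account is granted `.*`, `@runner` and `@wheel`, i.e. effectively full control of the master, which is pre-existing but now tied to whatever name `.env` supplies.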
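Review bot: The `adduser ... && echo "${SALT_USER}:${SALT_PASS}" | chpasswd` step never verifies that `SALT_PASS` was supplied — an empty build arg still leaves the pipeline green, so a blank value in `.env` presumably yields an image whose PAM account has an empty password (confirm against the image's chpasswd), and that account holds the `.*`/`@runner`/`@wheel` rights from api.conf. Fail the build instead: `RUN test -n "${SALT_USER}" && test -n "${SALT_PASS}" && adduser --no-create-home --disabled-password --gecos "" "${SALT_USER}" && echo "${SALT_USER}:${SALT_PASS}" | chpasswd`. Separately, `FROM saltstack/salt` is untagged and `RUN apk add gettext` is unpinned and leaves the apk index in the layer; prefer `FROM saltstack/salt:<tag>` and `RUN apk add --no-cache gettext=<version>`. The `api.conf.tmp` removed by the last RUN still exists in the `COPY` layer beneath it, harmless here because the file only holds the placeholder, but worth knowing before anything sensitive is templated the same way.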