From 89f0e237922ec9a4fdb6d4002905f34445dce12d Mon Sep 17 00:00:00 2001
From: Jon Azpiazu
Date: Wed, 30 May 2018 16:25:19 +0200
Subject: [PATCH 1/2] Fixes for gpg key generation and nginx configuration

---
 Dockerfile | 41 ++++++++++++-----------------------------
 assets/gpg_batch.sh | 2 --
 assets/nginx.conf.sh | 2 +-
 assets/startup.sh | 6 ++++--
 4 files changed, 17 insertions(+), 34 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index aad2d2c..fd11a1e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,38 +1,28 @@
 # Copyright 2016 Bryan J. Hong
-# 
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-# 
+#
 # http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM ubuntu:trusty
+FROM ubuntu:xenial
 MAINTAINER bryan@turbojets.net
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV DIST=ubuntu
-ENV RELEASE=trusty
-
-# Add Aptly repository
-RUN echo "deb http://repo.aptly.info/ squeeze main" > /etc/apt/sources.list.d/aptly.list
-RUN apt-key adv --keyserver keys.gnupg.net --recv-keys 9E3E53F19C7DE460
-
-# Add Nginx repository
-RUN echo "deb http://nginx.org/packages/$DIST/ $RELEASE nginx" > /etc/apt/sources.list.d/nginx.list
-RUN echo "deb-src http://nginx.org/packages/$DIST/ $RELEASE nginx" >> /etc/apt/sources.list.d/nginx.list
-RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+ENV RELEASE=xenial
 
 # Update APT repository and install packages
-RUN apt-get -q update \
-  && apt-get -y install aptly \
-  bash-completion \
+RUN apt-get -qq update \
+  && apt-get -y -qq install aptly \
   bzip2 \
   gnupg \
   gpgv \
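Review bot: The new install line `&& apt-get -y -qq install aptly \` pulls in recommended packages and pins nothing, so the image content depends on whatever the xenial archive serves on the build day; add `--no-install-recommends` and, where reproducibility matters, pin package versions (hadolint DL3008): `&& apt-get -y -qq install --no-install-recommends aptly \`. `FROM ubuntu:xenial` is a floating tag as well; a digest pin would make the base reproducible. Dropping the `apt-key adv --keyserver hkp://pgp.mit.edu:80` fetch in favour of distro packages removes an unauthenticated-keyserver step, which is an improvement worth keeping. The RUN instruction continues past the end of this hunk.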
@@ -40,24 +30,17 @@ RUN apt-get -q update \
   supervisor \
   nginx \
   wget \
-  xz-utils
+  xz-utils \
+  apt-utils \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
 
 # Install Aptly Configuration
 COPY assets/aptly.conf /etc/aptly.conf
 
-# Enable Aptly Bash completions
-RUN wget https://github.com/smira/aptly/raw/master/bash_completion.d/aptly \
-  -O /etc/bash_completion.d/aptly \
-  && echo "if ! shopt -oq posix; then\n\
-    if [ -f /usr/share/bash-completion/bash_completion ]; then\n\
-      . /usr/share/bash-completion/bash_completion\n\
-    elif [ -f /etc/bash_completion ]; then\n\
-      . /etc/bash_completion\n\
-    fi\n\
-fi" >> /etc/bash.bashrc
-
 # Install Nginx Config
 COPY assets/nginx.conf.sh /opt/nginx.conf.sh
+RUN rm /etc/nginx/sites-enabled/*
 COPY assets/supervisord.nginx.conf /etc/supervisor/conf.d/nginx.conf
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf
 
diff --git a/assets/gpg_batch.sh b/assets/gpg_batch.sh
index 79448c2..d2228c0 100755
--- a/assets/gpg_batch.sh
+++ b/assets/gpg_batch.sh
@@ -10,8 +10,6 @@ Name-Comment: Aptly Repo Signing
 Name-Email: ${EMAIL_ADDRESS}
 Expire-Date: 0
 Passphrase: ${GPG_PASSWORD}
-%pubring /opt/aptly/aptly.pub
-%secring /opt/aptly/aptly.sec
 %commit
 %echo done
 EOF
diff --git a/assets/nginx.conf.sh b/assets/nginx.conf.sh
index 70d822a..f097724 100755
--- a/assets/nginx.conf.sh
+++ b/assets/nginx.conf.sh
@@ -4,7 +4,7 @@ cat << EOF > /etc/nginx/conf.d/default.conf
 server_names_hash_bucket_size 64;
 server {
   root /opt/aptly/public;
-  server_name ${HOSTNAME};
+  server_name _;
 
   location / {
     autoindex on;
diff --git a/assets/startup.sh b/assets/startup.sh
index f4f3fc8..6aa72fb 100755
--- a/assets/startup.sh
+++ b/assets/startup.sh
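Review bot: `RUN rm /etc/nginx/sites-enabled/*` fails the build as soon as the glob matches nothing (the shell then passes the literal pattern and rm reports "No such file"), so it breaks the moment the nginx package stops shipping a default site; `RUN rm -f /etc/nginx/sites-enabled/*` is the idempotent form. The cleanup `&& apt-get clean && rm -rf /var/lib/apt/lists/*` in the same layer as the install is correct. Presumably removing the default site is what lets the `server_name _;` catch-all written by nginx.conf.sh take effect; a one-line comment above the RUN stating that would help the next reader.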
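Review bot: Dropping `%pubring /opt/aptly/aptly.pub` and `%secring /opt/aptly/aptly.sec` moves the generated signing keypair into gpg's default home, /root/.gnupg, and the reversed `ln -sf /root/.gnupg/secring.gpg /opt/aptly/aptly.sec` in the startup.sh hunk at -37,8 makes /opt/aptly hold only symlinks to it. If /opt/aptly is the persisted volume and /root/.gnupg is not, as the previous layout suggests, the symlinks dangle after the container is recreated, `[[ ! -f /opt/aptly/aptly.sec ]]` evaluates true, and a fresh key is generated under the same name and e-mail, silently changing the repository's signing key for every client that trusted the old one. Keeping the keyring under the persisted path, for example `export GNUPGHOME=/opt/aptly/gnupg` before the gpg calls, or persisting /root/.gnupg as well, avoids that.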
@@ -2,6 +2,8 @@
 
 # If the repository GPG keypair doesn't exist, create it.
 if [[ ! -f /opt/aptly/aptly.sec ]] || [[ ! -f /opt/aptly/aptly.pub ]]; then
+  echo "Generating new gpg keys"
+  cp -a /dev/urandom /dev/random
   /opt/gpg_batch.sh
   # If your system doesn't have a lot of entropy this may, take a long time
   # Google how-to create "artificial" entropy if this gets stuck
@@ -37,8 +39,8 @@ if [[ -f /usr/share/keyrings/debian-archive-keyring.gpg ]]; then
 fi
 
 # Aptly looks in /root/.gnupg for default keyrings
-ln -sf /opt/aptly/aptly.sec /root/.gnupg/secring.gpg
-ln -sf /opt/aptly/aptly.pub /root/.gnupg/pubring.gpg
+ln -sf /root/.gnupg/secring.gpg /opt/aptly/aptly.sec
+ln -sf /root/.gnupg/pubring.gpg /opt/aptly/aptly.pub
 
 # Generate Nginx Config
 /opt/nginx.conf.sh

From 480ac06686d50f4e9379f4d490cdb81ceda5c796 Mon Sep 17 00:00:00 2001
From: Jon Azpiazu
Date: Wed, 30 May 2018 17:03:37 +0200
Subject: [PATCH 2/2] Increase gpg key security

---
 assets/gpg.conf.sh | 8 ++++++++
 assets/gpg_batch.sh | 2 +-
 assets/startup.sh | 8 +++++++-
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100755 assets/gpg.conf.sh

diff --git a/assets/gpg.conf.sh b/assets/gpg.conf.sh
new file mode 100755
index 0000000..934e2b2
--- /dev/null
+++ b/assets/gpg.conf.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+mkdir -p ~/.gnupg/
+touch ~/.gnupg/gpg.conf
+cat >> ~/.gnupg/gpg.conf < /opt/gpg_batch %echo Generating a GPG key, might take a while
 Key-Type: RSA
-Key-Length: 2048
+Key-Length: 4096
 Subkey-Type: ELG-E
 Subkey-Length: 1024
 Name-Real: ${FULL_NAME}
diff --git a/assets/startup.sh b/assets/startup.sh
index 6aa72fb..8b86c06 100755
--- a/assets/startup.sh
+++ b/assets/startup.sh
@@ -1,5 +1,9 @@
 #! /bin/bash
+if [[ ! -f /root/.gnupg/gpg.conf ]]; then
+  /opt/gpg.conf.sh
+fi
+
 
 # If the repository GPG keypair doesn't exist, create it.
 if [[ ! -f /opt/aptly/aptly.sec ]] || [[ ! -f /opt/aptly/aptly.pub ]]; then
   echo "Generating new gpg keys"
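Review bot: `cp -a /dev/urandom /dev/random` replaces the container's /dev/random device node with urandom for every process for the container's whole lifetime, not just for the key generation, and because the script has no `set -e` a failure of the copy (for instance under a dropped MKNOD capability or a read-only /dev) is ignored silently. On kernels from 5.6 onward /dev/random no longer blocks once the pool is seeded, so the workaround is unneeded there; where it is needed, feeding entropy on the host (rng-tools or haveged) is the usual fix. At minimum make a failure visible: `cp -a /dev/urandom /dev/random || echo "warning: could not replace /dev/random" >&2`. The if block continues past the end of this hunk.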
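Review bot: Raising `Key-Length: 4096` strengthens the primary key, but the hunk leaves `Subkey-Type: ELG-E` and `Subkey-Length: 1024` in place, so the keypair still carries a 1024-bit ElGamal encryption subkey that is weaker than the 2048-bit primary being replaced. A repository signing key needs no encryption subkey at all; either drop the two Subkey lines or raise `Subkey-Length: 4096` alongside the primary. The hunk header for this file is garbled in this rendering, so its exact line range is inferred.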
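Review bot: The new guard calls `/opt/gpg.conf.sh`, but neither patch adds a COPY for assets/gpg.conf.sh to the Dockerfile (the second patch touches only assets/), so unless an instruction outside these hunks already copies the whole assets directory, the call fails with "No such file" and, with no `set -e`, startup continues without the intended gpg.conf. Either add `COPY assets/gpg.conf.sh /opt/gpg.conf.sh` to the Dockerfile or check before calling: `[[ -x /opt/gpg.conf.sh ]] && /opt/gpg.conf.sh`. The guard also tests `/root/.gnupg/gpg.conf` while the script writes `~/.gnupg/gpg.conf`; the two coincide only when HOME is /root, which is presumably the case for this image.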
@@ -8,6 +12,8 @@ if [[ ! -f /opt/aptly/aptly.sec ]] || [[ ! -f /opt/aptly/aptly.pub ]]; then
   # If your system doesn't have a lot of entropy this may, take a long time
   # Google how-to create "artificial" entropy if this gets stuck
   gpg --batch --gen-key /opt/gpg_batch
+else
+  echo "No need to generate new gpg keys"
 fi
 
 # Export the GPG Public key
@@ -40,7 +46,7 @@ fi
 
 # Aptly looks in /root/.gnupg for default keyrings
 ln -sf /root/.gnupg/secring.gpg /opt/aptly/aptly.sec
-ln -sf /root/.gnupg/pubring.gpg /opt/aptly/aptly.pub
+ln -sf /root/.gnupg/pubring.gpg /opt/aptly/aptly.pub
 
 # Generate Nginx Config
 /opt/nginx.conf.sh
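Review bot: Both branches of the new if/else leave `/opt/gpg_batch` on disk after `gpg --batch --gen-key /opt/gpg_batch`, and that file holds `Passphrase: ${GPG_PASSWORD}` in clear (see the gpg_batch.sh hunk in the first patch), so the key's passphrase persists in the container filesystem for as long as the container exists. Remove it once the key has been generated, `gpg --batch --gen-key /opt/gpg_batch && rm -f /opt/gpg_batch`, or have gpg_batch.sh write to a private temporary path with restrictive permissions instead. The enclosing if starts above this hunk.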