Initial commit of multi-stage Dockerfile

Author: Martín Cigorraga

.gitignore

@@ -1,8 +1,6 @@
-.idea/
-
 npm-debug.log
 coverage.out
-db.sqlite3
-
-public/vendor/
-bindata.go
+.vscode
+README.html
+.DS_Store
+*~

Dockerfile

@@ -1,32 +1,44 @@
-FROM golang:latest
-MAINTAINER Vladimir Osintsev <[email protected]>
+ARG GOLANG_VER=1.12.4-stretch
+ARG ALPINE_VER=3.9.3
 
-RUN mkdir -p /go/src/app
-WORKDIR /go/src/app
+## Stage 0: build Go executable from code and templates
+FROM golang:${GOLANG_VER} as builder
 
 COPY . /go/src/app
+WORKDIR /go/src/app
 
-RUN apt-get update && apt-get -y install --no-install-recommends \
-        sqlite3 \
-        nodejs-legacy \
-        npm && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+# https://nodesource.com/blog/installing-node-js-tutorial-debian-linux/
+RUN curl -sL https://deb.nodesource.com/setup_6.x | bash - && \
+    apt-get -y install --no-install-recommends nodejs && \
+    npm install -g bower && \
+    bower --allow-root install && \
+    mkdir -p /go/src/github.com/cig0 && \
+    ln -sf /go/src/app /go/src/github.com/cig0/tornote
 
-# Client-side dependencies
-RUN npm install -g bower && \
-    bower --allow-root install
+VOLUME /go/src/app/
 
-RUN mkdir -p /go/src/github.com/osminogin && \
-    ln -sf /go/src/app /go/src/github.com/osminogin/tornote
+RUN make install
 
-# Database init with schema
-RUN sqlite3 db.sqlite3 <db.scheme
+## Stage 1: grab compiled binary
+FROM alpine:${ALPINE_VER} as runtime
 
-VOLUME /go/src/app/db.sqlite3
+COPY --from=builder /go/bin /go/bin
+COPY db.schema /go/src/app/
 
-RUN make install
+WORKDIR /go/src/app
+ENV PATH="/go/bin:${PATH}"
+
+RUN apk add --update sqlite && \
+    sqlite3 db.sqlite3 < db.schema && \
+    adduser -D limited -s /bin/sh && \
+    chown -R limited.limited /go && \
+    mkdir /lib64 && \
+    ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
+
+VOLUME /go/src/app/
+
+USER limited
 
 EXPOSE 8080
 
-CMD ["tornote", "-addr", ":8080"]
+CMD ["tornote", "-addr", ":8080"]

README.md

@@ -1,32 +1,22 @@
-# Tornote [![Build Status](https://travis-ci.org/osminogin/tornote.svg?branch=master)](https://travis-ci.org/osminogin/tornote) [![Coverage Status](https://coveralls.io/repos/github/osminogin/tornote/badge.svg?branch=master)](https://coveralls.io/github/osminogin/tornote?branch=master)
+# Tornote
 
-Anonymous self-destructing notes written in Go and with help Stanford Javascript Crypto Library ([SJCL](https://crypto.stanford.edu/sjcl/)) on client-side.
+![Screenshot](resources/screenshot.png)
 
-Server stores only encrypted data. JavaScript must be enabled, because notes decripted in the Web Browser with key from secret link. After reading encrypted note immediately removed from the database.    
+[![Build Status](https://travis-ci.org/osminogin/tornote.svg?branch=master)](https://travis-ci.org/osminogin/tornote) [![Coverage Status](https://coveralls.io/repos/github/cig0/tornote/badge.svg?branch=master)](https://coveralls.io/github/cig0/tornote?branch=master)
 
-Latest stable version available on https://tornote.org
+Anonymous self-destructing notes written in Go with help of Stanford JavaScript Crypto Library ([SJCL](https://crypto.stanford.edu/sjcl/)) on client-side.
 
-## Security
-
-How safe Tornote compared with other similar services? More than.
-
-- All private data in the clear text is not leaving the client-side (without encryption).
+The server stores only encrypted data. JavaScript must be enabled, because notes are decrypted in the web browser using the key from the secret link. After reading the encrypted note, it is immediately removed from the database.
 
-- Server stored only anonymous encrypted data (without any reference to author or reader).
+## Security
 
-- Note decryption executed on the client-side via the SJCL. After reading the encrypted data removed on server.
+How safe Tornote is compared with other similar services? More than many of them.
 
-If you have ideas to improve the our safety/security so far as possible please post the issue.
++ All private data in clear text doesn't leave the client-side without being encrypted first
++ Server stores only anonymous encrypted data, without any reference to it's author or reader
++ Note decryption is executed on the client-side via the SJCL. After reading the encrypted note, it's data is removed from the server
 
-## Getting started
-
-```bash
-$ go get -u github.com/osminogin/tornote
-$ cd $GOPATH/src/github.com/osminogin/tornote
-$ bower install
-$ make install
-$ tornote &
-```
+If you have ideas to improve safety/security please open a new issue.
 
 ## Running with Docker
 
@@ -38,3 +28,31 @@ $ docker run -p 80:8080 --name tornote tornote-app
 ## License
 
 AGPLv3 or later
+
+----
+
+### TO DO (in no particular order)
+
+```diff
++ [ DONE ] Move away from any 'latest' declaration for packages versions
++ [ DONE ] Migrate from golang:1.12.4-stretch to a smaller base
++ [ DONE ] Added package.json for future migration from Bower to Yarn
++ [ DONE ] Tornote is now running as a limited user (instead of as root) for enhanced security
++ [ DONE ] Create a multi-stage Dockerfile
+- Migrate from Bower to Yarn
+- Fix testing & badges
+```
+
+### Repo notice
+
+#### Branches description
+
++ **master**: production-ready branch; this is the branch that should be pulled when running this app in production
++ **stage**: a.k.a. release branch
++ **dev**: development branch; all work branches have to be merged here
+
+#### How to contribute
+
+Fork the repo and PR against `dev` branch.
+
+All credits goes to the original author, thank you [Vladimir Osintsev](https://github.com/osminogin) for sharing!

resources/screenshot.png

@@ -23,7 +23,7 @@
     <nav class="navbar navbar-default navbar-fixed-top">
         <div class="container">
             <div class="navbar-header">
-                <a class="navbar-brand" href="/">tornote<span class="text-muted">.org</span></a>
+                <a class="navbar-brand" href="/">tornote<span class="text-muted">| Anonymous self-destructing notes</span></a>
             </div>
         </div>
     </nav>
@@ -36,10 +36,10 @@
     <!-- Footer -->
     <footer class="footer">
         <div class="container">
-            <p class="text-muted">
-                Tornote is open source software licensed under <a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPLv3</a>.
-                Source code available on <a href="https://github.com/osminogin/tornote">GitHub</a>
-                <span class="glyphicon glyphicon-link small"></span>.
+            <p class="text-muted" align="center">
+                Tornote is open source software licensed under <a href="https://www.gnu.org/licenses/agpl-3.0.html">AGPLv3</a>
+                Source code available on <a href="https://github.com/cig0/tornote">GitHub</a>
+                <span class="glyphicon glyphicon-link small"></span>
             </p>
         </div>
     </footer>

templates/layout/base.html

@@ -22,7 +22,7 @@ import (
 	"log"
 	"os"
 
-	"github.com/osminogin/tornote"
+	"github.com/cig0/tornote"
 )
 
 var (