Dockerfile.rocky8

# Default ARG values which may be overriden in build command with
# docker-compose build --build-arg KEY=VAL
#  as in 
# make init && make build ARGS="--build-arg MIG_SVN_REV=HEAD"
#  or using
# docker-compose build
# with .env file in place
#
# IMPORTANT: all ARGS here that should allow being overriden from .env MUST be
#            explicitly listed in docker-compose.yml *args* list, too.
#            Furthermore they must be declared after FROM in each stage used.

ARG DOCKER_MIGRID_ROOT=.
ARG ARCH=amd64
ARG UID=1000
ARG GID=1000
ARG DOMAIN=migrid.test
ARG WILDCARD_DOMAIN=*.migrid.test
ARG PUBLIC_DOMAIN=www.migrid.test
ARG PUBLIC_ALIAS_DOMAIN=
ARG MIGCERT_DOMAIN=cert.migrid.test
ARG EXTCERT_DOMAIN=
ARG MIGOID_DOMAIN=ext.migrid.test
ARG EXTOID_DOMAIN=
ARG EXTOIDC_DOMAIN=
ARG SID_DOMAIN=sid.migrid.test
ARG IO_DOMAIN=io.migrid.test
ARG OPENID_DOMAIN=openid.migrid.test
ARG FTPS_DOMAIN=ftps.migrid.test
ARG SFTP_DOMAIN=sftp.migrid.test
ARG WEBDAVS_DOMAIN=webdavs.migrid.test
ARG MIG_OID_PROVIDER=https://ext.migrid.test/openid/
ARG EXT_OID_PROVIDER=unset
ARG EXT_OIDC_PROVIDER_META_URL=unset
ARG EXT_OIDC_CLIENT_NAME=unset
ARG EXT_OIDC_CLIENT_ID=unset
ARG EXT_OIDC_SCOPE=unset
ARG EXT_OIDC_REMOTE_USER_CLAIM=unset
ARG EXT_OIDC_PASS_CLAIM_AS=unset
ARG PUBLIC_HTTP_PORT=80
ARG PUBLIC_HTTPS_PORT=444
ARG MIGCERT_HTTPS_PORT=446
ARG EXTCERT_HTTPS_PORT=447
ARG MIGOID_HTTPS_PORT=443
ARG EXTOID_HTTPS_PORT=445
ARG EXTOIDC_HTTPS_PORT=449
ARG SID_HTTPS_PORT=448
ARG SFTP_SUBSYS_PORT=22222
ARG SFTP_PORT=2222
ARG SFTP_SHOW_PORT=22
ARG DAVS_PORT=4443
ARG DAVS_SHOW_PORT=443
ARG FTPS_CTRL_PORT=8021
ARG FTPS_CTRL_SHOW_PORT=21
ARG OPENID_PORT=8443
ARG OPENID_SHOW_PORT=443
ARG MIG_SVN_REPO=https://svn.code.sf.net/p/migrid/code/trunk
ARG MIG_SVN_REV=HEAD
ARG MIG_GIT_REPO=https://github.com/ucphhpc/migrid-sync.git
ARG MIG_GIT_BRANCH=main
ARG MIG_GIT_REV=HEAD
ARG ADMIN_EMAIL=mig
ARG ADMIN_LIST=
ARG SUPPORT_EMAIL=mig
ARG SMTP_SENDER=
ARG SMTP_SERVER=localhost
ARG SMTP_PORT=25
ARG LOG_LEVEL=info
ARG TITLE="Minimum intrusion Grid"
ARG SHORT_TITLE=MiG
ARG MIG_OID_TITLE=MiG
ARG EXT_OID_TITLE=External
ARG PEERS_PERMIT="distinguished_name:.*"
ARG VGRID_CREATORS="distinguished_name:.*"
ARG VGRID_MANAGERS="distinguished_name:.*"
ARG DEFAULT_VGRID_LINKS="files web"
ARG ADVANCED_VGRID_LINKS="files web scm tracker workflows monitor"
ARG HG_PATH=/usr/bin/hg
ARG HGWEB_SCRIPTS=/usr/share/doc/mercurial
ARG TRAC_ADMIN_PATH=""
ARG TRAC_INI_PATH=""
ARG EMULATE_FLAVOR=migrid
ARG EMULATE_FQDN=migrid.org
ARG SKIN_SUFFIX=basic
ARG ENABLE_OPENID=True
ARG ENABLE_SFTP=True
ARG ENABLE_SFTP_SUBSYS=True
ARG ENABLE_DAVS=True
ARG ENABLE_FTPS=True
ARG ENABLE_SHARELINKS=True
ARG ENABLE_TRANSFERS=True
ARG ENABLE_DUPLICATI=True
ARG ENABLE_SEAFILE=False
ARG SEAFILE_FQDN=
ARG SEAFILE_RO_ACCESS=False
ARG ENABLE_SANDBOXES=False
ARG ENABLE_VMACHINES=False
ARG ENABLE_CRONTAB=True
ARG ENABLE_JOBS=True
ARG ENABLE_RESOURCES=True
ARG ENABLE_EVENTS=True
ARG ENABLE_GRAVATARS=True
ARG ENABLE_SITESTATUS=True
ARG STATUS_SYSTEM_MATCH="ANY"
ARG ENABLE_FREEZE=False
ARG PERMANENT_FREEZE=""
ARG ENABLE_CRACKLIB=True
ARG ENABLE_IMNOTIFY=False
ARG ENABLE_NOTIFY=True
ARG ENABLE_PREVIEW=False
ARG ENABLE_WORKFLOWS=False
ARG ENABLE_VERIFY_CERTS=True
ARG ENABLE_JUPYTER=True
ARG ENABLE_CLOUD=False
ARG CLOUD_ACCESS=cloud-access.yaml
ARG CLOUD_JUMPHOST_KEY=cloud-jumphost-key
ARG OPENSTACKSDK_VERSION_OVERRIDE=
ARG ENABLE_MIGADMIN=False
ARG ENABLE_GDP=False
ARG ENABLE_TWOFACTOR=True
ARG ENABLE_TWOFACTOR_STRICT_ADDRESS=False
ARG TWOFACTOR_AUTH_APPS=""
ARG ENABLE_PEERS=True
ARG ENABLE_QUOTA=False
ARG PEERS_MANDATORY=False
ARG PEERS_EXPLICIT_FIELDS=""
ARG PEERS_CONTACT_HINT="authorized to invite you as peer"
ARG ENABLE_SELF_SIGNED_CERTS=False
ARG MIG_PASSWORD_POLICY="MEDIUM"
ARG ENABLE_LOGROTATE="False"
# TODO: logrotate conf needs to be adjusted to the manual docker service launch 
#ARG LOGROTATE_MIGRID="True"
ARG LOGROTATE_MIGRID="False"
ARG BUILD_MOD_AUTH_OPENID=False
# NOTE: mod auth openidc is a bit dated in OS repo - allow optional upgrade
ARG UPGRADE_MOD_AUTH_OPENIDC=False
# NOTE: source for optional mod auth openidc upgrade
#       Defaults to a relatively recent upstream release if left unset.
#       Alternatives are available at
#       https://github.com/OpenIDC/cjose/releases
#       https://github.com/OpenIDC/mod_auth_openidc/releases
ARG UPGRADE_OIDC_CJOSE_SRC=""
ARG UPGRADE_OIDC_AUTH_MOD_SRC=""
ARG UPGRADE_PARAMIKO=False
ARG PUBKEY_FROM_DNS=False
# NOTE: python2 support is going away in rocky8+
ARG WITH_PY3=True
ARG PREFER_PYTHON3=False
ARG SIGNUP_METHODS=migoid
ARG LOGIN_METHODS=migoid
ARG USER_INTERFACES=V3
# TODO: expose and enable new user default UI
#ARG NEW_USER_DEFAULT_UI=V3
ARG AUTO_ADD_CERT_USER=False
ARG AUTO_ADD_OID_USER=False
ARG AUTO_ADD_OIDC_USER=False
ARG AUTO_ADD_FILTER_FIELDS=
ARG AUTO_ADD_FILTER_METHOD=
ARG AUTO_ADD_USER_PERMIT="distinguished_name:.*"
ARG CERT_VALID_DAYS=365
ARG OID_VALID_DAYS=365
ARG GENERIC_VALID_DAYS=365
ARG EXT_OIDC_PKCE_METHOD=""
ARG EXT_OIDC_PROVIDER_ISSUER=""
ARG EXT_OIDC_PROVIDER_AUTHORIZATION_ENDPOINT=""
ARG EXT_OIDC_PROVIDER_TOKEN_ENDPOINT=""
ARG EXT_OIDC_PROVIDER_USER_INFO_ENDPOINT=""
ARG EXT_OIDC_PROVIDER_TOKEN_ENDPOINT_AUTH=""
ARG EXT_OIDC_USER_INFO_TOKEN_METHOD=""
ARG EXT_OIDC_USER_INFO_SIGNED_RESPONSE_ALG=""
ARG EXT_OIDC_COOKIE_SAME_SITE=""
ARG EXT_OIDC_PASS_COOKIES=""
ARG EXT_OIDC_RESPONSE_MODE=""
ARG EXT_OIDC_PROVIDER_VERIFY_CERT_FILES=""
ARG EXT_OIDC_PRIVATE_KEY_FILES=""
ARG EXT_OIDC_PUBLIC_KEY_FILES=""
ARG EXT_OIDC_ID_TOKEN_ENCRYPTED_RESPONSE_ALG=""
ARG EXT_OIDC_ID_TOKEN_ENCRYPTED_RESPONSE_ENC=""
ARG EXT_OIDC_REWRITE_COOKIE=""
ARG EXT_OIDC_TITLE=""
ARG DEFAULT_MENU=
ARG USER_MENU=jupyter
ARG CA_FQDN=""
ARG CA_SMTP="localhost"
ARG CA_USER="mig-ca"
ARG FTPS_PASV_PORTS="8100:8400"
ARG SECSCAN_ADDR=""
# TODO: expose and enable notify protocols
#ARG NOTIFY_PROTOCOLS="email"
ARG IMNOTIFY_ADDRESS=""
ARG IMNOTIFY_CHANNEL=""
ARG IMNOTIFY_USERNAME=""
ARG IMNOTIFY_PASSWD=""
ARG EXTERNAL_DOC="https://sourceforge.net/p/migrid/wiki"
ARG IO_ACCOUNT_EXPIRE="False"
# TODO: expose and enable these UI vars
#ARG PEERS_NOTICE=""
#ARG LOGO_CENTER=""
#ARG SUPPORT_TEXT=""
#ARG PRIVACY_TEXT=""
ARG DATASAFETY_LINK=""
ARG DATASAFETY_TEXT=""
# NOTE: stay with wsgidav-1.3 for python2 to avoid CVE-2022-41905, we already get 4.3+ for python3
ARG MODERN_WSGIDAV=False
ARG WITH_GIT=False
ARG OPENSSH_VERSION=7.4
ARG VGRID_LABEL=VGrid
ARG DIGEST_SALT="AUTO"
ARG CRYPTO_SALT="AUTO"
ARG EXTRA_USERPAGE_SCRIPTS=""
ARG EXTRA_USERPAGE_STYLES=""
ARG GDP_EMAIL_NOTIFY=True
ARG GDP_ID_SCRAMBLE=safe_hash
ARG GDP_PATH_SCRAMBLE=safe_encrypt
ARG STORAGE_PROTOCOLS=AUTO
ARG WWWSERVE_MAX_BYTES=-1
ARG SFTP_MAX_SESSIONS=32
ARG WSGI_PROCS=25
ARG APACHE_WORKER_PROCS=256
ARG QUOTA_BACKEND=""
ARG QUOTA_USER_LIMIT=1099511627776
ARG QUOTA_VGRID_LIMIT=1099511627776
ARG QUOTA_LUSTRE_VERSION="2.15.4"
ARG QUOTA_LUSTRE_BASE="/dev/null"
ARG QUOTA_GOCRYPTFS_XRAY="/dev/null"
ARG QUOTA_GOCRYPTFS_SOCK="/dev/null"

# Jupyter Arguments
ARG JUPYTER_SERVICES=""
ARG JUPYTER_SERVICES_DESC="{}"
# Cloud Arguments
ARG CLOUD_SERVICES=""
ARG CLOUD_SERVICES_DESC="{}"

#------------------------- first stage -----------------------------#
FROM --platform=linux/$ARCH rockylinux:8 AS init
ARG UID
ARG GID
ARG DOMAIN
ARG WILDCARD_DOMAIN
ARG PUBLIC_DOMAIN
ARG MIGCERT_DOMAIN
ARG EXTCERT_DOMAIN
ARG MIGOID_DOMAIN
ARG EXTOID_DOMAIN
ARG EXTOIDC_DOMAIN
ARG SID_DOMAIN
ARG IO_DOMAIN
ARG OPENID_DOMAIN
ARG FTPS_DOMAIN
ARG SFTP_DOMAIN
ARG WEBDAVS_DOMAIN
ARG PUBLIC_HTTP_PORT
ARG PUBLIC_HTTPS_PORT
ARG MIGCERT_HTTPS_PORT
ARG EXTCERT_HTTPS_PORT
ARG MIGOID_HTTPS_PORT
ARG EXTOID_HTTPS_PORT
ARG EXTOIDC_HTTPS_PORT
ARG SID_HTTPS_PORT
ARG SFTP_PORT
ARG SFTP_SUBSYS_PORT
ARG DAVS_PORT
ARG FTPS_CTRL_PORT
ARG OPENID_PORT
#ARG MIG_SVN_REPO
#ARG MIG_SVN_REV
#ARG MIG_GIT_REPO
#ARG MIG_GIT_BRANCH
#ARG MIG_GIT_REV
#ARG EMULATE_FLAVOR
#ARG EMULATE_FQDN
ARG WITH_PY3
ARG JUPYTER_SERVICES
ARG CLOUD_SERVICES
#ARG WITH_GIT

RUN echo "UID and GID: $UID $GID"
RUN echo "Domains: $DOMAIN" "${PUBLIC_DOMAIN}" "${MIGCERT_DOMAIN}" \
           "${EXTCERT_DOMAIN}" "${MIGOID_DOMAIN}" "${EXTOID_DOMAIN}" \
           "${EXTOIDC_DOMAIN}" "${SID_DOMAIN}" "${IO_DOMAIN}" \
           "${OPENID_DOMAIN}" "${SFTP_DOMAIN}" "${FTPS_DOMAIN}" \
           "${WEBDAVS_DOMAIN}"
RUN echo "Ports: " "${PUBLIC_HTTP_PORT} ${PUBLIC_HTTPS_PORT}" \
    "${MIGOID_HTTPS_PORT} ${EXTOID_HTTPS_PORT} ${EXTOIDC_HTTPS_PORT}" \
    "${MIGCERT_HTTPS_PORT} ${EXTCERT_HTTPS_PORT}" \
    "${SID_HTTPS_PORT} ${SFTP_PORT} ${SFTP_SUBSYS_PORT}" \
    "${FTPS_CTRL_PORT} ${DAVS_PORT} ${OPENID_PORT}"
#RUN echo "MiG svn repo and revision: $MIG_SVN_REPO $MIG_SVN_REV"
#RUN echo "MiG git repo , branch and revision: $MIG_GIT_REPO $MIG_GIT_BRANCH $MIG_GIT_REV"
#RUN echo "Emulate flavor: $EMULATE_FLAVOR"
#RUN echo "Emulate FQDN: $EMULATE_FQDN"
RUN echo "Enable python3 support: $WITH_PY3"
#RUN echo "Designated jupyter services: $JUPYTER_SERVICES"
#RUN echo "Designated cloud services: $CLOUD_SERVICES"
#RUN echo "Enable git checkout: $WITH_GIT"

#------------------------- next stage -----------------------------#
FROM --platform=linux/$ARCH init AS base
ARG DOMAIN
ARG WILDCARD_DOMAIN
ARG ENABLE_GDP
ARG ENABLE_SELF_SIGNED_CERTS
ARG BUILD_MOD_AUTH_OPENID
ARG UPGRADE_MOD_AUTH_OPENIDC
ARG UPGRADE_OIDC_CJOSE_SRC
ARG UPGRADE_OIDC_AUTH_MOD_SRC
ARG UPGRADE_PARAMIKO
ARG ENABLE_CLOUD
ARG WITH_PY3
ARG PREFER_PYTHON3
ARG UID
ARG GID
ARG SMTP_SERVER
ARG SMTP_PORT
ARG ADMIN_EMAIL

WORKDIR /tmp

# Add common shell aliases
COPY shell-aliases.sh /etc/profile.d/

# TODO: is this also a problem with rocky8+?
# Centos image default yum configs prevent docs installation
# https://superuser.com/questions/784451/centos-on-docker-how-to-install-doc-files
RUN sed -i '/nodocs/d' /etc/yum.conf

# NOTE: Enable powertools repo by default on Rocky for cracklib-devel, sshfs, ...
RUN dnf update -y \
    && dnf install -y epel-release dnf-plugins-core \
    && dnf config-manager --set-enabled powertools \
    && dnf clean all \
    && rm -fr /var/cache/dnf

RUN dnf update -y \
    && dnf module enable -y mod_auth_openidc \
    && dnf install -y \
    gcc \
    make \
    glibc-langpack-en \
    pam-devel \
    nss-devel \
    openssl-devel \
    httpd \
    htop \
    openssh \
    cronie \
    crontabs \
    nano \
    mod_ssl \
    # NOTE: python2 wsgi is no longer available here - prepare for pip2 build
    #mod_wsgi \
    httpd-devel \
    # NOTE: mod_proxy is included in base httpd now
    #mod_proxy \
    # NOTE: OpenID 2.0 needs special care here
    #mod_auth_openid \
    mod_auth_openidc \
    tzdata \
    initscripts \
    svn \
    git \
    vim \
    net-tools \
    telnet \
    ca-certificates \
    mercurial \
    openssh-server \
    openssh-clients \
    rsyslog \
    rsyslog-gnutls \
    lsof \
    python2-pip \
    python2-devel \
    # NOTE: several packages are only available through pip
    #python2-paramiko \
    #python2-enchant \
    #python2-jsonrpclib \
    python2-requests \
    python2-psutil \
    #python2-email-validator \
    #python2-future \
    #python2-cffi \
    #pysendfile \
    #pyOpenSSL \
    python2-pyyaml \
    # NOTE: generally install cracklib from pip as yum/dnf only has py2 version
    #cracklib-python \
    cracklib-devel \
    # NOTE: extra dependencies required for paramiko pip install
    redhat-rpm-config pkg-config rust cargo libffi-devel \
    lftp \
    rsync \
    fail2ban \
    ipset \
    wget \
    patch \
    esmtp \
    # NOTE: no default paramiko for python2 here
    #&& [ "${UPGRADE_PARAMIKO}" = True ] || dnf install -y python-paramiko \
    # NOTE: no default openstack client for python2 here
    #&& [ "${ENABLE_CLOUD}" != "True" ] || dnf install -y python-openstackclient \
    && dnf clean all \
    && rm -fr /var/cache/dnf

RUN if [ "${WITH_PY3}" = "True" ]; then \
      echo "install py3 deps" \
      && dnf update -y \
      && dnf install -y \
      python3-pip \
      python3-devel \
      python3-mod_wsgi \
      python3-enchant \
      #python3-jsonrpclib \
      python3-requests \
      python3-psutil \
      python3-email-validator \
      python3-future \
      python3-cffi \
      python3-pyOpenSSL \
      # NOTE: lxml and libxslt-devel required to build python-openid2
      python3-lxml \
      python3-pycurl \
      python3-PyYAML \
      # NOTE: setuptools_rust requires typing-extensions and pip3 pulls in a
      #       slightly incompatible version 4.1.1 causing random errors like
      #       https://github.com/python/typing_extensions/issues/10
      #       We explicitly install the slightly older but stable 3.7.4 version
      #       here or with pip3 instead.
      #       Rocky 8 repos include it so just install here.
      python3-typing-extensions \
      # NOTE: only install default paramiko if upgrade not requested
      && [ "${UPGRADE_PARAMIKO}" = "True" ] || dnf install -y python3-paramiko \
      # NOTE: no default openstack client for python3 here
      #&& [ "${ENABLE_CLOUD}" != "True" ] || dnf install -y python3-openstackclient \
      && dnf clean all \
      && rm -fr /var/cache/dnf; \
    else \
      echo "no py3 deps"; \
    fi;

# Containers have esmtp installed by default but we explicitly include it above
# and configure it for host SMTP delivery for cronjobs etc to be able to route
# mail outside containers.
RUN if [ -n "${SMTP_SERVER}" ]; then \
      [ -z "${SMTP_PORT}" ] && SMTP_PORT=25; \
      echo "# Simple SMTP setup to route all local mail to host SMTP" > /etc/esmtprc && \
      echo "hostname ${SMTP_SERVER}:${SMTP_PORT}" >> /etc/esmtprc && \
      echo "qualifydomain ${DOMAIN}" >> /etc/esmtprc ; \
    fi

# NOTE: python extensions libpam and libnss need matching python-config
RUN if [ "${PREFER_PYTHON3}" = "True" ]; then \
      echo "set up py3 as default python and python-config" && \
      update-alternatives --set python /usr/bin/python3; \
      update-alternatives --install /usr/bin/python-config python-config /usr/bin/python3-config 10; \
    else \
      echo "set up py2 as default python" && \
      update-alternatives --set python /usr/bin/python2; \
      update-alternatives --install /usr/bin/python-config python-config /usr/bin/python2-config 10; \
    fi;


# Install GDP dependencies
RUN if [ "${ENABLE_GDP}" = "True" ]; then \
      echo "install GDP deps" \
      && dnf update -y \
      && dnf install -y \
      python-xvfbwrapper \
      wkhtmltopdf \
      xorg-x11-server-Xvfb \
      && dnf clean all \
      && rm -fr /var/cache/dnf \
      && pip2 install pdfkit; \
      if [ "${WITH_PY3}" = "True" ]; then \
         echo "install py3 deps" && \
	 dnf update -y && \
	 dnf install -y python3-xvfbwrapper \
         && dnf clean all \
         && rm -fr /var/cache/dnf \
	 && pip3 install pdfkit; \
      fi; \
    else \
      echo "no GDP deps"; \
    fi;

# Prepare mod WSGI for py2 (no longer in dnf here)
# See standalone notes on https://pypi.org/project/mod-wsgi/
#RUN dnf install -y apr-devel && dnf clean all && rm -fr /var/cache/dnf
#RUN pip2 install mod_wsgi-standalone
RUN pip2 install mod_wsgi && \
    #find /usr/lib64/python2.7/site-packages/mod_wsgi && \
    cp /usr/lib64/python2.7/site-packages/mod_wsgi/server/mod_wsgi-py27.so \
        /etc/httpd/modules/mod_wsgi.so && \
    pip2 uninstall -y mod_wsgi

# Apache OpenID (provided by epel for centos7) is unavailable here - build instead.
#RUN dnf update -y  && dnf install -y mod_auth_openid \
#        && dnf clean all \
#        && rm -fr /var/cache/dnf

# Build mod_auth_openid from source if requested - mainly for rocky8+ or self-signed hack
RUN echo "BUILD_MOD_AUTH_OPENID: $BUILD_MOD_AUTH_OPENID"
RUN echo "ENABLE_SELF_SIGNED_CERTS: $ENABLE_SELF_SIGNED_CERTS"
RUN if [ "$BUILD_MOD_AUTH_OPENID" = "True" -o "$ENABLE_SELF_SIGNED_CERTS" = "True" ]; then \
        echo "building mod_auth_openid from centos7 source rpm" \
        && dnf update -y \
        && dnf install -y gcc-c++ \
            rpm-build \
            mock \
            make \
            autoconf \
            automake \
            httpd-devel \
            libcurl-devel \
            libtidy-devel \
            pcre-devel \
            openssl-devel \
            libtool \
            sqlite-devel \
            boost-devel \
            libxslt \
            expat-devel \
            tidy-devel \
            libuuid-devel \
        && dnf clean all \
        && rm -fr /var/cache/dnf \
        # NOTE: add EPEL CentOS 7 repos here but completely disabled
        && cat /etc/yum.repos.d/epel.repo | \
                sed 's/\[epel/\[epel7/g;s/\(epel[a-z-]*\)-8/\1-7/g;s/8/7/g;s/enabled=1/enabled=0/g' \
                > /etc/yum.repos.d/epel7.repo \
        && echo "build libopkele from centos7 source rpm" \
        # NOTE: avoid hard-coded version using yumdownloader from yum-utils
        && yumdownloader -y --enablerepo=epel7-source --source --resolve --destdir /root/rpmbuild/SRPMS libopkele \
        && rpm -ivh /root/rpmbuild/SRPMS/libopkele-*.src.rpm \
        # Optionally pull more recent gcc4.9 patch from Debian on rocky8+ (local copy in patches)
        && wget -O /root/rpmbuild/SOURCES/fix-ftbfs-gcc4.9.diff https://sources.debian.org/data/main/libo/libopkele/2.0.4%2Bgit20140305.9651b55-4/debian/patches/fix-ftbfs-gcc4.9.diff \
        # Pull the more recent required OpenSSL-1.1 patch from Debian on rocky8+ (local copy in patches)
        && wget -O /root/rpmbuild/SOURCES/fix-openssl-1.1.0.diff https://sources.debian.org/data/main/libo/libopkele/2.0.4%2Bgit20140305.9651b55-4/debian/patches/fix-openssl-1.1.0.diff \
        # Pull patch from own repo to rpmbuild with Debian patches on rocky8+ (local copy in patches)
        && wget -O /tmp/rpmbuild-opkele-with-gcc4.9-openssl-1.1.0-patches.diff https://github.com/ucphhpc/docker-migrid/raw/master/patches/rpmbuild-opkele-with-gcc4.9-openssl-1.1.0-patches.diff \
        && cd /root && patch -p 0 < /tmp/rpmbuild-opkele-with-gcc4.9-openssl-1.1.0-patches.diff && cd - \
        # TODO: is this security crippling needed or a matter of proper apache proxying?
        # Disable Apache OpenID ssl-certificate verification if self-signed
        # (recompile libopkele with --disable-ssl-verify-host --disable-ssl-verify-peer)
        && if [ "$ENABLE_SELF_SIGNED_CERTS" = "True" ]; then \
              echo "Re-building libopkele with ssl verification disabled"; \
              sed -i 's/^%configure$/%configure --disable-ssl-verify-host --disable-ssl-verify-peer/g' /root/rpmbuild/SPECS/libopkele.spec; fi \
        && rpmbuild -v -ba /root/rpmbuild/SPECS/libopkele.spec \
        && rm -f /root/rpmbuild/RPMS/*/libopkele-*debug*.rpm \
        #&& dnf erase -y 'libopkele-*' \
        && dnf install -y /root/rpmbuild/RPMS/*/libopkele-*.rpm \
        && echo "install mod_auth_openid centos7 source rpm" \
        #&& rpm -e --nodeps mod_auth_openid \
        # NOTE: avoid hard-coded version using yumdownloader from yum-utils
        && yumdownloader -y --enablerepo=epel7-source --source --resolve --destdir /root/rpmbuild/SRPMS mod_auth_openid \
        && rpm -ivh /root/rpmbuild/SRPMS/mod_auth_openid-*.src.rpm \
        && echo "build mod_auth_openid centos7 source rpm" \
        && rpmbuild -v -ba /root/rpmbuild/SPECS/mod_auth_openid.spec \
        && rm -f /root/rpmbuild/RPMS/*/mod_auth_openid-*debug*.rpm \
        && echo "install the rebuilt mod_auth_openid rpm" \
        #&& dnf erase -y 'mod_auth_openid-*' \
        && dnf install -y /root/rpmbuild/RPMS/*/mod_auth_openid-*.rpm \
        && echo "cleaning up after rebuilding and installing mod_auth_openid rpm" \
        && rm -rf /root/rpmbuild \
        && dnf clean all \
        && rm -fr /var/cache/dnf; \
    fi;


# Upgrade mod_auth_openidc from upstream github packages if requested - mainly needed for rhel/centos7
# https://stackoverflow.com/questions/68742362/how-to-install-mod-auth-openidc-on-rhel-7
# The module requires a recent cjose library version. Packaged versions are
# also available on the upstream releases page under the 2.4.0 release Assets.
# Version 2.4.12.1+ is needed to support the OIDCPassClaimsAs encoding setting in apache conf
RUN echo "UPGRADE_MOD_AUTH_OPENIDC: $UPGRADE_MOD_AUTH_OPENIDC"
RUN if [ "$UPGRADE_MOD_AUTH_OPENIDC" = "True" ]; then \
        if [ -z "${UPGRADE_OIDC_AUTH_MOD_SRC}" ]; then \
		echo "upgrading mod_auth_openidc from upstream release package"; \
		UPGRADE_OIDC_AUTH_MOD_SRC="https://github.com/OpenIDC/mod_auth_openidc/releases/download/v2.4.16.5/mod_auth_openidc-2.4.16.5-1.el8.x86_64.rpm"; \
	else \
		echo "upgrading mod_auth_openidc from ${UPGRADE_OIDC_AUTH_MOD_SRC}"; \
	fi; \ 
        if [ -z "${UPGRADE_OIDC_CJOSE_SRC}" ]; then \
		# NOTE: recent cjose is already included in rocky8+ but lacks security fix
		#echo "installing cjose dependency from OS package"; \
		#UPGRADE_OIDC_CJOSE_SRC="cjose"; \
		echo "upgrading cjose from upstream release package"; \
		UPGRADE_OIDC_CJOSE_SRC="https://github.com/OpenIDC/cjose/releases/download/v0.6.2.3/cjose-0.6.2.3-1.el8.x86_64.rpm"; \
	else \
		echo "upgrading cjose from ${UPGRADE_OIDC_CJOSE_SRC}"; \
	fi; \
	dnf update -y \
	# IMPORTANT: fail hard if any of these installs don't succeed e.g. due
	#            to missing upstream packages to avoid silent errors later.
	&& dnf install -y jansson-devel \
	&& dnf install -y \
		"${UPGRADE_OIDC_CJOSE_SRC}" \
	&& dnf install -y \
		"${UPGRADE_OIDC_AUTH_MOD_SRC}" \
	&& dnf clean all \
	&& rm -fr /var/cache/dnf; \
	if [ $? -ne 0 ]; then \
		echo "Upgrade Apache OpenID Connect module failed!"; exit 1; \
	fi; \
    fi;


# Setup container default language to make sure UTF8 is available in wsgi app.
# Otherwise sys.getfilesystemencoding will return ascii despite utf8 FS, and
# thus result e.g. in broken user path and client_id for users with accented
# chars e.g. in their name.
# https://stackoverflow.com/a/28212946
# NOTE: it looks like we don't need to generate this rather common locale here
#       but on some platforms it's needed to install an English language pack
#       to avoid various LC_X locale warnings and errors.
#RUN localedef -c -i en_US -f UTF-8 en_US.UTF-8
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

# Setup user
ENV USER=mig
ENV GROUP=mig

RUN groupadd -g $GID $USER
RUN useradd -u $UID -g $GID -ms /bin/bash $USER

# MiG environment
ENV MIG_ROOT=/home/$USER
ENV WEB_DIR=/etc/httpd
ENV CERT_DIR=$WEB_DIR/MiG-certificates

USER root

RUN mkdir -p ${CERT_DIR}/MiG/${WILDCARD_DOMAIN} \
    && chown $USER:$GROUP ${CERT_DIR} \
    && chmod 775 ${CERT_DIR}

#------------------------- next stage -----------------------------#
# Certs and keys
FROM --platform=linux/$ARCH base AS setup_security
ARG DOMAIN
ARG WILDCARD_DOMAIN
ARG PUBLIC_DOMAIN
ARG PUBLIC_ALIAS_DOMAIN
ARG MIGCERT_DOMAIN
ARG EXTCERT_DOMAIN
ARG MIGOID_DOMAIN
ARG EXTOID_DOMAIN
ARG EXTOIDC_DOMAIN
ARG SID_DOMAIN
ARG IO_DOMAIN
ARG OPENID_DOMAIN
ARG FTPS_DOMAIN
ARG SFTP_DOMAIN
ARG WEBDAVS_DOMAIN
ARG OS_CA_CERT_SOURCE_PATH=/etc/pki/ca-trust/source/anchors

# Copy in any existing keys+certificates that should be used in containers
COPY certs/ ${CERT_DIR}/

# Dhparam - https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0
RUN if [ ! -e "${CERT_DIR}/.persistent" ]; then \
    curl https://ssl-config.mozilla.org/ffdhe4096.txt -o ${CERT_DIR}/dhparams.pem ; fi

# CA
# https://gist.github.com/Soarez/9688998
RUN if [ ! -e "${CERT_DIR}/.persistent" ]; then \
    openssl genrsa -des3 -passout pass:qwerty -out ca.key 2048 \
    && openssl rsa -passin pass:qwerty -in ca.key -out ca.key \
    && openssl req -x509 -new -key ca.key \
    -subj "/C=DK/ST=NA/L=NA/O=MiGrid-Test/OU=NA/CN=${WILDCARD_DOMAIN}" -out ca.crt \
    && openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 \
    -subj "/C=DK/ST=NA/L=NA/O=MiGrid-Test/OU=NA/CN=${WILDCARD_DOMAIN}" -out ca.pem ; fi

# Server key/ca
# https://gist.github.com/Soarez/9688998
RUN if [ ! -e "${CERT_DIR}/.persistent" ]; then \
    openssl genrsa -out server.key 2048 \
    && openssl req -new -key server.key -out server.csr \
    -subj "/C=DK/ST=NA/L=NA/O=MiGrid-Test/OU=NA/CN=${WILDCARD_DOMAIN}" \
    && openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt ; fi

# Certificate Revocation List (CRL)
RUN if [ ! -e "${CERT_DIR}/.persistent" ]; then \
    mkdir -p /etc/pki/CA \
    && touch /etc/pki/CA/index.txt \
    && echo '00' > /etc/pki/CA/crlnumber \
    && openssl ca -gencrl -keyfile ca.key -cert ca.pem -out crl.pem ; fi

# Daemon keys
RUN if [ ! -e "${CERT_DIR}/.persistent" ]; then \
    cat server.{key,crt} > combined.pem \
    && cat server.crt > server.ca.pem \
    && cat ca.pem >> server.ca.pem \
    && chown $USER:$GROUP combined.pem \
    && chown $USER:$GROUP server.ca.pem \
    && ssh-keygen -y -f combined.pem > combined.pub \
    && chown 0:0 *.key server.crt ca.pem \
    && chmod 400 *.key server.crt ca.pem combined.pem server.ca.pem \
    && openssl x509 -noout -fingerprint -sha256 -in combined.pem | \
       sed 's/.* Fingerprint=//g' > combined.pem.sha256 \
    && ssh-keygen -l -E md5 -f combined.pub | \
       sed 's/.* MD5://g;s/ .*//g' > combined.pub.md5 \
    && ssh-keygen -l -f combined.pub | \
       sed 's/.* SHA256://g;s/ .*//g' > combined.pub.sha256; fi

# Prepare keys for mig
RUN if [ ! -e "${CERT_DIR}/.persistent" ]; then \
    mv server.crt ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/ \
    && mv server.key ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/ \
    && mv crl.pem ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/ \
    && mv ca.pem ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/cacert.pem \
    && mv combined.pem ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/ \
    && mv combined.pem.sha256 ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/ \
    && mv combined.pub ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/ \
    && mv combined.pub.md5 ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/ \
    && mv combined.pub.sha256 ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/ \
    && mv server.ca.pem ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/ ; fi

WORKDIR ${CERT_DIR}

RUN if [ ! -e "${CERT_DIR}/.persistent" ]; then \
    ln -s MiG/${WILDCARD_DOMAIN}/server.crt server.crt \
    && ln -s MiG/${WILDCARD_DOMAIN}/server.key server.key \
    && ln -s MiG/${WILDCARD_DOMAIN}/crl.pem crl.pem \
    && ln -s MiG/${WILDCARD_DOMAIN}/cacert.pem cacert.pem \
    && ln -s MiG/${WILDCARD_DOMAIN}/combined.pem combined.pem \
    && ln -s MiG/${WILDCARD_DOMAIN}/combined.pem.sha256 combined.pem.sha256 \
    && ln -s MiG/${WILDCARD_DOMAIN}/server.ca.pem server.ca.pem \
    && ln -s MiG/${WILDCARD_DOMAIN}/combined.pub combined.pub \
    && ln -s MiG/${WILDCARD_DOMAIN}/combined.pub.md5 combined.pub.md5 \
    && ln -s MiG/${WILDCARD_DOMAIN}/combined.pub.sha256 combined.pub.sha256 \
    && for domain in "${PUBLIC_DOMAIN}" "${PUBLIC_ALIAS_DOMAIN}" \
	   "${MIGCERT_DOMAIN}" "${EXTCERT_DOMAIN}" "${MIGOID_DOMAIN}" \
	   "${EXTOID_DOMAIN}" "${EXTOIDC_DOMAIN}" "${SID_DOMAIN}" \
	   "${IO_DOMAIN}" "${OPENID_DOMAIN}" "${SFTP_DOMAIN}" \
           "${FTPS_DOMAIN}" "${WEBDAVS_DOMAIN}"; do \
               [ -L "$domain" ] || ln -s MiG/${WILDCARD_DOMAIN} $domain; \
       done ; fi

# Upgrade pip2, required by cryptography - pip-21+ dropped python2 support, however
RUN python2 -m pip install -U 'pip<21'
# Upgrade pip3, required by cryptography - pip-22+ dropped py3.6 support, however
RUN if [ "${WITH_PY3}" = "True" ]; then \
      python3 -m pip install -U 'pip<22'; \
    fi;

# NOTE: make certs as mig user
WORKDIR $MIG_ROOT
USER $USER

RUN mkdir -p MiG-certificates \
    && cd MiG-certificates \
    && ln -s ${CERT_DIR}/MiG/${WILDCARD_DOMAIN}/cacert.pem cacert.pem \
    && ln -s ${CERT_DIR}/MiG MiG \
    && ln -s ${CERT_DIR}/combined.pem combined.pem \
    && ln -s ${CERT_DIR}/combined.pem.sha256 combined.pem.sha256 \
    && ln -s ${CERT_DIR}/combined.pub combined.pub \
    && ln -s ${CERT_DIR}/combined.pub.md5 combined.pub.md5 \
    && ln -s ${CERT_DIR}/combined.pub.sha256 combined.pub.sha256 \
    && ln -s ${CERT_DIR}/dhparams.pem dhparams.pem

USER root
WORKDIR /tmp
# Copy in any external certificates that should be part of the OS trusted ca bundle
COPY external-certificates/ $OS_CA_CERT_SOURCE_PATH/
RUN update-ca-trust

WORKDIR $MIG_ROOT
USER $USER

#------------------------- next stage -----------------------------#
FROM --platform=linux/$ARCH setup_security AS mig_dependencies
ARG DOMAIN
ARG WITH_PY3
ARG MODERN_WSGIDAV
ARG UPGRADE_PARAMIKO
ARG ENABLE_CLOUD
ARG OPENSTACKSDK_VERSION_OVERRIDE
ARG TRAC_ADMIN_PATH

# NOTE: Switch back to root for system-wide pip install here
USER root

# Prepare py2 dependencies no longer in dnf or just outdated there

# NOTE: use jsonrpclib and pysendfile from pip both for py2 and py3 here
RUN pip2 install 'jsonrpclib<0.2' pysendfile; \
    if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install 'jsonrpclib<0.2' pysendfile; \
    fi;

# NOTE: recent paramiko is required for modern host key algo
# NOTE: paramiko is unavailable for py2 in dnf here so always install it with pip2
RUN if [ "${UPGRADE_PARAMIKO}" = "True" ]; then \
      # NOTE: paramiko-3.0.0 & pyOpenSSL-22.0 dropped python2 support
      pip2 install 'pyOpenSSL<22' 'paramiko<3'; \
      if [ "${WITH_PY3}" = "True" ]; then \
        # NOTE: paramiko-3.0.0 & pyOpenSSL-22.0 deps dropped python3.6 support
        # NOTE: a newer setuptools MAY be needed and setuptools_rust MUST be 
        #       installed separately here for whatever reason.
        # IMPORTANT: sftp_subsys.py is explicitly called with 'python -s' to
        #            prevent loading arbitrary code libs from user home, but
        #            with python3 that also excludes packages installed in
        #            /usr/local, which is now the default install location for
        #            pip3. Thus, we force pip3 to install the paramiko plus
        #            dependencies specifically into /usr instead.
        #pip3 install -U setuptools; \
        # NOTE: explicitly install typing-extensions 3.7 to avoid the
        #  compatibility issues mentioned in note above.
        #  Just use distro package on Rocky 8.
        #pip3 install 'typing-extensions<3.8'; \
        pip3 install setuptools_rust; \
        pip3 install --prefix=$(python3-config --prefix) pynacl bcrypt cryptography \
	                           'pyOpenSSL<22' 'paramiko<3'; \
      fi; \
    else \
      # NOTE: mimic python3 dnf versions in this case
      pip2 install 'pyOpenSSL<20' 'cryptography<3.3' 'paramiko<2.5'; \
    fi;

# NOTE: openstackclient is unavailable in dnf here so always install with pip
# NOTE: openstackclient dropped support for python2.7 in 5.x and python3.6 in 6.x
# NOTE: we need to force preservation of the distro PyYAML package
# NOTE: the rocky8 and centos7 python builds differ for some reason!
# NOTE: openstacksdk-1.5 may have introduced typing conflicts here
# NOTE: cinderclient-6.x introduced python-requests conflict on py2 here
RUN if [ "${ENABLE_CLOUD}" = "True" ]; then \
      pip2 install PyYAML==3.12 'openstacksdk<2' 'python-cinderclient<6' \
                   'python-openstackclient<5'; \
      if [ -n "${OPENSTACKSDK_VERSION_OVERRIDE}" ]; then \
        pip2 install "openstacksdk==${OPENSTACKSDK_VERSION_OVERRIDE}" ; \
      fi; \
      if [ "${WITH_PY3}" = "True" ]; then \
        pip3 install PyYAML==3.12 'openstacksdk<1.5' 'python-openstackclient<6'; \
        if [ -n "${OPENSTACKSDK_VERSION_OVERRIDE}" ]; then \
          pip3 install "openstacksdk==${OPENSTACKSDK_VERSION_OVERRIDE}" ; \
        fi; \
      fi; \
    fi;

# Prepare OpenID (python-openid for py2 and python-openid2 for py3)
#RUN pip2 install python-openid
RUN pip2 install https://github.com/openid/python-openid/archive/master.zip
RUN if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install python-openid2; \
    fi;

# Modules required by grid_events.py
# NOTE: watchdog-1.0 dropped python2 support
RUN pip2 install 'watchdog<1.0' scandir
RUN if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install watchdog scandir; \
    fi;

# Modules required by grid_webdavs
# NOTE: on python 2 we require either wsgidav 1.3 bundled with cherrypy or 
#       wsgidav 3.x using standalone cheroot
RUN if [ "${MODERN_WSGIDAV}" = "False" ]; then \
      pip2 install 'wsgidav<2'; \
    else \
      pip2 install 'more-itertools<6' 'jaraco.functools<3' 'jinja2<3' \
               'markupsafe<2' 'pyyaml<6' 'cheroot<10.0.1' 'wsgidav<4'; \
    fi;
RUN if [ "${WITH_PY3}" = "True" ]; then \
      # IMPORTANT: use at least 4.1 here to avoid a potential security issue 
      # https://github.com/mar10/wsgidav/security/advisories/GHSA-xx6g-jj35-pxjv
      # IMPORTANT: use cheroot before 10.0.1 as it currently crashes webdavs
      #            One can trigger the crash with a simple testssl.sh run
      # TODO: investigate if the problem is in cheroot, wsgidav or migrid.
      pip3 install 'cheroot<10.0.1' 'wsgidav>=4.1.0'; \
    fi;
# Prefer sslkeylog as session tracking helper in webdavs daemon if available.
# Automatic fallback  to our _sslsession C-extension when not.
RUN python2 -V 2>&1 | egrep -q 'Python 2\.7\.[0-8]$' || pip2 install sslkeylog
RUN if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install sslkeylog ; \
    fi;

# Modules required by grid_ftps
# NOTE: relies on pyOpenSSL and Cryptography from yum/dnf for now
# NOTE: python-3.6 fails with unsupported OpenSSL attribute in pyftpdlib-2.x
RUN pip2 install 'pyftpdlib<2.0'
RUN if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install 'pyftpdlib<2.0'; \
    fi;

# Modules required by grid_X IO daemons (not available in yum/dnf for python3)
# IMPORTANT: install in main python site-packages to work with 'python -s'
#            Otherwise sftpsubsys will fail to import it because the /usr/local
#            dir used as prefix by default in pip is outside sys.path
RUN pip2 install --prefix=$(python2-config --prefix) cracklib
RUN if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install --prefix=$(python3-config --prefix) cracklib; \
    fi;

# Module required to run pytests
# NOTE: pytest-5.0 dropped python2 support
RUN pip2 install 'pytest<5.0'
RUN if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install pytest; \
    fi;

# Modules required by 2FA
# NOTE: pyotp-2.4 dropped python2 support
RUN pip2 install 'pyotp<2.4'
RUN if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install pyotp; \
    fi;

# Modules required for smart country selection
# NOTE: iso3361-2.0 dropped python2 support
RUN pip2 install 'iso3166<2.0'
RUN if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install iso3166; \
    fi;

# Modules required for email validation (not available in yum/dnf for python2)
# NOTE: latest version advertizing python-2.7 support is 1.3.0, but it fails
#       with SyntaxError on import, so force the previous version on py2.
#       https://github.com/JoshData/python-email-validator/issues/91
# NOTE: email-validator relies on dnspython which dropped py2 support in the
#       2.x series, so we force a previous version there.
RUN pip2 install 'dnspython<2.0' 'email-validator<1.3.0'
# IMPORTANT: install in main python site-packages to work with 'python -s'
#            Otherwise sftpsubsys will fail to import it because the /usr/local
#            dir used as prefix by default in pip is outside sys.path
#RUN if [ "${WITH_PY3}" = "True" ]; then \
#      pip3 install --prefix=$(python3-config --prefix) email-validator; \
#    fi;

# Modules required for Trac integration 
RUN if [ -n "${TRAC_ADMIN_PATH}" ]; then \
      echo "install Trac and plugins" \
      && pip2 install Trac TracMercurial TracWikiPrint TracGraphviz TracFullBlog TracWikiCssPlugin; \
      if [ "${WITH_PY3}" = "True" ]; then \
          pip3 install Trac TracWikiPrint TracGraphviz TracFullBlog TracWikiCssPlugin \
          # IMPORTANT: Mercurial plugin is required for our repos and only recent
          #            stable releases support current python and Trac versions.
          #            We need 1.0.0.11+ for the default Python 3 and Trac-1.6.
          && pip3 install 'TracMercurial>=1.0.0.11' \
          # NOTE: these plugins would be nice but have gone stale and only support
          #       older Trac versions.
          #&& pip3 install TracStats TracMasterTickets TracDiscussion TracDownloads TracWysiwyg \
          #&& pip3 install https://trac-hacks.org/svn/tracwysiwygplugin/0.12
          # NOTE: install more recent dev versions of those with Trac-1.6+ support
          # latest tag https://github.com/trac-hacks/tracstats/releases/tag/v0.6.1 is pre 1.6
          && pip3 install https://github.com/trac-hacks/tracstats/archive/refs/heads/master.zip ; \
      fi; \
    else \
      echo "no Trac deps"; \
    fi;

# Modules required for workflows
# NOTE: nbformat-5.0, nbconvert-6.0 and papermill-2.0 dropped python2 support
RUN pip2 install 'nbformat<5.0' 'nbconvert<6.0' 'papermill<2.0'
RUN if [ "${WITH_PY3}" = "True" ]; then \
      pip3 install nbformat nbconvert papermill; \
    fi;

#------------------------- next stage -----------------------------#
FROM --platform=linux/$ARCH mig_dependencies AS download_mig
LABEL MIGRID=true
ARG DOMAIN
ARG MIG_SVN_REPO
ARG MIG_SVN_REV
ARG WITH_GIT
ARG MIG_GIT_REPO
ARG MIG_GIT_BRANCH
ARG MIG_GIT_REV
ARG PREFER_PYTHON3
ARG MODERN_WSGIDAV

WORKDIR $MIG_ROOT
USER $USER

# Install and configure MiG
# NOTE: git refuses to clone into non-empty dir - use tmp

RUN if [ "$WITH_GIT" = "True" ]; then \
      git clone ${MIG_GIT_REPO} migrid.git && \
        cd migrid.git && \
        git checkout -B ${MIG_GIT_BRANCH} --track origin/${MIG_GIT_BRANCH} && \
        git checkout ${MIG_GIT_REV} && cd .. && \
        rsync -a migrid.git/ ./ && \
        rm -rf migrid.git/ && \
	echo "migrid version: ${MIG_GIT_REPO} ${MIG_GIT_BRANCH} ${MIG_GIT_REV}" > ./active-migrid-version.txt; \
    else \
      svn checkout -r ${MIG_SVN_REV} ${MIG_SVN_REPO} . && \
	echo "migrid version: ${MIG_SVN_REPO} trunk ${MIG_SVN_REV}" > ./active-migrid-version.txt; \
    fi;

# NOTE: we manually need to toggle grid_webdavs.py link here for now.
#       Replace any existing symlink with one to the 1.x or 3.x script.
RUN if [ "${PREFER_PYTHON3}" = "True" -o "${MODERN_WSGIDAV}" = "True" ]; then \
      rm -f ${MIG_ROOT}/mig/server/grid_webdavs.py ; \
      ln -s grid_webdavs-3.x.py ${MIG_ROOT}/mig/server/grid_webdavs.py; \
    else \
      rm -f ${MIG_ROOT}/mig/server/grid_webdavs.py ; \
      ln -s grid_webdavs-1.x.py ${MIG_ROOT}/mig/server/grid_webdavs.py; \
    fi;


#------------------------- next stage -----------------------------#
FROM --platform=linux/$ARCH download_mig AS install_mig
ARG DOMAIN
ARG PUBLIC_DOMAIN
ARG PUBLIC_ALIAS_DOMAIN
ARG MIGCERT_DOMAIN
ARG EXTCERT_DOMAIN
ARG MIGOID_DOMAIN
ARG EXTOID_DOMAIN
ARG EXTOIDC_DOMAIN
ARG SID_DOMAIN
ARG IO_DOMAIN
ARG OPENID_DOMAIN
ARG FTPS_DOMAIN
ARG SFTP_DOMAIN
ARG WEBDAVS_DOMAIN
ARG PUBLIC_HTTP_PORT
ARG PUBLIC_HTTPS_PORT
ARG MIGCERT_HTTPS_PORT
ARG EXTCERT_HTTPS_PORT
ARG MIGOID_HTTPS_PORT
ARG EXTOID_HTTPS_PORT
ARG EXTOIDC_HTTPS_PORT
ARG SID_HTTPS_PORT
ARG SFTP_PORT
ARG SFTP_SUBSYS_PORT
ARG SFTP_SHOW_PORT
ARG DAVS_PORT
ARG DAVS_SHOW_PORT
ARG FTPS_CTRL_PORT
ARG FTPS_CTRL_SHOW_PORT
ARG OPENID_PORT
ARG OPENID_SHOW_PORT
ARG ADMIN_EMAIL
ARG ADMIN_LIST
ARG SUPPORT_EMAIL
ARG SMTP_SENDER
ARG SMTP_SERVER
ARG SMTP_PORT
ARG LOG_LEVEL
ARG TITLE
ARG SHORT_TITLE
ARG PEERS_PERMIT
ARG VGRID_CREATORS
ARG VGRID_MANAGERS
ARG DEFAULT_VGRID_LINKS
ARG ADVANCED_VGRID_LINKS
ARG HG_PATH
ARG HGWEB_SCRIPTS
ARG TRAC_ADMIN_PATH
ARG TRAC_INI_PATH
ARG MIG_OID_TITLE
ARG EXT_OID_TITLE
ARG MIG_OID_PROVIDER
ARG EXT_OID_PROVIDER
ARG EXT_OIDC_PROVIDER_META_URL
ARG EXT_OIDC_CLIENT_NAME
ARG EXT_OIDC_CLIENT_ID
ARG EXT_OIDC_SCOPE
ARG EXT_OIDC_REMOTE_USER_CLAIM
ARG EXT_OIDC_PASS_CLAIM_AS
ARG EMULATE_FLAVOR
ARG EMULATE_FQDN
ARG SKIN_SUFFIX
ARG ENABLE_OPENID
ARG ENABLE_SFTP
ARG ENABLE_SFTP_SUBSYS
ARG ENABLE_DAVS
ARG ENABLE_FTPS
ARG ENABLE_SHARELINKS
ARG ENABLE_TRANSFERS
ARG ENABLE_DUPLICATI
ARG ENABLE_SEAFILE
ARG SEAFILE_FQDN
ARG SEAFILE_RO_ACCESS
ARG ENABLE_SANDBOXES
ARG ENABLE_VMACHINES
ARG ENABLE_CRONTAB
ARG ENABLE_JOBS
ARG ENABLE_RESOURCES
ARG ENABLE_EVENTS
ARG ENABLE_GRAVATARS
ARG ENABLE_SITESTATUS
ARG STATUS_SYSTEM_MATCH
ARG ENABLE_FREEZE
ARG PERMANENT_FREEZE
ARG ENABLE_CRACKLIB
ARG ENABLE_IMNOTIFY
ARG ENABLE_NOTIFY
ARG ENABLE_PREVIEW
ARG ENABLE_WORKFLOWS
ARG ENABLE_VERIFY_CERTS
ARG ENABLE_JUPYTER
ARG ENABLE_CLOUD
ARG CLOUD_ACCESS
ARG CLOUD_JUMPHOST_KEY
ARG ENABLE_MIGADMIN
ARG ENABLE_GDP
ARG ENABLE_TWOFACTOR
ARG ENABLE_TWOFACTOR_STRICT_ADDRESS
ARG TWOFACTOR_AUTH_APPS
ARG ENABLE_PEERS
ARG ENABLE_QUOTA
ARG PEERS_MANDATORY
ARG PEERS_EXPLICIT_FIELDS
ARG PEERS_CONTACT_HINT
ARG MIG_PASSWORD_POLICY
ARG PUBKEY_FROM_DNS
ARG PREFER_PYTHON3
ARG SIGNUP_METHODS
ARG LOGIN_METHODS
ARG USER_INTERFACES
ARG AUTO_ADD_CERT_USER
ARG AUTO_ADD_OID_USER
ARG AUTO_ADD_OIDC_USER
ARG AUTO_ADD_FILTER_FIELDS
ARG AUTO_ADD_FILTER_METHOD
ARG AUTO_ADD_USER_PERMIT
ARG CERT_VALID_DAYS
ARG OID_VALID_DAYS
ARG GENERIC_VALID_DAYS
ARG EXT_OIDC_PKCE_METHOD
ARG EXT_OIDC_PROVIDER_ISSUER
ARG EXT_OIDC_PROVIDER_AUTHORIZATION_ENDPOINT
ARG EXT_OIDC_PROVIDER_TOKEN_ENDPOINT
ARG EXT_OIDC_PROVIDER_USER_INFO_ENDPOINT
ARG EXT_OIDC_PROVIDER_TOKEN_ENDPOINT_AUTH
ARG EXT_OIDC_USER_INFO_TOKEN_METHOD
ARG EXT_OIDC_USER_INFO_SIGNED_RESPONSE_ALG
ARG EXT_OIDC_COOKIE_SAME_SITE
ARG EXT_OIDC_PASS_COOKIES
ARG EXT_OIDC_RESPONSE_MODE
ARG EXT_OIDC_PROVIDER_VERIFY_CERT_FILES
ARG EXT_OIDC_PRIVATE_KEY_FILES
ARG EXT_OIDC_PUBLIC_KEY_FILES
ARG EXT_OIDC_ID_TOKEN_ENCRYPTED_RESPONSE_ALG
ARG EXT_OIDC_ID_TOKEN_ENCRYPTED_RESPONSE_ENC
ARG EXT_OIDC_REWRITE_COOKIE
ARG EXT_OIDC_TITLE
ARG DEFAULT_MENU
ARG USER_MENU
ARG CA_FQDN
ARG CA_SMTP
ARG CA_USER
ARG FTPS_PASV_PORTS
ARG SECSCAN_ADDR
#ARG NOTIFY_PROTOCOLS
ARG IMNOTIFY_ADDRESS
ARG IMNOTIFY_CHANNEL
ARG IMNOTIFY_USERNAME
ARG IMNOTIFY_PASSWD
ARG EXTERNAL_DOC
ARG IO_ACCOUNT_EXPIRE
#ARG PEERS_NOTICE
#ARG LOGO_CENTER
#ARG SUPPORT_TEXT
#ARG PRIVACY_TEXT
ARG DATASAFETY_LINK
ARG DATASAFETY_TEXT
ARG JUPYTER_SERVICES
ARG JUPYTER_SERVICES_DESC
ARG CLOUD_SERVICES
ARG CLOUD_SERVICES_DESC
ARG OPENSSH_VERSION
ARG DIGEST_SALT
ARG CRYPTO_SALT
ARG VGRID_LABEL
ARG EXTRA_USERPAGE_SCRIPTS
ARG EXTRA_USERPAGE_STYLES
ARG GDP_EMAIL_NOTIFY
ARG GDP_ID_SCRAMBLE
ARG GDP_PATH_SCRAMBLE
ARG STORAGE_PROTOCOLS
ARG WWWSERVE_MAX_BYTES
ARG SFTP_MAX_SESSIONS
ARG WSGI_PROCS
ARG APACHE_WORKER_PROCS
ARG QUOTA_BACKEND
ARG QUOTA_LUSTRE_VERSION
ARG QUOTA_USER_LIMIT
ARG QUOTA_VGRID_LIMIT

# TODO: do we still need the ~/.local/ wrapper now that update-alternatives run?
ENV PYTHONPATH=${MIG_ROOT}
ENV PATH=/home/$USER/.local/bin:$PATH
# Ensure that the $USER sets it during session start
RUN echo "PYTHONPATH=${MIG_ROOT}" >> ~/.bash_profile \
    && echo "export PYTHONPATH" >> ~/.bash_profile
RUN echo "PATH=$HOME/.local/bin:${PATH}" >> ~/.bash_profile \
    && echo "export PATH" >> ~/.bash_profile

# TODO: remove next lines once fully migrated to python3 or switch to rocky
# Silence noisy python 2 and 3.6 deprecation warning from cryptography module
# We are fully aware and working on switching to recent py3 ASAP. 
RUN if [ "${PREFER_PYTHON3}" = "True" ]; then \
      # TODO: the comma in string breaks -W because it splits on that. Ignore prefix for now.
      #echo "PYTHONWARNINGS='ignore:Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography:UserWarning'" >> ~/.bash_profile ; \    
      echo "PYTHONWARNINGS='ignore:Python 3.6 is no longer supported by the Python core team.:UserWarning'" >> ~/.bash_profile ; \    
    else \
      echo "PYTHONWARNINGS='ignore:Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography:UserWarning'" >> ~/.bash_profile ; \
    fi; echo "export PYTHONWARNINGS" >> ~/.bash_profile

WORKDIR $MIG_ROOT/mig/install

RUN echo "Designated jupyter services: ${JUPYTER_SERVICES}"
RUN echo "Designated jupyter services descriptions: ${JUPYTER_SERVICES_DESC}"
RUN echo "Designated cloud services: ${CLOUD_SERVICES}"
RUN echo "Designated cloud services descriptions: ${CLOUD_SERVICES_DESC}"

# TODO: do we still need the ~/.local/ wrapper now that update-alternatives run?
RUN mkdir -p ${MIG_ROOT}/.local/bin; \
    if [ "${PREFER_PYTHON3}" = "True" ]; then \
      echo "setup python3 as default python in ${MIG_ROOT}" && \
      ln -s /usr/bin/python3 ${MIG_ROOT}/.local/bin/python; \
      ln -s /usr/bin/python3-config ${MIG_ROOT}/.local/bin/python-config; \
    else \
      echo "setup python2 as default python in $MIG_ROOT" && \
      ln -s /usr/bin/python2 ${MIG_ROOT}/.local/bin/python; \
      ln -s /usr/bin/python2-config ${MIG_ROOT}/.local/bin/python-config; \
    fi;

RUN ./generateconfs.py --source=. \
    --destination=generated-confs \
    --base_fqdn=$DOMAIN \
    --public_fqdn=${PUBLIC_DOMAIN} \
    --public_alias_fqdn=${PUBLIC_ALIAS_DOMAIN} \
    --mig_cert_fqdn=${MIGCERT_DOMAIN} \
    --ext_cert_fqdn=${EXTCERT_DOMAIN} \
    --mig_oid_fqdn=${MIGOID_DOMAIN} \
    --ext_oid_fqdn=${EXTOID_DOMAIN} \
    --ext_oidc_fqdn=${EXTOIDC_DOMAIN} \
    --sid_fqdn=${SID_DOMAIN} \
    --io_fqdn=${IO_DOMAIN} \
    --user=$USER --group=$GROUP --log_level=${LOG_LEVEL} \
    --admin_email="${ADMIN_EMAIL}" --admin_list="${ADMIN_LIST}" \
    --support_email="${SUPPORT_EMAIL}" --smtp_sender="${SMTP_SENDER}" \
    --smtp_server="${SMTP_SERVER}" \
    # TODO: expose smtp_port in generateconfs and enable here
    #--smtp_port="${SMTP_PORT}" \
    --apache_version=2.4 \
    --apache_etc=${WEB_DIR} \
    --apache_run=/var/run/httpd \
    --apache_lock=/var/lock/subsys/httpd \
    --apache_log=/var/log/httpd \
    --openssh_version=${OPENSSH_VERSION} \
    --mig_code=$MIG_ROOT/mig \
    --mig_state=$MIG_ROOT/state \
    --mig_certs=${CERT_DIR} \
    --hg_path="${HG_PATH}"  \
    --hgweb_scripts="${HGWEB_SCRIPTS}" \
    --trac_admin_path="${TRAC_ADMIN_PATH}" \
    --trac_ini_path="${TRAC_INI_PATH}" \
    #--trac_id_field=${TRAC_ID_FIELD} \
    --openid_address=${OPENID_DOMAIN} \
    --sftp_address=${SFTP_DOMAIN} \
    --sftp_subsys_address=${SFTP_DOMAIN} \
    --ftps_address=${FTPS_DOMAIN} \
    --davs_address=${WEBDAVS_DOMAIN} \
    --public_http_port=${PUBLIC_HTTP_PORT} --public_https_port=${PUBLIC_HTTPS_PORT} \
    --mig_oid_port=${MIGOID_HTTPS_PORT} --ext_oid_port=${EXTOID_HTTPS_PORT} \
    --ext_oidc_port=${EXTOIDC_HTTPS_PORT} --mig_cert_port=${MIGCERT_HTTPS_PORT} \
    --ext_cert_port=${EXTCERT_HTTPS_PORT} --sid_port=${SID_HTTPS_PORT} \
    --sftp_port=${SFTP_PORT} --sftp_subsys_port=${SFTP_SUBSYS_PORT} \
    --sftp_show_port=${SFTP_SHOW_PORT} \
    --davs_port=${DAVS_PORT} --davs_show_port=${DAVS_SHOW_PORT} \
    --ftps_ctrl_port=${FTPS_CTRL_PORT} --ftps_ctrl_show_port=${FTPS_CTRL_SHOW_PORT} \
    --ftps_pasv_ports=${FTPS_PASV_PORTS} \
    --openid_port=${OPENID_PORT} --openid_show_port=${OPENID_SHOW_PORT} \
    --io_account_expire=${IO_ACCOUNT_EXPIRE} \
    --mig_oid_title="${MIG_OID_TITLE}" --ext_oid_title="${EXT_OID_TITLE}" \
    --mig_oid_provider=${MIG_OID_PROVIDER} \
    --ext_oid_provider=${EXT_OID_PROVIDER} \
    --ext_oidc_provider_meta_url=${EXT_OIDC_PROVIDER_META_URL} \
    --ext_oidc_client_name="${EXT_OIDC_CLIENT_NAME}" \
    --ext_oidc_client_id="${EXT_OIDC_CLIENT_ID}" \
    --ext_oidc_scope="${EXT_OIDC_SCOPE}" \
    --ext_oidc_remote_user_claim="${EXT_OIDC_REMOTE_USER_CLAIM}" \
    --ext_oidc_pass_claim_as="${EXT_OIDC_PASS_CLAIM_AS}" \
    --ext_oidc_pkce_method=${EXT_OIDC_PKCE_METHOD} \
    --ext_oidc_provider_issuer=${EXT_OIDC_PROVIDER_ISSUER} \
    --ext_oidc_provider_authorization_endpoint=${EXT_OIDC_PROVIDER_AUTHORIZATION_ENDPOINT} \
    --ext_oidc_provider_token_endpoint=${EXT_OIDC_PROVIDER_TOKEN_ENDPOINT} \
    --ext_oidc_provider_user_info_endpoint=${EXT_OIDC_PROVIDER_USER_INFO_ENDPOINT} \
    --ext_oidc_provider_token_endpoint_auth=${EXT_OIDC_PROVIDER_TOKEN_ENDPOINT_AUTH} \
    --ext_oidc_user_info_token_method=${EXT_OIDC_USER_INFO_TOKEN_METHOD} \
    --ext_oidc_user_info_signed_response_alg=${EXT_OIDC_USER_INFO_SIGNED_RESPONSE_ALG} \
    --ext_oidc_cookie_same_site="${EXT_OIDC_COOKIE_SAME_SITE}" \
    --ext_oidc_pass_cookies="${EXT_OIDC_PASS_COOKIES}" \
    --ext_oidc_response_mode=${EXT_OIDC_RESPONSE_MODE} \
    --ext_oidc_provider_verify_cert_files="${EXT_OIDC_PROVIDER_VERIFY_CERT_FILES}" \
    --ext_oidc_private_key_files="${EXT_OIDC_PRIVATE_KEY_FILES}" \
    --ext_oidc_public_key_files="${EXT_OIDC_PUBLIC_KEY_FILES}" \
    --ext_oidc_id_token_encrypted_response_alg=${EXT_OIDC_ID_TOKEN_ENCRYPTED_RESPONSE_ALG} \
    --ext_oidc_id_token_encrypted_response_enc=${EXT_OIDC_ID_TOKEN_ENCRYPTED_RESPONSE_ENC} \
    --ext_oidc_rewrite_cookie="${EXT_OIDC_REWRITE_COOKIE}" \
    --ext_oidc_title="${EXT_OIDC_TITLE}" \
    --enable_openid=${ENABLE_OPENID} --enable_wsgi=True \
    --enable_sftp=${ENABLE_SFTP} --enable_sftp_subsys=${ENABLE_SFTP_SUBSYS} \
    --enable_davs=${ENABLE_DAVS} --enable_ftps=${ENABLE_FTPS} \
    --enable_sharelinks=${ENABLE_SHARELINKS} --enable_transfers=${ENABLE_TRANSFERS} \
    --enable_duplicati=${ENABLE_DUPLICATI} --enable_seafile=${ENABLE_SEAFILE} \
    --seafile_fqdn=${SEAFILE_FQDN} --seafile_ro_access=${SEAFILE_RO_ACCESS} \
    --enable_sandboxes=${ENABLE_SANDBOXES} --enable_vmachines=${ENABLE_VMACHINES} \
    --enable_crontab=${ENABLE_CRONTAB} --enable_jobs=${ENABLE_JOBS} \
    --enable_resources=${ENABLE_RESOURCES} --enable_events=${ENABLE_EVENTS} \
    --enable_gravatars=${ENABLE_GRAVATARS} --enable_sitestatus=${ENABLE_SITESTATUS} \
    --status_system_match="${STATUS_SYSTEM_MATCH}" --enable_freeze=${ENABLE_FREEZE} \
    --permanent_freeze="${PERMANENT_FREEZE}" --enable_imnotify=${ENABLE_IMNOTIFY} \
    --enable_cracklib=${ENABLE_CRACKLIB} --enable_twofactor=${ENABLE_TWOFACTOR} \
    --enable_twofactor_strict_address=${ENABLE_TWOFACTOR_STRICT_ADDRESS} \
    --twofactor_auth_apps="${TWOFACTOR_AUTH_APPS}" \
    --enable_peers=${ENABLE_PEERS} --peers_mandatory=${PEERS_MANDATORY} \
    --peers_explicit_fields="${PEERS_EXPLICIT_FIELDS}" \
    --peers_contact_hint="${PEERS_CONTACT_HINT}" \
    --enable_notify=${ENABLE_NOTIFY} --enable_preview=${ENABLE_PREVIEW} \
    --enable_workflows=${ENABLE_WORKFLOWS} --enable_hsts=True \
    --enable_vhost_certs=True --enable_verify_certs=${ENABLE_VERIFY_CERTS} \
    --enable_jupyter=${ENABLE_JUPYTER} --enable_cloud=${ENABLE_CLOUD} \
    # TODO: expose additional cloud conf including jumphost key and use here
    --enable_migadmin=${ENABLE_MIGADMIN} \
    --enable_gdp=${ENABLE_GDP} --gdp_email_notify=${GDP_EMAIL_NOTIFY} \
    --gdp_id_scramble=${GDP_ID_SCRAMBLE} --gdp_path_scramble=${GDP_PATH_SCRAMBLE} \
    --enable_quota=${ENABLE_QUOTA} --quota_backend="${QUOTA_BACKEND}" \
    --quota_user_limit=${QUOTA_USER_LIMIT} --quota_vgrid_limit=${QUOTA_VGRID_LIMIT} \
    --storage_protocols="${STORAGE_PROTOCOLS}" \
    --wwwserve_max_bytes=${WWWSERVE_MAX_BYTES} \
    --password_policy=${MIG_PASSWORD_POLICY} \
    --jupyter_services="${JUPYTER_SERVICES}" \
    --jupyter_services_desc="${JUPYTER_SERVICES_DESC}" \
    --cloud_services="${CLOUD_SERVICES}" \
    --cloud_services_desc="${CLOUD_SERVICES_DESC}" \
    --prefer_python3=${PREFER_PYTHON3} \
    --user_clause=User --group_clause=Group \
    --listen_clause='#Listen' \
    --serveralias_clause='ServerAlias' --alias_field=email \
    --dhparams_path="${CERT_DIR}/dhparams.pem" \
    --daemon_keycert="${CERT_DIR}/combined.pem" \
    --daemon_keycert_sha256="FILE::${CERT_DIR}/combined.pem.sha256" \
    --daemon_pubkey="${CERT_DIR}/combined.pub" \
    --daemon_pubkey_md5="FILE::${CERT_DIR}/combined.pub.md5" \
    --daemon_pubkey_sha256="FILE::${CERT_DIR}/combined.pub.sha256" \
    --daemon_pubkey_from_dns=${PUBKEY_FROM_DNS} \
    --daemon_show_address=${IO_DOMAIN} \
    --signup_methods="${SIGNUP_METHODS}" \
    --login_methods="${LOGIN_METHODS}" \
    --distro=rocky --user_interface="${USER_INTERFACES}" \
    #--new_user_default_ui=${NEW_USER_DEFAULT_UI} \
    --skin="${EMULATE_FLAVOR}-${SKIN_SUFFIX}" \
    --title="${TITLE}" --short_title="${SHORT_TITLE}" \
    --digest_salt="${DIGEST_SALT}" --crypto_salt="${CRYPTO_SALT}" \
    --vgrid_label="${VGRID_LABEL}" --peers_permit="${PEERS_PERMIT}" \
    --vgrid_creators="${VGRID_CREATORS}" --vgrid_managers="${VGRID_MANAGERS}" \
    --default_vgrid_links="${DEFAULT_VGRID_LINKS}" \
    --advanced_vgrid_links="${ADVANCED_VGRID_LINKS}" \
    --auto_add_cert_user=${AUTO_ADD_CERT_USER} \
    --auto_add_oid_user=${AUTO_ADD_OID_USER} \
    --auto_add_oidc_user=${AUTO_ADD_OIDC_USER} \
    --auto_add_filter_fields="${AUTO_ADD_FILTER_FIELDS}" \
    --auto_add_filter_method=${AUTO_ADD_FILTER_METHOD} \
    --auto_add_user_permit="${AUTO_ADD_USER_PERMIT}" \
    --cert_valid_days=${CERT_VALID_DAYS} --oid_valid_days=${OID_VALID_DAYS} \
    --generic_valid_days=${GENERIC_VALID_DAYS} \
    --default_menu="${DEFAULT_MENU}" --user_menu="${USER_MENU}" \
    --ca_fqdn=${CA_FQDN} --ca_smtp=${CA_SMTP} --ca_user=${CA_USER} \
    --secscan_addr="${SECSCAN_ADDR}" \
    #--notify_protocols="${NOTIFY_PROTOCOLS}" \
    --imnotify_address=${IMNOTIFY_ADDRESS} --imnotify_channel=${IMNOTIFY_CHANNEL} \
    --imnotify_username=${IMNOTIFY_USERNAME} --imnotify_password=${IMNOTIFY_PASSWD} \
    --external_doc=${EXTERNAL_DOC} \
    #--peers_notice="${PEERS_NOTICE}" --logo_center="${LOGO_CENTER}" \
    #--support-text="${SUPPORT_TEXT}" --privacy_text="${PRIVACY_TEXT}" \
    --datasafety_link="${DATASAFETY_LINK}" --datasafety_text="${DATASAFETY_TEXT}" \
    --extra_userpage_scripts="${EXTRA_USERPAGE_SCRIPTS}" \
    --extra_userpage_styles="${EXTRA_USERPAGE_STYLES}" \
    --sftp_max_sessions=${SFTP_MAX_SESSIONS} \
    --apache_worker_procs=${APACHE_WORKER_PROCS} --wsgi_procs=${WSGI_PROCS}

RUN cp generated-confs/MiGserver.conf $MIG_ROOT/mig/server/ \
    && cp generated-confs/static-skin.css $MIG_ROOT/mig/images/ \
    && cp generated-confs/index.html $MIG_ROOT/state/user_home/ \
    && cp $MIG_ROOT/mig/images/site-conf-${EMULATE_FQDN}.js $MIG_ROOT/mig/images/site-conf.js

# Add a couple of named pipes for communicating with grid_X daemons
RUN cd $MIG_ROOT && mkfifo mig/server/server.stdin && mkfifo mig/server/notify.stdin

# Prepare oiddiscover for httpd
RUN cd $MIG_ROOT && python mig/server/genoiddiscovery.py \
    > $MIG_ROOT/state/wwwpublic/oiddiscover.xml

# link relevant cloud access helpers into default locations if ENABLE_CLOUD is set here
# IMPORTANT: the actual cloud access tokens/keys should NEVER enter repos etc.
# NOTE: openstack client expects details in fixed cloud.yaml file.
RUN if [ "${ENABLE_CLOUD}" = "True" ]; then \
        cd $MIG_ROOT ; mkdir -m 0750 -p .config/openstack .ssh ; \
        [ -n "${CLOUD_ACCESS}" ] || CLOUD_ACCESS="cloud-access.yaml" ; \
        ln -s ../../state/secrets/${CLOUD_ACCESS} .config/openstack/clouds.yaml ; \
        [ -n "${CLOUD_JUMPHOST_KEY}" ] || CLOUD_JUMPHOST_KEY="cloud-jumphost-key" ; \ 
        ln -s ../state/secrets/${CLOUD_JUMPHOST_KEY} .ssh/${CLOUD_JUMPHOST_KEY} ; \
        ln -s ../state/secrets/${CLOUD_JUMPHOST_KEY}.pub .ssh/${CLOUD_JUMPHOST_KEY}.pub ; \
    fi;

# link relevant py trac ini into default location if no TRAC_INI_PATH is set here
RUN if [ -n "${TRAC_ADMIN_PATH}" -a -z "${TRAC_INI_PATH}" ]; then \
        cd $MIG_ROOT ; \
        if [ "${PREFER_PYTHON3}" = "True" ]; then \
            ln -s trac-py3.ini mig/server/trac.ini; \
        else \
            ln -s trac-py2.ini mig/server/trac.ini; \
        fi; \
    fi;


#------------------------- next stage -----------------------------#
FROM --platform=linux/$ARCH install_mig AS setup_mig_configs
ARG DOMAIN
ARG PUBLIC_DOMAIN
ARG MIGCERT_DOMAIN
ARG EXTCERT_DOMAIN
ARG MIGOID_DOMAIN
ARG EXTOID_DOMAIN
ARG EXTOIDC_DOMAIN
ARG SID_DOMAIN
ARG EMULATE_FLAVOR
ARG EMULATE_FQDN
ARG ENABLE_SELF_SIGNED_CERTS
ARG BUILD_MOD_AUTH_OPENID
ARG WITH_PY3
ARG PREFER_PYTHON3
ARG ENABLE_LOGROTATE
ARG LOGROTATE_MIGRID
ARG ENABLE_GDP
ARG WITH_GIT
ARG MIG_GIT_BRANCH
ARG ENABLE_QUOTA
ARG QUOTA_BACKEND
ARG QUOTA_LUSTRE_VERSION

USER root

# Sftp subsys config
RUN cp generated-confs/sshd_config-MiG-sftp-subsys /etc/ssh/ \
    && chown 0:0 /etc/ssh/sshd_config-MiG-sftp-subsys

# PAM and NSS setup for sftpsubsys login to work
RUN cd $MIG_ROOT/mig/src/libpam-mig \
    && make && make install
RUN cd $MIG_ROOT/mig/src/libnss-mig \
    && make && make install
# Python sslsession C-extension or sslkeylog is needed to avoid repeat SSL/TLS
# negotiation in WebDAVS
# NOTE: both require openssl-devel to build and sslkeylog is only supported
# on python 2.7.9+ and 3. The sslsession module generally builds but fails at
# runtime when used with OpenSSL-1.1+, however.
RUN cd $MIG_ROOT/mig/src/sslsession \
    && pip2 install . ;
RUN if [ "${WITH_PY3}" = "True" ]; then \
      cd $MIG_ROOT/mig/src/sslsession \
      && pip3 install . ; \
    fi;

RUN cp generated-confs/libnss_mig.conf /etc/ \
    #&& cp /etc/pam.d/sshd /etc/pam.d/sshd.backup \
    && cp generated-confs/pam-sshd /etc/pam.d/sshd \
    #&& cp /etc/nsswitch.conf /etc/nsswitch.conf.backup
    && cp generated-confs/nsswitch.conf /etc/

RUN chmod 755 generated-confs/envvars \
    && chmod 755 generated-confs/httpd.conf

# Apache base confs - the systemd one and maybe sysconfig is not really used
RUN cp generated-confs/MiG.conf $WEB_DIR/conf.d/ \
    && cp generated-confs/httpd.conf $WEB_DIR/ \
    && cp generated-confs/mimic-deb.conf $WEB_DIR/conf/httpd.conf \
    && cp generated-confs/envvars /etc/sysconfig/httpd \
    && cp generated-confs/apache2.service /lib/systemd/system/httpd.service

# Disable missing mod auth openid in this case
RUN if [ "$BUILD_MOD_AUTH_OPENID" = "True" ]; then \
        echo "Keep mod_auth_openid in apache"; \
    else \
        echo "Disable missing mod_auth_openid in apache" && \
	sed -i 's@LoadModule authopenid_mod@#LoadModule authopenid_mod@g' $WEB_DIR/conf/httpd.conf; \
    fi

# Apache Jupyter inclusion confs
RUN mkdir -p $WEB_DIR/conf.extras.d/ \
    && cp generated-confs/MiG-jupyter-def.conf $WEB_DIR/conf.extras.d \
    && cp generated-confs/MiG-jupyter-openid.conf $WEB_DIR/conf.extras.d \
    && cp generated-confs/MiG-jupyter-oidc.conf $WEB_DIR/conf.extras.d \
    && cp generated-confs/MiG-jupyter-proxy.conf $WEB_DIR/conf.extras.d \
    && cp generated-confs/MiG-jupyter-rewrite.conf $WEB_DIR/conf.extras.d

# Root confs
RUN cp generated-confs/apache2.conf $WEB_DIR/ \
    && cp generated-confs/ports.conf $WEB_DIR/ \
    && cp generated-confs/envvars $WEB_DIR/

# Disable certificate check for OID if self-signed certs
RUN if [ "$ENABLE_SELF_SIGNED_CERTS" = "True" ]; then \
        sed -i '/\/server.ca.pem/ a SSLProxyCheckPeerName off' $WEB_DIR/conf.d/MiG.conf \
        && sed -i '/SSLProxyCheckPeerName off/ a SSLProxyCheckPeerCN off' \
        $WEB_DIR/conf.d/MiG.conf; \
    fi

# Front page
RUN [ "${EMULATE_FQDN}" = "${DOMAIN}" ] || \
	cp -a $MIG_ROOT/state/wwwpublic/index-${EMULATE_FQDN}.html \
		$MIG_ROOT/state/wwwpublic/index-${DOMAIN}.html

RUN ln -s index-${DOMAIN}.html $MIG_ROOT/state/wwwpublic/index.html && \
    ln -s about-${EMULATE_FQDN}.html $MIG_ROOT/state/wwwpublic/about-snippet.html && \
    ln -s support-${EMULATE_FQDN}.html $MIG_ROOT/state/wwwpublic/support-snippet.html && \
    ln -s tips-${EMULATE_FQDN}.html $MIG_ROOT/state/wwwpublic/tips-snippet.html && \
    ln -s terms-${EMULATE_FQDN}.html $MIG_ROOT/state/wwwpublic/terms-snippet.html && \
    # Make an empty template for status popup and status page to use.
    # For inspiration on how to use it please refer to the samples at
    # https://github.com/ucphhpc/migrid-ucph-sites/tree/main/state/wwwpublic
    echo '[]' > $MIG_ROOT/state/wwwpublic/status-events-${DOMAIN}.json && \
    ln -s status-events-${DOMAIN}.json $MIG_ROOT/state/wwwpublic/status-events.json && \
    ln -s status-dynamic.html $MIG_ROOT/state/wwwpublic/status.html && \
    chown -R $USER:$GROUP $MIG_ROOT/state/wwwpublic/*.html

# TODO: improve this very crude and hard-coded translation
# Replace index.html redirects to instance domains
RUN sed -i -e "s@https://ext\.${EMULATE_FQDN}@https://${MIGOID_DOMAIN}@g;s@https://oid\.${EMULATE_FQDN}@https://${EXTOID_DOMAIN}@g;s@https://oidc\.${EMULATE_FQDN}@https://${EXTOIDC_DOMAIN}@g;s@https://${EMULATE_FQDN}@https://${PUBLIC_DOMAIN}@g;s@https://cert\.${EMULATE_FQDN}@https://${EXTCERT_DOMAIN}@g;s@https://sid\.${EMULATE_FQDN}@https://${SID_DOMAIN}@g" $MIG_ROOT/state/wwwpublic/index-${DOMAIN}.html

# Various cron jobs e.g. to clean stale state and inform migoid account users near expiry
# TODO: add migverifyarchives, migimportdoi, migindexdoi and migsftpmon?
# TODO: make sure native scripts like migerrors deliver mail outside container
RUN chmod 755 generated-confs/{migstateclean,mignotifyexpire,migerrors} \
    && cp generated-confs/{migstateclean,mignotifyexpire,migerrors} /etc/cron.daily/

# Logrotate config if enabled
RUN if [ "${ENABLE_LOGROTATE}" = "True" ]; then \
      if [ "${LOGROTATE_MIGRID}" = "True" ]; then \
        cp generated-confs/logrotate-migrid /etc/logrotate.d/migrid; \
      fi; \
    else \
        [ ! -f /etc/cron.daily/logrotate ] || rm -f /etc/cron.daily/logrotate; \
    fi;

# Init scripts
RUN cp generated-confs/migrid-init.d-rh /etc/init.d/migrid
COPY migrid-httpd-init.sh /etc/sysconfig/apache-minimal
COPY apache-init-helper /etc/init.d/apache-minimal

WORKDIR $MIG_ROOT

# Prepare default conf.d
RUN mv $WEB_DIR/conf.d/autoindex.conf $WEB_DIR/conf.d/autoindex.conf.disabled \
    && mv $WEB_DIR/conf.d/ssl.conf $WEB_DIR/conf.d/ssl.conf.disabled \
    && mv $WEB_DIR/conf.d/userdir.conf $WEB_DIR/conf.d/userdir.conf.disabled \
    && mv $WEB_DIR/conf.d/welcome.conf $WEB_DIR/conf.d/welcome.conf.disabled

# Add generated certificate to trust store
RUN update-ca-trust force-enable \
    && cp ${CERT_DIR}/combined.pem /etc/pki/ca-trust/source/anchors/ \
    && update-ca-trust extract

# rsyslog: Disable systemd and enable /dev/log
# NOTE: rsyslog.conf module loading changed between centos 7 and centos/rocky 8
# https://projectatomic.io/blog/2014/09/running-syslog-within-a-docker-container/
# New format and no listen.conf
RUN sed -i -e 's/^module(load="imjournal"/#module(load="imjournal"/g' \
	-e 's/       UsePid="system"/#       UsePid="system"/g' \
        -e 's/       StateFile="imjournal.state"/#       StateFile="imjournal.state"/g' \
        -e 's/       FileCreateMode="0644" # Set the access permissions for the state file/#       FileCreateMode="0644" # Set the access permissions for the state file/g' \
	-e 's/SysSock.Use="off"/SysSock.Use="on"/g' /etc/rsyslog.conf

# Enable GDP log 
# NOTE: on RHEL clones the default messages log will also get a copy unless we
#       explicitly exclude local0 there with local0.none in the line:
#*.info;mail.none;authpriv.none;cron.none               /var/log/messages
RUN if [ "${ENABLE_GDP}" = "True" ]; then \
      GDP_LOG_DIR="${MIG_ROOT}/state/log" ; \
      GDP_LOG_PATH="${GDP_LOG_DIR}/gdp.log" ; \
      [ ! -d "${GDP_LOG_DIR}" ] \
        && mkdir ${GDP_LOG_DIR} \
        && chmod 700 ${GDP_LOG_DIR} ; \
      [ ! -f "${GDP_LOG_PATH}" ] \
        && touch ${GDP_LOG_PATH} \
        && chmod 600 ${GDP_LOG_PATH}; \
      if ! grep -q "${GDP_LOG_PATH}" /etc/rsyslog.conf ; then \
        sed -i -E "s@^(\*\.info;.*;cron\.none) @\1;local0.none @g" \
                /etc/rsyslog.conf ; \
        echo "" >> /etc/rsyslog.conf ; \
        echo "# MiG GDP messages" >> /etc/rsyslog.conf ; \
        echo "local0.*               ${GDP_LOG_PATH}" >> /etc/rsyslog.conf ; \
      fi; \
    fi;

# Install pylustrequota
# NOTE: Requires py3 and git next branch
RUN if [ "${ENABLE_QUOTA}" = "True" ] \
            && [ "${PREFER_PYTHON3}" = "True" ] \
            && [ "${WITH_GIT}" = "True" ] \
            && [ "${MIG_GIT_BRANCH}" = "next" ]; then \
        if [ "${QUOTA_BACKEND}" = "lustre" ] \
            || [ "${QUOTA_BACKEND}" = "lustre-gocryptfs" ]; then \
            echo "install pylustrequota" \
            && dnf update -y \
            && dnf install -y \
            python3-devel.x86_64 \
            libtool.x86_64 \
            kernel-devel.x86_64 \
            kernel-abi-stablelists \
            flex.x86_64 \
            bison.x86_64 \
            keyutils-libs-devel.x86_64 \
            libmount-devel.x86_64 \
            libnl3-devel.x86_64 \
            libyaml-devel \
            krb5-devel.x86_64 \
            && cd ${MIG_ROOT}/mig/src/pylustrequota \
            && git clone git://git.whamcloud.com/fs/lustre-release.git \
            && cd ${MIG_ROOT}/mig/src/pylustrequota/lustre-release \
            && git checkout ${QUOTA_LUSTRE_VERSION} \
            && sh ./autogen.sh \
            && ./configure --disable-server --enable-quota --enable-utils --enable-gss \
            && make undef.h \
            && cd ${MIG_ROOT}/mig/src/pylustrequota/lustre-release/libcfs/libcfs \
            && make libcfs.la \
            && cd ${MIG_ROOT}/mig/src/pylustrequota/lustre-release/lnet/utils/lnetconfig \
            && make liblnetconfig.la \
            && cd ${MIG_ROOT}/mig/src/pylustrequota/lustre-release/lustre/utils \
            && make liblustreapi.la \
            && cd ${MIG_ROOT}/mig/src/pylustrequota \
            && python3 setup.py install; \
        fi; \
    fi;
#------------------------- next stage -----------------------------#
FROM --platform=linux/$ARCH setup_mig_configs AS start_mig
ARG DOMAIN

# Reap defuncted/orphaned processes
ARG TINI_VERSION=v0.18.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
RUN chmod +x /tini
ENTRYPOINT ["/tini", "--"]

ADD docker-entry.sh /app/docker-entry.sh
ADD migrid-httpd.env /app/migrid-httpd.env
ADD migrid-httpd-init.sh /app/migrid-httpd-init.sh
RUN chown $USER:$GROUP /app/docker-entry.sh \
    && chmod +x /app/docker-entry.sh

USER root
WORKDIR /app

# EXPOSE is not important but keep in sync with active ports for the record
EXPOSE 80 443 444 445 446 447 448 449 2222 4443 8021 22222

CMD ["bash", "/app/docker-entry.sh"]
LABEL MIGRID=false