Merge pull request #295 from freedomofpress/k8s-container

Add k8s container

deploy/Dockerfile

@@ -0,0 +1,19 @@
+# sha256 as of 2021-11-09
+FROM python:3.9-slim-bullseye@sha256:408de0cf1a057f5501ee6642ad24a4762738f63bacf09fb4c8d861669260b01e AS sphinx
+
+RUN apt-get -q update && apt-get -qy upgrade && apt-get -qy install git make latexmk texlive-latex-extra
+COPY ./ .
+RUN pip install -r requirements/requirements.txt
+RUN deploy/build
+
+# sha256 as of 2021-11-09
+FROM nginx:mainline-alpine@sha256:af466e4f12e3abe41fcfb59ca0573a3a5c640573b389d5287207a49d1324abd8
+
+COPY deploy/nginx.conf /etc/nginx
+RUN mkdir -p /opt/nginx/run /opt/nginx/webroot/en/latest /opt/nginx/webroot/en/stable && chown -R nginx:nginx /opt/nginx
+
+USER nginx
+COPY --from=sphinx --chown=nginx:nginx build/stable/html/html/ /opt/nginx/webroot/en/stable/
+COPY --from=sphinx --chown=nginx:nginx build/stable/html/latex/SecureDrop.pdf /opt/nginx/webroot/en/stable/
+COPY --from=sphinx --chown=nginx:nginx build/latest/html/html/ /opt/nginx/webroot/en/latest/
+COPY --from=sphinx --chown=nginx:nginx build/latest/html/latex/SecureDrop.pdf /opt/nginx/webroot/en/latest/

deploy/build

@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# Run the docs build process twice, producing `build/latest` and
+# `build/stable` instead of `docs/_build`.
+
+set -e
+
+
+latest_branch=main
+stable_tag=$(git tag --sort=version:refname | tail -1)
+
+do_build() {
+    git checkout "$1"
+    export SECUREDROP_DOCS_RELEASE="$2"
+
+    make html
+    # Due to remote SVG includes not working (they didn't work on RTD either),
+    # the LaTeX build will pause and wait for the user to press enter. It will
+    # also exit with an error status. Because of this failure, the TOC will
+    # not be correctly generated on the first run, and we must do it twice.
+    yes '' | make latexpdf || :
+    yes '' | make latexpdf || :
+
+    mkdir -p build
+    mv docs/_build "build/${2}"
+}
+
+do_build "$stable_tag" stable
+do_build "$latest_branch" latest

deploy/nginx.conf

@@ -0,0 +1,32 @@
+pid /opt/nginx/run/nginx.pid;
+
+events {
+}
+
+http {
+    include /etc/nginx/mime.types;
+    sendfile on;
+
+    server {
+        listen 5080;
+        absolute_redirect off;
+        port_in_redirect off;
+
+        client_body_temp_path /opt/nginx/run/client_temp;
+        proxy_temp_path /opt/nginx/run/proxy_temp_path;
+        fastcgi_temp_path /opt/nginx/run/fastcgi_temp;
+        uwsgi_temp_path /opt/nginx/run/uwsgi_temp;
+        scgi_temp_path /opt/nginx/run/scgi_temp;
+
+        merge_slashes off;
+
+        location / {
+            root /opt/nginx/webroot;
+            index index.html;
+
+            rewrite ^/$ /en/stable/ redirect;
+            rewrite ^/_/downloads/en/stable/pdf/$ /en/stable/SecureDrop.pdf permanent;
+            rewrite ^/_/downloads/en/latest/pdf/$ /en/latest/SecureDrop.pdf permanent;
+        }
+    }
+}

docs/_static/releases.css

@@ -0,0 +1 @@
+.rst-other-versions .current-release { font-weight: 700; }

docs/_templates/layout.html

@@ -0,0 +1,35 @@
+{% extends "!layout.html" %}
+
+{% block extrahead %}
+<link rel="stylesheet" href="_static/releases.css" type="text/css" />
+{% endblock %}
+
+{% block extrabody %}
+<div class="rst-versions" data-toggle="rst-versions" role="note" aria-label="versions">
+    <span class="rst-current-version" data-toggle="rst-current-version">
+        <span class="fa fa-book">SecureDrop Docs</span>
+        v: {{ release }}
+        <span class="fa fa-caret-down"></span>
+    </span>
+    <div class="rst-other-versions">
+        <dl>
+            <dt>Versions</dt>
+            <dd{% if release == "stable" %} class="current-release"{% endif %}>
+                <a href="/en/stable/{{ pagename }}.html">stable</a>
+            </dd>
+            <dd{% if release == "latest" %} class="current-release"{% endif %}>
+                <a href="/en/latest/{{ pagename }}.html">latest</a>
+            </dd>
+        </dl>
+        <dl>
+            <dt>Downloads</dt>
+            <dd><a href="/en/{{ release }}/SecureDrop.pdf">PDF</a></dd>
+        </dl>
+        <hr>
+        <small>
+            A project of <a href="https://freedom.press/">Freedom of the Press Foundation</a> ·
+            <a href="https://freedom.press/privacy-policy/">Privacy Policy</a>
+        </small>
+    </div>
+</div>
+{% endblock %}

docs/conf.py

@@ -51,7 +51,8 @@
 # The short X.Y version.
 version = "2.1.0"
 # The full version, including alpha/beta/rc tags.
-release = "2.1.0"
+# On the live site, this will be overridden to "stable" or "latest".
+release = os.environ.get("SECUREDROP_DOCS_RELEASE", version)
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
@@ -147,7 +148,7 @@
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
-# html_static_path = ['_static']
+html_static_path = ['_static']
 
 # Add any extra paths that contain custom files (such as robots.txt or
 # .htaccess) here, relative to this directory. These files are copied
@@ -220,7 +221,26 @@
     # The font size ('10pt', '11pt' or '12pt').
     # 'pointsize': '10pt',
     # Additional stuff for the LaTeX preamble.
-    # 'preamble': '',
+    # Neither of:
+    #     \usepackage[T1]{fontenc}
+    #     \usepackage{textcomp}
+    # seem to make this magically work, so define individual characters.
+    # Also,
+    #     \usepackage{svg}
+    # does not seem to allow inclusion of the Weblate status badge (over HTTPS,
+    # which may be the problem).
+    'preamble': r'''
+    \DeclareUnicodeCharacter{25B6}{$\blacktriangleright$}
+    \DeclareUnicodeCharacter{25B8}{$\blacktriangleright$}
+    \DeclareUnicodeCharacter{2B06}{$\uparrow$}
+    \DeclareUnicodeCharacter{2B07}{$\downarrow$}
+    \DeclareUnicodeCharacter{201C}{\textquotedblleft}
+    \DeclareUnicodeCharacter{201D}{\textquotedblright}
+    \DeclareUnicodeCharacter{00E2}{\^a}
+    \DeclareUnicodeCharacter{20AC}{\euro}
+    \DeclareUnicodeCharacter{0153}{\oe}
+    \DeclareUnicodeCharacter{FFFD}{$\blacklozenge$}
+    ''',
     # Latex figure (float) alignment
     # 'figure_align': 'htbp',
 }

docs/development/updating_ossec.rst

@@ -129,6 +129,15 @@ You can find this ``program_name`` value using the :ref:`"ossec-logtest" command
 <using_ossec_logtest>`.  Copy-paste the log event as input to this command, and
 it will give you some parsed output:
 
+..
+    Warning to editors:  The instances of "“" in this example come verbatim
+    from actual OSSEC alerts reported (and reproduced) in
+    freedomofpress/securedrop#5835.  Whether or not they should be considered
+    invalid *output* from OSSEC, they are valid *input* for the purpose of this
+    example and documentation.  See
+    <https://github.com/freedomofpress/securedrop-docs/pull/199#pullrequestreview-634460996>
+    for a prior discussion on this point.
+
 ::
 
     $ echo "Mar  1 13:22:53 app fwupd[133921]: 13:22:53:0883 FuPluginUefi         Error opening directory “/sys/firmware/efi/esrt/entries�: No such file or directory" | sudo /var/ossec/bin/ossec-logtest