make taiga grsec-friendly

Dockerfile

@@ -25,20 +25,23 @@ ENV HOME /home/$USER
 ENV DATA /opt/taiga
 RUN useradd -u $UID -m -d $HOME -s /usr/sbin/nologin -g $GROUP $USER
 RUN mkdir -p $DATA $DATA/media $DATA/static $DATA/logs /var/log/taiga \
-    && chown -Rh $USER:$GROUP $DATA /var/log/taiga
+    && chown -Rh $USER:$GROUP /var/log/taiga
+
+WORKDIR $DATA
 
 # Install taiga-back
-USER $USER
-WORKDIR $DATA
-RUN git clone -b stable https://github.com/taigaio/taiga-back.git $DATA/taiga-back \
+RUN git clone -b stable https://github.com/taigaio/taiga-back.git taiga-back \
     && virtualenv -p /usr/bin/python3.4 venvtaiga \
     && . venvtaiga/bin/activate \
-    && cd $DATA/taiga-back \
+    && cd taiga-back \
     && pip3 install -r requirements.txt \
     && deactivate
 
 # Install taiga-front (compiled)
-RUN git clone -b stable https://github.com/taigaio/taiga-front-dist.git $DATA/taiga-front-dist
+RUN git clone -b stable https://github.com/taigaio/taiga-front-dist.git taiga-front-dist
+COPY robots.txt taiga-front-dist/dist/robots.txt
+
+USER $USER
 
 USER root
 

launch

@@ -44,8 +44,8 @@ chmod +x /already_initialized
 # Keep sensitive information out of here
 unset DJANGO_SECRET_KEY TAIGA_DB_PASSWORD
 
-# Make sure the data is readable
-chown -Rh $USER:$GROUP $DATA
+# Make sure the dynamic data is writable by the circus/gunicorn
+chown -Rh $USER:$GROUP $DATA/media $DATA/taiga-back/taiga/locale $DATA/logs
 
 # Make sure the PostgreSQL database is up and ready
 while ! ping -c 1 -W 1 $TAIGA_DB_HOST >/dev/null 2>&1; do

robots.txt

@@ -0,0 +1,7 @@
+# Tell robots we don't want indexation
+User-agent: *
+Disallow: /
+
+# You rush a miracle man, you get rotten miracles.
+#
+#                            -- Miracle Max --