changed taiga path to /opt and improved first-run checks

Dockerfile

@@ -21,7 +21,7 @@ ENV USER taiga
 ENV UID 1000
 ENV GROUP www-data
 ENV HOME /home/$USER
-ENV DATA /usr/local/taiga
+ENV DATA /opt/taiga
 RUN useradd -u $UID -m -d $HOME -s /usr/sbin/nologin -g $GROUP $USER
 RUN mkdir -p $DATA $DATA/media $DATA/static $DATA/logs /var/log/taiga \
     && chown -Rh $USER:$GROUP $DATA /var/log/taiga

README.md

@@ -76,8 +76,8 @@ services:
     ports:
       - 80:80
     volumes:
-      - taiga_static:/usr/local/taiga/static
-      - taiga_media:/usr/local/taiga/media
+      - taiga_static:/opt/taiga/static
+      - taiga_media:/opt/taiga/media
     env_file:
       - ./taiga.env
       - ./taiga-db.env

TODO.md

@@ -1,6 +1,10 @@
 TODO
 ====
 
+* Security: make sure /already_installed script does not depend on 'admin' user
+ in case when someone wants to use alternative name (see TODO in
+ seeds/already_installed.tmpl file)
+
 * make sure Taiga sends emails, e.g. new user registered, password reset,
  general Taiga notifications
 

docker-compose.yml

@@ -30,8 +30,8 @@ services:
     ports:
       - 80:80
     volumes:
-      - taiga_static:/usr/local/taiga/static
-      - taiga_media:/usr/local/taiga/media
+      - taiga_static:/opt/taiga/static
+      - taiga_media:/opt/taiga/media
     env_file:
       - ./taiga.env
       - ./taiga-db.env

launch

@@ -30,6 +30,8 @@ envsubst < /tmp/taiga.tmpl > /etc/nginx/sites-enabled/taiga
 envsubst < /tmp/circus.ini.tmpl > $DATA/circus.ini
 envsubst < /tmp/conf.json.tmpl > $DATA/taiga-front-dist/dist/conf.json
 envsubst < /tmp/local.py.tmpl > $DATA/taiga-back/settings/local.py
+envsubst < /tmp/already_initialized.tmpl > /already_initialized
+chmod +x /already_initialized
 
 # Keep sensitive information out of here
 unset DJANGO_SECRET_KEY TAIGA_DB_PASSWORD
@@ -37,26 +39,34 @@ unset DJANGO_SECRET_KEY TAIGA_DB_PASSWORD
 # Make sure the data is readable
 chown -Rh $USER:$GROUP $DATA
 
-# Allow a little delay on the first run
-# to make sure Database is set and ready
-[ -e "/tmp/taiga.firstrun" ] || ( echo "Waiting for 10 seconds to let the DB initialize" \
-                                  && sleep 10 )
+# Make sure the PostgreSQL database is up and ready
+while ! ping -c 1 -W 1 $TAIGA_DB_HOST >/dev/null 2>&1; do
+  echo "Waiting for $TAIGA_DB_HOST to be Up ..."
+  sleep 1
+done
+
+while ! timeout 1 bash -c 'cat < /dev/null > /dev/tcp/$TAIGA_DB_HOST/$TAIGA_DB_PORT' >/dev/null 2>&1; do
+  echo "Waiting for $TAIGA_DB_HOST:$TAIGA_DB_PORT to be Ready ..."
+  sleep 1
+done
+
+# This will make a tiny delay which will help to ensure the database is up and
+# running before it will be seeded/updated
+/already_initialized
 
 # Upgrade DB schemas, etc...
 # This is important when Taiga's codebase gets updated
 su -s /bin/sh $USER -c '. $DATA/venvtaiga/bin/activate
 cd $DATA/taiga-back
 python manage.py migrate --noinput
-[ -e "/tmp/taiga.firstrun" ] || ( python manage.py loaddata initial_user \
-                                  && python manage.py loaddata initial_project_templates \
-                                  && python manage.py loaddata initial_role \
-                                  && echo "A new user admin with password 123123 has been created" )
+/already_initialized || ( python manage.py loaddata initial_user \
+                       && python manage.py loaddata initial_project_templates \
+                       && python manage.py loaddata initial_role \
+                       && echo "First run: A new user admin with password 123123 has been created. Please change the password once you login." )
 python manage.py compilemessages
 python manage.py collectstatic --noinput
 deactivate'
 
-touch /tmp/taiga.firstrun
-
 # (Optional) Fill Taiga with the Sample data
 # su -s /bin/sh $USER -c '. $DATA/venvtaiga/bin/activate
 # cd $DATA/taiga-back

seeds/already_initialized.tmpl

@@ -0,0 +1,36 @@
+#!$DATA/venvtaiga/bin/python
+# A simple script that checks whether the 'admin' user has been created.
+# It returns 0 on success and 1 on failure.
+# Based on this the /launch script will decide whether to create the default
+# admin user or not.
+# TODO: in some cases one may want to rename the 'admin' user, causing the
+# script to create a backdoor admin:123123. We need to take this into account!
+import os
+import sys
+sys.path.append('$DATA/taiga-back')
+
+from django.contrib.auth import get_user_model
+from django.core.wsgi import get_wsgi_application
+from django.db import utils
+
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "settings")
+application = get_wsgi_application()
+User = get_user_model()
+
+users_num = 0
+
+try:
+    users_num = User.objects.filter(username='admin').count()
+except utils.OperationalError as e:
+    print('(%s): Unable to connect to a database' % type(e))
+    pass
+except utils.ProgrammingError as e:
+    print('(%s): First run detected' % type(e))
+    pass
+
+if users_num > 0:
+    rc = 0
+else:
+    rc = 1
+
+sys.exit(rc)