SECRET_KEY: make it required

Considered: having a fall-back that is generated on-server-start. That doesn't
fly because we have gunicorn, and each server gets their own value.

Generating once on first run (in the Docker container), writing to a file: way
too fragile. i.e. on-container-restart you'd get the same (and this would be
surprising).

Given the sensitive nature of all of this, I'd say being explicit

The actual effect of changes is limited to sessions invalidating (but that bad
enough).

And the current setup is more broad, since it does a general check.

See https://stackoverflow.com/a/30266422/339144 (note: PasswordResetView
isn't used by us, we have our own)

bugsink/conf_templates/docker.py.template

@@ -1,10 +1,11 @@
+import os
+
 from bugsink.settings.default import *  # noqa
 from bugsink.settings.default import DATABASES
 
 DEBUG = True
 
-# SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = "q47jh!sj-y4+6i4_fj*tyj1ej2&wl6st+@^ycgs7kl81dg^33h"
+SECRET_KEY = os.getenv("SECRET_KEY")
 
 # Alternatively, pass the SECRET_KEY as an environment variable. (although that has security implications too!)
 # i.e. those may leak in shared server setups.

bugsink/scripts/server_unified.py

@@ -22,6 +22,8 @@ class ParentProcess:
         """
         print("Server-unified starting with pid", os.getpid())
 
+        self.pre_start()
+
         self.children = []
 
         # I think Docker will send a SIGTERM to the main process when it wants to stop the container; SIGINT is for
@@ -36,6 +38,22 @@ class ParentProcess:
             for child in self.children:
                 child.wait()
 
+    def pre_start(self):
+        # I'd rather pull this out of server_unified.py, but I don't know how to do that in a way that works with
+        # Docker: The recommended way of running CMD in a Dockerfile is to use the exec form, which doesn't allow for
+        # running a script that does some setup before starting the main process, i.e. doesn't allow for '&&').
+        # Recommended here means: warning about signal-handling if you choose the other form.
+        #
+        # I also don't want to introduce further arg-parsing (distinguishing between serial and parallel start) so here
+        # we have it.
+        if sys.argv[1:2] == ["NO_DEPLOY_CHECK"]:
+            check = subprocess.run(["bugsink-manage", "check", "--fail-level", "WARNING"])
+        else:
+            check = subprocess.run(["bugsink-manage", "check", "--deploy", "--fail-level", "WARNING"])
+        if check.returncode != 0:
+            # print("Server-unified failed to start because 'bugsink-manage check' failed.")  superfluous
+            sys.exit(1)
+
     def start_children(self):
         # Start the server
         # Leaving stdout and stderr as None will make the output of the child processes be passed as our own.
@@ -74,6 +92,9 @@ class ParentProcess:
         # We don't want to pass the first argument, as that is the script name
         args = sys.argv[1:]
 
+        if args[:1] == ["NO_DEPLOY_CHECK"]:
+            args = args[1:]
+
         result = [[]]
         for arg in args:
             if arg == "UNIFIED_WITH":

bugsink/settings/default.py

@@ -205,6 +205,21 @@ WHITENOISE_USE_FINDERS = True
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 
 
+SILENCED_SYSTEM_CHECKS = [
+    # in the recommended setup this is done at the proxy level; in Docker telling people about it is a TODO
+    "security.W004",  # SECURE_HSTS_SECONDS
+
+    # in the recommended setup this is done at the proxy level; in Docker telling people about it is a TODO
+    "security.W008",  # SECURE_SSL_REDIRECT
+
+    # TODO correct this for the recommended setup; in Docker telling people about it is a TODO
+    "security.W012",  # SESSION_COOKIE_SECURE
+
+    # TODO correct this for the recommended setup; in Docker telling people about it is a TODO
+    "security.W016",  # CSRF_COOKIE_SECURE
+]
+
+
 LOGGING = deepcopy(DEFAULT_LOGGING)
 
 if I_AM_RUNNING != "TEST":