App image

app/Dockerfile

@@ -0,0 +1,50 @@
+# syntax=docker/dockerfile:1
+
+#
+# App image
+#
+FROM php-base
+
+ENV KIND=druid-docker-image \
+    APP_PATH=/app \
+    DEFAULT_USER=druid \
+    DEFAULT_USER_UID=1000 \
+    APP_ENV=prod \
+    COMPOSER_HOME=/home/druid/.composer \
+    COMPOSER_AUDIT_ABANDONED=report \
+    COMPOSER_FUND=0 \
+    PATH="${PATH}:/home/druid/.composer/vendor/bin:/app/vendor/bin" \
+    SSH_AUTH_SOCK=/tmp/ssh-agent
+
+WORKDIR ${APP_PATH}
+
+COPY --link --from=composer/composer:2.8-bin /composer /usr/local/bin/
+COPY --link --from=amazeeio/envplate:v1.0.3 /usr/local/bin/ep /usr/local/bin/ep
+COPY --link --from=mlocati/php-extension-installer /usr/bin/install-php-extensions /usr/local/bin/
+
+RUN apk --no-cache add \
+    bash curl doas git make mariadb-client mariadb-connector-c neofetch nginx openssh-client patch tar tini && \
+    install-php-extensions \
+    apcu bcmath exif gd igbinary msgpack mysqli opcache pdo_mysql redis sockets uploadprogress xdebug zip && \
+    addgroup -S ${DEFAULT_USER} -g ${DEFAULT_USER_UID} && \
+    adduser -D -S -G ${DEFAULT_USER} -u ${DEFAULT_USER_UID} -s /bin/bash ${DEFAULT_USER} && \
+    adduser ${DEFAULT_USER} www-data && \
+    mkdir -p /home/${DEFAULT_USER}/.composer && \
+    chown -R ${DEFAULT_USER}:${DEFAULT_USER} /home/${DEFAULT_USER} ${APP_PATH} && \
+    chmod -R a+rwx /var/lib/nginx /var/log/nginx
+
+COPY --chown=${DEFAULT_USER}:${DEFAULT_USER} files/home/druid/ /home/druid
+COPY files/entrypoints/ /entrypoints/
+COPY files/etc/ /etc/
+COPY files/usr/local/ /usr/local/
+
+# See https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-certificate-rotation#what-change-was-scheduled-to-be-performed-starting-december-2022-122022
+ADD --checksum=sha256:5d550643b6400d4341550a9b14aedd0b4fac33ae5deb7d8247b6b4f799c13306 --chmod=0644 \
+    https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem /opt/ssl/
+
+EXPOSE 8080/tcp
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["entrypoint"]
+USER ${DEFAULT_USER}
+SHELL ["/bin/bash", "-c"]

app/build.mk

@@ -0,0 +1,27 @@
+BAKE_FLAGS := --pull --no-cache --push
+
+PHONY += app-bake-all
+app-bake-all: ## Bake all PHP images
+	@PHP82_MINOR=$(call get_php_minor,8.2) PHP83_MINOR=$(call get_php_minor,8.3) PHP84_MINOR=$(call get_php_minor,8.4) \
+		docker buildx bake -f app/docker-bake.hcl $(BAKE_FLAGS)
+
+PHONY += app-bake-print
+app-bake-print: BAKE_FLAGS := --print
+app-bake-print: app-bake-all ## Print bake plan for App images
+
+PHONY += app-bake-local
+app-bake-local: BAKE_FLAGS := --pull --progress plain --no-cache --load --set *.platform=linux/$(CURRENT_ARCH)
+app-bake-local: app-bake-all run-app-tests ## Bake all App images locally
+
+PHONY += app-bake-test
+app-bake-test: BAKE_FLAGS := --pull --progress plain --no-cache
+app-bake-test: app-bake-all run-app-tests ## CI test for App images
+
+PHONY += run-app-tests
+run-app-tests:
+	$(call step,Run tests in druidfi/app:php-8.2)
+	@docker run --rm -t -v $(CURDIR)/tests/scripts:/app/scripts druidfi/app:php-8.2 /app/scripts/tests.sh
+	$(call step,Run tests in druidfi/app:php-8.3)
+	@docker run --rm -t -v $(CURDIR)/tests/scripts:/app/scripts druidfi/app:php-8.3 /app/scripts/tests.sh
+#	$(call step,Run tests in druidfi/app:php-8.4)
+#	@docker run --rm -t -v $(CURDIR)/tests/scripts:/app/scripts druidfi/app:php-8.4 /app/scripts/tests.sh

app/docker-bake.hcl

@@ -0,0 +1,84 @@
+variable "REPO_BASE" {
+  default = "druidfi/app"
+}
+
+variable "PHP82_MINOR" {}
+variable "PHP83_MINOR" {}
+variable "PHP84_MINOR" {}
+
+group "default" {
+  targets = ["php-82", "php-83"]
+}
+
+target "common" {
+  platforms = ["linux/amd64", "linux/arm64"]
+  labels = {
+    "org.opencontainers.image.url" = "https://github.com/druidfi/docker-images"
+    "org.opencontainers.image.source" = "https://github.com/druidfi/docker-images"
+    "org.opencontainers.image.licenses" = "MIT"
+    "org.opencontainers.image.vendor" = "Druid Oy"
+    "org.opencontainers.image.created" = "${timestamp()}"
+  }
+}
+
+#
+# PHP
+#
+
+target "php" {
+  context = "./app"
+}
+
+target "php-82" {
+  inherits = ["common", "php"]
+  args = {
+    PHP_VERSION = "8.2"
+    PHP_SHORT_VERSION = "82"
+  }
+  contexts = {
+    php-base = "docker-image://php:${PHP82_MINOR}-fpm-alpine"
+  }
+  labels = {
+    "org.opencontainers.image.title" = "Druid App image with PHP 8.2"
+    "org.opencontainers.image.description" = "Base PHP 8.2 image"
+    #"org.opencontainers.image.version" = VERSION
+    #"org.opencontainers.image.revision" = SHA
+  }
+  tags = ["${REPO_BASE}:php-8", "${REPO_BASE}:php-8.2", "${REPO_BASE}:latest"]
+}
+
+target "php-83" {
+  inherits = ["common", "php"]
+  args = {
+    PHP_VERSION = "8.3"
+    PHP_SHORT_VERSION = "83"
+  }
+  contexts = {
+    php-base = "docker-image://php:${PHP83_MINOR}-fpm-alpine"
+  }
+  labels = {
+    "org.opencontainers.image.title" = "Druid App image with PHP 8.3"
+    "org.opencontainers.image.description" = "Base PHP 8.3 image"
+    #"org.opencontainers.image.version" = VERSION
+    #"org.opencontainers.image.revision" = SHA
+  }
+  tags = ["${REPO_BASE}:php-8.3"]
+}
+
+target "php-84" {
+  inherits = ["common", "php"]
+  args = {
+    PHP_VERSION = "8.4"
+    PHP_SHORT_VERSION = "84"
+  }
+  contexts = {
+    php-base = "docker-image://php:${PHP84_MINOR}-fpm-alpine"
+  }
+  labels = {
+    "org.opencontainers.image.title" = "Druid App image with PHP 8.4"
+    "org.opencontainers.image.description" = "Base PHP 8.4 image"
+    #"org.opencontainers.image.version" = VERSION
+    #"org.opencontainers.image.revision" = SHA
+  }
+  tags = ["${REPO_BASE}:php-8.4"]
+}

app/files/entrypoints/00-umask.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Make sure that new files generated by Docker have group write permission
+umask 002

app/files/entrypoints/10-ssh-agent.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+SOCKET_NAMES="druid amazeeio"
+SOCKET_FOUND=0
+
+for i in ${SOCKET_NAMES}
+do
+   :
+   SOCKET="/tmp/${i}_ssh-agent/socket"
+
+   if [ -S "${SOCKET}" ]; then
+    echo "Found socket from ${SOCKET}"
+    echo "Symlink ${SSH_AUTH_SOCK} to ${SOCKET}..."
+    ln -sf "${SOCKET}" "$SSH_AUTH_SOCK"
+    SOCKET_FOUND=1
+  fi
+done
+
+if [ ${SOCKET_FOUND} = 0 ]; then
+  echo "No socket found"
+fi

app/files/entrypoints/15-xdebug.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+XDEBUG_INI=/usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini
+
+if [ "$XDEBUG_ENABLE" = "true" ]; then
+  echo "Start with Xdebug enabled. Remove XDEBUG_ENABLE=true ENV variable to disable it."
+  if [ -f "$XDEBUG_INI" ]; then
+    echo "Already enabled..."
+  else
+    doas mv "$XDEBUG_INI".disabled "$XDEBUG_INI"
+  fi
+else
+  echo "Start with Xdebug disabled. Add XDEBUG_ENABLE=true ENV variable to enable it."
+  if [ -f "$XDEBUG_INI" ]; then
+    doas mv "$XDEBUG_INI" "$XDEBUG_INI".disabled
+  else
+    echo "Already disabled..."
+  fi
+fi

app/files/entrypoints/19-php_ini.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+TEMPLATE=/usr/local/etc/php/conf.d/docker-php-ext-zzz-dynamic.ini.ep
+TARGET=/usr/local/etc/php/conf.d/docker-php-ext-zzz-dynamic.ini
+
+if [ -f "$TEMPLATE" ]; then
+  echo "Prepare PHP docker-php-ext-zzz-dynamic.ini conf..."
+
+  doas ep -v "$TEMPLATE"
+  doas mv "$TEMPLATE" "$TARGET"
+fi

app/files/entrypoints/20-php-fpm.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+echo "Start up PHP-FPM..."
+
+php-fpm &
+
+# Usage: php [-n] [-e] [-h] [-i] [-m] [-v] [-t] [-p <prefix>] [-g <pid>] [-c <file>] [-d foo[=bar]] [-y <file>] [-D] [-F [-O]]
+#  -c <path>|<file> Look for php.ini file in this directory
+#  -n               No php.ini file will be used
+#  -d foo[=bar]     Define INI entry foo with value 'bar'
+#  -e               Generate extended information for debugger/profiler
+#  -h               This help
+#  -i               PHP information
+#  -m               Show compiled in modules
+#  -v               Version number
+#  -p, --prefix <dir>
+#                   Specify alternative prefix path to FastCGI process manager (default: /usr).
+#  -g, --pid <file>
+#                   Specify the PID file location.
+#  -y, --fpm-config <file>
+#                   Specify alternative path to FastCGI process manager config file.
+#  -t, --test       Test FPM configuration and exit
+#  -D, --daemonize  force to run in background, and ignore daemonize option from config file
+#  -F, --nodaemonize
+#                   force to stay in foreground, and ignore daemonize option from config file
+#  -O, --force-stderr
+#                   force output to stderr in nodaemonize even if stderr is not a TTY
+#  -R, --allow-to-run-as-root
+#                   Allow pool to run as root (disabled by default)

app/files/entrypoints/30-nginx.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+echo "Prepare Nginx conf..."
+
+doas ep -v /etc/nginx/conf.d/default.conf
+
+echo "Start up Nginx..."
+
+nginx

app/files/etc/doas.d/doas.conf

@@ -0,0 +1 @@
+permit nopass keepenv druid as root

app/files/etc/nginx/conf.d/default.conf

@@ -0,0 +1,128 @@
+server {
+  listen [::]:8080 default_server;
+  listen 8080 default_server;
+  server_name _;
+
+  root /app/${WEBROOT:-public};
+  index index.php;
+
+  # rewriting /index.php to / because after https://www.drupal.org/node/2599326
+  # autocomplete URLs are forced to go to index.php
+  rewrite ^/index.php / last;
+
+  # The 'default' location.
+  location / {
+    # This has to come before any *.txt path-based blocking
+    # Support for the securitytxt module
+    # http://drupal.org/project/securitytxt.
+    # RFC8615 standard path.
+    location ~* /\.well-known/security\.txt(\.sig)?$ {
+      access_log off;
+      try_files $uri @rewrite;
+    }
+
+    location ~ ^/(status|ping)$ {
+        include fastcgi_params;
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
+        allow 127.0.0.1;
+        deny all;
+    }
+
+    # Do not allow access to .txt and .md unless inside sites/*/files/
+    location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md)$ {
+      deny all;
+      access_log off;
+      log_not_found off;
+    }
+
+    # Replicate the Apache <FilesMatch> directive of Drupal standard
+    # .htaccess. Disable access to any code files. Return a 404 to curtail
+    # information disclosure.
+    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.*sql\.gz|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^\/(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|web\.config)$|composer\.(json|lock)$|^\/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+      deny all;
+      access_log off;
+      log_not_found off;
+      return 404;
+    }
+
+    ## Directives for installing drupal.
+    #location ~* ^(/install.php|/core/install.php) {
+    #  try_files /dev/null @php;
+    #}
+
+    # Disallow access to any dot files, but send the request to Drupal
+    location ~* /\. {
+      try_files /dev/null @rewrite;
+    }
+
+    # Direct Access to .php files is not allowed and is sent to Drupal instead
+    location ~* ^.+\.php$ {
+      try_files /dev/null @rewrite;
+    }
+
+    # Try to find a file with given URL, if not pass to Drupal
+    try_files $uri @rewrite;
+  }
+
+  # PHP Location.
+  # Warning: This allows to execute any PHP files, use with care!
+  location @php {
+    include        /etc/nginx/fastcgi.conf;
+    fastcgi_pass   127.0.0.1:9000;
+  }
+
+  location @rewrite {
+    include        /etc/nginx/fastcgi.conf;
+    fastcgi_param  SCRIPT_NAME        /index.php;
+    fastcgi_param  SCRIPT_FILENAME    $realpath_root/index.php;
+    fastcgi_pass   127.0.0.1:9000;
+  }
+
+  # Trying to access private files directly returns a 404.
+  location /sites/default/files/private/ {
+    internal;
+  }
+
+  # Disallow access to vendor directory.
+  location ^~ /core/vendor/ {
+    deny all;
+    access_log off;
+    log_not_found off;
+  }
+
+  # Disallow access to vendor directory.
+  location ^~ /vendor/ {
+    deny all;
+    access_log off;
+    log_not_found off;
+  }
+
+  # Support for the robotstxt module
+  # http://drupal.org/project/robotstxt.
+  location = /robots.txt {
+    access_log off;
+    try_files $uri @rewrite;
+  }
+
+  # Add support for the humanstxt module
+  # http://drupal.org/project/humanstxt.
+  location = /humans.txt {
+    access_log off;
+    try_files $uri @rewrite;
+  }
+
+  # Support for favicon. Return an 1x1 transparent GIF if it doesn't
+  # exist.
+  location = /favicon.ico {
+    expires 30d;
+    try_files /favicon.ico @empty;
+  }
+
+  # Return an in memory 1x1 transparent GIF.
+  location @empty {
+    expires 30d;
+    empty_gif;
+  }
+
+}