-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDockerfile
230 lines (152 loc) · 6.68 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
FROM ministryofjustice/wordpress-base-fpm:latest AS base-fpm
# Make the Nginx user available in this container
RUN addgroup -g 101 -S nginx; adduser -u 101 -S -D -G nginx nginx
RUN mkdir /sock && \
chown nginx:nginx /sock
# Copy our healthcheck scripts and set them to executable
COPY bin/fpm-*.sh /usr/local/bin/fpm-health/
RUN chmod +x /usr/local/bin/fpm-health/*
## Change directory
WORKDIR /usr/local/etc/php-fpm.d
## Clean PHP pools; leave docker.conf in situe
RUN rm zz-docker.conf && \
rm www.conf.default && \
rm www.conf
## Set our pool configuration
COPY deploy/config/php-pool.conf pool.conf
# Create volumes for so that the directories are writeable when the container is in read-only mode.
VOLUME /tmp /var/www/html/public/app/uploads
WORKDIR /var/www/html
###
FROM nginx:1.26.2-alpine AS nginx-module-builder
SHELL ["/bin/ash", "-exo", "pipefail", "-c"]
RUN apk update \
&& apk add linux-headers openssl-dev pcre2-dev zlib-dev openssl abuild \
musl-dev libxslt libxml2-utils make mercurial gcc unzip git \
xz g++ coreutils \
# allow abuild as a root user \
&& printf "#!/bin/sh\\nSETFATTR=true /usr/bin/abuild -F \"\$@\"\\n" > /usr/local/bin/abuild \
&& chmod +x /usr/local/bin/abuild \
&& hg clone -r ${NGINX_VERSION}-${PKG_RELEASE} https://hg.nginx.org/pkg-oss/ \
&& cd pkg-oss \
&& mkdir /tmp/packages && \
/pkg-oss/build_module.sh -v $NGINX_VERSION -f -y -o /tmp/packages -n cachepurge https://github.com/nginx-modules/ngx_cache_purge/archive/2.5.3.tar.gz; \
BUILT_MODULES="$BUILT_MODULES $(echo cachepurge | tr '[A-Z]' '[a-z]' | tr -d '[/_\-\.\t ]')"; \
echo "BUILT_MODULES=\"$BUILT_MODULES\"" > /tmp/packages/modules.env
###
FROM nginxinc/nginx-unprivileged:1.26-alpine AS base-nginx
USER root
RUN --mount=type=bind,target=/tmp/packages/,source=/tmp/packages/,from=nginx-module-builder \
. /tmp/packages/modules.env \
&& apk add --no-cache --allow-untrusted /tmp/packages/nginx-module-cachepurge-${NGINX_VERSION}*.apk;
RUN mkdir /var/run/nginx-cache && \
chown nginx:nginx /var/run/nginx-cache
# contains gzip and module include
COPY --chown=nginx:nginx deploy/config/nginx.conf /etc/nginx/nginx.conf
COPY deploy/config/init/* /docker-entrypoint.d/
RUN chmod +x /docker-entrypoint.d/*
RUN echo "# This file is configured at runtime." > /etc/nginx/real_ip.conf
USER 101
###
## target: dev
FROM base-fpm AS dev
RUN apk add --update nano nodejs npm inotify-tools
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
VOLUME ["/sock"]
# nginx
USER 101
## target: local-ssh
FROM base-fpm AS local-ssh
ARG LOCAL_SSH_PASSWORD
RUN apk add --no-cache openssh bash
RUN ssh-keygen -A && \
adduser -h /home/ssh-user -s /bin/bash -D ssh-user && \
echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config && \
echo -n "ssh-user:${LOCAL_SSH_PASSWORD}" | chpasswd && \
echo "ssh-user:${LOCAL_SSH_PASSWORD}" && \
echo 'cd /var/www/html' >> /home/ssh-user/.bash_profile
RUN mkdir -p /home/ssh-user/.ssh && \
chown -R ssh-user:ssh-user /home/ssh-user/.ssh && \
chmod 700 /home/ssh-user/.ssh
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-e"]
###
## target: production
FROM base-fpm AS build-fpm-composer
WORKDIR /var/www/html
ARG COMPOSER_USER
ARG COMPOSER_PASS
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
COPY ./bin/composer-auth.sh ./bin/composer-post-install.sh ./bin/
RUN chmod +x ./bin/composer-auth.sh && \
./bin/composer-auth.sh
RUN chmod +x ./bin/composer-post-install.sh
# non-root
USER 101
COPY ./composer.json ./composer.lock /var/www/html/
RUN composer install --no-dev
RUN composer dump-autoload -o
ARG regex_files='\(js\|css\|png\|jpg\|jpeg\|gif\|ico\|svg\|webmanifest\)'
ARG regex_path='\(app\/mu\-plugins\|app\/plugins\|wp\)'
RUN mkdir -p ./vendor-assets && \
# Copy the theme's error pages
find public/ -regex "public\/app\/themes\/justice\/error\-pages\.*\.html" -exec cp --parent "{}" vendor-assets/ \; && \
# Copy frontend assets from mu-plugins, plugins and wp.
find public/ -regex "public\/${regex_path}.*\.${regex_files}" -exec cp --parent "{}" vendor-assets/ \;
###
FROM node:20 AS assets-build
WORKDIR /node
COPY ./public/app/themes/justice/src ./src
COPY ./public/app/themes/justice/style.css ./style.css
COPY ./public/app/themes/justice/jsconfig.json ./jsconfig.json
COPY ./public/app/themes/justice/package.json ./package.json
COPY ./public/app/themes/justice/package-lock.json ./package-lock.json
COPY ./public/app/themes/justice/webpack.mix.js ./webpack.mix.js
RUN npm ci
RUN npm run production
RUN rm -rf node_modules
###
FROM ruby:3 AS jekyll-dev
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential \
git \
&& rm -rf /var/lib/apt/lists/*
# Update the Ruby bundler and install Jekyll
RUN gem update bundler && gem install bundler jekyll
WORKDIR /home
###
FROM base-fpm AS build-fpm
WORKDIR /var/www/html
COPY --chown=nginx:nginx ./config ./config
COPY --chown=nginx:nginx ./public ./public
# Replace paths with dependencies from build-fpm-composer
ARG path="/var/www/html"
COPY --from=build-fpm-composer ${path}/public/app/mu-plugins public/app/mu-plugins
COPY --from=build-fpm-composer ${path}/public/app/plugins public/app/plugins
COPY --from=build-fpm-composer ${path}/public/app/languages public/app/languages
COPY --from=build-fpm-composer ${path}/public/wp public/wp
COPY --from=build-fpm-composer ${path}/vendor vendor
COPY --from=assets-build --chown=nginx:nginx /node/dist/php public/app/themes/justice/dist/php
# non-root
USER 101
###
FROM base-nginx AS nginx-dev
###
FROM base-nginx AS build-nginx
# Grab server configurations
COPY deploy/config/php-fpm.conf /etc/nginx/php-fpm.conf
COPY deploy/config/php-fpm-auth.conf /etc/nginx/php-fpm-auth.conf
COPY deploy/config/auth-request.conf /etc/nginx/auth-request.conf
COPY deploy/config/redirects.conf /etc/nginx/redirects.conf
COPY deploy/config/server.conf /etc/nginx/conf.d/default.conf
WORKDIR /var/www/html
# WordPress view bootstrapper
COPY public/index.php public/index.php
COPY public/app/themes/justice/error-pages public/app/themes/justice/error-pages/
COPY public/app/themes/justice/screenshot.png public/app/themes/justice/screenshot.png
# Only take what Nginx needs (current configuration)
COPY --from=build-fpm-composer --chown=nginx:nginx /var/www/html/public/wp/wp-admin/index.php public/wp/wp-admin/index.php
COPY --from=build-fpm-composer --chown=nginx:nginx /var/www/html/vendor-assets ./
# Grab assets for Nginx
COPY --from=assets-build /node/dist public/app/themes/justice/dist/
COPY --from=assets-build /node/style.css public/app/themes/justice/