docker: extract the vichan directory and make it optionally exposable

1 month ago · 67f461b22f
6 changed files with 131 additions and 40 deletions
--- a/docker/common-setup.sh
+++ b/docker/common-setup.sh
@ -1,31 +1,32 @@
 #!/bin/sh

-set -eu
-
-install -m 544 -o www-data -g www-data -d /var/www
-ln -s \
-   /code/banners/ \
-   /code/static/ \
-   /code/stylesheets/ \
-   /code/tools/ \
-   /code/walls/ \
-   /code/*.php \
-   /code/404.html \
-   /code/LICENSE.* \
-   /code/robots.txt \
-   /code/install.sql \
-   /var/www/
-
-install -m 540 -o www-data -g www-data -d /var/tmp/leftypol
-install -m 540 -o www-data -g www-data -d /var/tmp/leftypol/cache
-ln -s /var/tmp/leftypol /var/www/tmp
-
-install -m 544 -o www-data -g www-data -d /var/www/js
-ln -s /code/js/* /var/www/js/
-
-install -m 544 -o www-data -g www-data -d /var/www/templates
-install -m 544 -o www-data -g www-data -d /var/www/templates/cache
-ln -s /code/templates/* /var/www/templates/
-
-install -m 544 -o www-data -g www-data -d /var/www/inc
-ln -s /code/inc/* /var/www/inc/
+#set -eu
+#
+#install -m 544 -o www-data -g www-data -d /var/www
+#ln -s \
+#   /code/banners/ \
+#   /code/static/ \
+#   /code/stylesheets/ \
+#   /code/tools/ \
+#   /code/walls/ \
+#   /code/*.php \
+#   /code/404.html \
+#   /code/LICENSE.* \
+#   /code/robots.txt \
+#   /code/install.sql \
+#   /var/www/
+#
+#install -m 540 -o www-data -g www-data -d /var/tmp/leftypol
+#install -m 540 -o www-data -g www-data -d /var/tmp/leftypol/cache
+#ln -s /var/tmp/leftypol /var/www/tmp
+#
+#install -m 544 -o www-data -g www-data -d /var/www/js
+#ln -s /code/js/* /var/www/js/
+#
+#install -m 544 -o www-data -g www-data -d /var/www/templates
+#install -m 544 -o www-data -g www-data -d /var/www/templates/cache
+#ln -s /code/templates/* /var/www/templates/
+#
+#install -m 544 -o www-data -g www-data -d /var/www/inc
+#ln -s /code/inc/* /var/www/inc/
+#
--- a/docker/doc.md
+++ b/docker/doc.md
@ -0,0 +1,4 @@
+The `php-fpm` process runs containerized.
+The php application always uses `/var/www` as it's work directory and home folder, and if `/var/www` is bind mounted it
+is necessary to adjust the path passed via FastCGI to `php-fpm` by changing the root directory to `/var/www`.
+This can achieved in nginx by setting the `fastcgi_param SCRIPT_FILENAME` to `/var/www/$fastcgi_script_name;`
--- a/docker/nginx/Dockerfile
+++ b/docker/nginx/Dockerfile
@ -2,9 +2,7 @@ FROM nginx:1.25.3-alpine

 COPY . /code
 RUN adduser --system www-data \
-  && adduser www-data www-data \
-  && /code/docker/common-setup.sh
-
+  && adduser www-data www-data

 CMD [ "nginx", "-g", "daemon off;" ]
 EXPOSE 80
--- a/docker/nginx/leftypol.conf
+++ b/docker/nginx/leftypol.conf
@ -6,7 +6,7 @@ server {
 	listen 80 default_server;
 	listen [::]:80 default_server ipv6only=on;
 	server_name leftypol;
-	root /var/www;
+	root /var/www/html;
 	add_header X-Frame-Options "SAMEORIGIN";
 	add_header X-Content-Type-Options "nosniff";

@ -56,7 +56,7 @@ server {
 		proxy_set_header Forwarded-Request-Id $x_request_id;
 		fastcgi_pass php-upstream;
 		fastcgi_index index.php;
-		fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+		fastcgi_param SCRIPT_FILENAME /var/www/$fastcgi_script_name;
 		fastcgi_read_timeout 600;
 		include fastcgi_params;
 	}
--- a/docker/php/Dockerfile
+++ b/docker/php/Dockerfile
@ -33,15 +33,29 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
    && pecl install imagick \
    && pecl install -o -f igbinary \
    && docker-php-ext-install gd zip opcache intl pdo pdo_mysql mysqli bcmath gettext iconv mbstring curl \
-    && docker-php-ext-enable igbinary redis imagick
+    && docker-php-ext-enable igbinary redis imagick \
+    && rm -rf /var/cache/* \
+    && rmdir /var/www/html \
+    && install -d -m 744 -o www-data -g www-data /var/www \
+    && install -d -m 700 -o www-data -g www-data /var/tmp/leftypol \
+    && install -d -m 700 -o www-data -g www-data /var/cache/gen-cache \
+    && install -d -m 700 -o www-data -g www-data /var/cache/template-cache

-COPY --from=composer /usr/bin/composer /usr/bin/composer
+COPY --from=composer /usr/bin/composer /usr/local/bin/composer
+
+# Copy the bootstrap script.
+COPY ./docker/php/bootstrap.sh /usr/local/bin/bootstrap.sh
+
+# Copy the actual project (use .dockerignore to exclude stuff).
 COPY . /code

-RUN /code/docker/common-setup.sh \
-    && ln -s /code/composer.json /code/composer.lock /var/www/ \
-    && cd /var/www && composer install
+# Make the instance configuration owned by www-data.
+# Make it writable by php.
+# Install the compose depedencies.
+RUN chown www-data /code/inc/instance-config.php && chgrp www-data /code/inc/instance-config.php \
+    && chmod 660 /code/inc/instance-config.php \
+    && cd /code && composer install

 WORKDIR "/var/www"
-CMD [ "php-fpm" ]
+CMD [ "bootstrap.sh" ]
 EXPOSE 9000
--- a/docker/php/bootstrap.sh
+++ b/docker/php/bootstrap.sh
@ -0,0 +1,74 @@
+#!/bin/sh
+
+set -eu
+
+if ! mountpoint -q /var/www; then
+    echo "WARNING: '/var/www' is not a mountpoint. All the data will remain inside the container!"
+fi
+
+if [ ! -w /var/www ] ; then
+    echo "ERROR: '/var/www' is not writable. Closing."
+    exit 1
+fi
+
+# Link the entrypoints from the exposed directory.
+ln -nfs \
+    /code/banners/ \
+    /code/static/ \
+    /code/stylesheets/ \
+    /code/tools/ \
+    /code/walls/ \
+    /code/*.php \
+    /code/LICENSE.* \
+    /code/404.html \
+    /code/install.sql \
+    /var/www/
+# Ensure correct permissions are set, since this might be bind mount.
+chown www-data /var/www
+chgrp www-data /var/www
+
+# Initialize robots.txt with the default if it doesn't exist.
+cp -n /code/robots.txt /var/www
+
+# Link the cache and tmp files directory.
+ln -nfs /var/tmp/leftypol /var/www/tmp
+
+# Link the javascript directory.
+ln -nfs /code/js /var/www/
+
+# Link the html templates directory and it's cache.
+ln -nfs /code/templates /var/www/
+ln -nfs -T /var/cache/template-cache /var/www/templates/cache
+chown -h www-data /var/www/templates/cache
+chgrp -h www-data /var/www/templates/cache
+
+# Link the generic cache.
+ln -nfs -T /var/cache/gen-cache /var/www/tmp/cache
+chown -h www-data /var/www/tmp/cache
+chgrp -h www-data /var/www/tmp/cache
+
+# Create the included files directory and link them
+install -d -m 700 -o www-data -g www-data /var/www/inc
+for file in /code/inc/*; do
+    file="${file##*/}"
+    if [ ! -e /var/www/inc/$file ]; then
+        ln -s /code/inc/$file /var/www/inc/
+    fi
+done
+# Copy an empty instance configuration if the file is a link (it was linked because it did not exist before).
+if [ -L '/var/www/inc/instance-config.php' ]; then
+    echo 'INFO: Resetting instance configuration'
+    rm /var/www/inc/instance-config.php
+    cp /code/inc/instance-config.php /var/www/inc/instance-config.php
+    chown www-data /var/www/inc/instance-config.php
+    chgrp www-data /var/www/inc/instance-config.php
+    chmod 600 /var/www/inc/instance-config.php
+else
+    echo 'INFO: Using existing instance configuration'
+fi
+
+# Link the composer dependencies.
+ln -nfs /code/vendor /var/www/
+
+# Start the php-fpm server.
+exec php-fpm