Fix build scripts (#2)

* Add scripts
* Updated code for the first release
* Updated config

.github/workflows/build-production.yml

@@ -5,7 +5,7 @@ name: Publish Docker (shinsenter/php)
 
 on:
   schedule:
-    - cron: '0 0 * * 2'
+    - cron: "0 0 * * 2"
   push:
     branches:
       - main
@@ -14,9 +14,8 @@ on:
 ################################################################################
 
 jobs:
-
-################################################################################
-################################################################################
+  ##############################################################################
+  ##############################################################################
 
   base_image:
     runs-on: ubuntu-latest
@@ -26,106 +25,112 @@ jobs:
         base:
           - ubuntu
         version:
+          - "20.04"
           - focal
-        platform:
-          - linux/amd64
-        name:
-          - shinsenter/s6-ubuntu
+          - latest
     env:
       DOCKER_BUILDKIT: "1"
-      BUILD_TAG: "main-${{ github.sha }}"
       OS_BASE: ${{ matrix.base }}
       OS_VERSION: ${{ matrix.version }}
-      OS_PLATFORM: ${{ matrix.platform }}
-      IMAGE_NAME: ${{ matrix.name }}
-      IMAGE_TAG: ${{ matrix.image }}:${{ matrix.version }}
     steps:
       - uses: actions/checkout@v2
         with:
           ref: main
       - name: Set up Docker
         uses: docker/setup-buildx-action@v1
-      - name: Cache layers
+      - name: Restore cache layers
         uses: actions/cache@v2
         with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-$BUILD_TAG
+          path: /tmp/.buildx
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+      - name: Create cache path
+        run: |
+          mkdir -p /tmp/.buildx
+          docker buildx create --use
       - name: Build and push
         uses: docker/build-push-action@v2
         with:
+          platforms: linux/amd64
+          tags: shinsenter/s6-ubuntu:${{ matrix.version }}
           context: "{{defaultContext}}:src/base/"
-          push: false
-          tags: ${IMAGE_TAG}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+          cache-from: type=local,src=/tmp/.buildx
+          cache-to: type=local,dest=/tmp/.buildx-new,mode=max
+          push: true
+          pull: true
+      - name: Swap cache path
+        run: |
+          rm -rf /tmp/.buildx
+          mv /tmp/.buildx-new /tmp/.buildx
 
-################################################################################
-################################################################################
+  ##############################################################################
+  ##############################################################################
 
   php_images:
+    needs: base_image
     runs-on: ubuntu-latest
     strategy:
       max-parallel: 3
       matrix:
-        variation:
+        php_variation:
           - cli
           - fpm
           - fpm-apache
           - fpm-nginx
-        version:
+        php_version:
           - "7.4"
           - "8.0"
           - "8.1"
         base:
+          - shinsenter/s6-ubuntu:20.04
           - shinsenter/s6-ubuntu:focal
-        platform:
-          - linux/amd64
-        name:
-          - shinsenter/php
+          - shinsenter/s6-ubuntu:latest
     env:
-      DOCKER_BUILDKIT: "1"
-      BUILD_TAG: "main-${{ github.sha }}"
-      PHP_VERSION: ${{ matrix.version }}
+      PHP_VERSION: ${{ matrix.php_version }}
       IMAGE_BASE: ${{ matrix.base }}
-      IMAGE_NAME: ${{ matrix.name }}
-      IMAGE_TAG: ${{ matrix.name }}:${{ matrix.version }}-${{ matrix.variation }}
+      IMAGE_NAME: shinsenter/php
     steps:
       - uses: actions/checkout@v2
         with:
           ref: main
       - name: Set up Docker
         uses: docker/setup-buildx-action@v1
-      - name: Cache layers
+      - name: Restore cache layers
         uses: actions/cache@v2
         with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-$BUILD_TAG
+          path: /tmp/.buildx
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+      - name: Create cache path
+        run: |
+          mkdir -p /tmp/.buildx
+          docker buildx create --use
       - name: Build and push
         uses: docker/build-push-action@v2
         with:
-          context: "{{defaultContext}}:src/php/${{ matrix.variation }}/"
-          push: false
-          tags: ${IMAGE_TAG}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
-      - name: Move cache
+          platforms: linux/amd64
+          tags: shinsenter/php:${{ matrix.php_version }}-${{ matrix.php_variation }}
+          context: "{{defaultContext}}:src/php/${{ matrix.php_variation }}/"
+          cache-from: type=local,src=/tmp/.buildx
+          cache-to: type=local,dest=/tmp/.buildx-new,mode=max
+          push: true
+          pull: true
+      - name: Swap cache path
         run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+          rm -rf /tmp/.buildx
+          mv /tmp/.buildx-new /tmp/.buildx
 
 ################################################################################
 ################################################################################

src/php/cli/Dockerfile

@@ -7,7 +7,7 @@ FROM ${BASE_IMAGE:-shinsenter/s6-ubuntu:focal} as base
 ARG PHP_PPA_URL="http://ppa.launchpad.net/ondrej/php/ubuntu"
 ARG PHP_PPA_KEY="14AA40EC0831756756D7F66C4F4EA0AAE5267A6C"
 ARG PHP_SOURCES="/etc/apt/sources.list.d/ondrej-php.list"
-ARG PHP_BUILD_DEP="ca-certificates"
+ARG PHP_BUILD_DEP="ca-certificates unzip"
 
 # php version
 ENV PHP_VERSION=${PHP_VERSION:-7.4}

src/php/fpm-apache/etc/apache2/sites-available/000-default.conf

@@ -80,6 +80,6 @@
 
     # SSL Settings
     SSLEngine on
-    SSLCertificateFile /etc/ssl/web/ssl.crt
-    SSLCertificateKeyFile /etc/ssl/web/ssl.key
+    SSLCertificateFile /etc/ssl/web/server.crt
+    SSLCertificateKeyFile /etc/ssl/web/server.key
 </VirtualHost>

src/php/fpm-apache/etc/cont-init.d/20-generate-ssl

@@ -1,9 +1,9 @@
 #!/command/with-contenv bash
 
-if [ ! -f /etc/ssl/web/ssl.key ]; then
+if [ ! -f /etc/ssl/web/server.key ]; then
     echo "🔐 Generating a self-signed SSL certificate..."
     mkdir -p /etc/ssl/web/
-    openssl req -x509 -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=IT/CN=default.test" \
-                -nodes -newkey rsa:2048 -keyout /etc/ssl/web/ssl.key \
-                -out /etc/ssl/web/ssl.crt -days 365
+    openssl req -x509 -subj "/C=VN/ST=Ho_Chi_Minh/L=Ho_Chi_Minh/O=AppSeeds/OU=R&D/CN=local.dev" \
+                -nodes -newkey rsa:2048 -keyout /etc/ssl/web/server.key \
+                -out /etc/ssl/web/server.crt -days 365
 fi

src/php/fpm-apache/etc/ssl/dhparam.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

src/php/fpm-nginx/Dockerfile

@@ -19,6 +19,8 @@ RUN apt-update \
     && apt-install msmtp msmtp-mta \
     && apt-install nginx-extras \
     && service nginx stop && update-rc.d nginx disable \
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
     \
     # cleanup
     && apt-cleanup
@@ -28,6 +30,8 @@ ENV DEBUG_MODE=false
 ENV MSMTP_RELAY_SERVER_HOSTNAME=mailhog
 ENV MSMTP_RELAY_SERVER_PORT=1025
 
+ENV NGINX_DOCUMENT_ROOT=${NGINX_DOCUMENT_ROOT:-$WEBHOME}
+
 ################################################################################
 
 # main image

src/php/fpm-nginx/etc/cont-init.d/20-generate-ssl

@@ -1,9 +1,9 @@
 #!/command/with-contenv bash
 
-if [ ! -f /etc/ssl/web/ssl.key ]; then
+if [ ! -f /etc/ssl/web/server.key ]; then
     echo "🔐 Generating a self-signed SSL certificate..."
     mkdir -p /etc/ssl/web/
-    openssl req -x509 -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=IT/CN=default.test" \
-                -nodes -newkey rsa:2048 -keyout /etc/ssl/web/ssl.key \
-                -out /etc/ssl/web/ssl.crt -days 365
+    openssl req -x509 -subj "/C=VN/ST=Ho_Chi_Minh/L=Ho_Chi_Minh/O=AppSeeds/OU=R&D/CN=local.dev" \
+                -nodes -newkey rsa:2048 -keyout /etc/ssl/web/server.key \
+                -out /etc/ssl/web/server.crt -days 365
 fi

src/php/fpm-nginx/etc/nginx/server-opts.d/performance.conf → src/php/fpm-nginx/etc/nginx/extra.d/performance.conf

@@ -1,38 +1,33 @@
 # favicon.ico
 location = /favicon.ico {
-    expires       max;
-    log_not_found off;
-    access_log    off;
+    expires    max;
+    access_log off;
 }
 
 # robots.txt
 location = /robots.txt {
-    expires       7d;
-    log_not_found off;
-    access_log    off;
+    expires    7d;
+    access_log off;
 }
 
-# js, css
-location ~* \.(?:css(\.map)?|js(\.map)?)$ {
-    expires         7d;
-    access_log      off;
-    log_not_found   off;
-    try_files $uri /index.php?$query_string; 
-}
-
-# assets, media
+# media
 location ~* \.(jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
-    expires         max;
-    access_log      off;
-    log_not_found   off;
+    expires    max;
+    access_log off;
 }
 
 # svg, fonts
 location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
-    add_header      Access-Control-Allow-Origin "*";
-    expires         max;
-    access_log      off;
-    log_not_found   off;
+    add_header Access-Control-Allow-Origin "*";
+    expires    max;
+    access_log off;
+}
+
+# assets
+location ~* \.(?:css(\.map)?|js(\.map)?)$ {
+    expires    7d;
+    access_log off;
+    try_files  $uri /index.php?$query_string;
 }
 
 # gzip

src/php/fpm-nginx/etc/nginx/extra.d/remoteip.conf

@@ -0,0 +1,28 @@
+# Set RealIP header
+real_ip_header CF-Connecting-IP;
+real_ip_recursive on;
+set_real_ip_from 10.0.0.0/8;
+set_real_ip_from 172.16.0.0/12;
+set_real_ip_from 192.168.0.0/16;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;

src/php/fpm-nginx/etc/nginx/server-opts.d/security.conf → src/php/fpm-nginx/etc/nginx/extra.d/security.conf

@@ -1,3 +1,4 @@
+# Block access to dot files
 location ~ /\.(?!well-known) {
     deny all;
 }