Add wordpress init container + nginx + php container (#50)

Chia-Network · Oct 25, 2023 · d06d9e2 · d06d9e2
1 parent 410db62
commit d06d9e2
Show file tree

Hide file tree

Showing 22 changed files with 317 additions and 0 deletions.
diff --git a/.github/workflows/build-aptly.yml b/.github/workflows/build-aptly.yml
@@ -27,6 +27,7 @@ jobs:
       docker-context: "./aptly"
       dockerfile: "./aptly/Dockerfile"
       dockerhub_imagename: "chianetwork/aptly"
+      image_subpath: "aptly"
     secrets:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-centos7.yml b/.github/workflows/build-centos7.yml
@@ -29,6 +29,7 @@ jobs:
       dockerfile: "./centos7/Dockerfile"
       dockerhub_imagename: "chianetwork/centos7-builder"
       docker-platforms: linux/amd64
+      image_subpath: "centos7-builder"
     secrets:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-nginx.yml b/.github/workflows/build-nginx.yml
@@ -0,0 +1,77 @@
+name: Build Nginx WordPress Image
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'nginx/*'
+      - '.github/workflows/build-nginx.yml'
+  pull_request:
+    paths:
+      - 'nginx/*'
+      - '.github/workflows/build-nginx.yml'
+  workflow_dispatch:
+  schedule:
+    - cron: '30 12 * * 5'
+
+concurrency:
+  # SHA is added to the end if on `main` to let all main workflows run
+  group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref == 'refs/heads/main' && github.sha || '' }}
+  cancel-in-progress: true
+
+jobs:
+  package:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/checkout@v4
+        with:
+          repository: '10up/nginx_configs'
+          path: nginx/nginx_configs
+
+      - name: Install j2
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y j2cli
+
+      - name: Template security configs
+        run: |
+          export AUTOMATTIC_IPV4_BLOCKS=$(curl -s https://jetpack.com/ips-v4.txt)
+          export AUTOMATTIC_IPV6_BLOCKS=$(cat nginx/security/automattic-ipv6.txt)
+          j2 -o nginx/security/automatticips.inc nginx/security/automatticips.inc.j2
+          # Also remove the 10up version of automattic ips that doesn't automatically update
+          rm nginx/nginx_configs/security/automatticips.inc
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}/nginx
+          tags: |
+            type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
+            type=sha,format=long
+
+      - name: Build Docker Container
+        uses: docker/build-push-action@v3
+        with:
+          context: nginx
+          file: nginx/Dockerfile
+          platforms: "linux/amd64,linux/arm64"
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
diff --git a/.github/workflows/build-phpfpm.yml b/.github/workflows/build-phpfpm.yml
@@ -0,0 +1,29 @@
+name: Build PHPFPM Image
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'phpfpm/*'
+      - '.github/workflows/build-phpfpm.yml'
+  pull_request:
+    paths:
+      - 'phpfpm/*'
+      - '.github/workflows/build-phpfpm.yml'
+  workflow_dispatch:
+  schedule:
+    - cron: '30 12 * * 5'
+
+concurrency:
+  # SHA is added to the end if on `main` to let all main workflows run
+  group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref == 'refs/heads/main' && github.sha || '' }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    uses: Chia-Network/actions/.github/workflows/docker-build.yaml@main
+    with:
+      docker-context: "./phpfpm"
+      dockerfile: "./phpfpm/Dockerfile"
+      image_subpath: "phpfpm"
diff --git a/.github/workflows/build-rocky8.yml b/.github/workflows/build-rocky8.yml
@@ -27,6 +27,7 @@ jobs:
       docker-context: "./rocky8"
       dockerfile: "./rocky8/Dockerfile"
       dockerhub_imagename: "chianetwork/rocky8-builder"
+      image_subpath: "rocky8-builder"
     secrets:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-ubuntu-18.04.yml b/.github/workflows/build-ubuntu-18.04.yml
@@ -27,6 +27,7 @@ jobs:
       docker-context: "./ubuntu-18.04"
       dockerfile: "./ubuntu-18.04/Dockerfile"
       dockerhub_imagename: "chianetwork/ubuntu-18.04-builder"
+      image_subpath: "ubuntu-18.04-builder"
     secrets:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-ubuntu-20.04.yml b/.github/workflows/build-ubuntu-20.04.yml
@@ -27,6 +27,7 @@ jobs:
       docker-context: "./ubuntu-20.04"
       dockerfile: "./ubuntu-20.04/Dockerfile"
       dockerhub_imagename: "chianetwork/ubuntu-20.04-builder"
+      image_subpath: "ubuntu-20.04-builder"
     secrets:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-ubuntu-22.04-risc.yml b/.github/workflows/build-ubuntu-22.04-risc.yml
@@ -30,6 +30,7 @@ jobs:
       dockerfile: "./ubuntu-22.04-risc/Dockerfile"
       dockerhub_imagename: "chianetwork/ubuntu-22.04-risc-builder"
       docker-platforms: linux/riscv64
+      image_subpath: "ubuntu-22.04-risc-builder"
     secrets:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-ubuntu-22.04.yml b/.github/workflows/build-ubuntu-22.04.yml
@@ -27,6 +27,7 @@ jobs:
       docker-context: "./ubuntu-22.04"
       dockerfile: "./ubuntu-22.04/Dockerfile"
       dockerhub_imagename: "chianetwork/ubuntu-22.04-builder"
+      image_subpath: "ubuntu-22.04-builder"
     secrets:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-wordpress.yml b/.github/workflows/build-wordpress.yml
@@ -0,0 +1,45 @@
+name: Build WordPress Image
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'wordpress/*'
+      - '.github/workflows/build-wordpress.yml'
+  pull_request:
+    paths:
+      - 'wordpress/*'
+      - '.github/workflows/build-wordpress.yml'
+  workflow_dispatch:
+  schedule:
+    - cron: '30 12 * * 5'
+
+concurrency:
+  # SHA is added to the end if on `main` to let all main workflows run
+  group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref == 'refs/heads/main' && github.sha || '' }}
+  cancel-in-progress: true
+
+jobs:
+  get_version:
+    runs-on: ubuntu-latest
+    outputs:
+      WP_VERSION: ${{ steps.wp-version.outputs.WP_VERSION }}
+    steps:
+      - name: Get latest WP version
+        id: wp-version
+        run: |
+          WP_VERSION=$(curl -s https://latest.cmm.io/wordpress)
+          echo "WP_VERSION=$WP_VERSION" >$GITHUB_OUTPUT
+
+  build:
+    uses: Chia-Network/actions/.github/workflows/docker-build.yaml@main
+    needs:
+      - get_version
+    with:
+      docker-context: "./wordpress"
+      dockerfile: "./wordpress/Dockerfile"
+      image_subpath: "wordpress"
+      build-args: |
+        WORDPRESS_VERSION="${{ needs.get_version.outputs.WP_VERSION }}"
+      additional-tag: ${{ needs.get_version.outputs.WP_VERSION }}
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
@@ -26,3 +26,4 @@ jobs:
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_DOCKERFILE_HADOLINT: false
+          VALIDATE_GITHUB_ACTIONS: false
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
 super-linter.log
+nginx/security/automatticips.inc
+nginx/nginx_configs
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -0,0 +1,7 @@
+FROM nginx:latest
+
+RUN mkdir -p /etc/nginx/nginx_configs
+COPY nginx_configs/security /etc/nginx/nginx_configs/security
+COPY nginx_configs/includes /etc/nginx/nginx_configs/includes
+COPY security/automatticips.inc /etc/nginx/nginx_configs/security/automatticips.inc
+COPY nginx.conf /etc/nginx/nginx.conf
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -0,0 +1,42 @@
+user www-data;
+worker_processes  auto;
+
+error_log  stderr warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"'
+                      '"$request_time" "$upstream_response_time" $upstream_cache_status';
+
+    access_log  /dev/stdout main;
+
+    # Additional settings
+    server_names_hash_bucket_size 64;
+
+    # Include mapping of Automattic IPs to $is_automattic_ip for use in block_xmlrpc.inc.
+    # This uses the "geo" directive which can only be done in the http block.
+    include nginx_configs/security/automatticips.inc;
+
+    # List of IPs to allow to connect to xmlrpc.php. For use with block_xmlrpc.inc.
+    geo $is_xmlrpc_whitelist_ip {
+            default         0; # Block everything not in the ranges below
+            #216.151.209.64/26    1;
+            #127.0.0.1            1;
+    }
+
+    # Define PHP
+    upstream php {
+        server unix:/php-sock/php-fpm.sock;
+    }
+
+    include /etc/nginx/conf.d/*.conf;
+}
diff --git a/nginx/security/automattic-ipv6.txt b/nginx/security/automattic-ipv6.txt
@@ -0,0 +1,2 @@
+2001:1978:1e00:3::/64
+2620:115:c000::/40
diff --git a/nginx/security/automatticips.inc.j2 b/nginx/security/automatticips.inc.j2
@@ -0,0 +1,12 @@
+# Automattic IP Blocks http://whois.arin.net/rest/org/AUTOM-93/nets.
+# Can also get from https://jetpack.com/ips-v4.(txt|json)
+# The ticket here has more context on ips https://github.com/Automattic/jetpack/issues/1719
+geo $is_automattic_ip {
+  default         0; # Block everything not in the ranges below
+  {% for block in AUTOMATTIC_IPV4_BLOCKS.split('\n') if block -%}
+  {{ block }} 1;
+  {% endfor -%}
+  {% for block in AUTOMATTIC_IPV6_BLOCKS.split('\n') if block -%}
+  {{ block }} 1;
+  {% endfor %}
+}
diff --git a/phpfpm/Dockerfile b/phpfpm/Dockerfile
@@ -0,0 +1,42 @@
+FROM php:8.2-fpm
+
+RUN apt-get update \
+    && apt-get install -y \
+        libfreetype6-dev \
+        libjpeg62-turbo-dev \
+        libpng-dev \
+        libz-dev \
+        less \
+        imagemagick \
+        libmagickwand-dev \
+        default-mysql-client \
+        libmemcached11 \
+        libmemcachedutil2 \
+        libmemcached-dev \
+        libssl-dev \
+        libzip-dev \
+    && pecl install imagick memcached \
+    && docker-php-ext-configure opcache --enable-opcache \
+    && docker-php-ext-enable imagick memcached \
+    && docker-php-ext-install \
+        exif \
+        gd \
+        intl \
+        mysqli \
+        pdo_mysql \
+        soap \
+        sockets \
+        zip \
+    && apt-get remove -y build-essential libz-dev libmemcached-dev libssl-dev \
+    && apt-get autoremove -y \
+    && apt-get clean
+
+RUN curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar \
+    && chmod +x wp-cli.phar \
+    && mv wp-cli.phar /usr/local/bin/wp \
+    && mkdir /var/www/.wp-cli \
+    && chown www-data:www-data /var/www/.wp-cli
+
+COPY zz-docker.conf /usr/local/etc/php-fpm.d/zz-docker.conf
+COPY php.ini /usr/local/etc/php/conf.d/99-chia-php.ini
+COPY opcache.ini /usr/local/etc/php/conf.d/opcache.ini
diff --git a/phpfpm/opcache.ini b/phpfpm/opcache.ini
@@ -0,0 +1,9 @@
+[opcache]
+opcache.enable=1
+opcache.revalidate_freq=0
+opcache.validate_timestamps=0
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=192
+opcache.max_wasted_percentage=10
+opcache.interned_strings_buffer=16
+opcache.jit_buffer_size=100M
diff --git a/phpfpm/php.ini b/phpfpm/php.ini
@@ -0,0 +1,5 @@
+[PHP]
+post_max_size = 100M
+upload_max_filesize = 100M
+variables_order = EGPCS
+display_errors = Off
diff --git a/phpfpm/zz-docker.conf b/phpfpm/zz-docker.conf
@@ -0,0 +1,13 @@
+[global]
+daemonize = no
+
+[www]
+listen = /php-sock/php-fpm.sock
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0660
+
+pm.max_children = 15
+pm.start_servers = 5
+pm.min_spare_servers = 2
+pm.max_spare_servers = 5
diff --git a/wordpress/Dockerfile b/wordpress/Dockerfile
@@ -0,0 +1,15 @@
+FROM alpine:latest
+ARG WORDPRESS_VERSION
+ENV WEBROOT=/var/www/html
+ENV USERID=33
+ENV GROUPID=33
+
+RUN wget https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz \
+    && tar -xvzf wordpress-${WORDPRESS_VERSION}.tar.gz \
+    && rm -f wordpress-${WORDPRESS_VERSION}.tar.gz \
+    && rm -rf /wordpress/wp-content
+
+COPY copy.sh /copy.sh
+RUN chmod +x /copy.sh
+
+ENTRYPOINT ["/copy.sh"]
diff --git a/wordpress/copy.sh b/wordpress/copy.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+mkdir -p "$WEBROOT"
+
+# Chown before copy, so we don't run into conflicts with the mounted configmaps and other read-only filesystems
+chown -R "$USERID":"$GROUPID" /wordpress
+
+cp -rf /wordpress/* "$WEBROOT/"
+