From d06d9e2aaf1975d40a17e5fd8fe1301e555bd1ca Mon Sep 17 00:00:00 2001
From: Chris Marslender
Date: Wed, 25 Oct 2023 09:56:02 -0500
Subject: [PATCH] Add wordpress init container + nginx + php container (#50)
---
 .github/workflows/build-aptly.yml | 1 + .github/workflows/build-centos7.yml | 1 + .github/workflows/build-nginx.yml | 77 +++++++++++++++++++ .github/workflows/build-phpfpm.yml | 29 +++++++ .github/workflows/build-rocky8.yml | 1 + .github/workflows/build-ubuntu-18.04.yml | 1 + .github/workflows/build-ubuntu-20.04.yml | 1 + .github/workflows/build-ubuntu-22.04-risc.yml | 1 + .github/workflows/build-ubuntu-22.04.yml | 1 + .github/workflows/build-wordpress.yml | 45 +++++++++++ .github/workflows/super-linter.yaml | 1 + .gitignore | 2 + nginx/Dockerfile | 7 ++ nginx/nginx.conf | 42 ++++++++++ nginx/security/automattic-ipv6.txt | 2 + nginx/security/automatticips.inc.j2 | 12 +++ phpfpm/Dockerfile | 42 ++++++++++ phpfpm/opcache.ini | 9 +++ phpfpm/php.ini | 5 ++ phpfpm/zz-docker.conf | 13 ++++ wordpress/Dockerfile | 15 ++++ wordpress/copy.sh | 9 +++ 22 files changed, 317 insertions(+) create mode 100644 .github/workflows/build-nginx.yml create mode 100644 .github/workflows/build-phpfpm.yml create mode 100644 .github/workflows/build-wordpress.yml create mode 100644 nginx/Dockerfile create mode 100644 nginx/nginx.conf create mode 100644 nginx/security/automattic-ipv6.txt create mode 100644 nginx/security/automatticips.inc.j2 create mode 100644 phpfpm/Dockerfile create mode 100644 phpfpm/opcache.ini create mode 100644 phpfpm/php.ini create mode 100644 phpfpm/zz-docker.conf create mode 100644 wordpress/Dockerfile create mode 100644 wordpress/copy.sh
diff --git a/.github/workflows/build-aptly.yml b/.github/workflows/build-aptly.yml
index d43d6ff..7613a54 100644
--- a/.github/workflows/build-aptly.yml
+++ b/.github/workflows/build-aptly.yml
@@ -27,6 +27,7 @@ jobs:
 docker-context: "./aptly"
 dockerfile: "./aptly/Dockerfile"
 dockerhub_imagename: "chianetwork/aptly"
+ image_subpath: "aptly"
 secrets:
 DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-centos7.yml b/.github/workflows/build-centos7.yml
index 7a75f32..989de04 100644
--- a/.github/workflows/build-centos7.yml
+++ b/.github/workflows/build-centos7.yml
@@ -29,6 +29,7 @@ jobs:
 dockerfile: "./centos7/Dockerfile"
 dockerhub_imagename: "chianetwork/centos7-builder"
 docker-platforms: linux/amd64
+ image_subpath: "centos7-builder"
 secrets:
 DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-nginx.yml b/.github/workflows/build-nginx.yml
new file mode 100644
index 0000000..4627140
--- /dev/null
+++ b/.github/workflows/build-nginx.yml
@@ -0,0 +1,77 @@
+name: Build Nginx WordPress Image
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'nginx/*'
+ - '.github/workflows/build-nginx.yml'
+ pull_request:
+ paths:
+ - 'nginx/*'
+ - '.github/workflows/build-nginx.yml'
+ workflow_dispatch:
+ schedule:
+ - cron: '30 12 * * 5'
+
+concurrency:
+ # SHA is added to the end if on `main` to let all main workflows run
+ group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref == 'refs/heads/main' && github.sha || '' }}
+ cancel-in-progress: true
+
+jobs:
+ package:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/checkout@v4
+ with:
+ repository: '10up/nginx_configs'
+ path: nginx/nginx_configs
+
+ - name: Install j2
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y j2cli
+
+ - name: Template security configs
+ run: |
+ export AUTOMATTIC_IPV4_BLOCKS=$(curl -s https://jetpack.com/ips-v4.txt)
+ export AUTOMATTIC_IPV6_BLOCKS=$(cat nginx/security/automattic-ipv6.txt)
+ j2 -o nginx/security/automatticips.inc nginx/security/automatticips.inc.j2
+ # Also remove the 10up version of automattic ips that doesn't automatically update
+ rm nginx/nginx_configs/security/automatticips.inc
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: |
+ ghcr.io/${{ github.repository }}/nginx
+ tags: |
+ type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
+ type=sha,format=long
+
+ - name: Build Docker Container
+ uses: docker/build-push-action@v3
+ with:
+ context: nginx
+ file: nginx/Dockerfile
+ platforms: "linux/amd64,linux/arm64"
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
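Review bot: In the `Template security configs` step, `curl -s https://jetpack.com/ips-v4.txt` has no `--fail`, so an HTTP error body is rendered into the `$is_automattic_ip` geo allowlist as if it were CIDR entries (nginx then refuses the config at container start), while an empty body silently ships an image whose IPv4 allowlist is empty. Use `curl -fsS --retry 3 https://jetpack.com/ips-v4.txt` and fail the step when the result is empty, e.g. `test -n "$AUTOMATTIC_IPV4_BLOCKS"`. The second `actions/checkout@v4` of `10up/nginx_configs` has no `ref`, so the `security/` and `includes/` trees copied into the image track that repository's default branch and the weekly `schedule` rebuild can change the shipped config with no diff here; pin a commit SHA. `push: true` also runs on `pull_request`, so PR builds are published to GHCR under the `sha` tag before review, and if the repository's default `GITHUB_TOKEN` permissions are read-only the push will need an explicit `permissions: packages: write` on the job.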
diff --git a/.github/workflows/build-phpfpm.yml b/.github/workflows/build-phpfpm.yml
new file mode 100644
index 0000000..195e350
--- /dev/null
+++ b/.github/workflows/build-phpfpm.yml
@@ -0,0 +1,29 @@
+name: Build PHPFPM Image
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'phpfpm/*'
+ - '.github/workflows/build-phpfpm.yml'
+ pull_request:
+ paths:
+ - 'phpfpm/*'
+ - '.github/workflows/build-phpfpm.yml'
+ workflow_dispatch:
+ schedule:
+ - cron: '30 12 * * 5'
+
+concurrency:
+ # SHA is added to the end if on `main` to let all main workflows run
+ group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref == 'refs/heads/main' && github.sha || '' }}
+ cancel-in-progress: true
+
+jobs:
+ build:
+ uses: Chia-Network/actions/.github/workflows/docker-build.yaml@main
+ with:
+ docker-context: "./phpfpm"
+ dockerfile: "./phpfpm/Dockerfile"
+ image_subpath: "phpfpm"
diff --git a/.github/workflows/build-rocky8.yml b/.github/workflows/build-rocky8.yml
index ed8367d..268ea86 100644
--- a/.github/workflows/build-rocky8.yml
+++ b/.github/workflows/build-rocky8.yml
@@ -27,6 +27,7 @@ jobs:
 docker-context: "./rocky8"
 dockerfile: "./rocky8/Dockerfile"
 dockerhub_imagename: "chianetwork/rocky8-builder"
+ image_subpath: "rocky8-builder"
 secrets:
 DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-ubuntu-18.04.yml b/.github/workflows/build-ubuntu-18.04.yml
index 19ba99e..4264de2 100644
--- a/.github/workflows/build-ubuntu-18.04.yml
+++ b/.github/workflows/build-ubuntu-18.04.yml
@@ -27,6 +27,7 @@ jobs:
 docker-context: "./ubuntu-18.04"
 dockerfile: "./ubuntu-18.04/Dockerfile"
 dockerhub_imagename: "chianetwork/ubuntu-18.04-builder"
+ image_subpath: "ubuntu-18.04-builder"
 secrets:
 DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
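Review bot: `uses: Chia-Network/actions/.github/workflows/docker-build.yaml@main` pins the reusable build-and-publish workflow to a mutable branch, so a change on that branch is picked up by the weekly `schedule` run and published under this repository's image name without any diff here; the new `build-wordpress.yml` in this commit does the same. Pinning to a release tag or a full commit SHA keeps the publishing path reviewable. Unlike the existing builder workflows touched in this patch, no `secrets:` block is forwarded, presumably because this image goes only to GHCR with the job token; a one-line comment, `# GHCR only; no Docker Hub credentials needed`, would make that read as intentional rather than an omission.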
diff --git a/.github/workflows/build-ubuntu-20.04.yml b/.github/workflows/build-ubuntu-20.04.yml
index 6e1fd4f..fdc2012 100644
--- a/.github/workflows/build-ubuntu-20.04.yml
+++ b/.github/workflows/build-ubuntu-20.04.yml
@@ -27,6 +27,7 @@ jobs:
 docker-context: "./ubuntu-20.04"
 dockerfile: "./ubuntu-20.04/Dockerfile"
 dockerhub_imagename: "chianetwork/ubuntu-20.04-builder"
+ image_subpath: "ubuntu-20.04-builder"
 secrets:
 DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-ubuntu-22.04-risc.yml b/.github/workflows/build-ubuntu-22.04-risc.yml
index d270a50..3889bdd 100644
--- a/.github/workflows/build-ubuntu-22.04-risc.yml
+++ b/.github/workflows/build-ubuntu-22.04-risc.yml
@@ -30,6 +30,7 @@ jobs:
 dockerfile: "./ubuntu-22.04-risc/Dockerfile"
 dockerhub_imagename: "chianetwork/ubuntu-22.04-risc-builder"
 docker-platforms: linux/riscv64
+ image_subpath: "ubuntu-22.04-risc-builder"
 secrets:
 DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-ubuntu-22.04.yml b/.github/workflows/build-ubuntu-22.04.yml
index 0a1ddf0..da17857 100644
--- a/.github/workflows/build-ubuntu-22.04.yml
+++ b/.github/workflows/build-ubuntu-22.04.yml
@@ -27,6 +27,7 @@ jobs:
 docker-context: "./ubuntu-22.04"
 dockerfile: "./ubuntu-22.04/Dockerfile"
 dockerhub_imagename: "chianetwork/ubuntu-22.04-builder"
+ image_subpath: "ubuntu-22.04-builder"
 secrets:
 DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 DOCKERHUB_PAT: ${{ secrets.DOCKERHUB_PAT }}
diff --git a/.github/workflows/build-wordpress.yml b/.github/workflows/build-wordpress.yml
new file mode 100644
index 0000000..fe1025c
--- /dev/null
+++ b/.github/workflows/build-wordpress.yml
@@ -0,0 +1,45 @@
+name: Build WordPress Image
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'wordpress/*'
+ - '.github/workflows/build-wordpress.yml'
+ pull_request:
+ paths:
+ - 'wordpress/*'
+ - '.github/workflows/build-wordpress.yml'
+ workflow_dispatch:
+ schedule:
+ - cron: '30 12 * * 5'
+
+concurrency:
+ # SHA is added to the end if on `main` to let all main workflows run
+ group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}-${{ github.ref == 'refs/heads/main' && github.sha || '' }}
+ cancel-in-progress: true
+
+jobs:
+ get_version:
+ runs-on: ubuntu-latest
+ outputs:
+ WP_VERSION: ${{ steps.wp-version.outputs.WP_VERSION }}
+ steps:
+ - name: Get latest WP version
+ id: wp-version
+ run: |
+ WP_VERSION=$(curl -s https://latest.cmm.io/wordpress)
+ echo "WP_VERSION=$WP_VERSION" >$GITHUB_OUTPUT
+
+ build:
+ uses: Chia-Network/actions/.github/workflows/docker-build.yaml@main
+ needs:
+ - get_version
+ with:
+ docker-context: "./wordpress"
+ dockerfile: "./wordpress/Dockerfile"
+ image_subpath: "wordpress"
+ build-args: |
+ WORDPRESS_VERSION="${{ needs.get_version.outputs.WP_VERSION }}"
+ additional-tag: ${{ needs.get_version.outputs.WP_VERSION }}
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
index 1426fe8..6ee36ec 100644
--- a/.github/workflows/super-linter.yaml
+++ b/.github/workflows/super-linter.yaml
@@ -26,3 +26,4 @@ jobs:
 DEFAULT_BRANCH: main
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 VALIDATE_DOCKERFILE_HADOLINT: false
+ VALIDATE_GITHUB_ACTIONS: false
diff --git a/.gitignore b/.gitignore
index 0bb838e..51d99e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 super-linter.log
+nginx/security/automatticips.inc
+nginx/nginx_configs
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
new file mode 100644
index 0000000..54b9bdf
--- /dev/null
+++ b/nginx/Dockerfile
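Review bot: `WP_VERSION=$(curl -s https://latest.cmm.io/wordpress)` takes an unvalidated string from a third-party endpoint and passes it on as the `WORDPRESS_VERSION` build arg and the `additional-tag` image tag, from where `wordpress/Dockerfile` splices it into the `wget https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz` URL; without `--fail`, an HTTP error page becomes the "version". Validate the shape before exporting it, e.g. `echo "$WP_VERSION" | grep -Eq '^[0-9]+(\.[0-9]+){1,2}$' || exit 1`, and use `curl -fsS`. `>$GITHUB_OUTPUT` truncates the step's output file instead of appending; it only works because this step sets a single output, and `>>` is the documented form. Sourcing the version from wordpress.org's own version-check API would also put the trust anchor on the same host as the download.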
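Review bot: `VALIDATE_GITHUB_ACTIONS: false` switches the workflow linter off for every file under `.github/workflows`, including the three new workflows added in this commit, with no note on what finding prompted it. If one of the new workflows tripped a specific rule, a targeted fix keeps the check for the rest; at minimum add a comment on the line, `# disabled because: <reason>`, so the exemption can be revisited.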
@@ -0,0 +1,7 @@
+FROM nginx:latest
+
+RUN mkdir -p /etc/nginx/nginx_configs
+COPY nginx_configs/security /etc/nginx/nginx_configs/security
+COPY nginx_configs/includes /etc/nginx/nginx_configs/includes
+COPY security/automatticips.inc /etc/nginx/nginx_configs/security/automatticips.inc
+COPY nginx.conf /etc/nginx/nginx.conf
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..8d0d564
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,42 @@
+user www-data;
+worker_processes auto;
+
+error_log stderr warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"'
+ '"$request_time" "$upstream_response_time" $upstream_cache_status';
+
+ access_log /dev/stdout main;
+
+ # Additional settings
+ server_names_hash_bucket_size 64;
+
+ # Include mapping of Automattic IPs to $is_automattic_ip for use in block_xmlrpc.inc.
+ # This uses the "geo" directive which can only be done in the http block.
+ include nginx_configs/security/automatticips.inc;
+
+ # List of IPs to allow to connect to xmlrpc.php. For use with block_xmlrpc.inc.
+ geo $is_xmlrpc_whitelist_ip {
+ default 0; # Block everything not in the ranges below
+ #216.151.209.64/26 1;
+ #127.0.0.1 1;
+ }
+
+ # Define PHP
+ upstream php {
+ server unix:/php-sock/php-fpm.sock;
+ }
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/nginx/security/automattic-ipv6.txt b/nginx/security/automattic-ipv6.txt
new file mode 100644
index 0000000..9ef4c2b
--- /dev/null
+++ b/nginx/security/automattic-ipv6.txt
@@ -0,0 +1,2 @@
+2001:1978:1e00:3::/64
+2620:115:c000::/40
diff --git a/nginx/security/automatticips.inc.j2 b/nginx/security/automatticips.inc.j2
new file mode 100644
index 0000000..01f99d6
--- /dev/null
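Review bot: `FROM nginx:latest` together with the weekly `schedule` rebuild in `build-nginx.yml` means every build floats to whatever nginx release is current, so the runtime can change with no commit in this repository; pin a release tag (`FROM nginx:<version>`, optionally with an `@sha256:<digest>`) and bump it deliberately. The `COPY nginx_configs/...` lines depend on a tree that is git-ignored and only exists after the CI checkout of `10up/nginx_configs`, so a local `docker build` fails without explanation; a comment such as `# nginx_configs/ is checked out from 10up/nginx_configs by build-nginx.yml` would document that.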
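Review bot: The `log_format main` string has no separator between the `"$http_x_forwarded_for"'` segment and the following `'"$request_time"` segment, so the concatenated format writes the two quoted fields back to back (`"…""…"`) and whitespace-splitting log parsers misread the line; change the third line to `'"$http_user_agent" "$http_x_forwarded_for" '`. `include /etc/nginx/conf.d/*.conf;` will also pull in the `default.conf` that the base image ships there unless it is removed in the Dockerfile or replaced by a mount, so a comment stating which is expected would help the next reader.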
+++ b/nginx/security/automatticips.inc.j2
@@ -0,0 +1,12 @@
+# Automattic IP Blocks http://whois.arin.net/rest/org/AUTOM-93/nets.
+# Can also get from https://jetpack.com/ips-v4.(txt|json)
+# The ticket here has more context on ips https://github.com/Automattic/jetpack/issues/1719
+geo $is_automattic_ip {
+ default 0; # Block everything not in the ranges below
+ {% for block in AUTOMATTIC_IPV4_BLOCKS.split('\n') if block -%}
+ {{ block }} 1;
+ {% endfor -%}
+ {% for block in AUTOMATTIC_IPV6_BLOCKS.split('\n') if block -%}
+ {{ block }} 1;
+ {% endfor %}
+}
diff --git a/phpfpm/Dockerfile b/phpfpm/Dockerfile
new file mode 100644
index 0000000..8e3d443
--- /dev/null
+++ b/phpfpm/Dockerfile
@@ -0,0 +1,42 @@
+FROM php:8.2-fpm
+
+RUN apt-get update \
+ && apt-get install -y \
+ libfreetype6-dev \
+ libjpeg62-turbo-dev \
+ libpng-dev \
+ libz-dev \
+ less \
+ imagemagick \
+ libmagickwand-dev \
+ default-mysql-client \
+ libmemcached11 \
+ libmemcachedutil2 \
+ libmemcached-dev \
+ libssl-dev \
+ libzip-dev \
+ && pecl install imagick memcached \
+ && docker-php-ext-configure opcache --enable-opcache \
+ && docker-php-ext-enable imagick memcached \
+ && docker-php-ext-install \
+ exif \
+ gd \
+ intl \
+ mysqli \
+ pdo_mysql \
+ soap \
+ sockets \
+ zip \
+ && apt-get remove -y build-essential libz-dev libmemcached-dev libssl-dev \
+ && apt-get autoremove -y \
+ && apt-get clean
+
+RUN curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar \
+ && chmod +x wp-cli.phar \
+ && mv wp-cli.phar /usr/local/bin/wp \
+ && mkdir /var/www/.wp-cli \
+ && chown www-data:www-data /var/www/.wp-cli
+
+COPY zz-docker.conf /usr/local/etc/php-fpm.d/zz-docker.conf
+COPY php.ini /usr/local/etc/php/conf.d/99-chia-php.ini
+COPY opcache.ini /usr/local/etc/php/conf.d/opcache.ini
diff --git a/phpfpm/opcache.ini b/phpfpm/opcache.ini
new file mode 100644
index 0000000..88cb7ce
--- /dev/null
+++ b/phpfpm/opcache.ini
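Review bot: `{{ block }} 1;` writes each line of the fetched list verbatim and the loop's `if block` drops only empty strings, so a CRLF-terminated response or a line with trailing whitespace leaves `\r` or spaces inside the geo entry and nginx rejects the rendered file at container start. Use `{% for block in AUTOMATTIC_IPV4_BLOCKS.split('\n') if block | trim -%}` with `{{ block | trim }} 1;` (and the same for the IPv6 loop) so the output does not depend on the line endings of either source. A header line such as `# Generated by build-nginx.yml from https://jetpack.com/ips-v4.txt and automattic-ipv6.txt - do not edit` in the template would also make the provenance visible inside the image.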
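Review bot: `curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar` installs an unversioned, unverified executable as `/usr/local/bin/wp` from a mutable branch, and without `-f` a 404 response would be installed as the binary with `+x`. Fetching a tagged release together with its published `.sha512` and comparing digests before the `mv` ties the layer to a specific, checkable artifact; the version belongs in an `ARG` so bumps are visible in diffs. The first `RUN` also leaves `/var/lib/apt/lists` in the layer; `&& rm -rf /var/lib/apt/lists/*` after `apt-get clean` is the usual close.
```dockerfile
ARG WP_CLI_VERSION=<pinned-version>
RUN curl -fsSLO "https://github.com/wp-cli/wp-cli/releases/download/v${WP_CLI_VERSION}/wp-cli-${WP_CLI_VERSION}.phar" \
    && curl -fsSLO "https://github.com/wp-cli/wp-cli/releases/download/v${WP_CLI_VERSION}/wp-cli-${WP_CLI_VERSION}.phar.sha512" \
    && [ "$(sha512sum "wp-cli-${WP_CLI_VERSION}.phar" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "wp-cli-${WP_CLI_VERSION}.phar.sha512")" ] \
    && rm "wp-cli-${WP_CLI_VERSION}.phar.sha512" \
    && chmod +x "wp-cli-${WP_CLI_VERSION}.phar" \
    && mv "wp-cli-${WP_CLI_VERSION}.phar" /usr/local/bin/wp \
    # ... unchanged: mkdir/chown of /var/www/.wp-cli ...
```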
@@ -0,0 +1,9 @@
+[opcache]
+opcache.enable=1
+opcache.revalidate_freq=0
+opcache.validate_timestamps=0
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=192
+opcache.max_wasted_percentage=10
+opcache.interned_strings_buffer=16
+opcache.jit_buffer_size=100M
diff --git a/phpfpm/php.ini b/phpfpm/php.ini
new file mode 100644
index 0000000..0efc49e
--- /dev/null
+++ b/phpfpm/php.ini
@@ -0,0 +1,5 @@
+[PHP]
+post_max_size = 100M
+upload_max_filesize = 100M
+variables_order = EGPCS
+display_errors = Off
diff --git a/phpfpm/zz-docker.conf b/phpfpm/zz-docker.conf
new file mode 100644
index 0000000..dcf21a0
--- /dev/null
+++ b/phpfpm/zz-docker.conf
@@ -0,0 +1,13 @@
+[global]
+daemonize = no
+
+[www]
+listen = /php-sock/php-fpm.sock
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0660
+
+pm.max_children = 15
+pm.start_servers = 5
+pm.min_spare_servers = 2
+pm.max_spare_servers = 5
diff --git a/wordpress/Dockerfile b/wordpress/Dockerfile
new file mode 100644
index 0000000..698d648
--- /dev/null
+++ b/wordpress/Dockerfile
@@ -0,0 +1,15 @@
+FROM alpine:latest
+ARG WORDPRESS_VERSION
+ENV WEBROOT=/var/www/html
+ENV USERID=33
+ENV GROUPID=33
+
+RUN wget https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz \
+ && tar -xvzf wordpress-${WORDPRESS_VERSION}.tar.gz \
+ && rm -f wordpress-${WORDPRESS_VERSION}.tar.gz \
+ && rm -rf /wordpress/wp-content
+
+COPY copy.sh /copy.sh
+RUN chmod +x /copy.sh
+
+ENTRYPOINT ["/copy.sh"]
diff --git a/wordpress/copy.sh b/wordpress/copy.sh
new file mode 100644
index 0000000..efab48e
--- /dev/null
+++ b/wordpress/copy.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+mkdir -p "$WEBROOT"
+
+# Chown before copy, so we don't run into conflicts with the mounted configmaps and other read-only filesystems
+chown -R "$USERID":"$GROUPID" /wordpress
+
+cp -rf /wordpress/* "$WEBROOT/"
+
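Review bot: `opcache.validate_timestamps=0` means php-fpm never re-checks a cached file, so if `wp-content` is writable at runtime and plugins or themes are updated through wp-admin, the old code keeps running until the pod restarts, which is a confusing failure mode for an image otherwise built to be immutable. If that immutability is the intent, say so in the file, `; code tree is treated as immutable; restart php-fpm after any deploy`; otherwise `opcache.validate_timestamps=1` with a non-zero `opcache.revalidate_freq` is the safer default. This assumes the deployment's `wp-content` volume can be written at runtime, which the manifests in this commit do not show.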
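Review bot: `display_errors = Off` is right for production, but `expose_php` is left at its default, so every response advertises the exact runtime in an `X-Powered-By: PHP/<version>` header; add `expose_php = Off` alongside it. `variables_order = EGPCS` also loads the container's whole environment, including any database credentials passed in, into `$_ENV`, which widens what a stray `phpinfo()` or `var_dump($_ENV)` can disclose; if WordPress only reads them through `getenv()`, the production default `GPCS` is the tighter choice, though the consuming `wp-config.php` is not in this commit to confirm.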
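Review bot: `wget https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz` is extracted into the image with no integrity check, and `FROM alpine:latest` floats the base on every weekly rebuild. wordpress.org publishes a `.tar.gz.sha1` next to each archive; downloading it and comparing against `sha1sum` before `tar` at least ties the layer to what the project published, and pinning `alpine:<version>` makes the init image reproducible. `tar -xvzf` also extracts into whatever the working directory is, which is `/` only by default; passing `-C /` states the intent, and dropping `-v` keeps the file listing out of CI logs.
```dockerfile
FROM alpine:<pinned-version>
# ... unchanged: ARG WORDPRESS_VERSION and ENV lines ...
RUN wget "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz" \
    && wget "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz.sha1" \
    && [ "$(sha1sum "wordpress-${WORDPRESS_VERSION}.tar.gz" | cut -d' ' -f1)" = "$(cat "wordpress-${WORDPRESS_VERSION}.tar.gz.sha1")" ] \
    && tar -xzf "wordpress-${WORDPRESS_VERSION}.tar.gz" -C / \
    && rm -f "wordpress-${WORDPRESS_VERSION}.tar.gz" "wordpress-${WORDPRESS_VERSION}.tar.gz.sha1" \
    && rm -rf /wordpress/wp-content
```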
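Review bot: The script has no `set -eu`, so a failing `mkdir -p "$WEBROOT"` or `chown` is ignored and `cp` still runs; with `WEBROOT` unset the `mkdir` fails and `cp -rf /wordpress/* "/"` is what executes. Add `set -eu` on the line after the shebang so the init container exits non-zero on the first failure or unset variable. `cp -rf /wordpress/*` also skips dotfiles at the top level because the glob does not match them; `cp -rf /wordpress/. "$WEBROOT/"` copies the tree regardless. A header comment giving the contract, e.g. `# WordPress init container: copies the core tree into $WEBROOT; WEBROOT/USERID/GROUPID come from the image ENV`, would help the next reader.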