From 9c3734ac8f4005880dc0b48e35756b842b28199d Mon Sep 17 00:00:00 2001
From: William Hearn <sylus1984@gmail.com>
Date: Thu, 9 May 2024 22:18:06 -0400
Subject: [PATCH] feat(docker): Own the docker configuration instead of clone

---
 .github/workflows/build.yml                  |   3 +-
 .github/workflows/dev.yml                    |   3 +-
 .gitignore                                   |   1 -
 docker/.dockerignore                         |   6 +
 docker/.gitattributes                        |   1 +
 docker/.gitignore                            |   1 +
 docker/CHANGELOG.md                          |  27 +
 docker/Dockerfile                            | 117 +++
 docker/Makefile                              | 185 +++++
 docker/README.md                             |  97 +++
 docker/bin/behat                             |  52 ++
 docker/bin/cli                               | 194 +++++
 docker/bin/composer                          |  44 +
 docker/bin/drupal                            |  46 ++
 docker/bin/drush                             |  46 ++
 docker/bin/lint                              |  19 +
 docker/bin/php                               |  38 +
 docker/bin/phpcs                             |  38 +
 docker/bin/phpmd                             |  37 +
 docker/bin/phpunit                           |  46 ++
 docker/bin/source_config                     |   8 +
 docker/certs/BaltimoreCyberTrustRoot.crt.pem |  43 +
 docker/conf/drupal/default.settings.php      | 815 ++++++++++++++++++
 docker/conf/drupal/phpcs.xml                 | 399 +++++++++
 docker/conf/drupal/phpunit.xml               |  84 ++
 docker/conf/drupal/settings.php              | 825 +++++++++++++++++++
 docker/conf/my.cnf                           |   2 +
 docker/conf/nginx.conf                       | 165 ++++
 docker/conf/php-fpm/status.conf              |   2 +
 docker/conf/php.ini                          |   7 +
 docker/conf/postgresql/load-extensions.sh    |   7 +
 docker/conf/ssmtp.conf                       |  48 ++
 docker/conf/varnish/default.vcl              | 202 +++++
 docker/conf/varnish/splash.html              |  95 +++
 docker/docker-compose.base.yml               | 162 ++++
 docker/docker-compose.ci.yml                 |  51 ++
 docker/docker-compose.mutagen.yml            |  50 ++
 docker/docker-compose.yml                    |  47 ++
 docker/example.env                           |  15 +
 docker/images/appsvc/Dockerfile              |  60 ++
 docker/images/appsvc/conf/default.vcl        | 202 +++++
 docker/images/appsvc/conf/nginx.conf         | 165 ++++
 docker/images/appsvc/conf/splash.html        |  95 +++
 docker/images/appsvc/conf/sshd/sshd_config   |  16 +
 docker/images/appsvc/conf/sshd/sshd_init.sh  |  11 +
 docker/images/appsvc/conf/sshd/sshd_setup.sh |   8 +
 docker/images/appsvc/conf/supervisord.ini    |  43 +
 docker/images/appsvc/tasks/15min/.gitkeep    |   0
 docker/images/appsvc/tasks/daily/.gitkeep    |   0
 docker/images/appsvc/tasks/hourly/core-cron  |  16 +
 docker/images/appsvc/tasks/monthly/.gitkeep  |   0
 docker/images/ci/.dockerignore               |   6 +
 docker/images/ci/Dockerfile                  |  23 +
 docker/images/ci/php.ini                     |   7 +
 docker/images/cron/.dockerignore             |   6 +
 docker/images/cron/Dockerfile                |   8 +
 docker/images/cron/tasks/15min/test          |  16 +
 docker/images/cron/tasks/daily/.gitkeep      |   0
 docker/images/cron/tasks/hourly/.gitkeep     |   0
 docker/images/cron/tasks/monthly/.gitkeep    |   0
 docker/images/dev/.dockerignore              |   6 +
 docker/images/dev/Dockerfile                 |  47 ++
 docker/images/dev/php.ini                    |  10 +
 docker/images/nginx/Dockerfile               |   9 +
 docker/load.environment.php                  |  17 +
 docker/patches/.gitkeep                      |   0
 docker/patches/curl-legacy-endpoint.patch    |  30 +
 docker/scripts/ScriptHandler.php             | 147 ++++
 68 files changed, 4973 insertions(+), 3 deletions(-)
 create mode 100644 docker/.dockerignore
 create mode 100644 docker/.gitattributes
 create mode 100644 docker/.gitignore
 create mode 100644 docker/CHANGELOG.md
 create mode 100644 docker/Dockerfile
 create mode 100644 docker/Makefile
 create mode 100644 docker/README.md
 create mode 100755 docker/bin/behat
 create mode 100755 docker/bin/cli
 create mode 100755 docker/bin/composer
 create mode 100755 docker/bin/drupal
 create mode 100755 docker/bin/drush
 create mode 100755 docker/bin/lint
 create mode 100755 docker/bin/php
 create mode 100755 docker/bin/phpcs
 create mode 100755 docker/bin/phpmd
 create mode 100755 docker/bin/phpunit
 create mode 100644 docker/bin/source_config
 create mode 100644 docker/certs/BaltimoreCyberTrustRoot.crt.pem
 create mode 100644 docker/conf/drupal/default.settings.php
 create mode 100644 docker/conf/drupal/phpcs.xml
 create mode 100644 docker/conf/drupal/phpunit.xml
 create mode 100644 docker/conf/drupal/settings.php
 create mode 100644 docker/conf/my.cnf
 create mode 100644 docker/conf/nginx.conf
 create mode 100644 docker/conf/php-fpm/status.conf
 create mode 100644 docker/conf/php.ini
 create mode 100755 docker/conf/postgresql/load-extensions.sh
 create mode 100644 docker/conf/ssmtp.conf
 create mode 100644 docker/conf/varnish/default.vcl
 create mode 100644 docker/conf/varnish/splash.html
 create mode 100644 docker/docker-compose.base.yml
 create mode 100644 docker/docker-compose.ci.yml
 create mode 100644 docker/docker-compose.mutagen.yml
 create mode 100644 docker/docker-compose.yml
 create mode 100644 docker/example.env
 create mode 100644 docker/images/appsvc/Dockerfile
 create mode 100644 docker/images/appsvc/conf/default.vcl
 create mode 100644 docker/images/appsvc/conf/nginx.conf
 create mode 100644 docker/images/appsvc/conf/splash.html
 create mode 100644 docker/images/appsvc/conf/sshd/sshd_config
 create mode 100755 docker/images/appsvc/conf/sshd/sshd_init.sh
 create mode 100755 docker/images/appsvc/conf/sshd/sshd_setup.sh
 create mode 100644 docker/images/appsvc/conf/supervisord.ini
 create mode 100644 docker/images/appsvc/tasks/15min/.gitkeep
 create mode 100644 docker/images/appsvc/tasks/daily/.gitkeep
 create mode 100755 docker/images/appsvc/tasks/hourly/core-cron
 create mode 100644 docker/images/appsvc/tasks/monthly/.gitkeep
 create mode 100644 docker/images/ci/.dockerignore
 create mode 100644 docker/images/ci/Dockerfile
 create mode 100644 docker/images/ci/php.ini
 create mode 100644 docker/images/cron/.dockerignore
 create mode 100644 docker/images/cron/Dockerfile
 create mode 100755 docker/images/cron/tasks/15min/test
 create mode 100644 docker/images/cron/tasks/daily/.gitkeep
 create mode 100644 docker/images/cron/tasks/hourly/.gitkeep
 create mode 100644 docker/images/cron/tasks/monthly/.gitkeep
 create mode 100644 docker/images/dev/.dockerignore
 create mode 100644 docker/images/dev/Dockerfile
 create mode 100644 docker/images/dev/php.ini
 create mode 100644 docker/images/nginx/Dockerfile
 create mode 100644 docker/load.environment.php
 create mode 100644 docker/patches/.gitkeep
 create mode 100644 docker/patches/curl-legacy-endpoint.patch
 create mode 100644 docker/scripts/ScriptHandler.php

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a9b2108d7..fbbe33331 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,7 +20,8 @@ jobs:
       run: |
         export DB_TYPE=mysql
         export DB_PORT=3306
-        git clone --branch 10.1.x-php8.1 https://github.com/drupalwxt/docker-scaffold.git docker
+        # Cloned this repository so you own it
+        # git clone --branch 10.1.x-php8.1 https://github.com/drupalwxt/docker-scaffold.git docker
         make build
         docker compose -f docker-compose.ci.yml up -d
         docker ps -a
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 0e362bc13..c4a3de1af 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -24,7 +24,8 @@ jobs:
       run: |
         export DB_TYPE=mysql
         export DB_PORT=3306
-        git clone --branch 10.1.x-php8.1 https://github.com/drupalwxt/docker-scaffold.git docker
+        # Cloned this repository so you own it
+        # git clone --branch 10.1.x-php8.1 https://github.com/drupalwxt/docker-scaffold.git docker
         make build
         docker compose -f docker-compose.ci.yml up -d
         docker ps -a
diff --git a/.gitignore b/.gitignore
index db6b03737..534c69b07 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,6 +35,5 @@ ddev-cron-log.txt
 **/sass/*.css
 
 # Custom
-docker
 config/sync/openid_connect.client.keycloak.yml
 files-private
diff --git a/docker/.dockerignore b/docker/.dockerignore
new file mode 100644
index 000000000..e8e1f66bf
--- /dev/null
+++ b/docker/.dockerignore
@@ -0,0 +1,6 @@
+.git
+LICENSE
+VERSION
+README.md
+Changelog.md
+Makefile
diff --git a/docker/.gitattributes b/docker/.gitattributes
new file mode 100644
index 000000000..6313b56c5
--- /dev/null
+++ b/docker/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
diff --git a/docker/.gitignore b/docker/.gitignore
new file mode 100644
index 000000000..3c3629e64
--- /dev/null
+++ b/docker/.gitignore
@@ -0,0 +1 @@
+node_modules
diff --git a/docker/CHANGELOG.md b/docker/CHANGELOG.md
new file mode 100644
index 000000000..7f5be5858
--- /dev/null
+++ b/docker/CHANGELOG.md
@@ -0,0 +1,27 @@
+# CHANGELOG
+
+## 10.0.x
+
+- TBD
+
+## 9.5.x
+
+- Instead of running `docker-compose` you must now call `docker compose`
+- The default password for a Drupal install is now set to the current year
+- You will need to update your symlinks to the new naming of the docker-compose files
+
+```sh
+ln -s docker/docker-compose.base.yml docker-compose.base.yml
+ln -s docker/docker-compose.ci.yml docker-compose.ci.yml
+ln -s docker/docker-compose.yml docker-compose.yml
+```
+
+- Please take not that docker images now using hyphens instead of underscores
+
+> "${DOCKER_IMAGE}_cli" in the `bin` folder now is called "${DOCKER_IMAGE}-cli"
+
+- The `settings.php` is no longer hardcoded and uses getenv for most parameters
+- The $DB_TYPE environment variable now controls which database is used
+- The $DB_PORT environment variable now controls which database port is used
+
+> You can see this in use by the [WxT CI Builds](https://github.com/drupalwxt/wxt/blob/4.5.x/.github/workflows/build.yml#L36)
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 000000000..453cb0ab8
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,117 @@
+# https://github.com/docker-library/drupal/blob/master/10.0/php8.1/fpm-alpine3.16/Dockerfile
+FROM drupal:10.0-php8.1-fpm-alpine
+
+ARG SSH_PRIVATE_KEY
+ARG GIT_USERNAME
+ARG GIT_PASSWORD
+
+RUN apk --update add fcgi \
+    && curl -o /usr/local/bin/php-fpm-healthcheck https://raw.githubusercontent.com/renatomefi/php-fpm-healthcheck/master/php-fpm-healthcheck \
+    && chmod +x /usr/local/bin/php-fpm-healthcheck
+COPY docker/conf/php-fpm/status.conf /usr/local/etc/php-fpm.d/
+
+HEALTHCHECK --interval=5s --timeout=10s --start-period=5s --retries=3 CMD [ "php-fpm-healthcheck" ]
+
+# Install additional extensions
+RUN apk --update add --no-cache bash \
+                                git \
+                                gzip \
+                                mysql-client \
+                                patch \
+                                postgresql-client \
+                                ssmtp \
+                                zlib-dev
+
+COPY docker/conf/ssmtp.conf /etc/ssmtp/ssmtp.conf
+RUN echo "hostname=drupalwxt.github.io" >> /etc/ssmtp/ssmtp.conf
+RUN echo 'sendmail_path = "/usr/sbin/ssmtp -t"' > /usr/local/etc/php/conf.d/mail.ini
+COPY docker/conf/php.ini /usr/local/etc/php/php.ini
+
+# Install additional php extensions
+RUN apk add --update --no-cache autoconf \
+                                icu \
+                                icu-libs \
+                                libzip-dev \
+                                gcc \
+                                g++ \
+                                make \
+                                libffi-dev \
+                                openssl-dev; \
+    \
+    apk add --no-cache --virtual .build-deps icu-dev; \
+    \
+    docker-php-ext-configure zip \
+        --with-zlib-dir=/usr; \
+    \
+    docker-php-ext-install -j "$(nproc)" \
+        bcmath \
+        intl \
+        zip; \
+    \
+    apk del .build-deps
+
+COPY docker/certs/BaltimoreCyberTrustRoot.crt.pem /etc/ssl/mysql/BaltimoreCyberTrustRoot.crt.pem
+
+# Redis
+ENV PHPREDIS_VERSION 5.3.7
+RUN mkdir -p /usr/src/php/ext/redis \
+    && curl -L https://github.com/phpredis/phpredis/archive/$PHPREDIS_VERSION.tar.gz | tar xvz -C /usr/src/php/ext/redis --strip 1 \
+    && echo 'redis' >> /usr/src/php-available-exts \
+    && docker-php-ext-install redis
+
+# Composer recommended settings
+ENV COMPOSER_ALLOW_SUPERUSER 1
+ENV COMPOSER_VERSION 2.4.4
+ENV COMPOSER_MEMORY_LIMIT -1
+ENV COMPOSER_EXIT_ON_PATCH_FAILURE 1
+
+# Check Composer
+RUN curl -o /tmp/composer-setup.php https://getcomposer.org/installer; \
+    curl -o /tmp/composer-setup.sig https://composer.github.io/installer.sig; \
+    php -r "if (hash('SHA384', file_get_contents('/tmp/composer-setup.php')) !== trim(file_get_contents('/tmp/composer-setup.sig'))) { unlink('/tmp/composer-setup.php'); echo 'Invalid installer' . PHP_EOL; exit(1); }"
+
+# Install Composer
+RUN php /tmp/composer-setup.php --no-ansi \
+                                --install-dir=/usr/local/bin \
+                                --filename=composer \
+                                --version=${COMPOSER_VERSION}; \
+    rm -rf /tmp/composer-setup.php
+
+# Install Drupal WxT
+RUN rm -f /var/www/composer.lock; \
+    rm -rf /root/.composer
+RUN rm -rf /var/www/*
+COPY scripts/ /var/www/scripts/
+COPY composer.json composer.lock /var/www/
+# Copy possible custom modules and custom themes
+COPY html/modules/custom/ /var/www/html/modules/custom/
+COPY html/themes/custom/ /var/www/html/themes/custom/
+# Copy possible config/sync and other config
+COPY config/ /var/www/config/
+# Copy possible load.environment.php
+COPY load.environment.php /var/www/
+
+WORKDIR /var/www
+
+RUN apk --update --no-cache add git openssh-client; \
+    mkdir -p /root/.ssh; echo $SSH_PRIVATE_KEY | base64 -d > /root/.ssh/id_rsa; \
+    chmod 700 /root/.ssh; chmod 600 /root/.ssh/id_rsa; \
+    ssh-keyscan github.com > /root/.ssh/known_hosts; \
+    composer install --prefer-dist \
+                     --ignore-platform-reqs \
+                     --no-interaction && \
+    rm -rf /root/.ssh && \
+    apk del openssh-client
+
+# Permissions
+WORKDIR /var/www/html
+RUN chown -R www-data:www-data sites/default
+
+# See: https://github.com/docker/docker/issues/9299
+RUN echo "export TERM=xterm" >> ~/.bashrc
+
+# Drush
+RUN ln -s /var/www/vendor/drush/drush/drush /usr/local/bin/drush
+
+# Reset Cache
+RUN php -r 'opcache_reset();'
diff --git a/docker/Makefile b/docker/Makefile
new file mode 100644
index 000000000..5d52df06a
--- /dev/null
+++ b/docker/Makefile
@@ -0,0 +1,185 @@
+include .env
+
+NAME := $(or $(BASE_IMAGE),$(BASE_IMAGE),drupalwxt/site-wxt)
+VERSION := $(or $(VERSION),$(VERSION),'latest')
+PLATFORM := $(shell uname -s)
+
+DB_NAME := $(or $(DB_NAME),$(DB_NAME),'wxt')
+DB_TYPE := $(or $(DB_TYPE),$(DB_TYPE),'mysql')
+DB_PORT := $(or $(DB_PORT),$(DB_PORT),'3306')
+PROFILE_NAME := $(or $(PROFILE_NAME),$(PROFILE_NAME),'wxt')
+
+all: base
+
+base:
+	mkdir -p config/sync html/modules/custom html/themes/custom
+	docker build -f docker/Dockerfile \
+	    -t $(NAME):$(VERSION) \
+	    --build-arg SSH_PRIVATE_KEY="$$(test -f $$HOME/.ssh/id_rsa && base64 $$HOME/.ssh/id_rsa)" \
+	    --no-cache \
+	    --build-arg http_proxy=$$HTTP_PROXY \
+	    --build-arg HTTP_PROXY=$$HTTP_PROXY \
+	    --build-arg https_proxy=$$HTTP_PROXY \
+	    --build-arg HTTPS_PROXY=$$HTTP_PROXY \
+	    --build-arg no_proxy=$$NO_PROXY \
+	    --build-arg NO_PROXY=$$NO_PROXY \
+	    --build-arg GIT_USERNAME=$(GIT_USERNAME) \
+	    --build-arg GIT_PASSWORD=$(GIT_PASSWORD) .
+
+behat:
+	./docker/bin/behat -vv -c behat.yml --colors
+
+build: all
+
+clean: clean_composer
+
+clean_composer:
+	rm -rf html
+	rm -rf vendor
+	rm -f composer.lock
+	composer clear-cache
+
+clean_docker:
+	rm -rf docker
+	git clone $(DOCKER_REPO) docker
+	[ "$(shell docker images -q --filter "dangling=true")" = "" ] || docker rmi -f $(shell docker images -q --filter "dangling=true")
+	[ "$(shell docker ps -a -q -f name=${DOCKER_NAME}_)" = "" ] || docker rm -f $(shell docker ps -a -q -f name=${DOCKER_NAME}_)
+	[ "$(shell docker images -q -f reference=${DOCKER_IMAGE}_*)" = "" ] || docker rmi -f $(shell docker images -q -f reference=*${DOCKER_IMAGE}_*)
+	[ "$(shell docker images -q -f reference=${NAME})" = "" ] || docker rmi -f $(shell docker images -q -f reference=${NAME})
+
+clean_drupal: clean_composer composer_install docker_stop docker_start drupal_install
+
+clean_site: clean_composer composer_install clean_docker base docker_build drupal_install
+	./docker/bin/drush cr
+
+composer_install:
+	composer install
+
+docker_build:
+	docker compose build --no-cache
+	docker compose up -d
+
+docker_start:
+	docker compose up -d
+
+docker_stop:
+	docker compose down
+
+drupal_cs:
+	mkdir -p html/core/
+	cp docker/conf/drupal/phpcs.xml html/core/phpcs.xml
+	cp docker/conf/drupal/phpunit.xml html/core/phpunit.xml
+
+drupal_install:
+	if [ "$(CI)" ]; then \
+		docker compose exec -T cli bash /var/www/docker/bin/cli drupal-first-run $(DB_NAME) $(DB_TYPE) $(DB_PORT) $(PROFILE_NAME); \
+	else \
+		docker compose exec cli bash /var/www/docker/bin/cli drupal-first-run $(DB_NAME) $(DB_TYPE) $(DB_PORT) $(PROFILE_NAME); \
+	fi
+
+drupal_init:
+	if [ "$(CI)" ]; then \
+		docker compose exec -T cli bash /var/www/docker/bin/cli drupal-init $(DB_NAME) $(DB_TYPE) $(DB_PORT) $(PROFILE_NAME); \
+	else \
+		docker compose exec cli bash /var/www/docker/bin/cli drupal-init $(DB_NAME) $(DB_TYPE) $(DB_PORT) $(PROFILE_NAME); \
+	fi
+
+drupal_migrate:
+	if [ "$(CI)" ]; then \
+		docker compose exec -T cli bash /var/www/docker/bin/cli drupal-migrate $(DB_NAME) $(DB_TYPE) $(DB_PORT) $(PROFILE_NAME); \
+	else \
+		docker compose exec cli bash /var/www/docker/bin/cli drupal-migrate $(DB_NAME) $(DB_TYPE) $(DB_PORT) $(PROFILE_NAME); \
+	fi
+
+drupal_perm:
+	if [ "$(CI)" ]; then \
+		docker compose exec -T cli bash /var/www/docker/bin/cli drupal-perm $(DB_NAME) $(DB_TYPE) $(DB_PORT) $(PROFILE_NAME); \
+	else \
+		docker compose exec cli bash /var/www/docker/bin/cli drupal-perm $(DB_NAME) $(DB_TYPE) $(DB_PORT) $(PROFILE_NAME); \
+	fi
+
+drush_archive:
+	./docker/bin/drush archive-dump --destination="/var/www/files_private/drupal$$(date +%Y%m%d_%H%M%S).tgz" \
+                                  --generator="Drupal"
+
+lint:
+	./docker/bin/lint
+
+# http://stackoverflow.com/questions/4219255/how-do-you-get-the-list-of-targets-in-a-makefile
+list:
+	@$(MAKE) -pRrq -f $(lastword $(MAKEFILE_LIST)) : 2>/dev/null | awk -v RS= -F: '/^# File/,/^# Finished Make data base/ {if ($$1 !~ "^[#.]") {print $$1}}' | sort | egrep -v -e '^[^[:alnum:]]' -e '^$@$$' | xargs
+
+phpcs: drupal_cs
+	./docker/bin/phpcs --config-set installed_paths /var/www/vendor/drupal/coder/coder_sniffer
+
+	./docker/bin/phpcs --standard=/var/www/html/core/phpcs.xml \
+	    --extensions=php,module,inc,install,test,profile,theme \
+	    --report=full \
+	    --colors \
+	    --ignore=/var/www/html/profiles/$(PROFILE_NAME)/modules/custom/wxt_test \
+	    --ignore=*.css \
+	    --ignore=*.txt \
+	    --ignore=*.md \
+	    --ignore=/var/www/html/*/custom/*/*.info.yml \
+	    /var/www/html/modules/contrib/wxt_library \
+	    /var/www/html/themes/contrib/wxt_bootstrap \
+	    /var/www/html/profiles/$(PROFILE_NAME)/modules/custom
+
+	./docker/bin/phpcs --standard=/var/www/html/core/phpcs.xml \
+	    --extensions=php,module,inc,install,test,profile,theme \
+	    --report=full \
+	    --colors \
+	    --ignore=*.md \
+	    -l \
+	    /var/www/html/profiles/$(PROFILE_NAME)
+
+phpunit:
+	./docker/bin/phpunit --colors=always \
+	    -c /var/www/html/core/phpunit.xml \
+	    --testsuite=kernel \
+	    --group=$(PROFILE_NAME)
+
+	./docker/bin/phpunit --colors=always \
+	    -c /var/www/html/core/phpunit.xml \
+	    --testsuite=unit \
+	    --group=$(PROFILE_NAME)
+
+release: tag_latest
+	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make base'"; false; fi
+	docker push $(NAME)
+	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
+
+tag_latest:
+	docker tag -f $(NAME):$(VERSION) $(NAME):latest
+
+test: phpcs phpunit behat
+
+update: base
+	git pull origin 8.x
+	composer update
+	docker compose build --no-cache
+	docker compose up -d
+
+.PHONY: \
+	all \
+	base \
+	behat \
+	build \
+	clean \
+	clean_composer \
+	clean_docker \
+	clean_site \
+	composer_install \
+	docker_build \
+	drupal_cs \
+	drupal_install \
+	drupal_migrate \
+	drush_archive \
+	lint \
+	list \
+	phpcs \
+	phpunit \
+	release \
+	tag_latest \
+	test \
+	update
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 000000000..83d6f03bc
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,97 @@
+# Docker Scaffold for Drupal
+
+Provides an barebones, fast, and lightweight local / CI docker environment to work with [Drupal][wxt].
+
+## Pre-Requisites
+
+You need to be using Docker Compose V2 and ensure the version >= v2.15.0.
+
+## Setup
+
+Installation is relatively straight forward as long as you are managing your site dependencies with Composer.
+
+All of these commands must be run at the root of the Composer Project where the `composer.json` file exists.
+
+Clone the docker-scaffold repository:
+
+```sh
+git clone https://github.com/drupalwxt/docker-scaffold.git docker
+```
+
+> **Note**: The `docker` folder should be added to your `.gitignore` file.
+
+Create the necessary symlinks:
+
+```sh
+ln -s docker/docker-compose.base.yml docker-compose.base.yml
+ln -s docker/docker-compose.ci.yml docker-compose.ci.yml
+ln -sf docker/docker-compose.yml docker-compose.yml
+```
+
+Create a Makefile and make any necessary adjustments:
+
+```sh
+include .env
+NAME := $(or $(BASE_IMAGE),$(BASE_IMAGE),drupalwxt/site-wxt)
+VERSION := $(or $(VERSION),$(VERSION),'latest')
+PLATFORM := $(shell uname -s)
+$(eval GIT_USERNAME := $(if $(GIT_USERNAME),$(GIT_USERNAME),github-token))
+$(eval GIT_PASSWORD := $(if $(GIT_PASSWORD),$(GIT_PASSWORD),$(CI_JOB_TOKEN)))
+DOCKER_REPO := https://github.com/drupalwxt/docker-scaffold.git
+GET_DOCKER := $(shell [ -d docker ] || git clone $(DOCKER_REPO) docker)
+include docker/Makefile
+```
+
+Create a `scripts/ScriptHandler.php` file and make any necessary adjustments:
+
+*  [ScriptHandler.php](scripts/ScriptHandler.php)
+
+Create a `load.environment.php` file and make any necessary adjustments:
+
+*  [load.environment.php](load.environment.php)
+
+Ensure your `composer.json` at the minimum has the following:
+
+```json
+"require": {
+    "vlucas/phpdotenv": "^5.1",
+    "webflo/drupal-finder": "^1.2"
+},
+"autoload": {
+    "classmap": [
+        "scripts/ScriptHandler.php"
+    ],
+    "files": ["load.environment.php"]
+},
+"scripts": {
+    "pre-install-cmd": [
+        "DrupalWxT\\WxT\\ScriptHandler::checkComposerVersion"
+    ],
+    "pre-update-cmd": [
+        "DrupalWxT\\WxT\\ScriptHandler::checkComposerVersion"
+    ],
+    "post-install-cmd": [
+        "DrupalWxT\\WxT\\ScriptHandler::createRequiredFiles"
+    ],
+    "post-update-cmd": [
+        "DrupalWxT\\WxT\\ScriptHandler::createRequiredFiles"
+    ]
+},
+```
+
+## Example
+
+You can see the docker-scaffold in use in the `site-wxt` repository:
+
+* https://github.com/drupalwxt/site-wxt
+
+## Documentation
+
+For more information please consult the documentation:
+
+* https://drupalwxt.github.io/docs/environment/containers/
+
+[composer]:                     https://getcomposer.org
+[docker-scaffold]:              https://github.com/drupalwxt/docker-scaffold.git
+[site-wxt]:                     https://github.com/drupalwxt/site-wxt
+[wxt]:                          https://github.com/drupalwxt/wxt
diff --git a/docker/bin/behat b/docker/bin/behat
new file mode 100755
index 000000000..8ed5d0635
--- /dev/null
+++ b/docker/bin/behat
@@ -0,0 +1,52 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Source all the configuration environment variables from the .env file.
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+. ${dir}/source_config
+
+if ! type docker > /dev/null; then
+  echo "Docker is required to be present on $PATH"
+  exit 0
+fi
+
+if [ -z "${BEHAT_PATH-}" ]; then
+  echo "No behat configuration detected exiting..."
+  exit
+fi
+
+if [[ "${CI:-}" ]] ; then
+  vol="-v ${PWD}/docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php \
+       -v /tmp:/tmp/"
+else
+  vol="-v ${PWD}:/var/www \
+       -v /tmp:/tmp/"
+fi
+
+HTTP_PROXY="${HTTP_PROXY:-}"
+NO_PROXY="${NO_PROXY:-}"
+DB_TYPE="${DB_TYPE:-mysql}"
+DB_PORT="${DB_PORT:-3306}"
+DB_NAME="${DB_NAME:-wxt}"
+
+docker run -i \
+  --entrypoint=/var/www/vendor/bin/behat \
+  ${vol} \
+  -w "/var/www/html/${BEHAT_PATH}" \
+  -e HTTP_PROXY=$HTTP_PROXY \
+  -e HTTPS_PROXY=$HTTP_PROXY \
+  -e http_proxy=$HTTP_PROXY \
+  -e https_proxy=$HTTP_PROXY \
+  -e NO_PROXY=hub,$NO_PROXY \
+  -e no_proxy=hub,$NO_PROXY \
+  -e BEHAT_PARAMS='{"extensions":{"Drupal\\DrupalExtension":{"drupal":{"drupal_root":"/var/www/html"}, "drush":{"root":"/var/www/html"}}, "Behat\\MinkExtension":{"base_url" : "http://nginx", "selenium2":{"wd_host":"http://hub:4444/wd/hub"}}}}' \
+  -e DB_TYPE=$DB_TYPE \
+  -e DB_PORT=$DB_PORT \
+  -e DB_NAME=$DB_NAME \
+  --sig-proxy=true \
+  --pid=host \
+  --volumes-from "${DOCKER_NAME}_web" \
+  --net "${DOCKER_IMAGE}_default" \
+  --rm \
+  "${DOCKER_IMAGE}-cli" "$@"
diff --git a/docker/bin/cli b/docker/bin/cli
new file mode 100755
index 000000000..72b883565
--- /dev/null
+++ b/docker/bin/cli
@@ -0,0 +1,194 @@
+#!/bin/bash
+
+# Docroot.
+cd /var/www/html/;
+
+# Trap.
+if [[ $# -eq 0 ]]; then
+  exit 1
+fi
+
+COMMAND=$1
+export DB_NAME="${2:-wxt}"
+export DB_TYPE="${3:-mysql}"
+export DB_PORT="${4:-3306}"
+PROFILE_NAME="${5:-wxt}"
+NFS=$6
+EXIT_VALUE=0
+
+##
+# SCRIPT COMMANDS
+##
+
+# drupal_init
+#
+# Configure the initial Drupal f.s.
+#
+drupal_init() {
+  header Configure the initial Drupal f.s.
+
+  chmod 777 /var/www/html/sites/default
+
+  if [ -f /var/www/html/sites/default/settings.php ]; then
+    chmod 777 /var/www/html/sites/default/settings.php
+    rm /var/www/html/sites/default/settings.php
+  fi
+
+  if [ -f /var/www/html/sites/default/default.settings.php ]; then
+    chmod 777 /var/www/html/sites/default/default.settings.php
+    rm /var/www/html/sites/default/default.settings.php
+  fi
+
+  cp /var/www/docker/conf/drupal/default.settings.php /var/www/html/sites/default/default.settings.php
+}
+
+# drupal_install
+#
+# Installs Drupal distribution.
+#
+drupal_install() {
+  header Install Drupal distribution
+  # We will let bash manage errors with set -e (errexit)
+  set -e
+
+  if [[ "$DB_TYPE" == "pgsql" ]]; then
+    DB_CONNECTION="pgsql://root:root@db:5432"
+  else
+    DB_CONNECTION="mysql://root:root@db:3306"
+  fi
+
+  time drush si "${PROFILE_NAME}" \
+    --sites-subdir=default \
+    --db-url="${DB_CONNECTION}"/"${DB_NAME}" \
+    --account-name=admin \
+    --account-pass=Drupal@`date +'%Y'` \
+    --site-mail=admin@example.com \
+    --site-name="Drupal Install Profile (${PROFILE_NAME})" \
+    wxt_extension_configure_form.select_all='TRUE' \
+    install_configure_form.update_status_module='array(FALSE,FALSE)' \
+    --yes
+  set +e
+}
+
+# drupal_migrate
+#
+# Initialize migrate along with default content.
+#
+drupal_migrate() {
+  header Initialize migrate and default content
+  cd /var/www/html/sites/default
+  drush migrate:import --group wxt --tag 'Core'
+  drush migrate:import --group gcweb --tag 'Core'
+  drush migrate:import --group gcweb --tag 'Menu'
+}
+
+# drupal_perm
+#
+# Configure the settings.php and files directory permissions.
+#
+drupal_perm() {
+  header Configure the settings.php and files directory permissions
+
+  if [[ $NFS != "nfs" ]]; then
+    chown -R -f :www-data /var/www/html/
+    sleep 5
+  fi
+
+  php -r 'opcache_reset();';
+
+  sleep 5
+
+  chmod 444 sites/default/settings.php
+
+  if [ ! -d /var/www/files_private ]; then
+    mkdir /var/www/files_private;
+  fi
+
+  chmod 777 -R /var/www/files_private;
+  chmod 777 -R sites/default/files
+}
+
+# drupal_updatedb
+#
+# Update Drupal with database updates.
+#
+drupal_updatedb() {
+  header Update Drupal with database updates.
+  # We will let bash manage errors with set -e (errexit)
+  set -e
+  drush -y updatedb
+  set +e
+}
+
+##
+# UTILITY FUNCTIONS:
+##
+
+# Prints a message about the section of the script.
+header() {
+  set +xv
+  echo
+  echo "** $@"
+  echo
+  set -xv
+}
+
+# Sets the exit level to error.
+set_error() {
+  EXIT_VALUE=1
+}
+
+# Runs a command and sets an error if it fails.
+run_test() {
+  if ! $@; then
+    set_error
+  fi
+}
+
+# Runs a command showing all the lines executed
+run_command() {
+  set -xv
+  $@
+  set +xv
+}
+
+##
+# SCRIPT MAIN:
+##
+
+# Capture all errors and set our overall exit value.
+trap 'set_error' ERR
+
+case $COMMAND in
+  drupal-first-run)
+    run_command drupal_init
+    run_command drupal_install
+    run_command drupal_perm
+    ;;
+
+  drupal-init)
+    run_command drupal_init
+    ;;
+
+  drupal-install)
+    run_command drupal_install
+    ;;
+
+  drupal-migrate)
+    run_command drupal_migrate
+    ;;
+
+  drupal-perm)
+    run_command drupal_perm
+    ;;
+
+  drupal-updatedb)
+    run_command drupal_updatedb
+    ;;
+
+  run-test)
+    run_command run_test
+    ;;
+esac
+
+exit $EXIT_VALUE
diff --git a/docker/bin/composer b/docker/bin/composer
new file mode 100755
index 000000000..dd65e9a69
--- /dev/null
+++ b/docker/bin/composer
@@ -0,0 +1,44 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Source all the configuration environment variables from the .env file.
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+. ${dir}/source_config
+
+if ! type docker > /dev/null; then
+  echo "Docker is required to be present on $PATH"
+  exit 0
+fi
+
+if [[ "${CI:-}" ]] ; then
+  vol="${PWD}/docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php"
+else
+  vol="${PWD}:/var/www"
+fi
+
+HTTP_PROXY="${HTTP_PROXY:-}"
+NO_PROXY="${NO_PROXY:-}"
+DB_TYPE="${DB_TYPE:-mysql}"
+DB_PORT="${DB_PORT:-3306}"
+DB_NAME="${DB_NAME:-wxt}"
+
+docker run -it \
+  --entrypoint=/usr/local/bin/composer \
+  -v ${vol} \
+  -v /tmp/:/tmp/ \
+  -e HTTP_PROXY=$HTTP_PROXY \
+  -e HTTPS_PROXY=$HTTP_PROXY \
+  -e http_proxy=$HTTP_PROXY \
+  -e https_proxy=$HTTP_PROXY \
+  -e NO_PROXY=$NO_PROXY \
+  -e no_proxy=$NO_PROXY \
+  -e DB_TYPE=$DB_TYPE \
+  -e DB_PORT=$DB_PORT \
+  -e DB_NAME=$DB_NAME \
+  --sig-proxy=true \
+  --pid=host \
+  --volumes-from "${DOCKER_NAME}_web" \
+  --net "${DOCKER_IMAGE}_default" \
+  --rm \
+  "${DOCKER_IMAGE}-cli" "$@"
diff --git a/docker/bin/drupal b/docker/bin/drupal
new file mode 100755
index 000000000..e20db30ff
--- /dev/null
+++ b/docker/bin/drupal
@@ -0,0 +1,46 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Source all the configuration environment variables from the .env file.
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+. ${dir}/source_config
+
+if ! type docker > /dev/null; then
+  echo "Docker is required to be present on $PATH"
+  exit 0
+fi
+
+if [[ "${CI:-}" ]] ; then
+  vol="-v ${PWD}/docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php \
+       -v /tmp:/tmp/"
+else
+  vol="-v ${PWD}:/var/www \
+       -v /tmp:/tmp/"
+fi
+
+HTTP_PROXY="${HTTP_PROXY:-}"
+NO_PROXY="${NO_PROXY:-}"
+DB_TYPE="${DB_TYPE:-mysql}"
+DB_PORT="${DB_PORT:-3306}"
+DB_NAME="${DB_NAME:-wxt}"
+
+docker run -it \
+  --entrypoint=/var/www/vendor/bin/drupal \
+  ${vol} \
+  -w "/var/www/html" \
+  -e HTTP_PROXY=$HTTP_PROXY \
+  -e HTTPS_PROXY=$HTTP_PROXY \
+  -e http_proxy=$HTTP_PROXY \
+  -e https_proxy=$HTTP_PROXY \
+  -e NO_PROXY=$NO_PROXY \
+  -e no_proxy=$NO_PROXY \
+  -e DB_TYPE=$DB_TYPE \
+  -e DB_PORT=$DB_PORT \
+  -e DB_NAME=$DB_NAME \
+  --sig-proxy=true \
+  --pid=host \
+  --volumes-from "${DOCKER_NAME}_web" \
+  --net "${DOCKER_IMAGE}_default" \
+  --rm \
+  "${DOCKER_IMAGE}-cli" "$@"
diff --git a/docker/bin/drush b/docker/bin/drush
new file mode 100755
index 000000000..a5c993c93
--- /dev/null
+++ b/docker/bin/drush
@@ -0,0 +1,46 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Source all the configuration environment variables from the .env file.
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+. ${dir}/source_config
+
+if ! type docker > /dev/null; then
+  echo "Docker is required to be present on $PATH"
+  exit 0
+fi
+
+if [[ "${CI:-}" ]] ; then
+  vol="-v ${PWD}/docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php \
+       -v /tmp:/tmp/"
+else
+  vol="-v ${PWD}:/var/www \
+       -v /tmp:/tmp/"
+fi
+
+HTTP_PROXY="${HTTP_PROXY:-}"
+NO_PROXY="${NO_PROXY:-}"
+DB_TYPE="${DB_TYPE:-mysql}"
+DB_PORT="${DB_PORT:-3306}"
+DB_NAME="${DB_NAME:-wxt}"
+
+docker run -i \
+  --entrypoint=/var/www/vendor/drush/drush/drush \
+  ${vol} \
+  -w "/var/www/html" \
+  -e HTTP_PROXY=$HTTP_PROXY \
+  -e HTTPS_PROXY=$HTTP_PROXY \
+  -e http_proxy=$HTTP_PROXY \
+  -e https_proxy=$HTTP_PROXY \
+  -e NO_PROXY=$NO_PROXY \
+  -e no_proxy=$NO_PROXY \
+  -e DB_TYPE=$DB_TYPE \
+  -e DB_PORT=$DB_PORT \
+  -e DB_NAME=$DB_NAME \
+  --sig-proxy=true \
+  --pid=host \
+  --volumes-from "${DOCKER_NAME}_web" \
+  --net "${DOCKER_IMAGE}_default" \
+  --rm \
+  "${DOCKER_IMAGE}-cli" "$@"
diff --git a/docker/bin/lint b/docker/bin/lint
new file mode 100755
index 000000000..c041f49b9
--- /dev/null
+++ b/docker/bin/lint
@@ -0,0 +1,19 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+IFS=$'\n\t'
+
+# Source all the configuration environment variables from the .env file.
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+. ${dir}/source_config
+
+echo "Linting Drupal Dockerfile(s) ..."
+
+find docker -type f \
+       -name Dockerfile \
+       -exec sh -c 'ls {} && \
+                    printf "\n" && \
+                    docker run \
+                               -v ${PWD}/{}:/Dockerfile:ro \
+                               --rm \
+                               hadolint/hadolint hadolint --ignore DL3006 Dockerfile' \;
diff --git a/docker/bin/php b/docker/bin/php
new file mode 100755
index 000000000..9cabf3f25
--- /dev/null
+++ b/docker/bin/php
@@ -0,0 +1,38 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Source all the configuration environment variables from the .env file.
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+. ${dir}/source_config
+
+if ! type docker > /dev/null; then
+  echo "Docker is required to be present on $PATH"
+  exit 0
+fi
+
+if [[ "${CI:-}" ]] ; then
+  vol="-v ${PWD}/docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php \
+       -v /tmp:/tmp/"
+else
+  vol="-v ${PWD}:/var/www \
+       -v /tmp:/tmp/"
+fi
+
+DB_TYPE="${DB_TYPE:-mysql}"
+DB_PORT="${DB_PORT:-3306}"
+DB_NAME="${DB_NAME:-wxt}"
+
+docker run -i \
+  --entrypoint=/usr/local/bin/php \
+  ${vol} \
+  -w "/var/www/html" \
+  -e DB_TYPE=$DB_TYPE \
+  -e DB_PORT=$DB_PORT \
+  -e DB_NAME=$DB_NAME \
+  --sig-proxy=true \
+  --pid=host \
+  --volumes-from "${DOCKER_NAME}_web" \
+  --net "${DOCKER_IMAGE}_default" \
+  --rm \
+  "${DOCKER_IMAGE}-cli" "$@"
diff --git a/docker/bin/phpcs b/docker/bin/phpcs
new file mode 100755
index 000000000..5fba68939
--- /dev/null
+++ b/docker/bin/phpcs
@@ -0,0 +1,38 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Source all the configuration environment variables from the .env file.
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+. ${dir}/source_config
+
+if ! type docker > /dev/null; then
+  echo "Docker is required to be present on $PATH"
+  exit 0
+fi
+
+if [[ "${CI:-}" ]] ; then
+  vol="-v ${PWD}/docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php \
+       -v /tmp:/tmp/ \
+       -v ${PWD}/docker/conf/drupal/phpcs.xml:/var/www/html/core/phpcs.xml"
+else
+  vol="-v ${PWD}:/var/www \
+       -v /tmp:/tmp/"
+fi
+
+DB_TYPE="${DB_TYPE:-mysql}"
+DB_PORT="${DB_PORT:-3306}"
+DB_NAME="${DB_NAME:-wxt}"
+
+docker run -i \
+  --entrypoint=/var/www/vendor/bin/phpcs \
+  ${vol} \
+  -e DB_TYPE=$DB_TYPE \
+  -e DB_PORT=$DB_PORT \
+  -e DB_NAME=$DB_NAME \
+  --sig-proxy=true \
+  --pid=host \
+  --volumes-from "${DOCKER_NAME}_web" \
+  --net "${DOCKER_IMAGE}_default" \
+  --rm \
+  "${DOCKER_IMAGE}-cli" "$@"
diff --git a/docker/bin/phpmd b/docker/bin/phpmd
new file mode 100755
index 000000000..b7d392576
--- /dev/null
+++ b/docker/bin/phpmd
@@ -0,0 +1,37 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Source all the configuration environment variables from the .env file.
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+. ${dir}/source_config
+
+if ! type docker > /dev/null; then
+  echo "Docker is required to be present on $PATH"
+  exit 0
+fi
+
+if [[ "${CI:-}" ]] ; then
+  vol="-v ${PWD}/docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php \
+       -v /tmp:/tmp/"
+else
+  vol="-v ${PWD}:/var/www \
+       -v /tmp:/tmp/"
+fi
+
+DB_TYPE="${DB_TYPE:-mysql}"
+DB_PORT="${DB_PORT:-3306}"
+DB_NAME="${DB_NAME:-wxt}"
+
+docker run -i \
+  --entrypoint=/var/www/vendor/bin/phpmd \
+  ${vol} \
+  -e DB_TYPE=$DB_TYPE \
+  -e DB_PORT=$DB_PORT \
+  -e DB_NAME=$DB_NAME \
+  --sig-proxy=true \
+  --pid=host \
+  --volumes-from "${DOCKER_NAME}_web" \
+  --net "${DOCKER_IMAGE}_default" \
+  --rm \
+  "${DOCKER_IMAGE}-cli" "$@"
diff --git a/docker/bin/phpunit b/docker/bin/phpunit
new file mode 100755
index 000000000..a85bbbd48
--- /dev/null
+++ b/docker/bin/phpunit
@@ -0,0 +1,46 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Source all the configuration environment variables from the .env file.
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+. ${dir}/source_config
+
+if ! type docker > /dev/null; then
+  echo "Docker is required to be present on $PATH"
+  exit 0
+fi
+
+if [[ "${CI:-}" ]] ; then
+  vol="-v ${PWD}/docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php \
+       -v /tmp:/tmp/ \
+       -v ${PWD}/docker/conf/drupal/phpunit.xml:/var/www/html/core/phpunit.xml"
+else
+  vol="-v ${PWD}:/var/www \
+       -v /tmp:/tmp/"
+fi
+
+DB_TYPE="${DB_TYPE:-mysql}"
+DB_PORT="${DB_PORT:-3306}"
+DB_NAME="${DB_NAME:-wxt}"
+
+if [[ "$DB_TYPE" == "pgsql" ]]; then
+  DB_CONNECTION="pgsql://root:root@db:5432"
+else
+  DB_CONNECTION="mysql://root:root@db:3306"
+fi
+
+docker run -i \
+  --entrypoint=/var/www/vendor/bin/phpunit \
+  ${vol} \
+  -w "/var/www/html" \
+  -e "SIMPLETEST_DB=${DB_CONNECTION}/${DB_NAME}" \
+  -e DB_TYPE=$DB_TYPE \
+  -e DB_PORT=$DB_PORT \
+  -e DB_NAME=$DB_NAME \
+  --sig-proxy=true \
+  --pid=host \
+  --volumes-from "${DOCKER_NAME}_web" \
+  --net "${DOCKER_IMAGE}_default" \
+  --rm \
+  "${DOCKER_IMAGE}-cli" "$@"
diff --git a/docker/bin/source_config b/docker/bin/source_config
new file mode 100644
index 000000000..6087a7a60
--- /dev/null
+++ b/docker/bin/source_config
@@ -0,0 +1,8 @@
+#!/bin/bash
+# strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Source all the configuration environment variables from the .env file.
+. ${dir}/../../.env
diff --git a/docker/certs/BaltimoreCyberTrustRoot.crt.pem b/docker/certs/BaltimoreCyberTrustRoot.crt.pem
new file mode 100644
index 000000000..1c5c71ac2
--- /dev/null
+++ b/docker/certs/BaltimoreCyberTrustRoot.crt.pem
@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
+MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
+2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
+1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
+q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
+tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
+vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
+BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
+5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
+1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
+NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
+Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
+8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
+pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
+MrY=
+-----END CERTIFICATE-----
diff --git a/docker/conf/drupal/default.settings.php b/docker/conf/drupal/default.settings.php
new file mode 100644
index 000000000..015d06402
--- /dev/null
+++ b/docker/conf/drupal/default.settings.php
@@ -0,0 +1,815 @@
+<?php
+
+// phpcs:ignoreFile
+
+/**
+ * @file
+ * Drupal site-specific configuration file.
+ *
+ * IMPORTANT NOTE:
+ * This file may have been set to read-only by the Drupal installation program.
+ * If you make changes to this file, be sure to protect it again after making
+ * your modifications. Failure to remove write permissions to this file is a
+ * security risk.
+ *
+ * In order to use the selection rules below the multisite aliasing file named
+ * sites/sites.php must be present. Its optional settings will be loaded, and
+ * the aliases in the array $sites will override the default directory rules
+ * below. See sites/example.sites.php for more information about aliases.
+ *
+ * The configuration directory will be discovered by stripping the website's
+ * hostname from left to right and pathname from right to left. The first
+ * configuration file found will be used and any others will be ignored. If no
+ * other configuration file is found then the default configuration file at
+ * 'sites/default' will be used.
+ *
+ * For example, for a fictitious site installed at
+ * https://www.drupal.org:8080/mysite/test/, the 'settings.php' file is searched
+ * for in the following directories:
+ *
+ * - sites/8080.www.drupal.org.mysite.test
+ * - sites/www.drupal.org.mysite.test
+ * - sites/drupal.org.mysite.test
+ * - sites/org.mysite.test
+ *
+ * - sites/8080.www.drupal.org.mysite
+ * - sites/www.drupal.org.mysite
+ * - sites/drupal.org.mysite
+ * - sites/org.mysite
+ *
+ * - sites/8080.www.drupal.org
+ * - sites/www.drupal.org
+ * - sites/drupal.org
+ * - sites/org
+ *
+ * - sites/default
+ *
+ * Note that if you are installing on a non-standard port number, prefix the
+ * hostname with that number. For example,
+ * https://www.drupal.org:8080/mysite/test/ could be loaded from
+ * sites/8080.www.drupal.org.mysite.test/.
+ *
+ * @see example.sites.php
+ * @see \Drupal\Core\DrupalKernel::getSitePath()
+ *
+ * In addition to customizing application settings through variables in
+ * settings.php, you can create a services.yml file in the same directory to
+ * register custom, site-specific service definitions and/or swap out default
+ * implementations with custom ones.
+ */
+
+/**
+ * Database settings:
+ *
+ * The $databases array specifies the database connection or
+ * connections that Drupal may use.  Drupal is able to connect
+ * to multiple databases, including multiple types of databases,
+ * during the same request.
+ *
+ * One example of the simplest connection array is shown below. To use the
+ * sample settings, copy and uncomment the code below between the @code and
+ * @endcode lines and paste it after the $databases declaration. You will need
+ * to replace the database username and password and possibly the host and port
+ * with the appropriate credentials for your database system.
+ *
+ * The next section describes how to customize the $databases array for more
+ * specific needs.
+ *
+ * @code
+ * $databases['default']['default'] = [
+ *   'database' => 'databasename',
+ *   'username' => 'sqlusername',
+ *   'password' => 'sqlpassword',
+ *   'host' => 'localhost',
+ *   'port' => '3306',
+ *   'driver' => 'mysql',
+ *   'prefix' => '',
+ *   'collation' => 'utf8mb4_general_ci',
+ * ];
+ * @endcode
+ */
+$databases = [];
+
+/**
+ * Customizing database settings.
+ *
+ * Many of the values of the $databases array can be customized for your
+ * particular database system. Refer to the sample in the section above as a
+ * starting point.
+ *
+ * The "driver" property indicates what Drupal database driver the
+ * connection should use.  This is usually the same as the name of the
+ * database type, such as mysql or sqlite, but not always.  The other
+ * properties will vary depending on the driver.  For SQLite, you must
+ * specify a database file name in a directory that is writable by the
+ * webserver.  For most other drivers, you must specify a
+ * username, password, host, and database name.
+ *
+ * Drupal core implements drivers for mysql, pgsql, and sqlite. Other drivers
+ * can be provided by contributed or custom modules. To use a contributed or
+ * custom driver, the "namespace" property must be set to the namespace of the
+ * driver. The code in this namespace must be autoloadable prior to connecting
+ * to the database, and therefore, prior to when module root namespaces are
+ * added to the autoloader. To add the driver's namespace to the autoloader,
+ * set the "autoload" property to the PSR-4 base directory of the driver's
+ * namespace. This is optional for projects managed with Composer if the
+ * driver's namespace is in Composer's autoloader.
+ *
+ * For each database, you may optionally specify multiple "target" databases.
+ * A target database allows Drupal to try to send certain queries to a
+ * different database if it can but fall back to the default connection if not.
+ * That is useful for primary/replica replication, as Drupal may try to connect
+ * to a replica server when appropriate and if one is not available will simply
+ * fall back to the single primary server (The terms primary/replica are
+ * traditionally referred to as master/slave in database server documentation).
+ *
+ * The general format for the $databases array is as follows:
+ * @code
+ * $databases['default']['default'] = $info_array;
+ * $databases['default']['replica'][] = $info_array;
+ * $databases['default']['replica'][] = $info_array;
+ * $databases['extra']['default'] = $info_array;
+ * @endcode
+ *
+ * In the above example, $info_array is an array of settings described above.
+ * The first line sets a "default" database that has one primary database
+ * (the second level default).  The second and third lines create an array
+ * of potential replica databases.  Drupal will select one at random for a given
+ * request as needed.  The fourth line creates a new database with a name of
+ * "extra".
+ *
+ * For MySQL, MariaDB or equivalent databases the 'isolation_level' option can
+ * be set. The recommended transaction isolation level for Drupal sites is
+ * 'READ COMMITTED'. The 'REPEATABLE READ' option is supported but can result
+ * in deadlocks, the other two options are 'READ UNCOMMITTED' and 'SERIALIZABLE'.
+ * They are available but not supported; use them at your own risk. For more
+ * info:
+ * https://dev.mysql.com/doc/refman/5.7/en/innodb-transaction-isolation-levels.html
+ *
+ * On your settings.php, change the isolation level:
+ * @code
+ * $databases['default']['default']['init_commands'] = [
+ *   'isolation_level' => 'SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED',
+ * ];
+ * @endcode
+ *
+ * You can optionally set a prefix for all database table names by using the
+ * 'prefix' setting. If a prefix is specified, the table name will be prepended
+ * with its value. Be sure to use valid database characters only, usually
+ * alphanumeric and underscore. If no prefix is desired, do not set the 'prefix'
+ * key or set its value to an empty string ''.
+ *
+ * For example, to have all database table prefixed with 'main_', set:
+ * @code
+ *   'prefix' => 'main_',
+ * @endcode
+ *
+ * Advanced users can add or override initial commands to execute when
+ * connecting to the database server, as well as PDO connection settings. For
+ * example, to enable MySQL SELECT queries to exceed the max_join_size system
+ * variable, and to reduce the database connection timeout to 5 seconds:
+ * @code
+ * $databases['default']['default'] = [
+ *   'init_commands' => [
+ *     'big_selects' => 'SET SQL_BIG_SELECTS=1',
+ *   ],
+ *   'pdo' => [
+ *     PDO::ATTR_TIMEOUT => 5,
+ *   ],
+ * ];
+ * @endcode
+ *
+ * WARNING: The above defaults are designed for database portability. Changing
+ * them may cause unexpected behavior, including potential data loss. See
+ * https://www.drupal.org/developing/api/database/configuration for more
+ * information on these defaults and the potential issues.
+ *
+ * More details can be found in the constructor methods for each driver:
+ * - \Drupal\mysql\Driver\Database\mysql\Connection::__construct()
+ * - \Drupal\pgsql\Driver\Database\pgsql\Connection::__construct()
+ * - \Drupal\sqlite\Driver\Database\sqlite\Connection::__construct()
+ *
+ * Sample Database configuration format for PostgreSQL (pgsql):
+ * @code
+ *   $databases['default']['default'] = [
+ *     'driver' => 'pgsql',
+ *     'database' => 'databasename',
+ *     'username' => 'sqlusername',
+ *     'password' => 'sqlpassword',
+ *     'host' => 'localhost',
+ *     'prefix' => '',
+ *   ];
+ * @endcode
+ *
+ * Sample Database configuration format for SQLite (sqlite):
+ * @code
+ *   $databases['default']['default'] = [
+ *     'driver' => 'sqlite',
+ *     'database' => '/path/to/databasefilename',
+ *   ];
+ * @endcode
+ *
+ * Sample Database configuration format for a driver in a contributed module:
+ * @code
+ *   $databases['default']['default'] = [
+ *     'driver' => 'my_driver',
+ *     'namespace' => 'Drupal\my_module\Driver\Database\my_driver',
+ *     'autoload' => 'modules/my_module/src/Driver/Database/my_driver/',
+ *     'database' => 'databasename',
+ *     'username' => 'sqlusername',
+ *     'password' => 'sqlpassword',
+ *     'host' => 'localhost',
+ *     'prefix' => '',
+ *   ];
+ * @endcode
+ */
+
+/**
+ * Location of the site configuration files.
+ *
+ * The $settings['config_sync_directory'] specifies the location of file system
+ * directory used for syncing configuration data. On install, the directory is
+ * created. This is used for configuration imports.
+ *
+ * The default location for this directory is inside a randomly-named
+ * directory in the public files path. The setting below allows you to set
+ * its location.
+ */
+$settings["config_sync_directory"] = '/var/www/config';
+
+/**
+ * Settings:
+ *
+ * $settings contains environment-specific configuration, such as the files
+ * directory and reverse proxy address, and temporary configuration, such as
+ * security overrides.
+ *
+ * @see \Drupal\Core\Site\Settings::get()
+ */
+
+/**
+ * Salt for one-time login links, cancel links, form tokens, etc.
+ *
+ * This variable will be set to a random value by the installer. All one-time
+ * login links will be invalidated if the value is changed. Note that if your
+ * site is deployed on a cluster of web servers, you must ensure that this
+ * variable has the same value on each server.
+ *
+ * For enhanced security, you may set this variable to the contents of a file
+ * outside your document root; you should also ensure that this file is not
+ * stored with backups of your database.
+ *
+ * Example:
+ * @code
+ *   $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
+ * @endcode
+ */
+$settings['hash_salt'] = 'default';
+
+/**
+ * Deployment identifier.
+ *
+ * Drupal's dependency injection container will be automatically invalidated and
+ * rebuilt when the Drupal core version changes. When updating contributed or
+ * custom code that changes the container, changing this identifier will also
+ * allow the container to be invalidated as soon as code is deployed.
+ */
+# $settings['deployment_identifier'] = \Drupal::VERSION;
+
+/**
+ * Access control for update.php script.
+ *
+ * If you are updating your Drupal installation using the update.php script but
+ * are not logged in using either an account with the "Administer software
+ * updates" permission or the site maintenance account (the account that was
+ * created during installation), you will need to modify the access check
+ * statement below. Change the FALSE to a TRUE to disable the access check.
+ * After finishing the upgrade, be sure to open this file again and change the
+ * TRUE back to a FALSE!
+ */
+$settings['update_free_access'] = FALSE;
+
+/**
+ * Fallback to HTTP for Update Manager and for fetching security advisories.
+ *
+ * If your site fails to connect to updates.drupal.org over HTTPS (either when
+ * fetching data on available updates, or when fetching the feed of critical
+ * security announcements), you may uncomment this setting and set it to TRUE to
+ * allow an insecure fallback to HTTP. Note that doing so will open your site up
+ * to a potential man-in-the-middle attack. You should instead attempt to
+ * resolve the issues before enabling this option.
+ * @see https://www.drupal.org/docs/system-requirements/php-requirements#openssl
+ * @see https://en.wikipedia.org/wiki/Man-in-the-middle_attack
+ * @see \Drupal\update\UpdateFetcher
+ * @see \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher
+ */
+# $settings['update_fetch_with_http_fallback'] = TRUE;
+
+/**
+ * External access proxy settings:
+ *
+ * If your site must access the Internet via a web proxy then you can enter the
+ * proxy settings here. Set the full URL of the proxy, including the port, in
+ * variables:
+ * - $settings['http_client_config']['proxy']['http']: The proxy URL for HTTP
+ *   requests.
+ * - $settings['http_client_config']['proxy']['https']: The proxy URL for HTTPS
+ *   requests.
+ * You can pass in the user name and password for basic authentication in the
+ * URLs in these settings.
+ *
+ * You can also define an array of host names that can be accessed directly,
+ * bypassing the proxy, in $settings['http_client_config']['proxy']['no'].
+ */
+# $settings['http_client_config']['proxy']['http'] = 'http://proxy_user:proxy_pass@example.com:8080';
+# $settings['http_client_config']['proxy']['https'] = 'http://proxy_user:proxy_pass@example.com:8080';
+# $settings['http_client_config']['proxy']['no'] = ['127.0.0.1', 'localhost'];
+
+/**
+ * Reverse Proxy Configuration:
+ *
+ * Reverse proxy servers are often used to enhance the performance
+ * of heavily visited sites and may also provide other site caching,
+ * security, or encryption benefits. In an environment where Drupal
+ * is behind a reverse proxy, the real IP address of the client should
+ * be determined such that the correct client IP address is available
+ * to Drupal's logging, statistics, and access management systems. In
+ * the most simple scenario, the proxy server will add an
+ * X-Forwarded-For header to the request that contains the client IP
+ * address. However, HTTP headers are vulnerable to spoofing, where a
+ * malicious client could bypass restrictions by setting the
+ * X-Forwarded-For header directly. Therefore, Drupal's proxy
+ * configuration requires the IP addresses of all remote proxies to be
+ * specified in $settings['reverse_proxy_addresses'] to work correctly.
+ *
+ * Enable this setting to get Drupal to determine the client IP from the
+ * X-Forwarded-For header. If you are unsure about this setting, do not have a
+ * reverse proxy, or Drupal operates in a shared hosting environment, this
+ * setting should remain commented out.
+ *
+ * In order for this setting to be used you must specify every possible
+ * reverse proxy IP address in $settings['reverse_proxy_addresses'].
+ * If a complete list of reverse proxies is not available in your
+ * environment (for example, if you use a CDN) you may set the
+ * $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
+ * Be aware, however, that it is likely that this would allow IP
+ * address spoofing unless more advanced precautions are taken.
+ */
+$settings['reverse_proxy'] = TRUE;
+
+/**
+ * Reverse proxy addresses.
+ *
+ * Specify every reverse proxy IP address in your environment, as an array of
+ * IPv4/IPv6 addresses or subnets in CIDR notation. This setting is required if
+ * $settings['reverse_proxy'] is TRUE.
+ */
+$settings['reverse_proxy_addresses'] = ['0.0.0.0/0'];
+
+/**
+ * Reverse proxy trusted headers.
+ *
+ * Sets which headers to trust from your reverse proxy.
+ *
+ * Common values are:
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED
+ *
+ * Note the default value of
+ * @code
+ * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED
+ * @endcode
+ * is not secure by default. The value should be set to only the specific
+ * headers the reverse proxy uses. For example:
+ * @code
+ * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO
+ * @endcode
+ * This would trust the following headers:
+ * - X_FORWARDED_FOR
+ * - X_FORWARDED_HOST
+ * - X_FORWARDED_PROTO
+ * - X_FORWARDED_PORT
+ *
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED
+ * @see \Symfony\Component\HttpFoundation\Request::setTrustedProxies
+ */
+# $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED;
+
+
+/**
+ * Page caching:
+ *
+ * By default, Drupal sends a "Vary: Cookie" HTTP header for anonymous page
+ * views. This tells a HTTP proxy that it may return a page from its local
+ * cache without contacting the web server, if the user sends the same Cookie
+ * header as the user who originally requested the cached page. Without "Vary:
+ * Cookie", authenticated users would also be served the anonymous page from
+ * the cache. If the site has mostly anonymous users except a few known
+ * editors/administrators, the Vary header can be omitted. This allows for
+ * better caching in HTTP proxies (including reverse proxies), i.e. even if
+ * clients send different cookies, they still get content served from the cache.
+ * However, authenticated users should access the site directly (i.e. not use an
+ * HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid
+ * getting cached pages from the proxy.
+ */
+# $settings['omit_vary_cookie'] = TRUE;
+
+
+/**
+ * Cache TTL for client error (4xx) responses.
+ *
+ * Items cached per-URL tend to result in a large number of cache items, and
+ * this can be problematic on 404 pages which by their nature are unbounded. A
+ * fixed TTL can be set for these items, defaulting to one hour, so that cache
+ * backends which do not support LRU can purge older entries. To disable caching
+ * of client error responses set the value to 0. Currently applies only to
+ * page_cache module.
+ */
+# $settings['cache_ttl_4xx'] = 3600;
+
+/**
+ * Expiration of cached forms.
+ *
+ * Drupal's Form API stores details of forms in a cache and these entries are
+ * kept for at least 6 hours by default. Expired entries are cleared by cron.
+ *
+ * @see \Drupal\Core\Form\FormCache::setCache()
+ */
+# $settings['form_cache_expiration'] = 21600;
+
+/**
+ * Class Loader.
+ *
+ * If the APCu extension is detected, the classloader will be optimized to use
+ * it. Set to FALSE to disable this.
+ *
+ * @see https://getcomposer.org/doc/articles/autoloader-optimization.md
+ */
+# $settings['class_loader_auto_detect'] = FALSE;
+
+/**
+ * Authorized file system operations:
+ *
+ * The Update Manager module included with Drupal provides a mechanism for
+ * site administrators to securely install missing updates for the site
+ * directly through the web user interface. On securely-configured servers,
+ * the Update manager will require the administrator to provide SSH or FTP
+ * credentials before allowing the installation to proceed; this allows the
+ * site to update the new files as the user who owns all the Drupal files,
+ * instead of as the user the webserver is running as. On servers where the
+ * webserver user is itself the owner of the Drupal files, the administrator
+ * will not be prompted for SSH or FTP credentials (note that these server
+ * setups are common on shared hosting, but are inherently insecure).
+ *
+ * Some sites might wish to disable the above functionality, and only update
+ * the code directly via SSH or FTP themselves. This setting completely
+ * disables all functionality related to these authorized file operations.
+ *
+ * @see https://www.drupal.org/node/244924
+ *
+ * Remove the leading hash signs to disable.
+ */
+# $settings['allow_authorize_operations'] = FALSE;
+
+/**
+ * Default mode for directories and files written by Drupal.
+ *
+ * Value should be in PHP Octal Notation, with leading zero.
+ */
+# $settings['file_chmod_directory'] = 0775;
+# $settings['file_chmod_file'] = 0664;
+
+/**
+ * Public file base URL:
+ *
+ * An alternative base URL to be used for serving public files. This must
+ * include any leading directory path.
+ *
+ * A different value from the domain used by Drupal to be used for accessing
+ * public files. This can be used for a simple CDN integration, or to improve
+ * security by serving user-uploaded files from a different domain or subdomain
+ * pointing to the same server. Do not include a trailing slash.
+ */
+# $settings['file_public_base_url'] = 'http://downloads.example.com/files';
+
+/**
+ * Public file path:
+ *
+ * A local file system path where public files will be stored. This directory
+ * must exist and be writable by Drupal. This directory must be relative to
+ * the Drupal installation directory and be accessible over the web.
+ */
+# $settings['file_public_path'] = 'sites/default/files';
+
+/**
+ * Additional public file schemes:
+ *
+ * Public schemes are URI schemes that allow download access to all users for
+ * all files within that scheme.
+ *
+ * The "public" scheme is always public, and the "private" scheme is always
+ * private, but other schemes, such as "https", "s3", "example", or others,
+ * can be either public or private depending on the site. By default, they're
+ * private, and access to individual files is controlled via
+ * hook_file_download().
+ *
+ * Typically, if a scheme should be public, a module makes it public by
+ * implementing hook_file_download(), and granting access to all users for all
+ * files. This could be either the same module that provides the stream wrapper
+ * for the scheme, or a different module that decides to make the scheme
+ * public. However, in cases where a site needs to make a scheme public, but
+ * is unable to add code in a module to do so, the scheme may be added to this
+ * variable, the result of which is that system_file_download() grants public
+ * access to all files within that scheme.
+ */
+# $settings['file_additional_public_schemes'] = ['example'];
+
+/**
+ * Private file path:
+ *
+ * A local file system path where private files will be stored. This directory
+ * must be absolute, outside of the Drupal installation directory and not
+ * accessible over the web.
+ *
+ * Note: Caches need to be cleared when this value is changed to make the
+ * private:// stream wrapper available to the system.
+ *
+ * See https://www.drupal.org/documentation/modules/file for more information
+ * about securing private files.
+ */
+# $settings['file_private_path'] = '';
+
+/**
+ * Temporary file path:
+ *
+ * A local file system path where temporary files will be stored. This directory
+ * must be absolute, outside of the Drupal installation directory and not
+ * accessible over the web.
+ *
+ * If this is not set, the default for the operating system will be used.
+ *
+ * @see \Drupal\Component\FileSystem\FileSystem::getOsTemporaryDirectory()
+ */
+# $settings['file_temp_path'] = '/tmp';
+
+/**
+ * Session write interval:
+ *
+ * Set the minimum interval between each session write to database.
+ * For performance reasons it defaults to 180.
+ */
+# $settings['session_write_interval'] = 180;
+
+/**
+ * String overrides:
+ *
+ * To override specific strings on your site with or without enabling the Locale
+ * module, add an entry to this list. This functionality allows you to change
+ * a small number of your site's default English language interface strings.
+ *
+ * Remove the leading hash signs to enable.
+ *
+ * The "en" part of the variable name, is dynamic and can be any langcode of
+ * any added language. (eg locale_custom_strings_de for german).
+ */
+# $settings['locale_custom_strings_en'][''] = [
+#   'forum'      => 'Discussion board',
+#   '@count min' => '@count minutes',
+# ];
+
+/**
+ * A custom theme for the offline page:
+ *
+ * This applies when the site is explicitly set to maintenance mode through the
+ * administration page or when the database is inactive due to an error.
+ * The template file should also be copied into the theme. It is located inside
+ * 'core/modules/system/templates/maintenance-page.html.twig'.
+ *
+ * Note: This setting does not apply to installation and update pages.
+ */
+# $settings['maintenance_theme'] = 'claro';
+
+/**
+ * PHP settings:
+ *
+ * To see what PHP settings are possible, including whether they can be set at
+ * runtime (by using ini_set()), read the PHP documentation:
+ * http://php.net/manual/ini.list.php
+ * See \Drupal\Core\DrupalKernel::bootEnvironment() for required runtime
+ * settings and the .htaccess file for non-runtime settings.
+ * Settings defined there should not be duplicated here so as to avoid conflict
+ * issues.
+ */
+
+/**
+ * If you encounter a situation where users post a large amount of text, and
+ * the result is stripped out upon viewing but can still be edited, Drupal's
+ * output filter may not have sufficient memory to process it.  If you
+ * experience this issue, you may wish to uncomment the following two lines
+ * and increase the limits of these variables.  For more information, see
+ * http://php.net/manual/pcre.configuration.php.
+ */
+# ini_set('pcre.backtrack_limit', 200000);
+# ini_set('pcre.recursion_limit', 200000);
+
+/**
+ * Configuration overrides.
+ *
+ * To globally override specific configuration values for this site,
+ * set them here. You usually don't need to use this feature. This is
+ * useful in a configuration file for a vhost or directory, rather than
+ * the default settings.php.
+ *
+ * Note that any values you provide in these variable overrides will not be
+ * viewable from the Drupal administration interface. The administration
+ * interface displays the values stored in configuration so that you can stage
+ * changes to other environments that don't have the overrides.
+ *
+ * There are particular configuration values that are risky to override. For
+ * example, overriding the list of installed modules in 'core.extension' is not
+ * supported as module install or uninstall has not occurred. Other examples
+ * include field storage configuration, because it has effects on database
+ * structure, and 'core.menu.static_menu_link_overrides' since this is cached in
+ * a way that is not config override aware. Also, note that changing
+ * configuration values in settings.php will not fire any of the configuration
+ * change events.
+ */
+# $config['system.site']['name'] = 'My Drupal site';
+# $config['user.settings']['anonymous'] = 'Visitor';
+
+/**
+ * Load services definition file.
+ */
+$settings['container_yamls'][] = $app_root . '/' . $site_path . '/services.yml';
+
+/**
+ * Override the default service container class.
+ *
+ * This is useful for example to trace the service container for performance
+ * tracking purposes, for testing a service container with an error condition or
+ * to test a service container that throws an exception.
+ */
+# $settings['container_base_class'] = '\Drupal\Core\DependencyInjection\Container';
+
+/**
+ * Override the default yaml parser class.
+ *
+ * Provide a fully qualified class name here if you would like to provide an
+ * alternate implementation YAML parser. The class must implement the
+ * \Drupal\Component\Serialization\SerializationInterface interface.
+ */
+# $settings['yaml_parser_class'] = NULL;
+
+/**
+ * Trusted host configuration.
+ *
+ * Drupal core can use the Symfony trusted host mechanism to prevent HTTP Host
+ * header spoofing.
+ *
+ * To enable the trusted host mechanism, you enable your allowable hosts
+ * in $settings['trusted_host_patterns']. This should be an array of regular
+ * expression patterns, without delimiters, representing the hosts you would
+ * like to allow.
+ *
+ * For example:
+ * @code
+ * $settings['trusted_host_patterns'] = [
+ *   '^www\.example\.com$',
+ * ];
+ * @endcode
+ * will allow the site to only run from www.example.com.
+ *
+ * If you are running multisite, or if you are running your site from
+ * different domain names (eg, you don't redirect http://www.example.com to
+ * http://example.com), you should specify all of the host patterns that are
+ * allowed by your site.
+ *
+ * For example:
+ * @code
+ * $settings['trusted_host_patterns'] = [
+ *   '^example\.com$',
+ *   '^.+\.example\.com$',
+ *   '^example\.org$',
+ *   '^.+\.example\.org$',
+ * ];
+ * @endcode
+ * will allow the site to run off of all variants of example.com and
+ * example.org, with all subdomains included.
+ *
+ * @see https://www.drupal.org/docs/installing-drupal/trusted-host-settings
+ */
+
+/**
+ * The default list of directories that will be ignored by Drupal's file API.
+ *
+ * By default ignore node_modules and bower_components folders to avoid issues
+ * with common frontend tools and recursive scanning of directories looking for
+ * extensions.
+ *
+ * @see \Drupal\Core\File\FileSystemInterface::scanDirectory()
+ * @see \Drupal\Core\Extension\ExtensionDiscovery::scanDirectory()
+ */
+$settings['file_scan_ignore_directories'] = [
+  'node_modules',
+  'bower_components',
+];
+
+/**
+ * The default number of entities to update in a batch process.
+ *
+ * This is used by update and post-update functions that need to go through and
+ * change all the entities on a site, so it is useful to increase this number
+ * if your hosting configuration (i.e. RAM allocation, CPU speed) allows for a
+ * larger number of entities to be processed in a single batch run.
+ */
+$settings['entity_update_batch_size'] = 50;
+
+/**
+ * Entity update backup.
+ *
+ * This is used to inform the entity storage handler that the backup tables as
+ * well as the original entity type and field storage definitions should be
+ * retained after a successful entity update process.
+ */
+$settings['entity_update_backup'] = TRUE;
+
+/**
+ * Node migration type.
+ *
+ * This is used to force the migration system to use the classic node migrations
+ * instead of the default complete node migrations. The migration system will
+ * use the classic node migration only if there are existing migrate_map tables
+ * for the classic node migrations and they contain data. These tables may not
+ * exist if you are developing custom migrations and do not want to use the
+ * complete node migrations. Set this to TRUE to force the use of the classic
+ * node migrations.
+ */
+$settings['migrate_node_migrate_type_classic'] = FALSE;
+
+/**
+ * The default settings for migration sources.
+ *
+ * These settings are used as the default settings on the Credential form at
+ * /upgrade/credentials.
+ *
+ * - migrate_source_version - The version of the source database. This can be
+ *   '6' or '7'. Defaults to '7'.
+ * - migrate_source_connection - The key in the $databases array for the source
+ *   site.
+ * - migrate_file_public_path - The location of the source Drupal 6 or Drupal 7
+ *   public files. This can be a local file directory containing the source
+ *   Drupal 6 or Drupal 7 site (e.g /var/www/docroot), or the site address
+ *   (e.g http://example.com).
+ * - migrate_file_private_path - The location of the source Drupal 7 private
+ *   files. This can be a local file directory containing the source Drupal 7
+ *   site (e.g /var/www/docroot), or empty to use the same value as Public
+ *   files directory.
+ *
+ * Sample configuration for a drupal 6 source site with the source files in a
+ * local directory.
+ *
+ * @code
+ * $settings['migrate_source_version'] = '6';
+ * $settings['migrate_source_connection'] = 'migrate';
+ * $settings['migrate_file_public_path'] = '/var/www/drupal6';
+ * @endcode
+ *
+ * Sample configuration for a drupal 7 source site with public source files on
+ * the source site and the private files in a local directory.
+ *
+ * @code
+ * $settings['migrate_source_version'] = '7';
+ * $settings['migrate_source_connection'] = 'migrate';
+ * $settings['migrate_file_public_path'] = 'https://drupal7.com';
+ * $settings['migrate_file_private_path'] = '/var/www/drupal7';
+ * @endcode
+ */
+# $settings['migrate_source_connection'] = '';
+# $settings['migrate_source_version'] = '';
+# $settings['migrate_file_public_path'] = '';
+# $settings['migrate_file_private_path'] = '';
+
+/**
+ * Load local development override configuration, if available.
+ *
+ * Create a settings.local.php file to override variables on secondary (staging,
+ * development, etc.) installations of this site.
+ *
+ * Typical uses of settings.local.php include:
+ * - Disabling caching.
+ * - Disabling JavaScript/CSS compression.
+ * - Rerouting outgoing emails.
+ *
+ * Keep this code block at the end of this file to take full effect.
+ */
+#
+# if (file_exists($app_root . '/' . $site_path . '/settings.local.php')) {
+#   include $app_root . '/' . $site_path . '/settings.local.php';
+# }
diff --git a/docker/conf/drupal/phpcs.xml b/docker/conf/drupal/phpcs.xml
new file mode 100644
index 000000000..c8a0dbdf8
--- /dev/null
+++ b/docker/conf/drupal/phpcs.xml
@@ -0,0 +1,399 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ruleset name="drupal_core">
+  <arg name="extensions" value="inc,install,module,php,profile,test,theme,yml"/>
+  <description>Default PHP CodeSniffer configuration for Drupal core.</description>
+
+  <!--Exclude folders used by common frontend tools. These folders match the file_scan_ignore_directories setting in default.settings.php-->
+  <exclude-pattern>*/bower_components/*</exclude-pattern>
+  <exclude-pattern>*/node_modules/*</exclude-pattern>
+  <!--Exclude third party code.-->
+  <exclude-pattern>./assets/vendor/*</exclude-pattern>
+  <!-- Exclude third-party code maintained within core that does not follow our standards. -->
+  <!-- @todo This rule may be removed when https://www.drupal.org/node/1848264 is resolved. -->
+  <exclude-pattern>./core/lib/Drupal/Component/Diff/</exclude-pattern>
+  <exclude-pattern>./core/tests/Drupal/Tests/Component/Annotation/Doctrine/</exclude-pattern>
+
+  <!--Exclude test files that are intentionally empty, or intentionally violate coding standards.-->
+  <exclude-pattern>./modules/system/tests/fixtures/HtaccessTest</exclude-pattern>
+
+  <file>.</file>
+  <file>../composer</file>
+  <file>scripts/drupal.sh</file>
+  <file>scripts/password-hash.sh</file>
+  <file>scripts/rebuild_token_calculator.sh</file>
+  <file>scripts/run-tests.sh</file>
+  <file>scripts/update-countries.sh</file>
+
+  <!-- Only include specific sniffs that pass. This ensures that, if new sniffs are added, HEAD does not fail.-->
+
+  <!-- Drupal sniffs -->
+  <rule ref="Drupal.Arrays.Array">
+    <!-- Sniff for these errors: CommaLastItem -->
+    <exclude name="Drupal.Arrays.Array.ArrayClosingIndentation"/>
+    <exclude name="Drupal.Arrays.Array.ArrayIndentation"/>
+    <exclude name="Drupal.Arrays.Array.LongLineDeclaration"/>
+  </rule>
+  <rule ref="Drupal.CSS.ClassDefinitionNameSpacing"/>
+  <rule ref="Drupal.CSS.ColourDefinition"/>
+  <rule ref="Drupal.Classes.ClassCreateInstance"/>
+  <rule ref="Drupal.Classes.ClassDeclaration"/>
+  <rule ref="Drupal.Classes.ClassFileName"/>
+  <rule ref="Drupal.Classes.FullyQualifiedNamespace"/>
+  <rule ref="Drupal.Classes.InterfaceName"/>
+  <rule ref="Drupal.Classes.PropertyDeclaration"/>
+  <rule ref="Drupal.Classes.UnusedUseStatement"/>
+  <rule ref="Drupal.Classes.UseGlobalClass"/>
+  <rule ref="Drupal.Classes.UseLeadingBackslash"/>
+  <rule ref="Drupal.Commenting.ClassComment">
+    <exclude name="Drupal.Commenting.ClassComment.Missing"/>
+  </rule>
+  <rule ref="Drupal.Commenting.DataTypeNamespace"/>
+  <rule ref="Drupal.Commenting.Deprecated"/>
+  <rule ref="Drupal.Commenting.DocComment">
+    <!-- Sniff for these errors: SpacingAfterTagGroup, WrongEnd, SpacingBetween,
+      ContentAfterOpen, SpacingBeforeShort, TagValueIndent, ShortStartSpace,
+      SpacingAfter, LongNotCapital, ShortFullStop, TagGroupSpacing, Empty,
+      TagsNotGrouped, ParamGroup -->
+    <!-- ParamNotFirst still not decided for PHPUnit-based tests.
+      @see https://www.drupal.org/node/2253915 -->
+    <exclude name="Drupal.Commenting.DocComment.LongFullStop"/>
+    <exclude name="Drupal.Commenting.DocComment.MissingShort"/>
+    <exclude name="Drupal.Commenting.DocComment.ParamNotFirst"/>
+    <exclude name="Drupal.Commenting.DocComment.ShortNotCapital"/>
+    <exclude name="Drupal.Commenting.DocComment.ShortSingleLine"/>
+    <exclude name="Drupal.Commenting.DocComment.SpacingBeforeTags"/>
+  </rule>
+  <rule ref="Drupal.Commenting.DocCommentAlignment"/>
+  <rule ref="Drupal.Commenting.DocCommentStar"/>
+  <rule ref="Drupal.Commenting.FileComment"/>
+  <rule ref="Drupal.Commenting.FunctionComment">
+    <exclude name="Drupal.Commenting.FunctionComment.InvalidNoReturn"/>
+    <exclude name="Drupal.Commenting.FunctionComment.Missing"/>
+    <exclude name="Drupal.Commenting.FunctionComment.MissingParamType"/>
+    <exclude name="Drupal.Commenting.FunctionComment.MissingReturnComment"/>
+    <exclude name="Drupal.Commenting.FunctionComment.MissingReturnType"/>
+    <exclude name="Drupal.Commenting.FunctionComment.ParamCommentFullStop"/>
+    <exclude name="Drupal.Commenting.FunctionComment.TypeHintMissing"/>
+  </rule>
+  <rule ref="Drupal.Commenting.GenderNeutralComment"/>
+  <rule ref="Drupal.Commenting.HookComment"/>
+  <rule ref="Drupal.Commenting.InlineComment">
+    <!-- Sniff for: NoSpaceBefore, SpacingBefore, WrongStyle -->
+    <exclude name="Drupal.Commenting.InlineComment.DocBlock"/>
+    <exclude name="Drupal.Commenting.InlineComment.InvalidEndChar"/>
+    <exclude name="Drupal.Commenting.InlineComment.NotCapital"/>
+    <exclude name="Drupal.Commenting.InlineComment.SpacingAfter"/>
+  </rule>
+  <rule ref="Drupal.Commenting.InlineVariableComment"/>
+  <rule ref="Drupal.Commenting.PostStatementComment"/>
+  <rule ref="Drupal.Commenting.VariableComment">
+    <!-- Sniff for: DuplicateVar, EmptyVar, InlineVariableName, WrongStyle -->
+    <exclude name="Drupal.Commenting.VariableComment.IncorrectVarType"/>
+    <exclude name="Drupal.Commenting.VariableComment.Missing"/>
+    <exclude name="Drupal.Commenting.VariableComment.MissingVar"/>
+    <exclude name="Drupal.Commenting.VariableComment.VarOrder"/>
+  </rule>
+  <rule ref="Drupal.ControlStructures.ControlSignature"/>
+  <rule ref="Drupal.ControlStructures.ElseIf"/>
+  <rule ref="Drupal.ControlStructures.InlineControlStructure"/>
+  <rule ref="Drupal.Files.EndFileNewline"/>
+  <rule ref="Drupal.Files.FileEncoding"/>
+  <rule ref="Drupal.Files.TxtFileLineLength"/>
+  <rule ref="Drupal.Formatting.MultiLineAssignment"/>
+  <rule ref="Drupal.Formatting.MultipleStatementAlignment"/>
+  <rule ref="Drupal.Formatting.SpaceInlineIf"/>
+  <rule ref="Drupal.Formatting.SpaceUnaryOperator"/>
+  <rule ref="Drupal.Functions.DiscouragedFunctions"/>
+  <rule ref="Drupal.Functions.FunctionDeclaration"/>
+  <rule ref="Drupal.InfoFiles.AutoAddedKeys"/>
+  <rule ref="Drupal.InfoFiles.ClassFiles"/>
+  <rule ref="Drupal.InfoFiles.DuplicateEntry"/>
+  <rule ref="Drupal.InfoFiles.Required"/>
+  <rule ref="Drupal.Methods.MethodDeclaration">
+    <!-- Silence method name underscore warning which is covered already in
+      Drupal.NamingConventions.ValidFunctionName.ScopeNotCamelCaps. -->
+    <exclude name="Drupal.Methods.MethodDeclaration.Underscore"/>
+  </rule>
+  <rule ref="Drupal.NamingConventions.ValidClassName"/>
+  <rule ref="Drupal.NamingConventions.ValidGlobal"/>
+  <rule ref="Drupal.NamingConventions.ValidVariableName">
+    <!-- Sniff for: LowerStart -->
+    <exclude name="Drupal.NamingConventions.ValidVariableName.LowerCamelName"/>
+  </rule>
+  <rule ref="Drupal.Scope.MethodScope"/>
+  <rule ref="Drupal.Semantics.EmptyInstall"/>
+  <rule ref="Drupal.Semantics.FunctionAlias"/>
+  <rule ref="Drupal.Semantics.FunctionT">
+    <exclude name="Drupal.Semantics.FunctionT.NotLiteralString"/>
+  </rule>
+  <rule ref="Drupal.Semantics.FunctionWatchdog"/>
+  <rule ref="Drupal.Semantics.InstallHooks"/>
+  <rule ref="Drupal.Semantics.LStringTranslatable"/>
+  <rule ref="Drupal.Semantics.PregSecurity"/>
+  <rule ref="Drupal.Semantics.RemoteAddress"/>
+  <rule ref="Drupal.Semantics.TInHookMenu"/>
+  <rule ref="Drupal.Semantics.TInHookSchema"/>
+  <rule ref="Drupal.Strings.UnnecessaryStringConcat"/>
+  <rule ref="Drupal.WhiteSpace.CloseBracketSpacing"/>
+  <rule ref="Drupal.WhiteSpace.Comma"/>
+  <rule ref="Drupal.WhiteSpace.EmptyLines"/>
+  <rule ref="Drupal.WhiteSpace.Namespace"/>
+  <rule ref="Drupal.WhiteSpace.ObjectOperatorIndent"/>
+  <rule ref="Drupal.WhiteSpace.ObjectOperatorSpacing"/>
+  <rule ref="Drupal.WhiteSpace.OpenBracketSpacing"/>
+  <rule ref="Drupal.WhiteSpace.OpenTagNewline"/>
+  <rule ref="Drupal.WhiteSpace.ScopeClosingBrace"/>
+  <rule ref="Drupal.WhiteSpace.ScopeIndent"/>
+
+  <!-- Drupal Practice sniffs -->
+  <rule ref="DrupalPractice.CodeAnalysis.VariableAnalysis">
+    <!-- @todo exclude tests -->
+    <exclude-pattern>*/tests/*</exclude-pattern>
+    <!-- Do not run this sniff on API files or transliteration data. -->
+    <exclude-pattern>*.api.php</exclude-pattern>
+    <exclude-pattern>core/lib/Drupal/Component/Transliteration/data/*.php</exclude-pattern>
+    <properties>
+      <property name="allowUnusedFunctionParameters" value="true"/>
+    </properties>
+  </rule>
+  <rule ref="DrupalPractice.CodeAnalysis.VariableAnalysis.UndefinedUnsetVariable">
+    <severity>0</severity>
+  </rule>
+  <rule ref="DrupalPractice.CodeAnalysis.VariableAnalysis.UndefinedVariable">
+    <!-- Setting severity to 0 to completely disable an error message in this sniff, without excluding the whole sniff -->
+    <!-- See https://github.com/squizlabs/PHP_CodeSniffer/wiki/Configuration-Options#changing-the-default-severity-levels -->
+    <severity>0</severity>
+  </rule>
+  <rule ref="DrupalPractice.Commenting.ExpectedException"/>
+  <rule ref="DrupalPractice.General.ExceptionT"/>
+  <rule ref="DrupalPractice.InfoFiles.NamespacedDependency"/>
+
+  <!-- Generic sniffs -->
+  <rule ref="Generic.Arrays.DisallowLongArraySyntax"/>
+  <rule ref="Generic.CodeAnalysis.EmptyPHPStatement"/>
+  <rule ref="Generic.Files.ByteOrderMark"/>
+  <rule ref="Generic.Files.LineEndings"/>
+  <rule ref="Generic.Formatting.DisallowMultipleStatements"/>
+  <rule ref="Generic.Formatting.SpaceAfterCast"/>
+  <rule ref="Generic.Functions.FunctionCallArgumentSpacing"/>
+  <rule ref="Generic.Functions.OpeningFunctionBraceKernighanRitchie">
+    <properties>
+      <property name="checkClosures" value="true"/>
+    </properties>
+  </rule>
+  <rule ref="Generic.NamingConventions.ConstructorName"/>
+  <rule ref="Generic.NamingConventions.UpperCaseConstantName"/>
+  <rule ref="Generic.PHP.DeprecatedFunctions"/>
+  <rule ref="Generic.PHP.DisallowShortOpenTag"/>
+  <rule ref="Generic.PHP.LowerCaseKeyword"/>
+  <rule ref="Generic.PHP.UpperCaseConstant"/>
+  <rule ref="Generic.WhiteSpace.DisallowTabIndent"/>
+
+  <!-- Internal sniffs -->
+  <rule ref="Internal.NoCodeFound">
+    <!-- No PHP code in *.yml -->
+    <exclude-pattern>*.yml</exclude-pattern>
+  </rule>
+
+  <!-- MySource sniffs -->
+  <rule ref="MySource.Debug.DebugCode"/>
+
+  <!-- PEAR sniffs -->
+  <rule ref="PEAR.Files.IncludingFile"/>
+  <!-- Disable some error messages that we do not want. -->
+  <rule ref="PEAR.Files.IncludingFile.UseInclude">
+    <severity>0</severity>
+  </rule>
+  <rule ref="PEAR.Files.IncludingFile.UseIncludeOnce">
+    <severity>0</severity>
+  </rule>
+  <rule ref="PEAR.Files.IncludingFile.UseRequire">
+    <severity>0</severity>
+  </rule>
+  <rule ref="PEAR.Files.IncludingFile.UseRequireOnce">
+    <severity>0</severity>
+  </rule>
+  <rule ref="PEAR.Functions.FunctionCallSignature"/>
+  <!-- The sniffs inside PEAR.Functions.FunctionCallSignature silenced below are
+    also silenced in Drupal CS' ruleset.xml. The code below is a 1-on-1 copy
+    from that file. -->
+  <rule ref="PEAR.Functions.FunctionCallSignature.CloseBracketLine">
+    <severity>0</severity>
+  </rule>
+  <rule ref="PEAR.Functions.FunctionCallSignature.ContentAfterOpenBracket">
+    <severity>0</severity>
+  </rule>
+  <rule ref="PEAR.Functions.FunctionCallSignature.EmptyLine">
+    <severity>0</severity>
+  </rule>
+  <!-- Disable some error messages that we do not want. -->
+  <rule ref="PEAR.Functions.FunctionCallSignature.Indent">
+    <severity>0</severity>
+  </rule>
+  <rule ref="PEAR.Functions.FunctionCallSignature.OpeningIndent">
+    <severity>0</severity>
+  </rule>
+  <!-- Disable some error messages that we already cover. -->
+  <rule ref="PEAR.Functions.FunctionCallSignature.SpaceAfterOpenBracket">
+    <severity>0</severity>
+  </rule>
+  <rule ref="PEAR.Functions.FunctionCallSignature.SpaceBeforeCloseBracket">
+    <severity>0</severity>
+  </rule>
+  <rule ref="PEAR.Functions.ValidDefaultValue"/>
+
+  <!-- PSR-2 sniffs -->
+  <rule ref="PSR2.Classes.PropertyDeclaration">
+     <!-- Silence method name underscore warning which is covered already in
+       Drupal.Classes.PropertyDeclaration. -->
+    <exclude name="PSR2.Classes.PropertyDeclaration.Underscore"/>
+  </rule>
+  <rule ref="PSR2.Namespaces.NamespaceDeclaration"/>
+  <rule ref="PSR2.Namespaces.UseDeclaration"/>
+
+  <!-- Squiz sniffs -->
+  <rule ref="Squiz.Arrays.ArrayBracketSpacing"/>
+  <rule ref="Squiz.Arrays.ArrayDeclaration">
+    <exclude name="Squiz.Arrays.ArrayDeclaration.KeySpecified"/>
+    <exclude name="Squiz.Arrays.ArrayDeclaration.NoKeySpecified"/>
+  </rule>
+  <!-- Disable some error messages that we do not want. -->
+  <rule ref="Squiz.Arrays.ArrayDeclaration.CloseBraceNotAligned">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.DoubleArrowNotAligned">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.FirstValueNoNewline">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.KeyNotAligned">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.MultiLineNotAllowed">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.NoComma">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.NoCommaAfterLast">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.NotLowerCase">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.SingleLineNotAllowed">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.ValueNoNewline">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Arrays.ArrayDeclaration.ValueNotAligned">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.ForEachLoopDeclaration"/>
+  <!-- Disable some error messages that we already cover. -->
+  <rule ref="Squiz.ControlStructures.ForEachLoopDeclaration.AsNotLower">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.ForEachLoopDeclaration.SpaceAfterOpen">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.ForEachLoopDeclaration.SpaceBeforeClose">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.ForLoopDeclaration"/>
+  <!-- Disable some error messages that we already cover. -->
+  <rule ref="Squiz.ControlStructures.ForLoopDeclaration.SpacingAfterOpen">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.ForLoopDeclaration.SpacingBeforeClose">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration"/>
+  <!-- Disable some error messages that we do not want. -->
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.BreakIndent">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.CaseIndent">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.CloseBraceAlign">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.DefaultIndent">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.DefaultNoBreak">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.EmptyCase">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.EmptyDefault">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.MissingDefault">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.SpacingAfterCase">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.SpacingAfterDefaultBreak">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.ControlStructures.SwitchDeclaration.SpacingBeforeBreak">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Functions.FunctionDeclarationArgumentSpacing">
+    <properties>
+      <property name="equalsSpacing" value="1"/>
+    </properties>
+  </rule>
+  <rule ref="Squiz.Functions.FunctionDeclarationArgumentSpacing.NoSpaceBeforeArg">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Functions.MultiLineFunctionDeclaration"/>
+  <rule ref="Squiz.Functions.MultiLineFunctionDeclaration.BraceOnSameLine">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Functions.MultiLineFunctionDeclaration.CloseBracketLine">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Functions.MultiLineFunctionDeclaration.ContentAfterBrace">
+    <severity>0</severity>
+  </rule>
+  <!-- Standard yet to be finalized on this (https://www.drupal.org/node/1539712). -->
+  <rule ref="Squiz.Functions.MultiLineFunctionDeclaration.FirstParamSpacing">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.Functions.MultiLineFunctionDeclaration.Indent">
+    <severity>0</severity>
+  </rule>
+  <rule ref="Squiz.PHP.LowercasePHPFunctions"/>
+  <rule ref="Squiz.PHP.NonExecutableCode"/>
+  <rule ref="Squiz.Strings.ConcatenationSpacing">
+    <properties>
+      <property name="spacing" value="1"/>
+      <property name="ignoreNewlines" value="true"/>
+    </properties>
+  </rule>
+  <rule ref="Squiz.WhiteSpace.FunctionSpacing">
+    <properties>
+      <property name="spacing" value="1"/>
+    </properties>
+  </rule>
+  <rule ref="Squiz.WhiteSpace.LanguageConstructSpacing"/>
+  <rule ref="Squiz.WhiteSpace.OperatorSpacing">
+    <properties>
+      <property name="ignoreNewlines" value="true"/>
+    </properties>
+  </rule>
+  <rule ref="Squiz.WhiteSpace.ScopeKeywordSpacing"/>
+  <rule ref="Squiz.WhiteSpace.SemicolonSpacing"/>
+  <rule ref="Squiz.WhiteSpace.SuperfluousWhitespace"/>
+
+  <!-- Zend sniffs -->
+  <rule ref="Zend.Files.ClosingTag"/>
+
+</ruleset>
diff --git a/docker/conf/drupal/phpunit.xml b/docker/conf/drupal/phpunit.xml
new file mode 100644
index 000000000..66bcf0084
--- /dev/null
+++ b/docker/conf/drupal/phpunit.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- For how to customize PHPUnit configuration, see core/tests/README.md. -->
+<!-- TODO set checkForUnintentionallyCoveredCode="true" once https://www.drupal.org/node/2626832 is resolved. -->
+<!-- PHPUnit expects functional tests to be run with either a privileged user
+ or your current system user. See core/tests/README.md and
+ https://www.drupal.org/node/2116263 for details.
+-->
+<phpunit bootstrap="tests/bootstrap.php" colors="true"
+         beStrictAboutTestsThatDoNotTestAnything="true"
+         beStrictAboutOutputDuringTests="true"
+         beStrictAboutChangesToGlobalState="true"
+         failOnWarning="true"
+         printerClass="\Drupal\Tests\Listeners\HtmlOutputPrinter"
+         cacheResult="false">
+  <php>
+    <!-- Set error reporting to E_ALL. -->
+    <ini name="error_reporting" value="32767"/>
+    <!-- Do not limit the amount of memory tests take to run. -->
+    <ini name="memory_limit" value="-1"/>
+    <!-- Example SIMPLETEST_BASE_URL value: http://localhost -->
+    <env name="SIMPLETEST_BASE_URL" value=""/>
+    <!-- Example SIMPLETEST_DB value: mysql://username:password@localhost/databasename#table_prefix -->
+    <env name="SIMPLETEST_DB" value=""/>
+    <!-- Example BROWSERTEST_OUTPUT_DIRECTORY value: /path/to/webroot/sites/simpletest/browser_output -->
+    <env name="BROWSERTEST_OUTPUT_DIRECTORY" value=""/>
+    <!-- To have browsertest output use an alternative base URL. For example if
+     SIMPLETEST_BASE_URL is an internal DDEV URL, you can set this to the
+     external DDev URL so you can follow the links directly.
+    -->
+    <env name="BROWSERTEST_OUTPUT_BASE_URL" value=""/>
+    <!-- To disable deprecation testing completely uncomment the next line. -->
+    <env name="SYMFONY_DEPRECATIONS_HELPER" value="weak"/>
+    <!-- Example for changing the driver class for mink tests MINK_DRIVER_CLASS value: 'Drupal\FunctionalJavascriptTests\DrupalSelenium2Driver' -->
+    <env name="MINK_DRIVER_CLASS" value=''/>
+    <!-- Example for changing the driver args to mink tests MINK_DRIVER_ARGS value: '["http://127.0.0.1:8510"]' -->
+    <env name="MINK_DRIVER_ARGS" value=''/>
+    <!-- Example for changing the driver args to webdriver tests MINK_DRIVER_ARGS_WEBDRIVER value: '["chrome", { "chromeOptions": { "w3c": false } }, "http://localhost:4444/wd/hub"]' For using the Firefox browser, replace "chrome" with "firefox" -->
+    <env name="MINK_DRIVER_ARGS_WEBDRIVER" value=''/>
+  </php>
+  <testsuites>
+    <testsuite name="unit">
+      <file>./tests/TestSuites/UnitTestSuite.php</file>
+    </testsuite>
+    <testsuite name="kernel">
+      <file>./tests/TestSuites/KernelTestSuite.php</file>
+    </testsuite>
+    <testsuite name="functional">
+      <file>./tests/TestSuites/FunctionalTestSuite.php</file>
+    </testsuite>
+    <testsuite name="functional-javascript">
+      <file>./tests/TestSuites/FunctionalJavascriptTestSuite.php</file>
+    </testsuite>
+    <testsuite name="build">
+      <file>./tests/TestSuites/BuildTestSuite.php</file>
+    </testsuite>
+  </testsuites>
+  <listeners>
+    <listener class="\Drupal\Tests\Listeners\DrupalListener">
+    </listener>
+  </listeners>
+  <!-- Filter for coverage reports. -->
+  <filter>
+    <whitelist>
+      <directory>./includes</directory>
+      <directory>./lib</directory>
+      <!-- Extensions can have their own test directories, so exclude those. -->
+      <directory>./modules</directory>
+      <exclude>
+        <directory>./modules/*/src/Tests</directory>
+        <directory>./modules/*/tests</directory>
+      </exclude>
+      <directory>../modules</directory>
+      <exclude>
+        <directory>../modules/*/src/Tests</directory>
+        <directory>../modules/*/tests</directory>
+        <directory>../modules/*/*/src/Tests</directory>
+        <directory>../modules/*/*/tests</directory>
+      </exclude>
+      <directory>../sites</directory>
+      <directory>../profiles</directory>
+     </whitelist>
+  </filter>
+</phpunit>
diff --git a/docker/conf/drupal/settings.php b/docker/conf/drupal/settings.php
new file mode 100644
index 000000000..23e0942eb
--- /dev/null
+++ b/docker/conf/drupal/settings.php
@@ -0,0 +1,825 @@
+<?php
+
+// phpcs:ignoreFile
+
+/**
+ * @file
+ * Drupal site-specific configuration file.
+ *
+ * IMPORTANT NOTE:
+ * This file may have been set to read-only by the Drupal installation program.
+ * If you make changes to this file, be sure to protect it again after making
+ * your modifications. Failure to remove write permissions to this file is a
+ * security risk.
+ *
+ * In order to use the selection rules below the multisite aliasing file named
+ * sites/sites.php must be present. Its optional settings will be loaded, and
+ * the aliases in the array $sites will override the default directory rules
+ * below. See sites/example.sites.php for more information about aliases.
+ *
+ * The configuration directory will be discovered by stripping the website's
+ * hostname from left to right and pathname from right to left. The first
+ * configuration file found will be used and any others will be ignored. If no
+ * other configuration file is found then the default configuration file at
+ * 'sites/default' will be used.
+ *
+ * For example, for a fictitious site installed at
+ * https://www.drupal.org:8080/mysite/test/, the 'settings.php' file is searched
+ * for in the following directories:
+ *
+ * - sites/8080.www.drupal.org.mysite.test
+ * - sites/www.drupal.org.mysite.test
+ * - sites/drupal.org.mysite.test
+ * - sites/org.mysite.test
+ *
+ * - sites/8080.www.drupal.org.mysite
+ * - sites/www.drupal.org.mysite
+ * - sites/drupal.org.mysite
+ * - sites/org.mysite
+ *
+ * - sites/8080.www.drupal.org
+ * - sites/www.drupal.org
+ * - sites/drupal.org
+ * - sites/org
+ *
+ * - sites/default
+ *
+ * Note that if you are installing on a non-standard port number, prefix the
+ * hostname with that number. For example,
+ * https://www.drupal.org:8080/mysite/test/ could be loaded from
+ * sites/8080.www.drupal.org.mysite.test/.
+ *
+ * @see example.sites.php
+ * @see \Drupal\Core\DrupalKernel::getSitePath()
+ *
+ * In addition to customizing application settings through variables in
+ * settings.php, you can create a services.yml file in the same directory to
+ * register custom, site-specific service definitions and/or swap out default
+ * implementations with custom ones.
+ */
+
+/**
+ * Database settings:
+ *
+ * The $databases array specifies the database connection or
+ * connections that Drupal may use.  Drupal is able to connect
+ * to multiple databases, including multiple types of databases,
+ * during the same request.
+ *
+ * One example of the simplest connection array is shown below. To use the
+ * sample settings, copy and uncomment the code below between the @code and
+ * @endcode lines and paste it after the $databases declaration. You will need
+ * to replace the database username and password and possibly the host and port
+ * with the appropriate credentials for your database system.
+ *
+ * The next section describes how to customize the $databases array for more
+ * specific needs.
+ *
+ * @code
+ * $databases['default']['default'] = [
+ *   'database' => 'databasename',
+ *   'username' => 'sqlusername',
+ *   'password' => 'sqlpassword',
+ *   'host' => 'localhost',
+ *   'port' => '3306',
+ *   'driver' => 'mysql',
+ *   'prefix' => '',
+ *   'collation' => 'utf8mb4_general_ci',
+ * ];
+ * @endcode
+ */
+$databases['default']['default'] = [
+  'database' => getenv('DB_NAME') ?: 'wxt',
+  'username' => 'root',
+  'password' => 'root',
+  'host' => 'db',
+  'port' => getenv('DB_PORT') ?: '3306',
+  'driver' => getenv('DB_TYPE') ?: 'mysql',
+  'prefix' => '',
+  'namespace' => 'Drupal\Core\Database\Driver\\'.getenv('DB_TYPE') ?: 'mysql',
+  'collation' => 'utf8mb4_general_ci',
+];
+
+/**
+ * Customizing database settings.
+ *
+ * Many of the values of the $databases array can be customized for your
+ * particular database system. Refer to the sample in the section above as a
+ * starting point.
+ *
+ * The "driver" property indicates what Drupal database driver the
+ * connection should use.  This is usually the same as the name of the
+ * database type, such as mysql or sqlite, but not always.  The other
+ * properties will vary depending on the driver.  For SQLite, you must
+ * specify a database file name in a directory that is writable by the
+ * webserver.  For most other drivers, you must specify a
+ * username, password, host, and database name.
+ *
+ * Drupal core implements drivers for mysql, pgsql, and sqlite. Other drivers
+ * can be provided by contributed or custom modules. To use a contributed or
+ * custom driver, the "namespace" property must be set to the namespace of the
+ * driver. The code in this namespace must be autoloadable prior to connecting
+ * to the database, and therefore, prior to when module root namespaces are
+ * added to the autoloader. To add the driver's namespace to the autoloader,
+ * set the "autoload" property to the PSR-4 base directory of the driver's
+ * namespace. This is optional for projects managed with Composer if the
+ * driver's namespace is in Composer's autoloader.
+ *
+ * For each database, you may optionally specify multiple "target" databases.
+ * A target database allows Drupal to try to send certain queries to a
+ * different database if it can but fall back to the default connection if not.
+ * That is useful for primary/replica replication, as Drupal may try to connect
+ * to a replica server when appropriate and if one is not available will simply
+ * fall back to the single primary server (The terms primary/replica are
+ * traditionally referred to as master/slave in database server documentation).
+ *
+ * The general format for the $databases array is as follows:
+ * @code
+ * $databases['default']['default'] = $info_array;
+ * $databases['default']['replica'][] = $info_array;
+ * $databases['default']['replica'][] = $info_array;
+ * $databases['extra']['default'] = $info_array;
+ * @endcode
+ *
+ * In the above example, $info_array is an array of settings described above.
+ * The first line sets a "default" database that has one primary database
+ * (the second level default).  The second and third lines create an array
+ * of potential replica databases.  Drupal will select one at random for a given
+ * request as needed.  The fourth line creates a new database with a name of
+ * "extra".
+ *
+ * For MySQL, MariaDB or equivalent databases the 'isolation_level' option can
+ * be set. The recommended transaction isolation level for Drupal sites is
+ * 'READ COMMITTED'. The 'REPEATABLE READ' option is supported but can result
+ * in deadlocks, the other two options are 'READ UNCOMMITTED' and 'SERIALIZABLE'.
+ * They are available but not supported; use them at your own risk. For more
+ * info:
+ * https://dev.mysql.com/doc/refman/5.7/en/innodb-transaction-isolation-levels.html
+ *
+ * On your settings.php, change the isolation level:
+ * @code
+ * $databases['default']['default']['init_commands'] = [
+ *   'isolation_level' => 'SET SESSION TRANSACTION ISOLATION LEVEL READ COMMITTED',
+ * ];
+ * @endcode
+ *
+ * You can optionally set a prefix for all database table names by using the
+ * 'prefix' setting. If a prefix is specified, the table name will be prepended
+ * with its value. Be sure to use valid database characters only, usually
+ * alphanumeric and underscore. If no prefix is desired, do not set the 'prefix'
+ * key or set its value to an empty string ''.
+ *
+ * For example, to have all database table prefixed with 'main_', set:
+ * @code
+ *   'prefix' => 'main_',
+ * @endcode
+ *
+ * Advanced users can add or override initial commands to execute when
+ * connecting to the database server, as well as PDO connection settings. For
+ * example, to enable MySQL SELECT queries to exceed the max_join_size system
+ * variable, and to reduce the database connection timeout to 5 seconds:
+ * @code
+ * $databases['default']['default'] = [
+ *   'init_commands' => [
+ *     'big_selects' => 'SET SQL_BIG_SELECTS=1',
+ *   ],
+ *   'pdo' => [
+ *     PDO::ATTR_TIMEOUT => 5,
+ *   ],
+ * ];
+ * @endcode
+ *
+ * WARNING: The above defaults are designed for database portability. Changing
+ * them may cause unexpected behavior, including potential data loss. See
+ * https://www.drupal.org/developing/api/database/configuration for more
+ * information on these defaults and the potential issues.
+ *
+ * More details can be found in the constructor methods for each driver:
+ * - \Drupal\mysql\Driver\Database\mysql\Connection::__construct()
+ * - \Drupal\pgsql\Driver\Database\pgsql\Connection::__construct()
+ * - \Drupal\sqlite\Driver\Database\sqlite\Connection::__construct()
+ *
+ * Sample Database configuration format for PostgreSQL (pgsql):
+ * @code
+ *   $databases['default']['default'] = [
+ *     'driver' => 'pgsql',
+ *     'database' => 'databasename',
+ *     'username' => 'sqlusername',
+ *     'password' => 'sqlpassword',
+ *     'host' => 'localhost',
+ *     'prefix' => '',
+ *   ];
+ * @endcode
+ *
+ * Sample Database configuration format for SQLite (sqlite):
+ * @code
+ *   $databases['default']['default'] = [
+ *     'driver' => 'sqlite',
+ *     'database' => '/path/to/databasefilename',
+ *   ];
+ * @endcode
+ *
+ * Sample Database configuration format for a driver in a contributed module:
+ * @code
+ *   $databases['default']['default'] = [
+ *     'driver' => 'my_driver',
+ *     'namespace' => 'Drupal\my_module\Driver\Database\my_driver',
+ *     'autoload' => 'modules/my_module/src/Driver/Database/my_driver/',
+ *     'database' => 'databasename',
+ *     'username' => 'sqlusername',
+ *     'password' => 'sqlpassword',
+ *     'host' => 'localhost',
+ *     'prefix' => '',
+ *   ];
+ * @endcode
+ */
+
+/**
+ * Location of the site configuration files.
+ *
+ * The $settings['config_sync_directory'] specifies the location of file system
+ * directory used for syncing configuration data. On install, the directory is
+ * created. This is used for configuration imports.
+ *
+ * The default location for this directory is inside a randomly-named
+ * directory in the public files path. The setting below allows you to set
+ * its location.
+ */
+$settings["config_sync_directory"] = '/var/www/config';
+
+/**
+ * Settings:
+ *
+ * $settings contains environment-specific configuration, such as the files
+ * directory and reverse proxy address, and temporary configuration, such as
+ * security overrides.
+ *
+ * @see \Drupal\Core\Site\Settings::get()
+ */
+
+/**
+ * Salt for one-time login links, cancel links, form tokens, etc.
+ *
+ * This variable will be set to a random value by the installer. All one-time
+ * login links will be invalidated if the value is changed. Note that if your
+ * site is deployed on a cluster of web servers, you must ensure that this
+ * variable has the same value on each server.
+ *
+ * For enhanced security, you may set this variable to the contents of a file
+ * outside your document root; you should also ensure that this file is not
+ * stored with backups of your database.
+ *
+ * Example:
+ * @code
+ *   $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
+ * @endcode
+ */
+$settings['hash_salt'] = 'default';
+
+/**
+ * Deployment identifier.
+ *
+ * Drupal's dependency injection container will be automatically invalidated and
+ * rebuilt when the Drupal core version changes. When updating contributed or
+ * custom code that changes the container, changing this identifier will also
+ * allow the container to be invalidated as soon as code is deployed.
+ */
+# $settings['deployment_identifier'] = \Drupal::VERSION;
+
+/**
+ * Access control for update.php script.
+ *
+ * If you are updating your Drupal installation using the update.php script but
+ * are not logged in using either an account with the "Administer software
+ * updates" permission or the site maintenance account (the account that was
+ * created during installation), you will need to modify the access check
+ * statement below. Change the FALSE to a TRUE to disable the access check.
+ * After finishing the upgrade, be sure to open this file again and change the
+ * TRUE back to a FALSE!
+ */
+$settings['update_free_access'] = FALSE;
+
+/**
+ * Fallback to HTTP for Update Manager and for fetching security advisories.
+ *
+ * If your site fails to connect to updates.drupal.org over HTTPS (either when
+ * fetching data on available updates, or when fetching the feed of critical
+ * security announcements), you may uncomment this setting and set it to TRUE to
+ * allow an insecure fallback to HTTP. Note that doing so will open your site up
+ * to a potential man-in-the-middle attack. You should instead attempt to
+ * resolve the issues before enabling this option.
+ * @see https://www.drupal.org/docs/system-requirements/php-requirements#openssl
+ * @see https://en.wikipedia.org/wiki/Man-in-the-middle_attack
+ * @see \Drupal\update\UpdateFetcher
+ * @see \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher
+ */
+# $settings['update_fetch_with_http_fallback'] = TRUE;
+
+/**
+ * External access proxy settings:
+ *
+ * If your site must access the Internet via a web proxy then you can enter the
+ * proxy settings here. Set the full URL of the proxy, including the port, in
+ * variables:
+ * - $settings['http_client_config']['proxy']['http']: The proxy URL for HTTP
+ *   requests.
+ * - $settings['http_client_config']['proxy']['https']: The proxy URL for HTTPS
+ *   requests.
+ * You can pass in the user name and password for basic authentication in the
+ * URLs in these settings.
+ *
+ * You can also define an array of host names that can be accessed directly,
+ * bypassing the proxy, in $settings['http_client_config']['proxy']['no'].
+ */
+# $settings['http_client_config']['proxy']['http'] = 'http://proxy_user:proxy_pass@example.com:8080';
+# $settings['http_client_config']['proxy']['https'] = 'http://proxy_user:proxy_pass@example.com:8080';
+# $settings['http_client_config']['proxy']['no'] = ['127.0.0.1', 'localhost'];
+
+/**
+ * Reverse Proxy Configuration:
+ *
+ * Reverse proxy servers are often used to enhance the performance
+ * of heavily visited sites and may also provide other site caching,
+ * security, or encryption benefits. In an environment where Drupal
+ * is behind a reverse proxy, the real IP address of the client should
+ * be determined such that the correct client IP address is available
+ * to Drupal's logging, statistics, and access management systems. In
+ * the most simple scenario, the proxy server will add an
+ * X-Forwarded-For header to the request that contains the client IP
+ * address. However, HTTP headers are vulnerable to spoofing, where a
+ * malicious client could bypass restrictions by setting the
+ * X-Forwarded-For header directly. Therefore, Drupal's proxy
+ * configuration requires the IP addresses of all remote proxies to be
+ * specified in $settings['reverse_proxy_addresses'] to work correctly.
+ *
+ * Enable this setting to get Drupal to determine the client IP from the
+ * X-Forwarded-For header. If you are unsure about this setting, do not have a
+ * reverse proxy, or Drupal operates in a shared hosting environment, this
+ * setting should remain commented out.
+ *
+ * In order for this setting to be used you must specify every possible
+ * reverse proxy IP address in $settings['reverse_proxy_addresses'].
+ * If a complete list of reverse proxies is not available in your
+ * environment (for example, if you use a CDN) you may set the
+ * $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
+ * Be aware, however, that it is likely that this would allow IP
+ * address spoofing unless more advanced precautions are taken.
+ */
+$settings['reverse_proxy'] = TRUE;
+
+/**
+ * Reverse proxy addresses.
+ *
+ * Specify every reverse proxy IP address in your environment, as an array of
+ * IPv4/IPv6 addresses or subnets in CIDR notation. This setting is required if
+ * $settings['reverse_proxy'] is TRUE.
+ */
+$settings['reverse_proxy_addresses'] = ['0.0.0.0/0'];
+
+/**
+ * Reverse proxy trusted headers.
+ *
+ * Sets which headers to trust from your reverse proxy.
+ *
+ * Common values are:
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO
+ * - \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED
+ *
+ * Note the default value of
+ * @code
+ * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED
+ * @endcode
+ * is not secure by default. The value should be set to only the specific
+ * headers the reverse proxy uses. For example:
+ * @code
+ * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO
+ * @endcode
+ * This would trust the following headers:
+ * - X_FORWARDED_FOR
+ * - X_FORWARDED_HOST
+ * - X_FORWARDED_PROTO
+ * - X_FORWARDED_PORT
+ *
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO
+ * @see \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED
+ * @see \Symfony\Component\HttpFoundation\Request::setTrustedProxies
+ */
+# $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED;
+
+
+/**
+ * Page caching:
+ *
+ * By default, Drupal sends a "Vary: Cookie" HTTP header for anonymous page
+ * views. This tells a HTTP proxy that it may return a page from its local
+ * cache without contacting the web server, if the user sends the same Cookie
+ * header as the user who originally requested the cached page. Without "Vary:
+ * Cookie", authenticated users would also be served the anonymous page from
+ * the cache. If the site has mostly anonymous users except a few known
+ * editors/administrators, the Vary header can be omitted. This allows for
+ * better caching in HTTP proxies (including reverse proxies), i.e. even if
+ * clients send different cookies, they still get content served from the cache.
+ * However, authenticated users should access the site directly (i.e. not use an
+ * HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid
+ * getting cached pages from the proxy.
+ */
+# $settings['omit_vary_cookie'] = TRUE;
+
+
+/**
+ * Cache TTL for client error (4xx) responses.
+ *
+ * Items cached per-URL tend to result in a large number of cache items, and
+ * this can be problematic on 404 pages which by their nature are unbounded. A
+ * fixed TTL can be set for these items, defaulting to one hour, so that cache
+ * backends which do not support LRU can purge older entries. To disable caching
+ * of client error responses set the value to 0. Currently applies only to
+ * page_cache module.
+ */
+# $settings['cache_ttl_4xx'] = 3600;
+
+/**
+ * Expiration of cached forms.
+ *
+ * Drupal's Form API stores details of forms in a cache and these entries are
+ * kept for at least 6 hours by default. Expired entries are cleared by cron.
+ *
+ * @see \Drupal\Core\Form\FormCache::setCache()
+ */
+# $settings['form_cache_expiration'] = 21600;
+
+/**
+ * Class Loader.
+ *
+ * If the APCu extension is detected, the classloader will be optimized to use
+ * it. Set to FALSE to disable this.
+ *
+ * @see https://getcomposer.org/doc/articles/autoloader-optimization.md
+ */
+# $settings['class_loader_auto_detect'] = FALSE;
+
+/**
+ * Authorized file system operations:
+ *
+ * The Update Manager module included with Drupal provides a mechanism for
+ * site administrators to securely install missing updates for the site
+ * directly through the web user interface. On securely-configured servers,
+ * the Update manager will require the administrator to provide SSH or FTP
+ * credentials before allowing the installation to proceed; this allows the
+ * site to update the new files as the user who owns all the Drupal files,
+ * instead of as the user the webserver is running as. On servers where the
+ * webserver user is itself the owner of the Drupal files, the administrator
+ * will not be prompted for SSH or FTP credentials (note that these server
+ * setups are common on shared hosting, but are inherently insecure).
+ *
+ * Some sites might wish to disable the above functionality, and only update
+ * the code directly via SSH or FTP themselves. This setting completely
+ * disables all functionality related to these authorized file operations.
+ *
+ * @see https://www.drupal.org/node/244924
+ *
+ * Remove the leading hash signs to disable.
+ */
+# $settings['allow_authorize_operations'] = FALSE;
+
+/**
+ * Default mode for directories and files written by Drupal.
+ *
+ * Value should be in PHP Octal Notation, with leading zero.
+ */
+# $settings['file_chmod_directory'] = 0775;
+# $settings['file_chmod_file'] = 0664;
+
+/**
+ * Public file base URL:
+ *
+ * An alternative base URL to be used for serving public files. This must
+ * include any leading directory path.
+ *
+ * A different value from the domain used by Drupal to be used for accessing
+ * public files. This can be used for a simple CDN integration, or to improve
+ * security by serving user-uploaded files from a different domain or subdomain
+ * pointing to the same server. Do not include a trailing slash.
+ */
+# $settings['file_public_base_url'] = 'http://downloads.example.com/files';
+
+/**
+ * Public file path:
+ *
+ * A local file system path where public files will be stored. This directory
+ * must exist and be writable by Drupal. This directory must be relative to
+ * the Drupal installation directory and be accessible over the web.
+ */
+# $settings['file_public_path'] = 'sites/default/files';
+
+/**
+ * Additional public file schemes:
+ *
+ * Public schemes are URI schemes that allow download access to all users for
+ * all files within that scheme.
+ *
+ * The "public" scheme is always public, and the "private" scheme is always
+ * private, but other schemes, such as "https", "s3", "example", or others,
+ * can be either public or private depending on the site. By default, they're
+ * private, and access to individual files is controlled via
+ * hook_file_download().
+ *
+ * Typically, if a scheme should be public, a module makes it public by
+ * implementing hook_file_download(), and granting access to all users for all
+ * files. This could be either the same module that provides the stream wrapper
+ * for the scheme, or a different module that decides to make the scheme
+ * public. However, in cases where a site needs to make a scheme public, but
+ * is unable to add code in a module to do so, the scheme may be added to this
+ * variable, the result of which is that system_file_download() grants public
+ * access to all files within that scheme.
+ */
+# $settings['file_additional_public_schemes'] = ['example'];
+
+/**
+ * Private file path:
+ *
+ * A local file system path where private files will be stored. This directory
+ * must be absolute, outside of the Drupal installation directory and not
+ * accessible over the web.
+ *
+ * Note: Caches need to be cleared when this value is changed to make the
+ * private:// stream wrapper available to the system.
+ *
+ * See https://www.drupal.org/documentation/modules/file for more information
+ * about securing private files.
+ */
+# $settings['file_private_path'] = '';
+
+/**
+ * Temporary file path:
+ *
+ * A local file system path where temporary files will be stored. This directory
+ * must be absolute, outside of the Drupal installation directory and not
+ * accessible over the web.
+ *
+ * If this is not set, the default for the operating system will be used.
+ *
+ * @see \Drupal\Component\FileSystem\FileSystem::getOsTemporaryDirectory()
+ */
+# $settings['file_temp_path'] = '/tmp';
+
+/**
+ * Session write interval:
+ *
+ * Set the minimum interval between each session write to database.
+ * For performance reasons it defaults to 180.
+ */
+# $settings['session_write_interval'] = 180;
+
+/**
+ * String overrides:
+ *
+ * To override specific strings on your site with or without enabling the Locale
+ * module, add an entry to this list. This functionality allows you to change
+ * a small number of your site's default English language interface strings.
+ *
+ * Remove the leading hash signs to enable.
+ *
+ * The "en" part of the variable name, is dynamic and can be any langcode of
+ * any added language. (eg locale_custom_strings_de for german).
+ */
+# $settings['locale_custom_strings_en'][''] = [
+#   'forum'      => 'Discussion board',
+#   '@count min' => '@count minutes',
+# ];
+
+/**
+ * A custom theme for the offline page:
+ *
+ * This applies when the site is explicitly set to maintenance mode through the
+ * administration page or when the database is inactive due to an error.
+ * The template file should also be copied into the theme. It is located inside
+ * 'core/modules/system/templates/maintenance-page.html.twig'.
+ *
+ * Note: This setting does not apply to installation and update pages.
+ */
+# $settings['maintenance_theme'] = 'claro';
+
+/**
+ * PHP settings:
+ *
+ * To see what PHP settings are possible, including whether they can be set at
+ * runtime (by using ini_set()), read the PHP documentation:
+ * http://php.net/manual/ini.list.php
+ * See \Drupal\Core\DrupalKernel::bootEnvironment() for required runtime
+ * settings and the .htaccess file for non-runtime settings.
+ * Settings defined there should not be duplicated here so as to avoid conflict
+ * issues.
+ */
+
+/**
+ * If you encounter a situation where users post a large amount of text, and
+ * the result is stripped out upon viewing but can still be edited, Drupal's
+ * output filter may not have sufficient memory to process it.  If you
+ * experience this issue, you may wish to uncomment the following two lines
+ * and increase the limits of these variables.  For more information, see
+ * http://php.net/manual/pcre.configuration.php.
+ */
+# ini_set('pcre.backtrack_limit', 200000);
+# ini_set('pcre.recursion_limit', 200000);
+
+/**
+ * Configuration overrides.
+ *
+ * To globally override specific configuration values for this site,
+ * set them here. You usually don't need to use this feature. This is
+ * useful in a configuration file for a vhost or directory, rather than
+ * the default settings.php.
+ *
+ * Note that any values you provide in these variable overrides will not be
+ * viewable from the Drupal administration interface. The administration
+ * interface displays the values stored in configuration so that you can stage
+ * changes to other environments that don't have the overrides.
+ *
+ * There are particular configuration values that are risky to override. For
+ * example, overriding the list of installed modules in 'core.extension' is not
+ * supported as module install or uninstall has not occurred. Other examples
+ * include field storage configuration, because it has effects on database
+ * structure, and 'core.menu.static_menu_link_overrides' since this is cached in
+ * a way that is not config override aware. Also, note that changing
+ * configuration values in settings.php will not fire any of the configuration
+ * change events.
+ */
+# $config['system.site']['name'] = 'My Drupal site';
+# $config['user.settings']['anonymous'] = 'Visitor';
+
+/**
+ * Load services definition file.
+ */
+$settings['container_yamls'][] = $app_root . '/' . $site_path . '/services.yml';
+
+/**
+ * Override the default service container class.
+ *
+ * This is useful for example to trace the service container for performance
+ * tracking purposes, for testing a service container with an error condition or
+ * to test a service container that throws an exception.
+ */
+# $settings['container_base_class'] = '\Drupal\Core\DependencyInjection\Container';
+
+/**
+ * Override the default yaml parser class.
+ *
+ * Provide a fully qualified class name here if you would like to provide an
+ * alternate implementation YAML parser. The class must implement the
+ * \Drupal\Component\Serialization\SerializationInterface interface.
+ */
+# $settings['yaml_parser_class'] = NULL;
+
+/**
+ * Trusted host configuration.
+ *
+ * Drupal core can use the Symfony trusted host mechanism to prevent HTTP Host
+ * header spoofing.
+ *
+ * To enable the trusted host mechanism, you enable your allowable hosts
+ * in $settings['trusted_host_patterns']. This should be an array of regular
+ * expression patterns, without delimiters, representing the hosts you would
+ * like to allow.
+ *
+ * For example:
+ * @code
+ * $settings['trusted_host_patterns'] = [
+ *   '^www\.example\.com$',
+ * ];
+ * @endcode
+ * will allow the site to only run from www.example.com.
+ *
+ * If you are running multisite, or if you are running your site from
+ * different domain names (eg, you don't redirect http://www.example.com to
+ * http://example.com), you should specify all of the host patterns that are
+ * allowed by your site.
+ *
+ * For example:
+ * @code
+ * $settings['trusted_host_patterns'] = [
+ *   '^example\.com$',
+ *   '^.+\.example\.com$',
+ *   '^example\.org$',
+ *   '^.+\.example\.org$',
+ * ];
+ * @endcode
+ * will allow the site to run off of all variants of example.com and
+ * example.org, with all subdomains included.
+ *
+ * @see https://www.drupal.org/docs/installing-drupal/trusted-host-settings
+ */
+
+/**
+ * The default list of directories that will be ignored by Drupal's file API.
+ *
+ * By default ignore node_modules and bower_components folders to avoid issues
+ * with common frontend tools and recursive scanning of directories looking for
+ * extensions.
+ *
+ * @see \Drupal\Core\File\FileSystemInterface::scanDirectory()
+ * @see \Drupal\Core\Extension\ExtensionDiscovery::scanDirectory()
+ */
+$settings['file_scan_ignore_directories'] = [
+  'node_modules',
+  'bower_components',
+];
+
+/**
+ * The default number of entities to update in a batch process.
+ *
+ * This is used by update and post-update functions that need to go through and
+ * change all the entities on a site, so it is useful to increase this number
+ * if your hosting configuration (i.e. RAM allocation, CPU speed) allows for a
+ * larger number of entities to be processed in a single batch run.
+ */
+$settings['entity_update_batch_size'] = 50;
+
+/**
+ * Entity update backup.
+ *
+ * This is used to inform the entity storage handler that the backup tables as
+ * well as the original entity type and field storage definitions should be
+ * retained after a successful entity update process.
+ */
+$settings['entity_update_backup'] = TRUE;
+
+/**
+ * Node migration type.
+ *
+ * This is used to force the migration system to use the classic node migrations
+ * instead of the default complete node migrations. The migration system will
+ * use the classic node migration only if there are existing migrate_map tables
+ * for the classic node migrations and they contain data. These tables may not
+ * exist if you are developing custom migrations and do not want to use the
+ * complete node migrations. Set this to TRUE to force the use of the classic
+ * node migrations.
+ */
+$settings['migrate_node_migrate_type_classic'] = FALSE;
+
+/**
+ * The default settings for migration sources.
+ *
+ * These settings are used as the default settings on the Credential form at
+ * /upgrade/credentials.
+ *
+ * - migrate_source_version - The version of the source database. This can be
+ *   '6' or '7'. Defaults to '7'.
+ * - migrate_source_connection - The key in the $databases array for the source
+ *   site.
+ * - migrate_file_public_path - The location of the source Drupal 6 or Drupal 7
+ *   public files. This can be a local file directory containing the source
+ *   Drupal 6 or Drupal 7 site (e.g /var/www/docroot), or the site address
+ *   (e.g http://example.com).
+ * - migrate_file_private_path - The location of the source Drupal 7 private
+ *   files. This can be a local file directory containing the source Drupal 7
+ *   site (e.g /var/www/docroot), or empty to use the same value as Public
+ *   files directory.
+ *
+ * Sample configuration for a drupal 6 source site with the source files in a
+ * local directory.
+ *
+ * @code
+ * $settings['migrate_source_version'] = '6';
+ * $settings['migrate_source_connection'] = 'migrate';
+ * $settings['migrate_file_public_path'] = '/var/www/drupal6';
+ * @endcode
+ *
+ * Sample configuration for a drupal 7 source site with public source files on
+ * the source site and the private files in a local directory.
+ *
+ * @code
+ * $settings['migrate_source_version'] = '7';
+ * $settings['migrate_source_connection'] = 'migrate';
+ * $settings['migrate_file_public_path'] = 'https://drupal7.com';
+ * $settings['migrate_file_private_path'] = '/var/www/drupal7';
+ * @endcode
+ */
+# $settings['migrate_source_connection'] = '';
+# $settings['migrate_source_version'] = '';
+# $settings['migrate_file_public_path'] = '';
+# $settings['migrate_file_private_path'] = '';
+
+/**
+ * Load local development override configuration, if available.
+ *
+ * Create a settings.local.php file to override variables on secondary (staging,
+ * development, etc.) installations of this site.
+ *
+ * Typical uses of settings.local.php include:
+ * - Disabling caching.
+ * - Disabling JavaScript/CSS compression.
+ * - Rerouting outgoing emails.
+ *
+ * Keep this code block at the end of this file to take full effect.
+ */
+#
+# if (file_exists($app_root . '/' . $site_path . '/settings.local.php')) {
+#   include $app_root . '/' . $site_path . '/settings.local.php';
+# }
diff --git a/docker/conf/my.cnf b/docker/conf/my.cnf
new file mode 100644
index 000000000..a24d11cd5
--- /dev/null
+++ b/docker/conf/my.cnf
@@ -0,0 +1,2 @@
+[mysqld]
+max_allowed_packet = 256M
diff --git a/docker/conf/nginx.conf b/docker/conf/nginx.conf
new file mode 100644
index 000000000..c60f8e2d2
--- /dev/null
+++ b/docker/conf/nginx.conf
@@ -0,0 +1,165 @@
+# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
+error_log /proc/self/fd/2;
+pid /var/run/nginx.pid;
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 100000;
+
+events {
+  multi_accept on;
+  use epoll;
+  worker_connections 8192;
+}
+
+http {
+  access_log /proc/self/fd/1;
+  client_max_body_size 20m;
+  default_type application/octet-stream;
+  fastcgi_buffers 8 16k;
+  fastcgi_buffer_size 32k;
+  gzip on;
+  gzip_buffers 16 8k;
+  gzip_comp_level 4;
+  gzip_disable msie6;
+  gzip_proxied off;
+  gzip_types application/json;
+  gzip_vary on;
+  include /etc/nginx/mime.types;
+  index index.html index.htm;
+  keepalive_timeout 120;
+  proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=one:8m max_size=3000m inactive=600m;
+  proxy_temp_path /var/tmp;
+  sendfile on;
+  server_tokens off;
+  tcp_nopush on;
+  types_hash_max_size 2048;
+
+  server {
+      # IPv4
+      listen 80;
+
+      # IPv6
+      listen [::]:80;
+
+      # Filesystem root of the site and index with fallback.
+      root /var/www/html;
+      index index.php index.html index.htm;
+
+      # Make site accessible.
+      server_name drupal.dev;
+
+      location = /favicon.ico {
+          log_not_found off;
+          access_log off;
+      }
+
+      location = /robots.txt {
+          allow all;
+          log_not_found off;
+          access_log off;
+      }
+
+      location ~ \..*/.*\.php$ {
+          return 403;
+      }
+
+      location ~ ^/sites/.*/private/ {
+          return 403;
+      }
+
+      # Block access to scripts in site files directory
+      location ~ ^/sites/[^/]+/files/.*\.php$ {
+          deny all;
+      }
+
+      # Allow "Well-Known URIs" as per RFC 5785
+      location ~* ^/.well-known/ {
+          allow all;
+      }
+
+      # Block access to "hidden" files and directories whose names begin with a
+      # period. This includes directories used by version control systems such
+      # as Subversion or Git to store control files.
+      location ~ (^|/)\. {
+          return 403;
+      }
+
+      location / {
+          # First attempt to serve request as file, then
+          # as directory, then fall back to displaying a 404.
+          try_files $uri $uri/ /index.html /index.php?$query_string;
+      }
+
+      location @rewrite {
+          # For Drupal >= 7
+          rewrite ^ /index.php;
+      }
+
+      # Don't allow direct access to PHP files in the vendor directory.
+      location ~ /vendor/.*\.php$ {
+          deny all;
+          return 404;
+      }
+
+      # Protect files and directories from prying eyes.
+      location ~* \.(engine|ht|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|/(\.(?!well-known).*)|composer\.(json|lock)|web\.config$|/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+          deny all;
+          return 404;
+      }
+
+      # In Drupal 8, we must also match new paths where the '.php' appears in
+      # the middle, such as update.php/selection. The rule we use is strict,
+      # and only allows this pattern with the update.php front controller.
+      # This allows legacy path aliases in the form of
+      # blog/index.php/legacy-path to continue to route to Drupal nodes. If
+      # you do not have any paths like that, then you might prefer to use a
+      # laxer rule, such as:
+      #   location ~ \.php(/|$) {
+      # The laxer rule will continue to work if Drupal uses this new URL
+      # pattern with front controllers other than update.php in a future
+      # release.
+      location ~ '\.php$|^/update.php' {
+        proxy_intercept_errors on;
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        # Ensure the php file exists. Mitigates CVE-2019-11043
+        try_files $fastcgi_script_name =404;
+        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+        include fastcgi_params;
+        # Block httpoxy attacks. See https://httpoxy.org/.
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param QUERY_STRING $query_string;
+        fastcgi_intercept_errors on;
+        # For the appsvc image please use
+        # fastcgi_pass 127.0.0.1:9000
+        fastcgi_pass web:9000;
+      }
+
+      location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+          try_files $uri @rewrite;
+          expires max;
+          log_not_found off;
+      }
+
+      # Fighting with Styles
+      location ~ ^/sites/.*/files/styles/ {
+          # For Drupal >= 7
+          try_files $uri @rewrite;
+      }
+
+      # Handle private files through Drupal. Private file's path can come
+      # with a language prefix.
+      location ~ ^(/[a-z\-]+)?/system/files/ {
+          # For Drupal >= 7
+          try_files $uri /index.php?$query_string;
+      }
+
+      # Enforce clean URLs
+      # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+      # Could be done with 301 for permanent or other redirect codes.
+      if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+          return 307 $1$2;
+      }
+  }
+}
diff --git a/docker/conf/php-fpm/status.conf b/docker/conf/php-fpm/status.conf
new file mode 100644
index 000000000..66d1f8b64
--- /dev/null
+++ b/docker/conf/php-fpm/status.conf
@@ -0,0 +1,2 @@
+[www]
+pm.status_path = /status
diff --git a/docker/conf/php.ini b/docker/conf/php.ini
new file mode 100644
index 000000000..37ec3af5c
--- /dev/null
+++ b/docker/conf/php.ini
@@ -0,0 +1,7 @@
+[PHP]
+date.timezone = UTC
+zend.assertions	= 0
+upload_max_filesize = 32M
+post_max_size = 32M
+file_uploads = On
+memory_limit = 2048M
diff --git a/docker/conf/postgresql/load-extensions.sh b/docker/conf/postgresql/load-extensions.sh
new file mode 100755
index 000000000..793a15b5a
--- /dev/null
+++ b/docker/conf/postgresql/load-extensions.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+echo "enabling pg_trgm on database $POSTGRES_DB"
+psql -U $POSTGRES_USER --dbname="$POSTGRES_DB" <<-'EOSQL'
+  create extension if not exists pg_trgm;
+EOSQL
+echo "finished with exit code $?"
diff --git a/docker/conf/ssmtp.conf b/docker/conf/ssmtp.conf
new file mode 100644
index 000000000..6daaaf059
--- /dev/null
+++ b/docker/conf/ssmtp.conf
@@ -0,0 +1,48 @@
+#
+# /etc/ssmtp.conf -- a config file for sSMTP sendmail.
+#
+
+# The person who gets all mail for userids < MinUserId
+# Make this empty to disable rewriting.
+root=postmaster
+
+# All mail delivered to userid >= MinUserId goes to user, not root.
+#MinUserId=1000
+
+# The place where the mail goes. The actual machine name is required
+# no MX records are consulted. Commonly mailhosts are named mail.domain.com
+# The example will fit if you are in domain.com and your mailhub is so named.
+mailhub=mail:1025
+
+# Example for SMTP port number 2525
+# mailhub=mail.your.domain:2525
+# Example for SMTP port number 25 (Standard/RFC)
+# mailhub=mail.your.domain
+# Example for SSL encrypted connection
+# mailhub=mail.your.domain:465
+
+# Where will the mail seem to come from?
+#rewriteDomain=
+
+# The full hostname.
+# Commenting the following line will force ssmtp to figure out the
+# hostname itself
+#hostname=_HOSTNAME_
+
+# Set this to never rewrite the "From:" line (unless not given) and to
+# use that address in the "from line" of the envelope.
+FromLineOverride=YES
+
+# Use SSL/TLS to send secure messages to server.
+#UseTLS=YES
+
+# Use SSL/TLS certificate to authenticate against smtp host.
+#UseTLSCert=YES
+
+# Use this RSA certificate.
+#TLSCert=/etc/ssl/certs/ssmtp.pem
+
+# Get enhanced (*really* enhanced) debugging information in the logs
+# If you want to have debugging of the config file parsing, move this option
+# to the top of the config file and uncomment
+#Debug=YES
diff --git a/docker/conf/varnish/default.vcl b/docker/conf/varnish/default.vcl
new file mode 100644
index 000000000..f2a6bf3ca
--- /dev/null
+++ b/docker/conf/varnish/default.vcl
@@ -0,0 +1,202 @@
+vcl 4.0;
+
+import std;
+import directors;
+
+backend nginx {
+  .host = "nginx";
+  .host_header = "nginx";
+  .port = "80";
+}
+
+sub vcl_init {
+  new backends = directors.round_robin();
+  backends.add_backend(nginx);
+}
+
+sub vcl_recv {
+  set req.http.X-Forwarded-Host = req.http.Host;
+  if (!req.http.X-Forwarded-Proto) {
+    set req.http.X-Forwarded-Proto = "http";
+  }
+
+  # Answer healthcheck
+  if (req.url == "/_healthcheck" || req.url == "/healthcheck.txt") {
+    return (synth(700, "HEALTHCHECK"));
+  }
+
+  # Answer splashpage
+  if (req.url == "/") {
+    return (synth(701, "SPLASH"));
+  }
+
+  set req.backend_hint = backends.backend();
+
+  # Always cache certain file types
+  # Remove cookies that Drupal doesn't care about
+  if (req.url ~ "(?i)\.(asc|dat|tgz|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
+    unset req.http.Cookie;
+  } else if (req.http.Cookie) {
+    set req.http.Cookie = ";" + req.http.Cookie;
+    set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
+    set req.http.Cookie = regsuball(req.http.Cookie, ";(SESS[a-z0-9]+|SSESS[a-z0-9]+|NO_CACHE)=", "; \1=");
+    set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
+    set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
+    if (req.http.Cookie == "") {
+        unset req.http.Cookie;
+    } else {
+        return (pass);
+    }
+  }
+  # If POST, PUT or DELETE, then don't cache
+  if (req.method == "POST" || req.method == "PUT" || req.method == "DELETE") {
+    return (pass);
+  }
+  # Happens before we check if we have this in cache already.
+  #
+  # Typically you clean up the request here, removing cookies you don't need,
+  # rewriting the request, etc.
+  return (hash);
+  #return (pass);
+}
+
+sub vcl_backend_fetch {
+  # NEW
+  set bereq.http.Host = "nginx";
+
+  # Don't add 127.0.0.1 to X-Forwarded-For
+  set bereq.http.X-Forwarded-For = regsub(bereq.http.X-Forwarded-For, "(, )?127\.0\.0\.1$", "");
+}
+
+sub vcl_backend_response {
+  if (beresp.http.Location && beresp.http.Location !~ "^https://api.twitter.com/") {
+    set beresp.http.Location = regsub(
+      beresp.http.Location,
+      "^https?://[^/]+/",
+      bereq.http.X-Forwarded-Proto + "://" + bereq.http.X-Forwarded-Host + "/"
+    );
+  }
+  # Only cache select response codes
+  if (beresp.status == 200 || beresp.status == 203 || beresp.status == 204 || beresp.status == 206 || beresp.status == 300 || beresp.status == 301 || beresp.status == 404 || beresp.status == 405 || beresp.status == 410 || beresp.status == 414 || beresp.status == 501) {
+    # Cache for 5 minutes
+    set beresp.ttl = 5m;
+    set beresp.grace = 12h;
+    set beresp.keep = 24h;
+  } else {
+    set beresp.ttl = 0s;
+  }
+}
+
+sub vcl_deliver {
+  # Remove identifying information
+  unset resp.http.Server;
+  unset resp.http.X-Powered-By;
+  unset resp.http.X-Varnish;
+  unset resp.http.Via;
+
+  # Comment these for easier Drupal cache tag debugging in development.
+  unset resp.http.Cache-Tags;
+  unset resp.http.X-Drupal-Cache-Contexts;
+
+  # Add Content-Security-Policy
+  # set resp.http.Content-Security-Policy = "default-src 'self' *.example.ca *.example.ca; style-src 'self' 'unsafe-inline' *.example.ca https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.example.ca  *.adobedtm.com use.fontawesome.com blob:; connect-src 'self' *.example.ca *.omtrdc.net *.demdex.net *.everesttech.net; img-src 'self' *.example.ca *.omtrdc.net *.demdex.net *.everesttech.net data:; font-src 'self' *.example.ca https://fonts.gstatic.com";
+
+  # Add CORS Headers
+  # if (req.http.Origin ~ "(?i)\.example\.ca$") {
+  #   if (req.url ~ "\.(ttd|woff|woff2)(\?.*)?$") {
+  #     set resp.http.Access-Control-Allow-Origin = "*";
+  #     set resp.http.Access-Control-Allow-Methods = "GET";
+  #   }
+  # }
+
+  # Add X-Frame-Options
+  # if (req.url ~ "^/(en/|fr/)?media/") {
+  #   set resp.http.X-Frame-Options = "SAMEORIGIN";
+  # } else {
+  #   set resp.http.X-Frame-Options = "DENY";
+  # }
+
+  set resp.http.X-Content-Type-Options = "nosniff";
+  set resp.http.X-XSS-Protection = "1; mode=block";
+  set resp.http.Strict-Transport-Security = "max-age=2629800";
+
+  if (req.url ~ "^/(en/|fr/)?(search/|recherche/)site/") {
+    set resp.http.X-Robots-Tag = "noindex, nofollow";
+  }
+
+  # Happens when we have all the pieces we need, and are about to send the
+  # response to the client.
+  #
+  # You can do accounting or modifying the final object here.
+  if (obj.hits > 0) {
+    set resp.http.X-Cache = "HIT";
+  } else {
+    set resp.http.X-Cache = "MISS";
+  }
+  # Handle errors
+  # if ( (resp.status >= 500 && resp.status <= 599)
+  #   || resp.status == 400
+  #   || resp.status == 401
+  #   || resp.status == 403
+  #   || resp.status == 404) {
+  #   return (synth(resp.status));
+  # }
+}
+
+sub vcl_synth {
+  # Remove identifying information
+  unset resp.http.Server;
+  unset resp.http.X-Powered-By;
+  unset resp.http.X-Varnish;
+  unset resp.http.Via;
+
+  # Add Content-Security-Policy
+  # set resp.http.Content-Security-Policy = "default-src 'self' *.example.ca; style-src 'self' 'unsafe-inline' *.example.ca; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.example.ca *.adobedtm.com use.fontawesome.com blob:; connect-src 'self' *.example.ca *.omtrdc.net *.demdex.net *.everesttech.net; img-src 'self' *.example.ca data:;";
+  # set resp.http.X-Content-Type-Options = "nosniff";
+  # set resp.http.X-Frame-Options = "DENY";
+  # set resp.http.X-XSS-Protection = "1; mode=block";
+
+  set resp.http.Strict-Transport-Security = "max-age=2629800";
+
+  # if (resp.status >= 500 && resp.status <= 599) {
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/503.html"));
+  #   return (deliver);
+  # } elseif (resp.status == 400) { # 400 - Bad Request
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/400.html"));
+  #   return (deliver);
+  # } elseif (resp.status == 401) { # 401 - Unauthorized
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/401.html"));
+  #   return (deliver);
+  # } elseif (resp.status == 403) { # 403 - Forbidden
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/403.html"));
+  #   return (deliver);
+  # } elseif (resp.status == 404) { # 404 - Not Found
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/404.html"));
+  #   return (deliver);
+  # } else
+  if (resp.status == 700) { # Respond to healthcheck
+    set resp.status = 200;
+    set resp.http.Content-Type = "text/plain";
+    synthetic ( {"OK"} );
+    return (deliver);
+  } elseif (resp.status == 701) { # Respond to splash
+    set resp.status = 200;
+    set resp.http.Content-Type = "text/html";
+    synthetic(std.fileread("/etc/varnish/splash.html"));
+    return (deliver);
+  }
+}
+
+##
+# ERROR HANDLING
+##
+# sub vcl_backend_error {
+#   set beresp.http.Content-Type = "text/html; charset=utf-8";
+#   synthetic(std.fileread("/data/configuration/varnish/errors/503.html"));
+#   return (deliver);
+# }
diff --git a/docker/conf/varnish/splash.html b/docker/conf/varnish/splash.html
new file mode 100644
index 000000000..345c8069d
--- /dev/null
+++ b/docker/conf/varnish/splash.html
@@ -0,0 +1,95 @@
+<!DOCTYPE html>
+  <!--[if lt IE 9]><html class="no-js lt-ie9" lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml"><![endif]-->
+  <!--[if gt IE 8]><!-->
+  <html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" lang="en">
+  <!--<![endif]-->
+  <head>
+    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta charset="utf-8">
+    <!-- Web Experience Toolkit (WET) / Boîte à outils de l'expérience Web (BOEW) wet-boew.github.io/wet-boew/License-en.html / wet-boew.github.io/wet-boew/Licence-fr.html -->
+    <title>Canada.ca</title>
+    <meta content="width=device-width,initial-scale=1" name="viewport">
+    <meta name="description"
+      content="The Government of Canada website is a single point of access to all programs, services, departments, ministries and organizations of the Government of Canada.">
+    <meta name="description" lang="fr"
+      content="Le site Web du gouvernement du Canada fournit un point d'accès complet à tous les programmes, services, départements, ministères et organismes du gouvernement du Canada.">
+    <meta name="dcterms.creator"
+      content="Government of Canada">
+    <meta name="dcterms.creator" lang="fr"
+      content="Gouvernement du Canada">
+    <meta name="dcterms.title" content="Canada.ca">
+    <meta name="dcterms.title" lang="fr" content="Canada.ca">
+    <meta name="dcterms.issued" title="W3CDTF" content="2021-11-01">
+    <meta name="dcterms.modified" title="W3CDTF" content="2021-11-01">
+    <meta name="dcterms.subject" title="gccore"
+      content="GV Government and Politics">
+    <meta name="dcterms.subject" lang="fr" title="gccore"
+      content="GV Gouvernement et vie politique">
+    <meta name="dcterms.language" title="ISO639-2" content="eng">
+    <meta name="dcterms.language" lang="fr" title="ISO639-2" content="fra">
+    <meta name="dcterms.spatial" content="Canada" />
+    <meta name="dcterms.spatial" lang="fr" content="Canada" />
+    <meta name="dcterms.type" content="navigation page" />
+    <meta name="dcterms.type" lang="fr" content="page de navigation" />
+    <meta name="robots" content="noindex, follow" />
+    <!--[if gte IE 9 | !IE ]><!-->
+    <link rel="apple-touch-icon" sizes="57x57 72x72 114x114 144x144 150x150" class="wb-favicon"
+      href="/libraries/theme-gcweb/assets/favicon-mobile.png">
+    <link href="/libraries/theme-gcweb/assets/favicon.ico" rel="icon" type="image/x-icon"
+      class="wb-init wb-favicon-inited">
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/wet-boew.css">
+    <script src="/core/assets/vendor/jquery/jquery.min.js?v=3.4.1"></script>
+    <script src="/libraries/wet-boew/js/wet-boew.min.js"></script>
+    <script src="/libraries/theme-gcweb/js/theme.min.js"></script>
+    <!--<![endif]-->
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/theme.css">
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/messages.css">
+    <!--[if lt IE 9]>
+    <link href="/libraries/theme-gcweb/assets/favicon.ico" rel="shortcut icon" />
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/messages-ie.min.css">
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/ie8-wet-boew.min.css" />
+    <script src="/libraries/theme-gcweb/js/ie8-wet-boew.min.js"></script>
+    <![endif]-->
+  </head>
+  <body class="splash">
+    <main>
+      <div id="bg"><img id="splash-image" src="/libraries/theme-gcweb/assets/sp-bg-2.jpg" alt=""></div>
+      <main property="mainContentOfPage" typeof="WebPageElement">
+        <div class="sp-hb">
+          <div class="sp-bx col-xs-12">
+            <h1 property="name" class="wb-inv">Canada.ca</h1>
+            <div class="row">
+              <div class="col-xs-11 col-md-8">
+                <img src="/libraries/theme-gcweb/assets/sig-spl.svg" alt="Government of Canada / Gouvernement du Canada">
+              </div>
+            </div>
+            <div class="row">
+              <section class="col-xs-6 text-right">
+                <h2>Canada.ca</h2>
+                <p><a href="/en" class="btn btn-primary">English</a></p>
+              </section>
+              <section class="col-xs-6" lang="fr">
+                <h2>Canada.ca</h2>
+                <p><a href="/fr" class="btn btn-primary">Français</a></p>
+              </section>
+            </div>
+          </div>
+          <div class="sp-bx-bt col-xs-12">
+            <div class="row">
+              <div class="col-xs-7 col-md-8">
+                <a href="https://www.canada.ca/en/transparency/terms.html" class="sp-lk">Terms &amp; conditions</a> <span
+                  class="glyphicon glyphicon-asterisk"></span> <a href="https://www.canada.ca/fr/transparence/avis.html"
+                  class="sp-lk" lang="fr">Avis</a>
+              </div>
+
+              <div class="col-xs-5 col-md-4 text-right mrgn-bttm-md">
+                <img src="/libraries/theme-gcweb/assets/wmms-spl.svg"
+                  alt="Symbol of the Government of Canada / Symbole du gouvernement du Canada">
+              </div>
+            </div>
+          </div>
+        </div>
+      </main>
+  </body>
+</html>
diff --git a/docker/docker-compose.base.yml b/docker/docker-compose.base.yml
new file mode 100644
index 000000000..c12fa1ca7
--- /dev/null
+++ b/docker/docker-compose.base.yml
@@ -0,0 +1,162 @@
+# Docker Compose (v2)
+
+version: "2"
+services:
+  web:
+    build:
+      context: docker/images/ci
+      args:
+        - BASE_IMAGE=${BASE_IMAGE}
+        - http_proxy=${HTTP_PROXY:-}
+        - https_proxy=${HTTP_PROXY:-}
+        - HTTP_PROXY=${HTTP_PROXY:-}
+        - HTTPS_PROXY=${HTTP_PROXY:-}
+        - NO_PROXY=hub,${NO_PROXY:-}
+        - no_proxy=hub,${NO_PROXY:-}
+    environment:
+      - http_proxy=${HTTP_PROXY:-}
+      - https_proxy=${HTTP_PROXY:-}
+      - HTTP_PROXY=${HTTP_PROXY:-}
+      - HTTPS_PROXY=${HTTP_PROXY:-}
+      - NO_PROXY=${NO_PROXY:-}
+      - no_proxy=${NO_PROXY:-}
+      - DB_TYPE=${DB_TYPE:-mysql}
+      - DB_PORT=${DB_PORT:-3306}
+      - DB_NAME=${DB_NAME:-wxt}
+    env_file: .env
+    depends_on:
+      db:
+        condition: service_healthy
+    ports:
+      - "9000"
+    container_name: ${DOCKER_NAME}_web
+
+  cli:
+    build:
+      context: docker/images/ci
+      args:
+        - BASE_IMAGE=${BASE_IMAGE}
+    entrypoint: ["/bin/sleep", "3650d"]
+    environment:
+      - http_proxy=${HTTP_PROXY:-}
+      - https_proxy=${HTTP_PROXY:-}
+      - HTTP_PROXY=${HTTP_PROXY:-}
+      - HTTPS_PROXY=${HTTP_PROXY:-}
+      - NO_PROXY=hub,${NO_PROXY:-}
+      - no_proxy=hub,${NO_PROXY:-}
+      - DB_TYPE=${DB_TYPE:-mysql}
+      - DB_PORT=${DB_PORT:-3306}
+      - DB_NAME=${DB_NAME:-wxt}
+    env_file: .env
+    depends_on:
+      web:
+        condition: service_started
+    container_name: ${DOCKER_NAME}_cli
+
+  nginx:
+    build:
+      context: docker/images/nginx
+      args:
+        - BASE_IMAGE=${BASE_IMAGE}
+    env_file: .env
+    depends_on:
+      web:
+        condition: service_started
+    restart: always
+    ports:
+      - "80:80"
+    container_name: ${DOCKER_NAME}_nginx
+
+  mysql:
+    image: mysql:8.0
+    environment:
+      - MYSQL_ROOT_PASSWORD=root
+      - MYSQL_DATABASE=${DB_NAME}
+    env_file: .env
+    volumes:
+      - db_data:/var/lib/mysql
+      - files_private_data:/var/www/files_private
+    ports:
+      - "3308:3306"
+    container_name: ${DOCKER_NAME}_db
+    command: mysqld --max_allowed_packet=32M
+    healthcheck:
+      test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
+      timeout: 45s
+      interval: 10s
+      retries: 10
+
+  pgsql:
+    image: postgres:12-alpine
+    environment:
+      - POSTGRES_DB=${DB_NAME}
+      - POSTGRES_USER=root
+      - POSTGRES_PASSWORD=root
+      - PGDATA=/var/lib/postgresql/data/pgdata
+    env_file: .env
+    volumes:
+      - ./docker/conf/postgresql/load-extensions.sh:/docker-entrypoint-initdb.d/load-extensions.sh
+      - db_data:/var/lib/postgresql/data
+      - files_private_data:/var/www/files_private
+    ports:
+      - "5432:5432"
+    container_name: ${DOCKER_NAME}_db
+    command:
+      [
+        "-c",
+        "shared_buffers=512MB",
+        "-c",
+        "max_connections=200",
+        "-c",
+        "work_mem=2048MB",
+        "-c",
+        "effective_cache_size=512MB",
+        "-c",
+        "maintenance_work_mem=32MB",
+        "-c",
+        "min_wal_size=512MB",
+        "-c",
+        "max_wal_size=512MB",
+        "-c",
+        "wal_buffers=8048kB",
+      ]
+    healthcheck:
+      test: [ "CMD", "pg_isready", "-q", "-d", "${DB_NAME}", "-U", "root" ]
+      timeout: 45s
+      interval: 10s
+      retries: 10
+
+  hub:
+    image: selenium/hub:4.1.4
+    env_file: .env
+    ports:
+      - "4444:4444"
+    depends_on:
+      db:
+        condition: service_healthy
+      web:
+        condition: service_started
+    container_name: ${DOCKER_NAME}_hub
+    platform: linux/amd64
+
+  firefox:
+    image: selenium/node-firefox:4.1.4
+    environment:
+      SE_EVENT_BUS_HOST: hub
+      SE_EVENT_BUS_PUBLISH_PORT: 4442
+      SE_EVENT_BUS_SUBSCRIBE_PORT: 4443
+    env_file: .env
+    depends_on:
+      db:
+        condition: service_healthy
+      web:
+        condition: service_started
+      hub:
+        condition: service_started
+    container_name: ${DOCKER_NAME}_firefox
+    platform: linux/amd64
+
+volumes:
+  db_data:
+  files_data:
+  files_private_data:
diff --git a/docker/docker-compose.ci.yml b/docker/docker-compose.ci.yml
new file mode 100644
index 000000000..0e6206ca6
--- /dev/null
+++ b/docker/docker-compose.ci.yml
@@ -0,0 +1,51 @@
+# Docker Compose (v2)
+
+version: "2"
+services:
+  web:
+    extends:
+      file: docker-compose.base.yml
+      service: web
+    volumes:
+      - ./docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php:ro
+      - files_data:/var/www/html/sites/default/files
+      - files_private_data:/var/www/files_private
+
+  cli:
+    extends:
+      file: docker-compose.base.yml
+      service: cli
+    volumes:
+      - ./docker/conf/drupal/settings.php:/var/www/html/sites/default/settings.php:ro
+      - ./docker/conf/drupal/default.settings.php:/var/www/html/sites/default/default.settings.php:ro
+      - ./docker/bin:/var/www/docker/bin
+      - files_data:/var/www/html/sites/default/files
+      - files_private_data:/var/www/files_private
+
+  nginx:
+    extends:
+      file: docker-compose.base.yml
+      service: nginx
+    volumes:
+      - ./docker/conf/nginx.conf:/etc/nginx/nginx.conf:ro
+      - files_data:/var/www/html/sites/default/files
+
+  db:
+    extends:
+      file: docker-compose.base.yml
+      service: ${DB_TYPE:-mysql}
+
+  hub:
+    extends:
+      file: docker-compose.base.yml
+      service: hub
+
+  firefox:
+    extends:
+      file: docker-compose.base.yml
+      service: firefox
+
+volumes:
+  db_data:
+  files_data:
+  files_private_data:
diff --git a/docker/docker-compose.mutagen.yml b/docker/docker-compose.mutagen.yml
new file mode 100644
index 000000000..586d22f2b
--- /dev/null
+++ b/docker/docker-compose.mutagen.yml
@@ -0,0 +1,50 @@
+# Docker Compose (v2)
+
+version: "2"
+services:
+  web:
+    extends:
+      file: docker-compose.base.yml
+      service: web
+    build:
+      context: docker/images/dev
+    volumes:
+      - mutagen-cache:/var/www
+
+  cli:
+    extends:
+      file: docker-compose.base.yml
+      service: cli
+    volumes:
+      - mutagen-cache:/var/www
+
+  nginx:
+    extends:
+      file: docker-compose.base.yml
+      service: nginx
+    volumes:
+      - ./docker/conf/nginx.conf:/etc/nginx/nginx.conf:ro
+      - mutagen-cache:/var/www
+
+  db:
+    extends:
+      file: docker-compose.base.yml
+      service: ${DB_TYPE:-mysql}
+
+  hub:
+    extends:
+      file: docker-compose.base.yml
+      service: hub
+
+  firefox:
+    extends:
+      file: docker-compose.base.yml
+      service: firefox
+
+volumes:
+  db_data:
+  files_data:
+  files_private_data:
+  mutagen-cache:
+    external: true
+    name: ${MUTAGEN_VOLUME}
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
new file mode 100644
index 000000000..28c0e85f3
--- /dev/null
+++ b/docker/docker-compose.yml
@@ -0,0 +1,47 @@
+# Docker Compose (v2)
+
+version: "2"
+services:
+  web:
+    extends:
+      file: docker-compose.base.yml
+      service: web
+    build:
+      context: docker/images/dev
+    volumes:
+      - .:/var/www
+
+  cli:
+    extends:
+      file: docker-compose.base.yml
+      service: cli
+    volumes:
+      - ./:/var/www
+
+  nginx:
+    extends:
+      file: docker-compose.base.yml
+      service: nginx
+    volumes:
+      - ./html:/var/www/html
+      - ./docker/conf/nginx.conf:/etc/nginx/nginx.conf:ro
+
+  db:
+    extends:
+      file: docker-compose.base.yml
+      service: ${DB_TYPE:-mysql}
+
+  hub:
+    extends:
+      file: docker-compose.base.yml
+      service: hub
+
+  firefox:
+    extends:
+      file: docker-compose.base.yml
+      service: firefox
+
+volumes:
+  db_data:
+  files_data:
+  files_private_data:
diff --git a/docker/example.env b/docker/example.env
new file mode 100644
index 000000000..069565d79
--- /dev/null
+++ b/docker/example.env
@@ -0,0 +1,15 @@
+BASE_IMAGE=drupalwxt/site-wxt
+DOCKER_NAME=sitewxt
+# This must match the name of your folder
+DOCKER_IMAGE=site-wxt
+# The database name
+DB_NAME=wxt
+# The database type (mysql or pgsql)
+# DB_TYPE=mysql
+# DB_PORT=3306
+# The installation profile (standard, minimal)
+PROFILE_NAME=wxt
+# The relative location of the Behat tests
+BEHAT_PATH=profiles/wxt/tests
+# This must match the name of your mutagen volume
+# MUTAGEN_VOLUME=site-wxt-mutagen-cache
diff --git a/docker/images/appsvc/Dockerfile b/docker/images/appsvc/Dockerfile
new file mode 100644
index 000000000..afad842d6
--- /dev/null
+++ b/docker/images/appsvc/Dockerfile
@@ -0,0 +1,60 @@
+# https://github.com/drupalwxt/docker-scaffold/blob/10.0.x/Dockerfile
+ARG BASE_IMAGE
+FROM $BASE_IMAGE as src
+
+ARG VARNISH=false
+
+# Configure supervisor
+RUN apk add --no-cache supervisor
+RUN mkdir -p /etc/supervisor.d/
+RUN mkdir -p /var/log/supervisord/
+COPY conf/supervisord.ini /etc/supervisor.d/supervisord.ini
+
+# Configure nginx
+RUN apk add --no-cache nginx
+RUN mkdir -p /etc/nginx
+
+COPY conf/nginx.conf /etc/nginx/nginx.conf
+
+# Configure cron
+COPY tasks/ /etc/periodic/
+RUN chmod -R +x /etc/periodic/
+
+# Configure varnish
+RUN mkdir -p /etc/varnish
+COPY conf/default.vcl /etc/varnish/default.vcl
+COPY conf/splash.html /etc/varnish/splash.html
+
+RUN if [ "$VARNISH" = "true" ]; then \
+    apk add --no-cache varnish; \
+fi
+
+RUN if [ "$REDIS" = "true" ]; then \
+    apk --update add redis; \
+fi
+
+# ------------------------
+# SSH Server support
+# Alpine Reference: https://docs.microsoft.com/en-us/azure/app-service/configure-custom-container?pivots=container-linux#enable-ssh
+# This is a specfic feature of Azure Web Apps which has its own isolation and should not be used in any other scenario.
+# ------------------------
+
+# Install OpenSSH and set the password for root to "Docker!"
+RUN apk add openssh \
+     && echo "root:Docker!" | chpasswd
+
+# Copy the sshd_config file to the /etc/ssh/ directory
+COPY conf/sshd/sshd_config /etc/ssh/
+
+# Copy and configure the ssh_setup file
+RUN mkdir -p /tmp
+COPY conf/sshd/sshd_setup.sh /tmp
+RUN chmod +x /tmp/sshd_setup.sh \
+    && (sleep 1;/tmp/sshd_setup.sh 2>&1 > /dev/null)
+
+COPY conf/sshd/sshd_init.sh /etc/ssh/
+
+# Open port 2222 for SSH access
+EXPOSE 80 2222
+ENTRYPOINT ["/etc/ssh/sshd_init.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor.d/supervisord.ini"]
diff --git a/docker/images/appsvc/conf/default.vcl b/docker/images/appsvc/conf/default.vcl
new file mode 100644
index 000000000..3c9978364
--- /dev/null
+++ b/docker/images/appsvc/conf/default.vcl
@@ -0,0 +1,202 @@
+vcl 4.0;
+
+import std;
+import directors;
+
+backend nginx {
+  .host = "localhost";
+  .host_header = "nginx";
+  .port = "8080";
+}
+
+sub vcl_init {
+  new backends = directors.round_robin();
+  backends.add_backend(nginx);
+}
+
+sub vcl_recv {
+  set req.http.X-Forwarded-Host = req.http.Host;
+  if (!req.http.X-Forwarded-Proto) {
+    set req.http.X-Forwarded-Proto = "http";
+  }
+
+  # Answer healthcheck
+  if (req.url == "/_healthcheck" || req.url == "/healthcheck.txt") {
+    return (synth(700, "HEALTHCHECK"));
+  }
+
+  # Answer splashpage
+  if (req.url == "/") {
+    return (synth(701, "SPLASH"));
+  }
+
+  set req.backend_hint = backends.backend();
+
+  # Always cache certain file types
+  # Remove cookies that Drupal doesn't care about
+  if (req.url ~ "(?i)\.(asc|dat|tgz|png|gif|jpeg|jpg|ico|swf|css|js)(\?.*)?$") {
+    unset req.http.Cookie;
+  } else if (req.http.Cookie) {
+    set req.http.Cookie = ";" + req.http.Cookie;
+    set req.http.Cookie = regsuball(req.http.Cookie, "; +", ";");
+    set req.http.Cookie = regsuball(req.http.Cookie, ";(SESS[a-z0-9]+|SSESS[a-z0-9]+|NO_CACHE)=", "; \1=");
+    set req.http.Cookie = regsuball(req.http.Cookie, ";[^ ][^;]*", "");
+    set req.http.Cookie = regsuball(req.http.Cookie, "^[; ]+|[; ]+$", "");
+    if (req.http.Cookie == "") {
+        unset req.http.Cookie;
+    } else {
+        return (pass);
+    }
+  }
+  # If POST, PUT or DELETE, then don't cache
+  if (req.method == "POST" || req.method == "PUT" || req.method == "DELETE") {
+    return (pass);
+  }
+  # Happens before we check if we have this in cache already.
+  #
+  # Typically you clean up the request here, removing cookies you don't need,
+  # rewriting the request, etc.
+  return (hash);
+  #return (pass);
+}
+
+sub vcl_backend_fetch {
+  # NEW
+  set bereq.http.Host = "nginx";
+
+  # Don't add 127.0.0.1 to X-Forwarded-For
+  set bereq.http.X-Forwarded-For = regsub(bereq.http.X-Forwarded-For, "(, )?127\.0\.0\.1$", "");
+}
+
+sub vcl_backend_response {
+  if (beresp.http.Location && beresp.http.Location !~ "^https://api.twitter.com/") {
+    set beresp.http.Location = regsub(
+      beresp.http.Location,
+      "^https?://[^/]+/",
+      bereq.http.X-Forwarded-Proto + "://" + bereq.http.X-Forwarded-Host + "/"
+    );
+  }
+  # Only cache select response codes
+  if (beresp.status == 200 || beresp.status == 203 || beresp.status == 204 || beresp.status == 206 || beresp.status == 300 || beresp.status == 301 || beresp.status == 404 || beresp.status == 405 || beresp.status == 410 || beresp.status == 414 || beresp.status == 501) {
+    # Cache for 5 minutes
+    set beresp.ttl = 5m;
+    set beresp.grace = 12h;
+    set beresp.keep = 24h;
+  } else {
+    set beresp.ttl = 0s;
+  }
+}
+
+sub vcl_deliver {
+  # Remove identifying information
+  unset resp.http.Server;
+  unset resp.http.X-Powered-By;
+  unset resp.http.X-Varnish;
+  unset resp.http.Via;
+
+  # Comment these for easier Drupal cache tag debugging in development.
+  unset resp.http.Cache-Tags;
+  unset resp.http.X-Drupal-Cache-Contexts;
+
+  # Add Content-Security-Policy
+  # set resp.http.Content-Security-Policy = "default-src 'self' *.example.ca *.example.ca; style-src 'self' 'unsafe-inline' *.example.ca https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.example.ca  *.adobedtm.com use.fontawesome.com blob:; connect-src 'self' *.example.ca *.omtrdc.net *.demdex.net *.everesttech.net; img-src 'self' *.example.ca *.omtrdc.net *.demdex.net *.everesttech.net data:; font-src 'self' *.example.ca https://fonts.gstatic.com";
+
+  # Add CORS Headers
+  # if (req.http.Origin ~ "(?i)\.example\.ca$") {
+  #   if (req.url ~ "\.(ttd|woff|woff2)(\?.*)?$") {
+  #     set resp.http.Access-Control-Allow-Origin = "*";
+  #     set resp.http.Access-Control-Allow-Methods = "GET";
+  #   }
+  # }
+
+  # Add X-Frame-Options
+  # if (req.url ~ "^/(en/|fr/)?media/") {
+  #   set resp.http.X-Frame-Options = "SAMEORIGIN";
+  # } else {
+  #   set resp.http.X-Frame-Options = "DENY";
+  # }
+
+  set resp.http.X-Content-Type-Options = "nosniff";
+  set resp.http.X-XSS-Protection = "1; mode=block";
+  set resp.http.Strict-Transport-Security = "max-age=2629800";
+
+  if (req.url ~ "^/(en/|fr/)?(search/|recherche/)site/") {
+    set resp.http.X-Robots-Tag = "noindex, nofollow";
+  }
+
+  # Happens when we have all the pieces we need, and are about to send the
+  # response to the client.
+  #
+  # You can do accounting or modifying the final object here.
+  if (obj.hits > 0) {
+    set resp.http.X-Cache = "HIT";
+  } else {
+    set resp.http.X-Cache = "MISS";
+  }
+  # Handle errors
+  # if ( (resp.status >= 500 && resp.status <= 599)
+  #   || resp.status == 400
+  #   || resp.status == 401
+  #   || resp.status == 403
+  #   || resp.status == 404) {
+  #   return (synth(resp.status));
+  # }
+}
+
+sub vcl_synth {
+  # Remove identifying information
+  unset resp.http.Server;
+  unset resp.http.X-Powered-By;
+  unset resp.http.X-Varnish;
+  unset resp.http.Via;
+
+  # Add Content-Security-Policy
+  # set resp.http.Content-Security-Policy = "default-src 'self' *.example.ca; style-src 'self' 'unsafe-inline' *.example.ca; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.example.ca *.adobedtm.com use.fontawesome.com blob:; connect-src 'self' *.example.ca *.omtrdc.net *.demdex.net *.everesttech.net; img-src 'self' *.example.ca data:;";
+  # set resp.http.X-Content-Type-Options = "nosniff";
+  # set resp.http.X-Frame-Options = "DENY";
+  # set resp.http.X-XSS-Protection = "1; mode=block";
+
+  set resp.http.Strict-Transport-Security = "max-age=2629800";
+
+  # if (resp.status >= 500 && resp.status <= 599) {
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/503.html"));
+  #   return (deliver);
+  # } elseif (resp.status == 400) { # 400 - Bad Request
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/400.html"));
+  #   return (deliver);
+  # } elseif (resp.status == 401) { # 401 - Unauthorized
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/401.html"));
+  #   return (deliver);
+  # } elseif (resp.status == 403) { # 403 - Forbidden
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/403.html"));
+  #   return (deliver);
+  # } elseif (resp.status == 404) { # 404 - Not Found
+  #   set resp.http.Content-Type = "text/html; charset=utf-8";
+  #   synthetic(std.fileread("/data/configuration/varnish/errors/404.html"));
+  #   return (deliver);
+  # } else
+  if (resp.status == 700) { # Respond to healthcheck
+    set resp.status = 200;
+    set resp.http.Content-Type = "text/plain";
+    synthetic ( {"OK"} );
+    return (deliver);
+  } elseif (resp.status == 701) { # Respond to splash
+    set resp.status = 200;
+    set resp.http.Content-Type = "text/html";
+    synthetic(std.fileread("/etc/varnish/splash.html"));
+    return (deliver);
+  }
+}
+
+##
+# ERROR HANDLING
+##
+# sub vcl_backend_error {
+#   set beresp.http.Content-Type = "text/html; charset=utf-8";
+#   synthetic(std.fileread("/data/configuration/varnish/errors/503.html"));
+#   return (deliver);
+# }
diff --git a/docker/images/appsvc/conf/nginx.conf b/docker/images/appsvc/conf/nginx.conf
new file mode 100644
index 000000000..62a12f94f
--- /dev/null
+++ b/docker/images/appsvc/conf/nginx.conf
@@ -0,0 +1,165 @@
+# https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
+error_log /proc/self/fd/2;
+pid /var/run/nginx.pid;
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 100000;
+
+events {
+  multi_accept on;
+  use epoll;
+  worker_connections 8192;
+}
+
+http {
+  access_log /proc/self/fd/1;
+  client_max_body_size 20m;
+  default_type application/octet-stream;
+  fastcgi_buffers 8 16k;
+  fastcgi_buffer_size 32k;
+  gzip on;
+  gzip_buffers 16 8k;
+  gzip_comp_level 4;
+  gzip_disable msie6;
+  gzip_proxied off;
+  gzip_types application/json;
+  gzip_vary on;
+  include /etc/nginx/mime.types;
+  index index.html index.htm;
+  keepalive_timeout 120;
+  proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=one:8m max_size=3000m inactive=600m;
+  proxy_temp_path /var/tmp;
+  sendfile on;
+  server_tokens off;
+  tcp_nopush on;
+  types_hash_max_size 2048;
+
+  server {
+      # IPv4
+      listen 8080;
+
+      # IPv6
+      listen [::]:8080;
+
+      # Filesystem root of the site and index with fallback.
+      root /var/www/html;
+      index index.php index.html index.htm;
+
+      # Make site accessible.
+      server_name drupal.dev;
+
+      location = /favicon.ico {
+          log_not_found off;
+          access_log off;
+      }
+
+      location = /robots.txt {
+          allow all;
+          log_not_found off;
+          access_log off;
+      }
+
+      location ~ \..*/.*\.php$ {
+          return 403;
+      }
+
+      location ~ ^/sites/.*/private/ {
+          return 403;
+      }
+
+      # Block access to scripts in site files directory
+      location ~ ^/sites/[^/]+/files/.*\.php$ {
+          deny all;
+      }
+
+      # Allow "Well-Known URIs" as per RFC 5785
+      location ~* ^/.well-known/ {
+          allow all;
+      }
+
+      # Block access to "hidden" files and directories whose names begin with a
+      # period. This includes directories used by version control systems such
+      # as Subversion or Git to store control files.
+      location ~ (^|/)\. {
+          return 403;
+      }
+
+      location / {
+          # First attempt to serve request as file, then
+          # as directory, then fall back to displaying a 404.
+          try_files $uri $uri/ /index.html /index.php?$query_string;
+      }
+
+      location @rewrite {
+          # For Drupal >= 7
+          rewrite ^ /index.php;
+      }
+
+      # Don't allow direct access to PHP files in the vendor directory.
+      location ~ /vendor/.*\.php$ {
+          deny all;
+          return 404;
+      }
+
+      # Protect files and directories from prying eyes.
+      location ~* \.(engine|ht|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|/(\.(?!well-known).*)|composer\.(json|lock)|web\.config$|/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+          deny all;
+          return 404;
+      }
+
+      # In Drupal 8, we must also match new paths where the '.php' appears in
+      # the middle, such as update.php/selection. The rule we use is strict,
+      # and only allows this pattern with the update.php front controller.
+      # This allows legacy path aliases in the form of
+      # blog/index.php/legacy-path to continue to route to Drupal nodes. If
+      # you do not have any paths like that, then you might prefer to use a
+      # laxer rule, such as:
+      #   location ~ \.php(/|$) {
+      # The laxer rule will continue to work if Drupal uses this new URL
+      # pattern with front controllers other than update.php in a future
+      # release.
+      location ~ '\.php$|^/update.php' {
+        proxy_intercept_errors on;
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+        # Ensure the php file exists. Mitigates CVE-2019-11043
+        try_files $fastcgi_script_name =404;
+        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+        include fastcgi_params;
+        # Block httpoxy attacks. See https://httpoxy.org/.
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param QUERY_STRING $query_string;
+        fastcgi_intercept_errors on;
+        # For the appsvc image please use
+        fastcgi_pass 127.0.0.1:9000;
+        # fastcgi_pass web:9000;
+      }
+
+      location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+          try_files $uri @rewrite;
+          expires max;
+          log_not_found off;
+      }
+
+      # Fighting with Styles
+      location ~ ^/sites/.*/files/styles/ {
+          # For Drupal >= 7
+          try_files $uri @rewrite;
+      }
+
+      # Handle private files through Drupal. Private file's path can come
+      # with a language prefix.
+      location ~ ^(/[a-z\-]+)?/system/files/ {
+          # For Drupal >= 7
+          try_files $uri /index.php?$query_string;
+      }
+
+      # Enforce clean URLs
+      # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+      # Could be done with 301 for permanent or other redirect codes.
+      if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+          return 307 $1$2;
+      }
+  }
+}
diff --git a/docker/images/appsvc/conf/splash.html b/docker/images/appsvc/conf/splash.html
new file mode 100644
index 000000000..345c8069d
--- /dev/null
+++ b/docker/images/appsvc/conf/splash.html
@@ -0,0 +1,95 @@
+<!DOCTYPE html>
+  <!--[if lt IE 9]><html class="no-js lt-ie9" lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml"><![endif]-->
+  <!--[if gt IE 8]><!-->
+  <html dir="ltr" xmlns="http://www.w3.org/1999/xhtml" lang="en">
+  <!--<![endif]-->
+  <head>
+    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta charset="utf-8">
+    <!-- Web Experience Toolkit (WET) / Boîte à outils de l'expérience Web (BOEW) wet-boew.github.io/wet-boew/License-en.html / wet-boew.github.io/wet-boew/Licence-fr.html -->
+    <title>Canada.ca</title>
+    <meta content="width=device-width,initial-scale=1" name="viewport">
+    <meta name="description"
+      content="The Government of Canada website is a single point of access to all programs, services, departments, ministries and organizations of the Government of Canada.">
+    <meta name="description" lang="fr"
+      content="Le site Web du gouvernement du Canada fournit un point d'accès complet à tous les programmes, services, départements, ministères et organismes du gouvernement du Canada.">
+    <meta name="dcterms.creator"
+      content="Government of Canada">
+    <meta name="dcterms.creator" lang="fr"
+      content="Gouvernement du Canada">
+    <meta name="dcterms.title" content="Canada.ca">
+    <meta name="dcterms.title" lang="fr" content="Canada.ca">
+    <meta name="dcterms.issued" title="W3CDTF" content="2021-11-01">
+    <meta name="dcterms.modified" title="W3CDTF" content="2021-11-01">
+    <meta name="dcterms.subject" title="gccore"
+      content="GV Government and Politics">
+    <meta name="dcterms.subject" lang="fr" title="gccore"
+      content="GV Gouvernement et vie politique">
+    <meta name="dcterms.language" title="ISO639-2" content="eng">
+    <meta name="dcterms.language" lang="fr" title="ISO639-2" content="fra">
+    <meta name="dcterms.spatial" content="Canada" />
+    <meta name="dcterms.spatial" lang="fr" content="Canada" />
+    <meta name="dcterms.type" content="navigation page" />
+    <meta name="dcterms.type" lang="fr" content="page de navigation" />
+    <meta name="robots" content="noindex, follow" />
+    <!--[if gte IE 9 | !IE ]><!-->
+    <link rel="apple-touch-icon" sizes="57x57 72x72 114x114 144x144 150x150" class="wb-favicon"
+      href="/libraries/theme-gcweb/assets/favicon-mobile.png">
+    <link href="/libraries/theme-gcweb/assets/favicon.ico" rel="icon" type="image/x-icon"
+      class="wb-init wb-favicon-inited">
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/wet-boew.css">
+    <script src="/core/assets/vendor/jquery/jquery.min.js?v=3.4.1"></script>
+    <script src="/libraries/wet-boew/js/wet-boew.min.js"></script>
+    <script src="/libraries/theme-gcweb/js/theme.min.js"></script>
+    <!--<![endif]-->
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/theme.css">
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/messages.css">
+    <!--[if lt IE 9]>
+    <link href="/libraries/theme-gcweb/assets/favicon.ico" rel="shortcut icon" />
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/messages-ie.min.css">
+    <link rel="stylesheet" href="/libraries/theme-gcweb/css/ie8-wet-boew.min.css" />
+    <script src="/libraries/theme-gcweb/js/ie8-wet-boew.min.js"></script>
+    <![endif]-->
+  </head>
+  <body class="splash">
+    <main>
+      <div id="bg"><img id="splash-image" src="/libraries/theme-gcweb/assets/sp-bg-2.jpg" alt=""></div>
+      <main property="mainContentOfPage" typeof="WebPageElement">
+        <div class="sp-hb">
+          <div class="sp-bx col-xs-12">
+            <h1 property="name" class="wb-inv">Canada.ca</h1>
+            <div class="row">
+              <div class="col-xs-11 col-md-8">
+                <img src="/libraries/theme-gcweb/assets/sig-spl.svg" alt="Government of Canada / Gouvernement du Canada">
+              </div>
+            </div>
+            <div class="row">
+              <section class="col-xs-6 text-right">
+                <h2>Canada.ca</h2>
+                <p><a href="/en" class="btn btn-primary">English</a></p>
+              </section>
+              <section class="col-xs-6" lang="fr">
+                <h2>Canada.ca</h2>
+                <p><a href="/fr" class="btn btn-primary">Français</a></p>
+              </section>
+            </div>
+          </div>
+          <div class="sp-bx-bt col-xs-12">
+            <div class="row">
+              <div class="col-xs-7 col-md-8">
+                <a href="https://www.canada.ca/en/transparency/terms.html" class="sp-lk">Terms &amp; conditions</a> <span
+                  class="glyphicon glyphicon-asterisk"></span> <a href="https://www.canada.ca/fr/transparence/avis.html"
+                  class="sp-lk" lang="fr">Avis</a>
+              </div>
+
+              <div class="col-xs-5 col-md-4 text-right mrgn-bttm-md">
+                <img src="/libraries/theme-gcweb/assets/wmms-spl.svg"
+                  alt="Symbol of the Government of Canada / Symbole du gouvernement du Canada">
+              </div>
+            </div>
+          </div>
+        </div>
+      </main>
+  </body>
+</html>
diff --git a/docker/images/appsvc/conf/sshd/sshd_config b/docker/images/appsvc/conf/sshd/sshd_config
new file mode 100644
index 000000000..590075bca
--- /dev/null
+++ b/docker/images/appsvc/conf/sshd/sshd_config
@@ -0,0 +1,16 @@
+#
+# /etc/ssh/sshd_config
+#
+
+Port                   2222
+ListenAddress          0.0.0.0
+LoginGraceTime         180
+X11Forwarding          yes
+Ciphers                aes128-cbc,3des-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
+MACs                   hmac-sha1,hmac-sha1-96
+StrictModes            yes
+SyslogFacility         DAEMON
+PasswordAuthentication yes
+PermitEmptyPasswords   no
+PermitRootLogin        yes
+Subsystem              sftp internal-sftp
diff --git a/docker/images/appsvc/conf/sshd/sshd_init.sh b/docker/images/appsvc/conf/sshd/sshd_init.sh
new file mode 100755
index 000000000..e11981ee2
--- /dev/null
+++ b/docker/images/appsvc/conf/sshd/sshd_init.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+echo "Starting SSH..."
+/usr/sbin/sshd
+
+# Get environment variables to show up in SSH session
+# https://docs.microsoft.com/en-us/answers/questions/179503/webapp-for-containers-app-settings-not-passed-thro.html
+eval $(printenv | sed -n "s/^\([^=]\+\)=\(.*\)$/export \1=\2/p" | sed 's/"/\\\"/g' | sed '/=/s//="/' | sed 's/$/"/' >> /etc/profile)
+
+echo "Starting PHP-FPM..."
+exec docker-php-entrypoint "$@"
diff --git a/docker/images/appsvc/conf/sshd/sshd_setup.sh b/docker/images/appsvc/conf/sshd/sshd_setup.sh
new file mode 100755
index 000000000..b0eb88657
--- /dev/null
+++ b/docker/images/appsvc/conf/sshd/sshd_setup.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+ssh-keygen -A
+
+#prepare run dir
+if [ ! -d "/var/run/sshd" ]; then
+    mkdir -p /var/run/sshd
+fi
diff --git a/docker/images/appsvc/conf/supervisord.ini b/docker/images/appsvc/conf/supervisord.ini
new file mode 100644
index 000000000..e18764246
--- /dev/null
+++ b/docker/images/appsvc/conf/supervisord.ini
@@ -0,0 +1,43 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/log/supervisord/supervisord.pid
+
+[program:cron]
+command=/usr/sbin/crond -f
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+autorestart=true
+
+[program:nginx]
+command=nginx
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=false
+startretries=0
+
+[program:php-fpm]
+command=php-fpm
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:varnish]
+command=varnishd -f /etc/varnish/default.vcl
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:redis]
+command=/usr/bin/redis-server
+autostart=true
+autorestart=true
+stdout_logfile=/var/log/redis/stdout.log
+stderr_logfile=/var/log/redis/stderr.log
\ No newline at end of file
diff --git a/docker/images/appsvc/tasks/15min/.gitkeep b/docker/images/appsvc/tasks/15min/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/docker/images/appsvc/tasks/daily/.gitkeep b/docker/images/appsvc/tasks/daily/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/docker/images/appsvc/tasks/hourly/core-cron b/docker/images/appsvc/tasks/hourly/core-cron
new file mode 100755
index 000000000..ddac72e4d
--- /dev/null
+++ b/docker/images/appsvc/tasks/hourly/core-cron
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin
+CRON=core-cron
+DRUPAL=/var/www/html
+DRUSH=`which drush`
+
+if [ ! -f $DRUSH ]
+then
+  echo `date`" - Drush not found: Skipping Cron"
+  exit
+fi
+
+# Run the cron.
+echo `date`" - Drush: Running Cron"
+$DRUSH --root=$DRUPAL $CRON
diff --git a/docker/images/appsvc/tasks/monthly/.gitkeep b/docker/images/appsvc/tasks/monthly/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/docker/images/ci/.dockerignore b/docker/images/ci/.dockerignore
new file mode 100644
index 000000000..e8e1f66bf
--- /dev/null
+++ b/docker/images/ci/.dockerignore
@@ -0,0 +1,6 @@
+.git
+LICENSE
+VERSION
+README.md
+Changelog.md
+Makefile
diff --git a/docker/images/ci/Dockerfile b/docker/images/ci/Dockerfile
new file mode 100644
index 000000000..0177c0e3e
--- /dev/null
+++ b/docker/images/ci/Dockerfile
@@ -0,0 +1,23 @@
+ARG BASE_IMAGE
+FROM $BASE_IMAGE
+
+COPY php.ini /usr/local/etc/php/php.ini
+
+## START CI
+
+WORKDIR /var/www
+
+RUN ln -s /var/www/vendor/bin/behat /usr/local/bin/behat; \
+    ln -s /var/www/vendor/bin/phpcs /usr/local/bin/phpcs; \
+    ln -s /var/www/vendor/bin/phpmd /usr/local/bin/phpmd; \
+    ln -s /var/www/vendor/bin/phpunit /usr/local/bin/phpunit; \
+    ln -s /var/www/vendor/bin/drupal /usr/local/bin/drupal
+
+RUN phpcs --config-set installed_paths /var/www/vendor/drupal/coder/coder_sniffer
+
+## END CI
+
+WORKDIR /var/www/html
+
+# Reset Cache
+RUN php -r 'opcache_reset();'
diff --git a/docker/images/ci/php.ini b/docker/images/ci/php.ini
new file mode 100644
index 000000000..e1d3e4b85
--- /dev/null
+++ b/docker/images/ci/php.ini
@@ -0,0 +1,7 @@
+[PHP]
+date.timezone = UTC
+zend.assertions = 1
+upload_max_filesize = 32M
+post_max_size = 32M
+file_uploads = On
+memory_limit = 2048M
diff --git a/docker/images/cron/.dockerignore b/docker/images/cron/.dockerignore
new file mode 100644
index 000000000..e8e1f66bf
--- /dev/null
+++ b/docker/images/cron/.dockerignore
@@ -0,0 +1,6 @@
+.git
+LICENSE
+VERSION
+README.md
+Changelog.md
+Makefile
diff --git a/docker/images/cron/Dockerfile b/docker/images/cron/Dockerfile
new file mode 100644
index 000000000..123e4ea5d
--- /dev/null
+++ b/docker/images/cron/Dockerfile
@@ -0,0 +1,8 @@
+ARG BASE_IMAGE
+FROM $BASE_IMAGE
+
+COPY tasks/ /etc/periodic/
+
+RUN chmod -R +x /etc/periodic/
+
+CMD ["crond", "-f", "-d", "8"]
diff --git a/docker/images/cron/tasks/15min/test b/docker/images/cron/tasks/15min/test
new file mode 100755
index 000000000..ddac72e4d
--- /dev/null
+++ b/docker/images/cron/tasks/15min/test
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin
+CRON=core-cron
+DRUPAL=/var/www/html
+DRUSH=`which drush`
+
+if [ ! -f $DRUSH ]
+then
+  echo `date`" - Drush not found: Skipping Cron"
+  exit
+fi
+
+# Run the cron.
+echo `date`" - Drush: Running Cron"
+$DRUSH --root=$DRUPAL $CRON
diff --git a/docker/images/cron/tasks/daily/.gitkeep b/docker/images/cron/tasks/daily/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/docker/images/cron/tasks/hourly/.gitkeep b/docker/images/cron/tasks/hourly/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/docker/images/cron/tasks/monthly/.gitkeep b/docker/images/cron/tasks/monthly/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/docker/images/dev/.dockerignore b/docker/images/dev/.dockerignore
new file mode 100644
index 000000000..e8e1f66bf
--- /dev/null
+++ b/docker/images/dev/.dockerignore
@@ -0,0 +1,6 @@
+.git
+LICENSE
+VERSION
+README.md
+Changelog.md
+Makefile
diff --git a/docker/images/dev/Dockerfile b/docker/images/dev/Dockerfile
new file mode 100644
index 000000000..67309d1ea
--- /dev/null
+++ b/docker/images/dev/Dockerfile
@@ -0,0 +1,47 @@
+ARG BASE_IMAGE
+FROM $BASE_IMAGE
+
+COPY php.ini /usr/local/etc/php/php.ini
+
+## START CI
+
+WORKDIR /var/www
+
+RUN ln -s /var/www/vendor/bin/behat /usr/local/bin/behat; \
+    ln -s /var/www/vendor/bin/phpcs /usr/local/bin/phpcs; \
+    ln -s /var/www/vendor/bin/phpmd /usr/local/bin/phpmd; \
+    ln -s /var/www/vendor/bin/phpunit /usr/local/bin/phpunit; \
+    ln -s /var/www/vendor/bin/drupal /usr/local/bin/drupal
+
+RUN phpcs --config-set installed_paths /var/www/vendor/drupal/coder/coder_sniffer
+
+## END CI
+
+# XDebug
+# RUN git clone https://github.com/xdebug/xdebug.git /tmp/xdebug; \
+#     mkdir -p /usr/src/php/ext; \
+#     mv /tmp/xdebug /usr/src/php/ext/; \
+#     docker-php-ext-install xdebug
+
+# RUN sed -i '1 a xdebug.remote_autostart=true' /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
+#     sed -i '1 a xdebug.remote_mode=req' /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
+#     sed -i '1 a xdebug.remote_handler=dbgp' /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
+#     sed -i '1 a xdebug.remote_connect_back=1 ' /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
+#     sed -i '1 a xdebug.remote_port=9000' /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
+#     sed -i '1 a xdebug.remote_host=127.0.0.1' /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
+#     sed -i '1 a xdebug.remote_enable=1' /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
+#     sed -i '1 a xdebug.idekey=phpstorm' /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini
+
+# Mac hack to get permissions to work.
+# Set user 1000 and group staff to www-data.
+# https://github.com/boot2docker/boot2docker/issues/581#issuecomment-114804894
+RUN echo "@community http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories
+RUN apk add --update --no-cache shadow@community; \
+    addgroup staff; \
+    usermod -u 1000 www-data; \
+    usermod -G staff www-data
+
+WORKDIR /var/www/html
+
+# Reset Cache
+RUN php -r 'opcache_reset();'
diff --git a/docker/images/dev/php.ini b/docker/images/dev/php.ini
new file mode 100644
index 000000000..f12f140ac
--- /dev/null
+++ b/docker/images/dev/php.ini
@@ -0,0 +1,10 @@
+[PHP]
+date.timezone = UTC
+zend.assertions	= 0
+upload_max_filesize = 32M
+post_max_size = 32M
+file_uploads = On
+memory_limit = 2048M
+xdebug.max_nesting_level = 1000
+opcache.enable = 0
+max_execution_time = 0
diff --git a/docker/images/nginx/Dockerfile b/docker/images/nginx/Dockerfile
new file mode 100644
index 000000000..7df49804d
--- /dev/null
+++ b/docker/images/nginx/Dockerfile
@@ -0,0 +1,9 @@
+ARG BASE_IMAGE
+FROM $BASE_IMAGE as src
+
+FROM nginx:alpine
+
+RUN chgrp -R root /var/cache/nginx /var/run /var/log/nginx && \
+    chmod -R 770 /var/cache/nginx /var/run /var/log/nginx
+
+COPY --from=src /var/www/html /var/www/html
diff --git a/docker/load.environment.php b/docker/load.environment.php
new file mode 100644
index 000000000..eb5e3a0f8
--- /dev/null
+++ b/docker/load.environment.php
@@ -0,0 +1,17 @@
+<?php
+
+/**
+ * This file is included very early. See autoload.files in composer.json and
+ * https://getcomposer.org/doc/04-schema.md#files
+ */
+
+use Dotenv\Dotenv;
+
+/**
+ * Load any .env file. See /.env.example.
+ *
+ * Drupal has no official method for loading environment variables and uses
+ * getenv() in some places.
+ */
+$dotenv = Dotenv::createUnsafeImmutable(__DIR__);
+$dotenv->safeLoad();
diff --git a/docker/patches/.gitkeep b/docker/patches/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/docker/patches/curl-legacy-endpoint.patch b/docker/patches/curl-legacy-endpoint.patch
new file mode 100644
index 000000000..82f183e49
--- /dev/null
+++ b/docker/patches/curl-legacy-endpoint.patch
@@ -0,0 +1,30 @@
+From aa6ff7d1aa04f55d8a4a4be1c6c14b146c984e9c Mon Sep 17 00:00:00 2001
+From: sylus <sylus1984@gmail.com>
+Date: Wed, 3 May 2023 15:54:07 -0400
+Subject: [PATCH] feat(openssl): Support for legacy endpoints
+
+---
+ Dockerfile | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/Dockerfile b/Dockerfile
+index 00d29b2..f2a816a 100644
+--- a/docker/Dockerfile
++++ b/docker/Dockerfile
+@@ -113,3 +113,13 @@ RUN ln -s /var/www/vendor/drush/drush/drush /usr/local/bin/drush
+
+ # Reset Cache
+ RUN php -r 'opcache_reset();'
++
++# OpenSSL 3.0 disables UnsafeLegacyRenegotiation by default, must re-enable it for some endpoints
++RUN sed -i 's/providers = provider_sect/providers = provider_sect\n\
++ssl_conf = ssl_sect\n\
++\n\
++[ssl_sect]\n\
++system_default = system_default_sect\n\
++\n\
++[system_default_sect]\n\
++Options = UnsafeLegacyRenegotiation/' /etc/ssl/openssl.cnf
+--
+2.37.1 (Apple Git-137.1)
+
diff --git a/docker/scripts/ScriptHandler.php b/docker/scripts/ScriptHandler.php
new file mode 100644
index 000000000..202e9e342
--- /dev/null
+++ b/docker/scripts/ScriptHandler.php
@@ -0,0 +1,147 @@
+<?php
+
+/**
+ * @file
+ * Contains \DrupalProject\composer\ScriptHandler.
+ */
+
+namespace DrupalWxT\WxT;
+
+use Composer\Script\Event;
+use Composer\Semver\Comparator;
+use Drupal\Core\Site\Settings;
+use Drupal\Core\Site\SettingsEditor;
+use DrupalFinder\DrupalFinder;
+use Symfony\Component\Filesystem\Filesystem;
+use Symfony\Component\Filesystem\Path;
+
+class ScriptHandler {
+
+  /**
+   * Retrieves the Drupal root directory.
+   *
+   * @param string $project_root
+   *   Drupal root directory.
+   */
+  protected static function getDrupalRoot($project_root) {
+    return $project_root . '/html';
+  }
+
+  /**
+   * Creates the required directory structure.
+   *
+   * @param \Composer\Script\Event $event
+   *   The script event.
+   */
+  public static function createRequiredFiles(Event $event) {
+    $fs = new Filesystem();
+    $drupalFinder = new DrupalFinder();
+    $drupalFinder->locateRoot(getcwd());
+    $drupalRoot = $drupalFinder->getDrupalRoot();
+
+    $dirs = [
+      'modules',
+      'profiles',
+      'themes',
+    ];
+
+    // Required for unit testing
+    foreach ($dirs as $dir) {
+      if (!$fs->exists($drupalRoot . '/'. $dir)) {
+        $fs->mkdir($drupalRoot . '/'. $dir);
+        $fs->touch($drupalRoot . '/'. $dir . '/.gitkeep');
+      }
+    }
+
+    // Prepare the settings file for installation
+    if (!$fs->exists($drupalRoot . '/sites/default/settings.php') && $fs->exists($drupalRoot . '/sites/default/default.settings.php')) {
+      $fs->copy($drupalRoot . '/sites/default/default.settings.php', $drupalRoot . '/sites/default/settings.php');
+      require_once $drupalRoot . '/core/includes/bootstrap.inc';
+      require_once $drupalRoot . '/core/includes/install.inc';
+      new Settings([]);
+      $settings['settings']['config_sync_directory'] = (object) [
+        'value' => Path::makeRelative($drupalFinder->getComposerRoot() . '/config/sync', $drupalRoot),
+        'required' => TRUE,
+      ];
+      SettingsEditor::rewrite($drupalRoot . '/sites/default/settings.php', $settings);
+      $fs->chmod($drupalRoot . '/sites/default/settings.php', 0666);
+      $event->getIO()->write("Created a sites/default/settings.php file with chmod 0666");
+    }
+
+    // Create the files directory with chmod 0777
+    if (!$fs->exists($drupalRoot . '/sites/default/files')) {
+      $oldmask = umask(0);
+      $fs->mkdir($drupalRoot . '/sites/default/files', 0777);
+      umask($oldmask);
+      $event->getIO()->write("Created a sites/default/files directory with chmod 0777");
+    }
+  }
+
+  /**
+   * Checks if the installed version of Composer is compatible.
+   *
+   * Composer 1.0.0 and higher consider a `composer install` without having a
+   * lock file present as equal to `composer update`. We do not ship with a lock
+   * file to avoid merge conflicts downstream, meaning that if a project is
+   * installed with an older version of Composer the scaffolding of Drupal will
+   * not be triggered. We check this here instead of in drupal-scaffold to be
+   * able to give immediate feedback to the end user, rather than failing the
+   * installation after going through the lengthy process of compiling and
+   * downloading the Composer dependencies.
+   *
+   * @see https://github.com/composer/composer/pull/5035
+   */
+  public static function checkComposerVersion(Event $event) {
+    $composer = $event->getComposer();
+    $io = $event->getIO();
+
+    $version = $composer::VERSION;
+
+    // The dev-channel of composer uses the git revision as version number,
+    // try to the branch alias instead.
+    if (preg_match('/^[0-9a-f]{40}$/i', $version)) {
+      $version = $composer::BRANCH_ALIAS_VERSION;
+    }
+
+    // If Composer is installed through git we have no easy way to determine if
+    // it is new enough, just display a warning.
+    if ($version === '@package_version@' || $version === '@package_branch_alias_version@') {
+      $io->writeError('<warning>You are running a development version of Composer. If you experience problems, please update Composer to the latest stable version.</warning>');
+    }
+    elseif (Comparator::lessThan($version, '1.0.0')) {
+      $io->writeError('<error>Drupal-project requires Composer version 1.0.0 or higher. Please update your Composer before continuing</error>.');
+      exit(1);
+    }
+  }
+
+  /**
+   * Post create project script.
+   *
+   * @param \Composer\Script\Event $event
+   *   The script event.
+   */
+  public static function postCreateProject(Event $event) {
+    $composer = $event->getComposer();
+    $composerFile = Factory::getComposerFile();
+    $io = $event->getIO();
+    $name = $composer->getPackage()->getName();
+
+    $projDir = realpath(dirname($composerFile));
+    $projectName = $io->ask('Enter composer project name (drupalwxt/site-wxt): ', 'drupalwxt/site-wxt');
+
+    $finder = new Finder();
+    foreach ($finder->files()->name('/composer\.(json|lock)/i')->in($projDir) as $file) {
+      if (!empty($projectName)) {
+        $file_contents = str_replace("$name", $projectName, $file->getContents());
+        file_put_contents($file->getRealPath(), $file_contents);
+        // reset the project name via reflection.
+        $package = $composer->getPackage();
+        $refl = new \ReflectionProperty(get_class($package), 'name');
+        $refl->setAccessible(true);
+        $refl->setValue($package, $projectName);
+      }
+    }
+
+  }
+
+}