diff --git a/grav-nginx/Dockerfile b/grav-nginx/Dockerfile new file mode 100644 index 0000000..fd75884 --- /dev/null +++ b/grav-nginx/Dockerfile @@ -0,0 +1,61 @@ +FROM nginx:latest +LABEL maintainer="gushmazuko " +LABEL description="Docker Image for Grav based on NGINX" + +# Install dependencies +RUN apt update && apt install -y --no-install-recommends \ + vim\ + zip \ + unzip \ + git \ + php-fpm \ + php-cli \ + php-gd \ + php-curl \ + php-mbstring \ + php-xml \ + php-zip \ + php-apcu \ + cron + +# Configure PHP FPM +# https://learn.getgrav.org/17/webservers-hosting/vps/digitalocean#configure-php7-2-fpm +RUN sed -i "s/.*cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" /etc/php/7.*/fpm/php.ini + +# Set user to www-data +RUN chown www-data:www-data /usr/share/nginx +RUN rm -rf /usr/share/nginx/html +USER www-data + +# Define a specific version of Grav or use latest stable +ENV GRAV_VERSION latest + +# Install grav +WORKDIR /usr/share/nginx +RUN curl -o grav-admin.zip -SL https://getgrav.org/download/core/grav-admin/${GRAV_VERSION} && \ + unzip grav-admin.zip && \ + mv -T /usr/share/nginx/grav-admin /usr/share/nginx/html && \ + rm grav-admin.zip + +# Create cron job for Grav maintenance scripts +# https://learn.getgrav.org/17/advanced/scheduler +RUN (crontab -l; echo "* * * * * cd /usr/share/nginx/html;/usr/bin/php bin/grav scheduler 1>> /dev/null 2>&1") | crontab - + +# Return to root user +USER root + +# Add nginx to www-data group +RUN usermod -aG www-data nginx + +# Replace dafault config files by provided by Grav +# https://learn.getgrav.org/17/webservers-hosting/vps/digitalocean#configure-nginx-connection-pool +RUN rm /etc/php/7.3/fpm/pool.d/www.conf +RUN rm /etc/nginx/conf.d/default.conf +COPY conf/php/grav.conf /etc/php/7.3/fpm/pool.d/ +COPY conf/nginx/grav.conf /etc/nginx/conf.d/ + +# Provide container inside image for data persistence +VOLUME ["/usr/share/nginx/html"] + +# Run startup script +CMD bash -c "service php7.3-fpm start && nginx -g 'daemon off;'" diff --git a/grav-nginx/README.md b/grav-nginx/README.md new file mode 100644 index 0000000..0c595a1 --- /dev/null +++ b/grav-nginx/README.md @@ -0,0 +1,161 @@ +# Docker Grav based on NGINX +![https://hub.docker.com/r/gushmazuko/docker-grav-nginx](https://img.shields.io/docker/cloud/build/gushmazuko/grav-nginx.svg) ![https://hub.docker.com/r/gushmazuko/docker-grav-nginx](https://img.shields.io/docker/cloud/automated/gushmazuko/grav-nginx.svg) + +## Persisting data +To save the Grav site data to the host file system (so that it persists even after the container has been removed), simply map the container's `/usr/share/nginx/html` directory to a named Docker volume or to a directory on the host. + +> If the mapped directory or named volume is empty, it will be automatically populated with a fresh install of Grav the first time that the container starts. However, once the directory/volume has been populated, the data will persist and will not be overwritten the next time the container starts. + +## Building the image from Dockerfile +``` +docker build -t gushmazuko/grav-nginx:latest . +``` + +## Running Grav Image with Latest Grav + Admin with a named volume (can be used in production) +``` +docker run -d -p 8000:80 --restart always -v grav_data:/usr/share/nginx/html gushmazuko/grav-nginx:latest +``` +Point browser to `http://localhost:8000` and create user account... + +## Running Grav Image with docker-compose and a volume mapped to a local directory +Run `docker-compose up -d` with the following docker-compose configuration. Then the Grav container will be started with all of the site data persisted to a named volume (stored in the `./grav_data` directory). + +``` +version: "3.8" +services: + grav: + image: gushmazuko/grav-nginx:latest + container_name: ${SERVICE}_grav + restart: unless-stopped + environment: + TZ: ${TZ} + ports: + - 80:80 + - 443:443 + volumes: + - grav:/usr/share/nginx/html +# - ./conf/nginx/:/etc/nginx/conf.d/ +# - ./conf/php/:/etc/php/7.3/fpm/pool.d/ + networks: + - web +networks: + web: + external: true +volumes: + grav: + driver: local + driver_opts: + type: none + device: $PWD/grav_data + o: bind +``` + +* Edit `.env` environment file +``` +SERVICE=mysite +DOMAIN_NAME=example.com +SERVICE_PORT=80 +TZ=Europe/Berlin +``` + +## Editing `NGINX` & `FPM` configuration (Optional) + +* Uncomment theses lines in `docker-compose.yml` +``` +# - ./conf/nginx/:/etc/nginx/conf.d/ +# - ./conf/php/:/etc/php/7.3/fpm/pool.d/ +``` + +* Then modify `NGINX` site config `./conf/nginx/grav.conf` + +``` +server { + listen 80; + index index.html index.php; + + ## Begin - Server Info + root /usr/share/nginx/html; + server_name gravsite; + ## End - Server Info + + ## Begin - Index + # for subfolders, simply adjust: + # `location /subfolder {` + # and the rewrite to use `/subfolder/index.php` + location / { + try_files $uri $uri/ /index.php?$query_string; + } + ## End - Index + + ## Begin - Security + # deny all direct access for these folders + location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; } + # deny running scripts inside core system folders + location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny running scripts inside user folder + location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny access to specific files in the root folder + location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; } + ## End - Security + + ## Begin - PHP + location ~ \.php$ { + # Choose either a socket or TCP/IP address + fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; + # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy + # fastcgi_pass 127.0.0.1:9000; + + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; + } + ## End - PHP +} +``` +* And `FPM` config `./conf/php/grav.conf` + +``` +[grav] + +user = www-data +group = www-data + +listen = /var/run/php/php7.3-fpm.sock + +listen.owner = www-data +listen.group = www-data + +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 + +chdir = / +```` + +## Using `Traefik` instead `port mapping` (Optional) +* Comment theses lines in `docker-compose.yml` + +``` +ports: + - 80:80 + - 443:443 +``` + +* And add `Traefik` labels into `docker-compose.yml` [More Info About](https://github.com/gushmazuko/dockers_template/tree/master/traefik) +``` +labels: + - "traefik.enable=true" + # http + - "traefik.http.routers.${SERVICE}.rule=Host(`${DOMAIN_NAME}`)" + - "traefik.http.services.${SERVICE}.loadbalancer.server.port=${SERVICE_PORT}" + - "traefik.http.routers.${SERVICE}_redirect.rule=Host(`${DOMAIN_NAME}`)" + - "traefik.http.routers.${SERVICE}_redirect.entrypoints=web" + # redirect to https + - "traefik.http.routers.${SERVICE}.tls.certresolver=le" + - "traefik.http.routers.${SERVICE}.entrypoints=web-secure" + - "traefik.http.middlewares.${SERVICE}_https.redirectscheme.scheme=https" + - "traefik.http.routers.${SERVICE}_redirect.middlewares=${SERVICE}_https" +``` diff --git a/grav-nginx/conf/nginx/grav.conf b/grav-nginx/conf/nginx/grav.conf new file mode 100755 index 0000000..c120982 --- /dev/null +++ b/grav-nginx/conf/nginx/grav.conf @@ -0,0 +1,43 @@ +server { + listen 80; + index index.html index.php; + + ## Begin - Server Info + root /usr/share/nginx/html; + server_name gravsite; + ## End - Server Info + + ## Begin - Index + # for subfolders, simply adjust: + # `location /subfolder {` + # and the rewrite to use `/subfolder/index.php` + location / { + try_files $uri $uri/ /index.php?$query_string; + } + ## End - Index + + ## Begin - Security + # deny all direct access for these folders + location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; } + # deny running scripts inside core system folders + location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny running scripts inside user folder + location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } + # deny access to specific files in the root folder + location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; } + ## End - Security + + ## Begin - PHP + location ~ \.php$ { + # Choose either a socket or TCP/IP address + fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; + # fastcgi_pass unix:/var/run/php5-fpm.sock; #legacy + # fastcgi_pass 127.0.0.1:9000; + + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; + } + ## End - PHP +} diff --git a/grav-nginx/conf/php/grav.conf b/grav-nginx/conf/php/grav.conf new file mode 100755 index 0000000..5f333de --- /dev/null +++ b/grav-nginx/conf/php/grav.conf @@ -0,0 +1,17 @@ +[grav] + +user = www-data +group = www-data + +listen = /var/run/php/php7.3-fpm.sock + +listen.owner = www-data +listen.group = www-data + +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 + +chdir = / diff --git a/grav-nginx/docker-compose.yml b/grav-nginx/docker-compose.yml new file mode 100644 index 0000000..259abee --- /dev/null +++ b/grav-nginx/docker-compose.yml @@ -0,0 +1,39 @@ +version: "3.8" +services: + grav: + image: gushmazuko/grav-nginx:latest + container_name: ${SERVICE}_grav + restart: unless-stopped + environment: + TZ: ${TZ} + volumes: + - grav:/usr/share/nginx/html +# - ./conf/nginx/:/etc/nginx/conf.d/ +# - ./conf/php/:/etc/php/7.3/fpm/pool.d/ + labels: + - "traefik.enable=true" + # http + - "traefik.http.routers.${SERVICE}.rule=Host(`${DOMAIN_NAME}`)" + - "traefik.http.services.${SERVICE}.loadbalancer.server.port=${SERVICE_PORT}" + - "traefik.http.routers.${SERVICE}_redirect.rule=Host(`${DOMAIN_NAME}`)" + - "traefik.http.routers.${SERVICE}_redirect.entrypoints=web" + # redirect to https + - "traefik.http.routers.${SERVICE}.tls.certresolver=le" + - "traefik.http.routers.${SERVICE}.entrypoints=web-secure" + - "traefik.http.middlewares.${SERVICE}_https.redirectscheme.scheme=https" + - "traefik.http.routers.${SERVICE}_redirect.middlewares=${SERVICE}_https" + # auth with authelia + # - "traefik.http.routers.${SERVICE}.middlewares=authelia@file" + networks: + - web +networks: + web: + external: true + +volumes: + grav: + driver: local + driver_opts: + type: none + device: $PWD/grav_data + o: bind diff --git a/grav-nginx/grav_data/.gitkeep b/grav-nginx/grav_data/.gitkeep new file mode 100644 index 0000000..e69de29