Commit 709aa0d3 authored by ale's avatar ale

Initial commit

[submodule "noblogs"]
path = noblogs
url = git@git.autistici.org:ai/noblogs-wp.git
FROM bitnami/minideb:stretch
COPY noblogs /opt/noblogs/www
COPY conf /tmp/conf
COPY build.sh /tmp/build.sh
RUN /tmp/build.sh && rm /tmp/build.sh
EXPOSE 83
ENTRYPOINT ["/usr/local/bin/chaperone"]
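Review bot: The final image never sets `USER`, so chaperone and the apache2/php-fpm masters it launches run as root; that is presumably intentional because `EXPOSE 83` is a privileged port and both daemons drop their workers to www-data themselves, but nothing in the file records the decision. A comment above the entrypoint such as `# runs as root on purpose: apache2/php-fpm must bind :83 and demote their workers to www-data` would make it explicit. `FROM bitnami/minideb:stretch` is tagged but not pinned by digest, so two builds of this commit can resolve to different base layers; a `@sha256:<base-image-digest>` suffix fixes that. There is also no `HEALTHCHECK` for what is a long-running service, and since build.sh purges `curl` the probe would need to rely on a tool that stays in the image.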
#!/bin/sh
#
# Install script for git.autistici.org/ai/website
# inside a Docker container.
#
# The installation procedure requires installing some
# dedicated packages, so we have split it out to a script
# for legibility.
# Packages that are only used to build the site. These will be
# removed once we're done.
BUILD_PACKAGES="rsync"
# Packages required to serve the website and run the services.
# We have to keep the python3 packages around in order to run
# chaperone (installed via pip).
PACKAGES="
apache2
apache-exporter
libapache2-mod-removeip
libapache2-mod-xsendfile
libapache2-mod-security2
modsecurity-crs
php-cli
php-fpm
php-mysql
php-gd
php-memcache
php-mcrypt
python3-pip
python3-setuptools
python3-wheel
"
# Apache modules to enable.
APACHE_MODULES_ENABLE="
headers
proxy_fcgi
removeip
rewrite
security2
setenvif
xsendfile
"
# Apache modules that are enabled by default by the Debian package,
# and that we want to disable.
APACHE_MODULES_DISABLE="
ssl
"
# Config snippets to enable for Apache.
APACHE_CONFIG_ENABLE="
metrics
php7.0-fpm
"
# Config snippets to disable.
APACHE_CONFIG_DISABLE="
other-vhosts-access-log
serve-cgi-bin
"
# Sites to enable.
APACHE_SITES="
noblogs.org
noblogs.ai-cdn.net
"
# The default bitnami/minideb image defines an 'install_packages'
# command which is just a convenient helper. Define our own in
# case we are using some other Debian image.
if [ "x$(which install_packages)" = "x" ]; then
install_packages() {
env DEBIAN_FRONTEND=noninteractive apt-get install -qqy --no-install-recommends "$@"
}
fi
set -e
# Install the main A/I package repository.
install_packages curl gnupg
echo "deb http://deb.autistici.org/urepo stretch-ai/" > /etc/apt/sources.list.d/ai.list
curl -s http://deb.autistici.org/repo.key | apt-key add -
apt-get -q update
install_packages ${BUILD_PACKAGES} ${PACKAGES}
# Install the configuration, overlayed over /etc.
rsync -a /tmp/conf/ /etc/
# Create the directories that Apache will need at runtime,
# since we won't be using the init script.
#mkdir /var/run/apache2 /var/lock/apache2
# Enable/disable Apache modules and configs.
a2enmod -q ${APACHE_MODULES_ENABLE}
a2dismod -q -f ${APACHE_MODULES_DISABLE}
a2enconf -q ${APACHE_CONFIG_ENABLE}
a2disconf -q ${APACHE_CONFIG_DISABLE}
a2ensite ${APACHE_SITES}
mkdir -p /var/run/apache2 /var/run/php
# Set up modsecurity.
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
# Install Chaperone (minimalistic init service).
pip3 install chaperone
rm -fr /root/.cache/pip
# Remove packages used for installation.
apt-get remove -y --purge curl gnupg ${BUILD_PACKAGES}
apt-get autoremove -y
apt-get clean
rm -fr /var/lib/apt/lists/*
rm -fr /tmp/conf
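Review bot: The repository signing key is fetched over plain HTTP with `curl -s` and piped straight into `apt-key add -`; `-s` without `-f` plus no `pipefail` means a failed or truncated download is ignored, `set -e` never fires, and whatever body arrives becomes a trusted apt key for every package installed afterwards. Download it to a file over https and check the fingerprint before trusting it: `curl -fsS https://deb.autistici.org/repo.key -o /tmp/repo.key`, `gpg --with-fingerprint /tmp/repo.key | grep -q "<EXPECTED_KEY_FINGERPRINT>"`, `apt-key add /tmp/repo.key` (fingerprint is a placeholder to be filled from the project's documentation). Separately, the fallback `install_packages` defined at the top does not run `apt-get update`, and `install_packages curl gnupg` runs before the `apt-get -q update` further down, so on a non-minideb base (the very case the fallback exists for) the first install would fail on empty package lists; moving the update ahead of it, or into the fallback, fixes that. `pip3 install chaperone` is unpinned as well, so the init system's version changes silently between builds.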
# Forward Prometheus scrapes to the apache-exporter.
ProxyPass /metrics http://127.0.0.1:9117/metrics
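Review bot: `ProxyPass /metrics http://127.0.0.1:9117/metrics` is a server-level directive in a conf snippet, so it is inherited by every `*:83` virtual host, including the public `noblogs.org` / `*.noblogs.org` one, with no access control: anyone who can reach the site can read the exporter output. Wrap it in `<Location /metrics>` with `Require ip <SCRAPER_NETWORK>` (placeholder) or `Require local` if the scraper runs on the same host. Note also that build.sh enables `proxy_fcgi` (which pulls in `proxy`) but not `proxy_http`, which an `http://` backend needs; unless it is enabled somewhere in `conf/` that is not on this page, requests to `/metrics` will fail with "No protocol handler was valid for the URL".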
<Directory />
AllowOverride None
Require all denied
</Directory>
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header set X-Content-Type-Options: "nosniff"
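Review bot: `Header set X-Content-Type-Options: "nosniff"` uses mod_headers' default `onsuccess` condition, so the header is only attached to successful responses and is missing from the 4xx/5xx pages Apache generates itself, which is where sniffing protection matters most; `Header always set X-Content-Type-Options "nosniff"` applies it to both header tables. The trailing colon in the header name is, as far as I recall, stripped by mod_headers, but the documented form has none, so dropping it avoids a second look from the next reader.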
<VirtualHost *:83>
DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:83>
ServerName noblogs.ai-cdn.net
DocumentRoot /opt/noblogs/www
<Directory /opt/noblogs/www>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# Do not send Etag header, nginx cache does not
# (yet?) handle it correctly (TODO: verify this).
FileETag None
</VirtualHost>
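Review bot: `AllowOverride All` on `/opt/noblogs/www` in this vhost (and again in the `noblogs.org` vhost below) lets any `.htaccess` dropped anywhere in the WordPress tree redefine options, handlers and access rules, so a writable location such as an uploads directory can change server behaviour; if WordPress only needs rewrite rules here, `AllowOverride FileInfo` (plus whatever the multisite `.htaccess` actually uses) narrows that. The `FileETag None` comment carries an open TODO to verify the nginx cache's ETag handling; either resolve it or reference where it is tracked, e.g. `# TODO(<ticket>): confirm nginx cache still mishandles ETag`.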
<VirtualHost *:83>
ServerName noblogs.org
ServerAlias *.noblogs.org
DocumentRoot /opt/noblogs/www
SetEnvIf X-Forwarded-Proto https HTTPS=on
LogFormat "%{X-AI-Noblogs-Site}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" http_host_combined
CustomLog "|/usr/bin/logger -t apache -p local3.info" http_host_combined
<Directory /opt/noblogs/www>
Options FollowSymLinks Indexes
AllowOverride All
Require all granted
RewriteEngine On
XSendFile On
XSendFilePath /opt/noblogs/www/wp-content
</Directory>
<Directory /opt/noblogs/www/wp-content>
Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
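Review bot: `Options FollowSymLinks Indexes` enables directory listing for the whole WordPress tree on the public vhost, so any directory without an index file (for example upload directories under `wp-content`) enumerates its contents to anyone; unless listing is a feature, the line should be `Options FollowSymLinks`. The nested `<Directory /opt/noblogs/www/wp-content>` block uses the 2.2-style `Order allow,deny` / `allow from all`, which only works because Debian enables `mod_access_compat`, and it duplicates the `Require all granted` already inherited from the parent block; replacing the pair with `Require all granted` keeps the file on one authorization model, as the Apache docs advise against mixing the two. `SetEnvIf X-Forwarded-Proto https HTTPS=on` trusts the header from whoever connects to :83 directly, which is fine if only the front-end proxy can reach the port but deserves a comment saying so.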
apache2.service: {
command: "bash -c 'source /etc/apache2/envvars && exec /usr/sbin/apache2 -DFOREGROUND'",
kill_signal: SIGWINCH
}
fpm.service: {
command: "/usr/sbin/php-fpm7.0 --force-stderr --nodaemonize"
}
#fakemail.service: {
# command: "python3 -m smtpd -n -c DebuggingServer 0.0.0.0:25",
# env_set: {
# 'PYTHONUNBUFFERED': '1'
# }
#}
console.logging: {
selector: '*.warn',
stdout: true,
}
settings: {
env_set: {
"LANG": "en_us.UTF-8",
"LC_CTYPE": "$(LANG)",
}
}
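Review bot: `"LANG": "en_us.UTF-8"` is not a valid glibc locale name (the territory is uppercase: `en_US.UTF-8`), and build.sh installs no `locales` package, so even the corrected name would be unavailable in this image and every service started by chaperone would inherit a locale setting that `setlocale` rejects. Either switch to `C.UTF-8`, which Debian ships with libc, or add `locales` and generate the locale in build.sh. A one-line comment on the `settings` block explaining why a UTF-8 locale is required (PHP/WordPress string handling, presumably) would help the next reader; `"LC_CTYPE": "$(LANG)"` is fine if chaperone expands `$(VAR)` references as this config assumes.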
SecRuleRemoveById 960015
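Review bot: `SecRuleRemoveById 960015` disables a CRS rule without a reason; in CRS 2.x that id is, as far as I recall, the "request missing an Accept header" check, which commonly trips on monitoring and API clients. A comment such as `# 960015 (missing Accept header): false positives from <client>, see <ticket>` (placeholders) records the justification. Worth stating next to it as well: build.sh installs `modsecurity.conf-recommended` unchanged, and that file ships with `SecRuleEngine DetectionOnly`, so unless something in `conf/` not shown here overrides it, the engine is logging rather than blocking; whichever mode is intended should be written down here.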
[www]
user = www-data
group = www-data
listen = /run/php/php7.0-fpm.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 125
pm.start_servers = 3
pm.min_spare_servers = 3
pm.max_spare_servers = 10
pm.max_requests = 10000
pm.status_path = /status
chdir = /
php_admin_value[opcache.enable] = 1
php_admin_value[opcache.memory_consumption] = 256
php_admin_value[opcache.interned_strings_buffer] = 16
php_admin_value[opcache.max_accelerated_files] = 4000
php_admin_value[opcache.validate_timestamps] = 0
php_admin_value[opcache.fast_shutdown] = 1
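Review bot: `pm.status_path = /status` turns on the FPM status page with no note on where it is meant to be reachable from; the Apache config on this page only hands `.php` requests to the socket through the Debian `php7.0-fpm` snippet, so it is presumably not exposed, but that should be stated, e.g. `; /status is not routed by any vhost; only expose it through a restricted <Location>`. `php_admin_value[opcache.validate_timestamps] = 0` also deserves a why-comment, since it means edited PHP files are never picked up without restarting fpm: `; image is immutable, so never re-stat scripts; restart fpm to load new code`. The pool otherwise reads fine; `pm.max_children = 125` is a sizing decision that a short comment on expected memory per child would make reviewable.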
Subproject commit 32a1582bef8f97b8b7801d8b807ef390144e2574