From 82cdc6a2ad70ef0dd6fe09d4628b7cd33c289990 Mon Sep 17 00:00:00 2001 From: Elijah Duffy Date: Sun, 7 Dec 2025 22:45:10 -0800 Subject: [PATCH] clean up & simplify structure w/ separate build workflows Independent NGINX & PHP-FPM build workflows & directory structure for cleaner and simpler workflow logic. --- .github/workflows/build.yml | 221 ---------------------------- .github/workflows/nginx.yml | 106 +++++++++++++ .github/workflows/php-fpm.yml | 161 ++++++++++++++++++++ docker/nginx/Dockerfile | 11 -- docker/nginx/nginx.conf | 69 --------- docker/php-fpm/entrypoint.sh | 19 --- nginx/Dockerfile | 10 ++ {docker => php-fpm}/7.4/Dockerfile | 31 +--- shared/php-fpm/entrypoint.sh | 12 ++ {docker => shared}/php-fpm/www.conf | 12 -- 10 files changed, 292 insertions(+), 360 deletions(-) delete mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/nginx.yml create mode 100644 .github/workflows/php-fpm.yml delete mode 100644 docker/nginx/Dockerfile delete mode 100644 docker/nginx/nginx.conf delete mode 100644 docker/php-fpm/entrypoint.sh create mode 100644 nginx/Dockerfile rename {docker => php-fpm}/7.4/Dockerfile (58%) create mode 100644 shared/php-fpm/entrypoint.sh rename {docker => shared}/php-fpm/www.conf (51%) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index 33172fb..0000000 --- a/.github/workflows/build.yml +++ /dev/null @@ -1,221 +0,0 @@ -name: build - -on: - push: - branches: [main] - pull_request: - branches: [main] - workflow_dispatch: - workflow_call: - inputs: - REGISTRY_USER: - required: true - type: string - secrets: - REGISTRY_TOKEN: - required: true - -jobs: - plan: - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.compute.outputs.matrix }} - should_build: ${{ steps.compute.outputs.should_build }} - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - id: compute - shell: bash - run: | - set -euo pipefail - - # Discover lanes: immediate subdirs under docker/ - mapfile -t ALL_LANES < <(find docker -mindepth 1 -maxdepth 1 -type d | sort) - # Filter to only directories that contain a Dockerfile (real lanes) - FILTERED_LANES=() - SKIPPED_LANES=() - build: - needs: plan - if: needs.plan.outputs.should_build == 'true' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - uses: docker/setup-buildx-action@v3 - - - name: DEBUG registry username source - run: | - echo "Selected registry username source: $SOURCE" - env: - SOURCE: ${{ inputs.REGISTRY_USER != '' && 'inputs' || secrets.REGISTRY_USER != '' && 'secrets' || vars.REGISTRY_USER != '' && 'vars' || 'actor' }} - - - uses: docker/login-action@v3 - with: - registry: gitea.auvem.com - username: ${{ inputs.REGISTRY_USER != '' && inputs.REGISTRY_USER || secrets.REGISTRY_USER != '' && secrets.REGISTRY_USER || vars.REGISTRY_USER != '' && vars.REGISTRY_USER || github.actor }} - password: ${{ secrets.REGISTRY_TOKEN }} - - - name: Show plan matrix - run: | - echo "Plan matrix: $MATRIX_JSON" - jq -C . dir <<< "$MATRIX_JSON" 2>/dev/null || true - env: - MATRIX_JSON: ${{ needs.plan.outputs.matrix }} - - - name: Loop: build and push per-lane - shell: bash - env: - MATRIX_JSON: ${{ needs.plan.outputs.matrix }} - GIT_SHA_SHORT: ${GITHUB_SHA::7} - run: | - set -euo pipefail - - if [[ -z "$MATRIX_JSON" ]]; then - echo "ERROR: plan matrix is empty. Aborting." >&2 - exit 1 - fi - - # Iterate lanes - lanes=$(jq -r '.dir[]' <<< "$MATRIX_JSON") - echo "Lanes to build:" - echo "$lanes" - - for lane in $lanes; do - echo "\n--- Building lane: $lane ---" - if [[ ! -f "$lane/Dockerfile" ]]; then - echo "ERROR: No Dockerfile at $lane/Dockerfile" >&2 - exit 1 - fi - - NAME=$(basename "$lane") - - if [[ "$NAME" == "nginx" ]]; then - IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx" - TAG="stable" - else - IMAGE="gitea.auvem.com/auvem/wordpress-docker/php-fpm" - if [[ "$NAME" =~ ^([0-9]+\.[0-9]+)$ ]]; then - VERSION="${BASH_REMATCH[1]}" - TAG="${VERSION}-stable" - elif [[ "$NAME" =~ ^([0-9]+)$ ]]; then - VERSION="${BASH_REMATCH[1]}" - TAG="${VERSION}-stable" - else - echo "ERROR: Cannot deterministically derive a version tag from lane name '$NAME'." >&2 - exit 1 - fi - fi - - echo "Computed: lane='$lane' name='$NAME' image='$IMAGE' tags='$IMAGE:${TAG},$IMAGE:git-${GIT_SHA_SHORT}'" - - # Buildx build and push - docker buildx build \ - --push \ - --platform linux/amd64 \ - --tag "$IMAGE:${TAG}" \ - --tag "$IMAGE:git-${GIT_SHA_SHORT}" \ - --file "$lane/Dockerfile" \ - . - done - echo "No lane directories changed. Skipping build." - echo "should_build=false" >> $GITHUB_OUTPUT - echo 'matrix={"dir":[]}' >> $GITHUB_OUTPUT - exit 0 - fi - - # Produce JSON matrix - JSON=$(jq -nc --argjson arr "$(printf '%s\n' "${TARGET_DIRS[@]}" | jq -R . | jq -s .)" '{dir: $arr}') - echo "Matrix: $JSON" - echo "should_build=true" >> $GITHUB_OUTPUT - echo "matrix=$JSON" >> $GITHUB_OUTPUT - - build: - needs: plan - if: needs.plan.outputs.should_build == 'true' - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: ${{ fromJson(needs.plan.outputs.matrix) }} - steps: - - uses: actions/checkout@v4 - - - uses: docker/setup-buildx-action@v3 - - - name: DEBUG registry username source - run: | - echo "Selected registry username source: $SOURCE" - # Do NOT echo the username or any secret values — only indicate which source will be used - env: - SOURCE: ${{ inputs.REGISTRY_USER != '' && 'inputs' || secrets.REGISTRY_USER != '' && 'secrets' || vars.REGISTRY_USER != '' && 'vars' || 'actor' }} - - - uses: docker/login-action@v3 - with: - registry: gitea.auvem.com - # Resolve username in this order: workflow input -> repo/secret -> repo var -> actor - username: ${{ inputs.REGISTRY_USER != '' && inputs.REGISTRY_USER || secrets.REGISTRY_USER != '' && secrets.REGISTRY_USER || vars.REGISTRY_USER != '' && vars.REGISTRY_USER || github.actor }} - password: ${{ secrets.REGISTRY_TOKEN }} - - - name: Show matrix payload received by this job - run: | - echo "Expression toJson(matrix): ${{ toJson(matrix) }}" - echo "Expression matrix.dir: '${{ matrix.dir }}'" - echo "ENV MATRIX_DIR: '${MATRIX_DIR}'" - echo "Dockerfile path expression: '${{ matrix.dir }}/Dockerfile'" - env: - MATRIX_DIR: ${{ matrix.dir }} - - - name: Derive image name and tags - id: meta - shell: bash - run: | - set -euo pipefail - DIR="${{ matrix.dir }}" - - # Fail fast on ambiguous/empty matrix.dir. We require a deterministic lane. - if [[ -z "${DIR}" || "${DIR}" == "." ]]; then - echo "ERROR: Ambiguous lane: matrix.dir is empty or '.'." - echo "Provide a specific lane directory under docker/ (e.g. '7.4' or 'nginx')." - exit 1 - fi - - NAME="$(basename "${DIR}")" # e.g. '7.4' or 'nginx' - SHA=${GITHUB_SHA::7} - - # Decide repository and tag scheme. Must be deterministic. - if [[ "${NAME}" == "nginx" ]]; then - IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx" - TAG="stable" - else - IMAGE="gitea.auvem.com/auvem/wordpress-docker/php-fpm" - # Accept only lanes that encode a numeric version like '7.4' or '8'. - if [[ "${NAME}" =~ ^([0-9]+\.[0-9]+)$ ]]; then - VERSION="${BASH_REMATCH[1]}" - TAG="${VERSION}-stable" - elif [[ "${NAME}" =~ ^([0-9]+)$ ]]; then - VERSION="${BASH_REMATCH[1]}" - TAG="${VERSION}-stable" - else - echo "ERROR: Cannot deterministically derive a version tag from lane name '${NAME}'." - echo "Expected lane names like '7.4' or '8' for php-fpm lanes." - exit 1 - fi - fi - - # Debug output for name resolution - echo "Computed values: DIR='${DIR}', NAME='${NAME}', IMAGE='${IMAGE}', TAG='${TAG}', SHA='${SHA}'" - - echo "image=$IMAGE" >> $GITHUB_OUTPUT - echo "tags=$IMAGE:${TAG},$IMAGE:git-${SHA}" >> $GITHUB_OUTPUT - - - name: Build and push - uses: docker/build-push-action@v6 - with: - context: . - file: ${{ matrix.dir }}/Dockerfile - push: true - tags: ${{ steps.meta.outputs.tags }} - platforms: linux/amd64 - cache-from: type=registry,ref=${{ steps.meta.outputs.image }}:cache - cache-to: type=registry,ref=${{ steps.meta.outputs.image }}:cache,mode=max diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml new file mode 100644 index 0000000..dba58ba --- /dev/null +++ b/.github/workflows/nginx.yml @@ -0,0 +1,106 @@ +name: nginx-build + +on: + push: + branches: [main] + pull_request: + branches: [main] + workflow_dispatch: + inputs: + force: + description: "Set to true to force a build even if no files changed." + required: false + default: "false" + workflow_call: + secrets: + REGISTRY_TOKEN: + required: true + description: "Token for registry authentication." + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: docker/setup-buildx-action@v3 + + - uses: docker/login-action@v3 + with: + registry: gitea.auvem.com + username: ${{ vars.REGISTRY_USER || github.actor }} + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Decide and build nginx if needed + shell: bash + env: + GIT_SHA_SHORT: ${GITHUB_SHA::7} + FORCE: ${{ github.event.inputs.force || 'false' }} + run: | + set -euo pipefail + + if [[ ! -f nginx/Dockerfile ]]; then + echo "No nginx/Dockerfile present; nothing to build." + exit 0 + fi + + BUILD=false + # Manual trigger or explicit force -> build + if [[ "${{ github.event_name }}" == "workflow_dispatch" ]] || [[ "$FORCE" == "true" ]]; then + echo "Manual/forced trigger -> building nginx" + BUILD=true + else + # detect changed files between base/head (or list all files for shallow contexts) + if [[ "${{ github.event_name }}" == "pull_request" ]]; then + BASE_SHA="${{ github.event.pull_request.base.sha }}" + HEAD_SHA="${{ github.event.pull_request.head.sha }}" + elif [[ "${{ github.event_name }}" == "push" ]]; then + BASE_SHA="$(git rev-parse HEAD~1 2>/dev/null || true)" + HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)" + else + BASE_SHA="" + HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)" + fi + + if [[ -n "$BASE_SHA" ]]; then + CHANGED=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA") + else + CHANGED=$(git ls-files) + fi + + echo "Changed files:\n$CHANGED" + + if grep -q "^.github/workflows/" <<< "$CHANGED"; then + echo "Workflow changed; building nginx" + BUILD=true + elif grep -q "^nginx/" <<< "$CHANGED"; then + echo "nginx directory changed; building nginx" + BUILD=true + else + BUILD=false + fi + fi + + if [[ "$BUILD" != "true" ]]; then + echo "No relevant changes; skipping nginx build." + exit 0 + fi + + IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx" + TAG="latest" + echo "Building $IMAGE:$TAG" + docker buildx build --push --platform linux/amd64 \ + --tag "${IMAGE}:${TAG}" \ + --tag "${IMAGE}:git-${GIT_SHA_SHORT}" \ + --file nginx/Dockerfile \ + . + IMAGE="gitea.auvem.com/auvem/wordpress-docker/nginx" + TAG="latest" + echo "Building nginx image ${IMAGE}:${TAG}" + docker buildx build --push --platform linux/amd64 \ + --tag "${IMAGE}:${TAG}" \ + --tag "${IMAGE}:git-${GIT_SHA_SHORT}" \ + --file "nginx/Dockerfile" . + done diff --git a/.github/workflows/php-fpm.yml b/.github/workflows/php-fpm.yml new file mode 100644 index 0000000..24720df --- /dev/null +++ b/.github/workflows/php-fpm.yml @@ -0,0 +1,161 @@ +name: php-fpm-build + +on: + push: + branches: [main] + pull_request: + branches: [main] + workflow_dispatch: + inputs: + lane: + description: 'Lane to build (e.g. 7.4). Use "all" to build all lanes.' + required: false + default: "" + workflow_call: + secrets: + REGISTRY_TOKEN: + required: true + description: "Token for registry authentication." + +jobs: + plan: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.compute.outputs.matrix }} + should_build: ${{ steps.compute.outputs.should_build }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - id: compute + shell: bash + run: | + set -euo pipefail + + # discover lanes under php-fpm/* that contain a Dockerfile + mapfile -t ALL_LANES < <(find php-fpm -mindepth 1 -maxdepth 1 -type d | sort) + FILTERED=() + for d in "${ALL_LANES[@]}"; do + if [[ -f "${d}/Dockerfile" ]]; then + FILTERED+=("${d}") + fi + done + ALL_LANES=("${FILTERED[@]}") + + if [[ ${#ALL_LANES[@]} -eq 0 ]]; then + echo "No php-fpm lanes found. Nothing to do." + echo "should_build=false" >> $GITHUB_OUTPUT + echo 'matrix={"dir":[]}' >> $GITHUB_OUTPUT + exit 0 + fi + + # allow workflow_dispatch lane selection + SELECTED=() + REQ_LANE="${{ github.event.inputs.lane || '' }}" + if [[ -n "$REQ_LANE" ]]; then + if [[ "$REQ_LANE" == "all" ]]; then + SELECTED=("${ALL_LANES[@]}") + else + candidate="php-fpm/$REQ_LANE" + if [[ -d "$candidate" && -f "$candidate/Dockerfile" ]]; then + SELECTED=("$candidate") + else + echo "ERROR: Requested lane '$REQ_LANE' not found under php-fpm/" >&2 + exit 1 + fi + fi + else + # Determine changed files + if [[ "${{ github.event_name }}" == "push" ]]; then + BASE_SHA="$(git rev-parse HEAD~1 2>/dev/null || true)" + HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)" + elif [[ "${{ github.event_name }}" == "pull_request" ]]; then + BASE_SHA="${{ github.event.pull_request.base.sha }}" + HEAD_SHA="${{ github.event.pull_request.head.sha }}" + else + BASE_SHA="" + HEAD_SHA="$(git rev-parse HEAD 2>/dev/null || true)" + fi + + if [[ -n "$BASE_SHA" ]]; then + CHANGED=$(git diff --name-only "$BASE_SHA" "$HEAD_SHA") + else + CHANGED=$(git ls-files) + fi + + # If workflow files changed, rebuild all lanes + if grep -q "^.github/workflows/" <<< "$CHANGED"; then + SELECTED=("${ALL_LANES[@]}") + else + for d in "${ALL_LANES[@]}"; do + if grep -q "^${d}/" <<< "$CHANGED"; then + SELECTED+=("${d}") + fi + done + fi + fi + + # Dedupe and validate + mapfile -t SELECTED < <(printf "%s\n" "${SELECTED[@]}" | awk 'NF && !x[$0]++') + if [[ ${#SELECTED[@]} -eq 0 ]]; then + echo "No php-fpm lanes to build." + echo "should_build=false" >> $GITHUB_OUTPUT + echo 'matrix={"dir":[]}' >> $GITHUB_OUTPUT + exit 0 + fi + + JSON=$(jq -nc --argjson arr "$(printf '%s\n' "${SELECTED[@]}" | jq -R . | jq -s .)" '{dir: $arr}') + echo "Matrix: $JSON" + echo "should_build=true" >> $GITHUB_OUTPUT + echo "matrix=$JSON" >> $GITHUB_OUTPUT + + build: + needs: plan + if: needs.plan.outputs.should_build == 'true' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: docker/setup-buildx-action@v3 + + - uses: docker/login-action@v3 + with: + registry: gitea.auvem.com + username: ${{ vars.REGISTRY_USER || github.actor }} + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Show plan matrix + run: | + echo "Plan matrix: $MATRIX_JSON" + jq -C . dir <<< "$MATRIX_JSON" 2>/dev/null || true + env: + MATRIX_JSON: ${{ needs.plan.outputs.matrix }} + + - name: Build lanes + shell: bash + env: + MATRIX_JSON: ${{ needs.plan.outputs.matrix }} + GIT_SHA_SHORT: ${GITHUB_SHA::7} + run: | + set -euo pipefail + lanes=$(jq -r '.dir[]' <<< "$MATRIX_JSON") + for lane in $lanes; do + echo "Building lane: $lane" + if [[ ! -f "$lane/Dockerfile" ]]; then + echo "ERROR: missing Dockerfile for $lane" >&2 + exit 1 + fi + NAME=$(basename "$lane") + if [[ ! "$NAME" =~ ^([0-9]+\.?[0-9]*)$ ]]; then + echo "ERROR: php-fpm lane name '$NAME' is not a numeric version" >&2 + exit 1 + fi + IMAGE="gitea.auvem.com/auvem/wordpress-docker/php-fpm" + TAG="$NAME" + echo "Computed: image=${IMAGE}, tags=${IMAGE}:${TAG},${IMAGE}:git-${GIT_SHA_SHORT}" + docker buildx build --push --platform linux/amd64 \ + --tag "${IMAGE}:${TAG}" \ + --tag "${IMAGE}:git-${GIT_SHA_SHORT}" \ + --file "$lane/Dockerfile" . + done diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile deleted file mode 100644 index 037b098..0000000 --- a/docker/nginx/Dockerfile +++ /dev/null @@ -1,11 +0,0 @@ -FROM nginx:alpine-slim - -# Add a minimal, secure nginx config that works with the php-fpm service -COPY nginx.conf /etc/nginx/conf.d/default.conf - -# Create directories for logs and ensure permissions (nginx user is nginx) -RUN mkdir -p /var/www/html /var/log/nginx && chown -R nginx:nginx /var/www/html /var/log/nginx - -EXPOSE 80 - -CMD ["nginx", "-g", "daemon off;"] diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf deleted file mode 100644 index 06e4610..0000000 --- a/docker/nginx/nginx.conf +++ /dev/null @@ -1,69 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name _; - root /var/www/html; - index index.php index.html index.htm; - - # Basic security headers (can be extended per-site) - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header Referrer-Policy "no-referrer-when-downgrade" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - # Deny access to hidden files and directories - location ~ (^|/)[.] { - deny all; - access_log off; - log_not_found off; - } - - # Static files: long cache, immutable where appropriate - location ~* \.(?:css|js|gif|jpe?g|png|ico|svg|woff2?|ttf|eot)$ { - try_files $uri =404; - access_log off; - expires 30d; - add_header Cache-Control "public, max-age=2592000, immutable"; - } - - location = /favicon.ico { access_log off; log_not_found off; } - location = /robots.txt { access_log off; log_not_found off; allow all; } - - # Main front controller; fall back to index.php - location / { - try_files $uri $uri/ /index.php$is_args$args; - } - - # PHP-FPM handling; pass to php-fpm:9000 (docker service name) - location ~ [^/] - \.php(/|$) { - # Prevent direct access to PHP files in uploads or other writable dirs if necessary - try_files $document_root$fastcgi_script_name =404; - - fastcgi_split_path_info ^(.+\.php)(/.+)$; - # Use TCP FPM backend service name. Matches the php-fpm image we built. - fastcgi_pass php-fpm:9000; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS $https if_not_empty; - fastcgi_read_timeout 300; - } - - # Block access to .ht* files - location ~* /\.(?:ht|git) { - deny all; - } - - # Optional: small buffer for large headers (WordPress with many cookies/plugins) - fastcgi_buffers 16 16k; - fastcgi_buffer_size 32k; - - # Prevent clickjacking on all responses - add_header X-Frame-Options "SAMEORIGIN"; -} - -# Default server; allow override by mounting /etc/nginx/conf.d/default.conf diff --git a/docker/php-fpm/entrypoint.sh b/docker/php-fpm/entrypoint.sh deleted file mode 100644 index 7c2215f..0000000 --- a/docker/php-fpm/entrypoint.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -set -euo pipefail - -# Entrypoint for php-fpm images. -# If CHOWN_ON_START is set to '1' or 'true', recursively chown the webroot -# to the 'app' user (UID 1000). This is optional and must be explicitly enabled -# via environment (safer for multi-tenant hosts). - -: ${CHOWN_ON_START:=} -if [ "${CHOWN_ON_START}" = "1" ] || [ "${CHOWN_ON_START}" = "true" ]; then - echo "[entrypoint] CHOWN_ON_START enabled — fixing ownership of /var/www/html" - # Only run chown if the directory exists - if [ -d /var/www/html ]; then - chown -R 1000:1000 /var/www/html || true - fi -fi - -# Exec the given command (php-fpm by default) -exec "$@" diff --git a/nginx/Dockerfile b/nginx/Dockerfile new file mode 100644 index 0000000..9c08f40 --- /dev/null +++ b/nginx/Dockerfile @@ -0,0 +1,10 @@ +FROM nginx:alpine-slim + +# Copy nginx config from repo +COPY --chown=root:root nginx/nginx.conf /etc/nginx/conf.d/default.conf + +RUN mkdir -p /var/www/html /var/log/nginx && chown -R nginx:nginx /var/www/html /var/log/nginx + +EXPOSE 80 + +CMD ["nginx", "-g", "daemon off;"] diff --git a/docker/7.4/Dockerfile b/php-fpm/7.4/Dockerfile similarity index 58% rename from docker/7.4/Dockerfile rename to php-fpm/7.4/Dockerfile index dae1d90..681341e 100644 --- a/docker/7.4/Dockerfile +++ b/php-fpm/7.4/Dockerfile @@ -1,10 +1,4 @@ # Multi-stage Alpine-based PHP 7.4 FPM image optimized for WordPress -# - builds extensions in a builder stage (isolation) -# - copies only runtime bits into the final image -# - minimal runtime packages, production php.ini and opcache tuned -# - includes common WordPress extensions: pdo_mysql, mysqli, gd, zip, exif, -# intl, xml, xmlrpc (if compiled), bcmath, opcache, mbstring, curl, fileinfo - ARG BASE_TAG=7.4-fpm-alpine3.16 FROM php:${BASE_TAG} AS build @@ -27,7 +21,6 @@ RUN set -eux; \ oniguruma-dev \ mariadb-dev \ ; \ - # Configure and build common extensions required by WordPress docker-php-ext-configure gd --with-freetype --with-jpeg; \ docker-php-ext-install -j"$(nproc)" \ gd \ @@ -47,15 +40,12 @@ RUN set -eux; \ ; \ pecl channel-update pecl.php.net; \ pecl install redis && docker-php-ext-enable redis; \ - # Use production php.ini as a base cp "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"; \ - # Clean build deps (we'll copy only runtime artifacts to final image) apk del .build-deps; \ rm -rf /var/cache/apk/* /tmp/* FROM php:${BASE_TAG} AS runtime -# Install only runtime library packages (no -dev) RUN set -eux; \ apk add --no-cache \ freetype \ @@ -81,7 +71,6 @@ RUN addgroup -g 1000 app || true; \ adduser -D -u 1000 -G app app || true; \ mkdir -p /var/www/html; \ chown -R app:app /var/www/html; \ - # Ensure php-fpm runtime directories exist and are writable by the app user mkdir -p /var/run/php /run/php /var/log/php; \ chown -R app:app /var/run/php /run/php /var/log/php @@ -103,33 +92,19 @@ RUN set -eux; \ echo 'error_log = /proc/self/fd/2'; \ } > /usr/local/etc/php/conf.d/zz-hardening.ini -# Expose FPM socket port (if using TCP); keep default unix socket when preferred EXPOSE 9000 -# Healthcheck: ensure php-fpm master process exists HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 CMD pgrep -f "php-fpm" || exit 1 WORKDIR /var/www/html -# Copy pool configuration from build context (keep a copy in each lane to -# allow building with context set to the lane directory). -COPY --chown=root:root docker/php-fpm/www.conf /usr/local/etc/php-fpm.d/www.conf -# Copy a shared entrypoint that can optionally fix permissions on the mounted webroot -COPY --chown=root:root docker/php-fpm/entrypoint.sh /usr/local/bin/entrypoint.sh +# Copy pool configuration and entrypoint from shared path in repo root +COPY --chown=root:root shared/php-fpm/www.conf /usr/local/etc/php-fpm.d/www.conf +COPY --chown=root:root shared/php-fpm/entrypoint.sh /usr/local/bin/entrypoint.sh RUN chmod 755 /usr/local/bin/entrypoint.sh -# Use a small entrypoint to optionally chown mounted volumes at container start. ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] -# Run php-fpm master as root and have workers drop to the non-root `app` user. -# This avoids permission surprises while keeping workers unprivileged. USER root CMD ["php-fpm"] - -# Notes: -# - The build stage compiles extensions and leaves a production php.ini in place. -# - The final image copies only the runtime artifacts and installs only runtime libs -# to keep it small. -# - If you want to run PHP-FPM as a non-root user in container, you will need to -# adjust the php-fpm pool user/group configuration in /usr/local/etc/php-fpm.d/www.conf diff --git a/shared/php-fpm/entrypoint.sh b/shared/php-fpm/entrypoint.sh new file mode 100644 index 0000000..c1f419a --- /dev/null +++ b/shared/php-fpm/entrypoint.sh @@ -0,0 +1,12 @@ +#!/bin/sh +set -euo pipefail + +: ${CHOWN_ON_START:=} +if [ "${CHOWN_ON_START}" = "1" ] || [ "${CHOWN_ON_START}" = "true" ]; then + echo "[entrypoint] CHOWN_ON_START enabled — fixing ownership of /var/www/html" + if [ -d /var/www/html ]; then + chown -R 1000:1000 /var/www/html || true + fi +fi + +exec "$@" diff --git a/docker/php-fpm/www.conf b/shared/php-fpm/www.conf similarity index 51% rename from docker/php-fpm/www.conf rename to shared/php-fpm/www.conf index a7bb646..aa79f57 100644 --- a/docker/php-fpm/www.conf +++ b/shared/php-fpm/www.conf @@ -1,20 +1,15 @@ ; Shared php-fpm pool configuration for containers -; Designed to be reused across php-fpm versions in this repo [www] -; Listen on TCP to be container-friendly listen = 0.0.0.0:9000 -; Run workers as the unprivileged 'app' user user = app group = app -; Ensure socket ownership/mode if a socket is used listen.owner = app listen.group = app listen.mode = 0660 -; Process management pm = dynamic pm.max_children = 10 pm.start_servers = 2 @@ -22,22 +17,15 @@ pm.min_spare_servers = 1 pm.max_spare_servers = 3 pm.max_requests = 500 -; Timeouts and logging request_terminate_timeout = 300s request_slowlog_timeout = 5s slowlog = /var/log/php/www-slow.log -; Helpful logging for debugging worker crashes catch_workers_output = yes access.log = /var/log/php/www-access.log -; Keep environment variables (useful if you pass DB credentials via env) clear_env = no -; Security and restart behaviour emergency_restart_threshold = 10 emergency_restart_interval = 1m process_control_timeout = 10s - -; Ensure stdout/stderr are visible in container logs -; php-fpm will already write logs to paths above; ensure the directory exists in image