Real initial commit

.gitignore

@@ -0,0 +1,7 @@
+# IDEs
+.idea/
+.vscode/
+
+# Dev files
+.env
+*.sql

app/Dockerfile

@@ -0,0 +1,87 @@
+FROM alpine:edge
+
+LABEL maintainer JJTC "docker@jjtc.eu"
+
+ENV version=1.0.2 \
+    http_version=1.0.2 \
+    BOOKSTACK=BookStack \
+    BOOKSTACK_VERSION=0.22.0 \
+    BOOKSTACK_HOME="/app"
+
+COPY docker-entrypoint.sh /app/docker-entrypoint.sh
+
+#COPY php.ini /usr/local/etc/php/conf.d/php.ini
+#COPY default.conf /etc/nginx/sites-enabled/default
+#COPY nginx.conf /etc/nginx/nginx.conf
+
+# Below the following PHP extensions are installed PCNTL, PDO_MYSQL, ZIP, GD, Tidy, XML, Redis, Memcached, msgpack, igbinary
+# PHP extensions such as DOM, OpenSSL, PDO, MBstring, Tokenizer are provided by the base image.
+RUN set -ex \
+  && chmod +x /app/docker-entrypoint.sh \
+  # ensure www-data user exists
+  # 82 is the standard uid/gid for "www-data" in Alpine
+  && addgroup -g 82 -S www-data \
+  && adduser -u 82 -D -S -G www-data www-data \
+  && apk update \
+  && echo "Setting up PHP extensions" \
+  && apk add --no-cache \
+     bash \
+     curl \
+     su-exec \
+     nginx \
+     tar \
+     php7 \
+     php7-cgi \
+     php7-ctype \
+     php7-curl \
+     php7-dom \
+     php7-exif \
+     php7-fileinfo \
+     php7-gd \
+     php7-iconv \
+     php7-intl \
+     php7-json \
+     php7-ldap \
+     php7-mbstring \
+     php7-mcrypt \
+     php7-opcache \
+     php7-openssl \
+     php7-pcntl \
+     php7-pdo_mysql \
+     php7-phar \
+     php7-posix \
+     php7-redis \
+     php7-session \
+     php7-simplexml \
+     php7-sockets \
+     php7-tidy \
+     php7-tokenizer \
+     php7-xml \
+     php7-xmlwriter \
+     php7-zip \
+     php7-zlib \
+     composer \
+  && echo "Setting up PPM:" \
+  && mkdir -p /ppm/run \
+  && cd /ppm \
+  && chmod -R 777 run/ \
+  && composer require php-pm/php-pm:${version} php-pm/httpkernel-adapter:${http_version} \
+  && echo "Get BookStack:" \
+  && mkdir -p ${BOOKSTACK_HOME} \
+  && cd ${BOOKSTACK_HOME} \
+  && curl -LJO https://github.com/BookStackApp/BookStack/archive/v${BOOKSTACK_VERSION}.tar.gz \
+  && tar --strip-components=1 -xzf BookStack-${BOOKSTACK_VERSION}.tar.gz \
+  && rm -rf ${BOOKSTACK}-${BOOKSTACK_VERSION}.tar.gz .env.example .gitattributes .github .gitignore .travis.yml tests/ public/index.php \
+  && curl https://raw.githubusercontent.com/BookStackApp/BookStack/873b1099f81f6a9d2619644aef0587e2b73d918a/bootstrap/autoload.php -o bootstrap/autoload.php \
+  && echo "Get Dependencies:" \
+  && composer install \
+  && echo "Changing ownership:" \
+  && chown -R www-data:www-data .
+
+WORKDIR $BOOKSTACK_HOME
+
+EXPOSE 80
+
+VOLUME ["$BOOKSTACK_HOME/public/uploads", "$BOOKSTACK_HOME/public/storage"]
+
+ENTRYPOINT ["./docker-entrypoint.sh"]

app/default.conf

@@ -0,0 +1,50 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name _;
+    root /app/public/;
+
+    client_max_body_size 1000m;
+    client_body_timeout 120s; # Default is 60, May need to be increased for very large uploads
+    client_body_buffer_size 128k;
+
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; report-uri https://<YOUR_ACCOUNT>.report-uri.com/r/d/csp/enforce;" always;
+    add_header Expect-CT "enforce; max-age=604800; report-uri=https://<YOUR_ACCOUNT>.report-uri.com/r/d/ct/enforce";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+    add_header Referrer-Policy "strict-origin";
+    add_header X-Xss-Protection "1; mode=block; report=https://<YOUR_ACCOUNT>.report-uri.com/r/d/xss/enforce" always;
+    add_header X-Frame-Options "DENY";
+    add_header X-Content-Type-Options nosniff;
+
+    location / {
+        try_files $uri @ppm;
+    }
+
+    location ~* \.(jpg|jpeg|gif|png|ico|css|js|html|xml|txt)$ {
+        access_log        off;
+        log_not_found     off;
+        expires           360d;
+    }
+
+    # PHP-PM is doing its thing
+    location @ppm {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://127.0.0.1:8080;
+    }
+
+    # Block access to PHP files
+    location ~* \.(php|php3|php4|php5|php7|phtml|inc)$ {
+        deny all;
+    }
+
+    # Block access to stuff begining with .
+    location ~ /\. {
+        access_log off;
+        log_not_found off; 
+        deny all;
+    }
+}

app/docker-entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -ex
+
+php artisan key:generate --no-interaction --force
+php artisan migrate --no-interaction --force
+
+echo "Setting folder permissions for uploads"
+chown -R www-data:www-data public/uploads storage/uploads /ppm
+
+php artisan cache:clear
+php artisan view:clear
+
+echo "Starting Nginx:"
+nginx
+
+echo "Getting PPM ready:"
+trapIt () { "$@"& pid="$!"; trap 'kill -INT $pid' INT TERM; while kill -0 $pid > /dev/null 2>&1; do wait $pid; ec="$?"; done; exit $ec;};
+
+echo "Starting PPM:"
+trapIt su-exec www-data:www-data /ppm/vendor/bin/ppm start --ansi --port=8080 --socket-path=/ppm/run --pidfile=/ppm/ppm.pid --bootstrap=laravel --static-directory=public/ --app-env=prod

app/nginx.conf

@@ -0,0 +1,57 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;    
+daemon on;
+
+events {
+         worker_connections  1024;
+}
+
+http {
+        ##
+        # Basic Settings
+        ##
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        server_tokens off; # Do not announce nginx's version to the world!
+
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        resolver 1.1.1.1 8.8.8.8 8.4.4.4;
+
+        ##
+        # Logging Settings
+        ##
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        ##
+        # Proxy Settings
+        ##
+        proxy_buffering off;
+
+        ##
+        # Gzip Settings
+        ##
+        gzip on;
+        gzip_disable "msie6";
+
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_comp_level 6;
+        gzip_buffers 16 8k;
+        gzip_http_version 1.1;
+        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        ##
+        # Virtual Host Configs
+        ##
+        include /etc/nginx/sites-enabled/*;
+}

app/php.ini

@@ -0,0 +1,24 @@
+date.timezone = UTC
+memory_limit = -1
+
+disable_functions =
+
+max_execution_time = 0
+max_input_time = 0
+
+post_max_size = 64M
+upload_max_filesize = 64M
+
+expose_php=0
+
+session.save_handler = redis
+session.save_path = "tcp://redis:6379"
+
+opcache.enable=1
+opcache.enable_cli=1
+opcache.interned_strings_buffer=8
+opcache.max_accelerated_files=10000
+opcache.memory_consumption=256
+opcache.interned_string_buffer=16
+opcache.save_comments=1
+opcache.revalidate_freq=1

bookstack.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Setup process
+
+
+# Check if .env exists
+
+
+## if not create .env and start guided setup
+### Check dependencies e.g. openssl/libressl
+
+#### Generate key 
+openssl rand -base64 32
+
+# Check is there is new version and offer to download
+## if .env exists but is and old version then Update and get user input
+
+
+

docker-compose.yml

@@ -0,0 +1,91 @@
+version: '3.6'
+services:
+  db:
+    image: mariadb:10.2
+    restart: unless-stopped
+    environment:
+      - TZ=${TZ}
+      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASS}
+      - MYSQL_DATABASE=${DB_DATABASE}
+      - MYSQL_USER=${DB_USERNAME}
+      - MYSQL_PASSWORD=${DB_PASSWORD}
+    volumes:
+      - db-data:/var/lib/mysql
+    networks:
+      - backend
+
+  cache:
+    image: redis:4-alpine
+    restart: unless-stopped
+    environment:
+      - TZ=${TZ}
+    volumes:
+      - cache:/data/
+    networks:
+      - backend
+    labels:
+      - "traefik.enable=false"
+
+  app:
+#    image: jjtc/bookstack-ppm:0.22-r0
+    build: ./app/
+    restart: unless-stopped
+    depends_on:
+      - db
+      - cache
+    volumes:
+      - .env:/app/.env:rw
+      - ./app/php.ini:/usr/local/etc/php/conf.d/php.ini
+      - ./app/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./app/default.conf:/etc/nginx/sites-enabled/default:ro
+      - uploads:/var/www/html/public/uploads:rw
+      - storage:/var/www/html/public/storage:rw
+    expose:
+      - "80/tcp"
+    networks:
+      - web
+      - backend
+    labels:
+      - "traefik.frontend.headers.STSPreload=true"
+      - "traefik.frontend.headers.STSSeconds=31536000"
+      - "traefik.backend=bookstack"
+      - "traefik.docker.network=web"
+      - "traefik.frontend.rule=Host:${APP_URL_BASE}"
+      - "traefik.enable=true"
+      - "traefik.port=80"
+      - "traefik.default.protocol=http"
+
+  # av:
+  #   image: jjtc/av:0.100.0-r0
+  #   build: ./av/
+  #   restart: unless-stopped
+  #   tty: true
+  #   environment:
+  #     - TZ=${TZ}
+  #   volumes:
+  #     - ./av/conf/:/etc/clamav/
+  #   networks:
+  #     - backend
+  #   labels:
+  #     - "traefik.enable=false"
+
+  #traefik:
+  #  image: traefik:latest
+  #  restart: unless-stopped
+  #  command: traefik --docker --acme=true --acme.domains='your.domain.tld' --acme.email='your@email.tld' --acme.entrypoint=https --acme.storagefile=acme.json --defaultentrypoints=http --defaultentrypoints=https --entryPoints='Name$
+  #  ports:
+  #    - 80:80
+  #    - 443:443
+  #  volumes:
+  #    - /var/run/docker.sock:/var/run/docker.sock
+
+networks:
+  backend:
+  web:
+    external: true
+
+volumes:
+  db-data:
+  cache:
+  uploads:
+  storage: