Entrypoint tweaks

- Bump to Alpine 3.12
- Bump MariaDB to 10.5

.drone.yml

@@ -15,6 +15,7 @@ steps:
       from_secret: docker_username
     password:
       from_secret: docker_password
-  when:
+
+trigger:
   event:
   - tag

.env.example

@@ -0,0 +1,102 @@
+# Read the docs for more info:
+# - https://www.bookstackapp.com/docs/admin/cache-session-config/
+# - https://github.com/BookStackApp/BookStack/blob/master/.env.example.complete
+
+# Environment
+APP_ENV=production
+APP_DEBUG=false
+APP_KEY=------------REPLACE_ME------------
+
+# The below url has to be set if using social auth options
+# or if you are not using BookStack at the root path of your domain.
+APP_URL=https://bookstackapp.com ------------REPLACE_ME------------
+APP_URL_BASE=bookstackapp.com ------------REPLACE_ME------------
+
+# Application default language
+# The default language choice to show.
+# May be overridden by user-preference or visitor browser settings.
+APP_LANG=en
+
+# Auto-detect language for public visitors.
+# Uses browser-sent headers to infer a language.
+# APP_LANG will be used if such a header is not provided.
+APP_AUTO_LANG_PUBLIC=true
+
+# Application timezone
+# Used where dates are displayed such as on exported content.
+# Valid timezone values can be found here: https://www.php.net/manual/en/timezones.php
+APP_TIMEZONE=UTC
+
+# Database details
+DB_HOST=db:3306
+DB_DATABASE=bookstack
+DB_USERNAME=bookstack
+DB_PASSWORD=------------REPLACE_ME------------
+DB_ROOT_PASS=------------REPLACE_ME------------
+
+# Cache and session
+#CACHE_DRIVER=file
+#SESSION_DRIVER=file
+CACHE_DRIVER=redis
+SESSION_DRIVER=redis
+QUEUE_DRIVER=sync
+# A different prefix is useful when multiple BookStack instances use the same caching server
+CACHE_PREFIX=bookstack
+
+# Redis settings
+# Single Redis server
+REDIS_SERVERS=cache:6379:0
+# Example of using two Redis servers clustered together
+#REDIS_SERVERS=8.8.8.8:6379:0,8.8.4.4:6379:0
+
+# Storage
+STORAGE_TYPE=local
+# S3 (minio or AWS) Config
+STORAGE_S3_KEY=false
+STORAGE_S3_SECRET=false
+STORAGE_S3_REGION=false
+STORAGE_S3_BUCKET=false
+# Storage URL
+# Used to prefix image urls for when using custom domains/cdns
+STORAGE_URL=false
+
+# General auth
+AUTH_METHOD=standard
+
+# Social Authentication information. Defaults as off.
+GITHUB_APP_ID=false
+GITHUB_APP_SECRET=false
+GOOGLE_APP_ID=false
+GOOGLE_APP_SECRET=false
+OKTA_BASE_URL=false
+OKTA_APP_ID=false
+OKTA_APP_SECRET=false
+TWITCH_APP_ID=false
+TWITCH_APP_SECRET=false
+GITLAB_APP_ID=false
+GITLAB_APP_SECRET=false
+GITLAB_BASE_URI=false
+
+# External services such as Gravatar and Draw.IO
+DISABLE_EXTERNAL_SERVICES=false
+
+# LDAP Settings
+LDAP_SERVER=false
+LDAP_BASE_DN=false
+LDAP_DN=false
+LDAP_PASS=false
+LDAP_USER_FILTER=false
+LDAP_VERSION=false
+
+# Mail settings
+MAIL_DRIVER=smtp
+MAIL_HOST=localhost
+MAIL_PORT=1025
+MAIL_USERNAME=null
+MAIL_PASSWORD=null
+MAIL_ENCRYPTION=null
+MAIL_FROM=null
+MAIL_FROM_NAME=null
+
+# Only serving cookies over TLS
+SESSION_SECURE_COOKIE=true

README.md

@@ -1,7 +1,8 @@
 # bookstack-ppm
-[![Build Status](https://cloud.drone.io/api/badges/JJTC-Docker/bookstack-ppm/status.svg)](https://cloud.drone.io/JJTC-Docker/bookstack-ppm)
+[![Build Status](https://cloud.drone.io/api/badges/JJTC-Containers/bookstack-ppm/status.svg)](https://cloud.drone.io/JJTC-Containers/bookstack-ppm)
 [![Docker Pulls](https://img.shields.io/docker/pulls/jjtc/bookstack-ppm.svg?style=flat)](https://hub.docker.com/r/jjtc/bookstack-ppm/) 
-[![Github Stars](https://img.shields.io/github/stars/jjtc-docker/bookstack-ppm.svg?style=flat)](https://github.com/jjtc-docker/bookstack-ppm) 
-[![Github Forks](https://img.shields.io/github/forks/jjtc-docker/bookstack-ppm.svg?style=flat?label=github%20forks)](https://github.com/jjtc-docker/bookstack-ppm)
+[![Github Stars](https://img.shields.io/github/stars/jjtc-containers/bookstack-ppm.svg?style=flat)](https://github.com/jjtc-containers/bookstack-ppm) 
+[![Github Forks](https://img.shields.io/github/forks/jjtc-containers/bookstack-ppm.svg?style=flat?label=github%20forks)](https://github.com/jjtc-containers/bookstack-ppm)
+[![PPM Compatible](https://raw.githubusercontent.com/php-pm/ppm-badge/master/ppm-badge.png)](https://github.com/php-pm/php-pm)
 
 Bookstack setup based on Alpine, Nginx, PHP-PM, MariaDB, Redis & ClamAV for use with Træfik

app/Dockerfile

@@ -1,27 +1,28 @@
-FROM alpine:edge
+FROM alpine:3.13
 
-LABEL maintainer="JJTC <docker@jjtc.eu>"
+LABEL maintainer="JJTC <oci@jjtc.eu>"
 
-ENV PPM_VERSION=2.0.0 \
-    PPM_HTTP_VERSION=2.0.1 \
+ENV PPM_VERSION=2.2.1 \
+    PPM_HTTP_VERSION=2.0.6 \
     BOOKSTACK=BookStack \
-    BOOKSTACK_VERSION=0.26.1 \
+    BOOKSTACK_VERSION=0.31.6 \
     BOOKSTACK_HOME="/app"
 
-COPY docker-entrypoint.sh /app/docker-entrypoint.sh
+COPY entrypoint.sh /app/entrypoint.sh
 
 RUN set -ex \
-  && chmod +x /app/docker-entrypoint.sh \
+  && chmod +x /app/entrypoint.sh \
   # ensure www-data user exists
   # 82 is the standard uid/gid for "www-data" in Alpine
   && addgroup -g 82 -S www-data \
   && adduser -u 82 -D -S -G www-data www-data \
+  && addgroup -S bookstack \
+  && adduser -S -D -H -s /sbin/nologin  -G bookstack  -g bookstack bookstack \
   && apk update \
-  && echo "Setting up PHP extensions" \
+  && echo "Getting packages:" \
   && apk add --no-cache \
-     bash \
      curl \
-     su-exec \
+     multirun \
      nginx \
      tar \
      php7 \
@@ -49,7 +50,6 @@ RUN set -ex \
      php7-session \
      php7-simplexml \
      php7-sockets \
-     php7-tidy \
      php7-tokenizer \
      php7-xml \
      php7-xmlwriter \
@@ -58,27 +58,37 @@ RUN set -ex \
      composer \
   && echo "Setting up PPM:" \
   && mkdir -p /ppm/run \
+  && chmod 0777 /ppm/run \
   && cd /ppm \
-  && chmod -R 777 run/ \
   && composer require php-pm/php-pm:${PPM_VERSION} php-pm/httpkernel-adapter:${PPM_HTTP_VERSION} \
-  && echo "Get BookStack:" \
+  && chown www-data:www-data -R . \
+  && echo "Getting BookStack:" \
   && mkdir -p ${BOOKSTACK_HOME} \
   && cd ${BOOKSTACK_HOME} \
   && curl -LJO https://github.com/BookStackApp/BookStack/archive/v${BOOKSTACK_VERSION}.tar.gz \
   && tar --strip-components=1 -xzf BookStack-${BOOKSTACK_VERSION}.tar.gz \
-  && rm -rf ${BOOKSTACK}-${BOOKSTACK_VERSION}.tar.gz .env.example .gitattributes .github .gitignore .travis.yml tests/ public/index.php \
-  && curl https://raw.githubusercontent.com/BookStackApp/BookStack/873b1099f81f6a9d2619644aef0587e2b73d918a/bootstrap/autoload.php -o bootstrap/autoload.php \
-  && echo "Get Dependencies:" \
+  && rm -rf ${BOOKSTACK}-${BOOKSTACK_VERSION}.tar.gz .env.example .env.example.complete .gitattributes .github .gitignore .travis.yml tests/ public/index.php \
+  && ln -s init.php bootstrap/autoload.php \
+  && echo "Getting BookStack Dependencies:" \
   && composer install \
   && echo "Changing ownership:" \
-  && chown -R www-data:www-data . \
-  && echo "Ensure Nginx got access to tmp folder:" \
-  && chown www-data:root -R /var/tmp/nginx/
+  && chown bookstack:bookstack -R . \
+  && echo "Setting folder permissions for www-data:" \
+  && chown www-data:bookstack -R bootstrap/cache public/uploads storage \
+  && echo "Ensuring www-data got access to Nginx folders:" \
+  && chown www-data:www-data -R /var/lib/nginx /var/log/nginx \
+  && echo "Redirecting Nginx logs to stdout and stderr:" \
+  && ln -sf /dev/stdout /var/log/nginx/access.log \
+  && ln -sf /dev/stderr /var/log/nginx/error.log \
+  && echo "Giving all system users access to multirun:" \
+  && chmod 0755 /usr/bin/multirun
+
+USER www-data
 
 WORKDIR $BOOKSTACK_HOME
 
-EXPOSE 80
+EXPOSE 8080/tcp
 
 VOLUME ["$BOOKSTACK_HOME/public/uploads", "$BOOKSTACK_HOME/public/storage"]
 
-ENTRYPOINT ["./docker-entrypoint.sh"]
+ENTRYPOINT ["multirun", "nginx", "./entrypoint.sh"]

app/default.conf

@@ -1,6 +1,6 @@
 server {
-    listen 80;
-    listen [::]:80;
+    listen 8888;
+    listen [::]:8888;
 
     server_name _;
     root /app/public/;
@@ -9,13 +9,13 @@ server {
     client_body_timeout 120s; # Default is 60, May need to be increased for very large uploads
     client_body_buffer_size 128k;
 
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; report-uri https://<YOUR_ACCOUNT>.report-uri.com/r/d/csp/enforce;" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' blob:; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; report-uri https://<YOUR_ACCOUNT>.report-uri.com/r/d/csp/enforce; report-to default;" always;
     add_header Expect-CT "enforce; max-age=604800; report-uri=https://<YOUR_ACCOUNT>.report-uri.com/r/d/ct/enforce";
     add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; encrypted-media 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; sync-xhr 'none'; usb 'none'; vr 'none'";
     add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
     add_header Referrer-Policy "strict-origin";
-    add_header X-Xss-Protection "1; mode=block; report=https://<YOUR_ACCOUNT>.report-uri.com/r/d/xss/enforce" always;
-    add_header X-Frame-Options "DENY" always;
+    add_header Report-To "{'group':'default','max_age':31536000,'endpoints':[{'url':'https://<YOUR_ACCOUNT>.report-uri.com/a/d/g'}],'include_subdomains':true}";
+    add_header NEL "{'report_to':'default','max_age':31536000,'include_subdomains':true}";
     add_header X-Content-Type-Options nosniff;
 
     # Firefox CSP bug workaround - https://bugzilla.mozilla.org/show_bug.cgi?id=1262842

app/docker-entrypoint.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-set -ex
-
-php artisan key:generate --no-interaction --force
-php artisan migrate --no-interaction --force
-
-echo "Setting folder permissions for uploads"
-chown -R www-data:www-data public/uploads storage/uploads /ppm
-
-php artisan cache:clear
-php artisan view:clear
-
-echo "Starting Nginx:"
-nginx
-
-echo "Getting PPM ready:"
-trapIt () { "$@"& pid="$!"; trap 'kill -INT $pid' INT TERM; while kill -0 $pid > /dev/null 2>&1; do wait $pid; ec="$?"; done; exit $ec;};
-
-echo "Starting PPM:"
-trapIt su-exec www-data:www-data /ppm/vendor/bin/ppm start --ansi --port=8080 --socket-path=/ppm/run --pidfile=/ppm/ppm.pid --bootstrap=laravel --static-directory=public/ --app-env=prod

app/entrypoint.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -ex
+
+if [ ! -f .env ]; then
+    php artisan key:generate --no-interaction --force
+fi
+php artisan migrate --no-interaction --force
+
+php artisan cache:clear
+php artisan view:clear
+
+echo "Starting PPM:"
+/ppm/vendor/bin/ppm start --ansi --no-interaction --config=ppm.json

app/nginx.conf

@@ -1,6 +1,5 @@
-user www-data;
 worker_processes auto;
-pid /run/nginx.pid;    
+pid /tmp/nginx.pid;
 daemon on;
 
 events {

app/php.ini

@@ -12,7 +12,7 @@ upload_max_filesize = 64M
 expose_php=0
 
 session.save_handler = redis
-session.save_path = "tcp://redis:6379"
+session.save_path = "tcp://cache:6379?database=1"
 
 opcache.enable=1
 opcache.enable_cli=1

app/ppm.json

@@ -0,0 +1,20 @@
+{
+    "bridge": "HttpKernel",
+    "host": "127.0.0.1",
+    "port": 8080,
+    "workers": 8,
+    "app-env": "production",
+    "debug": 0,
+    "logging": 1,
+    "static-directory": "public\/",
+    "bootstrap": "laravel",
+    "max-requests": 1000,
+    "max-execution-time": 30,
+    "memory-limit": -1,
+    "ttl": 0,
+    "populate-server-var": 1,
+    "socket-path": "\/ppm\/run\/",
+    "pidfile": "\/ppm\/ppm.pid",
+    "reload-timeout": 30,
+    "cgi-path": "\/usr\/bin\/php-cgi7"
+}

bookstack.sh

@@ -2,10 +2,8 @@
 
 # Setup process
 
-
 # Check if .env exists
 
-
 ## if not create .env and start guided setup
 ### Check dependencies e.g. openssl/libressl
 
@@ -14,6 +12,3 @@ openssl rand -base64 32
 
 # Check is there is new version and offer to download
 ## if .env exists but is and old version then Update and get user input
-
-
-

docker-compose.yml

@@ -1,10 +1,11 @@
-version: '3.5'
+version: '3.7'
+
 services:
   db:
-    image: mariadb:10.3
+    image: mariadb:10.5
     restart: unless-stopped
     environment:
-      - TZ=${TZ}
+      - TZ=${APP_TIMEZONE}
       - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASS}
       - MYSQL_DATABASE=${DB_DATABASE}
       - MYSQL_USER=${DB_USERNAME}
@@ -15,19 +16,18 @@ services:
       - backend
 
   cache:
-    image: redis:5-alpine
+    image: redis:6-alpine
     restart: unless-stopped
     environment:
-      - TZ=${TZ}
+      - TZ=${APP_TIMEZONE}
     volumes:
       - cache:/data/
     networks:
       - backend
-    labels:
-      - "traefik.enable=false"
 
   app:
-    image: jjtc/bookstack-ppm:0.26.1-r0
+    image: jjtc/bookstack-ppm:0.31.6-r0
+    init: true
     build: ./app/
     restart: unless-stopped
     depends_on:
@@ -35,25 +35,28 @@ services:
       - cache
     volumes:
       - .env:/app/.env:rw
-      - ./app/php.ini:/usr/local/etc/php/conf.d/php.ini
+      - ./app/ppm.json:/app/ppm.json:ro
+      - ./app/php.ini:/etc/php7/php.ini:ro
       - ./app/nginx.conf:/etc/nginx/nginx.conf:ro
       - ./app/default.conf:/etc/nginx/sites-enabled/default:ro
       - uploads:/app/public/uploads:rw
       - storage:/app/public/storage:rw
     expose:
-      - "80/tcp"
+      - "8888/tcp"
     networks:
       - web
       - backend
     labels:
-      - "traefik.frontend.headers.STSPreload=true"
-      - "traefik.frontend.headers.STSSeconds=31536000"
-      - "traefik.backend=bookstack"
-      - "traefik.docker.network=web"
-      - "traefik.frontend.rule=Host:${APP_URL_BASE}"
       - "traefik.enable=true"
-      - "traefik.port=80"
-      - "traefik.default.protocol=http"
+      - "traefik.http.routers.bookstack.entrypoints=http"
+      - "traefik.http.routers.bookstack.rule=Host(`${APP_URL_BASE}`)"
+      - "traefik.http.routers.bookstack-secure.entrypoints=https"
+      - "traefik.http.routers.bookstack-secure.rule=Host(`${APP_URL_BASE}`)"
+      - "traefik.http.routers.bookstack-secure.tls=true"
+      - "traefik.http.routers.bookstack-secure.tls.certresolver=default"
+      - "traefik.http.routers.bookstack-secure.service=bookstack"
+      - "traefik.http.services.bookstack.loadbalancer.server.scheme=http"
+      - "traefik.http.services.bookstack.loadbalancer.server.port=8888"
 
   # av:
   #   image: jjtc/av:0.100.0-r0
@@ -70,14 +73,24 @@ services:
   #     - "traefik.enable=false"
 
   #traefik:
-  #  image: traefik:latest
+  #  image: traefik:2.4
   #  restart: unless-stopped
-  #  command: traefik --docker --acme=true --acme.domains='your.domain.tld' --acme.email='your@email.tld' --acme.entrypoint=https --acme.storagefile=acme.json --defaultentrypoints=http --defaultentrypoints=https --entryPoints='Name$
+  #  security_opt:
+  #   - no-new-privileges:true
+  #  command: 
+  #    - --entrypoints.web.address=:80
+  #    - --entrypoints.websecure.address=:443
+  #    - --providers.docker=true
+- #    - --certificatesresolvers.leresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
+  #    - --certificatesresolvers.leresolver.acme.email=your@email.com
+  #    - --certificatesresolvers.leresolver.acme.storage=/acme.json
+  #    - --certificatesresolvers.leresolver.acme.tlschallenge=true
   #  ports:
-  #    - 80:80
-  #    - 443:443
+  #    - "80:80/tcp"
+  #    - "443:443/tcp
   #  volumes:
-  #    - /var/run/docker.sock:/var/run/docker.sock
+  #    - "/var/run/docker.sock:/var/run/docker.sock:ro"
+  #    - "./acme.json:/acme.json:rw"
 
 networks:
   backend: