Initial commit

.drone.yml

@@ -0,0 +1,18 @@
+kind: pipeline
+name: default
+
+steps:
+- name: docker  
+  image: plugins/docker
+  settings:
+    tags: 
+      - latest
+      - ${DRONE_TAG}
+    repo: jjtc/zola
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      - tag

.gitignore

@@ -0,0 +1,7 @@
+# IDEs
+.idea/
+.vscode/
+
+# Dev files
+.env
+*.sql

Dockerfile

@@ -0,0 +1,36 @@
+FROM alpine:3.10
+
+LABEL maintainer="JJTC <docker@jjtc.eu>"
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+RUN set -ex \
+  && echo "Getting software ready:" \
+  && apk add -U --no-cache zola
+
+VOLUME [ "~/zola/public" ]
+
+ENTRYPOINT [ "./docker-entrypoint.sh" ]
+
+
+
+----------------------------------------------------
+
+FROM nginx:1.17-alpine
+
+ENV APP_HOME="/app"
+
+# RUN mkdir -p $APP_HOME
+# RUN set -ex \
+#   && echo "Changing ownership:" \
+#   && chown -R nginx:nginx $APP_HOME
+
+COPY --chown=nginx:nginx /tmp/zola/public/* $APP_HOME
+
+USER nginx:nginx
+
+WORKDIR $APP_HOME
+
+EXPOSE 80
+
+CMD [ "nginx" ]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 JJTC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,48 @@
+# Zola
+[![Build Status](https://cloud.drone.io/api/badges/JJTC-Docker/zola/status.svg)](https://cloud.drone.io/JJTC-Docker/zola)
+[![Docker Pulls](https://img.shields.io/docker/pulls/jjtc/zola.svg?style=flat)](https://hub.docker.com/r/jjtc/zola/) 
+[![Github Stars](https://img.shields.io/github/stars/jjtc-docker/zola.svg?style=flat)](https://github.com/jjtc-docker/zola) 
+[![Github Forks](https://img.shields.io/github/forks/jjtc-docker/zola.svg?style=flat?label=github%20forks)](https://github.com/jjtc-docker/zola)
+
+## Intro
+Zola setup based on Alpine, Nginx & Drone CI for use with Træfik
+
+This design has two distinct parts.
+
+The first part is the `jjtc/zola image` (main purpose of this repo) which is used for generating the static site (`zola build`).
+
+The second part (see the `site-example` folder) is the files used to maintain/generate your site.
+
+## Setup
+### Requirements
+- zola installed locally for first time setup
+- Git repo
+- Drone CI (Cloud with GH or git + own instance)
+- Docker image repo
+
+### Description
+The Zola files, your content, Drone CI and Nginx files will live in a git repo dedicated to a specific site (e.g. testsite_com).
+
+Drone CI will use the zola image (jjtc/zola:latest) to generate the static output and then build a new "website" image based on Nginx, static output and the Nginx config files (found in `site-example`). 
+
+### Steps
+#### Init
+To get started, do the following: run `zola init`, copy all of the files from `site-example` into the newly created site project folder, `cd` to the folder and init a new repo (`git init`).
+
+Update .drone.yml to match your Docker Hub repo. Update Drone CI with the `docker_username` and `docker_password` info and lastly modify the Nginx files to fit your needs.
+
+Remember to add, commit and push.
+
+#### Update content
+Push all of the content changes you desire, when the "website" image should be updated push a git tag and Drone CI will take care of the rest. I recommend using the current date for the tag.
+
+#### Update production
+Either configure the CD part of .drone.yml to make Drone CI handle the rollout of the new Docker image or access your production box (ssh...) and run
+```
+docker-compose pull && docker-compose up -d
+```
+
+See docker-compose.yml found in `site-example`.
+
+## Note
+Currently you have to manually init the site locally with `zola init` and go through the interactive setup process. Atm it is not worth the effort to automate the process, that might change in the future in which case the setup instructions above will be updated.

docker-entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -ex
+
+echo "Building site:"
+zola check || exit 1
+
+echo "Building site:"
+zola build

site-example/.drone.yml

@@ -0,0 +1,18 @@
+kind: pipeline
+name: default
+
+steps:
+- name: docker  
+  image: plugins/docker
+  settings:
+    tags: 
+      - latest
+      - ${DRONE_TAG}
+    repo: jjtc/zola <------ private repo
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    event:
+      - tag

site-example/.gitignore

@@ -0,0 +1,7 @@
+# IDEs
+.idea/
+.vscode/
+
+# Dev files
+.env
+*.sql

site-example/Dockerfile

@@ -0,0 +1,17 @@
+FROM nginx:1.17-alpine
+
+ENV APP_HOME="/app"
+
+COPY /tmp/zola/public $APP_HOME
+
+RUN set -ex \
+  && echo "Changing ownership:" \
+  && chown -R nginx:nginx $APP_HOME
+
+USER nginx:nginx
+
+WORKDIR $APP_HOME
+
+EXPOSE 80
+
+CMD ["nginx", "-g", "daemon off;"]

site-example/app/default.conf

@@ -0,0 +1,44 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name _;
+    root /app/public/;
+
+    client_max_body_size 0m;
+    client_body_timeout 60s; # Default is 60, May need to be increased for very large uploads
+    client_body_buffer_size 128k;
+
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; report-uri https://<YOUR_ACCOUNT>.report-uri.com/r/d/csp/enforce;" always;
+    add_header Expect-CT "enforce; max-age=604800; report-uri=https://<YOUR_ACCOUNT>.report-uri.com/r/d/ct/enforce";
+    add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; encrypted-media 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; sync-xhr 'none'; usb 'none'; vr 'none'";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+    add_header Referrer-Policy "strict-origin";
+    add_header X-Xss-Protection "1; mode=block; report=https://<YOUR_ACCOUNT>.report-uri.com/r/d/xss/enforce" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options nosniff;
+
+    # Firefox CSP bug workaround - https://bugzilla.mozilla.org/show_bug.cgi?id=1262842
+    location ~ \.svg$ {
+       add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'";
+    }
+
+    location ~* \.(jpg|jpeg|gif|png|ico|css|js|html|xml|txt)$ {
+        access_log        off;
+        log_not_found     off;
+        expires           360d;
+    }
+
+
+    # Block access to PHP files
+    location ~* \.(php|php3|php4|php5|php7|phtml|inc)$ {
+        deny all;
+    }
+
+    # Block access to stuff begining with .
+    location ~ /\. {
+        access_log off;
+        log_not_found off; 
+        deny all;
+    }
+}

site-example/app/nginx.conf

@@ -0,0 +1,55 @@
+user nginx;
+worker_processes auto;
+pid /run/nginx.pid;    
+daemon off;
+
+events {
+        worker_connections  1024;
+}
+
+http {
+        ##
+        # Basic Settings
+        ##
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        server_tokens off; # Do not announce nginx's version to the world!
+
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # Logging Settings
+        ##
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        ##
+        # Proxy Settings
+        ##
+        proxy_buffering off;
+
+        ##
+        # Gzip Settings
+        ##
+        gzip on;
+        gzip_disable "msie6";
+
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_comp_level 6;
+        gzip_buffers 16 8k;
+        gzip_http_version 1.1;
+        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        ##
+        # Virtual Host Configs
+        ##
+        include /etc/nginx/sites-enabled/*;
+}

site-example/docker-compose.yml

@@ -0,0 +1,29 @@
+version: '3.5'
+services:
+  app:
+    image: jjtc/inventorstale-com:0.8.0-r0
+    restart: unless-stopped
+    volumes:
+      - ./app/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./app/default.conf:/etc/nginx/sites-enabled/default:ro
+      - data:/app/public:ro
+    expose:
+      - "80/tcp"
+    networks:
+      - web
+    labels:
+      - "traefik.frontend.headers.STSPreload=true"
+      - "traefik.frontend.headers.STSSeconds=31536000"
+      - "traefik.backend=zola"
+      - "traefik.docker.network=web"
+      - "traefik.frontend.rule=Host:${APP_URL_BASE}"
+      - "traefik.enable=true"
+      - "traefik.port=80"
+      - "traefik.default.protocol=http"
+
+networks:
+  web:
+    external: true
+
+volumes:
+  data: