Fixing and improving build scripts and docs (#72)

* Fixing and improving build scripts and docs

* Updating composer packages

* Removing composer hash check

Author: aldavigdis

.github/workflows/ci.yml

@@ -17,7 +17,6 @@ jobs:
         run: |
           sudo apt-get update && sudo apt-get install php-cli
           php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
-          php -r "if (hash_file('sha384', 'composer-setup.php') === '55ce33d7678c5a611085589f1f3ddf8b3c52d662cd01d4ba75c0ee0459970c2200a51f492d557530c71c15d8dba01eae') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
           php composer-setup.php
           php -r "unlink('composer-setup.php');"
           sudo mv composer.phar /usr/local/bin/composer

Dockerfile

@@ -2,14 +2,12 @@ FROM ubuntu:lunar
 
 EXPOSE 80
 
-ENV NR_PHP_AGENT_URL 'https://download.newrelic.com/php_agent/archive/10.6.0.318/newrelic-php5-10.6.0.318-linux.tar.gz'
+ENV NR_PHP_AGENT_URL 'https://download.newrelic.com/php_agent/archive/10.16.0.5/newrelic-php5-10.16.0.5-linux.tar.gz'
+ENV GHOSTSCRIPT_URL 'https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10021/ghostscript-10.02.1.tar.gz'
 
-ENV INSTALL_GHOSTSCRIPT true
+# ENV INSTALL_GHOSTSCRIPT true
 
 ENV WP_INSTALL_IF_NOT_FOUND true
-# ENV FORCE_WP_CONFIG true
-ENV WP_DEBUG true
-ENV WP_SCRIPT_DEBUG true
 ENV WP_MEMORY_LIMIT = '448M'
 
 ENV PHP_UPLOAD_MAX_FILESIZE '256M'
@@ -18,9 +16,10 @@ ENV PHP_MEMORY_LIMIT '512M'
 ENV PHP_MAX_EXECUTION_TIME '240'
 
 ENV PHP_ERROR_REPORTING 'E_ALL \& ~E_STRICT'
+ENV WP_DEBUG true
 
 # ENV WP_UPLOADS_URL 'https://cdn.aldavigdis.dev'
-ENV WP_CONTENT_URL 'https://cdn.aldavigdis.dev'
+# ENV WP_CONTENT_URL 'https://cdn.aldavigdis.dev'
 
 # Remove Akismet and hello.php during deployment
 ENV REMOVE_CRAP_PLUGINS true
@@ -31,11 +30,11 @@ ENV PREVENT_UPDATES true
 # Wether we should fix file permissions on deployment or not
 # ENV NUKE_PERMISSIONS true
 
-# The "Hardening WordPress" article at https://wordpress.org/documentation/article/hardening-wordpress/
-# recommends 755 and 644.
-ENV FILE_OWNER 'root:root'
-ENV FILE_MODE 444
-ENV DIRECTORY_MODE 555
+ENV FILE_OWNER 'wp-services'
+ENV FILE_GROUP 'www-data'
+ENV FILE_MODE 0644
+ENV DIRECTORY_MODE 0644
+RUN useradd wp-services -r -m --shell=/bin/false --uid=699
 
 ENV DEBIAN_FRONTEND=noninteractive
 

Dockerfile.production

@@ -0,0 +1,46 @@
+FROM ubuntu:lunar
+
+EXPOSE 80
+
+ENV NR_PHP_AGENT_URL 'https://download.newrelic.com/php_agent/archive/10.9.0.324/newrelic-php5-10.9.0.324-linux.tar.gz'
+
+ENV INSTALL_GHOSTSCRIPT true
+
+ENV PHP_UPLOAD_MAX_FILESIZE '256M'
+ENV PHP_POST_MAX_SIZE '384M'
+ENV PHP_MEMORY_LIMIT '512M'
+ENV PHP_MAX_EXECUTION_TIME '240'
+
+# The "Hardening WordPress" article at https://wordpress.org/documentation/article/hardening-wordpress/
+# recommends 755 and 644.
+ENV FILE_OWNER 'wp-services'
+ENV FILE_GROUP 'www-data'
+ENV FILE_MODE 0644
+ENV DIRECTORY_MODE 0644
+RUN useradd wp-services -r -m --shell=/bin/false --uid=699
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install PHP and related packages, plus locales
+COPY ./bin/install_packages.sh /root/install_packages.sh
+RUN bash /root/install_packages.sh
+ENV LANG en_US.utf8
+
+# Install Ghostscript
+COPY ./bin/install_ghostscript.sh /root/install_ghostscript.sh
+RUN if [ $INSTALL_GHOSTSCRIPT ]; then bash /root/install_ghostscript.sh; fi
+
+# Copy over our nginx site config
+COPY ./nginx_config/default_site /etc/nginx/sites-enabled/default
+
+# Run further nginx configurations
+COPY bin/configure_nginx.sh /root/configure_nginx.sh
+RUN /root/configure_nginx.sh
+
+WORKDIR /var/www/html
+
+COPY mu-plugins/ /root/mu-plugins/
+
+COPY bin/* /root/
+
+ENTRYPOINT /root/entrypoint.sh

bin/configure_nginx.sh

@@ -1,10 +1,10 @@
 #!/bin/bash
 
-sed -i -e "s/access_log \/var\/log\/nginx\/access.log;/access_log \/dev\/stdout;/" /etc/nginx/nginx.conf
-sed -i -e "s/error_log \/var\/log\/nginx\/error.log;/error_log \/dev\/stderr;/" /etc/nginx/nginx.conf
+# sed -i -e "s/access_log \/var\/log\/nginx\/access.log;/access_log \/dev\/stdout;/" /etc/nginx/nginx.conf
+# sed -i -e "s/error_log \/var\/log\/nginx\/error.log;/error_log \/dev\/stderr;/" /etc/nginx/nginx.conf
 
 if [ $PHP_MAX_EXECUTION_TIME ]
 then
     sed -i -e "s/fastcgi_read_timeout 30;/fastcgi_read_timeout ${PHP_MAX_EXECUTION_TIME};/" /etc/nginx/sites-enabled/default
     sed -i -e "s/fastcgi_send_timeout 30;/fastcgi_send_timeout ${PHP_MAX_EXECUTION_TIME};/" /etc/nginx/sites-enabled/default
-fi
+fi

bin/configure_wordpress.sh

@@ -49,18 +49,18 @@ then
     wp config set DISALLOW_FILE_EDIT true --raw --allow-root
     wp config set WP_AUTO_UPDATE_CORE false --raw --allow-root
 
-    if [ $WP_DEBUG ]
+    if [ "$WP_DEBUG" ]
     then
         wp config set WP_DEBUG true --raw --allow-root
         wp config set WP_DEBUG_DISPLAY false --raw --allow-root
     fi
 
-    if [ $WP_SCRIPT_DEBUG ]
+    if [ "$WP_SCRIPT_DEBUG" ]
     then
         wp config set SCRIPT_DEBUG false --raw --allow-root
     fi
 
-    if [ -v $WP_MEMORY_LIMIT ]
+    if [ "$WP_MEMORY_LIMIT" ]
     then
         wp config set WP_MEMORY_LIMIT "$WP_MEMORY_LIMIT" --allow-root
         wp config set WP_MAX_MEMORY_LIMIT "$WP_MEMORY_LIMIT" --allow-root
@@ -69,54 +69,62 @@ then
         wp config set WP_MAX_MEMORY_LIMIT "ini_get( 'memory_limit' )" --raw --allow-root
     fi
 
-    if [ $DISABLE_WP_CRON ]
+    if [ "$DISABLE_WP_CRON" ]
     then
         wp config set DISABLE_WP_CRON true --allow-root
     fi
 
-    if [ $WP_UPLOADS_URL ]
+    if [ "$WP_UPLOADS_URL" ]
     then
         wp config set UPLOADS_URL "$WP_UPLOADS_URL" --allow-root
     fi
 
     # Enable Memcached object storage
-    export MEMCACHED_HOST=$(jq -r '.memcached_servers[0]' /secrets/credentials.json)
-    if [ $MEMCACHED_HOST ]
+    memcached_host=$(jq -r '.memcached_servers[0]' /secrets/credentials.json)
+    if [ "$memcached_host" ]
     then
         sed -i "/Add any custom values between this line/a \$memcached_servers = array( 'default' => \$credentials->memcached_servers );" wp-config.php
         curl -s https://plugins.trac.wordpress.org/export/HEAD/memcached/trunk/object-cache.php > ./wp-content/object-cache.php
-        chmod $FILE_MODE ./wp-content/object-cache.php
-        chown $FILE_OWNER ./wp-content/object-cache.php
+        if [ "$FILE_MODE" ]
+        then
+            chmod "$FILE_MODE" ./wp-content/object-cache.php
+        fi
+        if [ "$FILE_OWNER" ]
+        then
+            chown "$FILE_OWNER" ./wp-content/object-cache.php
+        fi
     fi
 
-    if [ $WP_CONTENT_URL ]
+    if [ "$WP_CONTENT_URL" ]
     then
         wp config set WP_CONTENT_URL "$WP_CONTENT_URL" --allow-root
     fi
+fi
 
-    if [ $WP_THEME_INSTALL ]
-    then
-        wp theme install "$WP_THEME_INSTALL" --allow-root
-    fi
+wp core install --url="localhost" --title="DockPress Site" --admin_user="admin" --admin_password="password" --admin_email="[email protected]" --skip-email --allow-root
 
-    if [ $WP_THEME_ACTIVATE ]
-    then
-        wp theme activate "$WP_THEME_ACTIVATE" --allow-root
-    fi
+if [ "$WP_THEME_INSTALL" ]
+then
+    wp theme install "$WP_THEME_INSTALL" --allow-root
+fi
 
-    if [ $WP_PLUGIN_INSTALL ]
-    then
-        wp plugin install "$WP_PLUGIN_INSTALL" --allow-root
-    fi
+if [ "$WP_THEME_ACTIVATE" ]
+then
+    wp theme activate "$WP_THEME_ACTIVATE" --allow-root
+fi
 
-    if [ $WP_PLUGIN_ACTIVATE ]
-    then
-        wp plugin activate "$WP_PLUGIN_ACTIVATE" --allow-root
-    fi
+if [ "$WP_PLUGIN_INSTALL" ]
+then
+    wp plugin install "$WP_PLUGIN_INSTALL" --allow-root
+fi
+
+if [ "$WP_PLUGIN_ACTIVATE" ]
+then
+    wp plugin activate "$WP_PLUGIN_ACTIVATE" --allow-root
 fi
 
 # Remove crapware plugins from the WordPress installation
-if [ $REMOVE_CRAP_PLUGINS ]
+if [ "$REMOVE_CRAP_PLUGINS" ]
 then
     rm -rf wp-content/plugins/akismet/
     rm -rf wp-content/plugins/hello.php
@@ -126,5 +134,4 @@ if [ ! -d wp-content/uploads ]
 then
     echo "📁 Creating uploads directory"
     mkdir wp-content/uploads
-    chmod a+rw wp-content/uploads
 fi

bin/install_new_relic.sh

@@ -1,10 +1,10 @@
 #!/bin/bash
 
-export NR_KEY=$(jq -r '.new_relic_key' /secrets/credentials.json)
-export NR_APP_NAME=$(jq -r '.new_relic_app_name' /secrets/credentials.json)
+nr_key=$(jq -r '.new_relic_key' /secrets/credentials.json)
+nr_app_name=$(jq -r '.new_relic_app_name' /secrets/credentials.json)
 
 # The installation will not happen unless the credentials and ENV variables are set
-if [ $NR_KEY ] && [ "${NR_APP_NAME}" ] && [ $NR_PHP_AGENT_URL ]
+if [ "$nr_key" ] && [ "${NR_APP_NAME}" ] && [ "$NR_PHP_AGENT_URL" ]
 then
     curl -s -L ${NR_PHP_AGENT_URL} | tar -C /tmp -zx
 
@@ -15,9 +15,9 @@ then
 
     rm -rf /tmp/newrelic-php5-* /tmp/nrinstall*
 
-    sed -i -e "s/\"REPLACE_WITH_REAL_KEY\"/\"${NR_KEY}\"/" \
+    sed -i -e "s/\"REPLACE_WITH_REAL_KEY\"/\"${nr_key}\"/" \
         -e "s/;newrelic.framework = \"\"/newrelic.framework = \"wordpress\"/" \
-        -e "s/newrelic.appname = \"PHP Application\"/newrelic.appname = \"${NR_APP_NAME}\"/" \
+        -e "s/newrelic.appname = \"PHP Application\"/newrelic.appname = \"${nr_app_name}\"/" \
         -e 's/;newrelic.daemon.app_connect_timeout =.*/newrelic.daemon.app_connect_timeout=15s/' \
         -e 's/;newrelic.daemon.start_timeout =.*/newrelic.daemon.start_timeout=5s/' \
         /etc/php/8.1/fpm/conf.d/newrelic.ini

bin/install_packages.sh

@@ -6,12 +6,9 @@ apt-get install nginx php8.1-fpm php8.1 \
                 php8.1-mysql php8.1-curl php8.1-memcached php8.1-memcache \
                 php8.1-zip php8.1-xml php8.1-mbstring php8.1-imagick \
                 php8.1-redis php8.1-bc php8.1-intl php8.1-ssh2 \
-                mariadb-client curl locales jq less python3-pip -y
+                mariadb-client curl locales jq less vim -y
 
 rm -rf /var/lib/apt/lists/*
 localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 
 curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && chmod +x wp-cli.phar && mv wp-cli.phar /usr/local/bin/wp
-
-# Update Python packages with known security vulnerabilities
-python3 -m pip install cryptography --break-system-packages --upgrade

bin/nuke_permissions.sh

@@ -1,5 +1,20 @@
 #!/bin/bash
 
-chown -R $FILE_OWNER .
-find . -type f -not -path "./.git/*" -not -path "./wp-content/uploads/*" -exec chmod $DIRECTORY_MODE {} \;
-find . -type f -not -path "./.git/*" -not -path "./wp-content/uploads/*" -exec chmod $FILE_MODE {} \;
+if [ "$FILE_OWNER" ]
+then
+    if [ ! "$FILE_GROUP" ]
+    then
+        FILE_GROUP=$FILE_OWNER
+    fi
+    chown -R "$FILE_OWNER:$FILE_GROUP" .
+fi
+
+if [ "$DIRECTORY_MODE" ]
+then
+    find . -type d -not -path "./.git/*" -not -path "./wp-content/uploads/*" -exec chmod "$DIRECTORY_MODE" {} \;
+fi
+
+if [ "$FILE_MODE" ]
+then
+    find . -type f -not -path "./.git/*" -not -path "./wp-content/uploads/*" -exec chmod "$FILE_MODE" {} \;
+fi

compose.yml

@@ -0,0 +1,21 @@
+services:
+  dockpress:
+    image: dockpress
+    volumes:
+      - ./secrets:/secrets
+    ports:
+      - 80:80
+  mariadb:
+    image: mariadb
+    restart: always
+    ports:
+      - 3306:3306
+    environment:
+      - MARIADB_DATABASE=wordpress
+      - MARIADB_USER=wordpress
+      - MARIADB_PASSWORD=password
+      - MARIADB_ROOT_PASSWORD=password
+  memcached:
+    image: memcached
+    ports:
+      - 11211:11211