feat: simplify stack

Added supervisor, healthcheck, fpm-ping. Removed nginx image.

Author: lucien144

.gitignore

@@ -4,3 +4,6 @@ uploads/*
 !uploads/.gitkeep
 .env*
 !*.example
+volumes/mysql-data/*
+!volumes/mysql-data/.gitkeep
+

wordpress/Dockerfile renamed to Dockerfile

@@ -3,6 +3,7 @@ ARG COMPOSER_VERSION=2.0
 FROM composer:${COMPOSER_VERSION} as composer
 FROM php:8.0-fpm
 
+
 RUN apt-get update -y && apt-get install -y \
     pkg-config libssl-dev \
     curl \
@@ -13,7 +14,9 @@ RUN apt-get update -y && apt-get install -y \
     libjpeg-dev \
     libzip-dev \
     libmagickwand-dev \
-    nasm
+    nasm \
+    nginx \
+    supervisor
 
 # Clear cache
 RUN apt-get clean && rm -rf /var/lib/apt/lists/*
@@ -28,10 +31,28 @@ RUN docker-php-ext-configure gd --enable-gd --with-jpeg --with-webp && docker-ph
 # Installing composer
 COPY --from=composer /usr/bin/composer /usr/local/bin/composer
 
+# Configure nginx
+COPY /config/nginx/nginx.conf /etc/nginx/nginx.conf
+COPY /config/nginx/50x.html /var/www/localhost/htdocs/50x.html
+COPY /config/nginx/index.html /var/www/localhost/htdocs/index.html
+
+# Configure php-fpm
+COPY /config/fpm-pool.conf /usr/local/etc/php-fpm.d/fpm-pool.conf
+
+# Configure supervisor
+COPY /config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
 WORKDIR /var/www/html
-COPY . /var/www/html
+COPY wordpress/ /var/www/html
 
 # RUN composer install
 # Replaced by "docker exec"
 
-VOLUME /var/www/html
+VOLUME /var/www/html
+
+EXPOSE 80
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+
+# Configure a healthcheck to validate that everything is up&running
+HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1:80/fpm-ping

config/fpm-pool.conf

@@ -0,0 +1,53 @@
+[global]
+; Log to stderr
+error_log = /dev/stderr
+
+[www]
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = 127.0.0.1:9000
+
+; Enable status page
+pm.status_path = /fpm-status
+
+; Ondemand process manager
+pm = ondemand
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 100
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+pm.max_requests = 1000
+
+; Make sure the FPM workers can reach the environment variables for configuration
+clear_env = no
+
+; Catch output from PHP
+catch_workers_output = yes
+
+; Enable ping page to use in healthcheck
+ping.path = /fpm-ping

mysql/low-memory-mysql-8.cnf renamed to config/low-memory-mysql-8.cnf

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Error</title>
+    <style>
+        body {
+            width: 35em;
+            margin: 0 auto;
+            font-family: Tahoma, Verdana, Arial, sans-serif;
+        }
+    </style>
+</head>
+<body>
+<h1>An error occurred.</h1>
+</body>
+</html>

config/nginx/50x.html

@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<html>
+<body>
+</body>
+</html>

config/nginx/index.html

@@ -0,0 +1,109 @@
+worker_processes  1;
+error_log stderr warn;
+pid /run/nginx.pid;
+
+events {
+    use epoll;
+    worker_connections 1024;
+    multi_accept on;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    # Request entity too large fix
+    client_max_body_size 100M;
+
+    log_format  main_timed  '$remote_addr - $remote_user [$time_local] "$request" '
+                            '$status $body_bytes_sent "$http_referer" '
+                            '"$http_user_agent" "$http_x_forwarded_for" '
+                            '$request_time $upstream_response_time $pipe $upstream_cache_status';
+
+    access_log /dev/stdout main_timed;
+    error_log /dev/stderr notice;
+
+    keepalive_timeout  65;
+
+    # Remove nginx version
+    server_tokens off;
+
+    # BREACH vulnerability fix
+    gzip off;
+
+    # BEAST vulearbility fix
+    ssl_protocols TLSv1.2;
+
+    # Enable optional HSTS
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # X-Frame-Options Protection
+    add_header X-Frame-Options "SAMEORIGIN";
+
+    # X-XSS-Protection
+    add_header X-XSS-Protection "1; mode=block";
+
+    # X-Content-Type-Options
+    add_header X-Content-Type-Options nosniff;
+
+    # Secure cookie flag
+    add_header Set-Cookie "Path=/; HttpOnly; Secure";
+
+    server {
+        listen [::]:80 default_server;
+        listen 80 default_server;
+        server_name _;
+
+        sendfile off;
+
+        root /var/www/html/web;
+        index index.php;
+
+        location / {
+            try_files $uri $uri/ /index.php?$args;
+        }
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+            #root /var/lib/nginx/html;
+            root /var/www/localhost/htdocs;
+        }
+
+        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+        #
+        location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_pass 127.0.0.1:9000;
+            fastcgi_index index.php;
+            fastcgi_read_timeout 300s;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+        }
+
+        location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
+            expires 5d;
+        }
+
+        # deny access to . files, for security
+        location ~ /\.(?!well-known).* {
+            deny all;
+            access_log off;
+            log_not_found off;
+        }
+
+        # allow fpm ping and status from localhost
+        #
+        location ~ ^/(fpm-status|fpm-ping)$ {
+            access_log off;
+            allow 127.0.0.1;
+            deny all;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            include fastcgi_params;
+            fastcgi_pass 127.0.0.1:9000;
+        }
+    }
+}

config/nginx/nginx.conf

@@ -0,0 +1,23 @@
+[supervisord]
+nodaemon=true
+logfile=/dev/null
+logfile_maxbytes=0
+pidfile=/run/supervisord.pid
+
+[program:php-fpm]
+command=php-fpm -F
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=false
+startretries=0
+
+[program:nginx]
+command=nginx -g 'daemon off;'
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=false
+startretries=0

config/supervisord.conf

@@ -14,13 +14,13 @@ services:
   mysql:
     container_name: ${PROJECT_NAME}__mysql
     image: mysql:8.0
-    restart: always
+    restart: unless-stopped
     env_file: .env.mysql
     ports:
       - ${PORT_MYSQL}:3306
     volumes:
-      - ./mysql/data:/var/lib/mysql
-      - ./mysql/low-memory-mysql-8.cnf:/etc/mysql/conf.d/low-memory-my.cnf
+      - ./volumes/mysql-data:/var/lib/mysql
+      - ./config/low-memory-mysql-8.cnf:/etc/mysql/conf.d/low-memory-my.cnf
     networks:
       - internal
 
@@ -42,47 +42,31 @@ services:
   wordpress:
     container_name: ${PROJECT_NAME}__wordpress
     build:
-      context: ./wordpress/
+      context: .
     env_file: .env.wordpress
-    restart: always
+    environment:
+      - PROJECT_NAME=${PROJECT_NAME}
+    restart: unless-stopped
     volumes:
       - "${VOLUME}:/var/www/html"
-      - ./uploads:/var/www/html/web/app/uploads
+      - ./volumes/uploads:/var/www/html/web/app/uploads
     depends_on:
       - mysql
     networks:
       - internal
       - web
-
-  nginx:
-    container_name: ${PROJECT_NAME}__nginx
-    build:
-      context: ./nginx/
     ports:
       - ${PORT_NGINX}:80
-    volumes:
-      - "${VOLUME}:/var/www/html"
-      - ./uploads:/var/www/html/web/app/uploads
-      - ./nginx/templates:/etc/nginx/templates
-    restart: always
-    environment:
-      - PROJECT_NAME=${PROJECT_NAME}
-    depends_on:
-      - wordpress
-      - mysql
     labels:
       - traefik.http.routers.${PROJECT_NAME}__nginx.rule=Host(`${HOST_WORDPRESS}`)
       - traefik.http.routers.${PROJECT_NAME}__nginx.tls=true
       - traefik.http.routers.${PROJECT_NAME}__nginx.tls.certresolver=lets-encrypt
       - traefik.port=${PORT_NGINX}
-    networks:
-      - internal
-      - web
 
   adminer:
     container_name: ${PROJECT_NAME}__adminer
     image: adminer:latest
-    restart: always
+    restart: unless-stopped
     environment:
       ADMINER_DEFAULT_SERVER: ${PROJECT_NAME}__mysql
     ports:
@@ -104,7 +88,7 @@ services:
   backup:
     container_name: ${PROJECT_NAME}__backup
     image: futurice/docker-volume-backup
-    restart: always
+    restart: unless-stopped
     env_file:
       - .env.backup
     volumes: