moved config steps into separate scripts

This commit is contained in:
2025-07-31 09:29:04 +02:00
parent d5a452dbf8
commit 13d29c224a
9 changed files with 222 additions and 151 deletions


@@ -10,189 +10,68 @@ PATH_AUTH=${PATH_BASE}/auth
WEBDAV_PORT=${WEBDAV_PORT:-8080} WEBDAV_PORT=${WEBDAV_PORT:-8080}
STATS_PORT=${STATS_PORT:-8081} STATS_PORT=${STATS_PORT:-8081}
LOG_DAYS=${LOG_DAYS:-7} LOG_DAYS=${LOG_DAYS:-7}
PHP=${PHP:-none} PHP=${PHP:-none}
POSTSIZE=${POSTSIZE:-256M} POSTSIZE=${POSTSIZE:-256M}
USERNAME=${USERNAME:-theuser} USERNAME=${USERNAME:-theuser}
PUID=${PUID:-1000} PUID=${PUID:-1000}
GROUPNAME=${GROUPNAME:-thegroup} GROUPNAME=${GROUPNAME:-thegroup}
PGID=${PGID:-1000} PGID=${PGID:-1000}
RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
addgroup -g "${PGID}" "${GROUPNAME}"
addgroup nginx "${GROUPNAME}"
adduser -DH -h "${PATH_WEBROOT}" -G "${GROUPNAME}" -u "${PUID}" "${USERNAME}"
printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
echo "password for the user \"${USERNAME}\" is: ${RANDOMPWD}"
echo "chowning to ${PUID}:${GROUPNAME}..."
chown "${PUID}:${GROUPNAME}" "${PATH_WEBROOT}" -R
find "${PATH_WEBROOT}" -type d -exec chmod 0755 {} \;
find "${PATH_WEBROOT}" -type f -exec chmod 0644 {} \;
echo "...done"
FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-5} FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-5}
FPM_START_SERVERS=${FPM_START_SERVERS:-1} FPM_START_SERVERS=${FPM_START_SERVERS:-1}
FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-1} FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-1}
FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-3} FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-3}
# set php config export USERNAME
case "${PHP}" in export GROUPNAME
"php84"|"php83"|"php82") export PATH_WEBROOT
cat >"/etc/${PHP}/php-fpm.d/www.conf" <<EOF export PATH_STATS
[www] export PATH_STATSDB
user = ${USERNAME} export PATH_LOGS
group = ${GROUPNAME} export PATH_AUTH
listen = 127.0.0.1:9000 export WEBDAV_PORT
pm = dynamic export STATS_PORT
pm.max_children = ${FPM_MAX_CHILDREN} export POSTSIZE
pm.start_servers = ${FPM_START_SERVERS} export LOG_DAYS
pm.min_spare_servers = ${FPM_MIN_SPARE_SERVERS} export PHP
pm.max_spare_servers = ${FPM_MAX_SPARE_SERVERS} export PUID
EOF export PGID
cat >"/etc/${PHP}/conf.d/post_size.ini" <<EOF
upload_max_size = ${POSTSIZE}
post_max_size = ${POSTSIZE}
upload_max_filesize = ${POSTSIZE}
upload_tmp_dir = /tmp
EOF
;;
*) ;;
esac
cat >"/etc/nginx/custom.d/post_size.conf" <<EOF export FPM_MAX_CHILDREN
client_max_body_size ${POSTSIZE}; export FPM_START_SERVERS
EOF export FPM_MIN_SPARE_SERVERS
export FPM_MAX_SPARE_SERVERS
cat >"/etc/nginx/conf.d/errorlog.conf" <<EOF # run all scripts in order
# Configures default error logger. run-parts /app/entrypoint.sh.d
error_log ${PATH_LOGS}/nginx-error.log warn;
EOF
cat >"/etc/nginx/httpd.d/accesslog.conf" <<EOF
# Sets the path, format, and configuration for a buffered log write.
access_log ${PATH_LOGS}/nginx-access.log main;
EOF
# start php # start php
case "${PHP}" in case "${PHP}" in
"php84") "php84")
cp /app/nginx/php84.conf /etc/nginx/custom.d/ echo "# Starting PH 8.4"
cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
/usr/sbin/php-fpm84 -D /usr/sbin/php-fpm84 -D
;; ;;
"php83") "php83")
cp /app/nginx/php83.conf /etc/nginx/custom.d/ echo "# Starting PH 8.3"
cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
/usr/sbin/php-fpm83 -D /usr/sbin/php-fpm83 -D
;; ;;
"php82") "php82")
cp /app/nginx/php82.conf /etc/nginx/custom.d/ echo "# Starting PH 8.2"
cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
/usr/sbin/php-fpm82 -D /usr/sbin/php-fpm82 -D
;; ;;
*) *)
cp /app/nginx/default_nophp.conf /etc/nginx/http.d/default.conf
;; ;;
esac esac
# start ssh # start cron
for keytype in ecdsa rsa ed25519 ; do echo "# Starting cron"
if [ ! -r "/ssh/ssh_host_${keytype}_key" ] ; then
/usr/bin/ssh-keygen -t "${keytype}" -f "/ssh/ssh_host_${keytype}_key" -N ""
fi
chmod 0600 "/ssh/ssh_host_${keytype}_key"
chmod 0644 "/ssh/ssh_host_${keytype}_key.pub"
done
# set authorized_keys permissions
if [ -f /ssh/authorized_keys ] ; then
chmod 0600 /ssh/authorized_keys
chown "${USERNAME}:${GROUPNAME}" /ssh/authorized_keys
fi
chmod 0700 "${PATH_WEBROOT}/.ssh"
/usr/sbin/sshd -e
cat > /etc/nginx/conf.d/user.conf <<EOF
user ${USERNAME} ${GROUPNAME};
EOF
# fix permissions for upload
chown "${USERNAME}" /var/lib/nginx /var/lib/nginx/tmp
cat > /etc/nginx/http.d/webdav.conf <<EOF
server {
listen ${WEBDAV_PORT} default_server;
listen [::]:${WEBDAV_PORT} default_server;
root ${PATH_WEBROOT};
location / {
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
create_full_put_path on;
dav_access user:rw;
}
auth_basic "Restricted area";
auth_basic_user_file ${PATH_AUTH}/webdav;
}
EOF
# authentication
mkdir -p "${PATH_AUTH}"
touch "${PATH_AUTH}/stats" "${PATH_AUTH}/webdav"
chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}"
# make sure nginx can log
mkdir -p "${PATH_LOGS}" "${PATH_STATS}" "${PATH_STATSDB}"
chown -R "${USERNAME}:${GROUPNAME}" "${PATH_LOGS}" "${PATH_STATS}" "${PATH_STATSDB}"
# configure logrotate
cat >/etc/logrotate.d/nginx <<EOF
${PATH_LOGS}/nginx-access.log {
missingok
daily
rotate ${LOG_DAYS}
compress
delaycompress
sharedscripts
su ${USERNAME} ${GROUPNAME}
postrotate
/usr/sbin/nginx -s reopen
nice -n 19 /usr/bin/goaccess ${PATH_LOGS}/nginx-access.log.1 --agent-list --anonymize-ip --real-os --output ${PATH_STATS}/index.html --log-format COMBINED --tz="${TZ}" --db-path=${PATH_STATSDB} --persist --restore
endscript
}
EOF
crond -b crond -b
# stats endpoint # start ssh
cat > /etc/nginx/http.d/stats.conf <<EOF echo "# Starting ssh"
server { /usr/sbin/sshd -e
listen ${STATS_PORT} default_server;
listen [::]:${STATS_PORT} default_server;
root ${PATH_STATS};
location = / {
index index.html;
try_files /index.html =404;
}
location /index.html {
try_files /index.html =404;
}
location / {
return 404;
}
auth_basic "Restricted area";
auth_basic_user_file ${PATH_AUTH}/stats;
}
EOF
# start nginx # start nginx
echo starting nginx echo "# Starting nginx"
nginx nginx
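Review bot: The status of `run-parts /app/entrypoint.sh.d` is never checked, so when one of the new configuration scripts fails (user creation, a config heredoc, a chown) the entrypoint still proceeds to start php-fpm, crond, sshd and nginx on whatever state was left behind; no `set -e` is visible, and the script's head (lines 1–9) is outside this hunk. I would fail fast with `run-parts /app/entrypoint.sh.d || { echo "entrypoint.sh.d: configuration step failed" >&2; exit 1; }`. Whether run-parts itself aborts at the first failure, and which file names it accepts (some implementations skip names containing a dot such as `.sh`), depend on the variant shipped in the image, and the sub-script names are not shown on this page, so both are worth confirming. The three new `echo "# Starting PH 8.x"` lines look like a typo for `PHP`.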


@@ -0,0 +1,11 @@
#!/bin/sh
echo "# Creating user and group"
RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
addgroup -g "${PGID}" "${GROUPNAME}"
addgroup nginx "${GROUPNAME}"
adduser -DH -h "${PATH_WEBROOT}" -G "${GROUPNAME}" -u "${PUID}" "${USERNAME}"
printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
echo "password for the user \"${USERNAME}\" is: ${RANDOMPWD}"


@@ -0,0 +1,7 @@
#!/bin/sh
echo "# chowning ${PATH_WEBROOT} to ${PUID}:${GROUPNAME}..."
chown "${PUID}:${GROUPNAME}" "${PATH_WEBROOT}" -R
find "${PATH_WEBROOT}" -type d -exec chmod 0755 {} \;
find "${PATH_WEBROOT}" -type f -exec chmod 0644 {} \;


@@ -0,0 +1,24 @@
#!/bin/sh
echo "# Configuring logrotate"
# make sure path exists
mkdir -p "${PATH_LOGS}"
chown -R "${USERNAME}:${GROUPNAME}" "${PATH_LOGS}"
# configure logrotate
cat >/etc/logrotate.d/nginx <<EOF
${PATH_LOGS}/nginx-access.log {
missingok
daily
rotate ${LOG_DAYS}
compress
delaycompress
sharedscripts
su ${USERNAME} ${GROUPNAME}
postrotate
/usr/sbin/nginx -s reopen
nice -n 19 /usr/bin/goaccess ${PATH_LOGS}/nginx-access.log.1 --agent-list --anonymize-ip --real-os --output ${PATH_STATS}/index.html --log-format COMBINED --tz="${TZ}" --db-path=${PATH_STATSDB} --persist --restore
endscript
}
EOF
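Review bot: `--tz="${TZ}"` in the postrotate line uses the one variable these scripts read that the entrypoint's visible export list does not cover (it exports PATH_*, ports, sizes and the FPM settings), so it comes solely from the container environment and is baked into the config as `--tz=""` when unset; a default such as `--tz="${TZ:-UTC}"` would make the goaccess call self-contained, unless TZ is exported above line 10 of the entrypoint, which this page does not show. The same line writes to `${PATH_STATS}/index.html` and `${PATH_STATSDB}`, but this script only creates `${PATH_LOGS}`; those directories are created by the stats script, so the rotation job silently depends on that script having run. Because the heredoc is unquoted, every path lands unquoted in the logrotate config; fine for the defaults, but a path containing whitespace would break the `su` and goaccess lines.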


@@ -0,0 +1,24 @@
#!/bin/sh
echo "# Configuring nginx"
cat > /etc/nginx/conf.d/user.conf <<EOF
user ${USERNAME} ${GROUPNAME};
EOF
# fix permissions for upload
chown "${USERNAME}" /var/lib/nginx /var/lib/nginx/tmp
cat >"/etc/nginx/custom.d/post_size.conf" <<EOF
client_max_body_size ${POSTSIZE};
EOF
cat >"/etc/nginx/conf.d/errorlog.conf" <<EOF
# Configures default error logger.
error_log ${PATH_LOGS}/nginx-error.log warn;
EOF
cat >"/etc/nginx/httpd.d/accesslog.conf" <<EOF
# Sets the path, format, and configuration for a buffered log write.
access_log ${PATH_LOGS}/nginx-access.log main;
EOF
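Review bot: The access-log snippet is written to `/etc/nginx/httpd.d/accesslog.conf` while every other nginx file in this commit goes under `/etc/nginx/http.d/` or `/etc/nginx/conf.d/`; unless `httpd.d` is deliberately included somewhere not shown, this is a typo, and either the `cat >` fails because the directory does not exist or the file lands where nginx never reads it, so the `access_log … main;` setting is silently lost. I would write `cat >"/etc/nginx/http.d/accesslog.conf" <<EOF`, on the assumption that `http.d` is the directory included at http scope — which of `conf.d`/`http.d`/`custom.d` is included in which context is not visible here, so confirm against nginx.conf. The path is the same as in the old entrypoint, so this is carried over rather than introduced by the move.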


@@ -0,0 +1,45 @@
#!/bin/sh
echo "# Configuring PHP"
# set php config
case "${PHP}" in
"php84"|"php83"|"php82")
cat >"/etc/${PHP}/php-fpm.d/www.conf" <<EOF
[www]
user = ${USERNAME}
group = ${GROUPNAME}
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = ${FPM_MAX_CHILDREN}
pm.start_servers = ${FPM_START_SERVERS}
pm.min_spare_servers = ${FPM_MIN_SPARE_SERVERS}
pm.max_spare_servers = ${FPM_MAX_SPARE_SERVERS}
EOF
cat >"/etc/${PHP}/conf.d/post_size.ini" <<EOF
upload_max_size = ${POSTSIZE}
post_max_size = ${POSTSIZE}
upload_max_filesize = ${POSTSIZE}
upload_tmp_dir = /tmp
EOF
;;
*) ;;
esac
case "${PHP}" in
"php84")
cp /app/nginx/php84.conf /etc/nginx/custom.d/
cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
;;
"php83")
cp /app/nginx/php83.conf /etc/nginx/custom.d/
cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
;;
"php82")
cp /app/nginx/php82.conf /etc/nginx/custom.d/
cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
;;
*)
cp /app/nginx/default_nophp.conf /etc/nginx/http.d/default.conf
;;
esac
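Review bot: The second `case "${PHP}"` repeats the first one's version list only to pick `/app/nginx/php8x.conf`, and its three arms differ solely in that filename, which is `${PHP}.conf` in every case; folding the two `cp` lines into the first case's `"php84"|"php83"|"php82"` arm removes the duplication and the risk of the two lists drifting when a version is added. The `*) ;;` arm of the first case then becomes the no-PHP default and the whole second case goes away, as sketched below. Separately, `upload_max_size = ${POSTSIZE}` in post_size.ini is not a PHP ini directive as far as I know (the real ones, `upload_max_filesize` and `post_max_size`, are already set), so that line is ignored and worth deleting or annotating.
```shell
case "${PHP}" in
"php84"|"php83"|"php82")
  # … unchanged: www.conf and post_size.ini heredocs …
  cp "/app/nginx/${PHP}.conf" /etc/nginx/custom.d/
  cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
  ;;
*)
  cp /app/nginx/default_nophp.conf /etc/nginx/http.d/default.conf
  ;;
esac
```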


@@ -0,0 +1,19 @@
#!/bin/sh
echo "# Configuring ssh"
for keytype in ecdsa rsa ed25519 ; do
if [ ! -r "/ssh/ssh_host_${keytype}_key" ] ; then
/usr/bin/ssh-keygen -t "${keytype}" -f "/ssh/ssh_host_${keytype}_key" -N ""
fi
chmod 0600 "/ssh/ssh_host_${keytype}_key"
chmod 0644 "/ssh/ssh_host_${keytype}_key.pub"
done
# set authorized_keys permissions
if [ -f /ssh/authorized_keys ] ; then
chmod 0600 /ssh/authorized_keys
chown "${USERNAME}:${GROUPNAME}" /ssh/authorized_keys
fi
chmod 0700 "${PATH_WEBROOT}/.ssh"


@@ -0,0 +1,33 @@
#!/bin/sh
echo "# Configuring stats"
# make sure paths exists
mkdir -p "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
touch "${PATH_AUTH}/stats"
chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
# stats endpoint
cat > /etc/nginx/http.d/stats.conf <<EOF
server {
listen ${STATS_PORT} default_server;
listen [::]:${STATS_PORT} default_server;
root ${PATH_STATS};
location = / {
index index.html;
try_files /index.html =404;
}
location /index.html {
try_files /index.html =404;
}
location / {
return 404;
}
auth_basic "Restricted area";
auth_basic_user_file ${PATH_AUTH}/stats;
}
EOF
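Review bot: `chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}"` hands the htpasswd files (`stats` here, `webdav` in the webdav script, which repeats the same mkdir/touch/chown) to the very account nginx workers (`user.conf`) and php-fpm (`www.conf`) run as, so the file created by `touch` as root ends up owner-writable by the service user, which can then alter its own access-control list; nginx only needs to read `auth_basic_user_file`. Unless something running as `${USERNAME}` has to manage those files, root ownership with group read — `chown root:"${GROUPNAME}"` plus `chmod 0640` — is the safer default. It is also worth a comment that `touch` creates an empty credential file, meaning every request is rejected until it is populated: `# empty htpasswd: all access is denied until credentials are added`.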


@@ -0,0 +1,29 @@
#!/bin/sh
echo "# Configuring webdav"
cat > /etc/nginx/http.d/webdav.conf <<EOF
server {
listen ${WEBDAV_PORT} default_server;
listen [::]:${WEBDAV_PORT} default_server;
root ${PATH_WEBROOT};
location / {
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
create_full_put_path on;
dav_access user:rw;
}
auth_basic "Restricted area";
auth_basic_user_file ${PATH_AUTH}/webdav;
}
EOF
# authentication
mkdir -p "${PATH_AUTH}"
touch "${PATH_AUTH}/webdav"
chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}"