build on every push

.drone.yml

@@ -1,47 +0,0 @@
----
-kind: pipeline
-type: docker
-name: default
-
-steps:
-  - name: build_and_publish
-    image: plugins/docker:linux-amd64
-    settings:
-      force_tag: true
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/webserver-nginx
-      context: .
-      dockerfile: ./Dockerfile
-      username:
-        from_secret: docker_username
-      tags:
-        - latest
-    when:
-      branch:
-        - master
-      event:
-        - push
-        - cron
-
-  - name: build_and_publish_php74
-    image: plugins/docker:linux-amd64
-    settings:
-      force_tag: true
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/webserver-nginx
-      context: .
-      dockerfile: ./Dockerfile-php74
-      username:
-        from_secret: docker_username
-      tags:
-        - latest-php74
-    when:
-      branch:
-        - master
-      event:
-        - push
-        - cron

.gitea/workflows/build_and_publish.yaml

@@ -0,0 +1,75 @@
+---
+name: Container Publish
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/webserver-nginx
+
+on:
+  push:
+  schedule:
+    - cron: "0 12 * * 3"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
+

.gitea/workflows/build_and_publish_php74.yaml

@@ -0,0 +1,67 @@
+---
+name: Container Publish - php7.4 version
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/webserver-nginx
+
+on:
+  workflow_dispatch:
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish php74
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile-php74 .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }}
+
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74

.gitea/workflows/vulnscan.yaml

@@ -1,44 +1,51 @@
 ---
 name: Vulnerability Scan
 
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/webserver-nginx
+
 on:
   schedule:
     - cron: "0 14 * * *"
   workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
 
 jobs:
   scan:
     name: Daily Vulnerability Scan
-    runs-on: ubuntu-latest
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
     container:
       image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+        tag: [latest, latest-php74]
 
     steps:
       - name: Pull docker image
-        run: docker pull docker.asperti.com/paspo/webserver-nginx:latest
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}
-
-      - uses: actions/cache/restore@v4
-        with:
-          path: |
-            /root/.cache/trivy
-          key: trivy-db
 
       - name: Setup trivy
         run: |
-          wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
           dpkg -i /tmp/trivy.deb
 
       - name: Run Trivy vulnerability scanner
         id: scan
         run: |
-          trivy image --format json docker.asperti.com/paspo/webserver-nginx:latest > trivy-results.json
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }} > trivy-results.json
-
-      - uses: actions/cache/save@v4
-        if: always()  # salva in cache anche se trova vulnerabilità
-        with:
-          path: |
-            /root/.cache/trivy
-          key: trivy-db
 
       # if some vulnerability is found, we fail
       - name: check output
@@ -55,4 +62,4 @@ jobs:
           token: ${{ secrets.TELEGRAM_TOKEN }}
           format: markdown
           message: |
-            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}`

Dockerfile

@@ -1,8 +1,8 @@
-FROM alpine:3.21
+FROM alpine:3.22
 
 RUN \
-  apk -U upgrade && \
+  apk --no-cache upgrade && \
-  apk add tini nginx openssh-server \
+  apk --no-cache add tini nginx curl logrotate openssh-server nginx-mod-http-dav-ext goaccess \
     php84 php84-fpm php84-mbstring php84-curl php84-ctype php84-dom php84-gd php84-json php84-openssl php84-session php84-simplexml php84-xml php84-zip \
     php84-apcu php84-opcache php84-pecl-yaml php84-sqlite3 php84-mysqli \
     php83 php83-fpm php83-mbstring php83-curl php83-ctype php83-dom php83-gd php83-json php83-openssl php83-session php83-simplexml php83-xml php83-zip \
@@ -12,13 +12,17 @@ RUN \
 
 COPY rootfs /
 
-VOLUME [ "/data/www", "/ssh" ]
+VOLUME [ "/data" ]
 
 ENV \
   USERNAME=theuser \
+  GROUPNAME=thegroup \
   PHP=none \
   PUID=1000 \
   PGID=1000 \
+  WEBDAV_PORT=8080 \
   TZ=Etc/UTC
 
+HEALTHCHECK --timeout=10s --start-period=5s CMD curl --silent --fail -o /dev/null http://127.0.0.1:80/
+
 ENTRYPOINT [ "/sbin/tini", "/app/entrypoint.sh" ]

Dockerfile-php74

@@ -1,8 +1,8 @@
 FROM alpine:3.15
 
 RUN \
-  apk -U upgrade && \
+  apk --no-cache upgrade && \
-  apk add tini nginx openssh-server \
+  apk --no-cache add tini nginx openssh-server nginx-mod-http-dav-ext \
     php7 php7-fpm php7-mbstring php7-curl php7-ctype php7-dom php7-gd php7-json php7-openssl php7-session php7-simplexml php7-xml php7-zip \
     php7-apcu php7-opcache php7-pecl-yaml php7-sqlite3 php7-mysqli
 
@@ -12,9 +12,11 @@ VOLUME [ "/data/www", "/ssh" ]
 
 ENV \
   USERNAME=theuser \
+  GROUPNAME=thegroup \
   PHP=none \
   PUID=1000 \
   PGID=1000 \
+  WEBDAV_PORT=8080 \
   TZ=Etc/UTC
 
 ENTRYPOINT [ "/sbin/tini", "/app/entrypoint.sh" ]

README.md

@@ -1,7 +1,5 @@
 # webserver-nginx
 
-[![Build Status](https://drone.asperti.com/api/badges/paspo/docker-webserver-nginx/status.svg)](https://drone.asperti.com/paspo/docker-webserver-nginx)
-
 Small webserver with PHP support and SFTP access
 
 ## usage
@@ -13,21 +11,42 @@ services:
   web:
     image: docker.asperti.com/paspo/webserver-nginx
     ports:
-      - 8888:80
+      - 8888:80 # web server
-      - 2222:22
+      - 8890:8080 # webdav access
+      - 2222:22 # sftp access
     volumes:
-      - ./www:/data/www
+      - ./data:/data
-      - ./ssh:/ssh # add authorized_keys file here
       - ./extra_nginx.conf:/etc/nginx/custom.d/extra.conf # optional
     environment:
+      LOG_DAYS: 14              # default 7
+      WEBDAV_PORT: 8080         # default: 8080
       PHP: php84                # none (default), php82, php83, php84
+      POSTSIZE: 256M            # default: 256M
       PUID: 1000                # default: 1000
       PGID: 1000                # default: 1000
+      USERNAME: theuser         # default: theuser
+      GROUPNAME: thegroup       # default: thegroup
       TZ: Etc/UTC               # default: Etc/UTC
       FPM_MAX_CHILDREN: 5       # default: 5
       FPM_START_SERVERS: 1      # default: 1
       FPM_MIN_SPARE_SERVERS: 1  # default: 1
       FPM_MAX_SPARE_SERVERS: 3  # default: 3
+      DISABLE_WEBROOT_CHOWN: 1  # default: 0
+      DISABLE_SFTP: 1           # default: 0
+      DISABLE_STATS: 1          # default: 0
+      DISABLE_STATS_HOURLY: 1   # default: 0
+      DISABLE_WEBDAV: 1         # default: 0
 ```
 
-The `/data/www` directory and its contents will be chowned to `$PUID:$PGID` and chmodded to `0755` for directories and `0644` for files at container start.
+The `/data/www` and `/data/logs` directories and their contents will be chowned to `$PUID:$PGID` and chmodded to `0755` for directories and `0644` for files at container start.
+
+## data direcvtory layout
+
+| directory | content                                       |
+|-----------|-----------------------------------------------|
+| auth      | htpasswd files for stats and webdav           |
+| logs      | nginx access logs (logrotated) and error logs |
+| ssh       | host keys and authorized keys                 |
+| stats     | html statistical report                       |
+| stats.db  | internal statistical db                       |
+| www       | webroot                                       |

docker-compose-sample.yaml

@@ -1,11 +0,0 @@
-services:
-  web:
-    image: docker.asperti.com/paspo/webserver-nginx
-    ports:
-      - 8888:80
-      - 2222:22
-    volumes:
-      - ./www:/data/www
-      - ./ssh:/ssh # add authorized_keys file here
-    environment:
-      PHP: php84 # none (default), php82, php83, php84

rootfs-php74/app/entrypoint.sh

@@ -1,7 +1,9 @@
 #!/bin/sh
 
 WEBROOT=/data/www
+WEBDAV_PORT=${WEBDAV_PORT:-8080}
 PHP=${PHP:-none}
+POSTSIZE=${POSTSIZE:-256M}
 USERNAME=${USERNAME:-theuser}
 PUID=${PUID:-1000}
 GROUPNAME=${GROUPNAME:-thegroup}
@@ -35,11 +37,21 @@ pm.max_children = ${FPM_MAX_CHILDREN}
 pm.start_servers = ${FPM_START_SERVERS}
 pm.min_spare_servers = ${FPM_MIN_SPARE_SERVERS}
 pm.max_spare_servers = ${FPM_MAX_SPARE_SERVERS}
+EOF
+    cat >"/etc/${PHP}/conf.d/post_size.ini" <<EOF
+upload_max_size = ${POSTSIZE}
+post_max_size = ${POSTSIZE}
+upload_max_filesize = ${POSTSIZE}    
+upload_tmp_dir = /tmp
 EOF
     ;;
     *) ;;
 esac
 
+cat >"/etc/nginx/custom.d/post_size.conf" <<EOF
+client_max_body_size ${POSTSIZE};
+EOF
+
 # start php
 case "${PHP}" in
     "php7") 
@@ -60,8 +72,47 @@ for keytype in ecdsa rsa ed25519 ; do
   chmod 0600 "/ssh/ssh_host_${keytype}_key"
   chmod 0644 "/ssh/ssh_host_${keytype}_key.pub"
 done
-chmod 0700 "${WEBROOT}/.ssh"
+
+# set authorized_keys permissions
+if [ -f /ssh/authorized_keys ] ; then
+  chmod 0600 /ssh/authorized_keys
+  chown "${USERNAME}:${GROUPNAME}" /ssh/authorized_keys
+fi
+
+if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
+  chmod 0700 "${PATH_WEBROOT}/.ssh"
+fi
 /usr/sbin/sshd -e
 
+cat > /etc/nginx/conf.d/user.conf <<EOF
+user ${USERNAME} ${GROUPNAME};
+EOF
+
+# fix permissions for upload
+chown "${USERNAME}" /var/lib/nginx /var/lib/nginx/tmp
+
+cat > /etc/nginx/http.d/webdav.conf <<EOF
+server {
+    listen ${WEBDAV_PORT} default_server;
+    listen [::]:${WEBDAV_PORT} default_server;
+    root ${WEBROOT};
+
+    location / {
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_localtime on;
+        dav_methods             PUT DELETE MKCOL COPY MOVE;
+        dav_ext_methods         PROPFIND OPTIONS;
+        create_full_put_path    on;
+        dav_access              user:rw;
+    }
+
+    auth_basic "Restricted area";
+    auth_basic_user_file /app/htpasswd;
+}
+EOF
+
+touch /app/htpasswd
+
 # start nginx
 nginx

rootfs-php74/app/nginx/default_nophp.conf

@@ -7,8 +7,6 @@ server {
     root   /data/www;
     # server_name  localhost;
 
-    #access_log  /var/log/nginx/host.access.log  main;
-
     location / {
         index index.html index.htm;
 

rootfs-php74/app/nginx/default_php.conf

@@ -7,8 +7,6 @@ server {
     root   /data/www;
     # server_name  localhost;
 
-    #access_log  /var/log/nginx/host.access.log  main;
-
     location / {
         index index.php index.html index.htm;
 

rootfs-php74/etc/nginx/nginx.conf

@@ -1,6 +1,6 @@
 # /etc/nginx/nginx.conf
 
-user nginx;
+# user nginx;
 
 # Set number of worker processes automatically based on number of CPU cores.
 worker_processes auto;
@@ -89,6 +89,10 @@ http {
                 '' close;
         }
 
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
 
         # Specifies the main log format.
         log_format main '$remote_addr - $remote_user [$time_local] "$request" '

rootfs/app/entrypoint.sh

@@ -1,77 +1,92 @@
 #!/bin/sh
 
-WEBROOT=/data/www
+PATH_BASE=/data
+PATH_WEBROOT=${PATH_BASE}/www
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+PATH_AUTH=${PATH_BASE}/auth
+PATH_SSH_HOST=${PATH_BASE}/ssh
+
+WEBDAV_PORT=${WEBDAV_PORT:-8080}
+LOG_DAYS=${LOG_DAYS:-7}
+
 PHP=${PHP:-none}
+POSTSIZE=${POSTSIZE:-256M}
 USERNAME=${USERNAME:-theuser}
 PUID=${PUID:-1000}
 GROUPNAME=${GROUPNAME:-thegroup}
 PGID=${PGID:-1000}
-RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
-addgroup -g "${PGID}" "${GROUPNAME}"
-addgroup nginx "${GROUPNAME}"
-adduser -DH -h "${WEBROOT}" -G "${GROUPNAME}" -u "${PUID}" "${USERNAME}"
-printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
-echo "password for the user \"${USERNAME}\" is: ${RANDOMPWD}"
-
-chown "${PUID}:${GROUPNAME}" "${WEBROOT}" -R
-find "${WEBROOT}" -type d -exec chmod 0755 {} \;
-find "${WEBROOT}" -type f -exec chmod 0644 {} \;
 
 FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-5}
 FPM_START_SERVERS=${FPM_START_SERVERS:-1}
 FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-1}
 FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-3}
 
-# set php config
+DISABLE_WEBROOT_CHOWN=${DISABLE_WEBROOT_CHOWN:-0}
-case "${PHP}" in
+DISABLE_SFTP=${DISABLE_SFTP:-0}
-  "php84"|"php83"|"php82")
+DISABLE_STATS=${DISABLE_STATS:-0}
-    cat >"/etc/${PHP}/php-fpm.d/www.conf" <<EOF
+DISABLE_STATS_HOURLY=${DISABLE_STATS_HOURLY:-0}
-[www]
+DISABLE_WEBDAV=${DISABLE_WEBDAV:-0}
-user = ${USERNAME}
+
-group = ${GROUPNAME}
+export USERNAME
-listen = 127.0.0.1:9000
+export GROUPNAME
-pm = dynamic
+export PATH_BASE
-pm.max_children = ${FPM_MAX_CHILDREN}
+export PATH_WEBROOT
-pm.start_servers = ${FPM_START_SERVERS}
+export PATH_STATS
-pm.min_spare_servers = ${FPM_MIN_SPARE_SERVERS}
+export PATH_STATSDB
-pm.max_spare_servers = ${FPM_MAX_SPARE_SERVERS}
+export PATH_LOGS
-EOF
+export PATH_AUTH
-    ;;
+export PATH_SSH_HOST
-    *) ;;
+export WEBDAV_PORT
-esac
+export POSTSIZE
+export LOG_DAYS
+export PHP
+export PUID
+export PGID
+
+export FPM_MAX_CHILDREN
+export FPM_START_SERVERS
+export FPM_MIN_SPARE_SERVERS
+export FPM_MAX_SPARE_SERVERS
+
+export DISABLE_WEBROOT_CHOWN
+export DISABLE_SFTP
+export DISABLE_STATS
+export DISABLE_STATS_HOURLY
+export DISABLE_WEBDAV
+
+# run all scripts in order
+run-parts /app/entrypoint.sh.d
 
 # start php
 case "${PHP}" in
     "php84") 
-      cp /app/nginx/php84.conf /etc/nginx/custom.d/
+      echo "# Starting PH 8.4"
-      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
       /usr/sbin/php-fpm84 -D
       ;;
     "php83") 
-      cp /app/nginx/php83.conf /etc/nginx/custom.d/
+      echo "# Starting PH 8.3"
-      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
       /usr/sbin/php-fpm83 -D
       ;;
     "php82")
-      cp /app/nginx/php82.conf /etc/nginx/custom.d/
+      echo "# Starting PH 8.2"
-      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
       /usr/sbin/php-fpm82 -D
       ;;
     *)
-      cp /app/nginx/default_nophp.conf /etc/nginx/http.d/default.conf
       ;;
 esac
 
+# start cron
+echo "# Starting cron"
+crond -b
+
 # start ssh
-for keytype in ecdsa rsa ed25519 ; do
+if [ "${DISABLE_SFTP}" -ne 1 ] ; then
-  if [ ! -r "/ssh/ssh_host_${keytype}_key" ] ; then
+  echo "# Starting ssh"
-    /usr/bin/ssh-keygen -t "${keytype}" -f "/ssh/ssh_host_${keytype}_key" -N ""
+  /usr/sbin/sshd -e
-  fi
+fi
-  chmod 0600 "/ssh/ssh_host_${keytype}_key"
-  chmod 0644 "/ssh/ssh_host_${keytype}_key.pub"
-done
-chmod 0700 "${WEBROOT}/.ssh"
-/usr/sbin/sshd -e
 
 # start nginx
+echo "# Starting nginx"
 nginx

rootfs/app/entrypoint.sh.d/10_user.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+echo "# Creating user and group"
+
+RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
+
+addgroup -g "${PGID}" "${GROUPNAME}"
+addgroup nginx "${GROUPNAME}"
+adduser -DH -h "${PATH_WEBROOT}" -G "${GROUPNAME}" -u "${PUID}" "${USERNAME}"
+printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
+echo "password for the user \"${USERNAME}\" is: ${RANDOMPWD}"

rootfs/app/entrypoint.sh.d/90_chown_webroot.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+echo "# Started background chowning of ${PATH_WEBROOT} to ${USERNAME}:${GROUPNAME} (${PUID}:${PGID})..."
+
+if [ ${DISABLE_WEBROOT_CHOWN} -eq 1 ] ; then
+  echo chowning skipped because of DISABLE_WEBROOT_CHOWN
+  exit 0
+fi
+
+chown "${USERNAME}:${GROUPNAME}" "${PATH_WEBROOT}" -R
+find "${PATH_WEBROOT}" -type d -exec chmod 0755 {} \; &
+find "${PATH_WEBROOT}" -type f -exec chmod 0644 {} \; &

rootfs/app/entrypoint.sh.d/90_logs.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+echo "# Configuring logrotate"
+
+# make sure path exists
+mkdir -p "${PATH_LOGS}"
+chown -R "${USERNAME}:${GROUPNAME}" "${PATH_LOGS}"
+
+# configure logrotate
+cat >/etc/logrotate.d/nginx <<EOF
+${PATH_LOGS}/nginx-access.log {
+    missingok
+    daily
+    rotate ${LOG_DAYS}
+    compress
+    delaycompress
+    sharedscripts
+    nodateext
+    su ${USERNAME} ${GROUPNAME}
+    postrotate
+        /usr/sbin/nginx -s reopen
+        nice -n 19 /app/stats.sh
+    endscript
+}
+EOF

rootfs/app/entrypoint.sh.d/90_nginx.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo "# Configuring nginx"
+
+cat > /etc/nginx/conf.d/user.conf <<EOF
+user ${USERNAME} ${GROUPNAME};
+EOF
+
+# fix permissions for upload
+chown "${USERNAME}" /var/lib/nginx /var/lib/nginx/tmp
+
+cat >"/etc/nginx/custom.d/post_size.conf" <<EOF
+client_max_body_size ${POSTSIZE};
+EOF
+
+cat >"/etc/nginx/conf.d/errorlog.conf" <<EOF
+# Configures default error logger.
+error_log ${PATH_LOGS}/nginx-error.log warn;
+EOF
+
+cat >"/etc/nginx/http.d/accesslog.conf" <<EOF
+# Sets the path, format, and configuration for a buffered log write.
+access_log ${PATH_LOGS}/nginx-access.log main;
+EOF

rootfs/app/entrypoint.sh.d/90_php.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+echo "# Configuring PHP"
+
+# set php config
+case "${PHP}" in
+  "php84"|"php83"|"php82")
+    cat >"/etc/${PHP}/php-fpm.d/www.conf" <<EOF
+[www]
+user = ${USERNAME}
+group = ${GROUPNAME}
+listen = 127.0.0.1:9000
+pm = dynamic
+pm.max_children = ${FPM_MAX_CHILDREN}
+pm.start_servers = ${FPM_START_SERVERS}
+pm.min_spare_servers = ${FPM_MIN_SPARE_SERVERS}
+pm.max_spare_servers = ${FPM_MAX_SPARE_SERVERS}
+EOF
+    cat >"/etc/${PHP}/conf.d/post_size.ini" <<EOF
+upload_max_size = ${POSTSIZE}
+post_max_size = ${POSTSIZE}
+upload_max_filesize = ${POSTSIZE}    
+upload_tmp_dir = /tmp
+EOF
+    ;;
+    *) ;;
+esac
+
+case "${PHP}" in
+    "php84") 
+      cp /app/nginx/php84.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      ;;
+    "php83") 
+      cp /app/nginx/php83.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      ;;
+    "php82")
+      cp /app/nginx/php82.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      ;;
+    *)
+      cp /app/nginx/default_nophp.conf /etc/nginx/http.d/default.conf
+      ;;
+esac

rootfs/app/entrypoint.sh.d/90_ssh.sh

@@ -0,0 +1,56 @@
+#!/bin/sh
+
+if [ ${DISABLE_SFTP} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring ssh"
+
+# make sure directory exists
+mkdir -p "${PATH_SSH_HOST}"
+
+for keytype in ecdsa rsa ed25519 ; do
+  if [ ! -r "${PATH_SSH_HOST}/ssh_host_${keytype}_key" ] ; then
+    /usr/bin/ssh-keygen -t "${keytype}" -f "${PATH_SSH_HOST}/ssh_host_${keytype}_key" -N ""
+  fi
+  chmod 0600 "${PATH_SSH_HOST}/ssh_host_${keytype}_key"
+  chmod 0644 "${PATH_SSH_HOST}/ssh_host_${keytype}_key.pub"
+done
+
+# set authorized_keys permissions
+if [ -f "${PATH_SSH_HOST}/authorized_keys" ] ; then
+  chmod 0600 "${PATH_SSH_HOST}/authorized_keys"
+  chown "${USERNAME}:${GROUPNAME}" "${PATH_SSH_HOST}/authorized_keys"
+fi
+
+if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
+  chmod 0700 "${PATH_WEBROOT}/.ssh"
+fi
+
+# configure sshd
+cat >/etc/ssh/sshd_config.d/sshd.conf <<EOF
+HostKey ${PATH_SSH_HOST}/ssh_host_rsa_key
+HostKey ${PATH_SSH_HOST}/ssh_host_ecdsa_key
+HostKey ${PATH_SSH_HOST}/ssh_host_ed25519_key
+
+#SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 1m
+PermitRootLogin no
+PubkeyAuthentication yes
+MaxAuthTries 3
+PrintMotd no
+
+AuthorizedKeysFile      ${PATH_SSH_HOST}/authorized_keys
+PasswordAuthentication no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
+Subsystem       sftp    internal-sftp
+
+ChrootDirectory ${PATH_BASE}
+ForceCommand internal-sftp -d ${PATH_WEBROOT}
+EOF

rootfs/app/entrypoint.sh.d/90_stats.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+if [ ${DISABLE_STATS} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring stats"
+
+# make sure paths exists
+mkdir -p "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
+touch "${PATH_AUTH}/stats"
+chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
+
+# stats endpoint
+cat > /etc/nginx/local.d/stats.conf <<EOF
+location ^~ /stats {
+    root ${PATH_STATS};
+    auth_basic "Restricted area";
+    auth_basic_user_file ${PATH_AUTH}/stats;
+    try_files /index.html =404;
+}
+EOF

rootfs/app/entrypoint.sh.d/90_stats_hourly.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ ${DISABLE_STATS} -eq 1 ] ; then
+  exit 0
+fi
+
+if [ ${DISABLE_STATS_HOURLY} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring hourly stats"
+
+# stats endpoint
+ln -s /app/stats_hourly.sh /etc/periodic/hourly/stats

rootfs/app/entrypoint.sh.d/90_webdav.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+if [ ${DISABLE_WEBDAV} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring webdav"
+
+cat > /etc/nginx/http.d/webdav.conf <<EOF
+server {
+    listen ${WEBDAV_PORT} default_server;
+    listen [::]:${WEBDAV_PORT} default_server;
+    root ${PATH_WEBROOT};
+
+    location / {
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_localtime on;
+        dav_methods             PUT DELETE MKCOL COPY MOVE;
+        dav_ext_methods         PROPFIND OPTIONS;
+        create_full_put_path    on;
+        dav_access              user:rw;
+    }
+
+    auth_basic "Restricted area";
+    auth_basic_user_file ${PATH_AUTH}/webdav;
+}
+EOF
+
+# authentication
+mkdir -p "${PATH_AUTH}"
+touch "${PATH_AUTH}/webdav"
+chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}"

rootfs/app/nginx/default_nophp.conf

@@ -7,8 +7,6 @@ server {
     root   /data/www;
     # server_name  localhost;
 
-    #access_log  /var/log/nginx/host.access.log  main;
-
     location / {
         index index.html index.htm;
 
@@ -29,5 +27,6 @@ server {
     add_header Pragma "public";
     add_header Cache-Control "max-age=31536000, public";
 
+    include /etc/nginx/local.d/*.conf;
     include /etc/nginx/custom.d/*.conf;
 }

rootfs/app/nginx/default_php.conf

@@ -7,8 +7,6 @@ server {
     root   /data/www;
     # server_name  localhost;
 
-    #access_log  /var/log/nginx/host.access.log  main;
-
     location / {
         index index.php index.html index.htm;
 
@@ -29,5 +27,6 @@ server {
     add_header Pragma "public";
     add_header Cache-Control "max-age=31536000, public";
 
+    include /etc/nginx/local.d/*.conf;
     include /etc/nginx/custom.d/*.conf;
 }

rootfs/app/stats.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ "${DISABLE_STATS:-0}" -eq 1 ] ; then
+  exit 0
+fi
+
+PATH_BASE=/data
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+
+/usr/bin/goaccess "${PATH_LOGS}/nginx-access.log.1" \
+    --agent-list --anonymize-ip --real-os --exclude-ip 127.0.0.1 \
+    --output "${PATH_STATS}/index.html" --log-format COMBINED \
+    --tz="${TZ}" "--db-path=${PATH_STATSDB}" --persist --restore 

rootfs/app/stats_hourly.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ "${DISABLE_STATS:-0}" -eq 1 ] ; then
+  exit 0
+fi
+
+PATH_BASE=/data
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+
+/usr/bin/goaccess "${PATH_LOGS}/nginx-access.log" \
+    --agent-list --anonymize-ip --real-os --exclude-ip 127.0.0.1 \
+    --output "${PATH_STATS}/index.html" --log-format COMBINED \
+    --tz="${TZ}" "--db-path=${PATH_STATSDB}" --persist --restore 

rootfs/etc/nginx/nginx.conf

@@ -0,0 +1,101 @@
+# /etc/nginx/nginx.conf
+
+# user nginx;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events {
+	# The maximum number of simultaneous connections that can be opened by
+	# a worker process.
+	worker_connections 1024;
+}
+
+http {
+	# Includes mapping of file name extensions to MIME types of responses
+	# and defines the default type.
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	# Name servers used to resolve names of upstream servers into addresses.
+	# It's also needed when using tcpsocket and udpsocket in Lua modules.
+	#resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
+
+	# Don't tell nginx version to the clients. Default is 'on'.
+	server_tokens off;
+
+	# Specifies the maximum accepted body size of a client request, as
+	# indicated by the request header Content-Length. If the stated content
+	# length is greater than this size, then the client receives the HTTP
+	# error code 413. Set to 0 to disable. Default is '1m'.
+	client_max_body_size 1m;
+
+	# Sendfile copies data between one FD and other from within the kernel,
+	# which is more efficient than read() + write(). Default is off.
+	sendfile on;
+
+	# Causes nginx to attempt to send its HTTP response head in one packet,
+	# instead of using partial frames. Default is 'off'.
+	tcp_nopush on;
+
+
+	# Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
+	# TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
+	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+	# Path of the file with Diffie-Hellman parameters for EDH ciphers.
+	# TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
+	#ssl_dhparam /etc/ssl/nginx/dh2048.pem;
+
+	# Specifies that our cipher suits should be preferred over client ciphers.
+	# Default is 'off'.
+	ssl_prefer_server_ciphers on;
+
+	# Enables a shared SSL cache with size that can hold around 8000 sessions.
+	# Default is 'none'.
+	ssl_session_cache shared:SSL:2m;
+
+	# Specifies a time during which a client may reuse the session parameters.
+	# Default is '5m'.
+	ssl_session_timeout 1h;
+
+	# Disable TLS session tickets (they are insecure). Default is 'on'.
+	ssl_session_tickets off;
+
+
+	# Enable gzipping of responses.
+	#gzip on;
+
+	# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+	gzip_vary on;
+
+
+	# Helper variable for proxying websockets.
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		'' close;
+	}
+
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
+
+	# Specifies the main log format.
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+			'$status $body_bytes_sent "$http_referer" '
+			'"$http_user_agent" "$http_x_forwarded_for"';
+
+
+	# Includes virtual hosts configs.
+	include /etc/nginx/http.d/*.conf;
+}

rootfs/etc/ssh/sshd_config.d/sshd.conf

@@ -1,24 +0,0 @@
-HostKey /ssh/ssh_host_rsa_key
-HostKey /ssh/ssh_host_ecdsa_key
-HostKey /ssh/ssh_host_ed25519_key
-
-#SyslogFacility AUTH
-LogLevel INFO
-LoginGraceTime 1m
-PermitRootLogin no
-PubkeyAuthentication yes
-MaxAuthTries 3
-PrintMotd no
-
-AuthorizedKeysFile      /ssh/authorized_keys
-PasswordAuthentication no
-
-AllowAgentForwarding no
-AllowTcpForwarding no
-GatewayPorts no
-X11Forwarding no
-
-Subsystem       sftp    internal-sftp
-
-ChrootDirectory /data
-ForceCommand internal-sftp -d /data/www