build on every push

.gitea/workflows/build_and_publish.yaml

@@ -7,10 +7,8 @@ env:
 
 on:
   push:
-    tags:
-      - '*'
   schedule:
-    - cron: "0 12 3 * *"
+    - cron: "0 12 * * 3"
   workflow_dispatch:
   workflow_call:
   workflow_run:
@@ -48,16 +46,9 @@ jobs:
         run: |
           docker build \
             --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
-            --platform linux/${{ matrix.arch }} -f Dockerfile .
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile .
           docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
 
-      - name: Build and publish php74
-        run: |
-          docker build \
-            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} \
-            --platform linux/${{ matrix.arch }} -f Dockerfile-php74 .
-          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }}
-
 
   manifest:
     name: update docker manifest
@@ -82,10 +73,3 @@ jobs:
             --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
           docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
 
-      - name: latest
-        run: |
-          docker manifest create \
-            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74 \
-            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-amd64 \
-            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-arm64
-          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74

.gitea/workflows/build_and_publish_php74.yaml

@@ -0,0 +1,67 @@
+---
+name: Container Publish - php7.4 version
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/webserver-nginx
+
+on:
+  workflow_dispatch:
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish php74
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile-php74 .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }}
+
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74

.gitea/workflows/vulnscan.yaml

@@ -62,4 +62,4 @@ jobs:
           token: ${{ secrets.TELEGRAM_TOKEN }}
           format: markdown
           message: |
-            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}`

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.21
+FROM alpine:3.22
 
 RUN \
   apk --no-cache upgrade && \
@@ -12,7 +12,7 @@ RUN \
 
 COPY rootfs /
 
-VOLUME [ "/data/www", "/ssh" ]
+VOLUME [ "/data" ]
 
 ENV \
   USERNAME=theuser \
@@ -23,6 +23,6 @@ ENV \
   WEBDAV_PORT=8080 \
   TZ=Etc/UTC
 
-HEALTHCHECK --timeout=10s CMD curl --silent --fail -o /dev/null http://127.0.0.1:80/
+HEALTHCHECK --timeout=10s --start-period=5s CMD curl --silent --fail -o /dev/null http://127.0.0.1:80/
 
 ENTRYPOINT [ "/sbin/tini", "/app/entrypoint.sh" ]

README.md

@@ -12,27 +12,41 @@ services:
     image: docker.asperti.com/paspo/webserver-nginx
     ports:
       - 8888:80 # web server
-      - 8889:8081 # stats page
       - 8890:8080 # webdav access
       - 2222:22 # sftp access
     volumes:
       - ./data:/data
-      - ./ssh:/ssh # add authorized_keys file here
       - ./extra_nginx.conf:/etc/nginx/custom.d/extra.conf # optional
-      - ./htpasswd:/app/htpasswd # optional, for webdav auth
     environment:
-      LOG_DAYS: 14 # default 7
-      WEBDAV_PORT: 8080 # default: 8080
-      STATS_PORT: 8081 # default: 8081
-      PHP: php84 # none (default), php82, php83, php84
-      POSTSIZE: 256M # default: 256M
-      PUID: 1000 # default: 1000
-      PGID: 1000 # default: 1000
-      TZ: Etc/UTC  # default: Etc/UTC
-      FPM_MAX_CHILDREN: 5 # default: 5
-      FPM_START_SERVERS: 1 # default: 1
-      FPM_MIN_SPARE_SERVERS: 1 # default: 1
-      FPM_MAX_SPARE_SERVERS: 3 # default: 3      
+      LOG_DAYS: 14              # default 7
+      WEBDAV_PORT: 8080         # default: 8080
+      PHP: php84                # none (default), php82, php83, php84
+      POSTSIZE: 256M            # default: 256M
+      PUID: 1000                # default: 1000
+      PGID: 1000                # default: 1000
+      USERNAME: theuser         # default: theuser
+      GROUPNAME: thegroup       # default: thegroup
+      TZ: Etc/UTC               # default: Etc/UTC
+      FPM_MAX_CHILDREN: 5       # default: 5
+      FPM_START_SERVERS: 1      # default: 1
+      FPM_MIN_SPARE_SERVERS: 1  # default: 1
+      FPM_MAX_SPARE_SERVERS: 3  # default: 3
+      DISABLE_WEBROOT_CHOWN: 1  # default: 0
+      DISABLE_SFTP: 1           # default: 0
+      DISABLE_STATS: 1          # default: 0
+      DISABLE_STATS_HOURLY: 1   # default: 0
+      DISABLE_WEBDAV: 1         # default: 0
 ```
 
 The `/data/www` and `/data/logs` directories and their contents will be chowned to `$PUID:$PGID` and chmodded to `0755` for directories and `0644` for files at container start.
+
+## data direcvtory layout
+
+| directory | content                                       |
+|-----------|-----------------------------------------------|
+| auth      | htpasswd files for stats and webdav           |
+| logs      | nginx access logs (logrotated) and error logs |
+| ssh       | host keys and authorized keys                 |
+| stats     | html statistical report                       |
+| stats.db  | internal statistical db                       |
+| www       | webroot                                       |

docker-compose-sample.yaml

@@ -1,11 +0,0 @@
-services:
-  web:
-    image: docker.asperti.com/paspo/webserver-nginx
-    ports:
-      - 8888:80
-      - 2222:22
-    volumes:
-      - ./www:/data/www
-      - ./ssh:/ssh # add authorized_keys file here
-    environment:
-      PHP: php84 # none (default), php82, php83, php84

rootfs-php74/app/entrypoint.sh

@@ -79,7 +79,9 @@ if [ -f /ssh/authorized_keys ] ; then
   chown "${USERNAME}:${GROUPNAME}" /ssh/authorized_keys
 fi
 
-chmod 0700 "${WEBROOT}/.ssh"
+if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
+  chmod 0700 "${PATH_WEBROOT}/.ssh"
+fi
 /usr/sbin/sshd -e
 
 cat > /etc/nginx/conf.d/user.conf <<EOF

rootfs-php74/etc/nginx/nginx.conf

@@ -9,7 +9,7 @@ worker_processes auto;
 pcre_jit on;
 
 # Configures default error logger.
-error_log /data/logs/nginx-error.log warn;
+error_log /var/log/nginx/error.log warn;
 
 # Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
@@ -89,6 +89,10 @@ http {
                 '' close;
         }
 
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
 
         # Specifies the main log format.
         log_format main '$remote_addr - $remote_user [$time_local] "$request" '
@@ -96,7 +100,7 @@ http {
                         '"$http_user_agent" "$http_x_forwarded_for"';
 
         # Sets the path, format, and configuration for a buffered log write.
-        access_log /data/logs/nginx-access.log main;
+        access_log /var/log/nginx/access.log main;
 
 
         # Includes virtual hosts configs.

rootfs/app/entrypoint.sh

@@ -1,178 +1,92 @@
 #!/bin/sh
 
-WEBROOT=/data/www
+PATH_BASE=/data
+PATH_WEBROOT=${PATH_BASE}/www
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+PATH_AUTH=${PATH_BASE}/auth
+PATH_SSH_HOST=${PATH_BASE}/ssh
+
 WEBDAV_PORT=${WEBDAV_PORT:-8080}
-STATS_PORT=${STATS_PORT:-8081}
+LOG_DAYS=${LOG_DAYS:-7}
+
 PHP=${PHP:-none}
 POSTSIZE=${POSTSIZE:-256M}
 USERNAME=${USERNAME:-theuser}
 PUID=${PUID:-1000}
 GROUPNAME=${GROUPNAME:-thegroup}
 PGID=${PGID:-1000}
-RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
-addgroup -g "${PGID}" "${GROUPNAME}"
-addgroup nginx "${GROUPNAME}"
-adduser -DH -h "${WEBROOT}" -G "${GROUPNAME}" -u "${PUID}" "${USERNAME}"
-printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
-echo "password for the user \"${USERNAME}\" is: ${RANDOMPWD}"
-
-echo "chowning to ${PUID}:${GROUPNAME}..."
-chown "${PUID}:${GROUPNAME}" "${WEBROOT}" -R
-find "${WEBROOT}" -type d -exec chmod 0755 {} \;
-find "${WEBROOT}" -type f -exec chmod 0644 {} \;
-echo "...done"
 
 FPM_MAX_CHILDREN=${FPM_MAX_CHILDREN:-5}
 FPM_START_SERVERS=${FPM_START_SERVERS:-1}
 FPM_MIN_SPARE_SERVERS=${FPM_MIN_SPARE_SERVERS:-1}
 FPM_MAX_SPARE_SERVERS=${FPM_MAX_SPARE_SERVERS:-3}
 
-# set php config
-case "${PHP}" in
-  "php84"|"php83"|"php82")
-    cat >"/etc/${PHP}/php-fpm.d/www.conf" <<EOF
-[www]
-user = ${USERNAME}
-group = ${GROUPNAME}
-listen = 127.0.0.1:9000
-pm = dynamic
-pm.max_children = ${FPM_MAX_CHILDREN}
-pm.start_servers = ${FPM_START_SERVERS}
-pm.min_spare_servers = ${FPM_MIN_SPARE_SERVERS}
-pm.max_spare_servers = ${FPM_MAX_SPARE_SERVERS}
-EOF
-    cat >"/etc/${PHP}/conf.d/post_size.ini" <<EOF
-upload_max_size = ${POSTSIZE}
-post_max_size = ${POSTSIZE}
-upload_max_filesize = ${POSTSIZE}    
-upload_tmp_dir = /tmp
-EOF
-    ;;
-    *) ;;
-esac
+DISABLE_WEBROOT_CHOWN=${DISABLE_WEBROOT_CHOWN:-0}
+DISABLE_SFTP=${DISABLE_SFTP:-0}
+DISABLE_STATS=${DISABLE_STATS:-0}
+DISABLE_STATS_HOURLY=${DISABLE_STATS_HOURLY:-0}
+DISABLE_WEBDAV=${DISABLE_WEBDAV:-0}
 
-cat >"/etc/nginx/custom.d/post_size.conf" <<EOF
-client_max_body_size ${POSTSIZE};
-EOF
+export USERNAME
+export GROUPNAME
+export PATH_BASE
+export PATH_WEBROOT
+export PATH_STATS
+export PATH_STATSDB
+export PATH_LOGS
+export PATH_AUTH
+export PATH_SSH_HOST
+export WEBDAV_PORT
+export POSTSIZE
+export LOG_DAYS
+export PHP
+export PUID
+export PGID
+
+export FPM_MAX_CHILDREN
+export FPM_START_SERVERS
+export FPM_MIN_SPARE_SERVERS
+export FPM_MAX_SPARE_SERVERS
+
+export DISABLE_WEBROOT_CHOWN
+export DISABLE_SFTP
+export DISABLE_STATS
+export DISABLE_STATS_HOURLY
+export DISABLE_WEBDAV
+
+# run all scripts in order
+run-parts /app/entrypoint.sh.d
 
 # start php
 case "${PHP}" in
     "php84") 
-      cp /app/nginx/php84.conf /etc/nginx/custom.d/
-      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      echo "# Starting PH 8.4"
       /usr/sbin/php-fpm84 -D
       ;;
     "php83") 
-      cp /app/nginx/php83.conf /etc/nginx/custom.d/
-      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      echo "# Starting PH 8.3"
       /usr/sbin/php-fpm83 -D
       ;;
     "php82")
-      cp /app/nginx/php82.conf /etc/nginx/custom.d/
-      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      echo "# Starting PH 8.2"
       /usr/sbin/php-fpm82 -D
       ;;
     *)
-      cp /app/nginx/default_nophp.conf /etc/nginx/http.d/default.conf
       ;;
 esac
 
-# start ssh
-for keytype in ecdsa rsa ed25519 ; do
-  if [ ! -r "/ssh/ssh_host_${keytype}_key" ] ; then
-    /usr/bin/ssh-keygen -t "${keytype}" -f "/ssh/ssh_host_${keytype}_key" -N ""
-  fi
-  chmod 0600 "/ssh/ssh_host_${keytype}_key"
-  chmod 0644 "/ssh/ssh_host_${keytype}_key.pub"
-done
-
-# set authorized_keys permissions
-if [ -f /ssh/authorized_keys ] ; then
-  chmod 0600 /ssh/authorized_keys
-  chown "${USERNAME}:${GROUPNAME}" /ssh/authorized_keys
-fi
-
-chmod 0700 "${WEBROOT}/.ssh"
-/usr/sbin/sshd -e
-
-cat > /etc/nginx/conf.d/user.conf <<EOF
-user ${USERNAME} ${GROUPNAME};
-EOF
-
-# fix permissions for upload
-chown "${USERNAME}" /var/lib/nginx /var/lib/nginx/tmp
-
-cat > /etc/nginx/http.d/webdav.conf <<EOF
-server {
-    listen ${WEBDAV_PORT} default_server;
-    listen [::]:${WEBDAV_PORT} default_server;
-    root ${WEBROOT};
-
-    location / {
-        autoindex on;
-        autoindex_exact_size off;
-        autoindex_localtime on;
-        dav_methods             PUT DELETE MKCOL COPY MOVE;
-        dav_ext_methods         PROPFIND OPTIONS;
-        create_full_put_path    on;
-        dav_access              user:rw;
-    }
-
-    auth_basic "Restricted area";
-    auth_basic_user_file /app/htpasswd;
-}
-EOF
-
-touch /app/htpasswd
-
-# make sure nginx can log
-mkdir -p /data/logs /data/stats /data/stats.db
-chown -R "${USERNAME}:${GROUPNAME}" /data/logs /data/stats /data/stats.db
-
-# configure logrotate
-LOG_DAYS=${LOG_DAYS:-7}
-cat >/etc/logrotate.d/nginx <<EOF
-/data/logs/nginx-access.log {
-    missingok
-    daily
-    rotate ${LOG_DAYS}
-    compress
-    delaycompress
-    sharedscripts
-    su ${USERNAME} ${GROUPNAME}
-    postrotate
-        /usr/sbin/nginx -s reopen
-        nice -n 19 /usr/bin/goaccess /data/logs/nginx-access.log.1 --agent-list --anonymize-ip --real-os --output /data/stats/index.html --log-format COMBINED --tz="${TZ}" --db-path=/data/stats.db --persist --restore 
-    endscript
-}
-EOF
+# start cron
+echo "# Starting cron"
 crond -b
 
-# stats endpoint
-cat > /etc/nginx/http.d/stats.conf <<EOF
-server {
-    listen ${STATS_PORT} default_server;
-    listen [::]:${STATS_PORT} default_server;
-    root /data/stats;
-
-    location / {
-        index index.html;
-        try_files /index.html =404;
-    }
-
-    location /index.html {
-        try_files /index.html =404;
-    }
-
-    location / {
-        return 404;
-    }
-
-    auth_basic "Restricted area";
-    auth_basic_user_file /app/htpasswd;
-}
-EOF
+# start ssh
+if [ "${DISABLE_SFTP}" -ne 1 ] ; then
+  echo "# Starting ssh"
+  /usr/sbin/sshd -e
+fi
 
 # start nginx
-echo starting nginx
+echo "# Starting nginx"
 nginx

rootfs/app/entrypoint.sh.d/10_user.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+echo "# Creating user and group"
+
+RANDOMPWD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13)
+
+addgroup -g "${PGID}" "${GROUPNAME}"
+addgroup nginx "${GROUPNAME}"
+adduser -DH -h "${PATH_WEBROOT}" -G "${GROUPNAME}" -u "${PUID}" "${USERNAME}"
+printf '%s\n%s' "${RANDOMPWD}" "${RANDOMPWD}" | passwd "${USERNAME}"
+echo "password for the user \"${USERNAME}\" is: ${RANDOMPWD}"

rootfs/app/entrypoint.sh.d/90_chown_webroot.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+echo "# Started background chowning of ${PATH_WEBROOT} to ${USERNAME}:${GROUPNAME} (${PUID}:${PGID})..."
+
+if [ ${DISABLE_WEBROOT_CHOWN} -eq 1 ] ; then
+  echo chowning skipped because of DISABLE_WEBROOT_CHOWN
+  exit 0
+fi
+
+chown "${USERNAME}:${GROUPNAME}" "${PATH_WEBROOT}" -R
+find "${PATH_WEBROOT}" -type d -exec chmod 0755 {} \; &
+find "${PATH_WEBROOT}" -type f -exec chmod 0644 {} \; &

rootfs/app/entrypoint.sh.d/90_logs.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+echo "# Configuring logrotate"
+
+# make sure path exists
+mkdir -p "${PATH_LOGS}"
+chown -R "${USERNAME}:${GROUPNAME}" "${PATH_LOGS}"
+
+# configure logrotate
+cat >/etc/logrotate.d/nginx <<EOF
+${PATH_LOGS}/nginx-access.log {
+    missingok
+    daily
+    rotate ${LOG_DAYS}
+    compress
+    delaycompress
+    sharedscripts
+    nodateext
+    su ${USERNAME} ${GROUPNAME}
+    postrotate
+        /usr/sbin/nginx -s reopen
+        nice -n 19 /app/stats.sh
+    endscript
+}
+EOF

rootfs/app/entrypoint.sh.d/90_nginx.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo "# Configuring nginx"
+
+cat > /etc/nginx/conf.d/user.conf <<EOF
+user ${USERNAME} ${GROUPNAME};
+EOF
+
+# fix permissions for upload
+chown "${USERNAME}" /var/lib/nginx /var/lib/nginx/tmp
+
+cat >"/etc/nginx/custom.d/post_size.conf" <<EOF
+client_max_body_size ${POSTSIZE};
+EOF
+
+cat >"/etc/nginx/conf.d/errorlog.conf" <<EOF
+# Configures default error logger.
+error_log ${PATH_LOGS}/nginx-error.log warn;
+EOF
+
+cat >"/etc/nginx/http.d/accesslog.conf" <<EOF
+# Sets the path, format, and configuration for a buffered log write.
+access_log ${PATH_LOGS}/nginx-access.log main;
+EOF

rootfs/app/entrypoint.sh.d/90_php.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+echo "# Configuring PHP"
+
+# set php config
+case "${PHP}" in
+  "php84"|"php83"|"php82")
+    cat >"/etc/${PHP}/php-fpm.d/www.conf" <<EOF
+[www]
+user = ${USERNAME}
+group = ${GROUPNAME}
+listen = 127.0.0.1:9000
+pm = dynamic
+pm.max_children = ${FPM_MAX_CHILDREN}
+pm.start_servers = ${FPM_START_SERVERS}
+pm.min_spare_servers = ${FPM_MIN_SPARE_SERVERS}
+pm.max_spare_servers = ${FPM_MAX_SPARE_SERVERS}
+EOF
+    cat >"/etc/${PHP}/conf.d/post_size.ini" <<EOF
+upload_max_size = ${POSTSIZE}
+post_max_size = ${POSTSIZE}
+upload_max_filesize = ${POSTSIZE}    
+upload_tmp_dir = /tmp
+EOF
+    ;;
+    *) ;;
+esac
+
+case "${PHP}" in
+    "php84") 
+      cp /app/nginx/php84.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      ;;
+    "php83") 
+      cp /app/nginx/php83.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      ;;
+    "php82")
+      cp /app/nginx/php82.conf /etc/nginx/custom.d/
+      cp /app/nginx/default_php.conf /etc/nginx/http.d/default.conf
+      ;;
+    *)
+      cp /app/nginx/default_nophp.conf /etc/nginx/http.d/default.conf
+      ;;
+esac

rootfs/app/entrypoint.sh.d/90_ssh.sh

@@ -0,0 +1,56 @@
+#!/bin/sh
+
+if [ ${DISABLE_SFTP} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring ssh"
+
+# make sure directory exists
+mkdir -p "${PATH_SSH_HOST}"
+
+for keytype in ecdsa rsa ed25519 ; do
+  if [ ! -r "${PATH_SSH_HOST}/ssh_host_${keytype}_key" ] ; then
+    /usr/bin/ssh-keygen -t "${keytype}" -f "${PATH_SSH_HOST}/ssh_host_${keytype}_key" -N ""
+  fi
+  chmod 0600 "${PATH_SSH_HOST}/ssh_host_${keytype}_key"
+  chmod 0644 "${PATH_SSH_HOST}/ssh_host_${keytype}_key.pub"
+done
+
+# set authorized_keys permissions
+if [ -f "${PATH_SSH_HOST}/authorized_keys" ] ; then
+  chmod 0600 "${PATH_SSH_HOST}/authorized_keys"
+  chown "${USERNAME}:${GROUPNAME}" "${PATH_SSH_HOST}/authorized_keys"
+fi
+
+if [ -d "${PATH_WEBROOT}/.ssh" ] ; then
+  chmod 0700 "${PATH_WEBROOT}/.ssh"
+fi
+
+# configure sshd
+cat >/etc/ssh/sshd_config.d/sshd.conf <<EOF
+HostKey ${PATH_SSH_HOST}/ssh_host_rsa_key
+HostKey ${PATH_SSH_HOST}/ssh_host_ecdsa_key
+HostKey ${PATH_SSH_HOST}/ssh_host_ed25519_key
+
+#SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 1m
+PermitRootLogin no
+PubkeyAuthentication yes
+MaxAuthTries 3
+PrintMotd no
+
+AuthorizedKeysFile      ${PATH_SSH_HOST}/authorized_keys
+PasswordAuthentication no
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+
+Subsystem       sftp    internal-sftp
+
+ChrootDirectory ${PATH_BASE}
+ForceCommand internal-sftp -d ${PATH_WEBROOT}
+EOF

rootfs/app/entrypoint.sh.d/90_stats.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+if [ ${DISABLE_STATS} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring stats"
+
+# make sure paths exists
+mkdir -p "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
+touch "${PATH_AUTH}/stats"
+chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}" "${PATH_STATS}" "${PATH_STATSDB}"
+
+# stats endpoint
+cat > /etc/nginx/local.d/stats.conf <<EOF
+location ^~ /stats {
+    root ${PATH_STATS};
+    auth_basic "Restricted area";
+    auth_basic_user_file ${PATH_AUTH}/stats;
+    try_files /index.html =404;
+}
+EOF

rootfs/app/entrypoint.sh.d/90_stats_hourly.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ ${DISABLE_STATS} -eq 1 ] ; then
+  exit 0
+fi
+
+if [ ${DISABLE_STATS_HOURLY} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring hourly stats"
+
+# stats endpoint
+ln -s /app/stats_hourly.sh /etc/periodic/hourly/stats

rootfs/app/entrypoint.sh.d/90_webdav.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+if [ ${DISABLE_WEBDAV} -eq 1 ] ; then
+  exit 0
+fi
+
+echo "# Configuring webdav"
+
+cat > /etc/nginx/http.d/webdav.conf <<EOF
+server {
+    listen ${WEBDAV_PORT} default_server;
+    listen [::]:${WEBDAV_PORT} default_server;
+    root ${PATH_WEBROOT};
+
+    location / {
+        autoindex on;
+        autoindex_exact_size off;
+        autoindex_localtime on;
+        dav_methods             PUT DELETE MKCOL COPY MOVE;
+        dav_ext_methods         PROPFIND OPTIONS;
+        create_full_put_path    on;
+        dav_access              user:rw;
+    }
+
+    auth_basic "Restricted area";
+    auth_basic_user_file ${PATH_AUTH}/webdav;
+}
+EOF
+
+# authentication
+mkdir -p "${PATH_AUTH}"
+touch "${PATH_AUTH}/webdav"
+chown -R "${USERNAME}:${GROUPNAME}" "${PATH_AUTH}"

rootfs/app/stats.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ "${DISABLE_STATS:-0}" -eq 1 ] ; then
+  exit 0
+fi
+
+PATH_BASE=/data
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+
+/usr/bin/goaccess "${PATH_LOGS}/nginx-access.log.1" \
+    --agent-list --anonymize-ip --real-os --exclude-ip 127.0.0.1 \
+    --output "${PATH_STATS}/index.html" --log-format COMBINED \
+    --tz="${TZ}" "--db-path=${PATH_STATSDB}" --persist --restore 

rootfs/app/stats_hourly.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ "${DISABLE_STATS:-0}" -eq 1 ] ; then
+  exit 0
+fi
+
+PATH_BASE=/data
+PATH_STATS=${PATH_BASE}/stats
+PATH_STATSDB=${PATH_BASE}/stats.db
+PATH_LOGS=${PATH_BASE}/logs
+
+/usr/bin/goaccess "${PATH_LOGS}/nginx-access.log" \
+    --agent-list --anonymize-ip --real-os --exclude-ip 127.0.0.1 \
+    --output "${PATH_STATS}/index.html" --log-format COMBINED \
+    --tz="${TZ}" "--db-path=${PATH_STATSDB}" --persist --restore 

rootfs/etc/nginx/nginx.conf

@@ -8,9 +8,6 @@ worker_processes auto;
 # Enables the use of JIT for regular expressions to speed-up their processing.
 pcre_jit on;
 
-# Configures default error logger.
-error_log /data/logs/nginx-error.log warn;
-
 # Includes files with directives to load dynamic modules.
 include /etc/nginx/modules/*.conf;
 
@@ -88,15 +85,16 @@ http {
 		'' close;
 	}
 
+	# use real IPs instead of docker ones
+	set_real_ip_from 172.18.0.0/16;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
 
 	# Specifies the main log format.
 	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 			'$status $body_bytes_sent "$http_referer" '
 			'"$http_user_agent" "$http_x_forwarded_for"';
 
-	# Sets the path, format, and configuration for a buffered log write.
-	access_log /data/logs/nginx-access.log main;
-
 
 	# Includes virtual hosts configs.
 	include /etc/nginx/http.d/*.conf;

rootfs/etc/ssh/sshd_config.d/sshd.conf

@@ -1,24 +0,0 @@
-HostKey /ssh/ssh_host_rsa_key
-HostKey /ssh/ssh_host_ecdsa_key
-HostKey /ssh/ssh_host_ed25519_key
-
-#SyslogFacility AUTH
-LogLevel INFO
-LoginGraceTime 1m
-PermitRootLogin no
-PubkeyAuthentication yes
-MaxAuthTries 3
-PrintMotd no
-
-AuthorizedKeysFile      /ssh/authorized_keys
-PasswordAuthentication no
-
-AllowAgentForwarding no
-AllowTcpForwarding no
-GatewayPorts no
-X11Forwarding no
-
-Subsystem       sftp    internal-sftp
-
-ChrootDirectory /data
-ForceCommand internal-sftp -d /data/www