From bfe71edc4423579ad1d291315a44f9359bf6d105 Mon Sep 17 00:00:00 2001
From: Deon George
Date: Wed, 1 Jan 2025 17:35:58 +1100
Subject: [PATCH] Swap out base docker container for dunglas/frankenphp, enabling us to run as non-root, addressing #271. By default the container web address is now port 8080, so port mapping of -p 80:8080 will now be required
---
 .dockerignore | 8 +++
 docker/Dockerfile | 41 +++++++++--
 docker/init-docker | 172 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 214 insertions(+), 7 deletions(-)
 create mode 100755 docker/init-docker
diff --git a/.dockerignore b/.dockerignore
index 6089cff..9dabfc4 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,10 +1,18 @@
 .dockerignore
 .editorconfig
 .env.testing
+.idea
 .git*
 docker/
+node_modules/
+storage/debugbar
+storage/framework/cache/data
+storage/framework/sessions
+storage/framework/views
+storage/logs
 package.json
 package-lock.json
 phpunit.xml
+vendor/
 webpack.mix.js
 yarn.lock
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 2be14ec..bf74fc1 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
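Review bot: `.env` is still not excluded, while `.env.testing` is, so a developer's local `.env` sitting in the build context would be sent into the image by the Dockerfile's `COPY . /var/www/html/`; the later `mv .env.example .env` replaces it on the filesystem, but the copied file stays recoverable from the COPY layer. Adding `.env` to this list closes that gap regardless of what the checkout contains. Whether a local `.env` is normally present cannot be told from this diff, so treat this as a defensive exclusion.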
@@ -1,10 +1,37 @@
-FROM registry.dege.au/leenooks/php:8.3-fpm-ldap
+FROM dunglas/frankenphp:latest-php8.3-alpine
+
+# Base
+RUN apk add --no-cache bash
+
+# Additional extensions:
+RUN install-php-extensions \
+ ldap \
+ memcached
+
+RUN curl -4 https://getcomposer.org/installer|php -- --install-dir=/usr/local/bin --filename=composer
+ENV COMPOSER_HOME=/var/cache/composer
+
+ENV SITE_USER=www-data
+
+COPY init-docker /sbin/init-docker
+RUN chmod 550 /sbin/init-docker && chown ${SITE_USER}:0 /sbin/init-docker
 COPY . /var/www/html/
+WORKDIR /var/www/html
 
-RUN mkdir -p ${COMPOSER_HOME} && \
- ([ -r auth.json ] && mv auth.json ${COMPOSER_HOME}) || true && \
- touch .composer.refresh && \
- mv .env.example .env && \
- FORCE_PERMS=1 NGINX_START=FALSE /sbin/init && \
- rm -rf ${COMPOSER_HOME}/* composer.lock
+RUN mkdir -p ${COMPOSER_HOME} \
+ && ([ -r auth.json ] && mv auth.json ${COMPOSER_HOME}) || true \
+ && touch .composer.refresh \
+ && mv .env.example .env \
+ && FORCE_PERMS=1 /sbin/init-docker \
+ && rm -rf ${COMPOSER_HOME}/* composer.lock
+
+# Fix start up items
+RUN sed -i -e 's/^{$CADDY_EXTRA_CONFIG}$/{$CADDY_EXTRA_CONFIG} /' /etc/caddy/Caddyfile
+RUN chown ${SITE_USER} /config/caddy /data/caddy
+
+USER ${SITE_USER}
+
+# Control which port to open
+ENV SERVER_NAME=:8080
+EXPOSE 8080
diff --git a/docker/init-docker b/docker/init-docker
new file mode 100755
index 0000000..ad3e720
--- /dev/null
+++ b/docker/init-docker
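Review bot: The composer bootstrap `RUN curl -4 https://getcomposer.org/installer|php -- --install-dir=/usr/local/bin --filename=composer` executes whatever the download returns with no integrity check, and because curl is run without `-f` under the default `/bin/sh`, a failed download likely feeds an error page into php instead of failing the build. Taking the binary from the official image, `COPY --from=composer:2 /usr/bin/composer /usr/local/bin/composer`, gives a pinned, verifiable composer and removes the curl step entirely. The same reproducibility concern applies to `FROM dunglas/frankenphp:latest-php8.3-alpine`: the `latest-` tag floats, so pin a frankenphp release (or a digest) so rebuilds do not silently change the runtime. Separately, `auth.json`, when present, arrives through the `COPY . /var/www/html/` context line and is only moved and deleted in the later RUN, so any credentials it holds stay in the COPY layer; supplying it with `RUN --mount=type=secret,...` for the composer install is the usual fix. The `sed` under `# Fix start up items` deserves a comment explaining what the trailing space in the Caddyfile works around, since the intent is not recoverable from the line itself.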
@@ -0,0 +1,172 @@
+#!/bin/bash
+
+set -e
+role=${CONTAINER_ROLE:-app}
+env=${APP_ENV:-production}
+php=${PHP_DIR:-/var/www/html}
+composer=${COMPOSER_HOME:-/var/cache/composer}
+
+SITE_USER=${SITE_USER:-www-data}
+MEMCACHED_START=${MEMCACHED_START:-FALSE}
+
+# To run a local queue, running jobs from the queue "hostname"
+LOCAL_QUEUE=${LOCAL_QUEUE:-FALSE}
+# Optional additional queues to run for
+#LOCAL_QUEUES=
+
+function mp() {
+ set +e
+ mountpoint -q $1
+ local mp=$?
+ set -e
+ echo ${mp}
+}
+
+function wait_for_db() {
+ # Wait for DB to be active
+ if [ -n "${DB_HOST}" -a -n "${DB_PORT}" ]; then
+ while ! wait-for-it -h ${DB_HOST} -p ${DB_PORT} -t 5 -q; do
+ echo "? Waiting for database at ${DB_HOST}:${DB_PORT}"
+ sleep 1;
+ done
+ echo "- DB is active on ${DB_HOST}:${DB_PORT}"
+ fi
+}
+
+# Run any container setup
+[ -x /sbin/init-container ] && /sbin/init-container
+
+# General Setup
+if [ -x /usr/bin/memcached -a "${MEMCACHED_START}" == "TRUE" ]; then
+ echo "* Starting MEMCACHED..."
+ /usr/bin/memcached -d -P /run/memcached/memcached.pid -u memcached
+fi
+
+# Laravel Specific
+if [ -r artisan -a -e ${php}/.env ]; then
+ echo "* Laravel Setup..."
+ mp=$(mp ${php})
+ echo " - [${php}] is a mount point [${mp}]"
+
+ # Only adjust perms if this is an external mountpoint
+ if [ -n "${FORCE_PERMS}" -o ${mp} -eq 0 ]; then
+ if [ -n "${FORCE_PERMS}" -o "${env}" != "local" -a -z "${SKIP_PERM}" ]; then
+ echo " - Setting Permissions..."
+ # Make sure our permissions are appropraite
+ find ${php} -type f -exec chmod 640 {} \;
+ find ${php} -type d -exec chmod 750 {} \;
+ find ${php}/public -type f -exec chmod 644 {} \;
+ find ${php}/public -type d -exec chmod 755 {} \;
+ chmod o+rx ${php}
+ chmod a+rx ${php}/artisan
+ chown -R ${SITE_USER}:www-data ${php}
+
+ #if [ "${SITE_USER}" -ne "www-data" ]; then
+ # echo " - Extended Permissions for ${SITE_USER}..."
+ # chown -R www-data:www-data ${php}/storage ${php}/bootstrap ${php}/composer.*
+ # [ -e ${php}/vendor ] && chown -R www-data:www-data ${php}/vendor
+ #fi
+ fi
+ fi
+
+ # See if we need to refresh our dependancies (only need if web dir is externally mounted)
+ if [[ -r composer.json && ( -e .composer.refresh || ! -d vendor ) ]]; then
+ echo " - Composer installing dependancies..."
+
+ rm -f ${php}/bootstrap/cache/*.php
+ if [ "${env}" != "local" ]; then
+ NODEV="--no-dev"
+ fi
+
+ mp=$(mp ${composer})
+ echo " - [${composer}] is a mount point [${mp}]"
+
+ if [ -n "${FORCE_PERMS}" -o ${mp} -eq 0 ]; then
+ [ -n "${FORCE_PERMS}" -o "${env}" != "local" -a -z "${SKIP_PERM}" ] && chown -R ${SITE_USER}:www-data ${composer}
+ [ ! -d ${php}/vendor ] && mkdir -m 750 ${php}/vendor && chown ${SITE_USER}:www-data ${php}/vendor
+ [ -n "${FORCE_PERMS}" -o "${env}" != "local" -a -z "${SKIP_PERM}" ] && chmod g+w ${php}
+ fi
+
+ su ${SITE_USER} -s /bin/sh -c "composer install --optimize-autoloader ${NODEV}" && ( test -e .composer.refresh && rm -f .composer.refresh )
+ [ -n "${FORCE_PERMS}" -o "${env}" != "local" -a -z "${SKIP_PERM}" ] && [ ${mp} -eq 0 ] && chmod g-w ${php}
+ fi
+
+ # We only check for non mount points, in case this container has the app inside
+ mp=$(mp ${php})
+ if [ ${mp} -eq 1 ]; then
+ echo " - Caching configuration..."
+ su ${SITE_USER} -s /bin/sh -c "(php artisan optimize)"
+ fi
+
+ if [ "${role}" = "app" ]; then
+ if [ "${env}" != "local" ]; then
+ if [ -z "${IGNORE_MIGRATION}" ]; then
+ if [ -r .migrate ]; then
+ echo " - Running migration..."
+ # If DB_HOST not set, source the env file
+ [ -z "${DB_HOST}" -a -r .env ] && . .env
+
+ wait_for_db
+
+ su ${SITE_USER} -s /bin/sh -c "php artisan migrate" && rm -f .migrate
+ fi
+ else
+ [ -r .migrate ] && echo "! NOTE: Migration ignored due to IGNORE_MIGRATION"
+ fi
+
+ # If passport is installed
+ if [ -d ${php}/vendor/laravel/passport ]; then
+ echo " - Generating OAUTH keys ..."
+ set +e
+ su ${SITE_USER} -s /bin/sh -c "php artisan passport:keys"
+ set -e
+ fi
+ fi
+
+ if [ "${LOCAL_QUEUE}" = "TRUE" ]; then
+ echo " - Starting local queue for [$(hostname)${LOCAL_QUEUES:+,${LOCAL_QUEUES}}] with job timeout of [${WORK_TIMEOUT:-90}], trying [${WORK_TRIES:-1}] times..."
+ su ${SITE_USER} -s /bin/sh -c "
+ (while true; do php ${PHP_OPTIONS} artisan queue:work --verbose --tries=${WORK_TRIES:-1} --timeout=${WORK_TIMEOUT:-90} --queue=$(hostname)${LOCAL_QUEUES:+,${LOCAL_QUEUES}} ${WORK_MEMORY:+--memory=${WORK_MEMORY}} ${WORK_ONCE:+--once}; done) &
+ "
+ fi
+
+ set +e
+ [ -x init-php.sh ] && su ${SITE_USER} -s /bin/sh "init-php.sh" &
+
+ exec /usr/local/bin/docker-php-entrypoint "$@"
+
+ elif [ "$role" = "queue" ]; then
+ QUEUE_CMD=work
+
+ if [ "${env}" == "local" ]; then
+ QUEUE_CMD=listen
+ fi
+
+ echo " - Running the queue..."
+ # We'll delay starting in case the app is caching
+ sleep 15
+
+ wait_for_db
+
+ su ${SITE_USER} -s /bin/sh -c "
+ while true; do
+ php ${PHP_OPTIONS} artisan queue:${QUEUE_CMD} --verbose --tries=${WORK_TRIES:-1} --timeout=${WORK_TIMEOUT:-90} ${WORK_QUEUES:+--queue=${WORK_QUEUES}} ${WORK_MEMORY:+--memory=${WORK_MEMORY}} ${WORK_ONCE:+--once}
+ done
+ "
+
+ elif [ "$role" = "scheduler" ]; then
+ echo " - Running the scheduler..."
+ # We'll delay starting in case the app is caching
+ sleep 15
+
+ su ${SITE_USER} -s /bin/sh -c "
+ while true; do
+ php ${PHP_OPTIONS} artisan schedule:work --verbose --no-interaction
+ done
+ "
+ fi
+
+else
+ echo "? NO container role \"${role}\", AND/OR no laravel install, just starting php-fpm"
+ exec /usr/local/bin/docker-php-entrypoint "$@"
+fi
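Review bot: The script is written as a root-run entrypoint — `chown -R`, `chmod` and every `su ${SITE_USER} -s /bin/sh -c ...` call assume the caller can switch user — yet the Dockerfile in this commit ends with `USER ${SITE_USER}` and never sets init-docker as ENTRYPOINT; it is only invoked at build time under `FORCE_PERMS=1`. If the intent is to also run it at container start under the non-root user, the `su` calls (the first one reached on a non-mounted app dir is `su ${SITE_USER} -s /bin/sh -c "(php artisan optimize)"`) will generally fail for an unprivileged caller and `set -e` aborts the app, queue and scheduler roles before their work begins; either document the script as build-only in its header, or skip the `su` wrapping when `$(id -u)` already matches the site user. `wait_for_db` relies on `wait-for-it`, which the Dockerfile hunk does not install on the alpine base, so confirm the base image ships it or the migrate and queue paths fail at `while ! wait-for-it ...`. `[ -z "${DB_HOST}" -a -r .env ] && . .env` evaluates the Laravel env file as shell, which misbehaves on values containing spaces, `#` or `$`; reading only `DB_HOST` and `DB_PORT` out of the file would be more robust than sourcing it.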