kool-dev
diff --git a/‎.github/workflows/ci-cd.yml
+44-36 b/‎.github/workflows/ci-cd.yml
+44-36
diff --git a/‎8.0-nginx-swoole-prod/Dockerfile
-19 b/‎8.0-nginx-swoole-prod/Dockerfile
-19
diff --git a/‎8.0-swoole-nginx-prod/Dockerfile
+62 b/‎8.0-swoole-nginx-prod/Dockerfile
+62
diff --git a/‎8.0-swoole-nginx-prod/default.tmpl
+72 b/‎8.0-swoole-nginx-prod/default.tmpl
+72
diff --git a/‎8.0-swoole-nginx-prod/entrypoint
+25 b/‎8.0-swoole-nginx-prod/entrypoint
+25
diff --git a/‎8.0-swoole-nginx-prod/supervisor.conf
+12 b/‎8.0-swoole-nginx-prod/supervisor.conf
+12
diff --git a/‎8.0-swoole-nginx/Dockerfile
+62 b/‎8.0-swoole-nginx/Dockerfile
+62
@@ -3,57 +3,69 @@ name: CI/CD
 on:
   push:
   workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * 0'
-
-env:
-  DOCKER_BUILDKIT: 1
 
 jobs:
   build:
-    name: Build
     runs-on: ubuntu-latest
+
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+
     strategy:
       matrix:
-        version: ['8.0', '8.1', '8.2', '8.3']
-        type: ['-swoole', '-nginx-swoole-prod']
+        version: ['8.0-swoole', '8.1-swoole', '8.2-swoole', '8.3-swoole']
+        type: ['', '-prod']
 
     steps:
       - name: Checkout code
-        uses: actions/[email protected].1
+        uses: actions/[email protected].2
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v3
 
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@v3
-
-      - name: Login to DockerHub
-        uses: docker/login-action@v3
-        if: github.ref == 'refs/heads/main' && github.repository == 'kool-dev/docker-php-swoole'
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          driver-opts: network=host # needed to push to local registry
 
       - name: Build and export to Docker
         uses: docker/build-push-action@v5
         with:
           context: ${{ matrix.version }}${{ matrix.type }}
-          load: true
-          tags: kooldev/php:${{ matrix.version }}${{ matrix.type }}
+          push: true
+          tags: localhost:5000/kooldev/php:${{ matrix.version }}${{ matrix.type }}
 
-      - name: Tests (dev)
-        if: matrix.type == '-swoole'
+      - name: Build and export to Docker (nginx)
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.version }}-nginx${{ matrix.type }}
+          push: true
+          tags: localhost:5000/kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }}
+          build-contexts: |
+            kooldev/php:${{ matrix.version }}${{ matrix.type }}=docker-image://localhost:5000/kooldev/php:${{ matrix.version }}${{ matrix.type }}
+
+      - name: Tests
         run: |
-          docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -r "extension_loaded('swoole') or die(1);"
-          docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} node -v
-          docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} yarn -v
+          docker run localhost:5000/kooldev/php:${{ matrix.version }}${{ matrix.type }} php -r "extension_loaded('swoole') or die(1);"
+          docker run localhost:5000/kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} nginx -v
 
-      - name: Tests (prod)
-        if: matrix.type == '-nginx-swoole-prod'
+      - name: Tests (dev)
+        if: matrix.type == ''
         run: |
-          docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} php -r "extension_loaded('swoole') or die(1);"
-          docker run kooldev/php:${{ matrix.version }}${{ matrix.type }} nginx -v
+          docker run localhost:5000/kooldev/php:${{ matrix.version }}${{ matrix.type }} node -v
+          docker run localhost:5000/kooldev/php:${{ matrix.version }}${{ matrix.type }} yarn -v
+          docker run localhost:5000/kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} node -v
+          docker run localhost:5000/kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }} yarn -v
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        if: github.ref == 'refs/heads/main' && github.repository == 'kool-dev/docker-php-swoole'
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Build and push
         uses: docker/build-push-action@v5
@@ -64,15 +76,11 @@ jobs:
           push: true
           tags: kooldev/php:${{ matrix.version }}${{ matrix.type }}
 
-  trigger-build-oci8:
-    name: Trigger OCI8 Build
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - name: Trigger build on kool-dev/docker-php-oci8
-        uses: benc-uk/[email protected]
+      - name: Build and push (nginx)
+        uses: docker/build-push-action@v5
         if: github.ref == 'refs/heads/main' && github.repository == 'kool-dev/docker-php-swoole'
         with:
-          workflow: CI/CD
-          repo: kool-dev/docker-php-oci8
-          token: ${{ secrets.WORKFLOW_TOKEN }}
+          context: ${{ matrix.version }}-nginx${{ matrix.type }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: kooldev/php:${{ matrix.version }}-nginx${{ matrix.type }}
@@ -0,0 +1,62 @@
+FROM debian AS cert
+
+WORKDIR /kool/ssl
+
+RUN apt-get update && \
+    apt-get install -y openssl && \
+    openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 && \
+    openssl rsa -passin pass:x -in server.pass.key -out _.localhost.key && \
+    rm server.pass.key && \
+    openssl req -new -key _.localhost.key -out server.csr \
+        -subj "/C=XX/ST=XX/L=XX/O=Kool-Local/OU=Localhost/CN=*.localhost" && \
+    openssl x509 -req -days 365 -in server.csr -signkey _.localhost.key -out _.localhost.crt && \
+    openssl x509 -in _.localhost.crt -out _.localhost.pem
+
+FROM kooldev/php:8.0-swoole-prod
+
+ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
+    NGINX_LISTEN=80 \
+    NGINX_HTTPS=false \
+    NGINX_LISTEN_HTTPS=443 \
+    NGINX_HTTPS_CERT=/kool/ssl/_.localhost.pem \
+    NGINX_HTTPS_CERT_KEY=/kool/ssl/_.localhost.key \
+    NGINX_ROOT=/app/public \
+    NGINX_INDEX=index.php \
+    NGINX_CLIENT_MAX_BODY_SIZE=25M \
+    NGINX_PHP_FPM=unix:/run/php-fpm.sock \
+    NGINX_FASTCGI_READ_TIMEOUT=60s \
+    NGINX_FASTCGI_BUFFERS='8 8k' \
+    NGINX_FASTCGI_BUFFER_SIZE='16k' \
+    NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE=true
+
+RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/supervisord_static_0.6.3_linux_amd64 -o /usr/local/bin/supervisord \
+    && chmod +x /usr/local/bin/supervisord \
+    && apk add --no-cache nginx \
+    && chown -R kool:kool /var/lib/nginx \
+    && chmod 770 /var/lib/nginx/tmp \
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    # add h5bp/server-configs-nginx
+    && mkdir -p /etc/nginx/conf.d \
+    && mkdir /etc/nginx/h5bp \
+    && cd /etc/nginx/h5bp \
+    && wget https://github.com/h5bp/server-configs-nginx/archive/refs/tags/3.3.0.tar.gz -O h5bp.tgz \
+    && tar xzvf h5bp.tgz \
+    && rm -f h5bp.tgz \
+    && mv server-configs-nginx-*/h5bp/* . \
+    && mv server-configs-nginx-*/nginx.conf /etc/nginx/nginx.conf \
+    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
+    && mv server-configs-nginx-*/mime.types /etc/nginx/mime.types \
+    && rm -rf server-configs-nginx-* \
+    && curl -L https://raw.githubusercontent.com/nginxinc/docker-nginx/master/entrypoint/30-tune-worker-processes.sh -o /kool/30-tune-worker-processes.sh \
+    && chmod +x /kool/30-tune-worker-processes.sh
+
+COPY supervisor.conf /kool/supervisor.conf
+COPY default.tmpl /kool/default.tmpl
+COPY entrypoint /kool/entrypoint
+COPY --from=cert /kool/ssl /kool/ssl
+RUN chmod +x /kool/entrypoint
+
+EXPOSE 80
+
+CMD [ "supervisord", "-c", "/kool/supervisor.conf" ]
@@ -0,0 +1,72 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+server {
+    listen {{ .Env.NGINX_LISTEN }} default_server;
+    server_name _;
+{{ if isTrue .Env.NGINX_HTTPS }}
+    listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
+    ssl_certificate     {{ .Env.NGINX_HTTPS_CERT }};
+    ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+{{ end }}
+    root {{ .Env.NGINX_ROOT }};
+    index {{ .Env.NGINX_INDEX }};
+    charset utf-8;
+
+    location = /favicon.ico { log_not_found off; access_log off; }
+    location = /robots.txt  { log_not_found off; access_log off; }
+
+    client_max_body_size {{ .Env.NGINX_CLIENT_MAX_BODY_SIZE }};
+
+    error_page 404 /index.php;
+
+    location /index.php {
+        try_files /not_exists @octane;
+    }
+
+    location / {
+        try_files $uri $uri/ @octane;
+
+        add_header X-Served-By kool.dev;
+    }
+
+    location @octane  {
+        set $suffix "";
+
+        if ($uri = /index.php) {
+            set $suffix ?$query_string;
+        }
+
+        proxy_http_version 1.1;
+        proxy_set_header Host $http_host;
+        proxy_set_header Scheme $scheme;
+        proxy_set_header SERVER_PORT $server_port;
+        proxy_set_header REMOTE_ADDR $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        proxy_pass http://127.0.0.1:8000$suffix;
+    }
+
+    location ~ /\.ht {
+        deny all;
+    }
+
+    # good practices
+    add_header X-Frame-Options "SAMEORIGIN";
+
+    # basic H5BP suggestions
+    include h5bp/internet_explorer/x-ua-compatible.conf;
+    include h5bp/security/referrer-policy.conf;
+    include h5bp/security/x-content-type-options.conf;
+    include h5bp/security/x-xss-protection.conf;
+
+    # performance enhancements (mostly for caching static data)
+    include h5bp/web_performance/cache-file-descriptors.conf;
+    include h5bp/web_performance/pre-compressed_content_gzip.conf;
+}
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -e
+
+
+# Run as current user
+CURRENT_USER=${ASUSER:-${UID:-0}}
+
+if [ ! -z "$CURRENT_USER" ] && [ "$CURRENT_USER" != "0" ]; then
+    usermod -u $CURRENT_USER kool
+fi
+
+dockerize -template /kool/kool.tmpl:/usr/local/etc/php/conf.d/kool.ini -template /kool/zz-docker.tmpl:/usr/local/etc/php-fpm.d/zz-docker.conf -template /kool/default.tmpl:/etc/nginx/conf.d/default.conf
+
+/kool/30-tune-worker-processes.sh
+
+# Run entrypoint if provided
+if [ ! -z "$ENTRYPOINT" ] && [ -f "$ENTRYPOINT" ]; then
+    bash $ENTRYPOINT
+fi
+
+if [ "$1" = "sh" ] || [ "$1" = "bash" ] || [ "$1" = "php-fpm" ] || [ "$1" = "nginx" ] || [ "$1" = "supervisord" ]; then
+    exec "$@"
+else
+    exec su-exec kool "$@"
+fi
@@ -0,0 +1,12 @@
+[program:nginx]
+depends_on = php-fpm
+command = nginx -g "daemon off;"
+stopasgroup = true
+stderr_logfile = /dev/stderr
+stdout_logfile = /dev/stdout
+
+[program:octane]
+command = php artisan octane:start --server=swoole
+stopasgroup = true
+stderr_logfile = /dev/stderr
+stdout_logfile = /dev/stdout
@@ -0,0 +1,62 @@
+FROM debian AS cert
+
+WORKDIR /kool/ssl
+
+RUN apt-get update && \
+    apt-get install -y openssl && \
+    openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 && \
+    openssl rsa -passin pass:x -in server.pass.key -out _.localhost.key && \
+    rm server.pass.key && \
+    openssl req -new -key _.localhost.key -out server.csr \
+        -subj "/C=XX/ST=XX/L=XX/O=Kool-Local/OU=Localhost/CN=*.localhost" && \
+    openssl x509 -req -days 365 -in server.csr -signkey _.localhost.key -out _.localhost.crt && \
+    openssl x509 -in _.localhost.crt -out _.localhost.pem
+
+FROM kooldev/php:8.0-swoole
+
+ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
+    NGINX_LISTEN=80 \
+    NGINX_HTTPS=false \
+    NGINX_LISTEN_HTTPS=443 \
+    NGINX_HTTPS_CERT=/kool/ssl/_.localhost.pem \
+    NGINX_HTTPS_CERT_KEY=/kool/ssl/_.localhost.key \
+    NGINX_ROOT=/app/public \
+    NGINX_INDEX=index.php \
+    NGINX_CLIENT_MAX_BODY_SIZE=25M \
+    NGINX_PHP_FPM=unix:/run/php-fpm.sock \
+    NGINX_FASTCGI_READ_TIMEOUT=60s \
+    NGINX_FASTCGI_BUFFERS='8 8k' \
+    NGINX_FASTCGI_BUFFER_SIZE='16k' \
+    NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE=true
+
+RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/supervisord_static_0.6.3_linux_amd64 -o /usr/local/bin/supervisord \
+    && chmod +x /usr/local/bin/supervisord \
+    && apk add --no-cache nginx \
+    && chown -R kool:kool /var/lib/nginx \
+    && chmod 770 /var/lib/nginx/tmp \
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log \
+    # add h5bp/server-configs-nginx
+    && mkdir -p /etc/nginx/conf.d \
+    && mkdir /etc/nginx/h5bp \
+    && cd /etc/nginx/h5bp \
+    && wget https://github.com/h5bp/server-configs-nginx/archive/refs/tags/3.3.0.tar.gz -O h5bp.tgz \
+    && tar xzvf h5bp.tgz \
+    && rm -f h5bp.tgz \
+    && mv server-configs-nginx-*/h5bp/* . \
+    && mv server-configs-nginx-*/nginx.conf /etc/nginx/nginx.conf \
+    && sed -i "s|^user .*|user\ kool kool;|g" /etc/nginx/nginx.conf \
+    && mv server-configs-nginx-*/mime.types /etc/nginx/mime.types \
+    && rm -rf server-configs-nginx-* \
+    && curl -L https://raw.githubusercontent.com/nginxinc/docker-nginx/master/entrypoint/30-tune-worker-processes.sh -o /kool/30-tune-worker-processes.sh \
+    && chmod +x /kool/30-tune-worker-processes.sh
+
+COPY supervisor.conf /kool/supervisor.conf
+COPY default.tmpl /kool/default.tmpl
+COPY entrypoint /kool/entrypoint
+COPY --from=cert /kool/ssl /kool/ssl
+RUN chmod +x /kool/entrypoint
+
+EXPOSE 80
+
+CMD [ "supervisord", "-c", "/kool/supervisor.conf" ]