diff --git a/.examples/full/docker-compose.yml b/.examples/full/docker-compose.yml index b8a1cfb..f47b37b 100644 --- a/.examples/full/docker-compose.yml +++ b/.examples/full/docker-compose.yml @@ -11,7 +11,7 @@ version: "3.9" services: - app: + app: &app build: ./app image: monica-app env_file: .env @@ -36,7 +36,7 @@ services: - MYSQL_USER=monica - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password volumes: - - mysql:/var/lib/mysql + - mysqldata:/var/lib/mysql restart: always secrets: - mysql_password @@ -46,47 +46,19 @@ services: restart: always cron: - build: ./app - image: monica-app + <<: *app command: cron.sh - env_file: .env - environment: - - APP_KEY_FILE=/run/secrets/app_key - - DB_PASSWORD_FILE=/run/secrets/mysql_password - restart: always - volumes: - - data:/var/www/html/storage - depends_on: - - db - - redis - secrets: - - app_key - - mysql_password queue: - build: ./app - image: monica-app + <<: *app command: queue.sh - env_file: .env - environment: - - APP_KEY_FILE=/run/secrets/app_key - - DB_PASSWORD_FILE=/run/secrets/mysql_password - restart: always - volumes: - - data:/var/www/html/storage - depends_on: - - db - - redis - secrets: - - app_key - - mysql_password web: build: ./web image: monica-web restart: always ports: - - 8081:80 + - 80:80 volumes: - data:/var/www/html/storage:ro depends_on: @@ -95,7 +67,9 @@ services: volumes: data: - mysql: + driver: local + mysqldata: + driver: local secrets: diff --git a/.examples/full_v5/.env b/.examples/full_v5/.env new file mode 100644 index 0000000..4de6e5f --- /dev/null +++ b/.examples/full_v5/.env 
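Review bot: Renaming the named volume from `mysql` to `mysqldata` in the `db` service's `volumes:` list makes an existing deployment of this example come up with a fresh, empty database volume while the old data stays behind in the now-orphaned `mysql` volume, and nothing in the hunk or in the readme change below warns about it. The same rename is made in maxsize, nginx-proxy, raspberrypi, simple/apache and supervisor/apache (`mysql` → `mysqldata`) and in nginx-proxy-self-signed-ssl (`db` → `mysqldata`). Either keep the old key or put a comment on the new entry, e.g. `mysqldata:  # renamed from "mysql"; existing installs must move their data or keep the old key`, and mention the migration step in .examples/readme.md.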
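Review bot: The `web` service's published port changes from `8081:80` to `80:80` inside a hunk that is otherwise about de-duplicating `cron` and `queue` through the `&app` anchor, and nothing in the hunk explains it. Binding the host's port 80 is a different exposure from 8081 and will fail outright on a host that already serves 80, so users of this example who pinned 8081 get a behaviour change with no hint. If it is intentional, say so on the line, e.g. `- 80:80  # changed from 8081: the example now takes the host's port 80`, or keep 8081 here and leave port 80 to the proxy examples.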
@@ -0,0 +1,32 @@
+# The URL of your application.
+APP_URL=http://localhost
+
+# Database information
+DB_CONNECTION=mysql
+DB_HOST=db
+DB_DATABASE=monica
+DB_USERNAME=monica
+
+LOG_STACK=stderr
+
+CACHE_STORE=memcached
+QUEUE_CONNECTION=redis
+SESSION_DRIVER=database
+REDIS_HOST=redis
+
+# Mail credentials used to send emails from the application.
+MAIL_MAILER=smtp
+MAIL_HOST=smtp.domain.com
+MAIL_PORT=587
+MAIL_USERNAME=username
+MAIL_PASSWORD=password
+MAIL_ENCRYPTION=tls
+# Outgoing emails will be sent with these identity
+MAIL_FROM_ADDRESS=hello@example.com
+MAIL_FROM_NAME="${APP_NAME}"
+MAIL_REPLY_TO_ADDRESS=hello@example.com
+MAIL_REPLY_TO_NAME="${APP_NAME}"
+
+SCOUT_DRIVER=meilisearch
+SCOUT_QUEUE=true
+MEILISEARCH_HOST=http://meilisearch:7700
diff --git a/.examples/full_v5/app/Dockerfile b/.examples/full_v5/app/Dockerfile
new file mode 100644
index 0000000..313bd7e
--- /dev/null
+++ b/.examples/full_v5/app/Dockerfile
@@ -0,0 +1,6 @@
+FROM monica:5.0-fpm-alpine
+
+# Use the default production configuration
+RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
+
+ENV PHP_UPLOAD_LIMIT="10G"
diff --git a/.examples/full_v5/docker-compose.yml b/.examples/full_v5/docker-compose.yml
new file mode 100644
index 0000000..97f3b0b
--- /dev/null
+++ b/.examples/full_v5/docker-compose.yml
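Review bot: `MAIL_FROM_NAME="${APP_NAME}"` and `MAIL_REPLY_TO_NAME="${APP_NAME}"` reference `APP_NAME`, which this file never defines and the companion docker-compose.yml does not set either; whether the reference resolves to anything depends on the image's own environment, which this diff does not show, so define it here explicitly (`APP_NAME=Monica`) or use the literal name. The mail block also ships credential-shaped placeholders (`MAIL_USERNAME=username`, `MAIL_PASSWORD=password`) in a file named `.env` that `env_file: .env` loads verbatim; a comment next to them such as `# Replace with your SMTP credentials and keep the real file out of version control` tells readers what is expected. The app key and DB password in this example travel as Docker secrets while the SMTP password stays in plain environment, which is worth a one-line acknowledgement in the header comment.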
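Review bot: `ENV PHP_UPLOAD_LIMIT="10G"` sets a 10 GB upload ceiling with no comment, and the same figure is repeated as `client_max_body_size 10G` in web/nginx.conf, so the two values can drift apart silently when one of them is edited. A comment on the ENV line, `# Keep in sync with client_max_body_size in ../web/nginx.conf`, documents the coupling; since a limit this high lets a single authenticated request hold that much disk and bandwidth, stating in the example header that 10G is a deliberate choice (rather than a default) would also help readers size it down.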
@@ -0,0 +1,110 @@
+# Run Monica with fpm flavor, mariadb, cron, queue, redis, and nginx
+#
+# You first need to generate the secrets for the encryption key and db password:
+# `{ echo -n 'base64:'; openssl rand -base64 32; } | docker secret create app_key -`
+# `openssl rand -hex 24 | docker secret create mysql_password -`
+#
+# You might want to set these variables in you .env file:
+#- APP_URL with your domain (https scheme)
+#
+
+services:
+ app: &app
+ build: ./app
+ image: monica-app
+ env_file: .env
+ environment:
+ - APP_KEY_FILE=/run/secrets/app_key
+ - DB_PASSWORD_FILE=/run/secrets/mysql_password
+ - MEILISEARCH_KEY=ChangeMe_ChangeMe
+ volumes:
+ - data:/var/www/html/storage
+ networks:
+ - monica
+ restart: always
+ depends_on:
+ - db
+ - redis
+ - memcached
+ - meilisearch
+ secrets:
+ - app_key
+ - mysql_password
+
+ db:
+ image: mariadb:11
+ environment:
+ - MYSQL_RANDOM_ROOT_PASSWORD=true
+ - MYSQL_DATABASE=monica
+ - MYSQL_USER=monica
+ - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
+ volumes:
+ - mysqldata:/var/lib/mysql
+ networks:
+ - monica
+ restart: always
+ secrets:
+ - mysql_password
+
+ redis:
+ image: redis:alpine
+ restart: always
+ networks:
+ - monica
+
+ cron:
+ <<: *app
+ command: cron.sh
+
+ queue:
+ <<: *app
+ command: queue.sh
+
+ memcached:
+ image: memcached:alpine
+ networks:
+ - monica
+
+ meilisearch:
+ image: getmeili/meilisearch:latest
+ environment:
+ - MEILI_MASTER_KEY=ChangeMe_ChangeMe
+ - MEILISEARCH_NO_ANALYTICS=true
+ volumes:
+ - meili_data:/meili_data
+ networks:
+ - monica
+
+ web:
+ build: ./web
+ image: monica-web
+ restart: always
+ ports:
+ - 80:80
+ volumes:
+ - data:/var/www/html/storage:ro
+ networks:
+ - monica
+ depends_on:
+ - app
+
+
+networks:
+ monica:
+ driver: overlay
+
+
+volumes:
+ data:
+ driver: local
+ mysqldata:
+ driver: local
+ meili_data:
+ driver: local
+
+
+secrets:
+ app_key:
+ external: true
+ mysql_password:
+ external: true
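Review bot: `image: getmeili/meilisearch:latest` floats entirely, while the application side pins `monica:5.0-fpm-alpine` and the database `mariadb:11`; for a service whose state lives in the persistent `meili_data` volume, a routine pull may move to a release that no longer reads the existing index, so pin at least a major tag. The Meilisearch master key is also hard-coded in plain text twice (`MEILISEARCH_KEY=ChangeMe_ChangeMe` under `app`, `MEILI_MASTER_KEY=ChangeMe_ChangeMe` under `meilisearch`) even though the app key and DB password in the same file go through Docker secrets; at minimum add it to the header's list of things to set (`#- MEILI_MASTER_KEY: must be changed, same value in both places`) or source both entries from one `.env` variable via `${MEILI_MASTER_KEY}` so they cannot diverge. `memcached` and `meilisearch` are also the only services without `restart: always`, which looks like an omission rather than a choice.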
diff --git a/.examples/full_v5/web/Dockerfile b/.examples/full_v5/web/Dockerfile
new file mode 100644
index 0000000..27847a5
--- /dev/null
+++ b/.examples/full_v5/web/Dockerfile
@@ -0,0 +1,9 @@
+FROM monica:5.0-fpm-alpine AS monica
+
+FROM nginx:alpine
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Copy content of monica image
+COPY --from=monica /var/www/html /var/www/html
+RUN ln -sf /var/www/html/storage/app/public /var/www/html/public/storage
diff --git a/.examples/full_v5/web/nginx.conf b/.examples/full_v5/web/nginx.conf
new file mode 100644
index 0000000..985ca53
--- /dev/null
+++ b/.examples/full_v5/web/nginx.conf
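Review bot: `COPY --from=monica /var/www/html /var/www/html` copies the whole application tree into the nginx image, although the nginx.conf shipped next to it serves only from `root /var/www/html/public` and hands every `.php` request to the `app:9000` upstream; as far as that config shows, the web side needs only `public/` plus the `storage` symlink created on the next line, which points into the volume mounted at runtime. Narrowing it to `COPY --from=monica /var/www/html/public /var/www/html/public` keeps PHP sources, vendor code and configuration out of the directly exposed container — confirm first that nothing else under /var/www/html is read by nginx. `FROM nginx:alpine` also floats on the major version while the app stage pins `monica:5.0-fpm-alpine`.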
@@ -0,0 +1,161 @@
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.16.0.0/12;
+ set_real_ip_from 192.168.0.0/16;
+ real_ip_header X-Real-IP;
+
+ # Connect to app service
+ upstream php-handler {
+ server app:9000;
+ }
+
+ server {
+ listen 80;
+
+ server_name monica;
+
+ ## HSTS ##
+ # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
+ # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
+ # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
+ # removed from this list could take several months.
+ #
+ #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
+
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ root /var/www/html/public;
+
+ index index.html index.htm index.php;
+
+ charset utf-8;
+
+ location / {
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ location ~ ^/(?:robots.txt|security.txt) {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ error_page 404 500 502 503 504 /index.php;
+
+ location ~ /\.well-known/(?:carddav|caldav) {
+ return 301 $scheme://$host/dav;
+ }
+ location = /.well-known/security.txt {
+ return 301 $scheme://$host/security.txt;
+ }
+ location ~ /\.(?!well-known).* {
+ deny all;
+ }
+
+ # set max upload size
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Uncomment if your server is build with the ngx_pagespeed module
+ # This module is currently not supported.
+ #pagespeed off;
+
+ location ~ \.php(/|$) {
+ # regex to split $uri to $fastcgi_script_name and $fastcgi_path
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+ # Check that the PHP script exists before passing it
+ try_files $fastcgi_script_name =404;
+
+ fastcgi_pass php-handler;
+ fastcgi_index index.php;
+
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # Bypass the fact that try_files resets $fastcgi_path_info
+ # see: http://trac.nginx.org/nginx/ticket/321
+ set $path_info $fastcgi_path_info;
+ fastcgi_param PATH_INFO $path_info;
+ }
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the PHP block
+ location ~ \.(?:css|js|woff2?|svg|gif|json)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+
+ ## HSTS ##
+ # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
+ # Note it is intended to have those duplicated to the ones above.
+ # WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
+ # This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
+ # removed from this list could take several months.
+ # + #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$request_uri; + + # Optional: Don't log access to assets + access_log off; + } + + # deny access to .htaccess files + location ~ /\.ht { + deny all; + } + } +} diff --git a/.examples/maxsize/docker-compose.yml b/.examples/maxsize/docker-compose.yml index a584246..0ce98ce 100644 --- a/.examples/maxsize/docker-compose.yml +++ b/.examples/maxsize/docker-compose.yml @@ -48,9 +48,12 @@ services: - MYSQL_USER=monica - MYSQL_PASSWORD=secret volumes: - - mysql:/var/lib/mysql + - mysqldata:/var/lib/mysql restart: always + volumes: data: - mysql: + driver: local + mysqldata: + driver: local diff --git a/.examples/nginx-proxy-self-signed-ssl/docker-compose.yml b/.examples/nginx-proxy-self-signed-ssl/docker-compose.yml index 41eb3f0..1d7363e 100644 --- a/.examples/nginx-proxy-self-signed-ssl/docker-compose.yml +++ b/.examples/nginx-proxy-self-signed-ssl/docker-compose.yml @@ -25,7 +25,7 @@ version: "3.9" services: - app: + app: &app build: ./app image: monica-app env_file: .env @@ -44,7 +44,7 @@ services: - MYSQL_USER=monica - MYSQL_PASSWORD=secret volumes: - - db:/var/lib/mysql + - mysqldata:/var/lib/mysql restart: always redis: 
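Review bot: `set_real_ip_from` trusts all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 together with `real_ip_header X-Real-IP`, yet the `web` service in the full_v5 compose file publishes this server straight onto the host's port 80 with no reverse proxy in front; any client arriving from a private-range address can then send an arbitrary `X-Real-IP` and have it recorded as `$remote_addr` in the access log and, via `include fastcgi_params`, presented to the application as the client address. Restrict the trusted ranges to the address of the actual proxy, or drop the three `set_real_ip_from` lines and `real_ip_header` when none is deployed, and record the assumption next to them: `# Trust X-Real-IP only from the reverse proxy placed in front of this container`. The `X-XSS-Protection` header added twice below is a legacy header that modern browsers ignore; harmless, but not a substitute for a Content-Security-Policy, which this config does not set.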
@@ -52,28 +52,12 @@ services: restart: always cron: - build: ./app - image: monica-app + <<: *app command: cron.sh - env_file: .env - restart: always - volumes: - - data:/var/www/html/storage - depends_on: - - db - - redis queue: - build: ./app - image: monica-app + <<: *app command: queue.sh - env_file: .env - restart: always - volumes: - - data:/var/www/html/storage - depends_on: - - db - - redis web: build: ./web @@ -117,10 +101,16 @@ services: networks: - proxy-tier -volumes: - data: - db: - certs: networks: proxy-tier: + driver: bridge + + +volumes: + data: + driver: local + mysqldata: + driver: local + certs: + driver: local diff --git a/.examples/nginx-proxy/docker-compose.yml b/.examples/nginx-proxy/docker-compose.yml index 068904b..4b4dfb7 100644 --- a/.examples/nginx-proxy/docker-compose.yml +++ b/.examples/nginx-proxy/docker-compose.yml @@ -21,7 +21,7 @@ version: "3.9" services: - app: + app: &app build: ./app image: monica-app env_file: .env @@ -40,7 +40,7 @@ services: - MYSQL_USER=monica - MYSQL_PASSWORD=secret volumes: - - mysql:/var/lib/mysql + - mysqldata:/var/lib/mysql restart: always redis: @@ -48,28 +48,12 @@ services: restart: always cron: - build: ./app - image: monica-app + <<: *app command: cron.sh - env_file: .env - restart: always - volumes: - - data:/var/www/html/storage - depends_on: - - db - - redis queue: - build: ./app - image: monica-app + <<: *app command: queue.sh - env_file: .env - restart: always - volumes: - - data:/var/www/html/storage - depends_on: - - db - - redis web: build: ./web @@ -116,12 +100,20 @@ services: depends_on: - proxy + +networks: + proxy-tier: + driver: bridge + + volumes: data: - mysql: + driver: local + mysqldata: + driver: local certs: + driver: local vhost.d: + driver: local html: - -networks: - proxy-tier: + driver: local diff --git a/.examples/raspberrypi/docker-compose.yml b/.examples/raspberrypi/docker-compose.yml index e736d2b..fcc177f 100644 --- a/.examples/raspberrypi/docker-compose.yml 
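Review bot: Replacing the explicit `cron` and `queue` blocks with `<<: *app` merges every key of the `app` service, not only the six the removed blocks had (`build`, `image`, `env_file`, `restart`, `volumes`, `depends_on`); the `app` definition itself lies outside this hunk, so anything else it carries — `environment`, `networks`, labels — is now inherited by the cron and queue containers as well. In this proxy example and in nginx-proxy further down the same line that deserves a check, because a proxy-facing `environment` entry or `networks` membership on `app` would make the proxy consider cron/queue containers as backends too. Either confirm `app` holds nothing beyond those shared keys, or mark the anchor so later edits keep it that way: `app: &app  # merged into cron/queue below; keep proxy-only settings off this service`.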
+++ b/.examples/raspberrypi/docker-compose.yml @@ -30,11 +30,12 @@ services: MYSQL_USER: homestead MYSQL_PASSWORD: secret volumes: - - mysql:/var/lib/mysql + - mysqldata:/var/lib/mysql restart: always + volumes: data: - name: data - mysql: - name: mysql + driver: local + mysqldata: + driver: local diff --git a/.examples/readme.md b/.examples/readme.md index 1cd9b2c..007facf 100644 --- a/.examples/readme.md +++ b/.examples/readme.md @@ -6,6 +6,7 @@ In this section you will find some examples about how to use monica's docker ima |---------|-------------| | [`simple`](simple) | simple example that run a container. | [`full`](full) | example that run `fpm-alpine` with nginx, redis, separate cron and queue containers, and uses secrets. +| [`full_v5`](full_v5) | example for v5 of monica (a.k.a chandler) that run `fpm-alpine` with nginx, redis, separate cron and queue containers, and uses secrets. | [`supervisor`](supervisor) | uses supervisor to run a cron and a queue inside your container. | [`nginx-proxy-self-signed-ssl`](nginx-proxy-self-signed-ssl) | shows you how to run monica with a self signed ssl certificate. | [`nginx-proxy`](nginx-proxy) | shows you how to run monica with https and generate a [Let's Encrypt](https://letsencrypt.org/) certificate. diff --git a/.examples/simple/apache/docker-compose.yml b/.examples/simple/apache/docker-compose.yml index d17ce11..b46b145 100644 --- a/.examples/simple/apache/docker-compose.yml +++ b/.examples/simple/apache/docker-compose.yml @@ -31,11 +31,12 @@ services: - MYSQL_USER=monica - MYSQL_PASSWORD=secret volumes: - - mysql:/var/lib/mysql + - mysqldata:/var/lib/mysql restart: always + volumes: data: - name: data - mysql: - name: mysql + driver: local + mysqldata: + driver: local diff --git a/.examples/simple/fpm/docker-compose.yml b/.examples/simple/fpm/docker-compose.yml index 5938a94..9b5f47c 100644 --- a/.examples/simple/fpm/docker-compose.yml +++ b/.examples/simple/fpm/docker-compose.yml 
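Review bot: Dropping `name: data` and `name: mysql` from the top-level `volumes:` changes which volumes Compose attaches: with an explicit `name:` the volume was literally `data`/`mysql`, whereas without it Compose by default derives the name from the project (e.g. `<project>_data`), so an existing raspberrypi installation will start against an empty storage volume as well as an empty database volume, with its old ones left behind. simple/apache further down this line makes the identical change, and simple/fpm on the next line keeps the `mysql` key but still loses `name: mysql`, so its database volume detaches too. Keep the `name:` entries — they coexist with the new `driver: local` — or spell out the migration in the example's readme.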
@@ -42,8 +42,9 @@ services: - mysql:/var/lib/mysql restart: always + volumes: data: - name: data + driver: local mysql: - name: mysql + driver: local diff --git a/.examples/supervisor/apache/docker-compose.yml b/.examples/supervisor/apache/docker-compose.yml index fad0c2d..a7d2c63 100644 --- a/.examples/supervisor/apache/docker-compose.yml +++ b/.examples/supervisor/apache/docker-compose.yml @@ -36,9 +36,12 @@ services: - MYSQL_USER=monica - MYSQL_PASSWORD=secret volumes: - - mysql:/var/lib/mysql + - mysqldata:/var/lib/mysql restart: always + volumes: data: - mysql: + driver: local + mysqldata: + driver: local diff --git a/.examples/supervisor/fpm-alpine/docker-compose.yml b/.examples/supervisor/fpm-alpine/docker-compose.yml index b484860..f0ae9bb 100644 --- a/.examples/supervisor/fpm-alpine/docker-compose.yml +++ b/.examples/supervisor/fpm-alpine/docker-compose.yml @@ -43,9 +43,12 @@ services: - MYSQL_USER=monica - MYSQL_PASSWORD=secret volumes: - - mysql:/var/lib/mysql + - mysqldata:/var/lib/mysql restart: always + volumes: data: + driver: local mysql: + driver: local diff --git a/.examples/supervisor/fpm/docker-compose.yml b/.examples/supervisor/fpm/docker-compose.yml index da49094..7b92fc1 100644 --- a/.examples/supervisor/fpm/docker-compose.yml +++ b/.examples/supervisor/fpm/docker-compose.yml @@ -45,9 +45,12 @@ services: - MYSQL_USER=monica - MYSQL_PASSWORD=secret volumes: - - mysql:/var/lib/mysql + - mysqldata:/var/lib/mysql restart: always + volumes: data: + driver: local mysql: + driver: local diff --git a/.templates/scripts/5/env.production b/.templates/scripts/5/env.production index 8a19cdf..a447751 100644 --- a/.templates/scripts/5/env.production +++ b/.templates/scripts/5/env.production @@ -9,7 +9,7 @@ DB_CONNECTION=sqlite # DB_DATABASE=/var/www/html/storage/database.sqlite # Drivers -CACHE_DRIVER=database +CACHE_STORE=database QUEUE_CONNECTION=sync SESSION_DRIVER=database 
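Review bot: `CACHE_DRIVER` is replaced by `CACHE_STORE` in the template with no trace of the old name, so a deployment that still overrides `CACHE_DRIVER` through its own environment will silently stop affecting the cache configuration instead of failing loudly. A comment in the template, `# renamed from CACHE_DRIVER`, would surface this in the three generated `5/*/env.production` copies that follow; whether any entrypoint script in this repository still reads `CACHE_DRIVER` is not visible in this diff and should be checked alongside.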
diff --git a/5/apache/env.production b/5/apache/env.production index 8a19cdf..a447751 100644 --- a/5/apache/env.production +++ b/5/apache/env.production @@ -9,7 +9,7 @@ DB_CONNECTION=sqlite # DB_DATABASE=/var/www/html/storage/database.sqlite # Drivers -CACHE_DRIVER=database +CACHE_STORE=database QUEUE_CONNECTION=sync SESSION_DRIVER=database diff --git a/5/fpm-alpine/env.production b/5/fpm-alpine/env.production index 8a19cdf..a447751 100644 --- a/5/fpm-alpine/env.production +++ b/5/fpm-alpine/env.production @@ -9,7 +9,7 @@ DB_CONNECTION=sqlite # DB_DATABASE=/var/www/html/storage/database.sqlite # Drivers -CACHE_DRIVER=database +CACHE_STORE=database QUEUE_CONNECTION=sync SESSION_DRIVER=database diff --git a/5/fpm/env.production b/5/fpm/env.production index 8a19cdf..a447751 100644 --- a/5/fpm/env.production +++ b/5/fpm/env.production @@ -9,7 +9,7 @@ DB_CONNECTION=sqlite # DB_DATABASE=/var/www/html/storage/database.sqlite # Drivers -CACHE_DRIVER=database +CACHE_STORE=database QUEUE_CONNECTION=sync SESSION_DRIVER=database