diff options
| author | Andrew Dolgov <[email protected]> | 2023-03-25 22:41:47 +0300 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2023-03-25 22:41:47 +0300 |
| commit | 723323d7462954a262368d621811a045710cd1ed (patch) | |
| tree | d1c4031e09d11d8af9e39def52ad743c35084a45 | |
| parent | d305532bcef91061c39db13872d44c4f859054b7 (diff) | |
add gitea-CI docker builder
| -rw-r--r-- | .docker/app/Dockerfile | 79 | ||||
| -rw-r--r-- | .docker/app/backup.sh | 31 | ||||
| -rw-r--r-- | .docker/app/config.docker.php | 8 | ||||
| -rw-r--r-- | .docker/app/dcron.sh | 5 | ||||
| -rw-r--r-- | .docker/app/index.php | 3 | ||||
| -rw-r--r-- | .docker/app/startup.sh | 153 | ||||
| -rw-r--r-- | .docker/app/updater.sh | 33 | ||||
| -rw-r--r-- | .docker/web-nginx/Dockerfile | 15 | ||||
| -rw-r--r-- | .docker/web-nginx/nginx.conf | 61 | ||||
| -rw-r--r-- | .gitea/workflows/build.yml | 124 |
10 files changed, 512 insertions, 0 deletions
diff --git a/.docker/app/Dockerfile b/.docker/app/Dockerfile new file mode 100644 index 000000000..1ccc5f764 --- /dev/null +++ b/.docker/app/Dockerfile @@ -0,0 +1,79 @@ +FROM registry.fakecake.org/alpine:3.17 +EXPOSE 9000/tcp + +ENV SCRIPT_ROOT=/opt/tt-rss +ENV SRC_DIR=/src/tt-rss/ + +COPY --from=app-src . ${SRC_DIR} + +RUN apk add --no-cache dcron php81 php81-fpm php81-phar \ + php81-pdo php81-gd php81-pgsql php81-pdo_pgsql php81-xmlwriter \ + php81-mbstring php81-intl php81-xml php81-curl php81-simplexml \ + php81-session php81-tokenizer php81-dom php81-fileinfo php81-ctype \ + php81-json php81-iconv php81-pcntl php81-posix php81-zip php81-exif \ + php81-openssl git postgresql-client sudo php81-pecl-xdebug rsync tzdata && \ + sed -i 's/\(memory_limit =\) 128M/\1 256M/' /etc/php81/php.ini && \ + sed -i -e 's/^listen = 127.0.0.1:9000/listen = 9000/' \ + -e 's/;\(clear_env\) = .*/\1 = no/i' \ + -e 's/^\(user\|group\) = .*/\1 = app/i' \ + -e 's/;\(php_admin_value\[error_log\]\) = .*/\1 = \/tmp\/error.log/' \ + -e 's/;\(php_admin_flag\[log_errors\]\) = .*/\1 = on/' \ + /etc/php81/php-fpm.d/www.conf && \ + mkdir -p /var/www ${SCRIPT_ROOT}/config.d + +ADD --chmod=0755 startup.sh ${SCRIPT_ROOT} +ADD --chmod=0755 updater.sh ${SCRIPT_ROOT} +ADD --chmod=0755 dcron.sh ${SCRIPT_ROOT} +ADD --chmod=0755 backup.sh /etc/periodic/weekly/backup + +ADD index.php ${SCRIPT_ROOT} +ADD config.docker.php ${SCRIPT_ROOT} + +ARG ORIGIN_REPO_MAIN=https://git.tt-rss.org/fox/tt-rss.git +ARG ORIGIN_REPO_XACCEL=https://git.tt-rss.org/fox/ttrss-nginx-xaccel.git +ARG ORIGIN_COMMIT= + +ENV ORIGIN_REPO_MAIN=${ORIGIN_REPO_MAIN} +ENV ORIGIN_REPO_XACCEL=${ORIGIN_REPO_XACCEL} +ENV ORIGIN_COMMIT=${ORIGIN_COMMIT} + +ENV OWNER_UID=1000 +ENV OWNER_GID=1000 + +ENV PHP_WORKER_MAX_CHILDREN=5 +ENV PHP_WORKER_MEMORY_LIMIT=256M + +# these are applied on every startup, if set +ENV ADMIN_USER_PASS="" +# see classes/UserHelper.php ACCESS_LEVEL_* +# setting this to -2 would effectively disable built-in admin user +# unless single user mode is enabled +ENV ADMIN_USER_ACCESS_LEVEL="" + +# these are applied unless user already exists +ENV AUTO_CREATE_USER="" +ENV AUTO_CREATE_USER_PASS="" +ENV AUTO_CREATE_USER_ACCESS_LEVEL="0" + +# TODO: remove prefix from container variables not used by tt-rss itself: +# +# - TTRSS_NO_STARTUP_PLUGIN_UPDATES -> NO_STARTUP_PLUGIN_UPDATES +# - TTRSS_XDEBUG_... -> XDEBUG_... + +# don't try to update local plugins on startup +ENV TTRSS_NO_STARTUP_PLUGIN_UPDATES="" + +# TTRSS_XDEBUG_HOST defaults to host IP if unset +ENV TTRSS_XDEBUG_ENABLED="" +ENV TTRSS_XDEBUG_HOST="" +ENV TTRSS_XDEBUG_PORT="9000" + +ENV TTRSS_DB_TYPE="pgsql" +ENV TTRSS_DB_HOST="db" +ENV TTRSS_DB_PORT="5432" + +ENV TTRSS_MYSQL_CHARSET="UTF8" +ENV TTRSS_PHP_EXECUTABLE="/usr/bin/php81" +ENV TTRSS_PLUGINS="auth_internal, note, nginx_xaccel" + +CMD ${SCRIPT_ROOT}/startup.sh diff --git a/.docker/app/backup.sh b/.docker/app/backup.sh new file mode 100644 index 000000000..a28c39544 --- /dev/null +++ b/.docker/app/backup.sh @@ -0,0 +1,31 @@ +#!/bin/sh -e + +DST_DIR=/backups +KEEP_DAYS=28 +APP_ROOT=/var/www/html/tt-rss + +if pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER; then + DST_FILE=ttrss-backup-$(date +%Y%m%d).sql.gz + + echo backing up tt-rss database to $DST_DIR/$DST_FILE... + + export PGPASSWORD=$TTRSS_DB_PASS + + pg_dump --clean -h $TTRSS_DB_HOST -U $TTRSS_DB_USER $TTRSS_DB_NAME | gzip > $DST_DIR/$DST_FILE + + DST_FILE=ttrss-backup-$(date +%Y%m%d).tar.gz + + echo backing up tt-rss local directories to $DST_DIR/$DST_FILE... + + tar -cz -f $DST_DIR/$DST_FILE $APP_ROOT/*.local \ + $APP_ROOT/feed-icons/ \ + $APP_ROOT/config.php + + echo cleaning up... + + find $DST_DIR -type f -name '*.gz' -mtime +$KEEP_DAYS -delete + + echo done. +else + echo backup failed: database is not ready. +fi diff --git a/.docker/app/config.docker.php b/.docker/app/config.docker.php new file mode 100644 index 000000000..fbf42e43b --- /dev/null +++ b/.docker/app/config.docker.php @@ -0,0 +1,8 @@ +<?php + + $snippets = glob(getenv("SCRIPT_ROOT")."/config.d/*.php"); + + foreach ($snippets as $snippet) { + require_once $snippet; + } + diff --git a/.docker/app/dcron.sh b/.docker/app/dcron.sh new file mode 100644 index 000000000..b16f15a9c --- /dev/null +++ b/.docker/app/dcron.sh @@ -0,0 +1,5 @@ +#!/bin/sh +# https://github.com/dubiousjim/dcron/issues/13 +set -e + +/usr/sbin/crond "$@" diff --git a/.docker/app/index.php b/.docker/app/index.php new file mode 100644 index 000000000..78e5c3f88 --- /dev/null +++ b/.docker/app/index.php @@ -0,0 +1,3 @@ +<?php + header("Location: /tt-rss/"); + return; diff --git a/.docker/app/startup.sh b/.docker/app/startup.sh new file mode 100644 index 000000000..134428276 --- /dev/null +++ b/.docker/app/startup.sh @@ -0,0 +1,153 @@ +#!/bin/sh -e + +while ! pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER; do + echo waiting until $TTRSS_DB_HOST is ready... + sleep 3 +done + +# We don't need those here (HTTP_HOST would cause false SELF_URL_PATH check failures) +unset HTTP_PORT +unset HTTP_HOST + +if ! id app >/dev/null 2>&1; then + addgroup -g $OWNER_GID app + adduser -D -h /var/www/html -G app -u $OWNER_UID app +fi + +update-ca-certificates || true + +DST_DIR=/var/www/html/tt-rss + +[ -e $DST_DIR ] && rm -f $DST_DIR/.app_is_ready + +export PGPASSWORD=$TTRSS_DB_PASS + +[ ! -e /var/www/html/index.php ] && cp ${SCRIPT_ROOT}/index.php /var/www/html + +if [ ! -d $DST_DIR ]; then + mkdir -p $DST_DIR + chown $OWNER_UID:$OWNER_GID $DST_DIR + + sudo -u app rsync -a \ + $SRC_DIR/ $DST_DIR/ +else + chown -R $OWNER_UID:$OWNER_GID $DST_DIR + + sudo -u app rsync -a --delete \ + --exclude /cache \ + --exclude /lock \ + --exclude /feed-icons \ + --exclude /plugins/af_comics/filters.local \ + --exclude /plugins.local \ + --exclude /templates.local \ + --exclude /themes.local \ + $SRC_DIR/ $DST_DIR/ + + sudo -u app rsync -a --delete \ + $SRC_DIR/plugins.local/nginx_xaccel \ + $DST_DIR/plugins.local/nginx_xaccel +fi + +for d in cache lock feed-icons plugins.local themes.local; do + sudo -u app mkdir -p $DST_DIR/$d +done + +for d in cache lock feed-icons; do + chmod 777 $DST_DIR/$d + find $DST_DIR/$d -type f -exec chmod 666 {} \; +done + +sudo -u app cp ${SCRIPT_ROOT}/config.docker.php $DST_DIR/config.php +chmod 644 $DST_DIR/config.php + +chown -R $OWNER_UID:$OWNER_GID $DST_DIR \ + /var/log/php81 + +if [ -z "$TTRSS_NO_STARTUP_PLUGIN_UPDATES" ]; then + echo updating all local plugins... + + find $DST_DIR/plugins.local -mindepth 1 -maxdepth 1 -type d | while read PLUGIN; do + if [ -d $PLUGIN/.git ]; then + echo updating $PLUGIN... + + cd $PLUGIN && \ + sudo -u app git config core.filemode false && \ + sudo -u app git config pull.rebase false && \ + sudo -u app git pull origin master || echo warning: attempt to update plugin $PLUGIN failed. + fi + done +else + echo skipping local plugin updates, disabled. +fi + +PSQL="psql -q -h $TTRSS_DB_HOST -U $TTRSS_DB_USER $TTRSS_DB_NAME" + +$PSQL -c "create extension if not exists pg_trgm" + +RESTORE_SCHEMA=${SCRIPT_ROOT}/restore-schema.sql.gz + +if [ -r $RESTORE_SCHEMA ]; then + $PSQL -c "drop schema public cascade; create schema public;" + zcat $RESTORE_SCHEMA | $PSQL +fi + +# this was previously generated +rm -f $DST_DIR/config.php.bak + +if [ ! -z "${TTRSS_XDEBUG_ENABLED}" ]; then + if [ -z "${TTRSS_XDEBUG_HOST}" ]; then + export TTRSS_XDEBUG_HOST=$(ip ro sh 0/0 | cut -d " " -f 3) + fi + echo enabling xdebug with the following parameters: + env | grep TTRSS_XDEBUG + cat > /etc/php81/conf.d/50_xdebug.ini <<EOF +zend_extension=xdebug.so +xdebug.mode=develop,trace,debug +xdebug.start_with_request = yes +xdebug.client_port = ${TTRSS_XDEBUG_PORT} +xdebug.client_host = ${TTRSS_XDEBUG_HOST} +EOF +fi + +sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \ + /etc/php81/php.ini + +sed -i.bak "s/^\(pm.max_children\) = \(.*\)/\1 = ${PHP_WORKER_MAX_CHILDREN}/" \ + /etc/php81/php-fpm.d/www.conf + +sudo -Eu app php81 $DST_DIR/update.php --update-schema=force-yes + +if [ ! -z "$ADMIN_USER_PASS" ]; then + sudo -Eu app php81 $DST_DIR/update.php --user-set-password "admin:$ADMIN_USER_PASS" +else + if sudo -Eu app php81 $DST_DIR/update.php --user-check-password "admin:password"; then + RANDOM_PASS=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16 ; echo '') + + echo "*****************************************************************************" + echo "* Setting initial built-in admin user password to '$RANDOM_PASS' *" + echo "* If you want to set it manually, use ADMIN_USER_PASS environment variable. *" + echo "*****************************************************************************" + + sudo -Eu app php81 $DST_DIR/update.php --user-set-password "admin:$RANDOM_PASS" + fi +fi + +if [ ! -z "$ADMIN_USER_ACCESS_LEVEL" ]; then + sudo -Eu app php81 $DST_DIR/update.php --user-set-access-level "admin:$ADMIN_USER_ACCESS_LEVEL" +fi + +if [ ! -z "$AUTO_CREATE_USER" ]; then + sudo -Eu app /bin/sh -c "php81 $DST_DIR/update.php --user-exists $AUTO_CREATE_USER || + php81 $DST_DIR/update.php --force-yes --user-add \"$AUTO_CREATE_USER:$AUTO_CREATE_USER_PASS:$AUTO_CREATE_USER_ACCESS_LEVEL\"" +fi + +rm -f /tmp/error.log && mkfifo /tmp/error.log && chown app:app /tmp/error.log + +(tail -q -f /tmp/error.log >> /proc/1/fd/2) & + +unset ADMIN_USER_PASS +unset AUTO_CREATE_USER_PASS + +touch $DST_DIR/.app_is_ready + +exec /usr/sbin/php-fpm81 --nodaemonize --force-stderr diff --git a/.docker/app/updater.sh b/.docker/app/updater.sh new file mode 100644 index 000000000..219041a59 --- /dev/null +++ b/.docker/app/updater.sh @@ -0,0 +1,33 @@ +#!/bin/sh -e + +# We don't need those here (HTTP_HOST would cause false SELF_URL_PATH check failures) +unset HTTP_PORT +unset HTTP_HOST + +unset ADMIN_USER_PASS +unset AUTO_CREATE_USER_PASS + +# wait for the app container to delete .app_is_ready and perform rsync, etc. +sleep 30 + +if ! id app; then + addgroup -g $OWNER_GID app + adduser -D -h /var/www/html -G app -u $OWNER_UID app +fi + +while ! pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER; do + echo waiting until $TTRSS_DB_HOST is ready... + sleep 3 +done + +sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \ + /etc/php81/php.ini + +DST_DIR=/var/www/html/tt-rss + +while [ ! -s $DST_DIR/config.php -a -e $DST_DIR/.app_is_ready ]; do + echo waiting for app container... + sleep 3 +done + +sudo -E -u app /usr/bin/php81 /var/www/html/tt-rss/update_daemon2.php diff --git a/.docker/web-nginx/Dockerfile b/.docker/web-nginx/Dockerfile new file mode 100644 index 000000000..49b1232b4 --- /dev/null +++ b/.docker/web-nginx/Dockerfile @@ -0,0 +1,15 @@ +FROM registry.fakecake.org/nginx:alpine + +HEALTHCHECK CMD curl --fail http://localhost/tt-rss/index.php || exit 1 + +COPY nginx.conf /etc/nginx/templates/nginx.conf.template + +# By default, nginx will send the php requests to "app" server, but this server +# name can be overridden at runtime by passing an APP_UPSTREAM env var +ENV APP_UPSTREAM=${APP_UPSTREAM:-app} + +# It's necessary to set the following NGINX_ENVSUBST_OUTPUT_DIR env var to tell +# nginx to replace the env vars of /etc/nginx/templates/nginx.conf.template +# and put the result in /etc/nginx/nginx.conf (instead of /etc/nginx/conf.d/nginx.conf) +# See https://github.com/docker-library/docs/tree/master/nginx#using-environment-variables-in-nginx-configuration-new-in-119 +ENV NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx diff --git a/.docker/web-nginx/nginx.conf b/.docker/web-nginx/nginx.conf new file mode 100644 index 000000000..f7d47c453 --- /dev/null +++ b/.docker/web-nginx/nginx.conf @@ -0,0 +1,61 @@ +worker_processes auto; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + access_log /dev/stdout; + error_log /dev/stderr warn; + + sendfile on; + + index index.php; + + upstream app { + server ${APP_UPSTREAM}:9000; + } + + server { + listen 80; + listen [::]:80; + + root /var/www/html; + + location /tt-rss/cache { + aio threads; + internal; + } + + location /tt-rss/backups { + internal; + } + + location ~ \.php$ { + # regex to split $uri to $fastcgi_script_name and $fastcgi_path + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + + # Check that the PHP script exists before passing it + try_files $fastcgi_script_name =404; + + # Bypass the fact that try_files resets $fastcgi_path_info + # see: http://trac.nginx.org/nginx/ticket/321 + set $path_info $fastcgi_path_info; + fastcgi_param PATH_INFO $path_info; + + fastcgi_index index.php; + include fastcgi.conf; + + fastcgi_pass app; + } + + location / { + try_files $uri $uri/ =404; + } + + } +} diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml new file mode 100644 index 000000000..da72774a8 --- /dev/null +++ b/.gitea/workflows/build.yml @@ -0,0 +1,124 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + +name: build + +on: + push: + branches: + - "master" + workflow_dispatch: {} + +defaults: + run: + shell: sh + +jobs: + build: + runs-on: alpine-3.16 + steps: + - uses: https://gitea.com/actions/checkout@v3 + + - name: npm install + run: npm install + + - name: eslint + run: npx eslint js plugins + + - name: phpunit + run: php81 ./vendor/bin/phpunit + + - name: calculate cache key hash + uses: actions/[email protected] + id: cache-hash + with: + patterns: | + classes/*.php + include/*.php + plugins/**/*.php + + - uses: https://github.com/actions/cache/restore@v3 + id: cache-phpstan + with: + path: /tmp/phpstan + key: ${{ runner.os }}-phpstan-${{ steps.cache-hash.outputs.hash }} + + - name: phpstan + run: php81 -d memory_limit=-1 ./vendor/bin/phpstan --memory-limit=2G + + - uses: https://github.com/actions/cache/save@v3 + with: + path: /tmp/phpstan + key: ${{ steps.cache-phpstan.outputs.cache-primary-key }} + + - run: echo REPO_TIMESTAMP=$(git --git-dir '.git' --no-pager log --pretty='%ct' -n1 HEAD) >> $GITHUB_ENV + - run: echo REPO_COMMIT=$(git --git-dir '.git' --no-pager log --pretty='%h' -n1 HEAD) >> $GITHUB_ENV + - run: echo REPO_COMMIT_FULL=$(git --git-dir '.git' --no-pager log --pretty='%H' -n1 HEAD) >> $GITHUB_ENV + - run: echo BUILD_TAG=$(date -d @${REPO_TIMESTAMP} +%y.%m)-${REPO_COMMIT} >> $GITHUB_ENV + + - name: setup buildx + uses: https://github.com/docker/setup-buildx-action@v2 + + - name: login into registry + run: | + BASE64_AUTH=`echo -n "$REGISTRY_USER:$REGISTRY_PASSWORD" | base64` + mkdir -p ~/.docker + echo "{\"auths\": {\"registry-rw.fakecake.org\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json + env: + REGISTRY_USER: ${{ secrets.REGISTRY_USER }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} + if: ${{ !!secrets.REGISTRY_PUSH_ENABLED }} + + - name: build web-nginx image + uses: https://github.com/docker/build-push-action@v4 + with: + push: ${{ !!secrets.REGISTRY_PUSH_ENABLED }} + context: .docker/web-nginx + tags: | + registry-rw.fakecake.org/cthulhoo/ttrss-web-nginx:latest + registry-rw.fakecake.org/cthulhoo/ttrss-web-nginx:${{ env.BUILD_TAG }} + provenance: false + + - name: build app image + uses: https://github.com/docker/build-push-action@v4 + with: + push: ${{ !!secrets.REGISTRY_PUSH_ENABLED }} + context: .docker/app + build-contexts: + app-src=. + tags: | + registry-rw.fakecake.org/cthulhoo/ttrss-fpm-pgsql-static:latest + registry-rw.fakecake.org/cthulhoo/ttrss-fpm-pgsql-static:${{ env.BUILD_TAG }} + provenance: false + + - name: login into docker hub + run: | + BASE64_AUTH=`echo -n "$REGISTRY_USER:$REGISTRY_PASSWORD" | base64` + mkdir -p ~/.docker + echo "{\"auths\": {\"$REGISTRY_HOST\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json + env: + REGISTRY_USER: ${{ secrets.REGISTRY_GITHUB_USER }} + REGISTRY_PASSWORD: ${{ secrets.REGISTRY_GITHUB_ACCESS_TOKEN }} + REGISTRY_HOST: https://index.docker.io/v1/ + if: ${{ !!secrets.REGISTRY_GITHUB_PUSH_ENABLED }} + + - name: build web-nginx image + uses: https://github.com/docker/build-push-action@v4 + with: + push: ${{ !!secrets.REGISTRY_GITHUB_PUSH_ENABLED }} + context: .docker/web-nginx + tags: | + cthulhoo/ttrss-web-nginx:latest + cthulhoo/ttrss-web-nginx:${{ env.BUILD_TAG }} + provenance: false + + - name: build app image + uses: https://github.com/docker/build-push-action@v4 + with: + push: ${{ !!secrets.REGISTRY_GITHUB_PUSH_ENABLED }} + context: .docker/app + build-contexts: + app-src=. + tags: | + cthulhoo/ttrss-fpm-pgsql-static:latest + cthulhoo/ttrss-fpm-pgsql-static:${{ env.BUILD_TAG }} + provenance: false |