From 89adf2251e98fb9442719ec7513eab73cc29eda5 Mon Sep 17 00:00:00 2001 From: Ken Johnson Date: Mon, 2 Nov 2020 13:11:39 -0800 Subject: [PATCH] Initial install --- README.md | 1 + .../etc/nginx/conf.d/wordpress.conf.template | 118 ++++ overlay/usr/local/etc/nginx/nginx.conf | 93 +++ overlay/usr/local/etc/php-fpm.conf | 544 ++++++++++++++++++ .../usr/local/etc/php-fpm.d/wordpress.conf | 12 + post_install.sh | 138 +++++ settings.json | 38 ++ ui.json | 4 + 8 files changed, 948 insertions(+) create mode 100644 overlay/usr/local/etc/nginx/conf.d/wordpress.conf.template create mode 100644 overlay/usr/local/etc/nginx/nginx.conf create mode 100644 overlay/usr/local/etc/php-fpm.conf create mode 100644 overlay/usr/local/etc/php-fpm.d/wordpress.conf create mode 100755 post_install.sh create mode 100644 settings.json create mode 100644 ui.json diff --git a/README.md b/README.md index 2a5f1a4..200ab41 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,3 @@ # iocage-plugin-wordpress +Artifact file(s) for Wordpress iocage plugin diff --git a/overlay/usr/local/etc/nginx/conf.d/wordpress.conf.template b/overlay/usr/local/etc/nginx/conf.d/wordpress.conf.template new file mode 100644 index 0000000..4bece8b --- /dev/null +++ b/overlay/usr/local/etc/nginx/conf.d/wordpress.conf.template @@ -0,0 +1,118 @@ +upstream php-handler { + server unix:/var/run/wordpress-php-fpm.sock; +} + +server { + listen 80; + server_name _; + + # HSTS settings + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Pagespeed is supported by Wordpress, so if your server is built + # with the `ngx_pagespeed` module, uncomment this line to enable it. + pagespeed on; + pagespeed RedisServer "localhost:6379"; + pagespeed LRUCacheKbPerProcess 8192; + pagespeed LRUCacheByteLimit 16384; + pagespeed CreateSharedMemoryMetadataCache "/var/cache/pagespeed/" 51200; + location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; } + location ~ "^/ngx_pagespeed_static/" { } + location ~ "^/ngx_pagespeed_beacon$" { } + + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /usr/local/www/wordpress/; + + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. + index index.php index.html /index.php$request_uri; + + # Default Cache-Control policy + expires 1m; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. + location ~ \.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + # fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass php-handler; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } +} diff --git a/overlay/usr/local/etc/nginx/nginx.conf b/overlay/usr/local/etc/nginx/nginx.conf new file mode 100644 index 0000000..938d3a2 --- /dev/null +++ b/overlay/usr/local/etc/nginx/nginx.conf @@ -0,0 +1,93 @@ +load_module /usr/local/libexec/nginx/ngx_mail_module.so; +load_module /usr/local/libexec/nginx/ngx_stream_module.so; + +user www; +worker_processes auto; + +pid /var/run/nginx.pid; + +events { + use kqueue; + worker_connections 1024; + multi_accept on; +} +http { + + # Basic settings + # ---------- + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + reset_timedout_connection on; + keepalive_timeout 65; + keepalive_requests 1000; + types_hash_max_size 2048; + server_tokens off; + send_timeout 30; + server_names_hash_max_size 4096; + + # Common limits + # ---------- + + client_max_body_size 100m; # upload size + client_body_buffer_size 1m; + client_header_timeout 3m; + client_body_timeout 3m; + + client_body_temp_path /var/tmp/nginx/client_body_temp; + + proxy_connect_timeout 5; + proxy_send_timeout 10; + proxy_read_timeout 10; + + proxy_buffer_size 4k; + proxy_buffers 8 16k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 64k; + + proxy_temp_path /var/tmp/nginx/proxy_temp; + + include mime.types; + default_type application/octet-stream; + + # Logs format + # ---------- + + log_format main '$remote_addr - $host [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"' + 'rt=$request_time ut=$upstream_response_time ' + 'cs=$upstream_cache_status'; + + log_format cache '$remote_addr - $host [$time_local] "$request" $status ' + '$body_bytes_sent "$http_referer" ' + 'rt=$request_time ut=$upstream_response_time ' + 'cs=$upstream_cache_status'; + + access_log /var/log/nginx/access.log main; + error_log /var/log/nginx/error.log warn; + + # GZip config + # ---------- + + gzip on; + gzip_static on; + gzip_types text/plain text/css text/javascript text/xml application/x-javascript application/javascript application/xml application/json image/x-icon; + gzip_comp_level 9; + gzip_buffers 16 8k; + gzip_proxied expired no-cache no-store private auth; + gzip_min_length 1000; + gzip_disable "msie6" + gzip_vary on; + + # Cache config + # ---------- + + proxy_cache_valid 1m; + + # Virtual host config + # ---------- + + include /usr/local/etc/nginx/conf.d/*.conf; +} diff --git a/overlay/usr/local/etc/php-fpm.conf b/overlay/usr/local/etc/php-fpm.conf new file mode 100644 index 0000000..6f0a7b6 --- /dev/null +++ b/overlay/usr/local/etc/php-fpm.conf @@ -0,0 +1,544 @@ +;;;;;;;;;;;;;;;;;;;;; +; FPM Configuration ; +;;;;;;;;;;;;;;;;;;;;; + +; All relative paths in this configuration file are relative to PHP's install +; prefix (/usr/local). This prefix can be dynamically changed by using the +; '-p' argument from the command line. + +; Include one or more files. If glob(3) exists, it is used to include a bunch of +; files from a glob(3) pattern. This directive can be used everywhere in the +; file. +; Relative path can also be used. They will be prefixed by: +; - the global prefix if it's been set (-p argument) +; - /usr/local otherwise +include=/usr/local/etc/php-fpm.d/*.conf + +;;;;;;;;;;;;;;;;;; +; Global Options ; +;;;;;;;;;;;;;;;;;; + +[global] +; Pid file +; Note: the default prefix is /var +; Default Value: none +pid = run/php-fpm.pid + +; Error log file +; If it's set to "syslog", log is sent to syslogd instead of being written +; in a local file. +; Note: the default prefix is /var +; Default Value: log/php-fpm.log +;error_log = log/php-fpm.log + +; syslog_facility is used to specify what type of program is logging the +; message. This lets syslogd specify that messages from different facilities +; will be handled differently. +; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) +; Default Value: daemon +;syslog.facility = daemon + +; syslog_ident is prepended to every message. If you have multiple FPM +; instances running on the same server, you can change the default value +; which must suit common needs. +; Default Value: php-fpm +;syslog.ident = php-fpm + +; Log level +; Possible Values: alert, error, warning, notice, debug +; Default Value: notice +;log_level = notice + +; If this number of child processes exit with SIGSEGV or SIGBUS within the time +; interval set by emergency_restart_interval then FPM will restart. A value +; of '0' means 'Off'. +; Default Value: 0 +;emergency_restart_threshold = 0 + +; Interval of time used by emergency_restart_interval to determine when +; a graceful restart will be initiated. This can be useful to work around +; accidental corruptions in an accelerator's shared memory. +; Available Units: s(econds), m(inutes), h(ours), or d(ays) +; Default Unit: seconds +; Default Value: 0 +;emergency_restart_interval = 0 + +; Time limit for child processes to wait for a reaction on signals from master. +; Available units: s(econds), m(inutes), h(ours), or d(ays) +; Default Unit: seconds +; Default Value: 0 +;process_control_timeout = 0 + +; The maximum number of processes FPM will fork. This has been design to control +; the global number of processes when using dynamic PM within a lot of pools. +; Use it with caution. +; Note: A value of 0 indicates no limit +; Default Value: 0 +; process.max = 128 + +; Specify the nice(2) priority to apply to the master process (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool process will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. +; Default Value: yes +;daemonize = yes + +; Set open file descriptor rlimit for the master process. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit for the master process. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Specify the event mechanism FPM will use. The following is available: +; - select (any POSIX os) +; - poll (any POSIX os) +; - epoll (linux >= 2.5.44) +; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0) +; - /dev/poll (Solaris >= 7) +; - port (Solaris >= 10) +; Default Value: not set (auto detection) +;events.mechanism = epoll + +; When FPM is build with systemd integration, specify the interval, +; in second, between health report notification to systemd. +; Set to 0 to disable. +; Available Units: s(econds), m(inutes), h(ours) +; Default Unit: seconds +; Default value: 10 +;systemd_interval = 10 + +;;;;;;;;;;;;;;;;;;;; +; Pool Definitions ; +;;;;;;;;;;;;;;;;;;;; + +; Multiple pools of child processes may be started with different listening +; ports and different management options. The name of the pool will be +; used in logs and stats. There is no limitation on the number of pools which +; FPM can handle. Your system will tell you anyway :) + +; Start a new pool named 'www'. +; the variable $pool can we used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr/local) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +user = www +group = www + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all IPv4 addresses on a +; specific port; +; '[::]:port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = 127.0.0.1:9000 + +; Set listen(2) backlog. +; Default Value: 65535 (-1 on FreeBSD and OpenBSD) +;listen.backlog = 65535 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. +; Default Values: user and group are set as the running user +; mode is set to 0660 +;listen.owner = www +;listen.group = www +;listen.mode = 0660 +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. +; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 5 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 2 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 1 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 3 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. It shows the following informations: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. +; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. +; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/local/share/php/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. +; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{miliseconds}d +; - %{mili}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some exemples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environement, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; exectute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp +env[HOSTNAME] = $HOSTNAME +env[PATH] = /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin +env[TMP] = /tmp +env[TMPDIR] = /tmp +env[TEMP] = /tmp +php_admin_value[session.save_path] = "/usr/local/www/nextcloud-sessions-tmp" + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /usr/local) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 32M + diff --git a/overlay/usr/local/etc/php-fpm.d/wordpress.conf b/overlay/usr/local/etc/php-fpm.d/wordpress.conf new file mode 100644 index 0000000..cb80195 --- /dev/null +++ b/overlay/usr/local/etc/php-fpm.d/wordpress.conf @@ -0,0 +1,12 @@ +[nextcloud] +user = www +group = www +listen = /var/run/wordpress-php-fpm.sock +listen.owner = www +listen.group = www +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 +php_admin_value[session.save_path] = "/usr/local/www/wordpress-sessions-tmp" diff --git a/post_install.sh b/post_install.sh new file mode 100755 index 0000000..fd0e192 --- /dev/null +++ b/post_install.sh @@ -0,0 +1,138 @@ +#!/bin/sh + +# Enable the service +sysrc -f /etc/rc.conf nginx_enable="YES" +sysrc -f /etc/rc.conf mysql_enable="YES" +sysrc -f /etc/rc.conf php_fpm_enable="YES" + +# Install fresh nextcloud.conf if user hasn't upgraded +CPCONFIG=0 +if [ -e "/usr/local/etc/nginx/conf.d/nextcloud.conf" ] ; then + # Confirm the config doesn't have user-changes. Update if not + if [ "$(md5 -q /usr/local/etc/nginx/conf.d/nextcloud.conf)" = "$(cat /usr/local/etc/nginx/conf.d/nextcloud.conf.checksum)" ] ; then + CPCONFIG=1 + fi +else + CPCONFIG=1 +fi + +# Copy over the nginx config template +if [ "$CPCONFIG" = "1" ] ; then + cp /usr/local/etc/nginx/conf.d/nextcloud.conf.template /usr/local/etc/nginx/conf.d/nextcloud.conf + md5 -q /usr/local/etc/nginx/conf.d/nextcloud.conf > /usr/local/etc/nginx/conf.d/nextcloud.conf.checksum +fi + +cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini +# Modify opcache settings in php.ini according to Nextcloud documentation (remove comment and set recommended value) +# https://docs.nextcloud.com/server/15/admin_manual/configuration_server/server_tuning.html#enable-php-opcache +sed -i '' 's/.*opcache.enable=.*/opcache.enable=1/' /usr/local/etc/php.ini +sed -i '' 's/.*opcache.enable_cli=.*/opcache.enable_cli=1/' /usr/local/etc/php.ini +sed -i '' 's/.*opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/' /usr/local/etc/php.ini +sed -i '' 's/.*opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/' /usr/local/etc/php.ini +sed -i '' 's/.*opcache.memory_consumption=.*/opcache.memory_consumption=128/' /usr/local/etc/php.ini +sed -i '' 's/.*opcache.save_comments=.*/opcache.save_comments=1/' /usr/local/etc/php.ini +sed -i '' 's/.*opcache.revalidate_freq=.*/opcache.revalidate_freq=1/' /usr/local/etc/php.ini +# recommended value of 512MB for php memory limit (avoid warning when running occ) +sed -i '' 's/.*memory_limit.*/memory_limit=512M/' /usr/local/etc/php.ini +# recommended value of 10 (instead of 5) to avoid timeout +sed -i '' 's/.*pm.max_children.*/pm.max_children=10/' /usr/local/etc/php-fpm.d/nextcloud.conf +# Nextcloud wants PATH environment variable set. +echo "env[PATH] = $PATH" >> /usr/local/etc/php-fpm.d/nextcloud.conf + +# Start the service +service nginx start 2>/dev/null +service php-fpm start 2>/dev/null +service mysql-server start 2>/dev/null + +#https://docs.nextcloud.com/server/13/admin_manual/installation/installation_wizard.html do not use the same name for user and db +USER="dbadmin" +DB="nextcloud" +NCUSER="ncadmin" + +# Save the config values +echo "$DB" > /root/dbname +echo "$USER" > /root/dbuser +echo "$NCUSER" > /root/ncuser +export LC_ALL=C +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1 > /root/dbpassword +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1 > /root/ncpassword +PASS=`cat /root/dbpassword` +NCPASS=`cat /root/ncpassword` + +if [ -e "/root/.mysql_secret" ] ; then + # Mysql > 57 sets a default PW on root + TMPPW=$(cat /root/.mysql_secret | grep -v "^#") + echo "SQL Temp Password: $TMPPW" + +# Configure mysql +mysql -u root -p"${TMPPW}" --connect-expired-password <<-EOF +ALTER USER 'root'@'localhost' IDENTIFIED BY '${PASS}'; +CREATE USER '${USER}'@'localhost' IDENTIFIED BY '${PASS}'; +GRANT ALL PRIVILEGES ON *.* TO '${USER}'@'localhost' WITH GRANT OPTION; +GRANT ALL PRIVILEGES ON ${DB}.* TO '${USER}'@'localhost'; +FLUSH PRIVILEGES; +EOF + +# Make the default log directory +mkdir /var/log/zm +chown www:www /var/log/zm + +else + # Mysql <= 56 does not + +# Configure mysql +mysql -u root <<-EOF +UPDATE mysql.user SET Password=PASSWORD('${PASS}') WHERE User='root'; +DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); +DELETE FROM mysql.user WHERE User=''; +DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'; +CREATE USER '${USER}'@'localhost' IDENTIFIED BY '${PASS}'; +GRANT ALL PRIVILEGES ON *.* TO '${USER}'@'localhost' WITH GRANT OPTION; +GRANT ALL PRIVILEGES ON ${DB}.* TO '${USER}'@'localhost'; +FLUSH PRIVILEGES; +EOF +fi + +# If on NAT, we need to use the HOST address as the IP +if [ -e "/etc/iocage-env" ] ; then + IOCAGE_PLUGIN_IP=$(cat /etc/iocage-env | grep HOST_ADDRESS= | cut -d '=' -f 2) + echo "Using NAT Address: $IOCAGE_PLUGIN_IP" +fi + +#Use occ to complete Nextcloud installation +su -m www -c "php /usr/local/www/nextcloud/occ maintenance:install --database=\"mysql\" --database-name=\"nextcloud\" --database-user=\"$USER\" --database-pass=\"$PASS\" --database-host=\"localhost\" --admin-user=\"$NCUSER\" --admin-pass=\"$NCPASS\" --data-dir=\"/usr/local/www/nextcloud/data\"" +su -m www -c "php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value=\"${IOCAGE_PLUGIN_IP}\"" + +#workaround for occ (in shell just use occ instead of su -m www -c "....") +echo >> .cshrc +echo alias occ ./occ.sh >> .cshrc +echo 'su -m www -c php\ ``/usr/local/www/nextcloud/occ\ "$*"``' > ~/occ.sh +chmod u+x ~/occ.sh + +#workaround for app-pkg +sed -i '' "s|false|true|g" /usr/local/www/nextcloud/config/config.php + +# create sessions tmp dir outside nextcloud installation +mkdir -p /usr/local/www/nextcloud-sessions-tmp >/dev/null 2>/dev/null +chmod o-rwx /usr/local/www/nextcloud-sessions-tmp +chown -R www:www /usr/local/www/nextcloud-sessions-tmp +chown -R www:www /usr/local/www/nextcloud/app-pkgs + +chmod -R o-rwx /usr/local/www/nextcloud + +#updater needs this +chown -R www:www /usr/local/www/nextcloud + +#restart the services to make sure we have pick up the new permission +service php-fpm restart 2>/dev/null +#nginx restarts to fast while php is not fully started yet +sleep 5 +service nginx restart 2>/dev/null + +echo "Database Name: $DB" > /root/PLUGIN_INFO +echo "Database User: $USER" >> /root/PLUGIN_INFO +echo "Database Password: $PASS" >> /root/PLUGIN_INFO + +echo "Nextcloud Admin User: $NCUSER" >> /root/PLUGIN_INFO +echo "Nextcloud Admin Password: $NCPASS" >> /root/PLUGIN_INFO + diff --git a/settings.json b/settings.json new file mode 100644 index 0000000..4ae120f --- /dev/null +++ b/settings.json @@ -0,0 +1,38 @@ +{ + "servicerestart":"service nginx restart", + "serviceget": "/usr/local/bin/pluginget", + "serviceset": "/usr/local/bin/pluginset", + "options": { + "dbname": { + "type": "string", + "name": "Database Name", + "description": "Database to use for NextCloud setup", + "readonly": true + }, + "dbuser": { + "type": "string", + "name": "Database Username", + "description": "Username to use for NextCloud Database setup", + "readonly": true + }, + "dbpassword": { + "type": "string", + "name": "Database Password", + "description": "Password to use for NextCloud Database setup", + "readonly": true + } + "ncuser": { + "type": "string", + "name": "Nextcloud Username", + "description": "Username of Nextcloud administrator", + "readonly": true + }, + "ncpassword": { + "type": "string", + "name": "Nextcloud Admin Password", + "description": "Default Nextcloud administrator password", + "readonly": true + } + } +} + diff --git a/ui.json b/ui.json new file mode 100644 index 0000000..5668416 --- /dev/null +++ b/ui.json @@ -0,0 +1,4 @@ +{ + "adminportal": "http://%%IP%%" +} +