Merge branch 'feature/docker-revamp' into feature/docker-revamp-non-root

Dockerfile

@@ -4,8 +4,10 @@ LABEL maintainer="Passbolt SA <contact@passbolt.com>"
 
 ENV PASSBOLT_PKG_KEY=0xDE8B853FC155581D
 ENV PASSBOLT_PKG=passbolt-ce-server
+ENV PHP_VERSION=7.3
 ENV GNUPGHOME=/var/lib/passbolt/.gnupg
 
+
 RUN apt-get update \
     && DEBIAN_FRONTEND=non-interactive apt-get -y install \
       ca-certificates \
@@ -16,10 +18,17 @@ RUN apt-get update \
     && DEBIAN_FRONTEND=non-interactive apt-get -y install --no-install-recommends \
       nginx \
       $PASSBOLT_PKG \
-      supervisor
+      supervisor \
+      php-apcu
 
 RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
     && rm /etc/nginx/sites-enabled/default \
+    && cp /usr/share/passbolt/examples/nginx-passbolt-ssl.conf /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i 's,;clear_env = no,clear_env = no,' /etc/php/$PHP_VERSION/fpm/pool.d/www.conf \
+    && sed -i 's,# include __PASSBOLT_SSL__,include /etc/nginx/snippets/passbolt-ssl.conf;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+    && sed -i 's,ssl on;,listen 4443 ssl;,' /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i 's,__CERT_PATH__,/etc/passbolt/certs/certificate.crt;,' /etc/nginx/snippets/passbolt-ssl.conf \
+    && sed -i 's,__KEY_PATH__,/etc/passbolt/certs/certificate.key;,' /etc/nginx/snippets/passbolt-ssl.conf \
     && sed -i '/user www-data;/d' /etc/nginx/nginx.conf \
     && sed -i 's,/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
     && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \

bin/docker-entrypoint.sh

@@ -2,15 +2,16 @@
 
 set -euo pipefail
 
-passbolt_base='/usr/share/php/passbolt'
 passbolt_config="/etc/passbolt"
-
+passbolt_base="/usr/share/php/passbolt"
 gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}"
 gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}"
 
 ssl_key="$passbolt_config/certs/certificate.key"
 ssl_cert="$passbolt_config/certs/certificate.crt"
 
+export GNUPGHOME="/var/lib/passbolt/.gnupg"
+
 entropy_check() {
   local entropy_avail
 
@@ -72,12 +73,11 @@ gen_ssl_cert() {
 
 install() {
   if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f  "$passbolt_config/passbolt.php" ]; then
-    gpg_auto_fingerprint="$(gpg  --list-keys --with-colons "${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com}" |grep fpr |head -1| cut -f10 -d:)"
+    gpg_auto_fingerprint="$(gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:)"
     export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint
-    declare -p | grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT > ~/.profile
   fi
 
-  "$passbolt_base/bin/cake" passbolt install --no-admin || "$passbolt_base/bin/cake" passbolt migrate && echo "Enjoy! ☮"
+  $passbolt_base/bin/cake passbolt install --no-admin || $passbolt_base/bin/cake passbolt migrate && echo "Enjoy! ☮"
 }
 
 

docker-compose.yml

@@ -10,17 +10,15 @@ services:
       - "127.0.0.1:3306:3306"
 
   passbolt:
-    image: localpassbolt
+    image: localpassbolt-nonroot
     tty: true
     depends_on:
       - db
     env_file:
       - env/passbolt.env
     volumes:
-      - gpg_volume:/var/www/passbolt/config/gpg
-      - images_volume:/var/www/passbolt/webroot/img/public
-    tmpfs:
-      - /run
+      - gpg_volume:/var/lib/passbolt/.gnupg
+      - images_volume:/usr/share/php/passbolt/webroot/img/public
     command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
     ports:
       - 80:8080