[DOCKER] Added preliminary docker container

DOCKER_INSTALL.md

@@ -0,0 +1,7 @@
+
+Make sure to set the permissions of this folder to group and group 82, as that's what php-fpm uses
+
+# groupadd -g 82 www-data
+# useradd -u 82 -g 82 -r -s /usr/bin/nologin www-data
+# chown $USER:www-data social file public public/install.php public/index.php
+# chmod -R g=wrx social file public public/install.php public/index.php

docker-compose.yml

@@ -0,0 +1,39 @@
+version: '3.3'
+
+services:
+  nginx:
+    image: nginx:latest
+    restart: always
+    tty: false
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - .:/var/www/gnusocial
+      - ./nginx.conf:/etc/nginx/conf.d/gnusocial.conf
+
+  php:
+    build: docker/php
+    restart: always
+    tty: true
+    ports:
+      - 9000:9000
+    volumes:
+      - .:/var/www/gnusocial
+
+  postgres:
+    image: postgres:alpine
+    restart: always
+    tty: false
+    ports:
+      - 5432:5432
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=foobar
+      - POSTGRES_DB=social
+      - PGDATA=/var/lib/postgresql/data
+    volumes:
+      - database:/var/lib/postgresql/data
+
+volumes:
+  database:

docker/php/Dockerfile

@@ -0,0 +1,8 @@
+FROM php:fpm-alpine
+
+RUN apk update && apk add gettext-dev icu-dev zlib-dev libpng-dev gmp-dev postgresql-dev
+
+ARG exts="bcmath exif gd gettext gmp intl mysqli opcache pdo pdo_pgsql pgsql"
+
+RUN docker-php-ext-install ${exts} \
+    && docker-php-ext-enable ${exts}

nginx.conf

@@ -0,0 +1,90 @@
+# server {
+
+#     server_name social.localhost;
+
+#     # redirect all traffic to HTTPS
+#     rewrite ^ https://$host$request_uri? permanent;
+# }
+
+server {
+    listen [::]:80;
+    listen 80;
+
+    # Root
+    root /var/www/gnusocial/public;
+
+    # Server name
+    server_name social.localhost;
+
+    # Index
+    index index.php;
+
+    # X-Accel/X-Sendfile. Still needs to be enabled in the config
+    location /file {
+        internal;
+        # FIXME: Change "/path/to/gnusocial/root/" to the folder where
+        # attachments are stored (normally the same as the site root)
+        root /var/www/gnusocial;
+    }
+
+    # PHP
+    location ~ ^/(index|install)\.php(/.*)?$ {
+        include fastcgi_params;
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+        try_files $fastcgi_script_name =404;
+
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    }
+
+    # Don't allow any PHP file other than index.php to be executed
+    # This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
+    # And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
+    location ~ \.php$ {
+        deny all;
+    }
+
+    # Location
+    location / {
+        try_files $uri $uri/ @index_handler;
+    }
+
+    # Fancy URLs
+    error_page 404 @index_handler;
+    location @index_handler {
+        rewrite ^(.*)$ /index.php?p=$1 last;
+    }
+
+    # Restrict access that is unnecessary anyway
+    location ~ /\.(ht|git) {
+        deny all;
+    }
+
+#
+# Hardening (optional)
+#
+#    add_header Strict-Transport-Security "max-age=15768000; preload;";
+#    add_header X-Content-Type-Options nosniff;
+#    add_header Referrer-Policy strict-origin-when-cross-origin;
+#    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
+#    add_header X-Permitted-Cross-Domain-Policies none;
+#    add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
+#
+#    client_max_body_size 15M;
+#    client_body_buffer_size 128k;
+#    gzip_vary on;
+#
+#    location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
+#        gzip on;
+#        gzip_comp_level 4;
+#        add_header Cache-Control "public";
+#        expires 30d;
+#        access_log off;
+#        log_not_found off;
+#    }
+}