From e928339d3d535e7bfb6774dd58d62cb7901d1983 Mon Sep 17 00:00:00 2001 From: Joe Corall Date: Mon, 29 Dec 2025 08:50:54 -0500 Subject: [PATCH 1/2] Update base images Add recaptcha support --- docker-compose.yaml | 12 +++++-- rootfs/etc/confd/conf.d/ojs.conf.toml | 7 ++++ rootfs/etc/confd/templates/config.inc.tmpl | 40 +++------------------ rootfs/etc/confd/templates/ojs.conf.tmpl | 42 ++++++++++++++++++++++ rootfs/etc/nginx/shared/fpm.conf | 24 +++++++++++++ rootfs/etc/s6-overlay/scripts/ojs-setup.sh | 16 ++++----- scripts/generate-secrets.sh | 13 +++++++ scripts/test.sh | 10 ++++-- 8 files changed, 114 insertions(+), 50 deletions(-) create mode 100644 rootfs/etc/confd/conf.d/ojs.conf.toml create mode 100644 rootfs/etc/confd/templates/ojs.conf.tmpl create mode 100644 rootfs/etc/nginx/shared/fpm.conf diff --git a/docker-compose.yaml b/docker-compose.yaml index dcfee01..ba6c7d8 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -1,4 +1,6 @@ --- +networks: + default: volumes: mariadb-data: {} ojs-cache: {} @@ -21,7 +23,7 @@ secrets: services: init: - image: islandora/base:6.0.10@sha256:00f16e56a20950f7b85e690b03c1e6e167625236bc77c56f4cd121dafd9ef578 + image: islandora/base:6.2.3@sha256:010f7e422ad4563f91335106215a72c7485635b0a1125c651b4e76cb6d7efbd4 restart: no volumes: - ./secrets:/secrets:rw @@ -32,12 +34,16 @@ services: ojs: image: ghcr.io/libops/ojs:main build: . + networks: + - default ports: - 80:80 environment: OJS_OAI_REPOSITORY_ID: ${DOMAIN:-localhost} OJS_ENABLE_BEACON: 1 OJS_SMTP_SERVER: ${OJS_SMTP_SERVER:-} + OJS_ENABLE_HTTPS: "true" + OJS_BASE_URL: "https://${DOMAIN:-localhost}" secrets: - source: DB_ROOT_PASSWORD - source: OJS_API_KEY_SECRET 
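Review bot: `OJS_ENABLE_HTTPS: "true"` and `OJS_BASE_URL: "https://${DOMAIN:-localhost}"` are hard-coded while the only published port in this hunk is `80:80` and nothing in the diff adds a TLS listener or a 443 mapping, so a plain `docker compose up` with the default `DOMAIN` tells OJS it is served over HTTPS at a URL nothing answers. The ojs.conf.tmpl hunk makes the same assumption by passing `fastcgi_param HTTPS on` to PHP whenever the variable is "true", independent of the request's actual scheme, so the two should be kept in step. Either make the value overridable, `OJS_ENABLE_HTTPS: ${OJS_ENABLE_HTTPS:-true}` (and the base URL likewise), or add a comment above these two lines stating that a TLS-terminating proxy in front of port 80 is assumed. The `networks: - default` entries added here and in the mariadb hunk restate compose's implicit default network and can be dropped.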
@@ -54,7 +60,9 @@ services: mariadb: condition: service_started mariadb: - image: islandora/mariadb:6.0.10@sha256:a89a1152abe0fc3d5de66d071b4391dd8f18e5f4883bfa32a82caf45a46d96da + image: islandora/mariadb:6.2.3@sha256:3c6e7cbed734310f4d9fea7a4f08e7e282ecb1a5e73aec0ab79b4167930380ab + networks: + - default volumes: - mariadb-data:/var/lib/mysql:rw secrets: diff --git a/rootfs/etc/confd/conf.d/ojs.conf.toml b/rootfs/etc/confd/conf.d/ojs.conf.toml new file mode 100644 index 0000000..710cab5 --- /dev/null +++ b/rootfs/etc/confd/conf.d/ojs.conf.toml @@ -0,0 +1,7 @@ +[template] +src = "ojs.conf.tmpl" +dest = "/etc/nginx/shared/ojs.conf" +uid = 0 +gid = 0 +mode = "0644" +keys = [ "/" ] diff --git a/rootfs/etc/confd/templates/config.inc.tmpl b/rootfs/etc/confd/templates/config.inc.tmpl index 1478059..8434d11 100644 --- a/rootfs/etc/confd/templates/config.inc.tmpl +++ b/rootfs/etc/confd/templates/config.inc.tmpl @@ -102,7 +102,7 @@ restful_urls = On {{- $cleaned := replace $temp "http://" "" -1 -}} {{- $host := index (split $cleaned "/") 0 -}} -{{- $domain := index (split $host ":") 0 -}} +{{ $domain := index (split $host ":") 0 }} allowed_hosts = '["localhost", "{{ $domain }}"]' 
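Review bot: Dropping the `-` trim markers from the `$domain` assignment changes the rendered output (the newline around the action is now kept, presumably so that `allowed_hosts` lands on its own line instead of being glued to the preceding output), but nothing in the file records that this is deliberate, and the next person tidying the template is likely to put the markers back. Add an INI comment above the line, `; no whitespace trim on the next action: keeps allowed_hosts on its own line`. The template lines that compute `$temp` and `$host` begin outside this hunk.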
@@ -431,45 +431,13 @@ page_links = 10 [captcha] ; Whether or not to enable ReCaptcha -recaptcha = off - -; Public key for reCaptcha (see http://www.google.com/recaptcha) -recaptcha_public_key = your_public_key - -; Private key for reCaptcha (see http://www.google.com/recaptcha) -recaptcha_private_key = your_private_key - -; Whether or not to use Captcha on user registration +recaptcha = {{ if getenv "RECAPTCHA_PUBLIC_KEY" }}on{{ else }}off{{ end }} +recaptcha_public_key = {{ getenv "RECAPTCHA_PUBLIC_KEY" }} +recaptcha_private_key = {{ getenv "RECAPTCHA_PRIVATE_KEY" }} captcha_on_register = on - -; Whether or not to use Captcha on user login captcha_on_login = on - -; Validate the hostname in the ReCaptcha response recaptcha_enforce_hostname = Off -; ALTCHA is a free and open-source alternative to Google's ReCaptcha -; The options below will manage all the required configurations used to -; work with ALTCHA instead of ReCaptcha on system - -; Whether or not to enable ALTCHA -altcha = off - -; Private key for ALTCHA -altcha_hmackey = 'Example key' - -; Whether or not to use ALTCHA on user registration -altcha_on_register = on - -; Whether or not to use ALTCHA on user login -altcha_on_login = on - -; Whether or not to use ALTCHA on user lost password -altcha_on_lost_password = on - -; The quantity of encryption cycles performed by the ALTCHA system -altcha_encrypt_number = 10000 - ;;;;;;;;;;;;;;;;;;;;; ; External Commands ; ;;;;;;;;;;;;;;;;;;;;; diff --git a/rootfs/etc/confd/templates/ojs.conf.tmpl b/rootfs/etc/confd/templates/ojs.conf.tmpl new file mode 100644 index 0000000..360d2f2 --- /dev/null +++ b/rootfs/etc/confd/templates/ojs.conf.tmpl 
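Review bot: `recaptcha` is switched on by `RECAPTCHA_PUBLIC_KEY` alone, so a deployment that sets the public key but not `RECAPTCHA_PRIVATE_KEY` renders `recaptcha = on` with an empty `recaptcha_private_key`, and with `captcha_on_register` and `captcha_on_login` both `on` registration and login would presumably hang on a verification that cannot succeed; gate on both keys: `recaptcha = {{ if and (getenv "RECAPTCHA_PUBLIC_KEY") (getenv "RECAPTCHA_PRIVATE_KEY") }}on{{ else }}off{{ end }}`. The private key is also the only credential in this change delivered through a plain environment variable, whereas the rest of the stack provisions credentials as compose secrets (`DB_ROOT_PASSWORD`, `OJS_API_KEY_SECRET` in docker-compose.yaml); environment values are readable through `docker inspect` and the container's process environment, so consider sourcing it from a secret file the same way, or at least note the difference beside the key. The ALTCHA block is deleted without a trace; a one-line `; ALTCHA intentionally not configured; reCaptcha keys come from RECAPTCHA_* env` would keep the section self-explaining.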
@@ -0,0 +1,42 @@
+root /var/www/ojs;
+index index.php;
+
+error_log /dev/stderr;
+access_log /dev/stdout combined;
+
+error_log /dev/stderr;
+access_log /dev/stdout combined;
+
+# API rewrite with redirect
+location ~ ^/api/v1(.*)$ {
+ return 307 /index.php/api/v1$1;
+}
+
+# Main location block
+location / {
+ # Try to serve file directly, otherwise pass to index.php
+ try_files $uri $uri/ /index.php/$uri?$query_string;
+}
+
+# PHP processing
+location ~ \.php(/|$) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ fastcgi_pass unix:/var/run/php-fpm83/php-fpm83.sock;
+ {{ if eq (getenv "OJS_ENABLE_HTTPS") "true" }}
+ fastcgi_param HTTPS on;
+ fastcgi_param HTTP_SCHEME https;
+ {{ end }}
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ include fastcgi_params;
+}
+
+# Deny access to hidden files
+location ~ /\. {
+ deny all;
+}
diff --git a/rootfs/etc/nginx/shared/fpm.conf b/rootfs/etc/nginx/shared/fpm.conf
new file mode 100644
index 0000000..b06c57d
--- /dev/null
+++ b/rootfs/etc/nginx/shared/fpm.conf
@@ -0,0 +1,24 @@
+# Used to validate that PHP-FPM is in a ready state.
+# Not accessible outside of the container.
+location ~ ^/(status|ping)$ {
+ access_log off;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_pass unix:/var/run/php-fpm83/php-fpm83.sock;
+}
+
+location = /opcache_stat.php {
+ access_log off;
+ allow 127.0.0.1;
+ allow ::1;
+ allow 128.180.0.0/16;
+ deny all;
+ fastcgi_pass unix:/var/run/php-fpm83/php-fpm83.sock;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+}
diff --git a/rootfs/etc/s6-overlay/scripts/ojs-setup.sh b/rootfs/etc/s6-overlay/scripts/ojs-setup.sh
index 8682a91..d793557 100755
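Review bot: The API redirect `return 307 /index.php/api/v1$1;` drops the query string, because the capture comes from `$uri` (which never carries arguments) and, unlike `rewrite`, `return` does not append them, so a request like `/api/v1/submissions?count=10` is redirected to `/index.php/api/v1/submissions` without `count`; use `return 307 /index.php/api/v1$1$is_args$args;`. The `error_log`/`access_log` pair is declared twice (lines 4-5 and 7-8 of the new file); nginx accepts repeated log directives at one level and writes to each, so every line would likely land in the container log twice, and the second copy should go.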
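Review bot: `allow 128.180.0.0/16;` bakes a specific public network into an image that is published for general use (`ghcr.io/libops/ojs` in docker-compose.yaml), so every deployment of the image exposes `/opcache_stat.php` (presumably opcache statistics, which reveal cached file paths) to that range, and the header comment "Not accessible outside of the container" at the top of the file no longer reads true for this location. Drop the line from the image and make the allow-list a template value like the neighbouring `ojs.conf.tmpl` (a `{{ range }}` over an `OPCACHE_STAT_ALLOW`-style variable, exact name to be chosen), or at least document above it why that range is trusted. Note also that `allow`/`deny` match `$remote_addr`, so if a proxy inside the container network ever fronts nginx, both locations will see the proxy's address rather than the client's.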
--- a/rootfs/etc/s6-overlay/scripts/ojs-setup.sh +++ b/rootfs/etc/s6-overlay/scripts/ojs-setup.sh @@ -70,20 +70,18 @@ function install_ojs { } function main { - mysql_create_database - # wait for nginx if ! timeout 300 wait-for-open-port.sh localhost 80; then echo "Could not connect to nginx at localhost:80" exit 1 fi - - if ! check_ojs_installed; then - install_ojs & - echo "OJS installation started." - else - echo "OJS is already installed. Skipping installation." - set_ojs_installed + if [ "${DB_HOST}" = "mariadb" ]; then + mysql_create_database + install_ojs & + echo "OJS installation started." + exit 0 fi + + set_ojs_installed } main diff --git a/scripts/generate-secrets.sh b/scripts/generate-secrets.sh index e336111..7aa6fd1 100755 --- a/scripts/generate-secrets.sh +++ b/scripts/generate-secrets.sh @@ -16,3 +16,16 @@ yq -r '.secrets[].file' docker-compose.yaml | uniq | while read -r SECRET; do (grep -ao "${CHARACTERS}" < /dev/urandom || true) | head "-${LENGTH}" | tr -d '\n' > "${SECRET}" fi done + +if [ -f docker-compose.override.yaml ]; then + yq -r '.secrets[].file' docker-compose.override.yaml | uniq | while read -r SECRET; do + if [ ! -f "${SECRET}" ]; then + echo "Creating: ${SECRET}" >&2 + DIR=$(dirname "${SECRET}") + if [ ! -d "${DIR}" ]; then + mkdir -p "$DIR" + fi + (grep -ao "${CHARACTERS}" < /dev/urandom || true) | head "-${LENGTH}" | tr -d '\n' > "${SECRET}" + fi + done +fi diff --git a/scripts/test.sh b/scripts/test.sh index d052162..c79f8c5 100755 --- a/scripts/test.sh +++ b/scripts/test.sh @@ -2,20 +2,24 @@ set -eou pipefail -max_attempts=10 +max_attempts=20 attempt=0 while [ $attempt -lt $max_attempts ]; do attempt=$(( attempt + 1 )) echo "Attempt $attempt of $max_attempts..." - sleep 60 + sleep 10 - if curl -sf http://localhost | grep " Date: Mon, 29 Dec 2025 13:53:36 +0000 Subject: [PATCH 2/2] chore(deps): update bump-dependencies --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
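Review bot: Removing the `check_ojs_installed` guard means every start with `DB_HOST=mariadb` runs `mysql_create_database` and `install_ojs &` again, including restarts against the persisted `mariadb-data` volume, unless `install_ojs` (whose body lies outside this hunk) detects an existing installation itself; keep the check in the condition, `if [ "${DB_HOST}" = "mariadb" ] && ! check_ojs_installed; then`. On that path `main` also exits while `install_ojs` is still running in the background and `set_ojs_installed` is never reached, so whatever reads that marker only sees it on the non-mariadb path; if `install_ojs` sets it itself, a comment saying so next to `exit 0` would save the next reader the search. The old "OJS is already installed. Skipping installation." message is gone, leaving the non-mariadb path silent.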
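Review bot: The new `docker-compose.override.yaml` block is a verbatim copy of the loop above it (whose start is outside this hunk), differing only in the file name, so the two will drift apart; fold both into one loop over the candidate files. The secret files are written under the caller's default umask, so they are typically world-readable until something else tightens them; a `umask 077` before the loop would close that for both files at once. The combined loop:
```shell
for COMPOSE_FILE in docker-compose.yaml docker-compose.override.yaml; do
  [ -f "${COMPOSE_FILE}" ] || continue
  yq -r '.secrets[].file' "${COMPOSE_FILE}" | uniq | while read -r SECRET; do
    if [ ! -f "${SECRET}" ]; then
      echo "Creating: ${SECRET}" >&2
      mkdir -p "$(dirname "${SECRET}")"
      (grep -ao "${CHARACTERS}" < /dev/urandom || true) | head "-${LENGTH}" | tr -d '\n' > "${SECRET}"
    fi
  done
done
```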
diff --git a/Dockerfile b/Dockerfile index 8b35919..7de1485 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM islandora/nginx:6.0.10@sha256:57f9e680cc7515ba0025c2e5ba5f1f16dc6bb0810810684556805431af5fd962 +FROM islandora/nginx:6.2.3@sha256:1e85a1f0a222289a3079d5740ce8156d36c325c1f8477fb96806fa157cfb666b SHELL ["/bin/ash", "-eo", "pipefail", "-c"] @@ -12,11 +12,11 @@ ARG \ # renovate: datasource=repology depName=alpine_3_22/ghostscript GHOSTSCRIPT_VERSION=10.05.1-r0 \ # renovate: datasource=repology depName=alpine_3_22/npm - NPM_VERSION=11.4.2-r0 \ + NPM_VERSION=11.6.4-r0 \ # renovate: datasource=github-tags depName=ojs packageName=pkp/ojs OJS_VERSION=3_5_0rc2 \ # renovate: datasource=repology depName=alpine_3_22/php83 - PHP_VERSION=8.3.27-r0 \ + PHP_VERSION=8.3.29-r0 \ # renovate: datasource=repology depName=alpine_3_22/poppler-utils POPPLER_VERSION=25.04.0-r0