diff --git a/Dockerfile b/Dockerfile
index c90bfd94..adfcebf1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,9 @@
FROM debian:stable-slim
+ARG BRANCH=25.x
+ARG UID=1000
+ARG GID=1000
+
RUN apt update && apt dist-upgrade -y
RUN apt-get -y install lsb-release ca-certificates curl
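Review bot: Declaring `ARG BRANCH`, `ARG UID` and `ARG GID` directly under `FROM` puts them in scope for every later `RUN`, so building with a different `BRANCH` can miss the cache for the apt layers too. Declare each one just before its first use: `ARG UID=1000` and `ARG GID=1000` before `addgroup`, `ARG BRANCH=25.x` before `git clone`. `UID` is also a read-only variable in bash, so the name only works while `RUN` uses the default `/bin/sh`; a name such as `TIKI_UID` avoids that trap.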
@@ -12,7 +16,8 @@ RUN apt install -y \
sqlite3 php7.4-sqlite3 build-essential elinks unzip xlsx2csv psutils \
php7.4-memcached php7.4-memcached php7.4-opcache php7.4-intl php7.4-gd \
php7.4-mysql php7.4-ldap php7.4-dom php7.4-zip php7.4-ldap \
- php7.4-fpm php7.4-mysql php7.4-mbstring \
+ php7.4-fpm php7.4-mysql php7.4-mbstring php7.4-bz2 \
+ php-dompdf \
composer curl
RUN apt install -y \
@@ -20,20 +25,37 @@ RUN apt install -y \
RUN a2enmod rewrite alias authz_user ssl
-WORKDIR /var/www/html/
-
-RUN git clone https://gitlab.com/tikiwiki/tiki.git
-
-WORKDIR ./tiki
-
-RUN chown -R www-data:www-data /var/www/html/tiki
-
-COPY conf/www.conf /etc/php/7.4/fpm/pool.d/www.conf
-COPY conf/php-fpm.conf /etc/php/7.4/fpm/php-fpm.conf
+RUN apt install -y \
+ tesseract-ocr
ADD start.sh /start.sh
+
ADD entrypoint.sh /entrypoint.sh
+RUN addgroup --gid ${GID} tikiwiki
+
+RUN adduser \
+ --system \
+ --uid ${UID} \
+ --gid ${GID} \
+ --shell /usr/sbin/nologin \
+ --gecos 'Tikiwiki' \
+ --disabled-password \
+ --home /var/www/html/tiki \
+ tikiwiki
+
+RUN adduser www-data tikiwiki
+
+WORKDIR /var/www/html/tiki
+
+USER tikiwiki
+
+RUN git clone -b ${BRANCH} https://gitlab.com/tikiwiki/tiki.git .
+
+USER root
+
+RUN mkdir -p files/forums && chmod -R 777 files/forums
+
VOLUME ["/uploads"]
ENTRYPOINT [ "/bin/sh", "/entrypoint.sh" ]
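Review bot: `RUN mkdir -p files/forums && chmod -R 777 files/forums` makes the directory writable by every account in the container. Since conf/envvars now runs Apache as `tikiwiki`, owner access is enough, e.g. `RUN install -d -o tikiwiki -g tikiwiki -m 0750 files/forums`. `git clone -b ${BRANCH}` builds whatever the branch tip is at build time, so two builds of the same Dockerfile can ship different code; consider checking out a tag or commit passed as a build argument. The stage also ends on `USER root`, so `/entrypoint.sh` and everything it execs start as root; if root is only needed for Apache to bind the ports, a comment saying so would help.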
diff --git a/conf/default-ssl.conf b/conf/default-ssl.conf
index 76aa43a9..9e09e579 100644
--- a/conf/default-ssl.conf
+++ b/conf/default-ssl.conf
@@ -1,3 +1,520 @@
+
+#
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html/tiki/
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+
+ DirectoryIndex index.php
+
+
+
+
+ # Make sure proxies don't deliver the wrong content.
+ Header append Vary User-Agent env=!dont-vary
+
+ AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
+
+ # DEFLATE by extension.
+ AddOutputFilter DEFLATE js css htm html xml svg
+
+
+
+FileETag none
+
+
+ Header unset Cache-Control
+
+
+ # Mod_headers, y u no match by Content-Type?!
+
+ SetEnvIf Origin ":" IS_CORS
+ Header set Access-Control-Allow-Origin "*" env=IS_CORS
+
+
+
+
+ Header set Access-Control-Allow-Origin "*"
+
+
+
+
+
+
+ ExpiresActive on
+ ExpiresDefault "access plus 1 month"
+
+
+ ExpiresActive on
+ ExpiresDefault "access plus 1 month"
+
+
+
+
+
+ RewriteEngine On
+
+ # -- Apache Authorization Header -- #
+ # Rewrite rules for passing authorization with Apache running in CGI or FastCGI mode
+ RewriteCond %{HTTP:Authorization} ^(.*)
+ RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
+
+ # -- SVN Checkout Enabled Tiki -- #
+ # Prevents reading of SVN specific files, if your website is using this. (Development only normally)
+ RewriteRule .*/\.svn/.* - [F,L]
+
+ # -- If the URL Points to a File Then do Nothing -- #
+ RewriteCond %{REQUEST_FILENAME} -s [OR]
+ RewriteCond %{REQUEST_FILENAME} -l [OR]
+ RewriteCond %{REQUEST_FILENAME} -f [OR]
+ RewriteCond %{REQUEST_FILENAME} -d
+ RewriteRule (.*) - [L]
+
+ # -- Tiki URL Rewriting -- #
+ # Read more: https://dev.tiki.org/URL+Rewriting+Revamp
+ RewriteRule .* route.php [L]
+
+
+
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+
+ Require all granted
+
+
+ order deny,allow
+ allow from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+
+
+ Require all granted
+
+
+ Allow from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+
+
+
+ Require all granted
+
+
+ Allow from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+#remaining files - unknown browser access
+
+
+ Require all granted
+
+
+ Allow from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+AuthUserFile /PATH_TO_TIKI_PERMISSIONCHECK/.htpasswd
+AuthName "permissioncheck prepare password protection first"
+AuthType Basic
+
+ require valid-user
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all granted
+
+
+ order deny,allow
+ allow from all
+
+
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+
+ Require all granted
+
+
+ order deny,allow
+ allow from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all granted
+
+
+ order deny,allow
+ allow from all
+
+
+
+
+ ExpiresActive on
+ ExpiresDefault "modification"
+
+
+
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+
+ #the map and less files are allowed for developer deugging tools.
+
+ Require all granted
+
+
+ Allow from all
+
+
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+
+ RewriteEngine On
+
+ # -- Always Allow These File Types -- #
+ RewriteRule "\.(jpe?g|png|ico|gif|svgz?|ttf|eot|woff2?|otf|js|css)$" "-" [PT,L]
+
+ # -- Allow Access to files used by Developer Dubugging Tools -- #
+ RewriteRule "\.(map|less|scss)$" "-" [PT,L]
+
+ # -- Deny Everything Not Matched Above -- #
+ RewriteRule "/*" "-" [F]
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+
+
+ RewriteEngine On
+
+ # -- Always Allow These File Types -- #
+ RewriteRule "\.(jpe?g|png|ico|gif|svgz?|ttf|eot|woff2?|otf|js|css)$" "-" [PT,L]
+
+ # -- Allow Access to files used by Developer Dubugging Tools -- #
+ RewriteRule "\.(map|less|scss)$" "-" [PT,L]
+
+ # -- Vendor Exception List -- #
+ # These are file types by vendor file that will bypass the default filtering
+ #
+ # If you are adding a new vendor that needs browser access, adding a file
+ # type exception will be required.
+
+ RewriteRule "^(vendor/player/).*/.*\.swf$" "-" [PT,L]
+ RewriteRule "^(vendor/fortawesome/).*/.*\.swf$" "-" [PT,L]
+ RewriteRule "^(vendor/jquery/).*/.*\.swf$" "-" [PT,L]
+ RewriteRule "^(vendor/studio-42/).*/.*\.wav$" "-" [PT,L]
+
+ # -- Deny Everything Not Matched Above -- #
+ RewriteRule "/*" "-" [F]
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+Deny from all
+
+
+
+Deny from all
+
+
+
+#deny from all
+
+
+order deny,allow
+deny from all
+
+
+
+
+
+ Require all denied
+
+
+ order deny,allow
+ deny from all
+
+
+
+
+
+ Require all granted
+
+
+ Allow from all
+
+
+
+# -- Prevent Directory Browsing -- #
+Options -Indexes
+
+
+
+#
+
+#
ServerAdmin webmaster@localhost
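Review bot: `AuthUserFile /PATH_TO_TIKI_PERMISSIONCHECK/.htpasswd` is still the template placeholder, so the `require valid-user` block next to it has no password file to check against and that location will presumably answer every request with an error. Point it at a real file outside the document root, or drop the block. The two `Header set Access-Control-Allow-Origin "*"` lines also deserve a second look: the enclosing section tags are not visible in this rendering of the hunk, so confirm they stay limited to static assets and do not apply to PHP responses. The hunk pairs `Require all …` with `order deny,allow` throughout; if the module guards around them are missing in the file itself, Apache 2.4 needs `mod_access_compat` loaded for the old syntax.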
@@ -523,4 +1040,4 @@ Options -Indexes
-
+#
diff --git a/conf/envvars b/conf/envvars
index d761cf48..8d6c2c12 100644
--- a/conf/envvars
+++ b/conf/envvars
@@ -6,8 +6,8 @@ else
SUFFIX=
fi
-export APACHE_RUN_USER=www-data
-export APACHE_RUN_GROUP=www-data
+export APACHE_RUN_USER=tikiwiki
+export APACHE_RUN_GROUP=tikiwiki
export APACHE_PID_FILE=/tmp/apache2$SUFFIX/apache2.pid
export APACHE_RUN_DIR=/tmp/apache2$SUFFIX
export APACHE_LOCK_DIR=/tmp/apache2$SUFFIX
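Review bot: Running Apache as `tikiwiki` makes the server process the owner of the whole checkout, because the Dockerfile in this commit clones the code as `tikiwiki` into that account's home directory. Any file-write bug in the application can then modify PHP code. The Dockerfile also adds `www-data` to the `tikiwiki` group, which suggests the alternative `export APACHE_RUN_USER=www-data` with `export APACHE_RUN_GROUP=tikiwiki`, plus group write permission only on the data directories Tiki must write to. The rest of the file lies outside the hunk.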
diff --git a/docker-compose.yml b/docker-compose.yml
index 5e1b87f7..a15e436d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,28 +1,52 @@
version: '3'
-volumes:
- uploads:
- db:
-
services:
+ phpmyadmin:
+ image: phpmyadmin
+ restart: always
+ ports:
+ - 8080:80
+ environment:
+ - PMA_ARBITRARY=1
tikiwiki:
image: registry.audio-lab.org/tikiwiki:latest
- build: .
+ build:
+ context: .
+ args:
+ - BRANCH=25.x
+ - UID=1000
+ - GID=1000
ports:
- - 8443:443
- - 8480:80
+ - 443:443
+ - 80:80
volumes:
- - uploads:/uploads
+ - ./uploads:/var/www/html/uploads
+ - /tmp:/tmp
- ./conf/envvars:/etc/apache2/envvars:ro
- ./conf/default-ssl.conf:/etc/apache2/sites-available/000-default.conf:ro
restart: always
- db:
- image: mariadb:10
- restart: always
- volumes:
- - db:/var/lib/mysql
environment:
- MYSQL_DATABASE: tikiwiki
+ MYSQL_DATABASE: dockertiki
MYSQL_USER: tiki
- MYSQL_RANDOM_ROOT_PASSWORD: '1'
- MYSQL_PASSWORD: wiki # CHANGE PASSW
+ MYSQL_PASSWORD: wiki
+ MYSQL_HOST: 172.16.0.240
+ manticore:
+ container_name: manticore
+ image: manticoresearch/manticore
+ environment:
+ - EXTRA=1
+ restart: always
+ ports:
+ - 172.16.0.240:9306:9306
+ - 172.16.0.240:9308:9308
+ ulimits:
+ nproc: 65535
+ nofile:
+ soft: 65535
+ hard: 65535
+ memlock:
+ soft: -1
+ hard: -1
+ volumes:
+ - ./manticore:/var/lib/manticore
+ - /tmp:/tmp
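Review bot: The `- /tmp:/tmp` bind mounts on `tikiwiki` and `manticore` hand the host's /tmp to both containers, and conf/envvars keeps Apache's PID, run and lock directories under /tmp, so host processes and the other container can read or replace those files. A per-container `tmpfs`, or a dedicated named volume if the two services really exchange files, keeps them private. The new `phpmyadmin` service is published on all interfaces at 8080 with `PMA_ARBITRARY=1`, which lets anyone who reaches the port try logins against any database host the container can reach. `MYSQL_PASSWORD: wiki` is now committed without the former reminder to change it, and `phpmyadmin` and `manticoresearch/manticore` carry no image tag. The sketch below covers the first three points.

```yaml
services:
  phpmyadmin:
    image: phpmyadmin
    restart: always
    ports:
      - 127.0.0.1:8080:80        # reachable from the host only
    environment:
      - PMA_HOST=172.16.0.240    # one fixed server instead of PMA_ARBITRARY=1
  tikiwiki:
    # … unchanged: image, build, ports …
    volumes:
      - ./uploads:/var/www/html/uploads
      # … unchanged: envvars and default-ssl.conf mounts …
    tmpfs:
      - /tmp                     # private scratch space instead of the host's /tmp
    environment:
      # … unchanged: MYSQL_DATABASE, MYSQL_USER, MYSQL_HOST …
      MYSQL_PASSWORD: ${MYSQL_PASSWORD:?set MYSQL_PASSWORD in .env}
```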
diff --git a/entrypoint.sh b/entrypoint.sh
index c8602276..5592d324 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,5 +1,36 @@
#!/bin/bash
-sudo -u www-data setup.sh -n composer
+set -e
+
+echo "Starting Tikiwiki"
+
+bash setup.sh -n composer
+
+install() {
+ echo "Install"
+ echo $MYSQL_HOST $MYSQL_USER $MYSQL_PASSWORD $MYSQL_DATABASE
+ php7.4 console.php database:configure --host $MYSQL_HOST $MYSQL_USER $MYSQL_PASSWORD $MYSQL_DATABASE
+ php7.4 console.php database:install
+ php7.4 console.php installer:lock
+ update
+}
+
+update() {
+ echo "Update"
+ php7.4 console.php database:update
+ php7.4 console.php package:install TikiManager
+ php7.4 console.php package:install PDFjsViewer
+ php7.4 console.php package:install MediaAlchemyst
+ php7.4 console.php package:install diagram
+ php7.4 console.php package:install mPDF
+ php7.4 console.php package:install Lozad
+ php7.4 console.php package:install FakerPHP
+ php7.4 console.php package:install Expose
+ php7.4 console.php package:install CasperJS
+ php7.4 console.php package:update
+}
+
+[ -s ./db/local.php ] && update || install
+
exec $@
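Review bot: `echo $MYSQL_HOST $MYSQL_USER $MYSQL_PASSWORD $MYSQL_DATABASE` in `install()` writes the database password to the container log; log the host, user and database only. `[ -s ./db/local.php ] && update || install` runs `install` whenever `update` returns non-zero, and calling the functions inside an `&&`/`||` list switches `set -e` off within them, so a failed step neither stops the script nor prevents an install attempt against an existing database; an `if`/`else` avoids both. The expansions are unquoted, including `exec $@`, so values with spaces or glob characters are split. With `sudo -u www-data` removed and the image ending on `USER root`, these commands now run as root, which leaves the files they create root-owned.

```shell
install() {
    echo "Install"
    # Log the connection target only, never the password.
    echo "db host=$MYSQL_HOST user=$MYSQL_USER database=$MYSQL_DATABASE"
    php7.4 console.php database:configure --host "$MYSQL_HOST" "$MYSQL_USER" "$MYSQL_PASSWORD" "$MYSQL_DATABASE"
    # … unchanged: database:install, installer:lock, update …
}

# … unchanged: update() …

if [ -s ./db/local.php ]; then
    update
else
    install
fi

exec "$@"
```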