
run as unprivileged user

Fabian Peter Hammerle 5 years ago
parent
commit
c63b735846
4 changed files with 25 additions and 18 deletions
  1. 4 5
      Dockerfile
  2. 1 2
      README.md
  3. 13 10
      apache2.conf
  4. 7 1
      run-koel.sh

+ 4 - 5
Dockerfile

@@ -37,14 +37,13 @@ RUN docker-php-ext-install -j$(nproc) \
 RUN a2enmod headers rewrite
 RUN a2disconf other-vhosts-access-log
 COPY ./apache2.conf /etc/apache2/apache2.conf
+RUN chmod o+r /etc/apache2/apache2.conf
 EXPOSE 8080
 COPY --from=js-build /koel /koel
 WORKDIR /koel
-# TODO chown on entire ./storage ?
-RUN mkdir ./storage/logs \
-    && chown --changes www-data ./storage/logs \
-    && chown --changes --recursive www-data ./storage/framework
+RUN chown --changes --recursive www-data .env storage/
 # TODO production php.ini
-# TODO run as non-root
 COPY ./run-koel.sh /
+RUN chmod o+rx /run-koel.sh
+USER www-data
 CMD ["/run-koel.sh"]
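Review bot: The added `RUN chown --changes --recursive www-data .env storage/` leaves `.env` writable by the same account that now runs Apache and PHP, so a file-write flaw in the application could alter its own configuration and keys. If the file has to be writable only because `php artisan koel:init` updates it at start-up (presumably; that is not visible in this hunk), record that in a comment above the line, for example `# .env is rewritten by koel:init at start-up; the rest of /koel stays root-owned`. Restricting the mode in the same layer with `&& chmod 600 .env` would also keep it from being readable by other accounts. The README passes DB_PASSWORD through `--env`, so it is worth confirming whether `.env` needs to hold secrets in the image at all.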

+ 1 - 2
README.md

@@ -20,8 +20,7 @@ $ sudo docker run --rm --interactive --tty \
     --env DB_DATABASE=koel \
     --env DB_PASSWORD=secret \
     --network koel --publish=8080:8080 \
-    --security-opt=no-new-privileges \
-    --cap-drop=all --cap-add=setuid --cap-add=setgid \
+    --security-opt=no-new-privileges --cap-drop=all \
     koel
 + php artisan koel:init
 Attempting to install or upgrade Koel.

+ 13 - 10
apache2.conf

@@ -2,14 +2,13 @@ ErrorLog /dev/stderr
 LogLevel warn
 # LogLevel info rewrite:trace3
 
-# need to be set in /etc/apache2/envvars
-User ${APACHE_RUN_USER}
-Group ${APACHE_RUN_GROUP}
+# Permission denied: AH00099: could not create /var/run/apache2.pid
+PidFile /tmp/apache2.pid
 
 IncludeOptional mods-enabled/*.load
 IncludeOptional mods-enabled/*.conf
 
-Timeout 256
+Timeout 128
 KeepAlive On
 MaxKeepAliveRequests 32
 KeepAliveTimeout 8
@@ -24,7 +23,10 @@ Listen 8080
 
 ServerTokens Prod
 ServerSignature Off
-Header set X-Frame-Options: "sameorigin"
+FileETag None
+TraceEnable off
+Header always set X-Frame-Options "sameorigin"
+Header set X-XSS-Protection "1; mode=block"
 
 LogFormat "%{%Y-%m-%dT%H:%M:%S%z}t %h \"%r\" %>s" neat
 CustomLog /dev/stdout neat
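Review bot: The added `Header set X-XSS-Protection "1; mode=block"` turns on a legacy browser filter that current browsers no longer implement and that caused cross-site information leaks in older ones. Current guidance is to send `Header always set X-XSS-Protection "0"` or to omit the header and rely on a Content-Security-Policy. The line also uses `Header set` while the X-Frame-Options line above it was changed to `Header always set`, so error responses carry only one of the two headers. If a second hardening header is wanted here, `Header always set X-Content-Type-Options "nosniff"` is the more useful choice.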
@@ -36,9 +38,8 @@ CustomLog /dev/stdout neat
 </VirtualHost>
 
 <Directory />
-	Options FollowSymLinks
-	AllowOverride None
-	Require all denied
+    AllowOverride None
+    Require all denied
 </Directory>
 
 AccessFileName .htaccess
@@ -48,8 +49,10 @@ AccessFileName .htaccess
 
 <Directory /koel>
     # TODO check
-	AllowOverride All
-	Require all granted
+    Options -Indexes -Includes -FollowSymLinks +SymLinksIfOwnerMatch
+    # TODO check
+    AllowOverride All
+    Require all granted
 </Directory>
 
 IncludeOptional conf-enabled/*.conf
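Review bot: The second `# TODO check` added above `AllowOverride All` does not say what has to be checked, and `AllowOverride All` lets any `.htaccess` under /koel override the `Options` line added just above it. That matters more after this commit, because the Dockerfile now makes `storage/` writable by www-data; whether that directory is reachable through the DocumentRoot is not visible here. I would replace the comment with `# TODO: narrow AllowOverride to the directive classes koel's .htaccess actually needs; "All" lets .htaccess undo the Options line above`.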

+ 7 - 1
run-koel.sh

@@ -1,4 +1,10 @@
-set -ex
+set -e
+
+if [ "$(id -u)" = "0" ]; then
+    exit 1
+fi
+
+set -x
 
 # TODO run non-interactively
 php artisan koel:init
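Review bot: The root guard added at the top of run-koel.sh exits with status 1 before `set -x` is enabled and prints nothing. A container started with `--user root`, or built from an image that lost its `USER www-data` line, therefore stops without any hint of the cause. Write the reason to stderr on the line before `exit 1`, for example `echo "run-koel.sh: refusing to run as root (uid 0)" >&2`. The script may continue past the end of this hunk.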