Merge branch 'develop'

Author: martinyde

.docker/data/.gitignore

@@ -0,0 +1,5 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
+!Readme.md

.docker/data/README.md

@@ -0,0 +1,26 @@
+# .docker/data
+
+Please map persistent volumes to this directory on the servers.
+
+If a container needs to persist data between restarts you can map the relevant files in the container to ``docker/data/<container-name>`.
+
+## RabbitMQ example
+If you are using RabbitMQ running in a container as a message broker you need to configure a persistent volume for RabbitMQs data directory to avoid losing message on container restarts.
+
+```yaml
+# docker-compose.server.override.yml
+
+services:
+  rabbit:
+    image: rabbitmq:3.9-management-alpine
+    hostname: "${COMPOSE_PROJECT_NAME}"
+    networks:
+      - app
+      - frontend
+    environment:
+      - "RABBITMQ_DEFAULT_USER=${RABBITMQ_USER}"
+      - "RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASSWORD}"
+      - "RABBITMQ_ERLANG_COOKIE=${RABBITMQ_ERLANG_COOKIE}"
+    volumes:
+      - ".docker/data/rabbitmq:/var/lib/rabbitmq/mnesia/"
+```

.docker/nginx.conf

@@ -0,0 +1,37 @@
+worker_processes  auto;
+
+error_log  /dev/stderr notice;
+pid        /tmp/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    proxy_temp_path /tmp/proxy_temp;
+    client_body_temp_path /tmp/client_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    set_real_ip_from 172.16.0.0/8;
+    real_ip_recursive on;
+    real_ip_header X-Forwarded-For;
+
+    log_format  main  '$http_x_real_ip - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /dev/stdout main;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}

.docker/templates/default.conf.template

@@ -0,0 +1,98 @@
+server {
+    listen ${NGINX_PORT};
+    server_name localhost;
+
+    root ${NGINX_WEB_ROOT};
+
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~* \.(txt|log)$ {
+        deny all;
+    }
+
+    location ~ \..*/.*\.php$ {
+        return 403;
+    }
+
+    location ~ ^/sites/.*/private/ {
+        return 403;
+    }
+
+    # Block access to scripts in site files directory
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+
+    # Block access to "hidden" files and directories whose names begin with a
+    # period.
+    location ~ (^|/)\. {
+        return 403;
+    }
+
+    location / {
+        try_files $uri /index.php?$query_string;
+    }
+
+    location @rewrite {
+        rewrite ^ /index.php;
+    }
+
+    # Don't allow direct access to PHP files in the vendor directory.
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }
+
+    # Protect files and directories from prying eyes.
+    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.tar|.gz|.bz2|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+        deny all;
+        return 404;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        include fastcgi_params;
+
+        fastcgi_buffers 16 32k;
+        fastcgi_buffer_size 64k;
+        fastcgi_busy_buffers_size 64k;
+
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+
+        # Ensure the php file exists. Mitigates CVE-2019-11043
+        try_files $fastcgi_script_name =404;
+
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param QUERY_STRING $query_string;
+
+        fastcgi_intercept_errors on;
+        fastcgi_pass ${NGINX_FPM_SERVICE};
+
+        # @TODO Can we fall back to the default value here if NGINX_FASTCGI_READ_TIMEOUT is not defined?
+        # Cf. https://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_read_timeout
+        fastcgi_read_timeout ${NGINX_FASTCGI_READ_TIMEOUT};
+    }
+
+    # Enforce clean URLs
+    #
+    # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+    # Could be done with 301 for permanent or other redirect codes.
+    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+        return 307 $1$2;
+    }
+
+    error_log /dev/stderr;
+    access_log /dev/stdout main;
+}

.docker/vhost.conf

@@ -1,6 +1,5 @@
-# @see https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
 server {
-    listen 80;
+    listen 8080;
     server_name localhost;
 
     root /app/web;
@@ -16,9 +15,7 @@ server {
         access_log off;
     }
 
-    # Very rarely should these ever be accessed outside of your lan
     location ~* \.(txt|log)$ {
-        allow 192.168.0.0/16;
         deny all;
     }
 
@@ -35,25 +32,18 @@ server {
         deny all;
     }
 
-    # Allow "Well-Known URIs" as per RFC 5785
-    location ~* ^/.well-known/ {
-        allow all;
-    }
-
     # Block access to "hidden" files and directories whose names begin with a
-    # period. This includes directories used by version control systems such
-    # as Subversion or Git to store control files.
+    # period.
     location ~ (^|/)\. {
         return 403;
     }
 
     location / {
-        # try_files $uri @rewrite; # For Drupal <= 6
-        try_files $uri /index.php?$query_string; # For Drupal >= 7
+        try_files $uri /index.php?$query_string;
     }
 
     location @rewrite {
-        rewrite ^/(.*)$ /index.php?q=$1;
+        rewrite ^ /index.php;
     }
 
     # Don't allow direct access to PHP files in the vendor directory.
@@ -62,47 +52,41 @@ server {
         return 404;
     }
 
-    # In Drupal 8, we must also match new paths where the '.php' appears in
-    # the middle, such as update.php/selection. The rule we use is strict,
-    # and only allows this pattern with the update.php front controller.
-    # This allows legacy path aliases in the form of
-    # blog/index.php/legacy-path to continue to route to Drupal nodes. If
-    # you do not have any paths like that, then you might prefer to use a
-    # laxer rule, such as:
-    #   location ~ \.php(/|$) {
-    # The laxer rule will continue to work if Drupal uses this new URL
-    # pattern with front controllers other than update.php in a future
-    # release.
+    # Protect files and directories from prying eyes.
+    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.tar|.gz|.bz2|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+        deny all;
+        return 404;
+    }
+
     location ~ '\.php$|^/update.php' {
-        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
-        # Security note: If you're running a version of PHP older than the
-        # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
-        # See http://serverfault.com/q/627903/94922 for details.
         include fastcgi_params;
-        # Block httpoxy attacks. See https://httpoxy.org/.
+
+        fastcgi_buffers 16 32k;
+        fastcgi_buffer_size 64k;
+        fastcgi_busy_buffers_size 64k;
+
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+
+        # Ensure the php file exists. Mitigates CVE-2019-11043
+        try_files $fastcgi_script_name =404;
+
         fastcgi_param HTTP_PROXY "";
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $fastcgi_path_info;
         fastcgi_param QUERY_STRING $query_string;
+
         fastcgi_intercept_errors on;
         fastcgi_pass phpfpm:9000;
     }
 
-    # Fighting with Styles? This little gem is amazing.
-    # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
-    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
-        try_files $uri @rewrite;
+    # Enforce clean URLs
+    #
+    # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+    # Could be done with 301 for permanent or other redirect codes.
+    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+        return 307 $1$2;
     }
 
-    # Handle private files through Drupal. Private file's path can come
-    # with a language prefix.
-    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
-        try_files $uri /index.php?$query_string;
-    }
-
-    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
-        try_files $uri @rewrite;
-        expires max;
-        log_not_found off;
-    }
+    error_log /dev/stderr;
+    access_log /dev/stdout main;
 }

.gitattributes

@@ -19,29 +19,32 @@
 *.config  text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.css     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.dist    text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
-*.engine  text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php
+*.engine  text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php linguist-language=php
 *.html    text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=html
-*.inc     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php
-*.install text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php
+*.inc     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php linguist-language=php
+*.install text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php linguist-language=php
 *.js      text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.json    text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.lock    text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.map     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.md      text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
-*.module  text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php
-*.php     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php
+*.module  text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php linguist-language=php
+*.php     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php linguist-language=php
 *.po      text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
-*.profile text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php
+*.profile text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php linguist-language=php
 *.script  text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
-*.sh      text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php
+*.sh      text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php linguist-language=php
 *.sql     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.svg     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
-*.theme   text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php
+*.theme   text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2 diff=php linguist-language=php
 *.twig    text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.txt     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.xml     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 *.yml     text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tab-in-indent,tabwidth=2
 
+# PHPStan's baseline uses tabs instead of spaces.
+core/.phpstan-baseline.php text eol=lf whitespace=blank-at-eol,-blank-at-eof,-space-before-tab,tabwidth=2 diff=php linguist-language=php
+
 # Define binary file attributes.
 # - Do not treat them as text.
 # - Include binary diff in patches instead of "binary files differ."

.github/workflows/docker-image.yaml

@@ -0,0 +1,49 @@
+on: push
+
+name: Docker image
+jobs:
+  build:
+    name: Build and push
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+    - name: Setup PHP, with composer and extensions
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: 8.2
+        extensions: dom, zip
+        coverage: none
+        tools: composer:v2
+    - name: Install PHP dependencies
+      run: |
+        composer install --no-interaction --no-progress
+    - name: Build theme
+      working-directory: web/profiles/custom/os2loop/themes/os2loop_theme
+      run: |
+        yarn install
+        yarn build
+    - name: Set up Docker Buildx
+      id: buildx
+      uses: docker/setup-buildx-action@v1
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v1
+      # We only push from the default branch, so no need to login from elsewhere.
+      if: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v2
+      with:
+        builder: ${{ steps.buildx.outputs.name }}
+        # Only push the image if this is a push to the default branch.
+        push: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+        context: .
+        labels: |
+          org.opencontainers.image.source=https://github.com/${{ github.repository }}
+          org.opencontainers.image.version=${{ github.sha }}
+          org.opencontainers.image.revision=${{ github.sha }}
+        tags: |
+          ghcr.io/${{ github.repository }}:latest