Compile nginx+passenger for Decidim and finalize install script

lxc-apps/decidim/install.sh

@@ -22,20 +22,20 @@ chown 108080:108080 /srv/decidim/decidim_conf
 lxc-execute decidim -- tar -cC /srv/decidim-app/config . | tar -xC /srv/decidim/decidim_conf
 
 # Configure Decidim
-export DECIDIM_SECRET=$(rake secret)
+export DECIDIM_SECRET=$(lxc-execute decidim -- rake secret)
+mkdir -p /srv/decidim/decidim_data/storage /srv/decidim/decidim_data/uploads
+chown 108080:108080 /srv/decidim/decidim_data/storage /srv/decidim/decidim_data/uploads
 cp decidim_conf/environments/production.rb /srv/decidim/decidim_conf/environments/production.rb
 cp decidim_conf/initializers/decidim.rb /srv/decidim/decidim_conf/initializers/decidim.rb
 envsubst <decidim_conf/application.yml >/srv/decidim/decidim_conf/application.yml
 
 # Populate database
-lxc-execute decidim -- RAILS_ENV=production bin/rails db:create db:migrate
+lxc-execute decidim -- sh -c 'cd /srv/decidim-app; bin/rails db:migrate'
 
 # Create admin account
 export DECIDIM_ADMIN_EMAIL=admin@example.com
 export DECIDIM_ADMIN_PWD=$(head -c 12 /dev/urandom | base64 | tr -d '+/=')
-#lxc-execute decidim -- bin/rails console -e production
+envsubst <adminpwd.rb | lxc-execute decidim -- sh -c 'cd /srv/decidim-app; bin/rails console -e production'
-#user = Decidim::System::Admin.new(email: "admin@example.org", password: "P8vDKAc3FdEte9Hw", password_confirmation: "P8vDKAc3FdEte9Hw")
-#user.save!
 
 # Install config update script
 cp update-conf.sh /srv/decidim/update-conf.sh

lxc-apps/decidim/install/adminpwd.rb

@@ -0,0 +1,3 @@
+user = Decidim::System::Admin.new(email: "${DECIDIM_ADMIN_EMAIL}", password: "${DECIDIM_ADMIN_PWD}", password_confirmation: "${DECIDIM_ADMIN_PWD}")
+user.save!
+quit

lxc-apps/decidim/lxc/etc/crontabs/decidim

@@ -0,0 +1 @@
+*/5 * * * * [ -s /srv/decidim-app/tmp/pids/delayed_job.pid ] || RAILS_ENV=production /srv/decidim-app/bin/delayed_job start >/dev/null

lxc-apps/decidim/lxc/etc/nginx/nginx.conf

@@ -1,4 +1,4 @@
-user nginx;
+user decidim;
 pid /run/nginx.pid;
 worker_processes 1;
 error_log /dev/stderr warn;
@@ -17,6 +17,9 @@ http {
 	sendfile on;
 	send_timeout 300;
 
+	passenger_root /usr/local/lib/ruby/gems/2.6.0/gems/passenger-6.0.4;
+	passenger_ruby /usr/local/bin/ruby;
+
 	server {
 		listen 8080;
 		server_name localhost;

lxc-apps/decidim/lxc/etc/services.d/.s6-svscan/finish

@@ -1,4 +1,4 @@
 #!/bin/execlineb -P
 
-foreground { s6-svwait -d -t 3000 delayed_job }
+foreground { s6-svwait -d -t 3000 cron }
 foreground { s6-svwait -d -t 3000 nginx }

lxc-apps/decidim/lxc/etc/services.d/cron/run

@@ -0,0 +1,4 @@
+#!/bin/execlineb -P
+
+fdmove -c 2 1
+crond -f -d 8

lxc-apps/decidim/lxc/etc/services.d/delayed_job/run

@@ -1,6 +0,0 @@
-#!/bin/execlineb -P
-
-export RAILS_ENV production
-fdmove -c 2 1
-s6-setuidgid www-data
-/srv/decidim-app/bin/delayed_job start

lxc-apps/decidim/lxcfile

@@ -3,7 +3,6 @@ IMAGE decidim_0.0.1-191113
 LAYER alpine3.9_3.9.4-190620
 LAYER alpine3.9-ruby2.6_2.6.3-190620
 LAYER alpine3.9-nodejs10_10.14.2-190620
-LAYER alpine3.9-nginx_1.14.2-191115
 
 MERGE /usr/bin/lxcmerge
 
@@ -14,14 +13,46 @@ ENV RAILS_ENV production
 
 RUN EOF
     # Install runtime dependencies
-    apk --no-cache add libpq tzdata
+    apk --no-cache add curl libpq pcre procps tzdata
 
     # Install build dependencies
-    apk --no-cache add --virtual .deps build-base icu-dev libxml2-dev libxslt-dev postgresql-dev zlib-dev
+    apk --no-cache add --virtual .deps build-base curl-dev icu-dev libxml2-dev libxslt-dev linux-headers pcre-dev postgresql-dev zlib-dev
 
     # Install passenger
     gem install passenger --no-document
 
+    # Create OS user
+    addgroup -S decidim
+    adduser -S -h /srv/decidim-app -s /sbin/nologin -G decidim -g decidim decidim
+
+    # Compile nginx
+    # taken from passenger-install-nginx-module
+    cd /tmp
+    wget https://nginx.org/download/nginx-1.17.3.tar.gz
+    tar xf nginx-1.17.3.tar.gz
+    cd nginx-1.17.3
+    ./configure \
+        --prefix=/var/lib/nginx \
+        --sbin-path=/usr/sbin/nginx \
+        --conf-path=/etc/nginx/nginx.conf \
+        --pid-path=/run/nginx.pid \
+        --lock-path=/run/nginx.lock \
+        --user=decidim \
+        --group=decidim \
+        --with-threads \
+        --with-file-aio \
+        --with-http_ssl_module \
+        --with-http_v2_module \
+        --with-http_realip_module \
+        --with-http_gzip_static_module \
+        --with-http_stub_status_module \
+        --with-http_addition_module \
+        --with-cc-opt=-Wno-error \
+        --add-module=/usr/local/lib/ruby/gems/2.6.0/gems/passenger-6.0.4/src/nginx_module
+    make -j $(getconf _NPROCESSORS_ONLN)
+    make install
+    rm -f /etc/nginx/*.default
+
     # Install Decidim
     bundle config build.nokogiri --use-system-libraries
     gem install decidim
@@ -43,10 +74,12 @@ RUN EOF
     bin/rails assets:precompile
 
     # Change ownership
-    chown -R nginx:www-data /srv/decidim-app
+    chown -R decidim:decidim /srv/decidim-app
 
     # Cleanup
     apk --no-cache del .deps
+    rm -rf /tmp/*
+    rm -rf /root/.bundle /root/.gem
 EOF
 
 CMD s6-svscan /etc/services.d

lxc-apps/decidim/meta

@@ -14,6 +14,8 @@
             ],
             "mounts": [
                 ["DIR", "/srv/decidim/decidim_conf", "/srv/decidim-app/config"]
+                ["DIR", "/srv/decidim/decidim_data/storage", "/srv/decidim-app/storage"]
+                ["DIR", "/srv/decidim/decidim_data/uploads", "/srv/decidim-app/public/uploads"]
             ]
         },
         "decidim-postgres": {