Revert "build: clean up s6 overlay structure"

This reverts commit 90420823b0.

root/defaults/nginx/dhparams.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----

root/defaults/nginx/nginx.conf.sample

@@ -0,0 +1,91 @@
+# #
+#   @project        TVApp2
+#   @usage          Automatic m3u and xml guide updater for TheTvApp, TVPass, and MoveOnJoy utilized within your IPTV client.
+#   @file           nginx.conf.sample
+#   @repo.1         https://github.com/TheBinaryNinja/tvapp2
+#   @repo.2         https://git.binaryninja.net/BinaryNinja/tvapp2
+#   @repo.3         https://github.com/aetherinox/docker-base-alpine
+# #
+
+user dockerx;
+
+# Set number of worker processes automatically based on number of CPU cores.
+include /config/nginx/worker_processes.conf;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /config/log/nginx/error.log;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*.conf;
+
+events
+{
+    # The maximum number of simultaneous connections that can be opened by
+    # a worker process.
+    worker_connections 1024;
+}
+
+http
+{
+    # Includes mapping of file name extensions to MIME types of responses
+    # and defines the default type.
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Name servers used to resolve names of upstream servers into addresses.
+    # It's also needed when using tcpsocket and udpsocket in Lua modules.
+    # resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;
+    include /config/nginx/resolver.conf;
+
+    # Don't tell nginx version to the clients. Default is 'on'.
+    server_tokens off;
+
+    # Specifies the maximum accepted body size of a client request, as
+    # indicated by the request header Content-Length. If the stated content
+    # length is greater than this size, then the client receives the HTTP
+    # error code 413. Set to 0 to disable. Default is '1m'.
+    client_max_body_size 0;
+
+    # Sendfile copies data between one FD and other from within the kernel,
+    # which is more efficient than read() + write(). Default is off.
+    sendfile on;
+
+    # Causes nginx to attempt to send its HTTP response head in one packet,
+    # instead of using partial frames. Default is 'off'.
+    tcp_nopush on;
+
+    # all ssl related config moved to ssl.conf
+    # included in server blocks where listen 443 is defined
+
+    # Enable gzipping of responses.
+    # gzip on;
+
+    # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+    gzip_vary on;
+
+    # Helper variable for proxying websockets.
+    map $http_upgrade $connection_upgrade
+    {
+        default upgrade;
+        '' close;
+    }
+
+    # Enable http2 by default for all servers
+    http2 on;
+
+    # Sets the path, format, and configuration for a buffered log write.
+    access_log /config/log/nginx/access.log;
+
+    # Includes virtual hosts configs.
+    include /etc/nginx/http.d/*.conf;
+    include /config/nginx/site-confs/*.conf;
+}
+
+daemon off;
+pid /run/nginx.pid;

root/defaults/nginx/site-confs/default.conf.sample

@@ -0,0 +1,82 @@
+# #
+#   @project        TVApp2
+#   @usage          Automatic m3u and xml guide updater for TheTvApp, TVPass, and MoveOnJoy utilized within your IPTV client.
+#   @file           default.conf.sample
+#   @repo.1         https://github.com/TheBinaryNinja/tvapp2
+#   @repo.2         https://git.binaryninja.net/BinaryNinja/tvapp2
+#   @repo.3         https://github.com/aetherinox/docker-base-alpine
+# #
+
+server
+{
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+    set $root /app/www/public;
+    if (!-d /app/www/public)
+    {
+        set $root /config/www;
+    }
+
+    root $root;
+    index index.html index.htm index.php;
+
+    location /
+    {
+        # enable for basic auth
+        #auth_basic                 "Restricted";
+        #auth_basic_user_file       /config/nginx/.htpasswd;
+
+        # index > fancy
+        fancyindex                  on;
+        fancyindex_header           "/theme/header.html";
+        fancyindex_footer           "/theme/footer.html";
+        fancyindex_ignore           "theme";
+        fancyindex_time_format      "%m-%d-%Y %T";
+        fancyindex_name_length      255;
+        fancyindex_show_dotfiles    off;
+        fancyindex_hide_symlinks    on;
+        fancyindex_default_sort     name;
+
+        # index > auto
+    	autoindex_exact_size        off;
+    	autoindex_format            html;
+    	autoindex_localtime         on;
+
+        gzip on;
+        gzip_vary on;
+        gzip_types text/css text/javascript text/xml application/atom+xml application/rss+xml text/markdown text/mathml text/plain text/vnd.sun.j2me.app-descriptor text/vnd.wap.wml text/x-component application/json application/xhtml+xml application/xspf+xml font/woff font/woff2 image/avif image/bmp image/png image/svg+xml image/tiff image/vnd.wap.wbmp image/webp image/x-icon image/x-jng audio/midi audio/mpeg audio/ogg audio/x-m4a audio/x-realaudio;
+        gzip_proxied any;
+        gzip_comp_level 1;
+        gzip_http_version 1.0;
+        gunzip on;
+        gzip_static on;
+
+        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+    }
+
+    location ~ ^(.+\.php)(.*)$
+    {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht
+    {
+        deny all;
+    }
+}

root/defaults/nginx/ssl.conf.sample

@@ -0,0 +1,66 @@
+# #
+#   @project        TVApp2
+#   @usage          Automatic m3u and xml guide updater for TheTvApp, TVPass, and MoveOnJoy utilized within your IPTV client.
+#   @file           nginx.conf.sample
+#   @repo.1         https://github.com/TheBinaryNinja/tvapp2
+#   @repo.2         https://git.binaryninja.net/BinaryNinja/tvapp2
+#   @repo.3         https://github.com/aetherinox/docker-base-alpine
+# #
+
+# #
+#   generated 2023-06-25, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.1.1, intermediate configuration
+#   https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=intermediate&openssl=3.1.1&guideline=5.7
+# #
+
+ssl_certificate             /config/keys/cert.crt;
+ssl_certificate_key         /config/keys/cert.key;
+ssl_session_timeout         1d;
+ssl_session_cache           shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets         off;
+
+# #
+#   curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+# #
+
+ssl_dhparam                 /config/nginx/dhparams.pem;
+
+# #
+#   intermediate configuration
+# #
+
+ssl_protocols               TLSv1.2 TLSv1.3;
+ssl_ciphers                 ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers   on;
+
+# #
+#   OCSP stapling
+# #
+
+# ssl_stapling              on;
+# ssl_stapling_verify       on;
+
+# #
+#   verify chain of trust of OCSP response using Root CA and Intermediate certs
+# #
+
+# ssl_trusted_certificate   /config/keys/cert.crt;
+
+# #
+#   HSTS (ngx_http_headers_module is required) (63072000 seconds)
+# #
+
+add_header X-Content-Type-Options nosniff;
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
+
+# #
+#   Optional additional headers
+# #
+
+# add_header                Cache-Control "no-transform" always;
+# add_header                Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;
+# add_header                Permissions-Policy "interest-cohort=()" always;
+# add_header                Referrer-Policy "same-origin" always;
+# add_header                X-Content-Type-Options "nosniff" always;
+# add_header                X-Frame-Options "SAMEORIGIN" always;
+# add_header                X-UA-Compatible "IE=Edge" always;
+# add_header                X-XSS-Protection "1; mode=block" always;

root/etc/logrotate.d/nginx

@@ -0,0 +1,14 @@
+/config/log/nginx/*.log {
+        weekly
+        rotate 14
+        compress
+        delaycompress
+        nodateext
+        notifempty
+        missingok
+        sharedscripts
+        postrotate
+                s6-svc -1 /run/service/svc-nginx
+        endscript
+        su dockerx dockerx
+}

root/etc/logrotate.d/php-fpm

@@ -0,0 +1,14 @@
+/config/log/php/*.log {
+        rotate 7
+        weekly
+        missingok
+        notifempty
+        delaycompress
+        compress
+        nodateext
+        sharedscripts
+        postrotate
+                s6-svc -t /run/service/svc-php-fpm
+        endscript
+        su dockerx dockerx
+}

root/etc/nginx/nginx.conf

@@ -0,0 +1 @@
+include /config/nginx/nginx.conf;

root/etc/s6-overlay/s6-rc.d/init-folders/run

@@ -4,4 +4,8 @@
 # make folders
 mkdir -p \
     /config/{keys,php,www} \
-    /run
+    /config/log/{nginx,php} \
+    /config/nginx/site-confs \
+    /run \
+    /var/lib/nginx/tmp/client_body \
+    /var/tmp/nginx

root/etc/s6-overlay/s6-rc.d/init-nginx/up

@@ -1,2 +1 @@
-# this file allows you to load an nginx webserver
-# /etc/s6-overlay/s6-rc.d/init-nginx/run
+/etc/s6-overlay/s6-rc.d/init-nginx/run

root/etc/s6-overlay/s6-rc.d/init-permissions/run

@@ -2,13 +2,22 @@
 # shellcheck shell=bash
 
 # permissions
+aetherxown -R dockerx:dockerx \
+    /var/lib/nginx \
+    /var/tmp/nginx
+
 aetherxown -R dockerx:dockerx \
     /config/keys \
     /config/log \
+    /config/nginx \
+    /config/php
 
 aetherxown dockerx:dockerx \
     /config/www
 
+chmod -R g+w \
+    /config/nginx
+
 chmod -R 644 /etc/logrotate.d
 
 if [[ -f "/config/log/logrotate.status" ]]; then

root/etc/s6-overlay/s6-rc.d/init-version-checks/run

@@ -2,23 +2,23 @@
 # shellcheck shell=bash
 
 # detect nginx configs with dates not matching the provided sample files
-# active_confs=$(find /config/nginx/ -name "*.conf" -type f 2>/dev/null)
+active_confs=$(find /config/nginx/ -name "*.conf" -type f 2>/dev/null)
 
-# for i in ${active_confs}; do
-#    if [ -f "${i}.sample" ]; then
-#        if [ "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}")" != "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}.sample")" ]; then
-#            active_confs_changed="│ $(printf '%10s' "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}" | tr / -)") │ $(printf '%10s' "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}.sample" | tr / -)") │ $(printf '%-70s' "${i}") │\n${active_confs_changed}"
-#        fi
-#    fi
-# done
+for i in ${active_confs}; do
+    if [ -f "${i}.sample" ]; then
+        if [ "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}")" != "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}.sample")" ]; then
+            active_confs_changed="│ $(printf '%10s' "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}" | tr / -)") │ $(printf '%10s' "$(sed -nE 's|^## Version ([0-9]{4}\/[0-9]{2}\/[0-9]{2}).*|\1|p' "${i}.sample" | tr / -)") │ $(printf '%-70s' "${i}") │\n${active_confs_changed}"
+        fi
+    fi
+done
 
 # detect site-confs with wrong extension
-# site_confs_wrong_ext=$(find /config/nginx/site-confs/ -type f -not -name "*.conf" -not -name "*.conf.sample" 2>/dev/null)
+site_confs_wrong_ext=$(find /config/nginx/site-confs/ -type f -not -name "*.conf" -not -name "*.conf.sample" 2>/dev/null)
 
-# if [ -n "${site_confs_wrong_ext}" ]; then
-#    echo "**** The following site-confs have extensions other than .conf ****"
-#    echo "**** This may be due to user customization. ****"
-#    echo "**** You should review the files and rename them to use the .conf extension or remove them. ****"
-#    echo "**** nginx.conf will only include site-confs with the .conf extension. ****"
-#    echo -e "${site_confs_wrong_ext}"
-# fi
+if [ -n "${site_confs_wrong_ext}" ]; then
+    echo "**** The following site-confs have extensions other than .conf ****"
+    echo "**** This may be due to user customization. ****"
+    echo "**** You should review the files and rename them to use the .conf extension or remove them. ****"
+    echo "**** nginx.conf will only include site-confs with the .conf extension. ****"
+    echo -e "${site_confs_wrong_ext}"
+fi

root/etc/s6-overlay/s6-rc.d/svc-nginx/run

@@ -1,3 +1,16 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
+
+if pgrep -f "[n]ginx:" >/dev/null; then
+    echo "Zombie nginx processes detected, sending SIGTERM"
+    pkill -ef [n]ginx:
+    sleep 1
+fi
+
+if pgrep -f "[n]ginx:" >/dev/null; then
+    echo "Zombie nginx processes still active, sending SIGKILL"
+    pkill -9 -ef [n]ginx:
+    sleep 1
+fi
+
 # exec /usr/sbin/nginx