Restructure

.github/workflows/lint.yml

@@ -7,14 +7,23 @@ permissions:
   pull-requests: write
 
 jobs:
+  derivates:
+    name: Lookup derivates
+    runs-on: ubuntu-22.04
+    outputs:
+      matrix: ${{ env.derivates }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Lookup derivates
+        run: echo "derivates=$(make _derivates)" >> "$GITHUB_ENV"
   markdown:
     name: markdown
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
       - name: Run markdownlint
         uses: DavidAnson/markdownlint-cli2-action@v16
-  dockerfile:
+  base_dockerfile:
     name: dockerfile
     runs-on: ubuntu-22.04
     steps:
@@ -23,6 +32,21 @@ jobs:
         uses: hadolint/[email protected]
         with:
           trusted-registries: docker.io,ghcr.io
+  dockerfile:
+    name: dockerfile
+    runs-on: ubuntu-22.04
+    needs: derivates
+    strategy:
+      fail-fast: false
+      matrix:
+        derivate: ${{ fromJSON(needs.derivates.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run hadolint (${{ matrix.derivate }})
+        uses: hadolint/[email protected]
+        with:
+          dockerfile: ${{ matrix.derivate }}.dockerfile
+          trusted-registries: docker.io,ghcr.io
   shell-scripts:
     name: shell scripts
     runs-on: ubuntu-22.04

.github/workflows/push.yml

@@ -6,12 +6,23 @@ permissions:
   contents: read
 
 jobs:
+  derivates:
+    name: Lookup derivates
+    runs-on: ubuntu-22.04
+    outputs:
+      matrix: ${{ env.derivates }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Lookup derivates
+        run: echo "derivates=$(make _derivates)" >> "$GITHUB_ENV"
   build:
     name: HTTPS Proxy
     runs-on: ubuntu-22.04
+    needs: derivates
     strategy:
       fail-fast: false
       matrix:
+        derivate: ${{ fromJSON(needs.derivates.outputs.matrix) }}
         platform: [linux/arm64, linux/amd64]
     steps:
       - uses: actions/checkout@v4
@@ -20,21 +31,37 @@ jobs:
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@master
-      - name: Build HTTPS proxy (${{ matrix.platform }})
+      - name: Build HTTPS base proxy (${{ matrix.platform }})
         uses: docker/build-push-action@v6
         with:
           file: "Dockerfile"
           builder: ${{ steps.buildx.outputs.name }}
-          context: .
+          context: context/base
+          platforms: ${{ matrix.platform }}
+          labels: |
+            org.opencontainers.image.title=HTTPS base proxy
+            org.opencontainers.image.description=Docker image for HTTPS base proxy
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.version=base-${{ github.sha }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          tags: |
+            ghcr.io/${{ github.repository }}:base
+          load: true
+      - name: Build HTTPS ${{ matrix.derivate }} proxy (${{ matrix.platform }})
+        uses: docker/build-push-action@v6
+        with:
+          file: "${{ matrix.derivate }}.dockerfile"
+          builder: ${{ steps.buildx.outputs.name }}
+          context: context/derivate/${{ matrix.derivate }}
           platforms: ${{ matrix.platform }}
           labels: |
-            org.opencontainers.image.title=HTTPS proxy
-            org.opencontainers.image.description=Docker image for HTTPS proxy
+            org.opencontainers.image.title=HTTPS ${{ matrix.derivate }} proxy
+            org.opencontainers.image.description=Docker image for HTTPS ${{ matrix.derivate }} proxy
             org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.version=${{ github.sha }}
+            org.opencontainers.image.version=${{ matrix.derivate }}-${{ github.sha }}
             org.opencontainers.image.revision=${{ github.sha }}
           tags: |
-            ghcr.io/${{ github.repository }}:latest
+            ghcr.io/${{ github.repository }}:${{ matrix.derivate }}
           load: ${{ (matrix.platform == 'linux/amd64') }}
       - uses: e1himself/[email protected]
         if: ${{ (matrix.platform == 'linux/amd64') }}

.github/workflows/release.yml

@@ -12,11 +12,25 @@ permissions:
   packages: write
 
 jobs:
+  derivates:
+    name: Lookup derivates
+    runs-on: ubuntu-22.04
+    outputs:
+      matrix: ${{ env.derivates }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Lookup derivates
+        run: echo "derivates=$(make _derivates)" >> "$GITHUB_ENV"
   build:
     name: HTTPS proxy
     runs-on: ubuntu-22.04
     if: >-
       ${{ github.event.workflow_run.conclusion == 'success' }}
+    needs: derivates
+    strategy:
+      fail-fast: false
+      matrix:
+        derivate: ${{ fromJSON(needs.derivates.outputs.matrix) }}
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
@@ -30,19 +44,36 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.PAT_TOKEN }}
-      - name: Build HTTPS proxy
+      - name: Build HTTPS base proxy
+        uses: docker/build-push-action@v6
+        with:
+          file: "Dockerfile"
+          builder: ${{ steps.buildx.outputs.name }}
+          push: true
+          context: context/base
+          platforms: linux/amd64,linux/arm64
+          labels: |
+            org.opencontainers.image.title=HTTPS base proxy
+            org.opencontainers.image.description=Docker image for HTTPS base proxy
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.version=base-${{ github.sha }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          tags: |
+            ghcr.io/${{ github.repository }}:base
+          load: true
+      - name: Build HTTPS ${{ matrix.derivate }} proxy
         uses: docker/build-push-action@v6
         with:
           file: "Dockerfile"
           builder: ${{ steps.buildx.outputs.name }}
           push: true
-          context: .
+          context: context/derivate/${{ matrix.derivate }}
           platforms: linux/amd64,linux/arm64
           labels: |
-            org.opencontainers.image.title=HTTPS proxy
-            org.opencontainers.image.description=Docker image for HTTPS proxy
+            org.opencontainers.image.title=HTTPS ${{ matrix.derivate }} proxy
+            org.opencontainers.image.description=Docker image for HTTPS ${{ matrix.derivate }} proxy
             org.opencontainers.image.source=https://github.com/${{ github.repository }}
-            org.opencontainers.image.version=${{ github.sha }}
+            org.opencontainers.image.version=${{ matrix.derivate }}-${{ github.sha }}
             org.opencontainers.image.revision=${{ github.sha }}
           tags: |
-            ghcr.io/${{ github.repository }}:latest
+            ghcr.io/${{ github.repository }}:${{ matrix.derivate }}

Dockerfile

@@ -1,6 +1,6 @@
 FROM nginx:1.27.0-alpine3.19-slim@sha256:66943ac4a1ca7f111097d3c656939dfe8ae2bc8314bb45d6d80419c5fb25e304
 
-COPY context/ /
+COPY / /
 
 RUN apk add --no-cache \
     bash=~5 \
@@ -11,11 +11,6 @@ RUN apk add --no-cache \
 ARG workdir=/var/www
 WORKDIR "${workdir}"
 
-ENV NGINX_FASTCGI_PASS_HOST php
-ENV NGINX_FASTCGI_PASS_PORT 9000
-ENV NGINX_LISTEN 80
-ENV PROFILE drupal
-
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
 ENTRYPOINT [ "/sbin/tini", "--", "/usr/local/bin/entrypoint" ]

Makefile

@@ -1,18 +1,26 @@
 PLATFORMS=$(shell docker version --format '{{.Server.Os}}/{{.Server.Arch}}')
+DERIVATIVES=$(shell ls context/derived)
 
-.DEFAULT_GOAL := build
+.DEFAULT_GOAL := all
 .PHONY: all build clean help _platforms test
 
 all: PLATFORMS=linux/amd64,linux/arm64
+all: $(DERIVATIVES) ## Build Docker images for all derivatives
 
 help: ## Display a list of the public targets
 	@grep -E -h "^[a-z]+:.*##" $(MAKEFILE_LIST) | sed -e 's/\(.*\):.*## *\(.*\)/\1|\2/' | column -s '|' -t
 
+_derivates: ## Output platforms as JSON list
+	@echo $(DERIVATIVES) | jq --compact-output --raw-input 'split(" ") | map(select(. != ""))'
+
 _platforms: ## Output platforms as JSON list
 	@echo $(PLATFORMS) | jq --compact-output --raw-input 'split(",") | map(select(. != ""))'
 
-build: ## Build Docker image for the HTTPS proxy
-	docker buildx build --platform=$(PLATFORMS) --file Dockerfile --tag ghcr.io/reload/https-proxy:latest --load .
+base:
+	docker build --platform=$(PLATFORMS) --file Dockerfile --tag ghcr.io/reload/https-proxy:$@ --load context/base
+
+$(DERIVATIVES): base ## Build Docker image for derivative
+	docker build --platform=$(PLATFORMS) --file $@.dockerfile --tag ghcr.io/reload/https-proxy:$@ --load context/derived/$@
 
 test:
-	dgoss run -e PROFILE=none ghcr.io/reload/https-proxy:latest
+	dgoss run ghcr.io/reload/https-proxy:base

context/etc/entrypoint.d/certs.sh → context/base/etc/entrypoint.d/10-certs.sh

@@ -33,3 +33,6 @@ certtool --generate-certificate --load-request /tmp/request.pem --load-ca-certif
 
 cp "${CA_CERT}" /usr/local/share/ca-certificates/
 /usr/sbin/update-ca-certificates
+
+mkdir -p /etc/nginx/include.d
+envsubst </etc/ssl.conf.template >/etc/nginx/include.d/ssl.conf

context/base/etc/ssl.conf.template

@@ -0,0 +1,5 @@
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name "${FIRST_VIRTUAL_HOST}";
+    ssl_certificate     /cert/${FIRST_VIRTUAL_HOST}.crt;
+    ssl_certificate_key /cert/${FIRST_VIRTUAL_HOST}.key;

context/etc/nginx/profiles/drupal.conf.template → context/derived/drupal/etc/nginx/templates/default.conf.template

@@ -3,12 +3,8 @@
 # and https://blog.john-pfeiffer.com/drupal-with-docker-compose-and-nginx-and-php-fpm-and-mariadb/
 server {
 
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name "${FIRST_VIRTUAL_HOST}";
-    ssl_certificate     /cert/${FIRST_VIRTUAL_HOST}.crt;
-    ssl_certificate_key /cert/${FIRST_VIRTUAL_HOST}.key;
-
+    include include.d/ssl.conf;
+
     root /var/www/web;
 
     disable_symlinks off;

drupal.dockerfile

@@ -0,0 +1,6 @@
+FROM ghcr.io/reload/https-proxy:base
+
+COPY / /
+
+ENV NGINX_FASTCGI_PASS_HOST php
+ENV NGINX_FASTCGI_PASS_PORT 9000