Files
ansible-lemp-wordpress/docker/Dockerfile
Sebastian Palencsar dffd8e3b76 feat: v2.5.0 - Complete Technology & Security Update
Features:
- PHP 8.4 support (from 8.3)
- WordPress 7.0 (auto-update via WP-CLI)
- Modern TLS 1.3 cipher suites (2026 best practices)
- Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive)
- Auto-update cron job for WordPress (weekly Minor updates)
- Debian 14 Forky support (testing)
- Ubuntu 25.04 support
- Python 3.12 in GitHub Actions

Security:
- Fail2Ban with SSH brute force protection (24h ban)
- WordPress wp-login.php protection (2h ban)
- Nginx bot scanner protection
- Recidive jail for repeat offenders (1 week ban)
- Modern TLS ciphers (AEAD only)
- HSTS 2 years for preload

Documentation:
- docs/autoupdate.md - WordPress auto-update guide
- docs/fail2ban.md - Fail2Ban configuration guide
- docs/troubleshooting.md - Updated with php_version variable

Breaking changes:
- PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
2026-05-04 19:37:27 +02:00

117 lines
3.0 KiB
Docker
Executable File

# Optimized multi-stage Dockerfile for LEMP WordPress testing
# This Dockerfile creates a lightweight, secure testing environment
# Stage 1: Base system with essential packages
FROM ubuntu:24.04 AS base
# Set environment variables
ENV DEBIAN_FRONTEND=noninteractive
ENV TZ=Europe/Berlin
# Create necessary directories and users early
RUN mkdir -p /var/run/sshd /var/log/supervisor \
&& groupadd -r ansible && useradd -r -g ansible ansible \
&& echo 'ansible ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
# Install base system packages in a single layer
RUN apt-get update && apt-get upgrade -y && apt-get install -y \
# Core system
ca-certificates \
gnupg \
lsb-release \
apt-transport-https \
# SSH and system control
openssh-server \
sudo \
systemd \
systemd-sysv \
# Python for Ansible
python3 \
python3-pip \
python3-venv \
python3-dev \
# Essential utilities
curl \
wget \
unzip \
git \
vim \
nano \
htop \
net-tools \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
# Stage 2: Runtime with LEMP stack
FROM base AS runtime
# Install LEMP stack packages
RUN apt-get update && apt-get install -y \
# Web server
nginx \
# Database
mysql-server \
mysql-client \
# PHP and extensions
php8.4 \
php8.4-fpm \
php8.4-cli \
php8.4-mysql \
php8.4-gd \
php8.4-xml \
php8.4-mbstring \
php8.4-curl \
php8.4-zip \
php8.4-intl \
php8.4-soap \
php8.4-xmlrpc \
php8.4-opcache \
php8.4-redis \
# Security and monitoring
fail2ban \
ufw \
# Cache systems (optional)
redis-server \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
# Configure SSH
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config \
&& sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config \
&& echo 'root:password' | chpasswd \
&& echo 'ansible:ansible' | chpasswd
# Configure systemd
RUN systemctl enable ssh \
&& systemctl enable nginx \
&& systemctl enable mysql \
&& systemctl enable php8.4-fpm
# Create web directory structure
RUN mkdir -p /var/www/html \
&& chown -R www-data:www-data /var/www/html \
&& chmod -R 755 /var/www/html
# Copy service startup script
COPY start-services.sh /usr/local/bin/start-services.sh
RUN chmod +x /usr/local/bin/start-services.sh
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
CMD curl -f http://localhost/ || exit 1
# Expose ports
EXPOSE 22 80 443
# Set working directory
WORKDIR /var/www/html
# Use systemd as init system for proper service management
CMD ["/usr/local/bin/start-services.sh"]
# Labels for metadata
LABEL org.opencontainers.image.title="LEMP WordPress Testing Environment"
LABEL org.opencontainers.image.description="Ubuntu 24.04 LTS with Nginx, MySQL, PHP 8.4 for WordPress testing"
LABEL org.opencontainers.image.version="1.0"
LABEL org.opencontainers.image.licenses="MIT"