Dockerfile is now based on phusion/baseimage and enables mandatory https

access via a self-signed certificate.

10_ttrss.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -eu
+set -x
+
+php /root/configure-db.php
+php /root/configure-plugin-mobilize.php
+
+# Generate the TLS certificate for our Tiny Tiny RSS server instance.
+openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+    -subj "/C=US/ST=World/L=World/O=ttrss/CN=ttrss" \
+    -keyout "/etc/ssl/private/ttrss.key" \
+    -out "/etc/ssl/certs/ttrss.cert"
+chmod 600 "/etc/ssl/private/ttrss.key"
+chmod 600 "/etc/ssl/certs/ttrss.cert"

Dockerfile

@@ -1,9 +1,9 @@
-FROM ubuntu
-# Based on work of Christian Lück <christian@lueck.tv>
+FROM phusion/baseimage
+# Initially was based on work of Christian Lück <christian@lueck.tv>
 MAINTAINER Andreas Löffler <andy@x86dev.com>
 
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
-  nginx git supervisor php5-fpm php5-cli php5-curl php5-gd php5-json \
+  nginx git ca-certificates php5-fpm php5-cli php5-curl php5-gd php5-json \
   php5-pgsql 
 # php5-mysql
 
@@ -13,7 +13,7 @@ RUN ln -s /etc/nginx/sites-available/ttrss /etc/nginx/sites-enabled/ttrss
 RUN rm /etc/nginx/sites-enabled/default
 
 # patch php5-fpm configuration so that it does not daemonize itself. This is
-# needed because supervisord can watch its state
+# needed so that runit can watch its state and restart it if it crashes etc.
 RUN sed -i -e "s/;daemonize\s*=\s*yes/daemonize = no/g" /etc/php5/fpm/php-fpm.conf
 
 # patch the php-fpm's listening method to _always_ use a unix socket
@@ -51,9 +51,20 @@ ENV DB_USER ttrss
 ENV DB_PASS ttrss
 
 # always re-configure database with current ENV when RUNning container, then monitor all services
-ADD run.sh /run.sh
-ADD utils.php /utils.php
-ADD configure-db.php /configure-db.php
-ADD configure-plugin-mobilize.php /configure-plugin-mobilize.php
-ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf
-CMD sh /run.sh && supervisord -c /etc/supervisor/conf.d/supervisord.conf
+## @todo pack the scripts to a .zip, ADD this and RUN it in setup.sh. Later.
+ADD utils.php /root/utils.php
+ADD configure-db.php /root/configure-db.php
+ADD configure-plugin-mobilize.php /root/configure-plugin-mobilize.php
+
+RUN mkdir /etc/service/nginx
+ADD service-nginx.sh /etc/service/nginx/run
+
+RUN mkdir /etc/service/php5-fpm
+ADD service-php5-fpm.sh /etc/service/php5-fpm/run
+
+RUN mkdir /etc/service/ttrss-update
+ADD service-ttrss-update.sh /etc/service/ttrss-update/run
+
+ADD 10_ttrss.sh /etc/my_init.d/10_ttrss.sh
+CMD /sbin/my_init
+EXPOSE 22

README.md

@@ -1,13 +1,15 @@
 # docker-ttrss
 
-Note: This Dockerfile is a modified version of https://github.com/clue/docker-ttrss.git
-which adds some features, plugins and themes I wanted to have in my own tt-rss setup. 
+This Dockerfile installs Tiny Tiny RSS with the following features:
 
-Tiny Tiny RSS' root now is in the subdirectory ttrss, e.g. http://<yourhost>/ttrss
+- Integrated [Feedly theme](https://github.com/levito/tt-rss-feedly-theme)
+- Integrated [mobilize plugin](https://github.com/sepich/tt-rss-mobilize) for using Readability, Instapaper + Google Mobilizer
+- Self-signed 2048-bit RSA TLS certificate for accessing Tiny Tiny RSS via https
+- Originally was based on [clue/docker-ttrss.git](https://github.com/clue/docker-ttrss)
 
 Feel free to tweak this further to your likings.
 
-This docker image allows you to run the [Tiny Tiny RSS](http://tt-rss.org) feed reader.
+This docker image allows you to run the [Tiny Tiny RSS](http://www.tt-rss.org) feed reader.
 Keep your feed history to yourself and access your RSS and atom feeds from everywhere.
 You can access it through an easy to use webinterface on your desktop, your mobile browser
 or using one of available apps.
@@ -23,20 +25,20 @@ Just start up a new database container:
 $ DB=$(docker run -d nornagon/postgres)
 ```
 
-And because this docker image is available as a [trusted build on the docker index](https://index.docker.io/u/clue/ttrss/),
+And because this docker image is available as a [trusted build on the docker index](https://index.docker.io/u/x86dev/docker-ttrss/),
 using it is as simple as launching this Tiny Tiny RSS installation linked to your fresh database:
 
 ```bash
-$ docker run -d --link $DB:db -p 80:80 --name ttrss <this-image>
+$ docker run -d --link $DB:db -p 443:443 --name ttrss <this-image>
 ```
 
 Running this command for the first time will download the image automatically.
 
 ## Accessing your webinterface
 
-The above example exposes the Tiny Tiny RSS webinterface on port 80, so that you can browse to:
+The above example exposes the Tiny Tiny RSS webinterface on port 443 (https), so that you can browse to:
 
-http://localhost/
+https://<yourhost>/ttrss
 
 The default login credentials are:
 
@@ -74,7 +76,7 @@ This is particular useful for your initial database setup, as errors get reporte
 the console and further execution will halt.
 
 ```bash
-$ sudo docker run -it --link ttrss-data:db -p 80:80 --name ttrss <this-image>
+$ sudo docker run -it --link ttrss-data:db -p 443:443 --name ttrss <this-image>
 ```
 
 ##### Database configuration
@@ -110,5 +112,5 @@ Remaining arguments can be passed just like before, the following is the recomme
 minimum:
 
 ```bash
-$ sudo docker run -d --link ttrss-data:db -p 80:80 --name ttrss <this-image>
+$ sudo docker run -d --link ttrss-data:db -p 443:443 --name ttrss <this-image>
 ```

configure-db.php

@@ -1,7 +1,7 @@
 #!/usr/bin/env php
 <?php
 
-include '/utils.php';
+include '/root/utils.php';
 
 $ename = 'DB';
 $eport = 5432;
@@ -52,6 +52,7 @@ if (!dbcheck($config)) {
 $pdo = dbconnect($config);
 try {
     $pdo->query('SELECT 1 FROM ttrss_feeds');
+    echo 'Connection to database successful';
     // reached this point => table found, assume db is complete
 }
 catch (PDOException $e) {

configure-plugin-mobilize.php

@@ -1,7 +1,7 @@
 #!/usr/bin/env php
 <?php
 
-include '/utils.php';
+include '/root/utils.php';
 
 $ename = 'DB';
 $eport = 5432;

run.sh

@@ -1,3 +0,0 @@
-#/bin/sh
-php /configure-db.php && \
-php /configure-plugin-mobilize.php

service-nginx.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+set -x
+
+/usr/sbin/nginx -g "daemon off;" >> /var/log/service-nginx.log 2>&1

service-php5-fpm.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+set -x
+
+/usr/sbin/php5-fpm >> /var/log/service-php5-fpm.log 2>&1

service-ttrss-update.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+set -x
+
+exec /sbin/setuser www-data /usr/bin/php /var/www/ttrss/update_daemon2.php >> /var/log/service-ttrss-update.log 2>&1

supervisord.conf

@@ -1,15 +0,0 @@
-[supervisord]
-nodaemon=true
-
-[program:php5-fpm]
-command=/usr/sbin/php5-fpm
-
-[program:nginx]
-command=/usr/sbin/nginx -g "daemon off;"
-
-[program:ttrss-update-daemon]
-command=/usr/bin/php /var/www/ttrss/update_daemon2.php
-user=www-data
-stdout_logfile=/tmp/%(program_name)s.stdout
-stderr_logfile=/tmp/%(program_name)s.stderr
-

ttrss.nginx.conf

@@ -1,17 +1,24 @@
 server {
-	listen 80;
-	root /var/www;
+    listen 443;
+    root /var/www;
 
-	index index.php index.html;
+    ssl                       on;
+    ssl_certificate           /etc/ssl/certs/ttrss.cert;
+    ssl_certificate_key       /etc/ssl/private/ttrss.key;
+    ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on; 
+    ssl_ciphers               "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
 
-	location / {
-		try_files $uri $uri/ =404;
-	}
+    index index.php index.html;
 
-	location ~ \.php$ {
-		fastcgi_split_path_info ^(.+\.php)(/.+)$;
-		fastcgi_pass unix:/var/run/php5-fpm.sock;
-		fastcgi_index index.php;
-		include fastcgi_params;
-	}
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php5-fpm.sock;
+        fastcgi_index index.php;
+        include fastcgi_params;
+    }
 }