Merge branch 'master' into anchor

.dockerignore

@@ -3,6 +3,8 @@ README.md
 
 # Git
 .git/
+.github/
+buildx.sh
 
 # OSX
 .DS_Store

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+  # Maintain dependencies for GitHub Actions
+  # src: https://github.com/marketplace/actions/build-and-push-docker-images#keep-up-to-date-with-github-dependabot
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/rules.tsv

@@ -26,3 +26,4 @@
 10053	IGNORE	(Apache Range Header DoS (CVE-2011-3192))
 # again we return 200 to some strange URL
 90034	IGNORE	(Cloud Metadata Potentially Exposed)
+40035	IGNORE	(Hidden File Found)

.github/workflows/build-images.yml

@@ -1,4 +1,4 @@
-name: Deploy multi-architecture Docker images for privatebin with buildx
+name: Build & Deploy container image
 
 on:
   schedule:
@@ -12,53 +12,25 @@ on:
 jobs:
   buildx:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        base-image: [stable, edge]
+        destination-image: [nginx-fpm-alpine, fs, pdo, gcs]
+    name: ${{ matrix.destination-image }} image / ${{ matrix.base-image }} release
     steps:
       - name: Checkout
         uses: actions/checkout@v2
-      - name: Prepare
-        id: prepare
-        run: |
-          IMAGE=privatebin/nginx-fpm-alpine
-          QEMU_PLATFORMS=linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le
-          VERSION=${GITHUB_REF##*/}
-          [ "${{ github.event_name }}" = "schedule" ] && VERSION=nightly
-          echo ::set-output name=buildx_args::--tag ${IMAGE}:latest \
-            --tag ${IMAGE}:${VERSION} --tag ${IMAGE}:${VERSION%%-*} \
-            --platform linux/amd64,linux/386,${QEMU_PLATFORMS} .
-          echo ::set-output name=buildx_edge_args::--tag ${IMAGE}:edge \
-            --platform linux/amd64,linux/386,${QEMU_PLATFORMS} -f Dockerfile-edge .
-          echo ::set-output name=qemu_platforms::${QEMU_PLATFORMS}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
         with:
-          platforms: ${{ steps.prepare.outputs.qemu_platforms }}
+          platforms: linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
         with:
           install: true
-      - name: Docker Build (latest)
-        run: |
-          docker build --no-cache --pull --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_args }}
-      - name: Docker Build (edge)
-        run: |
-          sed 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile-edge
-          docker build --no-cache --pull --output "type=image,push=false" ${{ steps.prepare.outputs.buildx_edge_args }}
-      - name: Docker Login
-        if: success() && github.event_name != 'pull_request' && (github.ref != 'refs/heads/master' || github.event_name == 'schedule')
+      - name: Docker Build
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-        run: |
-          printenv DOCKER_PASSWORD | docker login --username "${DOCKER_USERNAME}" --password-stdin
-      - name: Docker Push (latest)
-        if: success() && github.event_name != 'pull_request' && (github.ref != 'refs/heads/master' || github.event_name == 'schedule')
-        run: |
-          docker build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_args }}
-      - name: Docker Push (edge)
-        if: success() && github.event_name != 'pull_request' && (github.ref != 'refs/heads/master' || github.event_name == 'schedule')
-        run: |
-          docker build --output "type=image,push=true" ${{ steps.prepare.outputs.buildx_edge_args }}
-      - name: Cleanup
-        if: always() && github.event_name != 'pull_request' && (github.ref != 'refs/heads/master' || github.event_name == 'schedule')
-        run: |
-          rm -f ${HOME}/.docker/config.json
+        run: ./buildx.sh ${{ github.event_name }} ${{ matrix.destination-image }} ${{ matrix.base-image }}

.github/workflows/owasp.yml

@@ -35,7 +35,7 @@ jobs:
 
       # Run OWASP scan
       - name: OWASP ZAP Full Scan
-        uses: zaproxy/action-full-scan@v0.2.0
+        uses: zaproxy/action-full-scan@v0.3.0
         with:
           # GitHub Token to create issues in the repository
           #token: # optional, default is ${{ github.token }}

.github/workflows/snyk-container-analysis.yml

@@ -0,0 +1,40 @@
+# A sample workflow which checks out the code, builds a container
+# image using Docker and scans that image for vulnerabilities using
+# Snyk. The results are then uploaded to GitHub Security Code Scanning
+#
+# For more examples, including how to limit scans to only high-severity
+# issues, monitor images for newly disclosed vulnerabilities in Snyk and
+# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
+
+name: Snyk Container
+
+on:
+  push:
+    branches: [ master ]
+  schedule:
+    - cron: '23 7 * * 5'
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Build a Docker image
+      run: docker build -t privatebin/nginx-fpm-alpine .
+    - name: Run Snyk to check Docker image for vulnerabilities
+      # Snyk can be used to break the build when it detects vulnerabilities.
+      # In this case we want to upload the issues to GitHub Code Scanning
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        # In order to use the Snyk Action you will need to have a Snyk API token.
+        # More details in https://github.com/snyk/actions#getting-your-snyk-token
+        # or you can signup for free at https://snyk.io/login
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: privatebin/nginx-fpm-alpine
+        args: --file=Dockerfile
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: snyk.sarif

.github/workflows/trivy-analysis.yml

@@ -0,0 +1,35 @@
+name: trivy-analysis
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '20 13 * * 3'
+
+jobs:
+  build:
+    name: Trivy analysis
+    runs-on: "ubuntu-18.04"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t privatebin/nginx-fpm-alpine:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'privatebin/nginx-fpm-alpine:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'

.gitignore

@@ -0,0 +1 @@
+Dockerfile.edge

Dockerfile

@@ -1,32 +1,69 @@
-FROM alpine:3.13
+FROM alpine:3.15.0
 
-MAINTAINER PrivateBin <support@privatebin.org>
+ARG ALPINE_PACKAGES="php8-pdo_mysql php8-pdo_pgsql php8-openssl"
+ARG COMPOSER_PACKAGES=google/cloud-storage
+ARG PBURL=https://github.com/PrivateBin/PrivateBin/
+ARG RELEASE=1.3.5
+ARG UID=65534
+ARG GID=82
 
-ENV RELEASE   1.3.5
-ENV PBURL     https://github.com/PrivateBin/PrivateBin/
-ENV S6_READ_ONLY_ROOT 1
+ENV CONFIG_PATH=/srv/cfg
+
+LABEL org.opencontainers.image.authors=support@privatebin.org \
+      org.opencontainers.image.vendor=PrivateBin \
+      org.opencontainers.image.documentation=https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/README.md \
+      org.opencontainers.image.source=https://github.com/PrivateBin/docker-nginx-fpm-alpine \
+      org.opencontainers.image.licenses=zlib-acknowledgement \
+      org.opencontainers.image.version=${RELEASE}
 
 RUN \
+# Prepare composer dependencies
+    ALPINE_PACKAGES="$(echo ${ALPINE_PACKAGES} | sed 's/,/ /g')" ;\
+    ALPINE_COMPOSER_PACKAGES="" ;\
+    if [ -n "${COMPOSER_PACKAGES}" ] ; then \
+        ALPINE_COMPOSER_PACKAGES="php8 php8-curl php8-mbstring php8-phar" ;\
+        RAWURL="$(echo ${PBURL} | sed s/github.com/raw.githubusercontent.com/)" ;\
+    fi \
 # Install dependencies
-    apk add --no-cache gnupg nginx php8-fpm php8-json php8-gd \
-        php8-opcache php8-pdo_mysql php8-pdo_pgsql s6-overlay tzdata \
     && apk upgrade --no-cache \
+    && apk add --no-cache gnupg git nginx php8-fpm php8-json php8-gd php8-opcache \
+        s6 tzdata ${ALPINE_PACKAGES} ${ALPINE_COMPOSER_PACKAGES} \
 # Remove (some of the) default nginx config
     && rm -f /etc/nginx.conf /etc/nginx/http.d/default.conf /etc/php8/php-fpm.d/www.conf \
     && rm -rf /etc/nginx/sites-* \
 # Ensure nginx logs, even if the config has errors, are written to stderr
     && ln -s /dev/stderr /var/log/nginx/error.log \
 # Install PrivateBin
-    && export GNUPGHOME="$(mktemp -d)" \
+    && export GNUPGHOME="$(mktemp -d -p /tmp)" \
     && gpg2 --list-public-keys || /bin/true \
     && wget -qO - https://privatebin.info/key/release.asc | gpg2 --import - \
     && rm -rf /var/www/* \
     && cd /tmp \
-    && wget -qO ${RELEASE}.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \
-    && wget -q ${PBURL}archive/${RELEASE}.tar.gz \
-    && gpg2 --verify ${RELEASE}.tar.gz.asc \
+    && if expr "${RELEASE}" : '[0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}$' >/dev/null ; then \
+         echo "getting release ${RELEASE}"; \
+         wget -qO ${RELEASE}.tar.gz.asc ${PBURL}releases/download/${RELEASE}/PrivateBin-${RELEASE}.tar.gz.asc \
+         && wget -q ${PBURL}archive/${RELEASE}.tar.gz \
+         && gpg2 --verify ${RELEASE}.tar.gz.asc ; \
+       else \
+         echo "getting tarball for ${RELEASE}"; \
+         git clone ${PBURL%%/}.git -b ${RELEASE}; \
+         (cd $(basename ${PBURL}) && git archive --prefix ${RELEASE}/ --format tgz ${RELEASE} > /tmp/${RELEASE}.tar.gz); \
+       fi \
+    && if [ -n "${COMPOSER_PACKAGES}" ] ; then \
+        wget -qO composer-installer.php https://getcomposer.org/installer \
+        && ln -s $(which php8) /usr/local/bin/php \
+        && php composer-installer.php --install-dir=/usr/local/bin --filename=composer ;\
+    fi \
     && cd /var/www \
     && tar -xzf /tmp/${RELEASE}.tar.gz --strip 1 \
+    && if [ -n "${COMPOSER_PACKAGES}" ] ; then \
+        wget -q ${RAWURL}${RELEASE}/composer.json \
+        && wget -q ${RAWURL}${RELEASE}/composer.lock \
+        && composer remove --dev --no-update phpunit/phpunit \
+        && composer require --no-update ${COMPOSER_PACKAGES} \
+        && composer update --no-dev --optimize-autoloader \
+        rm composer.* /usr/local/bin/* ;\
+    fi \
     && rm *.md cfg/conf.sample.php \
     && mv cfg lib tpl vendor /srv \
     && mkdir -p /srv/data \
@@ -36,21 +73,22 @@ RUN \
     && mkfifo \
         /etc/s6/services/nginx/supervise/control \
         /etc/s6/services/php-fpm8/supervise/control \
-    && chown -R 65534:82 /etc/s6 /run /srv/* /var/lib/nginx /var/www \
+    && chown -R ${UID}:${GID} /etc/s6 /run /srv/* /var/lib/nginx /var/www \
     && chmod o+rwx /run /var/lib/nginx /var/lib/nginx/tmp \
 # Clean up
-    && rm -rf "${GNUPGHOME}" /tmp/* \
-    && apk del gnupg
+    && gpgconf --kill gpg-agent \
+    && rm -rf /tmp/* \
+    && apk del --no-cache gnupg git ${ALPINE_COMPOSER_PACKAGES}
 
 COPY etc/ /etc/
 
 WORKDIR /var/www
 # user nobody, group www-data
-USER 65534:82
+USER ${UID}:${GID}
 
 # mark dirs as volumes that need to be writable, allows running the container --read-only
 VOLUME /run /srv/data /tmp /var/lib/nginx/tmp
 
 EXPOSE 8080
 
-ENTRYPOINT ["/init"]
+ENTRYPOINT ["/etc/init.d/rc.local"]

README.fs.md

@@ -0,0 +1,7 @@
+# PrivateBin on Nginx, php-fpm & Alpine with file based storage backend
+
+**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
+
+## Image variants
+
+This is an image optimized for the file based storage backend. Please see the [generic image](https://hub.docker.com/r/privatebin/nginx-fpm-alpine) for details on how to use this image, other images variants and the different tags.

README.gcs.md

@@ -0,0 +1,7 @@
+# PrivateBin on Nginx, php-fpm & Alpine with Google Cloud Storage backend
+
+**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
+
+## Image variants
+
+This is an image optimized for the Google Cloud Storage backend. Please see the [generic image](https://hub.docker.com/r/privatebin/nginx-fpm-alpine) for details on how to use this image, other images variants and the different tags.

README.md

@@ -1,8 +1,26 @@
-# PrivateBin on nginx, php-fpm & alpine
+# PrivateBin on Nginx, php-fpm & Alpine
 
 **PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
 
-This repository contains the Dockerfile and resources needed to create a docker image with a pre-installed PrivateBin instance in a secure default configuration. The images are based on the docker hub alpine image, extended with the GD module required to generate discussion avatars and the Nginx webserver to serve static JavaScript libraries, CSS & the logos. All logs of php-fpm and Nginx (access & errors) are forwarded to docker logs.
+This repository contains the Dockerfile and resources needed to create a docker image with a pre-installed PrivateBin instance in a secure default configuration. The images are based on the docker hub Alpine image, extended with the GD module required to generate discussion avatars and the Nginx webserver to serve static JavaScript libraries, CSS & the logos. All logs of php-fpm and Nginx (access & errors) are forwarded to docker logs.
+
+## Image variants
+
+This is the all-in-one image that can be used with any storage backend supported by PrivateBin: File based storage, database or Google Cloud Storage. We also offer dedicated images for each backend:
+- [Image for file based storage](https://hub.docker.com/r/privatebin/fs)
+- [Image for PostgreSQL, MariaDB & MySQL](https://hub.docker.com/r/privatebin/pdo)
+- [Image for Google Cloud Storage](https://hub.docker.com/r/privatebin/gcs)
+
+## Image tags
+
+All images contain a release version of PrivateBin and are offered with the following tags:
+- `latest` is an alias of the latest pushed image, usually the same as `nightly`, but excluding `edge`
+- `nightly` is the latest released PrivateBin version on an upgraded Alpine release image, including the latest changes from the docker image repository
+- `edge` is the latest released PrivateBin version on an upgraded Alpine edge image
+- `1.3.5` contains PrivateBin version 1.3.5 on the latest tagged release of the docker image repository - gets updated when important security fixes are released for Alpine or upon new Alpine releases
+- `1.3.5-...` are provided for selecting specific, immutable images
+
+If you update your images automatically via pulls, the `nightly` or `latest` are recommended. If you prefer to have control and reproducability or use a form of orchestration, the numeric tags are probably preferable. The `edge` tag offers a preview of software in future Alpine releases and as an early warning system to detect image build issues in these.
 
 ## Running the image
 
@@ -14,15 +32,13 @@ docker run -d --restart="always" --read-only -p 8080:8080 -v $PWD/privatebin-dat
 
 The parameters in detail:
 
-- `-v $PWD/privatebin-data:/srv/data` - replace `$PWD/privatebin-data` with the path to the folder on your system, where the pastes and other service data should be persisted. This guarantees that your pastes aren't lost after you stop and restart the image or when you replace it. May be skipped if you just want to test the image.
+- `-v $PWD/privatebin-data:/srv/data` - replace `$PWD/privatebin-data` with the path to the folder on your system, where the pastes and other service data should be persisted. This guarantees that your pastes aren't lost after you stop and restart the image or when you replace it. May be skipped if you just want to test the image or use database or Google Cloud Storage backend.
 - `-p 8080:8080` - The Nginx webserver inside the container listens on port 8080, this parameter exposes it on your system on port 8080. Be sure to use a reverse proxy for HTTPS termination in front of it in production environments.
 - `--read-only` - This image supports running in read-only mode. Using this reduces the attack surface slightly, since an exploit in one of the images services can't overwrite arbitrary files in the container. Only /tmp, /var/tmp, /var/run & /srv/data may be written into.
 - `-d` - launches the container in the background. You can use `docker ps` and `docker logs` to check if the container is alive and well.
 - `--restart="always"` - restart the container if it crashes, mainly useful for production setups
 
 > Note that the volume mounted must be owned by UID 65534 / GID 82. If you run the container in a docker instance with "userns-remap" you need to add your subuid/subgid range to these numbers.
-> 
-> Note, too, that this image exposes the same service on port 80, for backwards compatibility with older versions of the image. To use port 80 with the current image, you either need to have a filesystem with extended attribute support so the nginx binary can be granted the capability to bind to ports below 1024 as non-root user or you need to start the image with user id 0 (root) using the parameter `-u 0`.
 
 ### Custom configuration
 
@@ -36,7 +52,7 @@ Note: The `Filesystem` data storage is supported out of the box. The image inclu
 
 ### Adjusting nginx or php-fpm settings
 
-You can attach your own `php.ini` or nginx configuration files to the folders `/etc/php7/conf.d/` and `/etc/nginx/conf.d/` respectively. This would for example let you adjust the maximum size these two services accept for file uploads, if you need more then the default 10 MiB.
+You can attach your own `php.ini` or nginx configuration files to the folders `/etc/php8/conf.d/` and `/etc/nginx/conf.d/` respectively. This would for example let you adjust the maximum size these two services accept for file uploads, if you need more then the default 10 MiB.
 
 ### Timezone settings
 
@@ -69,17 +85,10 @@ spec:
       labels:
         app: privatebin
     spec:
-      initContainers:
-      - name: privatebin-volume-permissions
-        image: privatebin/chown:1.33.0-musl-1.2.2-r0
-        args: ['65534:82', '/mnt']
-        securityContext:
-          runAsUser: 0
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /mnt
-          name: privatebin-data
-          readOnly: False
+      securityContext:
+        runAsUser: 65534
+        runAsGroup: 82
+        fsGroup: 82
       containers:
       - name: privatebin
         image: privatebin/nginx-fpm-alpine:1.3.5
@@ -91,19 +100,17 @@ spec:
         - name: PHP_TZ
           value: Antarctica/South_Pole
         securityContext:
-          runAsUser: 65534
-          runAsGroup: 82
           readOnlyRootFilesystem: true
           privileged: false
           allowPrivilegeEscalation: false
         livenessProbe:
           httpGet:
             path: /
-            port: http
+            port: 8080
         readinessProbe:
           httpGet:
             path: /
-            port: http
+            port: 8080
         volumeMounts:
         - mountPath: /srv/data
           name: privatebin-data
@@ -129,4 +136,3 @@ Nginx is required to serve static files and caches them, too. Requests to the in
 The Nginx setup supports only HTTP, so make sure that you run a reverse proxy in front of this for HTTPS offloading and reducing the attack surface on your TLS stack. The Nginx in this image is set up to deflate/gzip text content.
 
 During the build of the image the PrivateBin release archive and the s6 overlay binaries are downloaded from Github. All the downloaded Alpine packages, s6 overlay binaries and the PrivateBin archive are validated using cryptographic signatures to ensure they have not been tempered with, before deploying them in the image.
-

README.pdo.md

@@ -0,0 +1,7 @@
+# PrivateBin on Nginx, php-fpm & Alpine with PostgreSQL, MariaDB & MySQL backend
+
+**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
+
+## Image variants
+
+This is an image optimized for PostgreSQL, MariaDB & MySQL storage backends. Please see the [generic image](https://hub.docker.com/r/privatebin/nginx-fpm-alpine) for details on how to use this image, other images variants and the different tags.

buildx.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+# exit immediately on non-zero return code, including during a pipe stage or on
+# accessing an uninitialized variable and print commands before executing them
+set -euxo pipefail
+
+EVENT=$1
+IMAGE=$2
+EDGE=false
+[ "$3" = edge ] && EDGE=true
+
+build_image() {
+    # shellcheck disable=SC2068
+    docker build \
+        --pull \
+        --no-cache \
+        --load \
+        $@ \
+        .
+}
+
+push_image() {
+    # shellcheck disable=SC2068
+    docker buildx build \
+        --platform linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/ppc64le \
+        --pull \
+        --no-cache \
+        --push \
+        $@ \
+        .
+}
+
+docker_login() {
+    printenv DOCKER_PASSWORD | docker login \
+        --username "$DOCKER_USERNAME" \
+        --password-stdin
+}
+
+is_image_push_required() {
+    [ "$EVENT" != pull_request ] && { \
+        [ "$GITHUB_REF" != refs/heads/master ] || \
+        [ "$EVENT" = schedule ]
+    }
+}
+
+main() {
+    local TAG BUILD_ARGS
+
+    if [ "$EVENT" = schedule ] ; then
+        TAG=nightly
+    else
+        TAG=${GITHUB_REF##*/}
+    fi
+
+    case "$IMAGE" in
+        fs)
+            BUILD_ARGS="--build-arg ALPINE_PACKAGES= --build-arg COMPOSER_PACKAGES="
+            ;;
+        pdo)
+            BUILD_ARGS="--build-arg ALPINE_PACKAGES=php8-pdo_mysql,php8-pdo_pgsql --build-arg COMPOSER_PACKAGES="
+            ;;
+        gcs)
+            BUILD_ARGS="--build-arg ALPINE_PACKAGES=php8-openssl"
+            ;;
+        *)
+            BUILD_ARGS=""
+            ;;
+    esac
+    IMAGE="privatebin/$IMAGE"
+
+    if [ "$EDGE" = true ] ; then
+        sed -e 's/^FROM alpine:.*$/FROM alpine:edge/' Dockerfile > Dockerfile.edge
+        BUILD_ARGS="-f Dockerfile.edge    --tag $IMAGE:edge $BUILD_ARGS"
+        IMAGE="$IMAGE:edge"
+    else
+        BUILD_ARGS="--tag $IMAGE:latest --tag $IMAGE:$TAG --tag ${IMAGE}:${TAG%%-*} $BUILD_ARGS"
+        IMAGE="$IMAGE:latest"
+    fi
+    build_image "$BUILD_ARGS"
+
+    docker run -d --rm -p 127.0.0.1:8080:8080 --read-only --name smoketest "$IMAGE"
+    sleep 5 # give the services time to start up and the log to collect any errors that might occur
+    test "$(docker inspect --format="{{.State.Running}}" smoketest)" = true
+    curl --silent --show-error -o /dev/null http://127.0.0.1:8080/
+    if docker logs smoketest 2>&1 | grep -i -E "warn|emerg|fatal|panic|error"
+    then
+        exit 1
+    fi
+    docker stop smoketest
+
+    if is_image_push_required ; then
+        docker_login
+        push_image "$BUILD_ARGS"
+    fi
+
+    rm -f Dockerfile.edge "$HOME/.docker/config.json"
+}
+
+[ "$(basename "$0")" = 'buildx.sh' ] && main

etc/init.d/rc.local

@@ -0,0 +1,3 @@
+#!/bin/execlineb -P
+foreground { cp -r /etc/s6/services /run }
+/bin/s6-svscan /run/services

etc/nginx/http.d/site.conf

@@ -5,15 +5,22 @@ server {
     root /var/www;
     index index.php index.html index.htm;
 
-    add_header Cross-Origin-Embedder-Policy require-corp;
-    add_header Cross-Origin-Resource-Policy same-origin;
-    add_header Cross-Origin-Opener-Policy same-origin;
-    add_header Referrer-Policy no-referrer;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-Frame-Options deny;
-    add_header X-XSS-Protection "1; mode=block";
-
     location / {
+        # no-transform tells Cloudflare and others to not change the content of
+        # the file and thus breaking SRI.
+        # https://developers.cloudflare.com/cache/about/cache-control#other
+        add_header Cache-Control "public, max-age=3600, must-revalidate, no-transform";
+        add_header Cross-Origin-Embedder-Policy require-corp;
+        add_header Cross-Origin-Opener-Policy same-origin;
+        add_header Cross-Origin-Resource-Policy same-origin;
+        # opt-out of Google FloC
+        # https://developer.chrome.com/blog/floc/#how-can-websites-opt-out-of-the-floc-computation
+        add_header Permissions-Policy interest-cohort=();
+        add_header Referrer-Policy no-referrer;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-Frame-Options deny;
+        add_header X-XSS-Protection "1; mode=block";
+
         include /etc/nginx/location.d/*.conf;
         try_files $uri $uri/ /index.php$is_args$args;
     }
@@ -25,14 +32,6 @@ server {
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include fastcgi_params;
 
-        fastcgi_hide_header Cross-Origin-Embedder-Policy;
-        fastcgi_hide_header Cross-Origin-Resource-Policy;
-        fastcgi_hide_header Cross-Origin-Opener-Policy;
-        fastcgi_hide_header Referrer-Policy;
-        fastcgi_hide_header X-Content-Type-Options;
-        fastcgi_hide_header X-Frame-Options;
-        fastcgi_hide_header X-XSS-Protection;
-
         # Prevent exposing nginx + version to $_SERVER
         fastcgi_param SERVER_SOFTWARE "";
     }

etc/php8/php-fpm.d/zz-docker.conf

@@ -11,3 +11,9 @@ pm.max_children = 5
 pm.start_servers = 2
 pm.min_spare_servers = 1
 pm.max_spare_servers = 3
+
+env[PRIVATEBIN_GCS_BUCKET] = $PRIVATEBIN_GCS_BUCKET
+env[GOOGLE_APPLICATION_CREDENTIALS] = $GOOGLE_APPLICATION_CREDENTIALS
+env[GOOGLE_CLOUD_PROJECT] = $GOOGLE_CLOUD_PROJECT
+env[GCLOUD_PROJECT] = $GCLOUD_PROJECT
+env[CONFIG_PATH] = $CONFIG_PATH

etc/s6/services/nginx/run

@@ -1,2 +1,9 @@
-#!/usr/bin/execlineb -P
-/usr/sbin/nginx
+#!/bin/execlineb -P
+forx -o 127 timer { 0 1 2 3 4 5 6 7 8 9 }
+    ifelse {
+        test -S /var/run/php-fpm.sock
+    } {
+        /usr/sbin/nginx
+    }
+        foreground { sleep 1 }
+        exit 127

etc/s6/services/php-fpm8/run

@@ -1,2 +1,2 @@
-#!/usr/bin/execlineb -P
+#!/bin/execlineb -P
 /usr/sbin/php-fpm8