From 0df8a88d28cf4be4c6b312284a5a6c2fa97c992b Mon Sep 17 00:00:00 2001 From: Mikkel Ricky Date: Fri, 25 Oct 2024 10:47:12 +0200 Subject: [PATCH 1/4] Updated docker compose setup --- .docker/nginx.conf | 1 + .docker/templates/default.conf.template | 33 +++++++------------------ .gitignore | 2 ++ docker-compose.override.yml | 1 - docker-compose.server.override.yml | 5 +--- docker-compose.server.yml | 2 +- docker-compose.yml | 5 +--- 7 files changed, 15 insertions(+), 34 deletions(-) diff --git a/.docker/nginx.conf b/.docker/nginx.conf index 0335e534..d0a557b1 100644 --- a/.docker/nginx.conf +++ b/.docker/nginx.conf @@ -7,6 +7,7 @@ events { worker_connections 1024; } + http { proxy_temp_path /tmp/proxy_temp; client_body_temp_path /tmp/client_temp; diff --git a/.docker/templates/default.conf.template b/.docker/templates/default.conf.template index fa21e04e..2da35cc2 100644 --- a/.docker/templates/default.conf.template +++ b/.docker/templates/default.conf.template @@ -35,8 +35,7 @@ server { } # Block access to "hidden" files and directories whose names begin with a - # period. This includes directories used by version control systems such - # as Subversion or Git to store control files. + # period. location ~ (^|/)\. { return 403; } @@ -46,7 +45,7 @@ server { } location @rewrite { - rewrite ^/(.*)$ /index.php?q=$1; + rewrite ^ /index.php; } # Don't allow direct access to PHP files in the vendor directory. @@ -62,12 +61,16 @@ server { } location ~ '\.php$|^/update.php' { + include fastcgi_params; + fastcgi_buffers 16 32k; fastcgi_buffer_size 64k; fastcgi_busy_buffers_size 64k; fastcgi_split_path_info ^(.+?\.php)(|/.*)$; - include fastcgi_params; + + # Ensure the php file exists. Mitigates CVE-2019-11043 + try_files $fastcgi_script_name =404; fastcgi_param HTTP_PROXY ""; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
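Review bot: The added `try_files $fastcgi_script_name =404;` shares a location with `fastcgi_split_path_info`, and in that combination nginx is known to leave `$fastcgi_path_info` empty once try_files has run. The lines between this hunk and the next are not visible, so I cannot tell whether `PATH_INFO` is passed to PHP-FPM; if it is, save it first with `set $path_info $fastcgi_path_info;` and pass `fastcgi_param PATH_INFO $path_info;`. The existence test is also performed by nginx itself, so the nginx container needs the same document root mounted as PHP-FPM or every PHP request will return 404; the comment above try_files could say so. The location block continues past the end of the hunk.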
@@ -78,30 +81,12 @@ server { fastcgi_pass ${NGINX_FPM_SERVICE}; } - location ~ ^/sites/.*/files/styles/ { - try_files $uri @rewrite; - } - - # Handle private files through Drupal. Private file's path can come - # with a language prefix. - location ~ ^(/[a-z\-]+)?/system/files/ { - try_files $uri /index.php?$query_string; - } - - location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { - try_files $uri @rewrite; - expires max; - log_not_found off; - } - # Enforce clean URLs - # Removes index.php from urls like: - # www.example.com/index.php/my-page --> www.example.com/my-page # + # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page # Could be done with 301 for permanent or other redirect codes. - absolute_redirect off; if ($request_uri ~* "^(.*/)index\.php/(.*)") { - return 301 /$2; + return 307 $1$2; } error_log /dev/stderr; diff --git a/.gitignore b/.gitignore index 3ce5bf2a..b15c0078 100644 --- a/.gitignore +++ b/.gitignore @@ -81,3 +81,5 @@ private-files/ # Ignore contrib modules /web/modules/contrib + +.env.local diff --git a/docker-compose.override.yml b/docker-compose.override.yml index 79d133f7..42b54a03 100644 --- a/docker-compose.override.yml +++ b/docker-compose.override.yml @@ -9,7 +9,6 @@ services: - .:/app:delegated phpfpm: - image: itkdev/php8.3-fpm:latest environment: - PHP_MAX_EXECUTION_TIME=60 - PHP_MEMORY_LIMIT=512M diff --git a/docker-compose.server.override.yml b/docker-compose.server.override.yml index c5ef42fb..39ae241b 100644 --- a/docker-compose.server.override.yml +++ b/docker-compose.server.override.yml @@ -1,5 +1,3 @@ -version: "3" - networks: frontend: external: true @@ -9,7 +7,6 @@ networks: services: phpfpm: - image: itkdev/php8.3-fpm:latest environment: - PHP_MEMORY_LIMIT=512M - PHP_POST_MAX_SIZE=8M @@ -25,4 +22,4 @@ services: nginx: environment: # Match PHP_UPLOAD_MAX_FILESIZE (plus a little more) - NGINX_MAX_BODY_SIZE: 10M \ No newline at end of file + NGINX_MAX_BODY_SIZE: 10M 
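Review bot: `return 307 $1$2;` builds the redirect target from text captured out of the raw `$request_uri`, so the target is not guaranteed to start with exactly one `/`. A target beginning with `//` is read by browsers as scheme-relative, which would send the visitor to another host whenever the redirect is emitted as a relative Location. The same hunk deletes `absolute_redirect off;`; unless it is set elsewhere, nginx's default produces an absolute Location built from the listener's scheme and port, which is usually wrong behind a TLS-terminating proxy. I would set `absolute_redirect` explicitly and anchor the pattern so the result has a single leading slash, for example `if ($request_uri ~* "^/+(.*/)?index\.php/+(.*)") { return 307 /$1$2; }`. The server block starts before this hunk, so settings outside it may already cover part of this.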
diff --git a/docker-compose.server.yml b/docker-compose.server.yml index d6f1b07d..91bd2562 100644 --- a/docker-compose.server.yml +++ b/docker-compose.server.yml @@ -8,7 +8,7 @@ networks: services: phpfpm: - image: itkdev/php8.2-fpm:alpine + image: itkdev/php8.3-fpm:alpine restart: unless-stopped networks: - app diff --git a/docker-compose.yml b/docker-compose.yml index dd90e9a6..2753a3b4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -19,12 +19,9 @@ services: - MYSQL_PASSWORD=db - MYSQL_DATABASE=db #- ENCRYPT=1 # Uncomment to enable database encryption. - # https://symfony.com/doc/current/setup/symfony_server.html#docker-integration - labels: - com.symfony.server.service-prefix: 'DATABASE' phpfpm: - image: itkdev/php8.2-fpm:latest + image: itkdev/php8.3-fpm:latest networks: - app extra_hosts: From 6c4e9f8252faaf5a048bd31aeaf185d2a330a450 Mon Sep 17 00:00:00 2001 From: Mikkel Ricky Date: Fri, 25 Oct 2024 10:48:13 +0200 Subject: [PATCH 2/4] Cleaned up settings --- web/sites/default/settings.local.php | 56 ---------------------------- web/sites/default/settings.php | 27 +++++++------- 2 files changed, 13 insertions(+), 70 deletions(-) delete mode 100644 web/sites/default/settings.local.php diff --git a/web/sites/default/settings.local.php b/web/sites/default/settings.local.php deleted file mode 100644 index 74785e08..00000000 --- a/web/sites/default/settings.local.php +++ /dev/null @@ -1,56 +0,0 @@ - 'db', - 'username' => 'db', - 'password' => 'db', - 'host' => 'mariadb', - 'port' => '', - 'driver' => 'mysql', - 'prefix' => '', -); - -/** - * Skip permissions hardening. - */ -$settings['skip_permissions_hardening'] = TRUE; - -/** - * Set config sync path. - */ -$settings['config_sync_directory'] = '../config/sync'; - -/** - * Set hash salt. - */ -$settings['hash_salt'] = '1234'; - -/** - * Set trusted host pattern. - */ -$settings["trusted_host_patterns"] = [ - "^ai-screening\.local\.itkdev\.dk$" -]; 
diff --git a/web/sites/default/settings.php b/web/sites/default/settings.php index 9925e42d..50d3448b 100644 --- a/web/sites/default/settings.php +++ b/web/sites/default/settings.php @@ -88,7 +88,18 @@ * ]; * @endcode */ -$databases = []; +$databases['default']['default'] = array ( + 'database' => 'db', + 'username' => 'db', + 'password' => 'db', + 'prefix' => '', + 'host' => 'mariadb', + 'port' => '', + 'isolation_level' => 'READ COMMITTED', + 'driver' => 'mysql', + 'namespace' => 'Drupal\\mysql\\Driver\\Database\\mysql', + 'autoload' => 'core/modules/mysql/src/Driver/Database/mysql/', +); /** * Customizing database settings. @@ -256,7 +267,7 @@ * directory in the public files path. The setting below allows you to set * its location. */ -# $settings['config_sync_directory'] = '/directory/outside/webroot'; +$settings['config_sync_directory'] = '../config/sync'; /** * Settings: @@ -874,15 +885,3 @@ if (file_exists($app_root . "/" . $site_path . "/settings.local.php")) { include $app_root . "/" . $site_path . "/settings.local.php"; } -$databases['default']['default'] = array ( - 'database' => 'db', - 'username' => 'db', - 'password' => 'db', - 'prefix' => '', - 'host' => 'mariadb', - 'port' => '', - 'isolation_level' => 'READ COMMITTED', - 'driver' => 'mysql', - 'namespace' => 'Drupal\\mysql\\Driver\\Database\\mysql', - 'autoload' => 'core/modules/mysql/src/Driver/Database/mysql/', -); From d7fb85f378ae5b32496d6822fb1c9b4a13fdf394 Mon Sep 17 00:00:00 2001 From: Mikkel Ricky Date: Fri, 25 Oct 2024 10:48:30 +0200 Subject: [PATCH 3/4] Updated installation instructions --- README.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index f00b16ec..cb9d5ff5 100644 --- a/README.md +++ b/README.md 
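Review bot: The `$databases['default']['default']` array added in the first settings.php hunk commits the `db`/`db` development credentials to the tracked settings.php, which every environment loads, presumably including the docker-compose.server.yml deployment. Moving it above the settings.local.php include (the old copy after the include is removed in the last hunk) does let a local file override it. However, nothing in the visible hunks replaces the `hash_salt` and `trusted_host_patterns` values that the deleted settings.local.php supplied. I would add a comment above the array such as `// Development defaults only; server deployments must override these in settings.local.php.` and set `$settings['hash_salt']` and `$settings['trusted_host_patterns']` per environment from a source outside the repository. Most of settings.php is outside these hunks, so those two settings may already be handled elsewhere.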
@@ -5,13 +5,9 @@ Run the following commands to set up the site a new. This will start containers and run composer install, add a settings.php file and run site-install. -```shell name="site-up-new" -task build-site:new -``` - -If the site has existing config and a settings.php file build the site from that. - ```shell name="site-up" +task compose -- pull +task compose -- up --detach task build-site:existing-conf ``` From 045067622e75a6789d685a39e559d77c02687302 Mon Sep 17 00:00:00 2001 From: Mikkel Ricky Date: Fri, 25 Oct 2024 10:49:52 +0200 Subject: [PATCH 4/4] Updated changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 620ec7b5..b88bc335 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,9 +7,10 @@ and this project adheres to [Semantic Versioning]. ## [Unreleased] +- [PR-3](https://github.com/itk-dev/ai-screening/pull/3) + Deployment - [PR-2](https://github.com/itk-dev/ai-screening/pull/2) Add ai_screening_project module - - [PR-1](https://github.com/itk-dev/ai-screening/pull/1) Setup custom drupal theme