Align with itk-dev drupal-11 Docker template

.docker/data/.gitignore

@@ -0,0 +1,5 @@
+# Ignore everything in this directory
+*
+# Except
+!.gitignore
+!README.md

.docker/data/README.md

@@ -0,0 +1,29 @@
+# .docker/data
+
+Please map persistent volumes to this directory on the servers.
+
+If a container needs to persist data between restarts you can map the relevant files in the container to
+`.docker/data/<container-name>`.
+
+## RabbitMQ example
+
+If you are using RabbitMQ running in a container as a message broker you need to configure a persistent volume for
+RabbitMQs data directory to avoid losing message on container restarts.
+x
+```yaml
+# docker-compose.server.override.yml
+
+services:
+  rabbit:
+    image: rabbitmq:3.9-management-alpine
+    hostname: "${COMPOSE_PROJECT_NAME}"
+    networks:
+      - app
+      - frontend
+    environment:
+      - "RABBITMQ_DEFAULT_USER=${RABBITMQ_USER}"
+      - "RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASSWORD}"
+      - "RABBITMQ_ERLANG_COOKIE=${RABBITMQ_ERLANG_COOKIE}"
+    volumes:
+      - ".docker/data/rabbitmq:/var/lib/rabbitmq/mnesia/"
+```

.docker/nginx.conf

@@ -0,0 +1,34 @@
+worker_processes  auto;
+
+error_log  /dev/stderr notice;
+pid        /tmp/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    proxy_temp_path /tmp/proxy_temp;
+    client_body_temp_path /tmp/client_temp;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+    uwsgi_temp_path /tmp/uwsgi_temp;
+    scgi_temp_path /tmp/scgi_temp;
+
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    # Note: set_real_ip_from is set in the server block
+
+    log_format  main  '$http_x_real_ip - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /dev/stdout main;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}

.docker/templates/default.conf.template

@@ -0,0 +1,108 @@
+server {
+    listen ${NGINX_PORT};
+    server_name localhost;
+
+    root ${NGINX_WEB_ROOT};
+
+    client_max_body_size ${NGINX_MAX_BODY_SIZE};
+
+    set_real_ip_from 172.16.0.0/16;
+    set_real_ip_from 192.168.39.0/24;
+    real_ip_recursive on;
+    real_ip_header X-Forwarded-For;
+
+    location = /cron-metrics {
+        # Proxy to supercronic metrics
+        proxy_pass http://${NGINX_CRON_METRICS}/metrics;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~* \.(txt|log)$ {
+        deny all;
+    }
+
+    location ~ \..*/.*\.php$ {
+        return 403;
+    }
+
+    location ~ ^/sites/.*/private/ {
+        return 403;
+    }
+
+    # Block access to scripts in site files directory
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+
+    # Block access to "hidden" files and directories whose names begin with a
+    # period.
+    location ~ (^|/)\. {
+        return 403;
+    }
+
+    location / {
+        try_files $uri /index.php?$query_string;
+    }
+
+    location @rewrite {
+        rewrite ^ /index.php;
+    }
+
+    # Don't allow direct access to PHP files in the vendor directory.
+    location ~ /vendor/.*\.php$ {
+        deny all;
+        return 404;
+    }
+
+    # Protect files and directories from prying eyes.
+    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.tar|.gz|.bz2|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+        deny all;
+        return 404;
+    }
+
+    location ~ '\.php$|^/update.php' {
+        include fastcgi_params;
+
+        fastcgi_buffers 16 32k;
+        fastcgi_buffer_size 64k;
+        fastcgi_busy_buffers_size 64k;
+
+        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+
+        # Ensure the php file exists. Mitigates CVE-2019-11043
+        try_files $fastcgi_script_name =404;
+
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param QUERY_STRING $query_string;
+
+        fastcgi_intercept_errors on;
+        fastcgi_pass ${NGINX_FPM_SERVICE};
+    }
+
+    # Enforce clean URLs
+    #
+    # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+    # Could be done with 301 for permanent or other redirect codes.
+    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+        return 307 $1$2;
+    }
+
+    error_log /dev/stderr;
+    access_log /dev/stdout main;
+}

.env

@@ -1,2 +1,4 @@
 COMPOSE_PROJECT_NAME=project-database
 COMPOSE_DOMAIN=project-database.local.itkdev.dk
+ITKDEV_TEMPLATE=drupal-11
+COMPOSE_SERVER_DOMAIN=project-database.itkdev.dk

.github/workflows/changelog.yaml

@@ -0,0 +1,27 @@
+# Do not edit this file! Make a pull request on changing
+# github/workflows/changelog.yaml in
+# https://github.com/itk-dev/devops_itkdev-docker if need be.
+
+### ### Changelog
+###
+### Checks that changelog has been updated
+
+name: Changelog
+
+on:
+  pull_request:
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 2
+
+      - name: Git fetch
+        run: git fetch
+
+      - name: Check that changelog has been updated.
+        run: git diff --exit-code origin/${{ github.base_ref }} -- CHANGELOG.md && exit 1 || exit 0