# Base image: official PHP 8.4 build with Apache. The tag is mutable, so a
# rebuild can silently pick up a different image; pin by digest
# (`php:8.4-apache@sha256:<digest>`) where reproducible builds matter.
FROM php:8.4-apache

# Take only the composer binary from the official composer image. `composer:2`
# is a floating major tag, so the same pinning consideration applies.
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer

# No USER instruction appears in this file, so composer runs as the base
# image's default user (root); this silences composer's superuser warning.
# ENV persists into the running container, so composer invoked at runtime is
# also allowed to run as root without complaint.
ENV COMPOSER_ALLOW_SUPERUSER=1

# One layer for OS packages, PHP extensions and Apache setup. The apt lists are
# removed in the same layer so they never reach the image.
#   - git, unzip: presumably for composer's package download/unpack
#   - libicu-dev, libsqlite3-dev: build headers for the intl and pdo_sqlite
#     extensions compiled by docker-php-ext-install
#   - first sed: moves the default vhost's document root to the htdocs/ subdir
# NOTE(review): the second sed rewrites every `AllowOverride None` in
# apache2.conf, not only the block covering the document root, so .htaccess
# overrides are honoured in every <Directory> section that file declares.
# Confirm that is intended, or scope the substitution to the /var/www block.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        git \
        libicu-dev \
        libsqlite3-dev \
        unzip \
    && docker-php-ext-install pdo_mysql pdo_sqlite intl \
    && a2enmod rewrite headers \
    && echo "ServerName localhost" > /etc/apache2/conf-available/servername.conf \
    && a2enconf servername \
    && sed -ri 's!/var/www/html!/var/www/html/htdocs!g' /etc/apache2/sites-available/000-default.conf \
    && sed -ri 's!AllowOverride None!AllowOverride All!g' /etc/apache2/apache2.conf \
    && rm -rf /var/lib/apt/lists/*
# Apache hardening drop-in: ServerTokens Prod + ServerSignature Off to keep
# the production-mode Server header minimal (no version, no OS). The `zz-`
# prefix forces alphabetical load order after Debian's `security.conf`,
# which otherwise sets `ServerTokens OS` and `ServerSignature On`.
# NOTE(review): the directives live in the copied file, which is not visible
# here; re-check this description whenever that file changes.
COPY docker/apache/conf-available/zz-nene-hardening.conf /etc/apache2/conf-available/zz-nene-hardening.conf
# COPY only places the file in conf-available/; a2enconf is what activates it.
RUN a2enconf zz-nene-hardening
# PHP ini drop-ins (NeNe production-mode overrides — currently: expose_php Off
# to suppress X-Powered-By in HTTP responses). PHP reads conf.d/ in
# alphabetical order, so the `zz-` prefix makes this file load last and win
# over any earlier ini that sets the same directive.
# NOTE(review): the ini contents are not visible here; the description above
# is taken from the existing comment — confirm against the file.
COPY docker/php/conf.d/zz-nene.ini /usr/local/etc/php/conf.d/zz-nene.ini
# Application root; every later relative path (COPY, RUN) resolves from here.
WORKDIR /var/www/html
# Mark the host bind-mounted working tree as safe so git inside the container
# does not reject it with `dubious ownership` errors when the host uid differs
# from the container's root uid.
# Security note: safe.directory switches off git's ownership check for this
# one path, so git will honour the config and hooks found in whatever tree is
# mounted there — only mount working trees you trust. `--global` writes to the
# build user's gitconfig, so the exemption applies to that user only.
RUN git config --global --add safe.directory /var/www/html
# Copy only the dependency manifests first: the composer layer below is then
# reused from cache until composer.json or composer.lock changes.
COPY composer.json composer.lock ./

# Build switch for production images. `compose.prod.yaml` passes
# `--build-arg NENE_NO_DEV=1`; the `${VAR:+word}` expansion adds `--no-dev` for
# ANY non-empty value (including `0`). Left empty (the default), dev packages
# are installed so the bundled image can run `composer test` out of the box —
# which also means an image built without the arg ships dev tooling.
ARG NENE_NO_DEV=
RUN composer install \
        --no-interaction \
        --prefer-dist \
        --no-progress \
        ${NENE_NO_DEV:+--no-dev}

# Bring in the rest of the build context.
# NOTE(review): this copies everything the context contains. Confirm a
# .dockerignore keeps VCS metadata, local env/credential files and any host
# vendor/ directory out of the image (a host vendor/ would also overwrite the
# one composer just installed).
COPY . .

# Project bootstrap script; its contents are not shown here. It executes at
# build time as the build user, so review it like any other RUN step.
RUN ./init.sh