Merge pull request #144 from HAWK-Digital-Environments/feat/Martin/Docker-infrastructure

feat: docker infrastructure

Author: Ariansdf

.dockerignore

@@ -0,0 +1,20 @@
+/config/model_providers.php
+/config/model_providers.php.example
+/bin
+/node_modules
+/vendor
+/public/build
+/public/hot
+/public/storage
+/storage/*.key
+/storage/logs/laravel.log#
+/storage/framework/views/*.php
+/storage/app/test_users.json
+/.env
+/.env.private
+/.gitattributes
+/.gitignore
+/docker-compose*.yml
+/hawki
+/_documentation
+/_docker_production

.env.example

@@ -26,6 +26,7 @@
 # Global Application Settings
 # ===========================
 #
+#  - PROJECT_NAME:           URL-safe name of the project (everything lowercase, no spaces, no special characters) used to name docker containers.
 #  - APP_NAME:               Application name, can be anything you like
 #  - APP_ENV:                Deployment type: "local", "statiging" or "production"
 #  - APP_URL:                Public URL to access the web interface
@@ -41,6 +42,7 @@
 #  - AI_MENTION_HANDLE:      Hnadle to mention AI in group chats.
 
 
+PROJECT_NAME=hawki2
 APP_NAME= HAWKI2
 APP_URL= http://127.0.0.1:8000
 APP_ENV= local
@@ -92,7 +94,7 @@ DB_CONNECTION= mysql
 #DB_FOREIGN_KEYS= true
 
 ## MySQL / MariaDB
-#DB_URL= 
+#DB_URL=
 #DB_HOST= localhost
 #DB_PORT= 3306
 #DB_SOCKET=
@@ -104,7 +106,7 @@ DB_CONNECTION= mysql
 #MYSQL_ATTR_SSL_CA=
 
 ## Postgresql
-#DB_URL= 
+#DB_URL=
 #DB_HOST= localhost
 #DB_PORT= 5432
 #DB_DATABASE= HAWKI2
@@ -113,7 +115,7 @@ DB_CONNECTION= mysql
 #DB_CHARSET= utf8
 
 ## Microsoft SQL Server
-#DB_URL= 
+#DB_URL=
 #DB_HOST= localhost
 #DB_PORT= 1433
 #DB_DATABASE= HAWKI2
@@ -145,25 +147,25 @@ FILESYSTEM_DISK= local
 # Session Configuration
 # ===========================
 #
-# These are essential Laravel default variables for session management and they must be 
+# These are essential Laravel default variables for session management and they must be
 # present and active to ensure proper session handling within the application.
 #
-# SESSION_DRIVER: Specifies the session "driver" or handler used to store session data. 
-# Common choices include "file", "cookie", "database", etc. Typically, "database" is used 
+# SESSION_DRIVER: Specifies the session "driver" or handler used to store session data.
+# Common choices include "file", "cookie", "database", etc. Typically, "database" is used
 # if sessions are stored in the database.
 #
-# SESSION_LIFETIME: The session lifetime in minutes. It determines how long a session 
+# SESSION_LIFETIME: The session lifetime in minutes. It determines how long a session
 # remains active before it expires.
 #
-# SESSION_ENCRYPT: Indicates whether session data should be encrypted. Accepts "true" or "false". 
+# SESSION_ENCRYPT: Indicates whether session data should be encrypted. Accepts "true" or "false".
 # When set to "true", it adds an extra layer of security by encrypting session data.
 #
 # SESSION_PATH: Defines the path for which the session cookie is available. The default value is "/".
 #
-# SESSION_DOMAIN: Specifies the domain that the session cookie is available to. Use "null" 
+# SESSION_DOMAIN: Specifies the domain that the session cookie is available to. Use "null"
 # to default to the current domain.
 #
-# SESSION_EXPIRE_ON_CLOSE: Defines whether the session should expire when the browser 
+# SESSION_EXPIRE_ON_CLOSE: Defines whether the session should expire when the browser
 # is closed. Set to "true" to expire sessions on browser close, enhancing session security.
 
 SESSION_DRIVER=database
@@ -220,7 +222,7 @@ REVERB_SCHEME = http
 
 REVERB_APP_ID     = HAWKI2
 REVERB_APP_SECRET = ChangeMe!
-REVERB_APP_KEY    = ChangeMe!
+REVERB_APP_KEY    = hawki2
 
 #REVERB_APP_PING_INTERVAL    = 60
 #REVERB_APP_MAX_MESSAGE_SIZE = 250000
@@ -234,19 +236,19 @@ REVERB_APP_KEY    = ChangeMe!
 # =================================
 #
 # These environment variables are used to specify the SSL certificate and the corresponding
-# private key that are essential for establishing secure TLS/SSL connections in certain 
-# broadcasting setups. This is particularly crucial when using Reverb or similar services 
+# private key that are essential for establishing secure TLS/SSL connections in certain
+# broadcasting setups. This is particularly crucial when using Reverb or similar services
 # with encrypted connections, ensuring data is securely transmitted over HTTPS.
 #
-# SSL_CERTIFICATE: Specifies the path to your SSL certificate file. This certificate is used 
+# SSL_CERTIFICATE: Specifies the path to your SSL certificate file. This certificate is used
 # to authenticate and establish a secure connection between the server and the client.
 #
 # SSL_CERTIFICATE_KEY: Specifies the path to the private key file corresponding to your SSL
-# certificate. The key is required to confirm the identity of the server and encrypt the 
+# certificate. The key is required to confirm the identity of the server and encrypt the
 # data being transmitted.
 #
-# In the broadcasting configuration, these variables are used to configure the Guzzle 
-# HTTP client with appropriate SSL settings. By providing these files, you enable 
+# In the broadcasting configuration, these variables are used to configure the Guzzle
+# HTTP client with appropriate SSL settings. By providing these files, you enable
 # SSL/TLS encryption for broadcast services, enhancing the security of data in transit.
 
 SSL_CERTIFICATE=""
@@ -292,8 +294,8 @@ VITE_REVERB_SCHEME="${REVERB_SCHEME}"
 # Queue Worker Configuration
 # ===========================
 #
-# This configuration setting is used to specify the queue connection that should be used by the 
-# Laravel application. This is essential for managing asynchronous tasks such as sending emails, 
+# This configuration setting is used to specify the queue connection that should be used by the
+# Laravel application. This is essential for managing asynchronous tasks such as sending emails,
 # processing uploads, or any other task that can be handled in the background.
 #
 # QUEUE_CONNECTION: Defines the queue connection that the Laravel application will use.
@@ -467,7 +469,7 @@ ALLOW_USER_TOKEN_CREATION=false
 #  - DYNAMODB_ENDPOINT:           ???
 
 CACHE_STORE  = database
-CACHE_PREFIX = 
+CACHE_PREFIX =
 
 ## Database Table
 #DB_CACHE_TABLE           = cache
@@ -500,7 +502,7 @@ MEMCACHED_HOST=127.0.0.1
 # cache database table.
 #
 #  - REDIS_CLIENT:   PHP library used to access the Redis server
-#  - REDIS_SERVER:   Hostname of the Redis server
+#  - REDIS_HOST:   Hostname of the Redis server
 #  - REDIS_PORT:     Port number of the Redis server
 #  - REDIS_USERNAME: Username to access the Redis server
 #  - REDIS_PASSWORD: Password to access the Redis server
@@ -510,14 +512,14 @@ MEMCACHED_HOST=127.0.0.1
 #  - REDIS_PREFIX:   Prefix for database entry keys (by default calculated from the app name)
 
 #REDIS_CLIENT= phpredis
-#REDIS_SERVER= localhost
+#REDIS_HOST= localhost
 #REDIS_PORT= 6379
 #REDIS_USERNAME=
 #REDIS_PASSWORD=
 #REDIS_DB= 0
 #REDIS_CACHE_DB= 1
 #REDIS_CLUSTER= redis
-#REDIS_PREFIX= 
+#REDIS_PREFIX=
 
 
 # ========================
@@ -552,11 +554,11 @@ MEMCACHED_HOST=127.0.0.1
 # Encryption Configuration
 # ==========================
 #
-# For enhanced security, HAWKI utilizes individual salts for each component to ensure that data is 
-# encrypted uniquely. While not mandatory, using unique hash keys for each component is recommended 
+# For enhanced security, HAWKI utilizes individual salts for each component to ensure that data is
+# encrypted uniquely. While not mandatory, using unique hash keys for each component is recommended
 # to maximize the security of user data, invitations, AI components, passkeys, and backups.
 #
-# USERDATA_ENCRYPTION_SALT: The salt used specifically for encrypting user data. 
+# USERDATA_ENCRYPTION_SALT: The salt used specifically for encrypting user data.
 # INVITATION_SALT:          The salt used for encrypting invitations data.
 # AI_CRYPTO_SALT:           Used to generate a derived key for the AI messages in the groupchat
 # PASSKEY_SALT:             The salt used for encrypting passkey data, contributing to robust password and credential security.
@@ -579,5 +581,3 @@ BACKUP_SALT=base64:someLegendarySalt==
 
 
 IMPRINT_LOCATION = ""
-
-

.github/workflows/publish-docker-image.yml

@@ -0,0 +1,65 @@
+name: Publish Docker image
+
+on:
+  push:
+    tags:
+      - '*'
+    branches:
+      - main
+
+jobs:
+  push_to_registry:
+    name: Push Docker image to Docker Hub
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
+    # Only run this job if a tag is pushed on the main branch
+    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') && github.ref_name == 'main'
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Extract tag name
+        id: tag
+        shell: bash
+        run: echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: digitalenvironments/hawki
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/[email protected]
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          target: app_prod
+          tags: |
+            digitalenvironments/hawki:latest
+            digitalenvironments/hawki:${{ steps.tag.outputs.tag }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: index.docker.io/digitalenvironments/hawki
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.gitignore

@@ -6,7 +6,9 @@
 /storage/*.key
 /vendor
 .env
+!/_docker_production/.env
 .env.backup
+.env.private
 .env.production
 .phpactor.json
 .phpunit.result.cache
@@ -19,4 +21,4 @@ yarn-error.log
 /.idea
 /.vscode
 config/model_providers.php
-config/model_providers.php
+docker-compose.override.yml