From d6f3e7653fbbfbb0847850b6627cb08004850e7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Dunglas?=
Date: Tue, 9 Feb 2021 10:42:17 +0100
Subject: [PATCH] feat: synchronize with API Platform's definition (#113)

---
 Dockerfile | 27 +++++++++++-------------
 docker-compose.prod.yml | 6 +++---
 docker-compose.yml | 26 ++++++++++++++++++-----
 docker/caddy/Caddyfile | 17 ++++++++-------
 docker/php/docker-healthcheck.sh | 2 +-
 docker/php/php-fpm.d/zz-docker.conf | 7 +++++++
 docs/production.md | 32 ++++++++++++++++++++++-------
 7 files changed, 79 insertions(+), 38 deletions(-)
 create mode 100644 docker/php/php-fpm.d/zz-docker.conf

diff --git a/Dockerfile b/Dockerfile
index 2ebaf0f..38fb590 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -53,16 +53,22 @@ RUN set -eux; \
 \
 apk del .build-deps
 
-COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
+COPY docker/php/docker-healthcheck.sh /usr/local/bin/docker-healthcheck
+RUN chmod +x /usr/local/bin/docker-healthcheck
+
+HEALTHCHECK --interval=10s --timeout=3s --retries=3 CMD ["docker-healthcheck"]
 
 RUN ln -s $PHP_INI_DIR/php.ini-production $PHP_INI_DIR/php.ini
 COPY docker/php/conf.d/symfony.prod.ini $PHP_INI_DIR/conf.d/symfony.ini
 
-RUN set -eux; \
- { \
- echo '[www]'; \
- echo 'ping.path = /ping'; \
- } | tee /usr/local/etc/php-fpm.d/docker-healthcheck.conf
+COPY docker/php/php-fpm.d/zz-docker.conf /usr/local/etc/php-fpm.d/zz-docker.conf
+
+COPY docker/php/docker-entrypoint.sh /usr/local/bin/docker-entrypoint
+RUN chmod +x /usr/local/bin/docker-entrypoint
+
+VOLUME /var/run/php
+
+COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
 
 # https://getcomposer.org/doc/03-cli.md#composer-allow-superuser
 ENV COMPOSER_ALLOW_SUPERUSER=1
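Review bot: `COPY --from=composer:latest /usr/bin/composer /usr/bin/composer`, re-added at the end of this hunk, still pulls an unpinned `latest` image, so the php stage is not reproducible and silently picks up whatever composer publishes next; the line is carried over from before the move, but while it is being touched a major-version tag such as `composer:2` (or a digest) is the usual fix. The two `COPY` + `RUN chmod +x` pairs for docker-healthcheck and docker-entrypoint each spend an extra layer on a permission bit; under BuildKit they collapse to `COPY --chmod=755 docker/php/docker-healthcheck.sh /usr/local/bin/docker-healthcheck`, which requires a `# syntax=docker/dockerfile:1` directive that would sit outside this hunk, so I cannot confirm it is present. `VOLUME /var/run/php` is declared before anything could write to that path, which is the right order, but a one-line comment such as `# php-fpm socket directory, shared with the caddy container via the php_socket volume` would explain why a PHP image declares a volume at all.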
@@ -96,14 +102,6 @@ RUN set -eux; \
 chmod +x bin/console; sync
 
 VOLUME /srv/app/var
 
-COPY docker/php/docker-healthcheck.sh /usr/local/bin/docker-healthcheck
-RUN chmod +x /usr/local/bin/docker-healthcheck
-
-HEALTHCHECK --interval=10s --timeout=3s --retries=3 CMD ["docker-healthcheck"]
-
-COPY docker/php/docker-entrypoint.sh /usr/local/bin/docker-entrypoint
-RUN chmod +x /usr/local/bin/docker-entrypoint
-
 ENTRYPOINT ["docker-entrypoint"]
 CMD ["php-fpm"]
@@ -118,7 +116,6 @@ FROM caddy:${CADDY_VERSION} AS symfony_caddy
 
 WORKDIR /srv/app
 
-ENV MERCURE_DEMO="demo /srv/mercure-assets/"
 COPY --from=dunglas/mercure:v0.11 /srv/public /srv/mercure-assets/
 COPY --from=symfony_caddy_builder /usr/bin/caddy /usr/bin/caddy
 COPY --from=symfony_php /srv/app/public public/
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 8e787fe..6925171 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -5,9 +5,9 @@ services:
 php:
 environment:
 APP_ENV: prod
+ APP_SECRET: ${APP_SECRET}
 
 caddy:
 environment:
- MERCURE_DEMO: # Disable the demo
- MERCURE_PUBLISHER_JWT: ${MERCURE_PUBLISHER_JWT}
- MERCURE_SUBSCRIBER_JWT: ${MERCURE_SUBSCRIBER_JWT}
+ MERCURE_PUBLISHER_JWT_KEY: ${MERCURE_PUBLISHER_JWT_KEY}
+ MERCURE_SUBSCRIBER_JWT_KEY: ${MERCURE_SUBSCRIBER_JWT_KEY}
diff --git a/docker-compose.yml b/docker-compose.yml
index f4d525b..8091d69 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,6 +9,8 @@ services:
 SYMFONY_VERSION: ${SYMFONY_VERSION:-}
 STABILITY: ${STABILITY:-stable}
 restart: unless-stopped
+ volumes:
+ - php_socket:/var/run/php
 healthcheck:
 interval: 10s
 timeout: 3s
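Review bot: `APP_SECRET: ${APP_SECRET}` in docker-compose.prod.yml has neither a default nor an error modifier, so when the variable is not exported Compose substitutes an empty string (with only a warning) and the php container comes up in `prod` with an empty `APP_SECRET`; the same applies to `MERCURE_PUBLISHER_JWT_KEY` and `MERCURE_SUBSCRIBER_JWT_KEY` on the caddy service. Since the production override is precisely where a missing secret must not be tolerated, fail fast instead: `APP_SECRET: ${APP_SECRET:?APP_SECRET must be set}`, and the same `:?` form for the two Mercure keys. The hunk does not show whether anything else validates these values at startup; if something does, a comment pointing to it would be enough.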
@@ -25,18 +27,32 @@ services:
 build:
 context: .
 target: symfony_caddy
+ depends_on:
+ - php
 environment:
 SERVER_NAME: ${SERVER_NAME:-localhost, caddy:80}
- MERCURE_PUBLISHER_JWT: ${MERCURE_PUBLISHER_JWT:-!ChangeMe!}
- MERCURE_SUBSCRIBER_JWT: ${MERCURE_SUBSCRIBER_JWT:-!ChangeMe!}
+ MERCURE_PUBLISHER_JWT_KEY: ${MERCURE_PUBLISHER_JWT_KEY:-!ChangeMe!}
+ MERCURE_SUBSCRIBER_JWT_KEY: ${MERCURE_SUBSCRIBER_JWT_KEY:-!ChangeMe!}
 restart: unless-stopped
- ports:
- - "80:80"
- - "443:443"
 volumes:
+ - php_socket:/var/run/php
 - caddy_data:/data
 - caddy_config:/config
+ ports:
+ # HTTP
+ - target: 80
+ published: 80
+ protocol: tcp
+ # HTTPS
+ - target: 443
+ published: 443
+ protocol: tcp
+ # HTTP/3
+ - target: 443
+ published: 443
+ protocol: udp
 
 volumes:
+ php_socket:
 caddy_data:
 caddy_config:
diff --git a/docker/caddy/Caddyfile b/docker/caddy/Caddyfile
index 68619e2..d5622a8 100644
--- a/docker/caddy/Caddyfile
+++ b/docker/caddy/Caddyfile
@@ -1,4 +1,7 @@
 {
+ # Debug
+ {$DEBUG}
+ # HTTP/3 support
 servers {
 protocol {
 experimental_http3
@@ -14,21 +17,21 @@ route {
 root * /srv/app/public
 mercure {
 # Transport to use (default to Bolt)
- transport_url bolt:///data/mercure.db
- # Enable the demo endpoint (disable it in production!)
- {$MERCURE_DEMO}
+ transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
 # Publisher JWT key
- publisher_jwt {$MERCURE_PUBLISHER_JWT}
+ publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
 # Subscriber JWT key
- subscriber_jwt {$MERCURE_SUBSCRIBER_JWT}
+ subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
 # Allow anonymous subscribers (double-check that it's what you want)
 anonymous
 # Enable the subscription API (double-check that it's what you want)
 subscriptions
+ # Extra directives
+ {$MERCURE_EXTRA_DIRECTIVES}
 }
 vulcain
 push
- php_fastcgi php:9000
- encode gzip
+ php_fastcgi unix//var/run/php/php-fpm.sock
+ encode zstd gzip
 file_server
 }
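Review bot: `depends_on: - php` on the caddy service only orders container creation; it does not wait for php-fpm to have created `/var/run/php/php-fpm.sock` in the shared `php_socket` volume, so the new socket-based `php_fastcgi` upstream can fail the first requests after `up` instead of, as before, retrying a TCP connect to `php:9000`. The php service already declares a healthcheck (visible in the earlier hunk of this file), so `depends_on: php: condition: service_healthy` would gate caddy on it; whether that long form is accepted depends on the compose file version in use, which this hunk does not show. If the version forbids it, a comment on `depends_on` saying that callers should expect a short 502 window at startup is the minimum.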
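Review bot: The comments `# Publisher JWT key` and `# Subscriber JWT key` no longer describe the lines under them, which now also read a signing algorithm from `MERCURE_PUBLISHER_JWT_ALG` / `MERCURE_SUBSCRIBER_JWT_ALG` — variables that nothing else in this patch sets or documents, so an operator reading the Caddyfile has no hint they exist. A comment such as `# Publisher JWT key and signing algorithm (MERCURE_PUBLISHER_JWT_ALG; leave unset for Mercure's default)` on each would close that gap. Likewise `{$MERCURE_EXTRA_DIRECTIVES}` is spliced into the mercure block as raw Caddyfile text at load time, not parsed as a list of options, so `# Extra directives` should say so, e.g. `# Raw Caddyfile directives appended to this block (advanced; review before setting)`.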
diff --git a/docker/php/docker-healthcheck.sh b/docker/php/docker-healthcheck.sh index cb566ee..e9d1c82 100644 --- a/docker/php/docker-healthcheck.sh +++ b/docker/php/docker-healthcheck.sh @@ -5,7 +5,7 @@ export SCRIPT_NAME=/ping export SCRIPT_FILENAME=/ping export REQUEST_METHOD=GET -if cgi-fcgi -bind -connect 127.0.0.1:9000; then +if cgi-fcgi -bind -connect /var/run/php/php-fpm.sock; then exit 0 fi diff --git a/docker/php/php-fpm.d/zz-docker.conf b/docker/php/php-fpm.d/zz-docker.conf new file mode 100644 index 0000000..354a4e3 --- /dev/null +++ b/docker/php/php-fpm.d/zz-docker.conf @@ -0,0 +1,7 @@ +[global] +daemonize = no + +[www] +listen = /var/run/php/php-fpm.sock +listen.mode = 0666 +ping.path = /ping diff --git a/docs/production.md b/docs/production.md index 1e56902..2e46f95 100644 --- a/docs/production.md +++ b/docs/production.md @@ -23,7 +23,9 @@ Don't forget to add your SSH key or to create a password then press the "Finaliz Then, wait a few seconds while your Droplet is provisioning. When your Droplet is ready, use SSH to connect: - $ ssh root@ +```console +ssh root@ +``` ## Configuring a Domain Name @@ -35,7 +37,9 @@ Then create a DNS record of type `A` for your domain name pointing to the IP add Example: - your-domain-name.example.com. IN A 207.154.233.113 +```dns +your-domain-name.example.com. IN A 207.154.233.113 +```` Example in Gandi's UI: 
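Review bot: `listen.mode = 0666` in the new docker/php/php-fpm.d/zz-docker.conf makes the php-fpm socket connectable by every uid in both containers that mount the `php_socket` volume, and any process that can open that socket can have php-fpm execute PHP on its behalf; php-fpm's own default is 0660 for that reason. If the user the caddy container runs as can be fixed (the patch does not show which uid it uses), set `listen.owner` / `listen.group` to that identity and keep 0660; if 0666 is genuinely required because the two containers share no uid, add a comment on that line stating so, because the next maintainer will otherwise read it as an oversight. Presumably this file also replaces the official php image's zz-docker.conf and thereby stops php-fpm listening on TCP 9000, which is an improvement worth a one-line comment at the top of the file.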
@@ -52,22 +56,36 @@ Deploy keys are also [supported by GitLab](https://docs.gitlab.com/ee/user/proje Example with Git: - $ git clone git@github.com:/.git +```console +git clone git@github.com:/.git +``` Go into the directory containing your project (``), and start the app in production mode: - $ SERVER_NAME=your-domain-name.example.com docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d +```console +SERVER_NAME=your-domain-name.example.com \ +APP_SECRET=ChangeMe \ +MERCURE_PUBLISHER_JWT_KEY=ChangeMe \ +MERCURE_SUBSCRIBER_JWT_KEY=ChangeMe \ +docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d +``` -Be sure to replace `your-domain-name.example.com` by your actual domain name. +Be sure to replace `your-domain-name.example.com` by your actual domain name and to set the values of `APP_SECRET`, `MERCURE_PUBLISHER_JWT_KEY` and `MERCURE_SUBSCRIBER_JWT_KEY` to cryptographically secure random values. Your server is up and running, and a Let's Encrypt HTTPS certificate has been automatically generated for you. Go to `https://your-domain-name.example.com` and enjoy! -## Disabling HTTPS +## Disabling HTTPS Alternatively, if you don't want to expose an HTTPS server but only an HTTP one, run the following command: - $ SERVER_NAME=:80 docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d +```console +SERVER_NAME=:80 \ +APP_SECRET=ChangeMe \ +MERCURE_PUBLISHER_JWT_KEY=ChangeMe \ +MERCURE_SUBSCRIBER_JWT_KEY=ChangeMe \ +docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d +``` ## Deploying on Multiple Nodes