michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: CI/CD pipeline setup complete - Ansible playbooks updated, secrets configured, workflow ready

Browse Source
This commit is contained in:
Michael Schiemer
2025-10-31 01:39:24 +01:00
parent 55c04e4fd0
commit e26eb2aa12
601 changed files with 44184 additions and 32477 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docker/entrypoint.sh Executable file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
set -e
echo "🔐 Loading secrets from /run/secrets/..."
# Function to load secret from file if *_FILE env var is set
load_secret() {
local var_name="$1"
local file_var="${var_name}_FILE"
if [ -n "${!file_var}" ] && [ -f "${!file_var}" ]; then
export "$var_name"="$(cat "${!file_var}")"
echo "✅ Loaded $var_name from ${!file_var}"
fi
}
# Load database password from secret file
load_secret "DB_PASSWORD"
# Load other secrets
load_secret "APP_KEY"
load_secret "VAULT_ENCRYPTION_KEY"
load_secret "SHOPIFY_WEBHOOK_SECRET"
load_secret "RAPIDMAIL_PASSWORD"
echo "✅ All secrets loaded"
echo ""
echo "📊 Environment variables:"
env | grep -E "DB_|APP_" | grep -v "PASSWORD\|KEY\|SECRET" || true
# Start PHP-FPM in background (inherits all environment variables)
echo "🚀 Starting PHP-FPM..."
php-fpm &
# Wait for PHP-FPM to be ready
sleep 2
# Start nginx in foreground (inherits all environment variables)
echo "🚀 Starting nginx..."
exec nginx -g 'daemon off;'

154
docker/nginx/default.production.conf Normal file
View File

@@ -0,0 +1,154 @@
# Production Nginx Configuration
# Based on default.conf but adapted for single-container deployment
# PHP-FPM runs in same container via Supervisor
upstream php-upstream {
server 127.0.0.1:9000;
}
# HTTP Server - Redirect to HTTPS
server {
listen 80;
listen [::]:80;
server_name _;
# Health check on HTTP
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
allow all;
}
# Redirect all other traffic to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS Server
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _;
# SSL Configuration
ssl_certificate /var/www/ssl/cert.pem;
ssl_certificate_key /var/www/ssl/key.pem;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
root /var/www/html/public;
index index.php index.html;
# Security headers
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# Gzip
gzip on;
gzip_vary on;
gzip_types text/css application/javascript application/json image/svg+xml;
gzip_comp_level 5;
# ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
allow all;
}
# Health check endpoint
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# Static assets with caching
location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
try_files $uri =404;
}
location ~* \.(css|js|map)$ {
expires 1w;
add_header Cache-Control "public, max-age=604800";
try_files $uri =404;
}
# Service Worker
location = /sw.js {
alias /var/www/html/public/sw.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
}
location = /js/sw-push.js {
alias /var/www/html/public/js/sw-push.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
add_header Content-Type "application/javascript; charset=utf-8";
}
# Main application
location / {
try_files $uri $uri/ /index.php?$query_string;
autoindex off;
}
# PHP-FPM
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php-upstream;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param APP_ENV production;
fastcgi_param HTTPS on;
fastcgi_read_timeout 60s;
fastcgi_connect_timeout 60s;
fastcgi_send_timeout 60s;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_keep_conn on;
fastcgi_hide_header X-Powered-By;
}
# Deny access to hidden files
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
}
# Prevent PHP execution in uploads
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Error pages
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 502 503 504 /errors/50x.html;
location /errors/ {
internal;
}
server_tokens off;
}

114
docker/nginx/default.traefik.conf Normal file
View File

@@ -0,0 +1,114 @@
# Nginx Configuration for Traefik Integration
# Traefik handles SSL termination - this listens on HTTP:80 only
upstream php-upstream {
server 127.0.0.1:9000;
}
server {
listen 80;
listen [::]:80;
server_name _;
root /var/www/html/public;
index index.php index.html;
# Security headers (Traefik may add more)
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Gzip
gzip on;
gzip_vary on;
gzip_types text/css application/javascript application/json image/svg+xml;
gzip_comp_level 5;
# Health check endpoint
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# Static assets with caching
location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
try_files $uri =404;
}
location ~* \.(css|js|map)$ {
expires 1w;
add_header Cache-Control "public, max-age=604800";
try_files $uri =404;
}
# Service Worker
location = /sw.js {
alias /var/www/html/public/sw.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
}
location = /js/sw-push.js {
alias /var/www/html/public/js/sw-push.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
add_header Content-Type "application/javascript; charset=utf-8";
}
# Main application
location / {
try_files $uri $uri/ /index.php?$query_string;
autoindex off;
}
# PHP-FPM
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php-upstream;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param APP_ENV production;
# Traefik terminates SSL, but tell app it's HTTPS
fastcgi_param HTTPS $http_x_forwarded_proto;
fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
fastcgi_read_timeout 60s;
fastcgi_connect_timeout 60s;
fastcgi_send_timeout 60s;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_keep_conn on;
fastcgi_hide_header X-Powered-By;
}
# Deny access to hidden files
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
}
# Prevent PHP execution in uploads
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Error pages
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 502 503 504 /errors/50x.html;
location /errors/ {
internal;
}
server_tokens off;
}

43
docker/nginx/nginx.production.conf Normal file
View File

@@ -0,0 +1,43 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log warn;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss
application/rss+xml font/truetype font/opentype
application/vnd.ms-fontobject image/svg+xml;
# Client body size
client_max_body_size 20M;
# Include site configurations (Debian nginx uses sites-enabled)
include /etc/nginx/sites-enabled/*;
}

68
docker/php/Dockerfile.test Normal file
View File

@@ -0,0 +1,68 @@
# Dockerfile für PHP 8.4 Test-Umgebung
FROM php:8.4-fpm AS test
# System-Abhängigkeiten
RUN apt-get update && apt-get install -y \
git \
unzip \
libzip-dev \
zip \
libpng-dev \
libjpeg-dev \
libfreetype6-dev \
libwebp-dev \
libavif-dev \
libxpm-dev \
libsodium-dev \
libpq-dev \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
RUN docker-php-ext-configure gd \
--with-freetype \
--with-jpeg \
--with-webp \
--with-avif \
--with-xpm \
&& docker-php-ext-install -j$(nproc) gd
# Install PHP extensions
RUN docker-php-ext-install -j$(nproc) \
zip \
pdo \
pdo_mysql \
pdo_pgsql \
pcntl \
posix \
shmop \
bcmath
# Install PECL extensions (stable versions for PHP 8.4)
RUN pecl install apcu redis \
&& docker-php-ext-enable apcu redis
RUN echo "apc.enable_cli=1" >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini \
&& echo "apc.shm_size=128M" >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini
# Composer installieren
RUN curl -sS https://getcomposer.org/installer | php \
&& mv composer.phar /usr/local/bin/composer
WORKDIR /var/www/html
# Kopiere PHP-Konfigurationen
COPY docker/php/php.common.ini /usr/local/etc/php/php.common.ini
COPY docker/php/php.development.ini /usr/local/etc/php/php.ini
# Create appuser
RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser
# Entrypoint
COPY docker/php/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
# Install gosu
RUN apt-get update && apt-get install -y gosu && apt-get clean && rm -rf /var/lib/apt/lists/*
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
CMD ["php-fpm"]

13
docker/php/opcache.ini Normal file
View File

@@ -0,0 +1,13 @@
; OPcache Configuration for Production
[opcache]
opcache.enable = 1
opcache.enable_cli = 0
opcache.memory_consumption = 128
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 10000
opcache.revalidate_freq = 60
opcache.fast_shutdown = 1
opcache.validate_timestamps = 0
opcache.save_comments = 1
opcache.enable_file_override = 1

58
docker/php/php.production.ini
View File

@@ -1,34 +1,36 @@
; php.ini für Produktion
include = php.common.ini
[opcache]
; Aktiviere OPcache
opcache.enable=1
; Aktiviere OPcache für CLI-Anwendungen (optional)
opcache.enable_cli=0
; Maximale Speichernutzung für Cache in MB
opcache.memory_consumption=128
; Maximale Anzahl an gecachten Dateien
opcache.max_accelerated_files=10000
; Wie oft wird der Cache validiert (0 = bei jedem Request)
; TEMPORÄR: 0 für einfachere Deployments während aktiver Entwicklung
; SPÄTER: Auf 60 erhöhen wenn System stabil ist
opcache.revalidate_freq=0
; Cache-Zeitstempel prüfen
; TEMPORÄR: 1 aktiviert für Deployment-Flexibilität
; SPÄTER: Auf 0 setzen für maximale Performance wenn stabil
opcache.validate_timestamps=1
; Performance-Optimierungen
opcache.interned_strings_buffer=16
; JIT (Just-In-Time Compilation) - Optional für PHP 8.0+
opcache.jit_buffer_size=100M
opcache.jit=1255
; Production PHP Configuration for Custom PHP Framework
[PHP]
; Error handling - Log errors, don't display
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/www/html/storage/logs/php-errors.log
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
; Performance
memory_limit = 256M
upload_max_filesize = 10M
post_max_size = 12M
max_execution_time = 30
max_input_time = 60
post_max_size = 20M
upload_max_filesize = 20M
; Session
session.save_handler = files
session.save_path = /var/www/html/storage/sessions
session.gc_maxlifetime = 1440
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1
; Security
expose_php = Off
allow_url_fopen = On
allow_url_include = Off
; Timezone
date.timezone = Europe/Berlin
; Realpath cache (performance)
realpath_cache_size = 4M
realpath_cache_ttl = 600

29
docker/php/www.production.conf Normal file
View File

@@ -0,0 +1,29 @@
[www]
; Unix user/group of processes
user = www-data
group = www-data
; The address on which to accept FastCGI requests
listen = 9000
; CRITICAL: Keep environment variables from Docker
clear_env = no
; Process management
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
; Logging
catch_workers_output = yes
php_admin_value[error_log] = /proc/self/fd/2
php_admin_flag[log_errors] = on
access.log = /proc/self/fd/2
; Security
php_admin_value[upload_max_filesize] = 50M
php_admin_value[post_max_size] = 50M
php_admin_value[memory_limit] = 256M

22
docker/php/zz-docker.production.conf Normal file
View File

@@ -0,0 +1,22 @@
[global]
daemonize = no
error_log = /proc/self/fd/2
[www]
; Unix user/group of processes (www-data for production)
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
listen = 9000
; Clear environment in FPM workers
clear_env = no
; Catch output from PHP workers
catch_workers_output = yes
; Redirect worker stdout and stderr into main error log
access.log = /proc/self/fd/2
php_admin_value[error_log] = /proc/self/fd/2
php_admin_flag[log_errors] = on

16
docker/portainer/init-admin.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/bin/sh
# Portainer Admin Password Init Script
# Creates bcrypt hash of admin password for Portainer
if [ -z "$PORTAINER_ADMIN_PASSWORD" ]; then
echo "Error: PORTAINER_ADMIN_PASSWORD environment variable not set"
exit 1
fi
# Create bcrypt hash of password
# Note: Portainer uses bcrypt cost 10
apk add --no-cache apache2-utils
htpasswd -nbB admin "$PORTAINER_ADMIN_PASSWORD" | cut -d ":" -f 2 > /tmp/portainer_password
echo "Portainer admin password hash created"
cat /tmp/portainer_password

19
docker/worker/Dockerfile
View File

@@ -11,6 +11,8 @@ RUN apt-get update && apt-get install -y \
libxml2-dev \
libzip-dev \
libicu-dev \
libpq-dev \
libsodium-dev \
zip \
unzip \
procps \
@@ -24,22 +26,39 @@ RUN docker-php-ext-configure gd --with-freetype --with-jpeg
# Note: opcache and sodium are already built into PHP 8.5
RUN docker-php-ext-install -j$(nproc) \
pdo_mysql \
pdo_pgsql \
mbstring \
exif \
pcntl \
posix \
sockets \
shmop \
gd \
zip \
intl \
bcmath
# Install PECL extensions (Redis for queue system)
RUN pecl install redis-6.3.0RC1 apcu \
&& docker-php-ext-enable redis apcu
# Configure APCu
RUN echo "apc.enable_cli=1" >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini \
&& echo "apc.shm_size=128M" >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini
# Install Composer
COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
# Set working directory
WORKDIR /var/www/html
# Create storage directory structure for volume mounts
RUN mkdir -p /var/www/html/storage/cache \
/var/www/html/storage/queue \
/var/www/html/storage/discovery \
/var/www/html/storage/logs \
/var/www/html/var
# Note: Application files and dependencies will be available via mounted volume
# No need to copy files during build since we'll use the mounted project directory