Staging environment should not expose detailed error messages,
stack traces, or debug information to end users.
Changed default from 'true' to 'false' in all services:
- php
- nginx
- queue-worker
- scheduler
Shell variables like $SECRETS_DIR in docker-compose command blocks
must be escaped as $$SECRETS_DIR. Without escaping, docker-compose
interprets them as environment variable interpolation and expands
them to empty strings, causing:
- mkdir: cannot create directory ''
- Secrets copied to wrong path (/redis_password instead of /var/www/html/storage/secrets/redis_password)
- PHP TypeError: RedisConfig::__construct() argument #3 must be string, null given
The fix applies $$ escaping to all shell variables in the PHP
service entrypoint script.
- Add explicit sed pattern for production-php:9000 → php:9000
- Fix character class [a-f0-9_]* to [a-zA-Z0-9_-]* to match full container names
- Loop over both sites-enabled and sites-available configs
- Add fastcgi_pass replacement for production-php
- Change docker-compose.staging.yml: git.michaelschiemer.de:5000 -> localhost:5000
- Update deploy-image.yml playbook to:
- Pull images from registry.michaelschiemer.de (source registry)
- Tag and push to localhost:5000 (local registry) for local containers
- Remove hardcoded git.michaelschiemer.de:5000 logic
- Use local_registry from compose files for deployment
This ensures:
- Workflow pushes to registry.michaelschiemer.de (external, HTTPS)
- Containers use localhost:5000 (local, faster, no HTTPS overhead)
- Consistent registry usage across staging and production
- Introduce `EnumResolver` to centralize and cache enum value conversions.
- Enhance `DockerSecretsResolver` with result caching to avoid redundant file reads and improve performance.
- Update `Environment` to integrate `EnumResolver` for enriched enum resolution support and improved maintainability.
- Adjust unit tests to validate caching mechanisms and error handling improvements.
- Add secrets section at end of docker-compose.staging.yml
- Ensures secrets are properly loaded even if inherited from base file
- Should fix issue where REDIS_PASSWORD_FILE variable is not set
- Secrets are now explicitly defined: redis_password, db_user_password, app_key, vault_encryption_key, git_token
- Add REDIS_PASSWORD_FILE=/run/secrets/redis_password to staging-app environment
- Add redis_password to staging-app secrets list
- Ensures REDIS_PASSWORD can be resolved from Docker Secret via *_FILE pattern
- Fixes issue where REDIS_PASSWORD was empty in staging-app even though secret exists
