


68a59f460f fix(staging): set APP_DEBUG default to false for security
Staging environment should not expose detailed error messages,
stack traces, or debug information to end users.

Changed default from 'true' to 'false' in all services:
- php
- nginx
- queue-worker
- scheduler
2025-11-25 03:47:29 +01:00
2d762eafdf fix(deploy): add warning messages for missing Docker secrets 2025-11-25 03:13:30 +01:00
760690549d fix(deploy): escape shell variables in docker-compose YAML
Shell variables like $SECRETS_DIR in docker-compose command blocks
must be escaped as $$SECRETS_DIR. Without escaping, docker-compose
interprets them as environment variable interpolation and expands
them to empty strings, causing:
- mkdir: cannot create directory ''
- Secrets copied to wrong path (/redis_password instead of /var/www/html/storage/secrets/redis_password)
- PHP TypeError: RedisConfig::__construct() argument #3 must be string, null given

The fix applies $$ escaping to all shell variables in the PHP
service entrypoint script.
2025-11-25 03:07:26 +01:00


@@ -20,7 +20,7 @@ services:
environment: environment:
- TZ=Europe/Berlin - TZ=Europe/Berlin
- APP_ENV=staging - APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true} - APP_DEBUG=${APP_DEBUG:-false}
- APP_URL=https://staging.michaelschiemer.de - APP_URL=https://staging.michaelschiemer.de
- APP_KEY=${APP_KEY:-} - APP_KEY=${APP_KEY:-}
# Git Repository - clones staging branch # Git Repository - clones staging branch
@@ -72,39 +72,44 @@ services:
# Copy Docker Secrets to readable location for www-data # Copy Docker Secrets to readable location for www-data
# Docker Secrets are only readable by root, but PHP (www-data) needs to read them. # Docker Secrets are only readable by root, but PHP (www-data) needs to read them.
# We copy them here as root to a location where www-data can read them. # We copy them here as root to a location where www-data can read them.
# Note: Use $$ to escape shell variables in docker-compose YAML
echo "🔐 Setting up Docker Secrets for PHP access..." echo "🔐 Setting up Docker Secrets for PHP access..."
SECRETS_DIR="/var/www/html/storage/secrets" SECRETS_DIR="/var/www/html/storage/secrets"
# Ensure we're in the right directory # Ensure we're in the right directory
cd /var/www/html || exit 1 cd /var/www/html || exit 1
# Create secrets directory if it doesn't exist # Create secrets directory if it doesn't exist
mkdir -p "$SECRETS_DIR" mkdir -p "$$SECRETS_DIR"
chmod 750 "$SECRETS_DIR" chmod 750 "$$SECRETS_DIR"
chown www-data:www-data "$SECRETS_DIR" chown www-data:www-data "$$SECRETS_DIR"
if [ -f /run/secrets/redis_password ]; then if [ -f /run/secrets/redis_password ]; then
cp /run/secrets/redis_password "$SECRETS_DIR/redis_password" 2>/dev/null || true cp /run/secrets/redis_password "$$SECRETS_DIR/redis_password" 2>/dev/null || true
chmod 640 "$SECRETS_DIR/redis_password" chmod 640 "$$SECRETS_DIR/redis_password"
chown www-data:www-data "$SECRETS_DIR/redis_password" chown www-data:www-data "$$SECRETS_DIR/redis_password"
export REDIS_PASSWORD_FILE="$SECRETS_DIR/redis_password" export REDIS_PASSWORD_FILE="$$SECRETS_DIR/redis_password"
echo "✅ Copied redis_password to $SECRETS_DIR/redis_password" echo "✅ Copied redis_password to $$SECRETS_DIR/redis_password"
else else
echo "⚠️ Warning: /run/secrets/redis_password not found" echo "⚠️ Warning: /run/secrets/redis_password not found"
fi fi
if [ -f /run/secrets/db_user_password ]; then if [ -f /run/secrets/db_user_password ]; then
cp /run/secrets/db_user_password "$SECRETS_DIR/db_user_password" 2>/dev/null || true cp /run/secrets/db_user_password "$$SECRETS_DIR/db_user_password" 2>/dev/null || true
chmod 640 "$SECRETS_DIR/db_user_password" chmod 640 "$$SECRETS_DIR/db_user_password"
chown www-data:www-data "$SECRETS_DIR/db_user_password" chown www-data:www-data "$$SECRETS_DIR/db_user_password"
export DB_PASSWORD_FILE="$SECRETS_DIR/db_user_password" export DB_PASSWORD_FILE="$$SECRETS_DIR/db_user_password"
echo "✅ Copied db_user_password to $SECRETS_DIR/db_user_password" echo "✅ Copied db_user_password to $$SECRETS_DIR/db_user_password"
else
echo "⚠️ Warning: /run/secrets/db_user_password not found"
fi fi
if [ -f /run/secrets/app_key ]; then if [ -f /run/secrets/app_key ]; then
cp /run/secrets/app_key "$SECRETS_DIR/app_key" 2>/dev/null || true cp /run/secrets/app_key "$$SECRETS_DIR/app_key" 2>/dev/null || true
chmod 640 "$SECRETS_DIR/app_key" chmod 640 "$$SECRETS_DIR/app_key"
chown www-data:www-data "$SECRETS_DIR/app_key" chown www-data:www-data "$$SECRETS_DIR/app_key"
export APP_KEY_FILE="$SECRETS_DIR/app_key" export APP_KEY_FILE="$$SECRETS_DIR/app_key"
echo "✅ Copied app_key to $SECRETS_DIR/app_key" echo "✅ Copied app_key to $$SECRETS_DIR/app_key"
else
echo "⚠️ Warning: /run/secrets/app_key not found"
fi fi
@@ -205,7 +210,7 @@ services:
environment: environment:
- TZ=Europe/Berlin - TZ=Europe/Berlin
- APP_ENV=staging - APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true} - APP_DEBUG=${APP_DEBUG:-false}
# Git Repository - clones staging branch # Git Repository - clones staging branch
- GIT_REPOSITORY_URL=${GIT_REPOSITORY_URL:-} - GIT_REPOSITORY_URL=${GIT_REPOSITORY_URL:-}
- GIT_BRANCH=staging - GIT_BRANCH=staging
@@ -346,7 +351,7 @@ services:
environment: environment:
- TZ=Europe/Berlin - TZ=Europe/Berlin
- APP_ENV=staging - APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true} - APP_DEBUG=${APP_DEBUG:-false}
# Database - using separate staging database # Database - using separate staging database
- DB_HOST=postgres - DB_HOST=postgres
- DB_PORT=5432 - DB_PORT=5432
@@ -401,7 +406,7 @@ services:
environment: environment:
- TZ=Europe/Berlin - TZ=Europe/Berlin
- APP_ENV=staging - APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true} - APP_DEBUG=${APP_DEBUG:-false}
# Database - using separate staging database # Database - using separate staging database
- DB_HOST=postgres - DB_HOST=postgres
- DB_PORT=5432 - DB_PORT=5432
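Review bot: In the second hunk the `cp /run/secrets/... "$$SECRETS_DIR/..." 2>/dev/null || true` lines for redis_password, db_user_password and app_key still hide a failed copy even after the new else-branch warnings, because the `-f` test only covers the missing-secret case; when the copy itself fails, the following `chmod`/`chown` print their own errors and `REDIS_PASSWORD_FILE` (and the other two `_FILE` variables) are exported pointing at a file that does not exist, which presumably surfaces later as a configuration error rather than at the copy. Dropping the redirect and the `|| true` so the failure is visible and fatal, e.g. `cp /run/secrets/redis_password "$$SECRETS_DIR/redis_password" || { echo "❌ Failed to copy redis_password" >&2; exit 1; }`, would make each block fail at the actual error. If the image provides `install`, `install -m 0640 -o www-data -g www-data /run/secrets/redis_password "$$SECRETS_DIR/redis_password"` would also set mode and owner in one step and remove the short window in which the copied secret sits with the default-umask mode before `chmod 640` runs. Keeping the copies under `/var/www/html/storage/secrets` assumes that path is outside whatever the nginx service serves; that is not visible in this diff and worth confirming. The entrypoint script these lines belong to starts before the hunk.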