michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: michael:417c7d7a7de9eeea973d631686f7af3962443a7a
Branches Tags
michael:staging
..
compare: michael:68a59f460f757fd6729d15c5e38f92a68025df41
Branches Tags
michael:staging

3 Commits
417c7d7a7d ... 68a59f460f

Author SHA1 Message Date
Michael Schiemer
68a59f460f fix(staging): set APP_DEBUG default to false for security
All checks were successful
Deploy Application / deploy (push) Successful in 24s
Details
Test Runner / test-php (push) Successful in 28s
Details
Test Runner / test-basic (push) Successful in 7s
Details 
Staging environment should not expose detailed error messages,
stack traces, or debug information to end users.

Changed default from 'true' to 'false' in all services:
- php
- nginx
- queue-worker
- scheduler
 2025-11-25 03:47:29 +01:00
Michael Schiemer
2d762eafdf fix(deploy): add warning messages for missing Docker secrets 2025-11-25 03:13:30 +01:00
Michael Schiemer
760690549d fix(deploy): escape shell variables in docker-compose YAML 
Shell variables like $SECRETS_DIR in docker-compose command blocks
must be escaped as $$SECRETS_DIR. Without escaping, docker-compose
interprets them as environment variable interpolation and expands
them to empty strings, causing:
- mkdir: cannot create directory ''
- Secrets copied to wrong path (/redis_password instead of /var/www/html/storage/secrets/redis_password)
- PHP TypeError: RedisConfig::__construct() argument #3 must be string, null given

The fix applies $$ escaping to all shell variables in the PHP
service entrypoint script.
 2025-11-25 03:07:26 +01:00
1 changed files with 30 additions and 25 deletions
Expand all files Collapse all files

49
docker-compose.staging.yml
View File

@@ -20,7 +20,7 @@ services:
environment:
- TZ=Europe/Berlin
- APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true}
- APP_DEBUG=${APP_DEBUG:-false}
- APP_URL=https://staging.michaelschiemer.de
- APP_KEY=${APP_KEY:-}
# Git Repository - clones staging branch
@@ -72,39 +72,44 @@ services:
# Copy Docker Secrets to readable location for www-data
# Docker Secrets are only readable by root, but PHP (www-data) needs to read them.
# We copy them here as root to a location where www-data can read them.
# Note: Use $$ to escape shell variables in docker-compose YAML
echo "🔐 Setting up Docker Secrets for PHP access..."
SECRETS_DIR="/var/www/html/storage/secrets"
# Ensure we're in the right directory
cd /var/www/html || exit 1
# Create secrets directory if it doesn't exist
mkdir -p "$SECRETS_DIR"
chmod 750 "$SECRETS_DIR"
chown www-data:www-data "$SECRETS_DIR"
mkdir -p "$$SECRETS_DIR"
chmod 750 "$$SECRETS_DIR"
chown www-data:www-data "$$SECRETS_DIR"
if [ -f /run/secrets/redis_password ]; then
cp /run/secrets/redis_password "$SECRETS_DIR/redis_password" 2>/dev/null || true
chmod 640 "$SECRETS_DIR/redis_password"
chown www-data:www-data "$SECRETS_DIR/redis_password"
export REDIS_PASSWORD_FILE="$SECRETS_DIR/redis_password"
echo "✅ Copied redis_password to $SECRETS_DIR/redis_password"
cp /run/secrets/redis_password "$$SECRETS_DIR/redis_password" 2>/dev/null || true
chmod 640 "$$SECRETS_DIR/redis_password"
chown www-data:www-data "$$SECRETS_DIR/redis_password"
export REDIS_PASSWORD_FILE="$$SECRETS_DIR/redis_password"
echo "✅ Copied redis_password to $$SECRETS_DIR/redis_password"
else
echo "⚠️ Warning: /run/secrets/redis_password not found"
fi
if [ -f /run/secrets/db_user_password ]; then
cp /run/secrets/db_user_password "$SECRETS_DIR/db_user_password" 2>/dev/null || true
chmod 640 "$SECRETS_DIR/db_user_password"
chown www-data:www-data "$SECRETS_DIR/db_user_password"
export DB_PASSWORD_FILE="$SECRETS_DIR/db_user_password"
echo "✅ Copied db_user_password to $SECRETS_DIR/db_user_password"
cp /run/secrets/db_user_password "$$SECRETS_DIR/db_user_password" 2>/dev/null || true
chmod 640 "$$SECRETS_DIR/db_user_password"
chown www-data:www-data "$$SECRETS_DIR/db_user_password"
export DB_PASSWORD_FILE="$$SECRETS_DIR/db_user_password"
echo "✅ Copied db_user_password to $$SECRETS_DIR/db_user_password"
else
echo "⚠️ Warning: /run/secrets/db_user_password not found"
fi
if [ -f /run/secrets/app_key ]; then
cp /run/secrets/app_key "$SECRETS_DIR/app_key" 2>/dev/null || true
chmod 640 "$SECRETS_DIR/app_key"
chown www-data:www-data "$SECRETS_DIR/app_key"
export APP_KEY_FILE="$SECRETS_DIR/app_key"
echo "✅ Copied app_key to $SECRETS_DIR/app_key"
cp /run/secrets/app_key "$$SECRETS_DIR/app_key" 2>/dev/null || true
chmod 640 "$$SECRETS_DIR/app_key"
chown www-data:www-data "$$SECRETS_DIR/app_key"
export APP_KEY_FILE="$$SECRETS_DIR/app_key"
echo "✅ Copied app_key to $$SECRETS_DIR/app_key"
else
echo "⚠️ Warning: /run/secrets/app_key not found"
fi
@@ -205,7 +210,7 @@ services:
environment:
- TZ=Europe/Berlin
- APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true}
- APP_DEBUG=${APP_DEBUG:-false}
# Git Repository - clones staging branch
- GIT_REPOSITORY_URL=${GIT_REPOSITORY_URL:-}
- GIT_BRANCH=staging
@@ -346,7 +351,7 @@ services:
environment:
- TZ=Europe/Berlin
- APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true}
- APP_DEBUG=${APP_DEBUG:-false}
# Database - using separate staging database
- DB_HOST=postgres
- DB_PORT=5432
@@ -401,7 +406,7 @@ services:
environment:
- TZ=Europe/Berlin
- APP_ENV=staging
- APP_DEBUG=${APP_DEBUG:-true}
- APP_DEBUG=${APP_DEBUG:-false}
# Database - using separate staging database
- DB_HOST=postgres
- DB_PORT=5432