add updated docker files and pullpreview configuration

.env.example

@@ -14,11 +14,11 @@ DOCKER_CONTAINER_NAME=transmorpher
 # Transmorpher
 TRANSMORPHER_DEV_MODE=false
 TRANSMORPHER_STORE_DERIVATIVES=true
-TRANSMORPHER_DISK_ORIGINALS=s3Originals
-TRANSMORPHER_DISK_IMAGE_DERIVATIVES=s3ImageDerivatives
-TRANSMORPHER_DISK_VIDEO_DERIVATIVES=s3VideoDerivatives
+TRANSMORPHER_DISK_ORIGINALS=localOriginals
+TRANSMORPHER_DISK_IMAGE_DERIVATIVES=localImageDerivatives
+TRANSMORPHER_DISK_VIDEO_DERIVATIVES=localVideoDerivatives
 TRANSMORPHER_SIGNING_KEYPAIR=
-TRANSMORPHER_OPTIMIZER_TIMEOUT=5
+TRANSMORPHER_OPTIMIZER_TIMEOUT=10
 
 # AWS
 AWS_ACCESS_KEY_ID=

.github/workflows/docker.yml

@@ -35,5 +35,6 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           push: true
+          context: ./docker
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

.github/workflows/pullpreview.yml

@@ -0,0 +1,56 @@
+name: PullPreview
+on:
+  # the schedule is optional, but helps to make sure no dangling resources are left when GitHub Action does not behave properly
+  schedule:
+    - cron: "30 2 * * *"
+  push:
+    branches:
+      - main
+  pull_request:
+    types: [labeled, unlabeled, synchronize, closed, reopened]
+
+jobs:
+  deploy:
+    if: github.event_name == 'schedule' || github.event_name == 'push' || github.event.label.name == 'pullpreview' || contains(github.event.pull_request.labels.*.name, 'pullpreview')
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      deployments: write # to delete deployments
+      pull-requests: write # to remove labels
+      statuses: write # to create commit status
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Generate .env file
+        env:
+          APP_KEY: ${{ secrets.APP_KEY }}
+          BASIC_AUTH: ${{ secrets.BASIC_AUTH }}
+          PROTECTOR_AUTH_TOKEN: ${{ secrets.PROTECTOR_AUTH_TOKEN }}
+          PROTECTOR_PRIVATE_KEY: ${{ secrets.PROTECTOR_PRIVATE_KEY }}
+          TRANSMORPHER_SIGNING_KEYPAIR: ${{ secrets.TRANSMORPHER_SIGNING_KEYPAIR }}
+        run: |
+          cp .env.example .env
+          echo "$APP_KEY" >> .env
+          echo "$PROTECTOR_AUTH_TOKEN" >> .env
+          echo "$PROTECTOR_PRIVATE_KEY" >> .env
+          echo "$TRANSMORPHER_SIGNING_KEYPAIR" >> .env
+          echo "$BASIC_AUTH" > .htpasswd
+
+      - uses: pullpreview/action@v5
+        with:
+          # Those GitHub users will have SSH access to the servers
+          admins: jheusinger, gael-connan-cybex, holyfabi, mszulik
+          # Use the cidrs option to restrict access to the live environments to specific IP ranges
+          cidrs: "0.0.0.0/0"
+          compose_files: docker-compose.pullpreview.yml
+          # The preview URL will target this port
+          default_port: 80
+          # Use a 512MB RAM instance type instead of the default 2GB
+          instance_type: nano_2_0
+          # Ports to open on the server
+          ports: 80, 443
+        env:
+          AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+          AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+          AWS_REGION: "eu-central-1"

README.md

@@ -19,6 +19,14 @@ A media server for images and videos.
 
 ## Installation
 
+### Using docker
+
+See the [Docker Hub repository] for images.
+
+To ensure backwards compatibility on automatic updates, use the following image to retrieve the latest version:
+
+`cybexwebdev/transmorpher:0`
+
 ### Cloning the repository
 
 To clone the repository and get your media server running use:

docker-compose.prod.yml

@@ -0,0 +1,16 @@
+version: '3.8'
+services:
+  app:
+    container_name: ${DOCKER_CONTAINER_NAME:-transmorpher}
+    image: mszulik/transmorpher
+    volumes:
+      - '.env:/var/www/html/.env'
+    networks:
+      - shared
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.routers.transmorpher.rule=Host(`transmorpher.test`)'
+      - 'traefik.http.services.transmorpher.loadbalancer.server.port=80'
+networks:
+  shared:
+    external: true

docker-compose.pullpreview.yml

@@ -0,0 +1,87 @@
+version: '3.8'
+services:
+  app:
+    container_name: ${APP_CONTAINER_NAME:-transmorpher}
+    build:
+      context: ./docker
+      dockerfile: Dockerfile
+    networks:
+      - traefik
+      - internal
+    depends_on:
+      mysql:
+        condition: service_healthy
+      traefik:
+        condition: service_started
+    environment:
+      PULLPREVIEW: true
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.http.middlewares.htpasswd.basicauth.usersfile=/.htpasswd'
+      - 'traefik.http.routers.${APP_CONTAINER_NAME:-transmorpher}.rule=Host(`${PULLPREVIEW_PUBLIC_DNS}`)'
+      - 'traefik.http.routers.${APP_CONTAINER_NAME:-transmorpher}.tls=true'
+      - 'traefik.http.routers.${APP_CONTAINER_NAME:-transmorpher}.tls.certresolver=production'
+      - 'traefik.http.routers.${APP_CONTAINER_NAME:-transmorpher}.middlewares=htpasswd'
+  mysql:
+    image: 'mysql/mysql-server:8.0'
+    container_name: ${MYSQL_CONTAINER_NAME:-transmorpher-mysql}
+    ports:
+      - '3306:3306'
+    command: mysqld --default-authentication-plugin=mysql_native_password
+    environment:
+      MYSQL_ROOT_PASSWORD: '${DB_PASSWORD}'
+      MYSQL_ROOT_HOST: "%"
+      MYSQL_DATABASE: '${DB_DATABASE}'
+      MYSQL_USER: '${DB_USERNAME}'
+      MYSQL_PASSWORD: '${DB_PASSWORD}'
+      MYSQL_ALLOW_EMPTY_PASSWORD: 1
+    volumes:
+      - 'mysql:/var/lib/mysql'
+    networks:
+      - internal
+    healthcheck:
+      test: [ "CMD", "mysqladmin", "ping", "-p${DB_PASSWORD}" ]
+      retries: 3
+      timeout: 5s
+  traefik:
+    image: traefik:v2.10
+    container_name: ${TRAEFIK_CONTAINER_NAME:-transmorpher-traefik}
+    ports:
+      - '80:80'
+      - '443:443'
+    environment:
+      TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE: false
+      TRAEFIK_API: false
+      TRAEFIK_API_DASHBOARD: false
+      TRAEFIK_CERTIFICATESRESOLVERS_PRODUCTION: true
+      TRAEFIK_CERTIFICATESRESOLVERS_PRODUCTION_ACME_EMAIL: 'webdevelopment@cybex-online.com'
+      TRAEFIK_CERTIFICATESRESOLVERS_PRODUCTION_ACME_CASERVER: 'https://acme-v02.api.letsencrypt.org/directory'
+      TRAEFIK_CERTIFICATESRESOLVERS_PRODUCTION_ACME_STORAGE: '/letsencrypt/acme.json'
+      TRAEFIK_CERTIFICATESRESOLVERS_PRODUCTION_ACME_HTTPCHALLENGE: true
+      TRAEFIK_CERTIFICATESRESOLVERS_PRODUCTION_ACME_HTTPCHALLENGE_ENTRYPOINT: web
+      TRAEFIK_ENTRYPOINTS_WEB: true
+      TRAEFIK_ENTRYPOINTS_WEB_ADDRESS: ':80'
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP: true
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_TO: websecure
+      TRAEFIK_ENTRYPOINTS_WEB_HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME: https
+      TRAEFIK_ENTRYPOINTS_WEBSECURE: true
+      TRAEFIK_ENTRYPOINTS_WEBSECURE_ADDRESS: ':443'
+      TRAEFIK_PROVIDERS_DOCKER: true
+      TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT: false
+      TRAEFIK_PROVIDERS_DOCKER_NETWORK: traefik
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./letsencrypt:/letsencrypt
+      - ./.htpasswd:/.htpasswd
+    networks:
+      - traefik
+
+networks:
+  internal:
+    internal: true
+  traefik:
+    name: traefik
+
+volumes:
+  mysql:
+    driver: local

docker-compose.yml

@@ -1,5 +1,5 @@
 # For more information: https://laravel.com/docs/sail
-version: '3'
+version: '3.8'
 services:
     app:
         container_name: ${DOCKER_CONTAINER_NAME:-transmorpher}
@@ -24,6 +24,10 @@ services:
         depends_on:
             - mysql
             - mysql_testing
+        labels:
+            - 'traefik.enable=true'
+            - 'traefik.http.routers.transmorpher.rule=Host(`transmorpher.test`)'
+            - 'traefik.http.services.transmorpher.loadbalancer.server.port=80'
     mysql:
         image: 'mysql/mysql-server:8.0'
         ports:

docker/Dockerfile

@@ -0,0 +1,30 @@
+FROM webdevops/php-nginx:8.2
+
+WORKDIR /var/www/html
+
+ENV WEB_DOCUMENT_ROOT /var/www/html/public
+
+# Timeout for the post update script in minutes.
+LABEL com.centurylinklabs.watchtower.lifecycle.post-update-timeout="1440"
+# Watchtower will run this script after restarting the updated container.
+LABEL com.centurylinklabs.watchtower.lifecycle.post-update="/var/www/html/docker/watchtower.sh"
+
+COPY ../ /var/www/html
+COPY ./workers.conf /opt/docker/etc/supervisor.d/
+
+RUN composer install --no-interaction --no-dev
+
+RUN chmod +x ./docker/entryfile.sh
+RUN chmod +x ./docker/watchtower.sh
+RUN chmod 755 -R /var/www/html/storage
+RUN chown -R application:application /var/www/html/storage
+
+RUN php artisan storage:link
+
+RUN apt update
+RUN apt install -y imagemagick jpegoptim optipng pngquant gifsicle webp ffmpeg
+
+RUN docker-service-enable cron
+RUN docker-cronjob '0 2 * * * application php /var/www/html/artisan ffmpeg:delete-temp
+
+ENTRYPOINT ["./entryfile.sh"]

docker/entryfile.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+if ${PULLPREVIEW:-false}; then
+    php /var/www/html/artisan migrate --force
+    php /var/www/html/artisan protector:import --remote --force
+fi
+
+exec /entrypoint supervisord "$@"

docker/watchtower.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+php /var/www/html/artisan migrate --force

docker/workers.conf

@@ -0,0 +1,11 @@
+[program:laravel-worker]
+process_name=%(program_name)s_%(process_num)02d
+command=php /var/www/html/artisan queue:work --queue=video-transcoding
+autostart=true
+autorestart=true
+stopasgroup=true
+killasgroup=true
+numprocs=1
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stopwaitsecs=10801