feat: synchronize with API Platform's definition (#113)

dunglas · web-flow · commit d6f3e7653fbb · 2021-02-09T10:42:17.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -53,16 +53,22 @@ RUN set -eux; \
 	\
 	apk del .build-deps
 
-COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
+COPY docker/php/docker-healthcheck.sh /usr/local/bin/docker-healthcheck
+RUN chmod +x /usr/local/bin/docker-healthcheck
+
+HEALTHCHECK --interval=10s --timeout=3s --retries=3 CMD ["docker-healthcheck"]
 
 RUN ln -s $PHP_INI_DIR/php.ini-production $PHP_INI_DIR/php.ini
 COPY docker/php/conf.d/symfony.prod.ini $PHP_INI_DIR/conf.d/symfony.ini
 
-RUN set -eux; \
-	{ \
-		echo '[www]'; \
-		echo 'ping.path = /ping'; \
-	} | tee /usr/local/etc/php-fpm.d/docker-healthcheck.conf
+COPY docker/php/php-fpm.d/zz-docker.conf /usr/local/etc/php-fpm.d/zz-docker.conf
+
+COPY docker/php/docker-entrypoint.sh /usr/local/bin/docker-entrypoint
+RUN chmod +x /usr/local/bin/docker-entrypoint
+
+VOLUME /var/run/php
+
+COPY --from=composer:latest /usr/bin/composer /usr/bin/composer
 
 # https://getcomposer.org/doc/03-cli.md#composer-allow-superuser
 ENV COMPOSER_ALLOW_SUPERUSER=1
@@ -96,14 +102,6 @@ RUN set -eux; \
 	chmod +x bin/console; sync
 VOLUME /srv/app/var
 
-COPY docker/php/docker-healthcheck.sh /usr/local/bin/docker-healthcheck
-RUN chmod +x /usr/local/bin/docker-healthcheck
-
-HEALTHCHECK --interval=10s --timeout=3s --retries=3 CMD ["docker-healthcheck"]
-
-COPY docker/php/docker-entrypoint.sh /usr/local/bin/docker-entrypoint
-RUN chmod +x /usr/local/bin/docker-entrypoint
-
 ENTRYPOINT ["docker-entrypoint"]
 CMD ["php-fpm"]
 
@@ -118,7 +116,6 @@ FROM caddy:${CADDY_VERSION} AS symfony_caddy
 
 WORKDIR /srv/app
 
-ENV MERCURE_DEMO="demo /srv/mercure-assets/"
 COPY --from=dunglas/mercure:v0.11 /srv/public /srv/mercure-assets/
 COPY --from=symfony_caddy_builder /usr/bin/caddy /usr/bin/caddy
 COPY --from=symfony_php /srv/app/public public/
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
@@ -5,9 +5,9 @@ services:
   php:
     environment:
       APP_ENV: prod
+      APP_SECRET: ${APP_SECRET}
 
   caddy:
     environment:
-      MERCURE_DEMO: # Disable the demo
-      MERCURE_PUBLISHER_JWT: ${MERCURE_PUBLISHER_JWT}
-      MERCURE_SUBSCRIBER_JWT: ${MERCURE_SUBSCRIBER_JWT}
+      MERCURE_PUBLISHER_JWT_KEY: ${MERCURE_PUBLISHER_JWT_KEY}
+      MERCURE_SUBSCRIBER_JWT_KEY: ${MERCURE_SUBSCRIBER_JWT_KEY}
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -9,6 +9,8 @@ services:
         SYMFONY_VERSION: ${SYMFONY_VERSION:-}
         STABILITY: ${STABILITY:-stable}
     restart: unless-stopped
+    volumes:
+      - php_socket:/var/run/php
     healthcheck:
       interval: 10s
       timeout: 3s
@@ -25,18 +27,32 @@ services:
     build:
       context: .
       target: symfony_caddy
+    depends_on:
+      - php
     environment:
       SERVER_NAME: ${SERVER_NAME:-localhost, caddy:80}
-      MERCURE_PUBLISHER_JWT: ${MERCURE_PUBLISHER_JWT:-!ChangeMe!}
-      MERCURE_SUBSCRIBER_JWT: ${MERCURE_SUBSCRIBER_JWT:-!ChangeMe!}
+      MERCURE_PUBLISHER_JWT_KEY: ${MERCURE_PUBLISHER_JWT_KEY:-!ChangeMe!}
+      MERCURE_SUBSCRIBER_JWT_KEY: ${MERCURE_SUBSCRIBER_JWT_KEY:-!ChangeMe!}
     restart: unless-stopped
-    ports:
-      - "80:80"
-      - "443:443"
     volumes:
+      - php_socket:/var/run/php
       - caddy_data:/data
       - caddy_config:/config
+    ports:
+      # HTTP
+      - target: 80
+        published: 80
+        protocol: tcp
+      # HTTPS
+      - target: 443
+        published: 443
+        protocol: tcp
+      # HTTP/3
+      - target: 443
+        published: 443
+        protocol: udp
 
 volumes:
+  php_socket:
   caddy_data:
   caddy_config:
diff --git a/docker/caddy/Caddyfile b/docker/caddy/Caddyfile
@@ -1,4 +1,7 @@
 {
+    # Debug
+    {$DEBUG}
+    # HTTP/3 support
     servers {
         protocol {
             experimental_http3
@@ -14,21 +17,21 @@ route {
     root * /srv/app/public
     mercure {
         # Transport to use (default to Bolt)
-        transport_url bolt:///data/mercure.db
-        # Enable the demo endpoint (disable it in production!)
-        {$MERCURE_DEMO}
+        transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
         # Publisher JWT key
-        publisher_jwt {$MERCURE_PUBLISHER_JWT}
+        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
         # Subscriber JWT key
-        subscriber_jwt {$MERCURE_SUBSCRIBER_JWT}
+        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
         # Allow anonymous subscribers (double-check that it's what you want)
         anonymous
         # Enable the subscription API (double-check that it's what you want)
         subscriptions
+        # Extra directives
+        {$MERCURE_EXTRA_DIRECTIVES}
     }
     vulcain
     push
-    php_fastcgi php:9000
-    encode gzip
+    php_fastcgi unix//var/run/php/php-fpm.sock
+    encode zstd gzip
     file_server
 }
diff --git a/docker/php/docker-healthcheck.sh b/docker/php/docker-healthcheck.sh
@@ -5,7 +5,7 @@ export SCRIPT_NAME=/ping
 export SCRIPT_FILENAME=/ping
 export REQUEST_METHOD=GET
 
-if cgi-fcgi -bind -connect 127.0.0.1:9000; then
+if cgi-fcgi -bind -connect /var/run/php/php-fpm.sock; then
 	exit 0
 fi
 
diff --git a/docker/php/php-fpm.d/zz-docker.conf b/docker/php/php-fpm.d/zz-docker.conf
@@ -0,0 +1,7 @@
+[global]
+daemonize = no
+
+[www]
+listen = /var/run/php/php-fpm.sock
+listen.mode = 0666
+ping.path = /ping
diff --git a/docs/production.md b/docs/production.md
@@ -23,7 +23,9 @@ Don't forget to add your SSH key or to create a password then press the "Finaliz
 Then, wait a few seconds while your Droplet is provisioning.
 When your Droplet is ready, use SSH to connect:
 
-    $ ssh root@<droplet-ip>
+```console
+ssh root@<droplet-ip>
+```
 
 ## Configuring a Domain Name
 
@@ -35,7 +37,9 @@ Then create a DNS record of type `A` for your domain name pointing to the IP add
 
 Example:
 
-    your-domain-name.example.com.  IN  A     207.154.233.113
+```dns
+your-domain-name.example.com.  IN  A     207.154.233.113
+````
 
 Example in Gandi's UI:
 
@@ -52,22 +56,36 @@ Deploy keys are also [supported by GitLab](https://docs.gitlab.com/ee/user/proje
 
 Example with Git:
 
-    $ git clone git@github.com:<username>/<project-name>.git
+```console
+git clone git@github.com:<username>/<project-name>.git
+```
 
 Go into the directory containing your project (`<project-name>`), and start the app in production mode:
 
-    $ SERVER_NAME=your-domain-name.example.com docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
+```console
+SERVER_NAME=your-domain-name.example.com \
+APP_SECRET=ChangeMe \
+MERCURE_PUBLISHER_JWT_KEY=ChangeMe \
+MERCURE_SUBSCRIBER_JWT_KEY=ChangeMe \
+docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
+```
 
-Be sure to replace `your-domain-name.example.com` by your actual domain name.
+Be sure to replace `your-domain-name.example.com` by your actual domain name and to set the values of `APP_SECRET`, `MERCURE_PUBLISHER_JWT_KEY` and `MERCURE_SUBSCRIBER_JWT_KEY` to cryptographically secure random values.
 
 Your server is up and running, and a Let's Encrypt HTTPS certificate has been automatically generated for you.
 Go to `https://your-domain-name.example.com` and enjoy!
 
-## Disabling HTTPS 
+## Disabling HTTPS
 
 Alternatively, if you don't want to expose an HTTPS server but only an HTTP one, run the following command:
 
-    $ SERVER_NAME=:80 docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
+```console
+SERVER_NAME=:80 \
+APP_SECRET=ChangeMe \
+MERCURE_PUBLISHER_JWT_KEY=ChangeMe \
+MERCURE_SUBSCRIBER_JWT_KEY=ChangeMe \
+docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
+```
 
 ## Deploying on Multiple Nodes
 
