Implementing Gally in a single container

Co-Authored-By: Romain Ruaud <[email protected]>

docker/mono-container/Dockerfile

@@ -0,0 +1,96 @@
+FROM debian:12
+
+# Todo move everything linked to SERVER_NAME in entry point to avoid having to have it on build
+ARG SERVER_NAME
+ENV SERVER_NAME $SERVER_NAME
+ARG OPENSEARCH_INITIAL_ADMIN_PASSWORD
+ENV OPENSEARCH_INITIAL_ADMIN_PASSWORD $OPENSEARCH_INITIAL_ADMIN_PASSWORD
+
+ARG NEXT_PUBLIC_API_URL
+ARG NEXT_PUBLIC_API_ROUTE_PREFIX
+ARG REACT_APP_API_URL
+ENV NEXT_PUBLIC_API_URL $NEXT_PUBLIC_API_URL
+ENV NEXT_PUBLIC_API_ROUTE_PREFIX $NEXT_PUBLIC_API_ROUTE_PREFIX
+ENV REACT_APP_API_URL $REACT_APP_API_URL
+
+# Prerequisites
+RUN apt-get update ; \
+    apt-get install -y curl gettext gnupg lsb-release openssl supervisor
+RUN curl -sSLo /usr/share/keyrings/deb.sury.org-php.gpg https://packages.sury.org/php/apt.gpg; \
+    echo "deb [signed-by=/usr/share/keyrings/deb.sury.org-php.gpg] https://packages.sury.org/php/ bookworm main" > /etc/apt/sources.list.d/php.list
+RUN install -d /usr/share/postgresql-common/pgdg; \
+    curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc; \
+    echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list
+RUN curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring; \
+    echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch-2.x.list
+RUN apt-get update
+
+# Databases
+RUN apt-get install -y redis postgresql-16 libssl3 opensearch=2.16.0 postgresql-client
+RUN /usr/share/opensearch/bin/opensearch-plugin install -b analysis-icu analysis-phonetic ingest-attachment
+COPY redis.conf /etc/redis/redis.conf
+USER postgres
+RUN PGDATA="/var/lib/postgresql/data/"; \
+	echo "Init PostgreSQL..."; \
+	/usr/lib/postgresql/16/bin/initdb -D "$PGDATA"; \
+	/usr/lib/postgresql/16/bin/pg_ctl -D "$PGDATA" -o "-c listen_addresses=''" -w start; \
+	psql --username=postgres -c "CREATE ROLE \"api-platform\" WITH SUPERUSER LOGIN;"; \
+	psql --username=postgres -c "ALTER USER \"api-platform\" WITH password '!ChangeMe!';"; \
+	psql --username=postgres -c "CREATE DATABASE api;"; \
+	/usr/lib/postgresql/16/bin/pg_ctl -D "$PGDATA" -m fast -w stop; \
+    touch /var/log/postgresql/postgresql.log
+COPY postgresql.conf /var/lib/postgresql/data/postgresql.conf
+USER opensearch
+COPY opensearch.yml /etc/opensearch/opensearch.yml
+USER root
+RUN set -xe; \
+	bash /usr/share/opensearch/plugins/opensearch-security/tools/install_demo_configuration.sh -y -i -s
+
+# Webserver
+RUN apt-get install -y nginx varnish
+# Todo move certs in a static repository
+RUN mkdir -p /etc/nginx/template/ /etc/varnish/template/ /etc/nginx/certs/live/${SERVER_NAME} /var/log/php-fpm/
+COPY nginx.conf /etc/nginx/template/default.template
+COPY varnish.vcl /etc/varnish/template/default.vcl.template
+RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+	-keyout /etc/nginx/certs/live/${SERVER_NAME}/privkey.pem \
+	-out /etc/nginx/certs/live/${SERVER_NAME}/fullchain.pem \
+	-subj "/CN=${SERVER_NAME:-localhost}"
+RUN envsubst < /etc/nginx/template/default.template '\$SERVER_NAME' > /etc/nginx/sites-enabled/default
+RUN envsubst < /etc/varnish/template/default.vcl.template '\$SERVER_NAME' > /etc/varnish/default.vcl
+
+# Api
+RUN apt-get install -y php8.3 \
+  php8.3-apcu php8.3-dom php8.3-curl php8.3-intl php8.3-mbstring php8.3-opcache php8.3-pgsql php8.3-redis php8.3-zip \
+  php8.3-fpm
+COPY php.ini /etc/php/8.3/fpm/conf.d/app.ini
+COPY php.ini /etc/php/8.3/cli/conf.d/app.ini
+RUN sed -i 's/^;clear_env = no/clear_env = no/' /etc/php/8.3/fpm/pool.d/www.conf
+COPY --from=api_src . /var/gally/api
+RUN mkdir /run/php; \
+    touch /var/log/php8.3-fpm.log; \
+    chown www-data:www-data -R /run/php /var/log/php8.3-fpm.log /var/gally/api/var
+
+# Pwa
+COPY --from=front_src . /var/gally/front
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash && \
+    export NVM_DIR="$HOME/.nvm"  && \
+    [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" && \
+	nvm install 16 && \
+	npm install -g yarn && \
+	cd /var/gally/front && \
+	yarn install --frozen-lockfile --network-timeout 120000 && \
+	yarn cache clean && \
+	yarn build && \
+	useradd node && \
+    mkdir -p /var/log/yarn/ && \
+    chown node:node -R /var/log/yarn && \
+    ln -s "$(which node)" /usr/bin/node && \
+    ln -s "$(which yarn)" /usr/bin/yarn
+
+COPY supervisord.conf /etc/supervisor/supervisord.conf
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+WORKDIR /var/gally
+CMD ["/docker-entrypoint.sh"]

docker/mono-container/compose.yml

@@ -0,0 +1,40 @@
+services:
+  server:
+    build:
+      context: .
+      additional_contexts:
+        api_src: ../../api
+        front_src: ../../front
+      args:
+        - SERVER_NAME=${SERVER_NAME:-gally.localhost}
+        - OPENSEARCH_INITIAL_ADMIN_PASSWORD=Blop123!Blop123!
+        - NEXT_PUBLIC_API_ROUTE_PREFIX=${API_ROUTE_PREFIX:-api}
+        - NEXT_PUBLIC_API_URL=https://${SERVER_NAME:-gally.localhost}/${API_ROUTE_PREFIX:-api}
+    environment:
+      - ELASTICSEARCH_SSL_VERIFICATION=false
+      - API_ROUTE_PREFIX=${API_ROUTE_PREFIX:-api}
+      - TRUSTED_PROXIES=${TRUSTED_PROXIES:-127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}
+      - TRUSTED_HOSTS=${TRUSTED_HOSTS:-^${SERVER_NAME:-gally.localhost}$$}
+      - CORS_ALLOW_ORIGIN=${CORS_ALLOW_ORIGIN:-^https?://${SERVER_NAME:-gally.localhost}$}
+      - GALLY_CATALOG_MEDIA_URL=${GALLY_CATALOG_MEDIA_URL:-https://${SERVER_NAME:-gally.localhost}/media/catalog/product/}
+      - NEXT_PUBLIC_API_ROUTE_PREFIX=${API_ROUTE_PREFIX:-api}
+      - NEXT_PUBLIC_API_URL=https://${SERVER_NAME:-gally.localhost}/${API_ROUTE_PREFIX:-api}
+      - VARNISH_URL=http://localhost:6081/
+      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=Blop123!Blop123!
+      - ELASTICSEARCH_URL=https://${SEARCH_USER:-admin}:${OPENSEARCH_INITIAL_ADMIN_PASSWORD:-Blop123!Blop123!}@localhost:9200/
+    ports:
+      - "80:80"
+      - "443:443"
+      - "9201:9200"
+    volumes:
+      - jwt_keys:/var/gally/api/config/jwt
+      - db_data:/var/lib/postgresql/data
+      - os2_data:/var/lib/opensearch:rw
+      - redis_data:/var/lib/redis
+
+volumes:
+  jwt_keys:
+  db_data:
+  os2_data:
+  redis_data:
+    driver: local

docker/mono-container/docker-entrypoint.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+/usr/bin/supervisord -c /etc/supervisor/supervisord.conf &
+
+sleep 10
+
+# Todo move this in dockerfile in order to have everything ready in the built image
+cd /var/gally/api
+
+echo "Entering Gally build configuration"
+
+bin/console lexik:jwt:generate-keypair --skip-if-exists
+bin/console doctrine:migrations:migrate --no-interaction --all-or-nothing
+
+PACKAGE="gally/gally-premium"
+if composer show "$PACKAGE" > /dev/null 2>&1; then
+	echo "Gally Premium is installed, prepare Vector Search."
+    bin/console gally:vector-search:upload-model
+fi
+
+bin/console hautelook:fixture:load
+
+echo "Gally Application is ready..."
+
+tail -f --retry --follow=name -n0 \
+	/var/gally/api/var/log/dev.log

docker/mono-container/nginx.conf

@@ -0,0 +1,102 @@
+server {
+    listen 443 ssl;
+    server_name $SERVER_NAME;
+
+    ssl_certificate /etc/nginx/certs/live/$SERVER_NAME/fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/live/$SERVER_NAME/privkey.pem;
+
+    proxy_buffer_size 64k;
+    proxy_buffers 64 16k;
+    proxy_busy_buffers_size 64k;
+
+    location / {
+        # WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_pass http://localhost:6081;
+    }
+}
+
+server {
+    listen 80;
+    server_name $SERVER_NAME;
+    root /var/gally/api/public;
+
+    client_body_buffer_size 4m;
+    client_max_body_size 256m;
+    fastcgi_buffers 64 16k;
+    fastcgi_buffer_size 64k;
+
+    location / {
+        proxy_pass http://localhost:3000;
+    }
+
+    location ~ ^/(example|ws) {
+        proxy_pass http://localhost:3000;
+    }
+
+    location /api {
+        rewrite ^/api/(.*)$ /$1 break;
+
+        # Overwrite X-Forwarded-For with actual client IP
+        add_header X-Forwarded-For $remote_addr;
+
+        # to let webapp know it's https traffic.
+        add_header X-Forwarded-Proto $scheme;
+
+        try_files $uri /index.php$is_args$args;
+    }
+
+    # Route toutes les requêtes vers l'application PHP API Platform pour $API_SERVER_NAME
+    location ~ ^/index\.php(/|$) {
+
+        # when PHP-FPM is configured to use TCP
+        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
+
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+
+        # optionally set the value of the environment variables used in the application
+        # fastcgi_param APP_ENV prod;
+        # fastcgi_param APP_SECRET <app-secret-id>;
+        # fastcgi_param DATABASE_URL "mysql://db_user:db_pass@host:3306/db_name";
+
+        # When you are using symlinks to link the document root to the
+        # current version of your application, you should pass the real
+        # application path instead of the path to the symlink to PHP
+        # FPM.
+        # Otherwise, PHP's OPcache may not properly detect changes to
+        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
+        # for more information).
+        # Caveat: When PHP-FPM is hosted on a different machine from nginx
+        #         $realpath_root may not resolve as you expect! In this case try using
+        #         $document_root instead.
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+        # Prevents URIs that include the front controller. This will 404:
+        # http://example.com/index.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+    }
+
+    location ~ \.php$ {
+        return 404;
+    }
+
+    # WebSocket support
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    # Overwrite X-Forwarded-For with actual client IP
+    add_header X-Forwarded-For $remote_addr;
+
+    # to let webapp know it's https traffic.
+    add_header X-Forwarded-Proto $scheme;
+}