alexei.dolgolyov
7733e64b08
A dockerfile or static workload can opt in to reading its deploy config from a
.tinyforge.yml in its own repo. Tinyforge fetches the file, shows field-level
drift vs the live config, and an admin applies it with an explicit Sync. The
repo becomes the source of truth for the declared fields. Manual-sync only;
no auto-apply on deploy, no multi-workload reconcile, no create/delete in v1.
Scope is deliberately source-aware and source_config-resident: dockerfile
declares port/healthcheck/deploy_strategy, static declares deploy_strategy.
The file never carries repo coords or secrets (those stay in the encrypted
DB), which keeps credentials out of the repo.
Backend:
- internal/gitops: Spec/ParseSpec (KnownFields rejects unknown keys), a
source-aware ApplyPlan/BuildPlan, MergeAndValidate (omitted-field-preserving
deep merge + validate-the-merged-result-then-commit — never a partial
config), declared-only Drift with normalization, and Fetch with
ok/no_file/fetch_failed/invalid statuses and token-redacted messages.
- staticsite: DownloadFile added to GitProvider + Gitea/GitHub/GitLab impls,
reusing each provider's SSRF-safe client; 64 KiB cap; ErrFileNotFound.
- store: 4 additive gitops_* columns + setters (disjoint from UpdateWorkload
so the edit-form save and a sync never clobber each other).
- api: GET /workloads/{id}/gitops (status + raw + live drift + managed_fields),
PUT /gitops (admin, enable/path, traversal-safe), POST /gitops/sync (admin,
per-workload locked read->merge->validate->write, audited to event_log).
Frontend:
- GitOpsPanel.svelte: status pill, a purpose-built field-level drift view,
.tinyforge.yml preview, enable ToggleSwitch, Sync via ConfirmDialog; all five
statuses handled, admin affordances gated on the real viewer role.
- GitOps-managed badge (list + detail hero) and a read-only edit-form banner.
- api.ts fetchers + types; i18n apps.detail.gitops.* (en + ru parity).
Built phase-by-phase with an adversarial plan review (caught 5 design flaws
pre-implementation) and an independent review per phase (go / security / ts /
final) — all APPROVE, 0 CRITICAL/HIGH. docs/gitops.md documents the schema and
what's intentionally out of v1. Plan: plans/gitops/.
65 lines
1.7 KiB
Docker
65 lines
1.7 KiB
Docker
# syntax=docker/dockerfile:1.7
|
|
# Stage 1: Build frontend
|
|
FROM node:20-alpine AS frontend-builder
|
|
|
|
WORKDIR /build/web
|
|
COPY web/package.json web/package-lock.json* ./
|
|
RUN npm ci --no-audit
|
|
|
|
COPY web/ ./
|
|
RUN npm run build
|
|
|
|
# Stage 2: Build Go binary
|
|
FROM golang:1.25-alpine AS backend-builder
|
|
|
|
RUN apk add --no-cache git ca-certificates
|
|
|
|
WORKDIR /build
|
|
COPY go.mod go.sum ./
|
|
ENV GOTOOLCHAIN=auto
|
|
# Cache mounts persist the module + build caches across rebuilds (BuildKit).
|
|
RUN --mount=type=cache,target=/go/pkg/mod \
|
|
go mod download
|
|
|
|
COPY . .
|
|
# Copy built frontend into the expected embed location.
|
|
COPY --from=frontend-builder /build/web/build ./web/build
|
|
|
|
RUN --mount=type=cache,target=/go/pkg/mod \
|
|
--mount=type=cache,target=/root/.cache/go-build \
|
|
CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /tinyforge ./cmd/server
|
|
|
|
# Stage 3: Minimal runtime image
|
|
FROM alpine:3.19
|
|
|
|
LABEL org.opencontainers.image.source="https://git.dolgolyov-family.by/alexei.dolgolyov/tiny-forge"
|
|
LABEL org.opencontainers.image.title="Tinyforge"
|
|
LABEL org.opencontainers.image.description="Self-hosted Docker deployment + mini-CI platform"
|
|
|
|
RUN apk add --no-cache ca-certificates tzdata wget
|
|
|
|
# Create non-root user.
|
|
RUN addgroup -g 1000 -S app && adduser -u 1000 -S app -G app
|
|
|
|
WORKDIR /app
|
|
|
|
COPY --from=backend-builder /tinyforge /app/tinyforge
|
|
|
|
# Data directory for SQLite database.
|
|
RUN mkdir -p /app/data && chown -R app:app /app
|
|
|
|
USER app
|
|
|
|
EXPOSE 8080
|
|
|
|
ENV DATA_DIR=/app/data
|
|
ENV LISTEN_ADDR=:8080
|
|
|
|
VOLUME /app/data
|
|
|
|
# /readyz is the public readiness probe (pings the DB); /livez is liveness.
|
|
HEALTHCHECK --interval=30s --timeout=5s --retries=3 --start-period=10s \
|
|
CMD wget --no-verbose --tries=1 --spider http://localhost:8080/readyz || exit 1
|
|
|
|
ENTRYPOINT ["/app/tinyforge"]
|