Build Docker images in GitHub Actions

.github/workflows/docker-publish.yml

@@ -0,0 +1,68 @@
+name: Docker
+
+on:
+  push:
+    branches: [master]
+    # Publish semver tags as releases.
+    tags: ["v*.*.*"]
+
+env:
+  REGISTRY: ghcr.io
+  REGISTRY_WITH_PATH: ghcr.io/${{ github.repository_owner }}
+
+jobs:
+  build-push-image:
+    strategy:
+      matrix:
+        image: [secrets, nginx, service, enketo]
+        # Empty flavor and build_args are required so that GitHub finds the 'include' below
+        flavor: [""]
+        build_args: [""]
+        include:
+          # Build additional OIDC flavor for nginx (tags will be suffixed with -oidc)
+          - image: nginx
+            flavor: |
+              latest=true
+              suffix=-oidc,onlatest=true
+            build_args: |
+              OIDC_ENABLED=true
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_WITH_PATH }}/central-${{ matrix.image }}
+          flavor: ${{ matrix.flavor }}
+          # Generate Docker tags based on the following events/attributes
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}.{{hotfix}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+      - name: Build and push ${{ matrix.image }} Docker image
+        uses: docker/build-push-action@v5
+        with:
+          file: ${{ matrix.image }}.dockerfile
+          context: .
+          build-args: ${{ matrix.build_args }}
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

docker-compose.yml

@@ -63,10 +63,13 @@ services:
       - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
       - EMAIL_USER=${EMAIL_USER:-}
       - EMAIL_PASSWORD=${EMAIL_PASSWORD:-}
+      - ENKETO_URL=${ENKETO_URL:-http://enketo:8005/-}
       - OIDC_ENABLED=${OIDC_ENABLED:-false}
       - OIDC_ISSUER_URL=${OIDC_ISSUER_URL:-}
       - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-}
       - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-}
+      - PYXFORM_HOST=${PYXFORM_HOST:-pyxform}
+      - PYXFORM_PORT=${PYXFORM_PORT:-80}
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
       - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
       - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
@@ -85,6 +88,8 @@ services:
       - enketo
     environment:
       - DOMAIN=${DOMAIN}
+      - ENKETO_URL=${ENKETO_URL:-http://enketo:8005}
+      - SERVICE_URL=${SERVICE_URL:-http://service:8383}
       - CERTBOT_EMAIL=${SYSADMIN_EMAIL}
       - SSL_TYPE=${SSL_TYPE:-letsencrypt}
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
@@ -125,6 +130,10 @@ services:
       - DOMAIN=${DOMAIN}
       - SUPPORT_EMAIL=${SYSADMIN_EMAIL}
       - HTTPS_PORT=${HTTPS_PORT:-443}
+      - REDIS_MAIN_HOST=enketo_redis_main
+      - REDIS_MAIN_PORT=6379
+      - REDIS_CACHE_HOST=enketo_redis_cache
+      - REDIS_CACHE_PORT=6380
   enketo_redis_main:
     image: redis:7.2
     volumes:

files/enketo/config.json.template

@@ -23,12 +23,12 @@
     "query parameter to pass to submission": "st",
     "redis": {
         "main": {
-            "host": "enketo_redis_main",
-            "port": "6379"
+            "host": "${REDIS_MAIN_HOST}",
+            "port": "${REDIS_MAIN_PORT}"
         },
         "cache": {
-            "host": "enketo_redis_cache",
-            "port": "6380"
+            "host": "${REDIS_CACHE_HOST}",
+            "port": "${REDIS_CACHE_PORT}"
         }
     },
     "support": {

files/enketo/start-enketo.sh

@@ -7,7 +7,7 @@ BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https:
 SECRET=$(cat /etc/secrets/enketo-secret) \
 LESS_SECRET=$(cat /etc/secrets/enketo-less-secret) \
 API_KEY=$(cat /etc/secrets/enketo-api-key) \
-envsubst '$DOMAIN $BASE_URL $SECRET $LESS_SECRET $API_KEY $SUPPORT_EMAIL' \
+envsubst '$DOMAIN $BASE_URL $SECRET $LESS_SECRET $API_KEY $SUPPORT_EMAIL $REDIS_MAIN_HOST $REDIS_MAIN_PORT $REDIS_CACHE_HOST $REDIS_CACHE_PORT' \
     < "$CONFIG_PATH.template" \
     > "$CONFIG_PATH"
 

files/nginx/odk.conf.template

@@ -30,7 +30,7 @@ server {
   }
 
   location /- {
-    proxy_pass http://enketo:8005;
+    proxy_pass ${ENKETO_URL};
     proxy_redirect off;
     proxy_set_header Host $host;
 
@@ -51,7 +51,7 @@ server {
 
   location ~ ^/v\d {
     proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_pass http://service:8383;
+    proxy_pass ${SERVICE_URL};
     proxy_redirect off;
 
     # buffer requests, but not responses, so streaming out works.

files/nginx/setup-odk.sh

@@ -19,7 +19,7 @@ fi
 echo "writing fresh nginx templates..."
 cp /usr/share/odk/nginx/redirector.conf /etc/nginx/conf.d/redirector.conf
 CNAME=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
-envsubst '$SSL_TYPE $CNAME $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$SSL_TYPE $CNAME $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT $ENKETO_URL $SERVICE_URL' \
   < /usr/share/odk/nginx/odk.conf.template \
   > /etc/nginx/conf.d/odk.conf
 

files/service/config.json.template

@@ -22,11 +22,11 @@
       }
     },
     "xlsform": {
-      "host": "pyxform",
-      "port": 80
+      "host": "${PYXFORM_HOST}",
+      "port": ${PYXFORM_PORT}
     },
     "enketo": {
-      "url": "http://enketo:8005/-",
+      "url": "${ENKETO_URL}",
       "apiKey": "${ENKETO_API_KEY}"
     },
     "env": {

files/service/scripts/start-odk.sh

@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_ISSUER_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_URL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_ISSUER_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $PYXFORM_HOST $PYXFORM_PORT $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
     < /usr/share/odk/config.json.template \
     > /usr/odk/config/local.json
 

service.dockerfile

@@ -53,6 +53,7 @@ RUN apt-get update \
         procps \
         postgresql-client-14 \
         netcat-traditional \
+        curl \
     && rm -rf /var/lib/apt/lists/* \
     && npm clean-install --omit=dev --legacy-peer-deps --no-audit \
         --fund=false --update-notifier=false