feat: update proxy path handling and deployment (#21)

PR mainly improves how proxy settings are handled, which helps simplify
some of the compose files and how deployment is handled. Also updated
the build image workflow.

- Proxy changes:
- Proxy settings now managed via settings/environment variables,
removing the dynamic trusted hosts.
  - Static assets are now referenced using FastAPI’s `url_for`
  - mymdc proxy path worked out from request path in all cases

- Compose:
  - Simplified compose files and removed duplication
- `compose.yml` contains main config, with `compose.override.yml` having
default (dev) overrides
- Staging inherits from main file, prod inherits from staging, with
minimal changes
  - Project name used for dynamic routing and path prefix

Author: RobertRosca

.github/workflows/lint.yml .github/bck/lint.yml.github/workflows/lint.yml renamed to .github/bck/lint.yml

@@ -1,56 +1,56 @@
-name: Build Image
+name: Build and Publish Container Image
 
 on:
   push:
-    tags:
-      - "v**"
-  workflow_call:
-  workflow_dispatch:
+    branches:
+      - main
+  release:
+    types: [published]
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  build-and-push-image:
+  build-and-push:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Log in to the Container registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=ref,event=branch
-            type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
-            type=sha
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+            type=raw,value=staging,enable=${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+            type=raw,value=stable,enable=${{ github.event_name == 'release' }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        uses: docker/build-push-action@v6
         with:
+          context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/test.yml .github/bck/test.yml.github/workflows/test.yml renamed to .github/bck/test.yml

@@ -34,7 +34,7 @@ ENV \
   UV_LINK_MODE=copy \
   UV_CACHE_DIR=/opt/uv-cache/
 
-RUN apt update && apt install -y openssh-client
+RUN apt update && apt install -y openssh-client wget && rm -rf /var/lib/apt/lists/*
 
 COPY --link ./pyproject.toml ./uv.lock /app/
 
@@ -56,4 +56,4 @@ ENV ZWOP_ADDRESS=http://0.0.0.0:8000
 CMD ["uv", "run", "-m", "zulip_write_only_proxy.main"]
 
 HEALTHCHECK --start-interval=1s --start-period=30s --interval=60s \
-  CMD wget --spider http://0.0.0.0:8000/api/health || exit 1
+  CMD wget http://0.0.0.0:8000/api/health || exit 1

.github/setup/action.yml

@@ -0,0 +1,43 @@
+
+name: zwop-dev
+
+services:
+  server:
+    environment:
+      - "ZWOP_TOKEN_WRITER__ZWOP_URL=http://localhost:8000/${COMPOSE_PROJECT_NAME}"
+    develop:
+      watch:
+        - action: sync
+          path: ./src/zulip_write_only_proxy
+          target: /app/src/zulip_write_only_proxy
+          ignore:
+            - __pycache__/
+            - "*.pyc"
+            - ".pytest_cache/"
+        - action: sync+restart
+          path: ./pyproject.toml
+          target: /app/pyproject.toml
+        - action: sync+restart
+          path: ./src/zulip_write_only_proxy/main.py
+          target: /app/src/zulip_write_only_proxy/main.py
+    restart: never
+
+  traefik:
+    image: "traefik:latest"
+    command:
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:8000"
+      - "--log.level=DEBUG"
+    ports:
+      - 8000:8000
+      - 8080:8080
+    volumes:
+      - ${DOCKER_SOCK:-/var/run/docker.sock}:/var/run/docker.sock:ro
+
+  whoami:
+    image: traefik/whoami
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=PathRegexp(`^/whoami(/|$)`)"

.github/workflows/build-image.yml

@@ -1,38 +1,9 @@
-version: "3.8"
+name: zwop
 
-networks:
-  proxy:
-    external: true
+include:
+  - compose.staging.yml
 
 services:
   server:
-    image: ${IMAGE:-ghcr.io/european-xfel/zulip-write-only-proxy}:${TAG:?error}
-    volumes:
-      - ./config:/app/config
-    env_file:
-      - .env
-    environment:
-      - ZWOP_PROXY_ROOT=/zwop
-    networks:
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=proxy"
-      - "traefik.http.middlewares.zwop.stripprefix.forceSlash=false"
-      - "traefik.http.middlewares.zwop.stripprefix.prefixes=/zwop"
-      - "traefik.http.routers.zwop.middlewares=zwop"
-      - "traefik.http.routers.zwop.rule=Host(`exfldadev01.desy.de`) && PathPrefix(`/zwop{slash:(/|$)}`)"
-      - "traefik.http.services.zwop.loadbalancer.server.port=8000"
-    command: ["poe", "prod"]
-    deploy:
-      update_config:
-        parallelism: 1
-        delay: 10s
-        failure_action: rollback
-        order: start-first
-        monitor: 10s
-        max_failure_ratio: 0
-      restart_policy:
-        condition: any
-        delay: 5s
-        window: 120s
+    image: ghcr.io/european-xfel/zulip-write-only-proxy:stable
+    pull_policy: "every_10m"

.github/workflows/deploy.yml

@@ -1,33 +1,17 @@
-version: "3.8"
+name: zwop-staging
+
+include:
+  - compose.yml
 
 networks:
   proxy:
     external: true
 
 services:
   server:
-    image: zwop:staging
-    volumes:
-      - ./config:/app/config
-    env_file:
-      - .env
+    build: .
     environment:
-      - ZWOP_PROXY_ROOT=/zwop-staging
-      - ZWOP_TOKEN_WRITER__ZWOP_URL=https://exfldadev01.desy.de/zwop-staging
+      - "ZWOP_TOKEN_WRITER__ZWOP_URL=https://exfldadev01.desy.de/${COMPOSE_PROJECT_NAME}"
     networks:
       - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=proxy"
-      - "traefik.http.middlewares.zwop-staging.stripprefix.forceSlash=false"
-      - "traefik.http.middlewares.zwop-staging.stripprefix.prefixes=/zwop-staging"
-      - "traefik.http.routers.zwop-staging.middlewares=zwop-staging"
-      - "traefik.http.routers.zwop-staging.rule=Host(`exfldadev01.desy.de`) && PathPrefix(`/zwop-staging{slash:(/|$)}`)"
-      - "traefik.http.services.zwop-staging.loadbalancer.server.port=8000"
-    command: ["poe", "staging"]
-    deploy:
-      restart_policy:
-        condition: any
-        delay: 5s
-        window: 120s
-
+    restart: unless-stopped

Dockerfile

@@ -1,46 +1,17 @@
-version: "3.8"
-
 services:
   server:
     build: .
     volumes:
-      - ./config:/app/config
+      - ./config:/config
     env_file:
       - .env
     environment:
-      - ZWOP_PROXY_ROOT=/zwop
+      - "ZWOP_PROXY_ROOT=/${COMPOSE_PROJECT_NAME}"
+      - "ZWOP_PROXY_HEADERS=true"
+      - "ZWOP_FORWARDED_ALLOW_IPS=*"
     labels:
-      traefik.enable: true
-      traefik.http.middlewares.zwop-dev.stripprefix.forceSlash: false
-      traefik.http.middlewares.zwop-dev.stripprefix.prefixes: /zwop
-      traefik.http.routers.zwop-dev.middlewares: zwop-dev
-      traefik.http.routers.zwop-dev.rule: PathPrefix(`/zwop{slash:(/|$)}`)
-      traefik.http.services.zwop-dev.loadbalancer.server.port: 8000
-    develop:
-      watch:
-        - action: sync
-          path: ./src/zulip_write_only_proxy
-          target: /app/src/zulip_write_only_proxy
-          ignore:
-            - node_modules/
-        - action: sync+restart
-          path: ./compose.yml
-          target: /app/compose.yml
-        - action: sync+restart
-          path: ./src/zulip_write_only_proxy/main.py
-          target: /app/src/zulip_write_only_proxy/main.py
-    ports:
-      - 5678:5678
-
-  traefik:
-    image: "traefik:v2.10"
-    command:
-      - "--api.insecure=true"
-      - "--providers.docker=true"
-      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:8000"
-    ports:
-      - 8000:8000
-      - 8080:8080
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "traefik.enable=true"
+      - "traefik.http.middlewares.${COMPOSE_PROJECT_NAME}-stripprefix.stripprefix.prefixes=/${COMPOSE_PROJECT_NAME}"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=${COMPOSE_PROJECT_NAME}-stripprefix"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=PathRegexp(`^/${COMPOSE_PROJECT_NAME}(/|$)`)"
+      - "traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=8000"