fix: auth password for production

- set password with runtime env variable

.gitea/workflows/code-quality.yml

@@ -8,12 +8,12 @@ on:
 
 jobs:
   code-quality:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     name: Code Quality (Elixir ${{matrix.elixir}} OTP ${{matrix.otp}})
     strategy:
       matrix:
-        otp: ['26.0']
+        otp: ['26.2']
-        elixir: ['1.15']
+        elixir: ['1.15.7']
 
     services:
       db:
@@ -31,6 +31,11 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4
 
+    - name: Install system dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libssl-dev libncurses5-dev
+
     - name: Set up Elixir
       uses: erlef/setup-beam@v1
       with:
@@ -67,9 +72,11 @@ jobs:
     - name: Run tests
       run: mix test
       env:
+        POSTGRES_HOSTNAME: db
         POSTGRES_PASSWORD: postgres
 
     - name: Run precommit (should pass if all above passed)
       run: mix precommit
       env:
+        POSTGRES_HOSTNAME: db
         POSTGRES_PASSWORD: postgres

.gitea/workflows/docker-build.yml

@@ -26,9 +26,12 @@ jobs:
       with:
         images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
         tags: |
-          type=ref,event=branch
+          # Latest tag will automatically be generated for the latest tagged release
+          # Version tag on releases (e.g., v1.2.3)
           type=ref,event=tag
-          type=raw,value=latest,enable={{is_default_branch}}
+          # Keep a moving branch tag (e.g., main)
+          type=ref,event=branch
+          # Snapshot tag for commits on the default branch (e.g., snapshot-<hash>)
           type=raw,value=snapshot-{{sha}},enable={{is_default_branch}}
 
     - name: Log in to Container Registry
@@ -42,10 +45,12 @@ jobs:
       uses: docker/build-push-action@v5
       with:
         context: .
-        platforms: linux/amd64,linux/arm64
+        platforms: linux/amd64
         push: true
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
+        # GitHub Actions cache needs proper runner configuration
+        # https://docs.gitea.com/usage/actions/act-runner#configuring-cache-when-starting-a-runner-using-docker-image
         cache-from: type=gha
         cache-to: type=gha,mode=max
         build-args: |
@@ -57,6 +62,7 @@ jobs:
       run: |
         echo "## Docker Build Summary" >> $GITHUB_STEP_SUMMARY
         echo "- **Image**: \`${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}\`" >> $GITHUB_STEP_SUMMARY
+        echo "- **Platform**: linux/amd64" >> $GITHUB_STEP_SUMMARY
         echo "- **Tags**: " >> $GITHUB_STEP_SUMMARY
         echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
         echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY

README.md

@@ -208,37 +208,58 @@ The project includes:
 
 ### 🐳 Docker Deployment (Recommended)
 
-Docker provides the easiest deployment method with all dependencies included.
+Docker provides the easiest deployment method with a pre-built container image including all dependencies.
 
 #### Quick Start
 
-1. **Clone and setup:**
+1. **Download the docker-compose file:**
    ```bash
-   git clone <repository-url>
+   curl -O https://git.maxboeer.com/schuwi/component-system/raw/branch/main/docker-compose.yml.example
-   cd components_elixir
+   mv docker-compose.yml.example docker-compose.yml
-   cp docker-compose.yml.example docker-compose.yml
    ```
 
-2. **Configure environment** (edit `docker-compose.yml`):
+2. **Generate a secure secret key:**
+   
+   **With Elixir/Phoenix installed:**
+   ```bash
+   mix phx.gen.secret
+   ```
+   
+   **Without Elixir/Phoenix (Linux/Unix):**
+   ```bash
+   dd if=/dev/random bs=1 count=64 status=none | base64 -w0 | cut -c1-64
+   ```
+   
+   > **Note**: The SECRET_KEY_BASE must be a cryptographically random string that's at least 64 characters long. Phoenix uses it to sign session cookies, CSRF tokens, and other security-sensitive data.
+
+3. **Configure environment** (edit `docker-compose.yml`):
    ```yaml
    environment:
-     SECRET_KEY_BASE: "your-64-character-secret-key"  # Generate with: mix phx.gen.secret
+     SECRET_KEY_BASE: "your-generated-64-character-secret-key"
-     AUTH_PASSWORD: "your-secure-password"
+     AUTH_PASSWORD: "your-secure-password" # Login password for the app
      PHX_HOST: "localhost"  # Change to your domain
    ```
 
-3. **Deploy:**
+4. **Deploy:**
    ```bash
-   docker compose up --build
+   docker compose up -d
    ```
 
-4. **Access:** [http://localhost:4000](http://localhost:4000)
+5. **Access:** [http://localhost:4000](http://localhost:4000)
+
+The container image is automatically built and published from the main branch at https://git.maxboeer.com/schuwi/component-system.
 
 #### Production Configuration
 
 For production environments:
 
-- **Generate secure keys**: Use `mix phx.gen.secret` for SECRET_KEY_BASE
+- **Use specific versions**: Pin to specific tags like `git.maxboeer.com/schuwi/components-elixir:v1.0.0` instead of `:latest`
+- **Available tags**: 
+  - `:latest` - Latest stable release from main branch
+  - `:main` - Latest build from main branch
+  - `:v*` - Specific version tags
+  - `:snapshot-<hash>` - Specific commit builds
+- **Generate secure keys**: Generate a 64+ character random string for SECRET_KEY_BASE (see Quick Start section for methods)
 - **Set strong passwords**: Use AUTH_PASSWORD environment variable
 - **Configure domain**: Set PHX_HOST to your actual domain
 - **Database security**: Use strong PostgreSQL credentials

config/config.exs

@@ -9,8 +9,7 @@ import Config
 
 config :components_elixir,
   ecto_repos: [ComponentsElixir.Repo],
-  generators: [timestamp_type: :utc_datetime],
+  generators: [timestamp_type: :utc_datetime]
-  auth_password: System.get_env("AUTH_PASSWORD", "changeme")
 
 # Configures the endpoint
 config :components_elixir, ComponentsElixirWeb.Endpoint,

config/runtime.exs

@@ -2,7 +2,8 @@ import Config
 
 # Runtime configuration for uploads directory
 config :components_elixir,
-  uploads_dir: System.get_env("UPLOADS_DIR", "./uploads")
+  uploads_dir: System.get_env("UPLOADS_DIR", "./uploads"),
+  auth_password: System.get_env("AUTH_PASSWORD", "changeme")
 
 # config/runtime.exs is executed for all environments, including
 # during releases. It is executed after compilation and before the

config/test.exs

@@ -8,7 +8,7 @@ import Config
 config :components_elixir, ComponentsElixir.Repo,
   username: "postgres",
   password: System.get_env("POSTGRES_PASSWORD") || "fCnPB8VQdPkhJAD29hq6sZEY",
-  hostname: "localhost",
+  hostname: System.get_env("POSTGRES_HOSTNAME") || "localhost",
   database: "components_elixir_test#{System.get_env("MIX_TEST_PARTITION")}",
   pool: Ecto.Adapters.SQL.Sandbox,
   pool_size: System.schedulers_online() * 2

docker-compose.yml.example

@@ -16,7 +16,7 @@ services:
       retries: 5
 
   app:
-    build: .
+    image: git.maxboeer.com/schuwi/components-elixir:latest
     ports:
       - "4000:4000"
     environment:
@@ -26,6 +26,7 @@ services:
       PHX_SERVER: "true"
       PORT: "4000"
       UPLOADS_DIR: "/data/uploads"
+      AUTH_PASSWORD: "changeme!"
     depends_on:
       db:
         condition: service_healthy