feat(infra): add dockerfile, compose setup and migrate containerized

.dockerignore

@@ -0,0 +1,33 @@
+# Ignore VCS
+.git
+.gitignore
+
+# Python artifacts
+__pycache__/
+*.py[cod]
+*.pyc
+*.pyo
+*.pyd
+*.so
+
+# Local env & tooling
+.env
+.env.*
+venv/
+.virtualenv/
+.cache/
+.mypy_cache/
+.pytest_cache/
+.coverage
+
+# Django/SQLite development DB (use real DB in production)
+db.sqlite3
+
+# Node / misc
+node_modules/
+
+# Ansible deployment artifacts (not needed in runtime image)
+ansible/
+
+# Other
+*.log

.env.example

@@ -1 +1,13 @@
-DJANGO_DEBUG=True
+DJANGO_SECRET_KEY=change-me
+DJANGO_DEBUG=false
+DJANGO_SETTINGS_MODULE=config.settings
+DJANGO_STATIC_ROOT=/app/static/
+PORT=8000
+GUNICORN_WORKERS=3
+IMAGE_NAME=histrio/idontneedit:latest
+SITE_DOMAIN=idontneedit.org.ru
+POSTGRES_DB=idontneedit
+POSTGRES_USER=idontneedit
+POSTGRES_PASSWORD=changeme
+POSTGRES_HOST=postgres
+POSTGRES_PORT=5432

.github/workflows/ci.yml

@@ -25,7 +25,6 @@ jobs:
       - name: Install uv
         run: pip install uv
 
-
       - name: Install project
         run: uv sync
 
@@ -38,11 +37,40 @@ jobs:
       - name: Run tests
         run: uv run python manage.py test
 
-  deploy:
+  build-image:
     needs: build
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
 
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            histrio/idontneedit:latest
+            histrio/idontneedit:${{ github.sha }}
+          cache-from: type=registry,ref=histrio/idontneedit:buildcache
+          cache-to: type=registry,ref=histrio/idontneedit:buildcache,mode=max
+
+  deploy:
+    needs: build-image
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+
     steps:
       - name: checkout
         uses: actions/checkout@v4

.pre-commit-config.yaml

@@ -6,6 +6,12 @@ repos:
     -   id: end-of-file-fixer
     -   id: trailing-whitespace
     -   id: check-added-large-files
+    -   id: forbid-new-submodules
+    -   id: no-commit-to-branch
+        args: ['--branch', 'main', '--branch', 'master']
+    -   id: check-case-conflict
+    -   id: check-merge-conflict
+    -   id: detect-private-key
 -   repo: https://github.com/psf/black
     rev: 25.11.0
     hooks:
@@ -20,3 +26,11 @@ repos:
   rev: v1.4.0
   hooks:
     - id: detect-secrets
+
+- repo: local
+  hooks:
+    - id: forbid-env-files
+      name: Forbid .env files
+      entry: '.env files must not be committed'
+      language: fail
+      files: '(^|/)\.env($|\.(?!example$).*)'

Dockerfile

@@ -0,0 +1,48 @@
+ARG PYTHON_VERSION=3.13
+FROM python:${PYTHON_VERSION}-slim AS base
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=off \
+    PIP_DISABLE_PIP_VERSION_CHECK=on \
+    PIP_DEFAULT_TIMEOUT=100
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+       ca-certificates curl \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --uid 10001 --create-home --shell /usr/sbin/nologin app \
+    && mkdir -p /app /app/static \
+    && chown -R app:app /app
+
+WORKDIR /app
+
+FROM base AS runtime
+
+COPY requirements.txt ./
+RUN pip install --upgrade pip wheel \
+    && pip install -r requirements.txt --no-cache-dir
+
+ENV DJANGO_SETTINGS_MODULE=config.settings \
+    DJANGO_STATIC_ROOT=/app/static/ \
+    GUNICORN_WORKERS=3 \
+    GUNICORN_BIND=0.0.0.0:8000 \
+    GUNICORN_MAX_REQUESTS=1000 \
+    GUNICORN_MAX_REQUESTS_JITTER=100 \
+    PORT=8000
+
+
+COPY . /app
+
+RUN chown -R app:app /app
+
+USER app
+
+EXPOSE 8000
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD curl -fsS "http://127.0.0.1:${PORT}/" || exit 1
+
+CMD ["/bin/sh", "-c", "exec gunicorn config.wsgi:application --bind 0.0.0.0:${PORT:-8000} --workers ${GUNICORN_WORKERS:-3} --access-logfile - --error-logfile -"]

Makefile

@@ -15,3 +15,17 @@ requirements.txt: uv.lock
 	@test -r .env \
 		&& echo "Your .env is older than .env.example" \
 		|| cp .env.example .env
+
+DOCKER?=docker
+IMAGE_REPO:=histrio/idontneedit
+IMAGE_TAG?=$(shell git rev-parse --short HEAD)
+LATEST_TAG?=latest
+
+.PHONY: image.build
+image.build:
+	@$(DOCKER) build -t $(IMAGE_REPO):$(IMAGE_TAG) -t $(IMAGE_REPO):$(LATEST_TAG) .
+
+.PHONY: image.push
+image.push:
+	@$(DOCKER) push $(IMAGE_REPO):$(IMAGE_TAG)
+	@$(DOCKER) push $(IMAGE_REPO):$(LATEST_TAG)

ansible/Caddyfile

@@ -1,15 +1,18 @@
-idontneedit.org.ru {
+{$SITE_DOMAIN} {
+    encode zstd gzip
 
-
-    handle_path /static/* {
-        root * /srv/idontneedit/static
-        file_server
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "DENY"
+        Referrer-Policy "strict-origin-when-cross-origin"
     }
 
-    handle_path /media/* {
-        root * /srv/idontneedit/media
+    handle_path /static/* {
+        root * /app/static
+        header Cache-Control "public, max-age=31536000, immutable"
         file_server
     }
 
-    reverse_proxy unix//srv/idontneedit/run/gunicorn.sock
+    reverse_proxy app:8000
 }

ansible/ansible.cfg

@@ -0,0 +1,3 @@
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+pipelining = True