Attempt to automate registry images

.env.example

@@ -0,0 +1,24 @@
+DOCKERDIR=/opt/compose/keywarden
+
+## Local Auth
+KEYWARDEN_SECRET_KEY=<!GENERATE SECRET HERE!>
+KEYWARDEN_ALLOW_LOCAL_LOGIN=true
+KEYWARDEN_ACCESS_TOKEN_EXPIRE_MINUTES=60
+
+## Optional OIDC
+# KEYWARDEN_OIDC_ENABLED=true
+# KEYWARDEN_OIDC_ISSUER=https://auth.example.com/application/o/<slug>
+# KEYWARDEN_OIDC_CLIENT_ID=keywarden
+# KEYWARDEN_OIDC_AUDIENCE=keywarden-api
+# KEYWARDEN_OIDC_JWKS_URL=https://auth.example.com/application/o/<slug>/jwks
+
+## Policy toggles
+# KEYWARDEN_REQUIRE_SSO=false           # if true, local login is disabled
+# KEYWARDEN_AUTO_PROVISION_OIDC=true    # JIT user creation
+
+## Postgres
+KEYWARDEN_POSTGRES_USER="postgres"
+KEYWARDEN_POSTGRES_PASSWORD="postgres"
+KEYWARDEN_POSTGRES_HOST="keywarden-db"
+KEYWARDEN_POSTGRES_PORT=5432
+KEYWARDEN_POSTGRES_DB="keywarden"

.github/workflows/ci.yml

@@ -11,9 +11,13 @@ permissions:
 
 env:
   PYTHON_VERSION: "3.11"
-  # Used by tests / alembic; matches docker-compose-style DSN
-  TEST_POSTGRES_DSN: postgresql+asyncpg://postgres:postgres@localhost:5432/keywarden
-
+  IMAGE_NAME: keywarden-api
+  # Used by tests / alembic; matches docker compose environment
+  KEYWARDEN_POSTGRES_USER: postgres
+  KEYWARDEN_POSTGRES_PASSWORD: postgres
+  KEYWARDEN_POSTGRES_HOST: localhost
+  KEYWARDEN_POSTGRES_PORT: 5432
+  KEYWARDEN_POSTGRES_DB: keywarden
 jobs:
   lint:
    name: Lint & Format
@@ -68,31 +72,69 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.cache/pip
-          key: pip-${{ runner.os }}-${{ env.PYTHON_VERSION }}-${{ hashFiles('**/requirements.txt') }}
+          key: pip-${{ runner.os }}-${{ env.PYTHON_VERSION }}-${{ hashFiles('**/requirements*.txt', 'pyproject.toml') }}
           restore-keys: |
             pip-${{ runner.os }}-${{ env.PYTHON_VERSION }}-
       
-      - name: Install dependencies
+      - name: Install deps
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
+          # optional: extras/dev
+          if [ -f pyproject.toml ]; then pip install -e .[dev] || pip install -e . ; fi
       
       - name: Set PYTHONPATH
         run: echo "PYTHONPATH=${GITHUB_WORKSPACE}" >> $GITHUB_ENV
 
-      - name: Create .env for tests (optional for app runtime)
+      # Gitea ACT Runner needs this for some reason.
+      - name: Select Postgres host for runner
         run: |
-          printf "KEYWARDEN_POSTGRES_DSN=%s\nKEYWARDEN_SECRET_KEY=%s\n" \
-            "${{ env.TEST_POSTGRES_DSN }}" "testsecret" > .env
+          if [ "${ACT:-}" = "true" ]; then
+            echo "KEYWARDEN_POSTGRES_HOST=postgres" >> "$GITHUB_ENV"   # Gitea (act_runner)
+          else
+            echo "KEYWARDEN_POSTGRES_HOST=127.0.0.1" >> "$GITHUB_ENV"  # GitHub Actions
+          fi
+
+      - name: Echo DB target
+        run: echo "DB → ${KEYWARDEN_POSTGRES_HOST:-unset}:${{ env.KEYWARDEN_POSTGRES_PORT }}"
+
+      # Explicit wait (removes race on act_runner)
+      - name: Wait for Postgres
+        run: |
+          for i in {1..60}; do
+            python - <<'PY'
+          import os, socket, sys
+          h=os.environ.get("KEYWARDEN_POSTGRES_HOST","127.0.0.1"); p=int(os.environ.get("KEYWARDEN_POSTGRES_PORT","5432"))
+          s=socket.socket(); s.settimeout(1)
+          try:
+              s.connect((h,p)); print("Postgres is up:", h,p); sys.exit(0)
+          except Exception as e:
+              print("waiting:", e); sys.exit(1)
+          finally:
+              s.close()
+          PY
+                      if [ $? -eq 0 ]; then break; fi
+                      sleep 2
+                    done
                     
       - name: Run Alembic migrations
         env:
-          KEYWARDEN_POSTGRES_DSN: ${{ env.TEST_POSTGRES_DSN }}
+          KEYWARDEN_POSTGRES_USER: ${{ env.KEYWARDEN_POSTGRES_USER }}
+          KEYWARDEN_POSTGRES_PASSWORD: ${{ env.KEYWARDEN_POSTGRES_PASSWORD }}
+          KEYWARDEN_POSTGRES_HOST: ${{ env.KEYWARDEN_POSTGRES_HOST }}
+          KEYWARDEN_POSTGRES_PORT: ${{ env.KEYWARDEN_POSTGRES_PORT }}
+          KEYWARDEN_POSTGRES_DB: ${{ env.KEYWARDEN_POSTGRES_DB }}
+          KEYWARDEN_POSTGRES_SSL: ${{ env.KEYWARDEN_POSTGRES_SSL }}
         run: alembic upgrade head
   
       - name: Pytest
         env:
-          KEYWARDEN_POSTGRES_DSN: ${{ env.TEST_POSTGRES_DSN }}
+          KEYWARDEN_POSTGRES_USER: ${{ env.KEYWARDEN_POSTGRES_USER }}
+          KEYWARDEN_POSTGRES_PASSWORD: ${{ env.KEYWARDEN_POSTGRES_PASSWORD }}
+          KEYWARDEN_POSTGRES_HOST: ${{ env.KEYWARDEN_POSTGRES_HOST }}
+          KEYWARDEN_POSTGRES_PORT: ${{ env.KEYWARDEN_POSTGRES_PORT }}
+          KEYWARDEN_POSTGRES_DB: ${{ env.KEYWARDEN_POSTGRES_DB }}
+          KEYWARDEN_POSTGRES_SSL: ${{ env.KEYWARDEN_POSTGRES_SSL }}
         run: |
           pytest -q tests
   docker-build:
@@ -103,15 +145,47 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      # Choose Buildx cache backend: gha on GitHub, local on act_runner
+      - name: Select Buildx cache backend
+        run: |
+          if [ "${ACT:-}" = "true" ]; then
+            echo "CACHE_TO=type=local,dest=/tmp/.buildx-cache,mode=max" >> $GITHUB_ENV
+            echo "CACHE_FROM=type=local,src=/tmp/.buildx-cache" >> $GITHUB_ENV
+          else
+            echo "CACHE_TO=type=gha,mode=max" >> $GITHUB_ENV
+            echo "CACHE_FROM=type=gha" >> $GITHUB_ENV
+          fi
+
+      - name: Prepare local cache dir (act_runner only)
+        if: ${{ env.ACT == 'true' }}
+        run: mkdir -p /tmp/.buildx-cache
+
+      - name: Set image reference (Gitea)
+        run: |
+          echo "GT_IMAGE=${{ secrets.GITEA_REGISTRY }}/${{ secrets.GITEA_NAMESPACE }}/${{ env.IMAGE_NAME }}" >> $GITHUB_ENV
+
+      - name: Set up QEMU (optional)
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Build image (no push)
+      - name: Set image reference
+        run: echo "GT_IMAGE=${{ secrets.REGISTRY_HOST }}/${{ secrets.REGISTRY_NAMESPACE }}/${{ env.IMAGE_NAME }}" >> $GITHUB_ENV
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.REGISTRY_HOST }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build & push
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: false
-          tags: keywarden:ci
-          # speeds up builds by caching layers on GH Actions
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          push: true
+          tags: |
+            ${{ env.GT_IMAGE }}:${{ github.ref_name }}
+            ${{ env.GT_IMAGE }}:sha-${{ github.sha }}
+            ${{ env.GT_IMAGE }}:latest

SETUP.md

@@ -0,0 +1,16 @@
+# NGINX - External Proxy
+
+For setups behind an external reverse proxy (heavily recommended), using a local CA and self-signed certificates is not required, but also recommended.
+
+After installing `mkcert` through your system package manager:
+
+```bash
+mkcert -install
+mkcert abc.domain.xyz, bcd.domain.xyz
+mv domain.xyz+X-key.pem nginx/certs/key.pem
+mv domain.xyz.pem nginx/certs/certificate.pem
+```
+
+NGINX will find these certificates automatically and use them when proxying the application. Unless you know what you are doing, editing files under `nginx/configs/` is not recommended.
+
+If preferred, NGINX can be used as a reverse proxy, however an additional `certbot/certbot:latest` container would be required unless other valid SSL certificates are provided under `nginx/certs`.

alembic/env.py

@@ -25,11 +25,13 @@ if config.config_file_name is not None:
 target_metadata = Base.metadata
 
 # Get DB URL from env (prefer KEYWARDEN_ prefix, fall back to unprefixed, then a sane default for local)
-DB_URL = (
-    os.getenv("KEYWARDEN_POSTGRES_DSN")
-    or os.getenv("POSTGRES_DSN")
-    or "postgresql+asyncpg://postgres:postgres@localhost:5432/keywarden"
-)
+DB_USER = os.getenv("KEYWARDEN_POSTGRES_USER", "postgres")
+DB_PASS = os.getenv("KEYWARDEN_POSTGRES_PASSWORD", "postgres")
+DB_HOST = os.getenv("KEYWARDEN_POSTGRES_HOST", "keywarden-db")
+DB_PORT = os.getenv("KEYWARDEN_POSTGRES_PORT", "5432")
+DB_NAME = os.getenv("KEYWARDEN_POSTGRES_DB", "keywarden")
+
+DB_URL = f"postgresql+asyncpg://{DB_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}"
 
 
 def run_migrations_offline():

app/core/config.py

@@ -1,4 +1,4 @@
-
+from pydantic import computed_field
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -8,13 +8,33 @@ class Settings(BaseSettings):
         env_prefix="KEYWARDEN_",
         extra="ignore",
     )
+
     PROJECT_NAME: str = "Keywarden"
     API_V1_STR: str = "/api/v1"
-    SECRET_KEY: str
+
+    # Postgres split vars (with defaults)
+    POSTGRES_USER: str = "postgres"
+    POSTGRES_PASSWORD: str = "postgres"
+    POSTGRES_HOST: str = "keywarden-db"
+    POSTGRES_PORT: int = 5432
+    POSTGRES_DB: str = "keywarden"
+
+    SECRET_KEY: str = "insecure-dev-secret"  # default for local dev only
     ACCESS_TOKEN_EXPIRE_MINUTES: int = 30
-    POSTGRES_DSN: str
+
+    OIDC_ENABLED: bool = False
     OIDC_ISSUER: str | None = None
     OIDC_CLIENT_ID: str | None = None
-    OIDC_CLIENT_SECRET: str | None = None
+    OIDC_AUDIENCE: str | None = None   # optional
+    OIDC_JWKS_URL: str | None = None   # if not set, derive from issuer
+
+    @computed_field(return_type=str)
+    @property
+    def POSTGRES_DSN(self) -> str:
+        return (
+            f"postgresql+asyncpg://{self.POSTGRES_USER}:{self.POSTGRES_PASSWORD}"
+            f"@{self.POSTGRES_HOST}:{self.POSTGRES_PORT}/{self.POSTGRES_DB}"
+        )
+
 
 settings = Settings()

app/db/base.py

@@ -1,9 +1,6 @@
-from sqlalchemy.orm import declarative_base
-
+from app.db.base_class import Base  # noqa: F401
 from app.models.access_request import AccessRequest  # noqa: F401
 from app.models.audit import AuditEvent  # noqa: F401
 from app.models.server import Server  # noqa: F401
 from app.models.sshkey import SSHKey  # noqa: F401
 from app.models.user import User  # noqa: F401
-
-Base = declarative_base()

app/db/base_class.py

@@ -0,0 +1,13 @@
+from sqlalchemy import MetaData
+from sqlalchemy.orm import declarative_base
+
+# Optional: naming convention keeps Alembic diffs stable
+convention = {
+    "ix": "ix_%(column_0_label)s",
+    "uq": "uq_%(table_name)s_%(column_0_name)s",
+    "ck": "ck_%(table_name)s_%(constraint_name)s",
+    "fk": "fk_%(table_name)s_%(column_0_name)s_%(referred_table_name)s",
+    "pk": "pk_%(table_name)s",
+}
+metadata = MetaData(naming_convention=convention)
+Base = declarative_base(metadata=metadata)

app/main.py

@@ -1,13 +1,37 @@
 from fastapi import FastAPI
+from sqlalchemy import text
+from sqlalchemy.exc import SQLAlchemyError
+from starlette.responses import JSONResponse
 
 from app.api.v1 import auth, keys
 from app.core.config import settings
+from app.db.session import AsyncSessionLocal
 
-app = FastAPI(title=settings.PROJECT_NAME)
+app = FastAPI(
+    title=settings.PROJECT_NAME
+    )
 app.include_router(auth.router, prefix=f"{settings.API_V1_STR}/auth", tags=["auth"])
 app.include_router(keys.router, prefix=f"{settings.API_V1_STR}/keys", tags=["keys"])
 
-# Health endpoint (useful for docker, agent and uptime)
+# Is the API running?
+@app.get("/livez")
+async def livez():
+    return {"status": "ok"}
+
+# Is the application ready (including db)?
+@app.get("/readyz")
+async def readyz():
+    try:
+        async with AsyncSessionLocal() as session:
+            await session.execute(text("SELECT 1"))
+        return {"status": "ok", "db": "up"}
+    except SQLAlchemyError:
+        return JSONResponse(
+            status_code=503,
+            content={"status": "degraded", "db": "down"},
+        )
+
+# Is the application healthy (ready)?
 @app.get("/healthz")
-def healthz():
-    return {"ok": True}
+async def healthz():
+    return await readyz()  # alias

app/models/access_request.py

@@ -1,9 +1,9 @@
-from datetime import datetime, timezone #noqa
+from datetime import datetime
 
 from sqlalchemy import DateTime, ForeignKey, String
 from sqlalchemy.orm import Mapped, mapped_column
 
-from app.models.user import Base
+from app.db.base_class import Base
 
 
 class AccessRequest(Base):

app/models/audit.py

@@ -3,7 +3,7 @@ from datetime import datetime, timezone
 from sqlalchemy import DateTime, String
 from sqlalchemy.orm import Mapped, mapped_column
 
-from app.models.user import Base
+from app.db.base_class import Base
 
 
 class AuditEvent(Base):

app/models/server.py

@@ -1,7 +1,7 @@
 from sqlalchemy import JSON, Boolean, Integer, String
 from sqlalchemy.orm import Mapped, mapped_column
 
-from app.models.user import Base
+from app.db.base_class import Base
 
 
 class Server(Base):

app/models/sshkey.py

@@ -1,9 +1,9 @@
 from datetime import datetime, timezone  # noqa: F401
 
 from sqlalchemy import Boolean, DateTime, ForeignKey, String
-from sqlalchemy.orm import Mapped, mapped_column, relationship  # noqa: F401
+from sqlalchemy.orm import Mapped, mapped_column
 
-from app.models.user import Base
+from app.db.base_class import Base
 
 
 class SSHKey(Base):

app/models/user.py

@@ -1,10 +1,8 @@
 from sqlalchemy import Boolean, String
-from sqlalchemy.orm import Mapped, declarative_base, mapped_column
+from sqlalchemy.orm import Mapped, mapped_column
 
-# only for Alembic discovery, not used here
-from app.db.session import engine  # noqa: F401
+from app.db.base_class import Base
 
-Base = declarative_base()
 
 class User(Base):
     __tablename__ = "users"

docker-compose.yml.example

@@ -9,6 +9,7 @@ services:
       - ${DOCKERDIR}/nginx/certs/:/certs/
       - ${DOCKERDIR}/nginx/webdir/:/var/www/
       - ${DOCKERDIR}/nginx/logs:/var/log/nginx/
+# - "external:internal", change external to desired port
     ports:
       - "443:443"
 
@@ -22,10 +23,13 @@ services:
   db:
     image: postgres:17-alpine
     environment:
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
-      POSTGRES_DB: keywarden
-      POSTGRES_USER: postgres
-    # ports: ["5432:5432"]
+      POSTGRES_PASSWORD: ${KEYWARDEN_POSTGRES_PASSWORD:-postgres}
+      POSTGRES_DB: ${KEYWARDEN_POSTGRES_DB:-keywarden}
+      POSTGRES_USER: ${KEYWARDEN_POSTGRES_USER:-keywarden}
+      POSTGRES_PORT: ${KEYWARDEN_POSTGRES_PORT:-5432}
+# Do not enable unless debugging, not needed to be exposed outside of docker network
+#    ports: 
+#      - "5432:5432"
     volumes: 
       - "pgdata:/var/lib/postgresql/data"
 
@@ -33,13 +37,17 @@ services:
     build: .
     depends_on:
       - db
-    environment:
-      - SECRET_KEY=[CREATE SECRET KEY]
-      - POSTGRES_DSN=postgresql+asyncpg://postgres:${POSTGRES_PASSWORD:-postgres}@keywarden-postgres:5432/keywarden
-      - ACCESS_TOKEN_EXPIRE_MINUTES=60
-    ports: 
-      - "8000:8000"
+    env_file:
+      - .env
+# API runs on port 8000, but is unneeded to be external unless using a custom reverse proxy on another machine
+#    ports: 
+#      - "8000:8000"
     command: uvicorn app.main:app --host 0.0.0.0 --port 8000
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000/healthz"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
 
 volumes:
   pgdata:

nginx/configs/nginx.conf

@@ -21,21 +21,6 @@ http {
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
     access_log  /var/log/nginx/access.log main;
-
-    server_tokens       off;
-
-    sendfile            on;
-    tcp_nopush          on;
-
-    keepalive_timeout   60;
-    tcp_nodelay         on;
-    client_body_timeout 15;
-
-    gzip                on;
-    gzip_vary           on;
-    gzip_min_length             1k;
-    client_max_body_size 10G;
-    proxy_request_buffering off;
     include /etc/nginx/conf.d/*.conf;
 
     types_hash_bucket_size 128;

nginx/configs/sites/default.conf

@@ -25,15 +25,24 @@ server {
 
     }
 
+    # NOT FOR PROD vvv
+    location ~ ^/(docs|openapi.json)$ {
+        proxy_pass  http://keywarden-api:8000;
+    }
+    ## REMOVE IN PRODUCTION BUILDS ^^^
+
     location /api/v1/ {
-        proxy_pass  http://api:8000;
+        proxy_pass  http://keywarden-api:8000;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
     }
-    location /healthz {
-        proxy_pass  http://api:8000;
+    location ~ ^/(healthz|readyz|livez)$ {
+        proxy_pass  http://keywarden-api:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
     }
 }

tests/test_health.py

@@ -8,6 +8,6 @@ from app.main import app
 
 def test_healthz():
     client = TestClient(app)
-    r = client.get("/healthz")
+    r = client.get("/readyz")
     assert r.status_code == 200
-    assert r.json() == {"ok": True}
+    assert r.json() == {"status": "ok", "db": "up"}