chore: create Dockerfile

.dockerignore

@@ -0,0 +1,45 @@
+# This file excludes paths from the Docker build context.
+#
+# By default, Docker's build context includes all files (and folders) in the
+# current directory. Even if a file isn't copied into the container it is still sent to
+# the Docker daemon.
+#
+# There are multiple reasons to exclude files from the build context:
+#
+# 1. Prevent nested folders from being copied into the container (ex: exclude
+#    /assets/node_modules when copying /assets)
+# 2. Reduce the size of the build context and improve build time (ex. /build, /deps, /doc)
+# 3. Avoid sending files containing sensitive information
+#
+# More information on using .dockerignore is available here:
+# https://docs.docker.com/engine/reference/builder/#dockerignore-file
+
+.dockerignore
+
+# Ignore git, but keep git HEAD and refs to access current commit hash if needed:
+#
+# $ cat .git/HEAD | awk '{print ".git/"$2}' | xargs cat
+# d0b8727759e1e0e7aa3d41707d12376e373d5ecc
+.git
+!.git/HEAD
+!.git/refs
+
+# Common development/test artifacts
+/cover/
+/doc/
+/test/
+/tmp/
+.elixir_ls
+
+# Mix artifacts
+/_build/
+/deps/
+*.ez
+
+# Generated on crash by the VM
+erl_crash.dump
+
+# Static artifacts - These should be fetched and built inside the Docker image
+/assets/node_modules/
+/priv/static/assets/
+/priv/static/cache_manifest.json

Dockerfile

@@ -0,0 +1,101 @@
+# Find eligible builder and runner images on Docker Hub. We use Ubuntu/Debian
+# instead of Alpine to avoid DNS resolution issues in production.
+#
+# https://hub.docker.com/r/hexpm/elixir/tags?page=1&name=ubuntu
+# https://hub.docker.com/_/ubuntu?tab=tags
+#
+# This file is based on these images:
+#
+#   - https://hub.docker.com/r/hexpm/elixir/tags - for the build image
+#   - https://hub.docker.com/_/debian?tab=tags&page=1&name=bullseye-20250317-slim - for the release image
+#   - https://pkgs.org/ - resource for finding needed packages
+#   - Ex: hexpm/elixir:1.18.3-erlang-27.3.1-debian-bullseye-20250317-slim
+#
+ARG ELIXIR_VERSION=1.18.3
+ARG OTP_VERSION=27.3.1
+ARG DEBIAN_VERSION=bullseye-20250317-slim
+
+ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-debian-${DEBIAN_VERSION}"
+ARG RUNNER_IMAGE="debian:${DEBIAN_VERSION}"
+
+ARG DATABASE="/data/database"
+
+FROM ${BUILDER_IMAGE} as builder
+
+# install build dependencies
+RUN apt-get update -y && apt-get install -y build-essential git \
+    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+# prepare build dir
+WORKDIR /app
+
+# install hex + rebar
+RUN mix local.hex --force && \
+    mix local.rebar --force
+
+# set build ENV
+ENV MIX_ENV="prod"
+
+# install mix dependencies
+COPY mix.exs mix.lock ./
+RUN mix deps.get --only $MIX_ENV
+RUN mkdir config
+
+# copy compile-time config files before we compile dependencies
+# to ensure any relevant config change will trigger the dependencies
+# to be re-compiled.
+COPY config/config.exs config/${MIX_ENV}.exs config/
+RUN mix deps.compile
+
+COPY priv priv
+
+COPY lib lib
+
+COPY assets assets
+
+# compile assets
+RUN mix assets.deploy
+
+# Compile the release
+RUN mix compile
+
+# Changes to config/runtime.exs don't require recompiling the code
+COPY config/runtime.exs config/
+
+COPY rel rel
+RUN mix release
+
+# start a new build stage so that the final image will only contain
+# the compiled release and other runtime necessities
+FROM ${RUNNER_IMAGE}
+
+RUN apt-get update -y && \
+  apt-get install -y libstdc++6 openssl libncurses5 locales ca-certificates tini \
+  && apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+# Set the locale
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+WORKDIR "/app"
+RUN chown nobody /app
+
+# set runner ENV
+ENV MIX_ENV="prod"
+
+# Only copy the final release from the build stage
+COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/putzplan ./
+
+USER nobody
+
+ENV DATABASE=${DATABASE}
+
+# If using an environment that doesn't automatically reap zombie processes, it is
+# advised to add an init process such as tini via `apt-get install`
+# above and adding an entrypoint. See https://github.com/krallin/tini for details
+ENTRYPOINT ["/usr/bin/tini", "--"]
+
+CMD ["/app/bin/server"]

Makefile

@@ -27,6 +27,7 @@ authelia-start: ${AUTHELIA_PID}
 ${AUTHELIA_PID}: ${AUTHELIA_CONFIG}
 	mkdir -p ${AUTHELIA_HOME}/tmp/
 	cd ${AUTHELIA_HOME}
+	mkdir -p $(dir ${AUTHELIA_PID})
 	authelia --config ${AUTHELIA_CONFIG} &> ${AUTHELIA_LOG} &
 	echo $$! > ${AUTHELIA_PID}
 

config/config.exs

@@ -51,7 +51,7 @@ config :putzplan,
 
 # Configures the endpoint
 config :putzplan, PutzplanWeb.Endpoint,
-  url: [host: "localhost"],
+  url: [host: "127.0.0.1"],
   adapter: Bandit.PhoenixAdapter,
   render_errors: [
     formats: [html: PutzplanWeb.ErrorHTML, json: PutzplanWeb.ErrorJSON],
@@ -99,6 +99,8 @@ config :logger, :console,
 # Use Jason for JSON parsing in Phoenix
 config :phoenix, :json_library, Jason
 
+config :exqlite, force_build: true
+
 # Import environment specific config. This must remain at the bottom
 # of this file so it overrides the configuration defined above.
 import_config "#{config_env()}.exs"

config/dev.exs

@@ -3,8 +3,6 @@ config :live_debugger, browser_features?: true
 
 # Configure your database
 config :putzplan, Putzplan.Repo,
-  username: "postgres",
-  password: "postgres",
   hostname: "localhost",
   database: "tmp/putzplan_dev",
   stacktrace: true,

config/prod.exs

@@ -5,7 +5,7 @@ import Config
 # manifest is generated by the `mix assets.deploy` task,
 # which you should run after static files are built and
 # before starting your production server.
-config :putzplan, PutzplanWeb.Endpoint, cache_static_manifest: "priv/static/cache_manifest.json"
+config :putzplan, PutzplanWeb.Endpoint, cache_static_manifest: "priv/static/cache_manifest.json", server: true
 
 # Configures Swoosh API Client
 config :swoosh, api_client: Swoosh.ApiClient.Finch, finch_name: Putzplan.Finch

config/runtime.exs

@@ -21,20 +21,15 @@ if System.get_env("PHX_SERVER") do
 end
 
 if config_env() == :prod do
-  database_url =
-    System.get_env("DATABASE_URL") ||
+  database =
+    System.get_env("DATABASE") ||
       raise """
-      environment variable DATABASE_URL is missing.
-      For example: ecto://USER:PASS@HOST/DATABASE
+      environment variable DATABASE is missing.
       """
 
-  maybe_ipv6 = if System.get_env("ECTO_IPV6") in ~w(true 1), do: [:inet6], else: []
-
   config :putzplan, Putzplan.Repo,
-    # ssl: true,
-    url: database_url,
-    pool_size: String.to_integer(System.get_env("POOL_SIZE") || "10"),
-    socket_options: maybe_ipv6
+    database: database,
+    pool_size: String.to_integer(System.get_env("POOL_SIZE") || "1")
 
   # The secret key base is used to sign/encrypt cookies and other secrets.
   # A default value is used in config/dev.exs and config/test.exs but you

flake.nix

@@ -6,41 +6,94 @@
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = { self, nixpkgs, flake-utils }:
-    flake-utils.lib.eachDefaultSystem (system:
-      let
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+  }:
+    flake-utils.lib.eachDefaultSystem (
+      system: let
         pkgs = nixpkgs.legacyPackages.${system};
-      in
-      {
+        erl = pkgs.beam.interpreters.erlang_27;
+        erlangPackages = pkgs.beam.packagesWith erl;
+        elixir = erlangPackages.elixir;
+      in {
+        packages = let
+          version = "0.1.0";
+          src = ./.;
+          mixFodDeps = erlangPackages.fetchMixDeps {
+            inherit version src;
+            pname = "putzplan";
+            sha256 = "sha256-H8FFuNayJcFvESWlGYr6H6L5zSzAjqBixBmob5Gnoc4=";
+          };
+          translatedPlatform =
+            pkgs.lib.getAttr
+            system
+            {
+              aarch64-darwin = "macos-arm64";
+              aarch64-linux = "linux-arm64";
+              armv7l-linux = "linux-armv7";
+              x86_64-darwin = "macos-x64";
+              x86_64-linux = "linux-x64";
+            };
+        in rec {
+          default = erlangPackages.mixRelease {
+            inherit version src mixFodDeps;
+            pname = "putzplan";
+
+            preInstall = ''
+              ln -s ${pkgs.tailwindcss}/bin/tailwindcss _build/tailwind-${translatedPlatform}
+              ln -s ${pkgs.esbuild}/bin/esbuild _build/esbuild-${translatedPlatform}
+
+              ${elixir}/bin/mix assets.deploy
+              ${elixir}/bin/mix phx.gen.release
+            '';
+          };
+          dockerImage = pkgs.dockerTools.buildImage {
+            name = "putzplan";
+            config = {
+              Entrypoint = "${default}/bin/putzplan";
+              Cmd = "start";
+            };
+          };
+        };
         devShells.default = pkgs.mkShell {
-          buildInputs = with pkgs; [
-            erlang_25
-            beam.packages.erlang_25.elixir_1_18
-            lexical
-            beam.packages.erlang_25.elixir-ls
-            next-ls
+          buildInputs = with pkgs;
+            [
+              erl
+              elixir
+              lexical
+              erlangPackages.elixir-ls
+              next-ls
 
-            sqlite
-            gnumake
-            authelia
-          ]
-          ++ lib.optionals stdenv.isLinux [
-            # For ExUnit Notifier on Linux.
-            libnotify
+              gnumake
+              authelia
+              lazysql
 
-            # For file_system on Linux.
-            inotify-tools
-          ]
-          ++ lib.optionals stdenv.isDarwin ([
-            # For ExUnit Notifier on macOS.
-            terminal-notifier
+              nix-output-monitor
+            ]
+            ++ lib.optionals stdenv.isLinux [
+              # For ExUnit Notifier on Linux.
+              libnotify
 
-            # For file_system on macOS.
-            darwin.apple_sdk.frameworks.CoreFoundation
-            darwin.apple_sdk.frameworks.CoreServices
-          ]);
+              # For file_system on Linux.
+              inotify-tools
+            ]
+            ++ lib.optionals stdenv.isDarwin [
+              # For ExUnit Notifier on macOS.
+              terminal-notifier
+
+              # For file_system on macOS.
+              darwin.apple_sdk.frameworks.CoreFoundation
+              darwin.apple_sdk.frameworks.CoreServices
+            ];
 
           shellHook = ''
+            export OIDC_CLIENT_ID="putzplan"
+            export OIDC_BASE_URL="http://127.0.0.1:9091"
+            export OIDC_CLIENT_SECRET_FILE="${pkgs.writeText "client_secret" "insecure_secret"}"
+            export OIDC_REDIRECT_URI="http://127.0.0.1:4000/auth"
+
             # allows mix to work on the local directory
             mkdir -p .nix/{mix,hex}
             export MIX_HOME=$PWD/.nix/mix

lib/putzplan/accounts/user.ex

@@ -23,11 +23,11 @@ defmodule Putzplan.Accounts.User do
 
     strategies do
       oidc :oidc do
-        client_id "putzplan"
-        base_url "http://127.0.0.1:9091"
-        client_secret "insecure_secret"
+        client_id Putzplan.Secrets
+        base_url Putzplan.Secrets
+        client_secret Putzplan.Secrets
         nonce true
-        redirect_uri "http://127.0.0.1:4000/auth"
+        redirect_uri Putzplan.Secrets
         authorization_params scope: "profile email"
       end
     end

lib/putzplan/release.ex

@@ -0,0 +1,28 @@
+defmodule Putzplan.Release do
+  @moduledoc """
+  Used for executing DB release tasks when run in production without Mix
+  installed.
+  """
+  @app :putzplan
+
+  def migrate do
+    load_app()
+
+    for repo <- repos() do
+      {:ok, _, _} = Ecto.Migrator.with_repo(repo, &Ecto.Migrator.run(&1, :up, all: true))
+    end
+  end
+
+  def rollback(repo, version) do
+    load_app()
+    {:ok, _, _} = Ecto.Migrator.with_repo(repo, &Ecto.Migrator.run(&1, :down, to: version))
+  end
+
+  defp repos do
+    Application.fetch_env!(@app, :ecto_repos)
+  end
+
+  defp load_app do
+    Application.load(@app)
+  end
+end

lib/putzplan/secrets.ex

@@ -1,7 +1,64 @@
 defmodule Putzplan.Secrets do
+  require Logger
   use AshAuthentication.Secret
 
   def secret_for([:authentication, :tokens, :signing_secret], Putzplan.Accounts.User, _opts, _ctx) do
     Application.fetch_env(:putzplan, :token_signing_secret)
   end
+
+  def secret_for([:authentication, :strategies, :oidc, name], Putzplan.Accounts.User, _opts, _ctx)
+      when is_atom(name) do
+    name
+    |> Atom.to_string()
+    |> String.upcase()
+    |> secret_from_env()
+    |> dbg
+  end
+
+  defp secret_from_env(name) do
+    name
+    |> from_file
+    |> case do
+      :not_set ->
+        from_env(name)
+
+      other ->
+        other
+    end
+    |> case do
+      {:error, error} ->
+        Logger.error(error)
+        :error
+
+      {:ok, _secret} = ok ->
+        ok
+    end
+  end
+
+  defp from_file(name) do
+    env_name = "OIDC_" <> name <> "_FILE"
+
+    with {:env, {:ok, value}} <- {:env, System.fetch_env(env_name)},
+         {:file, {:ok, contents}} <- {:file, File.read(value)} do
+      {:ok, contents}
+    else
+      {:env, :error} ->
+        Logger.info("#{env_name} is not set trying OIDC_#{name}.")
+        :not_set
+
+      {:file, _} ->
+        {:error, "Error reading secret file for #{name}."}
+    end
+  end
+
+  defp from_env(name) do
+    env_name = "OIDC_#{name}"
+
+    env_name
+    |> System.fetch_env()
+    |> case do
+      :error -> {:error, "#{env_name} is not set!"}
+      other -> other
+    end
+  end
 end

lib/putzplan_web/components/layouts/app.html.heex

@@ -1,29 +1,3 @@
-<header class="px-4 sm:px-6 lg:px-8">
-  <div class="flex items-center justify-between border-b border-zinc-100 py-3 text-sm">
-    <div class="flex items-center gap-4">
-      <a href="/">
-        <img src={~p"/images/logo.svg"} width="36" />
-      </a>
-      <p class="bg-brand/5 text-brand rounded-full px-2 font-medium leading-6">
-        v{Application.spec(:phoenix, :vsn)}
-      </p>
-    </div>
-    <div class="flex items-center gap-4 font-semibold leading-6 text-zinc-900">
-      <a href="https://twitter.com/elixirphoenix" class="hover:text-zinc-700">
-        @elixirphoenix
-      </a>
-      <a href="https://github.com/phoenixframework/phoenix" class="hover:text-zinc-700">
-        GitHub
-      </a>
-      <a
-        href="https://hexdocs.pm/phoenix/overview.html"
-        class="rounded-lg bg-zinc-100 px-2 py-1 hover:bg-zinc-200/80"
-      >
-        Get Started <span aria-hidden="true">&rarr;</span>
-      </a>
-    </div>
-  </div>
-</header>
 <main class="px-4 py-20 sm:px-6 lg:px-8">
   <div class="mx-auto max-w-2xl">
     <.flash_group flash={@flash} />

lib/putzplan_web/components/layouts/root.html.heex

@@ -9,7 +9,7 @@
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <meta name="csrf-token" content={get_csrf_token()} />
-    <.live_title default="Putzplan" suffix=" · Phoenix Framework">
+    <.live_title default="Putzplan">
       {assigns[:page_title]}
     </.live_title>
     <link phx-track-static rel="stylesheet" href={~p"/assets/app.css"} />

mix.exs

@@ -45,7 +45,6 @@ defmodule Putzplan.MixProject do
       {:phoenix, "~> 1.7.21"},
       {:phoenix_ecto, "~> 4.5"},
       {:ecto_sql, "~> 3.10"},
-      {:postgrex, ">= 0.0.0"},
       {:phoenix_html, "~> 4.1"},
       {:phoenix_live_reload, "~> 1.2", only: :dev},
       {:phoenix_live_view, "~> 1.0"},

rel/overlays/bin/migrate

@@ -0,0 +1,5 @@
+#!/bin/sh
+set -eu
+
+cd -P -- "$(dirname -- "$0")"
+exec ./putzplan eval Putzplan.Release.migrate

rel/overlays/bin/migrate.bat

@@ -0,0 +1 @@
+call "%~dp0\putzplan" eval Putzplan.Release.migrate

rel/overlays/bin/server

@@ -0,0 +1,5 @@
+#!/bin/sh
+set -eu
+
+cd -P -- "$(dirname -- "$0")"
+PHX_SERVER=true exec ./putzplan start

rel/overlays/bin/server.bat

@@ -0,0 +1,2 @@
+set PHX_SERVER=true
+call "%~dp0\putzplan" start