Update Docker

Docker.md

@@ -4,6 +4,15 @@
 
 AURWeb's Docker infrastructure is composed of a [Dockerfile](https://gitlab.archlinux.org/archlinux/aurweb/-/tree/pu/Dockerfile) and [docker-compose.yml Services](https://gitlab.archlinux.org/archlinux/aurweb/-/tree/pu/docker-compose.yml).
 
+## Contents
+
+- [Services](#services)
+- [Getting Started](#getting-started)
+- [Development](#development)
+- [Production](#production)
+
+## Services
+
 | Service       | Port  | Profile | Purpose                        |
 |---------------|-------|---------|--------------------------------|
 | ca            |       |         | Self-signed CA generation      |
@@ -42,13 +51,13 @@ To get started, you need to build the `aurweb:latest` Docker image by issuing th
 
 You can then `docker-compose (up|run)` any one of the services:
 
-    $ docker-compose -f docker-compose.yml -f docker-compose.dev.yml --profile dev run test
+    $ docker-compose run test
     $ docker-compose up -d nginx
 
 Users will notice initially starting up a service can take some time, especially one with many dependencies. After the initial startup, however, users can run services again without much initialization:
 
-    $ docker-compose -f docker-compose.yml -f docker-compose.dev.yml --profile dev run test  # First run with no up'd services, takes a while.
+    $ docker-compose run test  # First run with no up'd services, takes a while.
-    $ docker-compose -f docker-compose.yml -f docker-compose.dev.yml --profile dev run test  # Starts instantly.
+    $ docker-compose run test  # Starts instantly.
 
 ## Continued Imaging
 
@@ -64,7 +73,7 @@ The `ca` service will generate a `ca.root.pem` file in `$aurweb_path/cache`, whi
 
 Otherwise, users may also wish to run tests. Users can easily run tests by taking advantage of the `pytest-mysql`, `pytest-sqlite`, `sharness` and `test` services.
 
-For an all in one testing strategy, the `test` service should be preferred, as it also runs linter checks which the aurweb project requires: flake8 and isort. This test is identical to GitLab CI's tests.
+For an all in one testing strategy, the `test` service should be preferred, as it also runs linter hecks which the aurweb project requires: flake8 and isort. This test is identical to GitLab CI's tests.
 
 Our test suites also provide coverage data via a shared volume directory at `$aurwebdir/cache/`. After tests are complete, users can copy coverage data output by Docker into their local setup by executing `./util/fix-coverage ./cache/.coverage`. After this is done, users can continue on with standard coverage execution:
 
@@ -79,12 +88,77 @@ Test services which provide coverage data: `pytest-mysql`, `pytest-sqlite`, and
 
 ## Production
 
-For production, the `fastapi` (exposed on localhost:18000) and `php-fpm` (exposed on localhost:19000) services can be used to supply back-ends to a host instance of nginx. The `git` service (exposed on localhost:2222) should be used for a Docker-contained AUR sshd.
+For production, the [docker-compose.prod.yml](https://gitlab.archlinux.org/archlinux/aurweb/-/tree/pu/docker-compose.prod.yml) should be used in unison with the standard `docker-compose.yml`:
 
-These services will both share the `mariadb` service, which they depend on and will be started when starting higher services.
+    $ docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d <service>
 
-`smartgit` is not yet supported for deployment through Docker, unless using our internal services with it.
+This provides service overrides which mainly affect volume behavior. In
+production, volumes will not be shared with docker from the host.
 
-## Notes
+The following services in particular are useful for production:
 
-This wiki document is not as specific and complete as it could be and it will be improved over time.
+- `mariadb`
+- `git`
+- `smartgit`
+- `cgit-fastapi` (`fastapi` depends on)
+- `redis` (`fastapi` depends on)
+- `fastapi`
+- `cgit-php` (`php-fpm` depends on)
+- `memcached` (`php-fpm` depends on)
+- `php-fpm`
+
+Note: To see exposed ports on the host, take a look at [Services](#services) at
+the beginning of this document.
+
+Deployers will want to use an HTTP front-end like `nginx` which uses
+Docker's `php-fpm` and/or `fastapi` services as a backend.
+
+Example:
+
+    $ docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d fastapi
+    $ docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d php-fpm
+    $ cat /etc/nginx/conf.d/aur-fastapi.conf
+    server {
+        listen 443 ssl http2;
+        server_name aur-fastapi.domain.org;
+
+        ssl_certificate /path/to/aur.cert.pem;
+        ssl_certificate_key /path/to/aur.key.pem;
+
+        root /path/to/aurweb_root;
+
+        location / {
+            try_files $uri @proxy_to_app;
+        }
+
+        # Not yet accessible for production.
+        location ~ "^/([a-z0-9][a-z0-9.+_-]*?)(\.git)?/(git-(receive|upload)-pack|HEAD|info/refs|objects/(info/(http-)?alternates|packs)|[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" {
+            include      uwsgi_params;
+            uwsgi_pass   smartgit;
+            uwsgi_modifier1 9;
+            uwsgi_param  SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+            uwsgi_param  PATH_INFO /aur.git/$3;
+            uwsgi_param  GIT_HTTP_EXPORT_ALL "";
+            uwsgi_param  GIT_NAMESPACE $1;
+            uwsgi_param  GIT_PROJECT_ROOT /aurweb;
+        }
+
+        # Not yet enabled for production.
+        location ~ ^/cgit {
+            include uwsgi_params;
+            rewrite ^/cgit/([^?/]+/[^?]*)?(?:\?(.*))?$ /cgit.cgi?url=$1&$2 last;
+            uwsgi_modifier1 9;
+            uwsgi_param CGIT_CONFIG /etc/cgitrc;
+            uwsgi_pass uwsgi://127.0.0.1:<exposed_cgit_fastapi_port>;
+        }
+
+        location @proxy_to_app {
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_redirect off;
+            proxy_buffering off;
+            proxy_pass https://127.0.0.1:18000;
+        }
+
+    }