Merge branch 'master' into feature/add-legacy-support

Author: MiloDevs

.env.example

@@ -1,30 +1,104 @@
-HOST=0.0.0.0
-PORT=8000
+# DevBin Backend Environment Configuration
 
-# Database configuration
-POSTGRES_USER: postgres
-POSTGRES_PASSWORD: postgres
-POSTGRES_DB: devbin
+# Environment (dev, staging, prod)
+APP_ENVIRONMENT=dev
 
-# Application configuration
-APP_DATABASE_URL=postgresql://postgres:postgres@devbin_db:5432/devbin
+# Server Configuration
+APP_PORT=8000
+APP_HOST=0.0.0.0
+APP_WORKERS=1
+APP_RELOAD=false
+APP_DEBUG=false
+
+# Logging Configuration
+# Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL
+APP_LOG_LEVEL=INFO
+# Log format: text (human-readable) or json (structured, for log aggregation)
+APP_LOG_FORMAT=text
+
+# Database Configuration
+APP_DATABASE_URL=postgresql+asyncpg://postgres:postgres@localhost:5432/devbin
+
+# Security - HTTPS
+# Set to true to redirect HTTP to HTTPS
+# Only enable if your deployment terminates SSL directly
+# Keep false if using reverse proxy (nginx, traefik, caddy, etc.)
+APP_ENFORCE_HTTPS=false
+
+# Security - CORS
+# For development (allows all origins):
+APP_CORS_DOMAINS=["*"]
+APP_ALLOW_CORS_WILDCARD=true
+
+# For production (specify exact domains):
+# APP_CORS_DOMAINS=["https://devbin.example.com","https://app.devbin.example.com"]
+# APP_ALLOW_CORS_WILDCARD=false
+
+# Trusted Hosts (for X-Forwarded-For header)
+APP_TRUSTED_HOSTS=["127.0.0.1"]
+
+# Paste Configuration
 APP_MAX_CONTENT_LENGTH=10000
 APP_BASE_FOLDER_PATH=./files
-# 1-9999999 or True for "os.cpu_count" ( how many cpu threads the machine has )
-# WARNING: Rate Limit / Cache is PER worker. e.g. expect 2x memore as both will cache different/doubles.
-APP_WORKERS=1
-APP_BYPASS_TOKEN= # Bypasses Rate limits
-APP_CORS_DOMAINS='["http://localhost:3000", "https://yourdomain.com"]'
-APP_CACHE_TTL=300
-APP_CACHE_SIZE_LIMIT=1000
 APP_MIN_STORAGE_MB=1024
+APP_KEEP_DELETED_PASTES_TIME_HOURS=336
 
-# Debug / Development settings
-APP_SQLALCHEMY_ECHO=false
-APP_DEBUG=false
-RELOAD=false
+# Storage Configuration
+# Storage backend: local, s3, or minio (default: local)
+APP_STORAGE_TYPE=local
+
+# S3 Configuration (when STORAGE_TYPE=s3)
+# APP_S3_BUCKET_NAME=devbin-pastes
+# APP_S3_REGION=us-east-1
+# APP_S3_ACCESS_KEY=your_access_key
+# APP_S3_SECRET_KEY=your_secret_key
+# APP_S3_ENDPOINT_URL=  # Optional: custom S3 endpoint URL
+
+# MinIO Configuration (when STORAGE_TYPE=minio)
+# APP_S3_BUCKET_NAME=devbin-pastes
+# APP_MINIO_ENDPOINT=minio:9000
+# APP_MINIO_ACCESS_KEY=minioadmin
+# APP_MINIO_SECRET_KEY=minioadmin
+# APP_MINIO_SECURE=true
+
+# Compression settings
+# Compression is most effective for content >= 2KB (achieves 30-40% compression ratio)
+# Smaller content compresses poorly and wastes CPU cycles
+APP_COMPRESSION_ENABLED=true
+APP_COMPRESSION_THRESHOLD_BYTES=2048
+APP_COMPRESSION_LEVEL=6
+
+# Caching
+# Cache backend: memory (default) or redis
+APP_CACHE_TYPE=memory
+APP_CACHE_SIZE_LIMIT=1000
+APP_CACHE_TTL=300
+
+# Redis Configuration (when CACHE_TYPE=redis or LOCK_TYPE=redis)
+# APP_REDIS_HOST=localhost
+# APP_REDIS_PORT=6379
+# APP_REDIS_DB=0
+# APP_REDIS_PASSWORD=  # Optional password
+
+# Distributed Locking
+# Lock backend: file (default) or redis
+APP_LOCK_TYPE=file
+
+# Privacy Settings
+APP_SAVE_USER_AGENT=false
+APP_SAVE_IP_ADDRESS=false
+
+# Optional: Rate limit bypass token for trusted apps
+# APP_BYPASS_TOKEN=your_secret_bypass_token_here
+
+# Metrics Authentication
+# Optional: Secure the Prometheus /metrics endpoint with Bearer token authentication
+# If not set, metrics endpoint remains publicly accessible
+# Production deployments should set this to a strong random token
+# APP_METRICS_TOKEN=your_secure_random_token_here
+# Example generation: openssl rand -hex 32
 
 # Frontend configurations
-API_BASE_URL=http://backend_container_name:port
+API_BASE_URL=http://devbin:8000
 PORT=3000
 ORIGIN=http://localhost:3000 # prevent cross-site post req forbidden from frontend because node can't resolve it's origin

.github/workflows/build-images.yml

@@ -0,0 +1,59 @@
+name: Build Images
+
+on:
+  pull_request:
+    branches:
+      - master
+    types: [opened, synchronize]
+  workflow_dispatch:
+
+jobs:
+  setup_build:
+    runs-on: ubuntu-latest
+    outputs:
+      backend_changed: ${{ steps.changed_files.outputs.backend == 'true' || github.event_name == 'workflow_dispatch' }}
+      frontend_changed: ${{ steps.changed_files.outputs.frontend == 'true' || github.event_name == 'workflow_dispatch' }}
+      repo_lc: ${{ steps.lowercase_repo.outputs.REPO_LC }}
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+
+      - name: Get changes
+        uses: tj-actions/changed-files@v45
+        id: changed_files
+        with:
+          files_yaml: |
+            backend:
+              - 'backend/**'
+              - '!backend/**/*.md'
+            frontend:
+              - 'frontend/**'
+              - '!frontend/**/*.md'
+          base_sha: ${{ github.event.pull_request.base.sha || github.sha }}
+
+      - name: Set lowercase repository variable
+        id: lowercase_repo
+        env:
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          REPO_LC=$(echo "$REPOSITORY" | tr '[:upper:]' '[:lower:]')
+          echo "REPO_LC=$REPO_LC" >> $GITHUB_OUTPUT
+
+  build-backend:
+    needs: setup_build
+    if: ${{ needs.setup_build.outputs.backend_changed == 'true' }}
+    uses: ./.github/workflows/docker-build.yml
+    with:
+      image_name: backend
+      context: backend
+      additional_tags: ghcr.io/${{ needs.setup_build.outputs.repo_lc }}-backend-preview:${{ github.event.pull_request.number || github.ref_name }}
+
+  build-frontend:
+    needs: setup_build
+    if: ${{ needs.setup_build.outputs.frontend_changed == 'true' }}
+    uses: ./.github/workflows/docker-build.yml
+    with:
+      image_name: frontend
+      context: frontend
+      additional_tags: ghcr.io/${{ needs.setup_build.outputs.repo_lc }}-frontend-preview:${{ github.event.pull_request.number || github.ref_name }}

.github/workflows/build-prod-images.yml

@@ -0,0 +1,73 @@
+name: Build Release Images
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version tag (e.g., 0.0.1-alpha)'
+        required: true
+        type: string
+      set_latest_tag:
+        description: 'Set latest tag'
+        required: false
+        default: true
+        type: boolean
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      repo_lc: ${{ steps.normalize.outputs.repo_lc }}
+      version: ${{ steps.normalize.outputs.version }}
+      backend_tags: ${{ steps.tags.outputs.backend }}
+      frontend_tags: ${{ steps.tags.outputs.frontend }}
+
+    steps:
+      - name: Normalize inputs
+        id: normalize
+        env:
+          VERSION_INPUT: ${{ inputs.version }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          VERSION=$(echo "$VERSION_INPUT" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9.]/-/g')
+          REPO_LC=$(echo "$REPOSITORY" | tr '[:upper:]' '[:lower:]')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "repo_lc=$REPO_LC" >> $GITHUB_OUTPUT
+
+      - name: Build tag strings
+        id: tags
+        env:
+          REPO_LC: ${{ steps.normalize.outputs.repo_lc }}
+          VERSION: ${{ steps.normalize.outputs.version }}
+          SET_LATEST: ${{ inputs.set_latest_tag }}
+        run: |
+          BACKEND_TAGS="ghcr.io/${REPO_LC}-backend:${VERSION}"
+          FRONTEND_TAGS="ghcr.io/${REPO_LC}-frontend:${VERSION}"
+          if [[ "$SET_LATEST" == "true" ]]; then
+            BACKEND_TAGS="${BACKEND_TAGS}
+          ghcr.io/${REPO_LC}-backend:latest"
+            FRONTEND_TAGS="${FRONTEND_TAGS}
+          ghcr.io/${REPO_LC}-frontend:latest"
+          fi
+          echo "backend<<EOF" >> $GITHUB_OUTPUT
+          echo "$BACKEND_TAGS" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+          echo "frontend<<EOF" >> $GITHUB_OUTPUT
+          echo "$FRONTEND_TAGS" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+  build-backend:
+    needs: setup
+    uses: ./.github/workflows/docker-build.yml
+    with:
+      image_name: backend
+      context: backend
+      additional_tags: ${{ needs.setup.outputs.backend_tags }}
+
+  build-frontend:
+    needs: setup
+    uses: ./.github/workflows/docker-build.yml
+    with:
+      image_name: frontend
+      context: frontend
+      additional_tags: ${{ needs.setup.outputs.frontend_tags }}

.github/workflows/docker-build.yml

@@ -0,0 +1,72 @@
+name: Reusable Docker Build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        description: 'Image name suffix (backend/frontend)'
+        required: true
+        type: string
+      context:
+        description: 'Docker build context path'
+        required: true
+        type: string
+      additional_tags:
+        description: 'Additional tags (newline-separated)'
+        required: false
+        type: string
+        default: ''
+      push:
+        description: 'Push image to registry'
+        required: false
+        type: boolean
+        default: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: production
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Normalize repository name
+        id: repo
+        env:
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          echo "name=$(echo "$REPOSITORY" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ steps.repo.outputs.name }}-${{ inputs.image_name }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ inputs.context }}
+          push: ${{ inputs.push }}
+          tags: |
+            ${{ steps.meta.outputs.tags }}
+            ${{ inputs.additional_tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/lint-backend.yml

@@ -0,0 +1,45 @@
+name: Lint Backend
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - "backend/**"
+  pull_request:
+    branches:
+      - master
+    paths:
+      - "backend/**"
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./backend
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.9.18"
+          enable-cache: true
+          cache-dependency-glob: "backend/uv.lock"
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Run ruff check
+        run: uv run ruff check --output-format=github .
+
+      - name: Run ruff format check
+        run: uv run ruff format --check --diff .