inno-devops-labs · GrandAdmiralBee · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026
diff --git a/.envrc b/.envrc
@@ -0,0 +1,14 @@
+export DIRENV_WARN_TIMEOUT=20s
+
+eval "$(devenv direnvrc)"
+
+use devenv 
+
+if [[ "$SHELL" =~ "zsh" || "$SHELL"  =~ "bash" ]]; then
+  source ./site/env/bin/activate || true
+fi
+
+if [[ "$SHELL" =~ "fish" ]]; then
+  source ./site/env/bin/activate.fish || true
+fi
+
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,13 @@
+## Goal
+<!-- What does this PR accomplish? 1 sentence. -->
+
+## Changes
+-
+
+## Testing
+<!-- How did you verify it? -->
+
+## Checklist
+- [ ] Title is a clear sentence (≤ 70 chars)
+- [ ] Commits are signed (`git log --show-signature`)
+- [ ] `submissions/labN.md` updated
diff --git a/.gitignore b/.gitignore
@@ -52,6 +52,9 @@ Thumbs.db
 # Local agent config (not part of the course)
 .claude/
 
+# Devenv env
+.devenv/
+
 # NOTE: deliberately NOT ignored, because students commit them as lab evidence:
 #   submissions/labN.md        (lab reports)
 #   .github/workflows/*.yml    (Lab 3 CI)

diff --git a/app/Dockerfile b/app/Dockerfile
@@ -0,0 +1,35 @@
+# syntax=docker/dockerfile:1.7
+
+# Stage 1: builder
+FROM golang:1.24.13-alpine AS builder
+WORKDIR /src
+
+# Layer-cache: dependencies before source
+COPY go.mod ./
+RUN go mod download
+
+COPY . .
+
+ENV CGO_ENABLED=0 \
+    GOOS=linux \
+    GOARCH=amd64
+
+RUN go build -trimpath -ldflags='-s -w' -o /out/quicknotes . \
+ && go build -trimpath -ldflags='-s -w' -o /out/healthcheck ./cmd/healthcheck \
+ && mkdir -p /out/data
+
+# Stage 2: runtime — distroless static, nonroot
+FROM gcr.io/distroless/static-debian12:nonroot
+
+COPY --from=builder /out/quicknotes  /quicknotes
+COPY --from=builder /out/healthcheck /healthcheck
+COPY --from=builder /src/seed.json   /seed.json
+COPY --from=builder --chown=65532:65532 /out/data /data
+
+ENV ADDR=:8080 \
+    DATA_PATH=/data/notes.json \
+    SEED_PATH=/seed.json
+
+EXPOSE 8080
+USER nonroot:nonroot
+ENTRYPOINT ["/quicknotes"]
diff --git a/app/cmd/healthcheck/main.go b/app/cmd/healthcheck/main.go
@@ -0,0 +1,23 @@
+package main
+
+import (
+	"net/http"
+	"os"
+	"time"
+)
+
+func main() {
+	url := os.Getenv("HC_URL")
+	if url == "" {
+		url = "http://127.0.0.1:8080/health"
+	}
+	c := http.Client{Timeout: 2 * time.Second}
+	r, err := c.Get(url)
+	if err != nil {
+		os.Exit(1)
+	}
+	r.Body.Close()
+	if r.StatusCode != http.StatusOK {
+		os.Exit(1)
+	}
+}
diff --git a/compose.yaml b/compose.yaml
@@ -0,0 +1,38 @@
+services:
+  quicknotes:
+    build:
+      context: ./app
+      dockerfile: Dockerfile
+    image: quicknotes:lab6
+    ports:
+      - "127.0.0.1:8080:8080"
+    environment:
+      ADDR: ":8080"
+      DATA_PATH: "/data/notes.json"
+      SEED_PATH: "/seed.json"
+    volumes:
+      - quicknotes-data:/data
+    healthcheck:
+      test: ["CMD", "/healthcheck"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+    restart: unless-stopped
+
+    # Bonus: 6 hardening defaults:
+    # nonroot (matches distroless`:nonroot`)
+    # root filesystem is read-only
+    # scratch space for runtime; /data stays RW
+    # drop every Linux capability
+    user: "65532:65532"
+    read_only: true
+    tmpfs:
+      - /tmp
+    cap_drop:
+      - ALL
+    security_opt:
+      - "no-new-privileges:true"
+
+volumes:
+  quicknotes-data:
diff --git a/devenv.lock b/devenv.lock
@@ -0,0 +1,65 @@
+{
+  "nodes": {
+    "devenv": {
+      "locked": {
+        "dir": "src/modules",
+        "lastModified": 1781576018,
+        "narHash": "sha256-bERSTGBUVBySDulPk8NSW7GM8fzGSrrlyD37e3N+x9s=",
+        "owner": "cachix",
+        "repo": "devenv",
+        "rev": "b495a8fbaa95ef1cbece20c705f68540b108f59d",
+        "type": "github"
+      },
+      "original": {
+        "dir": "src/modules",
+        "owner": "cachix",
+        "repo": "devenv",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "inputs": {
+        "nixpkgs-src": "nixpkgs-src"
+      },
+      "locked": {
+        "lastModified": 1778507786,
+        "narHash": "sha256-HzSQCKMsMr8r55LwM1JuzIOB+8bzk0FEv6sItKvsfoY=",
+        "owner": "cachix",
+        "repo": "devenv-nixpkgs",
+        "rev": "8f24a228a782e24576b155d1e39f0d914b380691",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "ref": "rolling",
+        "repo": "devenv-nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1778274207,
+        "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "devenv": "devenv",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/devenv.nix b/devenv.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+
+{
+  packages = with pkgs; [
+    git
+    openssh
+    python3
+    curl
+    jq
+    gh
+  ];
+
+  languages.go.enable = true;
+
+  enterShell = ''
+    echo "── DevOps-Intro devenv ──"
+    go version
+    git --version
+    echo "QuickNotes: cd app && go run ."
+  '';
+}
diff --git a/devenv.yaml b/devenv.yaml
@@ -0,0 +1,3 @@
+inputs:
+  nixpkgs:
+    url: github:cachix/devenv-nixpkgs/rolling