Prepare Docker Hub publishing and production compose

Author: Jonatan Castro

.env.example

@@ -5,6 +5,7 @@ UNIFI_HOST=192.168.1.1
 # UNIFI_API_KEY_FILE=/run/secrets/unifi_api_key
 UNIFI_USERNAME=admin
 UNIFI_PASSWORD=change-me
+# UNIFI_USERNAME_FILE=/run/secrets/unifi_username
 # UNIFI_PASSWORD_FILE=/run/secrets/unifi_password
 
 # Optional but recommended for plug-and-play route creation

.github/workflows/publish-docker.yml

@@ -0,0 +1,61 @@
+name: Publish Docker Image
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+env:
+  IMAGE_NAME: bluepr0/stopliga
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set build date
+        id: build_date
+        run: echo "value=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          flavor: |
+            latest=true
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+          labels: |
+            org.opencontainers.image.title=StopLiga
+            org.opencontainers.image.description=Synchronize a UniFi policy-based route with a public GitHub IP feed.
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ steps.meta.outputs.version }}
+            BUILD_DATE=${{ steps.build_date.outputs.value }}
+            VCS_REF=${{ github.sha }}

Dockerfile

@@ -1,5 +1,5 @@
 ARG PYTHON_BASE=python:3.12-slim@sha256:804ddf3251a60bbf9c92e73b7566c40428d54d0e79d3428194edf40da6521286
-ARG VERSION=0.1.0
+ARG VERSION=0.1.1
 ARG BUILD_DATE=unknown
 ARG VCS_REF=unknown
 ARG SOURCE_URL=https://github.com/jonatan/stopliga
@@ -25,7 +25,7 @@ RUN pip install --upgrade pip==26.0.1 setuptools==82.0.1 wheel==0.46.3 \
 
 FROM ${PYTHON_BASE} AS runtime
 
-ARG VERSION=0.1.0
+ARG VERSION=0.1.1
 ARG BUILD_DATE=unknown
 ARG VCS_REF=unknown
 ARG SOURCE_URL=https://github.com/jonatan/stopliga

README.md

@@ -150,6 +150,15 @@ STOPLIGA_RUN_MODE=loop
 docker build -t stopliga .
 ```
 
+### Publicar en Docker Hub
+
+La release automática usa [publish-docker.yml](/Users/jonatan/Code/stopliga/.github/workflows/publish-docker.yml:1) y se dispara al hacer push de una tag `v*`.
+
+Secrets requeridos en GitHub:
+
+- `DOCKERHUB_USERNAME`
+- `DOCKERHUB_TOKEN`
+
 ### One-shot
 
 ```bash
@@ -172,25 +181,39 @@ docker run -d \
 
 ## Docker Compose
 
-El proyecto incluye [docker-compose.yml](/Users/jonatan/Nextcloud/AI/Claude/Apps/StopLiga/docker-compose.yml:1).
+El proyecto incluye [docker-compose.yml](/Users/jonatan/Code/stopliga/docker-compose.yml:1).
 
 ```bash
 cp .env.example .env
 mkdir -p secrets
-docker compose up -d --build
+docker compose pull
+docker compose up -d
 ```
 
 Si quieres evitar secretos en variables de entorno:
 
 ```bash
 printf '%s\n' 'replace-me' > secrets/unifi_api_key
+printf '%s\n' 'admin' > secrets/unifi_username
 printf '%s\n' 'change-me' > secrets/unifi_password
-chmod 600 secrets/unifi_api_key secrets/unifi_password
+chmod 600 secrets/unifi_api_key secrets/unifi_username secrets/unifi_password
+```
+
+Y en `.env` deja solo `UNIFI_HOST` y referencia los ficheros:
+
+```dotenv
+UNIFI_API_KEY_FILE=/run/secrets/unifi_api_key
+# o, si usas login local:
+# UNIFI_USERNAME_FILE=/run/secrets/unifi_username
+# UNIFI_PASSWORD_FILE=/run/secrets/unifi_password
 ```
 
-Y en `.env` deja solo `UNIFI_HOST` y, si aplica, `UNIFI_USERNAME`.
+El `docker-compose.yml` del repo está simplificado para producción normal:
 
-El `docker-compose.yml` del repo ya viene preparado para Linux con `STOPLIGA_UID=1000` y `STOPLIGA_GID=1000` por defecto. Si tu host usa otro UID/GID, cámbialos en `.env`.
+- imagen `bluepr0/stopliga:latest`
+- `uid/gid 1000`
+- volumen `./data:/data`
+- secretos en `./secrets:/run/secrets:ro`
 
 Prueba puntual:
 

docker-compose.yml

@@ -1,18 +1,14 @@
 services:
   stopliga:
-    build: .
-    image: stopliga:local
+    image: bluepr0/stopliga:latest
     container_name: stopliga
     init: true
     restart: unless-stopped
     env_file:
-      - path: .env
-        required: false
+      - .env
     environment:
-      STOPLIGA_UID: ${STOPLIGA_UID:-1000}
-      STOPLIGA_GID: ${STOPLIGA_GID:-1000}
-      UNIFI_API_KEY_FILE: /run/secrets/unifi_api_key
-      UNIFI_PASSWORD_FILE: /run/secrets/unifi_password
+      STOPLIGA_UID: 1000
+      STOPLIGA_GID: 1000
     command: ["--loop"]
     volumes:
       - ./data:/data

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "stopliga"
-version = "0.1.0"
+version = "0.1.1"
 description = "Synchronize a UniFi policy-based route with a public GitHub IP feed."
 readme = "README.md"
 requires-python = ">=3.11"