astarte-platform · Emina-M · Jan 31, 2025 · Feb 4, 2025 · Feb 5, 2025 · Feb 14, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -1,25 +1,45 @@
-# Standard Elixir gitignore to be applied to all apps
-_build
-cover
-deps
-doc
-doc/doc
-.fetch
-db
-erl_crash.dump
+# This file excludes paths from the Docker build context.
+#
+# By default, Docker's build context includes all files (and folders) in the
+# current directory. Even if a file isn't copied into the container it is still sent to
+# the Docker daemon.
+#
+# There are multiple reasons to exclude files from the build context:
+#
+# 1. Prevent nested folders from being copied into the container (ex: exclude
+#    /assets/node_modules when copying /assets)
+# 2. Reduce the size of the build context and improve build time (ex. /build, /deps, /doc)
+# 3. Avoid sending files containing sensitive information
+#
+# More information on using .dockerignore is available here:
+# https://docs.docker.com/engine/reference/builder/#dockerignore-file
+
+.dockerignore
+
+# Ignore git, but keep git HEAD and refs to access current commit hash if needed:
+#
+# $ cat .git/HEAD | awk '{print ".git/"$2}' | xargs cat
+# d0b8727759e1e0e7aa3d41707d12376e373d5ecc
+.git
+!.git/HEAD
+!.git/refs
+
+# Common development/test artifacts
+/cover/
+/doc/
+/test/
+/tmp/
+.elixir_ls
+
+# Mix artifacts
+/_build/
+/deps/
 *.ez
-*.beam
-config/*.secret.exs
-.elixir_ls/
 
-# Standard Erlang gitignore to be applied to all apps
-.eunit
-*.o
-*.beam
-*.plt
-.concrete/DEV_MODE
+# Generated on crash by the VM
+erl_crash.dump
 
-# rebar 2.x
-.rebar
-rel/example_project
-ebin/*.beam
+# Static artifacts - These should be fetched and built inside the Docker image
+/assets/node_modules/
+/priv/static/assets/
+/priv/static/cache_manifest.json
diff --git a/.formatter.exs b/.formatter.exs
@@ -1,5 +1,5 @@
 # Used by "mix format"
 [
   import_deps: [:phoenix, :ecto, :skogsra],
-  inputs: ["{mix,.formatter}.exs", "{config,lib,test}/**/*.{ex,exs}"]
+  inputs: ["*.{ex,exs}", "{config,lib,test}/**/*.{ex,exs}"]
 ]
diff --git a/.gitignore b/.gitignore
@@ -19,6 +19,9 @@ erl_crash.dump
 # Also ignore archive artifacts (built via "mix archive.build").
 *.ez
 
+# Temporary files, for example, from tests.
+/tmp/
+
 # Ignore package tarball (built via "mix hex.build").
-astarte_streams-*.tar
+astarte_flow-*.tar
 
diff --git a/Dockerfile b/Dockerfile
@@ -1,3 +1,17 @@
+# Find eligible builder and runner images on Docker Hub. We use Ubuntu/Debian instead of
+# Alpine to avoid DNS resolution issues in production.
+#
+# https://hub.docker.com/r/hexpm/elixir/tags?page=1&name=ubuntu
+# https://hub.docker.com/_/ubuntu?tab=tags
+#
+#
+# This file is based on these images:
+#
+#   - https://hub.docker.com/r/hexpm/elixir/tags - for the build image
+#   - https://hub.docker.com/_/debian?tab=tags&page=1&name=bullseye-20210902-slim - for the release image
+#   - https://pkgs.org/ - resource for finding needed packages
+#   - Ex: hexpm/elixir:1.12.0-erlang-24.0.1-debian-bullseye-20210902-slim
+#
 ARG ELIXIR_VERSION=1.17.3
 ARG OTP_VERSION=25.3.2.16
 ARG DEBIAN_VERSION=bullseye-20250113-slim
@@ -11,44 +25,66 @@ FROM ${BUILDER_IMAGE} as builder
 RUN apt-get update -y && apt-get install -y build-essential git \
     && apt-get clean && rm -f /var/lib/apt/lists/*_*
 
+# prepare build dir
 WORKDIR /app
 
-# Install hex
+# install hex + rebar
 RUN mix local.hex --force && \
-    mix local.rebar --force && \
-    mix hex.info
+    mix local.rebar --force
 
-# Pass --build-arg BUILD_ENV=dev to build a dev image
-ARG BUILD_ENV=prod
+# set build ENV
+ENV MIX_ENV="prod"
 
-ENV MIX_ENV=$BUILD_ENV
+# install mix dependencies
+COPY mix.exs mix.lock ./
+RUN mix deps.get --only $MIX_ENV
+RUN mkdir config
 
-# Cache elixir deps
-ADD mix.exs mix.lock ./
-RUN mix do deps.get, deps.compile
+# copy compile-time config files before we compile dependencies
+# to ensure any relevant config change will trigger the dependencies
+# to be re-compiled.
+COPY config/config.exs config/${MIX_ENV}.exs config/
+RUN mix deps.compile
 
-# Add all the rest
-ADD . .
+COPY priv priv
 
-# Build and release
-RUN mix do compile, release
+COPY lib lib
 
-# Note: it is important to keep Debian versions in sync, or incompatibilities between libcrypto will happen
-FROM ${RUNNER_IMAGE}
+# src contains pipelinelexer used for building a pipeline
+COPY src src
 
-WORKDIR /app
+# Compile the release
+RUN mix compile
+
+# Changes to config/runtime.exs don't require recompiling the code
+COPY config/runtime.exs config/
+
+COPY rel rel
+RUN mix release
 
-RUN apt-get -qq update
+# start a new build stage so that the final image will only contain
+# the compiled release and other runtime necessities
+FROM ${RUNNER_IMAGE}
+
+RUN apt-get update -y && apt-get install -y libstdc++6 openssl libncurses5 locales \
+  && apt-get clean && rm -f /var/lib/apt/lists/*_*
 
 # Set the locale
-ENV LANG C.UTF-8
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+WORKDIR "/app"
+RUN chown nobody /app
 
-# We need SSL
-RUN apt-get -qq install libssl1.1
+# set runner ENV
+ENV MIX_ENV="prod"
 
-# We have to redefine this here since it goes out of scope for each build stage
-ARG BUILD_ENV=prod
+# Only copy the final release from the build stage
+COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/astarte_flow ./
 
-COPY --from=builder /app/_build/$BUILD_ENV/rel/astarte_flow .
+USER nobody
 
-CMD ["./bin/astarte_flow", "start"]
+CMD ["/app/bin/server"]
diff --git a/config/config.exs b/config/config.exs
@@ -1,7 +1,7 @@
 #
 # This file is part of Astarte.
 #
-# Copyright 2019 Ispirata Srl
+# Copyright 2025 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -31,9 +31,13 @@ config :lager,
 # Configures the endpoint
 config :astarte_flow, Astarte.FlowWeb.Endpoint,
   url: [host: "localhost"],
-  secret_key_base: "o/WvTw7d0OPFuYFKe9Wk0MtjJsUaiX+g+JkkZIfhg18frniYdbQnZ1DC0V2gZVY4",
-  render_errors: [view: Astarte.FlowWeb.ErrorView, accepts: ~w(json)],
-  pubsub_server: Astarte.Flow.PubSub
+  adapter: Bandit.PhoenixAdapter,
+  render_errors: [
+    formats: [json: Astarte.FlowWeb.ErrorJSON],
+    layout: false
+  ],
+  pubsub_server: Astarte.Flow.PubSub,
+  live_view: [signing_salt: "sWcZAhO3"]
 
 # Disable phoenix logger since we're using PlugLoggerWithMeta
 config :phoenix, :logger, false
@@ -53,4 +57,4 @@ config :astarte_flow, :default_amqp_connection_port, 5672
 config :astarte_flow, Astarte.Flow.Auth.Guardian,
   allowed_algos: ["ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"]
 
-import_config "#{Mix.env()}.exs"
+import_config "#{config_env()}.exs"
diff --git a/config/dev.exs b/config/dev.exs
@@ -1,7 +1,7 @@
 #
 # This file is part of Astarte.
 #
-# Copyright 2019 Ispirata Srl
+# Copyright 2025 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,15 +25,44 @@ import Config
 # debugging and code reloading.
 #
 # The watchers configuration can be used to run external
-# watchers to your application. For example, we use it
-# with webpack to recompile .js and .css sources.
+# watchers to your application. For example, we can use it
+# to bundle .js and .css sources.
 config :astarte_flow, Astarte.FlowWeb.Endpoint,
-  http: [port: 4009],
-  debug_errors: true,
-  code_reloader: true,
+  # Binding to loopback ipv4 address prevents access from other machines.
+  # Change to `ip: {0, 0, 0, 0}` to allow access from other machines.
+  http: [ip: {127, 0, 0, 1}, port: 4009],
   check_origin: false,
+  code_reloader: true,
+  debug_errors: true,
+  secret_key_base: "o/WvTw7d0OPFuYFKe9Wk0MtjJsUaiX+g+JkkZIfhg18frniYdbQnZ1DC0V2gZVY4",
   watchers: []
 
+# ## SSL Support
+#
+# In order to use HTTPS in development, a self-signed
+# certificate can be generated by running the following
+# Mix task:
+#
+#     mix phx.gen.cert
+#
+# Run `mix help phx.gen.cert` for more information.
+#
+# The `http:` config above can be replaced with:
+#
+#     https: [
+#       port: 4001,
+#       cipher_suite: :strong,
+#       keyfile: "priv/cert/selfsigned_key.pem",
+#       certfile: "priv/cert/selfsigned.pem"
+#     ],
+#
+# If desired, both `http:` and `https:` keys can be
+# configured to run both http and https servers on
+# different ports.
+
+# Enable dev routes for dashboard and mailbox
+config :astarte_flow, dev_routes: true
+
 # Set a higher stacktrace during development. Avoid configuring such
 # in production as building large stacktraces may be expensive.
 config :phoenix, :stacktrace_depth, 20

diff --git a/config/prod.exs b/config/prod.exs
@@ -1,7 +1,7 @@
 #
 # This file is part of Astarte.
 #
-# Copyright 2019 Ispirata Srl
+# Copyright 2025 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -33,6 +33,7 @@ config :astarte_flow, Astarte.FlowWeb.Endpoint,
 
 # Do not print debug messages in production
 config :logger,
+  level: :info,
   compile_time_purge_matching: [
     [level_lower_than: :info]
   ]
@@ -60,3 +61,6 @@ config :k8s,
   clusters: %{
     default: %{}
   }
+
+# Runtime production configuration, including reading
+# of environment variables, is done on config/runtime.exs.