feat: add Docker support and improved systemd configuration

Features:
- Complete Docker containerization with s6-overlay init
- PUID/PGID support for proper file permissions
- Multi-architecture builds (amd64/arm64)
- GitHub Actions CI/CD pipeline for ghcr.io publishing
- OpenContainer labels for proper metadata

Systemd improvements:
- Template-based service for multiple subreddits
- Per-subreddit config files in /etc/redditmodlog/
- Centralized logging to /var/log/redditmodlog/
- Automatic log rotation (30 days, 100MB max)
- Security hardening with read-only filesystem
- Resource limits (256MB RAM, 25% CPU)

Infrastructure:
- Installation script for easy deployment
- Logrotate configuration included
- Enhanced .gitignore for sensitive files
- Updated README with Docker and systemd documentation

This provides production-ready deployment options for both Docker and systemd environments.

Author: bakerboy448

.dockerignore

@@ -0,0 +1,56 @@
+# Git files
+.git
+.gitignore
+.github
+
+# Documentation
+README.md
+CLAUDE.md
+LICENSE
+CHANGELOG.md
+*.md
+
+# Development files
+*.pyc
+__pycache__
+.pytest_cache
+.coverage
+htmlcov
+.env
+.env.*
+
+# IDE files
+.vscode
+.idea
+*.swp
+*.swo
+*.swn
+.DS_Store
+
+# Local data and logs
+data/
+logs/
+*.db
+*.log
+
+# Config files (except template)
+config.json
+
+# Test files
+test_*.py
+tests/
+debug_*.py
+
+# Build artifacts
+build/
+dist/
+*.egg-info/
+
+# Systemd files
+systemd/
+*.service
+
+# Docker files (not needed in build context)
+docker-compose.yml
+docker-compose.*.yml
+Dockerfile.*

.github/workflows/docker-build.yml

@@ -0,0 +1,121 @@
+name: Docker Build and Publish
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+      - 'feature/docker-*'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      push:
+        description: 'Push images to registry'
+        required: false
+        default: 'false'
+        type: choice
+        options:
+          - 'true'
+          - 'false'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=sha,prefix={{branch}}-,enable=true,format=short
+          labels: |
+            org.opencontainers.image.title=Reddit ModLog Wiki Publisher
+            org.opencontainers.image.description=Automated Reddit moderation log publisher to wiki pages
+            org.opencontainers.image.vendor=bakerboy448
+            org.opencontainers.image.licenses=GPL-3.0
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' || github.event.inputs.push == 'true' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_DATE=${{ github.event.head_commit.timestamp }}
+            VCS_REF=${{ github.sha }}
+            VERSION=${{ steps.meta.outputs.version }}
+
+      - name: Generate SBOM
+        if: github.event_name != 'pull_request'
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Upload SBOM
+        if: github.event_name != 'pull_request'
+        uses: actions/upload-artifact@v3
+        with:
+          name: sbom
+          path: sbom.spdx.json
+
+  security-scan:
+    needs: build
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.gitignore

@@ -2,6 +2,9 @@
 config.json
 *.config.json
 config.*.json
+/etc/redditmodlog/*.json
+!config_template.json
+!*.json.example
 
 # Database files
 *.db
@@ -38,7 +41,13 @@ venv/
 ENV/
 env/
 .venv
+
+# Environment files with credentials
 .env
+.env.*
+*.env
+!example.env
+!*.env.example
 
 # IDE
 .vscode/

Dockerfile

@@ -0,0 +1,114 @@
+# Build stage
+FROM python:3.11-slim as builder
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create virtual environment
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+# Install Python dependencies
+COPY requirements.txt /tmp/
+RUN pip install --no-cache-dir -r /tmp/requirements.txt
+
+# Runtime stage
+FROM python:3.11-slim
+
+# OCI Labels
+LABEL org.opencontainers.image.title="Reddit ModLog Wiki Publisher" \
+      org.opencontainers.image.description="Automated Reddit moderation log publisher to wiki pages" \
+      org.opencontainers.image.authors="bakerboy448" \
+      org.opencontainers.image.source="https://github.com/bakerboy448/RedditModLog" \
+      org.opencontainers.image.documentation="https://github.com/bakerboy448/RedditModLog/blob/main/README.md" \
+      org.opencontainers.image.licenses="GPL-3.0" \
+      org.opencontainers.image.vendor="bakerboy448" \
+      org.opencontainers.image.base.name="python:3.11-slim"
+
+# Install runtime dependencies and s6-overlay for user management
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install s6-overlay for proper init and user management
+ARG S6_OVERLAY_VERSION=3.1.6.2
+ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
+ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp
+RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && \
+    tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz && \
+    rm /tmp/s6-overlay-*.tar.xz
+
+# Create default user and group
+RUN groupadd -g 1000 modlogbot && \
+    useradd -u 1000 -g modlogbot -d /app -s /bin/bash modlogbot
+
+# Copy virtual environment from builder
+COPY --from=builder /opt/venv /opt/venv
+
+# Set environment variables
+ENV PATH="/opt/venv/bin:$PATH" \
+    PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PUID=1000 \
+    PGID=1000 \
+    S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
+
+# Create application directories
+RUN mkdir -p /app /app/data /app/logs /etc/s6-overlay/s6-rc.d/modlog-bot /etc/s6-overlay/s6-rc.d/init-modlogbot
+
+# Create s6 init script for user/group management
+RUN echo '#!/command/with-contenv bash\n\
+set -e\n\
+\n\
+PUID=${PUID:-1000}\n\
+PGID=${PGID:-1000}\n\
+\n\
+echo "Setting UID:GID to ${PUID}:${PGID}"\n\
+\n\
+# Update user and group IDs\n\
+groupmod -o -g "$PGID" modlogbot\n\
+usermod -o -u "$PUID" modlogbot\n\
+\n\
+# Fix ownership\n\
+echo "Fixing ownership of /app"\n\
+chown -R modlogbot:modlogbot /app\n\
+\n\
+# Ensure data directory has correct permissions\n\
+if [ ! -f /app/data/modlog.db ]; then\n\
+    echo "Initializing database directory"\n\
+    touch /app/data/modlog.db\n\
+    chown modlogbot:modlogbot /app/data/modlog.db\n\
+fi' > /etc/s6-overlay/scripts/init-modlogbot-run && \
+    chmod +x /etc/s6-overlay/scripts/init-modlogbot-run
+
+# Create s6 service run script
+RUN echo '#!/command/with-contenv bash\n\
+cd /app\n\
+exec s6-setuidgid modlogbot python modlog_wiki_publisher.py --continuous' > /etc/s6-overlay/scripts/modlog-bot-run && \
+    chmod +x /etc/s6-overlay/scripts/modlog-bot-run
+
+# Setup s6 service definitions
+RUN echo 'oneshot' > /etc/s6-overlay/s6-rc.d/init-modlogbot/type && \
+    echo '/etc/s6-overlay/scripts/init-modlogbot-run' > /etc/s6-overlay/s6-rc.d/init-modlogbot/up && \
+    echo 'longrun' > /etc/s6-overlay/s6-rc.d/modlog-bot/type && \
+    echo '/etc/s6-overlay/scripts/modlog-bot-run' > /etc/s6-overlay/s6-rc.d/modlog-bot/run && \
+    echo 'init-modlogbot' > /etc/s6-overlay/s6-rc.d/modlog-bot/dependencies && \
+    touch /etc/s6-overlay/s6-rc.d/user/contents.d/init-modlogbot && \
+    touch /etc/s6-overlay/s6-rc.d/user/contents.d/modlog-bot
+
+# Set working directory
+WORKDIR /app
+
+# Copy application files
+COPY --chown=modlogbot:modlogbot modlog_wiki_publisher.py /app/
+COPY --chown=modlogbot:modlogbot config_template.json /app/
+
+# Health check
+HEALTHCHECK --interval=5m --timeout=10s --start-period=30s --retries=3 \
+    CMD python -c "import os, sys; sys.exit(0 if os.path.exists('/app/data/modlog.db') else 1)"
+
+# Use s6-overlay as entrypoint
+ENTRYPOINT ["/init"]