updated readme, stripped docker image

Author: fed1337

.dockerignore

@@ -1,11 +1,18 @@
 **/__pycache__
 .git
+.github
 .idea
 .mypy_cache
 .pytest_cache
 .ruff_cache
 .venv
+.tmp
+dist
+docs
+htmlcov
+lemur.egg-info
 lemur/static/dist
 node_modules
 bower_components
-.tmp
+*.md
+*.rst

Dockerfile

@@ -2,34 +2,42 @@ FROM python:3.10-alpine3.22 AS builder
 
 COPY --from=ghcr.io/astral-sh/uv:0.9 /uv /uvx /bin/
 
+ENV PATH="/root/.local/bin/:$PATH" \
+    CFLAGS="-Os -fomit-frame-pointer" \
+    LDFLAGS="-Wl,--strip-all"
+
+WORKDIR /opt/lemur
+COPY . .
+
 RUN apk add --update --no-cache --virtual build-dependencies \
     curl \
     bash \
     git \
     tar \
     musl-dev \
     gcc \
-    openssl-dev \
-    libffi-dev \
-    cyrus-sasl-dev \
     openldap-dev \
-    npm
-
-# Ensure the installed uv binary is on the `PATH`
-ENV PATH="/root/.local/bin/:$PATH"
-
-WORKDIR /opt/lemur
-COPY . .
-
-RUN uv sync --frozen --compile-bytecode
+    binutils \
+    npm \
+    && uv sync --no-dev --frozen --compile-bytecode
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-RUN curl -sSL https://github.com/caddyserver/caddy/releases/download/v2.10.2/caddy_2.10.2_linux_amd64.tar.gz | tar xz -C /usr/bin
 
-RUN npm install \
-    && npm run build_static \
+RUN curl -sSL https://github.com/caddyserver/caddy/releases/download/v2.10.2/caddy_2.10.2_linux_amd64.tar.gz | tar xz -C /usr/bin \
+    && npm config set cache /tmp/npm-cache \
+    && npm install \
+    && node_modules/.bin/gulp build \
     && node_modules/.bin/gulp package --urlContextPath="" \
-    && rm -rf node_modules bower_components .tmp \
+    && rm -rf node_modules bower_components .tmp /tmp/npm-cache \
+    /usr/lib/python3.10/ensurepip \
+    /usr/lib/python3.10/idlelib \
+    /usr/lib/python3.10/test \
+    /usr/lib/python3.10/lib2to3 \
+    /usr/lib/python3.10/pydoc_data \
+    /usr/lib/python3.10/tkinter \
+    && strip /usr/bin/caddy \
+    && strip /opt/lemur/.venv/lib/python*/site-packages/**/*.so || true \
+    && find /opt/lemur/.venv -name "*.so" -exec strip --strip-unneeded {} + || true \
     && apk del build-dependencies
 
 
@@ -41,13 +49,13 @@ ENV user=lemur
 ENV group=lemur
 
 ENV PATH="/opt/lemur/.venv/bin:${PATH}" \
-    PYTHONUNBUFFERED=1
+    PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1
 
-RUN apk add --update --no-cache curl libldap bash openssl
+RUN apk add --no-cache curl libldap bash openssl
 
 RUN addgroup -S ${group} -g ${gid} \
-    && adduser -D -S ${user} -G ${group} -u ${uid} \
-    && apk add --no-cache --update curl
+    && adduser -D -S ${user} -G ${group} -u ${uid}
 
 COPY --from=builder --chown=${uid}:${gid} /opt/lemur /opt/lemur
 COPY --from=builder --chown=${uid}:${gid} /usr/bin/caddy /usr/bin/caddy

README.md

@@ -1,6 +1,142 @@
 # Lemur
 
 Lemur manages TLS certificate creation. While not able to issue certificates itself, Lemur acts as a broker between CAs
-and environments providing a central portal for developers to issue TLS certificates with 'sane' defaults.
+and environments, providing a central portal for developers to issue TLS certificates with 'sane' defaults.
 
-Lemur aims to support the 3 most recent python releases which have been released for at least a year. For example, if python3.13 released last month, we'd aim to support versions 3.10, 3.11, and 3.12.
+Lemur aims to support three of the most recent python releases which have been released for at least a year. For
+example, if python 3.13 released last month, we'd aim to support versions 3.10, 3.11, and 3.12.
+
+# Build & run
+
+## Local
+
+### Frontend
+
+Build
+
+```bash
+npm install                       # Install dependencies
+gulp build                        # Compiles frontend
+gulp package --urlContextPath=""  # Sets correct base path to API endpoints
+```
+
+Run
+
+```
+gulp serve
+```
+
+### Backend
+
+1. Supposed you have uv installed
+2. Activate virtual environment: `source .venv/bin/activate`
+3. Install python dependencies: `uv sync`
+4. Review initial config in `lemur.conf.py` and adjust it to your needs
+5. Make sure you are inside lemur package (with the migrations folder): `cd lemur/`
+6. Create admin user with login `lemur` and password `password`:
+   `uv run lemur -c /path/to/lemur.conf.py init -p password`
+7. Run app: `uv run lemur -c /path/to/lemur.conf.py start`
+8. Access via browser: http://localhost:8000
+
+### Tests
+
+```bash
+# Install test dependencies
+uv sync --group tests
+
+# Run tests
+pytest
+
+# With coverage
+pytest --cov=lemur
+```
+
+### Docs
+
+
+## Docker
+
+### Build
+
+### Docker-compose
+
+```bash
+docker compose up -d postgres       # run postgres in background
+docker compose run --rm lemur init  # initialize database (one time)
+docker compose up -d lemur          # start the app
+```
+
+### Running tests
+
+### Docker Development
+
+```bash
+# Start services
+docker-compose -f docker-compose.dev.yml up
+
+# Start in background
+docker-compose -f docker-compose.dev.yml up -d
+
+# View logs
+docker-compose -f docker-compose.dev.yml logs -f lemur
+
+# Stop services
+docker-compose -f docker-compose.dev.yml down
+
+# Rebuild after code changes
+docker-compose -f docker-compose.dev.yml up --build
+
+# Run database migrations
+docker-compose -f docker-compose.dev.yml exec lemur lemur db upgrade
+
+# Access Python shell
+docker-compose -f docker-compose.dev.yml exec lemur lemur shell
+```
+
+### Hot Reload
+
+The development docker-compose includes `--reload` flag for gunicorn, so Python changes are automatically detected.
+
+
+## Production environment overview
+
+```
+┌─────────────────────────────────────────────────────┐
+│                   Browser/Client                    │
+└─────────────────────┬───────────────────────────────┘
+                      │
+                      ↓
+┌─────────────────────────────────────────────────────┐
+│     Caddy/your favorite web server (port 80/433)    │
+│  • Serves static files (CSS, JS, images)            │
+│  • Proxies /api/* to Flask backend                  │
+│  • SPA routing (all routes → index.html)            │
+└─────────────────────┬───────────────────────────────┘
+                      │
+                      ↓
+┌─────────────────────────────────────────────────────┐
+│           Flask + Gunicorn (port 8000)              │
+│  • REST API endpoints (/api/1/*)                    │
+│  • Serves index.html for root route                 │
+│  • SQLAlchemy ORM                                   │
+└─────────┬───────────────────────────┬───────────────┘
+          │                           │
+          ↓                           ↓
+┌──────────────────┐        ┌──────────────────┐
+│   PostgreSQL     │        │      Redis       │
+│   (port 5432)    │        │   (port 6379)    │
+│  • Main database │        │  • Cache/Queue   │
+│  • pg_trgm ext   │        │  • Celery broker │
+└──────────────────┘        └──────────────────┘
+                                      │
+                                      ↓
+                            ┌──────────────────┐
+                            │  Celery Worker   │
+                            │ • Background     │
+                            │   tasks          │
+                            └──────────────────┘
+```
+
+---
+
+**Happy certificate management! 🎉**