Best practices

Author: gcstr

docs/.vitepress/config.mts

@@ -52,7 +52,7 @@ export default {
             { text: 'Networks',         link: '/manifest/networks' },
             { text: 'Filesets',         link: '/manifest/filesets' },
             { text: 'Applications',     link: '/manifest/applications' },
-            { text: 'Good Practices',   link: '/manifest/good_practices' }
+            { text: 'Best Practices',   link: '/manifest/best_practices' }
           ]
         },
         ...cliSidebar

docs/introduction/getting_started.md

@@ -20,9 +20,9 @@ Before you begin, make sure you have the following installed:
 
 On macOS or Linux, you can install Dockform using [Homebrew](https://brew.sh/):
 
-```sh
-brew tap gcstr/dockform
-brew install dockform
+```sh [terminal ~vscode-icons:file-type-shell~]
+$ brew tap gcstr/dockform
+$ brew install dockform
 ```
 
 ### Precompiled binaries
@@ -36,7 +36,7 @@ Download the binary for your platform, extract it, and place it somewhere in you
 
 Dockform includes a convenience command to scaffold a new project:
 
-```sh
+```sh [terminal ~vscode-icons:file-type-shell~]
 dockform init
 ```
 

docs/manifest/applications.md

@@ -50,7 +50,7 @@ applications:
 - `profiles` (optional): Compose profiles to enable.
 - `env-file` (optional): additional env files for Compose (relative to `root`).
 - `environment` (optional): per-app env definitions, with `files` and `inline`.
-- `secrets.sops` (optional): per-app SOPS-encrypted `.env` files for inline injection at runtime.
+- `secrets.sops` (optional): per-app SOPS-encrypted `.env` files for inline injection at runtime. *(See [Secrets](secrets))*
 - `project.name` (optional): Compose project name override.
 
 ## Environment merging and precedence

docs/manifest/best_practices.md

@@ -0,0 +1,104 @@
+---
+title: Best Practices
+---
+
+# Best Practices
+
+This guide collects practical recommendations for using Dockform safely and effectively across development, staging, and production.
+
+## Core principles
+
+- Treat the manifest file as *the* source of truth; avoid imperative Docker commands.
+- Scope everything with a clear `docker.identifier` (e.g., `server-name`).
+- Prefer small, focused changes and review with `dockform plan` before `apply`.
+
+## Volumes
+
+- Declare named volumes in the manifest under `volumes:` and reference them as `external` in Compose. ***Avoid defining named volumes directly in Compose***.
+- Back up volumes regularly. Dockform’s `destroy` (and `prune`) can remove labeled volumes. Consider a backup solution like [docker-volume-backup](https://offen.github.io/docker-volume-backup/).
+- If a fileset targets a volume, you may omit it from `volumes:` (it will be created), but listing it explicitly improves readability.
+
+## Networks
+
+- Declare networks in the manifest and reference them as `external` in Compose. Avoid creating ad-hoc networks via Compose.
+- Use environment-specific names if you need strict isolation per environment.
+
+## Filesets
+
+- Use filesets for configs and static assets (not for very large, frequently-changing data).
+- Keep `target_path` specific (never `/`), and use `exclude` to avoid syncing build artifacts, VCS metadata, and OS files.
+- Set `restart_services` only for services that actually need a restart.
+
+Example excludes:
+
+```yaml [dockform.yaml]
+filesets:
+  app-config:
+    source: ./config
+    target_volume: app-config
+    target_path: /etc/app
+    exclude:
+      - ".git/"
+      - "**/*.tmp"
+      - "**/.DS_Store"
+```
+
+## Applications and Compose
+
+- Set a stable `project.name` for predictable container and network names. See https://docs.docker.com/compose/how-tos/project-name/
+- Keep Compose files close to each app’s `root` folder; avoid cross-tree paths.
+- Use Compose profiles for environment-specific toggles (e.g., `prod` vs `dev`).
+- Let Dockform inject its identifier label; do not hardcode `io.dockform.identifier` in Compose.
+
+## Environment and secrets
+
+- Use root `environment.files` for shared files and app-level `environment.files` for overrides; Dockform rebases root paths to the app `root`.
+- Prefer SOPS-encrypted `.env` files for secrets. Keep keys outside of the repo and load via `${AGE_KEY_FILE}`.
+- If not using SOPS, inject secrets via CI as environment variables and pass them through Compose `environment:`.
+
+<!-- ## CI/CD recommendations
+
+- Use `dockform plan` in PRs to preview changes; require approval before `apply`.
+- Pin the Docker context and set a clear `docker.identifier` per environment.
+- Provide required env vars (including SOPS keys if used) via CI secrets.
+- For ephemeral tests, set `DOCKFORM_RUN_ID` to isolate resources, then run `dockform destroy` or `prune` at the end. -->
+
+## Safety and destructive operations
+
+Always ensure you have recent backups for stateful volumes before destructive commands.
+
+::: warning
+
+`destroy` removes all labeled resources for the active identifier (containers, networks, volumes). Use with care.
+
+:::
+
+## Performance and determinism
+
+- Limit fileset sizes and use `exclude` aggressively for large repos.
+- Keep Compose and manifest changes minimal per deployment for faster diffs.
+- Prefer stable project and resource names to minimize churn and restarts.
+
+## Suggested project structure
+
+- Dockform is unopinionated, but grouping applications by folder is effective.
+
+```text
+repo/
+  dockform.yaml
+  traefik/
+    docker-compose.yaml
+    config/
+  app/
+    docker-compose.yaml
+    .env
+  db/
+    docker-compose.yaml
+```
+
+## Troubleshooting tips
+
+- If Compose fails, run `docker compose -f <file> config` to validate YAML.
+- If a service doesn’t update, check labels and config-hash drift; then run `dockform plan`.
+- If a volume/network is “missing” in Compose, ensure it is declared in the manifest and referenced as `external` with the correct name.
+

docs/manifest/good_practices.md

@@ -22,15 +22,15 @@ You need both **SOPS** and **Age** installed:
 
 Generate a new Age key pair and store it locally:
 
-```sh
+```sh [terminal ~vscode-icons:file-type-shell~]
 $ age-keygen -o ~/.config/sops/age/keys.txt
 ```
 
 ### 2. Reference the key file in the manifest
 
 Point Dockform to your Age key file inside `dockform.yaml` (directly or via environment variable interpolation):
 
-```yaml
+```yaml [dockform.yaml]
 sops:
   age:
     key_file: ${AGE_KEY_FILE}
@@ -40,7 +40,7 @@ sops:
 
 Use Dockform to scaffold a new secrets file:
 
-```sh
+```sh [terminal ~vscode-icons:file-type-shell~]
 $ dockform secrets create secrets.env
 # A template encrypted dotenv file will be created
 ```
@@ -49,7 +49,7 @@ $ dockform secrets create secrets.env
 
 Open the file securely with your `$EDITOR`. Dockform decrypts it on the fly and re-encrypts on save:
 
-```sh
+```sh [terminal ~vscode-icons:file-type-shell~]
 $ dockform secrets edit secrets.env
 ```
 
@@ -58,28 +58,92 @@ $ dockform secrets edit secrets.env
 Reference the encrypted dotenv file inside your manifest.  
 Secrets can be defined globally or scoped to a specific application.
 
-```yaml
+```yaml [dockform.yaml]
 secrets:
   sops:
     - app/secrets.env
 ```
 
 For application-specific secrets:
 
-```yaml
+```yaml [dockform.yaml]
 applications:
   web:
     secrets:
       sops:
         - web/secrets.env
 ```
 
----
+## Using secrets without SOPS (CI-managed)
+
+If you prefer not to use SOPS, you can manage sensitive values via your CI/CD system’s secret store (e.g., GitHub Actions). Provide secrets as environment variables at runtime and reference them from Compose or the manifest.
+
+- Set CI environment variables from your secret store.
+- Add them to Dockform `environment.inline` to ensure Compose receives them during planning and apply.
+
+::: code-group
+
+```yaml [dockform.yaml]
+docker:
+  context: default
+  identifier: production
+
+environment:
+  inline:
+    # These values are interpolated from CI-provided env vars at load time
+    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+    - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
 
-## Summary
+applications:
+  app:
+    root: ./app
+    files: [docker-compose.yaml]
+```
+
+```yaml [app/docker-compose.yaml]
+services:
+  api:
+    image: ghcr.io/example/api:latest
+    environment:
+      # Compose reads values from the process environment (provided by CI or Dockform inline env)
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
+```
+
+```yaml [ .github/workflows/deploy.yml ]
+name: Deploy
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    env:
+      # Provide secrets from GitHub Actions to the process environment
+      POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
+      OIDC_CLIENT_SECRET: ${{ secrets.OIDC_CLIENT_SECRET }}
+      # Optional: set a stable run identifier for scoping
+      DOCKFORM_RUN_ID: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Dockform
+        run: |
+          curl -L https://github.com/gcstr/dockform/releases/latest/download/dockform_linux_amd64 -o dockform
+          chmod +x dockform
+          sudo mv dockform /usr/local/bin/dockform
+
+      - name: Plan
+        run: dockform plan -c .
+
+      - name: Apply
+        run: dockform apply -c .
+```
 
-- Secrets are stored in encrypted dotenv files managed by SOPS.  
-- Age provides the encryption keys.  
-- Dockform offers commands to create and edit secrets without exposing raw values.  
-- Encrypted files can safely live in git repositories, while being decrypted only at runtime.  
+:::
 
+Notes:
+- Environment variable interpolation (`${VAR}`) in `dockform.yaml` occurs at load time using the runner’s environment.
+- You can mix CI-managed env vars with SOPS-managed secrets if needed.