Use Github Actions for Docker build/push

.dockerignore

@@ -0,0 +1,26 @@
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.Python
+env
+pip-log.txt
+pip-delete-this-directory.txt
+.tox
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.log
+.git
+.mypy_cache
+.pytest_cache
+.hypothesis
+
+.venv
+.vscode
+.lvimrc
+dist
+*.egg-info

.github/workflows/docker-build.yml

@@ -0,0 +1,45 @@
+name: docker
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+  push:
+    branches:
+      - 'master'
+  release:
+    types: [ published ]
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: |
+            icgood/pymap
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: '{context}/docker/DockerFile'
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

docker/Dockerfile

@@ -11,6 +11,7 @@ RUN apk --update add --virtual build-dependencies \
   && apk del build-dependencies
 
 EXPOSE 143 4190 50051
+HEALTHCHECK CMD ./docker/check-stale-pid.sh $KEY_FILE
 
 ENTRYPOINT ["pymap"]
 CMD ["--help"]

docker/README.md

@@ -49,28 +49,21 @@ First, expose your certificates directory as a volume, e.g.:
       - /etc/ssl/private:/etc/ssl/private
 ```
 
-And add the new arguments to the entrypoint, e.g.:
+And add the `$CERT_FILE` and `$KEY_FILE`  environment variables to the service,
+e.g.:
 
 ```yaml
-    entrypoint: >-
-      pymap --debug
-        --cert /etc/ssl/private/mail/fullchain.pem
-        --key /etc/ssl/private/mail/privkey.pem
-        dict --demo-data
+    environment:
+      CERT_FILE: /etc/ssl/private/mail/fullchain.pem
+      KEY_FILE: /etc/ssl/private/mail/privkey.pem
 ```
 
-Finally, add a healthcheck so that [pymap][1] will restart whenever a new
-certificate is generated.
-
-```yaml
-    healthcheck:
-      interval: 10s
-      retries: 1
-      test: test /etc/ssl/private/mail/privkey.pem -ot /tmp/pymap.pid
-```
+The Docker image includes a [healthcheck][6] that will mark the service as
+`unhealthy` if `$KEY_FILE` has changed since the service started.
 
 [1]: https://github.com/icgood/pymap
 [2]: https://hub.docker.com/repository/docker/icgood/proxy-protocol
 [3]: https://docs.docker.com/compose/compose-file/#volumes
 [4]: https://letsencrypt.org/
 [5]: https://hub.docker.com/repository/docker/icgood/letsencrypt-service
+[6]: https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck

docker/check-stale-pid.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+# Check if the given file is newer than the pymap PID file. This can be used
+# as a healthcheck to watch for updated certificate files.
+
+check_file=$1
+pid_file=${2:-/tmp/pymap.pid}
+
+test -n "$check_file" || exit 0  # ignore if no file is given
+
+stat -c "$check_file: %y" $check_file || exit 1
+stat -c "$pid_file: %y" $pid_file || exit 1
+
+test $check_file -ot $pid_file || exit 1

requirements-dev.txt

@@ -6,4 +6,9 @@ pytest-asyncio
 pytest-cov
 rope
 
+types-certifi
+types-protobuf
+types-setuptools
+types-toml
+
 -r requirements-all.txt

setup.cfg

@@ -1,5 +1,21 @@
 [mypy]
 files = pymap, test
+
+[mypy-msgpack.*]
+ignore_missing_imports = True
+[mypy-aioredis.*]
+ignore_missing_imports = True
+[mypy-google.rpc.*]
+ignore_missing_imports = True
+[mypy-pymacaroons.*]
+ignore_missing_imports = True
+[mypy-sievelib.*]
+ignore_missing_imports = True
+[mypy-systemd.*]
+ignore_missing_imports = True
+[mypy-pid.*]
+ignore_missing_imports = True
+[mypy-passlib.*]
 ignore_missing_imports = True
 
 [coverage:report]