DEPLOYMENT: add ./deployment/* with bot docker-compose deploy

Author: gitrus

.github/workflows/docker-publish.yml

@@ -7,18 +7,16 @@ name: Docker
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
 
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
 
-
 jobs:
   build:
-
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -37,7 +35,7 @@ jobs:
         if: github.event_name != 'pull_request'
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
         with:
-          cosign-release: 'v2.2.4'
+          cosign-release: "v2.2.4"
 
       # Set up BuildKit Docker container builder to be able to build
       # multi-platform images and export cache
@@ -75,6 +73,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          platforms: linux/amd64,linux/arm64
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker

.gitignore

@@ -8,6 +8,9 @@
 *.so
 *.dylib
 
+# Mac related
+.DS_Store
+
 # Test binary, built with `go test -c`
 *.test
 

bot

@@ -0,0 +1,7 @@
+# Bot configuration
+TELEGRAM_BOT_PUBLIC_URL=your_public_url_or_localhost
+
+# Note: Sensitive credentials are stored in the ./secrets/ directory
+# ./secrets/telegram_token.txt - Your Telegram bot token
+# ./secrets/db_user.txt - Database username
+# ./secrets/db_password.txt - Database password

deployment/.env.template

@@ -0,0 +1,25 @@
+# Digikeeper Bot Deployment
+
+Production-ready Docker Compose setup with TimescaleDB and database migrations.
+
+## Usage
+
+```bash
+#!/bin/bash
+# Script to setup secrets directory and files
+
+# Create secrets directory with secure permissions
+mkdir -p ./secrets
+chmod 700 ./secrets
+
+echo "postgres" > ./secrets/db_user
+echo "$(openssl rand -base64 32 | tr -d '\n')" > ./secrets/db_password
+echo "your_telegram_token_here" > ./secrets/telegram_token
+
+chmod 600 ./secrets/*
+```
+
+## Structure
+
+- `docker-compose.yml` - Container configuration
+- `migrations/` - Database migration scripts golang-migrate

deployment/README.md

@@ -0,0 +1,87 @@
+services:
+  dk-timescale:
+    image: timescale/timescaledb:2.19.2-pg17
+    container_name: timescaledb
+    environment:
+      - POSTGRES_USER_FILE=/run/secrets/db_user
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_DB=digikeeper
+    ports:
+      - target: 5432
+        published: 5432
+    volumes:
+      - timescaledb_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $(cat /run/secrets/db_user)"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - db
+    secrets:
+      - db_user
+      - db_password
+    mem_limit: 1G
+    mem_reservation: 512M
+    cpus: 1.0
+
+  digikeeper-bot:
+    image: ghcr.io/gitrus/digikeeper-bot:main
+    container_name: digikeeper-bot
+    environment:
+      - LOCAL_PORT=8081
+      - LOCAL_HOST=0.0.0.0
+      - TELEGRAM_BOT_TOKEN_FILE=/run/secrets/telegram_token
+      - TELEGRAM_BOT_PUBLIC_URL=${TELEGRAM_BOT_PUBLIC_URL:-localhost}
+      - TELEGRAM_ALLOWED_UPDATES=message
+      - POSTGRES_HOST=timescaledb
+      - POSTGRES_PORT=5432
+      - POSTGRES_USER_FILE=/run/secrets/db_user
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_DB=digikeeper
+    ports:
+      - target: 8081
+        published: 8081
+      - target: 8091
+        published: 8091
+    volumes:
+      - ..:/usr/app:ro
+    depends_on:
+      dk-timescale:
+        condition: service_healthy
+    networks:
+      - db
+    restart: unless-stopped
+    secrets:
+      - db_user
+      - db_password
+      - telegram_token
+    mem_limit: 512M
+    mem_reservation: 256M
+    cpus: 0.5
+
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:8091/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+
+volumes:
+  timescaledb_data:
+    driver: local
+  pgbackup_data:
+    driver: local
+
+networks:
+  db:
+    driver: bridge
+    internal: true
+
+secrets:
+  db_user:
+    file: ./secrets/db_user
+  db_password:
+    file: ./secrets/db_password
+  telegram_token:
+    file: ./secrets/telegram_token

deployment/docker-compose.yml

@@ -0,0 +1 @@
+CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;

deployment/migrations/000-initial-schema.up.sql

@@ -0,0 +1,9 @@
+DROP SCHEMA IF EXISTS digikeeper;
+
+DROP TABLE IF EXISTS digikeeper.user;
+
+DROP SCHEMA IF EXISTS digikeeper_tg;
+
+DROP TABLE IF EXISTS digikeeper_tg.tg_user_sessions;
+
+DROP TABLE IF EXISTS digikeeper.message_logs;

deployment/migrations/001-init-bot-schema.down.sql

@@ -0,0 +1,47 @@
+CREATE SCHEMA IF NOT EXISTS digikeeper;
+
+CREATE TABLE IF NOT EXISTS digikeeper.user (
+    user_uid UUID PRIMARY KEY,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW (),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW ()
+);
+
+CREATE SCHEMA IF NOT EXISTS digikeeper_tg;
+
+CREATE TABLE IF NOT EXISTS digikeeper_tg.tg_user_sessions (
+    user_uid UUID NOT NULL references digikeeper.user (user_uid),
+    tg_user_id BIGINT PRIMARY KEY,
+    chat_id BIGINT NOT NULL,
+    data JSONB,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW (),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW ()
+);
+
+CREATE INDEX IF NOT EXISTS idx_user_sessions_updated_at ON digikeeper_tg.user_sessions (updated_at);
+
+CREATE TABLE IF NOT EXISTS digikeeper.message_logs (
+    timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW (),
+    user_id BIGINT NOT NULL,
+    chat_id BIGINT NOT NULL,
+    message_id BIGINT NOT NULL,
+    message_text TEXT,
+    message_type TEXT NOT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_message_logs_user_id ON digikeeper.message_logs (user_id);
+
+CREATE INDEX IF NOT EXISTS idx_message_logs_chat_id ON digikeeper.message_logs (chat_id);
+
+SELECT
+    create_hypertable (
+        'digikeeper.message_logs',
+        by_range ('timestamp', INTERVAL '1 day'),
+        if_not_exists = > TRUE
+    );
+
+SELECT
+    add_retention_policy (
+        'digikeeper.message_logs',
+        INTERVAL '30 days',
+        if_not_exists = > TRUE
+    );

deployment/migrations/001-init-bot-schema.up.sql

@@ -72,7 +72,9 @@ require (
 	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang-migrate/migrate v3.5.4+incompatible // indirect
+	github.com/golang-migrate/migrate/v4 v4.18.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
 	github.com/golangci/go-printf-func-name v0.1.0 // indirect
 	github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
@@ -88,7 +90,9 @@ require (
 	github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
 	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
 	github.com/grbit/go-json v0.11.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
@@ -191,6 +195,7 @@ require (
 	gitlab.com/bosi/decorder v0.4.2 // indirect
 	go-simpler.org/musttag v0.13.0 // indirect
 	go-simpler.org/sloglint v0.9.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
 	golang.org/x/arch v0.6.0 // indirect
@@ -213,3 +218,5 @@ require (
 tool github.com/golangci/golangci-lint/cmd/golangci-lint
 
 tool github.com/WAY29/icecream-go
+
+tool github.com/golang-migrate/migrate/v4/cmd/migrate