feat: add spin

.dockerignore

@@ -0,0 +1,3 @@
+.infrastructure
+.github
+.gitlab-ci.yml

.github/workflows/README.md

@@ -0,0 +1,17 @@
+# Spin GitHub Actions Workflow Checklist
+> [!WARNING]  
+> 🤠 Hey Partner, there's some  manual steps you need to take care of before you'll get success with these workflows.
+
+# 🚨 WARNING: You must set the following secrets in GitHub:
+
+- DEPLOYMENT_SSH_PRIVATE_KEY
+- DEPLOYMENT_SSH_HOSTNAME
+- DB_ROOT_PASSWORD
+- DB_NAME
+- DB_USERNAME
+- DB_PASSWORD
+- ENV_FILE_BASE64
+
+Ensure these secrets match the environment you're deploying to.
+https://github.com/<your-organization>/<your-repo>/settings/environments
+

.github/workflows/action_deploy-production.yml

@@ -0,0 +1,64 @@
+name: Production Deployment
+on:
+  release:
+    types:
+      - released
+
+########################################################################
+# 🚨 WARNING: You must set the following secrets in GitHub:
+#
+# - DEPLOYMENT_SSH_PRIVATE_KEY
+# - DEPLOYMENT_SSH_HOSTNAME
+# - DB_ROOT_PASSWORD
+# - DB_NAME
+# - DB_USERNAME
+# - DB_PASSWORD
+# - ENV_FILE_BASE64
+#
+# Ensure these secrets match the environment you're deploying to.
+# https://github.com/<your-organization>/<your-repo>/settings/environments
+########################################################################
+
+# 👇 Set these variables to match your application needs. Most of them should work great by default.
+env:
+  DEPLOYMENT_URL_HOSTNAME: api.daim.dev
+  DEPLOYMENT_URL: https://api.daim.dev
+
+jobs:
+  build:
+    uses: ./.github/workflows/service_docker-build-and-publish.yml
+    with:
+      # 👇 Ensure these are the tags you want to publish to your registry.
+      docker-tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }},ghcr.io/${{ github.repository }}:latest
+      environment: production # 👈 Make sure you created this environment in GitHub with the secrets above.
+    secrets: inherit
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-22.04
+    environment:
+      name: production # 👈 Make sure you created this environment in GitHub with the secrets above.
+      url: "${{ env.DEPLOYMENT_URL }}"
+    steps:
+
+      - name: Get project name from repository name.
+        run: | 
+          echo "PROJECT_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
+
+      - uses: serversideup/github-action-docker-swarm-deploy@v1
+        with:
+          # 👇 Ensure these are correct and that you've set the appropriate secrets.
+          deployment_ssh_private_key: "${{ secrets.DEPLOYMENT_SSH_PRIVATE_KEY }}"
+          remote_ssh_server_hostname: "${{ secrets.DEPLOYMENT_SSH_HOSTNAME }}"
+          registry: "ghcr.io"
+          registry-username: "${{ github.actor }}"
+          registry-token: "${{ secrets.GITHUB_TOKEN }}"
+          stack_name: "${{ env.PROJECT_NAME }}"
+        env:
+          # 👇 Ensure this makes sense for your application.
+          TRAEFIK_HOST_RULE: "Host(`${{ env.DEPLOYMENT_URL_HOSTNAME }}`)"
+          DB_ROOT_PASSWORD: "${{ secrets.DB_ROOT_PASSWORD }}"
+          DB_NAME: "${{ secrets.DB_NAME }}"
+          DB_USERNAME: "${{ secrets.DB_USERNAME }}"
+          DB_PASSWORD: "${{ secrets.DB_PASSWORD }}"
+          DEPLOYMENT_IMAGE_PHP: "ghcr.io/${{ github.repository }}:${{ github.ref_name }}"

.github/workflows/service_docker-build-and-publish.yml

@@ -0,0 +1,73 @@
+on:
+  workflow_call:
+    inputs:
+      platforms:
+        type: string
+        default: 'linux/amd64'
+      docker-tags:
+        required: true
+        type: string
+      dockerfile:
+        type: string
+        default: './Dockerfile'
+      target:
+        type: string
+        default: ''
+      environment:
+        type: string
+        required: true
+
+env:
+  DOCKER_COMPOSE_CMD: docker compose -f docker-compose.yml -f docker-compose.ci.yml
+
+jobs:
+  docker-publish:
+    runs-on: ubuntu-22.04
+    environment:
+      name: ${{ inputs.environment }}
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Restore composer cache (if available)
+        id: composer-vendor-restore
+        uses: actions/cache/restore@v3
+        with:
+          path: vendor/
+          key: ${{ runner.os }}-composer-vendor-${{ hashFiles('composer.lock') }}
+
+      - if: ${{ steps.composer-vendor-restore.outputs.cache-hit != 'true' }}
+        name: List the composer packages
+        continue-on-error: true
+        run: |
+          $DOCKER_COMPOSE_CMD \
+          run \
+          php \
+          composer show --locked
+
+      - if: ${{ steps.composer-vendor-restore.outputs.cache-hit != 'true' }}
+        name: Install Composer dependencies
+        run: |
+          $DOCKER_COMPOSE_CMD \
+          run \
+          php \
+          composer install --optimize-autoloader --no-interaction --no-progress --no-ansi
+
+      - name: Set env file
+        run: |
+          echo $BASE_64_SECRET | base64 -d > .env
+          chmod 600 .env
+        env:
+          BASE_64_SECRET: ${{ secrets.ENV_FILE_BASE64 }}
+
+      - name: docker-build-action
+        uses: serversideup/github-action-docker-build@v5
+        with:
+          tags: "${{ inputs.docker-tags }}"
+          dockerfile: "${{ inputs.dockerfile }}"
+          registry: "ghcr.io"
+          registry-username: "${{ github.actor }}"
+          registry-token: "${{ secrets.GITHUB_TOKEN }}"
+          platforms: "${{ inputs.platforms }}"
+          target: "${{ inputs.target }}"

.gitignore

@@ -20,3 +20,4 @@ yarn-error.log
 /public/css
 /public/build
 /public/mix-manifest.json
+.vault-password

.infrastructure/conf/spin/collections/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

.infrastructure/conf/traefik/dev/certificates/local-dev-key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEAzD4tEgMDNmqJMqfW1KcR7sIan+8z3J+fWRIYREkk24UbaQzX
+of3dYYzPztmVh7ai4NhAnI/MfzPlJdPFVgPvGEO0TDCz9GmhNdFmXQiZ/dDQfR8b
+5py/mdiNBqsYWDBlj+I5KrMqE+pViDoKOLxVZXo+lECc2KCaz/ROJgj7b29+AOo5
+h/b/RzSnmQJGuCAAX+WIii63T3VA3GkzbnKGjMaPVTVPSpmLhkptq1t7kYam3p9b
+lDw+o3BzQKl7GtdLLcKpxYBwfsGiyCCYu5ojqGeK0enJNDZtfyP8k6heK/npeqXo
+QcWiLVxwXVqUqzCSt08L5F8u+2tObLW6NZ2bmWPUmZSXNC4qJjjlgrwrllkDJG+S
+3LPJYW+VZzvTYFcfE7f1miLBa6X37F03htnhlLx7Ep1EEfNXlhPhqX+eA87Io6fy
+B63udmKDJiDyFrYS7Qcz4WLFSHok7i7Y8FX0maedRye8upBep4a9qP6hodtAzkqn
+AoJQqUtghgJFPh65Z3mAFV3f4YgPpxjkYPNrpnYUo+TtGGTbeH6wLMQv91ZoA6HQ
+glC88wEUyO8V9hlu16mHv1n/fcsA9itP9Pr9gT4MphBmPBDYtNUYfGxMTTkAhGlT
+w3QzNWpG3AWaBWZdoTdOHCizFGTs/dJclIJt4gZ97XPjb1oWKPc5MmLXlWUCAwEA
+AQKCAgAzq7czS1fQuHslOZj8C5hZ0vlxZM62Dhv+KLnC7M5KSw54MSuMa/FJ8JnS
+NvHBd88VGyCdezO9Kp/aRg0yiaQ/e0Ft1RRxzRdfyi4fc0GiGOXmAazJVvaSMVrc
+SQTLqtLG5/CWgOUwTKR+5lAXsm3YUmjqkL4df+QqoB/1N2iE9KvoB1musCo9FXEh
+IJZLlq0BlcxJSTBPBdb27BZ65rZrfwBcCjSZJudJfiLoqyhD1ND6mU5N3j/qkVRX
+E4l1bOo0FX9l2+yZ5NsNzlFVhNVokWlpWb/xWaOx+qS3pmzMq1kKElcD7L/uwegb
+dgMOnCdCANl9WSdFrAwXLJKDZfArFeasU2wbhVPB2J2w3l8RTBAO6OqjAgRCcRO3
+iqr9M/cDT0K83n+tijtK6YZblP8EoxRzLjfCsQs8KSUZW1cylWoYq/8fX73FJ0S/
+DGrNdlHsZc13rut8Yg2YEomkPO9V1uInqpXCUWz/O/8vTAWrbaOULNocFGutgM6T
+obvOnrKrJ45UJvbjwS/76WEn7CNiWqon+7bzAls6xTHKmmx1PZ7z+rXaIyHkWyax
+RDzy56RLMRLtQdiFoCrFHoBuiagNmO3CyZvQ6oiqH1A/XF83rgZAGU9yHDbSlqTm
+rFGgfYrWkn8w7m9O8gSyrIj9HtB82hxq/m3x7YMMN6lCKon7sQKCAQEAzggKeFOG
+1e8MQQuar3ypJH8IaqNhnKfL4308n7jFr6+wjpzeF6Mp+tl27pZrpPgHvk7YUQq/
+ZXYZFdDMoRf0KzWSLRGwev2VhEqN+Gu7akXBFOHCkrg2+aK4lIC9d3NiI3CphjqZ
+ROXVXbmNSsa0JPWPva8jQufto87yWnhyvYMQBYFCFnJjGsKsmf7EG/gEmqjR17sl
+fOW84UIcNG+W2Shyn4hMOHg6PbL2LV01WCAvOwgJDGBPntvRlZeT+70HP7q8jQ1I
+9qgnBvd9pIfD3YUdW3ToFnOzmNI5w2GHUdEKBHtyodO4wqXiGUoIbxQtuDk5x9Nu
+uvEEEG+1vrML5wKCAQEA/ccW892p/MYTqasxLH3FEuWlbDzuM/wmW0UOqCuHVsWO
+LIbObd2nXA1FfixsH7AmQGz6840eSrd42Tyc4L0PgYiZMt2x0fVPtppTleARCrb1
+G1z3pm/V0SNfiWU/zJnBRWzO19YMrd44+inqvPsdVzJzOe0MqjKpjRJnXjB4tGJ4
+5K/GiUenb2eUoWepW/Co/WHGOe06d5TvjK8aMWUZXrw8zYKAMWef60tlw8mQsiBa
+5nfVHC92bB+gVaZj7esyJmmx0HJrAZWVxdD5JogCg3k1SA5707KORXNwpUfrmHs7
+5RmidgIL4TfH5N3HD38TMUhj9M166smWYG8KUwxK0wKCAQEAm2rLYxs3Alhx+Psk
+863o9cPx+GdIseCN2AxX1/CNB0tTtzC0BEar2zOCGNZVWztStAdL/E5MNOBSafd4
+9ShZouKlYuQOKajyyblnwPabiL4XuYXXvc/CgKtz62n2Ao6CgFNzPfMkPSnWuv3G
+jJq5t4uZo6/ivIyx4bixbvefLkAYrN5lmQMuqTgi9YOOMb700in5KXBeBgpTYeT5
+28A1nZh6ZsdtH8fpvzMpquy92b1lg3U7Rh+80Avn3J1cHzDnr/ZQV2KnIJGV5xZ4
+q81SPd81VxEoJg+fce9bbXw7lMdIdDsfLN3GaOazWPpUxF4HYwmgAZIH3HME6tUp
+1zG/DwKCAQBGTh2BuesZ6BYSbybUWJN8RLqrXcXwCO7nYh5JYKXB2EEm/MG7liiD
+S/nwloXt0XMHbimnx3SY5nNIW45qhHYDQMCQYvKcZAWNZPu7DbQq77y/s+W36kum
+ANK60Z33JLFydk5nZRlmIaZPR8WMTVU3jvZ1GcLkc9ydBHg2k98cuhsb38Z0ybEN
+H/kBLiKxId7vM2MjMSF9d3lV1DzBamy43hVKKdkx1q9rFBxBPVokvunv50rW4B9C
+nRBiKhKNGxdtpOJqCQi0C6jOgLJFhnCL08x7BegwIctgWjbe0ynluF5DffKQFskL
+v9RVB0vacy3x/UgTzck7ulU6qgiGMWWZAoIBAQCVA4qZyWfvlZok4CCOyVzyokQk
+iegae/vSXavf7P3rnt9A2tWb15JKHake+zI79QC8Ea8edA8j1/2xbTV7bF3fi0at
+UC5hiyOwVgxI2lGo3KxbOx3/kdTMWgiXjX1IZA9Zp9FzsvMrAGlU02imQSWq0/qW
+kdd3NWZHLJZgzmlMVX9s6WIzRP1CdD5E9NyJortgzLQmgWkxMTU7fx9TlSAtJpci
+00gQBq/aqWMNAtQwwz2M9eMr14TgTUgVhLmQJN9aBcNgUMielcn1zTthSG7euhQK
+0gu98piVTfVQarAAWWP2O9s9CvP5o6iItvSC01DG7RPw/Cj/q9P9sFCh6y1H
+-----END RSA PRIVATE KEY-----

.infrastructure/conf/traefik/dev/certificates/local-dev.pem

@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGkjCCBHqgAwIBAgIUKttFImgEG9cO56DRD/WAJQKHIAswDQYJKoZIhvcNAQEN
+BQAwezELMAkGA1UEBhMCVVMxEjAQBgNVBAgTCVdpc2NvbnNpbjESMBAGA1UEBxMJ
+TWlsd2F1a2VlMRcwFQYDVQQKEw5TZXJ2ZXIgU2lkZSBVcDEPMA0GA1UECxMGRGV2
+T3BzMRowGAYDVQQDExFTZXJ2ZXIgU2lkZSBVcCBDQTAeFw0yMzExMDkwMTAzMDBa
+Fw00MzExMDQwMTAzMDBaMHQxCzAJBgNVBAYTAlVTMRIwEAYDVQQIEwlXaXNjb25z
+aW4xEjAQBgNVBAcTCU1pbHdhdWtlZTEXMBUGA1UEChMOU2VydmVyIFNpZGUgVXAx
+DzANBgNVBAsTBkRldk9wczETMBEGA1UEAwwKKi5kZXYudGVzdDCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBAMw+LRIDAzZqiTKn1tSnEe7CGp/vM9yfn1kS
+GERJJNuFG2kM16H93WGMz87ZlYe2ouDYQJyPzH8z5SXTxVYD7xhDtEwws/RpoTXR
+Zl0Imf3Q0H0fG+acv5nYjQarGFgwZY/iOSqzKhPqVYg6Cji8VWV6PpRAnNigms/0
+TiYI+29vfgDqOYf2/0c0p5kCRrggAF/liIout091QNxpM25yhozGj1U1T0qZi4ZK
+batbe5GGpt6fW5Q8PqNwc0CpexrXSy3CqcWAcH7BosggmLuaI6hnitHpyTQ2bX8j
+/JOoXiv56Xql6EHFoi1ccF1alKswkrdPC+RfLvtrTmy1ujWdm5lj1JmUlzQuKiY4
+5YK8K5ZZAyRvktyzyWFvlWc702BXHxO39ZoiwWul9+xdN4bZ4ZS8exKdRBHzV5YT
+4al/ngPOyKOn8get7nZigyYg8ha2Eu0HM+FixUh6JO4u2PBV9JmnnUcnvLqQXqeG
+vaj+oaHbQM5KpwKCUKlLYIYCRT4euWd5gBVd3+GID6cY5GDza6Z2FKPk7Rhk23h+
+sCzEL/dWaAOh0IJQvPMBFMjvFfYZbteph79Z/33LAPYrT/T6/YE+DKYQZjwQ2LTV
+GHxsTE05AIRpU8N0MzVqRtwFmgVmXaE3ThwosxRk7P3SXJSCbeIGfe1z429aFij3
+OTJi15VlAgMBAAGjggETMIIBDzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI
+KwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU+njyDOLRRQQPlzgAq38z
+Ug209jMwHwYDVR0jBBgwFoAUNZc4wBBAJBUFKQnjiV4tknKqGPUwgZkGA1UdEQSB
+kTCBjoIKKi5kZXYudGVzdIILKi5naXRwb2QuaW+CCioubmdyb2suaW+CECoubG9j
+YWx0dW5uZWwubWWCDCouc2VydmVvLm5ldIIJKi5sb2NhLmx0gggqLm5pcC5pb4IK
+Ki5zc2xpcC5pb4IIKi54aXAuaW+CDioudHVubmVsdG8uZGV2ggwqLmlubGV0cy5k
+ZXYwDQYJKoZIhvcNAQENBQADggIBABP+PX9/Fu2kLuk1MuTs1vcAluf52i11XAPt
+QpeWCqS4lTu8P//8VPVcjdfWnqZP2xoQYS2yvMvcs6ec8Lwz7cds5NmIj5QBTRwV
+avi1J5IO62lEX6qLIUFpJFP29xtyMHZxBA/gcPeRZjcaE5CRBemUzrjSsVFr9TWl
+VcrNkGnw9MWvMuozesMWQbT4PC9kBb5Kh8mCi1uEFxRrlt1Jc7VtCQkINMNOoxty
+FYVZyd4rQtPSglFFuLrhI0wtrv1lGjiHNemipDI5TKb9swgIpqtNhXbe0vMtOHKC
+21+VHFSVRRvGRwklsGkCTC6FYnHSOVRVs9DQr8XP2sbjO6fIhlWvgt1AajYIzvfO
+9YNOsrnVeSEZrdVD8kkVL15iQewpLtgxQdm6lXedK0SNSTqWAT8+FBNKyt8FLQPv
+Owd68TCPNP7KUxwZHEeHfSn6BPdAgWhSNBLTPrwupQb9AdnQzvNA6seT4yKhI2Zj
+V7XPY92M99t6Ac7yimcT8zQQCVbNKZuFTHxb5FxQ7LWRyUK7+WlWPwLWzpU8fAlD
+KmLNIBn1HURVWDtECBpHb9ZjMh02EAea+wzpPNKiW/4+npBf6di7vUeFQs+dbB7J
+f1gR970Cmsaec3ZVOPdlcuJckNwBcvTSc07tDu5vP1nZlgp99IFVP/CQz48rVJTZ
+2lhEyLbm
+-----END CERTIFICATE-----

.infrastructure/conf/traefik/dev/traefik-certs.yml

@@ -0,0 +1,11 @@
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /certificates/local-dev.pem
+        keyFile: /certificates/local-dev-key.pem
+  certificates:
+    - certFile: /certificates/local-dev.pem
+      keyFile: /certificates/local-dev-key.pem
+      stores:
+        - default

.infrastructure/conf/traefik/dev/traefik.yml

@@ -0,0 +1,30 @@
+# Allow self-signed certificates
+serversTransport:
+  insecureSkipVerify: true
+
+providers:
+  docker:
+    network: development
+    exposedbydefault: false
+  file:
+      filename: /traefik-certs.yml
+      watch: true
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+
+  websecure:
+    address: ":443"
+
+accessLog: {}
+log:
+  level: ERROR
+
+api:
+  dashboard: true
+  insecure: true

.infrastructure/conf/traefik/prod/traefik.yml

@@ -0,0 +1,70 @@
+# Cloudflare TrustedIPs
+x-trustedIps: &trustedIPs
+  - "173.245.48.0/20"
+  - "103.21.244.0/22"
+  - "103.22.200.0/22"
+  - "103.31.4.0/22"
+  - "141.101.64.0/18"
+  - "108.162.192.0/18"
+  - "190.93.240.0/20"
+  - "188.114.96.0/20"
+  - "197.234.240.0/22"
+  - "198.41.128.0/17"
+  - "162.158.0.0/15"
+  - "104.16.0.0/13"
+  - "104.24.0.0/14"
+  - "172.64.0.0/13"
+  - "131.0.72.0/22"
+  - "2400:cb00::/32"
+  - "2606:4700::/32"
+  - "2803:f800::/32"
+  - "2405:b500::/32"
+  - "2405:8100::/32"
+  - "2a06:98c0::/29"
+  - "2c0f:f248::/32"
+
+# Allow self-signed certificates
+serversTransport:
+  insecureSkipVerify: true
+
+providers:
+  docker:
+    network: web-public
+    exposedbydefault: false
+    swarmMode: true
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entrypoint:
+          to: websecure
+          scheme: https
+    forwardedHeaders:
+      trustedIPs: *trustedIPs
+    proxyProtocol:
+      trustedIPs: *trustedIPs
+
+  websecure:
+    address: ":443"
+    forwardedHeaders:
+      trustedIPs: *trustedIPs
+    proxyProtocol:
+      trustedIPs: *trustedIPs
+
+accessLog: {}
+log:
+  level: ERROR
+
+api:
+  dashboard: true
+  insecure: true
+
+certificatesResolvers:
+  letsencryptresolver:
+    acme:
+      email: "changeme@example.com"
+      storage: "/certificates/acme.json"
+      httpChallenge:
+        entryPoint: web

.infrastructure/volume_data/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore