From 86b01283fe3d505c53bc10b77a95a259ef4c56ab Mon Sep 17 00:00:00 2001 From: Agnieszka Rudek <61757744+Blusia@users.noreply.github.com> Date: Tue, 27 Aug 2024 14:36:09 +0200 Subject: [PATCH] #126 - Changes in beta deployment (#127) * - changes in deployment paths * - switch to harbor registry and adjust deployment workflow * - add sops to dev and beta and corrections * - files corrections * - remove line from Makefile * - changes in .env.beta * - changes in .env.beta * - changes in docker-compose.beta * - remove line * - remove init-unaccent volume * - add volume * - add push to trigger workflow --- .github/workflows/deploy-to-beta-by-push.yml | 39 ++++++---- .gitignore | 2 +- .sops.yaml | 6 ++ Makefile | 75 ++++++++----------- environment/dev/app/Dockerfile | 18 +++++ environment/prod/deployment/beta/.env.beta | 31 ++++++++ .../prod/deployment/beta/.env.beta.encrypted | 1 - .../prod/deployment/beta/.env.beta.secrets | 19 +++++ environment/prod/deployment/beta/Makefile | 26 +++---- .../deployment/beta/docker-compose.beta.yml | 35 +++++++-- renovate.json5 | 2 +- 11 files changed, 177 insertions(+), 77 deletions(-) create mode 100644 .sops.yaml create mode 100644 environment/prod/deployment/beta/.env.beta delete mode 100644 environment/prod/deployment/beta/.env.beta.encrypted create mode 100644 environment/prod/deployment/beta/.env.beta.secrets diff --git a/.github/workflows/deploy-to-beta-by-push.yml b/.github/workflows/deploy-to-beta-by-push.yml index 86b762d..f0de81d 100644 --- a/.github/workflows/deploy-to-beta-by-push.yml +++ b/.github/workflows/deploy-to-beta-by-push.yml @@ -5,6 +5,9 @@ concurrency: cancel-in-progress: true on: + push: + branches: + - main workflow_dispatch: jobs: 
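Review bot: The new `push` trigger on `main` makes this deployment run on every merge, while the concurrency block at the top of the hunk still carries `cancel-in-progress: true`; a second push landing while a deploy is in flight would cancel the first run mid-way, possibly after the scp step has already replaced the files on the server (`rm: true`) but before `make beta-deploy` has finished. For a deploy job, queuing is usually the safer choice: `cancel-in-progress: false`. The `group` key of the concurrency block is outside the hunk, so it could not be checked here; a one-line comment above `push:` stating that merges to `main` auto-deploy to beta would also help the next reader, since `workflow_dispatch` used to be the only trigger.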
@@ -14,7 +17,11 @@ jobs: name: Deploy to beta runs-on: ubuntu-22.04 env: - REPO_NAME: keating + DOCKER_REGISTRY: registry.blumilk.pl + DOCKER_REGISTRY_USER_NAME: robot@blumilkbot-harbor + DOCKER_REGISTRY_PROJECT_NAME: internal-public + DOCKER_REGISTRY_REPO_NAME: keating + TARGET_DIR_ON_SERVER: /blumilk/beta/projects steps: - name: set branch name run: echo "BRANCH_NAME=$GITHUB_REF_NAME" >> $GITHUB_ENV @@ -40,17 +47,21 @@ jobs: - name: login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ github.token }} + registry: ${{ env.DOCKER_REGISTRY }} + username: ${{ env.DOCKER_REGISTRY_USER_NAME }} + password: ${{ secrets.BLUMILKBOT_HARBOR_TOKEN }} + + - name: set docker image name + run: echo "DOCKER_IMAGE_NAME=${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_REGISTRY_PROJECT_NAME }}/${{ env.DOCKER_REGISTRY_REPO_NAME }}" >> $GITHUB_ENV - name: Docker meta id: meta uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ghcr.io/${{ github.repository_owner }}/${{ env.REPO_NAME }} - tags: type=raw,value=beta - context: git + images: ${{ env.DOCKER_IMAGE_NAME }} + tags: | + type=raw,value=beta + context: workflow - name: build and push image uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 
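Review bot: The step name `login to GitHub Container Registry` is now stale: its `with:` block logs into `${{ env.DOCKER_REGISTRY }}` (registry.blumilk.pl) with the Harbor robot account, so rename it, e.g. `- name: login to Harbor registry`. The `set docker image name` step and the `images:` input on the meta step are consistent with each other, so that part reads fine. A short comment above `DOCKER_REGISTRY_USER_NAME` in the job `env:` (the hunk just above this one) noting that its credential is `secrets.BLUMILKBOT_HARBOR_TOKEN` would document that the two must be rotated together, which the bare robot name does not convey.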
@@ -59,10 +70,10 @@ jobs: file: ./environment/prod/app/Dockerfile build-args: DEPLOYMENT_PROJECT_VERSION_ARG=${{ env.DEPLOYMENT_PROJECT_VERSION }} labels: ${{ steps.meta.outputs.labels }} + tags: ${{ steps.meta.outputs.tags }} push: true - tags: ghcr.io/${{ github.repository_owner }}/${{ env.REPO_NAME }}:beta - cache-from: type=gha, ref=ghcr.io/${{ github.repository_owner }}/${{ env.REPO_NAME }}-beta-build-cache - cache-to: type=gha, ref=ghcr.io/${{ github.repository_owner }}/${{ env.REPO_NAME }}-beta-build-cache, mode=max + cache-from: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-beta-build-cache + cache-to: type=gha, ref=${{ env.DOCKER_IMAGE_NAME }}-beta-build-cache, mode=max - name: copy files via ssh uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7 @@ -75,7 +86,7 @@ jobs: key: ${{ secrets.VPS_OVH_BF7EC892_SSH_PRIVATE_KEY }} passphrase: ${{ secrets.VPS_OVH_BF7EC892_SSH_PRIVATE_KEY_PASSPHRASE }} source: "./environment/prod/deployment/beta/*,./environment/prod/deployment/scripts/*,./environment/prod/deployment/postgres/*" - target: ${{ secrets.KEATING_VPS_BETA_APP_PATH }} + target: ${{ env.TARGET_DIR_ON_SERVER }}/${{ env.DOCKER_REGISTRY_REPO_NAME }} rm: true - name: run deployment script over ssh @@ -90,6 +101,6 @@ jobs: passphrase: ${{ secrets.VPS_OVH_BF7EC892_SSH_PRIVATE_KEY_PASSPHRASE }} script_stop: true script: | - cd ${{ secrets.KEATING_VPS_BETA_APP_PATH }}/environment/prod/deployment/beta - make beta-deploy BETA_ENV_KEY=${{ secrets.BETA_ENV_KEY }} - docker images --filter dangling=true | grep "ghcr.io/blumilksoftware/${{ env.REPO_NAME }}" | awk '{print $3}'| xargs --no-run-if-empty docker rmi + cd ${{ env.TARGET_DIR_ON_SERVER }}/${{ env.DOCKER_REGISTRY_REPO_NAME }}/environment/prod/deployment/beta + make beta-deploy SOPS_AGE_KEY=${{ secrets.SOPS_AGE_BETA_SECRET_KEY }} + docker images --filter dangling=true | grep "${{ env.DOCKER_IMAGE_NAME }}" | awk '{print $3}'| xargs --no-run-if-empty docker rmi 
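Review bot: In the `script:` block, `make beta-deploy SOPS_AGE_KEY=${{ secrets.SOPS_AGE_BETA_SECRET_KEY }}` places the age private key on the command line of the remote `make` process, where any local user on the VPS can read it through `ps` or `/proc/<pid>/cmdline` for as long as the deploy runs; GitHub masks the value in the workflow log, but nothing masks it on the server. Passing it through the environment keeps it out of the process list: expose it with the step's `env:` and forward it with the `envs` input of appleboy/ssh-action, then call plain `make beta-deploy`, which works with the beta Makefile's `decrypt-secrets` target as written because sops reads `SOPS_AGE_KEY` from its environment (GNU make forwards exported environment variables to recipe shells). The `docker images … | grep` cleanup line is unchanged in substance and fine.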
diff --git a/.gitignore b/.gitignore index 0f656f2..6541a77 100644 --- a/.gitignore +++ b/.gitignore @@ -12,7 +12,7 @@ .env .env.backup -.env.beta +.env.beta.secrets.decrypted .phpunit.result.cache .php-cs-fixer.cache .appversion diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..a9a66f4 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,6 @@ +creation_rules: + + - name: beta + path_regex: \.env\.beta\.secrets.*$ + age: >- + age1vq7sw98g2xk9md2yg9f959k8xkaz8r32pds27jn3nsfcdue3757s0h7hd8 diff --git a/Makefile b/Makefile index 2ee5ef9..540f683 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,6 @@ include .env SHELL := /bin/bash -DOCKER_COMPOSE_FILE = docker-compose.yaml DOCKER_COMPOSE_APP_CONTAINER = app DOCKER_COMPOSE_DATABASE_CONTAINER = database @@ -19,7 +18,7 @@ TEST_DATABASE_NAME=keating-test init: check-env-file @make build \ && make run \ - && docker compose --file ${DOCKER_COMPOSE_FILE} exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} bash "./environment/dev/scripts/init.sh" \ + && docker compose exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} bash "./environment/dev/scripts/init.sh" \ && make create-test-db check-env-file: 
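Review bot: The `beta` creation rule names a single age recipient, and the same public key is the only `sops_age` entry in the new `.env.beta.secrets`, so one private key — held in `secrets.SOPS_AGE_BETA_SECRET_KEY` and, judging by the root Makefile's use of `SOPS_AGE_BETA_SECRET_KEY` from the included `.env`, on each developer's machine as well — is the only thing that can decrypt the file, with no second key for recovery or rotation. `age:` accepts a comma-separated list, so adding the CI identity and each maintainer's key as separate recipients would let the deploy key be rotated with `sops updatekeys` without re-keying people, and vice versa. A comment above the rule naming which identity each recipient belongs to would also help, since a bare `age1…` string says nothing about its owner.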
@@ -29,63 +28,55 @@ check-env-file: fi; \ build: - @docker compose --file ${DOCKER_COMPOSE_FILE} build --pull + @docker compose build --pull run: - @docker compose --file ${DOCKER_COMPOSE_FILE} up --detach + @docker compose up --detach stop: - @docker compose --file ${DOCKER_COMPOSE_FILE} stop + @docker compose stop restart: stop run shell: - @docker compose --file ${DOCKER_COMPOSE_FILE} exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} bash + @docker compose exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} bash shell-root: - @docker compose --file ${DOCKER_COMPOSE_FILE} exec ${DOCKER_COMPOSE_APP_CONTAINER} + @docker compose exec ${DOCKER_COMPOSE_APP_CONTAINER} dev: - @docker compose --file ${DOCKER_COMPOSE_FILE} exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} npm run dev + @docker compose exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} npm run dev test: - @docker compose --file ${DOCKER_COMPOSE_FILE} exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} composer test + @docker compose exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} composer test fix: - @docker compose --file ${DOCKER_COMPOSE_FILE} exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} bash -c 'composer csf && npm run lintf' + @docker compose exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} bash -c 'composer csf && npm run lintf' queue: - @docker compose --file ${DOCKER_COMPOSE_FILE} exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} php artisan queue:work + @docker compose exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} php artisan queue:work create-test-db: - @docker compose --file ${DOCKER_COMPOSE_FILE} 
exec ${DOCKER_COMPOSE_DATABASE_CONTAINER} bash -c 'createdb --username=${DATABASE_USERNAME} ${TEST_DATABASE_NAME} &> /dev/null && echo "Created database for tests (${TEST_DATABASE_NAME})." || echo "Database for tests (${TEST_DATABASE_NAME}) exists."' - -encrypt-beta-env: - @docker compose --file ${DOCKER_COMPOSE_FILE} run \ - --rm \ - --no-deps \ - --volume ${CURRENT_DIR}/environment/prod/deployment/beta:/envs \ - --entrypoint "" \ - --workdir /application \ - --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" \ - ${DOCKER_COMPOSE_APP_CONTAINER} \ - bash -c "cp /envs/.env.beta /application \ - && php artisan env:encrypt --env beta --key ${BETA_ENV_KEY} \ - && mv .env.beta.encrypted /envs \ - && rm .env.beta" - -decrypt-beta-env: - @docker compose --file ${DOCKER_COMPOSE_FILE} run \ - --rm \ - --no-deps \ - --volume ${CURRENT_DIR}/environment/prod/deployment/beta:/envs \ - --entrypoint "" \ - --workdir /application \ - --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" \ - ${DOCKER_COMPOSE_APP_CONTAINER} \ - bash -c "cp /envs/.env.beta.encrypted /application \ - && php artisan env:decrypt --env beta --key ${BETA_ENV_KEY} \ - && mv .env.beta /envs \ - && rm .env.beta.encrypted" - -.PHONY: init check-env-file build run stop restart shell shell-root test fix create-test-db queue encrypt-beta-env decrypt-beta-env + @docker compose exec ${DOCKER_COMPOSE_DATABASE_CONTAINER} bash -c 'createdb --username=${DATABASE_USERNAME} ${TEST_DATABASE_NAME} &> /dev/null && echo "Created database for tests (${TEST_DATABASE_NAME})." 
|| echo "Database for tests (${TEST_DATABASE_NAME}) exists."' + +encrypt-beta-secrets: + @$(MAKE) encrypt-secrets SECRETS_ENV=beta + +decrypt-beta-secrets: + @$(MAKE) decrypt-secrets SECRETS_ENV=beta AGE_SECRET_KEY=${SOPS_AGE_BETA_SECRET_KEY} + +decrypt-secrets: + @docker compose exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" --env SOPS_AGE_KEY=${AGE_SECRET_KEY} ${DOCKER_COMPOSE_APP_CONTAINER} \ + bash -c "echo 'Decrypting ${SECRETS_ENV} secrets' \ + && cd ./environment/prod/deployment/${SECRETS_ENV} \ + && sops --decrypt --input-type=dotenv --output-type=dotenv --output .env.${SECRETS_ENV}.secrets.decrypted .env.${SECRETS_ENV}.secrets \ + && echo 'Done'" + +encrypt-secrets: + @docker compose exec --user "${CURRENT_USER_ID}:${CURRENT_USER_GROUP_ID}" ${DOCKER_COMPOSE_APP_CONTAINER} \ + bash -c "echo 'Encrypting ${SECRETS_ENV} secrets' \ + && cd ./environment/prod/deployment/${SECRETS_ENV} \ + && sops --encrypt --input-type=dotenv --output-type=dotenv --output .env.${SECRETS_ENV}.secrets .env.${SECRETS_ENV}.secrets.decrypted \ + && echo 'Done'" + +.PHONY: init check-env-file build run stop restart shell shell-root test fix create-test-db queue encrypt-beta-secrets decrypt-beta-secrets diff --git a/environment/dev/app/Dockerfile b/environment/dev/app/Dockerfile index 411ecee..58b29bb 100644 --- a/environment/dev/app/Dockerfile +++ b/environment/dev/app/Dockerfile 
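Review bot: The new `.PHONY` line lists `encrypt-beta-secrets decrypt-beta-secrets` but not the generic `encrypt-secrets` and `decrypt-secrets` targets they delegate to; a file with either name in the repo root would turn those targets into silent no-ops, so extend it to `.PHONY: init check-env-file build run stop restart shell shell-root test fix create-test-db queue encrypt-beta-secrets decrypt-beta-secrets encrypt-secrets decrypt-secrets`. In `decrypt-secrets`, `--env SOPS_AGE_KEY=${AGE_SECRET_KEY}` (and the `AGE_SECRET_KEY=…` argument handed to `$(MAKE)` above it) make-expands the age private key into process argument lists, where `ps` shows it to other users on the machine; a target-specific export, `decrypt-beta-secrets: export SOPS_AGE_KEY = ${SOPS_AGE_BETA_SECRET_KEY}`, with a bare `--env SOPS_AGE_KEY` on the exec line, keeps it in the environment only — assuming compose's `--env` passes a bare name through from the caller's environment as `docker run -e` does, which is worth confirming. `encrypt-secrets` leaves `.env.${SECRETS_ENV}.secrets.decrypted` on disk afterwards; a comment above the target saying that is deliberate (the file is gitignored) or a trailing `&& rm` of it would make the intent explicit.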
@@ -1,3 +1,18 @@ +FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS secops-tools + +# https://github.com/FiloSottile/age/releases +ARG AGE_VERSION="1.1.1" + +# https://github.com/getsops/sops/releases +ARG SOPS_VERSION="3.8.1" + +RUN wget --output-document age.tar.gz "https://github.com/FiloSottile/age/releases/download/v${AGE_VERSION}/age-v${AGE_VERSION}-linux-amd64.tar.gz" \ + && tar --extract --file age.tar.gz \ + && mv age/age /usr/local/bin \ + && mv age/age-keygen /usr/local/bin \ + && wget --output-document /usr/local/bin/sops "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64" \ + && chmod +x /usr/local/bin/sops + FROM composer/composer:2.7.7-bin@sha256:1832641f1ba36c8e748f4b4462f77e7c8836cca7730fdf0540580d703b78f2e7 AS composer-bin FROM node:21.7.3-bullseye-slim@sha256:50adaf5a166e4e3dc01e77e9bdb4c35e34ef32a1e9e26200019cddb2b154fb34 AS node @@ -5,6 +20,9 @@ FROM node:21.7.3-bullseye-slim@sha256:50adaf5a166e4e3dc01e77e9bdb4c35e34ef32a1e9 FROM php:8.3.10-fpm-bullseye@sha256:857b7cdf42fc4e5b313548e6f6260fce0534439e30915824a5ac3efe9a121dff COPY --from=composer-bin ./composer /usr/bin/composer +COPY --from=secops-tools /usr/local/bin/age /usr/local/bin/age +COPY --from=secops-tools /usr/local/bin/age-keygen /usr/local/bin/age-keygen +COPY --from=secops-tools /usr/local/bin/sops /usr/local/bin/sops ARG USER_NAME=host-user ARG USER_ID=1000 diff --git a/environment/prod/deployment/beta/.env.beta b/environment/prod/deployment/beta/.env.beta new file mode 100644 index 0000000..defea00 --- /dev/null +++ b/environment/prod/deployment/beta/.env.beta 
@@ -0,0 +1,31 @@ +APP_NAME=keating +APP_ENV=beta + +APP_DEBUG=false +APP_URL=https://dev.keating.blumilk.pl +KEATING_HOST_NAME=dev.keating.blumilk.pl +COMPOSE_PROJECT_NAME=keating-beta + +LOG_CHANNEL=stack +LOG_DEPRECATIONS_CHANNEL=null +LOG_LEVEL=debug + +MAIL_MAILER=smtp +MAIL_HOST=mailpit +MAIL_PORT=1025 +MAIL_FROM_NAME="${APP_NAME}" +MAIL_FROM_ADDRESS="hello@example.com" + +DB_CONNECTION=pgsql +DB_HOST=keating-beta-database +DB_PORT=5432 + +REDIS_HOST=keating-beta-redis +REDIS_PORT=6379 + +BROADCAST_DRIVER=log +CACHE_DRIVER=redis +FILESYSTEM_DISK=local +QUEUE_CONNECTION=redis +SESSION_DRIVER=redis +SESSION_LIFETIME=120 diff --git a/environment/prod/deployment/beta/.env.beta.encrypted b/environment/prod/deployment/beta/.env.beta.encrypted deleted file mode 100644 index f109d8f..0000000 --- a/environment/prod/deployment/beta/.env.beta.encrypted +++ /dev/null 
@@ -1 +0,0 @@ -eyJpdiI6Im50NzZDTVptdmpRanRzUHZPSEF1bWc9PSIsInZhbHVlIjoiZ2h2dkxKOVY4VDI1bXdSOXRJWU5LL3pycHJIcFlwTFZqN1NIL3JKdVAxTUpvMHppenU4ZmVGT0kzRyt3WGdGeDU2VVQxRmhROXd4UC9jV2kyc0hITS9uT0Roc0lrYjlIVjFuREZoMU83S1ozOW01cWJmSHlWaWpsK3JmeWV5R0h0QzJ6Mmh3Y0pyVjFwa3BxMTVLOEoyMnVscFNxZmNtWTZFd2JMOVVKTG5sM282M2ZHL3owanY5bmVTUE5oTWJwR0YxZjNuOEx1SDRzd2RQZkxCbDhmbVAzS2V5OW10UDN0TGZ5ZzNFVk1ZL2lhTVp5VkFRVkcwN0lvbTJXS2pFbkhvSTZRcGpVNFFLUTRTYklGYnJvTzlzZTl5T0djZFlRbko3dWo5eFdDd0lnSnY0RGpiVmxhbFFQMWVqM1JQTThRNmVmcVhuOXVVdzNlZVZmZGw4RWY2RUtqbXlqejl5UDdUWmxMazZ2TW1KcWdpSEkyTWpLV2FPNXNacSs4SFVKakRBUEJTa0NMRk81Sk1sTnA3NTFqS0thaXh4bFhleTA0bHZxeTBaRG9DTHlFYXJEa0NqZHVZQlhET2NLYjZpUlo3MHhOQXIwYjZqMS9uRG8vbldzeG1BaWF5aDQ1QmxoKy9IREpkNmFQajhFNXBCRGIyVGtRTWd6dVRhSUFSNGxzMVNZUWIxUzduNE8rYTFwM0t5cTlUbUYzWTV0Ky9QcFVPSGN6MUN0R0ZZNlFKRGVaYm1ybGh0YlY5eTBRc0RJMnRmdnkydkJRTUwySTJqeGgyNjZ3eWJUOHlHWVJCb0FUL1FMN0pXcVpNNlFpeWhaRXNLdWE4VmZOTVdZQXA0T2ZTS3Ywbks3OE5KSUlCTGwzUXQ2RFdHQ29qZWZ5VEs5SG0zb1NCZ0pMcHFqWElpaUU1bDhYUWRsUER1cTNwZEh0SWNFVEZabWdXb1AreERwSVU4ZHNKTWZydGtXVjFoaTZXNkRrTm1maTZaS1dad2FtbnBEdVo3RGUvVzVHWUtnNzhqWEh3NTkzRGZJRk1xZDR3UHpxSWkraTBuS3dkUTVObG5BcFFmS0xxUlBWSWFib0oybzFFTWhMOVlqaGlPaFEzMEc4WnBNSHVZcmZubVhDRDN1UzVuMjUxamhpUHJ2N3Y5Y1RObVYrTjFGS0JLK3pXSW9lTXpHdkJWNFFFQmp4TENLQ3UyMHZKcUZMTHlCdVVNR2ZMampkTTE4VWtxTzBISXFic3ZlUUUyUmEvWVRMNGxHTldiOERkUG9CdHhTWUgzNEl2WTk2Vkw4ZXZ2UnFyd244VjZQWWVsdkRXcVFVMGxtQStIMGovUzVBQkdVc3BrTitBUTRhZTlkcXZ3d21pWjRHQ25yNDAwSUFmUVJSSTMyd1o5NkRTQ3RQM2JTWW1TbndBV01TRGR0QVIyZ0RqM3lXQzR5YU5xdFl6a0VJQVBsM1V2NzIxYVBrWVpGZ2FRSXJzeHJWMHJSOG40QlB4ZmhuY1h5WE4weTV0U1JIZWhyWUlSN0pZb0o3d1RVbEVLSi93d0lNNHA2d2p3SEh0UHVncW1BenRlTEU5Kzc3K0FqWjlEdzFiL3N1dXM2dnVIK0FOS3JSNFRsakxxaVBxMktCV09FMGpDRzZ4bENRcHUzQ0NCVUhrMnhPQStRaVFGZDl1NkNPUkVvTW9qajg0aW5SbDlBMmF5L0tPaWVPVFlnekFucTZCTHRSdFpJL0wwZGVvdUNmZ1NIYnZGSkZxMWdGN0syTkFDNUpkdTJBNzBmeE82WFUyODVBSTZGZVVVVDZwQU81NGY2bTgzMml6UzBGZ1didVRrTG1LVjM1YUdBR1pFaHdPeXRjSVRBRVJ6YjEwUjQyZnpDSWo4WXl0MDR5WWhSM1ZhelhVdG5MM0w0U0hCSlltcngwMC9FVzlHcWdBe
FViQmVJSWRiNmsvMVJOWXNaSjJ3cC9BeXY4WVpnQnZDTFFycExOWHBlRnpJb09ibDd1MU9HR2ZSbjRCdFRlaVMvTnp6azVrUmpwSFpLZ2M2ZXdHaTk3VlZ0IiwibWFjIjoiNmQyZTliMjJmOTAzZGE0YzUwYzIxNjQ2ZjYwZTk5YTZkZWJjYzExYTQxYmY5MTQ2YjdmNTg4ZmIzMjI1MGZhMSIsInRhZyI6IiJ9 \ No newline at end of file diff --git a/environment/prod/deployment/beta/.env.beta.secrets b/environment/prod/deployment/beta/.env.beta.secrets new file mode 100644 index 0000000..4a76c61 --- /dev/null +++ b/environment/prod/deployment/beta/.env.beta.secrets 
@@ -0,0 +1,19 @@ +APP_KEY=ENC[AES256_GCM,data:TTsJs3aACKmy10SUgA8JB5WztpldU02m/8zpQ1C0PGVbMdXS+kxk2/Pek5v6h3JTN12y,iv:oBzH9N1SCfSZhdzhSvihplLSviIAENpsqWvrQhD840Y=,tag:6eH1zx4KFBDLZ2/xqTLFxg==,type:str] +DOCKER_KEATING_BETA_DB_ROOT_PASSWORD=ENC[AES256_GCM,data:Sp7unHaaBg==,iv:K+ei3PxVGv3EJspPYwOHv8tTiWwP4irin4z51A9emM4=,tag:7VuqtaiB0UxOBm306S3wGg==,type:str] +DOCKER_KEATING_BETA_DB_DATABASE=ENC[AES256_GCM,data:ZiFpH2f5Nw==,iv:hlf8stwm78YIGYXOk7eglFEnh/1O4X5xhNk6/tfuABU=,tag:FaLSQrq0u99xRwNT184kDg==,type:str] +DOCKER_KEATING_BETA_DB_USERNAME=ENC[AES256_GCM,data:mtJDVPePcg==,iv:IWJ+/6KmhJ8c1NpKYYdaTo73GS9rA6kB0nI4vDrcj9I=,tag:QVXTtOAOcpVjmQJwWIee0A==,type:str] +DOCKER_KEATING_BETA_DB_PASSWORD=ENC[AES256_GCM,data:bYiu24RQRtI=,iv:q3fBrU+hQQDcv7S0n/BxmkMUx5sJ+gnwmNhecjSkeB8=,tag:OZd6lk9xtURpRlzRgkKp2w==,type:str] +DB_DATABASE=ENC[AES256_GCM,data:KSf9w/zgyg==,iv:PNeyBby69egxfrr2nUo/5WozY65eF17WbSFYaE/BoGk=,tag:Pfs1TzQZJWIiSCsc1e2jEg==,type:str] +DB_USERNAME=ENC[AES256_GCM,data:0M+qZx3Chw==,iv:+GOj7PNlcjzEpJ/fY2S5PFF7LSsIGVGz/FdT1WWU2VU=,tag:3ee+CypnLieVeV4bwKt3fw==,type:str] +DB_PASSWORD=ENC[AES256_GCM,data:Oxktp0JTisM=,iv:UgtfeMZYNV7YZboZLvw6Twu1N1cBxO4SPQI2dUYhwwo=,tag:l5sZeMd+xtbhixQLU+cHNw==,type:str] +DB_ROOT_PASSWORD=ENC[AES256_GCM,data:FrWPlpJOdQ==,iv:+fxhR7EESnvQ6bj+WzhlsJuI+wAx1Q6pkjoQc77qIWU=,tag:lMVTy287wN6h2IuJzYt1kQ==,type:str] +REDIS_PASSWORD=ENC[AES256_GCM,data:6WAHrQ==,iv:ydPKRAjQ+rXAQ4mNPm8/6MtmQLFNPJm+VFT0sLGNVWk=,tag:X89hBximDsHMz9MHfZ6d8w==,type:str] +MAIL_USERNAME=ENC[AES256_GCM,data:3nsqlw==,iv:my6RAA3AHIhSI5sBEGA3nPLmKWsZ4x2fetxgKPSJH5Y=,tag:dw+uvgXaHM1UVZl6+GDKQA==,type:str] +MAIL_PASSWORD=ENC[AES256_GCM,data:ai3oXA==,iv:hCiDWPB8z0/Jfy4IhkFOUddAm5pAs4P22BwSiGRbm/o=,tag:LdzQV2wFEkwLGNb/UTFnHw==,type:str] +MAIL_ENCRYPTION=ENC[AES256_GCM,data:27WHPA==,iv:SvtOxgKa3igVDARcBBvCB/fvFRbxwEoGCgTQsxKQPt0=,tag:WcAiPeCsgAEFjSagQ6CtPw==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZk40L3hjRllyQjFnZERm\nOUppTFp0bmZPMTY1ejZybHZLOGFmWFJpaUdBCmhDZmxNenFIVXI1Q2N4cVhjcHNl\nbzFvREEvVGg4T3NrN21ZdkViR01TWHcKLS0tIHRGZC94OFIrZUt6NHRKUnQxOUow\nUEJ1YlY5TmhqZndJRG92a1VEU01FYkUKEm6zEUYB8o9ua29m5QS31sizEUN1QcYp\nNPSi6lzm0E4eFuRwjw8XW+Vs936JbHboWpOjcpgA4kiOwDmgypnu/g==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1vq7sw98g2xk9md2yg9f959k8xkaz8r32pds27jn3nsfcdue3757s0h7hd8 +sops_lastmodified=2024-08-21T10:30:14Z +sops_mac=ENC[AES256_GCM,data:q1Pdp3UhEJldgGdd+WlIkKVEhlgFN06rQS49piUVnc/nVl+eLVM68WUcBLJ1lYzr9nVLmKQ8Iz/6wC/92p91cT/w8MuUS5Y2IErL8CArDuH67L5H8rY170jZn2YAcmZ8kSoBvnxitsJZn0NvmmwEhQbH7ACUCyPYuM4nyOFydVg=,iv:2PkFE9RDP/dzfQ+dwDgzVoIvr+NGyLWa0tIWJXLCaKA=,tag:q51yHRBVHZqQc3GeOsCMLw==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/environment/prod/deployment/beta/Makefile b/environment/prod/deployment/beta/Makefile index 509407e..9ea298f 100644 --- a/environment/prod/deployment/beta/Makefile +++ b/environment/prod/deployment/beta/Makefile @@ -1,6 +1,8 @@ export COMPOSE_DOCKER_CLI_BUILD = 1 export DOCKER_BUILDKIT = 1 +MAKEFLAGS += --no-print-directory + DOCKER_COMPOSE_FILENAME = docker-compose.beta.yml DOCKER_COMPOSE_APP_CONTAINER = keating-beta-app 
@@ -11,23 +13,21 @@ BETA_DOCKER_IMAGE = ghcr.io/blumilksoftware/keating:beta CURRENT_DIR = $(shell pwd) -beta-deploy: decrypt-beta-env create-deployment-file +beta-deploy: decrypt-secrets create-deployment-file @docker compose --file ${DOCKER_COMPOSE_FILENAME} pull && \ docker compose --file ${DOCKER_COMPOSE_FILENAME} up --detach && \ echo "App post deploy actions" && \ ${DOCKER_EXEC_SCRIPT} post-deploy-actions.sh -decrypt-beta-env: - @docker run \ - --rm \ - --volume ${CURRENT_DIR}:/envs \ - --entrypoint "" \ - --workdir /application \ - ${BETA_DOCKER_IMAGE} \ - bash -c "cp /envs/.env.beta.encrypted /application \ - && php artisan env:decrypt --env beta --key ${BETA_ENV_KEY} \ - && cp .env.beta /envs/.env.beta \ - && cp .env.beta /envs/.env" +SOPS_VERSION=3.8.1 + +decrypt-secrets: + @wget --output-document ./sops "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64" \ + && chmod +x ./sops \ + && mv .env.beta .env \ + && echo "Decrypting secrets" \ + && ./sops --decrypt --input-type=dotenv --output-type=dotenv .env.beta.secrets >> .env \ + && echo "Done" DEPLOYMENT_DATETIME = $(shell TZ=Europe/Warsaw date --rfc-3339=seconds) @@ -36,4 +36,4 @@ create-deployment-file: DEPLOY_DATE='${DEPLOYMENT_DATETIME}'\ " > .deployment -.PHONY: beta-deploy decrypt-beta-env create-deployment-file +.PHONY: beta-deploy decrypt-secrets create-deployment-file diff --git a/environment/prod/deployment/beta/docker-compose.beta.yml b/environment/prod/deployment/beta/docker-compose.beta.yml index 5c6e521..6e2294e 100644 --- a/environment/prod/deployment/beta/docker-compose.beta.yml +++ b/environment/prod/deployment/beta/docker-compose.beta.yml @@ -1,5 +1,3 @@ -version: "3.8" - networks: traefik-proxy: external: true 
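Review bot: `decrypt-secrets` is not re-runnable: `mv .env.beta .env` consumes the committed `.env.beta`, so a second `make beta-deploy` on the server before the next scp refresh fails at the `mv`, and the `>>` append is only safe because that `mv` replaced `.env` first; `cp .env.beta .env` keeps the source in place and still yields a fresh `.env` before the append. The target also relies on `SOPS_AGE_KEY` arriving from the workflow's `make beta-deploy SOPS_AGE_KEY=…` (GNU make exports command-line variables to recipe shells, and sops reads that variable), but nothing checks it, so a missing secret only surfaces as a sops error after the download; a first recipe line `@test -n "$${SOPS_AGE_KEY}" || { echo "SOPS_AGE_KEY is not set"; exit 1; }` makes the precondition explicit. `BETA_DOCKER_IMAGE = ghcr.io/blumilksoftware/keating:beta`, shown in the hunk header, was only used by the removed `decrypt-beta-env` target and still names the old registry, so unless it is referenced elsewhere in the file it can be dropped. `SOPS_VERSION=3.8.1` now sits between two targets; moving it up with the other variables at the top of the file would match the rest of the layout.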
@@ -14,15 +12,20 @@ volumes: services: keating-beta-app: - image: ghcr.io/blumilksoftware/keating:beta + image: registry.blumilk.pl/internal-public/keating:beta container_name: keating-beta-app - pull_policy: always deploy: mode: replicated replicas: 1 resources: limits: memory: 512M + logging: + driver: "json-file" + options: + max-size: "50m" + max-file: "5" + pull_policy: always labels: - "traefik.enable=true" - "traefik.http.routers.keating-beta-app.rule=Host(`${KEATING_HOST_NAME:? variable KEATING_HOST_NAME not set}`)" @@ -48,6 +51,17 @@ services: keating-beta-database: image: postgres:15.5-alpine3.17@sha256:1961f9d61a86948fb3c02ef87a6616f74f3530d10a1cd299b84abba7ed6db791 container_name: keating-beta-database + deploy: + mode: replicated + replicas: 1 + resources: + limits: + memory: 512M + logging: + driver: "json-file" + options: + max-size: "50m" + max-file: "5" environment: - PGPASSWORD=${DOCKER_KEATING_BETA_DB_ROOT_PASSWORD:? variable DOCKER_KEATING_BETA_DB_ROOT_PASSWORD not set} - POSTGRES_DB=${DOCKER_KEATING_BETA_DB_DATABASE:? variable DOCKER_KEATING_BETA_DB_DATABASE not set} @@ -59,7 +73,7 @@ services: timeout: 3s retries: 5 volumes: - - ./environment/prod/deployment/postgres/init-unaccent.sql:/docker-entrypoint-initdb.d/init-unaccent.sql + - ../postgres/init-unaccent.sql:/docker-entrypoint-initdb.d/init-unaccent.sql - keating-beta-pgsql-data:/var/lib/postgresql/data networks: - keating-beta @@ -68,6 +82,17 @@ services: keating-beta-redis: image: redis:7.0.11-alpine3.17@sha256:cbcf5bfbc3eaa232b1fa99e539459f46915a41334d46b54bf894f8837a7f071e container_name: keating-beta-redis + deploy: + mode: replicated + replicas: 1 + resources: + limits: + memory: 512M + logging: + driver: "json-file" + options: + max-size: "50m" + max-file: "5" healthcheck: test: [ "CMD-SHELL", "redis-cli ping | grep PONG" ] interval: 3s diff --git a/renovate.json5 b/renovate.json5 index 28b907a..e38be8a 100644 --- a/renovate.json5 +++ b/renovate.json5 
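Review bot: The `deploy:` and `logging:` stanzas added to `keating-beta-database` and `keating-beta-redis` are byte-for-byte copies of the ones on `keating-beta-app` in the first hunk (same memory limit, driver and rotation settings), so the three will drift the next time one of them is tuned. Compose extension fields exist for this: declare `x-logging: &default_logging` (and, if wanted, `x-deploy: &default_deploy`) once at the top level and reference them with `logging: *default_logging` in each service; the same applies to the database and redis hunks further down this file. The relative `../postgres/init-unaccent.sql` path matches what the workflow's scp step copies alongside the `beta` directory, so that change looks consistent.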
@@ -7,6 +7,6 @@ "Blusia", // Agnieszka Rudek ], "ignoreDeps": [ - "ghcr.io/blumilksoftware/keating", + "registry.blumilk.pl/internal-public/keating", ], }